I can't register or renew the Let's Encrypt certificate. What can I do?
Symptoms
You are unable to create or renew the Let's Encrypt certificate on a Synology device.
Diagnosis
Registration or renewal of a Let's Encrypt certificate may fail for the following reasons:
- The Let's Encrypt certificate was transferred from another device (see note 1).
- You configured a primary domain name and multiple subject alternative names for one certificate (e.g., example.com and mail.example.com), but not all of the domain names point to the public IP address of your Synology device (see note 2).
- You used Synology DDNS to register or renew a Let's Encrypt certificate while the Synology DDNS status was not activated.
- You used Synology DDNS to register or renew a Let's Encrypt certificate after the Synology DDNS hostname had been changed.
Notes:
- Certificates exported from other devices cannot be renewed after being imported to a Synology device. To enable automatic renewal, obtain a Let's Encrypt certificate from your original Synology device.
- You can use the nslookup command to check whether all the domain names point to the same public IP address.
Resolution
Point domain names to the correct IP address
For Let's Encrypt to validate your domain and issue a certificate, the A record (IPv4) for your Synology device's FQDN (fully qualified domain name) on the DNS server must point to the correct IP address. In an IPv6 network environment, the same applies to the AAAA record.
1. Run the nslookup command followed by the FQDN of your Synology device. The output shows the IP address that the A record for the FQDN points to.
2. Sign in to your Synology device via SSH.
3. Run curl checkip.synology.com or curl checkipv6.synology.com to get the public IPv4 or IPv6 address of your Synology device.
4. Ensure that the IP address from step 1 matches the one from step 3. If they differ, contact your DNS host or domain provider to correct the A or AAAA record for your device.
If you have assigned subdomain names to any of your DSM services (e.g., Synology Chat), you must also check the A or AAAA records of these subdomains by following the steps above.
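The DNS check above, scripted for all of a certificate's names at once, as an added example that is not part of the original article: it runs nslookup for each name, fetches the public address from checkip.synology.com or checkipv6.synology.com as in step 3, and reports every name whose records do not all match. The function names and the nslookup output parsing are my own assumptions, not Synology tooling.

```shell
#!/bin/sh
# Added example, not part of the Synology article: check that every domain
# name intended for one Let's Encrypt certificate resolves to this device's
# public address. Assumes DSM's nslookup and curl; checkip hosts per article.

# Extract resolved addresses from nslookup output on stdin ("Address: x" and
# BusyBox "Address 1: x" layouts), skipping the resolver's own address,
# which appears before the "Name:" line.
parse_nslookup() {
    awk '/^Name:/ { seen = 1 }
         seen && /^Address/ {
             for (i = 1; i <= NF; i++)
                 if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ ||
                     $i ~ /^[0-9a-fA-F]*:[0-9a-fA-F:]*:[0-9a-fA-F]*$/)
                     print $i
         }'
}

# Resolve the A (IPv4) or AAAA (IPv6) records of one name.
resolve_addrs() {
    nslookup -type="$2" "$1" 2>/dev/null | parse_nslookup
}

# Succeed only if the whitespace-separated address list is non-empty and every
# entry equals the public IP; one stray record fails validation for that name.
check_match() {
    resolved="$1"; public_ip="$2"
    [ -n "$resolved" ] || return 1
    for addr in $resolved; do
        [ "$addr" = "$public_ip" ] || return 1
    done
    return 0
}

# Usage: check_cert_names 4 example.com mail.example.com   (or 6 for AAAA)
check_cert_names() {
    if [ "$1" = 6 ]; then rtype=AAAA; url=checkipv6.synology.com
    else rtype=A; url=checkip.synology.com; fi
    shift
    public_ip=$(curl -s "$url") || return 1
    status=0
    for name in "$@"; do
        addrs=$(resolve_addrs "$name" "$rtype")
        if check_match "$addrs" "$public_ip"; then echo "OK    $name -> $public_ip"
        else echo "FAIL  $name -> ${addrs:-<no $rtype record>}"; status=1; fi
    done
    return "$status"
}
if [ "$#" -gt 0 ]; then check_cert_names "$@"; fi
```

A non-zero exit status means at least one name would fail Let's Encrypt's validation and its DNS record needs correcting before you retry.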
Forward port 80 to your Synology device
Network packets arriving on port 80 of your upstream router/switch must be forwarded to port 80 of your Synology device. Before checking the port forwarding configuration, verify that port 80 on your Synology device itself is open.
Once you have confirmed that port 80 on your Synology device is reachable, check the port forwarding from your router to your Synology device with the following tests:
- Test 1: Open a web browser on your local network (i.e., the one where your Synology device is located), and go to the web page "http://Private IP address of your Synology device".
- Test 2: Open a web browser on your local network, and go to the web page "http://FQDN of your Synology device".
- Test 3: Open a web browser outside your local area network, and go to the web page "http://FQDN of your Synology device".
If all three tests show the same web page, port 80 of your router is correctly forwarded to port 80 of your Synology device.