Synology: unable to replace expired cert with --force

[bson]

The cert expired on my Synology NAS, but I'm not sure why it didn't get updated prior to this. It might be related to a power outage. But that's a completely different problem.

Now acme.sh can't update - it correctly obtains a new cert, but when trying to install it at the tail end this fails, as it's using Syno's web api, because the existing cert has expired:

Wed Jan 29 20:38:36 UTC 2025] == Info: Host bankofzork.rockgarden.net:5001 was resolved.
== Info: IPv6: (none)
== Info: IPv4: 10.0.1.140
== Info:   Trying 10.0.1.140:5001...
== Info: Connected to bankofzork.rockgarden.net (10.0.1.140) port 5001
== Info: ALPN: curl offers h2,http/1.1
=> Send SSL data, 5 bytes (0x5)
0000: .....
== Info: TLSv1.3 (OUT), TLS handshake, Client hello (1):
=> Send SSL data, 512 bytes (0x200)
...
== Info:  CAfile: /etc/ssl/certs/ca-certificates.crt
== Info:  CApath: /etc/ssl/certs
<= Recv SSL data, 5 bytes (0x5)
0000: ....z
== Info: TLSv1.3 (IN), TLS handshake, Server hello (2):
<= Recv SSL data, 122 bytes (0x7a)
0000: ...v...,.......,`.Inq.........n......3 .A..P......-..V.Q.cp.....
0040: ..... .......+.....3.$... q....y~....=....6.Ik.p...u..z0!K
<= Recv SSL data, 5 bytes (0x5)
0000: .....
<= Recv SSL data, 5 bytes (0x5)
0000: ....$
<= Recv SSL data, 1 bytes (0x1)
0000: .
== Info: TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
<= Recv SSL data, 19 bytes (0x13)
0000: .................h2
<= Recv SSL data, 5 bytes (0x5)
0000: .....
<= Recv SSL data, 1 bytes (0x1)
0000: .
== Info: TLSv1.3 (IN), TLS handshake, Certificate (11):
<= Recv SSL data, 2939 bytes (0xb7b)
...
=> Send SSL data, 5 bytes (0x5)
0000: .....
== Info: TLSv1.3 (OUT), TLS alert, certificate expired (557):
=> Send SSL data, 2 bytes (0x2)
0000: .-
== Info: SSL certificate problem: certificate has expired
== Info: closing connection #0
[Wed Jan 29 20:38:36 UTC 2025] ret='60'
[Wed Jan 29 20:38:36 UTC 2025] response
[Wed Jan 29 20:38:36 UTC 2025] error_code
[Wed Jan 29 20:38:36 UTC 2025] Session ID
[Wed Jan 29 20:38:36 UTC 2025] SynoToken
[Wed Jan 29 20:38:36 UTC 2025] Unable to authenticate to https://bankofzork.rockgarden.net:5001, you may report this by providing full log with '--debug 3'.
[Wed Jan 29 20:38:36 UTC 2025] Error deploying for domain: *.rockgarden.net
[Wed Jan 29 20:38:36 UTC 2025] Error encountered while deploying.
[Wed Jan 29 20:38:36 UTC 2025] The NOTIFY_HOOK is empty, will just return.

The problem is it can't install a new cert because the old one has expired. --force doesn't seem to be respected at this step, which I think seems like a bug: it really shouldn't trip over these sort of chicken-and-egg problems, in fact this seems exactly when you need to force it do something. The Synology Web Manager is configured to strict mode, so http can't be used - it'll just redirect to https.

I'm not a web dev, but I imagine the fix here is for --force to add whatever option to curl that makes it ignore the validity of the peer cert. Otherwise if there's something wrong with the installed cert, anything really, then acme.sh is pathologically incapable of fixing it.

Running the neilpang image, stock (just set to persist cert state on a share).

[github-actions]

Please upgrade to the latest code and try again first. Maybe it's already fixed. acme.sh --upgrade If it's still not working, please provide the log with --debug 2, otherwise, nobody can help you.

[bson]

Please upgrade to the latest code and try again first. Maybe it's already fixed. acme.sh --upgrade If it's still not working, please provide the log with --debug 2, otherwise, nobody can help you.

Thanks, but it's already up to date...

[Wed Jan 29 21:11:09 UTC 2025] Already up to date!
[Wed Jan 29 21:11:09 UTC 2025] Upgrade successful!

[bson]

By the way - yes, installing the cert manually is very easy. The issue here is the script failing to do its job.

[szhu25]

Based on the log I believe this error occured because the API endpoint's certificate has expired, which the underlying program (probably curl?) would refuse to connect to that API hostname.

I did not look at the complete code in acme.sh, but could you try to run acme.sh again with --insecure parameter and see if that would allow you to bypass the insecure API endpoint error?

Thanks!

[JuicyFruiter]

+1 here. just posting for the subscribe notification.

I have similar issue (except my error is == Info: subjectAltName does not match hostname) and have successfully used --insecure to get past it, although I have used up my 5 a week cert renews using -force so cannot confirm that removing --insecure will continue to work successfully going forwards.

[szhu25]

I have similar issue (except my error is == Info: subjectAltName does not match hostname) and have successfully used --insecure to get past it, although I have used up my 5 a week cert renews using -force so cannot confirm that removing --insecure will continue to work successfully going forwards.

I do not believe the --insecure flag would be used as a long term solution. You might want to resolve the actual issue (aka subjectAltName does not match hostname) in order for it to run automatically in the future...
If you open up your Synology DSM with the same endpoint in your browser, does your browser throw the same error? You might want to go to Control Panel -> Security -> Certificate -> Settings and see if the certificate is assigned correctly. Or Control Panel -> External Access -> Advanced and check if the fields in there are matching your expectations.

[bson]

Based on the log I believe this error occured because the API endpoint's certificate has expired, which the underlying program (probably curl?) would refuse to connect to that API hostname.

Yes indeed, this is exactly the problem. Curl connects to the webapi to update the cert that the webapi uses to identify itself with. If it has expired the cert becomes impossible to update.

Ideally, one might imagine a behavior where an expired cert used to identify the webapi endpoint is accepted by the client, as long as the only thing wrong with it is that it's expired. Not that it's revoked, for example.