
Certs not reloading after refresh

Open thefl0yd opened this issue 1 year ago • 10 comments

On both my DS1821 units it seems the certificate is not getting reloaded anymore on the webgui after it gets refreshed.

One has been offline so the certificate legitimately expired. I booted it up, ran synology-letsencrypt.sh, which fetched a new certificate just fine, and when I navigated to the web interface I was told my certificate expired N days ago. Examining the certificate shows I'm indeed presented with the old cert. synology-letsencrypt-reload-services.sh doesn't do anything useful. Software: 7.2-64570

On the other unit that I've expected regular refreshes on (and indeed, LE has not emailed me to tell me this cert is expiring), when I logged in today I was told the certificate expired Friday. Running synology-letsencrypt.sh, however, tells me that my cert is valid for 64 more days and it will not try to refresh. Running synology-letsencrypt-reload-services.sh did nothing. A reboot of the unit resulted in the NAS coming back with the now current certificate. Software: 7.2.1-69057

thefl0yd avatar Jan 14 '24 20:01 thefl0yd

Hi, I have the same issue. After debugging the scripts, I found out that the service Webstation is not listed in the file /usr/syno/etc/certificate/_archive/INFO, which means the script synology-letsencrypt-reload-services.sh does not run the commands in this if clause: https://github.com/JessThrysoee/synology-letsencrypt/blob/23ea76ac6b9eee0d3c86bdbffacb85bc5ceef869/synology-letsencrypt-reload-services.sh#L56

I have DSM 7.1.1-42962 Update 6 installed.

my current fix is to run afterwards

synow3tool --gen-all
systemctl reload nginx

raskhadafi avatar Feb 23 '24 16:02 raskhadafi

Ah awesome find, thank you! I’ve had zero time to debug so appreciate you sharing what you found.

thefl0yd avatar Feb 23 '24 17:02 thefl0yd

Thanks for the investigation @raskhadafi

I have changed the hook to always reload nginx, see https://github.com/JessThrysoee/synology-letsencrypt/commit/21cc4a9e5f9489a2bce35374f7ae4d40179313d2 -- does this fix your issues?

JessThrysoee avatar Feb 24 '24 10:02 JessThrysoee

@JessThrysoee I think that will work. I will see it in a few weeks. ;-) Thank you very much for this fast fix.

raskhadafi avatar Feb 24 '24 14:02 raskhadafi

I just got this error on a Synology NAS running DSM 6.x:

/usr/local/bin/synology-letsencrypt-reload-services.sh: line 50: systemctl: command not found

I think for DSM 6.x, you have to use:

synoservice --restart nginx

OR:

synoservicectl --restart nginx

Stunt0265 avatar Feb 26 '24 22:02 Stunt0265

@Stunt0265 what does your /usr/libexec/security-profile/tls-profile/dsm.sh look like?

JessThrysoee avatar Feb 27 '24 22:02 JessThrysoee

#!/bin/bash
if /usr/syno/sbin/synoservice --status nginx > /dev/null 2>&1; then
    /usr/syno/bin/synow3tool --gen-nginx-tmp && /usr/syno/sbin/synoservice --reload nginx
fi

Stunt0265 avatar Feb 28 '24 03:02 Stunt0265
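The two fixes discussed in this thread (raskhadafi's `synow3tool --gen-all` + `systemctl reload nginx` for DSM 7, and the `synoservice --reload nginx` form that Stunt0265's dsm.sh shows for DSM 6) can be combined into one helper that reloads nginx regardless of what the INFO file lists and then checks that the certificate DSM actually serves matches the one on disk, which is the check that would have caught both of thefl0yd's units. This is an added example, not code from synology-letsencrypt or from anyone in the thread. It assumes that `/etc.defaults/VERSION` carries a `majorversion="N"` line (standard on DSM), that DSM's HTTPS port is 5001 unless told otherwise, and that `openssl` is on the PATH; the certificate path is passed in rather than guessed.

```shell
#!/bin/sh
# Added example (not part of synology-letsencrypt): regenerate the DSM nginx
# config, reload nginx with the right tool for the DSM version, then verify
# the certificate served on the DSM port is the one that was deployed.
#
# Assumptions (labelled, not taken from the project):
#   - /etc.defaults/VERSION contains a line such as majorversion="7"
#   - DSM 6 reloads nginx via synoservice, DSM 7 via systemctl (as in the thread)
#   - DSM HTTPS listens on 5001 unless a port is given

# Print the DSM major version found in a VERSION-style file.
# Prints nothing if the file or the key is missing.
dsm_major_version() {
    version_file="${1:-/etc.defaults/VERSION}"
    sed -n 's/^majorversion="\([0-9]*\)".*/\1/p' "$version_file" 2>/dev/null | head -n 1
}

# Command line that regenerates the nginx config and reloads nginx for the
# given DSM major version. Mirrors dsm.sh on DSM 6 and the DSM 7 fix above;
# unknown/empty versions fall back to the DSM 7 form.
nginx_regen_and_reload_command() {
    case "$1" in
        6) echo "/usr/syno/bin/synow3tool --gen-nginx-tmp && /usr/syno/sbin/synoservice --reload nginx" ;;
        *) echo "/usr/syno/bin/synow3tool --gen-all && systemctl reload nginx" ;;
    esac
}

# SHA-256 fingerprint of a PEM certificate on disk (hex, colon separated).
pem_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# SHA-256 fingerprint of the leaf certificate a TLS endpoint presents.
served_fingerprint() {
    host="$1"; port="${2:-5001}"
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Reload nginx without depending on the Webstation entry in INFO.
reload_dsm_nginx() {
    eval "$(nginx_regen_and_reload_command "$(dsm_major_version)")"
}

# Return 0 if the served certificate matches the deployed PEM, 1 otherwise.
verify_served_cert() {
    host="$1"; port="$2"; cert_pem="$3"
    want="$(pem_fingerprint "$cert_pem")"
    got="$(served_fingerprint "$host" "$port")"
    if [ -n "$want" ] && [ "$want" = "$got" ]; then
        echo "OK: served certificate matches $cert_pem ($want)"
        return 0
    fi
    echo "MISMATCH: disk=$want served=$got (nginx is still serving the old cert)" >&2
    return 1
}

# Usage on the NAS (runs nothing when sourced or invoked without "run"):
#   sh reload-and-verify.sh run nas.example.org 5001 /path/to/deployed/cert.pem
case "${1:-}" in
    run) reload_dsm_nginx && verify_served_cert "$2" "${3:-5001}" "$4" ;;
esac
```

Run it right after synology-letsencrypt.sh; a non-zero exit from `verify_served_cert` means the web UI will still show the old certificate, which is exactly the symptom reported above, and a reboot is not the only remedy.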

@Stunt0265 I have committed an attempt to fix the DSM6 regression.

JessThrysoee avatar Feb 28 '24 20:02 JessThrysoee

Thanks. What's the best way to update - just run the install script again?

Stunt0265 avatar Feb 28 '24 20:02 Stunt0265

Yes

JessThrysoee avatar Feb 28 '24 20:02 JessThrysoee