acme.sh
Deploy issue on synology nas + docker
Steps to reproduce
I am a very novice user and really bad with any command lines, so someone will hopefully be very patient to help me out. Running acme.sh in a docker container on my synology NAS. A couple of months ago I started seeing an issue when renewing a cert (which is run via synology tasks).
docker exec acme acme.sh --renew -d "abc.com" --force
Looks like the cert is being renewed and uploaded, but deploy fails due to some auth issue.
Here are the settings of the container itself
Debug log
[Sat Jun 15 14:33:32 PDT 2024] Your cert is in: /acme.sh/abc.com/abc.com.cer
[Sat Jun 15 14:33:32 PDT 2024] Your cert key is in: /acme.sh/abc.com/abc.com.key
[Sat Jun 15 14:33:32 PDT 2024] The intermediate CA cert is in: /acme.sh/abc.com/ca.cer
[Sat Jun 15 14:33:32 PDT 2024] And the full chain certs is there: /acme.sh/abc.com/fullchain.cer
[Sat Jun 15 14:33:33 PDT 2024] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 3
[Sat Jun 15 14:33:33 PDT 2024] Logging into "192.168.0.86":"1313"...
[Sat Jun 15 14:33:33 PDT 2024] WARNING: Usage of SYNO_TOTP_SECRET is deprecated!
[Sat Jun 15 14:33:33 PDT 2024] See synology_dsm.sh script or ACME.sh Wiki page for details:
[Sat Jun 15 14:33:33 PDT 2024] https://github.com/acmesh-official/acme.sh/wiki/Synology-NAS-Guide
[Sat Jun 15 14:33:33 PDT 2024] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 3
[Sat Jun 15 14:33:33 PDT 2024] Unable to authenticate to "http"://"192.168.0.86":"1313", you may report the full log to the community.
[Sat Jun 15 14:33:33 PDT 2024] Error deploy for domain:abc.com
[Sat Jun 15 14:33:33 PDT 2024] Deploy error.
Please upgrade to the latest code and try again first. Maybe it's already fixed.
acme.sh --upgrade
If it's still not working, please provide the log with --debug 2, otherwise, nobody can help you.
More detailed log:
[Sat Jun 15 15:01:58 PDT 2024] Your cert is in: /acme.sh/abc.com/abc.com.cer
[Sat Jun 15 15:01:58 PDT 2024] Your cert key is in: /acme.sh/abc.com/abc.com.key
[Sat Jun 15 15:01:58 PDT 2024] The intermediate CA cert is in: /acme.sh/abc.com/ca.cer
[Sat Jun 15 15:01:58 PDT 2024] And the full chain certs is there: /acme.sh/abc.com/fullchain.cer
[Sat Jun 15 15:01:58 PDT 2024] _on_issue_success
[Sat Jun 15 15:01:58 PDT 2024] 'dns_cf' does not contain 'dns'
[Sat Jun 15 15:01:58 PDT 2024] _deployApi='/root/.acme.sh/deploy/synology_dsm.sh'
[Sat Jun 15 15:01:58 PDT 2024] _cdomain='abc.com'
[Sat Jun 15 15:01:58 PDT 2024] Domain config new key exists, old key SYNO_Username='"***"' has been removed.
[Sat Jun 15 15:01:58 PDT 2024] Domain config new key exists, old key SYNO_Password='"***"' has been removed.
[Sat Jun 15 15:01:58 PDT 2024] SYNO_USE_TEMP_ADMIN
[Sat Jun 15 15:01:58 PDT 2024] SYNO_USE_TEMP_ADMIN
[Sat Jun 15 15:01:58 PDT 2024] SYNO_USERNAME='"acme"'
[Sat Jun 15 15:01:58 PDT 2024] SYNO_PASSWORD='[hidden](please add '--output-insecure' to see this value)'
[Sat Jun 15 15:01:58 PDT 2024] SYNO_DEVICE_NAME
[Sat Jun 15 15:01:58 PDT 2024] SYNO_DEVICE_ID='[hidden](please add '--output-insecure' to see this value)'
[Sat Jun 15 15:01:58 PDT 2024] Domain config new key exists, old key SYNO_Scheme='"https"' has been removed.
[Sat Jun 15 15:01:58 PDT 2024] Domain config new key exists, old key SYNO_Port='"1314"' has been removed.
[Sat Jun 15 15:01:58 PDT 2024] SYNO_SCHEME='"http"'
[Sat Jun 15 15:01:58 PDT 2024] SYNO_HOSTNAME='"192.168.0.86"'
[Sat Jun 15 15:01:58 PDT 2024] SYNO_PORT='"1313"'
[Sat Jun 15 15:01:58 PDT 2024] Domain config new key exists, old key SYNO_Certificate='"abc.com"' has been removed.
[Sat Jun 15 15:01:58 PDT 2024] SYNO_CERTIFICATE='"abc.com"'
[Sat Jun 15 15:01:58 PDT 2024] Getting API version...
[Sat Jun 15 15:01:58 PDT 2024] _base_url='"http"://"192.168.0.86":"1313"'
[Sat Jun 15 15:01:58 PDT 2024] GET
[Sat Jun 15 15:01:58 PDT 2024] url='"http"://"192.168.0.86":"1313"/webapi/query.cgi?api=SYNO.API.Info&version=1&method=query&query=SYNO.API.Auth'
[Sat Jun 15 15:01:58 PDT 2024] timeout=
[Sat Jun 15 15:01:58 PDT 2024] Http already initialized.
[Sat Jun 15 15:01:58 PDT 2024] _CURL='curl --silent --dump-header /acme.sh/http.header -L --trace-ascii /tmp/tmp.AbfFJZR3sR -g '
[Sat Jun 15 15:01:58 PDT 2024] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 3
[Sat Jun 15 15:01:58 PDT 2024] Here is the curl dump log:
[Sat Jun 15 15:01:58 PDT 2024] == Info: URL rejected: Port number was not a decimal number between 0 and 65535
== Info: Closing connection
[Sat Jun 15 15:01:58 PDT 2024] ret='3'
[Sat Jun 15 15:01:58 PDT 2024] Logging into "192.168.0.86":"1313"...
[Sat Jun 15 15:01:58 PDT 2024] WARNING: Usage of SYNO_TOTP_SECRET is deprecated!
[Sat Jun 15 15:01:58 PDT 2024] See synology_dsm.sh script or ACME.sh Wiki page for details:
[Sat Jun 15 15:01:58 PDT 2024] https://github.com/acmesh-official/acme.sh/wiki/Synology-NAS-Guide
[Sat Jun 15 15:01:58 PDT 2024] POST
[Sat Jun 15 15:01:58 PDT 2024] _post_url='"http"://"192.168.0.86":"1313"/webapi/auth.cgi?enable_syno_token=yes'
[Sat Jun 15 15:01:58 PDT 2024] body='method=login&account=%22acme%22&passwd=%22***%22&api=SYNO.API.Auth&version=&enable_syno_token=yes&otp_code=&device_name=certrenewal&device_id='
[Sat Jun 15 15:01:58 PDT 2024] _postContentType
[Sat Jun 15 15:01:58 PDT 2024] Http already initialized.
[Sat Jun 15 15:01:58 PDT 2024] _CURL='curl --silent --dump-header /acme.sh/http.header -L --trace-ascii /tmp/tmp.AbfFJZR3sR -g '
[Sat Jun 15 15:01:58 PDT 2024] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 3
[Sat Jun 15 15:01:58 PDT 2024] Here is the curl dump log:
[Sat Jun 15 15:01:58 PDT 2024] == Info: URL rejected: Port number was not a decimal number between 0 and 65535
== Info: Closing connection
[Sat Jun 15 15:01:58 PDT 2024] _ret='3'
[Sat Jun 15 15:01:58 PDT 2024] error_code
[Sat Jun 15 15:01:58 PDT 2024] Session ID
[Sat Jun 15 15:01:58 PDT 2024] SynoToken
[Sat Jun 15 15:01:58 PDT 2024] Unable to authenticate to "http"://"192.168.0.86":"1313", you may report the full log to the community.
[Sat Jun 15 15:01:58 PDT 2024] Error deploy for domain:abc.com
[Sat Jun 15 15:01:58 PDT 2024] Deploy error.
[Sat Jun 15 15:01:58 PDT 2024] The NOTIFY_HOOK is empty, just return.
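The log above already names the fault. acme.sh prints every setting wrapped in single quotes, so SYNO_SCHEME='"http"', SYNO_HOSTNAME='"192.168.0.86"' and SYNO_PORT='"1313"' mean the stored values themselves contain double-quote characters. They are pasted verbatim into the URL, curl rejects "1313" as a port (CURLE_URL_MALFORMAT, exit code 3), and the POST body shows the same thing for the login: account=%22acme%22 is the username "acme" including quotes (%22 is a URL-encoded double quote), so the login would fail even if the URL were accepted. The following preflight check is an added example written for this thread; it is not part of acme.sh or of the synology_dsm.sh hook, and the function names and messages are my own. The input values are the ones printed in the debug log above.

```shell
#!/bin/sh
# Added example (not from the thread or from acme.sh): sanity-check the SYNO_*
# deploy settings before handing them to the hook. acme.sh prints values in
# single quotes, so SYNO_PORT='"1313"' means the value contains literal double
# quotes, which is what curl rejects with "Port number was not a decimal number".

# True (exit 0) if the value contains a double or single quote character.
has_stray_quotes() {
  case "$1" in
    *'"'*|*"'"*) return 0 ;;
  esac
  return 1
}

# Strip one layer of matching surrounding double or single quotes.
strip_quotes() {
  v=$1
  case "$v" in
    '"'*'"') v=${v#'"'}; v=${v%'"'} ;;
    "'"*"'") v=${v#"'"}; v=${v%"'"} ;;
  esac
  printf '%s' "$v"
}

# Validate scheme, host and port and print the base URL the hook would build.
# Exit 0 when the values are usable, 1 when curl (or DSM) would reject them.
check_syno_url() {
  scheme=$1
  host=$2
  port=$3
  rc=0
  for v in "$scheme" "$host" "$port"; do
    if has_stray_quotes "$v"; then
      echo "value $v contains quote characters; enter it without quotes in the container environment (SYNO_PORT=1313, not SYNO_PORT=\"1313\")" >&2
      rc=1
    fi
  done
  case "$scheme" in
    http|https) ;;
    *) echo "scheme must be http or https, got: $scheme" >&2; rc=1 ;;
  esac
  case "$port" in
    ''|*[!0-9]*) echo "port must be a decimal number, got: $port" >&2; rc=1 ;;
    *) if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
         echo "port out of range: $port" >&2; rc=1
       fi ;;
  esac
  # Plain http to anything but the local host sends the DSM admin password
  # across the LAN in cleartext; flag it even though it is not a hard error.
  if [ "$scheme" = http ]; then
    case "$host" in
      localhost|127.*) ;;
      *) echo "warning: plain http to $host sends the DSM admin password in cleartext" >&2 ;;
    esac
  fi
  printf '%s://%s:%s\n' "$scheme" "$host" "$port"
  return "$rc"
}

# Constructed input: the values exactly as the debug log above prints them.
demo() {
  echo "--- as stored (with quote characters) ---"
  check_syno_url '"http"' '"192.168.0.86"' '"1313"' || echo "rejected, as curl did (exit 3)"
  echo "--- after stripping the quotes ---"
  check_syno_url "$(strip_quotes '"http"')" "$(strip_quotes '"192.168.0.86"')" "$(strip_quotes '"1313"')"
}
demo
```

Stripping is only for the demonstration; the actual fix is to enter the environment values without quotes wherever the container gets them from, then clear the SAVED_SYNO_* entries in the domain .conf so the hook does not keep reusing the bad values.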
show me the config file:
acme.sh --info -d abc.com
Thanks for responding. Here you go:
/ # acme.sh --info -d abc.com
DOMAIN_CONF=/acme.sh/abc.com/abc.com.conf
Le_Domain=abc.com
Le_Alt=*.abc.com
Le_Webroot=dns_cf
Le_PreHook=
Le_PostHook=
Le_RenewHook=
Le_API=https://acme-v02.api.letsencrypt.org/directory
Le_Keylength=2048
Le_OrderFinalize=https://acme-v02.api.letsencrypt.org/acme/finalize/594609756/278720718317
Le_LinkOrder=https://acme-v02.api.letsencrypt.org/acme/order/594609756/278720718317
Le_LinkCert=https://acme-v02.api.letsencrypt.org/acme/cert/04e4c1ee2060df707d09516f3f6353e5de9e
Le_CertCreateTime=1718488918
Le_CertCreateTimeStr=2024-06-15T22:01:58Z
Le_NextRenewTimeStr=2024-08-13T22:01:58Z
Le_NextRenewTime=1723586518
Le_DeployHook=synology_dsm,
SAVED_SYNO_DID=__REPLACE_ME_WITH_DID_COOKIE_VALUE__
SAVED_SYNO_TOTP_SECRET=_
SAVED_SYNO_USE_TEMP_ADMIN=
SAVED_SYNO_USERNAME="acme"
SAVED_SYNO_PASSWORD="****"
SAVED_SYNO_SCHEME="http"
SAVED_SYNO_HOSTNAME="192.168.0.86"
SAVED_SYNO_PORT="1313"
SAVED_SYNO_CERTIFICATE="abc.com"
Any hints @Neilpang ?
I did everything from scratch using the synology guide (no docker) and when running an update via task scheduler still getting this deploy error:
-----END CERTIFICATE-----
[Mon Jul 1 10:29:33 PDT 2024] Your cert is in: ./abc.com_ecc/abc.com.cer
[Mon Jul 1 10:29:33 PDT 2024] Your cert key is in: ./abc.com_ecc/abc.com.key
[Mon Jul 1 10:29:33 PDT 2024] The intermediate CA cert is in: ./abc.com_ecc/ca.cer
[Mon Jul 1 10:29:33 PDT 2024] And the full chain certs is there: ./abc.com_ecc/fullchain.cer
[Mon Jul 1 10:29:34 PDT 2024] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 60
[Mon Jul 1 10:29:34 PDT 2024] Logging into localhost:1314...
[Mon Jul 1 10:29:35 PDT 2024] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 60
[Mon Jul 1 10:29:35 PDT 2024] Unable to authenticate to https://localhost:1314, you may report the full log to the community.
[Mon Jul 1 10:29:38 PDT 2024] Error deploy for domain:abc.com
[Mon Jul 1 10:29:38 PDT 2024] Deploy error.
[Mon Jul 1 10:29:38 PDT 2024] Error renew abc.com_ecc.
[Mon Jul 1 10:29:38 PDT 2024] ===End cron===
In the latest logs posted, it looks to me like the cert is an ECC cert (saved in abc.com_ecc directory):
[Mon Jul 1 10:29:33 PDT 2024] Your cert is in: ./abc.com_ecc/abc.com.cer
[Mon Jul 1 10:29:33 PDT 2024] Your cert key is in: ./abc.com_ecc/abc.com.key
[Mon Jul 1 10:29:33 PDT 2024] The intermediate CA cert is in: ./abc.com_ecc/ca.cer
[Mon Jul 1 10:29:33 PDT 2024] And the full chain certs is there: ./abc.com_ecc/fullchain.cer
You might want to try adding --ecc option to your renew and deploy commands, if you're not already doing this. I also got bit by this after my CA started issuing ECC certs.
Example:
acme.sh --renew -d "abc.com" --ecc --force
Thanks for the tip @mmercurio, but I am afraid this is unrelated to the deploy error. Tried it.
Hey @tjkcc,
You might also want to try changing Syno_SCHEME from https to http or specify --insecure option on the deploy command.
It's difficult to tell from the abbreviated logs posted, but this:
Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 60
Unable to authenticate to https://localhost:1314/, you may report the full log to the community.
looks like the deploy is failing possibly because the current cert for https://localhost:1314 is invalid (e.g. expired or self signed).
Note that the URL in the logs (https://localhost:1314) does not match the output of acme.sh --info -d abc.com posted here. Specifically the SAVED_SYNO_SCHEME is different (http vs https). Although it does match the value for Syno_SCHEME in the screenshot in your first post. So something is not getting saved properly.
If the issue is that the current cert is already expired or invalid, you may want to try adding the --insecure option to the deploy command as shown here or changing the Syno_SCHEME from https to http.
Are you able to verify if the current cert for your DSM is already invalid? If yes, then this is most likely the issue and either using --insecure or changing the scheme to http might get you back to working.
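curl exit code 60 is CURLE_PEER_FAILED_VERIFICATION: the certificate DSM presented on localhost:1314 does not chain to a CA curl trusts (self-signed, expired, or issued for a different name). Both workarounds suggested above give something up: --insecure turns verification off entirely, and switching the scheme to http sends the DSM admin password in cleartext. The script below is an added example written for this thread, not code from acme.sh or from the synology_dsm.sh hook; it uses the openssl CLI to reproduce the three situations offline with a self-signed certificate it generates itself: the default trust store rejecting it (the error 60 case), an explicit trust file accepting it (what curl --cacert does; acme.sh has a global --ca-bundle option that I believe feeds the same curl flag, so confirm it in acme.sh --help on your version before relying on it), and an expired certificate that no trust file can rescue. Function names and the temporary-directory layout are my own.

```shell
#!/bin/sh
# Added example (not from the thread or from acme.sh): what curl error 60 means,
# and the difference between disabling verification (--insecure) and trusting a
# specific certificate. Needs the openssl CLI; everything lives in a temp dir.

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Constructed stand-in for a DSM whose web UI certificate is not CA-issued:
# a self-signed cert for localhost, valid for one day.
make_selfsigned() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=localhost" \
    -keyout "$workdir/dsm.key" -out "$workdir/dsm.crt" >/dev/null 2>&1
}

# Verify the way curl does by default: against the system trust store.
# Exit 0 only if a trusted CA signed it; a self-signed cert fails here,
# which is exactly the condition behind curl exit code 60.
verify_with_system_store() {
  openssl verify "$1" >/dev/null 2>&1
}

# Verify against an explicit trust file (curl --cacert / acme.sh --ca-bundle).
# Trusting the NAS's own certificate keeps TLS verification on, unlike --insecure.
verify_with_pinned_ca() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Evaluate the same pinned chain three days from now, after the cert's notAfter.
# An expired certificate fails even when pinned; only replacing it helps.
verify_after_expiry() {
  later=$(( $(date +%s) + 3 * 86400 ))
  openssl verify -CAfile "$2" -attime "$later" "$1" >/dev/null 2>&1
}

demo() {
  make_selfsigned || { echo "openssl not available" >&2; return 1; }
  if verify_with_system_store "$workdir/dsm.crt"; then
    echo "unexpected: self-signed cert trusted by the system store"
  else
    echo "system store rejects it: this is curl error 60"
  fi
  if verify_with_pinned_ca "$workdir/dsm.crt" "$workdir/dsm.crt"; then
    echo "pinned trust file accepts it: verification stays on, no --insecure"
  fi
  if verify_after_expiry "$workdir/dsm.crt" "$workdir/dsm.crt"; then
    echo "unexpected: expired cert accepted"
  else
    echo "expired cert fails even when pinned: the cert itself must be replaced"
  fi
}
demo
```

Practical reading for this thread: if the cert on https://localhost:1314 is merely self-signed, point acme.sh at a trust file containing it rather than using --insecure. If it is already expired, pinning cannot help and the deploy is exactly what would replace it; in that one case --insecure against localhost is the lesser evil, since that connection never leaves the NAS, whereas http to a LAN address like 192.168.0.86 puts the admin password on the wire.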
@tjkcc,
why do you specify the user data in the container and not in the account.conf? This can't work. Acme.sh works in Synology and docker for years without problems.
It used to work for years without a problem for me too. Until it stopped working. And I did zero modifications, just kept the container updated.
The issue is somewhere else I think. I already tried this guide from scratch and it led me to the same error.
I still need to try what mmercurio suggested above.
@tjkcc,
Environment variables are capitalized in the container! Not like in the screenshot.
Why don't you create an account.conf in the acme folder and save your Synology and DNS entries there?
You can find a good guide here.
However, no task is necessary, as the internal cron regularly checks the certificate. You can check this every day in the container log.
If you can't handle it, I can send you my compose or docker-run command.