Synology Let’s Encrypt certificate renewal doesn’t work with VPN connection enabled


Small lesson learned – I got warning e-mails from Let’s Encrypt that some of the certificates I used to access certain services on my Synology NAS were about to expire. I was mildly surprised, as I have all certificates on auto-renewal on my NAS and, to my recollection, that had been working for almost a year already.

Indeed the certificates were not renewed, and the log showed

2020-09-05T09:29:10+02:00 system synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_renew[17388]: certificate.cpp:965 syno-letsencrypt failed. 200 [Fetching http://@@URL@@/.well-known/acme-challenge/@@challenge@@: Timeout during connect (likely firewall problem)]

So I thought I needed to open port 80 or 443, as the Synology UI tool also suggested – but it turned out I already had that in place in my network firewall. Turning Synology’s own firewall off didn’t help either (I had found online that it did help someone with this particular issue).

It took me some time to realize I had set up my Synology to connect to a VPN server – which obviously resulted in this error… Turning off the VPN connection made Let’s Encrypt happy again.
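
A check that can be run before a renewal, added here as an example and not part of the original post: it reports whether a VPN interface currently carries the default route. It assumes the timeout occurs because the VPN client has taken over the default route, so replies to the validation request leave through the tunnel, and that tunnel interfaces are named tun*, tap*, ppp* or wg*; the function names and sample routing tables are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag a VPN client that has taken over the default route.
# Assumption: tunnel interfaces are named tun*, tap*, ppp* or wg*.

# Print the interface of every route that covers "all destinations":
# the plain default route, plus the 0.0.0.0/1 and 128.0.0.0/1 pair that
# OpenVPN's redirect-gateway def1 adds on top of it.
catch_all_devs() {
    awk '$1 == "default" || $1 == "0.0.0.0/1" || $1 == "128.0.0.0/1" {
             for (i = 2; i < NF; i++) if ($i == "dev") print $(i + 1)
         }' | sort -u
}

# Exit 0 (true) if any catch-all route leaves through a tunnel interface.
vpn_owns_default_route() {
    for dev in $(catch_all_devs); do
        case "$dev" in
            tun*|tap*|ppp*|wg*) return 0 ;;
        esac
    done
    return 1
}

# Constructed sample routing tables (not taken from a real NAS).
ROUTES_NO_VPN='default via 192.168.1.1 dev eth0 src 192.168.1.20
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20'

ROUTES_VPN_DEF1='0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0 src 192.168.1.20
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20'

# On the NAS itself, feed the live table instead of a sample.
if command -v ip >/dev/null 2>&1; then
    if ip route show | vpn_owns_default_route; then
        echo "default route is on a VPN interface: renewal will likely time out"
    else
        echo "default route is not on a VPN interface"
    fi
fi
```

The second sample shows why matching only the `default` line is not enough: with `redirect-gateway def1` the original default route stays on eth0 while the two /1 routes send all traffic through tun0.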

