Synology Letsencrypt Renewal and Unifi Firmware Update Fail



  • Hi,
    pfSense 2.4.4-RELEASE-p3
    DNS Server Setting on General Setup Page 1.1.1.1, 1.0.0.1
    DNS Forwarder and Resolver enabled
Firewall LAN rules force the pfSense IP to be used as DNS
    pfBlockerNG 2.1.4_18

    Synology Letsencrypt Renewal and Unifi Firmware Update Fail. If I disable pfBlockerNG, remove firewall LAN rule to allow other DNS and change Synology and Unifi Cloud Key DNS to 1.1.1.1 (or any external DNS), LE renewal and Unifi firmware update will work.

    Can anyone advise? Thank you.



  • @saunada said in Synology Letsencrypt Renewal and Unifi Firmware Update Fail:

    Can anyone advise?

    Yep.
    It looks like you have a very off standard DNS setup.
    This :

    @saunada said in Synology Letsencrypt Renewal and Unifi Firmware Update Fail:

    DNS Forwarder and Resolver enabled

    has been done for what reason ?

Normally, the DNS Server Setting on the General Setup page is set to 127.0.0.1; you might consider adding "::1", but that's it.
You're giving away your (private) DNS requests to "1.1.1.1", which isn't needed at all. Default DNS settings, using only the resolver, work just fine.
pfBlockerNG 2.1.4_18 is still available, but know that pfBlockerNG-devel / 2.2.5_29 is far superior.

Letsencrypt Renewal : it all depends on what method you are using, etc. The acme pfSense package logs severally. What does it tell you ?



I had DNS Forwarding enabled because of the following, but I noticed now that they are also in DNS Resolver. I will disable DNS forwarding.
[screenshot]

Do you mean 127.0.0.1::1 in the DNS Server Setting? What does "::1" mean?

    I will upgrade pfBlockerNG as well.

Synology (LE renewal) logs in the web interface do not tell much. I am not sure where to get them. I am using the tool in the web interface. Not sure if it is acme in the background. I will make the above changes tonight (the equipment is operational now) and update here again. Thank you.



  • @saunada said in Synology Letsencrypt Renewal and Unifi Firmware Update Fail:

    Do you mean 127.0.0.1::1 in the DNS Server Setting? what does "::1" mean?

127.0.0.1 is the default, and it's IPv4.
::1 is the IPv6 counterpart.

Like :
[screenshot]

    @saunada said in Synology Letsencrypt Renewal and Unifi Firmware Update Fail:

    I am not sure where to get them

Here : /tmp/acme/[acme - LE account name]/acme_issuecert.log if you're talking about the acme pfSense package.
Let's Encrypt cert renewal on a Syno NAS is totally not related to pfSense. I would advise you to use the acme pfSense package, ask for a wildcard cert, and export it once every 60 days or so to your Syno NAS (and other devices, if needed).



  • @Gertjan said in Synology Letsencrypt Renewal and Unifi Firmware Update Fail:

Like :
[screenshot]

    Thank you.

Here : /tmp/acme/[acme - LE account name]/acme_issuecert.log if you're talking about the acme pfSense package.
Let's Encrypt cert renewal on a Syno NAS is totally not related to pfSense. I would advise you to use the acme pfSense package, ask for a wildcard cert, and export it once every 60 days or so to your Syno NAS (and other devices, if needed).

    Is the exporting a manual process?



  • Yes.

    You have to click on these icons

[screenshot]

    to export the certs - P12 and pem format.

    The certs are also available here :

[screenshot]

You'll have to write a script to send it over to other devices. But as you might have guessed : the Synology DSM GUI uses a ... GUI to install the certs. Maybe it can be done using scripts on the Synology; an SSH interface exists, but you have to discover that yourself.
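The "export it once every 60 days" step and the script Gertjan leaves to the reader, as an added example that is neither from this thread nor from the acme package: it checks how close the issued cert is to expiry with `openssl x509 -checkend` and only then copies the PEM files to the NAS over SSH. ACME_DIR, CERT_NAME, NAS_HOST, NAS_DIR and the acme.sh-style file layout are assumptions to adjust; installing the cert inside DSM is not covered.

```shell
#!/bin/sh
# Added example (not the acme package's own tooling). Exports the pfSense acme cert
# to a Synology NAS when it is within RENEW_WINDOW_DAYS of expiry. Every path and
# host below is a placeholder assumption for your own environment.
set -u

ACME_DIR="${ACME_DIR:-/tmp/acme/ACCOUNT_NAME_PLACEHOLDER}"  # hypothetical acme account dir
CERT_NAME="${CERT_NAME:-example.com}"                        # hypothetical certificate name
NAS_HOST="${NAS_HOST:-admin@nas.lan}"                        # hypothetical SSH target
NAS_DIR="${NAS_DIR:-/volume1/certs}"                         # hypothetical destination dir
RENEW_WINDOW_DAYS="${RENEW_WINDOW_DAYS:-30}"                 # export when <30 days remain

# Returns 0 if the certificate in $1 expires within $2 days, 1 if it stays valid
# longer, and 2 if the file is missing or is not a parseable X.509 certificate.
cert_expires_within() {
    cert="$1"; days="$2"
    openssl x509 -noout -in "$cert" >/dev/null 2>&1 || return 2
    # -checkend exits 0 only when the cert is still valid after that many seconds
    if openssl x509 -noout -checkend "$((days * 86400))" -in "$cert" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Copies cert, key and chain to the NAS; the private key gets owner-only permissions.
push_cert_to_nas() {
    src_dir="$1"; name="$2"
    ssh "$NAS_HOST" "mkdir -p '$NAS_DIR' && chmod 700 '$NAS_DIR'" || return 1
    for f in "$name.cer" "$name.key" "fullchain.cer"; do   # assumed acme.sh-style names
        scp -q "$src_dir/$f" "$NAS_HOST:$NAS_DIR/$f" || return 1
    done
    ssh "$NAS_HOST" "chmod 600 '$NAS_DIR/$name.key'"
}

export_if_needed() {
    cert_dir="$ACME_DIR/$CERT_NAME"   # assumed layout: one subdirectory per certificate
    cert_expires_within "$cert_dir/$CERT_NAME.cer" "$RENEW_WINDOW_DAYS"
    case $? in
        0) echo "cert expires within $RENEW_WINDOW_DAYS days, exporting"
           push_cert_to_nas "$cert_dir" "$CERT_NAME" ;;
        1) echo "cert still valid, nothing to do" ;;
        *) echo "cannot read $cert_dir/$CERT_NAME.cer" >&2; return 2 ;;
    esac
}

# Run with --run from cron; sourcing the file only defines the functions.
if [ "${1:-}" = "--run" ]; then export_if_needed; fi
```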

