Deploy synology_dsm.sh - Error 109 (was succeed 2 months ago) #5191

Closed
LordDarkneo opened this issue Jun 30, 2024 · 8 comments

@LordDarkneo
Contributor

LordDarkneo commented Jun 30, 2024

Hello all!

I just realized that my certificate was not renewed a few weeks ago. After checking the logs, I saw a deployment issue:

Getting certificates in Synology DSM...
POST
_post_url='http://192.168.1.100:5000/webapi/entry.cgi'
_CURL='curl --silent --dump-header /acme.sh/http.header -L -g '
_ret='0'
escaped_certificate='Certificat LE pour domaine OVH'
Failed to fetch certificate info with error: 119, please try again or contact Synology to learn more.
Error deploy for domain:mydomain.ovh
Deploy error.
Return code: 1
Error renew mydomain.ovh.
_error_level='1'
_set_level='2'
The NOTIFY_HOOK is empty, just return.
===End cron===

I checked the synology_dsm.sh file, and the issue seems to be here:

  _info "Getting certificates in Synology DSM..."
  response=$(_post "api=SYNO.Core.Certificate.CRT&method=list&version=1&_sid=$sid" "$_base_url/webapi/entry.cgi")
  _debug3 response "$response"
  escaped_certificate="$(printf "%s" "$SYNO_CERTIFICATE" | sed 's/\([].*^$[]\)/\\\1/g;s/"/\\\\"/g')"
  _debug escaped_certificate "$escaped_certificate"
  id=$(echo "$response" | sed -n "s/.*\"desc\":\"$escaped_certificate\",\"id\":\"\([^\"]*\).*/\1/p")
  _debug2 id "$id"

  error_code=$(echo "$response" | grep '"error":' | grep -o '"code":[0-9]*' | grep -o '[0-9]*')
  _debug2 error_code "$error_code"
  if [ -n "$error_code" ]; then
    if [ "$error_code" -eq 105 ]; then
      _err "Current user is not administrator and does not have sufficient permission for deploying."
    else
      _err "Failed to fetch certificate info with error: $error_code, please try again or contact Synology to learn more."
    fi
    _temp_admin_cleanup "$SYNO_USE_TEMP_ADMIN" "$SYNO_USERNAME"
    return 1
  fi

I saw there has been a modification on this file 2 months ago... What's surprising is that I normally configured the acme not to be updated automatically.... So I do not understand why I received the updates.

Thanks in advance for your help (I am a real beginner in Docker... So if someone can tell me how to download the certificates so I'll update them manually with the DSM interface).

FYI: the Acme is running on a docker (neilpang one) on a Synology. Previous logs in mid-April were:

Getting certificates in Synology DSM
POST
_post_url='http://192.168.1.100:5000/webapi/entry.cgi'
_CURL='curl --silent --dump-header /acme.sh/http.header -L -g '
_ret='0'
escaped_certificate='Certificat LE pour domaine OVH'
Generate form POST request
Upload certificate to the Synology DSM
POST
_post_url='http://192.168.1.100:5000/webapi/entry.cgi?api=SYNO.Core.Certificate&method=import&version=1&SynoToken=xxxxx
_CURL='curl --silent --dump-header /acme.sh/http.header -L -g '
_ret='0'
Restarting HTTP services succeeded
GET
url='http://192.168.1.100:5000/webapi/auth.cgi?api=SYNO.API.Auth&version=6&method=logout&_sid=xxxxx
timeout=
_CURL='curl --silent --dump-header /acme.sh/http.header -L -g '
ret='0'
Success
Return code: 0
_error_level='2'
_set_level='2'
The NOTIFY_HOOK is empty, just return.
===End cron===


Please upgrade to the latest code and try again first. Maybe it's already fixed.

acme.sh --upgrade

If it's still not working, please provide the log with --debug 2, otherwise, nobody can help you.

@LordDarkneo
Contributor Author

Well... trying to get the level 3 debug logs, I ran this command:
acme.sh --deploy -d 'mydomain.ovh' --deploy-hook synology_dsm --debug 3

And the deployment.... Has succeeded.... without changing anything.....

[Sun Jun 30 13:11:57 UTC 2024] readlink exists=0
[Sun Jun 30 13:11:57 UTC 2024] dirname exists=0
[Sun Jun 30 13:11:57 UTC 2024] Lets find script dir.
[Sun Jun 30 13:11:57 UTC 2024] SCRIPT='/usr/local/bin/acme.sh'
[Sun Jun 30 13:11:57 UTC 2024] _script='/root/.acme.sh/acme.sh'
[Sun Jun 30 13:11:57 UTC 2024] _script_home='/root/.acme.sh'
[Sun Jun 30 13:11:57 UTC 2024] Using default home:/root/.acme.sh
[Sun Jun 30 13:11:57 UTC 2024] Using config home:/acme.sh
[Sun Jun 30 13:11:57 UTC 2024] ACCOUNT_CONF_PATH='/acme.sh/account.conf'
[Sun Jun 30 13:11:57 UTC 2024] OK
[Sun Jun 30 13:11:57 UTC 2024] 4:AUTO_UPGRADE='0'
[Sun Jun 30 13:11:57 UTC 2024] LE_WORKING_DIR='/root/.acme.sh'
https://github.com/acmesh-official/acme.sh
v3.0.8
[Sun Jun 30 13:11:57 UTC 2024] Running cmd: deploy
[Sun Jun 30 13:11:57 UTC 2024] Using config home:/acme.sh
[Sun Jun 30 13:11:57 UTC 2024] ACCOUNT_CONF_PATH='/acme.sh/account.conf'
[Sun Jun 30 13:11:57 UTC 2024] default_acme_server='https://acme-v02.api.letsencrypt.org/directory'
[Sun Jun 30 13:11:57 UTC 2024] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Sun Jun 30 13:11:57 UTC 2024] _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org'
[Sun Jun 30 13:11:57 UTC 2024] _ACME_SERVER_PATH='directory'
[Sun Jun 30 13:11:57 UTC 2024] CA_CONF='/acme.sh/ca/acme-v02.api.letsencrypt.org/directory/ca.conf'
[Sun Jun 30 13:11:57 UTC 2024] DOMAIN_PATH='/acme.sh/mydomain.ovh'
[Sun Jun 30 13:11:57 UTC 2024] DOMAIN_CONF='/acme.sh/mydomain.ovh/mydomain.ovh.conf'
[Sun Jun 30 13:11:57 UTC 2024] OK
[Sun Jun 30 13:11:57 UTC 2024] 16:Le_DeployHook='synology_dsm,'
[Sun Jun 30 13:11:57 UTC 2024] _deployApi='/root/.acme.sh/deploy/synology_dsm.sh'
[Sun Jun 30 13:11:57 UTC 2024] synology_dsm_deploy exists=0
[Sun Jun 30 13:11:57 UTC 2024] _cdomain='mydomain.ovh'
[Sun Jun 30 13:11:57 UTC 2024] Domain config new key exists, old key SAVED_SYNO_Username='user' has been removed.
[Sun Jun 30 13:11:57 UTC 2024] Domain config new key exists, old key SAVED_SYNO_Password='password' has been removed.
[Sun Jun 30 13:11:57 UTC 2024] Domain config new key exists, old key SAVED_SYNO_Device_ID='xxxxx' has been removed.
[Sun Jun 30 13:11:57 UTC 2024] SYNO_USE_TEMP_ADMIN
[Sun Jun 30 13:11:57 UTC 2024] SYNO_USE_TEMP_ADMIN
[Sun Jun 30 13:11:57 UTC 2024] SYNO_USERNAME='Acme-cert'
[Sun Jun 30 13:11:57 UTC 2024] SYNO_PASSWORD='[hidden](please add '--output-insecure' to see this value)'
[Sun Jun 30 13:11:57 UTC 2024] SYNO_DEVICE_NAME='CertRenewal'
[Sun Jun 30 13:11:57 UTC 2024] SYNO_DEVICE_ID='[hidden](please add '--output-insecure' to see this value)'
[Sun Jun 30 13:11:57 UTC 2024] Domain config new key exists, old key SAVED_SYNO_Scheme='http' has been removed.
[Sun Jun 30 13:11:57 UTC 2024] Domain config new key exists, old key SAVED_SYNO_Hostname='192.168.1.100' has been removed.
[Sun Jun 30 13:11:57 UTC 2024] Domain config new key exists, old key SAVED_SYNO_Port='5000' has been removed.
[Sun Jun 30 13:11:57 UTC 2024] OK
[Sun Jun 30 13:11:57 UTC 2024] 30:SAVED_SYNO_SCHEME='http'
[Sun Jun 30 13:11:57 UTC 2024] OK
[Sun Jun 30 13:11:57 UTC 2024] 31:SAVED_SYNO_HOSTNAME='192.168.1.100'
[Sun Jun 30 13:11:57 UTC 2024] OK
[Sun Jun 30 13:11:57 UTC 2024] 32:SAVED_SYNO_PORT='5000'
[Sun Jun 30 13:11:57 UTC 2024] SYNO_SCHEME='http'
[Sun Jun 30 13:11:57 UTC 2024] SYNO_HOSTNAME='192.168.1.100'
[Sun Jun 30 13:11:57 UTC 2024] SYNO_PORT='5000'
[Sun Jun 30 13:11:57 UTC 2024] Domain config new key exists, old key SAVED_SYNO_Certificate='Certificat LE pour domaine OVH' has been removed.
[Sun Jun 30 13:11:57 UTC 2024] SYNO_CERTIFICATE='Certificat LE pour domaine OVH'
[Sun Jun 30 13:11:57 UTC 2024] Getting API version...
[Sun Jun 30 13:11:57 UTC 2024] _base_url='http://192.168.1.100:5000'
[Sun Jun 30 13:11:57 UTC 2024] GET
[Sun Jun 30 13:11:57 UTC 2024] url='http://192.168.1.100:5000/webapi/query.cgi?api=SYNO.API.Info&version=1&method=query&query=SYNO.API.Auth'
[Sun Jun 30 13:11:57 UTC 2024] timeout=
[Sun Jun 30 13:11:57 UTC 2024] curl exists=0
[Sun Jun 30 13:11:57 UTC 2024] mktemp exists=0
[Sun Jun 30 13:11:57 UTC 2024] wget exists=0
[Sun Jun 30 13:11:57 UTC 2024] _CURL='curl --silent --dump-header /acme.sh/http.header -L --trace-ascii /tmp/tmp.iD1d7FuriB -g '
[Sun Jun 30 13:11:58 UTC 2024] ret='0'
[Sun Jun 30 13:11:58 UTC 2024] response='{"data":{"SYNO.API.Auth":{"maxVersion":6,"minVersion":1,"path":"auth.cgi"}},"success":true}'
[Sun Jun 30 13:11:58 UTC 2024] api_path='auth.cgi'
[Sun Jun 30 13:11:58 UTC 2024] api_version='6'
[Sun Jun 30 13:11:58 UTC 2024] Logging into 192.168.1.100:5000...
[Sun Jun 30 13:11:58 UTC 2024] od exists=0
[Sun Jun 30 13:11:58 UTC 2024] _url_encode
[Sun Jun 30 13:11:58 UTC 2024] _hex_str=' 41 63 6d 65 2d 63 65 72 74'
[Sun Jun 30 13:11:58 UTC 2024] od exists=0
[Sun Jun 30 13:11:58 UTC 2024] _url_encode
[Sun Jun 30 13:11:58 UTC 2024] _hex_str=' 7a 42 6e 71 24 4b 31 38 31 38 31 38 21'
[Sun Jun 30 13:11:58 UTC 2024] error_code='403'
[Sun Jun 30 13:11:58 UTC 2024] GET
[Sun Jun 30 13:11:58 UTC 2024] url='http://192.168.1.100:5000/webapi/auth.cgi?api=SYNO.API.Auth&version=6&method=login&format=sid&account=user&passwd=pwd&enable_syno_token=yes&device_name=CertRenewal&device_id=B3J4N01003'
[Sun Jun 30 13:11:58 UTC 2024] timeout=
[Sun Jun 30 13:11:58 UTC 2024] curl exists=0
[Sun Jun 30 13:11:58 UTC 2024] mktemp exists=0
[Sun Jun 30 13:11:58 UTC 2024] wget exists=0
[Sun Jun 30 13:11:58 UTC 2024] _CURL='curl --silent --dump-header /acme.sh/http.header -L --trace-ascii /tmp/tmp.cgFXRZtbLB -g '
[Sun Jun 30 13:11:59 UTC 2024] ret='0'
[Sun Jun 30 13:11:59 UTC 2024] response='[hidden](please add '--output-insecure' to see this value)'
[Sun Jun 30 13:11:59 UTC 2024] error_code
[Sun Jun 30 13:11:59 UTC 2024] Session ID='zAQ7x2jazj99AB3J4N01003'
[Sun Jun 30 13:11:59 UTC 2024] SynoToken='IAk.m0v9Bqlcg'
[Sun Jun 30 13:11:59 UTC 2024] H1='X-SYNO-TOKEN: IAk.m0v9Bqlcg'
[Sun Jun 30 13:11:59 UTC 2024] OK
[Sun Jun 30 13:11:59 UTC 2024] 26:SAVED_SYNO_USERNAME='user'
[Sun Jun 30 13:11:59 UTC 2024] OK
[Sun Jun 30 13:11:59 UTC 2024] 27:SAVED_SYNO_PASSWORD='password'
[Sun Jun 30 13:11:59 UTC 2024] OK
[Sun Jun 30 13:11:59 UTC 2024] 28:SAVED_SYNO_DEVICE_ID='xxx'
[Sun Jun 30 13:11:59 UTC 2024] OK
[Sun Jun 30 13:11:59 UTC 2024] 29:SAVED_SYNO_DEVICE_NAME='CertRenewal'
[Sun Jun 30 13:11:59 UTC 2024] Getting certificates in Synology DSM...
[Sun Jun 30 13:11:59 UTC 2024] POST
[Sun Jun 30 13:11:59 UTC 2024] _post_url='http://192.168.1.100:5000/webapi/entry.cgi'
[Sun Jun 30 13:11:59 UTC 2024] body='api=SYNO.Core.Certificate.CRT&method=list&version=1&_sid=zAQ7x2jazj99AB3J4N01003'
[Sun Jun 30 13:11:59 UTC 2024] _postContentType
[Sun Jun 30 13:11:59 UTC 2024] curl exists=0
[Sun Jun 30 13:11:59 UTC 2024] mktemp exists=0
[Sun Jun 30 13:11:59 UTC 2024] wget exists=0
[Sun Jun 30 13:11:59 UTC 2024] _CURL='curl --silent --dump-header /acme.sh/http.header -L --trace-ascii /tmp/tmp.lP5f5rBE4W -g '
[Sun Jun 30 13:11:59 UTC 2024] _ret='0'
[Sun Jun 30 13:11:59 UTC 2024] response='{"data":{"certificates":[{"desc":"","id":"AeNVW2","is_default":false,"issuer":{"common_name":"R3","country":"US","organization":"Let's Encrypt"},"services":[],"signature_algorithm":[...] },"success":true}'
[Sun Jun 30 13:11:59 UTC 2024] escaped_certificate='Certificat LE pour domaine OVH'
[Sun Jun 30 13:11:59 UTC 2024] id='Cbb2wb'
[Sun Jun 30 13:11:59 UTC 2024] error_code
[Sun Jun 30 13:11:59 UTC 2024] SYNO_CREATE
[Sun Jun 30 13:11:59 UTC 2024] base64 single line.
[Sun Jun 30 13:11:59 UTC 2024] OK
[Sun Jun 30 13:11:59 UTC 2024] 33:SAVED_SYNO_CERTIFICATE='_ACME_BASE64__START_Q2VydGlmaWNhdCBMRSBwb3VyIGRvbWFpbmUgT1ZI__ACME_BASE64__END'
[Sun Jun 30 13:11:59 UTC 2024] Generating form POST request...
[Sun Jun 30 13:11:59 UTC 2024] default='This is the default certificate'
[Sun Jun 30 13:11:59 UTC 2024] Upload certificate to the Synology DSM.
[Sun Jun 30 13:11:59 UTC 2024] POST
[Sun Jun 30 13:11:59 UTC 2024] _post_url='http://192.168.1.100:5000/webapi/entry.cgi?api=SYNO.Core.Certificate&method=import&version=1&SynoToken=IAk.m0v9Bqlcg&_sid=zAQ7x2jazj99AB3J4N01003'
[Sun Jun 30 13:11:59 UTC 2024] body='----------------------------20240630131159
Content-Disposition: form-data; name="key"; filename="mydomain.ovh.key"
Content-Type: application/octet-stream

-----BEGIN RSA PRIVATE KEY-----
M
g=
-----END RSA PRIVATE KEY-----

----------------------------20240630131159
Content-Disposition: form-data; name="cert"; filename="mydomain.ovh.cer"
Content-Type: application/octet-stream

-----BEGIN CERTIFICATE-----
M
gB5b
-----END CERTIFICATE-----

----------------------------20240630131159
Content-Disposition: form-data; name="inter_cert"; filename="ca.cer"
Content-Type: application/octet-stream

-----BEGIN CERTIFICATE-----
MI
A
-----END CERTIFICATE-----

----------------------------20240630131159
Content-Disposition: form-data; name="id"

Cbb2wb
----------------------------20240630131159
Content-Disposition: form-data; name="desc"

Certificat LE pour domaine OVH
----------------------------20240630131159
Content-Disposition: form-data; name="as_default"

true
----------------------------20240630131159--
'
[Sun Jun 30 13:11:59 UTC 2024] _postContentType='multipart/form-data; boundary=--------------------------20240630131159'
[Sun Jun 30 13:11:59 UTC 2024] curl exists=0
[Sun Jun 30 13:11:59 UTC 2024] mktemp exists=0
[Sun Jun 30 13:11:59 UTC 2024] wget exists=0
[Sun Jun 30 13:11:59 UTC 2024] _CURL='curl --silent --dump-header /acme.sh/http.header -L --trace-ascii /tmp/tmp.azZ57SEeHi -g '
[Sun Jun 30 13:12:04 UTC 2024] _ret='0'
[Sun Jun 30 13:12:04 UTC 2024] response='{"data":{"id":"Cbb2wb","restart_httpd":true},"success":true}'
[Sun Jun 30 13:12:04 UTC 2024] Restart HTTP services succeeded.
[Sun Jun 30 13:12:04 UTC 2024] GET
[Sun Jun 30 13:12:04 UTC 2024] url='http://192.168.1.100:5000/webapi/auth.cgi?api=SYNO.API.Auth&version=6&method=logout&_sid=zAQ7x2jazj99AB3J4N01003'
[Sun Jun 30 13:12:04 UTC 2024] timeout=
[Sun Jun 30 13:12:04 UTC 2024] curl exists=0
[Sun Jun 30 13:12:04 UTC 2024] mktemp exists=0
[Sun Jun 30 13:12:04 UTC 2024] wget exists=0
[Sun Jun 30 13:12:04 UTC 2024] _CURL='curl --silent --dump-header /acme.sh/http.header -L --trace-ascii /tmp/tmp.PQpNgU1c8L -g '
[Sun Jun 30 13:12:04 UTC 2024] ret='0'
[Sun Jun 30 13:12:04 UTC 2024] response='{"success":true}'
[Sun Jun 30 13:12:04 UTC 2024] Success

Any clue why I had this 119 error message?
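
A level-3 debug log like the one above still carries values that the `[hidden]` masking does not cover, for example `_hex_str` (the bytes passed to `_url_encode`), `_sid`, `SynoToken`, `device_id` and the PEM bodies in the upload request. The filter below is an added example, not part of the thread or of acme.sh, that redacts those fields before a log is shared; `scrub_acme_log` and `sample_log` are hypothetical names, and the key list is taken from the log on this page.

```shell
#!/bin/sh
# Added example (not from acme.sh): redact an acme.sh debug log before posting it.
# scrub_acme_log and sample_log are hypothetical names; the key names matched
# below are the ones that appear in the log on this page.

# Reads a log on stdin, writes the redacted log on stdout.
scrub_acme_log() {
  awk '
    # Keep PEM BEGIN/END markers, replace everything between them.
    /-----BEGIN [A-Z ]+-----/ { print; print "[redacted PEM body]"; in_pem = 1; next }
    /-----END [A-Z ]+-----/   { in_pem = 0 }
    in_pem { next }
    { print }
  ' | sed -E \
    -e "s/(_hex_str=')[^']*/\1[redacted]/" \
    -e "s/((Session ID|SynoToken|SAVED_SYNO_(USERNAME|PASSWORD|DEVICE_ID|Username|Password|Device_ID))=')[^']*/\1[redacted]/" \
    -e "s/(X-SYNO-TOKEN: )[^']*/\1[redacted]/" \
    -e "s/((_sid|SynoToken|passwd|account|device_id)=)[^&' ]+/\1[redacted]/g"
}

# Constructed sample input: every value is made up, 192.0.2.10 is a
# documentation address.
sample_log() {
  cat <<'EOF'
[t] _hex_str=' 41 42 43'
[t] url='http://192.0.2.10:5000/webapi/auth.cgi?api=SYNO.API.Auth&method=login&account=alice&passwd=s3cret&device_id=DEV123'
[t] Session ID='SIDVALUE'
[t] SynoToken='TOKVALUE'
[t] H1='X-SYNO-TOKEN: TOKVALUE'
[t] body='api=SYNO.Core.Certificate.CRT&method=list&version=1&_sid=SIDVALUE'
-----BEGIN RSA PRIVATE KEY-----
KEYLINE1
KEYLINE2
-----END RSA PRIVATE KEY-----
[t] 27:SAVED_SYNO_PASSWORD='s3cret'
[t] SYNO_SCHEME='http'
EOF
}

# Show the redacted form of the constructed sample.
sample_log | scrub_acme_log
```

Non-secret fields such as `SYNO_SCHEME` and the API method names pass through unchanged, so the redacted log stays usable for debugging.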

@scruel
Contributor

scruel commented Jul 5, 2024

According to the official doc of Login Web API, 119 means "Invalid session". I don't know how it can happen, and since you can't reproduce this issue either, we won't be able to identify the reason to help.

@nillebor

You need 2FA for the Synology-ACME-Admin-User?
Try once without 2FA or delete the device ID and re-enter the TOP.
Have you installed ACME natively on Diskstation or in Docker?

I think it's a 2FA problem.

@LordDarkneo
Contributor Author

Well, 2FA is needed when you activate it on your Synology, I don't think it relates to the admin account.
But as said it was working previously with the exact same configuration, and worked when I only published the certificate.. So it seems to be an impossible issue to reproduce... (I forgot to close this case... Sorry for that)

@nillebor

Don't just give up.
Did you install acme.sh natively or in Docker?

Required for the import acme.sh a user account with administrator rights, not without the admin or adminuser. It is best to test the import without 2FA. There should be no $ sign in password. If this works, you can test the 2FA again. The 2FA has often caused problems in the near past.

Giving up and not using acme is not an option ;)

@LordDarkneo
Contributor Author

> Don't just give up. Did you install acme.sh natively or in Docker?
>
> Required for the import acme.sh a user account with administrator rights, not without the admin or adminuser. It is best to test the import without 2FA. There should be no $ sign in password. If this works, you can test the 2FA again. The 2FA has often caused problems in the near past.
>
> Giving up and not using acme is not an option ;)

Yes the acme is on docker so no rights problem.
And point is only publication failed on the renewal. So I sshed on the docker and used the command to only publish the certificate (as they were already downloaded on the docker), and it worked perfectly without any modification on the deploy sh file.

So I do not give up using acme, I just give up investigating this issue 😅

@nillebor

Do you use acme as a daemon? With this, the update works automatically, without an extra task or command. I have already set up acme on the DS for many users, and they have been running for over 2 years without any problems. There were only problems with 2FA.

How did you install acme ssh/task or compose? How was the order?

Install via Docker/Container Manager (task not needed by daemon - it's wrong)
https://www.christosgeo.com/2022/02/03/renew-lets-encrypt-certificates-on-synology-using-acme-sh/
