JessThrysoee / synology-letsencrypt


Obtained cert is "broken" #24

Open bluppfisk opened 2 weeks ago

bluppfisk commented 2 weeks ago

First of all, thanks for the great script. Couple of questions:

The script successfully obtained a certificate from GandiV5 after I had also told it to not wait for full DNS propagation because I am using a local DNS server to which it will probably not propagate. (LEGO_OPTIONS=(--dns.disable-cp))

It also installed it correctly so that it showed up in the Synology Control Panel (Security > Certificate). However, the certificate shows up as being in "Error". Funnily enough, I can use it, and browsers recognise it as a valid certificate, but Synology itself says the certificate is "Error" without further information. Turns out there's a file in the $cert_id_path called cert_info that contains {"is_broken":true}. Simply setting that to false fixed the display, but I wonder what caused this. Any ideas?

Extra question: any best practices on how to automate this? I have set the Synology Task scheduler to run /usr/local/bin/synology-letsencrypt.sh as root every week. This seems obvious to me but is perhaps not the way you would do it?

JessThrysoee commented 2 weeks ago

I haven't come across a cert_info file before. The strings appear in the Synology built-in HTTP-01 binary:

```
$ grep -w is_broken syno/sbin/syno-letsencrypt
Binary file /usr/syno/sbin/syno-letsencrypt matches

$ grep -w cert_info syno/sbin/syno-letsencrypt
Binary file /usr/syno/sbin/syno-letsencrypt matches
```

Do you have the built-in HTTP-01 functionality enabled, or have you tried it out at some point?


Regarding scheduling. See the README, it suggests your approach, but running it daily.
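
The thread above turns on a small JSON flag file that DSM's own syno-letsencrypt writes next to a certificate. The following audit script is an added example and is not code from synology-letsencrypt or from Synology; it assumes (unconfirmed by this thread) that the archive lives at /usr/syno/etc/certificate/_archive and that each $cert_id directory may carry a cert_info file of the form {"is_broken":true}. It lists the certificate ids DSM has flagged, and shows the flag-clearing step the reporter did by hand, with a backup so the original file survives. The demo archive it builds is constructed sample data for running offline.

```shell
#!/bin/sh
# Added example, not part of synology-letsencrypt or DSM.
# Assumption: DSM keeps certificates under this archive directory, one
# subdirectory per cert id, optionally containing a cert_info JSON file.
ARCHIVE="${ARCHIVE:-/usr/syno/etc/certificate/_archive}"

# Print the id of every certificate directory whose cert_info marks it broken.
# Tolerates whitespace around the colon; matches only a literal JSON true.
find_broken_certs() {
    dir="${1:-$ARCHIVE}"
    for info in "$dir"/*/cert_info; do
        [ -f "$info" ] || continue
        if grep -Eq '"is_broken"[[:space:]]*:[[:space:]]*true' "$info"; then
            basename "$(dirname "$info")"
        fi
    done
}

# Number of flagged certificates in the archive.
count_broken_certs() {
    find_broken_certs "$1" | wc -l | tr -d ' '
}

# Clear the flag for one cert id, keeping a backup of the original cert_info.
# This only changes what the Control Panel displays; it does not fix a
# certificate that really is bad, so verify the PEM files first.
clear_broken_flag() {
    dir="$1"; id="$2"
    info="$dir/$id/cert_info"
    [ -f "$info" ] || return 1
    cp "$info" "$info.bak"
    printf '{"is_broken":false}' > "$info"
}

# Build a constructed sample archive in a temp dir (not real DSM data).
make_demo_archive() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/abc123" "$tmp/def456" "$tmp/ghi789" "$tmp/noinfo"
    printf '{"is_broken":true}'      > "$tmp/abc123/cert_info"
    printf '{"is_broken":false}'     > "$tmp/def456/cert_info"
    printf '{ "is_broken" : true }'  > "$tmp/ghi789/cert_info"
    echo "$tmp"
}

# Usage against the constructed archive; point ARCHIVE at the real path on DSM.
demo=$(make_demo_archive)
echo "flagged: $(find_broken_certs "$demo" | tr '\n' ' ')"
echo "count:   $(count_broken_certs "$demo")"
```

Run it as root on the NAS with the real path (or set ARCHIVE) to see which ids DSM considers broken; the reporter's fix corresponds to clear_broken_flag on the affected id, which is why the backup is kept.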

bluppfisk commented 2 weeks ago

Hi, I've definitely tried HTTP challenges before, but I don't want that port open on my home network, so I figured DNS challenges are more secure. However, I haven't run the HTTP-01 challenge in combination with your script, so I don't understand how that file ended up in the _archive/$cert_id folder.

Re: the 2nd point: I cannot believe I read over it. Thanks :)