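Fixing certificate renewal in QNAP QTS SSL Certificate
When System > General Settings > Region is set to Global,
renewing the certificate with Let's Encrypt through Control Panel > Security > Certificate & Private Key > Download Certificate or Replace Certificate fails with the message
"Authentication failed. Please check whether the DNS server or port 80 is working properly."

The same happens when downloading and installing an SSL certificate, or renewing/extending one, through the QTS SSL Certificate app.
The QTS SSL Certificate version is 2.2.18.
Download: https://www.qnap.com.cn/zh-cn/app-center/?os=qts&version=4.3.4&kw=ssl
Log in to the system over SSH: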
cat /mnt/ext/opt/QcloudSSLCertificate/log/acme_error_log_dns
08/10/25 00:29:52 - args: Namespace(account_key='/mnt/ext/opt/QcloudSSLCertificate/cert/account/key', acme_dir='/mnt/ext/opt/QcloudSSLCertificate/cert/.well-known/acme-challenge', ca='https://acme-v02.api.letsencrypt.org', cert_file='/mnt/ext/opt/QcloudSSLCertificate/cert/cert_tmp', chain_file='/mnt/ext/opt/QcloudSSLCertificate/cert/chain_tmp', contact=['mailto:admin@example.com'], csr='/mnt/ext/opt/QcloudSSLCertificate/cert/csr', directory_url='https://acme-v02.api.letsencrypt.org/directory', disable_check=False, qpkg_dir='/mnt/ext/opt/QcloudSSLCertificate', quiet=40, verify_type='dns', web_document_root='/share/Web', well_known_dir='/mnt/ext/opt/QcloudSSLCertificate/cert/.well-known')
Traceback (most recent call last):
File "/mnt/ext/opt/QcloudSSLCertificate/bin/acme-tiny/acme_tiny.py", line 889, in main
qpkg_path=args.qpkg_dir, challenge_type=challenge_type, ca_certs=ca_certs, web_document_root=args.web_document_root)
File "/mnt/ext/opt/QcloudSSLCertificate/bin/acme-tiny/acme_tiny.py", line 770, in get_crt
raise ex
ValueError: Challenge did not pass for mydomain.myqnapcloud.com: {u'status': u'invalid', u'challenges': [{u'status': u'invalid', u'url': u'https://acme-v02.api.letsencrypt.org/acme/chall/188466480/566438855816/8DVRpg', u'token': u'NOdz9J4hOmoscUxMGDcVzohX9DmZuGskn8qLNkRV19k', u'error': {u'status': 400, u'type': u'urn:ietf:params:acme:error:dns', u'detail': u'DNS problem: query timed out looking up TXT for _acme-challenge.mydomain.myqnapcloud.com'}, u'validated': u'2025-08-09T16:29:18Z', u'type': u'dns-01'}], u'identifier': {u'type': u'dns', u'value': u'mydomain.myqnapcloud.com'}, u'expires': u'2025-08-16T16:29:04Z'}
cat /mnt/ext/opt/QcloudSSLCertificate/log/acme_error_log_http
08/11/25 13:51:36 - args: Namespace(account_key='/mnt/ext/opt/QcloudSSLCertificate/cert/account/key', acme_dir='/mnt/ext/opt/QcloudSSLCertificate/cert/.well-known/acme-challenge', ca='https://acme-v02.api.letsencrypt.org', cert_file='/mnt/ext/opt/QcloudSSLCertificate/cert/cert_tmp', chain_file='/mnt/ext/opt/QcloudSSLCertificate/cert/chain_tmp', contact=['mailto:admin@example.com'], csr='/mnt/ext/opt/QcloudSSLCertificate/cert/csr', directory_url='https://acme-v02.api.letsencrypt.org/directory', disable_check=False, qpkg_dir='/mnt/ext/opt/QcloudSSLCertificate', quiet=40, verify_type='http', web_document_root='/share/Web', well_known_dir='/mnt/ext/opt/QcloudSSLCertificate/cert/.well-known')
Traceback (most recent call last):
File "/mnt/ext/opt/QcloudSSLCertificate/bin/acme-tiny/acme_tiny.py", line 890, in main
qpkg_path=args.qpkg_dir, challenge_type=challenge_type, ca_certs=ca_certs, web_document_root=args.web_document_root)
File "/mnt/ext/opt/QcloudSSLCertificate/bin/acme-tiny/acme_tiny.py", line 760, in get_crt
wellknown_path, tmp_wellknown_url), ERROR_CODE_CHALLENGE_NOT_FOUND)
CustomError: Wrote file to /mnt/ext/opt/QcloudSSLCertificate/cert/.well-known/acme-challenge/O5YteB0h-fdAz6b5xtoE_1ml8VHeq3FbK-Vs77yREkE, but couldn't download http://localhost/.well-known/acme-challenge/O5YteB0h-fdAz6b5xtoE_1ml8VHeq3FbK-Vs77yREkE
cat /mnt/ext/opt/QcloudSSLCertificate/log/acme_error_log_https
08/10/25 00:30:27 - args: Namespace(account_key='/mnt/ext/opt/QcloudSSLCertificate/cert/account/key', acme_dir='/mnt/ext/opt/QcloudSSLCertificate/cert/.well-known/acme-challenge', ca='https://acme-v02.api.letsencrypt.org', cert_file='/mnt/ext/opt/QcloudSSLCertificate/cert/cert_tmp', chain_file='/mnt/ext/opt/QcloudSSLCertificate/cert/chain_tmp', contact=['mailto:admin@example.com'], csr='/mnt/ext/opt/QcloudSSLCertificate/cert/csr', directory_url='https://acme-v02.api.letsencrypt.org/directory', disable_check=False, qpkg_dir='/mnt/ext/opt/QcloudSSLCertificate', quiet=40, verify_type='https', web_document_root='/share/Web', well_known_dir='/mnt/ext/opt/QcloudSSLCertificate/cert/.well-known')
Traceback (most recent call last):
File "/mnt/ext/opt/QcloudSSLCertificate/bin/acme-tiny/acme_tiny.py", line 889, in main
qpkg_path=args.qpkg_dir, challenge_type=challenge_type, ca_certs=ca_certs, web_document_root=args.web_document_root)
File "/mnt/ext/opt/QcloudSSLCertificate/bin/acme-tiny/acme_tiny.py", line 714, in get_crt
raise CustomError("Missing tls challenge: {0} {1}".format(code, result), ERROR_CODE_REQUEST_CHALLENGE_FAILED)
NameError: global name 'result' is not defined


Because Let's Encrypt has disabled TLS-SNI challenges, the error in acme_error_log_https can be ignored for now, or the failing line can be changed by hand to
raise CustomError("Missing tls challenge", ERROR_CODE_REQUEST_CHALLENGE_FAILED)
Then edit /mnt/ext/opt/QcloudSSLCertificate/bin/acme-tiny/acme_tiny.py.
In the new_https_connect function, change
sock = create_connection((self.host, self.port), self.timeout, self.source_address, socket.AF_INET)
to
try:
    # try IPv4 first
    sock = create_connection((self.host, self.port), self.timeout, self.source_address, socket.AF_INET)
except Exception:
    # fall back to IPv6 when IPv4 fails
    sock = create_connection((self.host, self.port), self.timeout, self.source_address, socket.AF_INET6)
Also change
if contact is not None:
    account, _, _ = _send_signed_request(acct_headers['Location'], {"contact": contact}, "Error updating contact details")
    log.info("Updated contact details:\n{0}".format("\n".join(account.get('contact'))))
to
if contact is not None:
    account, _, _ = _send_signed_request(acct_headers['Location'], {"contact": contact}, "Error updating contact details")
    # the account object may come back without 'contact'; "\n".join(None) would raise TypeError
    contacts = account.get('contact') or []
    if contacts:
        log.info("Updated contact details:\n{0}".format("\n".join(contacts)))
    else:
        log.info("Updated contact details: (none)")
Replace the app's .well-known directory with a symlink to /share/Web/.well-known:
mv /mnt/ext/opt/QcloudSSLCertificate/cert/.well-known /mnt/ext/opt/QcloudSSLCertificate/cert/.well-known.bak
ln -s /share/Web/.well-known /mnt/ext/opt/QcloudSSLCertificate/cert/.well-known
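The check below is an added example, not part of the original post or of QNAP's tooling: it confirms that a file written through the app's .well-known path lands in the directory the web server serves, then repeats the localhost fetch that failed in acme_error_log_http, so the result is known before another Let's Encrypt attempt is spent. The function names, the RUN_CHECK switch, the probe file name and the script name check_well_known.sh are assumptions made for this example; the default paths are the ones used above.

```sh
#!/bin/sh
# Added example. Paths default to the ones on this page; override to test.
QPKG_WELL_KNOWN="${QPKG_WELL_KNOWN:-/mnt/ext/opt/QcloudSSLCertificate/cert/.well-known}"
WEB_WELL_KNOWN="${WEB_WELL_KNOWN:-/share/Web/.well-known}"

# check_challenge_path CLIENT_DIR WEB_DIR
# 0: a file written under CLIENT_DIR/acme-challenge shows up under WEB_DIR
# 1: CLIENT_DIR is not a symlink   2: WEB_DIR is missing
# 3: cannot write the probe        4: the symlink points somewhere else
check_challenge_path() {
    client_dir=$1; web_dir=$2; probe="probe-$$"
    [ -L "$client_dir" ] || { echo "not a symlink: $client_dir"; return 1; }
    [ -d "$web_dir" ] || { echo "missing: $web_dir"; return 2; }
    mkdir -p "$client_dir/acme-challenge" || return 3
    echo "$probe" > "$client_dir/acme-challenge/$probe" || return 3
    if [ -f "$web_dir/acme-challenge/$probe" ]; then
        status=0
    else
        echo "$client_dir does not resolve to $web_dir"; status=4
    fi
    rm -f "$client_dir/acme-challenge/$probe"
    return "$status"
}

# check_http_fetch CLIENT_DIR [BASE_URL]
# Repeats the client's self-test seen in acme_error_log_http: write a token
# file, fetch it over HTTP, compare the body. Needs curl and the web server.
check_http_fetch() {
    client_dir=$1; base_url=${2:-http://localhost}; probe="probe-$$"
    echo "$probe" > "$client_dir/acme-challenge/$probe" || return 3
    body=$(curl -fsS --max-time 5 "$base_url/.well-known/acme-challenge/$probe")
    status=$?
    rm -f "$client_dir/acme-challenge/$probe"
    [ "$status" -eq 0 ] && [ "$body" = "$probe" ]
}

# On the NAS: RUN_CHECK=1 sh check_well_known.sh
if [ "${RUN_CHECK:-0}" = 1 ]; then
    check_challenge_path "$QPKG_WELL_KNOWN" "$WEB_WELL_KNOWN" &&
        check_http_fetch "$QPKG_WELL_KNOWN" &&
        echo "challenge path OK"
fi
```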
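Finally, request the certificate again. (Let's Encrypt enforces rate limits, so after a failed request you have to wait a while before requesting again.)
cat /mnt/ext/opt/QcloudSSLCertificate/log/ssl_agent.log then shows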
08/11/25 14:36:02: ssl_agent.c: 885: main():start cmd=get_status
08/11/25 14:36:02: ssl_agent.c: 896: main():cmd: get_status
08/11/25 14:36:02: ssl_agent.c: 507: execute_command():device_name=mydomain api_endpoint=core2.api.myqnapcloud.com, portal_endpoint=www.myqnapcloud.com
08/11/25 14:36:02: ../common/src/cert_utils.c: 553: check_is_letsencrypt_cert():this is letsencrypt certificate
08/11/25 14:36:02: ssl_agent.c: 909: main():response: { "result": { "cname": "mydomain.myqnapcloud.com", "api_endpoint": "core2.api.myqnapcloud.com", "portal_endpoint": "www.myqnapcloud.com", "firmware_verison": "4.3.4" }, "status_code": -3000, "message": "get_certificate_info failed" }
08/11/25 14:36:02: letsencrypt_agent.c: 542: main():cmd: get_status
08/11/25 14:36:03: letsencrypt_agent.c: 225: execute_command():certificate remaining_days=90
08/11/25 14:36:03: letsencrypt_agent.c: 257: execute_command():certificate_info status_code=0
08/11/25 14:36:03: letsencrypt_agent.c: 555: main():response: { "result": { "certificate_domain_name": "mydomain.myqnapcloud.com", "api_endpoint": "core2.api.myqnapcloud.com", "portal_endpoint": "www.myqnapcloud.com", "web_site_domain": "myqnapcloud.com", "qid_primary_email": "admin@example.com", "authority": "Let's Encrypt", "applied_on_device_start_datetime": "2025\/08\/11", "applied_on_device_end_datetime": "2025\/11\/09", "is_auto_renew": 1 }, "status_code": 0, "message": "normal" }
08/11/25 14:36:43: letsencrypt_agent.c: 542: main():cmd: set_config
08/11/25 14:36:43: ../common/src/letsencrypt_utils.c: 237: set_letsencrypt_certificate_config():set_letsencrypt_certificate_config by cmd:/sbin/setcfg CERT is_auto_renew 0 -f /mnt/ext/opt/QcloudSSLCertificate/data/agent.conf
08/11/25 14:36:43: letsencrypt_agent.c: 555: main():response: { "status_code": 0, "message": "success" }
08/11/25 14:36:48: letsencrypt_agent.c: 542: main():cmd: set_config
08/11/25 14:36:48: ../common/src/letsencrypt_utils.c: 237: set_letsencrypt_certificate_config():set_letsencrypt_certificate_config by cmd:/sbin/setcfg CERT is_auto_renew 1 -f /mnt/ext/opt/QcloudSSLCertificate/data/agent.conf
08/11/25 14:36:48: letsencrypt_agent.c: 555: main():response: { "status_code": 0, "message": "success" }
08/11/25 14:37:11: ssl_agent.c: 885: main():start cmd=get_status
08/11/25 14:37:11: ssl_agent.c: 896: main():cmd: get_status
08/11/25 14:37:11: ssl_agent.c: 507: execute_command():device_name=mydomain api_endpoint=core2.api.myqnapcloud.com, portal_endpoint=www.myqnapcloud.com
08/11/25 14:37:11: ../common/src/cert_utils.c: 553: check_is_letsencrypt_cert():this is letsencrypt certificate
08/11/25 14:37:11: ssl_agent.c: 909: main():response: { "result": { "cname": "mydomain.myqnapcloud.com", "api_endpoint": "core2.api.myqnapcloud.com", "portal_endpoint": "www.myqnapcloud.com", "firmware_verison": "4.3.4" }, "status_code": -3000, "message": "get_certificate_info failed" }
08/11/25 14:37:11: letsencrypt_agent.c: 542: main():cmd: get_status
08/11/25 14:37:12: letsencrypt_agent.c: 225: execute_command():certificate remaining_days=90
08/11/25 14:37:12: letsencrypt_agent.c: 257: execute_command():certificate_info status_code=0
08/11/25 14:37:12: letsencrypt_agent.c: 555: main():response: { "result": { "certificate_domain_name": "mydomain.myqnapcloud.com", "api_endpoint": "core2.api.myqnapcloud.com", "portal_endpoint": "www.myqnapcloud.com", "web_site_domain": "myqnapcloud.com", "qid_primary_email": "admin@example.com", "authority": "Let's Encrypt", "applied_on_device_start_datetime": "2025\/08\/11", "applied_on_device_end_datetime": "2025\/11\/11", "is_auto_renew": 1 }, "status_code": 0, "message": "normal" }
After the button is clicked in the web UI, the backend probably runs a command like the following:
python /mnt/ext/opt/QcloudSSLCertificate/bin/acme-tiny/acme_tiny.py \
    --account-key /mnt/ext/opt/QcloudSSLCertificate/cert/account.key \
    --csr /mnt/ext/opt/QcloudSSLCertificate/cert/domain.csr \
    --acme-dir /mnt/ext/opt/QcloudSSLCertificate/challenges/ \
    --qpkg-dir /mnt/ext/opt/QcloudSSLCertificate/ \
    --well-known-dir /mnt/ext/opt/QcloudSSLCertificate/challenges/ \
    --verify_type dns  # or http
Alternatively, the certificate can also be renewed with https://github.com/Yannik/qnap-letsencrypt