can't add community repo - "invalid location" error - problem solved #4897
Comments
|
That link can only be used as package source and cannot be opened in a browser. |
All internet sites opening. Ping work.... |
This in log's |
|
I am having the same problem |
|
I also get the "invalid location" error when trying to add the repo. Indeed, it was working before. I thought by removing/readding would resolve the issue, but alas, it does not. And now.... I cannot add back. From an SSH Session into my NAS (DS1816+), I performed the following: `$ curl -k https://packages.synocommunity.com <title>400 Bad Request</title>Bad RequestThe browser (or proxy) sent a request that this server could not understand. ``curl http://packages.synocommunity.com <title>400 Bad Request</title>Bad RequestThe browser (or proxy) sent a request that this server could not understand. `
`sudo nslookup packages.synocommunity.com Non-authoritative answer: It appears that I can not only reach you, but I can resolve your DNS name as well. However, attempts to curl the URL fail - whether http or https. I've read that this has happened in the past, and it was a change in your html code. Can you check you end and validate any changes made? |
|
Same issue here, but a couple of other observations suggest it is a network issue which I don't understand...
UPDATED & FIXED: now fixed on my home unit after updating DSM to 6.2.4-25556 Update 2 (was DSM 6.2.3-something) and rebooting. (Although I'm not sure if it was a DSM version issue or just a clean boot would have fixed things!) |
|
Same issue here (DSM 6.2.4-25556 Update 2). A reboot unfortunately does not fix it for me. |
|
well. I be damned..... @Noone2018b - I updated my NAS, and that seems to have resolved it for me as well. Updated to DSM 6.2.4-25556 Update 2 |
you must use secure http (https://) it will not work with http (without s). I had the same error on DSM 5.2. It first occurred on 27.09.2021 The reason is, that the /etc/ssl/certs/ca-certificates.crt file on the diskstation is outdated (last modified in 2016) I downloaded a more recent crt file (from debian repo) but the error was not gone. finally I solved the issue by downloading the current certs.pem from openssl site (haxxe...) and saving this under the name ca-certificates.crt on the diskstation. As I do not expect any security update for my DS-210+ from synology this file will not be updated... |
Are you send my direct link to current certs.pem from openssl site ? A can't find this cert.... |
|
If it is a expired certificate problem you should renew it via the control panel, security, certificate and if it is expired right click to renew it. |
Not work. This operation created request, but not renew or update current cert's |
The problem I solved with a manual update of ca-certificates.crt was not the certificate on the diskstation, but that for curl the certificate used on packages.synocommunity.com is validated as expired (in fact the certificate is not expired, but one of the intermediate ca certificates in the chain could not be verified against the known ca-certificates). |
my one was from 2016. So I'm not sure it is the same problem. Do you get the error 60? |
try this one https://curl.se/ca/cacert.pem |
https://discord.com/channels/732558169863225384/732559466721181738/893810613384515584 Might also be related to https://scotthelme.co.uk/lets-encrypt-old-root-expiration/ |
publicarray
changed the title
Yes, everybody should update the DSM. My solution is for DS-210+ and other old models that do not support DSM 6. The cacert.pem you download from curl.se is not managed by curl, but it is the pem version of the mozillas trust store, downloaded and converted by mk-ca-bundle (see https://curl.se/docs/mk-ca-bundle.html). So everything is transparent as you can inspect and execute mk-ca-bundle yourself. |
|
We are saying the same thing then. It's on curl's server hence trust the file that is there and thanks yes, I failed to mention that it is from the trust store from Mozilla. The public TLS infrastructure relies on trust, so you have to trust someone. I wrote this note as quick way to make someone think before they run a sudo command from a stranger that changes a critical system file. |
|
synocommunity uses let's encrypt certificate and indeed, there is an issue with an expired issuer certificate in the trust chain. https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/ And yes, DSM has very old openssl (DSM 5.2 has openssl 1.0.1u-fips and DSM 6.2.4 has openssl 1.0.2u-fips) |
|
@hgy59 I've send an email to Synology asking how long their release rollout is. People still run into this issue about a month after the initial release of their update. I mean how long do we keep this issue open? |
|
IF it is a certifcate-related error, this MAY help: I copied this file (that was mentioned before by @hgy59 ): At first, nothing changed, even after a reboot. I didn't know where to copy this file until i found this thread, where the author ( @catchdave ) also offers a script for automation: Hope, this will help some of you. |
|
Please don't do this. You just replaced the default TLS (Synology's self signed) certificate with the combined root trust store from Mozilla. If you for what ever reason can't update the DSM please read the comment above: #4897 (comment) If it works again it's probably because the NAS updated it self. |
So,- would you also be so kind to explain, WHY this should be the way, to integrate the cacert.pem from curl.se and not otherwise?
I really don't think so. If so,- it would be solved for everyone just through waiting by now. |
|
Sure you use any method to update your cert. But
Yes the fix is to just update to 6.2.4-25556 Update 2 or later. TLDR: The root course is that the Synology's outdated trust store no longer trusts Let's encrypt certificates because the If you can't follow along I recommend reading more about PKI (Public Key Infrastructure), CA's (Certificate Authority), Chain Of Trust and Public-key cryptography (Diffie–Hellman key exchange) https://www.youtube.com/watch?v=fuK-OAyfET4 https://www.youtube.com/results?search_query=computerphile+TLS |
Yes, they are sloooooooooow. I got the notification for the DSM 7.0.1 update yesterday (11/02/2021) - the update was released on 10/21/2021. |
|
Just ran into this issue (and been dealing with the fallout from the same CA expiry at work for weeks!) and confirm that upgrading to the latest version of DSM 6.2.4-25556 Update 2 has indeed resolved the issue. |
|
#4897 (comment) |
From communicating with Synology:
|
|
Hello, |
My two DSM is accepted certificates without reboot :) |
SlalomJohn
changed the title
|
Please don't close the issue yet so that others can find this thread more easily. If you get too many notifications you can unsubscribe from the right sidebar. |
|
From Synology:
|
These commands do the job! Thank you publicarray!!! |
Thanks for the answer @publicarray! Still useful for those of us stuck on old 6.2.3 |
Thank you! It works on my DSM 6.2.1 |
|
I've had the same issue on DSM 6.2.1. I performed a manual software update to renew the certificates. Updating to DSM 7.1.1 solved the problem for me. |
|
For the shy which do not want to update to DSM7 yet: Updated from DSM 6.x.y to 6.2.4 and works now. |
|
@debuglevel please tell me more |
Synlogy RS815RP+ (2 node in cluster mode)
Adding repo as https://packages.synocommunity.com/
But got error
if i open this link in browser - got
Bad Request The browser (or proxy) sent a request that this server could not understand.The text was updated successfully, but these errors were encountered: