Why can't I obtain or renew an SSL certificate for my KeenDNS domain name?

Automatic renewal or obtaining an SSL certificate may not work in the following cases:

  1. In the router configuration, requests to port TCP/443 are redirected to another host on the local network.

    Solution: Remove the forwarding rules for port TCP/443.

  2. The domain name of the certification centre's CDN server cannot be resolved due to incorrect operation of the Internet provider's DNS resolver.

    Solution: Try configuring name resolution via DoT/DoH DNS servers. Refer to the instructions ???.

  3. At the time of renewing or obtaining an SSL certificate, there is an unstable connection to your ISP's gateway.

    Solution: Check the stability of the connection to the ISP and contact them for diagnostics.

  4. The management port for the built-in NGINX server (TCP/80 by default) is not set. The following entries can be seen in the router's system log:

    ndm: Acme::Client: obtaining certificate is available only when HTTP port is set to 80.
    ndm: Core::Pki::Tools: certificate for "domain" is expired.

    Solution: If you see this log message, set the management port of the router's web server to TCP/80; the ACME client can only obtain a certificate when the HTTP port is 80.

  5. Your ISP blocks the domain and IP addresses of the certification centre's CDN server.

    Solution: Try configuring the router to connect to the Internet through another provider. For example, enable an access point on your smartphone and connect the router to it via a WISP connection to access the Internet through the mobile operator's network.

  6. Due to unsuccessful attempts to connect to the server, the remote party has paused the certificate obtaining/renewal process.

    This may trigger rate limits on the server, and the following entries may appear in the router's system log:

    ndm: Acme::Tools: bad HTTP status: 429.
    ndm: Acme::Client: unable to issue certificate for "domain": too many failed retries.

    Solution: You will need to reset the settings to factory defaults and then wait for the certificate to be issued for the previously registered domain name — the last one used (no need to change the name).

    Important! It is not recommended to load the previously saved router configuration (startup-config file).

  7. The maximum allowed space for SSL certificate records in the Config_X section of the KeeneticOS operating system has been exceeded. The following error will appear in the system log:

    failed to store a new extended entry: new data size is too large

    Solution: Delete previously configured VPN tunnels. OpenVPN configuration takes up the most space, so deleting one of the unused OpenVPN tunnels may help.

  8. The system time is not synchronized. In this case, automatic and manual certificate revocation do not work, and the following entries can be seen in the system log:

    ndm: Acme::Client: start automatic revocation of certificate for domain "mydomain.keenetic.pro".
    ndm: Acme::Client: time is not set, "mydomain.keenetic.pro" revocation deferred.
    ndm: Acme::Client: retry #2 after 20s.
    ndm: Acme::Client: time is not set, "mydomain.keenetic.pro" revocation deferred.

    Solution: Check the connection to the ISP's gateway. Stable Internet access is required for the router's system time to synchronize automatically.

    It is also recommended that the NTP server settings in the system be checked. Refer to the Time settings instructions.
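As an added example (not part of the Keenetic manual), the following script maps the system log entries quoted in the items above to the item number whose solution applies, so a router log can be triaged quickly. The regular expressions are derived from the quoted lines, and the sample log is constructed from them.

```python
import re

# Log signatures quoted in this article, paired with the item number whose
# "Solution" applies. The regexes are assumptions derived from those lines.
SIGNATURES = [
    (4, re.compile(r"Acme::Client: obtaining certificate is available only when HTTP port is set to 80")),
    (6, re.compile(r"Acme::Tools: bad HTTP status: 429")),
    (6, re.compile(r'Acme::Client: unable to issue certificate for "[^"]+": too many failed retries')),
    (7, re.compile(r"failed to store a new extended entry: new data size is too large")),
    (8, re.compile(r'Acme::Client: time is not set, "[^"]+" revocation deferred')),
]

SOLUTIONS = {
    4: "set the web server management port to TCP/80",
    6: "ACME rate limit (HTTP 429): factory reset and wait; do not restore startup-config",
    7: "Config_X section is full: delete unused VPN (OpenVPN) tunnels",
    8: "system time not synchronized: check the ISP link and NTP settings",
}

# Quoted domain names as they appear in the log lines, e.g. "mydomain.keenetic.pro".
DOMAIN_RE = re.compile(r'"([A-Za-z0-9.-]+\.[A-Za-z]{2,})"')


def diagnose(log_text):
    """Return {item_number: {"count": n, "domains": [...]}} for every
    article signature found in the given router log text."""
    findings = {}
    for line in log_text.splitlines():
        for item, pattern in SIGNATURES:
            if pattern.search(line):
                entry = findings.setdefault(item, {"count": 0, "domains": []})
                entry["count"] += 1
                for domain in DOMAIN_RE.findall(line):
                    if domain not in entry["domains"]:
                        entry["domains"].append(domain)
    return findings


# Constructed sample log built from the entries quoted in items 6 and 8.
SAMPLE_LOG = """\
ndm: Acme::Client: start automatic revocation of certificate for domain "mydomain.keenetic.pro".
ndm: Acme::Client: time is not set, "mydomain.keenetic.pro" revocation deferred.
ndm: Acme::Client: retry #2 after 20s.
ndm: Acme::Client: time is not set, "mydomain.keenetic.pro" revocation deferred.
ndm: Acme::Tools: bad HTTP status: 429.
ndm: Acme::Client: unable to issue certificate for "mydomain.keenetic.pro": too many failed retries.
"""

if __name__ == "__main__":
    for item, found in sorted(diagnose(SAMPLE_LOG).items()):
        print(f"item {item} ({found['count']} hits, {found['domains']}): {SOLUTIONS[item]}")
```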