openmediavault-letsencrypt


    • joq3 wrote:

      Because NAT loopback does this, right?
      Yeah, NAT loopback would do the trick, but I think it is "dangerous" in security terms.

      So I would change your LAN DNS server to point your domain name to OMV's LAN IP.
      DISCLAIMER: :!: I'm not a native English speaker, I'm sorry if I don't explain as good as you would want. :!:

      My NAS:
      Always the latest OMV Erasmus running on an AMD Sempron 3850 @1.3GHz with 4.9.0 Backports Kernel
      with 120GB Samsung SSD 850 EVO for OpenMediaVault & 2x500GB Primary Data HDD + 1TB Secondary HDD for Backup & 2TB USB 3.0 External HDD for offline backup

      Plugin list:
      Flash Memory, Locate, OMV-Extras.org, RSnapshot, Sensors, Syncthing, SMB/CIFS, SSH, USB Backup
      _____________________________________________________________________________________________________________________________

      The Schrödinger's code is that one which is going to work and it's full of bugs at the same time; until you test it, you won't be able to determine it.
    • Hello everybody,

      I finally managed to install OMV 3. I am planning to install Seafile (managed by the nginx plugin, reverse proxying) and I definitely want to use Let's Encrypt for its SSL connection.

      But my first question is a little bit more general:
      I have my OMV installation running on port 80. The domain is owned by me. Port forwarding is 80 --> 80 to my OMV LAN IP. I successfully created a Let's Encrypt certificate using the standard /var/www/openmediavault as webroot. This is all good.

      As far as I understood lets-encrypt needs access to my server on port 80 (all the time?). What I absolutely don't want, however, is that my omv-installation is accessible from outside my lan. So, is there any way to block this access other than changing the port 80 omv is running on??

      Despite not having seafile installed yet I already created two servers at the nginx-plugin section:
      The one running on port 80 (just showing what is set under "additional options"):
      location /.well-known/acme-challenge {
          # root (not alias) keeps the full URI, so certbot's webroot file is found
          root /var/www/openmediavault;
      }
      location / {
          # redirect only what the ACME location above did not match
          return 301 https://$http_host$request_uri;
      }

      and the one running on port 443 with the lets-encrypt certificate activated (just showing what is set under "additional options"):
      proxy_set_header X-Forwarded-For $remote_addr;
      add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
      server_tokens off;
      gzip off;

      include /etc/nginx/perfect-forward-secrecy.conf;

      location /.well-known/acme-challenge {
          # root (not alias) keeps the full URI, so certbot's webroot file is found
          root /var/www/openmediavault;
      }

      # Seahub (Seafile web UI) via FastCGI
      location / {
          fastcgi_pass 127.0.0.1:8000;
          fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
          fastcgi_param PATH_INFO $fastcgi_script_name;
          fastcgi_param SERVER_PROTOCOL $server_protocol;
          fastcgi_param QUERY_STRING $query_string;
          fastcgi_param REQUEST_METHOD $request_method;
          fastcgi_param CONTENT_TYPE $content_type;
          fastcgi_param CONTENT_LENGTH $content_length;
          fastcgi_param SERVER_ADDR $server_addr;
          fastcgi_param SERVER_PORT $server_port;
          fastcgi_param SERVER_NAME $server_name;
          fastcgi_param REMOTE_ADDR $remote_addr;
          fastcgi_param HTTPS on;
          fastcgi_param HTTP_SCHEME https;
          access_log /var/log/nginx/seahub.access.log;
          error_log /var/log/nginx/seahub.error.log;
      }

      # Seafile file server; proxy_pass needs the scheme, a bare host:port is rejected by nginx
      location /seafhttp {
          rewrite ^/seafhttp(.*)$ $1 break;
          proxy_pass http://127.0.0.1:8082;
          client_max_body_size 0;
          proxy_connect_timeout 36000s;
          proxy_read_timeout 36000s;
          proxy_send_timeout 36000s;
      }

      # static files served directly by nginx
      location /media {
          root /opt/seafile/seafile-server-latest/seahub;
      }

      # SeafDAV (WebDAV) via FastCGI
      location /seafdav {
          fastcgi_pass 127.0.0.1:8080;
          fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
          fastcgi_param PATH_INFO $fastcgi_script_name;
          fastcgi_param SERVER_PROTOCOL $server_protocol;
          fastcgi_param QUERY_STRING $query_string;
          fastcgi_param REQUEST_METHOD $request_method;
          fastcgi_param CONTENT_TYPE $content_type;
          fastcgi_param CONTENT_LENGTH $content_length;
          fastcgi_param SERVER_ADDR $server_addr;
          fastcgi_param SERVER_PORT $server_port;
          fastcgi_param SERVER_NAME $server_name;
          fastcgi_param REMOTE_ADDR $remote_addr;
          fastcgi_param HTTPS on;
          client_max_body_size 0;
          access_log /var/log/nginx/seafdav.access.log;
          error_log /var/log/nginx/seafdav.error.log;
      }


      Any help is much appreciated.


    • Just to confirm, there is still the possibility to change port 80 for omv to, let's say, port 81, right? And port 81 might not be open to the internet!
      As long as my Seafile service is listening on port 80 and nginx is redirecting the request for /.well-known/acme-challenge to /var/www/openmediavault... it should work, or am I misunderstanding something??
      @luxflow


    • @nasty_vibrations
      First, if you have a public IP and your ISP (internet provider) doesn't block the port,
      anyone can access your Seafile regardless of the port it listens on (80, 81, 82...).
      You can test which of your ports are open with pentest-tools.com/network-vuln…-port-scanner-online-nmap
      You can also block ports using iptables:
      check out Network -> Firewall.

      Second, Let's Encrypt requires port 80 to be open to receive the cert whenever you get a certificate (once every 3 months).
      After that you can use ANY port for HTTPS with that cert.

      Lastly, why are you blocking port 80?
      If I were you, I would only open /.well-known/acme-challenge on port 80
      and redirect everything else to 443 (HTTPS).

      I'm very busy these days, so I may not be able to answer in more detail.
      OMV3 on Proxmox
      Intel E3-1245 v5 | 32GB ECC RAM | 4x3TB RAID10 HDD
      omv-zfs | omv-nginx | omv-letsencrypt | omv-openvpn
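    • The split luxflow describes (only the ACME challenge path answered over plain HTTP, everything else sent to HTTPS), written out as an added example; it is not config from this thread or from the omv-letsencrypt plugin. Assumptions: the host name nas.example.com, the plugin's webroot /var/www/openmediavault, the OMV web UI moved to port 81, and a router that forwards only 80 and 443. In the OMV nginx plugin the listen/server_name/ssl lines are generated from the GUI fields, so only the location blocks would go into "additional options".

```nginx
# Added example, not from the thread or the omv-letsencrypt plugin.
# Assumed: host nas.example.com, webroot /var/www/openmediavault,
# OMV web UI on port 81 with NO router forwarding rule for it.

server {
    listen 80 default_server;
    server_name nas.example.com;

    # The only thing plain HTTP is allowed to answer: the http-01 challenge.
    # certbot --webroot writes /var/www/openmediavault/.well-known/acme-challenge/<token>,
    # so use root (keeps the full URI) rather than alias (which would drop the
    # /.well-known/acme-challenge part and look for /var/www/openmediavault/<token>).
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/openmediavault;
        default_type text/plain;
        try_files $uri =404;
    }

    # Everything else goes to HTTPS. Keep the return inside a location: a return
    # at server level runs before location matching and would redirect the
    # challenge requests above as well.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    server_name nas.example.com;

    ssl_certificate     /etc/letsencrypt/live/nas.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/nas.example.com/privkey.pem;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    server_tokens off;

    # Application locations (for instance the Seafile blocks posted earlier in
    # this thread) go here. Nothing in this server proxies the OMV UI on port 81,
    # and 81 is not forwarded, so the OMV login page stays LAN-only.
}
```

      To check the result from outside the LAN: `curl -sI http://nas.example.com/.well-known/acme-challenge/probe` should return a 404 from nginx (not a 301), `curl -sI http://nas.example.com/` should return a 301 with a https:// Location header, and a TCP connect to port 81 (for example `nc -vz nas.example.com 81`) should fail.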
    • Thanks for your answers @luxflow,


      luxflow wrote:

      anyone can access your seafile regardless of your listening port(80,81..82)
      I'm not quite sure if I understand you correctly. I have a public IP, yes. My ISP doesn't block my port 80. At the moment my router is set to forward incoming requests on port 80 to port 80 of my OMV installation. And I assume that's the prerequisite for getting a valid Let's Encrypt certificate. But if I disable this port forwarding rule no one can access my server. At least that's my understanding.
      And currently this is also my problem. Because omv is also running on port 80 I am now able to access my omv-installation via internet, which is what I want to disable!


      luxflow wrote:

      why are you blocking 80 port?
      I am not blocking port 80, at the moment it is open. It's just that I don't want my OMV to be reachable via the internet, i.e. I would disable the port forwarding to port 80 completely, but then I couldn't get a certificate (once every 3 months).


      luxflow wrote:

      if I were you, I only open /.well-know/acme-challenge for 80 port
      and make anything else redirect to 443(https)
      That's what my plan is, and I actually have already set the servers in nginx plugin this way (see my first post, the two spoilers).


      Ok, so right now seafile isn't installed at all, but the server-settings in the plugin are already activated. If I now go to xxx.mydomain.tld I land on my omv login screen. That's what I don't want. So, the only way that came into my mind, was to change the port of omv, so that it isn't running on port 80 anymore.

      I hope you guys get what I want.

      Thanks a lot for your help.
    • You can use reverse proxy.
      OMV doesn't need to be on port 80 for you to use LE.
      As long as port 80/443 are open, LE will work.
      Port 80/443 are standard ports that should be opened.


      e.g.:

      server {
          listen 80 default_server;
          server_name example.com;
          # plain HTTP only redirects to HTTPS; OMV itself can listen on another port
          return 301 https://$server_name$request_uri;
      }
      OMV v3.0
      Asus Z97-A/3.1; i3-4370
      32GB RAM Corsair Vengeance Pro
      4x3TB RAID10


    • Seafile installation was successful. I changed port of omv to 81. Everything seems to be working.

      Just one thing, if I try to run the "omv-letsencrypt" command via scheduled jobs I get the following error message:
      Failed to execute command 'export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin; export LANG=C; export SHELL=/bin/sh; sudo --shell --non-interactive --user=root -- omv-letsencrypt 2>&1':
      Existing certificate uuid is invalid
      Use the Generate Certificate button in the plugin view at least once before using this script.
      Any idea why my certificate uuid is invalid?

      Thanks
    • Hi.

      The renew process works fine. I have the new certificate in the "live"-directory. But I still get this error during renew of the certificate:

      Waiting for verification...
      Cleaning up challenges
      Generating key (2048 bits): /etc/letsencrypt/keys/0005_key-certbot.pem
      Creating CSR: /etc/letsencrypt/csr/0005_csr-certbot.pem
      {"response":null,"error":{"code":3002,"message":"Failed to set configuration","trace":"exception 'OMVException' with message 'Failed to set configuration' in /usr/share/openmediavault/engined/rpc/certificatemgmt.inc:211
      Stack trace:
      #0 [internal function]: OMVRpcServiceCertificateMgmt->set(Array, Array)
      #1 /usr/share/php/openmediavault/rpcservice.inc(125): call_user_func_array(Array, Array)
      #2 /usr/share/php/openmediavault/rpc.inc(79): OMVRpcServiceAbstract->callMethod('set', Array, Array)
      #3 /usr/sbin/omv-engined(500): OMVRpc::exec('CertificateMgmt', 'set', Array, Array, 1)
      #4 {main}"}}

      Any idea?

      Thanks for help!
    • I have a question.

      I installed LE successfully on my machine.
      Now I want to have access to different ports/services on my server over the internet, but always on the same domain!! For example: domain/tvserver -- domain/couchpotato -- domain/nextcloud etc.

      I read a tutorial using nginx's proxy_pass function but I'm too dumb to get it to work.

      maybe someone can help an old guy..
      HP Microserver Gen 8 | 10GB RAM | 12TB WD red (snapraid) | OMV 3.x (latest) | DD Cine S2 V6.5
    • googling following keyword

      tvserver nginx reverse proxy
      couchpotato nginx reverse proxy
      nextcloud nginx reverse proxy

      give you application specific reverse proxy configuration

      if you use same domain, only different thing is path (/tvserver /couchpotato /nextcloud)
      you just get only one cert from LE for that domain
      OMV3 on Proxmox
      Intel E3-1245 v5 | 32GB ECC RAM | 4x3TB RAID10 HDD
      omv-zfs | omv-nginx | omv-letsencrypt | omv-openvpn
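    • As an added example (not from this thread and not from any of the applications' own documentation), one HTTPS server that puts several LAN services under paths of a single domain, so the one Let's Encrypt certificate luxflow mentions covers all of them. The host name and every upstream port below are assumptions; the two location variants show the one thing that usually breaks these setups, namely whether the path prefix is passed through to the app or stripped off.

```nginx
# Added example; host name and upstream ports are assumptions, not values from the thread.
server {
    listen 443 ssl http2;
    server_name nas.example.com;

    ssl_certificate     /etc/letsencrypt/live/nas.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/nas.example.com/privkey.pem;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    server_tokens off;

    # Headers every proxied app needs: which host was requested, who the real
    # client is, and that the outer hop was HTTPS (or it will emit http:// links).
    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Variant A: the app is told its base path (CouchPotato has a url_base
    # setting for this), so the prefix is passed through unchanged. proxy_pass
    # WITHOUT a trailing slash forwards the URI as received:
    #   /couchpotato/x  ->  http://127.0.0.1:5050/couchpotato/x
    location /couchpotato/ {
        proxy_pass http://127.0.0.1:5050;       # assumed CouchPotato port
    }

    # Variant B: the app knows nothing about a prefix, so strip it. A trailing
    # slash on BOTH location and proxy_pass rewrites the path:
    #   /tvserver/x  ->  http://127.0.0.1:8989/x
    # This only works if the app emits relative links (or has its own base-path option).
    location /tvserver/ {
        # keep this one LAN-only even though the host is public (assumed LAN range)
        allow 192.168.1.0/24;
        deny  all;
        proxy_pass http://127.0.0.1:8989/;      # assumed TV server port
    }
    # /tvserver without the slash would otherwise miss the location above
    location = /tvserver { return 301 /tvserver/; }

    # Nextcloud behind a sub-path: strip the prefix as in variant B and tell
    # Nextcloud about it in config.php ('overwritewebroot' => '/nextcloud',
    # 'overwriteprotocol' => 'https', 'trusted_proxies' => ['127.0.0.1']),
    # so the links it generates point back to /nextcloud/... over https.
    location /nextcloud/ {
        proxy_pass http://127.0.0.1:8081/;      # assumed Nextcloud port
        client_max_body_size 0;                 # large file uploads
        proxy_read_timeout 3600s;
    }
    location = /nextcloud { return 301 /nextcloud/; }
}
```

      Nothing in this server proxies the OMV web UI, so moving it to an unforwarded port (81 in this thread) keeps it off the internet even though the domain itself is public. The allow/deny pair on /tvserver/ shows how to expose a path only to the LAN while the rest of the host stays reachable.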