openmediavault-letsencrypt


    • you can change cipher for omv web gui as you want (see here)
      so you just add OMV_NGINX_SITE_WEBGUI_SSL_CIPHERS="EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH" in /etc/default/openmediavault
      not to use DH keys

      for RSA key length 4096, should have to change omv-letsencrypt to support it
      but not sure when that feature is released
      OMV3 on Proxmox
      Intel E3-1245 v5 | 32GB ECC RAM | 4x3TB RAID10 HDD
      omv-zfs | omv-nginx | omv-letsencrypt | omv-openvpn
      Click link for more details
    • luxflow wrote:

      you can change cipher for omv web gui as you want (see here)
      so you just add OMV_NGINX_SITE_WEBGUI_SSL_CIPHERS="EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH" in /etc/default/openmediavault
      not to use DH keys
      It's not about not using DH, it's about using the right ones. See a favored nginx A+ ssllabs rated config here.

      OMV_NGINX_SITE_WEBGUI_SSL_CIPHERS="ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"
      but I have it on a debian wheezy machine, with:


      nginx version: nginx/1.11.3
      built by gcc 4.7.2 (Debian 4.7.2-5)
      built with OpenSSL 1.0.1e 11 Feb 2013 (running with OpenSSL 1.0.1t 3 May 2016)
      TLS SNI support enabled
      configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_perl_module=dynamic --add-dynamic-module=debian/extra/njs-0.1.0/nginx --with-threads --with-stream --with-stream_ssl_module --with-stream_geoip_module=dynamic --with-http_slice_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --with-http_v2_module --with-cc-opt='-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-z,relro -Wl,--as-needed'

      while OMV3 runs:


      nginx version: nginx/1.6.2
      TLS SNI support enabled
      configure arguments: --with-cc-opt='-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2' --with-ld-opt=-Wl,-z,relro --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_addition_module --with-http_dav_module --with-http_geoip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_spdy_module --with-http_sub_module --with-http_xslt_module --with-mail --with-mail_ssl_module --add-module=/build/nginx-AGNHOe/nginx-1.6.2/debian/modules/nginx-auth-pam --add-module=/build/nginx-AGNHOe/nginx-1.6.2/debian/modules/nginx-dav-ext-module --add-module=/build/nginx-AGNHOe/nginx-1.6.2/debian/modules/nginx-echo --add-module=/build/nginx-AGNHOe/nginx-1.6.2/debian/modules/nginx-upstream-fair --add-module=/build/nginx-AGNHOe/nginx-1.6.2/debian/modules/ngx_http_substitutions_filter_module


      so I'll let you know if it works..
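A name-based audit of a cipher string like the two posted above, as an added example that is not part of the thread or the OMV plugin. It classifies explicit OpenSSL suite names by key exchange (forward secrecy or not) and flags 3DES, and passes aliases such as EECDH+AESGCM through untouched because only OpenSSL itself can expand those; the sample string is a constructed subset of the list quoted above.

```python
import re
from typing import NamedTuple

# Constructed sample: a representative subset of the explicit suite list
# posted above, with the "!DSS" exclusion kept at the end.
SAMPLE_CIPHERS = ("ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:"
                  "DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-DES-CBC3-SHA:"
                  "AES128-GCM-SHA256:DES-CBC3-SHA:!DSS")

# Explicit suite names look like ECDHE-RSA-AES128-GCM-SHA256. Aliases
# (EECDH+AESGCM, HIGH) and exclusions (!DSS) need OpenSSL to expand them.
_SUITE_RE = re.compile(r"[A-Z0-9]+(?:-[A-Z0-9]+)+")

class Suite(NamedTuple):
    name: str
    key_exchange: str   # "ECDHE", "DHE" or "RSA" (static, no forward secrecy)
    forward_secret: bool
    triple_des: bool    # DES-CBC3 suites use a 64-bit block cipher

def classify(name: str) -> Suite:
    if name.startswith("ECDHE-"):
        kx = "ECDHE"
    elif name.startswith(("DHE-", "EDH-")):
        kx = "DHE"   # real strength also depends on the ssl_dhparam file,
    else:            # which the suite name alone cannot tell you
        kx = "RSA"
    return Suite(name, kx, kx != "RSA", "DES-CBC3" in name)

def _split(cipher_list: str):
    """Yield (token, Suite or None) for each ':'-separated entry."""
    for token in filter(None, cipher_list.split(":")):
        yield token, (classify(token) if _SUITE_RE.fullmatch(token) else None)

def audit(cipher_list: str) -> dict:
    """Report suites lacking forward secrecy or using 3DES, plus any
    aliases the name-based check could not expand."""
    suites = [s for _, s in _split(cipher_list) if s]
    return {
        "total": len(suites),
        "no_forward_secrecy": [s.name for s in suites if not s.forward_secret],
        "triple_des": [s.name for s in suites if s.triple_des],
        "unexpanded": [t for t, s in _split(cipher_list) if s is None],
    }

def hardened(cipher_list: str) -> str:
    """Same string with static-RSA and 3DES suites dropped; aliases and
    exclusions stay where they were."""
    return ":".join(t for t, s in _split(cipher_list)
                    if s is None or (s.forward_secret and not s.triple_des))
```

Run `audit()` on the full string from the post to see which entries would fail an ssllabs-style forward-secrecy check, and `hardened()` to get a value you can drop into OMV_NGINX_SITE_WEBGUI_SSL_CIPHERS.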
    • luxflow wrote:

      for RSA key length 4096, should have to change omv-letsencrypt to support it
      but not sure when that feature is released
      Maybe just use the renewal options to change it, or a conf include for custom user config?

      /etc/letsencrypt/renewal/*.conf
      [...]
      # Options used in the renewal process
      [renewalparams]
      rsa-key-size = 4096

      [...]


      By the way, have you heard about acme.sh? It's really awesome. Use it for work all the time. Perhaps you can snag some things from it for the OMV plugin.

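One way to apply the rsa-key-size change to a renewal file without losing its comments, as an added example that is not part of certbot or the OMV plugin. The key name and the [renewalparams] section follow the fragment above; certbot writes these files itself, so compare the key spelling with an existing file before relying on it. The sample conf is constructed.

```python
import re

# Constructed sample shaped like the fragment quoted above: a certbot
# renewal file with a [renewalparams] section but no rsa-key-size yet.
SAMPLE_CONF = """\
# renew_before_expiry = 30 days
archive_dir = /etc/letsencrypt/archive/example.invalid

# Options used in the renewal process
[renewalparams]
authenticator = webroot
"""

def _is_header(line: str) -> bool:
    s = line.strip()
    return s.startswith("[") and s.endswith("]")

def get_param(text: str, key: str, section: str = "renewalparams"):
    """Return the value of key inside [section], or None if absent."""
    in_section = False
    for line in text.splitlines():
        if _is_header(line):
            in_section = line.strip() == f"[{section}]"
        elif in_section:
            m = re.match(rf"\s*{re.escape(key)}\s*=\s*(.*?)\s*$", line)
            if m:
                return m.group(1)
    return None

def set_param(text: str, key: str, value: str, section: str = "renewalparams") -> str:
    """Set key = value inside [section], replacing an existing line or adding
    one; comments stay, and the section is appended if the file has none."""
    out, in_section, done = [], False, False
    key_re = re.compile(rf"\s*{re.escape(key)}\s*=")
    for line in text.splitlines():
        if _is_header(line):
            if in_section and not done:          # leaving the section
                out.append(f"{key} = {value}")
                done = True
            in_section = line.strip() == f"[{section}]"
        elif in_section and key_re.match(line):
            if done: continue                    # drop duplicate entries
            line, done = f"{key} = {value}", True
        out.append(line)
    if in_section and not done:                  # section was the last one
        out.append(f"{key} = {value}")
    elif not done:                               # no such section at all
        out += ["", f"[{section}]", f"{key} = {value}"]
    return "\n".join(out) + "\n"
```

Read each /etc/letsencrypt/renewal/*.conf, pass it through `set_param(text, "rsa-key-size", "4096")` and write it back; the new size applies at the next renewal, not to the certificate already on disk.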

    • I'm considering passing the --rsa-key-size argument whenever calling certbot.

      What concerns me is that changing the RSA key size to 4096 may drop support for older browsers.
      Also, as I don't think it is an urgent thing to be fixed, it will take time..
    • All cert information is stored at /etc/letsencrypt/,
      so the basic idea is to copy that folder to the other OMV.
      It can be done with scp or an rsync cronjob.

      But the problem is
      it copies only the cert files, it doesn't copy the OMV configuration,
      so you cannot see the cert in the OMV interface.

      So you have to make a script for adding the cert configuration for the OMV GUI.

      But I don't know why you want to use the same cert,
      so I cannot give you further advice.
    • luxflow wrote:

      why are you trying to copy cert not just using reverse proxy?
      just use omv-nginx

      like this..

      1st OMV as proxy server (https) <------------> services on 2nd OMV (http)
      |
      services on 1st OMV
      I'm using a reverse proxy (Sophos UTM) for external access, but I want to use the cert internally (DNS zone). It's working fine for omv01.

      tinh_x7 wrote:

      Bambuleee wrote:

      The cert is for 5 subdomains. I have different webservices on the omv instances and just want to use one certificate.
      Why don't you want to regenerate the cert on the new system? The new cert still has the same sub-domains with a longer expiration date.
      I will try. I thought it's not possible.

      Edit: works. thx


    • Hope anybody can help:

      When I generate the certificates for multiple domains, I get this error:

      >>> *************** Error ***************
      The configuration object 'conf.system.certificate.ssl' is referenced.
      <<< *************************************

      EDIT: Okay, just found this post. Shame :/

      luxflow wrote:

      to renew cert
      go schedule job -> omv-letsencrypt -> run
      HomeServer @ OMV 3.0.59 Erasmus:
      Intel i5-4590 / 8GB DDR3 / 30GB SSD OS / 2 x 4TB WD RED, 1 x 3 TB Seagate ST3000 / Fractal Design Node 304 white


    • tinh_x7 wrote:

      @luxflow,

      I'm looking in the /etc/letsencrypt/renewal/*.conf, but I don't see rsa-key-size = in there.
      I want to change the RSA key length to 4096.


      openmediavault-letsencrypt 3.2
      does it work with the key length 4096?
      omv 3.0.76 | 64 bit | omvextrasorg 3.4.25 | kernel 4.9
      used plugins: nginx | mysql | docker-gui | flashmemory |rsnapshot | antivirus | apt tool | letsEncrypt | fail2ban for omv-webgui/Nextcloud/emby
      used other: nextcloud | logitechmediaserver | emby