openmediavault-letsencrypt

  • you can change chiper for omv web gui as you want (see here)
    so you just add OMV_NGINX_SITE_WEBGUI_SSL_CIPHERS="EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH" in /etc/default/openmediavault
    not to use DH keys


    for RSA key length 4096, should have to chnage omv-letsencrypt to support it
    but not sure when that feature is released

    OMV3 on Proxmox
    Intel E3-1245 v5 | 32GB ECC RAM | 4x3TB RAID10 HDD
    omv-zfs | omv-nginx | omv-letsencrypt | omv-openvpn
    Click link for more details

  • you can change cipher for omv web gui as you want (see here)
    so you just add OMV_NGINX_SITE_WEBGUI_SSL_CIPHERS="EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH" in /etc/default/openmediavault
    not to use DH keys

    It's not about not using DH, it's about using the right ones. See a favored nginx A+ ssllabs rated config here.


    OMV_NGINX_SITE_WEBGUI_SSL_CIPHERS="ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"
    but I have it on a debian wheezy machine, with;


    nginx version: nginx/1.11.3
    built by gcc 4.7.2 (Debian 4.7.2-5)
    built with OpenSSL 1.0.1e 11 Feb 2013 (running with OpenSSL 1.0.1t 3 May 2016)
    TLS SNI support enabled
    configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_perl_module=dynamic --add-dynamic-module=debian/extra/njs-0.1.0/nginx --with-threads --with-stream --with-stream_ssl_module --with-stream_geoip_module=dynamic --with-http_slice_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --with-http_v2_module --with-cc-opt='-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-z,relro -Wl,--as-needed'


    while OMV3 runs;



    nginx version: nginx/1.6.2
    TLS SNI support enabled
    configure arguments: --with-cc-opt='-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2' --with-ld-opt=-Wl,-z,relro --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_addition_module --with-http_dav_module --with-http_geoip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_spdy_module --with-http_sub_module --with-http_xslt_module --with-mail --with-mail_ssl_module --add-module=/build/nginx-AGNHOe/nginx-1.6.2/debian/modules/nginx-auth-pam --add-module=/build/nginx-AGNHOe/nginx-1.6.2/debian/modules/nginx-dav-ext-module --add-module=/build/nginx-AGNHOe/nginx-1.6.2/debian/modules/nginx-echo --add-module=/build/nginx-AGNHOe/nginx-1.6.2/debian/modules/nginx-upstream-fair --add-module=/build/nginx-AGNHOe/nginx-1.6.2/debian/modules/ngx_http_substitutions_filter_module


    so I'll let you know if it works..

  • for RSA key length 4096, should have to change omv-letsencrypt to support it
    but not sure when that feature is released

    Maybe just use the renewal options to change it, or a conf include for custom user config?


    /etc/letsencrypt/renewal/*.conf
    [...]
    # Options used in the renewal process
    [renewalparams]
    rsa-key-size = 4096

    [...]



    By the way, have you heard about acme.sh? It's really awesome. Use it for work all the time. Perhaps you can snag some things from it for the OMV plugin.

  • I'm considering passing --rsa-key-size argument whenever calling certbot


    What I concern is that changing rsa key size 4096 may be drop supports for older browser
    also as I don't think it is urgent thing to be fixed. it will takes time..

    OMV3 on Proxmox
    Intel E3-1245 v5 | 32GB ECC RAM | 4x3TB RAID10 HDD
    omv-zfs | omv-nginx | omv-letsencrypt | omv-openvpn
    Click link for more details

  • all cert information is stored at /etc/letsencrypt/
    so basic idea is copy that folder to the other omv
    it can be done with scp, or rsync cronjob


    but problem is
    it copy only cert file, don't copy omv configuration
    so you cannot see cert in omv interface


    so you have to make script for adding cert configuration for omv gui


    but don't know why you want to use same cert
    so I cannot give you advice further

    OMV3 on Proxmox
    Intel E3-1245 v5 | 32GB ECC RAM | 4x3TB RAID10 HDD
    omv-zfs | omv-nginx | omv-letsencrypt | omv-openvpn
    Click link for more details

  • why are you trying to copy cert not just using reverse proxy?
    just use omv-nginx


    like this..


    1st OMV as proxy server (https) <------------> services on 2nd OMV (http)
    |
    services on 1st OMV

    OMV3 on Proxmox
    Intel E3-1245 v5 | 32GB ECC RAM | 4x3TB RAID10 HDD
    omv-zfs | omv-nginx | omv-letsencrypt | omv-openvpn
    Click link for more details

  • The cert is for 5 subdomains. I have different webservices on the omv instances and just want to use one certificate.

    Why you don't want to regenerate the cert on the new system?
    The new cert still have the same sub-domains with longer expiration date.

    OMV v5.0
    Asus Z97-A/3.1; i3-4370
    32GB RAM Corsair Vengeance Pro

  • I'm unsing a reverse proxy (sophos utm) for external access, but I want to use the cert internal (dns zone), It's working fine for omv01.

    Why you don't want to regenerate the cert on the new system?The new cert still have the same sub-domains with longer expiration date.

    I will try. I though it's not possible.


    Edit: works. thx

  • Hope anybody can help:


    When i generate the certifacates for multiple domains, i geht this error


    Code
    >>> *************** Error ***************
    The configuration object 'conf.system.certificate.ssl' is referenced.
    <<< *************************************

    EDIT: Okay,just find this post. shame :/


    to renew cert
    go schedule job -> omv-letsencrypt -> run

    OMV3.X
    Intel i5-4590 / 8GB DDR3 / 30GB SSD OS / 3 x 4TB WD RED / Fractal Design Node 304 white

    Einmal editiert, zuletzt von ed3ln1ce ()

  • does it work with the key length 4096?

    omv 6.x | 64 bit | omvextrasorg 6.x |
    used plugins: omv-extras | portainer | rsnapshot | antivirus
    used container: portainer/portainer | nextcloud/all-in-one | linuxserver/swag | paperless-ngx | jellyfin/jellyfin | lmscommunity/logitechmediaserver | adguard/adguardhome |

Jetzt mitmachen!

Sie haben noch kein Benutzerkonto auf unserer Seite? Registrieren Sie sich kostenlos und nehmen Sie an unserer Community teil!