openmediavault-letsencrypt


    • I too hit the too many requests limit. Maybe you could add a test against the testing server that does not have a limit. Then we won't be banned for a week. Once that works we can switch to the real server.

      Hint
      During the beta phase, Let's Encrypt enforces strict rate limits on the number of certificates issued for one domain. It is recommended to initially use the test server via --test-cert until you get the desired certificates.
      From http://letsencrypt.readthedocs.org/en/latest/using.html

      Thanks

      If you make it idiot proof, somebody will build a better idiot.
    • mcloum wrote:

      Can you explain more about SNI proxy and how it works?

      Is this a plugin in OMV or something you installed manually?

      From what i understand LE is expecting a response for my subdomains on port 80, but as they are running on ports 9091, 8081 etc then its not getting a response? SNI proxy solves this?


      Server Name Indication is an extension to the TLS handshake. Clients can use it to put the server name in the cleartext part of the TLS handshake, so that the web server can use name-based virtual hosting for SSL too. In fact the web server could hold multiple certificates and present the right one to the client. Before that you needed different IPs for different SSL servers.
      SNI Proxy takes the idea a step further: instead of forwarding the request to the right virtual host, it can forward it to another server/port. HAProxy could do that too, but SNI Proxy seems to be more straightforward for this case. Typically you could also use nginx as a reverse proxy, but then you would need to configure SSL proxying in nginx. This has the benefit that you could redirect traffic also based on the complete URLs inside an SSL tunnel.

      I think he installed it manually; I couldn't find a plugin. Maybe there's also a Docker image for that.

      Yes, SNI Proxy can forward to 127.0.0.1:9091 etc based on host names.
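The routing decision described above, as an added example in Python (not code from the thread, from the plugin or from sniproxy itself): the proxy reads the server_name extension out of the cleartext ClientHello and picks a backend from a hostname table, without terminating TLS, so it can route on the name but never sees the URL inside the tunnel. The hostnames and backend ports are constructed for the example; the ClientHello builder exists only to produce an input offline.

```python
import struct

# Hostname -> backend table, constructed for this example. An SNI proxy keeps
# exactly this kind of mapping; the names and ports here are assumptions.
BACKENDS = {
    "nas.example.com": ("127.0.0.1", 443),
    "transmission.example.com": ("127.0.0.1", 9091),
    "owncloud.example.com": ("127.0.0.1", 8081),
}


def parse_sni(record: bytes):
    """Return the server_name from a TLS ClientHello record, or None.

    Only the handshake framing is walked; nothing is decrypted, because the
    extension sits in the cleartext part of the handshake.
    """
    try:
        if record[0] != 0x16:                      # not a TLS handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:                          # not a ClientHello
            return None
        pos = 4                                    # skip type(1) + length(3)
        pos += 2 + 32                              # client_version + random
        pos += 1 + hs[pos]                         # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + hs[pos]                         # compression_methods
        if pos + 2 > len(hs):
            return None                            # no extensions block at all
        ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            body = hs[pos:pos + ext_size]
            pos += ext_size
            if ext_type != 0x0000:                 # 0 == server_name
                continue
            # ServerNameList: list_len(2), then name_type(1) name_len(2) name
            lpos = 2
            while lpos + 3 <= len(body):
                name_type = body[lpos]
                name_len = struct.unpack("!H", body[lpos + 1:lpos + 3])[0]
                name = body[lpos + 3:lpos + 3 + name_len]
                if name_type == 0 and len(name) == name_len:
                    return name.decode("ascii")
                lpos += 3 + name_len
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                                # truncated or malformed


def route(record: bytes):
    """Backend (host, port) for this ClientHello, or None to reject it."""
    name = parse_sni(record)
    if name is None:
        return None
    return BACKENDS.get(name.lower())


def build_client_hello(server_name: str) -> bytes:
    """Minimal TLS 1.2-style ClientHello carrying one SNI entry (test input)."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    exts = struct.pack("!H", len(ext)) + ext
    body = (b"\x03\x03" + b"\x00" * 32        # client_version + random
            + b"\x00"                         # empty session_id
            + b"\x00\x02\x13\x01"             # one cipher suite
            + b"\x01\x00"                     # null compression only
            + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    for host in ("transmission.example.com", "unknown.example.com"):
        print(host, "->", route(build_client_hello(host)))
```

A record with no SNI (old clients, or a raw HTTP request arriving on the TLS port) routes to nothing; a real proxy needs an explicit fallback backend or must close the connection, and it should never fall through to "the first backend in the table".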
    • mcloum wrote:

      Can you explain more about SNI proxy and how it works?

      Is this a plugin in OMV or something you installed manually?

      From what i understand LE is expecting a response for my subdomains on port 80, but as they are running on ports 9091, 8081 etc then its not getting a response? SNI proxy solves this?

      I updated my second post in this thread with more details and a specific use case. There is no plugin for OMV; I compiled the source, but the binaries are listed as well.
      To your last question: yes, SNI Proxy will allow you to resolve all your authentication requests from LE on a single domain, port and webroot.

      donh wrote:

      I too hit the too many request limit. Maybe you could add a test against the testing server that does not have a limit. Then we wont be banned for a week. Once that works we can switch to the real server.


      A testing switch is available in the latest version now found in the omv-extras repo

      tinh_x7 wrote:

      With the updated LE plug-in, where do I find the path for WebRoot at?

      It should already be populated, was it not?
      For OMV it is /var/www/openmediavault/
      If you are looking for the webroot for whatever service is running on port 443 or 80 you will need to do some investigation. Think of it this way. If you were to go to yourdomain.tld/webroot.html then on your filesystem there would be a file:
      /var/www/someservice/webroot.html
      The /var/www/someservice is your webroot, the root folder of your web service.
    • tinh_x7 wrote:

      It isn't populated.
      I'm using LE for ownCloud, not OMV.
      So my webroot should be /media/54bf67db-da31-4c50-bb3c-27140944b223/www/owncloud ?
      What if I want to use LE for both OMV and OC?


      Correct, your webroot is /media/54bf67db-da31-4c50-bb3c-27140944b223/www/owncloud

      Check out my second post in this thread; I elaborated on how to use SNI Proxy, which will allow you to authenticate all of your Let's Encrypt certificates from a single location on your file system.
    • I got this error.
      By the way, where do I see LE's log?

      Edit: If I don't include my main domain in the cert, then it generated fine.
      I don't understand why it wouldn't allow me to include my main domain in it.
      [Image: Le failed.png]
      OMV v3.0
      Asus Z97-A/3.1; i3-4370
      32GB RAM Corsair Vengeance Pro
      4x3TB RAID10


    • tinh_x7 wrote:

      I got this error.
      By the way, where do I see LE's log?

      Edit: If I don't include my main domain in the cert, then it generated fine.
      I don't understand why it wouldn't allow me to include my main domain in it.

      Logs: /var/log/letsencrypt

      What is the IP of your domain, what is the IP of the subdomain?
      Are they the same?
      Do they take you to the same part of your website? Probably not. Look at where your authorization files are being placed. They are going in the same directory, but your subdomain and domain are hosted from different directories. You will need to wait until the plugin supports multiple webroots or until you set up the SNI Proxy like I explained before.
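To make the failure mode above concrete, an added example (not the plugin's code, and not from the thread) that simulates what the CA does for an HTTP-01 challenge: for every name in the certificate it fetches /.well-known/acme-challenge/<token> from whatever document root the web server actually serves for that name. A webroot plugin with one webroot setting writes the file into one directory only, so a name served from another directory fails. The directories, token and key authorization are constructed and live in a temporary directory; the third scenario models the single-location approach (one directory serving the challenge path for every name).

```python
import os
import re
import tempfile

ACME_DIR = os.path.join(".well-known", "acme-challenge")
# ACME tokens are base64url; anything else (".." or "/") must not reach the
# file system, or a hostile token becomes a path-traversal write.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def is_safe_token(token: str) -> bool:
    return bool(TOKEN_RE.match(token))


def place_challenge(webroot: str, token: str, key_authz: str) -> str:
    """Write the challenge file the way a webroot-style client does."""
    if not is_safe_token(token):
        raise ValueError("refusing token that is not base64url: %r" % token)
    directory = os.path.join(webroot, ACME_DIR)
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, token)
    with open(path, "w") as fh:
        fh.write(key_authz)
    return path


def simulate_validation(vhosts: dict, token: str, key_authz: str) -> dict:
    """Mimic the CA: GET http://<name>/.well-known/acme-challenge/<token>
    for every name, answered from the document root the web server maps
    that name to. Returns {name: validated?}."""
    results = {}
    for name, docroot in vhosts.items():
        path = os.path.join(docroot, ACME_DIR, token)
        try:
            with open(path) as fh:
                results[name] = fh.read() == key_authz
        except FileNotFoundError:
            results[name] = False
    return results


def demo():
    base = tempfile.mkdtemp(prefix="acme-demo-")
    omv_root = os.path.join(base, "var", "www", "openmediavault")
    oc_root = os.path.join(base, "www", "owncloud")
    shared_root = os.path.join(base, "acme-shared")
    token = "constructed-token-0123"                  # constructed value
    key_authz = token + ".constructed-account-thumbprint"

    # 1) One webroot setting, but the two names are served from different roots
    vhosts = {"example.com": omv_root, "cloud.example.com": oc_root}
    place_challenge(omv_root, token, key_authz)
    single = simulate_validation(vhosts, token, key_authz)

    # 2) Same layout, file placed under every root (what "multiple webroots" means)
    place_challenge(oc_root, token, key_authz)
    multi = simulate_validation(vhosts, token, key_authz)

    # 3) Every name's challenge path is served from one shared directory,
    #    so a single webroot is enough
    shared_vhosts = {"example.com": shared_root, "cloud.example.com": shared_root}
    place_challenge(shared_root, token, key_authz)
    shared = simulate_validation(shared_vhosts, token, key_authz)
    return single, multi, shared


if __name__ == "__main__":
    for label, result in zip(("single webroot", "per-root files", "shared dir"), demo()):
        print(label, result)
```

Scenario 1 is the thread's situation: the file lands under the OMV webroot, so example.com validates and cloud.example.com does not, and the whole certificate request fails because every name must validate. It also does not cover the case where the two names resolve to different machines, where no webroot choice on one host can help.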
    • Please revise the creation of cron jobs; I finished with 3 jobs.

      Can I delete 2 of them?
      forum.openmediavault.org/index…d89332287efe6084ff87754e8
      [Image: 2.jpg]
      OMV 3.0.88 x64 on a HP T510, 8GB CF as Boot Disk & 32GB SSD 2,5" disk for Data, 4 GB RAM, CPU VIA EDEN X2 U4200 is x64 at 1GHz

      Post: HPT510 SlimNAS ; HOWTO Install Pi-Hole ; HOWTO install MLDonkey ; HOHTO Install ZFS-Plugin ; OMV_OldGUI ; ShellinaBOX ;
    • tinh_x7 wrote:

      My IP is dynamic, that's why I'm using DDNS.
      No, my domain, and my subdomain are on different hosts with different IPs.

      That is why you cannot authenticate both of your certs. You will have to use Lets Encrypt on each machine individually.

      raulfg3 wrote:

      Please revise the creation of cron jobs; I finished with 3 jobs.

      Can I delete 2 of them?
      forum.openmediavault.org/index…d89332287efe6084ff87754e8

      I was worried about this. I will have to investigate a way of making it more robust.

      What did you do to get multiple crons? Did you reinstall the plugin multiple times? Any info will help.

      Make a backup of /etc/openmediavault/config.xml
      Open /etc/openmediavault/config.xml navigate to /config/services/letsencrypt (Good chance it's on the bottom of the file if it's the last plugin you installed).
      Search for references to the cron_uuid, e.g. <cron_uuid>422a5cd7-008f-46e7-9ce8-b874271b5e50</cron_uuid>; in vi, just press # with the cursor on it.
      Delete the <job>..</job> sections that do not refer to the cron_uuid you found previously and contain the command for omv-letsencrypt.
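The manual cleanup described in the post, done as an added example script rather than by hand in vi (this is not the plugin's code). It reads the cron_uuid from /config/services/letsencrypt and drops every crontab job whose command mentions omv-letsencrypt but whose uuid differs. The config.xml excerpt is constructed; the location of the jobs under /config/system/crontab/job, and the element names inside a job, are assumptions about OMV's layout that you should confirm against your own file before running anything against it. The uuid 422a5cd7-… is the one quoted in the post.

```python
import shutil
import xml.etree.ElementTree as ET

# Constructed config.xml excerpt (assumed layout, see lead-in).
SAMPLE_CONFIG = """<?xml version="1.0"?>
<config>
  <system>
    <crontab>
      <job>
        <uuid>422a5cd7-008f-46e7-9ce8-b874271b5e50</uuid>
        <enable>1</enable>
        <command>omv-letsencrypt</command>
      </job>
      <job>
        <uuid>11111111-1111-1111-1111-111111111111</uuid>
        <enable>1</enable>
        <command>omv-letsencrypt</command>
      </job>
      <job>
        <uuid>22222222-2222-2222-2222-222222222222</uuid>
        <enable>1</enable>
        <command>/usr/local/bin/backup.sh</command>
      </job>
    </crontab>
  </system>
  <services>
    <letsencrypt>
      <cron_uuid>422a5cd7-008f-46e7-9ce8-b874271b5e50</cron_uuid>
    </letsencrypt>
  </services>
</config>
"""


def prune_duplicate_jobs(xml_text: str, marker: str = "omv-letsencrypt"):
    """Remove every crontab <job> whose command mentions `marker` but whose
    <uuid> is not the one recorded in services/letsencrypt/cron_uuid.
    Unrelated jobs are never touched. Returns (new_xml, kept, removed)."""
    root = ET.fromstring(xml_text)
    keep = (root.findtext("services/letsencrypt/cron_uuid") or "").strip()
    if not keep:
        raise ValueError("no services/letsencrypt/cron_uuid in config")
    crontab = root.find("system/crontab")
    if crontab is None:
        raise ValueError("no system/crontab section in config")
    kept, removed = [], []
    for job in list(crontab.findall("job")):
        uuid = (job.findtext("uuid") or "").strip()
        command = job.findtext("command") or ""
        if marker in command and uuid != keep:
            crontab.remove(job)
            removed.append(uuid)
        else:
            kept.append(uuid)
    if keep not in kept:
        # The plugin's own job is missing: refuse rather than leave no job at all.
        raise ValueError("cron_uuid %s has no matching job" % keep)
    return ET.tostring(root, encoding="unicode"), kept, removed


def prune_config_file(path: str = "/etc/openmediavault/config.xml"):
    """Back up, then rewrite, the real file. Try prune_duplicate_jobs on a
    copy first and read its output before calling this."""
    shutil.copy2(path, path + ".bak")
    with open(path) as fh:
        new_xml, kept, removed = prune_duplicate_jobs(fh.read())
    with open(path, "w") as fh:
        fh.write(new_xml)
    return kept, removed


if __name__ == "__main__":
    _, kept, removed = prune_duplicate_jobs(SAMPLE_CONFIG)
    print("kept:", kept)
    print("removed:", removed)
```

config.xml is OMV's configuration database, not the live crontab; after editing it the cron files still have to be regenerated by OMV (re-applying the configuration), and the backup step in the post is what lets you undo a wrong match.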
    • What did you do to get multiple crons?
      Not totally sure. If I remember well, I first enabled test mode and checked that it works, then disabled test mode and generated the cert, but this time it failed (or at least I think so), and finally I pushed one more time to generate the cert.

      I attach my 3 last logs; perhaps they can help to determine the problem.

      forum.openmediavault.org/index…d89332287efe6084ff87754e8
      [Attachment: letsencrypt.zip]
    • I got multiple crons also.
      Whenever LE fails to generate the certs, or if you re-install the plugin, then you'll get duplicate cron jobs.
      I also noticed that if I uninstall the plugin, re-install it, then regenerate the certs, the expiration date stays the same.
      I thought it was supposed to extend the expiration date.

    • tinh_x7 wrote:

      I got multiple crons also.
      Whenever LE fails to generate the certs, or if you re-install the plugin, then you'll get duplicate cron jobs.
      I also noticed that if I uninstall the plugin, re-install it, then regenerate the certs, the expiration date stays the same.
      I thought it was supposed to extend the expiration date.

      Currently crons are not being uninstalled. I will fix that in the next release.
      Regenerating certs does not give you a new expiration date because I have the flag --keep-until-expiring on the letsencrypt process to prevent certs from being regenerated when it is not needed. If you really want new certs you will need to delete the /etc/letsencrypt folder.
    • Hi,

      I tried to get a signed certificate for 2 of my DDNS domains (dedyn and myds from Synology; I specifically didn't try no-ip) and none got a real issuer (always "happy hacker fake CA"). I found jeremyfelt.com/2015/11/12/my-first-lets-encrypt-certificate/ and here is one interesting thing.
      "happy hacker fake CA" is the issuer used in our staging/testing server. This is what the Let's Encrypt client currently uses when you don't specify a different server using the --server option like you did in the original post. Because of this, I believe the --server flag was not included when you ran the client. Try running the client again, but make sure you include the --server option from your original post.


      The production server, according to the reference on the mentioned web page, is acme-v01.api.letsencrypt.org/directory
      The plugin is not using the --server option, and inside /etc/letsencrypt/account/ I found that all activity happens with the staging/testing server.

      Might this be the reason why my certificates are not "real"?

      About multiple crons: it looks like a new cron is created every time I change something in the plugin settings and apply the changes (the first time I filled in the data, turned on "Test certificate" and saved/applied the changes, then I turned off "Test certificate" and saved/applied the changes. Finally I got 2 crons).

      Thanks for the valued plugin. Hope it will work for me in the near future.