openmediavault-letsencrypt

    • OMV 3.x
    • I have upgraded from OMV 3.x to 4.x, and Let's Encrypt used to work, but now it doesn't.

      I have tried everything 5 times: Forwarding ports, reinstalling plugin, updating everything incl. OMV-Extras, running apt clean, checking DNS-settings, asking nicely, yelling at my monitor. Nothing helps. I just get this message every time:

      Command: export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin; export LANG=C; /usr/bin/certbot certonly --non-interactive --rsa-key-size 2048 --text --keep-until-expiring --agree-tos --allow-subset-of-names --cert-name MYDOMAIN.COM-cert --email MY@MAIL.COM --webroot -w /var/www/openmediavault -d MYDOMAIN.COM 2>&1
      Saving debug log to /var/log/letsencrypt/letsencrypt.log
      Plugins selected: Authenticator webroot, Installer None
      Obtaining a new certificate
      Performing the following challenges:
      http-01 challenge for MYDOMAIN.COM
      Using the webroot path /var/www/openmediavault for all unmatched domains.
      Waiting for verification...
      Challenge failed for domain MYDOMAIN.COM
      Cleaning up challenges
      Challenges failed for all domains
      Done...

      I'm not good at using Linux, I have SSH-access but mainly use OMV WebUI.
      Any suggestions? Thank you ;)
    • Hi,

      I am on OMV 4.x, I don't have the "Test Certificate" button enabled, certbot is running fine, BUT ...

      Certificate in Tab "SSL" does NOT get renewed - it also tells me an old date in the comment: "LetsEncrypt - home.stockinger.name (20180911)"

      When I look directly into the corresponding directories, I see that there are new certificates in the letsencrypt directory (dated 29th of Dec), but in the OMV cert and key directories they are still from 11th of Sept.

      ls /etc/letsencrypt/live/home.stockinger.name -al
      lrwxrwxrwx 1 root root 45 Dez 29 14:26 cert.pem -> ../../archive/home.stockinger.name/cert13.pem
      lrwxrwxrwx 1 root root 46 Dez 29 14:26 chain.pem -> ../../archive/home.stockinger.name/chain13.pem
      lrwxrwxrwx 1 root root 50 Dez 29 14:26 fullchain.pem -> ../../archive/home.stockinger.name/fullchain13.pem
      lrwxrwxrwx 1 root root 48 Dez 29 14:26 privkey.pem -> ../../archive/home.stockinger.name/privkey13.pe

      ls /etc/ssl/certs/openmediavault-* -al
      -rw-r--r-- 1 root root 1826 Sep 11 14:21 /etc/ssl/certs/openmediavault-54f42090-ca0b-4565-976a-d6e42b2c1203.crt
      -rw-r--r-- 1 root root 3875 Sep 11 14:21 /etc/ssl/certs/openmediavault-7f34f58c-3f7c-4866-a209-4492770c7754.crt

      ls /etc/ssl/private/openmediavault-* -al
      -rw-r----- 1 root root 3272 Sep 11 14:21 /etc/ssl/private/openmediavault-54f42090-ca0b-4565-976a-d6e42b2c1203.key
      -rw-r----- 1 root root 1704 Sep 11 14:21 /etc/ssl/private/openmediavault-7f34f58c-3f7c-4866-a209-4492770c7754.key

      I also cannot find anything in the logs:

      letsencrypt.log

      Last lines after renewal:

      2018-12-29 14:26:05,722:DEBUG:certbot.storage:Writing new private key to /etc/letsencrypt/archive/home.stockinger.name/privkey13.pem.
      2018-12-29 14:26:05,723:DEBUG:certbot.storage:Writing certificate to /etc/letsencrypt/archive/home.stockinger.name/cert13.pem.
      2018-12-29 14:26:05,723:DEBUG:certbot.storage:Writing chain to /etc/letsencrypt/archive/home.stockinger.name/chain13.pem.
      2018-12-29 14:26:05,723:DEBUG:certbot.storage:Writing full chain to /etc/letsencrypt/archive/home.stockinger.name/fullchain13.pem.
      2018-12-29 14:26:05,749:DEBUG:certbot.storage:Writing new config /etc/letsencrypt/renewal/home.stockinger.name.conf.new.
      2018-12-29 14:26:05,795:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
      2018-12-29 14:26:05,796:DEBUG:certbot.renewal:no renewal failures

      syslog (no trace of a call to Certificate Management at that time):

      Dec 29 14:25:53 datacenter systemd[1]: Starting Certbot...
      Dec 29 14:26:05 datacenter systemd[1]: Started Certbot.
      Dec 29 14:26:05 datacenter systemd[1]: certbot.timer: Adding 2h 21min 55.240251s random time.
      Dec 29 14:26:05 datacenter systemd[1]: certbot.timer: Adding 1h 48min 51.393595s random time.


      Here is the output for the generated key, which has a different UUID - so the old one was not replaced.
      omv-showkey letsencrypt

      <letsencrypt>
        <enable>1</enable>
        <test_cert>0</test_cert>
        <email>gerald@stockinger.name</email>
        <name>home.stockinger.name</name>
        <certuuid>7f34f58c-3f7c-4866-a209-4492770c7754</certuuid>
        <keylength>2048</keylength>
        <extraoptions/>
        <domains>
          <domain>
            <uuid>c1ceba72-82d4-436e-b8e3-25fbac4c63f4</uuid>
            <domain>home.stockinger.name,ftp.stockinger.name,share.stockinger.name</domain>
            <webroot>/media/c8529c27-fd7a-4cd9-abf6-64d26c7489c2/Applications/www/home/public</webroot>
          </domain>
        </domains>
      </letsencrypt>


      Any ideas?

      Thx, Gerald
    • joaquinain wrote:

      Now if I change this port to another of my liking, when I have to renew the certificate will I have problems?
      Yes.
      omv 4.1.19 arrakis | 64 bit | 4.15 proxmox kernel | omvextrasorg 4.1.15
      omv-extras.org plugins source code and issue tracker - github

      Please read this before posting a question and this and this for docker questions.
      Please don't PM for support... Too many PMs!
    • joaquinain wrote:

      I guess I need port 80 to be open to keep the certificate OK, right?
      No, you just need it open to renew the cert. If you manually open the port and renew it, you wouldn't need to keep it open all the time.
    • I have an issue with my letsencrypt: at every renewal I have the problem that the cert gets renewed, but the older one is kept in use by nginx. I need to apply a self-signed one to nginx, manually delete the letsencrypt cert in the cert organisation of OMV and then try to renew the letsencrypt cert. It says that the cert is already up to date and then lists the new letsencrypt cert in OMV so that I can use it in nginx.

      Is there a way to automatically replace the cert in OMV & nginx with the new one when it gets renewed automatically?
      Chaos is found in greatest abundance wherever order is being sought.
      It always defeats order, because it is better organized.
      Terry Pratchett
    • riff-raff wrote:

      Is there a way to automatically replace the cert in OMV & nginx with the new one when it gets renewed automatically?
      The OMV 4.x version of the plugin is supposed to do this.
    • I would like to point out that I have the same problem as riff-raff and I have been using OMV 4.0 as well for some time.

      I described my problem a few posts above - maybe my explanation had too many details and was therefore confusing ...

      Result is the same: Letsencrypt gets a new certificate but OMV does not use it. Need to manually delete it in OMV Frontend and then renew.
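
The symptom reported in this thread (certbot writes a new certificate under /etc/letsencrypt/live/ while the openmediavault-<uuid>.crt files keep the old one) can be checked without relying on file dates. The script below is an added example, not part of the plugin or of any post above; the function names are made up here, the default directory is the one from the listings in the thread, and the demo uses constructed placeholder PEM bodies rather than real certificates.

```shell
#!/bin/sh
# Added example, not plugin code. Default path follows the listings quoted in the thread.

# Base64 body of the first certificate in a PEM file (the leaf), whitespace removed.
first_cert() {
    awk '/-----BEGIN CERTIFICATE-----/ { on = 1; next }
         /-----END CERTIFICATE-----/   { exit }
         on { gsub(/[ \t\r]/, ""); printf "%s", $0 }' "$1"
}

# cert_state LIVE DEPLOYED: prints match, stale or unreadable.
# Comparing only the first block works whether DEPLOYED holds the leaf or a full chain.
cert_state() {
    [ -r "$1" ] && [ -r "$2" ] || { echo unreadable; return 0; }
    want=$(first_cert "$1"); have=$(first_cert "$2")
    [ -n "$want" ] && [ -n "$have" ] || { echo unreadable; return 0; }
    if [ "$want" = "$have" ]; then echo match; else echo stale; fi
}

# report LIVE [DIR]: one line per OMV-managed certificate file in DIR.
report() {
    for crt in "${2:-/etc/ssl/certs}"/openmediavault-*.crt; do
        [ -e "$crt" ] || continue
        printf '%s  %s\n' "$(cert_state "$1" "$crt")" "${crt##*/}"
    done
}

# demo: runs report over constructed files (placeholder bodies, not real certificates).
demo() {
    tmp=$(mktemp -d)
    pem() { printf '%s\n' '-----BEGIN CERTIFICATE-----' "$1" '-----END CERTIFICATE-----'; }
    pem TkVXLUxFQUY= > "$tmp/cert.pem"
    { pem TkVXLUxFQUY=; pem Q0hBSU4=; } > "$tmp/openmediavault-renewed.crt"
    pem T0xELUxFQUY= > "$tmp/openmediavault-old.crt"
    report "$tmp/cert.pem" "$tmp"
    rm -rf "$tmp"
}

case "${1:-}" in
    "")   ;;                                   # sourced or run without arguments
    demo) demo ;;
    *)    report "$1" "${2:-/etc/ssl/certs}" ;;
esac
```

Run it with the path to the live cert.pem as the first argument; a `stale` line for the file whose UUID matches `<certuuid>` in the `omv-showkey letsencrypt` output means OMV still holds a different leaf certificate than the one certbot last issued. OMV certificates that have nothing to do with Let's Encrypt will also be reported as `stale`.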