openmediavault-letsencrypt

    • OMV 3.x


    • Don't know which update gave me this, but:

      root@dunder:~# omv-letsencrypt
      Generating New Certificates
      Getting certificates from /etc/letsencrypt/live/****.com/
      Updating letsencrypt and virtual environment dependencies...You are using pip version 7.1.2, however version 8.0.2 is available.
      You should consider upgrading via the 'pip install --upgrade pip' command.
      ...
      Requesting root privileges to run with virtualenv: /root/.local/share/letsencrypt/bin/letsencrypt certonly --webroot -w --text --keep-until-expiring --agree-tos --expand --email joel.kaberg@gmail.com -d ****.com -d www.****.com
      usage:
      letsencrypt-auto [SUBCOMMAND] [options] [-d domain] [-d domain] ...

      The Let's Encrypt agent can obtain and install HTTPS/TLS/SSL certificates. By
      default, it will attempt to use a webserver both for obtaining and installing
      the cert. Major SUBCOMMANDS are:

      (default) run Obtain & install a cert in your current webserver
      certonly Obtain cert, but do not install it (aka "auth")
      install Install a previously obtained cert in a server
      revoke Revoke a previously obtained certificate
      rollback Rollback server configuration changes made during install
      config_changes Show changes made to server config during installation
      plugins Display information about installed plugins
      letsencrypt: error: argument -w/--webroot-path: expected one argument
      ERROR: The params argument is no valid JSON
      Applying Configuration Changes
    • ACME DNS-01 Challenge!!!! AT LAST!

      This is VERY important!

      Last January 20th Let's Encrypt put into production the long-expected ACME DNS challenge, where people like me who CAN'T open ports 80 or 443 (damn ISP) are now eligible to validate the domain via a DNS TXT record. It's actually MUCH easier than opening ports on my server.

      Official Let's Encrypt announcement: twitter.com/letsencrypt/status/689919523164721152

      Example of a shell-script client that supports it: github.com/lukas2511/letsencrypt.sh/blob/master/README.md
      Others: community.letsencrypt.org/t/li…ient-implementations/2103
      Example of a hook (auxiliary script used by letsencrypt.sh above):

      PLEASE look into this!
      I've generated mine manually today, but having it as a plugin would be MUCH better, because Let's Encrypt certificates expire every 90 days.

      Thanks a lot!
    • papka__ wrote:

      But there were no errors during generation. And actually I have no idea what I should change. It's 3 fields: domain/e-mail/webroot. All of them contain correct values (the e-mail is used for the account only, for webroot I used the default value). Any ideas?

      I've seen the happy hacker ca root cert before. I'm still struggling to figure out why this happens. I know it happens when a cert is acquired from the Let's Encrypt Test server; however, the plugin never changes what server the cert is acquired from. The Test option just tells LE to do a dry run and not generate a certificate. I'm still investigating but I am still unsure.
      My best suggestion is to completely uninstall the plugin and manually delete /etc/letsencrypt and /opt/letsencrypt

      jkaberg wrote:

      Don't know which update gave me this, but:

      Your webroot parameter is not filled out. It should be /var/www/openmediavault

      anderbytes wrote:

      Last January 20th Let's Encrypt put into production the long-expected ACME DNS challenge, where people like me who CAN'T open ports 80 or 443 (damn ISP) are now eligible to validate the domain via a DNS TXT record. It's actually MUCH easier than opening ports on my server.

      Thank you for this information. I will look into getting it added to the plugin ASAP.
    • fubz wrote:

      I've seen the happy hacker ca root cert before. I'm still struggling to figure out why this happens. I know it happens when a cert is acquired from the Let's Encrypt Test server; however, the plugin never changes what server the cert is acquired from. The Test option just tells LE to do a dry run and not generate a certificate. I'm still investigating but I am still unsure. My best suggestion is to completely uninstall the plugin and manually delete /etc/letsencrypt and /opt/letsencrypt

      I will try today. Before, I tried to reinstall and removed only /etc/letsencrypt.

      fubz wrote:

      Your webroot parameter is not filled out. It should be /var/www/openmediavault

      I set webroot to /var/www/openmediavault, but got the same error.
    • Web server exactly on default path. :(

      Tried to reinstall, removing from /etc and /opt. Nothing changed.

      Issuer: CN=happy hacker fake CA
      .....
      Authority Information Access:
      OCSP - URI:http://ocsp.staging-x1.letsencrypt.org/
      CA Issuers - URI:http://cert.staging-x1.letsencrypt.org/


      Have no idea why it's not working....
      This happens when I run "Generate certificate":

      Updating letsencrypt and virtual environment dependencies......
      Requesting root privileges to run with virtualenv: ~/.local/share/letsencrypt/bin/letsencrypt certonly --webroot -w /var/www/openmediavault/ --text --keep-until-expiring --agree-tos --expand --email {my mail} -d {my domain}
      IMPORTANT NOTES:
      - If you like Let's Encrypt, please consider supporting our work by:
      Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
      Donating to EFF: https://eff.org/donate-le
      Done...

      And this happens when the cron job runs:

      Generating New Certificates
      Getting certificates from /etc/letsencrypt/live/{my domain}/
      Updating letsencrypt and virtual environment dependencies......
      Requesting root privileges to run with virtualenv: /root/.local/share/letsencrypt/bin/letsencrypt certonly --webroot -w /var/www/openmediavault/ --text --keep-until-expiring --agree-tos --expand --email {my mail} -d {my domain}
      IMPORTANT NOTES:
      - If you like Let's Encrypt, please consider supporting our work by:
      Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
      Donating to EFF: https://eff.org/donate-le
      ERROR: The params argument is no valid JSON
      Applying Configuration Changes

      Same commands, but a different result.


    • According to letsencrypt.github.io/acme-spec/#simple-http, when doing the acme-challenge one could set tls to true, and that would make the Let's Encrypt server run the challenge over HTTPS:

      {
        "type": "simpleHttp",
        "tls": false
      }
      /* Signed as JWS */

      So if one could do that (with the plugin), you could then set up a default landing page with HTTPS via the nginx websites plugin (and change the letsencrypt webroot to wherever the landing page's root is).

      How about that? No need for an SNI proxy.

      PS: This is a feature request (acme-challenge over HTTPS instead of HTTP).
    • Finally, problem found! Actually, if you want to get a correct certificate, you shouldn't try "Test certificate". Once you have tried it, you will always get connected to the wrong (staging) server.
      So the sequence should be: install plugin / provide email, webroot, enable monthly update, do not enable "Test certificate", apply changes / generate certificate. And no happy hacker on the horizon. :)
      Hope this helps somebody.
    • Well, getting this error now:

      Updating letsencrypt and virtual environment dependencies......
      Requesting root privileges to run with virtualenv: ~/.local/share/letsencrypt/bin/letsencrypt certonly --webroot -w /media/xfiles/www --text --keep-until-expiring --agree-tos --expand --email xxxx@xxxx.com -d xxx.com -d www.xxx.com -d omv.xxx.com -d sbox.xxx.com
      >>> *************** Error ***************
      The configuration object is in use
      <<< *************************************
      >>> *************** Error ***************
      The configuration object is in use
      <<< *************************************
      >>> *************** Error ***************
      The configuration object is in use
      <<< *************************************
      >>> *************** Error ***************
      The configuration object is in use
      <<< *************************************
      >>> *************** Error ***************
      The configuration object is in use
      <<< *************************************
      >>> *************** Error ***************
      The configuration object is in use
      <<< *************************************

      Running from CLI:

      Generating New Certificates
      Getting certificates from /etc/letsencrypt/live/xxx.com/
      Updating letsencrypt and virtual environment dependencies......
      Requesting root privileges to run with virtualenv: /root/.local/share/letsencrypt/bin/letsencrypt certonly --webroot -w /media/xfiles/www --text --keep-until-expiring --agree-tos --expand --email xxxx@xxxx.com -d xxx.com -d www.xxx.com -d omv.xxx.com -d sbox.xxx.com
      IMPORTANT NOTES:
      - If you like Let's Encrypt, please consider supporting our work by:
      Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
      Donating to EFF: https://eff.org/donate-le
      ERROR: The params argument is no valid JSON
      Applying Configuration Changes


      My settings:
    • Hey jkaberg,

      From my German thread, translated:
      If you first have a test certificate generated, that will succeed, but it will be a TEST certificate, certified by the happy-hacker-fake-CA I mentioned above, even if you AFTERWARDS try to get a "real" certificate. You will be connected to the "happy-hacker-fake-CA" server again and again. But I don't want that, I want a "real" certificate. So I removed the references in the OMV system to the happy-hacker-fake-CA letsencrypt certificate, uninstalled the plugin and deleted all certificates under /etc/letsencrypt/keys and /etc/letsencrypt/csr via an SSH client. Then I installed the plugin again, but did not touch the "Test" button.

      Then I generated a new certificate with the letsencrypt plugin.

      Many greetings.
    • New problem detected.

      The cron job is always generated regardless of the status of the generated cert. This means that if generation fails and the cert is NOT generated, the cron job is still created, and you get one cron job for each time you press the generate button.
    • Ok, so I think I understood you correctly; steps to fix my issue:
      1. Remove the omv-letsencrypt plugin
      2. Delete /etc/letsencrypt and /opt/letsencrypt
      3. Install the omv-letsencrypt plugin
      4. Regenerate certs with the plugin (do not enable the test option!)
      5. (Optional) change certs for the web UI, and for the nginx websites plugin if you have it enabled
      This fixed it for me at least.
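      Two things go wrong in this thread: an empty webroot makes the plugin pass `-w` with no argument (hence "argument -w/--webroot-path: expected one argument"), and a certificate obtained after "Test certificate" comes from the staging server ("happy hacker fake CA", AIA URIs under staging-x1.letsencrypt.org). The pre-flight script below is an added example, not code from the plugin; it assumes openssl is installed and that the live certificate sits at /etc/letsencrypt/live/<domain>/cert.pem, as the logs above show.

```shell
#!/bin/sh
# Pre-flight checks for omv-letsencrypt (added example, not plugin code).

# Pure string check, testable offline: $1 = output of "openssl x509 -noout -issuer",
# $2 = the Authority Information Access lines from "openssl x509 -noout -text".
# Returns 0 (true) when either points at the Let's Encrypt staging CA.
le_is_staging() {
    case "$1" in *"happy hacker fake CA"*) return 0 ;; esac
    case "$2" in *"staging-x1.letsencrypt.org"*) return 0 ;; esac
    return 1
}

# The webroot handed to "-w" must be non-empty and an existing directory;
# an empty value is exactly what produced the "expected one argument" error.
le_webroot_ok() {
    [ -n "$1" ] && [ -d "$1" ]
}

# Inspect the live certificate for a domain. Returns 1 if it came from staging,
# 2 if there is no readable certificate, 0 for a production certificate.
le_check_live_cert() {
    cert="/etc/letsencrypt/live/$1/cert.pem"
    [ -r "$cert" ] || { echo "no certificate at $cert"; return 2; }
    issuer=$(openssl x509 -in "$cert" -noout -issuer)
    aia=$(openssl x509 -in "$cert" -noout -text | grep 'URI:')
    if le_is_staging "$issuer" "$aia"; then
        echo "STAGING certificate ($issuer): remove the plugin, /etc/letsencrypt"
        echo "and /opt/letsencrypt, then regenerate without 'Test certificate'"
        return 1
    fi
    echo "production certificate: $issuer"
    return 0
}

# Usage with the thread's default webroot and a placeholder domain:
# le_webroot_ok /var/www/openmediavault || echo "set webroot to /var/www/openmediavault"
# le_check_live_cert example.com
```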
    • raulfg3 wrote:

      Only as a suggestion to improve the plugin: if possible, try to add letsencrypt.log to the OMV web GUI log so I can see what happens if something goes wrong.

      Other plugins like fail2ban or bittorrent add their log, if you want to review the code.

      The log is now in OMV with the new 2.4 release

      papka__ wrote:

      Finally, problem found! Actually, if you want to get a correct certificate, you shouldn't try "Test certificate". Once you have tried it, you will always get connected to the wrong (staging) server.
      So the sequence should be: install plugin / provide email, webroot, enable monthly update, do not enable "Test certificate", apply changes / generate certificate. And no happy hacker on the horizon. :)
      Hope this helps somebody.

      Thank you very much for this information! I've changed the plugins tips to encourage this workflow.

      raulfg3 wrote:

      New problem detected.

      The cron job is always generated regardless of the status of the generated cert. This means that if generation fails and the cert is NOT generated, the cron job is still created, and you get one cron job for each time you press the generate button.

      I've fixed this issue in the latest release.


      2.4 of the plugin has been submitted to the extras repository. As of writing this post it is not available, but it will be asap.

      Duplicate crons have been fixed
      If you currently have duplicate scheduled jobs:
      1. Turn off the "Schedule Refresh" (new text, used to be "Enable") switch in the plugin
      2. Go to Scheduled Jobs and remove all of the omv-letsencrypt entries
      3. Save + Apply all changes
      4. Switch on "Schedule Refresh" in the plugin, save + apply.

      A bug in the system omv-letsencrypt script has been fixed

      Log is now viewable in OMV System Logs
      **Note the Let's Encrypt log rolls every time the letsencrypt command has been run, thus you will still need to view them from the CLI if you need anything later than your previous run.