openmediavault-letsencrypt

    • OMV 3.x


    • Update: in this plug-in version, even though my OwnCloud installation directory is non-default, I still had to use the default path to get it to work:

      /var/www/openmediavault/

      Source Code

      2016-03-13 01:19:39,065:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
      2016-03-13 01:19:39,336:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/new-authz HTTP/1.1" 201 781
      2016-03-13 01:19:39,337:DEBUG:root:Received <Response [201]>. Headers: {'Content-Length': '781', 'Expires': 'Sun, 13 Mar 2016 01:19:39 GMT', 'Strict-Transport-Security$
      2016-03-13 01:19:39,337:DEBUG:acme.client:Storing nonce: '\xfdD\x1d8\xcf\n\xe8\x82Cx\xa0\x8a\xe8[\x1e\xe5\x13\xd4/\xdf+\xfb\xe4\xc9\x95\xf9\x1d\x8d\xe1\xb1c\xc3'
      2016-03-13 01:19:39,337:DEBUG:acme.client:Received response <Response [201]> (headers: {'Content-Length': '781', 'Expires': 'Sun, 13 Mar 2016 01:19:39 GMT', 'Strict-Tr$
      2016-03-13 01:19:39,337:DEBUG:acme.challenges:dns-01 was not recognized, full message: {u'status': u'pending', u'token': u'tGRBiQj4-6SWw8seXBrKzH6Vmc9mVseHt1lyQkUilzg'$
      2016-03-13 01:19:39,338:INFO:letsencrypt.auth_handler:Performing the following challenges:
      2016-03-13 01:19:39,338:INFO:letsencrypt.auth_handler:http-01 challenge for xyz.abc.com
      2016-03-13 01:19:39,340:DEBUG:letsencrypt.plugins.webroot:Attempting to save validation to /media/54bf67db-da31-4c50-bb3c-27140944b223/www/owncloud/.well-known/acme-ch$
      2016-03-13 01:19:39,340:INFO:letsencrypt.auth_handler:Waiting for verification...
      2016-03-13 01:19:39,340:DEBUG:acme.client:Serialized JSON: {"keyAuthorization": "54wTDyZ_mhAyrBM4TUzzdEgLGm9iYIdo--j3VGKzXtY.H24cPs1SHSdw-KOEirC4IQHkcg91Wb473qAoG9TYm2$
      2016-03-13 01:19:39,341:DEBUG:acme.jose.json_util:Omitted empty fields: kid=None, x5c=(), crit=(), typ=None, jwk=None, alg=None, jku=None, cty=None, x5tS256=None, x5u=$
      2016-03-13 01:19:39,342:DEBUG:acme.jose.json_util:Omitted empty fields: kid=None, x5c=(), crit=(), typ=None, jku=None, cty=None, x5tS256=None, x5u=None, x5t=None, nonc$
      2016-03-13 01:19:39,342:DEBUG:root:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/challenge/3LjWWMS2ymZ81SLg-sag8AC0CAtxeiq0_3teqntXHso/27266887. ar$
      2016-03-13 01:19:39,343:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
      2016-03-13 01:19:39,533:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/challenge/3LjWWMS2ymZ81SLg-sag8AC0CAtxeiq0_3teqntXHso/27266887 HTTP/1.1" 202 313
      2016-03-13 01:19:39,534:DEBUG:root:Received <Response [202]>. Headers: {'Content-Length': '313', 'Expires': 'Sun, 13 Mar 2016 01:19:39 GMT', 'Server': 'nginx', 'Connec$
      2016-03-13 01:19:39,534:DEBUG:acme.client:Storing nonce: 'En\xb7\x1e\xd9\x0cw\x0e\xe5:\xf6\x9d\xc6\xaaX(\xca\xe2\xb1f\xe7\x0bN\xc6\x1d1Q\xe0y\x7fw\xd8'
      2016-03-13 01:19:39,534:DEBUG:acme.client:Received response <Response [202]> (headers: {'Content-Length': '313', 'Expires': 'Sun, 13 Mar 2016 01:19:39 GMT', 'Server': $
      2016-03-13 01:19:42,538:DEBUG:root:Sending GET request to https://acme-v01.api.letsencrypt.org/acme/authz/3LjWWMS2ymZ81SLg-sag8AC0CAtxeiq0_3teqntXHso. args: (), kwargs$
      2016-03-13 01:19:42,538:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
      2016-03-13 01:19:42,730:DEBUG:requests.packages.urllib3.connectionpool:"GET /acme/authz/3LjWWMS2ymZ81SLg-sag8AC0CAtxeiq0_3teqntXHso HTTP/1.1" 200 1250
      2016-03-13 01:19:42,731:DEBUG:root:Received <Response [200]>. Headers: {'Content-Length': '1250', 'Expires': 'Sun, 13 Mar 2016 01:19:42 GMT', 'Strict-Transport-Securit$
      2016-03-13 01:19:42,732:DEBUG:acme.client:Received response <Response [200]> (headers: {'Content-Length': '1250', 'Expires': 'Sun, 13 Mar 2016 01:19:42 GMT', 'Strict-T$
      2016-03-13 01:19:42,732:DEBUG:acme.challenges:dns-01 was not recognized, full message: {u'status': u'pending', u'token': u'tGRBiQj4-6SWw8seXBrKzH6Vmc9mVseHt1lyQkUilzg'$
      2016-03-13 01:19:42,732:INFO:letsencrypt.reporter:Reporting to user: The following errors were reported by the server:
      Domain: xyz.abc.com
      Type: unauthorized
      Detail: Error parsing key authorization file: Invalid key authorization: 6 parts
      To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address.
      2016-03-13 01:19:42,732:INFO:letsencrypt.auth_handler:Cleaning up challenges
      2016-03-13 01:19:42,733:DEBUG:letsencrypt.plugins.webroot:Removing /media/54bf67db-da31-4c50-bb3c-27140944b223/www/owncloud/.well-known/acme-challenge/54wTDyZ_mhAyrBM4$
      2016-03-13 01:19:42,733:DEBUG:letsencrypt.plugins.webroot:All challenges cleaned up, removing /media/54bf67db-da31-4c50-bb3c-27140944b223/www/owncloud/.well-known/acme$
      2016-03-13 01:19:42,733:DEBUG:letsencrypt.cli:Exiting abnormally:
      Traceback (most recent call last):
        File "~/.local/share/letsencrypt/bin/letsencrypt", line 9, in <module>
          load_entry_point('letsencrypt==0.4.2', 'console_scripts', 'letsencrypt')()
        File "/~/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/cli.py", line 1993, in main
          return config.func(config, plugins)
        File "/~/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/cli.py", line 707, in obtain_cert
          _, action = _auth_from_domains(le_client, config, domains, lineage)
        File "/~/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/cli.py", line 475, in _auth_from_domains
          lineage = le_client.obtain_and_enroll_certificate(domains)
        File "/~/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/client.py", line 269, in obtain_and_enroll_certificate
          certr, chain, key, _ = self.obtain_certificate(domains)
        File "/~/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/client.py", line 252, in obtain_certificate
          return self.obtain_certificate_from_csr(domains, csr) + (key, csr)
        File "/~/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/client.py", line 225, in obtain_certificate_from_csr
          authzr = self.auth_handler.get_authorizations(domains)
        File "/~/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/auth_handler.py", line 84, in get_authorizations
          self._respond(cont_resp, dv_resp, best_effort)
        File "/~/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/auth_handler.py", line 142, in _respond
          self._poll_challenges(chall_update, best_effort)
        File "/~/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/auth_handler.py", line 204, in _poll_challenges
          raise errors.FailedChallenges(all_failed_achalls)
      FailedChallenges: Failed authorization procedure. xyz.abc.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Error pars$


      OMV v3.0
      Asus Z97-A/3.1; i3-4370
      32GB RAM Corsair Vengeance Pro
      4x3TB RAID10

      The post was edited 2 times, last by tinh_x7.
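      The line "Invalid key authorization: 6 parts" in the log above is the CA reporting what it actually received when it fetched http://xyz.abc.com/.well-known/acme-challenge/<token>: not the two-part `token.thumbprint` string the client wrote into the ownCloud directory, but a body containing five dots, which is what you get when the web server answers that URL from some other document root (an HTML error or login page, for instance). That also explains why only the default OMV webroot worked: the token has to land in the directory the server really serves for that host name. The following is an added Python example, not code from the plugin or from the letsencrypt client, that builds the expected key authorization from a token and the account key's JWK (RFC 8555 section 8.1, RFC 7638 thumbprint) and classifies a fetched body with the same part-count check first. The token is the http-01 token from the log; the account JWK and the HTML body are constructed for the example and are not real.

```python
"""ACME http-01 key authorization: build it, and diagnose what a CA fetched instead.
Added example for this thread; not code from the OMV plugin or the letsencrypt client."""
import base64
import hashlib
import json

# http-01 token taken from the log above (the file name under .well-known/acme-challenge/).
TOKEN = "54wTDyZ_mhAyrBM4TUzzdEgLGm9iYIdo--j3VGKzXtY"

# Constructed RSA account public key in JWK form. NOT a real ACME account key;
# the modulus is a placeholder, only its base64url shape matters here.
ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "sXchDaQebHnPiGvyDOAT4saGEUetSyo9MKLOoWFsueri23bOdgWp4Dy1WlUzewbgBHod5AcZ0P8Bg2HvwQ",
    # Members like "alg" / "kid" may sit in a JWK but never enter the thumbprint.
    "alg": "RS256",
    "kid": "https://acme-v01.api.letsencrypt.org/acme/reg/0",
}

# Constructed body resembling an HTML page a misrouted request could return. Five dots -> 6 parts.
HTML_BODY = (
    "<!DOCTYPE html><html><body>Go to https://owncloud.example.net/index.php/login "
    "or contact admin@example.net.</body></html>"
)

# JWK members that enter the thumbprint, per RFC 7638 section 3.2; everything else is dropped.
_THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def b64url(data: bytes) -> str:
    """base64url without padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the canonical JSON (required members only, sorted, no whitespace)."""
    required = {name: jwk[name] for name in _THUMBPRINT_MEMBERS[jwk["kty"]]}
    canonical = json.dumps(required, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return b64url(hashlib.sha256(canonical).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """The exact file content the CA expects at /.well-known/acme-challenge/<token>."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def diagnose_key_authorization(body: str, token: str, account_jwk: dict) -> str:
    """Classify a fetched challenge body in the order a CA checks it: part count first,
    then each part. The part-count message deliberately mirrors the wording in the log."""
    parts = body.rstrip("\r\n\t ").split(".")
    if len(parts) != 2:
        return f"Invalid key authorization: {len(parts)} parts"
    got_token, got_thumbprint = parts
    if got_token != token:
        return "token mismatch: the server returned a file for a different challenge"
    if got_thumbprint != jwk_thumbprint(account_jwk):
        return "thumbprint mismatch: the file was written for a different ACME account key"
    return "ok"


if __name__ == "__main__":
    expected = key_authorization(TOKEN, ACCOUNT_JWK)
    print("expected file content:", expected)
    for label, body in (("correct file", expected + "\n"), ("html page", HTML_BODY)):
        print(f"{label}: {diagnose_key_authorization(body, TOKEN, ACCOUNT_JWK)}")
```

      To use it against a real box, fetch the challenge URL from outside (plain http, port 80) with curl while the client is waiting, and feed the body to `diagnose_key_authorization` with the token from the log and the public half of the account key from the client's account directory; a part count other than 2 means the webroot setting does not match the directory the server serves, not a DNS problem.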

    • I installed the letsencrypt plugin; when I click "Generate certificate" I run into this issue:

      Source Code

      Suggested packages:
      augeas-doc augeas-tools
      The following packages will be upgraded:
      augeas-lenses libaugeas0
      2 upgraded, 0 newly installed, 0 to remove and 71 not upgraded.
      Need to get 646 kB of archives.
      After this operation, 380 kB of additional disk space will be used.
      WARNING: The following packages cannot be authenticated!
      augeas-lenses libaugeas0
      E: There are problems and -y was used without --force-yes


      What's wrong?
    • fubz wrote:

      try:
      Source Code
      apt-key update
      apt-get update
      apt-get install augeas-lenses libaugeas0


      Same problem here. apt-get says that "augeas-lenses is already the newest version. libaugeas0 is already the newest version."

      Solved as shown here.

      OK, now it ended with this:

      Source Code

      Requesting root privileges to run letsencrypt...
      ~/.local/share/letsencrypt/bin/letsencrypt certonly --webroot -w /var/www/openmediavault/ --text --keep-until-expiring --agree-tos --expand --email admin@moonlightwell.tk -d moonlightwell.tk -d mydata.moonlightwell.tk -d jirafeau.moonlightwell.tk -d baikal.moonlightwell.tk -d rainloop.moonlightwell.tk -d tools.moonlightwell.tk -d phpsysinfo.moonlightwell.tk
      Illegal instruction
      <<< *************************************


      Ah, yes, I'm using Raspberry Pi, if that matters.

      The post was edited 2 times, last by Fullmoon.

    • Hello community.

      I've got a problem while I try to generate certificates for my virtual hosts.

      Creating the certificate for the OMV domain succeeded, but not for the vhosts.

      Here is the plugin config from OMV:
      forum.openmediavault.org/index…cece23fd2b6df7bcad39166e6

      Here are the errors from generating the certificates:

      Source Code

      The following errors were reported by the server:
      Domain: vhost1
      Type: unauthorized
      Detail: Invalid response from http://vhost1/.well-known/acme-challenge/EOxxb9hGfkyPKEtkTU1m1cmCFUD0DLGGkPElmMTrqeY [IP]: 404
      Domain: vhost2
      Type: unauthorized
      Detail: Invalid response from http://vhost2/.well-known/acme-challenge/Nnx32syvtHVo5L2ZhRgEKpZPYaz1ecmwkyRhiLl67OQ [IP]: 404
      Domain: vhost3
      Type: unauthorized
      Detail: Invalid response from http://vhost3/.well-known/acme-challenge/p5_vhTdyxd-KZt54K33eFABnuZAxewrGYYPqf6e8yw8 [IP]: 404
      Domain: vhost4
      Type: unauthorized
      Detail: Invalid response from http://vhost4/.well-known/acme-challenge/b8zT503i6-FONP-JFInRC9_dbnTR6Cp3M-cGiTyUB0w [IP]: 404
      To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address.

      Webroot in the config is the standard one from OMV.
      My vhosts are in /media/UUID/vhost1.tld, /media/UUID/vhost2.tld and so on.
      Ports are open; otherwise generating the certificate for the OMV domain would run into an error.
      How do I point to the webroot of each vhost to avoid running into these errors?
      The hosts are all reachable from the web.

      Thanks for your attention and sorry for my english. ;)
      Attached image: LE.png (1,191×464)
    • The LetsEncrypt client is trying to verify that you are the owner of the given domains by placing some files in your webroot and then access it via http. It fails as it cannot access vhost1.tld/.well-known/acme-ch…gEKpZPYaz1ecmwkyRhiLl67OQ
      So it comes to the conclusion you are not the owner. That's the way LetsEncrypt works.

      So you just cannot place anything in the "domain" field. It must lead to a domain owned by you and be reachable via http://... for verification.

      At least that is my understanding.
      OMV 2.x - Kralizec // Hardware: HP Microserver N54L, 4GB RAM, 2x3TB WD Red - RAID 1, Sandisk SSD 60GB for system
    • @fubz,

      Thanks for the plugin. I am running OMV on port 81, and put an nginx (using the nginx plugin) on port 80 just for webroot validation, redirecting everything else to https://. My https nginx does reverse proxying for every other service (transmission, OMV on port 81, etc.). This way I did not need to mess with the internal services' SSL configuration; good enough.

      I had an error that took me a while to figure out. I removed, by accident, the certificate created by the plugin using the webgui/certificates page. After this the letsencrypt plugin started to fail because it could not find the UUID of the certificate object in the OMV system. There is no way to configure this item through the webgui, and the letsencrypt plugin has no fall-back-create-again solution. A complete remove and reinstall resulted in the same error. I managed to solve it by editing config.xml and removing the letsencrypt config by hand. After reinstalling the plugin I could generate the certificate again.
      Suggestion: implement a bailout plan in case the configured UUID is missing; in my opinion creating a new one would be the best way to do it. This should be done even if letsencrypt returns "no renew necessary", because if someone, like me, is dumb enough to delete the certificate by mistake, a renew would restore it in place.

      Suggestion 2: Implement some way to generate independent certificates. Let's assume someone hosts two completely different domains, one for OMV and the other under the omv-nginx plugin to serve a different site. This person will not want to use a combined certificate for those two domains but separate certificates to completely separate both domains (imagine if this second domain is, someday, moved to another server; the combined cert does not make sense anymore).

      Thanks for the great work!

      Regards,
      Benito
    • Hi

      first of all, thanks for the plugin!

      I just set up letsencrypt without knowing this plugin existed. After I got it working I was trying to find a way to automatically update the certificates in omv and found this thread. :)

      So, now that I already have a working cert, and the --force-renew option does not exist yet (which I would also be happy to see), I need to ask: does this plugin automatically update the certificates for OMV usage?
    • abpostelnicu wrote:

      Also the plugin is compatible with OMV 3.0. If anyone is interested in this plugin I can fork it on GitHub and continue the work; just let me know and paste here what you would like to have.


      The plugin is probably compatible with up to version 3.0.13, plugins need to be adapted for datamodels to work in omv 3.0.15 and future versions.
      So if you want to fork and PR to do the work...wouldn't be a problem I guess. Don't know if @fubz is aware of the changes.
      There are some plugins at github that have been ported already if you want to take a look on what has to be done.
      chat support at #openmediavault@freenode IRC | Spanish & English | GMT+10
      telegram.me/openmediavault broadcast channel
      openmediavault discord server
    • I posted some time ago answering tinh_x7 and, because of that, I found that I cannot renew or create new certificates. I have port 80 forwarded to my OMV box but I get an error that Let's Encrypt can't "access" /var/www/openmediavault/acme-challenge/(some random string of numbers/letters).

      Anyone know what is happening? I had Let's Encrypt running for some time now (so I thought it was renewing the certificate automatically) and I found out that the plugin says "you have to do a reverse proxy to redirect all the yourdomain.tld/acme-challenge/* to your webroot", but I don't understand what that means (nor do I know what a reverse proxy is or how to set it up).

      Hope someone can give a clue on that also...
      DISCLAIMER: :!: I'm not a native English speaker, I'm sorry if I don't explain as good as you would want. :!:

      My NAS:
      Always the latest OMV Erasmus running on an AMD Sempron 3850 @1.3GHz with 4.9.0 Backports Kernel
      with 120GB Samsung SSD 850 EVO for OpenMediaVault & 2x500GB Primary Data HDD + 1TB Secondary HDD for Backup & 2TB USB 3.0 External HDD for offline backup

      Plugin list:
      Flash Memory, Locate, OMV-Extras.org, RSnapshot, Sensors, Syncthing, SMB/CIFS, SSH, USB Backup

      The Schrödinger's code is that one which is going to work and it's full of bugs at the same time; until you test it, you won't be able to determine it.
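
      The vhost question with its four 404 errors, fubz's explanation of how the http-01 check works, and the last post about /acme-challenge/ all come down to one thing: when the CA fetches http://<name>/.well-known/acme-challenge/<token> on port 80, does the web server answer from the directory the client wrote the token into? With one webroot setting in the plugin but several vhosts served from /media/UUID/..., or with OMV moved to port 81 and something else on 80, it usually does not, and the plugin's "reverse proxy" advice means exactly that: whatever listens on port 80 for those names must serve (or proxy) /.well-known/acme-challenge/ from the plugin's webroot. The following added Python example, which is not code from the plugin, checks that mapping before the client is run: it drops a random probe file into each webroot, fetches it over plain HTTP the way the CA would, and reports per domain. The domain names, directory names and the fake in-process web server used for the offline demo are constructed for the example.

```python
"""Pre-flight an http-01 webroot mapping before running the ACME client.
Added example for this thread; not code from the OMV letsencrypt plugin."""
import os
import secrets
import tempfile
import urllib.request
from typing import Callable, Dict, Optional

CHALLENGE_DIR = ".well-known/acme-challenge"
Fetcher = Callable[[str], Optional[str]]


def live_fetch(url: str, timeout: float = 10.0) -> Optional[str]:
    """Fetch over plain HTTP from the outside, like the CA; None on 404, connect errors, etc."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:  # follows redirects, as the CA does
            return resp.read().decode("utf-8", "replace")
    except Exception:
        return None


def preflight(domain_webroots: Dict[str, str], fetch: Fetcher = live_fetch) -> Dict[str, str]:
    """For each domain, write a random probe into <webroot>/.well-known/acme-challenge/,
    fetch it via http://<domain>/..., remove it, and report what the server actually served."""
    results: Dict[str, str] = {}
    for domain, webroot in domain_webroots.items():
        probe_dir = os.path.join(webroot, CHALLENGE_DIR)
        os.makedirs(probe_dir, exist_ok=True)
        name = "preflight-" + secrets.token_urlsafe(12)
        expected = secrets.token_urlsafe(32)
        path = os.path.join(probe_dir, name)
        with open(path, "w", encoding="ascii") as fh:
            fh.write(expected)
        try:
            body = fetch(f"http://{domain}/{CHALLENGE_DIR}/{name}")
        finally:
            os.remove(path)  # never leave probe files behind in a public directory
        if body is None:
            results[domain] = f"404/unreachable: {domain} is not served from {webroot}"
        elif body.strip() != expected:
            results[domain] = "wrong content: another vhost, proxy or redirect answered"
        else:
            results[domain] = "ok"
    return results


def make_fake_fetch(served_from: Dict[str, str]) -> Fetcher:
    """Constructed stand-in for the web server: maps each host name to the directory it
    really serves, so the demo runs offline. Use live_fetch on a real box."""
    def fetch(url: str) -> Optional[str]:
        host, _, rel = url[len("http://"):].partition("/")
        root = served_from.get(host)
        if root is None:
            return None
        path = os.path.join(root, *rel.split("/"))
        if not os.path.isfile(path):
            return None  # the 404 case from the thread
        with open(path, encoding="ascii") as fh:
            return fh.read()
    return fetch


def demo() -> Dict[str, str]:
    """Reproduce the thread's failure offline: the client writes vhost1's token into vhost1's
    own directory, but the server answers for vhost1 from the OMV webroot."""
    with tempfile.TemporaryDirectory() as tmp:
        omv_root = os.path.join(tmp, "var-www-openmediavault")
        vhost_root = os.path.join(tmp, "media-UUID-vhost1.tld")
        os.makedirs(omv_root)
        os.makedirs(vhost_root)
        client_writes_to = {"omv.example.test": omv_root, "vhost1.example.test": vhost_root}
        server_serves_from = {"omv.example.test": omv_root, "vhost1.example.test": omv_root}
        return preflight(client_writes_to, make_fake_fetch(server_serves_from))


if __name__ == "__main__":
    for domain, verdict in demo().items():
        print(f"{domain}: {verdict}")
```

      On a real box call `preflight({"vhost1.tld": "/media/UUID/vhost1.tld", ...})` from a machine outside your LAN (or at least with port 80 forwarded) and no second argument; every domain must come back "ok" before the plugin's "Generate certificate" can succeed. If the plugin only lets you set one webroot, the fix is on the server side: make the port-80 vhost for every name serve /.well-known/acme-challenge/ from that one directory, which is what the plugin's reverse-proxy note is asking for.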