openmediavault-letsencrypt

    • OMV 2.x


    • openmediavault-letsencrypt

      GitHub: github.com/OpenMediaVault-Plug…penmediavault-letsencrypt

      Let's Encrypt provides SSL certificates that are recognized in all major browsers.



      I have created a plugin for OpenMediaVault that will allow users to generate certificates using the Let's Encrypt service. Also a cron script is included to keep the certificate updated since the certs are only valid for 90 days. I recommend this plugin only for generating the SSL certificate that OpenMediaVault will use; however, the flexibility for more is possible. I currently have some post processing scripts (running on a cron) and hard links that disperse my certificates to multiple applications running on my server.


      Plugin is currently available in the OMV-Extras.org Testing repository




      Basic Instructions:



      1. Fill out the domain and subdomains you want the certificate to be valid for, separated by commas. Your main domain (example.org) should be first in the list. Wildcard (*) domains are not supported by Let's Encrypt, so you must explicitly list every subdomain you want covered by your certificate.

      2. Fill out your email address. This email address will be
      registered with Let's Encrypt and can be used to recover your keys if
      needed.

      3. Ensure Enable is checked. This will create a cron job automatically to ensure the certificate stays up to date.


      4. Click on Save, then Apply configuration change.

      5. Click Generate Certificate to create your certificate.
      This cert is added to the SSL tab in the Certificates view, where it can then be enabled for use in the General Settings view.



      I tried to make the plugin as hands off as possible as I believe encryption should be available to everyone at all skill levels.
    • Extended Customization

      SNI Proxy
      Proxies incoming HTTP and TLS connections based on the hostname contained in the initial request of the TCP session. This enables HTTPS name-based virtual hosting to separate backend servers without installing the private key on the proxy machine.

      SNI Proxy Github
      SNI Proxy Binaries

      Example use case:
      Our domain is domain.tld with 2 services. The first is OMV running on port 10443, the other is couchpotato running on port 5050 under the subdomain couchpotato.domain.tld.

      Install SNI Proxy and edit the following config to get the following:
      Both of your services will respond on the standard 443 port.
      All Let's Encrypt authentication will happen on a single webroot regardless of where the subdomain resides.

      /etc/sniproxy.conf

      Source Code

```conf
# sniproxy example configuration file
# lines that start with # are comments
# lines with only white space are ignored
user daemon
# PID file
pidfile /var/run/sniproxy.pid
error_log {
    # Log to the daemon syslog facility
    #syslog daemon
    # Alternatively we could log to file
    filename /var/log/sniproxy/sniproxy.log
    # Control the verbosity of the log
    priority notice
}
# blocks are delimited with {...}
listen 80 {
    proto http
    table http_hosts
    # Fallback backend server to use if we can not parse the client request
    fallback localhost:10080
    access_log {
        filename /var/log/sniproxy/http_access.log
        priority notice
    }
}
listen 443 {
    proto tls
    table https_hosts
    # If no matching entry is found in the table, connect to OMV
    fallback 127.0.0.1:10443
    access_log {
        filename /var/log/sniproxy/https_access.log
        priority notice
    }
}
# named tables are defined with the table directive
table http_hosts {
    .*\.domain\.tld/\.well-known/.* localhost:80
}
table https_hosts {
    # When proxying to local sockets you should use different tables since the
    # local socket server most likely will not autodetect which protocol is
    # being used
    #example.org unix:/var/run/server.sock
    couchpotato.domain.tld localhost:5050
}
# if no table specified the default 'default' table is defined
table {
    # if no port is specified default HTTP (80) and HTTPS (443) ports are
    # assumed based on the protocol of the listen block using this table
}
```


      Remove "SSL InsecurePlatform" Warning
      The Debian dependencies needed to remove this warning are in wheezy-backports, so they will not be included until OMV 3.0.
      However, if the warning bothers you or prevents a cert from generating, it can be removed with the following commands:

      Source Code

```sh
apt-get install python-pip
pip install -U pip
pip install -U pyopenssl ndg-httpsclient pyasn1
```



      The post was edited 2 times, last by fubz ().
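      An added illustration of what the SNI Proxy setup above relies on (this is example code written for this thread, not code from the plugin or from sniproxy): a TLS proxy reads the server_name extension out of the cleartext ClientHello before any decryption happens, so the backend can be chosen without the private key ever being on the proxy. The table and fallback below mirror the https_hosts table in the config above; the ClientHello builder exists only to produce constructed test input.

```python
import re
import struct

# Mirrors the https_hosts table and fallback from the sniproxy.conf above (constructed here):
# entries are regexes matched against the SNI hostname; OMV on 127.0.0.1:10443 is the fallback.
HTTPS_HOSTS = [(re.compile(r"^couchpotato\.domain\.tld$"), ("localhost", 5050))]
FALLBACK = ("127.0.0.1", 10443)


def build_client_hello(server_name):
    """Constructed test input: a minimal TLS 1.2 ClientHello whose only extension is server_name."""
    host = server_name.encode("idna")
    entry = b"\x00" + struct.pack("!H", len(host)) + host          # name_type 0 = host_name
    sni_list = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list          # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x00" * 32                             # client_version, random
            + b"\x00"                                              # empty session id
            + b"\x00\x02\x00\x2f"                                  # one cipher suite
            + b"\x01\x00"                                          # one compression method (null)
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # client_hello, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the server_name from a ClientHello record, or None if absent or malformed.
    Only the cleartext handshake is parsed; no key material is needed, which is the point of SNI proxying."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:                 # handshake record, ClientHello
            return None
        pos = 9 + 2 + 32                                           # skip headers, version, random
        pos += 1 + record[pos]                                     # session id
        pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]     # cipher suites
        pos += 1 + record[pos]                                     # compression methods
        ext_end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", record[pos:pos + 4])
            pos += 4
            if ext_type == 0:                                      # list_len(2) type(1) name_len(2) name
                name_len = struct.unpack("!H", record[pos + 3:pos + 5])[0]
                return record[pos + 5:pos + 5 + name_len].decode("idna")
            pos += ext_len
    except (IndexError, struct.error, UnicodeError):
        return None
    return None


def route(record):
    """Choose the backend for a ClientHello the way the https_hosts table does, falling back to OMV."""
    name = extract_sni(record)
    if name is not None:
        for pattern, backend in HTTPS_HOSTS:
            if pattern.search(name):
                return backend
    return FALLBACK
```

      A client that sends no SNI at all (or something that is not TLS) lands on the fallback, exactly as the `fallback 127.0.0.1:10443` line does in sniproxy.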

    • Great work fubz!
      I tried to install the plugin and I found some errors at installation:

      Source Code

```
(...)
/var/lib/dpkg/info/openmediavault-letsencrypt.postinst: git: not found
dpkg: error processing openmediavault-letsencrypt (--configure):
subprocess installed post-installation script returned error exit status 127
Processing triggers for openmediavault ...
Restarting engine daemon ...
Errors were encountered while processing:
openmediavault-letsencrypt
Creating index of upgradeable packages ...
Creating index of openmediavault plugins ...
E: Sub-process /usr/bin/dpkg returned an error code (1)
<<< *************************************
```



      I think it's not my fault: I installed the plugin normally and before finishing installation, this error appears. It seems like it is installed (with the tick when looking at the plugin list) but it does not show anywhere in the web interface :(


      EDIT: after installing and uninstalling several times, the plugin has finally appeared. It seems like it's fine until, after following the steps, when I click to create the certificate, the plugin shows this:

      Source Code

```
>>> *************** Error ***************
Failed to execute command 'sh /opt/letsencrypt/letsencrypt-auto certonly --webroot -w /var/www/openmediavault/ --text --keep-until-expiring --agree-tos --email "gsola96@gmail.com" -d "gsola96.no-ip.org" 2>&1': sh: 0: Can't open /opt/letsencrypt/letsencrypt-auto
<<< *************************************
```


      PS: My port 80 of the router is open and tested from outside my LAN.
      DISCLAIMER: :!: I'm not a native English speaker, I'm sorry if I don't explain as good as you would want. :!:

      My NAS:
      Always the latest OMV Erasmus running on an AMD Sempron 3850 @1.3GHz with 4.9.0 Backports Kernel
      with 120GB Samsung SSD 850 EVO for OpenMediaVault & 2x500GB Primary Data HDD + 1TB Secondary HDD for Backup & 2TB USB 3.0 External HDD for offline backup

      Plugin list:
      Flash Memory, Locate, OMV-Extras.org, RSnapshot, Sensors, Syncthing, SMB/CIFS, SSH, USB Backup
      _____________________________________________________________________________________________________________________________

      The Schrödinger's code is that one which is going to work and it's full of bugs at the same time; until you test it, you won't be able to determine it.

      The post was edited 2 times, last by Lord Wektabyte ().

    • Thanks @tekkb! That worked!
      Thanks also to fubz, I think it's a great contribution since I've been using let's encrypt for a while now.
    • I post it here so maybe other people have the same problem after using Let's Encrypt certificates.
      I'm now using the certificate for the webGUI, WordPress blog, OpenVPN-AS UI and also OwnCloud, but when I access the BitTorrent Sync web interface, Firefox complains that the certificate is invalid. I did some research and I found that the certificate it is using is not the Let's Encrypt one. It is a self-signed one for "BitTorrent" and I can't find a way to change it and tell BTSync to use the reliable Let's Encrypt one.

      Hope someone can help!


      Thanks in advance.
      Guillem
    • @fubz,

      My OMV doesn't use port 80, will this work?


      @ gsola96,

      I haven't tried out this plug-in yet, but if you are using the LAN IP to access OMV with a Let's Encrypt cert, then that warning notification is normal in browsers.
      However, if you still have this warning notification when you are accessing from WAN/URL, then somewhere in the certs the keys are wrong or something.
      OMV v3.0
      Asus Z97-A/3.1; i3-4370
      32GB RAM Corsair Vengeance Pro
      4x3TB RAID10
    • @tinh_x7
      When it says that you have to open port 80, I think it's the port 80 on the router (outside WAN), after that, you forward this port to whichever other port your OMV is using in your LAN.
      That's what I understand... Maybe I'm wrong.

      I'll try to access it from WAN to see if the certificate error persists
    • @fubz

      Before I could start to generate a certificate I had an "SSL InsecurePlatform error".

      I solved it by installing the python-pip package and afterwards executing:
      pip install 'requests[security]'
      to install necessary packages.

      Just consider this in the further development ;)
      OMV 2.x stoneburner | Banana PI | Kernel 3.4.108+ | | Seafile Server | FTP | SMB | Kodi DB
      OMV 3.x erasmus | ShuttlePC SH55J2 | intel i3 3.2 GHZ | Kernel 3.16.0-0.bpo.4-amd64
    • gsola96 wrote:

      It is a self-signed one for "BitTorrent" and I can't find a way to change it and tell BTSync to use the reliable Let's Encrypt one.

      I've never used BTSync but it looks like it may create a domain in nginx (/etc/nginx/sites-available/btsync).
      In that configuration you can add entries pointing to the Let's Encrypt certs:

```nginx
ssl_certificate /etc/letsencrypt/live/domain/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/domain/privkey.pem;
```

      tinh_x7 wrote:

      @fubz,
      My OMV doesn't use port 80, will this work?

      No, not currently. There is not an option to allow Let's Encrypt to verify your domain on another port. There is a manual verification that I've only glossed over; it seems very involved and defeats the purpose of being able to automatically generate a certificate.
      If you discover a process flow for generating a certificate with Let's Encrypt without using port 80, we can discuss how to properly implement the solution.


      sieben wrote:


      Before I could start to generate a certificate I had an "SSL InsecurePlatform error".

      I solved it by installing the python-pip package and afterwards executing:
      pip install 'requests[security]'
      to install necessary packages.

      Just consider this in the further development ;)

      Interesting, thank you for the heads-up. I noticed the warning and just ignored it since the plugins and certificates have been working as expected. Since including a dependency is trivial I will be sure that package is added to future releases. Thanks.

      msoute wrote:

      Is it possible to add a webroot configuration to the plugin ?

      Now it's only possible to generate a certificate if the openmediavault interface is exposed to the web. I would like to use another configured website (that has another webroot).

      That is a wonderful idea, I will add that option. Thanks for the suggestion.
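      An added check for the BTSync problem raised above and for the 90-day lifetime mentioned in the first post (example code written for this thread, not part of the plugin): connect to each service with SNI and validate the chain and hostname against the system CA store the way Firefox does, so a service still presenting its own self-signed certificate shows up as untrusted, and for a trusted certificate report the issuer, the names it covers and how many days remain. The host, ports and sample certificate dict below are constructed; the 30-day renewal window is an assumption about the client's default.

```python
import socket
import ssl
import time

LE_ISSUER_ORG = "Let's Encrypt"   # organizationName on Let's Encrypt issuer certificates
RENEW_WITHIN_DAYS = 30            # assumption: the default renewal window of the Let's Encrypt client


def summarize(cert, now=None):
    """Summarize a certificate in ssl.getpeercert() dict form: issuer, names covered, days to expiry."""
    issuer = {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    expires = ssl.cert_time_to_seconds(cert["notAfter"])   # notAfter is given in GMT
    now = time.time() if now is None else now
    days_left = int((expires - now) // 86400)
    return {
        "trusted": True,
        "issuer": issuer.get("organizationName"),
        "lets_encrypt": issuer.get("organizationName") == LE_ISSUER_ORG,
        "names": names,
        "days_left": days_left,
        "renew_due": days_left <= RENEW_WITHIN_DAYS,
    }


def check_service(host, port, server_name):
    """Connect with SNI and verify chain and hostname against the system CAs, as a browser would.
    A self-signed certificate (the BTSync case) fails verification and is reported as untrusted."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
                return summarize(tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        return {"trusted": False, "reason": "verification failed: " + str(exc)}
    except OSError as exc:
        return {"trusted": False, "reason": "connection failed: " + str(exc)}


# Constructed sample in getpeercert() form, standing in for the plugin's certificate for domain.tld.
SAMPLE_CERT = {
    "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),),
               (("commonName", "Let's Encrypt Authority X1"),)),
    "subject": ((("commonName", "domain.tld"),),),
    "subjectAltName": (("DNS", "domain.tld"), ("DNS", "couchpotato.domain.tld")),
    "notBefore": "Jan  1 00:00:00 2016 GMT",
    "notAfter": "Mar 31 00:00:00 2016 GMT",
}

if __name__ == "__main__":
    for port in (10443, 5050):   # OMV and couchpotato from the SNI Proxy example; add BTSync's port
        print(port, check_service("127.0.0.1", port, "domain.tld"))
```

      Running it against every port you serve the certificate on (including the BTSync web UI) shows which services still present their own certificate, and a trusted result with renew_due set means the cron renewal should be firing soon.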
    • Blank screen after login

      Got blank screen after install of your plug-in.

      Have to remove it to get GUI again.

      Got this message in syslog (don't know if it has a link)
      'nginx' failed protocol test [HTTP] at INET[127.0.0.1:80] via TCP -- HTTP: Error receiving data -- Resource temporarily unavailable#012"

      Git is installed.
      HP ProLiant MicroServer G7 N54L (8 GB RAM | OMV installed on 8 GB USB Flash | HDD: 2TB + 500 GB + 250 GB + 160 GB)
      OMV 2 | 64 bits | 3.16 backport kernel | omv-extras 2
    • I got this error during installation.
      Can't generate the certs.

      Source Code

```
Error: unauthorized :: The client lacks sufficient authorization ::
```


      Edit: I fixed the error by not putting in my main domain for the cert generation.
      Note: You can change your non-standard port to 80 for this process, then change it back after Let's Encrypt cert generation is done.

      Overall, it looks good.
      Thanks, fubz for the plug-in.
      Images: let's encrypt.png, Let's Encrypt_plug-in.png, Let's Encrypt_plug-in_2.png

      The post was edited 4 times, last by tinh_x7 ().

    • fubz wrote:

      Foo Bar wrote:

      Got blank screen after install of your plug-in

      When you refresh your browser does the web-gui load? How about after reboot?

      Connecting with another browser gives the same result after connecting with the admin account.
      Connecting with a standard user account didn't show any problem.

      Didn't have time to look at your link.
    • Nice work. Seems to have created a cert. Where is the certificate stored? Do I use the same cert for multiple names?

      One thing you might mention somewhere is that there is a limit on certificates at least until the beta is over. 5 per week but they can have multiple names.

      Thanks!!
      If you make it idiot proof, somebody will build a better idiot.
    • The certificate appears with the other certs in the WebGUI, then you can choose this cert for the web.
    • I'm also getting the "Client lacks sufficient authorization" error.

      I've removed my main domain from the certificate list but still no go :(

      Any ideas?

      I'm using a 1and1 frame redirect to direct my domain to my public IP and using subdomains to point to each service running on my server, if that's any use?

      Internally I use just IPs to access my server.

      The post was edited 1 time, last by mcloum ().