openmediavault-letsencrypt

    • OMV 2.x


    • Hi,
      I generated new certs.
      The operation from the plugin worked.
      It generated a lot of stuff in /etc/letsencrypt (mostly .pem)
      ... but I don't have any new certificate in the certificate section of the OMV web UI :/
      How can I use this new cert?

      Another thing: the renewal cron doesn't work.
      I get this:

      Error #0: exception 'OMV\ExecException' with message 'Failed to execute command 'export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin; export LANG=C; export SHELL=/bin/sh; sudo --shell --non-interactive --user=root -- omv-letsencrypt 2>&1' with exit code '1': Existing certificate uuid is invalid Use the Generate Certificate button in the plugin view at least once before using this script.' in /usr/share/openmediavault/engined/rpc/cron.inc:175
      Stack trace:
      #0 /usr/share/php/openmediavault/rpc/serviceabstract.inc(528): OMVRpcServiceCron->{closure}('/tmp/bgstatusq9...', '/tmp/bgoutput3y...')
      #1 /usr/share/openmediavault/engined/rpc/cron.inc(179): OMV\Rpc\ServiceAbstract->execBgProc(Object(Closure))
      #2 [internal function]: OMVRpcServiceCron->execute(Array, Array)
      #3 /usr/share/php/openmediavault/rpc/serviceabstract.inc(124): call_user_func_array(Array, Array)
      #4 /usr/share/php/openmediavault/rpc/rpc.inc(86): OMV\Rpc\ServiceAbstract->callMethod('execute', Array, Array)
      #5 /usr/sbin/omv-engined(536): OMV\Rpc\Rpc::call('Cron', 'execute', Array, Array, 1)
      #6 {main}
    • I have this error when I try to generate my first certificate:

      Traceback (most recent call last):
        File "/usr/bin/certbot", line 6, in <module>
          from pkg_resources import load_entry_point
        File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 3019, in <module>
          @_call_aside
        File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 3003, in _call_aside
          f(*args, **kwargs)
        File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 3032, in _initialize_master_working_set
          working_set = WorkingSet._build_master()
        File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 655, in _build_master
          ws.require(__requires__)
        File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 963, in require
          needed = self.resolve(parse_requirements(requirements))
        File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 849, in resolve
          raise DistributionNotFound(req, requirers)
      pkg_resources.DistributionNotFound: The 'ndg-httpsclient' distribution was not found and is required by requests
      Hecho...

      What can I do, and what info do I need to provide?
      OMV 3.0.84 x64 on a HP T510, 32GB SSD 2,5" disk, 4 GB RAM, CPU VIA EDEN X2 U4200 is x64 at 1GHz

      Post: HPT510 SlimNAS ; HOWTO Install Pi-Hole ; HOWTO install MLDonkey ; HOHTO Install ZFS-Plugin ; OMV_OldGUI ; ShellinaBOX ;
    • fubz wrote:

      Extended Customization

      SNI Proxy
      Proxies incoming HTTP and TLS connections based on the hostname contained in the initial request of the TCP session. This enables HTTPS name-based virtual hosting to separate backend servers without installing the private key on the proxy machine.
      SNI Proxy Github
      SNI Proxy Binaries

      Example use case:
      Our domain is domain.tld with 2 services. The first is OMV running on port 10443, the other is couchpotato running on port 5050 under the subdomain couchpotato.domain.tld.

      Install SNI Proxy and edit the following code blocks to get the following:
      Both of your services will respond on the standard 443 port.
      All Let's Encrypt authentication will happen on a single webroot regardless of where the subdomain resides.

      /etc/sniproxy.conf

      # sniproxy example configuration file
      # lines that start with # are comments
      # lines with only white space are ignored
      user daemon
      # PID file
      pidfile /var/run/sniproxy.pid
      error_log {
          # Log to the daemon syslog facility
          #syslog daemon
          # Alternatively we could log to file
          filename /var/log/sniproxy/sniproxy.log
          # Control the verbosity of the log
          priority notice
      }
      # blocks are delimited with {...}
      listen 80 {
          proto http
          table http_hosts
          # Fallback backend server to use if we can not parse the client request
          fallback localhost:10080
          access_log {
              filename /var/log/sniproxy/http_access.log
              priority notice
          }
      }
      listen 443 {
          proto tls
          table https_hosts
          # If no matching rule is found, connect to OMV
          fallback 127.0.0.1:10443
          access_log {
              filename /var/log/sniproxy/https_access.log
              priority notice
          }
      }
      # named tables are defined with the table directive
      table http_hosts {
          .*\.domain\.tld/\.well-known/.* localhost:80
      }
      # named tables are defined with the table directive
      table https_hosts {
          # When proxying to local sockets you should use different tables since the
          # local socket server most likely will not autodetect which protocol is
          # being used
          #example.org unix:/var/run/server.sock
          couchpotato.domain.tld localhost:5050
      }
      # if no table specified the default 'default' table is defined
      table {
          # if no port is specified default HTTP (80) and HTTPS (443) ports are
          # assumed based on the protocol of the listen block using this table
      }

      Remove "SSL InsecurePlatform" Warning
      The Debian dependencies needed to remove this warning are in wheezy-backports, so they will not be included until OMV 3.0.
      However, if the warning bothers you or prevents a cert from generating, it can be removed with the following commands:

      apt-get install python-pip
      pip install -U pip
      pip install -U pyopenssl ndg-httpsclient pyasn1
      My OMV is behind my router, so where should the SNI proxy be installed?
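      As an added example (not part of fubz's post or of the sniproxy project), a small Python model of the routing that sniproxy.conf describes: it parses the listen and table blocks and reports which backend a given hostname on a given port would reach. It assumes, as the quoted description says, that table patterns are matched only against the hostname from the Host header or SNI (never the request path), that the first unanchored regex match wins, and that an unmatched name goes to the listener's fallback; the configuration text is a constructed sample taken from the quoted file.

```python
import re
# Constructed sample: listen/table blocks of the sniproxy.conf quoted above (logs omitted)
SNIPROXY_CONF = r"""
listen 80 {
    table http_hosts
    fallback localhost:10080
}
listen 443 {
    table https_hosts
    fallback 127.0.0.1:10443
}
table http_hosts {
    .*\.domain\.tld/\.well-known/.* localhost:80
}
table https_hosts {
    couchpotato.domain.tld localhost:5050
}
"""
def parse_conf(text):
    """Return ({port: {"table": name, "fallback": addr}}, {name: [(regex, backend)]})."""
    listens, tables, stack = {}, {}, []
    lines = [ln.split("#", 1)[0].strip() for ln in text.splitlines()]  # strip comments
    for line in filter(None, lines):                                    # skip blank lines
        if line.endswith("{"):                  # block start: listen / table / *_log
            kind, *args = line[:-1].split()
            name = args[0] if args else "default"
            if kind == "listen":                # "listen 443 {" or "listen 0.0.0.0:443 {"
                name = int(name.rsplit(":", 1)[-1])
                listens[name] = {"table": "default", "fallback": None}
            elif kind == "table":
                tables[name] = []
            stack.append((kind, name))
        elif line == "}":
            stack.pop()
        elif stack:                             # directive inside the innermost block
            kind, name = stack[-1]
            key, _, value = line.partition(" ")
            if kind == "listen" and key in ("table", "fallback"):
                listens[name][key] = value.strip()
            elif kind == "table":               # "<hostname regex> <backend>"
                tables[name].append((re.compile(key), value.strip()))
    return listens, tables

def route(conf, port, hostname):
    """Backend for hostname (Host/SNI) on port: first regex match wins, else fallback (assumed model)."""
    listens, tables = conf
    for pattern, backend in tables.get(listens[port]["table"], []):
        if pattern.search(hostname):
            return backend
    return listens[port]["fallback"]
```

      Under this model every name that is not couchpotato.domain.tld on port 443 lands on the OMV web UI fallback at 127.0.0.1:10443, so the proxy does not hide the admin interface from unknown SNI values; and because the http_hosts pattern contains a path, it never matches a bare hostname, so port 80 requests for any subdomain go to the localhost:10080 fallback rather than to localhost:80.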
    • Hello, I need some help with letsencrypt for my Nextcloud server.
      I've created 2 host names with no-ip: one for my OMV panel, and the second one for Nextcloud. Nextcloud works very well with the Nginx and MySQL plugins. The only thing I need is a second letsencrypt certificate for my second hostname. The HTTP version works flawlessly. When I add the second domain name to letsencrypt, nothing happens. I've added an image for help.
      Does anyone know how to add multiple certificates? Thanks in advance!
      Images
      • Schermopname (1)_LI.jpg
    • akruidenberg wrote:

      Hello, I need some help with letsencrypt for my Nextcloud server.
      I've created 2 host names with no-ip: one for my OMV panel, and the second one for Nextcloud. Nextcloud works very well with the Nginx and MySQL plugins. The only thing I need is a second letsencrypt certificate for my second hostname. The HTTP version works flawlessly. When I add the second domain name to letsencrypt, nothing happens. I've added an image for help.
      Does anyone know how to add multiple certificates? Thanks in advance!
      You must disable the certificate in your nginx and probably in your OMV web page. At the moment when you create a new certificate,
      you don't use the old letsencrypt certificate on any nginx plugin or on OMV.
      omv 3.0.88 | 64 bit | omvextrasorg 3.4.26 | kernel 4.9
      used plugins: nginx | mysql | docker-gui | flashmemory | rsnapshot | antivirus | apt tool | letsEncrypt | fail2ban for omv-webgui/Nextcloud/emby
      used other: nextcloud | logitechmediaserver | emby
    • Hello,

      I do not see the relation between upnp and SSL.

      I need the certificate for some services not running on Port 443. I do not want to expose the Web-Interface to the web.
      I think, that will be similar for other users.
      Thus, I intend to open 443 just for the renewal of the certificate and this is done with upnpc.

      Is that clearer now?

      Regards,
      Hendrik
    • henfri wrote:

      Hello,

      I do not see the relation between upnp and SSL.

      I need the certificate for some services not running on Port 443. I do not want to expose the Web-Interface to the web.
      I think, that will be similar for other users.
      Thus, I intend to open 443 just for the renewal of the certificate and this is done with upnpc.

      Is that clearer now?

      Regards,
      Hendrik
      Oh, I understand now! I made the ridiculous assumption that you wouldn't be using it for anything other than your OMV control panel. That was stupid on my part. Sorry about that.
    • Hey there.
      I have an installation of omv 3.0.88 running and I try to install the plugin. But I get an error saying
      "The following packages have unmet dependencies:
      openmediavault-letsencrypt : Depends: certbot but it is not installable
      E: Unable to correct problems, you have held broken packages."
      And I cannot install certbot either since it is apparently not a valid package... I am puzzled at this stage how to get the plugin installed now... any suggestions anyone?
    • happyreacer wrote:

      akruidenberg wrote:

      Hello, I need some help with letsencrypt for my Nextcloud server.
      I've created 2 host names with no-ip: one for my OMV panel, and the second one for Nextcloud. Nextcloud works very well with the Nginx and MySQL plugins. The only thing I need is a second letsencrypt certificate for my second hostname. The HTTP version works flawlessly. When I add the second domain name to letsencrypt, nothing happens. I've added an image for help.
      Does anyone know how to add multiple certificates? Thanks in advance!
      You must disable the certificate in your nginx and probably in your OMV web page. At the moment when you create a new certificate, you don't use the old letsencrypt certificate on any nginx plugin or on OMV.
      I've tried that multiple times. The second certificate will not appear in the list of the nginx plugin. Did you mean a second certificate is not needed for both the OMV web UI and Nextcloud?
      I'm back from vacation; that's the reason why my reply is a little bit late.
      A new domain with no-ip gives the same result. I think it's not a domain problem. Maybe the plugin?
    • Okay, since I didn't know about backports, I couldn't find it because of that I guess...
      so, will try to install tonight or tomorrow morning and get back to you.


      (although I think this is obsolete now, the output:

      ryecoaaron wrote:

      certbot is in jessie-backports. What is the output of: apt-cache policy certbot
      certbot:
      Installed: (none)
      Candidate: (none)
      Package pin: (not found)
      Version table:
    • Hey there,
      I just found out that my OMV does not generate the certificate for a second given domain.
      In the plugin section I defined: "a.mydomain.com,b.mydomain.com" (without quotes) as domains.
      After pressing "Generate Certificates" I only receive a.mydomain.com in my "live" folder from LetsEncrypt.

      Do you know this issue?

      Best regards
      Benedikt