openmediavault-letsencrypt


    • ryecoaaron wrote:

      That is exactly what the plugin does. No need to make a symlink and do anything from the command line. It creates the cert with certbot and then imports that cert into the ssl cert section of the OMV web interface. If you want to use the cert for ftp, it should be in the dropdown in the ssl tab. If you want to use it for the omv web interface, look in the web administration tab. No idea about mumble but maybe you could point it at the /etc/letsencrypt/live cert.
      Ah hmm, it looks like for some reason when the Let's Encrypt certs get renewed I still see the old expired cert under Certificate SSL.
    • ryecoaaron wrote:

      happyreacer wrote:

      I think the weak point is port 80 being bound to the OMV web GUI.
      You can change the port that the OMV web interface uses to another port. I do.
      Okay, it was a long time ago; I changed my OMV port and it didn't work.
      But now it works.... Nice!
      omv 4.0.19 | 64 bit | omvextrasorg 4.1.2 | kernel 4.14
      used plugins: nginx | mysql | docker-gui |rsnapshot | antivirus | apt tool | letsEncrypt |
      used other: netxtcloud | logitechmediaserver | emby
    • FreshMike wrote:

      It looks like for some reason when the Let's Encrypt certs get renewed I still see the old expired cert under Certificate SSL.
      If test cert is still enabled or if certbot fails to generate the certs for some reason, the cert under Certificate SSL won't be updated. It also doesn't create a new cert when one already exists. The existing cert will be updated. So, it may just look like the cert isn't updated. I suppose I could add the date to the comment on the cert.
      omv 4.1.8.2 arrakis | 64 bit | 4.15 proxmox kernel | omvextrasorg 4.1.9
      omv-extras.org plugins source code and issue tracker - github.com/OpenMediaVault-Plugin-Developers

      Please read this before posting a question.
      Please don't PM for support... Too many PMs!
    • hi folks,

      After some troubles I got my letsencrypt cert and it seems to be working (just started today, so I don't know if updates work..).

      Still some questions:
      I had to open port 80 on my router FW and forward it to my OMV to get the cert. After getting it, do I still need to forward (for cert updates maybe)?
      Before, I never forwarded port 80 and changed my SSL port away from the default 443, so a scan of the default ports will show no result and most of the bad people outside go away to other targets.
      Is there a way to keep letsencrypt working without port 80 in future, or to forward 80 to something else just to show letsencrypt "I'm still alive"?

      What do others think about this for security reasons? (yeah yeah, secure = no forward and no access from outside the LAN, I know :P)

      I tried to configure OMV to listen on port 8080 instead of port 80, but if I do so telnet can't access it and I think letsencrypt wouldn't either...

      What's your way to go? Maybe a second http "server" on the OMV with a big stinky finger on port 80? Like an empty page with "nothing to see here"?


      I don't have much experience with webservers, so I'm happy for tips ;)

      Thanks so long,
      draddy

      P.S. a little off topic: I've got a Fritzbox. Can I export the cert to import it into my Fritzbox (the Fritzbox has an option to import a cert), so that if I access my Fritzbox with my DynDNS I also no longer get the "cert isn't secure" warning from the browser?
    • draddy wrote:

      P.S. a little off topic: I've got a Fritzbox. Can I export the cert to import it into my Fritzbox (the Fritzbox has an option to import a cert), so that if I access my Fritzbox with my DynDNS I also no longer get the "cert isn't secure" warning from the browser?
      For this I have made a script, which is executed once a month, for creating a certificate for the Fritzbox and sending it by email.

      Shell-Script

      #!/bin/bash
      # Bundles cert.pem, chain.pem and privkey.pem from the Let's Encrypt live
      # directory into one PEM file (fbbt.pem) for import into the Fritzbox,
      # mails it to the admin, and deletes the local copy afterwards.
      clear
      echo "##########################################################################"
      echo "# #"
      echo "# Dieses Script erstellt ein Zertifikat fuer den Import in die Fritzbox. #"
      echo "# #"
      echo "# cert.pem, chain.pem und privkey.pem werden als fbbt.pem #"
      echo "# #"
      echo "# zusammengefuegt und im root-Verzeichnis abgespeichert #"
      echo "# #"
      echo "# und als Mail an den jeweiligen Admin verschickt! #"
      echo "# #"
      echo "##########################################################################"
      echo ""
      # Change into the Let's Encrypt live directory of your host.
      echo "Wechsle in Let's Encryptverzeichnis"
      echo "cd /etc/letsencrypt/live/HOSTNAME_OF_YOUR_NAS_-_OR_WHAT_EVER_HERE_STANDS"
      # Abort if the directory is missing; otherwise cat would read whatever
      # happens to be in the current directory.
      cd /etc/letsencrypt/live/HOSTNAME_OF_YOUR_NAS_-_OR_WHAT_EVER_HERE_STANDS || exit 1
      echo ""
      # Concatenate certificate, chain and private key into /root/fbbt.pem.
      # The bundle contains the private key, so create it readable by root only.
      umask 077
      echo "Kopiere cert.pem, chain.pem und privkey.pem nach fbbt.pem in /root"
      echo "cat cert.pem chain.pem privkey.pem > /root/fbbt.pem"
      cat cert.pem chain.pem privkey.pem > /root/fbbt.pem || exit 1
      echo ""
      # Send the bundle as a mail attachment to the admin address.
      echo "Sende Email mit erstelltem Zertifikat an root."
      mutt -e "set from=YOUR_NAS_MAILADDRESS" -s "Neues Fritzboxzertifikat" -a /root/fbbt.pem -- "YOUR@MAILADDRESS.TLD" <<< "Anbei das neue Fritzboxzertifikat zum Importieren!"
      echo ""
      # Remove the local copy of the bundle.
      echo "Loeschen des erstellten Zertifikats"
      echo "rm /root/fbbt.pem"
      rm /root/fbbt.pem
      echo ""
      echo ""
      echo "Verarbeitung beendet!"
      After that, the certificate will be deleted from the /root directory.
      *future backup system*
      OMV 3.0.96 (Erasmus) -
      Linux 4.9.0-0.bpo.4-amd64
      Core2Quad Q8200 @2,33 GHz | 6 GB
      Intel SSD 320 40GB System |
      6x2TB WD-Red Raid5

      *replacement under construction*
      OMV 3.0.96 (Erasmus) -
      Linux 4.9.0-0.bpo.4-amd64
      i3-2120 @ 3,30 GHz | 8 GB
      Sandisk SSD 126GB System | 3x6TB WD-Red Raid5


    • Thanks for the link.
      It work fine with Fritzbox 6490 too. :thumbsup:
      Hi guys, I've been trying to renew my cert, but have not been successful. I originally tried it forgetting that there is a limit and reached it. So now, I'm hesitant to run it again. So far, I keep getting a verification error and a message that says:

      "to fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain the right IP address. additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. if you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided"

      My free domain from freeDNS is correct and I have no firewall running or blocking anything. My port also runs on 80 and was successful when I initially set up OMV. I have also stopped nginx and tried generating the cert with no luck as well. I uninstalled the letsencrypt plugin and deleted the directories in etc and opt with the same result.

      I'm now running it in test mode and still receiving the same error. Any help would be appreciated. TIA.
      2.2.14 (stone burner)
      AMD Athlon(tm) 5350 APU
      Linux 3.16.0-0.bpo.4-amd64
      Just realized today that my certificates have expired and haven't been renewed. I guess I missed the code change now requiring the domains to be set up separately (I am now on OMV-letsencrypt version 3.4.5). Okay, managed that, but I am still getting this error. I found forum threads already for that, but obviously no clear solution:

      nginx: [emerg] SSL_CTX_use_PrivateKey_file("/etc/ssl/private/openmediavault-0ca13d90-4f73-4554-890d-6d5221f9a68c.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)

      So I investigated further and found out that the renewal process with certbot went just fine, meaning there is a new certificate version #7 symlinked in /etc/letsencrypt/live. But the problem is that only the .crt file has been renewed in /etc/ssl/certs/openmediavault-UID.crt, but not the private key file in /etc/ssl/private/openmediavault-UID.key.

      To be more precise: the key file has a new file date, so it was overwritten during the update, but the content is still the key file from an older version. Currently I have file version privkey7.pem, but the key content in the /etc/ssl/private folder is still from version privkey4.pem. So that is the reason why NGINX gives an error, because of course certificate and key do not match. When I now start the renewal process in the WebGUI again, the letsencrypt.log file says "Cert not yet due for renewal", and the certs in /etc/ssl get a new file date, but the same content as before.

      By the way: the same is true for the config file /etc/openmediavault/config.xml: whereas the uuid stays the same all the time, only the XML section <certificate> seems to be updated, not the <privatekey>.
      I was following the trace of the function call in the code and saw that in letsencrypt.inc there is an RPC to CertificateMgmt that should do the update both in the config and for the files, but maybe it does not, at least not for me. I gave up at that point and hope for help.

      Thank you,
      Gerald
    • I don't think there is any reason to keep the old private or public key. I would uninstall the plugin and re-install it. I would delete the other cert in the ssl tab. When the RPC call to Certificate Management is made, it passes the newly created private and public keys. Because you upgraded, it might have been trying to use the old cert uuid causing problems.
      I don't need to keep old certificates (certbot does, in the archive folder), so I thought that should not cause trouble.

      Anyway, you gave me an idea and I tried something else first: I deleted the Letsencrypt certificate in WebGUI System -> Certificates and afterwards did a Certificate Renew by pressing the button in the plugin. Now it worked: it regenerated the certificate in the OMV Certificate Management with a different certuuid and a correct pair of public and private key.

      I re-enabled the certificate for all my services and at the moment I'm fine, thank you!
    • Hi there,

      I have a new topic for the letsencrypt plugin and I wasn't sure if I should post it here or in a new thread. Please move it if necessary.

      The plugin was working for me for over a year when it suddenly vanished (not the plugin, but the certificate). I had to renew it, which worked. But before that I had deleted the monthly task in "scheduled tasks" (which was stupid, as it clearly states do not delete this). But I couldn't delete it from the certificates page since there was no certificate. So I made the wrong decision to manually delete the task :(

      Anyways: I have a new certificate and told letsencrypt to also create a scheduled task, but it won't show up in the GUI in "scheduled tasks". I went as far as completely deinstalling the letsencrypt plugin, deleting all certificates and making sure, that in /etc/cron.d/ there is nothing about letsencrypt nor anywhere else on the filesystem. Then I reinstalled everything, created the cert and everything works but I still don't see the cronjob in "scheduled tasks" in the GUI.

      Letsencrypt did create a file in /etc/cron.d/ called openmediavault-letsencrypt

      However there is nothing about letsencrypt in /var/lib/openmediavault/cron.d/ where all my other scheduled tasks show up.

      What can I do now? Will the cronjob work anyway without showing up in the GUI or in /var/lib/openmediavault/cron.d/? How can I get the GUI to show me the task again?

      Thanks for your help!
      Alex
    • laxon wrote:

      What can I do now? Will the cronjob work anyway without showing up in the GUI or in /var/lib/openmediavault/cron.d/? How can I get the GUI to show me the task again?
      You worry too much. The old plugin added a scheduled job. I removed that because I thought there was no reason for it to be editable. In its place, the plugin creates a real cron entry that makes an rpc call instead of calling a script with redundant code in it. That is why there is nothing for it in /var/lib/openmediavault/cron.d/. So, deleting the scheduled job is the correct thing to do.
    • Gerald wrote:

      Just realized today that my certificates have expired and haven't been renewed. I guess I missed the code change now requiring the domains to be set up separately (I am now on OMV-letsencrypt version 3.4.5). Okay, managed that, but I am still getting this error. I found forum threads already for that, but obviously no clear solution:

      nginx: [emerg] SSL_CTX_use_PrivateKey_file("/etc/ssl/private/openmediavault-0ca13d90-4f73-4554-890d-6d5221f9a68c.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)

      So I investigated further and found out that the renewal process with certbot went just fine, meaning there is a new certificate version #7 symlinked in /etc/letsencrypt/live. But the problem is that only the .crt file has been renewed in /etc/ssl/certs/openmediavault-UID.crt, but not the private key file in /etc/ssl/private/openmediavault-UID.key.

      To be more precise: the key file has a new file date, so it was overwritten during the update, but the content is still the key file from an older version. Currently I have file version privkey7.pem, but the key content in the /etc/ssl/private folder is still from version privkey4.pem. So that is the reason why NGINX gives an error, because of course certificate and key do not match. When I now start the renewal process in the WebGUI again, the letsencrypt.log file says "Cert not yet due for renewal", and the certs in /etc/ssl get a new file date, but the same content as before.

      By the way: the same is true for the config file /etc/openmediavault/config.xml: whereas the uuid stays the same all the time, only the XML section <certificate> seems to be updated, not the <privatekey>.
      I was following the trace of the function call in the code and saw that in letsencrypt.inc there is an RPC to CertificateMgmt that should do the update both in the config and for the files, but maybe it does not, at least not for me. I gave up at that point and hope for help.

      Thank you,
      Gerald
      That's what happened to me too.

      I'm just restoring old certificate from backup just to get things working again.

      Have you changed key size to 4096? I had 2048 bit key size, and changed it to 4096 before certificate renew, and then...
      OMV 3.0 (amd64) @ HP Microserver gen8 | Intel Xeon E1265L-V2 | 16 GB ECC RAM | 1 x 256GB Crucial M4 | 4 x 3 TB WD Red in RAID5
      After comparing the last generated certificate's hash against every private key hash I could find under /etc/letsencrypt using

      openssl pkey -in privateKey.key -pubout -outform pem | sha256sum
      openssl x509 -in certificate.crt -pubkey -noout -outform pem | sha256sum

      I've found the private key at /etc/letsencrypt/keys/000X_key-certboot.pem

      I've copied it and renamed it accordingly and now everything works fine.

      I wonder if it's a certbot bug...
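A diagnostic for the key/certificate mismatch described in this thread, added here as an example and not code from the plugin or from any poster: it turns the two openssl commands in the post above into a check of the installed pair plus a search over /etc/letsencrypt for the key that actually matches. The function names are mine; the paths in the comments are the ones named in the thread, with the cert UUID left as a placeholder.

```shell
#!/bin/bash
# Added example for this thread (not plugin code): check whether the certificate
# OMV installed still matches its private key, and if not, find the key under
# /etc/letsencrypt whose public key matches, by comparing the SHA-256 of the
# public key each file carries (the two openssl commands from the post above).

# SHA-256 of the public key embedded in a certificate; fails if unreadable.
cert_pubkey_hash() {
    local pub
    pub=$(openssl x509 -in "$1" -pubkey -noout 2>/dev/null) || return 1
    printf '%s\n' "$pub" | sha256sum | cut -d' ' -f1
}

# SHA-256 of the public key derived from a private key; fails if the file is
# not a key (so a cert or chain file met during the search is simply skipped).
key_pubkey_hash() {
    local pub
    pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    printf '%s\n' "$pub" | sha256sum | cut -d' ' -f1
}

# Exit 0 when certificate $1 and private key $2 belong together, 1 otherwise.
cert_matches_key() {
    local c k
    c=$(cert_pubkey_hash "$1") || return 1
    k=$(key_pubkey_hash "$2") || return 1
    if [ "$c" = "$k" ]; then return 0; else return 1; fi
}

# Search directory $2 for a *.pem / *.key file whose key matches certificate $1.
# Prints the first match; exit 1 when none. Paths are word-split, which is fine
# for /etc/letsencrypt (certbot's file names contain no spaces).
find_matching_key() {
    local want f
    want=$(cert_pubkey_hash "$1") || return 1
    for f in $(find "$2" -type f \( -name '*.pem' -o -name '*.key' \) 2>/dev/null); do
        if [ "$(key_pubkey_hash "$f")" = "$want" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# Stand-alone use on an OMV box (UUID is a placeholder for the real cert id):
#   ./findkey.sh /etc/ssl/certs/openmediavault-UUID.crt /etc/ssl/private/openmediavault-UUID.key
if [ $# -eq 2 ] && ! cert_matches_key "$1" "$2"; then
    echo "key values mismatch: searching /etc/letsencrypt for the matching key" >&2
    find_matching_key "$1" /etc/letsencrypt
fi
```

When the installed pair matches, the script prints nothing and exits 0; on a mismatch it prints the path of the key certbot generated for that certificate, which is the file to copy into /etc/ssl/private.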
    • diego wrote:

      I wonder if it's a certbot bug...
      My system seems to be working fine and renewed a few days ago. Seems to be more of an issue with upgrades from the old plugin.
      I can't create a certificate on a new omv4 system. At the end of my logfile I see the following lines

      Source Code

      Traceback (most recent call last):
        File "/usr/bin/certbot", line 11, in <module>
          load_entry_point('certbot==0.10.2', 'console_scripts', 'certbot')()
        File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 849, in main
          return config.func(config, plugins)
        File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 626, in obtain_cert
          action, _ = _auth_from_available(le_client, config, domains, certname, lineage)
        File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 107, in _auth_from_available
          lineage = le_client.obtain_and_enroll_certificate(domains, certname)
        File "/usr/lib/python2.7/dist-packages/certbot/client.py", line 291, in obtain_and_enroll_certificate
          certr, chain, key, _ = self.obtain_certificate(domains)
        File "/usr/lib/python2.7/dist-packages/certbot/client.py", line 262, in obtain_certificate
          self.config.allow_subset_of_names)
        File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 88, in get_authorizations
          "Challenges failed for all domains")
      AuthorizationError: Challenges failed for all domains
      I don't know what the problem is.
      In the letsencrypt options I put only "/" for the web root, is that okay? And in the nginx plugin I use only the name-based option for the domains. For more info I have the complete letsencrypt logfile.
      It would be nice if anybody can help.
      Greetings