openmediavault-letsencrypt

Zitat von ryecoaaron

That is exactly what the plugin does. No need to make a symlink and do anything from the command line. It creates the cert with certbot and then imports that cert into the ssl cert section of the OMV web interface. If you want to use the cert for ftp, it should be in the dropdown in the ssl tab. If you want to use it for the omv web interface, look in the web administration tab. No idea about mumble but maybe you could point it at the /etc/letsencryp/live cert.

Ah hmm , It looks like that for some reason when the letscencrpt certs gets renewed I still see the old expired cert under Certificate SSL.

Zitat von ryecoaaron

You can change the port that the OMV web interface uses to another port. I do.

Okay, it is long time ago, i have cange my OMV port and it doesn't work.
but now it works.... Nice!

hi folks,

after some troubles i get my letsencrypt cert and it seems to be working. (just startet today so dono if updates work ..)

still some questions:
i have to open port 80 on my router FW and forward to my OMV to get the cert - after geting it i still need to forward (for cert update maybe)?
bevor i never forward port 80 and changed my ssl port away from default 443 so a scan to default ports will show no result and most of the bad people outside go away to other targets.
is there a way to keep letsencrypt working without port 80 in future or to forward 80 to something other just to show letsencrypt "i'm still alive"

what think others about for security reasons? (yeah yeah, secure = no forward and no access from outside the lan, i know :P)

tryed to config omv to listen on port 8080 instead of port 80 but if i do so telnet can't access and i think - also letsencrypt wouldn't ...

whats your way to go? maybe a second http "server" on the omv with a big stinky finger on port 80? like an empty page with "nothing to see here"?

don't have much experience with webserver - so i'm happy for tipps

thanks so long
draddy

p.s. little offtopic: got a fritzbox - can i export the cert to import it into my fritzbox (fritzbox got option to import a cert) - so if i access my fritzbox with my dyndns i also no longer get the "cert issn't secure" warning from browser?

Zitat von draddy

p.s. little offtopic: got a fritzbox - can i export the cert to import it into my fritzbox (fritzbox got option to import a cert) - so if i access my fritzbox with my dyndns i also no longer get the "cert issn't secure" warning from browser?

For this I have made a script, which is executed once a month, fot creating a certificate for the Fritzbox and send it by email.

#!/bin/bash
clear
echo "##########################################################################"
echo "#                                                                        #"
echo "# Dieses Script erstellt ein Zertifikat fuer den Import in die Fritzbox. #"
echo "#                                                                        #"
echo "#        cert.pem, chain.pem und privkey.pem werden als fbbt.pem         #"
echo "#                                                                        #"
echo "#         zusammengefuegt und im root-Verzeichnis abgespeichert          #"
echo "#                                                                        #"
echo "#            und als Mail an den jeweiligen Admin verschickt!            #"
echo "#                                                                        #"
echo "##########################################################################"
echo ""
echo "Wechsle in Let's Encrpytverzeichnis"
echo "cd /etc/letsencrypt/live/HOSTNAME_OF_YOUR_NAS_-_OR_WHAT_EVER_HERE_STANDS"
cd /etc/letsencrypt/live/HOSTNAME_OF_YOUR_NAS_-_OR_WHAT_EVER_HERE_STANDS
echo ""
echo "Kopiere cert.pem, chain.pem und privkey.pem nach fbbt.pem in /root"
echo "cat cert.pem chain.pem privkey.pem > /root/fbbt.pem"
cat cert.pem chain.pem privkey.pem > /root/fbbt.pem
echo ""
echo "Sende Email mit erstelltem Zertifikat an root."
mutt -e "set from=YOUR_NAS_MAILADDRESS" -s "Neues Fritzboxzertifikat" -a /root/fbbt.pem -- "YOUR@MAILADDRESS.TLD" <<< "Anbei das neue Fritzboxzertifikat zum Importieren!"
echo ""
echo "Loeschen des erstellten Zertifikats"
echo "rm /root/fbbt.pem"
rm /root/fbbt.pem
echo ""
echo ""
echo "Verarbeitung beendet!"

After that, the certificate will be deleted from the /root directory.

hi,

thanks Daniel, but for this i found something better (its also german - so you shouldn't have a problem ^^)

hope ext. links are OK! if not - Sorry
https://christiandietze.de/aut…fikates-auf-die-fritzbox/

will create the Cert and upload it to fritzbox - just make a job for it and thats it

Thanks for the link.
It work fine with Fritzbox 6490 too.

Hi guys, I'v been trying to renew my cert, but have not been successful. I originally tried it forgetting that there is a limit and reached it. So now, i'm hesitant to run it again. So far, I keep getting verification error and a message the says:

"to fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAA record(s) for that domain contains the right IP address. additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communication with the client. if your using the webroot plugin, you should also verify that you are serving files from the webroot path you provided"

My free domain from freeDNS is correct and I have no firewall running or blocking anything. My port also runs on 80 and was successfull when i initially set up OMV. I have also stopped nginx and tried generating cert with no luck as well. I uninstalled letsencrypt plugin and deleted the directories in ect and opt with same result.

I'm now running it with test mode and still receiving the same error. Any help would be appreciated. TIA.

Nevermind, I fixed it. Thanks for your help.

Just realized today that my certificates have expired and haven't been renewed - guess I missed the code change requiring now to set up the domains separately (I am now with OMV-letsencrypt version 3.4.5). Okay, managed that but I am still getting this error. I found forum threads already for that, but obviously no clear solution:

nginx: [emerg] SSL_CTX_use_PrivateKey_file("/etc/ssl/private/openmediavault-0ca13d90-4f73-4554-890d-6d5221f9a68c.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)

So I investigated futher and found out that the renewal process with certbot went just fine, meaning there is an new certificate version #7 symlinked in /etc/letsencrypt/live. But the problem is that only the .crt file has been renewed in /etc/ssl/certs/openmediavault-UID.crt but not the private key file in /etc/ssl/private/openmediavault-UID.key

To be more precisely: The key file has a new file date, so it was overwritten during update, but the content is still the key file from an older version. Currently I have file version privkey7.pem but the certificate content in the /etc/ssl/private folder ist still from version privkey4.pem. So that is the reason why NGINX gives an error because of course certificate and key do no match. When I now start the renewal process in WebGui again, the letsencrypt.log file says "Cert not yet due for renewal", and the certs in /etc/ssl get a new file date. But same content than before.

By the way: Same is true with the config file /etc/openmediavault/config.xml: Whereas the uuid stays the same all the time, only the XML-section <certificate> seems to be updated, not the <privatekey>.
I was following the trace of the function call in the code and saw that in letsencrypt.inc there is a RPC to CertificateMgmt - that should do the update both in the config and for the files, but maybe it does not, at least not for me. I gave up at that point and hope for help.

Thank you,
Gerald

I don't need to keep old certificates - certbot does in the archive folder, so I thought that should not cause trouble.

Anyway you gave me an idea and I tried something else first: I deleted the Letsencrypt certificate in WebGUI System -> Certificates and afterwards did a Certificate Renew by pressing the button in the plugin. Now it worked - it regenerated the certificate in the OMV Certificate Management with a different certuuid and a correct pair of public and private key.

I reenabled the certificate for all my services and at the moment I'm fine, thank you!

Hi there,

I have a new topic for the letsencrypt plugin and I wasn't sure if I should post it here or in a new thread. Please move it if necessary.

The plugin was working for me for over a year when it suddenly vanished (not the plugin but the certificate). I had to renew it, which worked. But before I had deleted the monthly task in "scheduled tasks" (which was stupid as it clearly states do not delete this). but I couldn't delete it from the certificates page since there was no certifcate. So I made the wrong decision to manually delete the task

Anyways: I have a new certificate and told letsencrypt to also create a scheduled task, but it won't show up in the GUI in "scheduled tasks". I went as far as completely deinstalling the letsencrypt plugin, deleting all certificates and making sure, that in /etc/cron.d/ there is nothing about letsencrypt nor anywhere else on the filesystem. Then I reinstalled everything, created the cert and everything works but I still don't see the cronjob in "scheduled tasks" in the GUI.

Letsencrypt did create a file in /etc/cron.d/ called openmediavault-letsencrypt

However there is nothing about letsencrypt in /var/lib/openmediavault/cron.d/ where all my other scheduled tasks show up.

What can I do now? Will the cronjob work anyways without showing up in the GUI or in /var/lib/openmediavault/cron.d/ How can I get the GUI to show me the task again?

Thanks for your help!
Alex

thanks! no wonder it didn't work. I must have missed that there was a new version of the plugin. great, so everything is fine and my cert should renew automatically in a month.

Thanks by the way for this awesome plugin!

Zitat von Gerald

Just realized today that my certificates have expired and haven't been renewed - guess I missed the code change requiring now to set up the domains separately (I am now with OMV-letsencrypt version 3.4.5). Okay, managed that but I am still getting this error. I found forum threads already for that, but obviously no clear solution:

nginx: [emerg] SSL_CTX_use_PrivateKey_file("/etc/ssl/private/openmediavault-0ca13d90-4f73-4554-890d-6d5221f9a68c.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)

So I investigated futher and found out that the renewal process with certbot went just fine, meaning there is an new certificate version #7 symlinked in /etc/letsencrypt/live. But the problem is that only the .crt file has been renewed in /etc/ssl/certs/openmediavault-UID.crt but not the private key file in /etc/ssl/private/openmediavault-UID.key

To be more precisely: The key file has a new file date, so it was overwritten during update, but the content is still the key file from an older version. Currently I have file version privkey7.pem but the certificate content in the /etc/ssl/private folder ist still from version privkey4.pem. So that is the reason why NGINX gives an error because of course certificate and key do no match. When I now start the renewal process in WebGui again, the letsencrypt.log file says "Cert not yet due for renewal", and the certs in /etc/ssl get a new file date. But same content than before.

By the way: Same is true with the config file /etc/openmediavault/config.xml: Whereas the uuid stays the same all the time, only the XML-section <certificate> seems to be updated, not the <privatekey>.
I was following the trace of the function call in the code and saw that in letsencrypt.inc there is a RPC to CertificateMgmt - that should do the update both in the config and for the files, but maybe it does not, at least not for me. I gave up at that point and hope for help.

Thank you,
Gerald

Alles anzeigen

That's what happened to me too.

I'm just restoring old certificate from backup just to get things working again.

Have you changed key size to 4096? I had 2048 bit key size, and changed it to 4096 before certificate renew, and then...

After comparing last generated certificate hash agaisnt every private key hash I could find under /etc/letsencrypt using

openssl pkey -in privateKey.key -pubout -outform pem | sha256sum
openssl x509 -in certificate.crt -pubkey -noout -outform pem | sha256sum

I've found the private key at /etc/letsencrypt/keys/000X_key-certboot.pem

I've copied it and renamed acordingly and now everthing works fine.

I wonder if it's a certbot bug...

I cant create on a new omv4 system a certificate. At the end of my logfile i have see the following lines

Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.10.2', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 849, in main
    return config.func(config, plugins)
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 626, in obtain_cert
    action, _ = _auth_from_available(le_client, config, domains, certname, lineage)
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 107, in _auth_from_available
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python2.7/dist-packages/certbot/client.py", line 291, in obtain_and_enroll_certificate
    certr, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python2.7/dist-packages/certbot/client.py", line 262, in obtain_certificate
    self.config.allow_subset_of_names)
  File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 88, in get_authorizations
    "Challenges failed for all domains")
AuthorizationError: Challenges failed for all domains

I dont know what is the problem.
I took in the options in letsencrypt for the web root only a "/" is it okay? and in the nginx-plugin i use only namebased option for the domains. for more infos i have the complete letsencrypt logfile
It would be nice if anybody can help.
Greetings