openmediavault-letsencrypt

    • OMV 3.x (stable)
    • I'm back; I have my first certificate, but only for the site in my nginx plugin with my cloud program. By the way, I don't know how I can make a certificate for a subdomain with proxy_pass.
      BUT I can't use the certificate.
      The error is:

      Source Code

      Failed to execute command 'export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin; export LANG=C; nginx -t 2>&1' with exit code '1': nginx: [emerg] SSL_CTX_use_PrivateKey_file("/etc/ssl/private/openmediavault-e814a850-7e12-4d0c-8cd5-b03857808755.key") failed

      Source Code

      Fehler #0:
      OMV\ExecException: Failed to execute command 'export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin; export LANG=C; nginx -t 2>&1' with exit code '1': nginx: [emerg] SSL_CTX_use_PrivateKey_file("/etc/ssl/private/openmediavault-e814a850-7e12-4d0c-8cd5-b03857808755.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
      nginx: configuration file /etc/nginx/nginx.conf test failed in /usr/share/php/openmediavault/system/process.inc:175
      Stack trace:
      #0 /usr/share/openmediavault/engined/module/webserver.inc(40): OMV\System\Process->execute()
      #1 /usr/share/openmediavault/engined/rpc/config.inc(168): OMVModuleNginxAbstract->applyConfig()
      #2 [internal function]: OMVRpcServiceConfig->applyChanges(Array, Array)
      #3 /usr/share/php/openmediavault/rpc/serviceabstract.inc(123): call_user_func_array(Array, Array)
      #4 /usr/share/php/openmediavault/rpc/serviceabstract.inc(150): OMV\Rpc\ServiceAbstract->callMethod('applyChanges', Array, Array)
      #5 /usr/share/php/openmediavault/rpc/serviceabstract.inc(528): OMV\Rpc\ServiceAbstract->OMV\Rpc\{closure}('/tmp/bgstatuskZ...', '/tmp/bgoutputR9...')
      #6 /usr/share/php/openmediavault/rpc/serviceabstract.inc(151): OMV\Rpc\ServiceAbstract->execBgProc(Object(Closure))
      #7 /usr/share/openmediavault/engined/rpc/config.inc(213): OMV\Rpc\ServiceAbstract->callMethodBg('applyChanges', Array, Array)
      #8 [internal function]: OMVRpcServiceConfig->applyChangesBg(Array, Array)
      #9 /usr/share/php/openmediavault/rpc/serviceabstract.inc(123): call_user_func_array(Array, Array)
      #10 /usr/share/php/openmediavault/rpc/rpc.inc(86): OMV\Rpc\ServiceAbstract->callMethod('applyChangesBg', Array, Array)
      #11 /usr/sbin/omv-engined(536): OMV\Rpc\Rpc::call('Config', 'applyChangesBg', Array, Array, 1)
      #12 {main}
      omv 4.0.15 | 64 bit | omvextrasorg 4.1.2 | kernel 4.13
      used plugins: nginx | mysql | docker-gui | flashmemory |rsnapshot | antivirus | apt tool | letsEncrypt |
      used other: nextcloud | logitechmediaserver | emby

      The post was edited 2 times, last by happyreacer: EDIT: I made the certificate again and now I can use it.

    • Hi there,

      first of all, thank you for this wonderful plugin. Unfortunately, I can't get it to work for me. I am running Erasmus on a Debian Jessie install, which I only made, because I wanted a different partition layout. Otherwise I would have gone straight to the OpenMediaVault iso. Thus I installed Debian Jessie with SSH and then OpenMediaVault on top. Then I installed omv-extras and the letsencrypt plugin. Then I wanted to use letsencrypt, but can't get it to work.

      I have a static IPv4 from Deutsche Telekom. I set up a DNS entry like so: locality.company.tld
      The OpenMediaVault box has its own name, but knows about the domain, so it calls itself omvbox.locality.company.tld
      But because I only have one IPv4, when I log in from remote, I need to use locality.company.tld. I use that for SSH and can connect to the box with a self-signed SSL cert or over port 80.

      For the time being, I forward port 80 and port 443 directly from the router to the openmediavault box. Currently I can access them from outside using a web browser.

      I wanted to secure them with letsencrypt, to get rid of the error message.

      First of all I found it strange that I had to search around to find out which root directory to fill in: "/var/www/openmediavault/" Why wasn't this in the official documentation? Most people will want to secure access to the web admin first. Then I used the domain locality.company.tld, because that is the domain where the box will be at from the outside.

      But when I try to attain a cert from letsencrypt, the challenge fails, even though the domain is correct, path is correct and the ports are open. What am I missing?
    • Speedrunner wrote:

      Hi there,

      first of all, thank you for this wonderful plugin. Unfortunately, I can't get it to work for me. I am running Erasmus on a Debian Jessie install, which I only made, because I wanted a different partition layout. Otherwise I would have gone straight to the OpenMediaVault iso. Thus I installed Debian Jessie with SSH and then OpenMediaVault on top. Then I installed omv-extras and the letsencrypt plugin. Then I wanted to use letsencrypt, but can't get it to work.
      Letsencrypt is tested on an OMV install (from the official *.ISO), not on a Debian install with OMV on top of it; that is not the same.
      OMV 3.0.96 x64 on a HP T510, 8GB CF as Boot Disk & 32GB SSD 2,5" disk for Data, 4 GB RAM, CPU VIA EDEN X2 U4200 is x64 at 1GHz

      Post: HPT510 SlimNAS ; HOWTO Install Pi-Hole ; HOWTO install MLDonkey ; HOWTO Install ZFS-Plugin ; OMV_OldGUI ; ShellinaBOX ;

    • raulfg3 wrote:

      Speedrunner wrote:

      Hi there,

      first of all, thank you for this wonderful plugin. Unfortunately, I can't get it to work for me. I am running Erasmus on a Debian Jessie install, which I only made, because I wanted a different partition layout. Otherwise I would have gone straight to the OpenMediaVault iso. Thus I installed Debian Jessie with SSH and then OpenMediaVault on top. Then I installed omv-extras and the letsencrypt plugin. Then I wanted to use letsencrypt, but can't get it to work.
      Letsencrypt is tested on an OMV install (from the official *.ISO), not on a Debian install with OMV on top of it; that is not the same.
      The letsencrypt plugin is listed under stable:

      omv-extras.org/joomla/index.php/omv-plugins-3

      I installed omv-extras like described in the documentation and then installed the letsencrypt plugin from there. I was under the impression that there isn't a big difference between installing Debian Jessie minimal and then installing OMV on top, and simply using the OMV ISO. So if I install from Debian Jessie, I can't use plugins?

      Here is the output from the plugin:

      Source Code

      Command: export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin; export LANG=C; /usr/bin/certbot certonly --non-interactive --rsa-key-size 2048 --text --keep-until-expiring --agree-tos --allow-subset-of-names --cert-name locality.company.tld --email email@company.tld --webroot -w /var/www/openmediavault/ -d locality.company.tld 2>&1
      Saving debug log to /var/log/letsencrypt/letsencrypt.log
      Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
      Obtaining a new certificate
      Performing the following challenges:
      http-01 challenge for locality.company.tld
      Using the webroot path /var/www/openmediavault for all unmatched domains.
      Waiting for verification...
      Challenge failed for domain locality.company.tld
      Cleaning up challenges
      Challenges failed for all domains
      Fertig...

      I checked the location /var/www/openmediavault/.well-known/ and the plugin creates a file there (and then deletes it after). I also put a file there and I can open it up from a remote webbrowser with the appropriate domain. I also fail to see anything interesting in the debug logs located at /var/log/letsencrypt/

      I am at a loss here.

      I almost forgot: I enabled the jessie-backports Debian repository in the web interface of openmediavault. Again: I didn't do anything with Debian Jessie except use their installer and then immediately put OMV on top. I was also locked out using this procedure, because the OMV install creates a new sshd that only allows members of the group ssh to log in remotely.

      The post was edited 2 times, last by Speedrunner.

    • Output from /var/log/letsencrypt/letsencrypt.log

      Source Code: letsencrypt.log

      2018-01-15 12:12:34,632:DEBUG:acme.client:Storing nonce: wa82WLbQaGXORJI_zQqov-NHcxa8iFNxyf1wF4vgmZs
      2018-01-15 12:12:34,633:INFO:certbot.auth_handler:Performing the following challenges:
      2018-01-15 12:12:34,633:INFO:certbot.auth_handler:http-01 challenge for locality.company.tld
      2018-01-15 12:12:34,634:INFO:certbot.plugins.webroot:Using the webroot path /var/www/openmediavault for all unmatched domains.
      2018-01-15 12:12:34,634:DEBUG:certbot.plugins.webroot:Creating root challenges validation dir at /var/www/openmediavault/.well-known/acme-challenge
      2018-01-15 12:12:34,643:DEBUG:certbot.plugins.webroot:Attempting to save validation to /var/www/openmediavault/.well-known/acme-challenge/UZ8IS80vpeIJwLg8MIitT6rd-quOsMh1P7NtYbl_vy4
      2018-01-15 12:12:34,644:INFO:certbot.auth_handler:Waiting for verification...
      2018-01-15 12:12:34,644:DEBUG:acme.client:JWS payload:
      {
      "keyAuthorization": "UZ8IS80vpeIJwLg8MIitT6rd-quOsMh1P7NtYbl_vy4._1REN1RZoBZrRPaTtpWHtNIvyPgFoJ13cgoZ1M2ac5A",
      "type": "http-01",
      "resource": "challenge"
      }
      2018-01-15 12:12:34,653:DEBUG:root:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/challenge/j8OSiXV1DPxMlaIwRtgu12Cb0XSnN2wzoCRCU022Ep8/3103096588:
      2018-01-15 12:12:34,961:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/challenge/j8OSiXV1DPxMlaIwRtgu12Cb0XSnN2wzoCRCU022Ep8/3103096588 HTTP/1.1" 202 336
      2018-01-15 12:12:34,963:DEBUG:acme.client:Received response:
      HTTP 202
      Server: nginx
      Content-Type: application/json
      Content-Length: 336
      Boulder-Requester: 27632158
      Link: <https://acme-v01.api.letsencrypt.org/acme/authz/j8OSiXV1DPxMlaIwRtgu12Cb0XSnN2wzoCRCU022Ep8>;rel="up"
      Location: https://acme-v01.api.letsencrypt.org/acme/challenge/j8OSiXV1DPxMlaIwRtgu12Cb0XSnN2wzoCRCU022Ep8/3103096588
      Replay-Nonce: qTq613KNb9YmNGb2y_fDtiKVkgSPME5jIIvE_zFlfH4
      Expires: Mon, 15 Jan 2018 12:12:34 GMT
      Cache-Control: max-age=0, no-cache, no-store
      Pragma: no-cache
      Date: Mon, 15 Jan 2018 12:12:34 GMT
      Connection: keep-alive
      {
      "type": "http-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/j8OSiXV1DPxMlaIwRtgu12Cb0XSnN2wzoCRCU022Ep8/3103096588",
      "token": "UZ8IS80vpeIJwLg8MIitT6rd-quOsMh1P7NtYbl_vy4",
      "keyAuthorization": "UZ8IS80vpeIJwLg8MIitT6rd-quOsMh1P7NtYbl_vy4._1REN1RZoBZrRPaTtpWHtNIvyPgFoJ13cgoZ1M2ac5A"
      }
      2018-01-15 12:12:34,963:DEBUG:acme.client:Storing nonce: qTq613KNb9YmNGb2y_fDtiKVkgSPME5jIIvE_zFlfH4
      2018-01-15 12:12:37,967:DEBUG:root:Sending GET request to https://acme-v01.api.letsencrypt.org/acme/authz/j8OSiXV1DPxMlaIwRtgu12Cb0XSnN2wzoCRCU022Ep8.
      2018-01-15 12:12:38,212:DEBUG:requests.packages.urllib3.connectionpool:"GET /acme/authz/j8OSiXV1DPxMlaIwRtgu12Cb0XSnN2wzoCRCU022Ep8 HTTP/1.1" 200 1737
      2018-01-15 12:12:38,213:DEBUG:acme.client:Received response:
      HTTP 200
      Server: nginx
      Content-Type: application/json
      Content-Length: 1737
      Link: <https://acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"
      Replay-Nonce: JYzN8BuSFTfQbMJKi2ZSLBrxCWKvF78Dsfp8nZaPLlg
      X-Frame-Options: DENY
      Strict-Transport-Security: max-age=604800
      Expires: Mon, 15 Jan 2018 12:12:38 GMT
      Cache-Control: max-age=0, no-cache, no-store
      Pragma: no-cache
      Date: Mon, 15 Jan 2018 12:12:38 GMT
      Connection: keep-alive
      {
      "identifier": {
      "type": "dns",
      "value": "locality.company.tld"
      },
      "status": "invalid",
      "expires": "2018-01-22T12:12:34Z",
      "challenges": [
      {
      "type": "http-01",
      "status": "invalid",
      "error": {
      "type": "urn:acme:error:unauthorized",
      "detail": "Invalid response from http://locality.company.tld/.well-known/acme-challenge/UZ8IS80vpeIJwLg8MIitT6rd-quOsMh1P7NtYbl_vy4: \"\u003c!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\"\u003e\n\u003chtml\u003e\u003chead\u003e\n\u003ctitle\u003e300 Multiple Choices\u003c/title\u003e\n\u003c/head\u003e\u003cbody\u003e\n\u003ch1\u003eMultiple C\"",
      "status": 403
      },
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/j8OSiXV1DPxMlaIwRtgu12Cb0XSnN2wzoCRCU022Ep8/3103096588",
      "token": "UZ8IS80vpeIJwLg8MIitT6rd-quOsMh1P7NtYbl_vy4",
      "keyAuthorization": "UZ8IS80vpeIJwLg8MIitT6rd-quOsMh1P7NtYbl_vy4._1REN1RZoBZrRPaTtpWHtNIvyPgFoJ13cgoZ1M2ac5A",
      "validationRecord": [
      {
      "url": "http://locality.company.tld/.well-known/acme-challenge/UZ8IS80vpeIJwLg8MIitT6rd-quOsMh1P7NtYbl_vy4",
      "hostname": "locality.company.tld",
      "port": "80",
      "addressesResolved": [
      "87.128.72.128",
      "2001:8d8:100f:f000::2d0"
      ],
      "addressUsed": "2001:8d8:100f:f000::2d0",
      "addressesTried": []
      }
      ]
      },
      {
      "type": "dns-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/j8OSiXV1DPxMlaIwRtgu12Cb0XSnN2wzoCRCU022Ep8/3103096589",
      "token": "tAIlg-Fqb7VtPRIVDrq5dXYcAZ44J-Tf6BXGesKFb94"
      }
      ],
      "combinations": [
      [
      1
      ],
      [
      0
      ]
      ]
      }
      2018-01-15 12:12:38,214:WARNING:certbot.auth_handler:Challenge failed for domain locality.company.tld
      2018-01-15 12:12:38,214:INFO:certbot.auth_handler:Cleaning up challenges
      2018-01-15 12:12:38,215:DEBUG:certbot.plugins.webroot:Removing /var/www/openmediavault/.well-known/acme-challenge/UZ8IS80vpeIJwLg8MIitT6rd-quOsMh1P7NtYbl_vy4
      2018-01-15 12:12:38,215:DEBUG:certbot.plugins.webroot:All challenges cleaned up, removing /var/www/openmediavault/.well-known/acme-challenge
      2018-01-15 12:12:38,217:DEBUG:certbot.main:Exiting abnormally:
      Traceback (most recent call last):
      File "/usr/bin/certbot", line 11, in <module>
      load_entry_point('certbot==0.10.2', 'console_scripts', 'certbot')()
      File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 849, in main
      return config.func(config, plugins)
      File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 626, in obtain_cert
      action, _ = _auth_from_available(le_client, config, domains, certname, lineage)
      File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 107, in _auth_from_available
      lineage = le_client.obtain_and_enroll_certificate(domains, certname)
      File "/usr/lib/python2.7/dist-packages/certbot/client.py", line 291, in obtain_and_enroll_certificate
      certr, chain, key, _ = self.obtain_certificate(domains)
      File "/usr/lib/python2.7/dist-packages/certbot/client.py", line 262, in obtain_certificate
      self.config.allow_subset_of_names)
      File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 88, in get_authorizations
      "Challenges failed for all domains")
      AuthorizationError: Challenges failed for all domains
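The validationRecord in that log says more than the plugin's "Challenge failed" line does: the CA resolved both an A and an AAAA record, connected to the IPv6 address (the post only describes IPv4 port forwarding), and the body it got back was an HTML "300 Multiple Choices" page rather than the token file. As an added example, not code from the thread or from the plugin, here is a small Python check that pulls exactly those facts out of an authz object like the one above; the sample JSON is constructed from the log, trimmed to the fields the check reads.

```python
import ipaddress
import json
import re

# Constructed sample: the authz object from the letsencrypt.log above,
# trimmed to the fields this check reads.
AUTHZ_JSON = r'''{
  "identifier": {"type": "dns", "value": "locality.company.tld"},
  "status": "invalid",
  "challenges": [
    {"type": "http-01", "status": "invalid",
     "error": {"type": "urn:acme:error:unauthorized", "status": 403,
               "detail": "Invalid response from http://locality.company.tld/.well-known/acme-challenge/UZ8IS80vpeIJwLg8MIitT6rd-quOsMh1P7NtYbl_vy4: \"<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>300 Multiple Choices</title>\n</head><body>\n<h1>Multiple C\""},
     "token": "UZ8IS80vpeIJwLg8MIitT6rd-quOsMh1P7NtYbl_vy4",
     "validationRecord": [{"hostname": "locality.company.tld", "port": "80",
                           "addressesResolved": ["87.128.72.128", "2001:8d8:100f:f000::2d0"],
                           "addressUsed": "2001:8d8:100f:f000::2d0"}]},
    {"type": "dns-01", "status": "pending",
     "token": "tAIlg-Fqb7VtPRIVDrq5dXYcAZ44J-Tf6BXGesKFb94"}
  ]
}'''


def diagnose_authz(authz: dict) -> list[str]:
    """Explain each invalid challenge in an ACME authz object: the error,
    which resolved address the CA used, and whether it got a web page back."""
    findings = []
    host = authz["identifier"]["value"]
    for ch in authz.get("challenges", []):
        if ch.get("status") != "invalid":
            continue
        err = ch.get("error", {})
        findings.append(f"{ch['type']} for {host} failed: {err.get('type')} "
                        f"(HTTP {err.get('status')})")
        for rec in ch.get("validationRecord", []):
            used = ipaddress.ip_address(rec["addressUsed"])
            resolved = [ipaddress.ip_address(a) for a in rec["addressesResolved"]]
            # The CA picks one address family; a port forward that only
            # exists for the other family is never exercised.
            unused = [str(a) for a in resolved if a.version != used.version]
            if unused:
                findings.append(f"validator connected to IPv{used.version} {used}; "
                                f"resolved but not used: {', '.join(unused)}")
        # "detail" quotes the start of the fetched body; a <title> means some
        # HTTP server answered, just not with the key authorization.
        title = re.search(r"<title>(.*?)</title>", err.get("detail", ""), re.S)
        if title:
            findings.append(f"challenge URL answered with a web page "
                            f"('{title.group(1)}'), not the key authorization")
    return findings


def diagnose_log_sample() -> list[str]:
    """Run the check on the embedded sample from the log above."""
    return diagnose_authz(json.loads(AUTHZ_JSON))
```

The same function works on the authorization JSON certbot writes to its debug log for any domain; a validationRecord whose addressUsed is in the address family you did not forward is the first thing to compare against the router configuration.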