openmediavault-letsencrypt

  • Hey not sure how much of tech support is going on here, but here it goes.


    It seems like the plugin is morphing the private key when it is copying it to the new location under /etc/ssl/private/openmediavault-[numbercode].key.


    The new private key does not match the one in /etc/letsencrypt/live/(name)/privkey.pem.


    Anyone experience this?

    • Official post

    Anyone experience this?

    It doesn't "morph" it. When the plugin creates the cert in the ssl section of OMV, it works but when renewing a cert, OMV doesn't update the private key because it already exists. This was fixed in OMV 4.x. I just haven't come up with a workaround for OMV 3.x other than deleting the cert in the OMV Cert SSL tab and creating new.

    omv 7.0.4-2 sandworm | 64 bit | 6.5 proxmox kernel

    plugins :: omvextrasorg 7.0 | kvm 7.0.10 | compose 7.1.2 | k8s 7.0-6 | cputemp 7.0 | mergerfs 7.0.3


    omv-extras.org plugins source code and issue tracker - github


    Please try ctrl-shift-R and read this before posting a question.

    Please put your OMV system details in your signature.
    Please don't PM for support... Too many PMs!

  • Hi there


    If anyone can support my earlier request that would be great, copied again below



    I have OMV v.4 (latest version installed) and the latest Letsencrypt plugin. When I generate a certificate in the plugin since moving to OMV v.4 it never shows up in my certificates tab of the GUI. Also, in the notes to the Letsencrypt plugin it says OMV configuration "should be applied" after set up but the "apply configuration" never appears after certificate generation or renewal. Any help would be appreciated.


    Thanks

    • Official post

    I have OMV v.4 (latest version installed) and the latest Letsencrypt plugin. When I generate a certificate in the plugin since moving to OMV v.4 it never shows up in my certificates tab of the GUI. Also, in the notes to the Letsencrypt plugin it says OMV configuration "should be applied" after set up but the "apply configuration" never appears after certificate generation or renewal. Any help would be appreciated.

    Something is configured wrong. Did you try purging the plugin and reinstalling?


  • It doesn't "morph" it. When the plugin creates the cert in the ssl section of OMV, it works but when renewing a cert, OMV doesn't update the private key because it already exists. This was fixed in OMV 4.x. I just haven't come up with a workaround for OMV 3.x other than deleting the cert in the OMV Cert SSL tab and creating new.

    Is OMV 4 stable enough to upgrade to or would it be advisable to hold off on it for now? I know OMV 3 was considered stable before it was released and I'm wondering if the same holds true for OMV 4.

    • Official post

    Is OMV 4 stable enough to upgrade to or would it be advisable to hold off on it for now? I know OMV 3 was considered stable before it was released and I'm wondering if the same holds true for OMV 4.

    I think it is but it depends on the plugins you use.


    • Official post

    Any other ideas?

    Not without seeing the settings you are using.


  • I had challenge issues with LE after setting up my server. I use OMV4, Nextcloud 13, LE 3.4.5.
    I got the following error:



    Actually I got LE to work. This was my way:
    1) changed OMV default port from 80 to other
    2) changed Nextcloud port to 80
    3) placed an empty test.txt to nextcloud/.well-known
    4) opened all ports on my Fritzbox (exposed host) for my server
    5) run LE
    6) closed the ports on my Fritzbox
    7) changed NC port back to 90, OMV to 80



    Today I am happy, however I think this was not the best solution. Is there a way to keep the OMV and NC ports unchanged?

  • LE needs port 80 to be open and point to your webroot. So use OMV-GUI on a different port (e.g. 8080) and point port 443 (ssl) and 80 to your NC with LE.

    Chaos is found in greatest abundance wherever order is being sought.
    It always defeats order, because it is better organized.
    Terry Pratchett

    • Official post

    Before anyone asks, I will try to get the plugin working with the free wildcard cert as soon as I can.


  • So I got the same problem, like a few people before. But until now I didn't fix it.
    OMV3 and I wanted to renew my cert.
    It said it is not ready to be renewed. I deleted the cert and uninstalled letsencrypt.
    Then I lost my nginx and I'm not able to access the webpanel.


    I removed the certs in /etc/ssl. The one in private and the one in certs : openmediavault-xxxx-xxxx


    But I still have problems getting nginx back running:

    Code
    ERROR: Failed to execute command 'export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin; export LANG=C; nginx -t 2>&1' with exit code '1': nginx: [emerg] BIO_new_file("/etc/ssl/certs/openmediavault-7611bd81-d921-427d-9e58-0e7d5e14b57a.crt") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/ssl/certs/openmediavault-7611bd81-d921-427d-9e58-0e7d5e14b57a.crt','r') error:2006D080:BIO routines:BIO_new_file:no such file)
    nginx: configuration file /etc/nginx/nginx.conf test failed


    I tried omv-mkconf nginx and omv-firstaid. But both fail to restore my nginx.
    Why is it still trying to use ssl? There must be a process that wants to use it. I thought I disabled all.
    Or maybe the reverse proxy is still active?


    Any help would be nice!

  • @ryecoaaron I'm looking forward to this update! It's perfect functionality, wished by most of us!


    @phanter I'm not sure where you configured SSL to OMV web interface. But looking at your error you should look in
    /etc/nginx/nginx.conf
    for SSL block for OMV web-ui and remove it.
    Do it from SSH (install nano)


    There is a block (standard settings 'coz I use SSL only for external access and configured it via proxy-pass):
    ##
    # SSL Settings
    ##


    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;


    If you have some additional rows there, delete them and restore default (upper)
    I'm also not 100% sure if this is the only place where you can search for SSL config for OMV web-ui
    @ryecoaaron could you advise?


    If you will need more help ask me.


    EDIT:
    If you play with certificates always remember to remove them from all used places before deleting - this will prevent future issues!

    Debian 8.6 Jessie + OMV 3.0.latest Kernel: Linux 4.8.0-0.bpo.2-amd64
    Processor: Intel Core 2 Duo E8400@3GHz
    Memory: 4GB RAM
    OS-HDD: Samsung SSD 120 GB +LVM


    Full media and download center configured.


    BIG and special thanks for OMV-Extras team for great plug-ins (especially: TeamSpeak, VirtualBox, Sonarr, Radarr, and rest I use :))


    ------------------------------


    Wise guy don't know everything, he can search or ask!
    Don't ask me via PM!

    Edited once, last by kawu2 ()

  • I also have a problem to get the LetsEncrypt Certificate to my server.


    I always get the following message:


    Tried all solutions I can find here in the forum, but it seems something is missing :(
    The server is (temporarily) an exposed host, so all ports are directly reachable from the Internet. I can also reach the web interface from the Internet without problems through xxxxx.hd80.de

  • Hey vcdwelt,
    It is probably (99%) a permissions problem. Eventually you pointed to the wrong path to webroot.
    If the acme challenge fails you have to check permissions.
    IDK how you build your wwwroot (for me, to avoid problems, each website I host has a separate shared folder created via OMV web-ui with permissions for www-data user and group full access and rest full access also)
    The challenge creates new folders and files in the webroot directory, so it also needs permissions :)


  • Checked the permission and gave 777 to the .well-known subdirectory.
    It seems it could write to it, because it will create a directory called "acme-challenge" inside it.



    drwxrwxrwx 2 www-data www-data 4096 Mär 16 17:04 .well-known
    root@omv:/var/www/openmediavault/.well-known# ll
    insgesamt 4
    drwxr-xr-x 2 openmediavault-webgui openmediavault-webgui 4096 Mär 16 17:04 acme-challenge
    root@omv:/var/www/openmediavault/.well-known#


    But I'm far away from a linux expert :(


  • Thanks for the hint. But sadly it is still default. There must be another entry in the system, where ssl is configured...


    EDIT: I solved it :) There was still an entry in the sites-enabled folder, with my domain. After deleting it, I could start nginx. I created a new ssl cert. But I can choose the old one. There has to be a configuration, where it is still there. I will look for it.
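
The leftover reference described in the posts above (an nginx site file still naming a deleted certificate, which makes `nginx -t` fail) can be found mechanically. The script below is an added example, not part of any post or of the plugin; the function names and the demo tree are constructed, and it assumes the nginx configuration directory is passed as the only argument.

```shell
#!/bin/sh
# Added example (not from the thread): report nginx ssl_certificate* directives
# that point at files which no longer exist.

# $1 = nginx configuration directory (assumption: /etc/nginx on the real box).
# Prints "file:line: directive path" per missing target; returns 1 if any, else 0.
find_dangling_certs() {
    root=$1
    found=$(
        # -R follows the sites-enabled symlinks; commented-out lines do not match.
        grep -RnE '^[[:space:]]*ssl_(certificate|certificate_key)[[:space:]]+[^;]+;' "$root" 2>/dev/null |
        while IFS= read -r hit; do
            file=${hit%%:*}; rest=${hit#*:}
            line=${rest%%:*}; text=${rest#*:}
            set -f; set -- $text; set +f      # $1 = directive, $2 = "path;"
            path=${2%;}
            case $path in /*) ;; *) path=$root/$path ;; esac   # relative to config dir
            [ -e "$path" ] || printf '%s:%s: %s %s\n' "$file" "$line" "$1" "$path"
        done
    )
    if [ -z "$found" ]; then return 0; fi
    printf '%s\n' "$found"
    return 1
}

# Constructed config tree: one healthy site, one left over after its cert was deleted.
demo() {
    d=$(mktemp -d) || return 2
    mkdir -p "$d/sites-enabled" "$d/certs"
    : > "$d/certs/present.crt"
    printf 'server {\n  ssl_certificate %s;\n  # ssl_certificate /gone/commented.crt;\n}\n' \
        "$d/certs/present.crt" > "$d/sites-enabled/ok"
    printf 'server {\n  ssl_certificate %s;\n  ssl_certificate_key %s;\n}\n' \
        "$d/certs/openmediavault-EXAMPLE.crt" "$d/private/openmediavault-EXAMPLE.key" \
        > "$d/sites-enabled/leftover"
    rc=0; find_dangling_certs "$d" || rc=$?
    rm -rf "$d"
    echo "exit status: $rc"
}

if [ "$#" -eq 1 ]; then find_dangling_certs "$1"; else demo; fi
```

Run without arguments it exercises the constructed tree; run with a directory it lists every site file that would make the nginx configuration test fail for a missing certificate or key.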

  • Hi @ryecoaaron,


    just to make this clear - you say the problem that I posted in #431 about 3 months ago is fixed in OMV4 by now but not in OMV3 (yet)? Correct?


    Because I still have this problem that my private key does not get renewed during certificate update which gives an error (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch).


    My current certificates will finally expire in about one week so I am curious: Will there be a permanent fix for version 3 as well or do I need to plan for V4?


    At the moment you still recommend deleting the certificate in OMV cert tab and then renewing?


    thx, Gerald

    • Official post

    Yep. Volker fixed it in core OMV for 4.x but not 3.x I guess because I didn't send him a pull request explicitly fixing it. It isn't really a bug for OMV. It is just an issue for letsencrypt. So, I was going to try to fix it in the plugin but have had time. Deleting the cert or manually copying the private cert to the OMV location will fix the "problem".

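
The "key values mismatch" condition discussed in this thread (a renewed certificate served with the private key from before the renewal) can be confirmed before nginx is restarted by comparing the public key inside the certificate with the one derived from the key file. The script below is an added example, not code from the plugin or from any poster; the function names are hypothetical, the demo key material is generated on the fly, and it assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example (not from the thread): check that a certificate and a private key
# contain the same public key, i.e. that nginx will not report "key values mismatch".

# $1 = cert|key, $2 = PEM file. Prints a SHA-256 of the public key, returns 2 on error.
pubkey_hash() {
    case $1 in
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2 ;;
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2 ;;
        *)    return 2 ;;
    esac
    [ -n "$pem" ] || return 2      # never hash empty output: two failures would "match"
    printf '%s\n' "$pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# $1 = certificate, $2 = private key. Returns 0 match, 1 mismatch, 2 unreadable input.
check_pair() {
    c=$(pubkey_hash cert "$1") || { echo "unreadable certificate: $1"; return 2; }
    k=$(pubkey_hash key "$2") || { echo "unreadable private key: $2"; return 2; }
    if [ "$c" = "$k" ]; then echo "match: $2 belongs to $1"; return 0; fi
    echo "MISMATCH: $2 does not belong to $1"
    return 1
}

# Constructed demo: a certificate issued for key "old" is compared with "old" and
# with a freshly generated key "new" (a renewal where only one file was replaced).
demo() {
    d=$(mktemp -d) || return 2
    openssl genrsa -out "$d/old.key" 2048 2>/dev/null
    openssl genrsa -out "$d/new.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$d/old.key" -subj "/CN=example.invalid" \
        -days 1 -out "$d/old.crt" 2>/dev/null
    same=0; check_pair "$d/old.crt" "$d/old.key" || same=$?
    diff=0; check_pair "$d/old.crt" "$d/new.key" || diff=$?
    junk=0; check_pair "$d/old.crt" /dev/null || junk=$?
    rm -rf "$d"
    echo "results: $same $diff $junk"
}

if [ "$#" -eq 2 ]; then check_pair "$1" "$2"; else demo; fi
```

On a system like the ones in this thread the two arguments would be the openmediavault-….crt file under /etc/ssl/certs/ and the matching openmediavault-….key file under /etc/ssl/private/.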

  • Short question: Is it possible to generate a certificate without webroot? I would like to use different certificates for docker/nginx reverse.

    OMV3.X
    Intel i5-4590 / 8GB DDR3 / 30GB SSD OS / 3 x 4TB WD RED / Fractal Design Node 304 white
