openmediavault-letsencrypt

    • OMV 3.x


    • Hey not sure how much of tech support is going on here, but here it goes.

      It seems like the plugin is morphing the private key when it is copying it to the new location under /etc/ssl/private/openmediavault-[numbercode].key.

      The new private key does not match the one in /etc/letsencrypt/live/(name)/privkey.pem.

      Anyone experience this?
    • Hwaiting wrote:

      Anyone experience this?
      It doesn't "morph" it. When the plugin creates the cert in the ssl section of OMV, it works but when renewing a cert, OMV doesn't update the private key because it already exists. This was fixed in OMV 4.x. I just haven't come up with a workaround for OMV 3.x other than deleting the cert in the OMV Cert SSL tab and creating new.
      omv 4.1.11 arrakis | 64 bit | 4.15 proxmox kernel | omvextrasorg 4.1.11
      omv-extras.org plugins source code and issue tracker - github

      Please read this before posting a question and this and this for docker questions.
      Please don't PM for support... Too many PMs!
    • Hi there

      If anyone can support my earlier request that would be great, copied again below


      I have OMV v.4 (latest version installed) and the latest Letsencrypt plugin. When I generate a certificate in the plugin since moving to OMV v.4 it never shows up in my certificates tab of the GUI. Also, in the notes to the Letsencrypt plugin it says OMV configuration "should be applied" after set up but the "apply configuration" never appears after certificate generation or renewal. Any help would be appreciated.

      Thanks
    • newbie7800 wrote:

      I have OMV v.4 (latest version installed) and the latest Letsencrypt plugin. When I generate a certificate in the plugin since moving to OMV v.4 it never shows up in my certificates tab of the GUI. Also, in the notes to the Letsencrypt plugin it says OMV configuration "should be applied" after set up but the "apply configuration" never appears after certificate generation or renewal. Any help would be appreciated.
      Something is configured wrong. Did you try purging the plugin and reinstalling?
    • ryecoaaron wrote:

      Hwaiting wrote:

      Anyone experience this?
      It doesn't "morph" it. When the plugin creates the cert in the ssl section of OMV, it works but when renewing a cert, OMV doesn't update the private key because it already exists. This was fixed in OMV 4.x. I just haven't come up with a workaround for OMV 3.x other than deleting the cert in the OMV Cert SSL tab and creating new.
      Is OMV 4 stable enough to upgrade to or would it be advisable to hold off on it for now? I know OMV 3 was considered stable before it was released and I'm wondering if the same holds true for OMV 4.
    • David B wrote:

      Is OMV 4 stable enough to upgrade to or would it be advisable to hold off on it for now? I know OMV 3 was considered stable before it was released and I'm wondering if the same holds true for OMV 4.
      I think it is but it depends on the plugins you use.
    • newbie7800 wrote:

      Any other ideas?
      Not without seeing the settings you are using.
    • I had challenge issues with LE after setting up my server. I use OMV4, Nextcloud 13, LE 3.4.5.
      I got the following error:

      Command: export
      PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin;
      export LANG=C; /usr/bin/certbot certonly --non-interactive
      --rsa-key-size 2048 --text --keep-until-expiring --agree-tos
      --allow-subset-of-names --cert-name xyz_server_name --email xyz@my.de
      --webroot -w /sharedfolders/nextcloud -d xyz.org 2>&1


      Saving debug log to /var/log/letsencrypt/letsencrypt.log
      Obtaining a new certificate
      Performing the following challenges:
      http-01 challenge for xyz.org
      Using the webroot path /sharedfolders/nextcloud for all unmatched domains.
      Waiting for verification...
      Challenge failed for domain xyz.org
      Cleaning up challenges
      Challenges failed for all domains
      Done...


      Actually I got LE to work. This was my way:
      1) changed OMV default port from 80 to other
      2) changed Nextcloud port to 80
      3) placed an empty test.txt to nextcloud/.well-known
      4) opened all ports on my Fritzbox (exposed host) for my server
      5) run LE
      6) closed the ports on my Fritzbox
      7) changed NC port back to 90, OMV to 80


      Today I am happy, however I think this was not the best solution. Is there a way to keep the OMV and NC ports unchanged?
    • Before anyone asks, I will try to get the plugin working with the free wildcard cert as soon as I can.
    • So I got the same problem, like a few people before. But until now I didn't fix it.
      OMV3 and I wanted to renew my cert.
      It said it is not ready to be renewed. I deleted the cert and uninstalled letsencrypt.
      Then I lost my nginx and I'm not able to access the webpanel.

      I removed the certs in /etc/ssl. The one in private and the one in certs : openmediavault-xxxx-xxxx

      But I still have problems getting nginx back running:

      ERROR: Failed to execute command 'export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin; export LANG=C; nginx -t 2>&1' with exit code '1': nginx: [emerg] BIO_new_file("/etc/ssl/certs/openmediavault-7611bd81-d921-427d-9e58-0e7d5e14b57a.crt") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/ssl/certs/openmediavault-7611bd81-d921-427d-9e58-0e7d5e14b57a.crt','r') error:2006D080:BIO routines:BIO_new_file:no such file)
      nginx: configuration file /etc/nginx/nginx.conf test failed

      I tried omv-mkconf nginx and omv-firstaid. But both fail to restore my nginx.
      Why is it still trying to use SSL? There must be a process that wants to use it. I thought I disabled all.
      Or maybe the reverse proxy is still active?

      Any help would be nice!
    • @ryecoaaron I'm looking forward for this update! It's perfect functionality, wished by most of us!

      @phanter I'm not sure where you configured SSL to OMV web interface. But looking at your error you should look in
      /etc/nginx/nginx.conf
      for SSL block for OMV web-ui and remove it.
      Do it from SSH (install nano)

      There is a block (standard settings 'coz I use SSL only for external access and configured it via proxy-pass):
      ##
      # SSL Settings
      ##

      ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
      ssl_prefer_server_ciphers on;

      If you have some additional rows there, delete them and restore the default (above)
      I'm also not 100% sure if this is the only place where you can search for SSL config for OMV web-ui
      @ryecoaaron could you advise?

      If you will need more help ask me.

      EDIT:
      If you play with certificates always remember to remove them from all used places before deleting - this will prevent future issues!
      Debian 8.6 Jessie + OMV 3.0.latest Kernel: Linux 4.8.0-0.bpo.2-amd64
      Processor: Intel Core 2 Duo E8400@3GHz
      Memory: 4GB RAM
      OS-HDD: Samsung SSD 120 GB +LVM

      Full media and download center configured.

      BIG and special thanks for OMV-Extras team for great plug-ins (especially: TeamSpeak, VirtualBox, Sonarr, Radarr, and rest I use :))

      ------------------------------

      Wise guy don't know everything, he can search or ask!
      Don't ask me via PM!

      The post was edited 1 time, last by kawu2 ().

    • I also have a problem to get the LetsEncrypt Certificate to my server.

      I get always the following Message:

      Command: export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin; export LANG=C; /usr/bin/certbot certonly --non-interactive --rsa-key-size 2048 --text --keep-until-expiring --agree-tos --allow-subset-of-names --cert-name heiko --email heiko.xxxxxx@xxxxx.com --webroot -w /var/www/openmediavault/ -d xxxxx.hd80.de 2>&1
      Saving debug log to /var/log/letsencrypt/letsencrypt.log
      Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
      Obtaining a new certificate
      Performing the following challenges:
      http-01 challenge for xxxxx.hd80.de
      Using the webroot path /var/www/openmediavault for all unmatched domains.
      Waiting for verification...
      Challenge failed for domain xxxxx.hd80.de
      Cleaning up challenges
      Challenges failed for all domains
      Fertig...



      Tried all solutions I can find here in the forum, but it seems something is missing :(
      The server is (temporarily) an exposed host, so all ports are directly reachable from the Internet. I can also reach the web interface from the Internet without problems through xxxxx.hd80.de
    • Hey vcdwelt,
      It is probably (99%) a permissions problem. Alternatively you pointed to the wrong webroot path.
      If the acme challenge fails you have to check permissions.
      IDK how you built your wwwroot (for me, to avoid problems, each website I host has a separate shared folder created via OMV web-ui with full access permissions for the www-data user and group, and full access for the rest as well)
      The challenge creates new folders and files in the webroot directory, so it also needs permissions :)
    • Checked the permission and gave 777 to the .well-known subdirectory.
      It seems it could write to it, because it will create a directory called "acme-challenge" inside it.


      drwxrwxrwx 2 www-data www-data 4096 Mär 16 17:04 .well-known
      root@omv:/var/www/openmediavault/.well-known# ll
      insgesamt 4
      drwxr-xr-x 2 openmediavault-webgui openmediavault-webgui 4096 Mär 16 17:04 acme-challenge
      root@omv:/var/www/openmediavault/.well-known#

      But I'm far from a Linux expert :(
    • kawu2 wrote:

      @ryecoaaron I'm looking forward for this update! It's perfect functionality, wished by most of us!

      @phanter I'm not sure where you configured SSL to OMV web interface. But looking at your error you should look in
      /etc/nginx/nginx.conf
      for SSL block for OMV web-ui and remove it.
      Do it from SSH (install nano)

      There is a block (standard settings 'coz I use SSL only for external access and configured it via proxy-pass):
      ##
      # SSL Settings
      ##

      ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
      ssl_prefer_server_ciphers on;

      If you have some additional rows there, delete them and restore the default (above)
      I'm also not 100% sure if this is the only place where you can search for SSL config for OMV web-ui
      @ryecoaaron could you advise?

      If you will need more help ask me.

      EDIT:
      If you play with certificates always remember to remove them from all used places before deleting - this will prevent future issues!

      Thanks for the hint. But sadly it is still default. There must be another entry in the system, where SSL is configured...

      EDIT: I solved it :) There was still an entry in the sites-enabled folder, with my domain. After deleting it, I could start nginx. I created a new SSL cert. But I can choose the old one. There has to be a configuration, where it is still there. I will look for it.

      The post was edited 1 time, last by phanter ().
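
A leftover site file that still points at a deleted certificate, as in the nginx error above, can be located by scanning the whole nginx config tree rather than nginx.conf alone. This is an added example, not part of the original posts or of OMV; the function name is hypothetical and the default root /etc/nginx is an assumption.

```shell
#!/bin/sh
# Added example: report ssl_certificate / ssl_certificate_key directives under
# an nginx config tree whose target file no longer exists on disk.

find_dangling_certs() {
    conf_root=${1:-/etc/nginx}   # assumed default location of the config tree
    # -R also follows the symlinks usually found in sites-enabled.
    # The anchored pattern skips commented-out directives.
    grep -RnE '^[[:space:]]*ssl_certificate(_key)?[[:space:]]' "$conf_root" 2>/dev/null |
    while IFS= read -r hit; do
        # hit looks like: <file>:<line>:    ssl_certificate /path/to/file.crt;
        loc=$(printf '%s\n' "$hit" | cut -d: -f1,2)
        directive=${hit#*:*:}
        path=$(printf '%s\n' "$directive" | awk '{print $2}' | tr -d "';\"")
        # Treat relative paths as relative to the config root.
        case $path in
            /*) ;;
            *) path=$conf_root/$path ;;
        esac
        [ -e "$path" ] || printf '%s -> missing %s\n' "$loc" "$path"
    done
}

# Run against the live config only when called with an argument, e.g.:
#   sh find-dangling-certs.sh /etc/nginx
if [ "$#" -ge 1 ]; then
    find_dangling_certs "$1"
fi
```

Each reported line names the file and line number to fix or remove before running nginx -t again.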

    • Hi @ryecoaaron,

      just to make this clear - you say the problem that I posted in #431 about 3 months ago is fixed in OMV4 by now but not in OMV3 (yet)? Correct?

      Because I still have this problem that my private key does not get renewed during certificate update which gives an error (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch).

      My current certificates will finally expire in about one week so I am curious: Will there be a permanent fix for version 3 as well or do I need to plan for V4?

      At the moment you still recommend deleting the certificate in OMV cert tab and then renewing?

      thx, Gerald
    • Gerald wrote:

      just to make this clear - you say the problem that I posted in #431 about 3 months ago is fixed in OMV4 by now but not in OMV3 (yet)? Correct?

      Because I still have this problem that my private key does not get renewed during certificate update which gives an error (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch).

      My current certificates will finally expire in about one week so I am curious: Will there be a permanent fix for version 3 as well or do I need to plan for V4?

      At the moment you still recommend deleting the certificate in OMV cert tab and then renewing?
      Yep. Volker fixed it in core OMV for 4.x but not 3.x I guess because I didn't send him a pull request explicitly fixing it. It isn't really a bug for OMV. It is just an issue for letsencrypt. So, I was going to try to fix it in the plugin but have had time. Deleting the cert or manually copying the private cert to the OMV location will fix the "problem".
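
The stale-key condition discussed in this thread (a renewed certificate paired with the old private key, producing "key values mismatch") can be confirmed before nginx is restarted by comparing public keys. This is an added example, not part of the original posts or the plugin's code; the function names are hypothetical, and the paths in the usage comment use placeholders for the certificate name and the OMV UUID.

```shell
#!/bin/sh
# Added example: check whether the private key OMV holds still belongs to the
# certificate, or whether only the Let's Encrypt copy does (stale OMV copy).

pubkey_of_key()  { openssl pkey -in "$1" -pubout 2>/dev/null; }
pubkey_of_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Returns 0 on match, 1 on mismatch, 2 if either file cannot be parsed.
key_matches_cert() {
    key_pub=$(pubkey_of_key "$1") || return 2
    cert_pub=$(pubkey_of_cert "$2") || return 2
    [ -n "$key_pub" ] && [ -n "$cert_pub" ] || return 2
    [ "$key_pub" = "$cert_pub" ]
}

# Returns 0 if the OMV key is current, 1 if it is stale, 2 otherwise.
check_omv_copy() {
    crt=$1; omv_key=$2; le_key=$3
    if key_matches_cert "$omv_key" "$crt"; then
        echo "OK: OMV key matches the certificate"
        return 0
    fi
    if key_matches_cert "$le_key" "$crt"; then
        echo "STALE: OMV key is outdated; the Let's Encrypt privkey.pem matches"
        return 1
    fi
    echo "MISMATCH: neither key matches the certificate"
    return 2
}

# Usage (placeholders, run as root because the key files are not world-readable):
#   sh check-omv-key.sh /etc/ssl/certs/openmediavault-<uuid>.crt \
#       /etc/ssl/private/openmediavault-<uuid>.key \
#       /etc/letsencrypt/live/<name>/privkey.pem
if [ "$#" -eq 3 ]; then
    check_omv_copy "$1" "$2" "$3"
fi
```

A STALE result corresponds to the case where copying the private key to the OMV location, or deleting and recreating the certificate entry, is the applicable workaround from the thread.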