openmediavault-letsencrypt

    • OMV 3.x
    • Hello,

      thanks for this plugin!
      If I understand correctly, it requires port 80 to be open to the internet and also the OMV web interface to listen on port 80. I am not so comfortable with that.

      What I am currently doing manually is to open port 80 in my router via upnpc only when needed:

      Source Code

      upnpc -r 80 TCP #> /dev/null 2>&1
      sleep 20
      letsencrypt certonly --standalone
      upnpc -d 80 TCP # > /dev/null 2>&1
      Wouldn't it be good to add this option to the plugin?

      Greetings,
      Hendrik
    • henfri wrote:

      If I understand correctly, it requires port 80 to be open to the internet and also the OMV web interface to listen on port 80. I am not so comfortable with that.
      It does require port 80 to be open with a listening web server but the OMV web interface does not need to be listening on that port (maybe it does if the web interface is listed in the Domains tab).

      henfri wrote:

      Wouldn't it be good to add this option to the plugin?
      If you turn off upnp on your router, does upnpc return a non-zero error code when trying to open or close the port?
      omv 4.1.13 arrakis | 64 bit | 4.15 proxmox kernel | omvextrasorg 4.1.13
      omv-extras.org plugins source code and issue tracker - github

      Please read this before posting a question and this and this for docker questions.
      Please don't PM for support... Too many PMs!
    • Hello,

      So if I set the OMV web interface port to something other than 80 it will not work by default, but I need to configure nginx (or another web server) to listen on port 80...

      Regarding the return code:

      Source Code

      root@homeserver:/etc/letsencrypt# upnpc -r 80 TCP
      upnpc : miniupnpc library test client. (c) 2005-2014 Thomas Bernard
      Go to http://miniupnp.free.fr/ or http://miniupnp.tuxfamily.org/
      for more information.
      List of UPNP devices found on the network :
      desc: http://192.168.177.1:49000/igddesc.xml
      st: urn:schemas-upnp-org:device:InternetGatewayDevice:1
      Found valid IGD : http://192.168.177.1:49000/igdupnp/control/WANIPConn1
      Local LAN ip address : 192.168.177.3
      InternalIP:Port = 192.168.177.3:80
      external 188.108.26.52:80 TCP is redirected to internal 192.168.177.3:80 (duration=0)
      This opened the port.

      Source Code

      root@homeserver:/etc/letsencrypt# upnpc -d 80 TCP
      upnpc : miniupnpc library test client. (c) 2005-2014 Thomas Bernard
      Go to http://miniupnp.free.fr/ or http://miniupnp.tuxfamily.org/
      for more information.
      List of UPNP devices found on the network :
      desc: http://192.168.177.1:49000/igddesc.xml
      st: urn:schemas-upnp-org:device:InternetGatewayDevice:1
      Found valid IGD : http://192.168.177.1:49000/igdupnp/control/WANIPConn1
      Local LAN ip address : 192.168.177.3
      UPNP_DeletePortMapping() returned : 0
      root@homeserver:/etc/letsencrypt# echo $?
      0
      This closed the port. Exit code is 0.

      Let's close the port again. This will fail.

      Source Code

      root@homeserver:/etc/letsencrypt# upnpc -d 80 TCP
      upnpc : miniupnpc library test client. (c) 2005-2014 Thomas Bernard
      Go to http://miniupnp.free.fr/ or http://miniupnp.tuxfamily.org/
      for more information.
      List of UPNP devices found on the network :
      desc: http://192.168.177.1:49000/igddesc.xml
      st: urn:schemas-upnp-org:device:InternetGatewayDevice:1
      Found valid IGD : http://192.168.177.1:49000/igdupnp/control/WANIPConn1
      Local LAN ip address : 192.168.177.3
      UPNP_DeletePortMapping() returned : 714
      root@homeserver:/etc/letsencrypt# echo $?
      0
      but the exit code is 0.

      One can parse the command-line output of upnpc though (714 in this case).

      Also, upnpc will list the redirections that are active:

      Source Code

      upnpc -l
      upnpc : miniupnpc library test client. (c) 2005-2014 Thomas Bernard
      Go to http://miniupnp.free.fr/ or http://miniupnp.tuxfamily.org/
      for more information.
      List of UPNP devices found on the network :
      desc: http://192.168.177.1:49000/igddesc.xml
      st: urn:schemas-upnp-org:device:InternetGatewayDevice:1
      desc: http://192.168.177.3:8081/desc.xml
      st: urn:ses-com:device:SatIPServer:1
      Found valid IGD : http://192.168.177.1:49000/igdupnp/control/WANIPConn1
      Local LAN ip address : 192.168.177.3
      Connection Type : IP_Routed
      Status : Connected, uptime=569744s, LastConnectionError : ERROR_NONE
      Time started : Sun Sep 23 00:11:46 2018
      MaxBitRateDown : 106826000 bps (106.8 Mbps) MaxBitRateUp 37229000 bps (37.2 Mbps)
      ExternalIPAddress = x
      i protocol exPort->inAddr:inPort description remoteHost leaseTime
      0 TCP 10624->192.168.177.3:4242 'CrashPlan' '' 0
      GetGenericPortMappingEntry() returned 713 (SpecifiedArrayIndexInvalid)

      and:

      Source Code

      i protocol exPort->inAddr:inPort description remoteHost leaseTime
      0 TCP 10624->192.168.177.3:4242 'CrashPlan' '' 0
      1 TCP 80->192.168.177.3:80 'libminiupnpc' '' 0

      Greetings,
      Hendrik
    • henfri wrote:

      So if I set the OMV web interface port to something other than 80 it will not work by default, but I need to configure nginx (or another web server) to listen on port 80...
      Yes. That is the only way the plugin can get a cert since it runs in the required non-interactive mode.

      henfri wrote:

      One can parse the command-line output of upnpc though (714 in this case).
      Since the return codes seem to always be zero, someone else will have to implement the code. I'm not a fan of parsing output and it could be in different languages (parsing for a small number is unreliable). Plus, I have no way to test. The cronjob that the plugin creates could be edited to add the upnpc commands. I would think in your case, it would be easier to open port 80 on your router and forward it to the nginx plugin running an empty site on a different port. Then you wouldn't have to move the OMV web interface from port 80.
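    • An added example, not code from the plugin or from any post above: a POSIX shell wrapper around the open / certbot / close sequence Hendrik posted, suitable for the cron job the plugin creates. Because the Debian-packaged upnpc exits 0 even when the gateway rejects the request, it does not trust the exit code; it parses the "returned : N" and "is redirected to internal" lines shown in the output above, and it always removes the mapping again after certbot has run, including when the script is interrupted. The "failed with code N" pattern for a rejected -r is an assumption about miniupnpc's AddPortMapping error message, the certbot flags and the DOMAIN argument are assumptions, and the 20-second wait is taken from the original script.

```sh
# Added example: expose TCP/80 on the UPnP gateway only while certbot runs.
# Not part of openmediavault-letsencrypt.

# upnpc_result: read upnpc output on stdin and print the gateway's result code.
# Prints 0 for a successful add ("... is redirected to internal ...") or delete
# ("UPNP_DeletePortMapping() returned : 0") and the UPnP error code otherwise
# (e.g. 714 NoSuchEntryInArray, as in the thread). Exit status: 0 on success,
# 1 on a gateway error, 2 if the output matched nothing we recognise.
upnpc_result() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q ' is redirected to internal '; then
        echo 0
        return 0
    fi
    # "returned : N" is what -d prints; "failed with code N" is assumed to be
    # what a rejected -r prints (miniupnpc's AddPortMapping error message).
    code=$(printf '%s\n' "$out" \
        | sed -n -e 's/.*returned : \([0-9][0-9]*\).*/\1/p' \
                 -e 's/.*failed with code \([0-9][0-9]*\).*/\1/p' \
        | tail -n 1)
    if [ -z "$code" ]; then
        echo unknown
        return 2
    fi
    echo "$code"
    [ "$code" -eq 0 ]
}

# open_port / close_port PORT: wrap upnpc so the caller gets a real status.
open_port()  { upnpc -r "$1" TCP 2>&1 | upnpc_result; }
close_port() { upnpc -d "$1" TCP 2>&1 | upnpc_result; }

# renew_cert_via_upnp DOMAIN: map port 80, run certbot in standalone mode,
# then remove the mapping again whatever certbot did. The certbot flags are
# an assumption; the original post used "letsencrypt certonly --standalone".
renew_cert_via_upnp() {
    domain=$1
    code=$(open_port 80) || {
        echo "gateway refused to map port 80 (code $code)" >&2
        return 1
    }
    # Close the mapping even if we are interrupted while certbot is running.
    trap 'close_port 80 >/dev/null; exit 130' INT TERM
    sleep 20   # give the router time to apply the mapping (from the original script)
    certbot certonly --standalone --non-interactive --agree-tos -d "$domain"
    rc=$?
    trap - INT TERM
    if ! code=$(close_port 80); then
        echo "WARNING: port 80 may still be open on the gateway (code $code); check with: upnpc -l" >&2
    fi
    return $rc
}
```

      Usage from cron would be `renew_cert_via_upnp nas.example.org` (domain assumed); the mapping is only present between the open and the close, and a failed close is reported loudly rather than silently, since a mapping that stays behind is exactly the exposure the manual procedure tries to avoid.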
    • Hello,

      I understand. I am not just thinking about a use case for myself, but also for the newbie user.
      What is the intended scenario? I think by default, the plugin will tend to make the user open the web interface to the internet.

      Your suggestion of using a different port for letsencrypt is good. So if letsencrypt would by default listen on port 79 one could ask the user to forward port 80 to 79 and everything would work. I think that forwarding port 80 to 79 is almost as easy as forwarding 80 to 80... And this redirection could always remain open.

      What do you think?

      Regarding upnpc:
      What would you do with the return code?
      I checked with the latest upnpc version (the one I get in Debian is four years old). Here I get an exit code 2 in case of the failure I provoked above and exit code 0 if everything works!


      Greetings,
      Hendrik


    • henfri wrote:

      Hello,

      I understand. I am not just thinking about a use case for myself, but also for the newbie user.
      What is the intended scenario? I think by default, the plugin will tend to make the user open the web interface to the internet.

      Your suggestion of using a different port for letsencrypt is good. So if letsencrypt would by default listen on port 79 one could ask the user to forward port 80 to 79 and everything would work. I think that forwarding port 80 to 79 is almost as easy as forwarding 80 to 80... And this redirection could always remain open.

      What do you think?

      Regarding upnpc:
      What would you do with the return code?
      I checked with the latest upnpc version (the one I get in Debian is four years old). Here I get an exit code 2 in case of the failure I provoked above and exit code 0 if everything works!
      To avoid these problems I use Docker and the letsencrypt docker (easy to forward port 80 to 90 etc.); you can see a video of how to install it in my signature.
      OMV 4.1.11 x64 on a HP T510, 16GB CF as Boot Disk & 32GB SSD 2,5" disk for Data, 4 GB RAM, CPU VIA EDEN X2 U4200 is x64 at 1GHz

      Post: HPT510 SlimNAS ; HOWTO Install Pi-Hole ; HOWTO install MLDonkey ; HOWTO Install ZFS-Plugin ; OMV_OldGUI ; ShellinaBOX ;
      Dockers: MLDonkey ; PiHole ; weTTY
      Videos: @TechnoDadLife
    • henfri wrote:

      Thanks.
      I am a Docker fan. But I do not understand what problem Docker solves in this case?
      Letsencrypt brings its own Webserver and it's port can be configured.
      Why not do that?

      Greetings,
      Hendrik
      The problem it solves is the conflict over the http & https ports (80 & 443) that the OMV GUI uses and the letsencrypt plugin needs.


      see: Installation and Setup Videos - Beginning, Intermediate and Advanced
    • henfri wrote:

      So if letsencrypt would by default listen on port 79 one could ask the user to forward port 80 to 79 and everything would work. I think that forwarding port 80 to 79 is almost as easy as forwarding 80 to 80... And this redirection could always remain open.

      What do you think?
      You can't change the ports letsencrypt uses.

      henfri wrote:

      Any thoughts, Aaron?
      I've been at a conference all week. I think I like raulfg3's idea of using docker rather than adding upnp to the plugin (it is tough to develop things that I can't test).
    • Hey people,
      today I wanted to update OMV via the GUI (update management), which failed. I then tried to update via a shell by running omv-update, which succeeded but removed my letsencrypt plugin without asking. I also cannot reinstall it, neither via the web GUI nor via a shell:
      apt install openmediavault-letsencrypt fails because it cannot install certbot; apt install certbot fails because of python3-certbot and so on, until

      python3-requests : Depends: python3-chardet (>= 3.0.2) but 2.3.0-2 is to be installed

      I could install python3-chardet, but apparently only a wrong version!
      Is this an upstream problem or anything I can do about?

      Thanks for your help!
      Daniel
    • The following should fix it (not necessary anymore if you install omv-extras 4.1.12)
      sudo apt-get -t stretch-backports install python3-chardet

      I need to fix the pinning in omv-extras to add the new dependency. So, either run the command or wait for the omv-extras update and install just that update. Then everything else should work.

      My cert will expire on Nov 11, 2018. letsencrypt replaced it with a new one (no renewal needed, cert valid till 2019), but the nginx server still has the old cert, and under Certs in the OMV GUI the old one is still listed.

      To resolve this issue I stopped the nginx plugin, assigned a self-signed cert to my server, deleted the letsencrypt cert under OMV certs, started a new renewal (no renewal needed, cert is valid) and here you go, the new letsencrypt cert is now listed under OMV certs and can be assigned to my server.

      Why is there no automatic replacement? Bug? Feature? On purpose? I would prefer an automatic replacement.

      What about wildcards like I asked here?

      Do they only support one webroot? for example: /var/www and then subdirectories nextcloud and wordpress? But what if I want to use separate webroots?
      Chaos is found in greatest abundance wherever order is being sought.
      It always defeats order, because it is better organized.
      Terry Pratchett
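    • An added check, not from any post above and not part of the plugin: the situation riff-raff describes (certbot has a fresh certificate on disk, nginx and the OMV GUI still hand out the old one) is invisible until the old one expires. The functions below compare the SHA-256 fingerprint of what a TLS server actually presents for a name with the fingerprint of the file certbot maintains, so a stale deployment shows up as a mismatch. The /etc/letsencrypt/live/<domain>/fullchain.pem layout is certbot's default and is assumed; the host name and port in the usage line are placeholders.

```sh
# Added example: verify that the served certificate is the one certbot renewed.
# Not part of openmediavault-letsencrypt. Requires openssl.

# cert_fingerprint FILE: SHA-256 fingerprint of the first certificate in a PEM
# file, without the "SHA256 Fingerprint=" prefix openssl prints.
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/^.*=//'
}

# served_fingerprint HOST [PORT]: fingerprint of the leaf certificate the
# server presents for HOST. SNI is sent so name-based vhosts answer with the
# right certificate rather than the default one.
served_fingerprint() {
    host=$1
    port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null \
        | sed 's/^.*=//'
}

# same_cert FILE FINGERPRINT: exit 0 if the certificate in FILE has FINGERPRINT.
same_cert() {
    [ -n "$2" ] && [ "$(cert_fingerprint "$1")" = "$2" ]
}

# check_live_cert DOMAIN [PORT]: compare certbot's current certificate for
# DOMAIN (default certbot path, assumed) with what the server on DOMAIN presents.
# Exit 0 on match, 1 on mismatch, 2 if the on-disk certificate cannot be read.
check_live_cert() {
    domain=$1
    live="/etc/letsencrypt/live/$domain/fullchain.pem"
    expected=$(cert_fingerprint "$live") || return 2
    actual=$(served_fingerprint "$domain" "${2:-443}")
    if same_cert "$live" "$actual"; then
        echo "OK: $domain presents $expected"
    else
        echo "MISMATCH for $domain: on disk $expected, served ${actual:-nothing}" >&2
        echo "  (reload nginx, or reassign the certificate to the server in the OMV GUI)" >&2
        return 1
    fi
}
```

      Run as `check_live_cert nas.example.org` (placeholder name) after each renewal, for instance from a certbot deploy hook, and treat a mismatch as a failed renewal: the new certificate exists, but nothing on the network is using it yet.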
    • riff-raff wrote:

      Why is there no automatic replacement? Bug? Feature? On purpose? I would prefer an automatic replacement.
      This is a bug in the OMV 3.x plugin but the OMV 4.x plugin should replace it.

      riff-raff wrote:

      What about wildcards like I asked here?
      Wildcard certs require changing things with your dns provider. So, this would be super difficult to automate and would be very dns vendor specific.