openmediavault-letsencrypt

    • OMV 3.x
    • I have upgraded from OMV 3.x to 4.x, and Let's Encrypt used to work, but now it doesn't.

      I have tried everything 5 times: Forwarding ports, reinstalling plugin, updating everything incl. OMV-Extras, running apt clean, checking DNS-settings, asking nicely, yelling at my monitor. Nothing helps. I just get this message every time:

          Command: export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin; export LANG=C; /usr/bin/certbot certonly --non-interactive --rsa-key-size 2048 --text --keep-until-expiring --agree-tos --allow-subset-of-names --cert-name MYDOMAIN.COM-cert --email MY@MAIL.COM --webroot -w /var/www/openmediavault -d MYDOMAIN.COM 2>&1
          Saving debug log to /var/log/letsencrypt/letsencrypt.log
          Plugins selected: Authenticator webroot, Installer None
          Obtaining a new certificate
          Performing the following challenges:
          http-01 challenge for MYDOMAIN.COM
          Using the webroot path /var/www/openmediavault for all unmatched domains.
          Waiting for verification...
          Challenge failed for domain MYDOMAIN.COM
          Cleaning up challenges
          Challenges failed for all domains
          Done...

      I'm not good at using Linux, I have SSH-access but mainly use OMV WebUI.
      Any suggestions? Thank you ;)
    • Hi,

      I am on OMV 4.x, I don't have the "Test Certificate" button enabled, certbot is running fine, BUT ...

      Certificate in Tab "SSL" does NOT get renewed - it also tells me an old date in the comment: "LetsEncrypt - home.stockinger.name (20180911)"

      When I directly look into corresponding directories I see that there are new certificates in the letsencrypt directory (dated 29th of Dec), but in the OMV cert and key directory they are still from 11th of Sept.

          ls /etc/letsencrypt/live/home.stockinger.name -al
          lrwxrwxrwx 1 root root 45 Dez 29 14:26 cert.pem -> ../../archive/home.stockinger.name/cert13.pem
          lrwxrwxrwx 1 root root 46 Dez 29 14:26 chain.pem -> ../../archive/home.stockinger.name/chain13.pem
          lrwxrwxrwx 1 root root 50 Dez 29 14:26 fullchain.pem -> ../../archive/home.stockinger.name/fullchain13.pem
          lrwxrwxrwx 1 root root 48 Dez 29 14:26 privkey.pem -> ../../archive/home.stockinger.name/privkey13.pe
          ls /etc/ssl/certs/openmediavault-* -al
          -rw-r--r-- 1 root root 1826 Sep 11 14:21 /etc/ssl/certs/openmediavault-54f42090-ca0b-4565-976a-d6e42b2c1203.crt
          -rw-r--r-- 1 root root 3875 Sep 11 14:21 /etc/ssl/certs/openmediavault-7f34f58c-3f7c-4866-a209-4492770c7754.crt
          ls /etc/ssl/private/openmediavault-* -al
          -rw-r----- 1 root root 3272 Sep 11 14:21 /etc/ssl/private/openmediavault-54f42090-ca0b-4565-976a-d6e42b2c1203.key
          -rw-r----- 1 root root 1704 Sep 11 14:21 /etc/ssl/private/openmediavault-7f34f58c-3f7c-4866-a209-4492770c7754.key

      I also cannot find anything in the logs:


      letsencrypt.log



      Last lines after renewal:

      2018-12-29 14:26:05,722:DEBUG:certbot.storage:Writing new private key to /etc/letsencrypt/archive/home.stockinger.name/privkey13.pem.

      2018-12-29 14:26:05,723:DEBUG:certbot.storage:Writing certificate to /etc/letsencrypt/archive/home.stockinger.name/cert13.pem.

      2018-12-29 14:26:05,723:DEBUG:certbot.storage:Writing chain to /etc/letsencrypt/archive/home.stockinger.name/chain13.pem.

      2018-12-29 14:26:05,723:DEBUG:certbot.storage:Writing full chain to /etc/letsencrypt/archive/home.stockinger.name/fullchain13.pem.

      2018-12-29 14:26:05,749:DEBUG:certbot.storage:Writing new config /etc/letsencrypt/renewal/home.stockinger.name.conf.new.

      2018-12-29 14:26:05,795:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None

      2018-12-29 14:26:05,796:DEBUG:certbot.renewal:no renewal failures




      syslog (no trace for a call to Certificate Management at that time):



      Dec 29 14:25:53 datacenter systemd[1]: Starting Certbot...

      Dec 29 14:26:05 datacenter systemd[1]: Started Certbot.

      Dec 29 14:26:05 datacenter systemd[1]: certbot.timer: Adding 2h 21min 55.240251s random time.

      Dec 29 14:26:05 datacenter systemd[1]: certbot.timer: Adding 1h 48min 51.393595s random time.



      Here is the output for the generated key, which has a different UUID - so the old one was not replaced.
      omv-showkey letsencrypt

          <letsencrypt>
            <enable>1</enable>
            <test_cert>0</test_cert>
            <email>gerald@stockinger.name</email>
            <name>home.stockinger.name</name>
            <certuuid>7f34f58c-3f7c-4866-a209-4492770c7754</certuuid>
            <keylength>2048</keylength>
            <extraoptions/>
            <domains>
              <domain>
                <uuid>c1ceba72-82d4-436e-b8e3-25fbac4c63f4</uuid>
                <domain>home.stockinger.name,ftp.stockinger.name,share.stockinger.name</domain>
                <webroot>/media/c8529c27-fd7a-4cd9-abf6-64d26c7489c2/Applications/www/home/public</webroot>
              </domain>
            </domains>
          </letsencrypt>


      Any ideas?

      Thx, Gerald
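
The mismatch described in the post above (renewed files under /etc/letsencrypt/live, older ones under /etc/ssl/certs/openmediavault-*) can be checked mechanically. This is an added example, not part of the original post or the plugin's code; the function names and the sample PEM contents are constructed, and it assumes that an up-to-date OMV .crt starts with the same leaf certificate as fullchain.pem.

```shell
#!/bin/sh
# Added example: detect a renewed Let's Encrypt certificate that was
# never copied into OMV's certificate store.

# Print the base64 body of the first certificate block in a PEM file.
# Whitespace is stripped so different line wrapping does not matter.
leaf_body() {
    [ -r "$1" ] || return 2
    awk '
        /-----BEGIN CERTIFICATE-----/ { inside = 1; next }
        /-----END CERTIFICATE-----/   { if (inside) exit }
        inside                        { print }
    ' "$1" | tr -d ' \t\r\n'
}

# check_omv_cert LIVE_PEM OMV_CRT
# Status: 0 = same leaf, 1 = OMV copy is stale, 2 = no certificate readable.
check_omv_cert() {
    live=$(leaf_body "$1") && [ -n "$live" ] ||
        { echo "no certificate readable in $1" >&2; return 2; }
    omv=$(leaf_body "$2") && [ -n "$omv" ] ||
        { echo "no certificate readable in $2" >&2; return 2; }
    if [ "$live" = "$omv" ]; then
        echo "in sync: $2"
        return 0
    fi
    echo "STALE: $2 does not hold the leaf certificate from $1"
    return 1
}

# Write a constructed placeholder PEM (not a real certificate). The second
# block imitates the intermediate that follows the leaf in a fullchain file.
sample_pem() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' "$2" '-----END CERTIFICATE-----' \
        '-----BEGIN CERTIFICATE-----' 'SU5URVJNRURJQVRF' '-----END CERTIFICATE-----' > "$1"
}

if [ "$#" -eq 2 ]; then
    # Real use: live fullchain.pem, then the openmediavault-<certuuid>.crt file.
    check_omv_cert "$1" "$2"
else
    # Offline demo on constructed samples: the two leaves differ.
    d=$(mktemp -d)
    sample_pem "$d/fullchain.pem" 'TkVXLUxFQUY='
    sample_pem "$d/omv.crt" 'T0xELUxFQUY='
    check_omv_cert "$d/fullchain.pem" "$d/omv.crt" || true
    rm -rf "$d"
fi
```

On the host, pass /etc/letsencrypt/live/<name>/fullchain.pem and the /etc/ssl/certs/openmediavault-<certuuid>.crt file whose UUID is shown by omv-showkey letsencrypt; exit status 1 means the OMV copy was not replaced.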
    • joaquinain wrote:

      Now if I change this port to another of my like when I have to renew the certificate will I have problems?
      yes
      omv 4.1.19 arrakis | 64 bit | 4.15 proxmox kernel | omvextrasorg 4.1.15
      omv-extras.org plugins source code and issue tracker - github

      Please read this before posting a question and this and this for docker questions.
      Please don't PM for support... Too many PMs!
    • joaquinain wrote:

      I guess I need port 80 to be open to keep the certificate OK, right?
      No, you just need it open to renew the cert. If you manually open the port and renew it, you wouldn't need to keep it open all the time.
    • I have an issue with my letsencrypt: every renewal I have the problem that the cert gets renewed, but the older one is kept in use by nginx. I need to apply a self-signed one to nginx, manually delete the letsencrypt-cert in cert organisation of OMV and then try to renew the letsencrypt cert. It says that the cert is already up to date and then lists the new letsencrypt cert in OMV so that I can use it in nginx.

      Is there a way to automatically replace the cert in OMV & nginx with the new one when it gets renewed automatically?
      Chaos is found in greatest abundance wherever order is being sought.
      It always defeats order, because it is better organized.
      Terry Pratchett
    • riff-raff wrote:

      Is there a way to automatically replace the cert in OMV & nginx with the new one when it gets renewed automatically?
      The OMV 4.x version of the plugin is supposed to do this.
    • I would like to point out that I have the same problem as riff-raff and I have been using OMV 4.0 as well for some time.

      I described my problem a few posts above - maybe my explanation had too many details and was therefore confusing ...

      Result is the same: Letsencrypt gets a new certificate but OMV does not use it. Need to manually delete it in OMV Frontend and then renew.
    • I have the same problem too. When I see the certs are expired I go to the letsencrypt plugin and do a renew,
      but with the message "Cert not yet due for renewal".
      After the command was issued, I get the notice that the configuration has changed, and I need to confirm,
      like I have to do if I change any omv config. After I do that, the nginx config is reloaded with the right new cert.

      Maybe there is a problem with the automatic reload after cert renewal by the cronjob
    • I have read through this thread - all thirty-one pages and I still have a few questions. The look and functionality of this Letsencrypt plugin has changed since it first was introduced on page one. I have Nextcloud/Letsencrypt running per @TechnoDadLife video on an Odroid HC2. It's all great except when it comes time to renew my cert. Last night, after my certificate expired a couple days ago, I did a fresh install on the Letsencrypt container and received a new certification.

      In the Letsencrypt plugin GUI:
      1. Under the Domains tab should I type only the one subdomain I use on this server, or all five (from DuckDNS)? I only have Nextcloud and Plex running on the server. I know this is going to generate tons of guffaws, but what do I do with the other four? What can I make? Edit: I might add, I included all five subdomains in the certificate generated last night.
      2. Under the Domains tab is /var/www/openmediavault the correct webroot for the Nextcloud/Letsencrypt install I described above?
      3. Since I just received a new certificate by a fresh install of the letsencrypt container, when if ever should I generate or renew a certificate?
      4. Under the Settings tab what should be typed in the "Certificate Name" field?
      5. How does the System/Certificates/SSL section of OMV tie into the Letsencrypt plugin? Under the SSL tab I have the Letsencrypt certificate that just expired there and the delete button is greyed out. What do I do with that?
      If someone could please help me on these few points, I would greatly appreciate it. What would be really nice would be if someone would put together a simple "Letsencrypt Plugin Installation Guide." Thanks.
      Retired. Love to garden and mess with computers. The more I mess with both the less I know about either.
      OMV 4.1.14-1, Odroid hc2 w/ 4TB WD Blue.
    • Nefertiti wrote:

      About renewing the certificate, for sure you do not need to do a fresh install of the container just pass
      docker logs -f letsencrypt
      Not to steal away the thread (after 31 pages!) but I got that impression after I did so. I deleted the Letsencrypt folder completely as well as the container before restarting, but when I got to the end where you modify the config.php file it was already customized - ready to go; which makes me wonder why even bother with the Letsencrypt plugin for renewals if you can just run docker logs -f letsencrypt a few weeks before expiration. Just set a reminder on your calendar and you're done. Thanks for the observation.