Let's Encrypt renew problem


      Hello all,

      My Let's Encrypt plugin did not renew the certificate for my subdomain.
      I don't know why; it was working the whole time, but since March 14 my certificate has been expired, and even running the cron job manually does nothing.
      Can anyone help me? Maybe look in the plugin, is some update needed?

      Thank you in advance for support!
      Debian 8.6 Jessie + OMV 3.0.latest Kernel: Linux 4.8.0-0.bpo.2-amd64
      Processor: Intel Core 2 Duo E8400@3GHz
      Memory: 4GB RAM
      OS-HDD: Samsung SSD 120 GB +LVM

      Full media and download center configured.

      BIG and special thanks for OMV-Extras team for great plug-ins (especially: TeamSpeak, VirtualBox, Sonarr, Radarr, and rest I use :))

      ------------------------------

      Wise guy don't know everything, he can search or ask!
      Don't ask me via PM!
    • Ok, my problem was solved.

      There is nothing wrong with the plugin; I had multiple certificates generated and the wrong one was selected in the Nginx plugin.

      Now the question is:
      Where can I find the certificate files to clean them up? I need to delete 4 certs so they don't show in any dropdown menu.

      Thanks in advance for reply!
    • In the OMV WebUI go to Certificates and delete the wrong entries.
      Removing the Let's Encrypt folder doesn't remove certificates from the Certificates section of the OMV WebUI.
    • I switched from StartSSL to Letsencrypt today. Setup with Plugin worked like a charm. I created a cron for renewal.

      Do I need port 80 for renewal as well?

      I usually serve only SSL on Port 443, mapped through Router. Port 80 is used internal only for OMV WebUI.
      Chaos is found in greatest abundance wherever order is being sought.
      It always defeats order, because it is better organized.
      Terry Pratchett
    • I run a Nextcloud installation with MySQL, Nginx, Fail2Ban and SSL on port 443. Does opening port 80 to the same web root bring some security issues with it?

      My Nginx is configured to serve only SSL/port 443; I am a little concerned about pointing port 80 to that jail as well.
    • I don't need a reverse proxy.

      I set up Nginx with one host (nextcloud) and pointed the letsencrypt-plugin directly to this host/webroot. Since this is the only service I need to be reachable from outside without using VPN, there is no need to use the reverse proxy.

      OMV WebGUI is served without certificate and only reachable within LAN.

      For security reasons I mapped as few ports as possible (only port 443) through my router to my NAS machine.

      I switched WebUI Port and opened port 80 for Letsencrypt. Accessing the domain on port 80 now redirects me to https/port 443.

      The post was edited 1 time, last by riff-raff ().

    • First of all,
      do not create your own renewal cron job; use the slider in the plugin.
      Second, move your OMV WebUI to another port (like 8080 or anything you like) and open 80; it is necessary.
    • So this is all you need to have. Your NC should be protected with SSL, and the SSL certificate should be renewed automatically w/o problems in the future.
    • Letsencrypt tries to renew my cert, but gets an error because of the .well-known subdirectory in my webroot. .well-known has no subdirectory or file within it. Permissions are root:www-data with drwxr-s---+


      HTML Source Code

      2017-07-08 22:36:11,189:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:
      Domain: xxxxxxxxxx
      Type: unauthorized
      Detail: Invalid response from http://xxxxxxxxxx/.well-known/acme-challenge/xxxxxxxxxx_oC_xxxxxxxxxx: "<!DOCTYPE html>
      <html class="ng-csp" data-placeholder-focus="false" lang="en" >
      <head data-requesttoken="xxxxxxxxxx"
      To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address.
      2017-07-08 22:36:11,190:INFO:certbot.auth_handler:Cleaning up challenges
      2017-07-08 22:36:11,190:DEBUG:certbot.plugins.webroot:Removing /srv/dev-disk-by-label-Storage/nextcloud/.well-known/acme-challenge/xxxxxxxxxx_oC_xxxxxxxxxx
      2017-07-08 22:36:11,192:DEBUG:certbot.plugins.webroot:All challenges cleaned up, removing /srv/dev-disk-by-label-Storage/nextcloud/.well-known/acme-challenge
      2017-07-08 22:36:11,192:WARNING:certbot.renewal:Attempting to renew cert from /etc/letsencrypt/renewal/xxxxxxxxxx.conf produced an unexpected error: Failed authorization procedure. xxxxxxxxxx (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://xxxxxxxxxx/.well-known/acme-challenge/xxxxxxxxxx_oC_xxxxxxxxxx: "<!DOCTYPE html>
      <html class="ng-csp" data-placeholder-focus="false" lang="en" >
      <head data-requesttoken="xxxxxxxxxx". Skipping.
      2017-07-08 22:36:11,196:DEBUG:certbot.renewal:Traceback was:
      Traceback (most recent call last):
      File "/usr/lib/python2.7/dist-packages/certbot/renewal.py", line 413, in handle_renewal_request
      main.obtain_cert(lineage_config, plugins, renewal_candidate)
      File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 626, in obtain_cert
      action, _ = _auth_from_available(le_client, config, domains, certname, lineage)
      File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 103, in _auth_from_available
      renewal.renew_cert(config, domains, le_client, lineage)
      File "/usr/lib/python2.7/dist-packages/certbot/renewal.py", line 296, in renew_cert
      new_certr, new_chain, new_key, _ = le_client.obtain_certificate(domains)
      File "/usr/lib/python2.7/dist-packages/certbot/client.py", line 262, in obtain_certificate
      self.config.allow_subset_of_names)
      File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 77, in get_authorizations
      self._respond(resp, best_effort)
      File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 134, in _respond
      self._poll_challenges(chall_update, best_effort)
      File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 198, in _poll_challenges
      raise errors.FailedChallenges(all_failed_achalls)
      FailedChallenges: Failed authorization procedure. xxxxxxxxxx (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://xxxxxxxxxx/.well-known/acme-challenge/xxxxxxxxxx_oC_xxxxxxxxxx: "<!DOCTYPE html>
      <html class="ng-csp" data-placeholder-focus="false" lang="en" >
      <head data-requesttoken="xxxxxxxxxx"
      2017-07-08 22:36:11,197:DEBUG:certbot.main:Exiting abnormally:
      Traceback (most recent call last):
      File "/usr/bin/certbot", line 11, in <module>
      load_entry_point('certbot==0.10.2', 'console_scripts', 'certbot')()
      File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 849, in main
      return config.func(config, plugins)
      File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 655, in renew
      renewal.handle_renewal_request(config)
      File "/usr/lib/python2.7/dist-packages/certbot/renewal.py", line 430, in handle_renewal_request
      len(renew_failures), len(parse_failures)))
      Error: 1 renew failure(s), 0 parse failure(s)

      It seems that because of a lack of authorization no renewal is possible. The cleanup within .well-known is strange.

      Pushing the monthly cron renewal manually gives me this:

      Source Code

      Fehler #0:
      exception 'OMV\ExecException' with message 'Failed to execute command 'export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin; export LANG=C; export SHELL=/bin/sh; sudo --shell --non-interactive --user=root -- omv-letsencrypt 2>&1' with exit code '1': Existing certificate uuid is invalid
      Use the Generate Certificate button in the plugin view at least once before using this script.' in /usr/share/openmediavault/engined/rpc/cron.inc:175
      Stack trace:
      #0 /usr/share/php/openmediavault/rpc/serviceabstract.inc(528): OMVRpcServiceCron->{closure}('/tmp/bgstatuslh...', '/tmp/bgoutputiY...')
      #1 /usr/share/openmediavault/engined/rpc/cron.inc(179): OMV\Rpc\ServiceAbstract->execBgProc(Object(Closure))
      #2 [internal function]: OMVRpcServiceCron->execute(Array, Array)
      #3 /usr/share/php/openmediavault/rpc/serviceabstract.inc(124): call_user_func_array(Array, Array)
      #4 /usr/share/php/openmediavault/rpc/rpc.inc(86): OMV\Rpc\ServiceAbstract->callMethod('execute', Array, Array)
      #5 /usr/sbin/omv-engined(536): OMV\Rpc\Rpc::call('Cron', 'execute', Array, Array, 1)
      #6 {main}

      Using Google, there seems to be a solution through a DNS record. I checked; there is an A record for my domain, http and www. Ports 80 and 443 are opened through the router. The web root is used for Nextcloud.

      How can I resolve this issue?

      Edit: Solved it by editing the nginx v-host config.

      Edit 2: My letsencrypt cert checks for monthly renewal, but the job says no renewal is needed, even 5 days before the cert will expire. I receive an email from letsencrypt saying I have to check my cert.

      When I push a creation of a new cert manually, a new cert is created, but it does not replace the old one, it will be placed as second cert. (I use my cert with nginx for nextcloud)

      How can I resolve this issue?

      The post was edited 5 times, last by riff-raff ().
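      The vhost change the post above describes ("Solved it by editing the nginx v-host config"), which also answers the earlier question about opening port 80 next to Nextcloud: an added example, not the poster's actual config. It assumes the placeholder domain example.com, the webroot from the certbot log above, and that the OMV WebUI has already been moved off port 80.

```nginx
# Added example, not the poster's config. Placeholder domain example.com;
# the webroot is the one certbot logged above; the OMV WebUI has already
# been moved to another port (e.g. 8080) so nginx can own port 80.
server {
    listen 80;
    server_name example.com www.example.com;

    # Answer HTTP-01 challenges as plain static files from the webroot the
    # plugin writes to. The ^~ prefix match takes precedence over the regex
    # locations of the Nextcloud vhost (PHP front controller), so the token
    # comes back as text instead of the Nextcloud HTML page seen in the log.
    location ^~ /.well-known/acme-challenge/ {
        root /srv/dev-disk-by-label-Storage/nextcloud;
        default_type "text/plain";
        try_files $uri =404;
    }

    # Nothing else is served in clear text: every other request on port 80
    # is redirected to HTTPS, so opening port 80 exposes only the challenge
    # directory, not the Nextcloud application.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

      After `nginx -t` and a reload, a test file dropped into the webroot's .well-known/acme-challenge/ directory should come back verbatim over plain HTTP before the renewal is retried; if the Nextcloud HTML still appears, another location in the Nextcloud vhost is catching the path first.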

    • Hi ysl,
      OMV web-ui
      Services
      LetsEncrypt
      Configuration tab
      Schedule refresh (make it green :))
      This will create a cron job in OMV.