Automatic lets encrypt renewal breaks HTTPS every time.

  • Hi guys


    I am really at a loss as to why my lets encrypt, nginx, omv setup breaks every time the renewal of the lets encrypt certificate runs. For some reason the certificate I can see exposed in Google Chrome is located in etc/letsencrypt/archive even though the certificate in etc/letsencrypt/live/site/fullchain.pem is renewed and has an expiration in October.


    My openmediavault-webgui in etc/nginx/sites-available looks like this:


    Code
    # Excerpt of the server block
    server {
        listen 81;
        listen 443 ssl deferred;
        ssl_certificate      /etc/letsencrypt/live/sitename/fullchain.pem;
        ssl_certificate_key  /etc/letsencrypt/live/sitename/privkey.pem;
        include /etc/nginx/openmediavault-webgui.d/*.conf;
    }

    Does anybody have a clue as to why nginx, omv or whatever is exposing another certificate than what is located in etc/letsencrypt/live/sitename?

    • Official post

    You must be editing the config file by hand which is overwritten when the cert updates. I can tell that because you are using the letsencrypt directory instead of the directory that OMV puts certs. When the automatic update runs, it edits the certs which will cause all config files using the cert to be overwritten.

    omv 7.0.4-2 sandworm | 64 bit | 6.5 proxmox kernel

    plugins :: omvextrasorg 7.0 | kvm 7.0.10 | compose 7.1.2 | k8s 7.0-6 | cputemp 7.0 | mergerfs 7.0.3


    omv-extras.org plugins source code and issue tracker - github


    Please try ctrl-shift-R and read this before posting a question.

    Please put your OMV system details in your signature.
    Please don't PM for support... Too many PMs!
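To confirm the symptom from the question (the browser shows a different certificate than the one in the live directory), the following added example, which is not part of the thread or of the OMV plugin, compares the SHA-256 fingerprint of the leaf certificate served on a port with the first certificate in the configured fullchain.pem and, optionally, in other PEM files. The host, port and file paths are arguments you supply, and the function names are hypothetical.

```python
import base64
import hashlib
import re
import ssl
import sys

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def pem_fingerprints(pem_text):
    """SHA-256 fingerprint of every certificate in a PEM bundle, in file order."""
    return [hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()
            for body in PEM_BLOCK.findall(pem_text)]

def diagnose(served_pem, configured_pem, other_pems=()):
    """Classify the leaf the server presents against the file its config names.

    other_pems: extra (label, pem_text) pairs to search, for example older
    files under archive/ or the directory OMV writes its own certs to.
    """
    served = pem_fingerprints(served_pem)
    configured = pem_fingerprints(configured_pem)
    if not served or not configured:
        raise ValueError("no certificate found in input")
    if served[0] == configured[0]:   # the leaf is the first block in fullchain.pem
        return "match"
    for label, pem in other_pems:
        fps = pem_fingerprints(pem)
        if fps and fps[0] == served[0]:
            return "stale: served leaf is " + label
    return "mismatch: served leaf is in none of the given files"

def read(path):
    with open(path) as fh:
        return fh.read()

if __name__ == "__main__":
    # usage: script.py HOST PORT CONFIGURED_FULLCHAIN [OTHER_PEM ...]
    host, port, configured, *others = sys.argv[1:]
    # Fetched without chain validation, so an expired certificate is still returned.
    served = ssl.get_server_certificate((host, int(port)))
    print(diagnose(served, read(configured), [(p, read(p)) for p in others]))
```

A "stale" result naming a file under archive means the running server is presenting a pre-renewal certificate rather than the one the config path points to.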

    • Official post

    That makes sense. Is there an easy way to fix this, e.g. what config files do I need to change to what?

    That is the problem. You don't want to change any config files manually. The letsencrypt plugin creates a cert in the cert tab in the OMV web interface. You can use this cert in the web administration tab (and in the nginx plugin) to do what you want.


    • Official post

    What am I doing wrong? Could it be the port?

    In the Cert tab, what does the detail button tell you about the cert?


    • Official post

    Reboot the server?


  • Actually, I have found the same issue and I am able to use the new certificate the following way:


    1. Open the Lets Encrypt entry in the menu and select your certificate.
    2. From the options, select "Renew certificate". It will tell you that no renewal is needed as the certificate is not yet due for renewal.
    3. You will get the "Apply changes" dialog. Once you click apply, the new certificate will be used.


    My question would be:
    Why is the Lets Encrypt plugin not able to handle that configuration update on its own once the certificate got renewed?


    Anybody able to answer that?


    Thanks!

    • Official post

    Why is the Lets Encrypt plugin not able to handle that configuration update on its own once the certificate got renewed?

    It should be able to but I have pretty much given up on maintaining it since I don't have a good way to test it.

