DuckDNS: Generated SSL certificate via CLI - How to automatically use in OMV 4.x web UI upon renewal?

  • Hello to forum members, thanks to everyone for your valuable input that was very helpful while browsing for solutions and tips/hints.


    First of all, please know that in this question/request for help, I chose to not use the openmediavault-letsencrypt 3.4.5 plugin as I do not want to leave port 80 open on my home DSL. I am a power user but not fully knowledgeable in SSL or Linux services, so your help is appreciated.


    I had found a great tip posted in LetsEncrypt.org forum by user jmorahan that actually works on my Intel NUC running OMV 4.1.2.


    So, when connected as 'root' via SSH Terminal (MacOS X) the following tip/script works 100% for my DuckDNS entry:



    This procedure required that I install certbot via apt-get install certbot in the CLI, and it produced results as expected, i.e. the 4 certificate files were created in /etc/letsencrypt/live/DOMAIN_NAME/*pem


    According to the OpenMediaVault Wiki on certificates, I can create a new SSL certificate in the web UI by manually importing the values from the created .pem into the respective fields/text boxes:


    Private key : copy and paste contents of 'privkey.pem' file;
    Certificate : copy and paste contents of 'fullchain.pem' file;
    Comment : mention the domain name.


    Setting later the home DSL router to forward port 443 to the OMV server (Intel NUC) and enabling SSL/TLS in System > General > Web Administration > Secure connection, actually produced results.


    My questions are the following:


    1. Can anyone help me by giving me the command parameters to actually refresh the certificate in 3 months, i.e. near expiration? Do I run the exact same certbot command or is there another parameter for updating instead of creating?


    The documentation here wasn't too clear for my knowledge: https://letsencrypt.readthedocs.io/en/latest/using.html


    Perhaps you can suggest an alternative parameter to the above?


    2. When I connect to the OMV via internal home network e.g. 192.168.1.100 via Chrome or Safari, I get an error that the connection is not private; specifically, in Chrome it's "ERR_CERT_COMMON_NAME_INVALID". Is this due to the fact that I am using a different name compared to the certificate? Noob question, I know!


    When I run https://whatsmychaincert.com/ and enter my DuckDNS subdomain, it passes.


    3. I found that the OMV certificates (in this case, the imported/created one) are stored in:


    /etc/ssl/certs/openmediavault-{UUID}.crt
    /etc/ssl/private/openmediavault-{UUID}.key


    Does it make sense to replace these by an alias pointing to /etc/letsencrypt/live/DOMAIN_NAME/*pem file(s)? This way any change (upon renewal via certbot) won't need me to manually delete and recreate the certificate...


    Any other method you'd consider suggesting perhaps?


    Am I right assuming that any renewal of the certificate will actually change the .pem files contents?


    I also found out that /etc/openmediavault/config.xml also stores the content of the imported .pem data... so symbolic links may not work.


    Any other ideas?


    Thank you in advance.

    OpenMediaVault 6.9.13-1 • Intel NUC NUC6CAYH • Intel Celeron J3455 • 2x4GB RAM • Samsung 870 QVO 4TB • USB Boot (System)

    Edited once, last by Konsti ()
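Added example, not part of the original post and not OMV or certbot code: a shell check for question 3 that reports whether the certificate OMV serves still matches the leaf certificate in certbot's fullchain.pem. The function names are made up for this example, it assumes both files are PEM-encoded, and DOMAIN_NAME and {UUID} are the post's placeholders.

```shell
#!/bin/sh
# Added example (hypothetical helper names): detect when the certificate copy
# OMV serves no longer matches the one certbot keeps under /etc/letsencrypt/live.

# Print the first PEM certificate block of a file (the leaf in fullchain.pem),
# with carriage returns, surrounding whitespace and blank lines removed so that
# a pasted copy compares equal to the original.
leaf_pem() {
    awk '
        { sub(/\r$/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
        /^-----BEGIN CERTIFICATE-----$/ { inblock = 1 }
        inblock && length($0) > 0 { print }
        /^-----END CERTIFICATE-----$/ { if (inblock) exit }
    ' "$1"
}

# Return 0 if the deployed copy matches the live leaf certificate,
# 1 if it differs (stale copy), 2 if a file is unreadable or holds no certificate.
cert_in_sync() {
    live=$1
    deployed=$2
    [ -r "$live" ] && [ -r "$deployed" ] || return 2
    a=$(leaf_pem "$live")
    b=$(leaf_pem "$deployed")
    [ -n "$a" ] && [ -n "$b" ] || return 2
    [ "$a" = "$b" ]
}

# Usage (as root, with the real domain and UUID substituted):
#   sh cert-sync-check.sh /etc/letsencrypt/live/DOMAIN_NAME/fullchain.pem \
#       /etc/ssl/certs/openmediavault-{UUID}.crt
if [ "$#" -eq 2 ]; then
    rc=0
    cert_in_sync "$1" "$2" || rc=$?
    case $rc in
        0) echo "in sync: OMV serves the current certificate" ;;
        1) echo "STALE: OMV serves a different certificate than certbot holds" ;;
        *) echo "error: could not read a certificate from one of the files" ;;
    esac
    exit "$rc"
fi
```

Only the public certificate is compared; the private key is never read.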

  • Where are those files supposed to be created? The letsencrypt folder or the root folder?

  • KM0201

    Closed the thread.
