DuckDNS: Generated SSL certificate via CLI - How to automatically use in OMV 4.x web UI upon renewal?

    • OMV 4.x
    • CLI generate LetsEncrypt SSL certificate for DuckDNS and help to use in OMV 4.x web UI somewhat automatically upon renewal

      Hello to forum members, thanks to everyone for your valuable input that was very helpful while browsing for solutions and tips/hints.

      First of all, please know that in this question/request for help, I chose to not use the openmediavault-letsencrypt 3.4.5 plugin as I do not want to leave port 80 open on my home DSL. I am a power user but not fully knowledgeable in SSL or Linux services, so your help is appreciated.

      I had found a great tip posted in LetsEncrypt.org forum by user jmorahan that actually works on my Intel NUC running OMV 4.1.2.

      So, when connected as 'root' via SSH Terminal (MacOS X) the following tip/script works 100% for my DuckDNS entry:

      jmorahan wrote:

      Duck DNS has an API that you can use with the DNS-01 challenge. Create the following script files:

      auth.sh

      Shell-Script

      1. #!/bin/bash
      2. DUCKDNS_TOKEN="your_token_here"
      3. [[ "$(curl -s "https://www.duckdns.org/update?domains=${CERTBOT_DOMAIN%.duckdns.org}&token=${DUCKDNS_TOKEN}&txt=${CERTBOT_VALIDATION}")" = "OK" ]]

      cleanup.sh

      Shell-Script

      1. #!/bin/bash
      2. DUCKDNS_TOKEN="your_token_here"
      3. [[ "$(curl -s "https://www.duckdns.org/update?domains=${CERTBOT_DOMAIN%.duckdns.org}&token=${DUCKDNS_TOKEN}&txt=${CERTBOT_VALIDATION}&clear=true")" = "OK" ]]

      Put in your real Duck DNS token instead of “your_token_here”. Make both scripts executable with chmod +x auth.sh cleanup.sh

      Then you can run certbot:

      Source Code

      1. sudo certbot certonly --manual --preferred-challenges dns --manual-auth-hook /path/to/auth.sh --manual-cleanup-hook /path/to/cleanup.sh

      (obviously use the real location of the scripts instead of /path/to)

      The method described above uses the DNS API of Duck DNS, so the validation looks for a DNS TXT record to verify your control of the (sub)domain and does not need to connect to your server at all.

      Some home ISPs do block some ports from being accessed from the internet. If your ISP is blocking both 80 and 443, you might try forwarding an alternative port such as 8443 to your raspberry pi.

      This procedure required that I installed certbot via apt-get install certbot in CLI, and produced results as expected i.e. the 4 certificate files were created in /etc/letsencrypt/live/DOMAIN_NAME/*pem

      According to the OpenMediaVault Wiki on certificates, I can create a new SSL certificate in the web UI by manually importing the values from the created .pem into the respective fields/text boxes:

      Private key : copy and paste contents of 'privkey.pem' file;
      Certificate : copy and paste contents of 'fullchain.pem' file;
      Comment : mention the domain name.

      Setting later the home DSL router to forward port 443 to the OMV server (Intel NUC) and enabling SSL/TLS in System > General > Web Administration > Secure connection, actually produced results.

      My questions are the following:

      1. Can anyone help me by giving me the command parameters to actually refresh the certificate in 3 months, i.e. near expiration? Do I run the exact same certbot command or is there another parameter for updating instead of creating?

      The documentation here wasn't too clear for my knowledge: letsencrypt.readthedocs.io/en/latest/using.html

      Perhaps you suggest an alternative parameter than the above?

      2. When I connect to the OMV via internal home network e.g. 192.168.1.100 via Chrome or Safari, I get an error that the connection is not private; specifically, in Chrome it's "ERR_CERT_COMMON_NAME_INVALID". Is this due to the fact that I am using a different name compared to the certificate? Noob question, I know!

      When I run whatsmychaincert.com/ and enter my DuckDNS subdomain, it passes.

      3. I found that the OMV certificates (in this case, the imported/created one) are stored in:

      /etc/ssl/certs/openmediavault-{UUID}.crt
      /etc/ssl/private/openmediavault-{UUID}.key


      Does it make sense to replace these by an alias pointing to /etc/letsencrypt/live/DOMAIN_NAME/*pem file(s)? This way any change (upon renewal via certbot) won't need me to manually delete and recreate the certificate...

      Any other method you'd consider suggesting perhaps?

      Am I right assuming that any renewal of the certificate will actually change the .pem files contents?

      I also found out that /etc/openmediavault/config.xml also stores the content of the imported .pem data... so symbolic links may not work.

      Any other ideas?

      Thank you in advance.
      OpenMediaVault 4.1.2 on Intel NUC6CAYH with 4GB RAM and single 2TB HDD configuration (incl. tweaks)

      The post was edited 1 time, last by Konsti ().

    • Users Online 1

      1 Guest