openmediavault-letsencrypt

  • Don't know which update gave me this but,


  • This is VERY important!


    Last January 20th Let's Encrypt put into production the long-expected ACME DNS challenge, where people like me who CAN'T (damn ISP) open ports 80 or 443 are now eligible to validate the domain via a DNS TXT record. It's actually MUCH easier than opening ports on my server.


    Official Let's Encrypt announcement: https://twitter.com/letsencrypt/status/689919523164721152


    Example of a shell-script client that supports it : https://github.com/lukas2511/l….sh/blob/master/README.md
    Others: https://community.letsencrypt.…ient-implementations/2103
    Example of a hook (auxiliary script used by letsencrypt.sh above):

    [embedded gist.github.com content, not loaded]


    PLEASE look into this!
    I've generated mine manually today, but having it as a plugin would be MUCH better, because Let's Encrypt certificates expire every 90 days.


    Thanks a lot!
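    What the DNS challenge actually asks you to publish, as an added example (not the plugin's code and not from the client linked above, which computes this for you and hands the result to its hook): ACME dns-01 expects a TXT record at _acme-challenge.<domain> whose value is the base64url-encoded SHA-256 of the key authorization, i.e. the challenge token, a dot, and the RFC 7638 thumbprint of the ACME account key. The JWK and token below are constructed placeholders, not real key material; the validation function mirrors the CA-side comparison so you can test a record before telling the CA to go and look.

```python
import base64
import hashlib
import json

# Members that go into the RFC 7638 thumbprint, per key type. Anything else in the
# JWK (alg, use, kid, ...) is deliberately excluded from the hash.
THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
}

# Constructed sample account key and challenge token (placeholders, not real material).
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
    "y": "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
    "use": "sig",  # ignored by the thumbprint on purpose
}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members only, keys in lexicographic
    order, no whitespace. Extra members must not change the result."""
    try:
        members = THUMBPRINT_MEMBERS[jwk["kty"]]
    except KeyError:
        raise ValueError("unsupported key type: %r" % jwk.get("kty"))
    canonical = json.dumps({m: jwk[m] for m in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """token '.' thumbprint, the string both http-01 and dns-01 are built on."""
    return "%s.%s" % (token, jwk_thumbprint(jwk))


def dns01_txt_value(token: str, jwk: dict) -> str:
    """dns-01 differs from http-01 here: the TXT record holds the hash of the
    key authorization, not the key authorization itself."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


def dns01_record_name(domain: str) -> str:
    """Owner name of the challenge record, returned fully qualified."""
    return "_acme-challenge.%s." % domain.rstrip(".")


def deploy_challenge_record(domain: str, token: str, jwk: dict):
    """What a DNS hook has to create: (record name, TXT value)."""
    return dns01_record_name(domain), dns01_txt_value(token, jwk)


def dns01_validates(observed_txt_values, token: str, jwk: dict) -> bool:
    """Mirror of the CA-side check: at least one TXT RR must equal the expected
    value exactly. Stale records from earlier runs are harmless, so several
    values may coexist; a truncated or padded value is not accepted."""
    expected = dns01_txt_value(token, jwk)
    return any(v == expected for v in observed_txt_values)


if __name__ == "__main__":
    name, value = deploy_challenge_record("example.com", SAMPLE_TOKEN, SAMPLE_JWK)
    print("%s  IN  TXT  \"%s\"" % (name, value))
```

    Two practical caveats: the CA queries your zone's authoritative nameservers, so a record that is only visible through your resolver's cache does not count, and because every run gets a fresh token, a hook that never cleans up leaves one stale TXT record per renewal.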

  • But there were no errors during generation. And actually I have no idea what I should change. It's 3 fields: domain/e-mail/webroot. All of them contain correct values (the e-mail is used for the account only, for webroot I used the default value). Any ideas?


    I've seen the happy hacker ca root cert before. I'm still struggling to figure out why this happens. I know it happens when a cert is acquired from the Let's Encrypt Test server; however, the plugin never changes what server the cert is acquired from. The Test option just tells LE to do a dry run and not generate a certificate. I'm still investigating but I am still unsure.
    My best suggestion is to completely uninstall the plugin and manually delete /etc/letsencrypt and /opt/letsencrypt


    Don't know which update gave me this but,


    Your webroot parameter is not filled out. It should be /var/www/openmediavault



    Last January 20th Let's Encrypt put into production the long-expected ACME DNS challenge, where people like me who CAN'T (damn ISP) open ports 80 or 443 are now eligible to validate the domain via a DNS TXT record. It's actually MUCH easier than opening ports on my server.


    Thank you for this information. I will look into getting it added to the plugin ASAP.

  • I've seen the happy hacker ca root cert before. I'm still struggling to figure out why this happens. I know it happens when a cert is acquired from the Let's Encrypt Test server; however, the plugin never changes what server the cert is acquired from. The Test option just tells LE to do a dry run and not generate a certificate. I'm still investigating but I am still unsure. My best suggestion is to completely uninstall the plugin and manually delete /etc/letsencrypt and /opt/letsencrypt


    I will try today. Before I tried to reinstall and removed only /etc/letsencrypt.


    Your webroot parameter is not filled out. It should be /var/www/openmediavault


    I set up webroot to /var/www/openmediavault, but got same error.

  • The default path is /var/www/openmediavault, but your web server could be installed on a different path.
    If it is, you need to change it to reflect the proper path.


  • Web server exactly on default path. :(


    Tried to reinstall after removing the directories from /etc and /opt. Nothing changed.

    Code
    Issuer: CN=happy hacker fake CA
    .....
                Authority Information Access:
                    OCSP - URI:http://ocsp.staging-x1.letsencrypt.org/
                    CA Issuers - URI:http://cert.staging-x1.letsencrypt.org/


    Have no idea why it's not working....
    This happens when I run "Generate certificate":


    And this happens when it is run from cron:


    Same commands - but different result.

  • According to https://letsencrypt.github.io/acme-spec/#simple-http one could, when doing the acme-challenge, set tls to true, and that would make the letsencrypt server run the challenge over https


    Quote

    {
    "type": "simpleHttp",
    "tls": false
    }
    /* Signed as JWS */


    So if one could do that (with the plugin), you could then, via the nginx websites plugin, set up a default landing page with https (and change the letsencrypt webroot to wherever the landing page's root is)


    How about that? No need for SNI proxy.


    PS: This is a feature request (acme-challenge over HTTPS instead of HTTP)

  • Finally, problem found! Actually, if you want to get a correct certificate, you shouldn't try "Test certificate". Once you have tried it, you will always get connected to the wrong staging server.
    So the sequence should be: install plugin / provide email, webroot, enable monthly update, do not enable "Test certificate", apply changes / generate certificate. And no happy hacker on the horizon. :)
    Hope this helps somebody.
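    The check a practitioner would want before pointing the web UI or nginx at a freshly generated certificate, as an added example (not the plugin's code): read the certificate with the real `openssl x509 -noout -text` command, refuse anything whose issuer or Authority Information Access URIs point at the staging CA (the "happy hacker fake CA" / staging-x1 markers quoted earlier in this thread), and also refuse a certificate that is close to its 90-day expiry. The two sample texts are constructed from the shape of that openssl output (the staging one reuses the lines posted above, the production-looking one is made up for contrast), and the 30-day threshold is my own choice.

```python
import re
import subprocess
import sys
from datetime import datetime, timezone

# Constructed sample: the Issuer/AIA lines quoted in the thread, padded into the
# shape of `openssl x509 -noout -text` output. Dates are invented.
STAGING_CERT_TEXT = """\
Certificate:
    Data:
        Issuer: CN=happy hacker fake CA
        Validity
            Not Before: Jan 20 10:00:00 2016 GMT
            Not After : Apr 19 10:00:00 2016 GMT
        X509v3 extensions:
            Authority Information Access:
                OCSP - URI:http://ocsp.staging-x1.letsencrypt.org/
                CA Issuers - URI:http://cert.staging-x1.letsencrypt.org/
"""

# Constructed sample of what a production-issued certificate looks like in contrast.
PRODUCTION_CERT_TEXT = """\
Certificate:
    Data:
        Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X1
        Validity
            Not Before: Jan 20 10:00:00 2016 GMT
            Not After : Apr 19 10:00:00 2016 GMT
        X509v3 extensions:
            Authority Information Access:
                OCSP - URI:http://ocsp.int-x1.letsencrypt.org/
                CA Issuers - URI:http://cert.int-x1.letsencrypt.org/
"""


def openssl_text(pem_path: str) -> str:
    """Dump a PEM certificate with the openssl CLI (must be on PATH)."""
    return subprocess.run(["openssl", "x509", "-in", pem_path, "-noout", "-text"],
                          check=True, capture_output=True, text=True).stdout


def parse_openssl_time(s: str) -> datetime:
    """'Apr 19 10:00:00 2016 GMT' -> aware UTC datetime (openssl pads single-digit days)."""
    s = re.sub(r"\s+GMT$", "", s.strip())
    return datetime.strptime(s, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def cert_summary(cert_text: str) -> dict:
    """Pull issuer, Not After and the AIA URIs out of `openssl x509 -text` output."""
    issuer = re.search(r"^\s*Issuer:\s*(.+?)\s*$", cert_text, re.M)
    not_after = re.search(r"^\s*Not After\s*:\s*(.+?)\s*$", cert_text, re.M)
    uris = re.findall(r"(?:OCSP|CA Issuers)\s*-\s*URI:(\S+)", cert_text)
    return {
        "issuer": issuer.group(1) if issuer else "",
        "not_after": parse_openssl_time(not_after.group(1)) if not_after else None,
        "aia_uris": uris,
    }


def is_staging_cert(summary: dict) -> bool:
    """Staging shows up in two places: the fake issuer name and the staging-x1 AIA hosts.
    Checking both catches a renamed issuer as long as the URIs still say 'staging'."""
    issuer = summary["issuer"].lower()
    if "happy hacker fake ca" in issuer or "fake le" in issuer:
        return True
    return any("staging" in u.lower() for u in summary["aia_uris"])


def days_remaining(summary: dict, now=None) -> int:
    now = now or datetime.now(timezone.utc)
    return (summary["not_after"] - now).days


def deploy_gate(cert_text: str, now=None, min_days: int = 30):
    """Return (ok, reason). Only a production cert with enough validity left passes."""
    s = cert_summary(cert_text)
    if is_staging_cert(s):
        return False, "staging certificate (issuer %r); do not install" % s["issuer"]
    if s["not_after"] is None:
        return False, "could not read Not After from certificate"
    days = days_remaining(s, now)
    if days < min_days:
        return False, "certificate expires in %d days; renew first" % days
    return True, "production certificate, %d days remaining" % days


if __name__ == "__main__":
    ok, why = deploy_gate(openssl_text(sys.argv[1]))
    print(why)
    sys.exit(0 if ok else 1)
```

    Run as `python3 certgate.py /etc/letsencrypt/live/<domain>/cert.pem` (path as created by the client, hypothetical here) from the renewal cron before the step that copies the certificate into OMV; a non-zero exit keeps a staging or nearly expired certificate from being wired into the web UI.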

  • Well, getting this error now:



    Running from CLI:


    My settings:

  • Hey jkaberg,


    please stop all references to the certificate in your system, then generate a new certificate.


  • Hey jkaberg,


    please stop all references to the certificate in your system, then generate a new certificate.


    Please elaborate, what do you mean? Remove the "old" certs?

  • Hey jkaberg,


    from my thread (originally in German):
    If you first let it create a test certificate, that will succeed, but it will be a TEST certificate signed by the happy-hacker-fake-CA I mentioned above, even if you try AFTERWARDS to get a "real" certificate. You will be connected to the "happy-hacker-fake-CA" server again and again. But I don't want that, I want a "real" certificate. So I removed the references in the OMV system to the happy-hacker-fake-CA letsencrypt certificate, uninstalled the plugin and, using an SSH client, deleted all certificates under /etc/letsencrypt/keys and /etc/letsencrypt/csr. Then I reinstalled the plugin, but did not touch the "Test" button.


    Then I generated a new certificate with the letsencrypt plugin.


    Many greetings.


  • new problem detected.


    the cron job is always generated regardless of the status of the generated cert. This means that if generation fails and the cert is NOT generated, the cron job is still created, and you have one cron job for each time you press the generate button.

  • Ok, so I think I understood you correctly; steps to fix my issue:

    • Remove omv letsencrypt plugin
    • delete /etc/letsencrypt and /opt/letsencrypt
    • Install omvletsencrypt plugin
    • Regenerate certs with plugin (do not enable test option!)
    • (Optional) change certs for webUI, and if you got nginx websites plugin enabled

    This fixed it for me at least

  • Only as a suggestion to improve the plugin: if possible, try to add letsencrypt.log to the OMV webGUI log so I can see what happens if something goes wrong.


    Other plugins like fail2ban or bittorrent add their log, if you want to review the code.


    The log is now in OMV with the new 2.4 release


    Finally, problem found! Actually, if you want to get a correct certificate, you shouldn't try "Test certificate". Once you have tried it, you will always get connected to the wrong staging server.
    So the sequence should be: install plugin / provide email, webroot, enable monthly update, do not enable "Test certificate", apply changes / generate certificate. And no happy hacker on the horizon. :)
    Hope this helps somebody.


    Thank you very much for this information! I've changed the plugins tips to encourage this workflow.


    new problem detected.


    the cron job is always generated regardless of the status of the generated cert. This means that if generation fails and the cert is NOT generated, the cron job is still created, and you have one cron job for each time you press the generate button.


    I've fixed this issue in the latest release.



    2.4 of the plugin has been submitted to the extras repository. As of writing this post it is not available but it will be asap.


    Duplicate crons has been fixed
    If you currently have duplicate scheduled jobs:
    1. Turn off the "Schedule Refresh" (new text, use to be "Enable") switch in the plugin
    2. Go to Scheduled Jobs and remove all of the omv-letsencrypt entries
    3. Save + Apply all changes
    4. Switch on "Schedule Refresh" in plugin, save + apply.


    A bug in the system omv-letsencrypt script has been fixed


    Log is now viewable in OMV System Logs
    **Note the Let's Encrypt log rolls every time the letsencrypt command has been run, thus you will still need to view them from the CLI if you need anything later than your previous run.
