Is it possible to generate a certificate without webroot?
Not with the plugin.
LE now offers wildcard certs: *.example.org. It requires adding a text file to your DNS record. Not sure that could be automated. I am sure some DNS host will offer that someday soon.
LE now offers wildcard certs.
I will add support for those as soon as stretch has the certbot 0.22 needed for wildcard cert support. I'm kind of wondering why someone would need anything other than a wildcard cert??
That will be wonderful. I have only done it once. When it renews, will it reuse the text added to the DNS? Will cross that bridge when it gets close to expiring.
I'm kind of wondering why someone would need anything other than a wildcard cert??
I am not sure, but some apps may be too picky. Or Windows Update will break it just because it's not MS. LOL
Maybe someone could help me to set the right webroot and permissions, so I could get the LE cert running in my OMV installation.
Didn't get what I configured in the wrong way...
I finally created a letsencrypt certificate for my Nextcloud access. The certificate is saved to: /etc/letsencrypt/live/Cloud/
but the problem is, I can't see my certificate in the OMV WebGUI under „Zertifikate“. How do I move the certificate so that it appears in the WebGUI, to use it for my Nextcloud? Could someone help me?
When you have test cert enabled, it doesn't copy the cert to the Certificates tab. Uncheck that from the settings tab and generate your cert again.
That's it! Thank you @ryecoaaron!
@ryecoaaron
Will you update for OMV3?
New certbot should be available now.
Any chance of getting this plugin to use DNS as an alternative to webroot validation. My partner and I both have OMV servers, and they can't both sit on port 80, but we do both have our own domains, so we could both have LetsEncrypt SSL certificates if we could update them via DNS token rather than webroot. (Also, I'd prefer not to have the admin console accessible over raw http if I can avoid it.)
Will you update for OMV3?
Probably not due to the next answer.
New certbot should be available now.
It is available but not in the Debian jessie or stretch repos. I doubt it will ever be available in the jessie repos (even backports). Read next answer.
Any chance of getting this plugin to use DNS as an alternative to webroot validation. My partner and I both have OMV servers, and they can't both sit on port 80, but we do both have our own domains, so we could both have LetsEncrypt SSL certificates if we could update them via DNS token rather than webroot. (Also, I'd prefer not to have the admin console accessible over raw http if I can avoid it.)
There is a letsencrypt wildcard cert docker image available now that should solve just about everyone's need for an alternative method.
There is a letsencrypt wildcard cert docker image available now that should solve just about everyone's need for an alternative method.
I don't see how a docker image could allow for automatic certificate update on two separate OMV servers behind the same NAT router, but thank you for the suggestion. I really think that the only way things will work for our particular setup is if the OMV-letsencrypt plugin gets support for DNS authentication.
Do you have 2 real DNS internet domains? If so, letsencrypt will work as it verifies that you entered a text record in each DNS. Not sure how a plugin would add the text file for all the different registrars out there. But that is easy enough to do once you get the text.
The facility to authenticate via DNS exists in letsencrypt. The omv-letsencrypt plugin relies on the older method of placing a token file in the webroot of the server on port 80. There is no option to use DNS authentication in the plugin. This is why I would like the developer of omv-letsencrypt to add this as an option. Obviously one or both of us could manually configure letsencrypt to use DNS authentication, but that would not allow for automatic seamless updates of our OMV SSL certificates. Hopefully all is now clear.
He has not updated the plugin yet so you will need to do it manually. I used the acme.sh method on the cli. I did it the first day, there may be automatic ways now.
The facility to authenticate via DNS exists in letsencrypt. The omv-letsencrypt plugin relies on the older method of placing a token file in the webroot of the server on port 80. There is no option to use DNS authentication in the plugin. This is why I would like the developer of omv-letsencrypt to add this as an option. Obviously one or both of us could manually configure letsencrypt to use DNS authentication, but that would not allow for automatic seamless updates of our OMV SSL certificates. Hopefully all is now clear.
Doesn't the DNS auth require making a change to the DNS TXT record? This process seems like a big change in the workflow of how the plugin works. Maybe I will run into this same problem when I add support for the wildcard cert (waiting for certbot 0.22+ in the Debian repos), but right now I don't have a lot of time for big changes like this.
Doesn't the DNS auth require making a change to the DNS TXT record?
Yes, it does. I think the way to do it is to present the TXT record and wait for the user to update the record. Sometimes it takes a while for DNS to propagate. Not sure that applies here? Also not sure if the renewal uses the same TXT record or it needs to be changed then also.
I think the DNS route is a very advanced method and may need to be done manually. At least for now.
I think the way to do it is to present the txt record and wait for the user to update the record.
That works well from the command line but presents a problem with the plugin.
I think the dns route is a very advanced method and may need to be done manually. At least for now.
I agree.
I hadn't appreciated that this requires update of DNS *every time* a new certificate is generated, which I agree makes it more challenging. People have worked around this using manual hooks - see https://serverfault.com/questi…m_campaign=google_rich_qa.
I think this means that if you used a UI dropdown to toggle authentication type, and allowed users to enter their own manual hook script in a similar way to how the nginx plugin allows you to enter web server config, then it might be possible to implement simply by calling letsencrypt with the appropriate options. (Presumably you'd need to run any such script as an untrusted user.) There's a whole bunch of hook scripts available at:
https://github.com/lukas2511/d…Examples-for-DNS-01-hooks
Thanks for considering anyway. I understand it won't be possible to replicate the entire certbot command line in the UI, and it may well be that there are security implications to using custom hooks via the GUI, but it would definitely make my and my partner's life easier if this were possible.
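The manual-hook approach described in this post, as an added example that is not part of the thread or of the omv-letsencrypt plugin: a small POSIX sh script usable as certbot's --manual-auth-hook for the dns-01 challenge. certbot hands the hook the name being validated in CERTBOT_DOMAIN and the TXT value in CERTBOT_VALIDATION, and runs it for every issuance and renewal with a fresh value, which is why the record has to be updated each time. It assumes a certbot new enough to have --manual-auth-hook (the 0.10.2 in the log further down in this thread does not), dig from dnsutils for the propagation check, and the public resolver 1.1.1.1 as a non-caching vantage point; publish_txt_record is a hypothetical placeholder to be replaced with the call to your DNS provider's API.

```shell
#!/bin/sh
# Added example, not code from the omv-letsencrypt plugin: a minimal
# certbot --manual-auth-hook for the dns-01 challenge.
# certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to the hook.

# Name of the TXT record the dns-01 validation is looked up at.
# A leading "*." from a wildcard name is stripped defensively (assumption:
# the bare domain is what the CA queries for a wildcard order).
acme_txt_name() {
    domain="${1#\*.}"
    printf '_acme-challenge.%s\n' "$domain"
}

# Poll public DNS until the TXT record carrying the expected value is
# visible, or the timeout (seconds, default 300) expires.
# Returns 0 when found, 1 on timeout. Requires dig (dnsutils).
wait_for_txt() {
    name="$1"; value="$2"; timeout="${3:-300}"; waited=0
    while [ "$waited" -lt "$timeout" ]; do
        # 1.1.1.1 is used so a stale local cache cannot mask propagation.
        if dig +short TXT "$name" @1.1.1.1 2>/dev/null | grep -Fq "\"$value\""; then
            return 0
        fi
        sleep 10
        waited=$((waited + 10))
    done
    return 1
}

# Hypothetical placeholder: replace the body with your DNS provider's
# API call that creates (or replaces) the TXT record.
publish_txt_record() {
    name="$1"; value="$2"
    printf 'Create TXT record %s with value %s\n' "$name" "$value" >&2
}

# The hook proper: publish the record, then block until it is visible so
# certbot does not ask the CA to validate before propagation finished.
auth_hook() {
    name=$(acme_txt_name "$CERTBOT_DOMAIN")
    publish_txt_record "$name" "$CERTBOT_VALIDATION"
    wait_for_txt "$name" "$CERTBOT_VALIDATION" 600
}

# Only act when certbot is actually invoking us with its environment.
if [ -n "${CERTBOT_DOMAIN:-}" ] && [ -n "${CERTBOT_VALIDATION:-}" ]; then
    auth_hook
fi
```

Invoked as `certbot certonly --manual --preferred-challenges dns --manual-auth-hook /path/to/dns-hook.sh -d example.org`, certbot waits for the hook to exit before asking Let's Encrypt to query the record. The hook runs with certbot's privileges (root on OMV), so a script entered through a GUI would indeed need the sandboxing mentioned above; a fixed, reviewed script on disk is the simpler trust boundary.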
I'm having issues getting my certificate generated.
Port 80 is open, I've changed my /etc/nginx/sites-enabled/openmediavault-webgui with this entry:
location ^~ /.well-known/acme-challenge/ {
    allow all;
    root /var/www/openmediavault;
    try_files $uri =404;
}
Checked whether http://mydomain/.well-known/ is accessible by placing a text file in it.
Upon generating my certificate I receive the following log:
Date: Sat, 14 Apr 2018 14:42:32 GMT
Connection: keep-alive
{
"identifier": {
"type": "dns",
"value": "mydomain"
},
"status": "invalid",
"expires": "2018-04-21T14:42:29Z",
"challenges": [
{
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:acme:error:unauthorized",
"detail": "Invalid response from http://mydomain/.well-known/ac…QmhlqxQn4zK_-xdOsSsQhAI0: \"\u003c!DOCTYPE html\u003e\n\u003chtml\u003e\n\t\u003chead\u003e\n\t\t\u003ctitle\u003eopenmediavault - Page not found\u003c/title\u003e\n\t\t\u003cmeta http-equiv=\"Content-Type\" content=\"text/\"",
"status": 403
},
"uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/YRyU8k91j9H1hjatCLA2sErZkyTMpbZaGh-FDbb43u0/4218992936",
"token": "xTrhsGliROpDfjRA06kQmhlqxQn4zK_-xdOsSsQhAI0",
"keyAuthorization": "xTrhsGliROpDfjRA06kQmhlqxQn4zK_-xdOsSsQhAI0.errqse64j7KBKEwPHE5x3t5cl_eEbCKDmT1nDgElmrg",
"validationRecord": [
{
"url": "http://mydomain/.well-known/acme-challenge/xTrhsGliROpDfjRA06kQmhlqxQn4zK_-xdOsSsQhAI0",
"hostname": "mydomain",
"port": "80",
"addressesResolved": [
"my ip addres"
],
"addressUsed": "my ip address"
}
]
},
{
"type": "dns-01",
"status": "invalid",
"uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/YRyU8k91j9H1hjatCLA2sErZkyTMpbZaGh-FDbb43u0/4218992937",
"token": "gJlWsxS70VXeqXJ7MuAsFTCbBqmXydKhWjEJXRsi4HQ"
}
],
"combinations": [
[
0
],
[
1
]
]
}
2018-04-14 14:42:32,873:WARNING:certbot.auth_handler:Challenge failed for domain mydomain
2018-04-14 14:42:32,874:INFO:certbot.auth_handler:Cleaning up challenges
2018-04-14 14:42:32,874:DEBUG:certbot.plugins.webroot:Removing /var/www/openmediavault/.well-known/acme-challenge/xTrhsGliROpDfjRA06kQmhlqxQn4zK_-xdOsSsQhAI0
2018-04-14 14:42:32,876:DEBUG:certbot.plugins.webroot:All challenges cleaned up, removing /var/www/openmediavault/.well-known/acme-challenge
2018-04-14 14:42:32,878:DEBUG:certbot.main:Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/certbot", line 11, in <module>
load_entry_point('certbot==0.10.2', 'console_scripts', 'certbot')()
File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 849, in main
return config.func(config, plugins)
File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 626, in obtain_cert
action, _ = _auth_from_available(le_client, config, domains, certname, lineage)
File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 107, in _auth_from_available
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File "/usr/lib/python2.7/dist-packages/certbot/client.py", line 291, in obtain_and_enroll_certificate
certr, chain, key, _ = self.obtain_certificate(domains)
File "/usr/lib/python2.7/dist-packages/certbot/client.py", line 262, in obtain_certificate
self.config.allow_subset_of_names)
File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 88, in get_authorizations
"Challenges failed for all domains")
AuthorizationError: Challenges failed for all domains
Could anyone help please?