openmediavault-letsencrypt

  • GitHub: https://github.com/OpenMediaVa…penmediavault-letsencrypt


    Let's Encrypt provides SSL certificates that are recognized in all major browsers.



    I have created a plugin for OpenMediaVault that will allow users to generate certificates using the Let's Encrypt service. Also a cron script is included to keep the certificate updated since the certs are only valid for 90 days. I recommend this plugin only for generating the SSL certificate that OpenMediaVault will use; however, the flexibility for more is possible. I currently have some post processing scripts (running on a cron) and hard links that disperse my certificates to multiple applications running on my server.



    The plugin is currently available in the OMV-Extras.org Testing repository.




    Basic Instructions:



    1. Fill out the domain and subdomains, separated by commas, that you want the certificate to be valid for. Your main domain (example.org) should be first in the list. Wildcard (*) domains are not supported by Let's Encrypt. You must explicitly list every subdomain you want covered by your certificate.


    2. Fill out your email address. This email address will be registered with Let's Encrypt and can be used to recover your keys if needed.


    3. Ensure Enable is checked; this will create a cron job automatically to ensure the certificate stays up to date.


    4. Click on Save, then Apply configuration change.


    5. Click Generate Certificate to create your certificate.
    This cert is added to the SSL tab in the Certificates view, where it can then be enabled for use in the General Settings view.



    I tried to make the plugin as hands-off as possible, as I believe encryption should be available to everyone at all skill levels.

  • Extended Customization

    SNI Proxy

    Quote

    Proxies incoming HTTP and TLS connections based on the hostname contained in the initial request of the TCP session. This enables HTTPS name-based virtual hosting to separate backend servers without installing the private key on the proxy machine.


    SNI Proxy Github
    SNI Proxy Binaries


    Example use case:
    Our domain is domain.tld with 2 services. The first is OMV running on port 10443, the other is couchpotato running on port 5050 under the subdomain couchpotato.domain.tld.


    Install SNI Proxy and edit the following code blocks to get the following:
    Both of your services will respond on the standard 443 port.
    All Let's Encrypt authentication will happen on a single webroot regardless of where the subdomain resides.


    /etc/sniproxy.conf


    Remove "SSL InsecurePlatform" Warning
    The Debian dependencies needed to remove this warning are in wheezy-backports, so they will not be included until OMV 3.0.
    However, if the warning bothers you or prevents a cert from generating, it can be removed with the following commands:

    Code
    apt-get install python-pip
    pip install -U pip
    pip install -U pyopenssl ndg-httpsclient pyasn1
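    A /etc/sniproxy.conf for the use case described above (OMV on port 10443, couchpotato on port 5050), written here as an added example and not the configuration from the original post. It assumes both backends run on the same host as the proxy (127.0.0.1) and that OMV's own HTTP listener has been moved to port 10080 (an assumed port) so that sniproxy can bind port 80 and send every hostname's HTTP-01 challenge request to OMV's single webroot.

```conf
# Added example for the OMV + couchpotato use case (not from the original post).
# Assumptions: backends are on 127.0.0.1; OMV's plain-HTTP listener has been
# moved from 80 to 10080 (assumed) so sniproxy can own ports 80 and 443.
user daemon
pidfile /var/run/sniproxy.pid

error_log {
    syslog daemon
    priority notice
}

# Port 443: route on the SNI hostname in the TLS ClientHello. sniproxy never
# decrypts the session and holds no private key; each backend keeps its own
# copy of the Let's Encrypt fullchain.pem/privkey.pem and terminates TLS.
listen 443 {
    proto tls
    table https_hosts
}

# Port 80: route on the HTTP Host header. Every hostname goes to OMV, so the
# /.well-known/acme-challenge/ files for all subdomains are served from the
# one webroot the plugin writes to (/var/www/openmediavault/).
listen 80 {
    proto http
    table http_hosts
}

# Table entries are regular expressions and the first match wins, so anchor
# them: an unanchored "domain.tld" would also match couchpotato.domain.tld.
table https_hosts {
    ^couchpotato\.domain\.tld$   127.0.0.1:5050
    ^domain\.tld$                127.0.0.1:10443
}

table http_hosts {
    .*   127.0.0.1:10080
}
```

Because the proxy only forwards on SNI and never terminates TLS, the browser still validates the certificate presented by the backend, so each service must be configured to use the Let's Encrypt cert itself.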
  • Great work fubz!
    I tried to install the plugin and I found some errors at installation:



    I think it's not my fault: I installed the plugin normally and before finishing installation, this error appears. It seems like it is installed (with the tick when looking at the plugin list) but it does not show anywhere in the web interface :(



    EDIT: after installing and uninstalling several times, the plugin has finally appeared. It seems like it's fine until, after following the steps, when I click to create the certificate, the plugin shows this:


    Code
    >>> *************** Error ***************
    Failed to execute command 'sh /opt/letsencrypt/letsencrypt-auto certonly --webroot -w /var/www/openmediavault/ --text --keep-until-expiring --agree-tos --email "gsola96@gmail.com" -d "gsola96.no-ip.org" 2>&1': sh: 0: Can't open /opt/letsencrypt/letsencrypt-auto
    <<< *************************************


    PS: My port 80 of the router is open and tested from outside my LAN.

    DISCLAIMER: :!: I'm not a native English speaker, I'm sorry if I don't explain as good as you would want. :!:


    My NAS:
    Always the latest OMV Erasmus running on an AMD Sempron 3850 @1.3GHz with 4.9.0 Backports Kernel
    with 120GB Samsung SSD 850 EVO for OpenMediaVault & 2x500GB Primary Data HDD + 1TB Secondary HDD for Backup & 2TB USB 3.0 External HDD for offline backup


    Plugin list:
    Flash Memory, Locate, OMV-Extras.org, RSnapshot, Sensors, Syncthing, SMB/CIFS, SSH, USB Backup
    _____________________________________________________________________________________________________________________________


    Quote

    The Schrödinger's code is that one which is going to work and it's full of bugs at the same time; until you test it, you won't be able to determine it.

    Edited 2 times, last by Lord Wektabyte ()

  • Thanks @tekkb! That worked!
    Thanks also to fubz, I think it's a great contribution since I've been using let's encrypt for a while now.


  • I post it here so maybe other people have the same problem after using Let'sEncrypt certificates.
    I'm, now using the certificate for the webGUI, WordPress blog, OpenVPN-AS UI and also OwnCloud but when I access the BitTorrent Sync web interface, Firefox complains that the certificate is invalid. I did some research and I found that the certificate which is using is not the Let'sEncryt one. Is one self-signed for the same "BitTorrent" and I can't find a way to change it and tell BTSync to use the reliable Let'sEncrypt one.


    Hope someone can help!



    Thanks in advance.
    Guillem


  • @fubz,


    My OMV doesn't use port 80, will this work?



    @ gsola96,


    I haven't tried out this plug-in yet, but if you are using a LAN IP to access OMV with a Let's Encrypt cert, then that warning notification is normal in browsers.
    However, if you still have this warning notification when you are accessing from WAN/URL, then somewhere in the certs there are wrong keys or something.

    OMV v5.0
    Asus Z97-A/3.1; i3-4370
    32GB RAM Corsair Vengeance Pro

  • @tinh_x7
    When it says that you have to open port 80, I think it's the port 80 on the router (outside WAN), after that, you forward this port to whichever other port your OMV is using in your LAN.
    That's what I understand... Maybe I'm wrong.


    I'll try to access it from WAN to see if the certificate error persists


  • @fubz


    Before I could start to generate a certificate I had an "SSL InsecurePlatform error".


    I solved it by installing the python-pip package and afterwards executing:
    pip install 'requests[security]'
    to install necessary packages.


    Just consider this in the further development ;)

    OMV 5.x | Banana PI (M1) | Seafile Server
    OMV 4.x | ShuttlePC SH55J2

  • Is it possible to add a webroot configuration to the plugin ?


    Now it's only possible to generate a certificate if the openmediavault interface is exposed to the web. I would like to use another configured website (that has another webroot).

  • Is one self-signed for the same "BitTorrent" and I can't find a way to change it and tell BTSync to use the reliable Let'sEncrypt one.


    I've never used BTSync, but it looks like it may create a domain in nginx (/etc/nginx/sites-available/btsync).
    In that configuration you can add entries for the Let's Encrypt certs:
    ssl_certificate /etc/letsencrypt/live/domain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain/privkey.pem;


    @fubz,
    My OMV doesn't use port 80, will this work?


    No not currently. There is not an option to allow lets encrypt to verify your domain on another port. There is a manual verification that I've only glossed over, it seems very involved and defeats the purpose of being able to automatically generate a certificate.
    If you discover a process flow for generating a certificate with lets encrypt without using port 80 we can discuss how to properly implement the solution.




    Before I could start to generate a certificate I had an "SSL InsecurePlatform error".


    I solved it by installing the python-pip package and afterwards executing:
    pip install 'requests[security]'
    to install necessary packages.


    Just consider this in the further development ;)


    Interesting, thank you for the heads-up. I noticed the warning and just ignored it since the plugins and certificates have been working as expected. Since including a dependency is trivial I will be sure that package is added to future releases. Thanks.


    Is it possible to add a webroot configuration to the plugin ?


    Now it's only possible to generate a certificate if the openmediavault interface is exposed to the web. I would like to use another configured website (that has another webroot).


    That is a wonderful idea, I will add that option. Thanks for the suggestion.

  • Got blank screen after install of your plug-in.


    Have to remove it to get GUI again.


    Got this message in syslog (don't know if it has a link)

    Quote

    'nginx' failed protocol test [HTTP] at INET[127.0.0.1:80] via TCP -- HTTP: Error receiving data -- Resource temporarily unavailable#012"


    Git is installed.

    HP ProLiant MicroServer G7 N54L (8 GB RAM | OMV installed on 8 GB USB Flash | HDD: 2TB + 500 GB + 250 GB + 160 GB)
    OMV 2 | 64 bits | 3.16 backport kernel | omv-extras 2

  • I got this error during installation.
    Can't generate the certs.


    Code
    Error: unauthorized :: The client lacks sufficient authorization ::


    Edit: I fixed the error by not putting in my main domain for the cert generation.
    Note: You can change your non-standard port to 80 for this process, then change it back after Let's Encrypt cert generation is done.


    Overall, it looks good.
    Thanks, fubz for the plug-in.


  • When you refresh your browser does the web-gui load? How about after reboot?


    Connecting with another browser gives the same result after connecting with the admin account.
    Connecting with a standard user account didn't show any problem.


    Didn't have time to look at your link.


    • Official post

    Nice work. Seems to have created a cert. Where is the certificate stored? Do I use the same cert for multiple names.


    One thing you might mention somewhere is that there is a limit on certificates at least until the beta is over. 5 per week but they can have multiple names.


    Thanks!!

  • The certificate appears with the other certs in the WebGUI, then you can choose this cert for the web.


    I'm also getting the "Client lacks sufficient authorization" error.


    I've removed my main domain from the certificate list but still no go :(


    Any ideas?


    I'm using a 1and1 frame redirect to direct my domain to my public IP and using subdomains to point to each service running on my server, if that's any use?


    Internally I use just IPs to access my server.
