Hey guys, I was running ubuntu server 16.04 and had letsencrypt bot running. This means I have my key and other config already in place. How would I migrate these config files to OMV to be able to use the letsencrypt plugin?
Thanks a lot
You have to fill out the settings in the plugin no matter what. So, why not just generate a new cert? Then it will be in the web interface as well.
I agree with ryecoaaron, just generate a new one with the web gui and it will renew automatically. You don't need a bot, it's built into the LetsEncrypt plugin already. Just turn on the "Schedule Refresh" option, one click.
I thought that I need my old key to obtain new certs. In this case I will generate a new one and revoke my old certs.
thank you both!
My latest insights: I guess the letsencrypt plugin does not replace the cert files in all cases. I will try to explain in a few more words.
At the beginning, I had copied my old (Ubuntu) /etc/letsencrypt folder to omv. Then I fired renew in letsencrypt plugin. As the webroot was not ready, renew did not work. But my cert appeared in omv cert manager. I could use it from there on! As I had trouble doing the generate or renew, I have deleted my old files in /etc/letsencrypt and started from scratch (advice from this thread). And it worked.
But after I have configured my ssl websites in nginx to use the new cert (the one generated from scratch) I got "error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch" when applying settings. Searching the internet turned out that the key does not match the cert. How is this possible? The cert was newly created. I had to do something. Then I studied the source code from letsencrypt plugin a bit (https://github.com/OpenMediaVa…gined/rpc/letsencrypt.inc). I renamed the key and cert file in /etc/ssl and copied the ones from /etc/letsencrypt. It worked.
So my question in assumption that deleting data in /etc/letsencrypt has no direct dependency to omv certs:
Why do you think it is possible that the key and cert was not updated accordingly by the letsencrypt plugin?
Many thanks in advance!
I came to the conclusion that the key is not updated accordingly. After a warm host restart nginx does not come up anymore:
Nov 21 02:40:58 media-server systemd[1]: Starting A high performance web server and a reverse proxy server...
Nov 21 02:40:58 media-server nginx[3650]: nginx: [emerg] SSL_CTX_use_PrivateKey_file("/etc/ssl/private/openmediavault-15317c25-b9eb-4165-8589-a53090198a4
Nov 21 02:40:58 media-server nginx[3650]: nginx: configuration file /etc/nginx/nginx.conf test failed
Nov 21 02:40:58 media-server systemd[1]: nginx.service: Control process exited, code=exited status=1
Nov 21 02:40:58 media-server systemd[1]: Failed to start A high performance web server and a reverse proxy server.
Nov 21 02:40:58 media-server systemd[1]: nginx.service: Unit entered failed state.
Nov 21 02:40:58 media-server systemd[1]: nginx.service: Failed with result 'exit-code'.
root@media-server:~# openssl rsa -noout -modulus -in /etc/ssl/private/openmediavault-15317c25-b9eb-4165-8589-a53090198a48.key | openssl md5
(stdin)= 731f5e810c7372248b8487c48d58896c
root@media-server:~# openssl x509 -noout -modulus -in /etc/ssl/certs/openmediavault-15317c25-b9eb-4165-8589-a53090198a48.crt | openssl md5
(stdin)= 2f5403303c8a447639c193ea89ef290d
root@media-server:~# cp /etc/letsencrypt/live/mydomain.de/fullchain.pem /etc/ssl/certs/openmediavault-15317c25-b9eb-4165-8589-a53090198a48.crt
root@media-server:~# cp /etc/letsencrypt/live/mydomain.de/privkey.pem /etc/ssl/private/openmediavault-15317c25-b9eb-4165-8589-a53090198a48.key
root@media-server:~# openssl rsa -noout -modulus -in /etc/ssl/private/openmediavault-15317c25-b9eb-4165-8589-a53090198a48.key | openssl md5
(stdin)= 2f5403303c8a447639c193ea89ef290d
root@media-server:~# openssl x509 -noout -modulus -in /etc/ssl/certs/openmediavault-15317c25-b9eb-4165-8589-a53090198a48.crt | openssl md5
(stdin)= 2f5403303c8a447639c193ea89ef290d
root@media-server:~# systemctl restart nginx
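The check performed in the post above, as an added example that is not part of the original thread: it compares public keys rather than the RSA modulus, so it also covers EC keys, and it refuses to copy a mismatched pair into place. The function names, file names and `example.test` are assumptions, and the sample key material is constructed on the fly.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): verify that a private key belongs to a
# certificate before installing the pair, instead of finding out when nginx
# refuses to start.

# Return 0 if the key matches the first certificate in the PEM file (a
# fullchain.pem lists the leaf first), 1 on mismatch, 2 if a file cannot be parsed.
key_matches_cert() {
    local cert=$1 key=$2 cert_pub key_pub
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Copy the pair into place only if it matches; on a mismatch the
# destination files are left untouched.
install_pair() {
    local cert=$1 key=$2 dest_cert=$3 dest_key=$4
    if ! key_matches_cert "$cert" "$key"; then
        echo "refusing to install: $key does not match $cert" >&2
        return 1
    fi
    install -m 0644 "$cert" "$dest_cert" && install -m 0600 "$key" "$dest_key"
}

# Constructed sample material: a self-signed cert with its key, plus an
# unrelated key standing in for a stale key left behind in /etc/ssl/private.
make_sample() {
    local dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$dir/good.key" -out "$dir/site.crt" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/stale.key" 2>/dev/null
}

demo() {
    local dir
    dir=$(mktemp -d)
    make_sample "$dir"
    key_matches_cert "$dir/site.crt" "$dir/good.key" && echo "good.key: match"
    key_matches_cert "$dir/site.crt" "$dir/stale.key" || echo "stale.key: MISMATCH"
    rm -rf "$dir"
}
demo
```

After a pair has been installed this way, `nginx -t` confirms the configuration loads before the service is restarted.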
Why do you think it is possible that the key and cert was not updated accordingly by the letsencrypt plugin?
The plugin doesn't state that it can update a cert manually copied in. You would need to copy the letsencrypt dir structure in, create the name in the settings tab the same as the subfolder created in letsencrypt folder, import the cert into OMV's ssl tab, and then manually put the uuid of that created cert in the uuid element of the letsencrypt section of the plugin's section in /etc/openmediavault/config.xml. So, I ask again, why not create a new cert?
Well, I did generate a new one:
[...] As I had trouble doing the generate or renew, I have deleted my old files in /etc/letsencrypt and started from scratch (advice from this thread). And it worked. [...]
I deleted files in /etc/letsencrypt. Maybe I have to delete my LE cert in omv webui as well. But somehow I cannot delete it, even though I tried to remove all references.
Hint: when generating certs with letsencrypt, the valid date of the cert in omv is updated. This means at least something has changed. I don't know what this means to the issue I just mentioned above with the key file not being replaced when updating certs with LE.