openmediavault-letsencrypt

tinh_x7 · Jan 20th 2016

Instead fill in several sub domains, try one sub domain.
Ensure OMV is using port 80 too.

mcloum · Jan 20th 2016

So if i just use 1 sub domain such as "service.domain.co.uk" then try?

Can i then also create certificates for the other sub domains?

I thought the beauty of this plugin was you can add multiples to 1 certificate?

OMV is using port 80 internally, but its not accessible from external. Do i need to make it accessible to the outside world?

tinh_x7 · Jan 20th 2016

Let's Encrypt let you generate multiple certificates call SAN.
However, in your case, just try one sub domain see if it work.
Or you can uninstall the plug-in, and re-install it.
You don't need to make port 80 accessible to WAN, if you don't access it remotely.

raulfg3 · Jan 20th 2016

Hello, do not work for me: Error creating new cert :: Too many certificates already issued for: zapto.org, ddns.net

complete output:

Code

>>> *************** Error ***************
Failed to execute command 'sh /opt/letsencrypt/letsencrypt-auto certonly --webroot -w /var/www/openmediavault/ --text --keep-until-expiring --agree-tos --expand --email xxxxx@gmail.com  -d raulfg3.zapto.org -d rnas.ddns.net 2>&1': Updating letsencrypt and virtual environment dependencies...
.
.
.


Requesting root privileges to run with virtualenv: ~/.local/share/letsencrypt/bin/letsencrypt certonly --webroot -w /var/www/openmediavault/ --text --keep-until-expiring --agree-tos --expand --email raulfg3@gmail.com -d raulfg3.zapto.org -d rnas.ddns.net
An unexpected error occurred:
There were too many requests of a given type :: Error creating new cert :: Too many certificates already issued for: zapto.org, ddns.net
Please see the logfiles in /var/log/letsencrypt for more details.
IMPORTANT NOTES:
 - If you lose your account credentials, you can recover through
   e-mails sent to raulfg3@gmail.com.
 - Your account credentials have been saved in your Let's Encrypt
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Let's
   Encrypt so making regular backups of this

Display More

and this is letsencrypt.log if help:

Code

2016-01-20 19:09:30,911:DEBUG:letsencrypt.cli:Root logging level set at 30
2016-01-20 19:09:30,911:INFO:letsencrypt.cli:Saving debug log to /var/log/letsencrypt/letsencrypt.log
RdU_nTi4HbVapIEWjBeebxCh1Zx9IzZ_OPlHLlhdY9WoHHdoFOuRDRvXzKQmzCd4OhCLKw8T9KGX5UhgWnrUga0yRT32lPWhUrkEuwA5aVQIvZ_wNfCjstaQs9_LeJ9xXgpOwsOQYLWXVX1t4KIp0FCCvdrTkfqWi0mZcb8Orr7J-Y767xKUaXv-yuWrlttE-DvCltr-UOr5DmpvT3i-EGIJ5SjwoK2TPlpslP9F_AwofmpYoFSVuTQmI8dJcdleWhJobemo4dx8psLfD2QLC2CfCYY0_CG5dhnDeNUUFrg"}'}
2016-01-20 19:10:40,731:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-01-20 19:10:41,534:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/new-cert HTTP/1.1" 429 150
2016-01-20 19:10:41,537:DEBUG:root:Received <Response [429]>. Headers: {'Content-Length': '150', 'Server': 'nginx', 'Connection': 'close', 'Date': 'Wed, 20 Jan 2016 19:08:31 GMT', 'Content-Type': 'application/problem+json', 'Replay-Nonce': 'SCHSXNWFiErze2u6H6j73ctNs29YjUCWzrD5q-9ERbE'}. Content: '{"type":"urn:acme:error:rateLimited","detail":"Error creating new cert :: Too many certificates already issued for: zapto.org, ddns.net","status":429}'
2016-01-20 19:10:41,538:DEBUG:acme.client:Storing nonce: 'H!\xd2\\\xd5\x85\x88J\xf3{k\xba\x1f\xa8\xfb\xdd\xcbM\xb3oX\x8d@\x96\xce\xb0\xf9\xab\xefDE\xb1'
2016-01-20 19:10:41,538:DEBUG:acme.client:Received response <Response [429]> (headers: {'Content-Length': '150', 'Server': 'nginx', 'Connection': 'close', 'Date': 'Wed, 20 Jan 2016 19:08:31 GMT', 'Content-Type': 'application/problem+json', 'Replay-Nonce': 'SCHSXNWFiErze2u6H6j73ctNs29YjUCWzrD5q-9ERbE'}): '{"type":"urn:acme:error:rateLimited","detail":"Error creating new cert :: Too many certificates already issued for: zapto.org, ddns.net","status":429}'
2016-01-20 19:10:41,539:DEBUG:letsencrypt.cli:Exiting abnormally:
Traceback (most recent call last):
  File "~/.local/share/letsencrypt/bin/letsencrypt", line 11, in <module>
    sys.exit(main())
  File "/~/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/cli.py", line 1398, in main
    return args.func(args, config, plugins)
  File "/~/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/cli.py", line 600, in obtain_cert
    _auth_from_domains(le_client, config, domains)
  File "/~/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/cli.py", line 404, in _auth_from_domains
    lineage = le_client.obtain_and_enroll_certificate(domains)
  File "/~/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/client.py", line 283, in obtain_and_enroll_certificate
    certr, chain, key, _ = self.obtain_certificate(domains)
  File "/~/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/client.py", line 266, in obtain_certificate
    return self._obtain_certificate(domains, csr) + (key, csr)
  File "/~/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/client.py", line 228, in _obtain_certificate
    authzr)
  File "/~/.local/share/letsencrypt/local/lib/python2.7/site-packages/acme/client.py", line 310, in request_issuance
    headers={'Accept': content_type})
  File "/~/.local/share/letsencrypt/local/lib/python2.7/site-packages/acme/client.py", line 634, in post
    return self._check_response(response, content_type=content_type)
  File "/~/.local/share/letsencrypt/local/lib/python2.7/site-packages/acme/client.py", line 550, in _check_response
    raise messages.Error.from_json(jobj)
Error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new cert :: Too many certificates already issued for: zapto.org, ddns.net

Display More

Perhaps I need to try other day to avoid diary limit?

raulfg3 · Jan 20th 2016

only as sugest to improbe pluging, if possible try to add letsencrypt.log to OMV webGUI Log so I can see what happens if something goes wrong.

Other plugin like failbam or bittorrent add his log if you want to revise code.

mcloum · Jan 20th 2016

Still not working even after a re-install and using only 1 domain

Code

>>> *************** Error ***************
Failed to execute command 'sh /opt/letsencrypt/letsencrypt-auto certonly --webroot -w /var/www/openmediavault/ --text --keep-until-expiring --agree-tos --expand --email michael.mcloughlin@email.com  -d transmission.domain.co.uk 2>&1': Updating letsencrypt and virtual environment dependencies...
.
.
.


Requesting root privileges to run with virtualenv: ~/.local/share/letsencrypt/bin/letsencrypt certonly --webroot -w /var/www/openmediavault/ --text --keep-until-expiring --agree-tos --expand --email michael.mcloughlin@email.com -d transmission.domain.co.uk
Failed authorization procedure. transmission.domain.co.uk (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Error parsing key authorization file: Invalid key authorization: 16 parts


IMPORTANT NOTES:
 - The following errors were reported by the server:


   Domain: transmission.domain.co.uk
   Type:   urn:acme:error:unauthorized
   Detail: Error parsing key authorization file: Invalid key
   authorization: 16 parts
<<< *************************************

Display More

subzero79 · Jan 20th 2016

I think we are dealing with a question wether LE supports ssl certificate generation on subdomains where you don't actually own the main domain, ddns.org for example.
i am guessing the domain owner has to authorize subdomains, providing some records at DNS.

i also important to mention that all certs for domains domains point in DNS to the actual omv wan ip.

mcloum · Jan 20th 2016

I do own my domain, i just edited it out here.

Its registered through 1and1.co.uk and i created a frame redirect to my public IP along with the ports for my services running on OMV, this part works. Just the generating of the certs for subdomain.mydomain.co.uk

subzero79 · Jan 20th 2016

Quote from mcloum

I do own my domain, i just edited it out here.

I know that, i am referring to ddns or noip that got mentioned before.

tinh_x7 · Jan 20th 2016

I can't access OMV webgui after I enabled Let's Encrypt for OMV.

Code

This webpage is not available


ERR_CONNECTION_REFUSED

I tried OMV-firstaid, and got this the error:

Code

Updating web administration settings. Please wait ...
{"response":null,"error":{"code":7001,"message":"Failed to connect to socket: No such file or directory","trace":"exception 'OMVException' with message 'Failed to connect to socket: No such file or directory' in \/usr\/share\/php\/openmediavault\/rpc.inc:135\nStack trace:\n#0 \/usr\/sbin\/omv-rpc(107): OMVRpc::exec('WebGui', 'setSettings', Array, Array, 2)\n#1 {main}"}}
Failed to execute RPC (service=WebGui, method=setSettings)

tekkb · Jan 20th 2016

It would be nice if someone made a Guide for this.

Lord Wektabyte · Jan 20th 2016

For me, after adding a dependency, the plugin is working like a charm. I only got a problem because of too much certificates requests

Maybe @fubz could do a guide as the developer.

tekkb · Jan 20th 2016

I would but I have done my share..

tinh_x7 · Jan 20th 2016

Anybody know how to fix my error?
I've tried with HTTPS and without HTTPS, but no luck.

fubz · Jan 21st 2016

Quote from raulfg3

Hello, do not work for me: Error creating new cert :: Too many certificates already issued for: zapto.org, ddns.net
...

Perhaps I need to try other day to avoid diary limit?

There is no way around this except to wait until Lets Encrypt allows you to request a cert again.

Quote from raulfg3

only as sugest to improbe pluging, if possible try to add letsencrypt.log to OMV webGUI Log so I can see what happens if something goes wrong.

Other plugin like failbam or bittorrent add his log if you want to revise code.

I will work on that

Quote from mcloum

Still not working even after a re-install and using only 1 domain

Code

>>> *************** Error ***************
Failed to execute command 'sh /opt/letsencrypt/letsencrypt-auto certonly --webroot -w /var/www/openmediavault/ --text --keep-until-expiring --agree-tos --expand --email michael.mcloughlin@email.com  -d transmission.domain.co.uk 2>&1': Updating letsencrypt and virtual environment dependencies...
.
.
.


Requesting root privileges to run with virtualenv: ~/.local/share/letsencrypt/bin/letsencrypt certonly --webroot -w /var/www/openmediavault/ --text --keep-until-expiring --agree-tos --expand --email michael.mcloughlin@email.com -d transmission.domain.co.uk
Failed authorization procedure. transmission.domain.co.uk (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Error parsing key authorization file: Invalid key authorization: 16 parts


IMPORTANT NOTES:
 - The following errors were reported by the server:


   Domain: transmission.domain.co.uk
   Type:   urn:acme:error:unauthorized
   Detail: Error parsing key authorization file: Invalid key
   authorization: 16 parts
<<< *************************************

Display More

Your domain transmission.domain.co.uk points to your OMV installation? Port 80 is open?

Quote from tinh_x7

I can't access OMV webgui after I enabled Let's Encrypt for OMV.

Code

This webpage is not available


ERR_CONNECTION_REFUSED

I tried OMV-firstaid, and got this the error:

Code

Updating web administration settings. Please wait ...
{"response":null,"error":{"code":7001,"message":"Failed to connect to socket: No such file or directory","trace":"exception 'OMVException' with message 'Failed to connect to socket: No such file or directory' in \/usr\/share\/php\/openmediavault\/rpc.inc:135\nStack trace:\n#0 \/usr\/sbin\/omv-rpc(107): OMVRpc::exec('WebGui', 'setSettings', Array, Array, 2)\n#1 {main}"}}
Failed to execute RPC (service=WebGui, method=setSettings)

I really have no idea what this issue is. It certainly could be the plugin; however, my understanding of OMV inner workings is still limited. I would create a new thread to get more visibility to the issue.

Quote from tekkb

It would be nice if someone made a Guide for this.

What would you like to see added to what I have now? I will do my best to create one.

mcloum · Jan 21st 2016

Yes but not the OMV gui, it points to the transmission install that is running on OMV on port 9091. If i point my browser at transmission.domain.co.uk i get access to my transmission so i know DNS is resolving correctly.

The only thing i though was because transmission is protected by a password that letsencrypt wasnt getting the response it needed? I tested by turning off the authentication on transmission but still didn't work.

subzero79 · Jan 21st 2016

It should be an open website. Before the plugin I used plain LE to generate one with the sonarr webui and I had to turn authentication off while LE was doing verification.
i have to admit that is not easy, I went to bunch of switches in cli until finally got it working, but my impression is that the whole LE is not ready. Sometimes work sometimes doesnt.

tinh_x7 · Jan 21st 2016

My OMV webgui is back working after I turned the server off and turned it back on.
Not sure why Let's Encrypt cert caused it.
So far so good.

fubz · Jan 22nd 2016

Quote from mcloum

Yes but not the OMV gui, it points to the transmission install that is running on OMV on port 9091. If i point my browser at transmission.domain.co.uk i get access to my transmission so i know DNS is resolving correctly.

The only thing i though was because transmission is protected by a password that letsencrypt wasnt getting the response it needed? I tested by turning off the authentication on transmission but still didn't work.

What are you serving on port 80? more specifically, if you were to traverse your file system to where your transmission.domain.co.uk/index.html loads, what is that path? Currently the plugin is putting your authentication file in /var/www/openmediavault/.well-known/acme-challenge/haskeyhere. Thus, if I go to transmission.domain.co.uk/.well-known/acme-challenge/haskeyhere I would be able to see that file that lets encrypt placed. If this is not the case you have a couple of solutions.
Use the SNI Proxy I posted to serve all your external content on the default ports 80 and 443. This way if you were to go to transmission.domain.co.uk in your browser, the SNI Proxy would forward the traffic from your transmission install. Also you can then point to your OMV installation on port 9091 through port 80 by specifying SNI Proxy to forward traffic from say for example omv.domain.co.uk.
Otherwise you will need to set a custom webroot, this is coming in the next release of plugin that is just waiting to be pushed to the repository. In this case you set your web root to /var/www/transmission-where-your-application-is/ This way when lets encrypt goes to your domain it will be able to find the files it placed in the root directory.
You can also try to read the documentation if my rambling does not make sense https://letsencrypt.org/howitworks/
Let me know what else I can clarify, I would be glad to help where I can.

Quote from subzero79

It should be an open website. Before the plugin I used plain LE to generate one with the sonarr webui and I had to turn authentication off while LE was doing verification.
i have to admit that is not easy, I went to bunch of switches in cli until finally got it working, but my impression is that the whole LE is not ready. Sometimes work sometimes doesnt.

If you use SNI Proxy you can avoid that whole headache. I route all Lets Encrypt validations for all my subdomains to the same directory. Check out the configuration I posted and let me know if I need to clarify anything. After spending so much time learning about LE and the proxy I take for granted the knowledge.

Quote from tinh_x7

My OMV webgui is back working after I turned the server off and turned it back on.
Not sure why Let's Encrypt cert caused it.
So far so good.

I'm glad it got fixed with a "simple" solution Sorry If I borked your system.

raulfg3 · Jan 22nd 2016

More info about: Too many certificates already issued

https://community.letsencrypt.…cates-already-issued/6481

https://community.letsencrypt.…dy-issued-rate-limit/4184

Participate now!