openmediavault-letsencrypt

  • Can you explain more about SNI proxy and how it works?


    Is this a plugin in OMV or something you installed manually?


    From what I understand, LE is expecting a response for my subdomains on port 80, but as they are running on ports 9091, 8081 etc. it's not getting a response? SNI proxy solves this?

    • Official Post

    I too hit the too-many-requests limit. Maybe you could add a test against the testing server that does not have a limit. Then we won't be banned for a week. Once that works we can switch to the real server.


    Code:
        Hint
        During the beta phase, Let’s Encrypt enforces strict rate limits on
        the number of certificates issued for one domain. It is recommended to
        initially use the test server via --test-cert until you get the desired
        certificates.

    From http://letsencrypt.readthedocs.org/en/latest/using.html


    Thanks

  • Can you explain more about SNI proxy and how it works?


    Is this a plugin in OMV or something you installed manually?


    From what I understand, LE is expecting a response for my subdomains on port 80, but as they are running on ports 9091, 8081 etc. it's not getting a response? SNI proxy solves this?


    Server Name Indication is an extension to the TLS handshake. Clients can use it to put the server name in the cleartext part of the TLS handshake, so that the webserver can use name-based virtual hosting for SSL too. In fact the webserver could hold multiple certificates and present the right one to the client. Before that you needed different IPs for different SSL servers.
    SNI Proxy takes the idea a step further, and instead of forwarding the request to the right virtual host, it can forward it to another server/port. HAProxy could do that too, but SNI Proxy seems to be more straightforward for this case. Typically you could also use nginx as a reverse proxy, but then you would need to configure SSL proxying in nginx. This has the benefit that you could also redirect traffic based on the complete URLs inside an SSL tunnel.


    I think he installed it manually, couldn't find a plugin. Maybe there's also a docker for that.


    Yes, SNI Proxy can forward to 127.0.0.1:9091 etc based on host names.

  • Can you explain more about SNI proxy and how it works?


    Is this a plugin in OMV or something you installed manually?


    From what I understand, LE is expecting a response for my subdomains on port 80, but as they are running on ports 9091, 8081 etc. it's not getting a response? SNI proxy solves this?


    I updated my second post in this thread with more details and a specific use case. There is not a plugin for OMV, I compiled the source, but the binaries are listed as well.
    To your last question, yes, SNI Proxy will allow you to resolve all your authentication requests from LE on a single domain, port and webroot.


    I too hit the too-many-requests limit. Maybe you could add a test against the testing server that does not have a limit. Then we won't be banned for a week. Once that works we can switch to the real server.


    A testing switch is available in the latest version, now found in the omv-extras repo.


    With the updated LE plug-in, where do I find the path for WebRoot at?


    It should already be populated, was it not?
    For OMV it is /var/www/openmediavault/
    If you are looking for the webroot for whatever service is running on port 443 or 80 you will need to do some investigation. Think of it this way: if you were to go to yourdomain.tld/webroot.html then on your filesystem there would be a file
    /var/www/someservice/webroot.html
    The /var/www/someservice is your webroot, the root folder of your web service.

  • It isn't populated.
    I'm using LE for owncloud, not OMV.
    So my webroot should be /media/54bf67db-da31-4c50-bb3c-27140944b223/www/owncloud ?
    What if I want to use LE for both OMV and OC?

    OMV v5.0
    Asus Z97-A/3.1; i3-4370
    32GB RAM Corsair Vengeance Pro

  • It isn't populated.
    I'm using LE for owncloud, not OMV.
    So my webroot should be /media/54bf67db-da31-4c50-bb3c-27140944b223/www/owncloud ?
    What if I want to use LE for both OMV and OC?


    Correct, your webroot is /media/54bf67db-da31-4c50-bb3c-27140944b223/www/owncloud


    Check out my second post in this thread, I elaborated on how to use SNI Proxy, which will allow you to authenticate all of your Let's Encrypt certificates from a single location on your file system.

  • I got this error.
    By the way, where do I see LE's log at ?


    Edit: If I don't include my main domain in the cert, then it generated fine.
    I don't understand why it wouldn't allow me to include my main domain in it.


    Logs: /var/log/letsencrypt


    What is the IP of your domain, what is the IP of the subdomain?
    Are they the same?
    Do they take you to the same part of your website? Probably not. Look at where your authorization files are being placed. They are going in the same directory, but your subdomain and domain are hosted from different directories. You will need to wait until the plugin supports multiple webroots or until you set up the SNI Proxy like I explained before.

    • Official Post

    really exciting! is this available in OMV-extras?

    Yes

    omv 7.4.10-1 sandworm | 64 bit | 6.8 proxmox kernel

    plugins :: omvextrasorg 7.0 | kvm 7.0.14 | compose 7.2.14 | k8s 7.3.1-1 | cputemp 7.0.2 | mergerfs 7.0.5 | scripts 7.0.9


    omv-extras.org plugins source code and issue tracker - github - changelogs


    Please try ctrl-shift-R and read this before posting a question.

    Please put your OMV system details in your signature.
    Please don't PM for support... Too many PMs!

  • My IP is dynamic, that's why I'm using DDNS.
    No, my domain, and my subdomain are on different hosts with different IPs.


    That is why you cannot authenticate both of your certs. You will have to use Let's Encrypt on each machine individually.


    Please revise the creation of cron jobs, I finished with 3 jobs.


    Can I delete 2 of them?


    I was worried about this. I will have to investigate a way of making it more robust.


    What did you do to get multiple crons? Did you reinstall the plugin multiple times? Any info will help.


    Make a backup of /etc/openmediavault/config.xml
    Open /etc/openmediavault/config.xml navigate to /config/services/letsencrypt (Good chance it's on the bottom of the file if it's the last plugin you installed).
    Search for references to the cron_uuid <cron_uuid>422a5cd7-008f-46e7-9ce8-b874271b5e50</cron_uuid>; in VI just press #
    Delete the <job>..</job> sections that do not refer to the cron_uuid you found previously and that contain the command for omv-letsencrypt.
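    The four manual steps above (back up config.xml, find the letsencrypt cron_uuid, locate the omv-letsencrypt <job> entries, delete those whose uuid does not match) can be done as one scripted check so nothing else in the file is touched by accident. This is an added example for this thread, not part of the plugin: the element layout of the embedded config.xml excerpt (a crontab of <job> entries with <uuid> and <command>, and /config/services/letsencrypt/cron_uuid) is a constructed approximation with made-up UUIDs, and the function that rewrites a real file is only called when you pass it a path.

```python
import shutil
import xml.etree.ElementTree as ET

# Constructed config.xml excerpt (hypothetical layout and UUIDs), shaped after the
# thread: two omv-letsencrypt jobs, only one of which matches cron_uuid, plus an
# unrelated job that must survive untouched.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<config>
  <system>
    <crontab>
      <job>
        <uuid>11111111-1111-1111-1111-111111111111</uuid>
        <enable>1</enable>
        <command>/usr/sbin/omv-letsencrypt</command>
      </job>
      <job>
        <uuid>22222222-2222-2222-2222-222222222222</uuid>
        <enable>1</enable>
        <command>/usr/sbin/omv-letsencrypt</command>
      </job>
      <job>
        <uuid>33333333-3333-3333-3333-333333333333</uuid>
        <enable>1</enable>
        <command>/sbin/fstrim -a</command>
      </job>
    </crontab>
  </system>
  <services>
    <letsencrypt>
      <enable>1</enable>
      <cron_uuid>22222222-2222-2222-2222-222222222222</cron_uuid>
    </letsencrypt>
  </services>
</config>
"""


def load_config_string(text: str) -> ET.ElementTree:
    """Parse an in-memory config.xml document (used for the constructed sample)."""
    return ET.ElementTree(ET.fromstring(text))


def find_duplicate_le_jobs(tree: ET.ElementTree):
    """Return (cron_uuid, crontab element, [(job, uuid), ...]) for stale omv-letsencrypt jobs.

    A job is stale when its command runs omv-letsencrypt but its uuid is not the
    one the letsencrypt service records in cron_uuid.
    """
    root = tree.getroot()
    keep_uuid = (root.findtext("services/letsencrypt/cron_uuid") or "").strip()
    if not keep_uuid:
        raise ValueError("no /config/services/letsencrypt/cron_uuid in this config")
    crontab = root.find("system/crontab")
    if crontab is None:
        raise ValueError("no /config/system/crontab in this config")
    stale = []
    for job in crontab.findall("job"):
        command = job.findtext("command") or ""
        uuid = (job.findtext("uuid") or "").strip()
        if "omv-letsencrypt" in command and uuid != keep_uuid:
            stale.append((job, uuid))
    return keep_uuid, crontab, stale


def prune_duplicate_le_jobs(tree: ET.ElementTree):
    """Remove stale omv-letsencrypt jobs in place; return the uuids that were removed."""
    _, crontab, stale = find_duplicate_le_jobs(tree)
    for job, _ in stale:
        crontab.remove(job)
    return [uuid for _, uuid in stale]


def remaining_le_jobs(tree: ET.ElementTree):
    """List the uuids of omv-letsencrypt jobs still present (should be exactly one)."""
    return [
        (job.findtext("uuid") or "").strip()
        for job in tree.getroot().iterfind("system/crontab/job")
        if "omv-letsencrypt" in (job.findtext("command") or "")
    ]


def prune_config_file(path: str):
    """Back up config.xml to path + '.bak', then prune it on disk. Returns removed uuids."""
    shutil.copy2(path, path + ".bak")
    tree = ET.parse(path)
    removed = prune_duplicate_le_jobs(tree)
    tree.write(path, xml_declaration=True, encoding="UTF-8")
    return removed


if __name__ == "__main__":
    sample = load_config_string(SAMPLE_CONFIG)
    print("removed:", prune_duplicate_le_jobs(sample))
    print("kept:", remaining_le_jobs(sample))
```

Run it first against the sample (or a copy of your file) and inspect the removed list before pointing prune_config_file at /etc/openmediavault/config.xml; the .bak copy is the equivalent of the manual backup in step one.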

  • Quote

    What did you do to get multiple crons?

    Not totally sure; if I remember well, I first enabled test mode and checked that it works, then disabled test mode and generated the cert, but this time it failed, or at least I think so, and finally I pushed another time to generate the cert.


    I attach my 3 last logs, perhaps they can help to determine the problem.


    letsencrypt.zip

  • I got multiple crons also.
    Whenever LE failed to generate the certs or if you re-install the plug-in, then you'll get duplicate cron jobs.
    I also noticed that if I uninstall the plug-in, re-install it, then regenerate the certs, the expiration date stays the same.
    I thought it was supposed to extend the expiration date.

    OMV v5.0
    Asus Z97-A/3.1; i3-4370
    32GB RAM Corsair Vengeance Pro


  • I got multiple crons also.
    Whenever LE failed to generate the certs or if you re-install the plug-in, then you'll get duplicate cron jobs.
    I also noticed that if I uninstall the plug-in, re-install it, then regenerate the certs, the expiration date stays the same.
    I thought it was supposed to extend the expiration date.


    Currently crons are not being uninstalled. I will fix that in the next release.
    Regenerating certs does not give you a new expiration date because I have the flag --keep-until-expiring on the Let's Encrypt process to prevent certs from being regenerated when it is not needed. If you really want new certs you will need to delete the /etc/letsencrypt folder.

  • Hi,


    I tried to get a signed certificate for 2 of my DDNS domains (dedyn and myds from SYNOLOGY, I specially didn't try no-ip) and none got a real issuer (always “happy hacker fake CA”). I found https://jeremyfelt.com/2015/11…lets-encrypt-certificate/ and here is one interesting thing.

    Quote

    “happy hacker fake CA” is the issuer used in our staging/testing server. This is what the Let’s Encrypt client currently uses when you don’t specify a different server using the --server option like you did in the original post. Because of this, I believe the --server flag was not included when you ran the client. Try running the client again, but make sure you include the --server option from your original post.


    The production server, according to the reference in the mentioned webpage, is https://acme-v01.api.letsencrypt.org/directory
    The plugin is not using the --server option, and inside /etc/letsencrypt/account/ I found that all activity happens with the staging/testing server.


    Might this be the reason why my certificates are not "real"?


    About multiple crons: it looks like a new cron is created every time I change something in the plugin definitions and apply changes (the first time I filled in the data and turned on "Test certificate" and saved/applied changes, then I turned off "Test certificate" and saved/applied changes. Finally I got 2 crons).


    Thanks for the valued plugin. Hope it will work for me in the near future.

  • If you received the cert that said "happy hacker fake CA", then that cert has been generated incorrectly.
    Double check your cert info before you generate it.

    OMV v5.0
    Asus Z97-A/3.1; i3-4370
    32GB RAM Corsair Vengeance Pro

    But there were no errors during generation. And actually I have no idea what I should change. There are 3 fields: domain/e-mail/webroot. All of them contain correct values (e-mail used for account only, for webroot I used the default value). Any ideas?
