openmediavault-letsencrypt
- OMV 3.x
- fubz
-
Because NAT loopback does this, right?
Yeah, NAT loopback would do the trick, but I think it is "dangerous" in security terms.
So I would change your LAN DNS server to point your domain name to OMV's LAN IP.
-
Ok, b/c I don't see it list in the plugins website.
If you check the plugins list through the OMV-Extras plugin you should see it. I may be wrong, but I believe it is located in the testing repository, so if you do not see it, make sure that the testing repo is enabled.
-
I'm still on OMV2, that's why I'm asking to be sure.
-
I'm still on OMV2, that's why I'm asking to be sure.
I am using OMV2 on my NAS as well, but I have tested OMV3 in a VM.
-
The LE plugin is working fine on OMV3.
However, the date that is logged is incorrect.
It's one day ahead of the actual date.
OMV's date: 12/2/16, LE's date: 12/3/16. -
Does it work with an alternative port? My ISP blocks incoming traffic on 80 and 443.
-
Hello everybody,
I finally managed to install OMV3. I am planning to install Seafile (managed by the nginx plugin, reverse proxying) and I definitely want to use Let's Encrypt for its SSL connection.
But my first question is a little bit more general:
I have my OMV installation running on port 80. The domain is owned by me. Port forwarding is 80 --> 80 to my OMV LAN IP. I successfully created a Let's Encrypt certificate using the standard /var/www/openmediavault as webroot. This is all good. As far as I understood, Let's Encrypt needs access to my server on port 80 (all the time?). What I absolutely don't want, however, is that my OMV installation is accessible from outside my LAN. So, is there any way to block this access other than changing the port 80 OMV is running on?
Despite not having seafile installed yet I already created two servers at the nginx-plugin section:
The one running on port 80 (just showing what is set under "additional options"):
# Serve ACME http-01 challenges from the LE webroot. certbot writes the token to
# /var/www/openmediavault/.well-known/acme-challenge/<token>, so 'root' (which keeps
# the full request URI) is the right directive here; 'alias /var/www/openmediavault'
# would strip the /.well-known/acme-challenge prefix and look for
# /var/www/openmediavault/<token> instead.
location /.well-known/acme-challenge {
    root /var/www/openmediavault;
}
# A 'return' at server level runs before location matching and would also redirect
# the challenge requests, so the redirect lives in a catch-all location instead.
location / {
    return 301 https://$http_host$request_uri;
}
and the one running on port 443 with the lets-encrypt certificate activated (just showing what is set under "additional options"):
# Pass the client address on to the proxied backends
proxy_set_header X-Forwarded-For $remote_addr;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
server_tokens off;
gzip off;
include /etc/nginx/perfect-forward-secrecy.conf;

# ACME http-01 challenges: certbot writes <webroot>/.well-known/acme-challenge/<token>.
# 'root' keeps the request URI; 'alias /var/www/openmediavault' would drop the
# /.well-known/acme-challenge prefix and look in the wrong directory.
location /.well-known/acme-challenge {
    root /var/www/openmediavault;
}

# Seahub (Seafile web UI) over FastCGI
location / {
    fastcgi_pass 127.0.0.1:8000;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO $fastcgi_script_name;
    fastcgi_param SERVER_PROTOCOL $server_protocol;
    fastcgi_param QUERY_STRING $query_string;
    fastcgi_param REQUEST_METHOD $request_method;
    fastcgi_param CONTENT_TYPE $content_type;
    fastcgi_param CONTENT_LENGTH $content_length;
    fastcgi_param SERVER_ADDR $server_addr;
    fastcgi_param SERVER_PORT $server_port;
    fastcgi_param SERVER_NAME $server_name;
    fastcgi_param REMOTE_ADDR $remote_addr;
    # Tell Seahub it sits behind TLS so the links it generates use https
    fastcgi_param HTTPS on;
    fastcgi_param HTTP_SCHEME https;
    access_log /var/log/nginx/seahub.access.log;
    error_log /var/log/nginx/seahub.error.log;
}

# Seafile file server (uploads/downloads); the /seafhttp prefix is stripped
location /seafhttp {
    rewrite ^/seafhttp(.*)$ $1 break;
    proxy_pass http://127.0.0.1:8082;
    client_max_body_size 0;
    proxy_connect_timeout 36000s;
    proxy_read_timeout 36000s;
    proxy_send_timeout 36000s;
}

# Seahub static files
location /media {
    root /opt/seafile/seafile-server-latest/seahub;
}

# SeafDAV (WebDAV) over FastCGI
location /seafdav {
    fastcgi_pass 127.0.0.1:8080;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO $fastcgi_script_name;
    fastcgi_param SERVER_PROTOCOL $server_protocol;
    fastcgi_param QUERY_STRING $query_string;
    fastcgi_param REQUEST_METHOD $request_method;
    fastcgi_param CONTENT_TYPE $content_type;
    fastcgi_param CONTENT_LENGTH $content_length;
    fastcgi_param SERVER_ADDR $server_addr;
    fastcgi_param SERVER_PORT $server_port;
    fastcgi_param SERVER_NAME $server_name;
    fastcgi_param REMOTE_ADDR $remote_addr;
    fastcgi_param HTTPS on;
    client_max_body_size 0;
    access_log /var/log/nginx/seafdav.access.log;
    error_log /var/log/nginx/seafdav.error.log;
}
Any help is much appreciated. -
As long as you don't open your OMV to the world, they can't access it.
Use VPN instead. -
Just to confirm, there is still the possibility to change port 80 for OMV to, let's say, port 81, right? And port 81 might not be open to the internet!
As long as my Seafile service is listening on port 80 and nginx is redirecting the requests for /.well-known/acme-challenge to /var/www/openmediavault... it should work, or am I misunderstanding something?
@luxflow -
@nasty_vibrations
First, if you have a public IP and your ISP (internet provider) doesn't block your port, anyone can access your Seafile regardless of your listening port (80, 81, 82...).
You can test which ports are open on your computer with https://pentest-tools.com/netw…-port-scanner-online-nmap
You can also block your port by using iptables; check out Network -> Firewall.
Second, Let's Encrypt requires port 80 to be open to receive the cert whenever you certify (once per 3 months).
After that you can use ANY port for https with that cert.
Lastly, why are you blocking port 80?
If I were you, I would only open /.well-known/acme-challenge on port 80 and make everything else redirect to 443 (https).
I'm very busy these days, so I may not be able to answer in more detail.
-
Thanks for your answers @luxflow,
anyone can access your Seafile regardless of your listening port (80, 81, 82...)
I'm not quite sure if I understand you correctly. I have a public IP, yes. My ISP doesn't block my port 80. At the moment my router is set to forward incoming requests on port 80 to port 80 of my OMV installation. And I assume that's the prerequisite for getting a valid Let's Encrypt certificate. But if I disable this port-forwarding rule no one can access my server. At least that's my understanding.
And currently this is also my problem. Because OMV is also running on port 80 I am now able to access my OMV installation via the internet, which is what I want to disable!
why are you blocking port 80?
I am not blocking port 80, at the moment it is open. It's just that I don't want my OMV to be reachable via the internet, i.e. I would disable the port forwarding to port 80 completely, but then I couldn't get a certificate (once every 3 months).
if I were you, I would only open /.well-known/acme-challenge on port 80 and make everything else redirect to 443 (https)
That's what my plan is, and I have actually already set up the servers in the nginx plugin this way (see my first post, the two spoilers).
Ok, so right now Seafile isn't installed at all, but the server settings in the plugin are already activated. If I now go to xxx.mydomain.tld I land on my OMV login screen. That's what I don't want. So the only way that came to my mind was to change the port of OMV, so that it isn't running on port 80 anymore.
I hope you guys get what I want.
Thanks a lot for your help.
-
You can use reverse proxy.
OMV doesn't need to be on port 80 for you to use LE.
As long as port 80/443 are open, LE will work.
Port 80/443 are standard ports that should be open, i.e.:
# Catch-all HTTP server: every plain-HTTP request is redirected to HTTPS.
# $server_name expands to the first name listed (example.com).
server {
    listen 80 default_server;
    server_name example.com www.example.com;
    return 301 https://$server_name$request_uri;
} -
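Added example, not from this thread or from the OMV or Seafile projects: one way to put the advice above into a complete configuration so that forwarding 80/443 to the NAS serves Let's Encrypt and Seafile without exposing the OMV web UI. Everything specific here is assumed: domain nas.example.com, the OMV UI moved to port 81 (a port the router does not forward), LAN 192.168.1.0/24, certbot webroot /var/www/openmediavault, and Seahub listening on 127.0.0.1:8000 (Seafile's other locations such as /seafhttp are left out to keep the example short).

```nginx
# Added example (hypothetical names/ports), not the poster's or OMV's config.

# Port 80: serve ONLY the ACME http-01 challenge, redirect everything else.
server {
    listen 80 default_server;
    server_name nas.example.com;

    location ^~ /.well-known/acme-challenge/ {
        # certbot writes <webroot>/.well-known/acme-challenge/<token>;
        # 'root' keeps the URI, so the token path resolves correctly
        # ('alias <webroot>' would drop the prefix and 404).
        root /var/www/openmediavault;
        default_type "text/plain";
        try_files $uri =404;
    }

    # The redirect sits in a location, not at server level: a server-level
    # 'return' runs before location matching and would redirect the
    # challenge requests as well.
    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443: Seafile only. Nothing here proxies to the OMV UI on port 81.
server {
    listen 443 ssl;
    server_name nas.example.com;

    ssl_certificate     /etc/letsencrypt/live/nas.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/nas.example.com/privkey.pem;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
    server_tokens off;

    location / {
        proxy_pass http://127.0.0.1:8000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# Optional: a TLS front for the OMV UI that only LAN clients may reach, on a
# port the router does not forward. The allow/deny pair is the check that
# still holds if a forwarding rule for 8443 is ever added by mistake.
server {
    listen 8443 ssl;
    server_name nas.example.com;

    ssl_certificate     /etc/letsencrypt/live/nas.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/nas.example.com/privkey.pem;

    allow 192.168.1.0/24;   # assumed LAN range
    deny  all;

    location / {
        proxy_pass http://127.0.0.1:81;   # OMV UI moved to 81, as the poster did
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Check it from outside the LAN (a phone off Wi-Fi, or an online port scanner as suggested earlier in the thread): port 80 must answer only the challenge path and redirect the rest, 443 must show Seafile, and neither 81 nor 8443 should be reachable. From inside the LAN, 8443 should show the OMV login and any other client address should get 403 from the deny rule.
-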
Seafile installation was successful. I changed port of omv to 81. Everything seems to be working.
Just one thing, if I try to run the "omv-letsencrypt" command via scheduled jobs I get the following error message:
Failed to execute command 'export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin; export LANG=C; export SHELL=/bin/sh; sudo --shell --non-interactive --user=root -- omv-letsencrypt 2>&1': Existing certificate uuid is invalid. Use the Generate Certificate button in the plugin view at least once before using this script.
Any idea why my certificate uuid is invalid? Thanks
-
Use the Generate Certificate button in the plugin view at least once before using this script.
-
Hi.
The renew process works fine. I have the new certificate in the "live" directory. But I still get this error during renewal of the certificate:
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0005_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0005_csr-certbot.pem
{"response":null,"error":{"code":3002,"message":"Failed to set configuration","trace":"exception 'OMVException' with message 'Failed to set configuration' in \/usr\/share\/openmediavault\/engined\/rpc\/certificatemgmt.inc:211\nStack trace:\n#0 [internal function]: OMVRpcServiceCertificateMgmt->set(Array, Array)\n#1 \/usr\/share\/php\/openmediavault\/rpcservice.inc(125): call_user_func_array(Array, Array)\n#2 \/usr\/share\/php\/openmediavault\/rpc.inc(79): OMVRpcServiceAbstract->callMethod('set', Array, Array)\n#3 \/usr\/sbin\/omv-engined(500): OMVRpc::exec('CertificateMgmt', 'set', Array, Array, 1)\n#4 {main}"}}
Any idea?
Thanks for help!
-
I have a question.
I installed LE successfully on my machine.
Now I want to have access to different ports/services on my server over the internet, but always on the same domain!! For example: domain/tvserver, domain/couchpotato, domain/nextcloud etc. I read a tutorial using the nginx proxy_pass function but I'm too dumb to get it to work.
Maybe someone can help an old guy...
-
Googling the following keywords
tvserver nginx reverse proxy
couchpotato nginx reverse proxy
nextcloud nginx reverse proxy
gives you application-specific reverse proxy configurations.
If you use the same domain, the only different thing is the path (/tvserver /couchpotato /nextcloud).
You just get one cert from LE for that domain. -
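Added example, not from this thread or from any of the projects named in it: the path-based layout described in the reply above as one nginx server block, with one certificate for the whole domain. The domain, the backend ports (5050, 8081, 9981) and the existence of a "tvserver" application are assumptions; the two sub-path patterns it shows (pass the prefix through, or strip it) are the general choice behind every "app nginx reverse proxy" tutorial, and which one applies depends on whether the app can be told its base path.

```nginx
# Added example (hypothetical domain, ports and apps), not the poster's config.
server {
    listen 443 ssl;
    server_name nas.example.com;

    ssl_certificate     /etc/letsencrypt/live/nas.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/nas.example.com/privkey.pem;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
    server_tokens off;

    # Set once at server level. A location that declares its own
    # proxy_set_header stops inheriting these, so none of the locations below do.
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;

    # Pattern A: the app knows its sub-path, so the prefix is passed through
    # unchanged (proxy_pass with no URI part). CouchPotato: set url_base to
    # "couchpotato" in its settings.
    location /couchpotato/ {
        proxy_pass http://127.0.0.1:5050;
    }

    # Pattern A again: Nextcloud served by a local web server under /nextcloud/.
    # Its config.php needs 'overwritewebroot' => '/nextcloud' and
    # 'overwriteprotocol' => 'https', otherwise it generates wrong links.
    location /nextcloud/ {
        proxy_pass http://127.0.0.1:8081;
        client_max_body_size 0;   # large uploads
    }

    # Pattern B: the app cannot be told a sub-path, so nginx strips the prefix
    # (trailing slash on proxy_pass). Fine for APIs and simple UIs; an app that
    # emits absolute links without the prefix will break here.
    location /tvserver/ {
        proxy_pass http://127.0.0.1:9981/;
    }

    # Redirect the bare paths so relative links resolve under the sub-path.
    location = /couchpotato { return 301 /couchpotato/; }
    location = /nextcloud   { return 301 /nextcloud/; }
    location = /tvserver    { return 301 /tvserver/; }

    # Nothing lives at the root; fail closed rather than fall through to
    # some other service on the box.
    location / {
        return 404;
    }
}
```

Test each path with the browser's developer tools open: a 301 that points at the wrong host or at http:// means the app is not seeing X-Forwarded-Proto or has not been told its base path, and is the usual reason a sub-path proxy "does not work".
-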
Can somebody fix the LE's date & time?
It's incorrect. My OMV system is displaying the correct time in EST.
LE is displaying a different one.
OMV: 9:37PM EST Friday
LE: 2:32AM Saturday -