openmediavault-letsencrypt

  • Because NAT Loopback does this right?

    Yay, NAT Loopback would do the trick, but I think it is "dangerous" in security terms.


    So I would go and change your LAN DNS server to point your domain name to OMV's LAN IP.

    DISCLAIMER: :!: I'm not a native English speaker, I'm sorry if I don't explain as good as you would want. :!:


    My NAS:
    Always the latest OMV Erasmus running on an AMD Sempron 3850 @1.3GHz with 4.9.0 Backports Kernel
    with 120GB Samsung SSD 850 EVO for OpenMediaVault & 2x500GB Primary Data HDD + 1TB Secondary HDD for Backup & 2TB USB 3.0 External HDD for offline backup


    Plugin list:
    Flash Memory, Locate, OMV-Extras.org, RSnapshot, Sensors, Syncthing, SMB/CIFS, SSH, USB Backup
    _____________________________________________________________________________________________________________________________


    Quote

    The Schrödinger's code is that one which is going to work and it's full of bugs at the same time; until you test it, you won't be able to determine it.

  • Hello everybody,


    I finally managed to install OMV3. I am planning to install Seafile (managed by the nginx plugin, reverse proxying) and I definitely want to use Let's Encrypt for its SSL connection.


    But my first question is a little bit more general:
    I have my OMV installation running on port 80. The domain is owned by me. Port forwarding is 80 --> 80 to my OMV LAN IP. I successfully created a Let's Encrypt certificate using the standard /var/www/openmediavault as webroot. This is all good.


    As far as I understood, Let's Encrypt needs access to my server on port 80 (all the time?). What I absolutely don't want, however, is that my OMV installation is accessible from outside my LAN. So, is there any way to block this access other than changing the port 80 OMV is running on?


    Despite not having Seafile installed yet, I already created two servers in the nginx plugin section:
    The one running on port 80 (just showing what is set under "additional options"):


    and the one running on port 443 with the Let's Encrypt certificate activated (just showing what is set under "additional options"):


    Any help is much appreciated.

  • Just to confirm, there is still the possibility to change port 80 for OMV to, let's say, port 81, right? And port 81 might not be open to the internet!
    As long as my Seafile service is listening on port 80 and nginx is redirecting requests for /.well-known/acme-challenge to /var/www/openmediavault... it should work, or am I misunderstanding something?
    @luxflow

  • @nasty_vibrations
    First, if you have a public IP and your ISP (your internet provider) doesn't block your port,
    anyone can access your Seafile regardless of your listening port (80, 81, 82...).
    You can test which ports are open on your computer with https://pentest-tools.com/netw…-port-scanner-online-nmap
    You can also block your port by using iptables;
    check out Network -> Firewall.


    Second, Let's Encrypt requires port 80 to be open to receive the cert whenever you renew the certificate (once per 3 months).
    After that you can use ANY port for HTTPS with that cert.


    Lastly, why are you blocking port 80?
    If I were you, I would only open /.well-known/acme-challenge on port 80
    and redirect anything else to 443 (HTTPS).


    And I'm very busy these days, so I may not be able to answer in more detail.

    OMV3 on Proxmox
    Intel E3-1245 v5 | 32GB ECC RAM | 4x3TB RAID10 HDD
    omv-zfs | omv-nginx | omv-letsencrypt | omv-openvpn
    Click link for more details

  • Thanks for your answers @luxflow,



    anyone can access your Seafile regardless of your listening port (80, 81, 82...)

    I'm not quite sure if I understand you correctly. I have a public IP, yes. My ISP doesn't block my port 80. At the moment my router is set to forward incoming requests on port 80 to port 80 of my OMV installation. And I assume that's the prerequisite for getting a valid Let's Encrypt certificate. But if I disable this port forwarding rule, no one can access my server. At least that's my understanding.
    And currently this is also my problem. Because OMV is also running on port 80, I am now able to access my OMV installation via the internet, which is what I want to disable!



    why are you blocking port 80?

    I am not blocking port 80; at the moment it is open. It's just that I don't want my OMV to be reachable via the internet, i.e. I would disable the port forwarding to port 80 completely, but then I couldn't renew the certificate (once every 3 months).



    if I were you, I would only open /.well-known/acme-challenge on port 80
    and redirect anything else to 443 (HTTPS)

    That's what my plan is, and I have actually already set up the servers in the nginx plugin this way (see my first post, the two spoilers).



    Ok, so right now Seafile isn't installed at all, but the server settings in the plugin are already activated. If I now go to xxx.mydomain.tld I land on my OMV login screen. That's what I don't want. So the only way that came to my mind was to change the port of OMV, so that it isn't running on port 80 anymore.


    I hope you guys get what I want.


    Thanks a lot for your help.

  • You can use a reverse proxy.
    OMV doesn't need to be on port 80 for you to use LE.
    As long as ports 80/443 are open, LE will work.
    Ports 80/443 are the standard ports that should be opened.



    i.e.:


    server {
        listen 80 default_server;
        server_name example.com www.example.com;
        return 301 https://$server_name$request_uri;
    }
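    To make the advice in this thread concrete, here is a complete pair of server blocks of the kind the nginx plugin's "additional options" would hold. This is an added example, not code from the original posts or from the OMV plugin. The domain example.com, the webroot /var/www/openmediavault, the certbot paths under /etc/letsencrypt/live/ and the Seafile backend ports (Seahub on 8000, the file server on 8082) are assumptions. Port 80 serves nothing except the HTTP-01 challenge directory and redirects everything else, so the OMV login page is never exposed even while port 80 is forwarded; OMV's own web UI is moved to a port the router does not forward (81, as done later in this thread).

```nginx
# Added example (not from the original posts or the OMV plugin).
# Assumptions: domain example.com, webroot /var/www/openmediavault,
# certbot "live" paths, Seahub on 127.0.0.1:8000, file server on 127.0.0.1:8082.

# Port 80: answer ACME HTTP-01 challenges only, send everything else to HTTPS.
server {
    listen 80 default_server;
    server_name example.com;

    # Let's Encrypt writes its token below <webroot>/.well-known/acme-challenge/.
    # The ^~ prefix match wins over any regex location, so nothing else can
    # capture the challenge path.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/openmediavault;
        default_type text/plain;
    }

    # Every other request on port 80 is redirected; the OMV UI is never served.
    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443: the Seafile reverse proxy, using the cert from the "live" directory.
server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;

    # Seahub (the Seafile web UI); assumed to listen on localhost only.
    location / {
        proxy_pass http://127.0.0.1:8000;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        client_max_body_size 0;   # uploads are size-limited by Seafile, not nginx
    }

    # Seafile file server; the /seafhttp prefix is stripped before proxying.
    location /seafhttp {
        rewrite ^/seafhttp(.*)$ $1 break;
        proxy_pass http://127.0.0.1:8082;
        client_max_body_size 0;
    }
}
```

    Check it from outside the LAN (a phone on mobile data, or the online port scanner linked above): http://example.com/ must answer a 301 to https, http://example.com/.well-known/acme-challenge/anything must answer a plain nginx 404 rather than the OMV login page, and the port carrying the OMV UI must show as closed. Renewals only need the port-80 location, so nothing else has to be forwarded for Let's Encrypt.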

  • Seafile installation was successful. I changed the port of OMV to 81. Everything seems to be working.


    Just one thing: if I try to run the "omv-letsencrypt" command via scheduled jobs I get the following error message:
    Failed to execute command 'export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin; export LANG=C; export SHELL=/bin/sh; sudo --shell --non-interactive --user=root -- omv-letsencrypt 2>&1': Existing certificate uuid is invalid. Use the Generate Certificate button in the plugin view at least once before using this script.
    Any idea why my certificate uuid is invalid?


    Thanks

  • Hi.


    The renewal process works fine. I have the new certificate in the "live" directory. But I still get this error during renewal of the certificate:


        Waiting for verification...
        Cleaning up challenges
        Generating key (2048 bits): /etc/letsencrypt/keys/0005_key-certbot.pem
        Creating CSR: /etc/letsencrypt/csr/0005_csr-certbot.pem
        {"response":null,"error":{"code":3002,"message":"Failed to set configuration","trace":"exception 'OMVException' with message 'Failed to set configuration' in /usr/share/openmediavault/engined/rpc/certificatemgmt.inc:211
        Stack trace:
        #0 [internal function]: OMVRpcServiceCertificateMgmt->set(Array, Array)
        #1 /usr/share/php/openmediavault/rpcservice.inc(125): call_user_func_array(Array, Array)
        #2 /usr/share/php/openmediavault/rpc.inc(79): OMVRpcServiceAbstract->callMethod('set', Array, Array)
        #3 /usr/sbin/omv-engined(500): OMVRpc::exec('CertificateMgmt', 'set', Array, Array, 1)
        #4 {main}"}}


    Any idea?


    Thanks for help!

  • I have a question.


    I installed LE successfully on my machine.
    Now I want to have access to different ports/services on my server over the internet, but always on the same domain! For example: domain/tvserver, domain/couchpotato, domain/nextcloud etc.


    I read a tutorial using the nginx proxy_pass function, but I'm too dumb to get it to work.


    Maybe someone can help an old guy..

    MSI B-250-DS3H-G4560 | some RAM | someTB WD red (snapraid) | OMV 4.x (latest) | DD Cine S2 V6.5

    Googling the following keywords


    tvserver nginx reverse proxy
    couchpotato nginx reverse proxy
    nextcloud nginx reverse proxy


    will give you application-specific reverse proxy configurations.


    If you use the same domain, the only thing that differs is the path (/tvserver /couchpotato /nextcloud);
    you just get one cert from LE for that domain.

    OMV3 on Proxmox
    Intel E3-1245 v5 | 32GB ECC RAM | 4x3TB RAID10 HDD
    omv-zfs | omv-nginx | omv-letsencrypt | omv-openvpn
    Click link for more details
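    As an added example of the kind of configuration those searches lead to (not code from the original posts), here is one HTTPS server block under a single Let's Encrypt certificate with each application on its own path. The domain example.com, the certbot paths and the backend ports (9981 for the TV server, 5050 for CouchPotato, 8080 for Nextcloud) are assumptions; use whatever each service actually listens on.

```nginx
# Added example, not from the original posts. Domain, cert paths and
# backend ports are assumptions. All backends are assumed to listen on
# 127.0.0.1 only, so they are reachable solely through this proxy.
server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1.2;

    # Shared proxy headers, inherited by every location below, so each
    # backend sees the real client address and knows it is behind HTTPS.
    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # TV server (port assumed). proxy_pass without a URI part forwards the
    # request path unchanged, so the backend must be configured to serve
    # under /tvserver/ itself.
    location /tvserver/ {
        proxy_pass http://127.0.0.1:9981;
    }

    # CouchPotato (port assumed): set url_base = /couchpotato in its
    # settings, otherwise the links it renders point at the site root.
    location /couchpotato/ {
        proxy_pass http://127.0.0.1:5050;
    }

    # Nextcloud (port assumed): set 'overwritewebroot' => '/nextcloud' in
    # config.php for the same reason. Large uploads need the body limit lifted.
    location /nextcloud/ {
        proxy_pass http://127.0.0.1:8080;
        client_max_body_size 0;
        proxy_request_buffering off;
    }

    # Anything not listed above is refused, so an unexpected path never lands
    # on OMV's own web UI, which should stay on a LAN-only port.
    location / {
        return 404;
    }
}
```

    The one thing a path-based layout requires of every application is that it can be told its URL prefix; an application that always generates links relative to the site root will break behind /name/ and is better given its own hostname instead, which still needs only one certificate if that name is added as a second SAN when the certificate is generated.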
