openmediavault-letsencrypt

Hi,
I generated new certs.
the operation from the plugin worked.
It generated a lot of stuff in /etc/letsencrypt (mostly .pem)
... but I don't have any new certificate in the certificate section of OMV webui
how can I use this new cert ?

another thing : the renewal cron doesn't work.
I get this :

Error #0: exception 'OMV\ExecException' with message 'Failed to execute command 'export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin; export LANG=C; export SHELL=/bin/sh; sudo --shell --non-interactive --user=root -- omv-letsencrypt 2>&1' with exit code '1': Existing certificate uuid is invalid Use the Generate Certificate button in the plugin view at least once before using this script.' in /usr/share/openmediavault/engined/rpc/cron.inc:175 Stack trace: #0 /usr/share/php/openmediavault/rpc/serviceabstract.inc(528): OMVRpcServiceCron->{closure}('/tmp/bgstatusq9...', '/tmp/bgoutput3y...') #1 /usr/share/openmediavault/engined/rpc/cron.inc(179): OMV\Rpc\ServiceAbstract->execBgProc(Object(Closure)) #2 [internal function]: OMVRpcServiceCron->execute(Array, Array) #3 /usr/share/php/openmediavault/rpc/serviceabstract.inc(124): call_user_func_array(Array, Array) #4 /usr/share/php/openmediavault/rpc/rpc.inc(86): OMV\Rpc\ServiceAbstract->callMethod('execute', Array, Array) #5 /usr/sbin/omv-engined(536): OMV\Rpc\Rpc::call('Cron', 'execute', Array, Array, 1) #6 {main}

I tried to import the certificate in webui :
privkey.pem -> private key
cert.pem -> certificate

It 'works' in the webui.

But when I attempt to access the website, the certificate doesn't work:
==> CN=Fake LE Intermediate X1

I tried with this :
openmediavault-letsencrypt

same result...

ok, I found my issue ...the 'test' was enabled in the plugin

working great now :p

I have this error when try to generate my first certificate:

Traceback (most recent call last):
  File "/usr/bin/certbot", line 6, in <module>
    from pkg_resources import load_entry_point
  File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 3019, in <module>
    @_call_aside
  File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 3003, in _call_aside
    f(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 3032, in _initialize_master_working_set
    working_set = WorkingSet._build_master()
  File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 655, in _build_master
    ws.require(__requires__)
  File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 963, in require
    needed = self.resolve(parse_requirements(requirements))
  File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 849, in resolve
    raise DistributionNotFound(req, requirers)
pkg_resources.DistributionNotFound: The 'ndg-httpsclient' distribution was not found and is required by requests
Hecho...

What can I do, and what info is needed to provide

I had the same problem.

apt-get install python-pip
pip install ndg-httpsclient

Then try again.

Gesendet von meinem Nexus 5X mit Tapatalk

Thanks a lot , your post solve the problem.

PD: For maintainers, it's possible to solve in new install?.

Thanks

Quote from raulfg3

Thanks a lot , your post solve the problem.

PD: For maintainers, it's possible to solve in new install?.

Thanks

Display More

Unfortunately I don't think that this package has maintainers. I'll try to do a pull-request when I have time.

Quote from fubz

Extended Customization

SNI Proxy

SNI Proxy Github
https://github.com/dlundquist/sniproxySNI Proxy Binaries

Example use case:
Our domain is domain.tld with 2 services. The first is OMV running on port 10443, the other is couchpotato running on port 5050 under the subdomain couchpotato.domain.tld.

Install SNI Proxy and edit the following code blocks to get the following:
Both of your services will respond on the standard 443 port.
All Let's Encrypt authentication will happen on a single webroot regardless of where the subdomain resides.

/etc/sniproxy.conf

Code

# sniproxy example configuration file
# lines that start with # are comments
# lines with only white space are ignored


user daemon


# PID file
pidfile /var/run/sniproxy.pid


error_log {
    # Log to the daemon syslog facility
    #syslog daemon


    # Alternatively we could log to file
    filename /var/log/sniproxy/sniproxy.log


    # Control the verbosity of the log
    priority notice
}


# blocks are delimited with {...}
listen 80 {
    proto http
    table http_hosts
    # Fallback backend server to use if we can not parse the client request
    fallback localhost:10080


    access_log {
        filename /var/log/sniproxy/http_access.log
        priority notice
    }
}


listen 443 {
    proto tls
    table https_hosts
    fallback 127.0.0.1:10443  #This says that if no matching redirect is found, connect to OMV


    access_log {
        filename /var/log/sniproxy/https_access.log
        priority notice
    }
}


# named tables are defined with the table directive
table http_hosts {
    .*\.domain\.tld/\.well-known/.*    localhost:80
}


# named tables are defined with the table directive
table https_hosts {
    # When proxying to local sockets you should use different tables since the
    # local socket server most likely will not autodetect which protocol is
    # being used
    #example.org unix:/var/run/server.sock
    couchpotato.domain.tld      localhost:5050
}


# if no table specified the default 'default' table is defined
table {
    # if no port is specified default HTTP (80) and HTTPS (443) ports are
    # assumed based on the protocol of the listen block using this table
}

Display More

Remove "SSL InsecurePlatform" Warning
The debian dependencies needed to remove this warning are in the wheezy-backports so they will not be included until OMV 3.0
However, if the warning bothers you or prevents a cert from generating, it can removed with the following commands:

Code

apt-get install python-pip
pip install -U pip
pip install -U pyopenssl ndg-httpsclient pyasn1

Display More

My OMV is behind my router, so where should the SNI proxy be installed?

Quote from fubz

Extended Customization

SNI Proxy

SNI Proxy Github
https://github.com/dlundquist/sniproxySNI Proxy Binaries

Example use case:
Our domain is domain.tld with 2 services. The first is OMV running on port 10443, the other is couchpotato running on port 5050 under the subdomain couchpotato.domain.tld.

Install SNI Proxy and edit the following code blocks to get the following:
Both of your services will respond on the standard 443 port.
All Let's Encrypt authentication will happen on a single webroot regardless of where the subdomain resides.

/etc/sniproxy.conf

Code

# sniproxy example configuration file
# lines that start with # are comments
# lines with only white space are ignored


user daemon


# PID file
pidfile /var/run/sniproxy.pid


error_log {
    # Log to the daemon syslog facility
    #syslog daemon


    # Alternatively we could log to file
    filename /var/log/sniproxy/sniproxy.log


    # Control the verbosity of the log
    priority notice
}


# blocks are delimited with {...}
listen 80 {
    proto http
    table http_hosts
    # Fallback backend server to use if we can not parse the client request
    fallback localhost:10080


    access_log {
        filename /var/log/sniproxy/http_access.log
        priority notice
    }
}


listen 443 {
    proto tls
    table https_hosts
    fallback 127.0.0.1:10443  #This says that if no matching redirect is found, connect to OMV


    access_log {
        filename /var/log/sniproxy/https_access.log
        priority notice
    }
}


# named tables are defined with the table directive
table http_hosts {
    .*\.domain\.tld/\.well-known/.*    localhost:80
}


# named tables are defined with the table directive
table https_hosts {
    # When proxying to local sockets you should use different tables since the
    # local socket server most likely will not autodetect which protocol is
    # being used
    #example.org unix:/var/run/server.sock
    couchpotato.domain.tld      localhost:5050
}


# if no table specified the default 'default' table is defined
table {
    # if no port is specified default HTTP (80) and HTTPS (443) ports are
    # assumed based on the protocol of the listen block using this table
}

Display More

Remove "SSL InsecurePlatform" Warning
The debian dependencies needed to remove this warning are in the wheezy-backports so they will not be included until OMV 3.0
However, if the warning bothers you or prevents a cert from generating, it can removed with the following commands:

Code

apt-get install python-pip
pip install -U pip
pip install -U pyopenssl ndg-httpsclient pyasn1

Display More

My OMV is behind my router, so where should the SNI proxy be installed?

Hello, i need some help with letsencrypt for my Nextcloud server.
I've created 2 host names with no-ip: one for my omv panel, and the second one for nextcloud. Nextcloud works very well with the Nginx and MySQL plugin. The only thing i need is a second letsencrypt certificate for my second hostname. The http version works flawlessly. When i a the second domain name to letsencrypt, nothing happens. I've added a image for help.
Does anyone knows how to add multiple certificates ? Thank in advance!

Quote from akruidenberg

Hello, i need some help with letsencrypt for my Nextcloud server.
I've created 2 host names with no-ip: one for my omv panel, and the second one for nextcloud. Nextcloud works very well with the Nginx and MySQL plugin. The only thing i need is a second letsencrypt certificate for my second hostname. The http version works flawlessly. When i a the second domain name to letsencrypt, nothing happens. I've added a image for help.
Does anyone knows how to add multiple certificates ? Thank in advance!

you must disable the certificate in your nginix and probaply in your omv webpage. In the moment when you create a new certification
you dont use on every nginx-plugin or omv the old letsencrypt certificat

Hello,

what do you think about optionally opening the port for the webserver during the renewal:

apt-get install upnpc
upnpc -d 443 TCP


letsencrypt renew


upnpc -r 443 TCP

Quote from henfri

Hello,

what do you think about optionally opening the port for the webserver during the renewal:

Code

apt-get install upnpc
upnpc -d 443 TCP


letsencrypt renew


upnpc -r 443 TCP

That could work in theory, but what's the purpose of using an SSL certificate if you're using UPnP?

Hello,

I do not see the relation between upnp and SSL.

I need the certificate for some services not running on Port 443. I do not want to expose the Web-Interface to the web.
I think, that will be similar for other users.
Thus, I intend to open 443 just for the renewal of the certificate and this is done with upnpc.

Is that clearer now?

Regards,
Hendrik

Quote from henfri

Hello,

I do not see the relation between upnp and SSL.

I need the certificate for some services not running on Port 443. I do not want to expose the Web-Interface to the web.
I think, that will be similar for other users.
Thus, I intend to open 443 just for the renewal of the certificate and this is done with upnpc.

Is that clearer now?

Regards,
Hendrik

Display More

Oh, I understand now! I made the ridiculous assumption that you wouldn't be using it for anything other than your OMV control panel. That was stupid on my part. Sorry about that.

Hey there.
I have an installation of omv 3.0.88 running and I try to install the plugin. But I get an error saying
"The following packages have unmet dependencies:
openmediavault-letsencrypt : Depends: certbot but it is not installable
E: Unable to correct problems, you have held broken packages."
And I cannot install certbot either since it is apparently not a valid package... I am puzzled at this stage how to get the plugin installed now... any suggestions anyone?

Quote from happyreacer

you must disable the certificate in your nginix and probaply in your omv webpage. In the moment when you create a new certificationyou dont use on every nginx-plugin or omv the old letsencrypt certificat

I've tried that multiple times. the second certifite will not appeard in the list of the nginx plugin. Did you mean a second certifite is not needed for both omv web and nextcloud?
Im back from vacation, thats the reason why my replay is a little bit late.
A new domain with no-ip give the same result. i think its not an domain problem. Maybe the plugin?

Okay, since I didn't know about backports, I couldn't find it because of that I guess...
so, will try to install tonight or tomorrow morning and get back to you.

(although I think this is obsolete now, the output:

Quote from ryecoaaron

certbot is in jessie-backports. What is the output of: apt-cache policy certbot

certbot:
Installed: (none)
Candidate: (none)
Package pin: (not found)
Version table:

Hey there,
I just found out that my OMV does not generate the certificate for a second given domain.
In the plugin section I defined: "a.mydomain.com,b.mydomain.com" (without quotes) as domains.
After Pressing "Generate Certificates" I only receive a.mydomain.com in my "live" folder from LetsEncrypt.

Do you know this issue?

Best regards
Benedikt