openmediavault-letsencrypt

  • LE now offers wildcard certs.

    I will add support for those as soon as stretch has certbot 0.22 needed for wildcard cert support. I'm kind of wondering why someone would need anything other than a wildcard cert??

    omv 5.5.2 usul | 64 bit | 5.4 proxmox kernel | omvextrasorg 5.3.3
    omv-extras.org plugins source code and issue tracker - github


    Please read this before posting a question.
    Please don't PM for support... Too many PMs!

  • That will be wonderful. I have only done it once. When it renews will it reuse the text added to the dns? Will cross that bridge when it gets close to expiring.

    I'm kind of wondering why someone would need anything other than a wildcard cert??

    I am not sure but some apps may be too picky. Or windows update will break it just because it's not ms. LOL

  • I finally created a letsencrypt certificate for my nextcloud access. The certificate is saved to: /etc/letsencrypt/live/Cloud/


    but the problem is, I can't see my certificate in the OMV WebGUI under "Zertifikate" (Certificates). How do I move the certificate so that it appears in the WebGUI and I can use it for my nextcloud? Could someone help me?



    Screenshot showing the (successfully?) created certificate:

  • When you have test cert enabled, it doesn't copy the cert to the Certificates tab. Uncheck that from the settings tab and generate your cert again.


  • @ryecoaaron
    Will you update for OMV3?
    new certbot should be now available :)

    Debian 8.6 Jessie + OMV 3.0.latest Kernel: Linux 4.8.0-0.bpo.2-amd64
    Processor: Intel Core 2 Duo E8400@3GHz
    Memory: 4GB RAM
    OS-HDD: Samsung SSD 120 GB +LVM


    Full media and download center configured.


    BIG and special thanks for OMV-Extras team for great plug-ins (especially: TeamSpeak, VirtualBox, Sonarr, Radarr, and rest I use :))


    ------------------------------


    Wise guy don't know everything, he can search or ask!
    Don't ask me via PM!

  • Any chance of getting this plugin to use DNS as an alternative to webroot validation. My partner and I both have OMV servers, and they can't both sit on port 80, but we do both have our own domains, so we could both have LetsEncrypt SSL certificates if we could update them via DNS token rather than webroot. (Also, I'd prefer not to have the admin console accessible over raw http if I can avoid it.)

  • Will you update for OMV3?

    Probably not due to the next answer.


    new certbot should be now available

    It is available but not in the Debian jessie or stretch repos. I doubt it will ever be available in the jessie repos (even backports). Read next answer.


    Any chance of getting this plugin to use DNS as an alternative to webroot validation. My partner and I both have OMV servers, and they can't both sit on port 80, but we do both have our own domains, so we could both have LetsEncrypt SSL certificates if we could update them via DNS token rather than webroot. (Also, I'd prefer not to have the admin console accessible over raw http if I can avoid it.)

    There is a letsencrypt wildcard cert docker image available now that should solve just about everyone's need for an alternative method.


  • There is a letsencrypt wildcard cert docker image available now that should solve just about everyone's need for an alternative method.

    I don't see how a docker image could allow for automatic certificate update on two separate OMV servers behind the same NAT router, but thank you for the suggestion. I really think that the only way things will work for our particular setup is if the OMV-letsencrypt plugin gets support for DNS authentication.

  • Do you have 2 real dns internet domains? If so letsencrypt will work as it verifies that you entered a text record in each dns. Not sure how a plugin would add the text file for all the different registrars out there. But that is easy enough to do once you get the text.

  • The facility to authenticate via DNS exists in letsencrypt. The omv-letsencrypt plugin relies on the older method of placing a token file in the webroot of the server on port 80. There is no option to use DNS authentication in the plugin. This is why I would like the developer of omv-letsencrypt to add this as an option. Obviously one or both of us could manually configure letsencrypt to use DNS authentication, but that would not allow for automatic seamless updates of our OMV SSL certificates. Hopefully all is now clear.

  • The facility to authenticate via DNS exists in letsencrypt. The omv-letsencrypt plugin relies on the older method of placing a token file in the webroot of the server on port 80. There is no option to use DNS authentication in the plugin. This is why I would like the developer of omv-letsencrypt to add this as an option. Obviously one or both of us could manually configure letsencrypt to use DNS authentication, but that would not allow for automatic seamless updates of our OMV SSL certificates. Hopefully all is now clear.

    Doesn't the DNS auth require making a change to the DNS TXT record? This process seems like a big change in the workflow of how the plugin works. Maybe I will run into this same problem when I add support for the wildcard cert (waiting for certbot 0.22+ in the debian repos) but right now I don't have a lot of time for big changes like this.


  • Doesn't the DNS auth require making a change to the DNS TXT record?

    Yes it does. I think the way to do it is to present the txt record and wait for the user to update the record. Sometimes it takes a while for dns to propagate. Not sure that applies here? Also not sure if the renewal uses the same txt record or it needs to be changed then also.


    I think the dns route is a very advanced method and may need to be done manually. At least for now.

  • I think the way to do it is to present the txt record and wait for the user to update the record.

    That works well from the command line but presents a problem with the plugin.

    I think the dns route is a very advanced method and may need to be done manually. At least for now.

    I agree.


  • I hadn't appreciated that this requires update of DNS *every time* a new certificate is generated, which I agree makes it more challenging. People have worked around this using manual hooks - see https://serverfault.com/questi…m_campaign=google_rich_qa.


    I think this means that if you used a UI dropdown to toggle authentication type, and allowed users to enter their own manual hook script in a similar way to how the nginx plugin allows you to enter web server config, then it might be possible to implement simply by calling letsencrypt with the appropriate options. (Presumably you'd need to run any such script as an untrusted user.) There's a whole bunch of hook scripts available at:


    https://github.com/lukas2511/d…Examples-for-DNS-01-hooks


    Thanks for considering anyway. I understand it won't be possible to replicate the entire certbot command line in the UI, and it may well be that there are security implications to using custom hooks via the GUI, but it would definitely make my and my partner's life easier if this were possible.
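    As an added illustration of the manual-hook approach discussed above (example code, not the plugin's or any poster's), here is a certbot --manual-auth-hook for the DNS-01 challenge. certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to the hook; how the TXT record actually reaches the registrar is left out of band (the hook appends it to a queue file, a hypothetical path), and the hook then polls public DNS so renewals do not proceed before the new value has propagated. The ACME_TXT_QUEUE and ACME_DNS_MAX_TRIES variables are assumptions of this example.

```shell
#!/bin/sh
# Added example: certbot DNS-01 auth hook. Invoked by certbot roughly as
#   certbot certonly --manual --preferred-challenges dns \
#     --manual-auth-hook /path/to/this-hook.sh -d example.com -d '*.example.com'
# certbot sets CERTBOT_DOMAIN and CERTBOT_VALIDATION for every domain in turn,
# so the hook may run several times; a base domain plus its wildcard both use
# the same _acme-challenge name with two different TXT values.
set -eu

QUEUE_FILE="${ACME_TXT_QUEUE:-/var/lib/acme-dns-queue.txt}"  # hypothetical path
MAX_TRIES="${ACME_DNS_MAX_TRIES:-60}"                         # 60 tries x 10 s

# Name of the TXT record the CA will query for a given domain.
acme_record_name() {
    printf '_acme-challenge.%s\n' "$1"
}

# One line for whoever applies the record at the registrar: "name TXT value".
acme_record_line() {
    printf '%s TXT %s\n' "$(acme_record_name "$1")" "$2"
}

# Given raw "dig +short TXT" output (one quoted string per line, possibly
# several records), return 0 if the expected value is among them.
txt_value_present() {
    printf '%s\n' "$1" | sed 's/"//g' | grep -qxF -- "$2"
}

# Query the system resolver; empty output if dig is missing or the name is unset.
txt_published() {
    got=$(dig +short TXT "$1" 2>/dev/null || true)
    txt_value_present "$got" "$2"
}

# Block until the value is visible, or give up so certbot reports a clear failure.
wait_for_txt() {
    name=$1; want=$2; tries=0
    until txt_published "$name" "$want"; do
        tries=$((tries + 1))
        if [ "$tries" -ge "$MAX_TRIES" ]; then
            echo "TXT record $name with expected value not visible in DNS" >&2
            return 1
        fi
        sleep 10
    done
}

# Entry point: only runs when certbot has set its environment.
if [ -n "${CERTBOT_DOMAIN:-}" ] && [ -n "${CERTBOT_VALIDATION:-}" ]; then
    acme_record_line "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" >> "$QUEUE_FILE"
    wait_for_txt "$(acme_record_name "$CERTBOT_DOMAIN")" "$CERTBOT_VALIDATION"
fi
```

    Because the validation value changes on every issuance, the record must be republished at each renewal, which is exactly why a plugin cannot treat it as a one-off setup step.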

  • I'm having issues getting my certificate generated.
    Port 80 is open, I've changed my /etc/nginx/sites-enabled/openmediavault-webgui with this entry:



    Code
    location ^~ /.well-known/acme-challenge/ {
        allow all;
        root /var/www/openmediavault;
        try_files $uri =404;
    }

    Checked whether http://mydomain/.well-known/ is accessible by placing a text file in it.
    Upon generating my certificate I receive the following log:




    Could anyone help please?
