Yes, port 80 is open. Generating the certificate isn't the problem. After looking into it further, I don't think this is a problem with letsencrypt; it is a problem with my nginx config.
openmediavault-letsencrypt
- OMV 3.x
- fubz
-
Hello,
thanks for this plugin!
If I understand correctly, it requires port 80 to be open to the internet and also the OMV web interface to listen on port 80. I am not so comfortable with that. What I am currently doing manually is to open port 80 in my router via upnpc only when needed:
Code
upnpc -r 80 TCP # > /dev/null 2>&1
sleep 20
letsencrypt certonly --standalone
upnpc -d 80 TCP # > /dev/null 2>&1
Wouldn't it be good to add this option to the plugin?
Greetings,
Hendrik
-
If I understand correctly, it requires port 80 to be open to the internet and also the OMV Webinterface to listen on port 80. I am not so comfortable with that.
It does require port 80 to be open with a listening web server but the OMV web interface does not need to be listening on that port (maybe it does if the web interface is listed in the Domains tab).
Wouldn't it be good to add this option to the plugin?
If you turn off upnp on your router, does upnpc return a non-zero error code when trying to open or close the port?
-
Hello,
so if I set the OMV web interface port to something other than 80, it will not work by default, but I need to configure nginx (or another webserver) to listen on port 80...
Regarding the return code:
Code
root@homeserver:/etc/letsencrypt# upnpc -r 80 TCP
upnpc : miniupnpc library test client. (c) 2005-2014 Thomas Bernard
Go to http://miniupnp.free.fr/ or http://miniupnp.tuxfamily.org/ for more information.
List of UPNP devices found on the network :
 desc: http://192.168.177.1:49000/igddesc.xml
 st: urn:schemas-upnp-org:device:InternetGatewayDevice:1
Found valid IGD : http://192.168.177.1:49000/igdupnp/control/WANIPConn1
Local LAN ip address : 192.168.177.3
InternalIP:Port = 192.168.177.3:80
external 188.108.26.52:80 TCP is redirected to internal 192.168.177.3:80 (duration=0)
This opened the port.
Code
root@homeserver:/etc/letsencrypt# upnpc -d 80 TCP
upnpc : miniupnpc library test client. (c) 2005-2014 Thomas Bernard
Go to http://miniupnp.free.fr/ or http://miniupnp.tuxfamily.org/ for more information.
List of UPNP devices found on the network :
 desc: http://192.168.177.1:49000/igddesc.xml
 st: urn:schemas-upnp-org:device:InternetGatewayDevice:1
Found valid IGD : http://192.168.177.1:49000/igdupnp/control/WANIPConn1
Local LAN ip address : 192.168.177.3
UPNP_DeletePortMapping() returned : 0
root@homeserver:/etc/letsencrypt# echo $?
0
This closed the port. Exit code is 0.
Let's close the port again. This will fail.
Code
root@homeserver:/etc/letsencrypt# upnpc -d 80 TCP
upnpc : miniupnpc library test client. (c) 2005-2014 Thomas Bernard
Go to http://miniupnp.free.fr/ or http://miniupnp.tuxfamily.org/ for more information.
List of UPNP devices found on the network :
 desc: http://192.168.177.1:49000/igddesc.xml
 st: urn:schemas-upnp-org:device:InternetGatewayDevice:1
Found valid IGD : http://192.168.177.1:49000/igdupnp/control/WANIPConn1
Local LAN ip address : 192.168.177.3
UPNP_DeletePortMapping() returned : 714
root@homeserver:/etc/letsencrypt# echo $?
0
but the return code is 0.
One can parse the command-line output of upnpc though (714 in this case).
Also, upnpc will list the redirections that are active:
Code
upnpc -l
upnpc : miniupnpc library test client. (c) 2005-2014 Thomas Bernard
Go to http://miniupnp.free.fr/ or http://miniupnp.tuxfamily.org/ for more information.
List of UPNP devices found on the network :
 desc: http://192.168.177.1:49000/igddesc.xml
 st: urn:schemas-upnp-org:device:InternetGatewayDevice:1
 desc: http://192.168.177.3:8081/desc.xml
 st: urn:ses-com:device:SatIPServer:1
Found valid IGD : http://192.168.177.1:49000/igdupnp/control/WANIPConn1
Local LAN ip address : 192.168.177.3
Connection Type : IP_Routed
Status : Connected, uptime=569744s, LastConnectionError : ERROR_NONE
 Time started : Sun Sep 23 00:11:46 2018
MaxBitRateDown : 106826000 bps (106.8 Mbps) MaxBitRateUp 37229000 bps (37.2 Mbps)
ExternalIPAddress = x
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 TCP 10624->192.168.177.3:4242 'CrashPlan' '' 0
GetGenericPortMappingEntry() returned 713 (SpecifiedArrayIndexInvalid)
and:
Code
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 TCP 10624->192.168.177.3:4242 'CrashPlan' '' 0
 1 TCP 80->192.168.177.3:80 'libminiupnpc' '' 0
Greetings,
Hendrik
-
so if I set the OMV Web-Interface Port to something other than 80 it will not work by default, but I need to configure nginx (or another webserver) to listen at port 80...
Yes. That is the only way the plugin can get a cert since it runs in the required non-interactive mode.
One can parse the command-line output of upnpc though (714 in this case).
Since the return codes seem to always be zero, someone else will have to implement the code. I'm not a fan of parsing output and it could be in different languages (parsing for a small number is unreliable). Plus, I have no way to test. The cronjob that the plugin creates could be edited to add the upnpc commands. I would think in your case, it would be easier to open port 80 on your router and forward it to the nginx plugin running an empty site on a different port. Then you wouldn't have to move the OMV web interface from port 80.
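As an added example (not code from the openmediavault-letsencrypt plugin and not from any post in this thread), here is how the cron-side script Hendrik describes can be written so that the exit-code problem he found does not matter: the decision is taken from the error number in upnpc's own output and from what `upnpc -l` reports, and a trap closes the port again whether certbot succeeds, fails or is interrupted. The certbot command line, the constructed sample output used by `self_check`, and the assumption that newer upnpc report a failed `-r` as "failed with code N" are mine, not from the thread.

```shell
#!/bin/sh
# Added example; not code from the openmediavault-letsencrypt plugin or from any
# post in this thread. Opens TCP/80 on a UPnP router only while certbot runs in
# standalone mode, checks the result from upnpc's own output instead of its exit
# code (the 2014 upnpc in Debian exits 0 even when the gateway reports error 714,
# as shown above), confirms the mapping with `upnpc -l`, and closes the port on
# every exit path with a trap.

EXT_PORT=80                                    # port the Let's Encrypt validator connects to
# Assumption: how certbot is invoked; adjust for your setup (e.g. add -d hostnames).
CERTBOT_CMD="${CERTBOT_CMD:-certbot certonly --standalone --non-interactive}"

# Print the UPnP error code contained in upnpc output, or 0 if there is none.
# Matches "UPNP_DeletePortMapping() returned : 714" (format quoted in the thread).
# Also matches "... failed with code 718 (...)", which is an assumption about how
# newer upnpc report a failed -r. The colon is required so that the harmless
# end-of-list marker "GetGenericPortMappingEntry() returned 713" does not match.
upnp_status() {
    code=$(printf '%s\n' "$1" |
        sed -n -e 's/.*returned *: *\([0-9][0-9]*\).*/\1/p' \
               -e 's/.*failed with code *\([0-9][0-9]*\).*/\1/p' |
        tail -n 1)
    printf '%s\n' "${code:-0}"
}

# Succeed if `upnpc -l` output ($1) lists a TCP redirection for external port $2.
# Rows look like " 1 TCP 80->192.168.177.3:80 'libminiupnpc' '' 0".
mapping_present() {
    printf '%s\n' "$1" | grep -Eq "^[[:space:]]*[0-9]+[[:space:]]+TCP[[:space:]]+$2->"
}

close_port() {
    st=$(upnp_status "$(upnpc -d "$EXT_PORT" TCP 2>&1)")
    # 714 (NoSuchEntryInArray) means the mapping is already gone, which is fine.
    [ "$st" = 0 ] || [ "$st" = 714 ] ||
        echo "warning: router still forwards port $EXT_PORT (UPnP error $st)" >&2
}

open_port() {
    out=$(upnpc -r "$EXT_PORT" TCP 2>&1) || return 1      # newer upnpc do exit non-zero
    st=$(upnp_status "$out")
    [ "$st" = 0 ] || { echo "upnpc -r failed (UPnP error $st)" >&2; return 1; }
    # Never trust the exit code alone: ask the router what it actually forwards.
    mapping_present "$(upnpc -l 2>&1)" "$EXT_PORT"
}

renew_with_temporary_port() {
    trap close_port EXIT INT TERM     # close on success, on certbot failure and on Ctrl-C
    open_port || { echo "could not open external port $EXT_PORT" >&2; return 1; }
    $CERTBOT_CMD
}

# Constructed sample output, modelled on the upnpc output quoted in this thread,
# so the parsers can be exercised without a router.
SAMPLE_DELETE_OK="Local LAN ip address : 192.168.177.3
UPNP_DeletePortMapping() returned : 0"
SAMPLE_DELETE_FAIL="Local LAN ip address : 192.168.177.3
UPNP_DeletePortMapping() returned : 714"
SAMPLE_ADD_OK="InternalIP:Port = 192.168.177.3:80
external 203.0.113.5:80 TCP is redirected to internal 192.168.177.3:80 (duration=0)"
SAMPLE_LIST=" i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 TCP 10624->192.168.177.3:4242 'CrashPlan' '' 0
 1 TCP    80->192.168.177.3:80 'libminiupnpc' '' 0
GetGenericPortMappingEntry() returned 713 (SpecifiedArrayIndexInvalid)"

# Offline self-check of the two parsers; returns 0 when all expectations hold.
self_check() {
    [ "$(upnp_status "$SAMPLE_DELETE_OK")" = 0 ] &&
    [ "$(upnp_status "$SAMPLE_DELETE_FAIL")" = 714 ] &&
    [ "$(upnp_status "$SAMPLE_ADD_OK")" = 0 ] &&
    mapping_present "$SAMPLE_LIST" 80 &&
    ! mapping_present "$SAMPLE_LIST" 443
}

# Touch the router only when explicitly asked: `sh upnp-renew.sh run`
if [ "${1:-}" = run ]; then
    renew_with_temporary_port
fi
```

Run it as `sh upnp-renew.sh run` from the cron job the plugin creates; without the argument the file only defines its functions, so `self_check` can be exercised on a machine without a UPnP gateway. Parsing the numeric code rather than the surrounding words also sidesteps the localisation concern raised above: the digits and the `returned :` marker are written by upnpc itself, not translated.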
-
Hello,
I understand. I am not just thinking about a use case for myself, but also for the newbie user.
What is the intended scenario? I think by default, the plugin will tend to make the user open the web interface to the internet. Your suggestion of using a different port for letsencrypt is good. So if letsencrypt would by default listen on port 79, one could ask the user to forward port 80 to 79 and everything would work. I think that forwarding port 80 to 79 is almost as easy as forwarding 80 to 80... And this redirection could always remain open.
What do you think?
Regarding upnpc:
What would you do with the return code?
I checked with the latest upnpc version (the one I get in Debian is four years old). Here I get exit code 2 in case of the failure I provoked above and exit code 0 if everything works!
Greetings,
Hendrik
-
Any thoughts, Aaron?
-
Hello,
I understand. I am not just thinking about a use case for myself, but also for the newbie user.
What is the intended scenario? I think by default, the plugin will tend to make the user open the web interface to the internet. Your suggestion of using a different port for letsencrypt is good. So if letsencrypt would by default listen on port 79, one could ask the user to forward port 80 to 79 and everything would work. I think that forwarding port 80 to 79 is almost as easy as forwarding 80 to 80... And this redirection could always remain open.
What do you think?
Regarding upnpc:
What would you do with the return code?
I checked with the latest upnpc version (the one I get in Debian is four years old). Here I get exit code 2 in case of the failure I provoked above and exit code 0 if everything works!
To avoid these problems I use Docker and the letsencrypt Docker container (easy to forward port 80 to 90 etc.); you can see a video of how to install it in my signature.
-
Thanks.
I am a Docker fan. But I do not understand what problem Docker solves in this case?
Letsencrypt brings its own webserver and its port can be configured.
Why not do that?
Greetings,
Hendrik
-
Thanks.
I am a Docker fan. But I do not understand what problem Docker solves in this case?
Letsencrypt brings its own webserver and its port can be configured.
Why not do that?
Greetings,
Hendrik
The problem it solves is the conflict over the http & https ports (80 & 443), which the OMV GUI uses and the letsencrypt plugin needs.
see: Installation and Setup Videos - Beginning, Intermediate and Advanced
-
So if letsencrypt would by default listen on port 79 one could ask the user to forward port 80 to 79 and everything would work. I think that forwarding port 80 to 79 is almost as easy as forwarding 80 to 80... And this redirection could always remain open.
What do you think?
You can't change the ports letsencrypt uses.
Any thoughts, Aaron?
I've been at a conference all week. I think I like raulfg3's idea of using docker rather than adding upnp to the plugin (it is tough to develop things that I can't test).
-
Hey people,
today I wanted to update OMV via the GUI (update management), which failed. I then tried to update via a shell by running omv-update, which succeeded, but it removed my letsencrypt plugin without asking. I also cannot reinstall it, neither via the web GUI nor via a shell:
apt install openmediavault-letsencrypt fails because it cannot install certbot; apt install certbot fails because of python3-certbot, and so on, until:
python3-requests : Depends: python3-chardet (>= 3.0.2) but 2.3.0-2 is to be installed
I could install python3-chardet, but apparently only a wrong version!
Is this an upstream problem, or is there anything I can do about it? Thanks for your help!
Daniel
-
The following should fix it (not necessary anymore if you install omv-extras 4.1.12):
sudo apt-get -t stretch-backports install python3-chardet
I need to fix the pinning in omv-extras to add the new dependency. So, either run the command or wait for the omv-extras update and install just that update. Then everything else should work.
-
The following should fix it:
sudo apt-get -t stretch-backports install python3-chardet
I need to fix the pinning in omv-extras to add the new dependency. So, either run the command or wait for the omv-extras update and install just that update. Then everything else should work.
Thanks, that worked like a charm!
-
The following should fix it:
sudo apt-get -t stretch-backports install python3-chardet
I need to fix the pinning in omv-extras to add the new dependency. So, either run the command or wait for the omv-extras update and install just that update. Then everything else should work.
Thx
-
omv-extras 4.1.12 in repo to fix this now.
-
My cert will expire on Nov 11, 2018. letsencrypt replaces it with a new one (no renewal needed, cert valid till 2019), but the nginx server still uses the old cert, and under certs in the OMV GUI the old one is still listed.
To resolve this issue I stopped the nginx plugin, assigned a self-signed cert to my server, deleted the letsencrypt cert under OMV certs, started a new renewal (no renewal needed, cert is valid) and here you go, the new letsencrypt cert is now listed under OMV certs and can be assigned to my server.
Why is there no automatic replacement? Bug? Feature? On purpose? I would prefer an automatic replacement.
What about wildcards like I asked here?
Do they only support one webroot? For example: /var/www and then the subdirectories nextcloud and wordpress? But what if I want to use separate webroots?
-
Why is there no automatic replacement? Bug? Feature? On purpose? I would prefer an automatic replacement.
This is a bug in the OMV 3.x plugin but the OMV 4.x plugin should replace it.
What about wildcards like I asked here?
Wildcard certs require changing things with your dns provider. So, this would be super difficult to automate and would be very dns vendor specific.
-
Thx for the quick response. Actually I am on OMV 4, so that's why I wonder why automatic replacement of the cert will not work.