Omv5 and Letsencrypt plugin

Zitat von macom

I still don't understand where you are heading. If you have a certificate for your OMV, you can connect to the GUI, but not to the files on your server.

Toho531 wants to use LetsEncrypt certs for the OMV GUI, and not have to manually copy/paste the key and cert.

Getting a LetsEncrypt cert is easy enough via Docker, but Toho is looking for a more automated way to import into the OMV GUI (I am too).

I don't NEED SSL on my OMV GUI as I'm just on my LAN...but just looking to do it because I can.

Zitat von macom

https://openmediavault.readthe…general/certificates.html

So there is no way to specify path to cert and key files? Only hard import available? How do we do automatic renewal using cron jobs then? The renewal command updated cert files on the disk, not in OMV database ...

I see that in /etc/nginx/sites-available/openmediavault-webgui it links to uuid-ed files.

ssl_certificate /etc/ssl/certs/openmediavault-xxxxx-xxxx-xxxx-xxxxxxx.crt;
ssl_certificate_key /etc/ssl/private/openmediavault-xxxxx-xxxx-xxxx-xxxxxxx.key;

Will it work, and stay working, If I do

cd /etc/ssl/certs/
rm openmediavault-xxxxx-xxxx-xxxx-xxxxxxx.crt
ln -s /real/path/to/mysite.crt openmediavault-xxxxx-xxxx-xxxx-xxxxxxx.crt
(plus same for key)

Hi,

Will be very interested in a way to automaticaly renew LetsEncrypt certificates in OMV as, at the moment, it's really a pain in the ass every 3 months to :
1 - Renew the LetsEncrypt certificate by cron or CLI,
2 - Copy/Paste the info in OMV GUI to generate the OMV one,
3 - Copy/Paste the path to the new OMV certificate in every nginx site conf file (yes, I have some reverse proxy sites that use my wildcard certicate !)

So many sources of errors...

Why can OMV have the option to use directly the LetsEncrypt certificate (which is automatically renew) by simply giving its path ? It would be so easy !

OMV is mean to be easy on those things, no ?

P.S.: Please, don't tell me to use docker as it's a PERSONNAL NAS that don't need this complexity to automaticaly renew a certificat ! OMV is supposed to be a user friendly experience.

Zitat von ryecoaaron

There is a plugin that does this but I stopped maintaining it because certbot is a moving target

Yes, plugin following another piece of sw is a pain. But I think its not needed, just giving users a way to enter path to their certificates will be sufficient, imho. They already have autorenewal configured by other means (I use acme.sh and dns-01 validation).

Zitat von ryecoaaron

There is a plugin that does this but I stopped maintaining it because certbot is a moving target and the version in the Debian repo is rarely up to date enough for a lot of people. The wildcard feature that most people want is very difficult to automate as well.

And yes, I do tell people to use docker. I use certbot myself. Putting it in docker doesn't change that much. It actually makes it easier if the system you are generating the cert on does not have a web server or you do not want the current web server exposed to the internet (like OMV's web server).

I can totally understand that. I personnaly recompile the latest versions of handbrake, qbittorrent-nox to be up to date in debian 10, and this can be a real pain

Certificates are much more used and useful. As said just before, maybe a path to the automated certificat in the Certificates or General Settings tabs in OMV could be a huge help for a lot of people ?

Cheers.

Old thread, but this is something that has annoyed me for a while! I've come up with a way to solve it using certbot and post-renewal hooks. I've only given this minimal testing so far.. time will tell in a few months if this worked.

* Set up certbot normally using nginx and the web root /var/www/openmediavault/

* Create a post-renewal script using the code below. You'll need to customise the domain name in the 4th line. Put the script somewhere sensible, make it chmod a+x

* Edit the certbot config file for your domain name to call this script using renew_hook

I have no idea what the uuid is for the RPC call. It works for me, but it seems like a magic number. If it doesn't work for you, try uploading a certificate through the UI and use your browser's developer tools to divine the number. Maybe it changes with each login session? I have no idea!

Anyway, hope this helps someone.

#!/bin/sh

certname="LetsEncrypt $(date +%Y%m%d)"
domain="hc.your.domain.name"

# Upload new certificate
/sbin/omv-rpc -u admin CertificateMgmt set   "{\"uuid\":\"fa4b1c66-ef79-11e5-87a0-0002b3a176b4\", \"privatekey\":\"$(cat /etc/letsencrypt/live/${domain}/privkey.pem | awk '{printf "%s\\n", $0}')\",\"certificate\":\"$(cat /etc/letsencrypt/live/${domain}/cert.pem | awk '{printf "%s\\n", $0}' )\",\"comment\":\"${certname}\"}"

# Fetch the ID of the newly uploaded certificate
certref=$(/sbin/omv-rpc  CertificateMgmt getList   '{"start": 0, "limit": -1}' | jq ".data[] | select (.comment==\"$certname\").uuid" -r)

# Set the new certificate for the OMV web interface
/sbin/omv-rpc WebGui setSettings "{\"port\":80,\"timeout\":1440,\"enablessl\":true,\"sslcertificateref\":\"${certref}\",\"sslport\":443,\"forcesslonly\":false}"

# Apply changes
/sbin/omv-rpc Config applyChangesBg '{"modules": [], "force": false}'