In portainer you find some icons on the right side of your container. One of the icons will show you the log file. You can check it for error messages.
Omv5 and Letsencrypt plugin
-
- solved
- OMV 5.x
- Toho531
-
-
you mean
/config/letsencrypt:/config?
Usually you would put the config folder on one of your data drives.
The user that is running the container has most likely no write access to your OS drive.
The certificates should be in
/<path you specified for config>/etc/letsencrypt/live/<domain.name>/
Great answer! Thank you.
Found the files in /config/letsencrypt/etc/letsencrypt/live/<domain.name>/
I didn't want to use a folder on my data drives because for me this is all configuration stuff
-
I found a great video regarding letsencrypt docker / portainer configuration:
[External content: www.youtube.com]
It's in French, but even if I can't speak French, it's more understandable than many English videos.
Now the question is just how to link the pem files to OMV. In case I re-new the certificates OMV should use them automatically.
-
You can create symlinks with ln -s target linkname
-
Where are the certificates created via the OMV GUI located? Are these pem-files, too?
-
Okay, now I see the SSL certificate is inside the config.xml file, so no chance to auto-renew the certificate. Seems like I have a very unusual case here...
-
-
Thank you for this. I've already seen that documentation but to copy the content manually is really bad.
-
It mentions also where the self signed certificates are stored.
-
I still don't understand where you are heading. If you have a certificate for your OMV, you can connect to the GUI, but not to the files on your server.
-
I still don't understand where you are heading. If you have a certificate for your OMV, you can connect to the GUI, but not to the files on your server.
Toho531 wants to use LetsEncrypt certs for the OMV GUI, and not have to manually copy/paste the key and cert.
Getting a LetsEncrypt cert is easy enough via Docker, but Toho is looking for a more automated way to import into the OMV GUI (I am too).
I don't NEED SSL on my OMV GUI as I'm just on my LAN...but just looking to do it because I can.
-
Toho531
Added the label "solved". -
Toho531
Added the label "OMV 5.x". -
So there is no way to specify path to cert and key files? Only hard import available? How do we do automatic renewal using cron jobs then? The renewal command updated cert files on the disk, not in OMV database ...
I see that in /etc/nginx/sites-available/openmediavault-webgui it links to uuid-ed files.
Code
ssl_certificate /etc/ssl/certs/openmediavault-xxxxx-xxxx-xxxx-xxxxxxx.crt;
ssl_certificate_key /etc/ssl/private/openmediavault-xxxxx-xxxx-xxxx-xxxxxxx.key;
Will it work, and stay working, If I do
-
Hi,
Will be very interested in a way to automatically renew LetsEncrypt certificates in OMV as, at the moment, it's really a pain in the ass every 3 months to:
1 - Renew the LetsEncrypt certificate by cron or CLI,
2 - Copy/Paste the info in OMV GUI to generate the OMV one,
3 - Copy/Paste the path to the new OMV certificate in every nginx site conf file (yes, I have some reverse proxy sites that use my wildcard certificate!)
So many sources of errors...
Why can OMV have the option to use directly the LetsEncrypt certificate (which is automatically renewed) by simply giving its path? It would be so easy!
OMV is meant to be easy on those things, no?
P.S.: Please, don't tell me to use docker as it's a PERSONAL NAS that doesn't need this complexity to automatically renew a certificate! OMV is supposed to be a user friendly experience. -
Why can OMV have the option to use directly the LetsEncrypt certificate (which is automatically renewed) by simply giving its path? It would be so easy!
OMV is meant to be easy on those things, no?
P.S.: Please, don't tell me to use docker as it's a PERSONAL NAS that doesn't need this complexity to automatically renew a certificate! OMV is supposed to be a user friendly experience.
There is a plugin that does this but I stopped maintaining it because certbot is a moving target and the version in the Debian repo is rarely up to date enough for a lot of people. The wildcard feature that most people want is very difficult to automate as well.
And yes, I do tell people to use docker. I use certbot myself. Putting it in docker doesn't change that much. It actually makes it easier if the system you are generating the cert on does not have a web server or you do not want the current web server exposed to the internet (like OMV's web server).
-
There is a plugin that does this but I stopped maintaining it because certbot is a moving target
Yes, a plugin following another piece of sw is a pain. But I think it's not needed, just giving users a way to enter the path to their certificates will be sufficient, imho. They already have autorenewal configured by other means (I use acme.sh and dns-01 validation).
-
There is a plugin that does this but I stopped maintaining it because certbot is a moving target and the version in the Debian repo is rarely up to date enough for a lot of people. The wildcard feature that most people want is very difficult to automate as well.
And yes, I do tell people to use docker. I use certbot myself. Putting it in docker doesn't change that much. It actually makes it easier if the system you are generating the cert on does not have a web server or you do not want the current web server exposed to the internet (like OMV's web server).
I can totally understand that. I personally recompile the latest versions of handbrake, qbittorrent-nox to be up to date in debian 10, and this can be a real pain
Certificates are much more used and useful. As said just before, maybe a path to the automated certificate in the Certificates or General Settings tabs in OMV could be a huge help for a lot of people?
Cheers. -
Old thread, but this is something that has annoyed me for a while! I've come up with a way to solve it using certbot and post-renewal hooks. I've only given this minimal testing so far.. time will tell in a few months if this worked.
* Set up certbot normally using nginx and the web root /var/www/openmediavault/
* Create a post-renewal script using the code below. You'll need to customise the domain name in the 4th line. Put the script somewhere sensible, make it chmod a+x
* Edit the certbot config file for your domain name to call this script using renew_hook
I have no idea what the uuid is for the RPC call. It works for me, but it seems like a magic number. If it doesn't work for you, try uploading a certificate through the UI and use your browser's developer tools to divine the number. Maybe it changes with each login session? I have no idea!
Anyway, hope this helps someone.
Bash
#!/bin/sh

certname="LetsEncrypt $(date +%Y%m%d)"
domain="hc.your.domain.name"

# Upload new certificate
/sbin/omv-rpc -u admin CertificateMgmt set "{\"uuid\":\"fa4b1c66-ef79-11e5-87a0-0002b3a176b4\", \"privatekey\":\"$(cat /etc/letsencrypt/live/${domain}/privkey.pem | awk '{printf "%s\\n", $0}')\",\"certificate\":\"$(cat /etc/letsencrypt/live/${domain}/cert.pem | awk '{printf "%s\\n", $0}' )\",\"comment\":\"${certname}\"}"

# Fetch the ID of the newly uploaded certificate
certref=$(/sbin/omv-rpc CertificateMgmt getList '{"start": 0, "limit": -1}' | jq ".data[] | select (.comment==\"$certname\").uuid" -r)

# Set the new certificate for the OMV web interface
/sbin/omv-rpc WebGui setSettings "{\"port\":80,\"timeout\":1440,\"enablessl\":true,\"sslcertificateref\":\"${certref}\",\"sslport\":443,\"forcesslonly\":false}"

# Apply changes
/sbin/omv-rpc Config applyChangesBg '{"modules": [], "force": false}'
-
I have no idea what the uuid is for the RPC call. It works for me, but it seems like a magic number.
It is the uuid reserved for new objects set in /etc/default/openmediavault under OMV_CONFIGOBJECT_NEW_UUID. You could actually source /etc/default/openmediavault in your script and replace the uuid with ${OMV_CONFIGOBJECT_NEW_UUID}.
The only problem I can see with this script is that it will create a new cert every time instead of updating the current cert on future runs. I wrote a script that does that (doesn't default to certbot locations) - https://github.com/ryecoaaron/…/blob/main/update_cert.sh
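Added example, not part of the posts above and not the linked update_cert.sh: a renew hook that combines the two points from this exchange, reading OMV_CONFIGOBJECT_NEW_UUID from /etc/default/openmediavault and reusing an existing certificate entry instead of adding a new one on every renewal. Assumptions: the fixed comment "LetsEncrypt" is a hypothetical marker for finding the entry, and `CertificateMgmt set` called with an existing uuid is assumed to update that entry; the RPC names, paths and web GUI settings are the ones from the script above.

```python
#!/usr/bin/env python3
"""Certbot renew hook: update the OMV certificate entry in place (added example)."""
import json
import re
import subprocess
import sys
from pathlib import Path

COMMENT = "LetsEncrypt"  # hypothetical stable comment used to find our entry again
FALLBACK_NEW_UUID = "fa4b1c66-ef79-11e5-87a0-0002b3a176b4"  # value from the post above

def new_object_uuid(defaults_text):
    """Read OMV_CONFIGOBJECT_NEW_UUID from the text of /etc/default/openmediavault."""
    m = re.search(r'^\s*OMV_CONFIGOBJECT_NEW_UUID=["\']?([0-9a-fA-F-]{36})', defaults_text, re.M)
    return m.group(1) if m else FALLBACK_NEW_UUID

def target_uuid(cert_list, new_uuid, comment=COMMENT):
    """Return the uuid of the entry carrying our comment, else the new-object uuid."""
    for entry in cert_list.get("data", []):
        if entry.get("comment") == comment:
            return entry["uuid"]
    return new_uuid

def set_params(uuid, key_pem, cert_pem, comment=COMMENT):
    """Build the 'set' parameters; json.dumps escapes newlines and quotes in the PEM."""
    return json.dumps({"uuid": uuid, "privatekey": key_pem,
                       "certificate": cert_pem, "comment": comment})

def rpc(*args):
    """Run omv-rpc and return its raw output; a failing call raises."""
    return subprocess.run(["/sbin/omv-rpc", *args], check=True,
                          capture_output=True, text=True).stdout

def main(domain):
    live = Path("/etc/letsencrypt/live") / domain
    new_uuid = new_object_uuid(Path("/etc/default/openmediavault").read_text())
    listing = ["CertificateMgmt", "getList", '{"start": 0, "limit": -1}']
    uuid = target_uuid(json.loads(rpc(*listing)), new_uuid)
    # Assumption: 'set' with an existing uuid updates that entry instead of adding one.
    rpc("-u", "admin", "CertificateMgmt", "set", set_params(
        uuid, (live / "privkey.pem").read_text(), (live / "cert.pem").read_text()))
    if uuid == new_uuid:  # first run only: point the web GUI at the new entry
        ref = target_uuid(json.loads(rpc(*listing)), new_uuid)
        rpc("WebGui", "setSettings", json.dumps({
            "port": 80, "timeout": 1440, "enablessl": True,
            "sslcertificateref": ref, "sslport": 443, "forcesslonly": False}))
    rpc("Config", "applyChangesBg", '{"modules": [], "force": false}')

if __name__ == "__main__":
    main(sys.argv[1])
```

As in the original script, the private key is passed to omv-rpc as a command-line argument, so it is visible in the process list to other local users while the call runs. Keep the hook root-owned and not writable by anyone else, since certbot runs it as root.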