TLS/SSL Connection Issue (Can't do anything involving TLS/SSL)

  • I am following up to my previous thread here:

    Locked out of OMV5 after setting connection to Port 81, and ongoing SSL/TLS connection issue

    I cannot solve that thread, until I solve a fundamental issue with my server:


    I cannot use TLS/SSL in my server.


    I have set HTTP to 81 and HTTPS to 443. My server will only connect to the OMV5 Control Panel if I type 192.168.1.103 or specify http://192.168.1.103:81/ or https://192.168.1.103:443.


    But when I attempt a connection with HTTPS via 443, it will show an insecure connection only (of HTTP). I have checked both the "Enable secure connection" and "Force secure connection only" options, and I have rebuilt my certificate, but nothing is working.


    Something is wrong with my configuration. Without TLS/SSL working properly I will never be able to have a secure connection using tools like LetsEncrypt (to access my server remotely) or anything. I have searched online and cannot find any information on how to fix this.


    Please assist if you can.

  • MarkTwo

    Changed the thread title from "TLS/SSL Connection Issue (Can't do anything involving SSL)" to "TLS/SSL Connection Issue (Can't do anything involving TLS/SSL)".
  • Agricola

    Approved the thread.
  • You state that https://<your local IP>:443 works, then you say it doesn't and kicks you back to http. Did you mean to say that https://<your public hostname>:443 doesn't work?

    I'm assuming you have a hostname registered via a dynamic DNS service. Are you on a typical home LAN behind a router?


    Side note: I recommend not forcing secure connections only. It's generally safe, and easier, to use plain HTTP on the local network, and the http port won't be exposed to the Internet.

  • Sir, I meant my local IP. Yes - I have a DuckDNS set up for my Public IP (for remote access) but I intend to use that later. If I were to connect outside my LAN using my Public IP, with port forwarding, the connection still shows as insecure, just like inside my LAN.


    My issue still stands: I can't get TLS/SSL working in OMV5.


    I need to know what I have to configure to get it to work. Please assist.

  • Make sure your browser has not cached a bad certificate. Probably not it, but that can be a really pernicious problem. I wanted to suggest another option is using the swag docker image. For me it was much easier and is a more complete solution. Especially if you are already using duckdns. It has a config file for each of about 100 apps you can enable. I'm running some apps in a secure vpn network so I had to tweak a few of the files, but it wasn't hard. So I moved the omv5 port to some odd number and then used swag for everything. Certs work, it takes care of letsencrypt, all apps are securely at appname.yyyy.duckdns.org, and browsers are happy.

  • But I don't see how this solves my fundamental problem. SWAG is going to ask for a secure TLS/SSL connection just like letsencrypt, and letsencrypt failed when I tried to set it up. My OMV5 server does not seem to be able to use TLS/SSL.


    I know this, because if I select "force SSL connection" and my browser attempts to connect using a bad certificate (which I don't think is the case because I have always used the same cert since setting up the server) then it shouldn't be able to connect.


    But it still connects - just using only HTTP!


    So I need to understand what is going wrong with my OMV5 server and why TLS is having issues.


    I've been working on this issue for months and it is very frustrating. I need assistance.
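    Added diagnostic, not code from the thread or from OMV: a small Python probe that tells apart the two things a browser's "not secure" message blurs, namely a port that answers plain HTTP where HTTPS was expected (the symptom described above) and a port where TLS works but the self-signed certificate is simply not trusted. The names probe_tls and start_plain_http_listener are mine, and the listener is a constructed stand-in for an HTTP-only server, so the block runs offline.

```python
import socket
import ssl
import threading

def _handshake(host, port, ctx, timeout):
    """One TCP connect plus TLS handshake; returns the negotiated protocol version."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()

def probe_tls(host, port, timeout=3.0):
    """Return (status, detail): 'refused' (no listener), 'plaintext' (TCP connects
    but the peer answers the ClientHello with non-TLS bytes, e.g. an HTTP-only
    server on the 'HTTPS' port), 'tls-untrusted' (TLS works, chain not trusted:
    self-signed or unknown CA), 'tls-trusted' (chain verifies) or 'error'."""
    lax = ssl.create_default_context()
    lax.check_hostname = False  # must be cleared before verify_mode can be relaxed
    lax.verify_mode = ssl.CERT_NONE  # first pass: does the port speak TLS at all?
    try:
        version = _handshake(host, port, lax, timeout)
    except ConnectionRefusedError:
        return "refused", "nothing accepts TCP on that port"
    except ssl.SSLError as exc:  # WRONG_VERSION_NUMBER / unexpected EOF: not TLS
        return "plaintext", exc.reason or str(exc)
    except OSError as exc:
        return "error", str(exc)
    try:  # second pass: does the chain verify against the system trust store?
        _handshake(host, port, ssl.create_default_context(), timeout)
    except ssl.SSLCertVerificationError as exc:
        return "tls-untrusted", f"{version}: {exc.verify_message}"
    except (ssl.SSLError, OSError) as exc:
        return "tls-untrusted", f"{version}: {exc}"
    return "tls-trusted", version

def start_plain_http_listener():
    """Constructed stand-in for an HTTP-only server on an 'HTTPS' port: answers
    whatever arrives with an HTTP 400 and closes. Returns the bound port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        conn.recv(4096)
        conn.sendall(b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n")
        conn.close()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

    Against the LAN address in this thread, probe_tls("192.168.1.103", 443) returning 'plaintext' would mean the web server is not terminating TLS on 443 at all, while 'tls-untrusted' would mean TLS is fine and only the self-signed certificate is the issue.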

  • Are you using certbot (the tool recommended by LetsEncrypt)? If so, what certbot command did you run to register your certificate?

    I did not use Certbot.


    I simply generated a certificate using my OMV5 control panel > "certificates."


    Do you think my certificate is not being accepted, and that is why TLS/SSL will not work?

  • I don't know. I assumed you were trying to generate/use a LetsEncrypt certificate to use with your server's public hostname. You're trying to use a self-signed certificate which is fine of course, but will always trigger a browser warning the first time you try to connect to the server via https (since it's self-signed.)

    I don't know all the steps you've taken since generating your cert, so it's difficult to say where the problem lies.

  • Well firstly I generated the cert in "certificates" months ago, before I even knew about LetsEncrypt. I was following TechnoDadLife's tutorial for setting up OMV5 for the first time.


    But months later when I am trying to get remote access set up, I follow the tutorial mentioned in my other thread here:

    Locked out of OMV5 after setting connection to Port 81, and ongoing SSL/TLS connection issue


    And when following the tutorial - I proceeded to use that same cert.


    Now I was troubleshooting last night, and I created another self-signed cert. (And deleted my old one). However I am getting the same error as before:


    It's not the first time I try to connect, it is every time.... "The connection is not secure." I can't get TLS/SSL to work.


    First and foremost I don't understand the difference between signed and self signed certs, and how that could be affecting this issue. If you want to enlighten me that would be appreciated.


    Now I could try Certbot to generate a cert but I would need some guidance on how to add that to my OMV5 so it can be selected. Then I could try to connect again to see if HTTPS is working properly and/or if TLS/SSL is working properly.

  • Have you looked at this?

    Alright so I looked at that guide and let me do a brief recap here:


    It says that LetsEncrypt is essentially a Certificate Authority (CA).


    Okay... TLS/SSL works by using a CA, like LetsEncrypt. And TLS/SSL is not working on my OMV5 which is the problem of this thread.


    My TLS/SSL wasn't working before I installed LetsEncrypt, and still doesn't work after I tried to install it using the guide I posted in my first post, which was this. It only partially installs, minus the TLS/SSL secure connection.


    It fails to install, I suspect, because there was something wrong with my TLS/SSL in OMV5 in the first place. Which is why I made this thread. But what? Well I guess that brings us to the certificate itself.... I tried re-generating the certificate in OMV5 several times.... but TLS/SSL still doesn't work.


    Then you suggested using CertBot instead. I have not done that yet, because I am stuck on one thing, I need to know what to input on this page (take a look). I am searching for the correct installation instructions. I am putting down: "My HTTP website is running "Web Hosting Product" on "Debian 10 (buster)."" Because OMV5 is Debian based.


    Okay... once I get that solved, I will try to install Certbot. I should also mention a few things too:

    -I use DuckDNS to resolve a URL for my "website" but just to keep this simple I will install CertBot using my public IP. I don't need a URL yet.

    -When generating my certificate in OMV5, I just used my personal Gmail email to fill out that field that asks you for an email. My personal email has nothing to do with my server, and I don't know the purpose of there being an email in the certificate. Why do we need an email? Is there a technical reason?


    So if I get CertBot installed then maybe LetsEncrypt will have a "good" certificate to now use, and therefore my TLS/SSL will work?

  • Instead of "Web Hosting Product," select "None of the above." Then just follow the instructions. Provided that you have the OMV GUI set to be accessed through a port other than 80, use the certbot standalone command, otherwise go with the webroot one.

    And yes, you do need that DuckDNS URL... certificates work with hostnames, not IP addresses (as far as I can tell), at least those tied to a proper CA like LetsEncrypt.

    I don't know the answer to your question re: email... or why TLS won't work for you. But something tells me the problem isn't with the certificates you're generating. Regardless, maybe the certbot route will give us some clues.

  • Sorry I don't come here often, replying back to my original swag suggestion: When you use the swag container it has everything it needs to support https, its own ssl libs, etc. If you have something missing or misconfigured in your os install that has broken tls it shouldn't matter. Really, it's pretty easy if you can use portainer. You just need your duckdns domain and token. The only manual part is enabling the apps you want to proxy from the shell. Most apps are already there, you just need to rename files. I didn't want to expose my omv5 console to the web but if you want to do that you would need a proxy config for it. Just copy one of the others there and edit it.

  • Sorry for the long delay, I have been busy with life.


    I installed snapd and certbot, so those are both done.


    I am now running into an issue when I try to perform a certificate validation. I have taken a screen capture of the issue below, and I scratched out my domain name. Basically when I put in my DuckDNS url, it failed to generate a certificate. I checked and my DuckDNS url does have my public IP address assigned. My ports 80, 81 and 443 are forwarded (TCP and UDP) in my router to my server. It says the challenge has failed.


    Any thoughts? I don't see how networking could be an issue, it is a pretty simple setup, the server is directly connected to the router via ethernet. What else could cause a failure to set up certificates?


  • Well, first of all, don't use sudo if you're already root. ;)


    Second, do you have your OMV GUI on port 80? If so, change it - otherwise certbot is unable to spin up its own web server on the same port for authentication. Or use webroot instead of standalone.


    Other than that, I don't have any ideas... unless your router is interfering with port 80 forwarding for some reason. (You don't need 81 and 443, btw.)

  • I gave that a try. I will tell you what happened....


    I set my OMV port to 81 in "General Settings". Then I opened up PuTTY and SSH'd into my server, logged in, and ran the following command:

        $ sudo certbot certonly --standalone

    I was prompted to put in my domain name so I put in my DuckDNS domain name for my server (IPv4 address and everything all correct).


    I got this error.



    So when I do port 81, the challenges fail.


    I tried setting it to port 80 and running it again. The challenge seems to work, BUT then it gives me this error: "Problem binding to port 80: Could not bind to IPv4 or IPv6."



    I looked online and basically what people say for this error is that something is already using port 80, and so it cannot do it.


    But I ran netstat -ano on my home desktop to find anything using port 80 in my home network, and there isn't anything. There is the option of possibly bypassing this error and removing the --standalone from the command so that it looks like:


        $ sudo certbot certonly

    Which will then prompt you to choose from a few options like 1) Use the Nginx webserver plugin 2) Spin up a temporary webserver 3) Place files in webroot directory.


    Anyways I don't want to use those, I want to figure out what is going on with the "Problem binding to port 80: Could not bind to IPv4 or IPv6." error.


    So are there any reasons why it can't bind to port 80?

  • TL;DR


    Is this what you're trying to set up?!? Secure access to OMV from WAN?



    Run SWAG on docker with "VALIDATION=duckdns && DUCKDNS_TOKEN=<your token> && SUBDOMAINS=wildcard"


    After that, use this code on a file in the <path-to-swag>/config/nginx/proxy-confs/ dir (name it as "omv.subdomain.conf" for eg).

    NOTE: edit the IP Address and the Port used of the OMV server:


    Restart SWAG and profit.



    See this thread to read the whole context: RE: SWAG, Let’s Encrypt and Web GUI
