Posts by Malefunk

    i have the same problem too. When i see the certs are expired i go to the letsencrypt plugin and do a renew,
    but with the message "Cert not yet due for renewal".
    After the command was issued, i get the notice that the configuration has changed, and i need to confirm,
    like i have to do if i change any omv config. After i do that, the nginx config is reloaded with the right new cert.

    Maybe there is a problem with the automatic reload after cert renewal by the cronjob

    Also havin issues.

    Windows Firefox works fine, but Android App, Android TV App and Kodi with emby Plugin stop displaying after a ~10 seconds.
    No errors, playing time goes on, both on app and on the emby client overview on the server.

    Downgrade to Mono 4.2 and reinstall solved the problem

    you should not need any routing besides the one Default route to internet, because the 2 local networks are known to linux as they are directly attached.
    If you want internet connectivity for the vdr host, you must enable IP Forwarding in the linux kernel

    sysctl -w net.ipv4.ip_forward=1

    If you want to forbid access to from vdr net, you need an iptables rule, otherwise it would also be routed.

    DNS is more challenging, if you want name resolutin depending on the subnet you need split dns. If you don't need you own zones, and just want internet dns,
    you can directly address the router, provider dns or maybe opendns, because of the default route the dns requests are also forwarded.
    But you can also install dnsmasq on omv which justs forwards the requests to internet.
    But remember, if you want to address the fritzbox you and have forbidden access to, you need to whitelist the FB IP in iptables.

    Can you explain more about SNI proxy and how it works?

    Is this a plugin in OMV or something you installed manually?

    From what i understand LE is expecting a response for my subdomains on port 80, but as they are running on ports 9091, 8081 etc then its not getting a response? SNI proxy solves this?

    Server Name Indication is an extension to the TLS Handshake. Clients can use it to put the server name in the cleartext part of the TLS Handshake, so that webserver can use name based virtual hosting for SSL too. In fact the webserver could hold multiple certificates and present the right one to the client. Before that you needed different IPs for different SSL Servers.
    SNI Proxy takes the idea a step further, and instead of forwarding the request to the right Virtual Host, it can forward it to another server/port. HA Proxy could make that too, but SNI proxy seems to be more straight forward for this case. Typically you could also use nginx as a reverse proxy, but then you would need to configure SSL proxy in nginx. This has the benefit that you could redirect traffic also based on the complete URLs inside a ssl tunnel.

    I think he installed it manually, couldn't find a plugin. Maybe theres also a docker for that.

    Yes, SNI Proxy can forward to etc based on host names.


    openssl s_client -connect

    sollte auf jedenfall gehen.

    Abegesehen davon, zur Zertifikatsprüfung :….231.15.24&hideResults=on

    Vielleicht war das nur eine temporäre Zertifikatsumstellung? Das aktuelle ist nur noch knapp 2 Wochen gültig.

    Ansonsten : wget –no-check-certificate
    Vielleicht fehlen auch die trusted CAs unter /etc/ssl/certs/ ... eventuell schauen und selbst laden

    Bei Redhat ist es das rpm ca-certificates .. bei Debian kenne ich mich noch nich so gut aus, und bin auch grad nicht daheim am NAS

    That still means they're signing those certificates with their CA cert. If you add their CA cert to your browser, then anything else signed with that cert is immediately valid. If they re-issue a cert with your common name, it'll still come up as valid.

    And if you read the article you will see that he mentioned exactly I'm afraid about:

    To see why this is worrisome, let’s suppose, just for the sake of argument, that CNNIC were a puppet of the Chinese government. Then CNNIC’s status as a trusted CA would give it the technical power to let the Chinese government spy on its citizens’ “secure” web connections. If a Chinese citizen tried to make a secure connection to Gmail, their connection could be directed to an impostor Gmail site run by the Chinese government, and CNNIC could give the impostor a cert saying that the government impostor was the real Gmail site. The Chinese citizen would be fooled by the fake Gmail site (having no reason to suspect anything was wrong) and would happily enter his Gmail password into the impostor site, giving the Chinese government free run of the citizen’s email archive.

    That's a general problem of Chain of Trust infrastructure... WoSign could make a duplicate certificate of mine ( it wouldn't be the same, as they don't have my private key ) and it would be trusted by any browser. But for that you could use certificate pinning. Or CA pinning if trust your favourite CA . CA pinning simplifies Cert changes without wait time.

    Indeed, I don't know about Lets Encrypt, but I would rather add my own trusted CA than someone else's. I use the CA tools provided by on my router.

    Let's encrypt will be Cross Signed by IdenTrust, so all their free certificates will be "green" by all well known browser.

    Wosign is properly owned by the Chinese government, whicw gives them the possibility to decrypt all information encrypted with a wosign certificate. Because have easy access to your private key.

    A self signed certificate where you keep the private key secret is very hard to decrypt.

    WoSign accepts certificate signing requests, so no private key involed. I tried it and it worked. For me it's a goog choice, because you can get certificates for dyndns hostnames (where you don't own the domain).

    Thx, maybe i will try that. Altough a CA from China ... wouldn't be my first choice ^^

    Let's encrypt has the benefit of an automated, open process which would integrate nicely into omv, my opinion

    Let's Encrypt is a project for free and easy deployment of ssl certificates.

    Wouldn't it be nice to have it implemented in OMV, so that everyone with a domain can easyly set up a secure web server?
    The certificates rollout will begin in november, but you could already test with the demo CA.

    That's normal behavior. With LACP you can use only 1 physical trunk at a time with the same session.
    LACP uses different load balancing methods, for example mac address, or an IP/Port combination.

    If your devices only support mac hash, you will never get more than 1gb from the same device, but other devices can use the second trunk.

    The bonding module on omv should support other methods :

    modinfo bonding
    filename: /lib/modules/3.16.0-0.bpo.4-amd64/kernel/drivers/net/bonding/bonding.ko
    author: Thomas Davis, and many others
    description: Ethernet Channel Bonding Driver, v3.7.1
    version: 3.7.1

    What is used you can see here:

    cat /proc/net/bonding/bond0
    Ethernet Channel Bonding Driver: v3.5.0 (November 4, 2008)
    Bonding Mode: IEEE 802.3ad Dynamic link aggregation
    Transmit Hash Policy: layer2 (0)


    i wanted to move my emby db from the media partition to a new ssd partion.
    I stopped emby, rsynced the complete DB folder, changed the DB Volume Setting to the new Partition an restarted emby.

    It seemed to work, as my emby users and settings are all there, but the media library is empty! Rescan Library didn't do anything.
    When i change back to old DB Folder, my Library is still complete..
    Is there any other config i need to adjust?

    PS: Log shows no errors too

    @Malefunk Here is what I do. I don't use RAID or Union Filesystem. I do it my own way.

    How to share your data across Drives with symlinks and no pooling.

    Yeah read that already ;) As long as i distribute my mediafolders manually everything is good too.

    After the reorganistaion of my folder, emby was completely messed up, so i did a new clean install, everythings perfect now ;) thanks for your support @tekkb

    in the fresh install there is now the right symlinc :

    ok that's what i thought too :)

    I'll try it later, currently i try to get rid of aufs .. it's a very strange system .. after moving and renaming Folders with root,
    i cant access it any more with any other user, although the perms on the pool device are right. The folders on the data
    partition are really messed up and show 4 different versions of the Folder names ...
    How can anyone use that filesystem practically !?

    I know. But the log File indicates that the binary on the media share is called.

    Datei: „/usr/local/bin/ffmpeg/20150331/ffmpeg“
    Größe: 28714176 Blöcke: 56088 EA Block: 4096 reguläre Datei
    Gerät: 831h/2097d Inode: 926773 Verknüpfungen: 1
    Zugriff: (0755/-rwxr-xr-x) Uid: ( 112/ emby) Gid: (65534/ nogroup)
    Zugriff : 2015-08-08 17:45:39.000000000 +0200
    Modifiziert: 2015-08-08 17:45:41.000000000 +0200
    Geändert : 2015-08-09 09:35:15.665124882 +0200
    Geburt : -