Posts by fubz

    After I changed the WebRoot path from /var/www/openmediavault/ to /media/54bf67db-da31-4c50-bb3c-27140944b223/www/owncloud, this is the new log:


    It said>>Error: the configuration object is in use...


    It looks like your DNS entries are not set up correctly, based on:
    "To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address"


    Have you recently made a change to your DNS records? It can take a while to populate.
    Also try manually creating the folder and files in your webroot to test and make sure those directories are accessible. For example:

    Code
    mkdir /media/54bf67db-da31-4c50-bb3c-27140944b223/www/owncloud/.well-known
    mkdir /media/54bf67db-da31-4c50-bb3c-27140944b223/www/owncloud/.well-known/acme-challenge
    echo "<body>Test</body>" > /media/54bf67db-da31-4c50-bb3c-27140944b223/www/owncloud/.well-known/acme-challenge/test.html


    Then go to server.xyz.com/test.html
    If you do not get a webpage that says "Test" then your webroot is configured wrong.
    (Clean up your test files: rm -r /media/54bf67db-da31-4c50-bb3c-27140944b223/www/owncloud/.well-known)


    Otherwise I would post on the Let's Encrypt forums; you will get more prompt and knowledgeable support. My knowledge domain is limited to this one specific use case of Let's Encrypt. If you find anything else please bring back the information so we can try to incorporate it into the plug-in.


    p.s. force-renew is coming to the plugin shortly :)
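
Added example, not part of the original posts or the plugin's code: the manual webroot test from the post above, scripted. `check_webroot` and the probe file name are hypothetical; it writes a random file under `.well-known/acme-challenge` in the webroot you pass in, requests it over HTTP at that same path under the base URL you pass in, and removes only what it created.

```python
import os
import secrets
import urllib.error
import urllib.request


def check_webroot(webroot, base_url, timeout=5):
    """Write a random probe file where an HTTP-01 validator would look for
    its token, fetch it back over HTTP, and return (ok, detail)."""
    if not os.path.isdir(webroot):
        return False, "webroot %s is not a directory" % webroot
    well_known = os.path.join(webroot, ".well-known")
    challenge_dir = os.path.join(well_known, "acme-challenge")
    # Remember which directories are missing so cleanup removes only ours.
    made = [d for d in (well_known, challenge_dir) if not os.path.isdir(d)]
    name = "probe-" + secrets.token_hex(8)   # hypothetical probe file name
    body = secrets.token_hex(16)             # random content, not a real token
    probe = os.path.join(challenge_dir, name)
    url = base_url.rstrip("/") + "/.well-known/acme-challenge/" + name
    try:
        os.makedirs(challenge_dir, exist_ok=True)
        with open(probe, "w") as fh:
            fh.write(body)
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            served = resp.read(4096).decode("utf-8", "replace").strip()
        if served == body:
            return True, "webroot is served at " + url
        # A 200 with other content usually means a catch-all or login page.
        return False, "unexpected content at %s: different webroot" % url
    except urllib.error.HTTPError as exc:
        # 404: the web server's root is another directory; 401/403: auth or ACL.
        return False, "HTTP %d for %s" % (exc.code, url)
    except OSError as exc:
        # Covers URLError (DNS, refused connection) and local write failures.
        return False, "could not complete check for %s: %s" % (url, exc)
    finally:
        if os.path.exists(probe):
            os.remove(probe)
        for d in reversed(made):  # acme-challenge first, then .well-known
            try:
                os.rmdir(d)       # only succeeds if the directory is empty
            except OSError:
                pass


if __name__ == "__main__":
    # Placeholder values: substitute your own webroot and public host name.
    print(check_webroot("/var/www/openmediavault", "http://server.example"))
```

Run it from outside your network as well if you can: a check made from the server itself does not exercise the port 80 forward or the public DNS record.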

    I posted some time ago answering tinh_x7 and because of that, I found that I cannot renew or create new certificates. I have port 80 forwarded to my OMV box but I get an error that Let's Encrypt can't "access" /var/www/openmediavault/acme-challenge/(some random string of numbers/letters).


    What does your Let's Encrypt log say?
    /var/log/letsencrypt/letsencrypt.log

    I installed the let's encrypt client and when I try to run "letsencrypt (..............)" with the arguments, it keeps telling me that letsencrypt command does not exist.


    Are you running the command from the directory you cloned the GitHub repository? The plugin clones it to /opt/letsencrypt

    I clicked on the LetsEncrypt.js and it opened another tab with address: view-source:http://192.168.1.230/js/omv/module/admin/diagnostic/log/plugin/LetsEncrypt.js
    So I think it is the first case.


    Thanks for your time.


    I'm having trouble reproducing the issue; I've tried on multiple virtual machines. Have you tried uninstalling the plugin and reinstalling? How about restarting your computer?

    I don't know what happens but I can't access the plugin configuration now. I tried installing and uninstalling several times and no luck. When I click the let's encrypt plugin in the web, I don't get any response.


    Any ideas?


    If you open your web browser's web console, do you see any errors? (Firefox: Options > Developer > Web Console)

    Only as a suggestion to improve the plugin: if possible, try to add letsencrypt.log to the OMV web GUI log so I can see what happens if something goes wrong.


    Other plugins like fail2ban or bittorrent add their logs, if you want to review the code.


    The log is now in OMV with the new 2.4 release


    Finally problem found! Actually, if you want to get a correct certificate, you shouldn't try "Test certificate". Once you have tried it, you will always get connected to the wrong staging server.
    So the sequence should be like: install plugin / provide email, webroot, enable monthly update, do not enable "Test certificate", apply changes / generate certificate. And no happy hacker on the horizon. :)
    Hope this will help somebody.


    Thank you very much for this information! I've changed the plugin's tips to encourage this workflow.


    New problem detected.


    The cron job is always generated regardless of the status of the generated cert. This means that if generation fails and the cert is NOT generated, the cron job is still created, and you have one cron job for each time that you press the generate button.


    I've fixed this issue in the latest release.



    2.4 of the plugin has been submitted to the extras repository. As of writing this post it is not available but it will be asap.


    Duplicate crons have been fixed
    If you currently have duplicate scheduled jobs:
    1. Turn off the "Schedule Refresh" (new text, used to be "Enable") switch in the plugin
    2. Go to Scheduled Jobs and remove all of the omv-letsencrypt entries
    3. Save + Apply all changes
    4. Switch on "Schedule Refresh" in plugin, save + apply.


    A bug in the system omv-letsencrypt script has been fixed


    Log is not viewable in OMV System Logs
    **Note the Let's Encrypt log rolls every time the letsencrypt command has been run, thus you will still need to view them from the CLI if you need anything later than your previous run.

    But there were no errors during generation. And actually I have no idea what I should change. There are 3 fields: domain/e-mail/webroot. All of them contain correct values (e-mail used for account only, for webroot used default value). Any ideas?


    I've seen the happy hacker ca root cert before. I'm still struggling to figure out why this happens. I know it happens when a cert is acquired from the Let's Encrypt Test server; however, the plugin never changes what server the cert is acquired from. The Test option just tells LE to do a dry run and not generate a certificate. I'm still investigating but I am still unsure.
    My best suggestion is to completely uninstall the plugin and manually delete /etc/letsencrypt and /opt/letsencrypt


    Don't know which update gave me this but,


    Your webroot parameter is not filled out. It should be /var/www/openmediavault



    Last January 20th Let's Encrypt put into production the long-expected ACME DNS Challenge, where people like me who CAN'T (damn ISP) open ports 80 or 443 are now eligible to validate the domain via a DNS server TXT record. It's actually MUCH easier than opening ports in my server.


    Thank you for this information. I will look into getting it added to the plugin ASAP.

    I got multiple crons also.
    Whenever LE failed to generate the certs or if you re-install the plug-ins, then you'll get duplicate cron jobs.
    I also noticed that if I uninstall the plug-in, re-install it, then regenerate the certs, the expiration date stays the same.
    I thought it was supposed to extend the expiration date.


    Currently crons are not being uninstalled. I will fix that in the next release.
    Regenerating certs does not give you a new expiration date because I have the flag --keep-until-expiring on the Let's Encrypt process to prevent certs from being regenerated when it is not needed. If you really want new certs you will need to delete the /etc/letsencrypt folder.

    My IP is dynamic, that's why I'm using DDNS.
    No, my domain, and my subdomain are on different hosts with different IPs.


    That is why you cannot authenticate both of your certs. You will have to use Let's Encrypt on each machine individually.


    Please review the creation of cron jobs; I ended up with 3 jobs.


    Can I delete 2 of them?


    I was worried about this. I will have to investigate a way of making it more robust.


    What did you do to get multiple crons? Did you reinstall the plugin multiple times? Any info will help.


    Make a backup of /etc/openmediavault/config.xml
    Open /etc/openmediavault/config.xml navigate to /config/services/letsencrypt (Good chance it's on the bottom of the file if it's the last plugin you installed).
    Search for references to the cron_uuid <cron_uuid>422a5cd7-008f-46e7-9ce8-b874271b5e50</cron_uuid>; in VI just press #
    Delete the <job>..</job> sections that do not refer to the cron_uuid you found previously and contain the command for omv-letsencrypt

    I got this error.
    By the way, where do I see LE's log at ?


    Edit: If I don't include my main domain in the cert, then it generated fine.
    I don't understand why it wouldn't allow me to include my main domain in it.


    Logs: /var/log/letsencrypt


    What is the IP of your domain, what is the IP of the subdomain?
    Are they the same?
    Do they take you to the same part of your website? Probably not. Look at where your authorization files are being placed. They are going in the same directory, but your subdomain and domain are hosted from different directories. You will need to wait until the plugin supports multiple webroots or until you set up the SNI Proxy like I explained before.

    It isn't populated.
    I'm using LE for owncloud, not OMV.
    So my webroot should be /media/54bf67db-da31-4c50-bb3c-27140944b223/www/owncloud ?
    What if I want to use LE for both OMV and OC?


    Correct, your webroot is /media/54bf67db-da31-4c50-bb3c-27140944b223/www/owncloud


    Check out my second post in this thread; I elaborated on how to use SNI Proxy, which will allow you to authenticate all of your Let's Encrypt certificates from a single location on your file system.

    Can you explain more about SNI proxy and how it works?


    Is this a plugin in OMV or something you installed manually?


    From what I understand LE is expecting a response for my subdomains on port 80, but as they are running on ports 9091, 8081 etc. it's not getting a response? SNI proxy solves this?


    I updated my second post in this thread with more details and a specific use case. There is not a plugin for OMV; I compiled the source, but the binaries are listed as well.
    To your last question, yes, SNI Proxy will allow you to resolve all your authentication requests from LE on a single domain port and webroot.


    I too hit the too many requests limit. Maybe you could add a test against the testing server that does not have a limit. Then we won't be banned for a week. Once that works we can switch to the real server.


    A testing switch is available in the latest version now found in the omv-extras repo


    With the updated LE plug-in, where do I find the path for WebRoot at?


    It should already be populated, was it not?
    For OMV it is /var/www/openmediavault/
    If you are looking for the webroot for whatever service is running on port 443 or 80 you will need to do some investigation. Think of it this way. If you were to go to yourdomain.tld/webroot.html then on your filesystem there would be a file:
    /var/www/someservice/webroot.html
    The /var/www/someservice is your webroot, the root folder of your web service.

    Yes but not the OMV GUI, it points to the transmission install that is running on OMV on port 9091. If I point my browser at transmission.domain.co.uk I get access to my transmission so I know DNS is resolving correctly.


    The only thing I thought was that because transmission is protected by a password, Let's Encrypt wasn't getting the response it needed? I tested by turning off the authentication on transmission but it still didn't work.


    What are you serving on port 80? More specifically, if you were to traverse your file system to where your transmission.domain.co.uk/index.html loads, what is that path? Currently the plugin is putting your authentication file in /var/www/openmediavault/.well-known/acme-challenge/haskeyhere. Thus, if I go to transmission.domain.co.uk/.well-known/acme-challenge/haskeyhere I would be able to see that file that Let's Encrypt placed. If this is not the case you have a couple of solutions.
    Use the SNI Proxy I posted to serve all your external content on the default ports 80 and 443. This way if you were to go to transmission.domain.co.uk in your browser, the SNI Proxy would forward the traffic from your transmission install. Also you can then point to your OMV installation on port 9091 through port 80 by specifying SNI Proxy to forward traffic from say for example omv.domain.co.uk.
    Otherwise you will need to set a custom webroot; this is coming in the next release of the plugin that is just waiting to be pushed to the repository. In this case you set your web root to /var/www/transmission-where-your-application-is/. This way when Let's Encrypt goes to your domain it will be able to find the files it placed in the root directory.
    You can also try to read the documentation if my rambling does not make sense https://letsencrypt.org/howitworks/
    Let me know what else I can clarify, I would be glad to help where I can.



    It should be an open website. Before the plugin I used plain LE to generate one with the sonarr webui and I had to turn authentication off while LE was doing verification.
    I have to admit that it is not easy. I went through a bunch of switches in the CLI until I finally got it working, but my impression is that the whole LE is not ready. Sometimes it works, sometimes it doesn't.


    If you use SNI Proxy you can avoid that whole headache. I route all Let's Encrypt validations for all my subdomains to the same directory. Check out the configuration I posted and let me know if I need to clarify anything. After spending so much time learning about LE and the proxy I take the knowledge for granted.


    My OMV webgui is back working after I turned the server off and turned it back on.
    Not sure why Let's Encrypt cert caused it.
    So far so good.


    I'm glad it got fixed with a "simple" solution :) Sorry if I borked your system.

    Hello, it does not work for me: Error creating new cert :: Too many certificates already issued for: zapto.org, ddns.net
    ...


    Perhaps I need to try another day to avoid the daily limit?


    There is no way around this except to wait until Let's Encrypt allows you to request a cert again.


    Only as a suggestion to improve the plugin: if possible, try to add letsencrypt.log to the OMV web GUI log so I can see what happens if something goes wrong.


    Other plugins like fail2ban or bittorrent add their logs, if you want to review the code.


    I will work on that


    Still not working even after a re-install and using only 1 domain :(



    Your domain transmission.domain.co.uk points to your OMV installation? Port 80 is open?



    I can't access OMV webgui after I enabled Let's Encrypt for OMV.

    Code
    This webpage is not available
    
    
    ERR_CONNECTION_REFUSED


    I tried OMV-firstaid, and got this the error:


    Code
    Updating web administration settings. Please wait ...
    {"response":null,"error":{"code":7001,"message":"Failed to connect to socket: No such file or directory","trace":"exception 'OMVException' with message 'Failed to connect to socket: No such file or directory' in \/usr\/share\/php\/openmediavault\/rpc.inc:135\nStack trace:\n#0 \/usr\/sbin\/omv-rpc(107): OMVRpc::exec('WebGui', 'setSettings', Array, Array, 2)\n#1 {main}"}}
    Failed to execute RPC (service=WebGui, method=setSettings)


    I really have no idea what this issue is. It certainly could be the plugin; however, my understanding of OMV inner workings is still limited. I would create a new thread to get more visibility to the issue.


    It would be nice if someone made a Guide for this. :)


    What would you like to see added to what I have now? I will do my best to create one.

    Is one self-signed for the same "BitTorrent" and I can't find a way to change it and tell BTSync to use the reliable Let's Encrypt one.


    I've never used BTSync but it looks like it may create a domain in nginx (/etc/nginx/sites-available/btsync).
    In that configuration you can add entries to the Let's Encrypt certs:
    ssl_certificate /etc/letsencrypt/live/domain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain/privkey.pem;


    @fubz,
    My OMV doesn't use port 80, will this work?


    No, not currently. There is not an option to allow Let's Encrypt to verify your domain on another port. There is a manual verification that I've only glossed over; it seems very involved and defeats the purpose of being able to automatically generate a certificate.
    If you discover a process flow for generating a certificate with Let's Encrypt without using port 80 we can discuss how to properly implement the solution.




    Before I could start to generate a certificate I had an "SSL InsecurePlatform error".


    I solved it by installing the python-pip package and afterwards executing:
    pip install 'requests[security]'
    to install necessary packages.


    Just consider this in the further development ;)


    Interesting, thank you for the heads-up. I noticed the warning and just ignored it since the plugins and certificates have been working as expected. Since including a dependency is trivial I will be sure that package is added to future releases. Thanks.


    Is it possible to add a webroot configuration to the plugin ?


    Now it's only possible to generate a certificate if the openmediavault interface is exposed to the web. I would like to use another configured website (that has another webroot).


    That is a wonderful idea, I will add that option. Thanks for the suggestion.