OpenMediaVault-Plugin-Developers / openmediavault-letsencrypt

Plugin for generating letsencrypt.org certificates for Open Media Vault

Certificate contains not all alternative domain names given in the plugin #11

Open godfuture opened 6 years ago

godfuture commented 6 years ago

I saw that the automatic renewal did not work, because only my main domain was included in the cert.

omv-rpc "LetsEncrypt" "generateCertificate" "{\"command\":\"renew\"}" > /dev/null 2>&1

Then I tried to force the refresh of the cert by the plugin. This time none of the comma separated domains mentioned in the plugin made their way into the cert. Then I tried again. This time only three domains were validated. Two were missing.

letsencrypt.txt

How does it come that sometimes none and another time three are validated?

OMV-LE 3.4.5

ryecoaaron commented 6 years ago

This would be a better question for the certbot people. That said, the OMV 3.x plugin doesn't update the private key in the OMV database. So, your website won't use it if configured from the OMV web interface.

godfuture commented 6 years ago

Updating the omv ssl cert does not seem to be the problem, at least not on 4.x. The ssl cert looks exactly like the LE key. I have compared the cert details on the web interface with: openssl x509 -in /etc/letsencrypt/live/mydomain.de/fullchain.pem -noout -text | less

If the alternative domain name feature of certbot were broken, we would have a whole community being locked out of valid LE certs. Therefore, and due to the fact that wildcard support was only introduced recently, I think a problem with certbot in this area is very unlikely.

I guess it is more likely that the omv plugin does not feed the certbot correctly. How could I prove it? How could I debug the certbot cmdline request?

ryecoaaron commented 6 years ago

I figured you were using OMV 3.x. 4.x isn't broken when it comes to updating the cert in OMV's database.

Your same logic applies to the plugin. If it wasn't passing all of the domain names, more people would be complaining. I wasn't saying certbot is broken. I was just saying I don't know enough about certbot to help in the particular area and that the certbot people might be able to help more.

You can see here (https://github.com/OpenMediaVault-Plugin-Developers/openmediavault-letsencrypt/blob/master/usr/share/openmediavault/engined/rpc/letsencrypt.inc#L194) that it is looping through all domain names.

You can see here (https://github.com/OpenMediaVault-Plugin-Developers/openmediavault-letsencrypt/blob/master/usr/share/openmediavault/engined/rpc/letsencrypt.inc#L207) that it outputs the exact certbot command it uses on every run.

So just run omv-rpc "LetsEncrypt" "generateCertificate" "{\"command\":\"renew\"}" and see what the command is at the top of the output.

godfuture commented 6 years ago

Alright. I did as you suggested and triggered the LE plugin: omv-rpc "LetsEncrypt" "generateCertificate" "{\"command\":\"renew\"}"

This is returned:

{
    "pid": 6315,
    "running": false,
    "outputfilename": "\/tmp\/bgoutputqCxLeO",
    "result": [
        "Saving debug log to \/var\/log\/letsencrypt\/letsencrypt.log",
        "",
        "-------------------------------------------------------------------------------",
        "Processing \/etc\/letsencrypt\/renewal\/mydomain.de.conf",
        "-------------------------------------------------------------------------------",
        "Cert not yet due for renewal",
        "Plugins selected: Authenticator webroot, Installer None",
        "",
        "-------------------------------------------------------------------------------",
        "",
        "The following certs are not due for renewal yet:",
        "  \/etc\/letsencrypt\/live\/mydomain.de\/fullchain.pem expires on 2018-11-06 (skipped)",
        "No renewals were attempted.",
        "-------------------------------------------------------------------------------"
    ],
    "error": null
}

Unfortunately I don't know how to force the renewal. I tried to replace the "renew" with "generate". But it didn't change the result in the end. Nevertheless, this omv plugin request did not work previously. Instead the fetched command finishes on server shell without any problems and all the domain names are included:

/usr/bin/certbot certonly --non-interactive --rsa-key-size 4096 --text --keep-until-expiring --agree-tos --allow-subset-of-names --cert-name mydomain.de --email my@email.de --webroot -w /var/omvconf/.nginx/lewebroot -d mydomain.de -d ffsync.mydomain.de -d emby.mydomain.de -d vpn.mydomain.de -d collabora.mydomain.de
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/...

How to proceed?

ryecoaaron commented 6 years ago

There is no way to force renewal that I know of. If it worked this time, I don't know why it wouldn't work every time. Not sure what to do.

maxlesniper commented 5 years ago

Hello. I have the same problem. I use this plugin to have a valid certificate for multiple domain names. At the generation, I have no problem. Everything works fine for every domain name. But after a renewal, only the first domain name in the list is taken into account. How to get around this problem without having to recreate everything? Thank you

godfuture commented 5 years ago

I removed the schedule flag in the letsencrypt plugin and added a scheduled task in omv executing certbot directly. This implies you inform yourself about all command line parameters needed for your setup.

ryecoaaron commented 5 years ago

@godfuture this won't update the cert used in the SSL certs section of the OMV web interface though. I still don't know why the renew function of certbot doesn't do the right thing. This problem should be brought up on the certbot forum. I'm not going to do testing on my production system.

godfuture commented 5 years ago

Couldn't the update of the OMV key be part of the certbot scheduled task?

ryecoaaron commented 5 years ago

It is already - https://github.com/OpenMediaVault-Plugin-Developers/openmediavault-letsencrypt/blob/master/usr/share/openmediavault/engined/rpc/letsencrypt.inc#L222

I was just saying that when you call certbot directly, it won't update the OMV SSL section certs. If you don't renew with the plugin, then it won't know the uuid of the cert to update.

maxlesniper commented 5 years ago

I started from scratch for the generation of a new certificate by specifying several domain names. Only the first is taken into account :(

godfuture commented 5 years ago

@ryecoaaron I have to disagree. I just checked my live cert of letsencrypt: openssl x509 -in /etc/letsencrypt/live/mydomain/cert.pem -noout -text

It contains the correct alternative domains and was also correctly renewed. This means certbot works totally fine.

But you are right about the update of omv cert. Letsencrypt is younger than omv. The "transfer" from LE to omv did not happen.

godfuture commented 5 years ago

Can we see what certbot cmd was generated by omv LE plugin?

ryecoaaron commented 5 years ago

@godfuture Disagree with what? Of course your letsencrypt folder certs are updated when running certbot. I was only referring to the OMV certs that the plugin copies from the letsencrypt folder - which you have found.

You can see the certbot cmd when executing from the web interface - https://github.com/OpenMediaVault-Plugin-Developers/openmediavault-letsencrypt/blob/master/usr/share/openmediavault/engined/rpc/letsencrypt.inc#L207 - but it does not log the command anywhere. When renewing, the only certbot argument is "renew" - https://github.com/OpenMediaVault-Plugin-Developers/openmediavault-letsencrypt/blob/master/usr/share/openmediavault/engined/rpc/letsencrypt.inc#L175

I know the command is correct when initially generating the cert (at least when parameters are entered correctly) because I use it myself for multiple domains.

godfuture commented 5 years ago

Couldn't the update of the OMV key be part of the certbot scheduled task? You were answering that it is already. This is true for the LE plugin. What I meant is to manually execute certbot and the update of the OMV key in a cron.

I have read about the certbot renew. It seems that certbot is storing a config file which is created when the user generated the cert. Maybe this certbot config file looks different than the LE plugin settings?
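An added diagnostic for the question raised above, not code from the plugin or from anyone in this thread: it compares the domain list entered in the plugin against the SANs in the issued certificate (read from the same `openssl x509 -noout -text` output used earlier in the thread) and against the `[[webroot_map]]` section of certbot's renewal config. All inputs are constructed samples; the domain names and webroot path are the placeholders that appear in the thread.

```python
import re

# Constructed excerpt of `openssl x509 -in cert.pem -noout -text` (the command
# used in the thread); only three of the five expected names are present.
OPENSSL_TEXT = """\
            X509v3 Subject Alternative Name:
                DNS:mydomain.de, DNS:ffsync.mydomain.de, DNS:emby.mydomain.de
"""
# Constructed excerpt of /etc/letsencrypt/renewal/mydomain.de.conf, the file
# `certbot renew` works from instead of the plugin's -d list.
RENEWAL_CONF = """\
[renewalparams]
authenticator = webroot
[[webroot_map]]
mydomain.de = /var/omvconf/.nginx/lewebroot
ffsync.mydomain.de = /var/omvconf/.nginx/lewebroot
"""
# Comma-separated domain list as entered in the plugin (constructed).
PLUGIN_DOMAINS = ("mydomain.de,ffsync.mydomain.de,emby.mydomain.de,"
                  "vpn.mydomain.de,collabora.mydomain.de")

def plugin_domain_list(value):
    """Split the plugin's comma-separated field into domain names."""
    return [d.strip() for d in value.split(",") if d.strip()]

def cert_sans(openssl_text):
    """DNS names from the Subject Alternative Name line of an openssl dump."""
    m = re.search(r"Subject Alternative Name:\s*([^\n]+)", openssl_text)
    if not m:
        return set()
    return {p.strip()[4:] for p in m.group(1).split(",") if p.strip().startswith("DNS:")}

def webroot_map_domains(conf_text):
    """Domains listed under [[webroot_map]] in a certbot renewal config."""
    domains, in_map = set(), False
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_map = line == "[[webroot_map]]"
        elif in_map and "=" in line:
            domains.add(line.split("=", 1)[0].strip())
    return domains

def audit(plugin_value, openssl_text, conf_text):
    """Expected names absent from the issued cert or the webroot map. The
    plugin's --allow-subset-of-names means a missing name failed its challenge."""
    wanted = plugin_domain_list(plugin_value)
    sans, mapped = cert_sans(openssl_text), webroot_map_domains(conf_text)
    return {"missing_from_cert": [d for d in wanted if d not in sans],
            "missing_from_webroot_map": [d for d in wanted if d not in mapped]}
```

On a real host, feed `audit()` the output of the openssl command and the contents of the renewal conf instead of the constructed strings; a name in `missing_from_webroot_map` will not get a webroot challenge file placed on renewal.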