OpenMediaVault SSL in conflict with Let's Encrypt certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
*.martijnnas.duckdns.org

I ran this command:

It produced this output:
Let's Encrypt certificates imported directly into the OpenMediaVault SSL settings. From this point on everything went wrong.

My web server is (include version):
OpenMediaVault

The operating system my web server runs on is (include version):
Linux 5.10.0-0.bpo.9-amd64

My hosting provider, if applicable, is:
duckdns.org

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
Portainer

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.22.0


Hello Everyone,

I'm pretty new to this, but I have a problem with my OpenMediaVault + SWAG docker (Portainer) + DuckDNS docker + other containers (Nextcloud, radarr, sonarr etc.). I want to access them with a wildcard on my domain. (I mostly followed this guide for letsencrypt/swag: Nextcloud Docker Stack With A Reverse Proxy Including SSL and DuckDNS - YouTube.)

When I try to access my wildcard subdomains like radarr.martijnnas.duckdns.org, they immediately redirect to my OpenMediaVault GUI. Every subdomain I tried. I tried everything: reading forums and FAQs, reinstalling, wiping, renewing, another domain, changing ports, etc.

Note: I was playing with the DuckDNS subdomain names etc. and it was even working. Later on, I discovered that you can use wildcards with DuckDNS, so I want to go further with martijnnas.duckdns.org. As you can see, I have lots of certificates on that domain now (https://crt.sh/?q=martijnnas.duckdns.org). I don't know if that is the issue (I don't know how to remove published certificates).

I'm doing my best to explain what I did and how I installed SWAG/Let's Encrypt:

  • Installed Swag docker [linuxserver/swag:latest] in Portainer (OMV-extra). ENV:
    DUCKDNSTOKEN: 71849a27-3386-4294-XXXXXXXXXXX
    EMAIL: XXXX@gmail.com
    ONLY_SUBDOMAINS: true
    PGID: 100
    PUID: 998
    STAGING: false
    SUBDOMAINS: wildcard
    TZ: Europe/Amsterdam
    URL: martijnnas.duckdns.org
    VALIDATION: duckdns

(NET_ADMIN is added.)
Ports TCP: 80:80 & 444:443 (somehow port 443:443 was already in use in Portainer).

  • Created a user-defined network with SWAG and the containers I want to access through the reverse proxy.
    None of my containers has duplicate ports.

  • Forwarded the following ports on my router (192.168.178.220 is my server IP):
    Local                  External
    192.168.178.220:80     80
    192.168.178.220:443    443
    192.168.178.220:943    943
    192.168.178.220:51820  51820
    192.168.178.220:88     88    (my OMV GUI port)
    192.168.178.220:444    444

  • Installed and started the duckdns container. ENV:
    PGID: 100
    PUID: 998
    SUBDOMAINS: martijnnas
    TOKEN: 71849a27-3386-4294-XXXXXXXXXXX
    TZ: Europe/Amsterdam

It automatically set my server IP address, 217.123.81.168, for my 'martijnnas' domain on the DuckDNS website.
When I visit that IP it also redirects to the OMV GUI.

  • Started SWAG (and all other containers) with the following log:
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] waiting for services.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.
[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 01-envfile: executing... 
[cont-init.d] 01-envfile: exited 0.
[cont-init.d] 10-adduser: executing... 
usermod: no changes

-------------------------------------
          _         ()
         | |  ___   _    __
         | | / __| | |  /  \
         | | \__ \ | | | () |
         |_| |___/ |_|  \__/


Brought to you by linuxserver.io
-------------------------------------

To support the app dev(s) visit:
Certbot: https://supporters.eff.org/donate/support-work-on-certbot

To support LSIO projects visit:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------

User uid:    998
User gid:    100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing... 
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing... 
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing... 
Variables set:
PUID=998
PGID=100
TZ=Europe/Amsterdam
URL=martijnnas.duckdns.org
SUBDOMAINS=wildcard
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=true
VALIDATION=duckdns
CERTPROVIDER=
DNSPLUGIN=
EMAIL=xxxxxxxx@gmail.com
STAGING=false

Using Let's Encrypt as the cert provider
SUBDOMAINS entered, processing
Wildcard cert for only the subdomains of martijnnas.duckdns.org will be requested
E-mail address entered: xxxxxxxxx@gmail.com
duckdns validation is selected
the resulting certificate will only cover the subdomains due to a limitation of duckdns, so it is advised to set the root location to use www.subdomain.duckdns.org
Certificate exists; parameters unchanged; starting nginx
[cont-init.d] 50-config: exited 0.
[cont-init.d] 60-renew: executing... 
The cert does not expire within the next day. Letting the cron script handle the renewal attempts overnight (2:08am).
[cont-init.d] 60-renew: exited 0.
[cont-init.d] 70-templates: executing... 
[cont-init.d] 70-templates: exited 0.
[cont-init.d] 90-custom-folders: executing... 
[cont-init.d] 90-custom-folders: exited 0.
[cont-init.d] 99-custom-files: executing... 
[custom-init] no custom files found exiting...
[cont-init.d] 99-custom-files: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.

Server ready

When I delete or disable the secure connection in the OMV GUI, the (sub)domains can't be reached:

This site can’t be reached radarr.martijnnas.duckdns.org refused to connect.
Try:

Checking the connection
Checking the proxy and the firewall
ERR_CONNECTION_REFUSED

Funny thing: when I generate an SSL certificate in OMV, it uses that certificate when I open radarr.martijnnas.duckdns.org, but with the web browser error "Your connection is not private. CA root certificate is not trusted." My page didn't load (only the error).

  • Let's Debug test data (http-01):
    With the Let's Encrypt SSL certificate in the OMV settings = all OK!
    Without the Let's Encrypt SSL certificate in the OMV settings = IPv4 not working

  • Also, the nginx error.log is empty.

I'm lost now. How can I go back to a working solution? Is this maybe OMV related?
I hope the amount of data/text doesn't scare you :) . I hope someone can help and guide me.

Lots of thanks!

Martijn

Found the problem...

The solution for me was: I removed all the certificates in OMV.
Then I checked which PID was listening on my ports 443 and 80 with the commands lsof -i:443 and lsof -i:80. Strangely enough, my Plex was controlling port 443.
I stopped my Plex container, rebuilt SWAG/Let's Encrypt with port 443:443, started SWAG first, and everything works. After that I started Plex. (Maybe later I will check why Plex is using 443 (SSL) and/or if it's needed.)

I'm happy :)
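A shell check for the port-ownership diagnosis described in the solution above, as an added example that is not part of the original thread or of the SWAG/OMV projects. It assumes `ss -ltnp` (iproute2) and `docker ps` are available on the host and that it is run as root (otherwise `ss -p` hides other users' process names). The sample outputs embedded in the script are constructed to mirror the situation in the post, a second container publishing host port 443 while the proxy was pushed to 444; the functions query the live host when no sample is passed.

```shell
#!/bin/sh
# Added example (not from the thread): find out who owns host ports 80/443
# before starting a reverse proxy. Two views are needed:
#   1. the kernel socket table (ss, or lsof -i:PORT as in the post): shows the
#      process, but a port published by Docker appears as "docker-proxy",
#      not as the container that owns it;
#   2. docker ps: maps a published host port back to the container name, but
#      a container on network_mode: host shows no ports there at all.
# Run as root so `ss -p` can show process names for other users' sockets.

# Constructed sample of `ss -ltnp` output (the header line is present on
# purpose; the parser has to skip it).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      4096   0.0.0.0:443       0.0.0.0:*         users:(("docker-proxy",pid=2345,fd=4))
LISTEN 0      4096   0.0.0.0:80        0.0.0.0:*         users:(("docker-proxy",pid=2350,fd=4))
LISTEN 0      511    0.0.0.0:88        0.0.0.0:*         users:(("nginx",pid=1200,fd=6))'

# Constructed sample of `docker ps --format "{{.Names}}\t{{.Ports}}"`: the
# proxy publishes 80 and 444->443, a media container grabbed host 443, and a
# third container merely exposes 443 without publishing it.
TAB=$(printf '\t')
SAMPLE_DOCKER="swag${TAB}0.0.0.0:80->80/tcp, :::80->80/tcp, 0.0.0.0:444->443/tcp
plex${TAB}0.0.0.0:443->443/tcp, :::443->443/tcp
nextcloud${TAB}443/tcp"

# listeners PORT [SS_OUTPUT]
# Prints "<process> pid=<n>" for each TCP listener on PORT (IPv4 and IPv6).
listeners() {
    port=$1
    input=${2:-"$(ss -ltnp 2>/dev/null)"}
    printf '%s\n' "$input" | awk -v p="$port" '
        $1 == "LISTEN" && $4 ~ (":" p "$") {
            # process field looks like users:(("docker-proxy",pid=2345,fd=4))
            if (match($0, /users:\(\("[^"]+",pid=[0-9]+/)) {
                s = substr($0, RSTART + 9, RLENGTH - 9)   # strip users:(("
                sub(/",pid=/, " pid=", s)
                print s
            }
        }'
}

# containers_on_port PORT [DOCKER_PS_OUTPUT]
# Prints the name of every container that publishes host PORT. A bare
# "443/tcp" (exposed, not published) does not count, and a container on
# network_mode: host will not appear here at all; use listeners() for those.
containers_on_port() {
    port=$1
    input=${2:-"$(docker ps --format '{{.Names}}\t{{.Ports}}' 2>/dev/null)"}
    printf '%s\n' "$input" | awk -F '\t' -v p="$port" '$2 ~ (":" p "->") { print $1 }'
}

# port_report PORT [SS_OUTPUT] [DOCKER_PS_OUTPUT]
# One-line verdict per port: free, or taken by which process / container.
port_report() {
    port=$1
    procs=$(listeners "$port" "$2")
    ctrs=$(containers_on_port "$port" "$3")
    if [ -z "$procs" ] && [ -z "$ctrs" ]; then
        echo "port $port: free"
    else
        echo "port $port: in use by process [$procs] container [$ctrs]"
    fi
}

# Stand-alone run against the constructed samples; drop the two sample
# arguments to query the live host instead.
for p in 80 443 444; do
    port_report "$p" "$SAMPLE_SS" "$SAMPLE_DOCKER"
done
```

Run this before bringing the proxy up: if port 443 reports a process or container other than the proxy, stop that container (or change its published port) first, otherwise the proxy either fails to bind or, as in the thread, gets pushed to a different port while the browser keeps landing on whatever already listens on 443.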

