[ Letsencrypt ][ 0.31.0.0 ] Free, automated, and open Certificate Authority.
#1
INFO: As of fw 3.02.02, Letsencrypt is implemented in the Thecus OS7 WebUI. This module can still be installed on OS7 but is not needed.

Module is available for:

x64_OS5/OS7 - last version 0.31.0.0
x86_OS5/OS6 - last version 0.22.2.1
ppc_OS6 - last version 0.13.0.1


Requires:
Python2 > 2.05.04
FaJoCron > 1.02.01
FaJoSSHD > 1.10.02 optional

Guides to use certificates on different modules, after they've been created:

apache and modules depending on apache - http://s.go.ro/k4qvegm0

Create SSL Certificate using Let’s Encrypt
 
Requirements:

SSH enabled on your NAS or the FaJoSSHD module installed (NAS SSH will be used in this guide)
On your PC, you need PuTTY or any SSH client to connect to your NAS
On your router, forward ports 80 and 443 to your NAS IP

A DNS name which points to your external IP; you can get one from http://freeddns.noip.com and configure it on your NAS or router for automatic update when your external IP changes. Then you can access your NAS remotely at http://example.ddns.net or securely at https://example.ddns.net

[Image: 2017-05-01_14_37_04-_N5810.png]

Enable SSH in your NAS

[Image: image.png]

Enable HTTP and HTTPS service

[Image: 2017-05-01_21_32_59-_N5810.png]

Start PuTTY and connect to your NAS (for Host Name, enter your NAS IP):

[Image: image.png]

Login as: root, password: youradminpassword

[Image: image.png]

In this tutorial we assume your domain is example.ddns.net, or *.example.ddns.net for a wildcard certificate.

Type this command to add your domain, replacing example.ddns.net with your DNS name:

Code:
echo example.ddns.net > /raid/data/MOD_CONFIG/letsencrypt/domain

or for wildcard certificate

Code:
echo '*.example.ddns.net' > /raid/data/MOD_CONFIG/letsencrypt/domain

Then type this command to register:
Code:
/raid/data/module/Letsencrypt/shell/module.rc register

It will ask you for an email address to register; type your email address and hit Enter.

Code:
Saving debug log to /raid/data/MOD_CONFIG/letsencrypt/log/letsencrypt.log
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):john.doe@gmail.com

-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: N

IMPORTANT NOTES:
- Your account credentials have been saved in your Certbot
  configuration directory at /raid/data/MOD_CONFIG/letsencrypt. You
  should make a secure backup of this folder now. This configuration
  directory will also contain certificates and private keys obtained
  by Certbot so making regular backups of this folder is ideal.

Now let's create the certificates, enter the following command:

Code:
/raid/data/module/Letsencrypt/shell/module.rc certonly

or for wildcard certificate:

Code:
/raid/data/module/Letsencrypt/shell/module.rc certonly_dns_challenge

Certificates will be created and saved to /raid/data/MOD_CONFIG/letsencrypt/live/example.ddns.net

Code:
Saving debug log to /raid/data/MOD_CONFIG/letsencrypt/log/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for example.ddns.net
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /raid/data/MOD_CONFIG/letsencrypt/keys/0000_key-certbot.pem
Creating CSR: /raid/data/MOD_CONFIG/letsencrypt/csr/0000_csr-certbot.pem
Non-standard path(s), might not work with crontab installed by your operating system package manager

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
  /raid/data/MOD_CONFIG/letsencrypt/live/example.ddns.net/fullchain.pem.
  Your cert will expire on 2017-07-30. To obtain a new or tweaked
  version of this certificate in the future, simply run certbot
  again. To non-interactively renew *all* of your certificates, run
  "certbot renew"
- If you like Certbot, please consider supporting our work by:

  Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
  Donating to EFF:                    https://eff.org/donate-le

Next we need to set up a crontab job so that the certificates are checked for automatic renewal twice a month. Because the renewal process needs access to ports 80 and 443, the Thecus WebUI is stopped and restarted after the check process.

Open FaJoCron WebUI and add the following line in crontab file:

Code:
0 5 */15 * * root /raid/data/module/Letsencrypt/shell/module.rc renew

It should look like below:

[Image: 2017-05-01_21_13_48-_Mozilla_Firefox.png]

Now we should configure Thecus WebUI to use our certificates. This is needed just once.
Copy the certificates from the NAS to somewhere local on your PC. Certificates are stored in /raid/data/MOD_CONFIG/letsencrypt/archive/example.ddns.net, so copy the folder example.ddns.net somewhere on your PC. You can use any client you want: WinSCP, or modules like eXTPlorer or MonstaFTP. The folder contains the following files:

[Image: 2017-05-01_21_35_08--_N5810_-_Win_SCP.png]

In Thecus WebUI go to Services >> Web Service >> Advanced
Certificate file: select cert1.pem
Certificate Key file: select privkey1.pem
CA Certificate file: select chain1.pem

OS7
[Image: 2017-05-01_21_32_59-_N5810.png]

OS5
[Image: 2017-05-01_21_49_12-_N2800.png]

Click apply and reboot your NAS
Enjoy secure connection
------------------------------------------------------------------------
Please respect my work and don't share my modules
Reply
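As an added example (not part of the module or the original post), the function below can be run on the NAS or any Linux machine with OpenSSL before the files are selected in the WebUI: it confirms that privkeyN.pem matches certN.pem, that chainN.pem is the issuer, that the certificate is not about to expire, and that the key is accessible to its owner only. The function name, the return codes and the 15-day default are assumptions of this example.

```bash
#!/bin/bash
# Added example, not part of the Letsencrypt module.
# check_le_files DIR [VERSION] [MIN_DAYS]
#   DIR       certbot archive folder, e.g. .../archive/example.ddns.net
#   VERSION   numeric suffix of the files (1 for cert1.pem); default 1
#   MIN_DAYS  fail if the certificate expires sooner than this; default 15
# Return codes (this example's own convention): 0 ok, 1 unreadable file,
# 2 key/cert mismatch, 3 chain is not the issuer, 4 expiring, 5 key mode.
check_le_files() {
  local dir=$1 n=${2:-1} min_days=${3:-15}
  local cert="$dir/cert$n.pem" key="$dir/privkey$n.pem" chain="$dir/chain$n.pem"
  local f cert_pub key_pub mode

  for f in "$cert" "$key" "$chain"; do
    [ -r "$f" ] || { echo "missing or unreadable: $f"; return 1; }
  done

  # The public key inside the certificate must equal the one derived from
  # the private key, otherwise the web server cannot use the pair.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ] ||
    { echo "privkey$n.pem does not match cert$n.pem"; return 2; }

  # The first certificate in the chain file must be the issuer of the leaf.
  [ "$(openssl x509 -in "$cert" -noout -issuer_hash)" = \
    "$(openssl x509 -in "$chain" -noout -subject_hash)" ] ||
    { echo "chain$n.pem is not the issuer of cert$n.pem"; return 3; }

  # -checkend exits non-zero if the certificate expires within N seconds.
  openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null ||
    { echo "cert$n.pem expires in under $min_days days"; return 4; }

  # The private key should be accessible to its owner only.
  mode=$(stat -c '%a' "$key")
  case "$mode" in
    ?00) ;;
    *) echo "privkey$n.pem has mode $mode, expected 600 or 400"; return 5 ;;
  esac
  echo "cert$n.pem, privkey$n.pem and chain$n.pem are consistent"
}
```

Certbot writes each renewal into the archive folder under the next number (cert2.pem, privkey2.pem, chain2.pem), so pass that number as the second argument after a renewal.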
#2
added 0.13.0.0
#3
added guide for using certificates on apache and modules depending on apache like owncloud, nextcloud, eXtplorer, MonstaFTP
updated to 0.13.0.1
#4
added x86_OS6
#5
added ppc_OS6
#6
I've created a script that works with DuckDNS to use DNS authorization for Let's Encrypt.
DuckDNS allows the publication of TXT records; if you are using Let's Encrypt and want to do DNS validation, this might be an alternative.
https://github.com/AlwindB/LetsEncrypt-DuckDNS-update

In my case I am not allowing access on port 80 or 443, so the only solution is DNS validation.

Using a separate cron script to kickstart the Let's Encrypt process:

Code:
#!/bin/bash
source /raid/data/module/Letsencrypt/sys/venv/bin/activate
certbot certonly -d YOURDUCKDNSDOMAIN.duckdns.org \
  --preferred-challenges=dns-01 \
  --config-dir /raid/data/MOD_CONFIG/letsencrypt \
  --logs-dir /raid/data/MOD_CONFIG/letsencrypt/log \
  --work-dir /raid/data/MOD_CONFIG/letsencrypt/lib \
  --manual-auth-hook /raid/data/DuckDNS/LetsEncrypt_DuckDNS_update.sh \
  --manual --agree-tos --manual-public-ip-logging-ok --quiet
Reply
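A DNS-01 auth hook of the kind described in the post above, written here as an added example; it is not the script linked there and not anyone's code from this thread. It assumes the DuckDNS token sits in a root-only file (`TOKEN_FILE`, a hypothetical path), validates everything certbot passes in before building the update URL, and keeps the token off the curl command line.

```bash
#!/bin/bash
# Added example of a certbot --manual-auth-hook for DuckDNS. It is not the
# script linked in the post; TOKEN_FILE and the 30 s wait are assumptions.
TOKEN_FILE=${TOKEN_FILE:-/raid/data/DuckDNS/token}   # root-only file, mode 600

# Print the DuckDNS update URL that publishes a dns-01 TXT value.
# Every field is validated first because it ends up inside a URL.
duckdns_txt_url() {
  local domain=${1#\*.} validation=$2 token=$3 sub
  case "$domain" in
    *.duckdns.org) sub=${domain%.duckdns.org}; sub=${sub##*.} ;;
    *) echo "not a duckdns.org name: $domain" >&2; return 1 ;;
  esac
  case "$sub" in ''|*[!A-Za-z0-9-]*) echo "bad subdomain" >&2; return 1 ;; esac
  # dns-01 values are base64url text; DuckDNS tokens look like UUIDs.
  case "$validation" in ''|*[!A-Za-z0-9_-]*) echo "bad validation" >&2; return 2 ;; esac
  case "$token" in ''|*[!A-Fa-f0-9-]*) echo "bad token" >&2; return 3 ;; esac
  printf 'https://www.duckdns.org/update?domains=%s&token=%s&txt=%s\n' \
    "$sub" "$token" "$validation"
}

run_hook() {
  local token url reply
  token=$(cat "$TOKEN_FILE") || return 1
  # certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to the hook.
  url=$(duckdns_txt_url "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" "$token") || return 1
  # Hand the URL to curl on stdin so the token is not visible in `ps` output.
  reply=$(printf 'url = "%s"\n' "$url" | curl -sS -K -) || return 1
  [ "$reply" = "OK" ] || { echo "DuckDNS refused the update" >&2; return 1; }
  sleep 30   # let the TXT record become visible before validation
}

# Act only when certbot has set the hook variables.
if [ -n "${CERTBOT_VALIDATION:-}" ]; then run_hook; fi
```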
#7
(28-05-2017, 04:23 PM)outkastm Wrote: In order to finish this module for x86 OS6 and x86 OS5 I need some info (I don't own any x86 NAS) from someone who owns one of these models
Command to run in SSH and post the results:

Hi, I would really appreciate it if you could finish this module for x86 OS5.
Here are the requested results:

Code:
root@127.0.0.1:/# cat /etc/version | awk '-F' '.' '{print $1}'
5

Code:
root@127.0.0.1:/# ps | grep httpd
3443 root       1060 S   /raid/data/module/apache/sys/bin/httpd -f /raid/data/
3444 root       1060 S   /raid/data/module/apache/sys/bin/httpd -f /raid/data/
3445 root       1360 S   /raid/data/module/apache/sys/bin/httpd -f /raid/data/
3446 root       1084 S   /raid/data/module/apache/sys/bin/httpd -f /raid/data/
3872 root        644 S   /raid/data/module/apache/sys/bin/httpd -f /raid/data/
6013 root      19720 S   /raid/data/module/apache/sys/bin/httpd -f /raid/data/
6124 root       7948 S   /raid/data/module/apache/sys/bin/httpd -f /raid/data/
6142 root      31916 S   /raid/data/module/apache/sys/bin/httpd -f /raid/data/
6143 root      35752 S   /raid/data/module/apache/sys/bin/httpd -f /raid/data/
6144 root      32200 S   /raid/data/module/apache/sys/bin/httpd -f /raid/data/
6149 root      34152 S   /raid/data/module/apache/sys/bin/httpd -f /raid/data/
6156 root      33428 S   /raid/data/module/apache/sys/bin/httpd -f /raid/data/
6181 root      34544 S   /raid/data/module/apache/sys/bin/httpd -f /raid/data/
6182 root      35384 S   /raid/data/module/apache/sys/bin/httpd -f /raid/data/
6184 root      30884 S   /raid/data/module/apache/sys/bin/httpd -f /raid/data/
6538 root      11836 S   /raid/data/module/apache/sys/bin/httpd -f /raid/data/
7064 root      11144 S   /raid/data/module/apache/sys/bin/httpd -f /raid/data/
7068 root      10348 S   /raid/data/module/apache/sys/bin/httpd -f /raid/data/
7069 root      10928 S   /raid/data/module/apache/sys/bin/httpd -f /raid/data/
7070 root      10904 S   /raid/data/module/apache/sys/bin/httpd -f /raid/data/
7237 root        716 S   /opt/apache/bin/httpd -k start
7514 root       5864 S   /opt/apache/bin/httpd -k start
7578 root       6128 S   /opt/apache/bin/httpd -k start
7580 root       6676 S   /opt/apache/bin/httpd -k start
9149 root        832 S   /raid/data/module/apache24/sys/bin/httpd -f /raid/dat
9151 root        524 S   /raid/data/module/apache24/sys/bin/httpd -f /raid/dat
9152 root        488 S   /raid/data/module/apache24/sys/bin/httpd -f /raid/dat
9153 root        488 S   /raid/data/module/apache24/sys/bin/httpd -f /raid/dat
9154 root        488 S   /raid/data/module/apache24/sys/bin/httpd -f /raid/dat
9155 root        488 S   /raid/data/module/apache24/sys/bin/httpd -f /raid/dat
10159 root        972 S   /raid/data/module/apache/sys/bin/httpd -f /raid/data/
10180 root        436 S   /raid/data/module/apache/sys/bin/httpd -f /raid/data/
10358 root      10644 S   /raid/data/module/apache/sys/bin/httpd -f /raid/data/
10362 root      10348 S   /raid/data/module/apache/sys/bin/httpd -f /raid/data/
10366 root      14716 S   /raid/data/module/apache/sys/bin/httpd -f /raid/data/
12497 root        912 S   /raid/data/module/apache/sys/bin/httpd -f /raid/data/
12555 root        424 S   /raid/data/module/apache/sys/bin/httpd -f /raid/data/
12577 root       1224 S   /raid/data/module/apache/sys/bin/httpd -f /raid/data/
12580 root       1356 S   /raid/data/module/apache/sys/bin/httpd -f /raid/data/
12581 root       1320 S   /raid/data/module/apache/sys/bin/httpd -f /raid/data/
12610 root       1324 S   /raid/data/module/apache/sys/bin/httpd -f /raid/data/
12701 root       1324 S   /raid/data/module/apache/sys/bin/httpd -f /raid/data/
13134 root      12132 S   /raid/data/module/apache/sys/bin/httpd -f /raid/data/
16173 root       6036 S   /opt/apache/bin/httpd -k start
16174 root       6564 S   /opt/apache/bin/httpd -k start
16500 root       7232 S   /opt/apache/bin/httpd -k start
17612 root       6796 S   /opt/apache/bin/httpd -k start
17902 root      31712 S   /raid/data/module/apache/sys/bin/httpd -f /raid/data/
18007 root      30920 S   /raid/data/module/apache/sys/bin/httpd -f /raid/data/
22227 root       9248 S   /raid/data/module/apache/sys/bin/httpd -f /raid/data/
22284 root        364 S   grep httpd
30185 root       5972 S   /opt/apache/bin/httpd -k start

Code:
root@127.0.0.1:/# cat /etc/httpd/conf.d/ssl.conf | grep SSLCertificateFile
cat: /etc/httpd/conf.d/ssl.conf: No such file or directory

Code:
root@127.0.0.1:/# cat /etc/httpd/conf/ssl.conf | grep SSLCertificateFile
SSLCertificateFile /opt/apache/conf/ssl.crt/server.crt
#8
I'll have a look these days
#9
added 0.13.0.2 with support for x86 OS5 (to be tested by an owner)
#10
Installation went smoothly.
However, trying to register my domain resulted in these errors:

Code:
root@127.0.0.1:/# /raid/data/module/Letsencrypt/shell/module.rc register
Traceback (most recent call last):
  File "/raid/data/module/Letsencrypt/sys/venv/bin/certbot", line 6, in <module>
    from pkg_resources import load_entry_point
  File "/raid/data/module/Letsencrypt/sys/venv/lib/python2.7/site-packages/pkg_resources/__init__.py", line 3036, in <module>
    @_call_aside
  File "/raid/data/module/Letsencrypt/sys/venv/lib/python2.7/site-packages/pkg_resources/__init__.py", line 3020, in _call_aside
    f(*args, **kwargs)
  File "/raid/data/module/Letsencrypt/sys/venv/lib/python2.7/site-packages/pkg_resources/__init__.py", line 3049, in _initialize_master_working_set
    working_set = WorkingSet._build_master()
  File "/raid/data/module/Letsencrypt/sys/venv/lib/python2.7/site-packages/pkg_resources/__init__.py", line 654, in _build_master
    ws.require(__requires__)
  File "/raid/data/module/Letsencrypt/sys/venv/lib/python2.7/site-packages/pkg_resources/__init__.py", line 968, in require
    needed = self.resolve(parse_requirements(requirements))
  File "/raid/data/module/Letsencrypt/sys/venv/lib/python2.7/site-packages/pkg_resources/__init__.py", line 854, in resolve
    raise DistributionNotFound(req, requirers)
pkg_resources.DistributionNotFound: The 'cffi>=1.4.1' distribution was not found and is required by cryptography