Set Let's Encrypt certificate for web GUI on Turris Mox (Turris OS v. 7.0.3 kernel v. 5.15.148)

I wanted to set up a Let’s Encrypt certificate for the web GUI according to the wiki - Let’s Encrypt certificate for web GUI

However, the wiki seems outdated or missing important information, as I ran into scores of errors upon running /root/.acme.sh/get_acme.sh

Is there anyone to guide me through the correct setup? I can even create a step by step guide for Turris Mox based on the information possibly provided in this thread, hopefully.
The full log is below:

# /root/.acme.sh/get_acme.sh
Warning: Option @zone[1].sentinel_dynfw is unknown
Warning: Option @zone[1].sentinel_fwlogs is unknown
Warning: Option @zone[1].sentinel_minipot is unknown
Warning: Option @zone[1].haas_proxy is unknown
Warning: Section 'turris_vpn_client' has no device, network, subnet or extra options
Warning: Section @zone[3] (tr_vpn_cl) has no device, network, subnet or extra options
 * Clearing IPv4 filter table
 * Clearing IPv4 nat table
 * Clearing IPv4 mangle table
 * Populating IPv4 filter table
   * Rule 'Allow-DHCP-Renew'
   * Rule 'Allow-Ping'
   * Rule 'Allow-IGMP'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Rule 'guest dns rule'
   * Rule 'guest dhcp rule'
   * Rule 'vpn_turris_rule'
   * Redirect 'Turris  Lets encrypt'
   * Forward 'lan' -> 'wan'
   * Forward 'tr_guest' -> 'wan'
   * Forward 'lan' -> 'tr_vpn_cl'
   * Forward 'vpn_turris' -> 'lan'
   * Forward 'lan' -> 'vpn_turris'
   * Forward 'vpn_turris' -> 'wan'
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'tr_guest'
   * Zone 'tr_vpn_cl'
   * Zone 'vpn_turris'
 * Populating IPv4 nat table
   * Redirect 'Turris  Lets encrypt'
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'tr_guest'
   * Zone 'tr_vpn_cl'
   * Zone 'vpn_turris'
 * Populating IPv4 mangle table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'tr_guest'
   * Zone 'tr_vpn_cl'
   * Zone 'vpn_turris'
 * Clearing IPv6 filter table
 * Clearing IPv6 mangle table
 * Populating IPv6 filter table
   * Rule 'Allow-DHCPv6'
   * Rule 'Allow-MLD'
   * Rule 'Allow-ICMPv6-Input'
   * Rule 'Allow-ICMPv6-Forward'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Rule 'guest dns rule'
   * Rule 'guest dhcp rule'
   * Rule #11
   * Rule #12
   * Rule #13
   * Rule 'vpn_turris_rule'
   * Forward 'lan' -> 'wan'
   * Forward 'tr_guest' -> 'wan'
   * Forward 'lan' -> 'tr_vpn_cl'
   * Forward 'vpn_turris' -> 'lan'
   * Forward 'lan' -> 'vpn_turris'
   * Forward 'vpn_turris' -> 'wan'
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'tr_guest'
   * Zone 'tr_vpn_cl'
   * Zone 'vpn_turris'
 * Populating IPv6 mangle table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'tr_guest'
   * Zone 'tr_vpn_cl'
   * Zone 'vpn_turris'
 * Set tcp_ecn to off
 * Set tcp_syncookies to on
 * Set tcp_window_scaling to on
 * Running script '/usr/libexec/sentinel/firewall.sh'
Warning: Sentinel-firewall include reordered: another firewall reload suggested!
iptables v1.8.7 (legacy): can't initialize iptables table `raw': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
ip6tables v1.8.7 (legacy): can't initialize ip6tables table `nat': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.
ip6tables v1.8.7 (legacy): can't initialize ip6tables table `raw': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.
   * Dynamic blocking on zone 'wan'
     - input
     - forward
   * Logging of zone 'wan'
     - DROP
     - REJECT
   * HaaS proxy on zone 'wan' (22 -> 2525)
   * Minipot FTP on zone 'wan' (21 -> 2133)
   * Minipot HTTP on zone 'wan' (80 -> 8033)
   * Minipot SMTP on zone 'wan' (25 -> 5873)
   * Minipot SMTP submission on zone 'wan' (587 -> 5873)
   * Minipot Telnet on zone 'wan' (23 -> 2333)
/root/.acme.sh/get_acme.sh: line 17: can't open DOMAIN: no such file
/root/.acme.sh/get_acme.sh: line 20: can't open DOMAIN: no such file
2024-10-26 10:19:24: (../src/mod_openssl.c.3141) SSL:openssl library version is outdated and has reached end-of-life.  As of 11 Sep 2023, only openssl 3.0.0 and later continue to receive security patches from openssl.org
Warning: Option @zone[1].sentinel_dynfw is unknown
Warning: Option @zone[1].sentinel_fwlogs is unknown
Warning: Option @zone[1].sentinel_minipot is unknown
Warning: Option @zone[1].haas_proxy is unknown
Warning: Section 'turris_vpn_client' has no device, network, subnet or extra options
Warning: Section @zone[3] (tr_vpn_cl) has no device, network, subnet or extra options
 * Clearing IPv4 filter table
 * Clearing IPv4 nat table
 * Clearing IPv4 mangle table
 * Populating IPv4 filter table
   * Rule 'Allow-DHCP-Renew'
   * Rule 'Allow-Ping'
   * Rule 'Allow-IGMP'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Rule 'guest dns rule'
   * Rule 'guest dhcp rule'
   * Rule 'vpn_turris_rule'
   * Forward 'lan' -> 'wan'
   * Forward 'tr_guest' -> 'wan'
   * Forward 'lan' -> 'tr_vpn_cl'
   * Forward 'vpn_turris' -> 'lan'
   * Forward 'lan' -> 'vpn_turris'
   * Forward 'vpn_turris' -> 'wan'
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'tr_guest'
   * Zone 'tr_vpn_cl'
   * Zone 'vpn_turris'
 * Populating IPv4 nat table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'tr_guest'
   * Zone 'tr_vpn_cl'
   * Zone 'vpn_turris'
 * Populating IPv4 mangle table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'tr_guest'
   * Zone 'tr_vpn_cl'
   * Zone 'vpn_turris'
 * Clearing IPv6 filter table
 * Clearing IPv6 mangle table
 * Populating IPv6 filter table
   * Rule 'Allow-DHCPv6'
   * Rule 'Allow-MLD'
   * Rule 'Allow-ICMPv6-Input'
   * Rule 'Allow-ICMPv6-Forward'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Rule 'guest dns rule'
   * Rule 'guest dhcp rule'
   * Rule #11
   * Rule #12
   * Rule #13
   * Rule 'vpn_turris_rule'
   * Forward 'lan' -> 'wan'
   * Forward 'tr_guest' -> 'wan'
   * Forward 'lan' -> 'tr_vpn_cl'
   * Forward 'vpn_turris' -> 'lan'
   * Forward 'lan' -> 'vpn_turris'
   * Forward 'vpn_turris' -> 'wan'
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'tr_guest'
   * Zone 'tr_vpn_cl'
   * Zone 'vpn_turris'
 * Populating IPv6 mangle table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'tr_guest'
   * Zone 'tr_vpn_cl'
   * Zone 'vpn_turris'
 * Set tcp_ecn to off
 * Set tcp_syncookies to on
 * Set tcp_window_scaling to on
 * Running script '/usr/libexec/sentinel/firewall.sh'
iptables v1.8.7 (legacy): can't initialize iptables table `raw': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
ip6tables v1.8.7 (legacy): can't initialize ip6tables table `nat': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.
ip6tables v1.8.7 (legacy): can't initialize ip6tables table `raw': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.
   * Dynamic blocking on zone 'wan'
     - input
     - forward
   * Logging of zone 'wan'
     - DROP
     - REJECT
   * HaaS proxy on zone 'wan' (22 -> 2525)
   * Minipot FTP on zone 'wan' (21 -> 2133)
   * Minipot HTTP on zone 'wan' (80 -> 8033)
   * Minipot SMTP on zone 'wan' (25 -> 5873)
   * Minipot SMTP submission on zone 'wan' (587 -> 5873)
   * Minipot Telnet on zone 'wan' (23 -> 2333)

Hi, this is the older wiki and is read-only. Please try this guide: Let's Encrypt on Turris Omnia - Brainfood. I tried it personally a couple of weeks ago and everything worked for me.

4 Likes

More precisely, the wiki is not read-only and it can still be edited. But it is not maintained by our team anymore.

2 Likes

Maybe this notice could be added somewhere at the top in the old wiki’s page template? I guess many people will end up there via Google or a forum link and don’t know the information is likely out-of-date.

Thanks for your suggestion. For now, I’ve added some information to the home page. And we will add such information to the template too.

2 Likes