Merge pull request #7 from subzero79/master
Certificates section, and add some corrections
votdev committed Jan 19, 2018
2 parents f1e9377 + 558c375 commit ba03f8c
Showing 4 changed files with 65 additions and 17 deletions.
45 changes: 45 additions & 0 deletions certificates.rst
@@ -0,0 +1,45 @@
Certificates
####

This section allows to create or import SSH keys or SSL certificates.

SSH (Secure Shell)
^^^^

The public/private pair keys created or imported here are for using in the rsync client (jobs) service section. Plugins can use the internal database if they want to use these keys using the ssh certificates combo class.

The key pair will be stored in the internal database, but only the public key will be available for display just by clicking edit. Not displaying the private key is basic ssh security as it never has to leave the host where it was created. The public key can be copied to clipboard or any other transport to be added to a remote server.

Add a comment as this will be appended to the public key, this is important if you need to revoke the key pair in the remote server in case the server that generated the pair is compromised.

The keys are stored beside the database in these two files:

``/etc/ssh/openmediavault-<uuid_suffix>`` --> Private key

``/etc/ssh/openmediavault-<uuid_suffix>.pub`` --> Public key

The <uuid> suffix is the internal |omv| reference number.

.. note::

The public key is not displayed in RFC 4716. In case the remote server is also |omv| based, you need to `convert <services.html#id7>`_ it the appropiate format.


SSL (Secure Socket Layer)
^^^^

The SSL certificates created or imported here can be used by the |webui| or FTP server. Plugins can also use them by adding the SSL certificate combo class. The create window has the most common SSL certificates fields. The certificate/private pair is stored in the internal database and as files in the linux standard SSL location.

Certificate file with a <uuid> suffix, which is the internal database number:

``/etc/ssl/certificates/openmediavault-<uuid>.cert``

Private key file with the same <uuid> suffix from to his certificate pair.
``/etc/ssl/private/openmediavault-<uuid>.key``

When importing existing ssl certificates make sure they are formated/converted appropiatly.

The command that creates the certificate runs in the PHP backend and is documented `here <https://github.com/openmediavault/openmediavault/blob/20ec529737e6eca2e1f98d0b3d1ade16a3c338e1/deb/openmediavault/usr/share/openmediavault/engined/rpc/certificatemgmt.inc#L234-L358>`_. This certificates are self signed, without root CA.

LetsEncrypt
LE certificates can be imported directly, just locate your ``etc/letsencrypt/live/<mydomain.com>/{cert,privkey}.pem`` files and copy their contents in their respective field. No need to convert.
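Review bot: the underlines `####` under `Certificates` and `^^^^` under `SSH (Secure Shell)` and `SSL (Secure Socket Layer)` are shorter than their titles, so Sphinx emits `WARNING: Title underline too short` for each; make each underline at least as long as the title text. `LetsEncrypt` at the end of the file has no underline at all and will render as an ordinary paragraph instead of a subsection. Wording slips to fix in the same file: `appropiate` / `appropiatly` (appropriate / appropriately), `formated` (formatted), `This certificates are self signed` (These certificates are self-signed), `from to his certificate pair` (of its certificate pair), and the path ``etc/letsencrypt/live/<mydomain.com>/{cert,privkey}.pem`` is missing its leading slash. The `convert <services.html#id7>`_ link targets an auto-generated anchor that changes whenever the headings of services.rst change; use a `:ref:` label on the target section instead. Since the text stresses that the private key never leaves the host, it would also help readers to state the owner and file mode the server creates ``/etc/ssh/openmediavault-<uuid_suffix>`` and ``/etc/ssl/private/openmediavault-<uuid>.key`` with, so they can verify the files are not readable by other local users.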
4 changes: 2 additions & 2 deletions cron.rst
Expand Up @@ -32,10 +32,10 @@ The server configures all tasks done in the |webui| creating this file ``/etc/cr
The scheduled cron time and the commands are called as script files located in this folder ``/var/lib/openmediavault/cron.d/``. All files in there are prefixed with ``username`` and the internal database uuid.
Per line is the cron time or interval, username and the command. The actual command is wrapped in a shell script located in this folder ``/var/lib/openmediavault/cron.d/``. All files in there are prefixed with ``username`` and the internal database uuid.

.. warning::
- When using a single command to be executed, make sure this does not have any bashism. This because the cron gets executed in pure shell #!/bin/sh. If you need to use something in bash wrap your command(s) in a bash script.
- When using a single command to be executed, make sure this does not have any bashism. This because the cron wrapper script gets executed in pure shell #!/bin/sh. If you need to use something in bash wrap your command(s) in a bash script.
- @hourly, @daily, @weekly and @monthly are just nicknames. If you select @daily and your computer is shutdown at midnight the task will not run [1]_.

.. [1] https://linux.die.net/man/5/crontab
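Review bot: the rewritten warning still reads `This because the cron wrapper script gets executed in pure shell #!/bin/sh`; it should be `This is because the cron wrapper script is executed by ``/bin/sh`` (its first line is ``#!/bin/sh``)`, with the shebang in an inline literal so the `#` is not read as markup. The two context lines above the warning repeat the sentence about ``/var/lib/openmediavault/cron.d/`` and the ``username``/uuid prefix almost verbatim; since this hunk already touches the paragraph, collapse them into one. Also check that the bullet items under ``.. warning::`` are indented relative to the directive in the source; if they are not, docutils reports the directive as having no content and renders the list outside the admonition box.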
1 change: 1 addition & 0 deletions index.rst
Expand Up @@ -28,6 +28,7 @@ plugins are available via the `OMV-Extras repository <http://omv-extras.org/>`_.
prerequisites
installation/index
features
certificates
ARM
services
cron
32 changes: 17 additions & 15 deletions services.rst
Expand Up @@ -181,12 +181,12 @@ Then that alias will have privileges assigned:::
By default you're not allowed to write in the when you login, this means you cannot create folders in the landing directory, you have to enter one of the shared folders. Also due to the nature of the chroot, creating top level folders is pointless since they will be actually stored in /srv/ftp and not in the media disks.

Remote Access
------------^
----

FTP is a protocol intended for use in LAN and WAN. For accessing WAN it is required to forward the server port (default 21) and the passive range to the |omv| server.

Anonymous Login
------------^^^
-----

Disabled by default, the anonymous user is mapped to the system user ftp and nogroup. There is no write access for anonymous and this is configured in the ``/etc/proftpd/proftpd.conf`` file and cannot be changed as is hard coded into the default configuration script of the server. In this case there is no environmental variable to change that behaviour::

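Review bot: replacing the malformed underlines `------------^` and `------------^^^` with `----` fixes the mixed-character problem that kept docutils from recognising these lines as section titles, but a 4-character underline under `Remote Access` and `Anonymous Login` is still shorter than the title, so Sphinx reports `Title underline too short` on each of them (the same applies to every other heading in this file whose underline is shortened to `----`). Use an underline at least as long as the title, e.g. `Remote Access` over `-------------`. Separately, the context sentence `you're not allowed to write in the when you login` is missing the noun after `in the` (the sentence later calls it the landing directory); worth fixing while this region is being edited.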
Expand All @@ -208,7 +208,7 @@ Disabled by default, the anonymous user is mapped to the system user ftp and nog


FTP(S/ES)
--------^
----
|omv| provides two SSL/TLS modes for encrypting the FTP communication implicit and explicit FTPS.

The differences and features are explained `here <https://en.wikipedia.org/wiki/FTPS>`_ and `here <http://www.jscape.com/blog/bid/75602/Understanding-Key-Differences-Between-FTP-FTPS-and-SFTP>`_.
Expand All @@ -234,13 +234,15 @@ Home Folders
What will happen here if users will log in straight into their home folders. If you add shared folders to the server they will be displayed inside the user home folder plus any other folder present in their home folder.

LetsEncrypt
TO Be added
Just import your LE certificate in the ``General->Certificates->SSL`` `section <certificates.html#ssl-secure-socket-layer>`_. Then in the TLS/SSL tab, select the imported cert from the dropdown menu. Do not enable implicit ssl. You need also to add the chain file. So in the extra option field text add:

``TLSCACertificateFile <yourpathtoLE>/etc/letsencrypt/live/<yourdomain>/chain.pem``

NFS
====

Overview
--------
----

The configuration of the server is done using the common `NFS guidelines <https://help.ubuntu.com/community/SettingUpNFSHowTo>`_. Shared folders are actually binded to the /export directory. You can check by examining the ``/etc/fstab`` file after you have added a folder to the server. All NFS server configured folders are in /etc/exports as follows:::

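Review bot: `LetsEncrypt` above the rewritten paragraph has no underline, so it renders as a plain paragraph rather than a subsection of the FTP section. The `TLSCACertificateFile` example uses `<yourpathtoLE>/etc/letsencrypt/live/<yourdomain>/chain.pem` while certificates.rst in this same PR writes the live directory as ``etc/letsencrypt/live/<mydomain.com>/``; pick one form (the standard certbot location is ``/etc/letsencrypt/live/<domain>/`` with no prefix) and use it in both files. `Do not enable implicit ssl` would be clearer with the reason stated, and the `section <certificates.html#ssl-secure-socket-layer>`_ link should use a Sphinx `:ref:` label rather than a hard-coded HTML anchor so it does not break if the heading text changes. The `----` under `Overview` is shorter than the title and triggers `Title underline too short`.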
Expand All @@ -252,7 +254,7 @@ The first two lines are examples, the last line is the NFSv4 pseudo file system.


Server Shares
------------^
----

The following options are available to configure from the |webui|:

Expand All @@ -264,7 +266,7 @@ The following options are available to configure from the |webui|:
The server also shares by default the pseudo root filesystem of /exports as NFSv4.

Clients
----^^^
----
To access NFS shares using any debian derived linux distro:

* Mount as NFSv4 all folders in ``/export/`` in ``/mnt/nfs``::
Expand All @@ -285,12 +287,12 @@ To access NFS shares using any debian derived linux distro:

Check your distro on how to proceed with different NFS versions.

NFSv4 Pseudo root filesystem
----------------------------
NFSv4 Pseudo filesystem
----
The default /export folder is shared with this default options ``ro,wdelay,root_squash,no_subtree_check,fsid=0`` only available to change via environmental variables, so be aware that mounting this path you will encounter permission problems.

Permissions
--------^^^
----
NFS relies on uid/gid matching at the remote/local filesystem and it doesn't provide any authentication/security at all. Basic security is provided by using network allow, and squash options. If you want extra security in NFS, you will need to configure it to use kerberos ticketing system.

Tips
Expand All @@ -316,7 +318,7 @@ SSH
====

Overview
--------
----
Secure shell comes disabled by default in OMV, if you install |omv| on top a Debian installation, the systemd unit will be disabled after the server packages are installed. Just login into |webui| to re-enable the ssh service.

The configuration options are minimal, But you can:
Expand Down Expand Up @@ -466,10 +468,10 @@ Destination/Source Server
.. warning::
When the rsync task is configured using ssh with PKA, the script that runs the jobs is non-interactive, this means there cannot be a neither a passphrase for the private key or a login password. Make sure your private is not created with a password (in case is imported). Also make sure the remote server can accept PKA and not enforce password login.

Authentication (remote)
**Authentication (remote)**

- **Password**: The password is for a remote rsync daemon module. Is not the username login password defined in the Rights Management section of the server. Read ahead in server tab.
- **Public Key**: Select a key. These are created/imported from ``General->Certificates->SSH``.
- **Password**: For the remote rsync daemon module. Is not the username login password defined in the Rights Management section of the server. Read ahead in server tab.
- **Public Key**: Select a key. These are created/imported from ``General->Certificates->SSH`` `section <certificates.html#ssh-secure-shell>`_.

There are options are available which are the most commonly used in rsync. At the end there is an extra text field where you add more `options <http://linux.die.net/man/1/rsync>`_.

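Review bot: `**Authentication (remote)**` turns a bare-line pseudo-heading into bold text, which is still not an RST section; the rest of this page uses underlined headings, so either underline it or use bold consistently for the other field groups in the rsync section. In the `Password` item, `Is not the username login password` needs a subject (`It is not ...`), and `Read ahead in server tab` should name or link the actual section. The `certificates.html#ssh-secure-shell` anchor matches the `SSH (Secure Shell)` title added in certificates.rst, but a `:ref:` label would survive a heading rename. In the warning context above, `Make sure your private is not created with a password` is missing `key`; and since that warning requires a passphrase-less key for non-interactive jobs, it is worth adding that the remote side should limit what that key can do (a dedicated account or a key restricted to the rsync command), because possession of the key file alone grants access.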
Expand All @@ -485,7 +487,7 @@ Modules
This is where you add shared folders to be available to the daemon. The options are explained in the module web panel. If you want to protect the modules you can select the next tab and choose a server username and establish a password. Be aware the password is only for the modules, is not the linux password. Documentation for the extra options for the modules is provided by rsyncd manual.

Configuration
The server makes the tasks run by placing them in ``/etc/cron.d/openmediavault-rsync`` one line per job. You can see the cron time at the beginning, then user (root) and target file that holds the actual rsync file with the final command. The files are stored in ``/var/lib/openmediavault/cron.d/``, prefixed with ``rsync`` and a <uuid>. A default ssh rsync job looks like this.
The server makes the tasks run by placing them in ``/etc/cron.d/openmediavault-rsync`` in one line per job. You can see the cron time at the beginning, then user (root) and target file that holds the actual rsync file with the final command. The files are stored in ``/var/lib/openmediavault/cron.d/``, prefixed with ``rsync`` and a <uuid>. A default ssh rsync job looks like this.

.. code-block:: shell
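Review bot: `placing them in ``/etc/cron.d/openmediavault-rsync`` in one line per job` doubles the preposition; `placing them in ``/etc/cron.d/openmediavault-rsync``, one line per job` reads better. In the same sentence, `target file that holds the actual rsync file with the final command` should be `the script file that holds the final rsync command`, and `A default ssh rsync job looks like this.` should end with a colon since a code block follows.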
