Topic: Help please, certificate nightmare

[groutley]

Hi, appreciate some help from the wise here,
I run sme10 uptodate with latest updates.
On Friday 17th, my cacert.org certificates expired, and users can no longer access their emails.
I went to cacert.org to renew the certs, however it seems they have major problems and the functionality is not there to renew or create new certs.
So I started looking for alternatives, I decided to install phpki-ng latest .
Install no problem at all,
I created a new cert, hoping that would solve everything,
However I suspect there are more steps, than just generating a certificate.
My research found this.. https://forums.koozali.org/index.php/topic,51297.msg260373.html#msg260373
With it being a little dated, the concept I assumed to be correct,
So I downloaded the key.pem and crt.pem files using the phpki contib.
Then copied the text of these files into the certificate manager contrib panel and saved.
Noting this appeared to creat the appropriate crt and key files in /home/e-smith/ssl.crt and ssl.key directories.
Continued with the ‘ db configuration setprop modSSL’ command as detailed in the referenced forum post.
All ran no error, the httpd -t returned no error,
So proceeded with the service restarts,
2 of them did not work ‘not found’ error, assuming due to the date of the forum entry things have changed a lot, so ran ‘signal-event post-upgrade; signal-event reboot’
My server did not come back, on checking found it sitting there wanting a password entered,
Never had this happen before, I assumed dues to the password set on the phpki certificate I created, it wanted that password, but after entering that multiple times, tried the root password, and the boot continued to logon prompt, and sever became pingable.
But now I cannot access the server-manager page or the /phpki/ca pages
I can login to ssh fortunately!
I am assuming if I run ‘signal-event certificate-revert’ I will regain web access,
 However I simply am not moving forward here..
From previously looking, at /webmail it seems the server is no longer receiving emails either!

I am hoping for some guidance on how I cleanup my mess and get email functioning again.
This server is really only used for email, and some ibay file storage over samba, but the email is the important bit.

Looking forward to your advise
  Thank you
 Glen

[ReetP]

There is a method to reset your servers self-signed certificate as well but I can't renember how.

Have a search here or on the wiki. Someone else may post it. That will get you restarted.

Then why not use letsencrypt/dehydrated, at least in the short term?

smeserver-letsencrypt

https://wiki.koozali.org/Letsencrypt

[Jean-Philippe Pialasse]

as told by John go for lets encrypt, and i bet you will never go back !
Only exception would be if you have some insurances needs behind your cert.

phpki whil it could be used for that is not the best choice as it would not be better than simply use the self signed certificate of SME.  To use it you should just delete the modSSL property pointing to your old cert.

[groutley]

Thank you for your suggestions.

I had avoided letsencrypt, as I run it on my Home Assistant, and assumed I would end up with port forwarding issues pointing to the wrong system.
But, with your suggestions, I figured push forward with it and work out the issues as I go.

It is installed,
  but when I run the tests

Code: [Select]

dehydrated -cI get...

Code: [Select]

  "type": "urn:ietf:params:acme:error:malformed",
  "detail": "Error creating new order :: Order cannot contain more than 100 DNS names",
  "status": 400
and before that it lists all of my DNS entries for every device in my house.

I set

Code: [Select]

config setprop letsencrypt configure domainsbut it still 'Processes' every DNS entry.

Any suggestions on why / how I stop it doing that?
I used to use this SME server as my DNS for the house,
however since splitting the Network into different VLANs, I now have the UniFi Router do that.
Should I delete all the Entries in SME from the legacy DNS days?

[Stefano]

Hi Glen

first of all, another HA user here

IMVHO you don't need a letsencrypt cert for each device

[groutley]

Hi Stefano,
 Thank you for your comment, and great to see another SME and HA user

When you say I don’t need a cert for each device, are you suggesting I copy the one from HA to SME?
Only concern I have with that is I use different domains.. duckdns for HA and a dyndns $$ domain for SME / email.

[Stefano]

Hi Stefano,
 Thank you for your comment, and great to see another SME and HA user

When you say I don’t need a cert for apeach device, are you suggesting I copy the one from HA to SME?
Only concern I have with that is I use different domains.. duckdns for HA and a dyndns $$ domain for SME / email.

you'd tell us more about your setup; I mean, I guess you don't have all your devices exposed to wan

in any case, I'd use SME as DNS, both for local/internal access (something like *.home.lan) and for external.

Alternatively (but keep in mind I'm not so experienced with PKI) you's use PKI for "local" devices' certificate and letsencrypt for public.
Hope you get what I mean

[groutley]

No, I don’t have all devices exposed to WAN
I have a VLAN for IOT devices and another VLAN for general user / internet access
All running on a Unifi network,
Due to the separate VLANs I found I couldn’t use the SME for dns any more and turned off that functionality and rely on the Unifi network router to be dns for both VLANs.

Earlier I posted I was failing with ‘dehydrated -c’ due to too many dns entries,
I went ahead and deleted them all (other than ‘self’ entries) on SME..
 Now dehydrated -c gets further..
But I am now getting the dreaded ‘ Invalid response / 403’ issue
Yet ‘letsdebug’ shows all is OK..

I am not winning ;-/

[Stefano]

ok, let's start posting some info about your config and some logs

[ReetP]

You have probably configured Letsencrypt to use EVERY domain and EVERY host.

You need to specify JUST the hosts and domain/s that you require.

https://wiki.koozali.org/Letsencrypt#Step_by_step_configuration

You can obtain a certificate for either of the following: all domains, all hostnames, or all domains AND hostnames.

Only set one of the following.

config setprop letsencrypt configure domains
config setprop letsencrypt configure hosts
config setprop letsencrypt configure all

To use individually enabled hosts or domains leave the default none.

config setprop letsencrypt configure none

So set:

Code: [Select]

config setprop letsencrypt configure none
and then

Per host:

Code: [Select]

db hosts setprop $HOSTNAME letsencryptSSLcert enabled
Per domain

Code: [Select]

db domains setprop $DOMAIN letsencryptSSLcert enabled
Make sure you run test mode first!!

https://wiki.koozali.org/Letsencrypt#Enable_test_mode

When you are happy then:

https://wiki.koozali.org/Letsencrypt#Enable_Production_Mode

[groutley]

ok, let's start posting some info about your config and some logs

Thank you all for your patience and assistance, I just cannot get my head around how this works, (should work).
 I have been following the step by step process and definitely been in test mode.

Following ReetP instructions….

I previosly was attempting to create the cert with my $DOMAIN,
But after reading https://forums.koozali.org/index.php/topic,52028.msg266631.html#msg266631
I decided to just go with ‘www.xxxxx.homeip.net’
(I will have to reconfigure email clients pointing to mail.xxxxx.homeip.net, but if it is going to work….)
So I changed the db domains to be disabled… I hope that would be the correct thing todo?

Code: [Select]


************ Welcome to SME Server 10.1 *

[root@l1nuxsvr ~]# config setprop letsencrypt configure none
[root@l1nuxsvr ~]# db hosts setprop www.xxxxx.homeip.net letsencryptSSLcert enabled
[root@l1nuxsvr ~]# db domains setprop xxxxx.homeip.net letsencryptSSLcert disabled
[root@l1nuxsvr ~]# config setprop letsencrypt status enabled
[root@l1nuxsvr ~]# signal-event console-save
[root@l1nuxsvr ~]# dehydrated -c
# INFO: Using main config file /etc/dehydrated/config
+ Generating account key...
+ Registering account key with ACME server...
+ Fetching account URL...
Processing ftp.xxxxx.homeip.net with alternative names: mail.xxxxx.homeip.net smtp.xxxxx.homeip.net www.xxxxx.homeip.net
 + Creating new directory /etc/dehydrated/certs/ftp.xxxxx.homeip.net ...
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 4 authorizations URLs from the CA
 + Handling authorization for ftp.xxxxx.homeip.net
 + Handling authorization for mail.xxxxx.homeip.net
 + Handling authorization for smtp.xxxxx.homeip.net
 + Handling authorization for www.xxxxx.homeip.net
 + 4 pending challenge(s)
 + Deploying challenge tokens...
 + Responding to challenge for ftp.xxxxx.homeip.net authorization...
 + Cleaning challenge tokens...
 + Challenge validation has failed :(
ERROR: Challenge is invalid! (returned: invalid) (result: ["type"]      "http-01"
["status"]      "invalid"
["error","type"]        "urn:ietf:params:acme:error:unauthorized"
["error","detail"]      "1.1.5.19: Invalid response from http://ftp.xxxxx.homeip.net/.well-known/acme-challenge/vDOl6pLFkd2P5Pw37_3FxxnkGY7M_HtCPRECaERXioo: 403"
["error","status"]      403
["error"]       {"type":"urn:ietf:params:acme:error:unauthorized","detail":"1.1.5.19: Invalid response from http://ftp.xxxxx.homeip.net/.well-known/acme-challenge/vDOl6pLFkd2P5Pw37_3FxxnkGY7M_HtCPRECaERXioo: 403","status":403}
["url"] "https://acme-v02.api.letsencrypt.org/acme/chall-v3/285819578896/h2X95g"
["token"]       "vDOl6pLFkd2P5Pw37_3FxxnkGY7M_HtCPRECaERXioo"
["validationRecord",0,"url"]    "http://ftp.xxxxx.homeip.net/.well-known/acme-challenge/vDOl6pLFkd2P5Pw37_3FxxnkGY7M_HtCPRECaERXioo"
["validationRecord",0,"hostname"]       "ftp.xxxxx.homeip.net"
["validationRecord",0,"port"]   "80"
["validationRecord",0,"addressesResolved",0]    "1.1.5.19"
["validationRecord",0,"addressesResolved"]      ["1.1.5.19"]
["validationRecord",0,"addressUsed"]    "1.1.5.19"
["validationRecord",0]  {"url":"http://ftp.xxxxx.homeip.net/.well-known/acme-challenge/vDOl6pLFkd2P5Pw37_3FxxnkGY7M_HtCPRECaERXioo","hostname":"ftp.xxxxx.homeip.net","port":"80","addressesResolved":["1.1.5.19"],"addressUsed":"1.1.5.19"}
["validationRecord"]    [{"url":"http://ftp.xxxxx.homeip.net/.well-known/acme-challenge/vDOl6pLFkd2P5Pw37_3FxxnkGY7M_HtCPRECaERXioo","hostname":"ftp.xxxxxx.homeip.net","port":"80","addressesResolved":["1.1.5.19"],"addressUsed":"1.1.5.19"}]
["validated"]   "2023-11-20T21:14:53Z")
[root@l1nuxsvr ~]#

Note I redacted the IP address and domain name, but the IP is correctly resoving to my public address.

So it is still picking up the ‘self’ entries in SME hostnames.. should I delete those entries also?

[ReetP]

Bit hard to tell when stuff is obfuscated but this gives a clue:

["error","detail"]      "1.1.5.19: Invalid response from http://ftp.xxxxx.homeip.net/.well-known/acme-challenge/vDOl6pLFkd2P5Pw37_3FxxnkGY7M_HtCPRECaERXioo: 403"

["error"]       {"type":"urn:ietf:params:acme:error:unauthorized","detail":"1.1.5.19: Invalid response from http://ftp.xxxxx.homeip.net/.well-known/acme-challenge/vDOl6pLFkd2P5Pw37_3FxxnkGY7M_HtCPRECaERXioo: 403","status":403}

Are you on a sub domain or something odd?

Creating new directory /etc/dehydrated/certs/ftp.xxxxx.homeip.net ...

I'd expect it to say this:

xxxxx.homeip.net

Not:

ftp.xxxxx.homeip.net

I'd start with:

configure none

Now individually configure JUST the following. Make sure all other domains & hosts are disabled.

Domain
xxxxx.homeip.netetsencrypt letsencryptSSLcert enabled

Host
www.xxxxx.homeip.net letsencryptSSLcert enabled

console-save then check

Code: [Select]

cat/etc/dehydrated/domains.txt
It should ONLY have the one domain and one host as above.

Make sure you can access the directory with a browser:

http://xxxxx.homeip.net/.well-known/acme-challenge

And

http://www.xxxxx.homeip.net/.well-known/acme-challenge

Now run test mode.

Beyond that we need to see some actual detail:

db domains show
db hosts show

(Sorry I've ommitted full commands but am on mobile. Check with wiki)

[Jean-Philippe Pialasse]

grep www /etc/group
probably hit by bug https://bugs.koozali.org/show_bug.cgi?id=12146

[groutley]

grep www /etc/group
probably hit by bug https://bugs.koozali.org/show_bug.cgi?id=12146

[root@l1nuxsvr ~]# grep www /etc/group
shared:x:500:admin,administrator,dani,groutley,jo,john,jowork,matt,mattorrents,music,public,sofia,torrents,www,zenphoto
www:x:102:admin,apache,www
thefam:x:5003:admin,dani,groutley,jo,matt,www
routley:x:5004:admin,dani,groutley,jo,matt,www
kids:x:5005:admin,dani,matt,www
parents:x:5014:admin,groutley,jo,www
mattonly:x:5021:admin,matt,mattorrents,www
danir:x:5024:admin,dani,groutley,jo,www
mattr:x:5025:admin,groutley,jo,matt,www

Not sure I follow the Bug to understand the concern.

[groutley]

Bit hard to tell when stuff is obfuscated

Sorry about that, I assumed best for privacy..  but I will paste complete outputs now.

Are you on a sub domain or something odd?

No, not that I am aware of,  my SME is directly cabled to the Router to the Internet, and is using dyndns plugin to refresh the DNS entry
for the domain 'routley.homeip.net'

cat /etc/dehydrated/domains.txt

ftp.routley.homeip.net l1nuxsvr.routley.homeip.net mail.routley.homeip.net proxy.routley.homeip.net wpad.routley.homeip.net www.routley.homeip.net
[root@l1nuxsvr ~]# config setprop letsencrypt configure none
[root@l1nuxsvr ~]# cat /etc/dehydrated/domains.txt
ftp.routley.homeip.net l1nuxsvr.routley.homeip.net mail.routley.homeip.net proxy.routley.homeip.net wpad.routley.homeip.net www.routley.homeip.net

db domains show

routley.homeip.net=domain
    Content=Primary
    Description=internet
    Nameservers=localhost
    Removable=no
    SystemPrimaryDomain=yes
    letsencryptSSLcert=disabled

db hosts show

ftp.routley.homeip.net=host
    ExternalIP=
    HostType=Self
    InternalIP=
    MACAddress=
l1nuxsvr.routley.homeip.net=host
    ExternalIP=
    HostType=Self
    InternalIP=
    MACAddress=
    ReverseDNS=yes
    static=yes
mail.routley.homeip.net=host
    ExternalIP=
    HostType=Self
    InternalIP=
    MACAddress=
proxy.routley.homeip.net=host
    ExternalIP=
    HostType=Self
    InternalIP=
    MACAddress=
wpad.routley.homeip.net=host
    ExternalIP=
    HostType=Self
    InternalIP=
    MACAddress=
www.routley.homeip.net=host
    ExternalIP=
    HostType=Self
    InternalIP=
    MACAddress=
    letsencryptSSLcert=enabled

config setprop letsencrypt configure none
signal-event console-save

cat /etc/dehydrated/domains.txt

www.routley.homeip.net

Looking a bit better? only the www host?

Proceed with the setup per your advice.....

[root@l1nuxsvr ~]# db domains setprop routley.homeip.net letsencryptSSLcert enabled
[root@l1nuxsvr ~]# db hosts setprop www.routley.homeip.net letsencryptSSLcert enabled
[root@l1nuxsvr ~]# signal-event console-save
[root@l1nuxsvr ~]# cat /etc/dehydrated/domains.txt
routley.homeip.net www.routley.homeip.net

Looks good, as you suggest, it only has one host and one domain

However:
http://routley.homeip.net/.well-known/acme-challenge

gives:
Forbidden

You don't have permission to access /.well-known/acme-challenge on this server.

http://www.routley.homeip.net/.well-known/acme-challenge
also gives the same 'Forbidden'

Also on the local network, http://192.168.37.251/.well-known/acme-challenge
Gives the same Forbidden, so it is the server, not the network access to it.

So no point in proceeding to Test…
 So why is it not serving this url?

Both Port 80 and 443 are port forwarded on my router to the respective ports on destination IP '192.168.37.1' which is the SME Server IP address. (these ports are normally portforwarded to my Home Assistant Server, but not for the time being while I try to get this working).


/var/log/httpd/access_log shows:

routley.homeip.net 192.168.38.49 - - [21/Nov/2023:18:44:39 +1100] "GET /.well-known/acme-challenge HTTP/1.1" 403 228 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.2 Safari/605.1.15"
routley.homeip.net 192.168.38.49 - - [21/Nov/2023:18:44:40 +1100] "GET /favicon.ico HTTP/1.1" 403 213 "http://192.168.37.251/.well-known/acme-challenge" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.2 Safari/605.1.15"


Permissions:
root@l1nuxsvr ~]# cd /home/e-smith/files/ibays/Primary/
[root@l1nuxsvr Primary]# ls -la
total 20
drwxr-xr-x 5 root  root   4096 Jan  3  2013 .
drwxr-xr-x 7 root  root   4096 Oct  1  2020 ..
drwxr-s--- 2 admin shared 4096 Jan  3  2013 cgi-bin
drwxr-s--- 5 admin shared 4096 May 26  2013 files
drwxr-s--- 3 admin shared 4096 Sep 21  2020 html
[root@l1nuxsvr Primary]# ls -la html/
total 16
drwxr-s--- 3 admin  shared 4096 Sep 21  2020 .
drwxr-xr-x 5 root   root   4096 Jan  3  2013 ..
-rw-r----- 1 admin  shared  202 Nov 21  2005 index.htm
drwxrwsr-x 3 apache shared 4096 Sep 21  2020 .well-known
[root@l1nuxsvr Primary]# cd html/.well-known/
[root@l1nuxsvr .well-known]# ls -la
total 12
drwxrwsr-x 3 apache shared 4096 Sep 21  2020 .
drwxr-s--- 3 admin  shared 4096 Sep 21  2020 ..
drwxrwsr-x 2 apache shared 4096 Nov 21 18:19 acme-challenge
[root@l1nuxsvr .well-known]# cd acme-challenge/
[root@l1nuxsvr acme-challenge]# ls -la
total 8
drwxrwsr-x 2 apache shared 4096 Nov 21 18:19 .
drwxrwsr-x 3 apache shared 4096 Sep 21  2020 ..
[root@l1nuxsvr acme-challenge]#

[groutley]

Aditional note. Not sure if it makes a difference, SME is in ‘Server only’ mode

[ReetP]

Ok, more useful then thanks.

Server only - most of mine are so no issues there if you have forwarding set up correctly.

I'm out at the minute & back later. Will take a look then but the issue is accessing that URL which is what letsencrypt needs to do.

Make sure you've done signal-event webapps-update or post-upgrade/reboot so your httpd conf is expanded correctly.

[groutley]

I'm out at the minute & back later. Will take a look then but the issue is accessing that URL which is what letsencrypt needs to do.

Make sure you've done signal-event webapps-update or post-upgrade/reboot so your httpd conf is expanded correctly.

I have just run both
signal-event webapps-update
As well as
Signal-event post-upgrade; signal-event reboot

Just to be sure,but no change to the ‘Forbidden’ when trying the
http://192.168.37.251/.well-known/acme-challenge/

[Jean-Philippe Pialasse]

[root@l1nuxsvr ~]# grep www /etc/group
shared:x:500:admin,administrator,dani,groutley,jo,john,jowork,matt,mattorrents,music,public,sofia,torrents,www,zenphoto
www:x:102:admin,apache,www
thefam:x:5003:admin,dani,groutley,jo,matt,www
routley:x:5004:admin,dani,groutley,jo,matt,www
kids:x:5005:admin,dani,matt,www
parents:x:5014:admin,groutley,jo,www
mattonly:x:5021:admin,matt,mattorrents,www
danir:x:5024:admin,dani,groutley,jo,www
mattr:x:5025:admin,groutley,jo,matt,www

Not sure I follow the Bug to understand the concern.

no this is not this bug.  you have something else creating the 403 error.

check your httpd error log

[groutley]

check your httpd error log

[Wed Nov 22 05:03:53.723386 2023] [core:error] [pid 8516] [client 197.210.85.168:17201] AH00037: Symbolic link not allowed or link target not accessible: /home/e-smith/files/ibays/Primary
[Wed Nov 22 05:12:12.001911 2023] [core:error] [pid 8507] [client 67.217.57.54:40926] AH00037: Symbolic link not allowed or link target not accessible: /home/e-smith/files/ibays/Primary
[Wed Nov 22 05:16:18.993221 2023] [core:error] [pid 8513] [client 117.62.218.192:46226] AH00037: Symbolic link not allowed or link target not accessible: /home/e-smith/files/ibays/Primary, referer: https://easyseo.s-nac.com
[Wed Nov 22 05:40:37.975857 2023] [core:error] [pid 8511] [client 207.246.109.61:59348] AH00037: Symbolic link not allowed or link target not accessible: /home/e-smith/files/ibays/Primary, referer: www.google.com
[Wed Nov 22 05:51:00.732684 2023] [core:error] [pid 8510] [client 192.168.38.49:56374] AH00037: Symbolic link not allowed or link target not accessible: /home/e-smith/files/ibays/Primary


Ok.. so yes, I have my ibays on a separate RAID array to the system /boot SSD.
And history of the server is I replaced the boot drive with an SSD and clean installed SME10 on it and then added the RAID array and pointed the ibays to that, as I was unable to ‘upgrade’ from the previous SME8.
Is there something I need to do to fix the symlink permission?


root@l1nuxsvr ibays]# cd /home/e-smith/files/ibays/
[root@l1nuxsvr ibays]# ls -la
total 0
drwxr-xr-x. 7 root root 112 Apr  2  2023 .
drwxr-xr-x. 8 root root  98 Feb  1  2013 ..
drwxr-xr-x  6 root root  67 Oct 24  2010 jowork
drwxr-xr-x  6 root root  67 Dec 24  2011 mattorrents
lrwxrwxrwx  1 root root  22 Oct 15  2021 music -> /mnt/music/ibays/music
lrwxrwxrwx  1 root root  23 Nov 14  2021 Primary -> /mnt/1TB/ibays/Primary/
drwxr-xr-x  6 root root  67 May 13  2014 sofia
drwxr-xr-x  6 root root  67 Feb 27  2011 torrents
drwxr-xr-x  6 root root  67 Feb  7  2013 zenphoto
[root@l1nuxsvr ibays]#

[ReetP]

[Wed Nov 22 05:12:12.001911 2023] [core:error] [pid 8507] [client 67.217.57.54:40926] AH00037: Symbolic link not allowed or link target not accessible: /home/e-smith/files/ibays/Primary

May well be it.

Ok.. so yes, I have my ibays on a separate RAID array to the system /boot SSD.
And history of the server is I replaced the boot drive with an SSD and clean installed SME10 on it and then added the RAID array and pointed the ibays to that, as I was unable to ‘upgrade’ from the previous SME8.
Is there something I need to do to fix the symlink permission?

Ah OK. Probably.

I have similar setups on most of my servers now but with no issues

Supply the output of the each of the following commands please:

Code: [Select]

cat /etc fstab
cat /etc/mtab
/sbin/e-smith/audittools/newrpm
/sbin/e-smith/audittools/templates


[groutley]

Supply the output of the each of the following commands please:

Code: [Select]

cat /etc fstab
cat /etc/mtab
/sbin/e-smith/audittools/newrpm
/sbin/e-smith/audittools/templates


cat /etc fstab

[root@l1nuxsvr ibays]# cat /etc/fstab
#------------------------------------------------------------
# BE CAREFUL WHEN MODIFYING THIS FILE! It is updated automatically
# by the SME server software. A few entries are updated during
# the template processing of the file and white space is removed,
# but otherwise changes to the file are preserved.
# For more information, see http://www.e-smith.org/custom/ and
# the template fragments in /etc/e-smith/templates/etc/fstab/.
#
# copyright (C) 2002 Mitel Networks Corporation
#------------------------------------------------------------
#
# /etc/fstab
# Created by anaconda on Sun Oct 24 23:03:39 2021
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(, mount( and/or blkid( for more info
#
UUID=f954c4cf-7717-406b-89b3-b8d2cf65f616 /                       xfs     uquota,gquota   0 0
UUID=13ca4949-b311-4803-b928-bc6393a4d939 /boot                   xfs     defaults        0 0
UUID=e12b6f25-fd55-4030-be94-a0689f50a96a /home                   xfs     defaults        0 0
UUID=fb0953e0-e59f-446c-8150-38fd05143966 swap                    swap    defaults        0 0
/dev/sdc1                                 /var/affa               ext3    usrquota,grpquota 1 0
/dev/sdd1                                 /mnt/music              ext3    usrquota,grpquota 1 0
/dev/md127                                /mnt/1TB                ext4    defaults        1 2
[root@l1nuxsvr ibays]#

cat /etc/mtab

root@l1nuxsvr ibays]# cat /etc/mtab
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
devtmpfs /dev devtmpfs rw,nosuid,size=4046676k,nr_inodes=1011669,mode=755 0 0
securityfs /sys/kernel/security securityfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
tmpfs /sys/fs/cgroup tmpfs ro,nosuid,nodev,noexec,mode=755 0 0
cgroup /sys/fs/cgroup/systemd cgroup rw,nosuid,nodev,noexec,relatime,xattr,release_agent=/usr/lib/systemd/systemd-cgroups-agent,name=systemd 0 0
pstore /sys/fs/pstore pstore rw,nosuid,nodev,noexec,relatime 0 0
cgroup /sys/fs/cgroup/pids cgroup rw,nosuid,nodev,noexec,relatime,pids 0 0
cgroup /sys/fs/cgroup/cpu,cpuacct cgroup rw,nosuid,nodev,noexec,relatime,cpuacct,cpu 0 0
cgroup /sys/fs/cgroup/hugetlb cgroup rw,nosuid,nodev,noexec,relatime,hugetlb 0 0
cgroup /sys/fs/cgroup/net_cls,net_prio cgroup rw,nosuid,nodev,noexec,relatime,net_prio,net_cls 0 0
cgroup /sys/fs/cgroup/cpuset cgroup rw,nosuid,nodev,noexec,relatime,cpuset 0 0
cgroup /sys/fs/cgroup/perf_event cgroup rw,nosuid,nodev,noexec,relatime,perf_event 0 0
cgroup /sys/fs/cgroup/memory cgroup rw,nosuid,nodev,noexec,relatime,memory 0 0
cgroup /sys/fs/cgroup/blkio cgroup rw,nosuid,nodev,noexec,relatime,blkio 0 0
cgroup /sys/fs/cgroup/freezer cgroup rw,nosuid,nodev,noexec,relatime,freezer 0 0
cgroup /sys/fs/cgroup/devices cgroup rw,nosuid,nodev,noexec,relatime,devices 0 0
configfs /sys/kernel/config configfs rw,relatime 0 0
/dev/sda3 / xfs rw,relatime,attr2,inode64,usrquota,prjquota 0 0
debugfs /sys/kernel/debug debugfs rw,relatime 0 0
systemd-1 /proc/sys/fs/binfmt_misc autofs rw,relatime,fd=31,pgrp=1,timeout=0,minproto=5,maxproto=5,direct,pipe_ino=12731 0 0
hugetlbfs /dev/hugepages hugetlbfs rw,relatime 0 0
mqueue /dev/mqueue mqueue rw,relatime 0 0
nfsd /proc/fs/nfsd nfsd rw,relatime 0 0
/dev/sda1 /boot xfs rw,relatime,attr2,inode64,noquota 0 0
/dev/sda5 /home xfs rw,relatime,attr2,inode64,noquota 0 0
/dev/sdc1 /var/affa ext3 rw,relatime,quota,usrquota,grpquota,data=ordered 0 0
/dev/sdd1 /mnt/music ext3 rw,relatime,quota,usrquota,grpquota,data=ordered 0 0
/dev/md127 /mnt/1TB ext4 rw,relatime,data=ordered 0 0
sunrpc /var/lib/nfs/rpc_pipefs rpc_pipefs rw,relatime 0 0
fusectl /sys/fs/fuse/connections fusectl rw,relatime 0 0
tmpfs /run/user/0 tmpfs rw,nosuid,nodev,relatime,size=811156k,mode=700 0 0
[root@l1nuxsvr ibays]#

/sbin/e-smith/audittools/newrpm

root@l1nuxsvr audittools]# /sbin/e-smith/audittools/newrpms
Loaded plugins: fastestmirror, post-transaction-actions, priorities, smeserver
Loading mirror speeds from cached hostfile
 * base: ftp.swin.edu.au
 * smeaddons: ibsgaarden.dk
 * smeos: ibsgaarden.dk
 * smeupdates: ibsgaarden.dk
 * updates: ftp.swin.edu.au
Extra Packages
GeoIP.x86_64                    1.6.12-9.el7.sme        @smecontribs           
GeoIP-GeoLite-data.noarch       2018.06-7.el7.sme       @smecontribs           
GeoIP-GeoLite-data-extra.noarch 2018.06-7.el7.sme       @smecontribs           
fail2ban-sendmail.noarch        0.11.2-3.el7            @smecontribs           
fail2ban-server.noarch          0.11.2-3.el7            @smecontribs           
hddtemp.x86_64                  0.3-0.31.beta15.el7     @smecontribs           
kmod-r8168.x86_64               8.049.02-1.el7_9.elrepo @/kmod-r8168-8.049.02-1.el7_9.elrepo.x86_64
linux_logo.x86_64               5.11-7.el7              @smecontribs           
openvpn.x86_64                  2.4.12-1.el7            @smecontribs           
perl-Data-Validate-IP.noarch    0.27-13.el7             @smecontribs           
phpMyAdmin.noarch               5.1.0-1.el7.sme         @smecontribs           
phpki-ng.noarch                 0.84-16.el7.sme         @smecontribs           
pkcs11-helper.x86_64            1.11-3.el7              @smecontribs           
smeserver-certificate.noarch    0.0.4-13.el7.sme        @smecontribs           
smeserver-dovecot-extras.noarch 0.1.6-8.el7.sme         @smecontribs           
smeserver-fail2ban.noarch       9:0.1.18-30.el7.sme     @smecontribs           
smeserver-hwinfo.noarch         1.2-5.el7.sme           @smecontribs           
smeserver-learn.noarch          1.0-16.el7.sme          @smecontribs           
smeserver-phpki-ng.noarch       0.3-22.el7.sme          @smecontribs           
smeserver-phpmyadmin.noarch     4.0.10.2-13.el7.sme     @smecontribs           
smeserver-pxe.noarch            0.1-4.el7.sme           @smecontribs           
smeserver-smeadmin.noarch       1.6-10.el7.sme          @smecontribs           
smeserver-tftp-server.noarch    1.2-12.el7.sme          @smecontribs           
smeserver-thinclient.noarch     2.2-3.el7.sme           @smecontribs           
[root@l1nuxsvr audittools]#

/sbin/e-smith/audittools/templates

root@l1nuxsvr audittools]# /sbin/e-smith/audittools/templates
/etc/e-smith/templates-custom/etc/yum.conf/10main_installonlypkgs: MANUALLY_ADDED, ADDITION
/etc/e-smith/templates-custom/etc/rc.d/init.d/masq/40DenyMulticast: MANUALLY_ADDED, OVERRIDE
/etc/e-smith/templates-custom/etc/hosts.allow/sshd: MANUALLY_ADDED, OVERRIDE
/etc/e-smith/templates-custom/etc/sysconfig/syslog/90AllowRemoteSyslog: MANUALLY_ADDED, ADDITION
/etc/e-smith/templates-custom/etc/resolv.conf/10domain: MANUALLY_ADDED, OVERRIDE
/etc/e-smith/templates-custom/etc/resolv.conf/30timeout: MANUALLY_ADDED, OVERRIDE
/etc/e-smith/templates-custom/etc/resolv.conf/25nameserver: MANUALLY_ADDED, OVERRIDE
[root@l1nuxsvr audittools]#

[ReetP]

OK - thanks and well done.

Well amongst other questionable bits in there (templates?) I think the symlinks are the issue.

Here's my fstab. The old ibays are on vdb3 and it is not a RAID array as this is a Proxmox VM. But the same principle applies.

Need to lose your symlinks and then mount the old dirs into the file structure.

/

Code: [Select]

# My root LVM
/dev/mapper/main-root   /                       xfs     uquota,gquota        0 0
UUID=b143846e-27a4-4b7a-b07c-05c8cd55fa10 /boot                   xfs     defaults        0 0
#My swap
/dev/mapper/main-swap   swap                    swap    defaults        0 0
#BLKID for the partition
UUID=85d40fa6-8e7b-41b4-be8c-566813997c82 /mnt/vdb3 ext4 defaults 0 0
# Mount the dirs to the right place.
/mnt/vdb3/home/e-smith/files/ibays /home/e-smith/files/ibays ext4 bind,uquota,gquota,noatime 0 0
/mnt/vdb3/home/e-smith/files/users /home/e-smith/files/users ext4 bind,uquota,gquota,noatime 0 0

You might need something a bit different at the BLKID part. JP will probably fill in some more.

[Jean-Philippe Pialasse]

symlink are the issue. 
the lig says it.

if you want to point your ibay to another drive you need to use mount and fstab.
symlink are ddactivated cor security reason in most web orientes services. eg httpd and proftpd. you can enable them in specific situations knowing the risk, but what you do has two secure alternatives

- mount disk to /home/e-smith/files/ibays
- mount diak elsewhare then mount bind every folder needed to an ibay path

[groutley]

Thank you to you both!

I have progressed !
I made a mess of the stab a few times and SME would only boot to recovery mode,
but looks like I got it right finally, however now I have to move a lot of the bay data as it has ended up nested
i.e. /home/e-smith/files/ibays/ibays/xxx
So I have fixed the Primary bay, and....

Code: [Select]

[root@l1nuxsvr ~]# dehydrated -c
# INFO: Using main config file /etc/dehydrated/config
Processing routley.homeip.net with alternative names: www.routley.homeip.net
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 2 authorizations URLs from the CA
 + Handling authorization for www.routley.homeip.net
 + Handling authorization for routley.homeip.net
 + 2 pending challenge(s)
 + Deploying challenge tokens...
 + Responding to challenge for www.routley.homeip.net authorization...
 + Challenge is valid!
 + Responding to challenge for routley.homeip.net authorization...
 + Challenge is valid!
 + Cleaning challenge tokens...
 + Requesting certificate...
 + Order is processing...
 + Checking certificate...
 + Done!
 + Creating fullchain.pem...
Set up modSSL db keys
Signal events
All complete
 + Done!
Now to make it live !!
  Stay tuned....

[groutley]

Looking good !
 in Production mode, and reconfiguring email clients to remove the 'smtp and mail.' addresses and replace with 'www.'
once done email starts flowing

I still have a lot of file moving to sort out the ibays, but that I can manage.

I do need to work out how I will manage 2 different servers using lets encrypt, and how I port forward to both, but that is another challenge.
Thank you so much for your patience and assistance.
 

[ReetP]

Looking good !
 in Production mode, and reconfiguring email clients to remove the 'smtp and mail.' addresses and replace with 'www.'
once done email starts flowing

Cool.

So setup/add your smtp/imap hosts correctly and get certificates for them as well.

Same drill. Add them, console-save then dehydrated -c -x to force renewal.

I do need to work out how I will manage 2 different servers using lets encrypt, and how I port forward to both, but that is another challenge.

That is trickier. Letsencrypt will only contact 80 or 443 and you can only run one server on each port. (There are some fancier methods but we do not manage them)

So you might have to get all the certificates for hosts/domains that you require on your SME and then use a hook script to copy the certificates to the other server.

There are basic templates there which you can add too.

Look in /etc/e-smith/templates/usr/bin/hook-script.sh

Add your own in:

/etc/e-smith/templates-custom/usr/bin/hook-script.sh

Here's one of my templates - I have media.mydomain.com running on 8440 and ubiquiti.mydomain.com on 8441

Code: [Select]

{
# Probably not required but I was faffing and testing
    use strict;
    use warnings;
    use esmith::ConfigDB;

    my $configDB = esmith::ConfigDB->open_ro or die("can't open Config DB");
    my $letsencryptStatus = $configDB->get_prop( 'letsencrypt', 'status' ) || 'disabled';
# To here

# For Testing
#    $OUT .= "    echo \"\$2 certificate renewal\\n 1 \$1 3 \$3 4 \$4 5 \$5 6 \$6\" | mail -s \"Certificate renewals\" admin\@impamark.com\n\n";

# Notes from here https://gist.github.com/jrotello/18ab3e1982d46b04a269dfbc63aa097f
# https://www.werts.nl/ssl-certificate-installation-on-the-ubiquiti-unifi-controller-linux/

    if ( $letsencryptStatus ne 'disabled' ) {

        $OUT .=<<'_EOF';


    if [ $1 = "deploy_cert" ]; then
            KEY=$3
            CERT=$4
            CHAIN=$6
            scp -P 22 $CERT root@192.168.10.191://etc/dehydrated/certs/mydomain.net/cert.pem
            scp -P 22 $KEY root@192.168.10.191://etc/dehydrated/certs/mydomain.net/privkey.pem
            scp -P 22 $CHAIN root@192.168.10.191://etc/dehydrated/certs/mydomain.net/chain.pem
            scp -P 22 /etc/dehydrated/certs/mydomain.net/fullchain.pem root@192.168.10.191:/etc/dehydrated/certs/mydomain.net/fullchain.pem
            ssh -p 22 root@192.168.10.191 "/usr/bin/systemctl restart jellyfin"
            ssh -p 22 root@192.168.10.191 "/root/scripts/unifi_ssl_import.sh"

            echo "ubuntu-media  $2 certificate renewed\n 1 $1 3 $3 4 $4 5 $5 6 $6" | mail -s "Certificate renewal ubuntu-media" admin@mydomain.net
    fi

_EOF
    }
}


[groutley]

Thanks for that info..
 I’ll dable with the hook-script later..
 For now I tried adding the additional hosts mail and smtp ,
It took mail, but for some reason will not add smtp?

Code: [Select]

root@l1nuxsvr ~]# cat /etc/dehydrated/domains.txt
routley.homeip.net mail.routley.homeip.net www.routley.homeip.net
[root@l1nuxsvr ~]# db hosts setprop smtp.routley.homeip.net letsencryptSSLcert enabled
[root@l1nuxsvr ~]# signal-event console-save
[root@l1nuxsvr ~]# cat /etc/dehydrated/domains.txt
routley.homeip.net mail.routley.homeip.net www.routley.homeip.net
[root@l1nuxsvr ~]#
Of course when I ran dehydrated -c -x it generated the new cert only adding mail. To it..

[ReetP]

First, smtp. Check your spelling of the letsencryptssl key (and your message log)

Second, there is a reason for test mode.... Don't get rate limited.

[groutley]

Second, there is a reason for test mode.... Don't get rate limited.

Good point! Thank you,  I’ll check the logs

[groutley]

Wow.. I struggled all day to understand why it would not add enable ‘letsencryptSSLcert’ for host ‘smtp’.
I couldnt see anything in the logs that came close to suggesting an issue when the console-save ran.
There was no typo.. couldnt be.. I had recalled the previous command that successfully did this for ‘mail’ and all I had changed was ‘mail’ to ‘smtp’..
 This evening I had a mic drop moment!
I looked at ‘db hosts show’ and it did not have a ‘smtp’ host..
So a few days ago, I went and deleted all the hostnames, including the ‘smtp’ hostname..
Now I overlooked this, because SME recreated most of the ‘self’ alias hostnames itself.
But apparently ‘smtp’ is not one of them, and must be one I created many many years ago, on probably SME3 or 4!
Would you believe, when I added the hostname, the db setprop hosts command then successfully added the ‘letsencryptSSLcert’ propert.. and after the console save the ‘/etc/dehydrated/domains.txt’
Showed the ‘smtp’ host and the dehydrated -c successfully updated the cert with that host !
Yay!
Thank you for all your help and expertise, your help has been invaluable in getting this sorted for me.
 Thank you, thank you thank you.. merci.. I just cannot say it enough.

[ReetP]

Fab and glad you got it sorted. 

Well done for being patient and supplying the requested info.

One thing to consider - not just for you but anyone else following this - is that when you have issues, document things as best you can right at the start. (trying to educate here, not criticise!!)

If you read back here you can see the sort of info we requested and it is probably all quite obvious now! If some of it had been provided right at the start it would have probably shortened the debug process.

I did write this some while ago and worth a read to understand the methods. The 'Documenting things' is the real key (and not running off making random changes in the hope of fixing things without telling us what you are doing!).

https://forums.koozali.org/index.php/topic,54724.0.html

The more you document things at the start, the easier and quicker it is to fix!!

Anyways, once again I am pleased we got it working, and well done.