Topic: Help please, certificate nightmare

[groutley]

Aditional note. Not sure if it makes a difference, SME is in ‘Server only’ mode

[ReetP]

Ok, more useful then thanks.

Server only - most of mine are so no issues there if you have forwarding set up correctly.

I'm out at the minute & back later. Will take a look then but the issue is accessing that URL which is what letsencrypt needs to do.

Make sure you've done signal-event webapps-update or post-upgrade/reboot so your httpd conf is expanded correctly.

[groutley]

I'm out at the minute & back later. Will take a look then but the issue is accessing that URL which is what letsencrypt needs to do.

Make sure you've done signal-event webapps-update or post-upgrade/reboot so your httpd conf is expanded correctly.

I have just run both
signal-event webapps-update
As well as
Signal-event post-upgrade; signal-event reboot

Just to be sure,but no change to the ‘Forbidden’ when trying the
http://192.168.37.251/.well-known/acme-challenge/

[Jean-Philippe Pialasse]

[root@l1nuxsvr ~]# grep www /etc/group
shared:x:500:admin,administrator,dani,groutley,jo,john,jowork,matt,mattorrents,music,public,sofia,torrents,www,zenphoto
www:x:102:admin,apache,www
thefam:x:5003:admin,dani,groutley,jo,matt,www
routley:x:5004:admin,dani,groutley,jo,matt,www
kids:x:5005:admin,dani,matt,www
parents:x:5014:admin,groutley,jo,www
mattonly:x:5021:admin,matt,mattorrents,www
danir:x:5024:admin,dani,groutley,jo,www
mattr:x:5025:admin,groutley,jo,matt,www

Not sure I follow the Bug to understand the concern.

no this is not this bug.  you have something else creating the 403 error.

check your httpd error log

[groutley]

check your httpd error log

[Wed Nov 22 05:03:53.723386 2023] [core:error] [pid 8516] [client 197.210.85.168:17201] AH00037: Symbolic link not allowed or link target not accessible: /home/e-smith/files/ibays/Primary
[Wed Nov 22 05:12:12.001911 2023] [core:error] [pid 8507] [client 67.217.57.54:40926] AH00037: Symbolic link not allowed or link target not accessible: /home/e-smith/files/ibays/Primary
[Wed Nov 22 05:16:18.993221 2023] [core:error] [pid 8513] [client 117.62.218.192:46226] AH00037: Symbolic link not allowed or link target not accessible: /home/e-smith/files/ibays/Primary, referer: https://easyseo.s-nac.com
[Wed Nov 22 05:40:37.975857 2023] [core:error] [pid 8511] [client 207.246.109.61:59348] AH00037: Symbolic link not allowed or link target not accessible: /home/e-smith/files/ibays/Primary, referer: www.google.com
[Wed Nov 22 05:51:00.732684 2023] [core:error] [pid 8510] [client 192.168.38.49:56374] AH00037: Symbolic link not allowed or link target not accessible: /home/e-smith/files/ibays/Primary


Ok.. so yes, I have my ibays on a separate RAID array to the system /boot SSD.
And history of the server is I replaced the boot drive with an SSD and clean installed SME10 on it and then added the RAID array and pointed the ibays to that, as I was unable to ‘upgrade’ from the previous SME8.
Is there something I need to do to fix the symlink permission?


root@l1nuxsvr ibays]# cd /home/e-smith/files/ibays/
[root@l1nuxsvr ibays]# ls -la
total 0
drwxr-xr-x. 7 root root 112 Apr  2  2023 .
drwxr-xr-x. 8 root root  98 Feb  1  2013 ..
drwxr-xr-x  6 root root  67 Oct 24  2010 jowork
drwxr-xr-x  6 root root  67 Dec 24  2011 mattorrents
lrwxrwxrwx  1 root root  22 Oct 15  2021 music -> /mnt/music/ibays/music
lrwxrwxrwx  1 root root  23 Nov 14  2021 Primary -> /mnt/1TB/ibays/Primary/
drwxr-xr-x  6 root root  67 May 13  2014 sofia
drwxr-xr-x  6 root root  67 Feb 27  2011 torrents
drwxr-xr-x  6 root root  67 Feb  7  2013 zenphoto
[root@l1nuxsvr ibays]#

[ReetP]

[Wed Nov 22 05:12:12.001911 2023] [core:error] [pid 8507] [client 67.217.57.54:40926] AH00037: Symbolic link not allowed or link target not accessible: /home/e-smith/files/ibays/Primary

May well be it.

Ok.. so yes, I have my ibays on a separate RAID array to the system /boot SSD.
And history of the server is I replaced the boot drive with an SSD and clean installed SME10 on it and then added the RAID array and pointed the ibays to that, as I was unable to ‘upgrade’ from the previous SME8.
Is there something I need to do to fix the symlink permission?

Ah OK. Probably.

I have similar setups on most of my servers now but with no issues

Supply the output of the each of the following commands please:

Code: [Select]

cat /etc fstab
cat /etc/mtab
/sbin/e-smith/audittools/newrpm
/sbin/e-smith/audittools/templates


[groutley]

Supply the output of the each of the following commands please:

Code: [Select]

cat /etc fstab
cat /etc/mtab
/sbin/e-smith/audittools/newrpm
/sbin/e-smith/audittools/templates


cat /etc fstab

[root@l1nuxsvr ibays]# cat /etc/fstab
#------------------------------------------------------------
# BE CAREFUL WHEN MODIFYING THIS FILE! It is updated automatically
# by the SME server software. A few entries are updated during
# the template processing of the file and white space is removed,
# but otherwise changes to the file are preserved.
# For more information, see http://www.e-smith.org/custom/ and
# the template fragments in /etc/e-smith/templates/etc/fstab/.
#
# copyright (C) 2002 Mitel Networks Corporation
#------------------------------------------------------------
#
# /etc/fstab
# Created by anaconda on Sun Oct 24 23:03:39 2021
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(, mount( and/or blkid( for more info
#
UUID=f954c4cf-7717-406b-89b3-b8d2cf65f616 /                       xfs     uquota,gquota   0 0
UUID=13ca4949-b311-4803-b928-bc6393a4d939 /boot                   xfs     defaults        0 0
UUID=e12b6f25-fd55-4030-be94-a0689f50a96a /home                   xfs     defaults        0 0
UUID=fb0953e0-e59f-446c-8150-38fd05143966 swap                    swap    defaults        0 0
/dev/sdc1                                 /var/affa               ext3    usrquota,grpquota 1 0
/dev/sdd1                                 /mnt/music              ext3    usrquota,grpquota 1 0
/dev/md127                                /mnt/1TB                ext4    defaults        1 2
[root@l1nuxsvr ibays]#

cat /etc/mtab

root@l1nuxsvr ibays]# cat /etc/mtab
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
devtmpfs /dev devtmpfs rw,nosuid,size=4046676k,nr_inodes=1011669,mode=755 0 0
securityfs /sys/kernel/security securityfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
tmpfs /sys/fs/cgroup tmpfs ro,nosuid,nodev,noexec,mode=755 0 0
cgroup /sys/fs/cgroup/systemd cgroup rw,nosuid,nodev,noexec,relatime,xattr,release_agent=/usr/lib/systemd/systemd-cgroups-agent,name=systemd 0 0
pstore /sys/fs/pstore pstore rw,nosuid,nodev,noexec,relatime 0 0
cgroup /sys/fs/cgroup/pids cgroup rw,nosuid,nodev,noexec,relatime,pids 0 0
cgroup /sys/fs/cgroup/cpu,cpuacct cgroup rw,nosuid,nodev,noexec,relatime,cpuacct,cpu 0 0
cgroup /sys/fs/cgroup/hugetlb cgroup rw,nosuid,nodev,noexec,relatime,hugetlb 0 0
cgroup /sys/fs/cgroup/net_cls,net_prio cgroup rw,nosuid,nodev,noexec,relatime,net_prio,net_cls 0 0
cgroup /sys/fs/cgroup/cpuset cgroup rw,nosuid,nodev,noexec,relatime,cpuset 0 0
cgroup /sys/fs/cgroup/perf_event cgroup rw,nosuid,nodev,noexec,relatime,perf_event 0 0
cgroup /sys/fs/cgroup/memory cgroup rw,nosuid,nodev,noexec,relatime,memory 0 0
cgroup /sys/fs/cgroup/blkio cgroup rw,nosuid,nodev,noexec,relatime,blkio 0 0
cgroup /sys/fs/cgroup/freezer cgroup rw,nosuid,nodev,noexec,relatime,freezer 0 0
cgroup /sys/fs/cgroup/devices cgroup rw,nosuid,nodev,noexec,relatime,devices 0 0
configfs /sys/kernel/config configfs rw,relatime 0 0
/dev/sda3 / xfs rw,relatime,attr2,inode64,usrquota,prjquota 0 0
debugfs /sys/kernel/debug debugfs rw,relatime 0 0
systemd-1 /proc/sys/fs/binfmt_misc autofs rw,relatime,fd=31,pgrp=1,timeout=0,minproto=5,maxproto=5,direct,pipe_ino=12731 0 0
hugetlbfs /dev/hugepages hugetlbfs rw,relatime 0 0
mqueue /dev/mqueue mqueue rw,relatime 0 0
nfsd /proc/fs/nfsd nfsd rw,relatime 0 0
/dev/sda1 /boot xfs rw,relatime,attr2,inode64,noquota 0 0
/dev/sda5 /home xfs rw,relatime,attr2,inode64,noquota 0 0
/dev/sdc1 /var/affa ext3 rw,relatime,quota,usrquota,grpquota,data=ordered 0 0
/dev/sdd1 /mnt/music ext3 rw,relatime,quota,usrquota,grpquota,data=ordered 0 0
/dev/md127 /mnt/1TB ext4 rw,relatime,data=ordered 0 0
sunrpc /var/lib/nfs/rpc_pipefs rpc_pipefs rw,relatime 0 0
fusectl /sys/fs/fuse/connections fusectl rw,relatime 0 0
tmpfs /run/user/0 tmpfs rw,nosuid,nodev,relatime,size=811156k,mode=700 0 0
[root@l1nuxsvr ibays]#

/sbin/e-smith/audittools/newrpm

root@l1nuxsvr audittools]# /sbin/e-smith/audittools/newrpms
Loaded plugins: fastestmirror, post-transaction-actions, priorities, smeserver
Loading mirror speeds from cached hostfile
 * base: ftp.swin.edu.au
 * smeaddons: ibsgaarden.dk
 * smeos: ibsgaarden.dk
 * smeupdates: ibsgaarden.dk
 * updates: ftp.swin.edu.au
Extra Packages
GeoIP.x86_64                    1.6.12-9.el7.sme        @smecontribs           
GeoIP-GeoLite-data.noarch       2018.06-7.el7.sme       @smecontribs           
GeoIP-GeoLite-data-extra.noarch 2018.06-7.el7.sme       @smecontribs           
fail2ban-sendmail.noarch        0.11.2-3.el7            @smecontribs           
fail2ban-server.noarch          0.11.2-3.el7            @smecontribs           
hddtemp.x86_64                  0.3-0.31.beta15.el7     @smecontribs           
kmod-r8168.x86_64               8.049.02-1.el7_9.elrepo @/kmod-r8168-8.049.02-1.el7_9.elrepo.x86_64
linux_logo.x86_64               5.11-7.el7              @smecontribs           
openvpn.x86_64                  2.4.12-1.el7            @smecontribs           
perl-Data-Validate-IP.noarch    0.27-13.el7             @smecontribs           
phpMyAdmin.noarch               5.1.0-1.el7.sme         @smecontribs           
phpki-ng.noarch                 0.84-16.el7.sme         @smecontribs           
pkcs11-helper.x86_64            1.11-3.el7              @smecontribs           
smeserver-certificate.noarch    0.0.4-13.el7.sme        @smecontribs           
smeserver-dovecot-extras.noarch 0.1.6-8.el7.sme         @smecontribs           
smeserver-fail2ban.noarch       9:0.1.18-30.el7.sme     @smecontribs           
smeserver-hwinfo.noarch         1.2-5.el7.sme           @smecontribs           
smeserver-learn.noarch          1.0-16.el7.sme          @smecontribs           
smeserver-phpki-ng.noarch       0.3-22.el7.sme          @smecontribs           
smeserver-phpmyadmin.noarch     4.0.10.2-13.el7.sme     @smecontribs           
smeserver-pxe.noarch            0.1-4.el7.sme           @smecontribs           
smeserver-smeadmin.noarch       1.6-10.el7.sme          @smecontribs           
smeserver-tftp-server.noarch    1.2-12.el7.sme          @smecontribs           
smeserver-thinclient.noarch     2.2-3.el7.sme           @smecontribs           
[root@l1nuxsvr audittools]#

/sbin/e-smith/audittools/templates

root@l1nuxsvr audittools]# /sbin/e-smith/audittools/templates
/etc/e-smith/templates-custom/etc/yum.conf/10main_installonlypkgs: MANUALLY_ADDED, ADDITION
/etc/e-smith/templates-custom/etc/rc.d/init.d/masq/40DenyMulticast: MANUALLY_ADDED, OVERRIDE
/etc/e-smith/templates-custom/etc/hosts.allow/sshd: MANUALLY_ADDED, OVERRIDE
/etc/e-smith/templates-custom/etc/sysconfig/syslog/90AllowRemoteSyslog: MANUALLY_ADDED, ADDITION
/etc/e-smith/templates-custom/etc/resolv.conf/10domain: MANUALLY_ADDED, OVERRIDE
/etc/e-smith/templates-custom/etc/resolv.conf/30timeout: MANUALLY_ADDED, OVERRIDE
/etc/e-smith/templates-custom/etc/resolv.conf/25nameserver: MANUALLY_ADDED, OVERRIDE
[root@l1nuxsvr audittools]#

[ReetP]

OK - thanks and well done.

Well amongst other questionable bits in there (templates?) I think the symlinks are the issue.

Here's my fstab. The old ibays are on vdb3 and it is not a RAID array as this is a Proxmox VM. But the same principle applies.

Need to lose your symlinks and then mount the old dirs into the file structure.

/

Code: [Select]

# My root LVM
/dev/mapper/main-root   /                       xfs     uquota,gquota        0 0
UUID=b143846e-27a4-4b7a-b07c-05c8cd55fa10 /boot                   xfs     defaults        0 0
#My swap
/dev/mapper/main-swap   swap                    swap    defaults        0 0
#BLKID for the partition
UUID=85d40fa6-8e7b-41b4-be8c-566813997c82 /mnt/vdb3 ext4 defaults 0 0
# Mount the dirs to the right place.
/mnt/vdb3/home/e-smith/files/ibays /home/e-smith/files/ibays ext4 bind,uquota,gquota,noatime 0 0
/mnt/vdb3/home/e-smith/files/users /home/e-smith/files/users ext4 bind,uquota,gquota,noatime 0 0

You might need something a bit different at the BLKID part. JP will probably fill in some more.

[Jean-Philippe Pialasse]

symlink are the issue. 
the lig says it.

if you want to point your ibay to another drive you need to use mount and fstab.
symlink are ddactivated cor security reason in most web orientes services. eg httpd and proftpd. you can enable them in specific situations knowing the risk, but what you do has two secure alternatives

- mount disk to /home/e-smith/files/ibays
- mount diak elsewhare then mount bind every folder needed to an ibay path

[groutley]

Thank you to you both!

I have progressed !
I made a mess of the stab a few times and SME would only boot to recovery mode,
but looks like I got it right finally, however now I have to move a lot of the bay data as it has ended up nested
i.e. /home/e-smith/files/ibays/ibays/xxx
So I have fixed the Primary bay, and....

Code: [Select]

[root@l1nuxsvr ~]# dehydrated -c
# INFO: Using main config file /etc/dehydrated/config
Processing routley.homeip.net with alternative names: www.routley.homeip.net
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 2 authorizations URLs from the CA
 + Handling authorization for www.routley.homeip.net
 + Handling authorization for routley.homeip.net
 + 2 pending challenge(s)
 + Deploying challenge tokens...
 + Responding to challenge for www.routley.homeip.net authorization...
 + Challenge is valid!
 + Responding to challenge for routley.homeip.net authorization...
 + Challenge is valid!
 + Cleaning challenge tokens...
 + Requesting certificate...
 + Order is processing...
 + Checking certificate...
 + Done!
 + Creating fullchain.pem...
Set up modSSL db keys
Signal events
All complete
 + Done!
Now to make it live !!
  Stay tuned....

[groutley]

Looking good !
 in Production mode, and reconfiguring email clients to remove the 'smtp and mail.' addresses and replace with 'www.'
once done email starts flowing

I still have a lot of file moving to sort out the ibays, but that I can manage.

I do need to work out how I will manage 2 different servers using lets encrypt, and how I port forward to both, but that is another challenge.
Thank you so much for your patience and assistance.
 

[ReetP]

Looking good !
 in Production mode, and reconfiguring email clients to remove the 'smtp and mail.' addresses and replace with 'www.'
once done email starts flowing

Cool.

So setup/add your smtp/imap hosts correctly and get certificates for them as well.

Same drill. Add them, console-save then dehydrated -c -x to force renewal.

I do need to work out how I will manage 2 different servers using lets encrypt, and how I port forward to both, but that is another challenge.

That is trickier. Letsencrypt will only contact 80 or 443 and you can only run one server on each port. (There are some fancier methods but we do not manage them)

So you might have to get all the certificates for hosts/domains that you require on your SME and then use a hook script to copy the certificates to the other server.

There are basic templates there which you can add too.

Look in /etc/e-smith/templates/usr/bin/hook-script.sh

Add your own in:

/etc/e-smith/templates-custom/usr/bin/hook-script.sh

Here's one of my templates - I have media.mydomain.com running on 8440 and ubiquiti.mydomain.com on 8441

Code: [Select]

{
# Probably not required but I was faffing and testing
    use strict;
    use warnings;
    use esmith::ConfigDB;

    my $configDB = esmith::ConfigDB->open_ro or die("can't open Config DB");
    my $letsencryptStatus = $configDB->get_prop( 'letsencrypt', 'status' ) || 'disabled';
# To here

# For Testing
#    $OUT .= "    echo \"\$2 certificate renewal\\n 1 \$1 3 \$3 4 \$4 5 \$5 6 \$6\" | mail -s \"Certificate renewals\" admin\@impamark.com\n\n";

# Notes from here https://gist.github.com/jrotello/18ab3e1982d46b04a269dfbc63aa097f
# https://www.werts.nl/ssl-certificate-installation-on-the-ubiquiti-unifi-controller-linux/

    if ( $letsencryptStatus ne 'disabled' ) {

        $OUT .=<<'_EOF';


    if [ $1 = "deploy_cert" ]; then
            KEY=$3
            CERT=$4
            CHAIN=$6
            scp -P 22 $CERT root@192.168.10.191://etc/dehydrated/certs/mydomain.net/cert.pem
            scp -P 22 $KEY root@192.168.10.191://etc/dehydrated/certs/mydomain.net/privkey.pem
            scp -P 22 $CHAIN root@192.168.10.191://etc/dehydrated/certs/mydomain.net/chain.pem
            scp -P 22 /etc/dehydrated/certs/mydomain.net/fullchain.pem root@192.168.10.191:/etc/dehydrated/certs/mydomain.net/fullchain.pem
            ssh -p 22 root@192.168.10.191 "/usr/bin/systemctl restart jellyfin"
            ssh -p 22 root@192.168.10.191 "/root/scripts/unifi_ssl_import.sh"

            echo "ubuntu-media  $2 certificate renewed\n 1 $1 3 $3 4 $4 5 $5 6 $6" | mail -s "Certificate renewal ubuntu-media" admin@mydomain.net
    fi

_EOF
    }
}


[groutley]

Thanks for that info..
 I’ll dable with the hook-script later..
 For now I tried adding the additional hosts mail and smtp ,
It took mail, but for some reason will not add smtp?

Code: [Select]

root@l1nuxsvr ~]# cat /etc/dehydrated/domains.txt
routley.homeip.net mail.routley.homeip.net www.routley.homeip.net
[root@l1nuxsvr ~]# db hosts setprop smtp.routley.homeip.net letsencryptSSLcert enabled
[root@l1nuxsvr ~]# signal-event console-save
[root@l1nuxsvr ~]# cat /etc/dehydrated/domains.txt
routley.homeip.net mail.routley.homeip.net www.routley.homeip.net
[root@l1nuxsvr ~]#
Of course when I ran dehydrated -c -x it generated the new cert only adding mail. To it..

[ReetP]

First, smtp. Check your spelling of the letsencryptssl key (and your message log)

Second, there is a reason for test mode.... Don't get rate limited.

[groutley]

Second, there is a reason for test mode.... Don't get rate limited.

Good point! Thank you,  I’ll check the logs