Koozali.org: home of the SME Server
Contribs.org Forums => Koozali SME Server 10.x => Topic started by: toothandnail on February 17, 2022, 10:13:05 PM
-
I've been having problems with LetsEncrypt not being presented on anything other than port 443. While trying to solve that problem, I've hit another on one SME 10 system. This one has been in service for quite a while - started life as an SME 7.2 system and has been migrated through several hardware changes as well as upgraded through different SME versions.
I was about to remove the LetsEncrypt setup completely, then reinstall it to see if I could solve the ongoing certificate problem when I discovered that the self-signed certificate was being renewed every 24 hours. No changes have been made to the templates in that area (I had a look at the Wiki item on changing the expiry date), and in each instance, the certificate was being renewed for a full year. The time stamp on the certificate was around 03:40 each night.
Since I wasn't sure whether this was connected to the problems I'm having with the LetsEncrypt certificates (see https://forums.koozali.org/index.php/topic,54761.0.html), I removed LetsEncrypt and regenerated the self-signed certificate. After doing so, I found that the newly generated certificate was also being renewed every 24 hours. I then moved the conf-mod_ssl script out of /etc/cron.daily, which stopped the constant renewal, at least until there was an upgrade and I did a signal-event post-upgrade; signal-event reboot, which caused the certificate to be renewed again.
I've currently no idea what is causing this renewal, and I can't leave the daily check of the certificate disabled indefinitely. I'm hoping someone may know what I need to look at to find the source of the problem.
-
At a wild guess I'd say these are all related but nowhere near enough info to really know. Most likely a hangover/hack from v9.
Go back to basics. Fix one box first.
Bug report from server manager and then the output from:
/sbin/e-smith/audittools/
newrpms
templates
repositories
JP might have some more suggestions.
-
For both your original issue with Let's Encrypt and this one, an issue with templates-custom is highly probable.
Also, the self-signed certificate now includes all domains and the main server IP.
So every time you change a host or a domain of the server, the certificate will be renewed.
Every time the IP is updated on an interface where it is configured as static, it will be renewed.
Again, if the template/script is changing the certificate, this is because something changed or is not set right (e.g. a custom template). Please, rather than trying to work around things by randomly removing things, help us to help you and this time give the information John is requesting.
-
Thanks for the replies.
Here is the output from the server-manager bug report:
Configuration report created Fri 18 Feb 2022 07:51:06 AM GMT
==================
Base configuration
==================
SME server version: 10.0
SME server mode: servergateway
SME server previous mode: servergateway
Running Kernel: 3.10.0-1160.53.1.el7.x86_64
===========================
New RPMs not in base system
===========================
Loaded plugins: fastestmirror, post-transaction-actions, priorities, smeserver
Loading mirror speeds from cached hostfile
* base: uk.mirrors.clouvider.net
* smeaddons: mirror.pialasse.com
* smeos: mirror.pialasse.com
* smeupdates: mirror.pialasse.com
* updates: mirror.sov.uk.goscomb.net
Extra Packages
GeoIP.x86_64 1.6.12-9.el7.sme @smecontribs
GeoIP-GeoLite-data.noarch 2018.06-7.el7.sme @smecontribs
GeoIP-GeoLite-data-extra.noarch 2018.06-7.el7.sme @smecontribs
fail2ban-sendmail.noarch 0.11.2-3.el7 @smecontribs
fail2ban-server.noarch 0.11.2-3.el7 @smecontribs
libicu69.x86_64 69.1-2.el7.remi @remi-safe
mc.x86_64 1:4.8.23-1.1 installed
ncdu.x86_64 1.16-1.el7 @epel
perl-Data-Validate-IP.noarch 0.27-13.el7 @smecontribs
php74-php.x86_64 7.4.28-1.el7.remi @remi-safe
php74-php-bcmath.x86_64 7.4.28-1.el7.remi @remi-safe
php74-php-cli.x86_64 7.4.28-1.el7.remi @remi-safe
php74-php-common.x86_64 7.4.28-1.el7.remi @remi-safe
php74-php-enchant.x86_64 7.4.28-1.el7.remi @remi-safe
php74-php-fpm.x86_64 7.4.28-1.el7.remi @remi-safe
php74-php-gd.x86_64 7.4.28-1.el7.remi @remi-safe
php74-php-imap.x86_64 7.4.28-1.el7.remi @remi-safe
php74-php-intl.x86_64 7.4.28-1.el7.remi @remi-safe
php74-php-json.x86_64 7.4.28-1.el7.remi @remi-safe
php74-php-ldap.x86_64 7.4.28-1.el7.remi @remi-safe
php74-php-mbstring.x86_64 7.4.28-1.el7.remi @remi-safe
php74-php-mysqlnd.x86_64 7.4.28-1.el7.remi @remi-safe
php74-php-opcache.x86_64 7.4.28-1.el7.remi @remi-safe
php74-php-pdo.x86_64 7.4.28-1.el7.remi @remi-safe
php74-php-process.x86_64 7.4.28-1.el7.remi @remi-safe
php74-php-snmp.x86_64 7.4.28-1.el7.remi @remi-safe
php74-php-soap.x86_64 7.4.28-1.el7.remi @remi-safe
php74-php-sodium.x86_64 7.4.28-1.el7.remi @remi-safe
php74-php-tidy.x86_64 7.4.28-1.el7.remi @remi-safe
php74-php-xml.x86_64 7.4.28-1.el7.remi @remi-safe
php74-php-xmlrpc.x86_64 7.4.28-1.el7.remi @remi-safe
php80-php.x86_64 8.0.16-1.el7.remi @remi-safe
php80-php-bcmath.x86_64 8.0.16-1.el7.remi @remi-safe
php80-php-cli.x86_64 8.0.16-1.el7.remi @remi-safe
php80-php-common.x86_64 8.0.16-1.el7.remi @remi-safe
php80-php-enchant.x86_64 8.0.16-1.el7.remi @remi-safe
php80-php-fpm.x86_64 8.0.16-1.el7.remi @remi-safe
php80-php-gd.x86_64 8.0.16-1.el7.remi @remi-safe
php80-php-imap.x86_64 8.0.16-1.el7.remi @remi-safe
php80-php-intl.x86_64 8.0.16-1.el7.remi @remi-safe
php80-php-ldap.x86_64 8.0.16-1.el7.remi @remi-safe
php80-php-mbstring.x86_64 8.0.16-1.el7.remi @remi-safe
php80-php-mysqlnd.x86_64 8.0.16-1.el7.remi @remi-safe
php80-php-opcache.x86_64 8.0.16-1.el7.remi @remi-safe
php80-php-pdo.x86_64 8.0.16-1.el7.remi @remi-safe
php80-php-process.x86_64 8.0.16-1.el7.remi @remi-safe
php80-php-snmp.x86_64 8.0.16-1.el7.remi @remi-safe
php80-php-soap.x86_64 8.0.16-1.el7.remi @remi-safe
php80-php-sodium.x86_64 8.0.16-1.el7.remi @remi-safe
php80-php-tidy.x86_64 8.0.16-1.el7.remi @remi-safe
php80-php-xml.x86_64 8.0.16-1.el7.remi @remi-safe
php81-php.x86_64 8.1.3-1.el7.remi @remi-safe
php81-php-bcmath.x86_64 8.1.3-1.el7.remi @remi-safe
php81-php-cli.x86_64 8.1.3-1.el7.remi @remi-safe
php81-php-common.x86_64 8.1.3-1.el7.remi @remi-safe
php81-php-enchant.x86_64 8.1.3-1.el7.remi @remi-safe
php81-php-fpm.x86_64 8.1.3-1.el7.remi @remi-safe
php81-php-gd.x86_64 8.1.3-1.el7.remi @remi-safe
php81-php-imap.x86_64 8.1.3-1.el7.remi @remi-safe
php81-php-intl.x86_64 8.1.3-1.el7.remi @remi-safe
php81-php-ldap.x86_64 8.1.3-1.el7.remi @remi-safe
php81-php-mbstring.x86_64 8.1.3-1.el7.remi @remi-safe
php81-php-mysqlnd.x86_64 8.1.3-1.el7.remi @remi-safe
php81-php-opcache.x86_64 8.1.3-1.el7.remi @remi-safe
php81-php-pdo.x86_64 8.1.3-1.el7.remi @remi-safe
php81-php-pear.noarch 1:1.10.13-1.el7.remi @remi-safe
php81-php-pecl-xmlrpc.x86_64 1.0.0~rc3-1.el7.remi @remi-safe
php81-php-pecl-zip.x86_64 1.20.0-1.el7.remi @remi-safe
php81-php-process.x86_64 8.1.3-1.el7.remi @remi-safe
php81-php-snmp.x86_64 8.1.3-1.el7.remi @remi-safe
php81-php-soap.x86_64 8.1.3-1.el7.remi @remi-safe
php81-php-sodium.x86_64 8.1.3-1.el7.remi @remi-safe
php81-php-tidy.x86_64 8.1.3-1.el7.remi @remi-safe
php81-php-xml.x86_64 8.1.3-1.el7.remi @remi-safe
php81-runtime.x86_64 8.1-1.el7.remi @remi-safe
smeserver-dhcp-dns.noarch 1.2.0-5.el7.sme @smecontribs
smeserver-dhcpmanager.noarch 2.0.4-12.el7.sme @smecontribs
smeserver-fail2ban.noarch 9:0.1.18-25.el7.sme @smecontribs
smeserver-qmHandle.noarch 1.4-16.el7.sme @smecontribs
smeserver-userpanel.noarch 1.4-3.el7.sme @smecontribs
smeserver-vacation.noarch 1.1-33.el7.sme @smecontribs
smeserver-wsdd.noarch 0.2-5.el7.sme @smecontribs
synbak.noarch 3.6-1 installed
wsdd.noarch 0.7.0-1.el7 @smecontribs
===========================
Custom and modified templates
===========================
/etc/e-smith/templates-custom/etc/ups/upsd.users/admin: MANUALLY_ADDED, ADDITION
/etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/VirtualHosts40ACME: MANUALLY_ADDED, ADDITION
/etc/e-smith/templates-custom/etc/crontab/synbak: MANUALLY_ADDED, ADDITION
===========================
Modified events
===========================
=======================
Additional repositories
=======================
base: enabled
centosplus: disabled
epel: disabled
extras: disabled
fasttrack: disabled
fws: disabled
nethsme: disabled
remi-safe: enabled
sme7contribs: disabled
smeaddons: enabled
smecontribs: disabled
smedev: disabled
smeextras: enabled
smeos: enabled
smetest: disabled
smeupdates: enabled
smeupdates-testing: disabled
sogo: disabled
stephdl: disabled
updates: enabled
DONE!
I've not added the output from newrpms, templates or repositories since the server-manager bug report seems to include everything they produce. I can if needed.
There haven't been any recent changes made to a host or a domain on the server. They've remained static since well before the upgrade to SME 10. No changes to IPs on any of the interfaces set as static either. The upgrade was done using the migratehelper script, but with both files and mail rsynced in as a separate operation.
-
OK, you are in server gateway. Bearing in mind JP's comments, how is the IP set on the WAN interface? DHCP or static?
Check your logs to see what occurs at the time the certificates are generated - you will see a trigger. What is it?
Next, I would rid yourself of these as you are not using them, to save confusion:
fws: disabled
sme7contribs: disabled
nethsme: disabled
sogo: disabled
stephdl: disabled
Then remove this and any other dehydrated detritus:
/etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/VirtualHosts40ACME: MANUALLY_ADDED, ADDITION
Then install smeserver-dehydrated, run it in test mode and get your certificates right.
You are far less likely to have mistakes with a contrib.
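JP's point above is that the self-signed certificate now carries every host, domain and the main server IP, so a nightly renewal is expected only when that set changes; John's advice is to find out what actually triggered each renewal. The script below, an added example and not SME Server's own code, compares the subjectAltName set of two successive certificates (text as printed by `openssl x509 -in cert.pem -noout -ext subjectAltName`) and says whether the renewal is explained by an IP or host/domain change or whether the daily script and custom templates are the place to look. The sample SAN text and host names are constructed.

```python
"""Classify a nightly self-signed certificate renewal on SME Server by diffing
the Subject Alternative Name set of the old and new certificate.
Added example (not SME Server code). Input is the text printed by
`openssl x509 -in cert.pem -noout -ext subjectAltName` for each certificate."""
import re

# Constructed sample output for two successive nightly certificates; here only
# the server IP changed, which is what a DHCP WAN lease change would look like.
SAN_NIGHT1 = """X509v3 Subject Alternative Name:
    DNS:sme.example.test, DNS:www.example.test, DNS:mail.example.test, IP Address:192.0.2.10
"""
SAN_NIGHT2 = """X509v3 Subject Alternative Name:
    DNS:sme.example.test, DNS:www.example.test, DNS:mail.example.test, IP Address:192.0.2.11
"""


def parse_san(text):
    """Return {'dns': set(), 'ip': set()} from openssl's subjectAltName text."""
    dns, ips = set(), set()
    for m in re.finditer(r"(DNS|IP Address):([^,\s]+)", text):
        (dns if m.group(1) == "DNS" else ips).add(m.group(2))
    return {"dns": dns, "ip": ips}


def san_diff(old_text, new_text):
    """Describe what changed between two SAN sets; an empty dict means no change."""
    old, new = parse_san(old_text), parse_san(new_text)
    changes = {}
    for kind in ("dns", "ip"):
        added, removed = new[kind] - old[kind], old[kind] - new[kind]
        if added or removed:
            changes[kind] = {"added": sorted(added), "removed": sorted(removed)}
    return changes


def classify_renewal(old_text, new_text):
    """Point the admin at the likely trigger: an IP-only change suggests the WAN
    interface (DHCP vs static), a DNS change a host/domain edit, and an identical
    SAN set means the cron.daily script or a custom template re-issued the cert
    for some other reason."""
    changes = san_diff(old_text, new_text)
    if not changes:
        return "unchanged-san: check templates-custom and the cron.daily conf-mod_ssl script"
    if "ip" in changes and "dns" not in changes:
        return "ip-change: server IP changed %s - check how the WAN IP is set" % changes["ip"]
    return "host-or-domain-change: %s" % changes


if __name__ == "__main__":
    print(classify_renewal(SAN_NIGHT1, SAN_NIGHT2))
```

Keep a dated copy of the SAN text each night (e.g. from cron right after 03:40) and feed consecutive pairs to `classify_renewal` until the trigger is identified.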