testing eFa v4 Release Candidate 2

Posted: 30 Jan 2019 14:11
by henk
Just did the new build from scratch. After 15 minutes, ready to log in :clap:

Had some minor issues. Could be related to NOT using IPv6 and using recursion. All the major issues are solved :clap: :violin:

The /etc/postfix/sender_canonical contained a malformed mail address.

I will mention the changes made, as not all changes are required to be up and running (IPv6 disabled version).
The lines with a # are the original values after running the EFA-Init/Configure.

1. EFA-Init

enable IPv6 DNS: only Y will continue (I use no IPv6)

/etc/eFa/eFa-Config
CONFIGURED:YES
HOSTNAME:sansspam
DOMAINNAME:test.lan
IPV4ADDRESS:172.16.1.15
IPV6ADDRESS:
DNSIP1:
DNSIP2:
RECURSION:ENABLED
INTERFACE:eth0
IPV4NETMASK:255.255.0.0
IPV4GATEWAY:172.16.1.1
IPV6MASK:
IPV6GATEWAY:
TZONE:Europe/Amsterdam
IANA:nl
ORGNAME:kaaskoppen.nl
MAILSERVER:127.0.0.1
ADMINEMAIL:adminuser@test.lan
ISUTC:true
#IPV6DNS:yes
IPV6DNS:no

/var/log/messages
Jan 30 12:20:29 unbound: [5360:0] error: can't bind socket: Permission denied for ::
Jan 30 12:20:29 unbound: [5360:0] error: can't bind socket: Permission denied for ::

Since unbound needs to be configured per installation, at least disable IPv6 when the EFA-Init "enable IPv6" answer is no.

/etc/unbound/conf.d/unbound.conf
do-ip4: yes
do-ip6: no

2. /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
#::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
172.16.1.15 sansspam.test.lan sansspam

3. /etc/sysconfig/network-scripts/ifcfg-eth0

# Generated by parse-kickstart
#IPV6INIT=yes
IPV6INIT=no
IPV6_AUTOCONF=no
#IPV6_AUTOCONF=yes
BOOTPROTO="none"
DEVICE=eth0
ONBOOT=yes
UUID=xxxx
TYPE=Ethernet
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
#IPV6_DEFROUTE=yes
#IPV6_PEERDNS=yes
#IPV6_PEERROUTES=yes
NAME=eth0
#NAME="System eth0"
IPADDR="172.16.1.15"
NETMASK="255.255.0.0"
GATEWAY="172.16.1.1"
DNS1="127.0.0.1"
#DNS2="::1"
ZONE=public

4. The ifname.bak is still present; removed it.
# ls -l
total 236
-rw-------. 1 root root 444 Jan 30 12:33 ifcfg-eth0
-rw-r--r--. 1 root root 408 Jan 30 12:04 ifcfg-eth0.bak

5. /etc/sysconfig/network

# Created by anaconda and modified by henk
NETWORKING_IPV6=no
IPV6INIT=no
IPV6_AUTOCONF=no
DHCPV6=no
IPV6FORWARDING=no

6. /etc/dovecot/dovecot.conf

# A comma separated list of IPs or hosts where to listen in for connections.
# "*" listens in all IPv4 interfaces, "::" listens in all IPv6 interfaces.
# If you want to specify non-default ports or anything more complex,
# edit conf.d/master.conf.
#listen = *, ::
listen = *

7. /etc/postfix/main.cf

# Enable IPv4, and IPv6 if supported
#inet_protocols = ipv4, ipv6
inet_protocols = ipv4

#mynetworks = 127.0.0.0/8 [::1]/128
mynetworks = 127.0.0.0/8

#qmqpd_authorized_clients = 127.0.0.1 [::1]
qmqpd_authorized_clients = 127.0.0.1

/etc/postfix/header_checks

/^Received:\ from\ sansspam.test.lan\ \(localhost\ \[127.0.0.1/ IGNORE
#/^Received:\ from\ sansspam.test.lan\ \(localhost\ \[::1/ IGNORE

/etc/postfix/sender_canonical

#root@test.lan root@sansspamtest.lan <<<<<<<<<<<<<<<<<<<<<<
root@test.lan adminuser@test.lan

postmap /etc/postfix/header_checks
postmap /etc/postfix/sender_canonical


/etc/sysctl.d/disableipv6.conf
# Ensure IPv6 is disabled
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv6.conf.eth0.disable_ipv6 = 1
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.all.accept_redirects = 0

sysctl -p

/etc/sysconfig/chronyd

# Command-line options for chronyd
#OPTIONS=""
OPTIONS="-4"

SSH
/etc/ssh/ssh_config
# ssh_config(5) man page.

AddressFamily inet
# Host

/etc/ssh/sshd_config
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

AddressFamily inet
ListenAddress 0.0.0.0

/etc/httpd/conf/httpd.conf

#Listen 12.34.56.78:80
#Listen 80
Listen 0.0.0.0:80
#

whereis mysqltuner
mysqltuner: /usr/sbin/mysqltuner.pl

So you need to start it including the path: /usr/sbin/mysqltuner.pl
Create a link to it?
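As an added example (not eFa's own code), a small POSIX sh check that cross-reads the files edited above: it confirms unbound, Postfix and sender_canonical agree with the IPv6-off answers in /etc/eFa/eFa-Config, and it flags the malformed sender_canonical entry. It assumes a rewritten sender address should end in DOMAINNAME or HOSTNAME.DOMAINNAME from eFa-Config; the file paths are the ones named in the post.

```shell
#!/bin/sh
# Added example, not part of eFa. Cross-checks the IPv6-off edits against eFa-Config.
# Assumption: a sender_canonical target must end in DOMAINNAME or HOSTNAME.DOMAINNAME.

# Value of KEY from a "KEY:VALUE" file such as /etc/eFa/eFa-Config (commented lines are skipped).
efa_cfg_get() {
  sed -n "s/^$2:\(.*\)$/\1/p" "$1" | tail -n 1
}

# Arguments: eFa-Config unbound.conf main.cf sender_canonical
# Prints one "file: problem" line per finding and returns 1 if anything was found.
check_ipv6_off() {
  cfg=$1 unbound=$2 maincf=$3 canonical=$4 rc=0
  host=$(efa_cfg_get "$cfg" HOSTNAME)
  domain=$(efa_cfg_get "$cfg" DOMAINNAME)

  # eFa-Init answered "no" to IPv6 DNS: unbound must not bind :: (the EPERM seen in /var/log/messages)
  if [ "$(efa_cfg_get "$cfg" IPV6DNS)" = "no" ]; then
    if ! grep -Eq '^[[:space:]]*do-ip6:[[:space:]]*no' "$unbound"; then
      echo "$unbound: do-ip6 is not set to no"; rc=1
    fi
  fi

  # No IPv6 address configured: Postfix should neither speak IPv6 nor trust ::1
  if [ -z "$(efa_cfg_get "$cfg" IPV6ADDRESS)" ]; then
    if ! grep -Eq '^inet_protocols[[:space:]]*=[[:space:]]*ipv4[[:space:]]*$' "$maincf"; then
      echo "$maincf: inet_protocols still allows ipv6"; rc=1
    fi
    if grep -Eq '^(mynetworks|qmqpd_authorized_clients)[[:space:]]*=.*::1' "$maincf"; then
      echo "$maincf: ::1 still listed in mynetworks/qmqpd_authorized_clients"; rc=1
    fi
  fi

  # sender_canonical: the rewritten address must belong to this host's domain, so a
  # target like root@sansspamtest.lan (hostname and domain run together) is reported
  while read -r key value; do
    [ -n "$value" ] || continue
    case "$value" in
      *@"$domain"|*@"$host.$domain") ;;
      *) echo "$canonical: $key -> $value is outside $domain"; rc=1 ;;
    esac
  done <<EOF
$(grep -Ev '^[[:space:]]*(#|$)' "$canonical" || true)
EOF
  return "$rc"
}

# On a live box: check_ipv6_off /etc/eFa/eFa-Config /etc/unbound/conf.d/unbound.conf \
#                  /etc/postfix/main.cf /etc/postfix/sender_canonical
if [ "$#" -eq 4 ]; then check_ipv6_off "$@"; fi
```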

Re: testing eFa v4 Release Candidate 2

Posted: 30 Jan 2019 16:09
by shawniverson
@henk

Working on more fixes.

Why are you so intent on trying to remove all ipv6 bindings and disabling it at the kernel and interface levels?

Re: testing eFa v4 Release Candidate 2

Posted: 30 Jan 2019 19:55
by henk
I guess it's my nature. As I disabled IPv6 in my entire internal network on every server, it doesn't make sense for a process to listen on IPv6.
On top of that, I like to understand things (a bit), just like SELinux. I always disabled it due to the lack of understanding. :shhh:
As SELinux is enabled and I know how to solve SELinux related errors, with some great advice, that was OK.

Maybe I should be less stubborn and let Efa4 be the first server to have IPV6 enabled, a bit. :roll:

Re: testing eFa v4 Release Candidate 2

Posted: 31 Jan 2019 13:02
by Glaster
Hi,
I successfully installed EFA 4 RC 2, but after login to the web GUI, I see the error message:

Cannot open MailScanner configuration file

see attachment

Re: testing eFa v4 Release Candidate 2

Posted: 31 Jan 2019 13:20
by shawniverson
@Glaster

What method did you use to build?

Re: testing eFa v4 Release Candidate 2

Posted: 01 Feb 2019 09:56
by Glaster
Hi,
I use: Building using github clone for development

thanks

Re: testing eFa v4 Release Candidate 2

Posted: 01 Feb 2019 16:07
by Alleyviper
Hi,

Let's not encrypt ;)

Would you like to  Enable  Let's Encrypt? [y/n/c]
y
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Error while running apachectl configtest.

AH00526: Syntax error on line 213 of /etc/httpd/conf.d/ssl.conf:
SSLCertificateFile takes one argument, SSL Server Certificate file ('/path/to/file' - PEM or DER encoded)

The apache plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError("Error while running apachectl configtest.\n\nAH00526: Syntax error on line 213 of /etc/httpd/conf.d/ssl.conf:\nSSLCertificateFile takes one argument, SSL Server Certificate file ('/path/to/file' - PEM or DER encoded)\n",)
Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.

Let's Encrypt has been enabled

Re: testing eFa v4 Release Candidate 2

Posted: 01 Feb 2019 22:37
by shawniverson
@Alleyviper

Can you share what that line 213 looks like (sanitized)? It sounds like certbot mangled the ssl.conf file, and I'd like to know why.

Also /var/log/letsencrypt/letsencrypt.log would be very helpful, if you can sanitize and share it.

Re: testing eFa v4 Release Candidate 2

Posted: 01 Feb 2019 22:49
by shawniverson
Glaster wrote:
01 Feb 2019 09:56
Hi,
I use: Building using github clone for development

thanks
Did you restart the environment after building?

Re: testing eFa v4 Release Candidate 2

Posted: 04 Feb 2019 09:50
by Glaster
shawniverson wrote:
01 Feb 2019 22:49
Did you restart the environment after building?
restart done several times, but the problem persists

Re: testing eFa v4 Release Candidate 2

Posted: 04 Feb 2019 15:47
by henk
logs?

Re: testing eFa v4 Release Candidate 2

Posted: 10 Feb 2019 21:25
by Alleyviper
Hi there,

I've been working like crazy. Unfortunately my VPS data got lost, so I'm installing from scratch to see if Letsencrypt fails again.

See you later, today... :)

Re: testing eFa v4 Release Candidate 2

Posted: 10 Feb 2019 23:13
by Alleyviper
Hi there,

Now it works! :D The self-generated certificate remained after deploying letsencrypt. I had to restart Apache.

sudo service httpd restart
sudo service httpd status

First, deployed Letsencrypt:

[eFa] server.domain.tld

[eFa] If this is not correct, please update your Hostname and Domain Name within main menu #4.

[eFa] Please also make sure the name above is externally resolvabe before continuing.
[eFa] Please also make sure that TCP 80 and 443 is opened from the WAN to EFA.
[eFa] By continuing, you agree to the Terms Of Service for Let's Encrypt and EFF.


Would you like to  Enable  Let's Encrypt? [y/n/c]
y
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for server.domain.tld
Waiting for verification...
Cleaning up challenges
Resetting dropped connection: acme-v02.api.letsencrypt.org
Deploying Certificate to VirtualHost /etc/httpd/conf.d/ssl.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://server.domain.tld

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=server.domain.tld
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/server.domain.tld/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/server.domain.tld/privkey.pem
   Your cert will expire on 2019-05-11. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le


Let's Encrypt has been enabled

Press [Enter] key to continue...

[eFa] : 1
[user@server ~]$ sudo service httpd restart

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for user:
Redirecting to /bin/systemctl restart httpd.service
[user@server ~]$ sudo service httpd status
Redirecting to /bin/systemctl status httpd.service
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2019-02-10 23:03:57 WET; 6s ago
     Docs: man:httpd.service(8)
  Process: 18444 ExecReload=/usr/sbin/httpd $OPTIONS -k graceful (code=exited, status=0/SUCCESS)
 Main PID: 19072 (httpd)
   Status: "Started, listening on: port 443, port 80"
   CGroup: /system.slice/httpd.service
           ├─19072 /usr/sbin/httpd -DFOREGROUND
           ├─19073 /usr/sbin/httpd -DFOREGROUND
           ├─19074 /usr/sbin/httpd -DFOREGROUND
           ├─19075 /usr/sbin/httpd -DFOREGROUND
           ├─19076 /usr/sbin/httpd -DFOREGROUND
           └─19302 /usr/sbin/httpd -DFOREGROUND

Feb 10 23:03:57 server.domain.tld systemd[1]: Starting The Apache HTTP Server...
Feb 10 23:03:57 server.domain.tld httpd[19072]: Server configured, listening on: port 443, port 80
Feb 10 23:03:57 server.domain.tld systemd[1]: Started The Apache HTTP Server.
[user@server ~]$

Anyone had issues with Letsencrypt?


Best regards,

Alleyviper