Topics - puterfixer

1
E-Mail / SpamAssassin daily update error
« on: June 06, 2019, 10:57:41 AM »
For several weeks, the CRON job which runs every day:

Code:
/usr/share/spamassassin/sa-update.cron 2>&1 | tee -a /var/log/sa-update.log
sends me back an e-mail with the following error:

Code:
UTF-16 surrogate 0xd800 at /usr/share/perl5/vendor_perl/Pod/Simple/BlackBox.pm line 67.
UTF-16 surrogate 0xd800 at /usr/share/perl5/vendor_perl/Pod/Simple/BlackBox.pm line 67.
UTF-16 surrogate 0xd800 at /usr/share/perl5/vendor_perl/Pod/Simple/BlackBox.pm line 67.

Any clue what might be wrong?

I tried rebuilding the mail server (which conveniently upgraded ClamAV binary), also removing the folder with updated rules, but no idea what else may be causing this. I suspect that some updated rules are triggering the UTF issue?

2
How to / How do I get rid of Netdata?
« on: April 11, 2019, 04:55:24 PM »
Okay, I am seriously pissed. The appearance of netdata on my server was not announced, it exposes publicly internal server configuration details (such as user accounts) without requiring any authentication on the web frontend, and who knows what other issues it has - like, predefined account password?

I want it out of my server. Right. NOW.

But, after uninstalling it manually, it was re-added overnight automatically.

How do I f*ing get this piece of s* out of my system and keep it out? I mean, who's in control of my server, me or CWP?

3
SSL / Certificates not updated automatically after 90 days - fixed
« on: December 27, 2017, 09:19:03 AM »
Hi guys,

I've been enjoying the LetsEncrypt SSL certificates for 3 months. They were due for automatic renewal via CRON task yesterday, but the certificates didn't get updated, so visitors to the sites were presented with a nice browser warning that the certificate has expired and the site might be malicious. Not nice.

After getting it fixed, here's how I did it. Sorry for explaining it at noob level, that's where I am and maybe it helps other noobs as well :)


First step: resolve websites' functionality without certificate warning (some had enforced redirects from HTTP to HTTPS).

CWP-Admin -> Apache Settings -> SSL Cert Manager -> Run Auto Renewal button.

Patience - for 8 domains, the page took a few minutes to load. This action updated all domains except for one.


Second step: fix the renewal for the domain that didn't work.

In SSL Cert Manager, check which domains' certificates are still listed as expired. Sure, you can click the Run Auto Renewal button again, but let's try another way. :)

SSH into the server with your favorite terminal, get root access via su command.
For each domain with expired certificate, run the command:

Code:
/root/.acme.sh/acme.sh --home /root/.acme.sh/cwp_certs --renew -d www.domainname.tld
If successful, check again in the SSL Cert Manager that the certificate is now expiring in 89 days.
If not successful, you may need to add the --force parameter to the command, or investigate more thoroughly the error message.


Third step: figure out why the CRON command didn't update the certificates automatically. Investigation hints:

- The CRON task exists, and looks like this:
Code:
31 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
- The CRON log in /var/log/cron simply shows that the CRON was running the /root/.acme.sh/acme.sh script every night, but with no additional info. That's because the CRON task redirects output to /dev/null

- The ACME log in /root/.acme.sh/acme.sh.log has not been doing anything successful in the past 90 days, because it ran into the same error:
Code:
_stopRenewOnError
di='/root/.acme.sh/*.*/
Not directory, skip: /root/.acme.sh/*.*/

- Checking the list of domains and certificates from the command line did not return anything:
Code:
/root/.acme.sh/acme.sh --list
- Checking into the /root/.acme.sh/acme.sh script for the occurrence of "Not directory", I find out that it occurs when it tries to update the certificates one by one, and loops through all files/folders in the ${CERT_HOME} variable. This variable is not set, it doesn't appear anywhere in the list of environment variables.
Code:
env
- Checking where the variable is defined in the same acme.sh script, apparently if it is not defined at the system level, it takes as default the location of the LetsEncrypt home folder, which IS defined as an environment variable ${LE_CONFIG_HOME}


Putting it all together, the LetsEncrypt script acme.sh has no idea that the certificate home folder on CWP is actually in /root/.acme.sh/cwp_certs, unless I explicitly mention it in the command line (as done in previous commands where --home parameter is mentioned) or, to save some keyboard ink, set the CERT_HOME environment variable to this path.

The solution:
1: Delete the incorrect CRON entry in the CWP-Admin, and add the custom entry with correct parameters:
Code:
31 0 * * * /root/.acme.sh/acme.sh --cron --home "/root/.acme.sh/cwp_certs" > /dev/null
2: Set the environment variable CERT_HOME so that the acme.sh script works correctly even without explicitly adding the --home parameter every time:
Code:
export CERT_HOME="/root/.acme.sh/cwp_certs"
3: Add the same command to set the environment variable to the /root/.acme.sh/acme.sh.env file, under the line defining the LE_WORKING_DIR variable, so that the variable is set even after a reboot.


After all this work, I am getting correct output from
Code:
/root/.acme.sh/acme.sh --list
and from
Code:
/root/.acme.sh/acme.sh --cron
without the need of other parameters. However, I will leave the explicit certificate home folder parameter in the CRON command, just in case something borks up the variables again.

For reference, my set-up is still with CentOS 6 and CWP 0.9.8.273.

Did this help? Please feel free to comment with any corrections/improvements I may have missed.
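
An added example, not part of the original post and not code from acme.sh or CWP: a POSIX shell audit for the failure described above, which flags a cron entry whose --home does not point at the CWP certificate folder or whose output is discarded, and counts the "Not directory, skip:" marker in the acme.sh log. The function names and EXPECTED_HOME are hypothetical; the paths, cron lines and log marker are the ones quoted in the post.

```shell
#!/bin/sh
# Added example: audit helpers for the silent acme.sh renewal failure above.
# EXPECTED_HOME is the CWP certificate home named in the post; the function
# names are hypothetical, not part of acme.sh or CWP.
EXPECTED_HOME="/root/.acme.sh/cwp_certs"

# audit_cron_line LINE: print space-separated findings for one crontab line, or "ok".
audit_cron_line() {
    line=$1
    findings=""
    case $line in
        *acme.sh*--cron*) ;;
        *) echo "not-acme-cron"; return 0 ;;
    esac
    # Pull the value after --home, with or without double quotes.
    home=$(printf '%s\n' "$line" |
        sed -n 's/.*--home[ =]*"\{0,1\}\([^" ]*\)"\{0,1\}.*/\1/p')
    if [ -z "$home" ]; then
        findings="$findings home-missing"      # depends on CERT_HOME in cron's env
    elif [ "$home" != "$EXPECTED_HOME" ]; then
        findings="$findings home-mismatch:$home"
    fi
    # Discarded output is why /var/log/cron showed nothing useful.
    case $line in
        *'>/dev/null'*|*'> /dev/null'*) findings="$findings output-discarded" ;;
    esac
    findings=${findings# }
    echo "${findings:-ok}"
}

# count_failed_scans FILE: count log lines where acme.sh found no cert directory.
count_failed_scans() {
    n=$(grep -c 'Not directory, skip:' "$1" 2>/dev/null) || n=${n:-0}
    echo "$n"
}

# The two cron entries quoted in the post: the original and the corrected one.
BROKEN='31 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null'
FIXED='31 0 * * * /root/.acme.sh/acme.sh --cron --home "/root/.acme.sh/cwp_certs" > /dev/null'
for entry in "$BROKEN" "$FIXED"; do
    printf '%s\n  => %s\n' "$entry" "$(audit_cron_line "$entry")"
done
```

Running count_failed_scans against /root/.acme.sh/acme.sh.log after each nightly run gives a number that should stay at zero once the cron entry is corrected.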

4
E-Mail / Replace ClamAV with BitDefender?
« on: October 10, 2017, 05:49:29 PM »
Hi,

Has anyone tried to replace ClamAV with BitDefender Security for Mail Servers suite? It's free and, from what I read, has a massively better reputation than ClamAV.

It would be nice if the next CWP major version considers including a choice of antivirus solutions.

5
Apache / Definitive guide for nginx + apache + SSL?
« on: September 26, 2017, 07:08:12 PM »
Hiya,

I'm running a production server with CentOS 6.9 and latest CWP for several domains, in nginx + Apache configuration, on a shared IP.

I'm under pressure to get SSL enabled on all domains before Google Chrome starts spewing out warnings in October for any text field submitted over http (even a friggin search), and LetsEncrypt would be a fantastic option.

Last I remember, when I tried enabling LetsEncrypt by following the Wiki tutorial, I ended up with Apache and nginx fighting each other, and all sites down. Also, if I am not mistaken, since the Wiki article was prepared and the forum post with instructions, LetsEncrypt manager has been labeled "DO NOT USE".

Is there a definitive guide I can follow now to enable SSL successfully, please? Do I need to also edit template files, rebuild hosts, stuff like that in order to keep this running every time I compile a new version of Apache?

Many thanks in advance! :)

6
CentOS 6 Problems / nginx without Apache?
« on: July 13, 2016, 08:34:37 PM »
Hi,

For performance reasons, I'd like to run nginx as the main web server, not as a reverse proxy for Apache, and completely stop using Apache. How can I do that, please? Any known watch-outs for this?

Thanks in advance!
