# Sympl issues
https://gitlab.com/sympl.io/sympl/-/issues (feed updated 2020-04-22T11:58:37Z)

## #293 sympl-web: SSL Stapling is enabled for self-signed certs
https://gitlab.com/sympl.io/sympl/-/issues/293 (updated 2020-04-22T11:58:37Z, reported by Paul Cammish)

From https://forum.sympl.host/t/error-message-in-apache-error-log/113/4?u=kelduum
```
[Tue Apr 21 19:07:29.793000 2020] [ssl:error] [pid 585] AH02217: ssl_stapling_init_cert: can’t retrieve issuer certificate! [subject: CN=raspberrypi.localdomain / issuer: CN=raspberrypi.localdomain / serial: 5E9F307C / notbefore: Apr 21 17:42:20 2020 GMT / notafter: Apr 21 17:42:20 2021 GMT]
[Tue Apr 21 19:07:29.793961 2020] [ssl:error] [pid 585] AH02604: Unable to configure certificate raspberrypi.localdomain:443:0 for stapling
```
It looks like `sympl-web/lib/symbiosis/config_files/apache.rb` has the relevant code, and probably needs a tweak to move the decision to use SSL stapling there if it's a self-signed cert, and out of the templates.

## #292 sympl-web: Separate packages needed for i386, amd64 and armhf
https://gitlab.com/sympl.io/sympl/-/issues/292 (updated 2020-04-22T11:56:50Z, reported by Paul Cammish)

At the moment, the `sympl-web` package is marked as 'all' architectures, but contains some compiled Go in the form of sympl-web-logger, which isn't portable to armhf, and logs continual errors to /var/log/apache2/error.log as it can't start it.
This should be a reasonably simple fix to cross-compile it and package it appropriately.

## #290 sympl-core: sympl-filesystem-security removes +x flag from /etc/sympl/firewall/local.d/*
https://gitlab.com/sympl.io/sympl/-/issues/290 (updated 2020-04-27T17:06:12Z, reported by Paul Cammish)

The directory contains scripts run at the end of sympl-firewall, which need to be executable, but `sympl-filesystem-security` currently removes that flag.

## #288 sympl-core: Man page broken for sympl-ssl
https://gitlab.com/sympl.io/sympl/-/issues/288 (updated 2020-04-20T11:37:33Z, reported by Paul Cammish)

This is likely as the sympl-ssl man pages are built from the ruby normally, which currently has a wrapper to fix IPv6 support.
This should be fixed soon if possible, otherwise it will be fixed as part of issue #278.

## #287 sympl-mail: Man pages broken for support scripts
https://gitlab.com/sympl.io/sympl/-/issues/287 (updated 2020-04-20T11:35:18Z, reported by Paul Cammish)

The man pages for:
```text
sympl-mail-dict-proxy
sympl-mail-encrypt-passwords
sympl-mail-poppassd
```
Only contain the Groff header, and should be fixed.

## #279 sympl-monit: Security warning emails on hostname resolution failure
https://gitlab.com/sympl.io/sympl/-/issues/279 (updated 2020-04-20T10:41:34Z, reported by Paul Cammish)

If for some reason DNS fails for the system hostname, the systemd service at `/usr/lib/systemd/system/sympl-monit.service` will throw security warnings at the root user via email as sudo is not happy.

## #276 sympl-webmail: Roundcube fails to import contacts
https://gitlab.com/sympl.io/sympl/-/issues/276 (updated 2020-01-28T13:26:56Z, reported by Paul Cammish)

See https://forum.sympl.host/t/roundcube-fails-importing-contact-list/92?u=kelduum for details.
In short, uploads work fine for attachments but fail for contacts uploads, and likely other cases.

## #272 Update sympl-ssl IPv6 only to support Let's Encrypt ACMEv2
https://gitlab.com/sympl.io/sympl/-/issues/272 (updated 2019-12-27T18:11:03Z, reported by Paul Cammish)

I've been wondering why a Mythic Beasts hosted RPi site wasn't updating the SSL certificate. (Luckily I've got an alert through Status Cake for it.)
Looking in the `/etc/hosts` file, I noticed many lines of the form (output from `cat`):
```
2606:4700:60:0:f53d:5624:85c7:3a2c
acme-v01.api.letsencrypt.org # sympl-ssl workaround
2606:4700:60:0:f53d:5624:85c7:3a2c
acme-v01.api.letsencrypt.org # sympl-ssl workaround
2606:4700:60:0:f53d:5624:85c7:3a2c
acme-v01.api.letsencrypt.org # sympl-ssl workaround
```
Knowing that the v02 API is now needed, I adjusted it to remove the new line, and switched to the v2 url, and then running `sudo sympl-ssl --verbose subdomain.example.com` worked as expected instead of giving the error:
```
Current SSL set 14: signed by /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3, expires 2019-12-08 06:19:41 UTC
The current certificate expires in 4 days.
Fetching a new certificate from LetsEncrypt.
!! Failed: execution expired
```
Could the workaround please be updated for the new API (changing the 1 to a 2 in the url)?

## #268 DKIM signature covers the sender address, but should cover the FROM HEADER address.
https://gitlab.com/sympl.io/sympl/-/issues/268 (updated 2020-09-24T06:23:41Z, reported by Paul Cammish)

# Summary
DKIM signatures are based on the SMTP sender address, not the email FROM HEADER address, which is the wrong thing to do. When the FROM address is local, and there's a DKIM key to sign with, then that should be done.
If there's no key to sign with, then perhaps we should not be sending the email!?
# Steps to reproduce
Send an email with a FROM address that doesn't match the SMTP sender address. You should notice that the DKIM header doesn't cover the FROM address.
/cc @kelduum

## #266 sympl-firewall uses incron, which is incompatible with some systems
https://gitlab.com/sympl.io/sympl/-/issues/266 (updated 2019-09-17T13:58:20Z, reported by Paul Cammish)

In short, incron should be removed if possible - this doesn't work on all filesystems, and many systems use NFS for the filesystem (the Mythic Beasts RPi platform) which causes problems.

## #265 sympl-backup triggers `tar` warnings
https://gitlab.com/sympl.io/sympl/-/issues/265 (updated 2019-09-17T13:45:19Z, reported by Paul Cammish)

https://forum.sympl.host/t/backups-tar-warning-about-non-optional-arguments/44
## Problem Description
When doing backups, the following message is shown, with the backup succeeding:
```
Creating archive using 'DRIVER_TAR_GZ'...
tar: The following options were used after any non-optional arguments in archive create or update mode. These options are positional and affect only arguments that follow them. Please, rearrange them properly.
tar: --no-recursion has no effect
tar: Exiting with failure status due to previous errors
Checking TOC of archive file (< real file, > archive entry)...
```
This is due to changes to `tar` in Buster.
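Added example (Ruby, not sympl-backup's or backup2l's own code) for the `tar` warning in the issue above: the GNU tar in Buster (1.30) and later treats `--no-recursion` as positional, so it only applies to the path operands that come after it, and tar warns and exits with failure status when it is placed after them, which is exactly the message in the log. The block builds a create command with the option in front, lints an argv for the misordering, and, when run as a script, executes both orderings in a throwaway directory so the difference in stderr is visible. `tar_create_argv`, `positional_after_operands?` and `run_tar` are hypothetical names; the sample tree is created by the block itself.

```ruby
require "open3"
require "tmpdir"
require "fileutils"

# Options GNU tar (Buster's 1.30 and later) treats as positional: they apply
# only to the path operands after them, and tar warns and exits non-zero when
# one follows the last operand. --no-recursion is the one from the issue; add
# others from `tar --help` for your version (assumption: not an exhaustive list).
POSITIONAL_OPTS = %w[--no-recursion --recursion].freeze

# Build a create command with every positional option ahead of the paths,
# which is the rearrangement tar's warning asks for.
def tar_create_argv(archive, paths, no_recursion: true, opts: %w[-c -z])
  argv = ["tar", *opts]
  argv << "--no-recursion" if no_recursion
  argv + ["-f", archive, *paths]
end

# Lint an argv: true when a positional option appears after a path operand.
# Arguments consumed by -f/--file or -C/--directory (including the short
# cluster form, e.g. -czf) are not operands.
def positional_after_operands?(argv)
  seen_operand = false
  skip_next = false
  argv.drop(1).each do |arg|
    if skip_next
      skip_next = false
    elsif arg.start_with?("-")
      return true if seen_operand && POSITIONAL_OPTS.include?(arg)
      skip_next = arg.match?(/\A-[[:alpha:]]*[fC]\z/) || %w[--file --directory].include?(arg)
    else
      seen_operand = true
    end
  end
  false
end

# Run tar and report success plus anything it wrote to stderr.
def run_tar(argv)
  _out, err, status = Open3.capture3(*argv)
  [status.success?, err]
end

if __FILE__ == $PROGRAM_NAME
  begin
    Dir.mktmpdir do |dir|
      # Constructed sample tree, created here for the demonstration.
      FileUtils.mkdir_p(File.join(dir, "site/public"))
      File.write(File.join(dir, "site/public/index.html"), "hello\n")
      Dir.chdir(dir) do
        bad  = %w[tar -czf bad.tgz site --no-recursion] # option after the operand
        good = tar_create_argv("good.tgz", %w[site])    # option before it
        [bad, good].each do |argv|
          ok, err = run_tar(argv)
          puts "#{argv.join(' ')} -> #{ok ? 'ok' : 'failed'}"
          puts err unless err.empty?
        end
      end
    end
  rescue SystemCallError => e
    puts "could not run tar: #{e.message}"
  end
end
```

On a Buster tar the `bad` ordering prints the "These options are positional" warning and returns a failure status while still writing the archive, which is why the backup appears to succeed; the `good` ordering is silent and honours `--no-recursion`, so only the `site/` directory entry lands in the archive. The lint function is the useful part for an existing backup script: run it over the argv the script assembles before it ever calls tar.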

## #264 Default IP confusion with other services
https://gitlab.com/sympl.io/sympl/-/issues/264 (updated 2020-04-21T21:19:55Z, reported by Paul Cammish)

# What is the current bug behavior?
When adding extra IPs manually (such as an IPv6 address), Sympl can get confused as to which is the primary IP, in cases where the IPs are listed out of order in the output of `ip a`.
# What is the expected correct behavior?
Sympl should probably take the IP(s) of the default domain `/srv/$HOSTNAME` as the default IP, only using the `config/ip` file to override this.
/cc @kelduum

## #261 sympl-ssl fails in NAT64 environments with IPv4 addresses
https://gitlab.com/sympl.io/sympl/-/issues/261 (updated 2019-09-17T13:45:19Z, reported by Paul Cammish)

This is due to the old Ruby library being used, which defaults to IPv4.
A workaround exists for this, which adds an entry to the hosts file, but fails to detect NAT64 setups.

## #259 Running backups manually seems to cause issues
https://gitlab.com/sympl.io/sympl/-/issues/259 (updated 2019-08-19T07:25:08Z, reported by Paul Cammish)

It appears that running backups manually as the `sympl` user will cause the sympl-sqldump script to fail (as it's not running as root), possibly causing later backups to fail as a dump was started but not completed.
Sympl should probably check for a generic user with full mysql access rather than just root (or the root or Sympl user), and/or automatically use the `--force` flag when triggering backups.

## #258 Occasional short-term failures reported by monitoring
https://gitlab.com/sympl.io/sympl/-/issues/258 (updated 2019-07-31T17:52:47Z, reported by Paul Cammish)

Recently received the following report from the automatic monitoring. It resolved itself a few minutes later.
[paste_1093477.txt](/uploads/b13f16c409a7c2c5791a95e3d7601585/paste_1093477.txt)
I've seen similar short-term failures a couple of times.

## #256 sympl-firewall: Failed to acquire lock on /var/lock/sympl-firewall.lock
https://gitlab.com/sympl.io/sympl/-/issues/256 (updated 2019-07-17T15:47:39Z, reported by Paul Cammish)

Job [#11106](https://gitlab.mythic-beasts.com/sympl/sympl/-/jobs/11106) failed for 89b35a9928e5c77aa5ea832fb4a0e851cc3cd601:
```
+ symbiosis-firewall --verbose
sympl-firewall: Failed to acquire lock on /var/lock/sympl-firewall.lock: No locks available - Unable to acquire lock -- Resource temporarily unavailable
run-parts: autotest/test.d/50-test-cli exited with return code 1
ERROR: Job failed: Process exited with: 1. Reason was: ()
```
This is the testing job accidentally aligning with a scheduled run - it's only a few seconds of window, but it happens more often than I'd like.

## #255 sympl-web-rotate-logs doesn't work
https://gitlab.com/sympl.io/sympl/-/issues/255 (updated 2019-07-09T19:27:36Z, reported by Paul Cammish)

This is due to it dropping permissions which is incompatible with the new security permissions system.
As it normally only ever runs as root, this isn't needed, and also means log rotation never happens properly as it's only telling the logger processes to reload, not Apache.

## #254 sympl-firewall: iptables email warning (buster)
https://gitlab.com/sympl.io/sympl/-/issues/254 (updated 2019-08-16T17:51:06Z, reported by Paul Cammish)

It appears with the change to iptables-nft, warnings are being generated about iptables-legacy having rules (although they appear to be empty).

## #253 sympl-test: Race condition with certificate testing
https://gitlab.com/sympl.io/sympl/-/issues/253 (updated 2021-02-12T18:08:31Z, reported by Paul Cammish)

It looks like on occasion a self-signed cert is being created, but being tested before it's valid.
Job [#9899](https://gitlab.mythic-beasts.com/sympl/sympl/-/jobs/9899) failed for 80f6dd1c78f1401f5980105fc948fa74a2f01759:
```
===============================================================================
Failure:
Exception raised:
OpenSSL::X509::CertificateError(<Not valid for rcyexz5q3p.test -- certificate is not yet valid (9)>)
test_ssl_verify_with_root_ca(SSLTest)
/etc/sympl/test.d/tc_ssl.rb:562:in `test_ssl_verify_with_root_ca'
559: #
560: assert_nothing_raised{ @domain.ssl_x509_certificate_file = @domain.directory+"/config/ssl.combined" }
561: assert_nothing_raised{ @domain.ssl_key_file = @domain.directory+"/config/ssl.combined" }
=> 562: assert_nothing_raised{ @domain.ssl_verify(@domain.ssl_x509_certificate, @domain.ssl_key, @domain.ssl_certificate_store, true) }
563: end
564:
565: def test_ssl_verify_with_intermediate_ca
===============================================================================
```

## #249 sympl-ssl - IPv6 Only DNS Resolution
https://gitlab.com/sympl.io/sympl/-/issues/249 (updated 2021-02-12T18:08:30Z, reported by Paul Cammish)

DNS resolution times out in IPv6 Only environment when contacting Let's Encrypt.
This is due to the resolver assuming there's an IPv4 address, and binding to that for replies.
A workaround is to add the relevant host to /etc/hosts before running.
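For issue #293 above (stapling enabled for self-signed certificates): a check that makes the stapling decision from the certificate itself, so it can live in code rather than in the templates. This is an added example in Ruby, not code from Sympl's apache.rb; `self_signed?`, `stapling_directive` and `make_cert` are hypothetical names, and every certificate used is generated inside the block. It also covers the case a name comparison alone gets wrong: a certificate whose issuer name matches its subject but which was signed with somebody else's key is not self-signed, and treating it as such would hide a real chain problem.

```ruby
require "openssl"

# A certificate is self-signed only if its issuer name equals its subject name
# AND its signature verifies under its own public key. Checking the names alone
# is not enough: any certificate can carry a matching issuer/subject pair.
def self_signed?(cert)
  return false unless cert.issuer.to_der == cert.subject.to_der
  cert.verify(cert.public_key)
rescue OpenSSL::OpenSSLError
  false
end

# OCSP stapling needs the issuer's certificate to fetch a response for, which a
# self-signed certificate cannot provide (mod_ssl logs AH02217/AH02604 and
# never staples). Emit the per-vhost directive accordingly. Hypothetical helper,
# not Sympl's apache.rb.
def stapling_directive(cert)
  self_signed?(cert) ? "SSLUseStapling off" : "SSLUseStapling on"
end

# Test-data builder (constructed here, not taken from the issue): a leaf or CA
# certificate for `cn`, signed by `issuer_key` (defaults to self-signing with `key`).
def make_cert(cn, key, issuer_cert: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = OpenSSL::BN.rand(64)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 365 * 24 * 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

if __FILE__ == $PROGRAM_NAME
  host_key = OpenSSL::PKey::RSA.new(2048)
  ca_key = OpenSSL::PKey::RSA.new(2048)
  self_signed = make_cert("raspberrypi.localdomain", host_key)
  ca = make_cert("Example Root CA", ca_key, ca: true)
  leaf = make_cert("www.example.com", host_key, issuer_cert: ca, issuer_key: ca_key)
  [self_signed, leaf].each do |c|
    puts "#{c.subject}: #{stapling_directive(c)}"
  end
end
```

Apache still starts when stapling cannot be initialised; AH02217/AH02604 are logged per vhost at startup, so emitting `off` for self-signed certificates only removes that noise. Any vhost that keeps stapling on still needs a single `SSLStaplingCache` directive at server level, which belongs outside the per-site template.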
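Issues #261 and #249 (and the hosts-file fix asked for in #272) are one problem seen from different sides: a client library that resolves and binds IPv4 first stalls in IPv6-only and NAT64 environments, and the /etc/hosts workaround cannot tell whether NAT64 is in play. As an added example (not sympl-ssl's code), the block below discovers the NAT64 prefix the way RFC 7050 specifies, from the AAAA answers a DNS64 resolver synthesises for ipv4only.arpa, and then builds the single hosts-file line to pin. Resolver answers are constructed inline so it runs offline; `nat64_prefix`, `embed_ipv4` and `hosts_entry` are hypothetical names, and the ACMEv2 hostname is used only as the example target.

```ruby
require "ipaddr"

# RFC 7050: ipv4only.arpa has only the A records 192.0.0.170 and 192.0.0.171.
# A DNS64 resolver in front of a NAT64 gateway synthesises AAAA records for it,
# embedding one of those addresses in the NAT64 prefix (RFC 6052 layout), so
# the prefix can be read back from the answer. No synthesised AAAA means no
# NAT64/DNS64 in the path.
WELL_KNOWN_V4 = %w[192.0.0.170 192.0.0.171].freeze

# Byte offsets of the four embedded IPv4 octets for each RFC 6052 prefix
# length; byte 8 (bits 64-71) is the reserved zero "u" byte and is skipped.
EMBED_POSITIONS = {
  32 => [4, 5, 6, 7],
  40 => [5, 6, 7, 9],
  48 => [6, 7, 9, 10],
  56 => [7, 9, 10, 11],
  64 => [9, 10, 11, 12],
  96 => [12, 13, 14, 15],
}.freeze

# Given the AAAA answers for ipv4only.arpa (strings), return the NAT64 prefix
# as an IPAddr with its prefix length set (e.g. 64:ff9b::/96), or nil.
def nat64_prefix(aaaa_answers)
  aaaa_answers.each do |answer|
    addr = IPAddr.new(answer)
    next unless addr.ipv6?
    bytes = addr.hton.bytes
    EMBED_POSITIONS.each do |plen, pos|
      embedded = pos.map { |i| bytes[i] }.join(".")
      return addr.mask(plen) if WELL_KNOWN_V4.include?(embedded)
    end
  end
  nil
end

# Inverse operation: synthesise the IPv6 address a DNS64 would return for an
# IPv4 address under the discovered prefix.
def embed_ipv4(prefix, v4)
  pos = EMBED_POSITIONS.fetch(prefix.prefix)
  bytes = prefix.hton.bytes
  IPAddr.new(v4).hton.bytes.each_with_index { |b, i| bytes[pos[i]] = b }
  IPAddr.new_ntoh(bytes.pack("C*"))
end

# Pick the address to pin in /etc/hosts for a host the IPv4-defaulting client
# must reach over IPv6: a native AAAA if there is one, otherwise (behind NAT64)
# the synthesised address of its A record, otherwise nil (nothing to pin).
def hosts_entry(host, aaaa:, a:, prefix:)
  addr = aaaa.first
  addr ||= embed_ipv4(prefix, a.first) if prefix && a.first
  addr && "#{addr} #{host} # sympl-ssl workaround"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed resolver answers for the demonstration, not real ones.
  prefix = nat64_prefix(%w[64:ff9b::c000:aa 64:ff9b::c000:ab])
  puts "NAT64 prefix: #{prefix}/#{prefix.prefix}"
  puts hosts_entry("acme-v02.api.letsencrypt.org", aaaa: [], a: %w[203.0.113.7], prefix: prefix)
end
```

In a real run the answers come from `Resolv::DNS#getresources("ipv4only.arpa", Resolv::DNS::Resource::IN::AAAA)`; an empty list means there is no DNS64 and ordinary native resolution applies, which is the case the existing workaround already handles. Pinning a synthesised address is a stop-gap for a client that insists on IPv4: the durable fix is for the client to prefer AAAA answers itself, at which point the NAT64 prefix is only needed for hosts that have no AAAA at all.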