Sympl issueshttps://gitlab.com/sympl.io/sympl/-/issues2023-05-26T10:54:12Zhttps://gitlab.com/sympl.io/sympl/-/issues/331Failure: test_cgi(TestHTTP)2023-05-26T10:54:12ZPaul CammishFailure: test_cgi(TestHTTP)```
Failure: test_cgi(TestHTTP)
/etc/sympl/test.d/tc_http.rb:140:in `block in test_cgi'
137:
138: system ('sympl-web-configure')
139:
=> 140: assert_equal( "500", getCode( "/cgi-bin/test.cgi", @domain.name )...```
Failure: test_cgi(TestHTTP)
/etc/sympl/test.d/tc_http.rb:140:in `block in test_cgi'
137:
138: system ('sympl-web-configure')
139:
=> 140: assert_equal( "500", getCode( "/cgi-bin/test.cgi", @domain.name ),
141: "Fetching /cgi-bin/test.cgi did not return 500" )
142:
143: assert_equal( "500", getCode( "/cgi-bin/test.cgi", "www.#{@domain.name}" ),
/etc/sympl/test.d/tc_http.rb:131:in `test_cgi'
Fetching /cgi-bin/test.cgi did not return 500
<"500">(UTF-8) expected but was
<"404">(ASCII-8BIT)
diff:
? 500
? 4 4
? ? ?
? Encoding: UTF -8
? ASCII BIT
? ??? +++
```Sympl 12 (bookworm)https://gitlab.com/sympl.io/sympl/-/issues/329Removal of sympl-ftp package doesn't remove /etc/sympl/monit.d/pure-ftp symlink2023-06-10T21:36:53ZPaul CammishRemoval of sympl-ftp package doesn't remove /etc/sympl/monit.d/pure-ftp symlink# What is the current bug behavior?
When you remove sympl-ftp (`apt remove --purge sympl-ftp`), the file `/usr/share/sympl/monit/checks/pure-ftpd` is removed but the symlink `/etc/sympl/monit.d/pure-ftpd` remains, causing the monitoring...# What is the current bug behavior?
When you remove sympl-ftp (`apt remove --purge sympl-ftp`), the file `/usr/share/sympl/monit/checks/pure-ftpd` is removed but the symlink `/etc/sympl/monit.d/pure-ftpd` remains, causing the monitoring to whine.
# What is the expected correct behavior?
The symlink `/etc/sympl/monit.d/pure-ftpd` should be removed also
/cc @kelduumhttps://gitlab.com/sympl.io/sympl/-/issues/328sympl-mail: Emailing mailbox quota functionality prevents mail delivery on Bu...2022-10-05T08:22:43ZPaul Cammishsympl-mail: Emailing mailbox quota functionality prevents mail delivery on BullseyeIdentified in an install migrated from Sympl 10, Exim considers the `mailboxes/example/quota`, `config/mailbox-quota` and `/etc/sympl/exim4/mailbox-quota` files tainted.
Mail is received and waits in the local spool, but cannot be deliv...Identified in an install migrated from Sympl 10, Exim considers the `mailboxes/example/quota`, `config/mailbox-quota` and `/etc/sympl/exim4/mailbox-quota` files tainted.
Mail is received and waits in the local spool, but cannot be delivered to user mailboxes until the quota is disabled.
Relevant variables will need de-tainting before they can be used.
Relevant file is `mail/exim4/sympl.d/30-transports/30-address-directory`Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/323disable-filesystem-security: Can’t disable with config/disable-filesystem-sec...2024-03-19T17:05:31ZPaul Cammishdisable-filesystem-security: Can’t disable with config/disable-filesystem-security# Summary
According to multiple pages in the wiki, you can use `/srv/example.com/config/disable-filesystem-security` to disable on a **per-site** basis. However only `${domain}/config/do-not-secure` for per-site or `/etc/sympl/disable-f...# Summary
According to multiple pages in the wiki, you can use `/srv/example.com/config/disable-filesystem-security` to disable on a **per-site** basis. However only `${domain}/config/do-not-secure` for per-site or `/etc/sympl/disable-filesystem-security` for server-wide works.
https://wiki.sympl.io/view/Website_Configuration_Reference#Filesystem_Permissions
https://wiki.sympl.io/view/Configuration_Reference
See line 170 in the `sympl-filesystem-security` script
https://gitlab.mythic-beasts.com/sympl/sympl/-/blob/bullseye/core/sbin/sympl-filesystem-security#L170
# Steps to reproduce
- Create `/srv/example.com/config/disable-filesystem-security`
- change ownership of any file in the `public` directory
- run `sudo sympl-filesystem-security`
- the ownership is changed back, despite the script supposedly being disabled for this domain
# Example Project
See the script’s code, it doesn’t check on the file described in the wiki. It only checks the **global** config file, not the **domain specific** one.
https://gitlab.mythic-beasts.com/sympl/sympl/-/blob/bullseye/core/sbin/sympl-filesystem-security#L170
# What is the current bug behavior?
Doesn’t disable filesystem ownership changes in the domain
`/srv/example.com/config/disable-filesystem-security`
# What is the expected correct behavior?
According to multiple pages in the wiki, you can use `/srv/example.com/config/disable-filesystem-security` to disable on a **per-site** basis. However only `${domain}/config/do-not-secure` works.
https://wiki.sympl.io/view/Website_Configuration_Reference#Filesystem_Permissions
https://wiki.sympl.io/view/Configuration_Reference
# Possible fixes
See line 170 in the `sympl-filesystem-security` script
https://gitlab.mythic-beasts.com/sympl/sympl/-/blob/bullseye/core/sbin/sympl-filesystem-security#L170
/cc @kelduumPaul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/318sympl-core: Cross signed Let's Encrypt bundle flags all LE certs as expired2021-10-04T10:11:53ZPaul Cammishsympl-core: Cross signed Let's Encrypt bundle flags all LE certs as expiredThis is caused by the current Ruby codebase which uses the OpenSSL library to build a certificate store, used to validate certificates.
The bundle now includes an extra cert with a copy of the normal intermediate signed by the now-expir...This is caused by the current Ruby codebase which uses the OpenSSL library to build a certificate store, used to validate certificates.
The bundle now includes an extra cert with a copy of the normal intermediate signed by the now-expired DST X3 Root certificate (used as a workaround for old devices which don't have the new X1 root cert), meaning the bundle is effectively signed twice.
This is fine in the vast majority of cases, but in this instance, the presence of an intermediate signed by an expired root raises an error, which then means sympl-ssl.rb considers the whole chain invalid, leading to it retrieving new certs on every run.
A workaround has been put together in sympl-ssl to remove the expired intermediate from the ssl.bundle and ssl.combined when preceded by the normal cert in !243 !244 !245.
Longer-term, the existing sympl-ssl will be replaced by the new version in development.Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/317sympl-mail: /srv/example.com/mailboxes is required to accept mail2021-09-23T21:15:58ZPaul Cammishsympl-mail: /srv/example.com/mailboxes is required to accept mailDue to the changes in Exim in Debian 11, the config now expects the /srv/example.com/mailboxes directory to exist for incoming mail, and fails if it doesn't (ie: theres aliases or default forward, etc).
Reported in https://forum.sympl.h...Due to the changes in Exim in Debian 11, the config now expects the /srv/example.com/mailboxes directory to exist for incoming mail, and fails if it doesn't (ie: theres aliases or default forward, etc).
Reported in https://forum.sympl.host/t/mail-aliases-in-config-aliases/234Paul CammishPaul Cammish2021-09-24https://gitlab.com/sympl.io/sympl/-/issues/316install: fails on Debian 11 without gnupg if debconf-set-selections already i...2021-08-23T07:37:11ZPaul Cammishinstall: fails on Debian 11 without gnupg if debconf-set-selections already installed# Summary
Using a fresh Debian 11 image on Linode, the install script exits at the following line due to lack of gnupg
```
root@localhost:~# wget -qO- https://mirror.mythic-beasts.com/mythic/support@mythic-beasts.com.gpg.key | apt-key ...# Summary
Using a fresh Debian 11 image on Linode, the install script exits at the following line due to lack of gnupg
```
root@localhost:~# wget -qO- https://mirror.mythic-beasts.com/mythic/support@mythic-beasts.com.gpg.key | apt-key add -
E: gnupg, gnupg2 and gnupg1 do not seem to be installed, but one of them is required for this operation
```
# Steps to reproduce
Using a fresh Debian 11 image on Linode, the install script exits at the following line due to lack of gnupg
- create linode with Debian 11 image
- follow documentation to install (https://wiki.sympl.host/view/Installing_Sympl)
- a) `wget https://gitlab.mythic-beasts.com/sympl/install/raw/master/install.sh`
- b) `bash install.sh`
- watch installer die at `Adding repository key...`
- specifically, `apt-key` fails to add the gpg public key due to missing dependency, see logs below
EDIT: It appears that `gnupg` is already listed as a dependency in the install script, but never installed since `debconf-set-selections` is already installed on the Linode image
# Example Project
Follow documentation (https://wiki.sympl.host/view/Installing_Sympl) on Debian 11 image which doesn't contain a gnupg package, such as Linode's Debian 11 image
# What is the current bug behavior?
Installer dies part way though, as above
# What is the expected correct behavior?
Installer completes successfully! :sunglasses:
# Relevant logs and/or screenshots
Before running script
```
root@localhost:~# which debconf-set-selections
/usr/bin/debconf-set-selections
```
Installer failing:
```
-----------------------------------------------------------------------
Sympl Installer v20210818
-----------------------------------------------------------------------
This script will help you install Sympl on a Debian Linux or Raspberry
Pi OS server with minimal hassle, and give you some intial pointers.
Installing initial dependencies...
All packages are up to date.
Installing Sympl from 'bullseye' repository.
Setting defaults...
Adding repository key...root@localhost:~#
```
Failing line ran separately:
```
root@localhost:~# wget -qO- https://mirror.mythic-beasts.com/mythic/support@mythic-beasts.com.gpg.key | apt-key add -
E: gnupg, gnupg2 and gnupg1 do not seem to be installed, but one of them is required for this operation
```
# Possible fixes
Lines causing issues:
- `if [ "x$(which debconf-set-selections)" = "x" ]; then`
- `wget -qO- https://mirror.mythic-beasts.com/mythic/support@mythic-beasts.com.gpg.key | apt-key add -`
Either remove the check around dependency `debconf-set-selections` installation, or separate `gnupg` into a separate dependency installation block
/cc @kelduumPaul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/315sympl-mail: sympl-mail-poppassd fails to start in Bullseye IPv6-only2021-08-23T07:35:18ZPaul Cammishsympl-mail: sympl-mail-poppassd fails to start in Bullseye IPv6-onlyIt seems that on an IPv6-only instance running Bullseye falls fowl of a change in Ruby which prevents it from binding to 127.0.0.1, but adding a IPv4 address on loopback means it's okay, and this is fine with prior debian versions.
As a...It seems that on an IPv6-only instance running Bullseye falls fowl of a change in Ruby which prevents it from binding to 127.0.0.1, but adding a IPv4 address on loopback means it's okay, and this is fine with prior debian versions.
As a short-term work-around, adjusting https://gitlab.mythic-beasts.com/sympl/sympl/-/blob/bullseye/mail/sbin/sympl-mail-poppassd and changing:
```ruby
EventMachine.run do
begin
EventMachine.start_server "127.0.0.1", port, Symbiosis::Email::PoppassHandler
rescue StandardError => err
syslog.info "Caught #{err.to_s} "
EM.stop
end
end
```
to:
```ruby
EventMachine.run do
begin
EventMachine.start_server "127.0.0.1", port, Symbiosis::Email::PoppassHandler
rescue StandardError => err
begin
EventMachine.start_server "::", port, Symbiosis::Email::PoppassHandler
rescue StandardError => err
syslog.info "Caught #{err.to_s} "
EM.stop
end
end
end
```
Will have it fallback and still bind to 127.0.0.1. This also binds to other addresses, but it's firewalled so shouldn't be an issue.Sympl 11 for Debian BullseyePaul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/310sympl-mail: config/antispam doesn't work as expected2024-03-19T17:05:32ZPaul Cammishsympl-mail: config/antispam doesn't work as expectedWhat is expected to happen:
* With the `antispam` file at `/srv/example.com/config/antispam` and empty, spam mail identified as spam should be rejected.
* With the `antispam` file at `/srv/example.com/config/antispam` and containing `t...What is expected to happen:
* With the `antispam` file at `/srv/example.com/config/antispam` and empty, spam mail identified as spam should be rejected.
* With the `antispam` file at `/srv/example.com/config/antispam` and containing `tag`, spam mail should:
1. have the `X-Spam-Status: spam` header set, and the mail accepted.
2. be delivered to the `Spam` mail folder of the user.
What actually happens is that `1` works as expected, but `2` rejects the mail as spam regardless of the tag setting, *unless* the `config/antispam` file is world-readable, which it likely shouldn't be.
In no instance (apparently inherited from Symbiosis) does the mail actually get placed in the users Spam folder, although it would be *possible* to create a sieve filter to do this, or for Dovecot to handle it, the mail is placed in the normal mail folder.
A quick fix would be to change `/etc/exim4/sympl.d/10-acl/50-acl-check-rcpt/80-enable-antispam-check` to:
```
${if match{${extract{smode}{${stat:VHOST_DIR/${domain}/VHOST_CONFIG_DIR/antispam}}}}{\Nr\N}{\
```
A fix for tagging spam properly would be to enable the subject rewrites by default, by adding the following to `/etc/exim4/system_filter`:
```
if $h_X-Spam-Status: contains "spam"
then
headers add "Original-Subject: $h_subject"
headers remove "Subject"
headers add "Subject: *** SPAM *** $h_original-subject"
endif
```
Note this also affects config/antivirus, which has a similar (undocumented) tagging function for virus infected emails in `/etc/exim4/sympl.d/10-acl/50-acl-check-rcpt/85-enable-antivirus-check`.Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/309sympl11 - Re-enable stable CI2021-08-13T16:08:34ZPaul Cammishsympl11 - Re-enable stable CINo stable branch at present with public packages to test against, so CI was disabled temporarily in 05713c43.
Will need re-enabling once the stable branch has been publicly built.No stable branch at present with public packages to test against, so CI was disabled temporarily in 05713c43.
Will need re-enabling once the stable branch has been publicly built.Sympl 11 for Debian BullseyePaul CammishPaul Cammish2021-06-01https://gitlab.com/sympl.io/sympl/-/issues/308sympl11 - Re-enable testing CI2021-08-13T16:12:17ZPaul Cammishsympl11 - Re-enable testing CINo testing branch at present with public packages to test against, so CI was disabled temporarily in 05713c43.
Will need re-enabling once the testing branch has been publicly built.No testing branch at present with public packages to test against, so CI was disabled temporarily in 05713c43.
Will need re-enabling once the testing branch has been publicly built.Sympl 11 for Debian BullseyePaul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/307Sympl 11: sympl-mail - Update exim configurations (historic)2021-02-12T18:21:16ZPaul CammishSympl 11: sympl-mail - Update exim configurations (historic)Changes to the Exim configuration were needed to pass the existing test suite.
These were done in 7dc9c294 15c8c20f 5a1b47ae 33d97665 6b4fbe1c
See also #304 which is related as it involved a workaround.Changes to the Exim configuration were needed to pass the existing test suite.
These were done in 7dc9c294 15c8c20f 5a1b47ae 33d97665 6b4fbe1c
See also #304 which is related as it involved a workaround.Sympl 11 for Debian Bullseyehttps://gitlab.com/sympl.io/sympl/-/issues/306Sympl 11: Installing sympl-mysql doesnt write the password to /home/sympl2021-02-15T11:33:44ZPaul CammishSympl 11: Installing sympl-mysql doesnt write the password to /home/symplThis is currently causing the testing to fail, and will need looking into.This is currently causing the testing to fail, and will need looking into.Sympl 11 for Debian BullseyePaul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/305Update copyright dates to 2023, and license to GPL32023-05-26T10:55:17ZPaul CammishUpdate copyright dates to 2023, and license to GPL3The licence for Sympl 11 should be updated to the more modern GPL3, which is a bit clearer in a few cases.
Similarly, copyright dates should also be updated.The licence for Sympl 11 should be updated to the more modern GPL3, which is a bit clearer in a few cases.
Similarly, copyright dates should also be updated.Sympl 12 (bookworm)https://gitlab.com/sympl.io/sympl/-/issues/300sympl-web: Support for Apache Includes2020-09-10T08:28:06ZPaul Cammishsympl-web: Support for Apache IncludesA great idea in https://forum.sympl.host/t/auto-updating-ssl-certs-with-custom-apache-site-config/69/3?u=kelduum is to add an IncludeOptional directive to load extra configuration files from the config directory.A great idea in https://forum.sympl.host/t/auto-updating-ssl-certs-with-custom-apache-site-config/69/3?u=kelduum is to add an IncludeOptional directive to load extra configuration files from the config directory.Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/299sympl-core: sympl-filesystem-security reset permissions on public/cgi-bin2020-09-09T17:23:53ZPaul Cammishsympl-core: sympl-filesystem-security reset permissions on public/cgi-binThis causes cgi-bin scripts to fail, and various headaches for anyone with older stuff.This causes cgi-bin scripts to fail, and various headaches for anyone with older stuff.Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/298sympl-filesystem-security: public-group doesn't work2020-09-09T17:23:53ZPaul Cammishsympl-filesystem-security: public-group doesn't work# Summary
When putting a group into `<domain>/config/public-group`, running `sympl-filesystem-security` produces the output `id: ‘<group>’: no such user`. Found on sympl-core/stretch 9.0.200510.0.
# Steps to reproduce
Place the name o...# Summary
When putting a group into `<domain>/config/public-group`, running `sympl-filesystem-security` produces the output `id: ‘<group>’: no such user`. Found on sympl-core/stretch 9.0.200510.0.
# Steps to reproduce
Place the name of a group that isn't `www-data` in `<domain>/config/public-group` and run `sympl-filesystem-security`.
# Possible fixes
https://gitlab.mythic-beasts.com/sympl/sympl/-/blob/buster/core/sbin/sympl-filesystem-security#L50 (and 51) use `id -g $gid`, which seems like it should find the GID of a group, but actually finds the GID of the primary group of user $gid. If no user of the same name as the requested group exists, this fails. The script seems like it will need to use `getent group` and `cut` or `awk` to get the right fields.
/cc @kelduumPaul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/297sympl-backup: `backup2l -r <regexp>` in Buster only restores directories, and...2020-07-06T12:45:46ZPaul Cammishsympl-backup: `backup2l -r <regexp>` in Buster only restores directories, and no filesFrom: https://forum.sympl.host/t/problem-restoring-with-backup2l/138/7
In short, the 'extract' functionality is missing from the TAR driver for backup2l, meaning it can do everything apart from actually extract the relevant files.
The ...From: https://forum.sympl.host/t/problem-restoring-with-backup2l/138/7
In short, the 'extract' functionality is missing from the TAR driver for backup2l, meaning it can do everything apart from actually extract the relevant files.
The files are backed up okay, but the automatic restore functionality is broken.Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/296sympl-web: /etc/sympl/apache.d/non-ssl.template.erb sets ssl_access.log & ssl...2020-09-09T17:23:25ZPaul Cammishsympl-web: /etc/sympl/apache.d/non-ssl.template.erb sets ssl_access.log & ssl_error.log# Summary
Access and error logs for non-ssl enabled sites are incorrectly named, see below.
# Steps to reproduce
Create a non-ssl site in /srv, run /usr/sbin/sympl-web-configure and you'll find the logs are going into /srv/site/publi...# Summary
Access and error logs for non-ssl enabled sites are incorrectly named, see below.
# Steps to reproduce
Create a non-ssl site in /srv, run /usr/sbin/sympl-web-configure and you'll find the logs are going into /srv/site/public/logs/ssl_access.log and ssl_error.log
# Example Project
n/a
# What is the current bug behavior?
Configurations are generated for non-ssl sites where the logfiles are ssl_access.log and ssl_error.log
The non-ssl virtualhost for an ssl enabled site correctly sets access.log and error.log.
Template (/etc/sympl/apache.d/non-ssl.template.erb has typos in the relevant config lines.
# What is the expected correct behavior?
Would expect the logs to be access.log and error.log as per non-ssl virtual server on an ssl enabled site.
# Relevant logs and/or screenshots
(Paste any relevant logs - please use code blocks (```) to format console output,
logs, and code as it's very hard to read otherwise.)
# Possible fixes
```
--- non_ssl.template.erb 2020-07-01 22:25:28.000000000 +0100
+++ non_ssl.template.erb.fixed 2020-07-01 22:26:08.000000000 +0100
@@ -87,8 +87,8 @@
</Directory>
# Write logs directly.
- ErrorLog "<%= domain.log_dir %>/ssl_error.log"
- CustomLog "<%= domain.log_dir %>/ssl_access.log" combined
+ ErrorLog "<%= domain.log_dir %>/error.log"
+ CustomLog "<%= domain.log_dir %>/access.log" combined
</VirtualHost>
```
[non_ssl.template.erb.patch](/uploads/3d78c3b9e56263e31a66c8d5c513cbbf/non_ssl.template.erb.patch)
/cc @kelduumPaul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/295sympl-cli: running some commands as root doesn't ensure result has the right ...2020-09-09T17:23:53ZPaul Cammishsympl-cli: running some commands as root doesn't ensure result has the right ownerExample: `sudo sympl web create example.com` creates the directory in /srv with the owner as root.
https://forum.sympl.host/t/sympl-cli-feature-discussion/30/8Example: `sudo sympl web create example.com` creates the directory in /srv with the owner as root.
https://forum.sympl.host/t/sympl-cli-feature-discussion/30/8Paul CammishPaul Cammish