Sympl issueshttps://gitlab.com/sympl.io/sympl/-/issues2021-08-13T16:12:17Zhttps://gitlab.com/sympl.io/sympl/-/issues/308sympl11 - Re-enable testing CI2021-08-13T16:12:17ZPaul Cammishsympl11 - Re-enable testing CINo testing branch at present with public packages to test against, so CI was disabled temporarily in 05713c43.
Will need re-enabling once the testing branch has been publicly built.No testing branch at present with public packages to test against, so CI was disabled temporarily in 05713c43.
Will need re-enabling once the testing branch has been publicly built.Sympl 11 for Debian BullseyePaul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/307Sympl 11: sympl-mail - Update exim configurations (historic)2021-02-12T18:21:16ZPaul CammishSympl 11: sympl-mail - Update exim configurations (historic)Changes to the Exim configuration were needed to pass the existing test suite.
These were done in 7dc9c294 15c8c20f 5a1b47ae 33d97665 6b4fbe1c
See also #304 which is related as it involved a workaround.Changes to the Exim configuration were needed to pass the existing test suite.
These were done in 7dc9c294 15c8c20f 5a1b47ae 33d97665 6b4fbe1c
See also #304 which is related as it involved a workaround.Sympl 11 for Debian Bullseyehttps://gitlab.com/sympl.io/sympl/-/issues/306Sympl 11: Installing sympl-mysql doesnt write the password to /home/sympl2021-02-15T11:33:44ZPaul CammishSympl 11: Installing sympl-mysql doesnt write the password to /home/symplThis is currently causing the testing to fail, and will need looking into.This is currently causing the testing to fail, and will need looking into.Sympl 11 for Debian BullseyePaul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/305Update copyright dates to 2023, and license to GPL32023-05-26T10:55:17ZPaul CammishUpdate copyright dates to 2023, and license to GPL3The licence for Sympl 11 should be updated to the more modern GPL3, which is a bit clearer in a few cases.
Similarly, copyright dates should also be updated.The licence for Sympl 11 should be updated to the more modern GPL3, which is a bit clearer in a few cases.
Similarly, copyright dates should also be updated.Sympl 12 (bookworm)https://gitlab.com/sympl.io/sympl/-/issues/304sympl11 - Exim configuration uses tainting workaround2021-08-13T16:12:36ZPaul Cammishsympl11 - Exim configuration uses tainting workaroundThe configuration in Exim 4.94 has introduced the concept of training for user-submitted variables.
This causes some issues with the Sympl configuration as we need to be able to read the relevant information based on the input to route ...The configuration in Exim 4.94 has introduced the concept of training for user-submitted variables.
This causes some issues with the Sympl configuration as we need to be able to read the relevant information based on the input to route mail correctly.
A workaround has been applied to the relevant parts, but this should be removed before it leaves testing.https://gitlab.com/sympl.io/sympl/-/issues/303sympl-firewall: Traffic on the local IPv6 network can trigger blacklisting of...2021-01-23T17:45:17ZPaul Cammishsympl-firewall: Traffic on the local IPv6 network can trigger blacklisting of the LANSympl will track IPv6 traffic at a /64 resolution, but this means if something on the same LAN is flagged and blacklisted, it will effectively disable IPv6 traffic from the same /64, which can interfere with monitoring or similar.
What ...Sympl will track IPv6 traffic at a /64 resolution, but this means if something on the same LAN is flagged and blacklisted, it will effectively disable IPv6 traffic from the same /64, which can interfere with monitoring or similar.
What should probably happen is that Sympl is a bit more granular with it's filtering of V6 addresses on the same /64, and instead only blocks individual IPs if it sees them acting suspicious.https://gitlab.com/sympl.io/sympl/-/issues/302sympl-ssl and sympl-web-configure don't show automatic www subdomains2020-10-18T11:49:59ZPaul Cammishsympl-ssl and sympl-web-configure don't show automatic www subdomains`sympl-ssl --verbose` and `sympl-web-configure --verbose` don't list the www subdomains if they are created automatically, i.e. they don't have their own `/srv/www.example.org` but instead exist as a result of `/srv/example.org`. I was s...`sympl-ssl --verbose` and `sympl-web-configure --verbose` don't list the www subdomains if they are created automatically, i.e. they don't have their own `/srv/www.example.org` but instead exist as a result of `/srv/example.org`. I was struggling to diagnose a configuration problem today and I couldn't work out whether my .htaccess file was incorrect or the www subdomain wasn't configured, and the fact that it wasn't listed in the output of either command made me think the latter.
I think it would be useful if the two commands printed the www subdomains as well, either by default or as an extra flag.
Example:
```
sudo sympl-ssl --verbose
[sudo] password for sympl:
* Examining certificates for politicsgeek.com
Current SSL set 0: signed by /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3, expires 2021-01-16 10:11:33 UTC
```
politicsgeek.com is included because it is the CN for the certificate, but there's no mention that the certificate also includes www.politicsgeek.com as the Subject Alternative Name.https://gitlab.com/sympl.io/sympl/-/issues/301sympl-firewall: "Another app is currently holding the xtables lock"2020-09-17T13:30:58ZPaul Cammishsympl-firewall: "Another app is currently holding the xtables lock"One user was reporting emails like this, coming from `/usr/sbin/sympl-firewall` and `/usr/sbin/sympl-firewall-blacklist` on two hosts.
```text
From: Cron Daemon <root@hostname.fqdn>
Date: Mon, 14 Sep 2020 at 19:00
Subject: Cron <root@ho...One user was reporting emails like this, coming from `/usr/sbin/sympl-firewall` and `/usr/sbin/sympl-firewall-blacklist` on two hosts.
```text
From: Cron Daemon <root@hostname.fqdn>
Date: Mon, 14 Sep 2020 at 19:00
Subject: Cron <root@hostname> [ -x /usr/sbin/sympl-firewall ] &&
/usr/sbin/sympl-firewall
To: <root@hostname.fqdn>
Another app is currently holding the xtables lock. Perhaps you want to use
the -w option?
sympl-firewall: Firewall script failed.
sympl-firewall: Flushing /sbin/iptables rules and chains.
sympl-firewall: Flushing /sbin/ip6tables rules and chains.
sympl-firewall: Restoring old iptables rules and chains.
sympl-firewall: Restoring old ip6tables rules and chains.
sympl-firewall: Left firewall script in
/tmp/user/0/sympl-firewall-20200914-1505-1srb1j3-saved for inspection.
```
The direct cause is unclear at the moment, and they don't happen all the time (once a day or so, apparently), so it may simply be a race condition.https://gitlab.com/sympl.io/sympl/-/issues/300sympl-web: Support for Apache Includes2020-09-10T08:28:06ZPaul Cammishsympl-web: Support for Apache IncludesA great idea in https://forum.sympl.host/t/auto-updating-ssl-certs-with-custom-apache-site-config/69/3?u=kelduum is to add an IncludeOptional directive to load extra configuration files from the config directory.A great idea in https://forum.sympl.host/t/auto-updating-ssl-certs-with-custom-apache-site-config/69/3?u=kelduum is to add an IncludeOptional directive to load extra configuration files from the config directory.Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/299sympl-core: sympl-filesystem-security reset permissions on public/cgi-bin2020-09-09T17:23:53ZPaul Cammishsympl-core: sympl-filesystem-security reset permissions on public/cgi-binThis causes cgi-bin scripts to fail, and various headaches for anyone with older stuff.This causes cgi-bin scripts to fail, and various headaches for anyone with older stuff.Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/298sympl-filesystem-security: public-group doesn't work2020-09-09T17:23:53ZPaul Cammishsympl-filesystem-security: public-group doesn't work# Summary
When putting a group into `<domain>/config/public-group`, running `sympl-filesystem-security` produces the output `id: ‘<group>’: no such user`. Found on sympl-core/stretch 9.0.200510.0.
# Steps to reproduce
Place the name o...# Summary
When putting a group into `<domain>/config/public-group`, running `sympl-filesystem-security` produces the output `id: ‘<group>’: no such user`. Found on sympl-core/stretch 9.0.200510.0.
# Steps to reproduce
Place the name of a group that isn't `www-data` in `<domain>/config/public-group` and run `sympl-filesystem-security`.
# Possible fixes
https://gitlab.mythic-beasts.com/sympl/sympl/-/blob/buster/core/sbin/sympl-filesystem-security#L50 (and 51) use `id -g $gid`, which seems like it should find the GID of a group, but actually finds the GID of the primary group of user $gid. If no user of the same name as the requested group exists, this fails. The script seems like it will need to use `getent group` and `cut` or `awk` to get the right fields.
/cc @kelduumPaul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/297sympl-backup: `backup2l -r <regexp>` in Buster only restores directories, and...2020-07-06T12:45:46ZPaul Cammishsympl-backup: `backup2l -r <regexp>` in Buster only restores directories, and no filesFrom: https://forum.sympl.host/t/problem-restoring-with-backup2l/138/7
In short, the 'extract' functionality is missing from the TAR driver for backup2l, meaning it can do everything apart from actually extract the relevant files.
The ...From: https://forum.sympl.host/t/problem-restoring-with-backup2l/138/7
In short, the 'extract' functionality is missing from the TAR driver for backup2l, meaning it can do everything apart from actually extract the relevant files.
The files are backed up okay, but the automatic restore functionality is broken.Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/296sympl-web: /etc/sympl/apache.d/non-ssl.template.erb sets ssl_access.log & ssl...2020-09-09T17:23:25ZPaul Cammishsympl-web: /etc/sympl/apache.d/non-ssl.template.erb sets ssl_access.log & ssl_error.log# Summary
Access and error logs for non-ssl enabled sites are incorrectly named, see below.
# Steps to reproduce
Create a non-ssl site in /srv, run /usr/sbin/sympl-web-configure and you'll find the logs are going into /srv/site/publi...# Summary
Access and error logs for non-ssl enabled sites are incorrectly named, see below.
# Steps to reproduce
Create a non-ssl site in /srv, run /usr/sbin/sympl-web-configure and you'll find the logs are going into /srv/site/public/logs/ssl_access.log and ssl_error.log
# Example Project
n/a
# What is the current bug behavior?
Configurations are generated for non-ssl sites where the logfiles are ssl_access.log and ssl_error.log
The non-ssl virtualhost for an ssl enabled site correctly sets access.log and error.log.
Template (/etc/sympl/apache.d/non-ssl.template.erb has typos in the relevant config lines.
# What is the expected correct behavior?
Would expect the logs to be access.log and error.log as per non-ssl virtual server on an ssl enabled site.
# Relevant logs and/or screenshots
(Paste any relevant logs - please use code blocks (```) to format console output,
logs, and code as it's very hard to read otherwise.)
# Possible fixes
```
--- non_ssl.template.erb 2020-07-01 22:25:28.000000000 +0100
+++ non_ssl.template.erb.fixed 2020-07-01 22:26:08.000000000 +0100
@@ -87,8 +87,8 @@
</Directory>
# Write logs directly.
- ErrorLog "<%= domain.log_dir %>/ssl_error.log"
- CustomLog "<%= domain.log_dir %>/ssl_access.log" combined
+ ErrorLog "<%= domain.log_dir %>/error.log"
+ CustomLog "<%= domain.log_dir %>/access.log" combined
</VirtualHost>
```
[non_ssl.template.erb.patch](/uploads/3d78c3b9e56263e31a66c8d5c513cbbf/non_ssl.template.erb.patch)
/cc @kelduumPaul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/295sympl-cli: running some commands as root doesn't ensure result has the right ...2020-09-09T17:23:53ZPaul Cammishsympl-cli: running some commands as root doesn't ensure result has the right ownerExample: `sudo sympl web create example.com` creates the directory in /srv with the owner as root.
https://forum.sympl.host/t/sympl-cli-feature-discussion/30/8Example: `sudo sympl web create example.com` creates the directory in /srv with the owner as root.
https://forum.sympl.host/t/sympl-cli-feature-discussion/30/8Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/294sympl-web: php-zip package is not installed by default2020-09-09T17:23:53ZPaul Cammishsympl-web: php-zip package is not installed by defaultIt probably should be included in typical installs, as windows-centric stuff is likely to expect it to be there.It probably should be included in typical installs, as windows-centric stuff is likely to expect it to be there.Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/293sympl-web: SSL Stapling is enabled for self-signed certs2020-04-22T11:58:37ZPaul Cammishsympl-web: SSL Stapling is enabled for self-signed certsFrom https://forum.sympl.host/t/error-message-in-apache-error-log/113/4?u=kelduum
```
[Tue Apr 21 19:07:29.793000 2020] [ssl:error] [pid 585] AH02217: ssl_stapling_init_cert: can’t retrieve issuer certificate! [subject: CN=raspberrypi.l...From https://forum.sympl.host/t/error-message-in-apache-error-log/113/4?u=kelduum
```
[Tue Apr 21 19:07:29.793000 2020] [ssl:error] [pid 585] AH02217: ssl_stapling_init_cert: can’t retrieve issuer certificate! [subject: CN=raspberrypi.localdomain / issuer: CN=raspberrypi.localdomain / serial: 5E9F307C / notbefore: Apr 21 17:42:20 2020 GMT / notafter: Apr 21 17:42:20 2021 GMT]
[Tue Apr 21 19:07:29.793961 2020] [ssl:error] [pid 585] AH02604: Unable to configure certificate raspberrypi.localdomain:443:0 for stapling
```
It looks like `sympl-web/lib/symbiosis/config_files/apache.rb` has the relevant code, and probably needs a tweak to move the decision to use SSL stapling there if it's a self-signed cert, and out of the templates.Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/292sympl-web: Seperate packages needed for i386, amd64 and armhf2020-04-22T11:56:50ZPaul Cammishsympl-web: Seperate packages needed for i386, amd64 and armhfAt the moment, the `sympl-web` package is marked as 'all' architectures, but contains some compiled Go in the form of sympl-web-logger, which isn't portable to armhf, and logs continual errors to /var/log/apache2/error.log as it can't st...At the moment, the `sympl-web` package is marked as 'all' architectures, but contains some compiled Go in the form of sympl-web-logger, which isn't portable to armhf, and logs continual errors to /var/log/apache2/error.log as it can't start it.
This should be a reasonably simple fix to cross-compile it and package it appropriately.Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/291sympl-webmail: Getting roundcube to work2020-04-22T11:49:34ZPaul Cammishsympl-webmail: Getting roundcube to workNot that I use roundcube - but it's useful backup. The system seems to have the right database tables, but cannot access them and there are some other minor tiny changes to make to it work. Now it maybe that it does work... I couldn't ge...Not that I use roundcube - but it's useful backup. The system seems to have the right database tables, but cannot access them and there are some other minor tiny changes to make to it work. Now it maybe that it does work... I couldn't get it to log me in. So I did this lot:
1) Install apt install php-net-idna2
the install script complains about this
2) ```cd /usr/share/roundcube```
```ln -s /var/lib/roundcube/temp```
Roundcube is looking in /var/lib/roundcube or so it says.
3) Change /etc/defaults.inc.php
This line:
```
$config['db_dsnw'] = 'mysql://roundcube:@localhost/roundcubemail';
```
points to roundcubeemail - where the mysql database is roundcube. So change that.
Now run dpkg-reconfigure roundcube-core
it creates debian-db.php, which contains a password. This still isn't roundcube's password,
so
```
# mysql mysql
> alter user 'roundcube'@'localhost' identified by 'THE PASSWORD IN THE FILE';
> FLUSH PRIVILEGES;
```
check that the password works - and add it into /etc/defaults.inc.php after the colon.
It should all now spring into life.Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/290sympl-core: sympl-filesystem-security removes +x flag from /etc/sympl/firewal...2020-04-27T17:06:12ZPaul Cammishsympl-core: sympl-filesystem-security removes +x flag from /etc/sympl/firewall/local.d/*The directory contains scripts run at the end of sympl-firewall, which need to be executable, but `sympl-filesystem-security` currently removes that flag.The directory contains scripts run at the end of sympl-firewall, which need to be executable, but `sympl-filesystem-security` currently removes that flag.Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/289sympl-firewall: The firewall shouldn't destroy other chains, and should be le...2020-04-20T14:05:48ZPaul Cammishsympl-firewall: The firewall shouldn't destroy other chains, and should be less ambiguous.This would be a change to existing operation, but Sympl shouldn't wipe out the all other iptables chains when it runs, and only modify rules it created itself (ie: comments).
Similarly, the ambiguously named blacklist and whitelist shou...This would be a change to existing operation, but Sympl shouldn't wipe out the all other iptables chains when it runs, and only modify rules it created itself (ie: comments).
Similarly, the ambiguously named blacklist and whitelist should have names referencing Sympl.