Sympl issueshttps://gitlab.com/sympl.io/sympl/-/issues2020-09-09T17:23:25Zhttps://gitlab.com/sympl.io/sympl/-/issues/296sympl-web: /etc/sympl/apache.d/non-ssl.template.erb sets ssl_access.log & ssl...2020-09-09T17:23:25ZPaul Cammishsympl-web: /etc/sympl/apache.d/non-ssl.template.erb sets ssl_access.log & ssl_error.log# Summary
Access and error logs for non-ssl enabled sites are incorrectly named, see below.
# Steps to reproduce
Create a non-ssl site in /srv, run /usr/sbin/sympl-web-configure and you'll find the logs are going into /srv/site/publi...# Summary
Access and error logs for non-ssl enabled sites are incorrectly named, see below.
# Steps to reproduce
Create a non-ssl site in /srv, run /usr/sbin/sympl-web-configure and you'll find the logs are going into /srv/site/public/logs/ssl_access.log and ssl_error.log
# Example Project
n/a
# What is the current bug behavior?
Configurations are generated for non-ssl sites where the logfiles are ssl_access.log and ssl_error.log
The non-ssl virtualhost for an ssl enabled site correctly sets access.log and error.log.
Template (/etc/sympl/apache.d/non-ssl.template.erb has typos in the relevant config lines.
# What is the expected correct behavior?
Would expect the logs to be access.log and error.log as per non-ssl virtual server on an ssl enabled site.
# Relevant logs and/or screenshots
(Paste any relevant logs - please use code blocks (```) to format console output,
logs, and code as it's very hard to read otherwise.)
# Possible fixes
```
--- non_ssl.template.erb 2020-07-01 22:25:28.000000000 +0100
+++ non_ssl.template.erb.fixed 2020-07-01 22:26:08.000000000 +0100
@@ -87,8 +87,8 @@
</Directory>
# Write logs directly.
- ErrorLog "<%= domain.log_dir %>/ssl_error.log"
- CustomLog "<%= domain.log_dir %>/ssl_access.log" combined
+ ErrorLog "<%= domain.log_dir %>/error.log"
+ CustomLog "<%= domain.log_dir %>/access.log" combined
</VirtualHost>
```
[non_ssl.template.erb.patch](/uploads/3d78c3b9e56263e31a66c8d5c513cbbf/non_ssl.template.erb.patch)
/cc @kelduumPaul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/181Symbiosis: symbiosis-email-encrypt-passwords --verbose command is not recognised2020-08-22T16:07:25ZPaul CammishSymbiosis: symbiosis-email-encrypt-passwords --verbose command is not recognisedImported from https://www.github.com/BytemarkHosting/symbiosis/issues/65
Using Symbiosis Wheezy.
I need to encrypt a users email account password. Although I remember the password file for a user usually is updated with an encrypted ve...Imported from https://www.github.com/BytemarkHosting/symbiosis/issues/65
Using Symbiosis Wheezy.
I need to encrypt a users email account password. Although I remember the password file for a user usually is updated with an encrypted version of same password this doesnt appear to be working for me at the moment.
I tried the below command from /srv as admin user
symbiosis-email-encrypt-passwords --verbose
but just get
-bash: symbiosis-email: command not foundhttps://gitlab.com/sympl.io/sympl/-/issues/143Symbiosis: I want SSL only without HSTS2020-07-11T06:36:30ZPaul CammishSymbiosis: I want SSL only without HSTSImported from https://www.github.com/BytemarkHosting/symbiosis/issues/66
I want a back-out path from ssl-only. Currently, if I deploy SSL only HSTS headers get issued, which mean I have no way to back out if I have problems with certifi...Imported from https://www.github.com/BytemarkHosting/symbiosis/issues/66
I want a back-out path from ssl-only. Currently, if I deploy SSL only HSTS headers get issued, which mean I have no way to back out if I have problems with certificate renewal or spot a problem with the way the SSL site renders
So, maybe I could make a file `config/ssl-only-no-sts` to get ssl throughout the site, and when I'm confident that I can commit to this configuration, then deploy STS.Sympl v9.0 (for Debian Stretch)https://gitlab.com/sympl.io/sympl/-/issues/297sympl-backup: `backup2l -r <regexp>` in Buster only restores directories, and...2020-07-06T12:45:46ZPaul Cammishsympl-backup: `backup2l -r <regexp>` in Buster only restores directories, and no filesFrom: https://forum.sympl.host/t/problem-restoring-with-backup2l/138/7
In short, the 'extract' functionality is missing from the TAR driver for backup2l, meaning it can do everything apart from actually extract the relevant files.
The ...From: https://forum.sympl.host/t/problem-restoring-with-backup2l/138/7
In short, the 'extract' functionality is missing from the TAR driver for backup2l, meaning it can do everything apart from actually extract the relevant files.
The files are backed up okay, but the automatic restore functionality is broken.Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/290sympl-core: sympl-filesystem-security removes +x flag from /etc/sympl/firewal...2020-04-27T17:06:12ZPaul Cammishsympl-core: sympl-filesystem-security removes +x flag from /etc/sympl/firewall/local.d/*The directory contains scripts run at the end of sympl-firewall, which need to be executable, but `sympl-filesystem-security` currently removes that flag.The directory contains scripts run at the end of sympl-firewall, which need to be executable, but `sympl-filesystem-security` currently removes that flag.Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/293sympl-web: SSL Stapling is enabled for self-signed certs2020-04-22T11:58:37ZPaul Cammishsympl-web: SSL Stapling is enabled for self-signed certsFrom https://forum.sympl.host/t/error-message-in-apache-error-log/113/4?u=kelduum
```
[Tue Apr 21 19:07:29.793000 2020] [ssl:error] [pid 585] AH02217: ssl_stapling_init_cert: can’t retrieve issuer certificate! [subject: CN=raspberrypi.l...From https://forum.sympl.host/t/error-message-in-apache-error-log/113/4?u=kelduum
```
[Tue Apr 21 19:07:29.793000 2020] [ssl:error] [pid 585] AH02217: ssl_stapling_init_cert: can’t retrieve issuer certificate! [subject: CN=raspberrypi.localdomain / issuer: CN=raspberrypi.localdomain / serial: 5E9F307C / notbefore: Apr 21 17:42:20 2020 GMT / notafter: Apr 21 17:42:20 2021 GMT]
[Tue Apr 21 19:07:29.793961 2020] [ssl:error] [pid 585] AH02604: Unable to configure certificate raspberrypi.localdomain:443:0 for stapling
```
It looks like `sympl-web/lib/symbiosis/config_files/apache.rb` has the relevant code, and probably needs a tweak to move the decision to use SSL stapling there if it's a self-signed cert, and out of the templates.Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/292sympl-web: Seperate packages needed for i386, amd64 and armhf2020-04-22T11:56:50ZPaul Cammishsympl-web: Seperate packages needed for i386, amd64 and armhfAt the moment, the `sympl-web` package is marked as 'all' architectures, but contains some compiled Go in the form of sympl-web-logger, which isn't portable to armhf, and logs continual errors to /var/log/apache2/error.log as it can't st...At the moment, the `sympl-web` package is marked as 'all' architectures, but contains some compiled Go in the form of sympl-web-logger, which isn't portable to armhf, and logs continual errors to /var/log/apache2/error.log as it can't start it.
This should be a reasonably simple fix to cross-compile it and package it appropriately.Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/291sympl-webmail: Getting roundcube to work2020-04-22T11:49:34ZPaul Cammishsympl-webmail: Getting roundcube to workNot that I use roundcube - but it's useful backup. The system seems to have the right database tables, but cannot access them and there are some other minor tiny changes to make to it work. Now it maybe that it does work... I couldn't ge...Not that I use roundcube - but it's useful backup. The system seems to have the right database tables, but cannot access them and there are some other minor tiny changes to make to it work. Now it maybe that it does work... I couldn't get it to log me in. So I did this lot:
1) Install apt install php-net-idna2
the install script complains about this
2) ```cd /usr/share/roundcube```
```ln -s /var/lib/roundcube/temp```
Roundcube is looking in /var/lib/roundcube or so it says.
3) Change /etc/defaults.inc.php
This line:
```
$config['db_dsnw'] = 'mysql://roundcube:@localhost/roundcubemail';
```
points to roundcubeemail - where the mysql database is roundcube. So change that.
Now run dpkg-reconfigure roundcube-core
it creates debian-db.php, which contains a password. This still isn't roundcube's password,
so
```
# mysql mysql
> alter user 'roundcube'@'localhost' identified by 'THE PASSWORD IN THE FILE';
> FLUSH PRIVILEGES;
```
check that the password works - and add it into /etc/defaults.inc.php after the colon.
It should all now spring into life.Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/280sympl-core: sympl-filesystem-security breaks access to config/stats-htaccess2020-04-20T10:41:34ZPaul Cammishsympl-core: sympl-filesystem-security breaks access to config/stats-htaccessReported by a user, the `config/stats-htaccess` file has it's permissions reset by `sympl-filesystem-security` to a configuration which prevents access by www-data, and therefore Apache denied all access to example.com/statsReported by a user, the `config/stats-htaccess` file has it's permissions reset by `sympl-filesystem-security` to a configuration which prevents access by www-data, and therefore Apache denied all access to example.com/statsPaul CammishPaul Cammish2020-04-20https://gitlab.com/sympl.io/sympl/-/issues/279sympl-monit: Security warning emails on hostname resolution failure2020-04-20T10:41:34ZPaul Cammishsympl-monit: Security warning emails on hostname resolution failureIf for some reason DNS fails for the system hostname, the systemd service at `/usr/lib/systemd/system/sympl-monit.service` will throw security warnings at the root user via email as sudo is not happy.If for some reason DNS fails for the system hostname, the systemd service at `/usr/lib/systemd/system/sympl-monit.service` will throw security warnings at the root user via email as sudo is not happy.Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/281sympl-mail: filesystem loop in /srv causes errors with sympl-mail-dovecot-sni2020-04-20T10:41:32ZPaul Cammishsympl-mail: filesystem loop in /srv causes errors with sympl-mail-dovecot-sniObviously it should do this, and it looks like the search for certificates is looking far too wide, searching all of /srv rather than just /srv/*/config/ssl/current/Obviously it should do this, and it looks like the search for certificates is looking far too wide, searching all of /srv rather than just /srv/*/config/ssl/current/Paul CammishPaul Cammish2020-04-20https://gitlab.com/sympl.io/sympl/-/issues/276sympl-webmail: Roundcube fails to import contacts2020-01-28T13:26:56ZPaul Cammishsympl-webmail: Roundcube fails to import contactsSee https://forum.sympl.host/t/roundcube-fails-importing-contact-list/92?u=kelduum for details.
In short, uploads work fine for attachments but fail for contacts uploads, and likely other cases.See https://forum.sympl.host/t/roundcube-fails-importing-contact-list/92?u=kelduum for details.
In short, uploads work fine for attachments but fail for contacts uploads, and likely other cases.Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/271sympl-core: On each install, check the user is in the right groups2020-01-28T00:25:25ZPaul Cammishsympl-core: On each install, check the user is in the right groupsAt the moment, the `sympl` user is only added to the relevant groups (notably www-data) when the user is created, rather than on installation of `sympl-core`.
This can cause some issues if the sympl user already exists (from a removed i...At the moment, the `sympl` user is only added to the relevant groups (notably www-data) when the user is created, rather than on installation of `sympl-core`.
This can cause some issues if the sympl user already exists (from a removed install, or it was created before installing), so it would be safer to check each time `sympl-core` is installed.Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/275"doveconf: Warning: please set ssl_dh"2020-01-28T00:25:23ZPaul Cammish"doveconf: Warning: please set ssl_dh"I'm getting an hourly email from /etc/cron.hourly/sympl-mail-dovecot-sni saying:
> doveconf: Warning: please set ssl_dh=</etc/dovecot/dh.pem
> doveconf: Warning: You can generate it with: dd if=/var/lib/dovecot/ssl-parameters.dat bs=1 s...I'm getting an hourly email from /etc/cron.hourly/sympl-mail-dovecot-sni saying:
> doveconf: Warning: please set ssl_dh=</etc/dovecot/dh.pem
> doveconf: Warning: You can generate it with: dd if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dhparam -inform der > /etc/dovecot/dh.pem
It looks like from https://wiki2.dovecot.org/Upgrading/2.3#dhparams you can do just that in order to fix the issue, but not sure if there's something else that should be done instead/as well. I'm running the buster version of Sympl.Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/272Update sympl-ssl IPv6 only to support Let's Encrypt ACMEv22019-12-27T18:11:03ZPaul CammishUpdate sympl-ssl IPv6 only to support Let's Encrypt ACMEv2I've been wondering why a Mythic Beasts hosted RPi site wasn't updating the SSL certificate. (Luckily I've got an alert through Status Cake for it.)
Looking in the `/etc/hosts` file, I noticed many lines of the form (output from `cat`):...I've been wondering why a Mythic Beasts hosted RPi site wasn't updating the SSL certificate. (Luckily I've got an alert through Status Cake for it.)
Looking in the `/etc/hosts` file, I noticed many lines of the form (output from `cat`):
```
2606:4700:60:0:f53d:5624:85c7:3a2c
acme-v01.api.letsencrypt.org # sympl-ssl workaround
2606:4700:60:0:f53d:5624:85c7:3a2c
acme-v01.api.letsencrypt.org # sympl-ssl workaround
2606:4700:60:0:f53d:5624:85c7:3a2c
acme-v01.api.letsencrypt.org # sympl-ssl workaround
```
Knowing that the v02 API is now needed, I adjusted it to remove the new line, and switched to the v2 url, and then running `sudo sympl-ssl --verbose subdomain.example.com` worked as expected instead of giving the error:
```
Current SSL set 14: signed by /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3, expires 2019-12-08 06:19:41 UTC
The current certificate expires in 4 days.
Fetching a new certificate from LetsEncrypt.
!! Failed: execution expired
```
Could the workaround please be updated for the new API (changing the 1 to a 2 in the url)?Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/274ChangeLog needs updating with the major changes.2019-12-13T16:51:16ZPaul CammishChangeLog needs updating with the major changes.As per !146, the changelog needs some updates with the service affecting changes.As per !146, the changelog needs some updates with the service affecting changes.Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/201`sympl-ssl` does not support Let's Encrypt v2 API2019-10-30T09:16:52ZPaul Cammish`sympl-ssl` does not support Let's Encrypt v2 APIAt present, as it's using an old Ruby library, `symbiosis-ssl` does not support the updated version of the Let's Encrypt API, meaning that as per [this notice](https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430), it wi...At present, as it's using an old Ruby library, `symbiosis-ssl` does not support the updated version of the Let's Encrypt API, meaning that as per [this notice](https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430), it will begin to stop working in November of 2019 for new installs, and through the next year, slowly stop working.
With this in mind, it would make sense to refactor this element of Sympl into a wrapper around existing Let's Encrypt tools, such as certbot or acmetool, rather than using a third party library, retaining the existing generation of self-signed certs and general cert management.Paul CammishPaul Cammish2019-10-31https://gitlab.com/sympl.io/sympl/-/issues/266sympl-firewall uses incron, which is incompatible with some systems2019-09-17T13:58:20ZPaul Cammishsympl-firewall uses incron, which is incompatible with some systemsIn short, incron should be removed if possible - this doesn't work on all filesystems, and many systems use NFS for the filesystem (the Mythic Beasts RPi platform) which causes problems.In short, incron should be removed if possible - this doesn't work on all filesystems, and many systems use NFS for the filesystem (the Mythic Beasts RPi platform) which causes problems.Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/261sympl-ssl fails in NAT64 environments with IPv4 addresses2019-09-17T13:45:19ZPaul Cammishsympl-ssl fails in NAT64 environments with IPv4 addressesThis is due to the old Ruby library being used, which defaults to IPv4.
A workaround exists for this, which adds an entry to the hosts file, but fails to detect NAT64 setups.This is due to the old Ruby library being used, which defaults to IPv4.
A workaround exists for this, which adds an entry to the hosts file, but fails to detect NAT64 setups.Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/265sympl-backup triggers `tar` warnings2019-09-17T13:45:19ZPaul Cammishsympl-backup triggers `tar` warningshttps://forum.sympl.host/t/backups-tar-warning-about-non-optional-arguments/44
## Problem Description
When doing backups, the following message is shown, with the backup succeeding:
```
Creating archive using 'DRIVER_TAR_GZ'...
tar:...https://forum.sympl.host/t/backups-tar-warning-about-non-optional-arguments/44
## Problem Description
When doing backups, the following message is shown, with the backup succeeding:
```
Creating archive using 'DRIVER_TAR_GZ'...
tar: The following options were used after any non-optional arguments in archive create or update mode. These options are positional and affect only arguments that follow them. Please, rearrange them properly.
tar: --no-recursion has no effect
tar: Exiting with failure status due to previous errors
Checking TOC of archive file (< real file, > archive entry)...
```
This is due to changes to `tar` in Buster.
Paul CammishPaul Cammish