Sympl issueshttps://gitlab.com/sympl.io/sympl/-/issues2019-09-08T15:13:43Zhttps://gitlab.com/sympl.io/sympl/-/issues/263LetsEncrypt certificates not renewed early enough2019-09-08T15:13:43ZPaul CammishLetsEncrypt certificates not renewed early enough# Summary
LetsEncrypt certificates are not renewed a month before expiry (as recommended). This causes warning emails to be received from LetsEncrypt.
# Steps to reproduce
Enable LetsEncrypt certificates for a domain. Wait 60 days.
...# Summary
LetsEncrypt certificates are not renewed a month before expiry (as recommended). This causes warning emails to be received from LetsEncrypt.
# Steps to reproduce
Enable LetsEncrypt certificates for a domain. Wait 60 days.
# What is the current bug behavior?
Certificates are not renewed until 2 weeks before expiry, causing a warning.email to be received
# What is the expected correct behavior?
Certificate should be removed 30 days before expiry.
See: https://letsencrypt.org/docs/integration-guide/
for more info.
/cc @kelduumPaul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/259Running backups manually seems to cause issues2019-08-19T07:25:08ZPaul CammishRunning backups manually seems to cause issuesIt appears that running backups manually as the `sympl` user will cause the sympl-sqldump script to fail (as it's not running as root), possibly causing later backups to fail as a dump was started but not completed.
Sympl should probabl...It appears that running backups manually as the `sympl` user will cause the sympl-sqldump script to fail (as it's not running as root), possibly causing later backups to fail as a dump was started but not completed.
Sympl should probably check for a generic user with full mysql access rather than just root (or the root or Sympl user), and/or automatically use the `--force` flag when triggering backups.Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/243Buster: zz-mass-hosting doesn't appear to work.2019-08-16T17:54:56ZPaul CammishBuster: zz-mass-hosting doesn't appear to work.On boot, it's sending traffic to /var/www/html, and then after reconfiguring it seems to be only sending traffic to /srv/$localhost/public/htdocs.
It may be due to changes in the newer Apache breaking dynamic vhost configurations in gen...On boot, it's sending traffic to /var/www/html, and then after reconfiguring it seems to be only sending traffic to /srv/$localhost/public/htdocs.
It may be due to changes in the newer Apache breaking dynamic vhost configurations in general, or something else like the custom module not working right any more.Backloghttps://gitlab.com/sympl.io/sympl/-/issues/254sympl-firewall: iptables email warning (buster)2019-08-16T17:51:06ZPaul Cammishsympl-firewall: iptables email warning (buster)It appears with the change to iptables-nft, wanring are being generated about iptables-legacy having rules (although they appear to be empty).It appears with the change to iptables-nft, wanring are being generated about iptables-legacy having rules (although they appear to be empty).Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/260Extra content in /root/.ssh/authorized_keys is copied also2019-08-16T12:20:27ZPaul CammishExtra content in /root/.ssh/authorized_keys is copied alsoIn the event `/root/.ssh/authorized_keys` contains other content (such as a "command=" entry for the key [ref](https://forum.sympl.host/t/dont-login-as-root-warning/39)), then the Sympl user will be similarly restricted on first logging ...In the event `/root/.ssh/authorized_keys` contains other content (such as a "command=" entry for the key [ref](https://forum.sympl.host/t/dont-login-as-root-warning/39)), then the Sympl user will be similarly restricted on first logging in.
Not necessarily a bug, but we may want to think about excluding these entries or handling them differently.https://gitlab.com/sympl.io/sympl/-/issues/255sympl-web-rotate-logs doesnt work2019-07-09T19:27:36ZPaul Cammishsympl-web-rotate-logs doesnt workThis is due to it dropping permissions which is incompatible with the new security permissions system.
As it normally only ever runs as root, this isn't needed, and also means log rotation never happens properly as it's only telling the...This is due to it dropping permissions which is incompatible with the new security permissions system.
As it normally only ever runs as root, this isn't needed, and also means log rotation never happens properly as it's only telling the logger processes to reload, not Apache.Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/252GitLab CI Improvements2019-07-09T18:44:33ZPaul CammishGitLab CI ImprovementsWhat should be happening is the runner should strategically install the previous version (if it exists) from the relevant public repo, then install the version from the local repo. Instead, theres a common race condition meaning the publ...What should be happening is the runner should strategically install the previous version (if it exists) from the relevant public repo, then install the version from the local repo. Instead, theres a common race condition meaning the public versions are the same as the newly pushed versions.
We should also have separate upgrade tests from the stable and the testing branches, so we can be certain that we won't break stable before deploying, but we can also pre-download the dependency packages needed in the images to save time and bandwidth, negating the need for a separate image.
* [x] Versions older than the local repo installed for upgrade tests.
* [x] Upgrade tests for stable and testing.
* [x] Pre-downloaded packages in clean install.
* [x] CI tidyup, ideally both major branches from the same version.
* [x] Tests for mangled changelog entries in the build CIFuture PlansPaul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/251Dovecot doesn't reload after cert changes if config hasn't changed.2019-07-07T00:28:05ZPaul CammishDovecot doesn't reload after cert changes if config hasn't changed.In the situation where no new domains are created, but SSL certs update automatically, Dovecot would eventually expire the cached certs, so a reload is needed, as well as a check for when there are literally no certs (ie: first cert atte...In the situation where no new domains are created, but SSL certs update automatically, Dovecot would eventually expire the cached certs, so a reload is needed, as well as a check for when there are literally no certs (ie: first cert attempt fails).
In progress: sympl/sympl!76Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/250Apache config template changes from Buster need to be backported to Stretch2019-07-06T19:10:34ZPaul CammishApache config template changes from Buster need to be backported to StretchIn progress: !77In progress: !77Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/246Roundcube unable to send mail in Buster.2019-07-02T16:38:13ZPaul CammishRoundcube unable to send mail in Buster.Needs confirming if this is affecting Stretch also.Needs confirming if this is affecting Stretch also.Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/245Job Failed #83802019-07-02T16:38:11ZPaul CammishJob Failed #8380This is breaking phpMyAdmin, which should be split into a separate config as it's being retired.
Job [#8380](https://gitlab.mythic-beasts.com/sympl/sympl/-/jobs/8380) failed for 477a89553e5662f5d77f15a5ba1739cdb60ebbf8:This is breaking phpMyAdmin, which should be split into a separate config as it's being retired.
Job [#8380](https://gitlab.mythic-beasts.com/sympl/sympl/-/jobs/8380) failed for 477a89553e5662f5d77f15a5ba1739cdb60ebbf8:Sympl v9.0 (for Debian Stretch)Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/238mail: Sieve tests failing2019-07-02T16:38:04ZPaul Cammishmail: Sieve tests failingLooks like two tests are failing at present.
* test_deliver_with_sieve
* test_deliver_with_sieve_for_local_users
Likely a change to sieve configuration as with Stretch.Looks like two tests are failing at present.
* test_deliver_with_sieve
* test_deliver_with_sieve_for_local_users
Likely a change to sieve configuration as with Stretch.Sympl v10.0 (for Debian Buster)Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/248sympl-mail: Debian-exim user should be added to sympl group.2019-07-02T16:36:27ZPaul Cammishsympl-mail: Debian-exim user should be added to sympl group.As is, the Debian-exim user already has access to the ssl-certs and other things, so giving it access to the config directory shouldn't be a problem now things are properly partitioned and will allow users to still configure things via S...As is, the Debian-exim user already has access to the ssl-certs and other things, so giving it access to the config directory shouldn't be a problem now things are properly partitioned and will allow users to still configure things via SFTP.
`sympl-filesystem-security` will need adjusting for this also.Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/244Incorrect permissions on dkim selector file2019-06-28T16:43:46ZPaul CammishIncorrect permissions on dkim selector fileMy dkim selector file is currently owned by sympl:sympl, with permissions set to 660.
I received the following error in my logs overnight:
2019-06-27 06:39:42 1hgN8H-0005FM-Rw failed to expand dkim_selector: failed to open /srv/gentlys...My dkim selector file is currently owned by sympl:sympl, with permissions set to 660.
I received the following error in my logs overnight:
2019-06-27 06:39:42 1hgN8H-0005FM-Rw failed to expand dkim_selector: failed to open /srv/gentlysympl.gentlyhosting.uk/config/dkim: Permission denied (euid=105 egid=109)
What should the permissions / ownership be set to? The uid / gid referred to in the error are both Debian-exim. Can sympl automatically adjust these permissions if a specific set are required?Sympl v9.0 (for Debian Stretch)Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/224Web: `sympl-web-* --manual` requires sympl-common package2019-06-28T15:08:51ZPaul CammishWeb: `sympl-web-* --manual` requires sympl-common packageThis isn't a problem when building in gitlab-ci, but breaks otherwise.
Option 1: Add sympl-common as a build dependency. (quick but untidy!)
Option 2: Make them work like the others and output the man page without any dependencies.
Opt...This isn't a problem when building in gitlab-ci, but breaks otherwise.
Option 1: Add sympl-common as a build dependency. (quick but untidy!)
Option 2: Make them work like the others and output the man page without any dependencies.
Option 2 is the best option here, especially as the libs aren't needed elsewhere.Sympl v9.0 (for Debian Stretch)Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/240Job Failed #7680 - net_connect_unix(/var/run/dovecot/stats-writer)2019-06-26T16:11:45ZPaul CammishJob Failed #7680 - net_connect_unix(/var/run/dovecot/stats-writer)Job [#7680](https://gitlab.mythic-beasts.com/sympl/sympl/-/jobs/7680) failed for f7d32cae365d7e879cd6d3987ec68d63d0f125c8:
```
run-parts: executing autotest/test.d/90-symbiosis-test
Running sympl-test...
Loaded suite /usr/bin/sympl-test...Job [#7680](https://gitlab.mythic-beasts.com/sympl/sympl/-/jobs/7680) failed for f7d32cae365d7e879cd6d3987ec68d63d0f125c8:
```
run-parts: executing autotest/test.d/90-symbiosis-test
Running sympl-test...
Loaded suite /usr/bin/sympl-test
Started
...............................................................................
.......................................lda(test@h2t4nehquz.test,)Error: net_connect_unix(/var/run/dovecot/stats-writer) failed: Permission denied
.lda(sympl-test@quick.sympl.test,)Error: net_connect_unix(/var/run/dovecot/stats-writer) failed: Permission denied
.lda(test@tsn3b3s36c.test,)Error: net_connect_unix(/var/run/dovecot/stats-writer) failed: Permission denied
.lda(test@cu9yts5qtz.test,)Error: net_connect_unix(/var/run/dovecot/stats-writer) failed: Permission denied
F
===============================================================================
Failure: test_deliver_with_sieve(TestDovecot)
/etc/sympl/test.d/tc_dovecot.rb:371:in `do_test_deliver_with_sieve'
/etc/sympl/test.d/tc_dovecot.rb:382:in `test_deliver_with_sieve'
379:
380: def test_deliver_with_sieve
381: @mailbox.create
=> 382: do_test_deliver_with_sieve(@mailbox)
383: end
384:
385: def test_deliver_with_sieve_for_local_users
Found 1 messages in Maildir/new rather than 0
<0> expected but was
<1>
===============================================================================
.lda(sympl-test@quick.sympl.test,)Error: net_connect_unix(/var/run/dovecot/stats-writer) failed: Permission denied
F
===============================================================================
Failure: test_deliver_with_sieve_for_local_users(TestDovecot)
/etc/sympl/test.d/tc_dovecot.rb:371:in `do_test_deliver_with_sieve'
/etc/sympl/test.d/tc_dovecot.rb:391:in `test_deliver_with_sieve_for_local_users'
388: mailbox = do_setup_local_mailbox(test_user)
389: sieve_file = File.join(mailbox.directory, ".sieve")
390:
=> 391: do_test_deliver_with_sieve(mailbox)
392: ensure
393: File.unlink(sieve_file) if sieve_file and File.exist?(sieve_file)
394: end
Found 1 messages in Maildir/new rather than 0
<0> expected but was
<1>
===============================================================================
...............................................................................
.......................
Finished in 102.66534708 seconds.
-------------------------------------------------------------------------------
226 tests, 1495 assertions, 2 failures, 0 errors, 0 pendings, 0 omissions, 0 notifications
99.115% passed
-------------------------------------------------------------------------------
2.20 tests/s, 14.56 assertions/s
```
This may simply be the way the testing interfaces with dovecot, as the 'stats' functionality in Dovecot has changed.Sympl v10.0 (for Debian Buster)Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/242sympl-mail-dovecot-sni should use ssl.bundle rather than ssl.crt2019-06-26T14:59:50ZPaul Cammishsympl-mail-dovecot-sni should use ssl.bundle rather than ssl.crtAs is, it provides the cert, but not the bundle, meaning the chain is broken.
It's worth investigating of the exim sni configuration has the same issue also.As is, it provides the cert, but not the bundle, meaning the chain is broken.
It's worth investigating of the exim sni configuration has the same issue also.Sympl v9.0 (for Debian Stretch)Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/241stretch-testing -> stretch2019-06-25T08:36:27ZPaul Cammishstretch-testing -> stretch# Testing to Stable
## Setup
* [x] Add example.com to /etc/hosts.
* [x] Start with a clean machine running the relevant version of Debian.
## Install
* [x] Run Install script as per https://wiki.sympl.host/Installation_Instructions w...# Testing to Stable
## Setup
* [x] Add example.com to /etc/hosts.
* [x] Start with a clean machine running the relevant version of Debian.
## Install
* [x] Run Install script as per https://wiki.sympl.host/Installation_Instructions without dpkg prompts.
* [x] User is pointed to https://wiki.sympl.host for docs, and https://forum.sympl.host for issues.
* [x] User has to set a new password for `sympl`, and is suggested to use an SSH key.
* [x] User can log in as the `sympl` user.
## Core
* [x] Banner happens on login and provides correct version/system stats.
* [x] Typical utilities such as vim, htop, etc are installed and work normally.
## Web
* [x] `mkdir -p /srv/example.com/public/htdocs`, make sure you are served a 'theres nothing here yet' page.
* [x] `echo 'Testing example.com' > /srv/example.com/public/htdocs/index.html`, check the page loads with the new content.
* [x] `echo '<?php phpinfo() ?>' > /srv/example.com/public/htdocs/index.php`, check the page loads with phpinfo.
* [x] `sudo sympl-web-configure --verbose`, check /srv/example.com/ contains public/logs, php_tmp, php_sessions.
* [x] Browse to http://example.com again, check logs are being written to `public/logs/access.log`.
* [x] Browse to https://example.com again (expect browser warning), check logs are being written to `public/logs/ssl_access.log`.
* [x] `sudo sympl-web-rotate-logs`, check logs have rotated.
* [x] `sudo sympl-web-generate-stats --verbose`, check stats have NOT been created.
* [x] `mkdir -p /srv/example.com/config ; echo selfsigned > /srv/example.com/config/ssl-provider ; sudo sympl-ssl --verbose`, check cert is generated.
* [x] `sudo sympl-web-configure --verbose`, check site now loads with self-signed certificate.
## FTP
* [x] Confirm you cannot login anonymously via FTP.
* [x] `echo some-password > /srv/example.com/config/ftp-password`, check you can log in with user `example.com` password `some-password` via FTP and are placed in public.
* [x] Confirm you can upload/download/delete files via FTP.
* [x] `echo someuser:someotherpass:htdocs:0M > /srv/example.com/config/ftp-users`, check you can log in with user `someuser@example.com` password `someotherpass` via FTP and are placed in htdocs.
* [x] Confirm you can download but not upload files via FTP.
* [x] `sudo sympl-password-test --verbose`, confirm password warning.
## Mail & WebMail
* [x] `mkdir -p /srv/example.com/mailboxes/user ; echo some-password > /srv/example.com/mailboxes/user/password ; sudo sympl-password-test --verbose`, confirm password warning.
* [x] Browse to https://example.com/webmail, log in with `user` and `password`
* [x] `echo new-password > /srv/example.com/mailboxes/user/password`, log out of webmail.
* [x] Confirm you cannot log in with old password.
* [x] Confirm you can log in with new password.
* [x] `sudo sympl-mail-encrypt-passwords --verbose`
* [x] Log out and back in again.
* [x] Send mail to a gmail address, confirm bounce/delivery.
* [x] `openssl genrsa -out /srv/example.com/config/dkim.key 2048 ; chmod 640 /srv/example.com/config/dkim.key ; chown admin:Debian-exim /srv/example.com/config/dkim.key ; touch /srv/example.com/config/dkim`
* [x] Send email again, check for DKIM record in bounce/delivery.
## Network
* [x] `ip a ; sympl-ip`, confirm IPs match.
* [x] `echo 10.111.234.56 > /srv/example.com/config/ip ; sudo sympl-configure-ips --verbose`, confirm new IP picked up.
* [x] `ip a ; sympl-ip`, confirm '10.111.234.56' now listed on both results.
* [x] `sudo iptables -L -n | grep -c ':1234'`, confirm result is 0.
* [x] `touch /etc/sympl/firewall/incoming.d/99-1234 ; sudo sympl-firewall`
* [x] `sudo iptables -L -n | grep -c ':1234'`, confirm result is 2.
* [x] `touch '/etc/sympl/firewall/blacklist.d/10.9.8.7|31' ; sudo sympl-firewall`
* [x] `sudo iptables -L -n | grep -c '10.9.8.6'`, confirm result is 1.
## MySQL / MariaDB & phpMyAdmin
* [x] `mysql -e 'show databases'`, confirm databases are listed.
* [x] Browse to http://example.com/phpmyadmin, confirm redirected to HTTPS.
* [x] `cat ~/mysql_password`, log in with user `sympl` and password.
* [x] Confirm no errors/warnings, database can be created.
## Monit
* [x] `sudo service apache2 stop ; sudo service apache2 status ; sudo sympl-monit ; sudo service apache2 status ;`, confirm apache is started again.Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/236mail: Exim - Warning: purging the environment.2019-06-24T14:24:24ZPaul Cammishmail: Exim - Warning: purging the environment.On starting exim reports:
`Warning: purging the environment.`
`use keep_environment`
IIRC this is a thing from Jessie, so may have turned up again (or just not been fixed).On starting exim reports:
`Warning: purging the environment.`
`use keep_environment`
IIRC this is a thing from Jessie, so may have turned up again (or just not been fixed).Sympl v10.0 (for Debian Buster)Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/235mail: Dovecot config entries obsoleted.2019-06-24T14:12:23ZPaul Cammishmail: Dovecot config entries obsoleted.```
ssl_protocols -> ssl_min_protocol
ssl_dh_parameters_length -> x
```
Possibly some others, so worth checking against a plain config.```
ssl_protocols -> ssl_min_protocol
ssl_dh_parameters_length -> x
```
Possibly some others, so worth checking against a plain config.Sympl v10.0 (for Debian Buster)Paul CammishPaul Cammish