Sympl issueshttps://gitlab.com/sympl.io/sympl/-/issues2019-06-26T14:59:50Zhttps://gitlab.com/sympl.io/sympl/-/issues/242sympl-mail-dovecot-sni should use ssl.bundle rather than ssl.crt2019-06-26T14:59:50ZPaul Cammishsympl-mail-dovecot-sni should use ssl.bundle rather than ssl.crtAs is, it provides the cert, but not the bundle, meaning the chain is broken.
It's worth investigating of the exim sni configuration has the same issue also.As is, it provides the cert, but not the bundle, meaning the chain is broken.
It's worth investigating of the exim sni configuration has the same issue also.Sympl v9.0 (for Debian Stretch)Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/243Buster: zz-mass-hosting doesn't appear to work.2019-08-16T17:54:56ZPaul CammishBuster: zz-mass-hosting doesn't appear to work.On boot, it's sending traffic to /var/www/html, and then after reconfiguring it seems to be only sending traffic to /srv/$localhost/public/htdocs.
It may be due to changes in the newer Apache breaking dynamic vhost configurations in gen...On boot, it's sending traffic to /var/www/html, and then after reconfiguring it seems to be only sending traffic to /srv/$localhost/public/htdocs.
It may be due to changes in the newer Apache breaking dynamic vhost configurations in general, or something else like the custom module not working right any more.Backloghttps://gitlab.com/sympl.io/sympl/-/issues/244Incorrect permissions on dkim selector file2019-06-28T16:43:46ZPaul CammishIncorrect permissions on dkim selector fileMy dkim selector file is currently owned by sympl:sympl, with permissions set to 660.
I received the following error in my logs overnight:
2019-06-27 06:39:42 1hgN8H-0005FM-Rw failed to expand dkim_selector: failed to open /srv/gentlys...My dkim selector file is currently owned by sympl:sympl, with permissions set to 660.
I received the following error in my logs overnight:
2019-06-27 06:39:42 1hgN8H-0005FM-Rw failed to expand dkim_selector: failed to open /srv/gentlysympl.gentlyhosting.uk/config/dkim: Permission denied (euid=105 egid=109)
What should the permissions / ownership be set to? The uid / gid referred to in the error are both Debian-exim. Can sympl automatically adjust these permissions if a specific set are required?Sympl v9.0 (for Debian Stretch)Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/245Job Failed #83802019-07-02T16:38:11ZPaul CammishJob Failed #8380This is breaking phpMyAdmin, which should be split into a separate config as it's being retired.
Job [#8380](https://gitlab.mythic-beasts.com/sympl/sympl/-/jobs/8380) failed for 477a89553e5662f5d77f15a5ba1739cdb60ebbf8:This is breaking phpMyAdmin, which should be split into a separate config as it's being retired.
Job [#8380](https://gitlab.mythic-beasts.com/sympl/sympl/-/jobs/8380) failed for 477a89553e5662f5d77f15a5ba1739cdb60ebbf8:Sympl v9.0 (for Debian Stretch)Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/246Roundcube unable to send mail in Buster.2019-07-02T16:38:13ZPaul CammishRoundcube unable to send mail in Buster.Needs confirming if this is affecting Stretch also.Needs confirming if this is affecting Stretch also.Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/248sympl-mail: Debian-exim user should be added to sympl group.2019-07-02T16:36:27ZPaul Cammishsympl-mail: Debian-exim user should be added to sympl group.As is, the Debian-exim user already has access to the ssl-certs and other things, so giving it access to the config directory shouldn't be a problem now things are properly partitioned and will allow users to still configure things via S...As is, the Debian-exim user already has access to the ssl-certs and other things, so giving it access to the config directory shouldn't be a problem now things are properly partitioned and will allow users to still configure things via SFTP.
`sympl-filesystem-security` will need adjusting for this also.Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/249sympl-ssl - IPv6 Only DNS Resolution2021-02-12T18:08:30ZPaul Cammishsympl-ssl - IPv6 Only DNS ResolutionDNS resolution times out in IPv6 Only environment when contacting Let's Encrypt.
This is due to the resolver assuming theres an IPv4 address, and binding to that for replies.
A workaround is to add the relevant host to /etc/hosts befor...DNS resolution times out in IPv6 Only environment when contacting Let's Encrypt.
This is due to the resolver assuming theres an IPv4 address, and binding to that for replies.
A workaround is to add the relevant host to /etc/hosts before running.Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/250Apache config template changes from Buster need to be backported to Stretch2019-07-06T19:10:34ZPaul CammishApache config template changes from Buster need to be backported to StretchIn progress: !77In progress: !77Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/251Dovecot doesn't reload after cert changes if config hasn't changed.2019-07-07T00:28:05ZPaul CammishDovecot doesn't reload after cert changes if config hasn't changed.In the situation where no new domains are created, but SSL certs update automatically, Dovecot would eventually expire the cached certs, so a reload is needed, as well as a check for when there are literally no certs (ie: first cert atte...In the situation where no new domains are created, but SSL certs update automatically, Dovecot would eventually expire the cached certs, so a reload is needed, as well as a check for when there are literally no certs (ie: first cert attempt fails).
In progress: sympl/sympl!76Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/252GitLab CI Improvements2019-07-09T18:44:33ZPaul CammishGitLab CI ImprovementsWhat should be happening is the runner should strategically install the previous version (if it exists) from the relevant public repo, then install the version from the local repo. Instead, theres a common race condition meaning the publ...What should be happening is the runner should strategically install the previous version (if it exists) from the relevant public repo, then install the version from the local repo. Instead, theres a common race condition meaning the public versions are the same as the newly pushed versions.
We should also have separate upgrade tests from the stable and the testing branches, so we can be certain that we won't break stable before deploying, but we can also pre-download the dependency packages needed in the images to save time and bandwidth, negating the need for a separate image.
* [x] Versions older than the local repo installed for upgrade tests.
* [x] Upgrade tests for stable and testing.
* [x] Pre-downloaded packages in clean install.
* [x] CI tidyup, ideally both major branches from the same version.
* [x] Tests for mangled changelog entries in the build CIFuture PlansPaul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/253sympl-test: Race condition with certificate testing2021-02-12T18:08:31ZPaul Cammishsympl-test: Race condition with certificate testingIt looks like on occasion a self-signed cert is being created, but being tested before it's valid.
Job [#9899](https://gitlab.mythic-beasts.com/sympl/sympl/-/jobs/9899) failed for 80f6dd1c78f1401f5980105fc948fa74a2f01759:
```
=========...It looks like on occasion a self-signed cert is being created, but being tested before it's valid.
Job [#9899](https://gitlab.mythic-beasts.com/sympl/sympl/-/jobs/9899) failed for 80f6dd1c78f1401f5980105fc948fa74a2f01759:
```
===============================================================================
Failure:
Exception raised:
OpenSSL::X509::CertificateError(<Not valid for rcyexz5q3p.test -- certificate is not yet valid (9)>)
test_ssl_verify_with_root_ca(SSLTest)
/etc/sympl/test.d/tc_ssl.rb:562:in `test_ssl_verify_with_root_ca'
559: #
560: assert_nothing_raised{ @domain.ssl_x509_certificate_file = @domain.directory+"/config/ssl.combined" }
561: assert_nothing_raised{ @domain.ssl_key_file = @domain.directory+"/config/ssl.combined" }
=> 562: assert_nothing_raised{ @domain.ssl_verify(@domain.ssl_x509_certificate, @domain.ssl_key, @domain.ssl_certificate_store, true) }
563: end
564:
565: def test_ssl_verify_with_intermediate_ca
===============================================================================
```https://gitlab.com/sympl.io/sympl/-/issues/254sympl-firewall: iptables email warning (buster)2019-08-16T17:51:06ZPaul Cammishsympl-firewall: iptables email warning (buster)It appears with the change to iptables-nft, wanring are being generated about iptables-legacy having rules (although they appear to be empty).It appears with the change to iptables-nft, wanring are being generated about iptables-legacy having rules (although they appear to be empty).Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/255sympl-web-rotate-logs doesnt work2019-07-09T19:27:36ZPaul Cammishsympl-web-rotate-logs doesnt workThis is due to it dropping permissions which is incompatible with the new security permissions system.
As it normally only ever runs as root, this isn't needed, and also means log rotation never happens properly as it's only telling the...This is due to it dropping permissions which is incompatible with the new security permissions system.
As it normally only ever runs as root, this isn't needed, and also means log rotation never happens properly as it's only telling the logger processes to reload, not Apache.Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/256sympl-firewall: Failed to acquire lock on /var/lock/sympl-firewall.lock2019-07-17T15:47:39ZPaul Cammishsympl-firewall: Failed to acquire lock on /var/lock/sympl-firewall.lockJob [#11106](https://gitlab.mythic-beasts.com/sympl/sympl/-/jobs/11106) failed for 89b35a9928e5c77aa5ea832fb4a0e851cc3cd601:
```
+ symbiosis-firewall --verbose
sympl-firewall: Failed to acquire lock on /var/lock/sympl-firewall.lock: No ...Job [#11106](https://gitlab.mythic-beasts.com/sympl/sympl/-/jobs/11106) failed for 89b35a9928e5c77aa5ea832fb4a0e851cc3cd601:
```
+ symbiosis-firewall --verbose
sympl-firewall: Failed to acquire lock on /var/lock/sympl-firewall.lock: No locks available - Unable to acquire lock -- Resource temporarily unavailable
run-parts: autotest/test.d/50-test-cli exited with return code 1
ERROR: Job failed: Process exited with: 1. Reason was: ()
```
This is the testing job accidentally aligning with a scheduled run - it's only a few seconds of window, but it happens more often than I'd like.https://gitlab.com/sympl.io/sympl/-/issues/257Sympl should automatically update it's configuration near-instantly2020-01-28T13:33:20ZPaul CammishSympl should automatically update it's configuration near-instantlyWhen changes are made, typically it can take up to an hour to a day for everything to have run.
It would be nice if Sympl used [incrond](https://linux.die.net/man/8/incrond) (currently used by sympl-firewall) to detect changes to the co...When changes are made, typically it can take up to an hour to a day for everything to have run.
It would be nice if Sympl used [incrond](https://linux.die.net/man/8/incrond) (currently used by sympl-firewall) to detect changes to the configuration and update as needed, adding to incrond's config where needed as domains are added/removed.
This would make configuration practically instant, so would need some kind of logging/admin notification so you can see what's actually going on.Future Planshttps://gitlab.com/sympl.io/sympl/-/issues/258Occasional short-term failures reported by monitoring2019-07-31T17:52:47ZPaul CammishOccasional short-term failures reported by monitoringRecently received the following report from the automatic monitoring. It resolved itself a few minutes later.
[paste_1093477.txt](/uploads/b13f16c409a7c2c5791a95e3d7601585/paste_1093477.txt)
I've seen similar short-term failures a coup...Recently received the following report from the automatic monitoring. It resolved itself a few minutes later.
[paste_1093477.txt](/uploads/b13f16c409a7c2c5791a95e3d7601585/paste_1093477.txt)
I've seen similar short-term failures a couple of timeshttps://gitlab.com/sympl.io/sympl/-/issues/259Running backups manually seems to cause issues2019-08-19T07:25:08ZPaul CammishRunning backups manually seems to cause issuesIt appears that running backups manually as the `sympl` user will cause the sympl-sqldump script to fail (as it's not running as root), possibly causing later backups to fail as a dump was started but not completed.
Sympl should probabl...It appears that running backups manually as the `sympl` user will cause the sympl-sqldump script to fail (as it's not running as root), possibly causing later backups to fail as a dump was started but not completed.
Sympl should probably check for a generic user with full mysql access rather than just root (or the root or Sympl user), and/or automatically use the `--force` flag when triggering backups.Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/260Extra content in /root/.ssh/authorized_keys is copied also2019-08-16T12:20:27ZPaul CammishExtra content in /root/.ssh/authorized_keys is copied alsoIn the event `/root/.ssh/authorized_keys` contains other content (such as a "command=" entry for the key [ref](https://forum.sympl.host/t/dont-login-as-root-warning/39)), then the Sympl user will be similarly restricted on first logging ...In the event `/root/.ssh/authorized_keys` contains other content (such as a "command=" entry for the key [ref](https://forum.sympl.host/t/dont-login-as-root-warning/39)), then the Sympl user will be similarly restricted on first logging in.
Not necessarily a bug, but we may want to think about excluding these entries or handling them differently.https://gitlab.com/sympl.io/sympl/-/issues/261sympl-ssl fails in NAT64 environments with IPv4 addresses2019-09-17T13:45:19ZPaul Cammishsympl-ssl fails in NAT64 environments with IPv4 addressesThis is due to the old Ruby library being used, which defaults to IPv4.
A workaround exists for this, which adds an entry to the hosts file, but fails to detect NAT64 setups.This is due to the old Ruby library being used, which defaults to IPv4.
A workaround exists for this, which adds an entry to the hosts file, but fails to detect NAT64 setups.Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/262sympl-firewall v10.0 uses iptables-legacy2019-08-16T17:52:37ZPaul Cammishsympl-firewall v10.0 uses iptables-legacyBuster has migrated to nftables, so Sympl should move in that direction also.
It's mostly compatible at the moment, however it does throw warnings when using the now default `iptables` in Buster.
Workround in sympl/sympl!124 to swap to...Buster has migrated to nftables, so Sympl should move in that direction also.
It's mostly compatible at the moment, however it does throw warnings when using the now default `iptables` in Buster.
Workround in sympl/sympl!124 to swap to `iptables-legacy`, but this should be investigated futher.