diff --git a/Linux-Servers.md b/Linux-Servers.md index 6eb43cc..1a98d88 100644 --- a/Linux-Servers.md +++ b/Linux-Servers.md 
@@ -108,3 +108,316 @@ Change the SSL certificate setup so that future renewals will work. If not already done by completing the task before, repair the SSL connection so that "kipurchat.creature-go.com" can be used again. + + +## Updates + +Okay, updates were done long ago because this is just an experimental server. +Good idea to run updates first. + +I am running Terminal commands as root and I prefer "apt" instead of "apt-get". +Snap is not acceptable and will not be installed on the server. + +Both Debian linux and Virtualmin are outdated. Which one to update first? + +Please provide the Terminal commands again taking into account these preferences. + + + +## What I did to update and certificate renewal attempt + +I did to these steps to update: + +### Update Debian packages + +In a terminal I did run + +``` +apt update +apt upgrade +``` + +I do not want to upgrade the full distribution because it is Debian 12 +which is really good enough. Any distro upgrade is a risk so when unnecessary +I won't do it. Therefore, I did not run the other Terminal commands you proposed. + +I did see that webmin was upgraded during apt upgrade, too. +After rebooting the server, a previously warning in Virtualmin that the +Virtualmin version is outdated was not showing up anymore. +Therefore, I skipped Phase 2: Update Virtualmin. + +### Certificate repair attempt + +First I tried the renewal via the Virtualmin page but it failed: +" +Web-based validation failed : +Saving debug log to /var/log/letsencrypt/letsencrypt.log +Renewing an existing certificate for kipurchat.creature-go.com +An unexpected error occurred: +AttributeError: can't set attribute +Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details. 
+ DNS-based validation failed : +Saving debug log to /var/log/letsencrypt/letsencrypt.log +Renewing an existing certificate for kipurchat.creature-go.com +An unexpected error occurred: +AttributeError: can't set attribute +Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details. +" + +Then I tried in a terminal, I did run this without success (likely because not waiting a moment after the previous attempt): + +``` +root@sv005 ~ # certbot renew --force-renewal --cert-name kipurchat.creature-go.com +Saving debug log to /var/log/letsencrypt/letsencrypt.log + +- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +Processing /etc/letsencrypt/renewal/kipurchat.creature-go.com.conf +- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +Renewing an existing certificate for kipurchat.creature-go.com +Failed to renew certificate kipurchat.creature-go.com with error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Your account is temporarily prevented from requesting certificates for kipurchat.creature-go.com and possibly others. Please visit: https://portal.letsencrypt.org/sfe/v1/unpause?jwt=eyJhbGciOiJIUzI1NiJ9.eyJhdWQiOiJTRkUgVW5wYXVzZSIsImV4cCI6MTc3NDcwMTE1OCwiaWF0IjoxNzczNDkxNTU4LCJpZGVudGlmaWVycyI6ImtpcHVyY2hhdC5jcmVhdHVyZS1nby5jb20iLCJpc3MiOiJXRkUiLCJzdWIiOiIyMjc5MDc3MTg2IiwidmVyc2lvbiI6InYxIn0.0bSnk4-HuXVnUWJb-ck7aVJCPo9UaZf1xCMsQ9791ZU + +- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +All renewals failed. The following certificates could not be renewed: + /etc/letsencrypt/live/kipurchat.creature-go.com/fullchain.pem (failure) +- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +1 renew failure(s), 0 parse failure(s) +Ask for help or search for solutions at https://community.letsencrypt.org. 
See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details. +root@sv005 ~ # +``` + +So looks like we still have the "AttributeError: can't set attribute" problem. + + + +## Certbot version + +My certbot version is too old, I have bookworm-backports enabled but the apt install did not work: + +``` +root@sv005 ~ # certbot --version +certbot 2.1.0 +root@sv005 ~ # grep -r "backports" /etc/apt/sources.list /etc/apt/sources.list.d/ +/etc/apt/sources.list:# deb http://deb.debian.org/debian bookworm-backports main contrib non-free-firmware +/etc/apt/sources.list:# deb-src http://deb.debian.org/debian bookworm-backports main contrib non-free-firmware +root@sv005 ~ # apt install -t bookworm-backports certbot python3-certbot python3-acme +Reading package lists... Done +E: The value 'bookworm-backports' is invalid for APT::Default-Release as such a release is not available in the sources +``` + +What should I do now? + + +Enabled backports but certbot version cannot be updated: +``` +root@sv005 ~ # apt install -t bookworm-backports certbot python3-certbot python3-acme +Reading package lists... Done +Building dependency tree... Done +Reading state information... Done +certbot is already the newest version (2.1.0-4). +certbot set to manually installed. +python3-certbot is already the newest version (2.1.0-4). +python3-certbot set to manually installed. +python3-acme is already the newest version (2.1.0-1). +python3-acme set to manually installed. +The following packages were automatically installed and are no longer required: + libclamav11 linux-image-6.1.0-35-amd64 +Use 'apt autoremove' to remove them. +0 upgraded, 0 newly installed, 0 to remove and 54 not upgraded. +``` + + +Enough - I will update to Trixie. + + + +While performing "apt full-upgrade" the connection was lost. +After a while I rebooted the server and tried to run +"apt full-upgrade" again. 
I had to fix an issue but now there are errors: + +``` +root@sv005 ~ # apt full-upgrade +E: dpkg was interrupted, you must manually run 'dpkg --configure -a' to correct the problem. +root@sv005 ~ # dpkg --configure -a +Setting up libc-l10n (2.41-12+deb13u2) ... +dpkg: dependency problems prevent configuration of locales: + locales depends on libc-bin (>> 2.41); however: + Version of libc-bin on system is 2.36-9+deb12u13. + +dpkg: error processing package locales (--configure): + dependency problems - leaving unconfigured +Setting up libc6:amd64 (2.41-12+deb13u2) ... +Checking for services that may need to be restarted... +Checking init scripts... + +Restarting services possibly affected by the upgrade: + webmin: restarting...done. + saslauthd: restarting...done. + postfix: restarting...done. + ssh: restarting...done. + cron: restarting...done. + atd: restarting...done. + +Services restarted successfully. +Setting up libc-dev-bin (2.41-12+deb13u2) ... +Setting up libc-devtools (2.41-12+deb13u2) ... +Processing triggers for man-db (2.11.2-2) ... +dpkg: dependency problems prevent processing triggers for libc-bin: + libc-bin depends on libc6 (<< 2.37); however: + Version of libc6:amd64 on system is 2.41-12+deb13u2. + +dpkg: error processing package libc-bin (--configure): + dependency problems - leaving triggers unprocessed +Errors were encountered while processing: + locales + libc-bin +root@sv005 ~ # +``` + +How to proceed? + + +1. did not trigger an error but asks me this: +``` +root@sv005 ~ # certbot certonly --webroot -w /home/admincg/domains/kipurchat.creature-go.com/public_html -d kipurchat.creature-go.com +Saving debug log to /var/log/letsencrypt/letsencrypt.log + +- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +An RSA certificate named kipurchat.creature-go.com already exists. Do you want +to update its key type to ECDSA? 
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +(U)pdate key type/(K)eep existing key type: +``` + + +I unpaused on Let's Encrypt page and retried but got an error: +``` +root@sv005 ~ # certbot certonly --webroot -w /home/admincg/domains/kipurchat.creature-go.com/public_html -d kipurchat.creature-go.com +Saving debug log to /var/log/letsencrypt/letsencrypt.log + +- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +An RSA certificate named kipurchat.creature-go.com already exists. Do you want +to update its key type to ECDSA? +- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +(U)pdate key type/(K)eep existing key type: U +Renewing an existing certificate for kipurchat.creature-go.com + +Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems: + Domain: kipurchat.creature-go.com + Type: unauthorized + Detail: 65.108.193.31: Invalid response from https://kipurchat.creature-go.com/.well-known/acme-challenge/51dsdhWws4UEpTuZGIyeFXbYU8J2DpeKFQuACHvcTzA: 503 + +Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet. + +Some challenges have failed. +Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details. +``` + +On the Virtualmin page it failed, too. But certificate type still was RSA. +I changed to ECC and requested a new certificate but it failed: +" +Request Certificate +In domain kipurchat.creature-go.com +Requesting a certificate for kipurchat.creature-go.com from Let's Encrypt .. +.. 
request failed : Web-based validation failed : +Saving debug log to /var/log/letsencrypt/letsencrypt.log +Renewing an existing certificate for kipurchat.creature-go.com + +Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems: + Domain: kipurchat.creature-go.com + Type: unauthorized + Detail: 65.108.193.31: Invalid response from https://kipurchat.creature-go.com/.well-known/acme-challenge/-c7GdKxe8NtwulzVb8gYjF0WoMc9TVomdqJi_RA8ILU: 503 + +Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet. + +Some challenges have failed. +Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details. + DNS-based validation failed : +Saving debug log to /var/log/letsencrypt/letsencrypt.log +Renewing an existing certificate for kipurchat.creature-go.com + +Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems: + Domain: kipurchat.creature-go.com + Type: dns + Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.kipurchat.creature-go.com - check that a DNS record exists for this domain + +Hint: The Certificate Authority failed to verify the DNS TXT records created by the --manual-auth-hook. Ensure that this hook is functioning correctly and that it waits a sufficient duration of time for DNS propagation. Refer to "certbot --help manual" and the Certbot User Guide. + +Some challenges have failed. +Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details. 
+" + + + +The Step 1 test does not work: +``` +root@sv005 ~ # mkdir -p /home/admincg/domains/kipurchat.creature-go.com/public_html/.well-known/acme-challenge/ +root@sv005 ~ # echo "Success" > /home/admincg/domains/kipurchat.creature-go.com/public_html/.well-known/acme-challenge/test +root@sv005 ~ # ls +Maildir backups virtualmin-install.log virtualmin-install.log.1 work +root@sv005 ~ # cd work +root@sv005 ~/work # ls -alhrt +total 12K +drwxr-xr-x 3 root root 4.0K Oct 24 16:05 . +drwxr-xr-x 2 root root 4.0K Oct 24 19:21 wireguard-setup +drwx------ 11 root root 4.0K Jan 9 14:49 .. +root@sv005 ~/work # curl -IL http://kipurchat.creature-go.com/.well-known/acme-challenge/test +HTTP/1.1 301 Moved Permanently +Date: Sat, 14 Mar 2026 20:58:36 GMT +Server: Apache +Location: https://kipurchat.creature-go.com/.well-known/acme-challenge/test +Content-Type: text/html; charset=iso-8859-1 + +curl: (60) SSL certificate problem: certificate has expired +More details here: https://curl.se/docs/sslcerts.html + +curl failed to verify the legitimacy of the server and therefore could not +establish a secure connection to it. To learn more about this situation and +how to fix it, please visit the webpage mentioned above. +``` + + + +Okay, after modifying +/etc/apache2/sites-available/kipurchat.creature-go.com.conf +according your instructions and restarting Apache +the certbot repair was successful: +``` +root@sv005 ~/work # certbot certonly --webroot -w /home/admincg/domains/kipurchat.creature-go.com/public_html -d kipurchat.creature-go.com +Saving debug log to /var/log/letsencrypt/letsencrypt.log + +- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +An RSA certificate named kipurchat.creature-go.com already exists. Do you want +to update its key type to ECDSA? 
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +(U)pdate key type/(K)eep existing key type: U +Renewing an existing certificate for kipurchat.creature-go.com + +Successfully received certificate. +Certificate is saved at: /etc/letsencrypt/live/kipurchat.creature-go.com/fullchain.pem +Key is saved at: /etc/letsencrypt/live/kipurchat.creature-go.com/privkey.pem +This certificate expires on 2026-06-12. +These files will be updated when the certificate renews. +Certbot has set up a scheduled task to automatically renew this certificate in the background. + +- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +If you like Certbot, please consider supporting our work by: + * Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate + * Donating to EFF: https://eff.org/donate-le +- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +``` + +But the webpage at kipurchat.creature-go.com still shows the same error and +Virtualmin still shows a not-working SSL Certificate. How to fix this? + + + +Step 1 fails, I get the Error "Failed to install certificate : Certificate file /etc/letsencrypt/live/kipurchat.creature-go.com/fullchain.pem must be under the virtual server's home directory". + +Instead of running terminal commands and pointing Virtualmin to uncommon directories, wouldn't it be better to go the standard Virtualmin way: On tab "SSL Providers" Request Certificate ? +If this way would be better, which Certificate hash type should I select, +RSA or ECC? + + +Okay, after requesting a new certificate with ECC hash type the +kipurchat.creature-go.com has a valid certificate for https:// now. +
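Review bot: The pasted `certbot renew --force-renewal` output in the "Certificate repair attempt" section commits the full Let's Encrypt unpause URL, including its `jwt=eyJhbGci...` token, to the repository; that token is bound to the ACME account (the URL is what the portal accepts to unpause it), so redact it to a placeholder such as `https://portal.letsencrypt.org/sfe/v1/unpause?jwt=<REDACTED>` before merging, and treat the per-attempt challenge tokens in the `/.well-known/acme-challenge/...` URLs the same way. Two documentation gaps in the same hunk: the rateLimited pause appears right after repeated failed validations plus a `--force-renewal`, so the notes should mark that command as one not to retry in a loop; and the actual fix is never written down, since the entry only says the Apache vhost `/etc/apache2/sites-available/kipurchat.creature-go.com.conf` was modified "according your instructions" after the `curl -IL` test showed the challenge path being 301-redirected to HTTPS behind an expired certificate. Record the concrete vhost change and the final working path (ECC request via Virtualmin's "SSL Providers" tab) in a short "Resolution" paragraph so the next reader does not have to replay the failed attempts.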