Playing with Debian 12 - some issues???

Discussion in 'ISPConfig 3 Priority Support' started by craig baker, Oct 16, 2023.

  1. craig baker

    craig baker Member HowtoForge Supporter

    I used the auto-installer and all apparently worked - but it says roundcube is installed - where is it put? and how to get into it?
    ns11.cdbsystems.com/webmail produces nothing :)
    and I've been looking at snappymail - a replacement for rainloop that seems to have expired. anyone have any experience?
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    You have an icon to access roundcube in the mailbox list (in each row), just click on it. Besides that, you can access RoundCube like this:

    https://ns11.cdbsystems.com:8081/webmail
     
  3. craig baker

    craig baker Member HowtoForge Supporter

    ok. there is no admin panel (like rainloop) just setup the email box and we are good to go?
    ever played with snappymail? (rainloop replacement).
    so far pretty nice debian 12. had to note that /etc/httpd is now /etc/apache2. I note snappymail has a debian installer; installed it. now when we do chown for these data files what's the debian version of www-data. still apache?
    as I noted deb12 has difference in installing googleauthenticator. ChallengeResponse has been replaced...
    so far... so good.
    I wiped and resetup server with --use-certbot so migtool should now work flawlessly?
    also - curious - why is acme.sh a thing anyway? is certbot bad in some sense?
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    There is no admin panel needed. You just login with your account details.

    The Apache user is www-data

    Yes, you can run it in dry_run mode as a test. There is also no license key needed for dry-run mode.

    Certbot was quite unstable for a long time, it changed the way it works and the way it can be installed multiple times, so it caused a lot of issues over time for us implementing it with switches for specific versions. In the end, the makers of certbot seem to have realized that they have so many issues with dependencies that certbot is now mostly installed via snap. While acme.sh is just a shell script, no dependency issues, and it has a stable set of command line options and it works well. Certbot is more stable nowadays, so it is fine to use it and we do support both clients.
     
  5. craig baker

    craig baker Member HowtoForge Supporter

    ok I'm trying migtool but it fails to talk to the other server:
    Code:
    2023-10-16 23:23:00 - [ERROR] Could not log in to api at https://ns11.cdbsystems.com/remote/ with user adminremote.
    2023-10-16 23:25:24 - [WARN] Curl exception: cURL error: [35] error:1408F10B:SSL routines:ssl3_get_record:wrong version number
    2023-10-16 23:25:24 - [ERROR] JSON API ERROR in API call (login): NO ACCESS
    2023-10-16 23:25:24 - [INFO] Trying again (login)
    2023-10-16 23:25:26 - [WARN] Curl exception: cURL error: [35] error:1408F10B:SSL routines:ssl3_get_record:wrong version number
    2023-10-16 23:25:26 - [ERROR] JSON API ERROR in API call (login): NO ACCESS
    2023-10-16 23:25:26 - [INFO] Trying again (login)
    2023-10-16 23:25:28 - [WARN] Curl exception: cURL error: [35] error:1408F10B:SSL routines:ssl3_get_record:wrong version number
    2023-10-16 23:25:28 - [ERROR] JSON API ERROR in API call (login): NO ACCESS
    2023-10-16 23:25:28 - [ERROR] API call to login failed.
    2023-10-16 23:25:28 - [ERROR] JSON API ERROR. Arguments sent were: array (
    
    any idea what's doing this? remote user and password absolutely correct!
    also, any reason I can't supply the ip address of the TARGET server - they are on the same local subnet. is it any faster?

    some extra info:
    root@ns11:/etc/apache2# ls sites-enabled
    000-apps.vhost 000-default.conf 000-ispconfig.conf 000-ispconfig.vhost 999-acme.conf
    root@ns11:/etc/apache2# ls sites-available
    000-default.conf acme.conf apps.vhost default-ssl.conf ispconfig.conf ispconfig.vhost
    root@ns11:/etc/apache2#

    should these not be the same? and why is acme present if we are using certbot?

    I also ran apache2ctl -S and get:
    Code:
    AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/apache2/sites-enabled/000-ispconfig.vhost:7
    VirtualHost configuration:
    *:8081                 ns11.cdbsystems.com (/etc/apache2/sites-enabled/000-apps.vhost:9)
    *:80                   ns11.cdbsystems.com (/etc/apache2/sites-enabled/000-default.conf:1)
    *:8080                 ns11.cdbsystems.com (/etc/apache2/sites-enabled/000-ispconfig.vhost:9)
    ServerRoot: "/etc/apache2"
    --etc
    
    so it lists NO hosts on 443?? hmm he says. a CLUE?
    well, I changed the url of target to https://ns11.cdbsystems.com:8080/remote
    and it seemed to proceed - so we needed 8080 it seems as there were no hosts on 443.

    but when I try to run migtool I get this error:
    Code:
    Now we transfer the key to the target server.
    /usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa_migration.pub"
    /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
    /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
    Someone could be eavesdropping on you right now (man-in-the-middle attack)!
    It is also possible that a host key has just been changed.
    The fingerprint for the ECDSA key sent by the remote host is
    SHA256:ViwZz5tOHD7URal3TrIiIYOGV/aForDgAaRZo0L3LHk.
    Please contact your system administrator.
    Add correct host key in /root/.ssh/known_hosts to get rid of this message.
    Offending ECDSA key in /root/.ssh/known_hosts:3
    Password authentication is disabled to avoid man-in-the-middle attacks.
    Keyboard-interactive authentication is disabled to avoid man-in-the-middle attacks.
    [email protected]: Permission denied (publickey,password,keyboard-interactive).
    What is the ip for the target web server to connect via SSH? [108.18.202.58]:
    
    and it just loops. I've permitted root login, and I've enabled keyboard-interactive authentication.
    but it never asks for a password, just fails. what's up?
     
    Last edited: Oct 17, 2023
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    You entered the wrong URL. The correct URL to the remote API is:

    https://ns11.cdbsystems.com:8080/remote/

    See Migration tutorial, the steps are explained there incl. example where you can see that ISPConfig GUI and remote API is on port 8080. https://www.howtoforge.com/tutorial...-confixx-plesk-to-ispconfig-31-single-server/

    The other thing is that ssh connections from old to new system must be working. ssh-copy-id (a standard Linux command from openssh package) must be able to copy over the ssh key for the migration to the new server. This works out of the box on new systems, so likely your manual reconfigurations for Google authenticator prevent it now that ssh from another Linux server fails. Take care to allow password authentication so ssh-copy-id can do its job and you might want to clear the /root/.ssh/known_hosts file or at least remove the false key mentioned by ssh.
     
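    The warning quoted a few posts up is the expected result of reinstalling the target: the old ns11 host key is still on line 3 of the source's known_hosts, and the freshly installed ns11 now presents a different one. The safe way to get past it is to confirm the new fingerprint on the target itself and then drop only the stale entry, rather than clearing the whole file and losing every other host's verified key. The script below is an added example written for this thread, not something from the Migration Tool or from either poster; the hostnames and the key strings in its usage comment and test are constructed, and the host key path assumes Debian's default /etc/ssh location.

```shell
#!/bin/sh
# Added example, not from the thread: handling the
# "REMOTE HOST IDENTIFICATION HAS CHANGED" warning after the target
# server was wiped and reinstalled (so its host key really did change).
# Trust the new key only after checking it, and drop only the stale
# known_hosts entry, not the whole file.

# Step 1 (run ON THE TARGET, from its console or an already trusted
# session): print the fingerprint of the host key the target now uses.
# It must equal the SHA256:... fingerprint in the warning; if it does
# not, stop, because something other than your reinstall is answering.
# Path assumes Debian's default sshd layout.
target_hostkey_fingerprint() {
    ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub
}

# Step 2 (run on the SOURCE): print a copy of a known_hosts file with
# every plain-text entry for one host removed. Matches "host",
# "host,ip,..." name lists and "[host]:port" forms. Hashed entries
# ("|1|...") cannot be matched this way; for those use
#   ssh-keygen -R "$host" -f ~/.ssh/known_hosts
strip_known_host() {
    host="$1"
    file="$2"
    awk -v h="$host" '
        /^#/ || NF < 3 { print; next }   # keep comments and blank lines
        {
            n = split($1, names, ",")     # first field may list several names
            keep = 1
            for (i = 1; i <= n; i++) {
                if (names[i] == h) keep = 0
                if (index(names[i], "[" h "]:") == 1) keep = 0
            }
            if (keep) print
        }' "$file"
}

# Typical use on the source, after step 1 matched (constructed hostname):
#   strip_known_host ns11.cdbsystems.com ~/.ssh/known_hosts > ~/.ssh/known_hosts.new \
#     && mv ~/.ssh/known_hosts.new ~/.ssh/known_hosts
# The next ssh to the target then prompts once to accept the verified key.
```

    Once the stale line is gone, ssh-copy-id gets its normal first-contact prompt instead of the refusal, and the "Password authentication is disabled to avoid man-in-the-middle attacks" lines disappear, because those are triggered by the key mismatch, not by sshd_config.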
  7. craig baker

    craig baker Member HowtoForge Supporter

    I did use the correct url but I've wiped the server and am redoing it WITHOUT google-authenticator.
    are you sure --use-certbot works? I did see the acme in the vhost folder!
    also - does migtool migrate things like contents of root folder? and the contents of the ftp download folders?
    and we can redo mail-only xfer to get the straggler emails that go to the old mx address after percolation starts?
    and as part of my bigger plan, when migration complete, I need to mysqlupdate all the ipaddresses in dns entries to the new server. and change all the ns10 NS record entries to ns11.
    I can do this on ns10 as well - then a resync on both servers? then all should work with all hundredplus sites being served by ns11.
    finally, the issue of all the registrars that list ns10 as a nameserver on the 200 or so domains. If I want to retire ns10 then either I have to manually change them all from ns10 to ns11 - OR I rename ns10 (on godaddy as a hostname) to the ns11 ip address.
    now all the ns10 references will point to ns11 ip address - but then I would need to change the ns11 NS records back to NS10 (or just dont change them to ns11 in the first place) - and change the hostname on ns11 to ns10 in ispconfig. but now the certs will have to be redone as they still point to ns11. what else would I need to do?
    advice?
     
  8. craig baker

    craig baker Member HowtoForge Supporter

    further developments - migtool is running. but I get
    ERROR API call to mail_mailinglist_add failed. check log.
    is this expected due to lack of Mailman?
    still chugging along....

    oh and it gives warning:
    Testing MySQL connection ... OK
    Testing target server's MySQL setting ...Warning
    Warning Your max_allowed_packet setting is < 128M (16M). DB import might fail.

    should it not have installed a bigger packet size when autoconfig installed mysql? and can I assume db import fail would give a nice big red error? or just not functioning as expected?

    oh I had to set PermitRootLogin to yes in sshd_config, that was why the original effort logins failed it seems...
    also I noted and have a small question - when did we quit chrooting BIND? thought that was a big thing a while ago?

    oh and btw migtool is pretty DAM awesome :)

    maybe I spoke too soon? we are seemingly hung at this line:
    [29/4297] Setting chmod in /var/www/clients/client0/web3/web to a+r (for .htaccess)

    surely that should not take 10 minutes?
    and grepping ps says rsync is not active.

    also, I cannot access https://ns11.cdbsystems.com:8080/webmail - says cert is no longer valid. and the cert you view says its for ns10? should we have overwritten the certs for ns11?
     
    Last edited: Oct 17, 2023
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    That's all ok.

    Just wait, the line you see there is likely not the one that's currently running. If there is no load on target system anymore, you can also try to press return, might be that the program finished but your shell is not showing that.

    Normally this should not happen as certbot cert paths contain the exact domain name.
     
  10. craig baker

    craig baker Member HowtoForge Supporter

    it's picked back up now on 450/4200 --- patience is a virtue.
    the webmail url still gives ns10.cdbsystems.com as its cert. why would this have been overridden?
    but ns11.cdbsystems.com:8080 gives the correct cert. only ns11.cdbsystems.com:8080/webmail claims its ns10!
     
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    Do you access webmail on port 8080 or 8081 ?
     
  12. craig baker

    craig baker Member HowtoForge Supporter

  13. till

    till Super Moderator Staff Member ISPConfig Developer

    The link behind the Icon is freely configurable, and you said port 8080 in an earlier post, that's why I asked, as port 8080 and 8081 are different vhosts. Please edit the apps.vhost file in /etc/apache2/sites-available/ and alter the paths of the SSL cert and key in that file to the paths used in the ispconfig.vhost file, then restart apache.
     
  14. craig baker

    craig baker Member HowtoForge Supporter

    hmm the apps.vhost and the ispconfig.vhost DO point to the same place:
    that's funny - termius control-shift-c does NOT copy text from vi under debian. it does under anything else!
    but nano works:
    Code:
    ######################################################
    # This virtual host contains the configuration
    # for the ISPConfig apps vhost
    ######################################################
    
    Listen 8081
    # NameVirtualHost *:8081
    
    <VirtualHost _default_:8081>
      ServerAdmin webmaster@localhost
    
      <Directory /var/www/apps>
        <FilesMatch "\.ph(p3?|tml)$">
          SetHandler None
        </FilesMatch>
      </Directory>
      # SSL Configuration
      SSLEngine On
      SSLProtocol All -SSLv3 -TLSv1 -TLSv1.1
      SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt
      SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key
      #SSLCACertificateFile /usr/local/ispconfig/interface/ssl/ispserver.bundle
    
    and now ispconfig.vhost

    Code:
    ######################################################
    # This virtual host contains the configuration
    # for the ISPConfig apps vhost
    ######################################################
    
    Listen 8081
    # NameVirtualHost *:8081
    <VirtualHost _default_:8081>
      ServerAdmin webmaster@localhost
      <Directory /var/www/apps>
        <FilesMatch "\.ph(p3?|tml)$">
          SetHandler None
        </FilesMatch>
      </Directory>
      # SSL Configuration
      SSLEngine On
      SSLProtocol All -SSLv3 -TLSv1 -TLSv1.1
      SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt
      SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key
      #SSLCACertificateFile /usr/local/ispconfig/interface/ssl/ispserver.bundle
    
    so the SSL paths - they are the same!

    and systemctl restart apache2 - same results from apache2ctl -S -
     
    Last edited: Oct 18, 2023
  15. till

    till Super Moderator Staff Member ISPConfig Developer

    That's what they should do indeed, I was wondering already how it should be possible that they show different certs. Maybe a caching issue in your browser or you route traffic differently or something like that. You can also try to check the cert files to see which domains they contain.
     
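    Till's suggestion to look at the cert files themselves is the decisive check: a browser can show a cached or differently routed session, but openssl reports what a port hands out right now. The script below is an added example for this thread, not code from ISPConfig or from either poster. It reads the subject CN and DNS subjectAltNames out of the ISPConfig cert file and out of the live certificate on 8080 and 8081, and reports whether they agree; it assumes an OpenSSL 1.1.1 or newer `openssl` binary (for `-ext` and `-addext`), and the hostnames in its usage comment and test are constructed. Pointed at port 443 on this server it prints nothing at all, since no vhost speaks TLS there, which is the same thing the cURL "wrong version number" error earlier in the thread was reporting.

```shell
#!/bin/sh
# Added example, not from the thread: read the names out of a
# certificate file and out of the certificate a port actually serves,
# so "which cert is on 8081?" is answered by openssl, not by a browser
# that may have cached an older connection.

# Names (subject CN plus every DNS subjectAltName) of a PEM cert on stdin.
pem_names() {
    openssl x509 -noout -subject -ext subjectAltName 2>/dev/null \
        | grep -oE 'CN *= *[^,/]*|DNS:[^, ]*' \
        | sed 's/^CN *= *//; s/^DNS://' \
        | sort -u
}

# Names in a certificate file, e.g. the ISPConfig one both vhosts reference:
#   cert_file_names /usr/local/ispconfig/interface/ssl/ispserver.crt
cert_file_names() {
    pem_names < "$1"
}

# Names in the leaf certificate a host serves on a port, using SNI.
# Prints nothing when the port does not speak TLS at all.
served_cert_names() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | pem_names
}

# Exit status 0 when the live certificate on a port carries exactly the
# names found in the certificate file.
port_matches_file() {
    [ "$(served_cert_names "$1" "$2")" = "$(cert_file_names "$3")" ]
}

# Usage (constructed hostname, real ISPConfig cert path):
#   sh check_certs.sh check ns11.cdbsystems.com /usr/local/ispconfig/interface/ssl/ispserver.crt
# Reports each ISPConfig port against the file the vhosts say they use.
if [ "${1:-}" = check ]; then
    for port in 8080 8081; do
        if port_matches_file "$2" "$port" "$3"; then
            echo "port $port serves the names in $3"
        else
            echo "port $port serves: $(served_cert_names "$2" "$port" | tr '\n' ' ')"
        fi
    done
fi
```

    If both ports agree with the file but the file itself names ns10, the file is what to fix (the forced update Till describes later regenerates it); if 8081 alone disagrees with the file, Apache is not loading the vhost you edited, and `apache2ctl -S` will show which file the *:8081 entry really comes from.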
  16. craig baker

    craig baker Member HowtoForge Supporter

    maybe migtool accidentally copies over the ns10 cert? otherwise how do you explain on a NEW WIPED SERVER - how it could possibly know about ns10 at all, it's had nothing to do with ns10!! looks like migtool is the only possible explanation?
    and ns11.cdbsystems.com:8080/webmail works fine - it's only ns11.cdbsystems.com:8081/webmail that has the bad cert
     
    Last edited: Oct 18, 2023
  17. till

    till Super Moderator Staff Member ISPConfig Developer

    I have used the Migration Tool many times myself, and it has been used on many other systems, and I have never seen that the ISPConfig cert has been overwritten, so I would say it's very unlikely. But I'll ask the developer of the tool if he thinks that this is possible at all. Plus, it's technically not possible that two vhosts on the same server that point to the exact same SSL cert show different certs and you have not checked the cert file I guess, so you don't even know if it's incorrect.

    Nonetheless, this can be fixed easily if the cert is wrong. Just run an ISPConfig update:

    ispconfig_update.sh --force

    choose to reconfigure services and let the tool create a new cert.
     
  18. craig baker

    craig baker Member HowtoForge Supporter

    I've used it too myself several times. but going to a brand new server? how would deb12 know ns10 ever existed??
     
  19. craig baker

    craig baker Member HowtoForge Supporter

    one other point - will bind/ispconfig act as a 'normal' backup dns? if ns10 has it in the 'also notify' list - will ns11 update its own dns records? or no? and if so do I need to tell ispconfig to accept such notifications?
     
  20. craig baker

    craig baker Member HowtoForge Supporter

    also I just installed nextcloud on deb12 and it complains that php memory limit is <512mb. Now php version gives us 8.2 and the doc says edit /etc/php/8.2/apache2/php.ini which does not exist (apache2 folder does not exist). do I need to create this file? we have under /etc/php/8.2 cli,fpm,cgi,mods-available, but no apache2!
    where do I need to alter memory_limit to make it happy?

    and just for the amusement is debian 12 fips compliant? inquiring minds!
     
    Last edited: Oct 19, 2023