Playing with Debian 12 - some issues???

Discussion in 'ISPConfig 3 Priority Support' started by craig baker, Oct 16, 2023.

  1. craig baker

    craig baker Member HowtoForge Supporter

    yes! though ispconfig was updated, there was no entry for 'DKIM-selector'. change it to default, saved it, and migration proceeding!
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    An ISPConfig update will not change existing settings of websites, email domains or DNS.
     
  3. craig baker

    craig baker Member HowtoForge Supporter

    just noticed that i'm getting a warning that max_allowed_packet is 16m on the target server (deb12) and the import may fail!
    turns out on deb12 you have that variable in /etc/mysql/mariadb.conf.d/50-server.conf
    might be nice to have the autoinstaller bump that number up so that we don't have to go hunting!
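The max_allowed_packet warning above is the kind of thing a migration pre-check can catch before the import starts. The script below is an added example, not part of the ISPConfig autoinstaller or the Migration Tool: it parses a MariaDB server config fragment in the style of Debian's /etc/mysql/mariadb.conf.d/50-server.cnf (the file the post refers to), reports the effective max_allowed_packet in bytes, compares it against the size the import needs, and shows the same fragment with the setting raised. The config excerpt and the 64M requirement are constructed for the example; MariaDB's compiled-in default of 16M is assumed when the key is absent.

```python
"""Check and raise max_allowed_packet in a MariaDB config fragment.

Added example (not ISPConfig/Migration Tool code). Assumes the Debian
layout where the server section is [mysqld] and sizes may carry K/M/G
suffixes, as MariaDB accepts them.
"""
import re

SIZE_SUFFIX = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}
MARIADB_DEFAULT = 16 * 1024 ** 2  # assumed server default when the key is unset

# Constructed excerpt in the style of 50-server.cnf; not the poster's file.
SAMPLE_CONF = """\
# constructed sample, not a real server file
[server]

[mysqld]
user                    = mysql
bind-address            = 127.0.0.1
max_allowed_packet      = 16M   # too small for a large ISPConfig DB import

[embedded]
"""


def parse_size(value):
    """Turn '16M', '512k', '1G' or a plain byte count into an int."""
    m = re.fullmatch(r"\s*(\d+)\s*([KMGkmg]?)\s*", value)
    if not m:
        raise ValueError(f"unrecognised size value: {value!r}")
    return int(m.group(1)) * SIZE_SUFFIX[m.group(2).upper()]


def find_max_allowed_packet(conf_text, section="mysqld"):
    """Return max_allowed_packet (bytes) set in [mysqld], or None if unset.
    Later occurrences override earlier ones, as the server applies them."""
    current, found = None, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("["):
            current = line.strip("[]").strip()
            continue
        if current != section or "=" not in line:
            continue
        key, _, val = line.partition("=")
        if key.strip().replace("-", "_") == "max_allowed_packet":
            found = parse_size(val)
    return found


def check_import_ready(conf_text, needed_bytes, default=MARIADB_DEFAULT):
    """(ok, effective_bytes): ok is False when the import would exceed the limit."""
    effective = find_max_allowed_packet(conf_text)
    if effective is None:
        effective = default
    return effective >= needed_bytes, effective


def set_max_allowed_packet(conf_text, new_value, section="mysqld"):
    """Return the config text with max_allowed_packet replaced in [mysqld],
    or inserted directly under the [mysqld] header if it was absent."""
    out, current, replaced = [], None, False
    for line in conf_text.splitlines():
        stripped = line.split("#", 1)[0].strip()
        if stripped.startswith("["):
            current = stripped.strip("[]").strip()
        elif current == section and "=" in stripped:
            key = stripped.partition("=")[0].strip().replace("-", "_")
            if key == "max_allowed_packet":
                line = f"max_allowed_packet      = {new_value}"
                replaced = True
        out.append(line)
    if not replaced:
        header = f"[{section}]"
        idx = next((i for i, l in enumerate(out) if l.strip() == header), None)
        if idx is None:            # no [mysqld] section at all: append one
            out += [header]
            idx = len(out) - 1
        out.insert(idx + 1, f"max_allowed_packet      = {new_value}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    needed = 64 * 1024 ** 2  # constructed requirement for the sample import
    ok, have = check_import_ready(SAMPLE_CONF, needed)
    print(f"max_allowed_packet = {have} bytes, import of {needed} bytes ok: {ok}")
    if not ok:
        print(set_max_allowed_packet(SAMPLE_CONF, "128M"))
```

Run it against the real file with `check_import_ready(open("/etc/mysql/mariadb.conf.d/50-server.cnf").read(), size_of_dump)`; the value only takes effect after a MariaDB restart, and the same limit applies on the client side of the import (`mysql --max_allowed_packet=...`).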
     
  4. craig baker

    craig baker Member HowtoForge Supporter

    further poking around I notice the syslog (not messages anymore :() contains lines like:
    Code:
    2023-11-16T03:02:41.182468-05:00 ns11 named[205026]: network unreachable resolving 'zen.spamhaus.org/NS/IN': 2400:cb00:2049:1::a29f:1823#53
    2400:cb00:2049:1::a29f:191b#53
    2023-11-16T03:02:41.205876-05:00 ns11 named[205026]: network unreachable resolving '127.zen.spamhaus.org/NS/IN': 2001:19f0:6401:1496:da7c:2e:b904:61fa#53
    2023-11-16T03:02:41.237220-05:00 ns11 named[205026]: network unreachable resolving '1.0.0.127.zen.spamhaus.org/A/IN': 2001:4800:1da0:107:e0:86a0:d7:98c4#53
    these seem to be all related to ipv6? from what I can tell verizon fios is not providing me with an ipv6 address.
    so these are all ignorable? any way to determine if I actually CAN get a static ipv6 to go with my static ipv4?
    and if not should I not turn OFF ipv6 in deb12? if so how?
    thanks. enjoying debian so far... some wrinkles.
    cdb.
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    Remove zen.spamhaus.org blacklist under System > server config mail.
     
  6. craig baker

    craig baker Member HowtoForge Supporter

    one more little thing after migration on ns11.cdbsystems.com - I no longer have a valid LE cert (not for 8080, for 443). on the ns10.cdbsystems.com we had the 000local as I remember that pointed to a website (my almost 40 year old cdbsystems.com - check THAT out for some fine 40 year old website design! LOL) -but it comes up with a good cert. the LE cert associated with ns11.cdbsystems.com refers to another site entirely! not a big thing but I wanted to check out roundcube and ns11.cdbsystems.com/roundcube SHOULD pull up the site on the new server - but now it gives unreachable site due to wrong SSL.
    also I assume I can just add /rainloop under the roundcube.conf file as folks are using rainloop which seemingly has been abandoned!
     
  7. craig baker

    craig baker Member HowtoForge Supporter

    dont I want to just disable ipv6? surely I still want it for ipv4? that site is just fine...
     
  8. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Internet Search Engines with
    Code:
     turn OFF ipv6 in deb12?
    find instructions.
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

  10. craig baker

    craig baker Member HowtoForge Supporter

    yes taleman I had already googled the debian-ipv6 disable seems there are a number of methods. though you might have a preference!
    I'll take out spamhaus. used them for many years they used to be good!
    anyone to put in its place? it's the only RBL listed under server>config>mail
     
  11. craig baker

    craig baker Member HowtoForge Supporter

    just noticed on my new shiny debian 12 server (that I'm transferring to) that I registered a new domain (potomaccharter.com) but LE fails - boxes stay checked!
    we are using certbot (since the migration had --use-certbot)
    in /var/log/letsencrypt/letsencrypt.log we find:
    Code:
    2023-11-17 17:39:02,033:DEBUG:certbot._internal.main:certbot version: 2.1.0
    2023-11-17 17:39:02,033:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/bin/certbot
    2023-11-17 17:39:02,033:DEBUG:certbot._internal.main:Arguments: ['--domains', 'potomaccharter.com', '--domains', 'www.potomaccharter.com']
    2023-11-17 17:39:02,033:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
    2023-11-17 17:39:02,038:DEBUG:certbot._internal.log:Root logging level set at 30
    2023-11-17 17:39:02,097:WARNING:certbot._internal.cert_manager:Renewal configuration file /etc/letsencrypt/renewal/pinnaclehealthcaredmv.com-0001.conf produced an unexpected error: renewal config file {} is missing a required file reference. Skipping.
    2023-11-17 17:39:02,098:DEBUG:certbot._internal.cert_manager:Traceback was:
    Traceback (most recent call last):
      File "/usr/lib/python3/dist-packages/certbot/_internal/cert_manager.py", line 85, in certificates
        renewal_candidate = storage.RenewableCert(renewal_file, config)
                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/usr/lib/python3/dist-packages/certbot/_internal/storage.py", line 485, in __init__
        raise errors.CertStorageError(
    certbot.errors.CertStorageError: renewal config file {} is missing a required file reference
    
    2023-11-17 17:39:02,100:WARNING:certbot._internal.cert_manager:Renewal configuration file /etc/letsencrypt/renewal/pinnaclehealthcaredmv.com.conf produced an unexpected error: renewal config file {} is missing a required file reference. Skipping.
    2023-11-17 17:39:02,100:DEBUG:certbot._internal.cert_manager:Traceback was:
    Traceback (most recent call last):
      File "/usr/lib/python3/dist-packages/certbot/_internal/cert_manager.py", line 85, in certificates
        renewal_candidate = storage.RenewableCert(renewal_file, config)
                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/usr/lib/python3/dist-packages/certbot/_internal/storage.py", line 485, in __init__
        raise errors.CertStorageError(
    certbot.errors.CertStorageError: renewal config file {} is missing a required file reference
    
    2023-11-17 17:39:02,176:DEBUG:certbot._internal.display.obj:Notifying user: Found the following matching certs:
    
    
    The following renewal configurations were invalid:
      /etc/letsencrypt/renewal/pinnaclehealthcaredmv.com-0001.conf
    
    what do you think is going on? need to get this straightened out :)
    did the migration fail in some subtle way?
     
    Last edited: Nov 18, 2023
  12. till

    till Super Moderator Staff Member ISPConfig Developer

    There seems to be an issue in a config file that has likely come from the old server, this prevents certbot from working. It is the file for
    pinnaclehealthcaredmv.com (/etc/letsencrypt/renewal/pinnaclehealthcaredmv.com-0001.conf) that has a syntax error. This syntax problem is an issue in some older certbot versions, so it's basically an issue that happened on the old server and now affects the new system as the certs have been migrated over. Either you take a look into the /etc/letsencrypt/renewal/pinnaclehealthcaredmv.com-0001.conf file, compare it with the file from another domain and add the missing line. But the above is most likely just a warning, so my guess is you did not post the whole certbot log until the end as there have likely been more lines about the domain pinnaclehealthcaredmv.com in the log file after the lines you posted.
     
  13. craig baker

    craig baker Member HowtoForge Supporter

    well I eliminated all the pinnacle health files (I can just recheck the create SSL I assume).
    From the later run for potomaccharter (which also failed):
    Code:
    2023-11-18 07:27:01,830:DEBUG:certbot._internal.main:certbot version: 2.1.0
    2023-11-18 07:27:01,830:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/bin/certbot
    2023-11-18 07:27:01,830:DEBUG:certbot._internal.main:Arguments: ['-n', '--text', '--agree-tos', '--cert-name', 'potomaccharter.com', '--authenticator', 'webroot', '--server', 'https://acme-v02.api.letsencrypt.org/directory', '--rsa-key-size', '4096', '--email', '[email protected]', '--webroot-map', '{"potomaccharter.com":"\\/usr\\/local\\/ispconfig\\/interface\\/acme","www.potomaccharter.com":"\\/usr\\/local\\/ispconfig\\/interface\\/acme"}']
    2023-11-18 07:27:01,830:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
    2023-11-18 07:27:01,836:DEBUG:certbot._internal.log:Root logging level set at 30
    2023-11-18 07:27:01,836:DEBUG:certbot._internal.plugins.selection:Requested authenticator webroot and installer None
    2023-11-18 07:27:01,836:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * webroot
    Description: Place files in webroot directory
    Interfaces: Authenticator, Plugin
    Entry point: webroot = certbot._internal.plugins.webroot:Authenticator
    Initialized: <certbot._internal.plugins.webroot.Authenticator object at 0x7fd3c73a3390>
    Prep: True
    2023-11-18 07:27:01,837:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot._internal.plugins.webroot.Authenticator object at 0x7fd3c73a3390> and installer None
    2023-11-18 07:27:01,837:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator webroot, Installer None
    2023-11-18 07:27:02,208:DEBUG:certbot._internal.log:Exiting abnormally:
    Traceback (most recent call last):
      File "/usr/bin/certbot", line 33, in <module>
        sys.exit(load_entry_point('certbot==2.1.0', 'console_scripts', 'certbot')())
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/usr/lib/python3/dist-packages/certbot/main.py", line 19, in main
        return internal_main.main(cli_args)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1736, in main
        return config.func(config, plugins)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1572, in certonly
        le_client = _init_le_client(config, auth, installer)
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 827, in _init_le_client
        acc, acme = _determine_account(config)
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 725, in _determine_account
        potential_acc = display_ops.choose_account(accounts)
                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/usr/lib/python3/dist-packages/certbot/display/ops.py", line 86, in choose_account
        code, index = display_util.menu("Please choose an account", labels, force_interactive=True)
                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/usr/lib/python3/dist-packages/certbot/display/util.py", line 80, in menu
        return obj.get_display().menu(message, choices, default=default, cli_flag=cli_flag,
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/usr/lib/python3/dist-packages/certbot/_internal/display/obj.py", line 470, in menu
        raise self._interaction_fail(message, cli_flag, "Choices: " + repr(choices))
    certbot.errors.MissingCommandlineFlag: Missing command line flag or config entry for this setting:
    Please choose an account
    Choices: ['ns9.cdbsystems.com@2018-03-09T14:07:50Z (6476)', 'ns11.cdbsystems.com@2023-11-16T00:55:27Z (9bf0)']
    2023-11-18 07:27:02,239:ERROR:certbot._internal.log:Missing command line flag or config entry for this setting:
    Please choose an account
    Choices: ['ns9.cdbsystems.com@2018-03-09T14:07:50Z (6476)', 'ns11.cdbsystems.com@2023-11-16T00:55:27Z (9bf0)']
    2023-11-18 07:27:02,579:DEBUG:certbot._internal.main:certbot version: 2.1.0
    2023-11-18 07:27:02,579:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/bin/certbot
    2023-11-18 07:27:02,579:DEBUG:certbot._internal.main:Arguments: ['--domains', 'potomaccharter.com', '--domains', 'www.potomaccharter.com']
    2023-11-18 07:27:02,579:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
    2023-11-18 07:27:02,585:DEBUG:certbot._internal.log:Root logging level set at 30
    2023-11-18 07:27:02,723:DEBUG:certbot._internal.display.obj:Notifying user: Found the following matching certs:
    
    so it seems it gets confused and wants CLI input which is not provided?
    now this is on the new server, so any dns resolutions (either here or on the old server) will all point back to old server, so certbot should have access to all sites. potomac ONLY exists on the new server...
     
  14. till

    till Super Moderator Staff Member ISPConfig Developer

    The problem is that you have two certbot accounts at the moment, you'll have to delete one of the accounts (the new one) so that you have just a single account.
     
  15. craig baker

    craig baker Member HowtoForge Supporter

    further information - the files /etc/letsencrypt/renewal/pinnaclehealth*.conf (there were 3 of them) - 2 were zero length and those were the files it complained about initially. I deleted the zero length files and those errors disappeared.
    but it still seems to want an account to be chosen (ns9 or ns11) and how do we do that?
    under /etc/letsencrypt/accounts we have:
    Code:
    root@ns11:/etc/letsencrypt/accounts# ls -al
    total 16
    drwx------ 4 root root 4096 Nov 9 2021 .
    drwxr-xr-x 9 root root 4096 Nov 18 07:49 ..
    drwx------ 3 root root 4096 Mar 9 2018 acme-v01.api.letsencrypt.org
    drwx------ 3 root root 4096 Nov 9 2021 acme-v02.api.letsencrypt.org
    so seems they have both been there on the original server for years! how could certbot work on the OLD server?
    the /accounts folder on the old server has both these entries as well!
    and which do we delete? 2021?
    further info - I moved the v02 folder to /root/saveacme and now the cert seems saved for potomaccharter. but how about all the other certs? how many others might be affected?
    can I force certbot to recreate ALL certs to ensure they are all correct?
     
    Last edited: Nov 18, 2023
  16. till

    till Super Moderator Staff Member ISPConfig Developer

    As I said, you must delete one of the accounts so your system keeps using the same account used on your old server.


    These are not the two accounts. These are folders for v1 and v2 API version. Look into each of these folders to see the two accounts.
     
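The two-account situation till describes (posts 14 and 16), together with the zero-length renewal files from post 15, can be spotted with a quick audit of /etc/letsencrypt after a migration, before certbot fails with "Please choose an account". The script below is an added example and is not ISPConfig's or certbot's own code. It assumes certbot's usual on-disk layout (accounts/<acme-server>/directory/<account-id>/regr.json, and renewal/<name>.conf with cert, privkey, chain and fullchain lines above the [renewalparams] section), and builds a constructed sample tree in a temporary directory whose account ids and registration URIs are invented placeholders.

```python
"""Audit a certbot config directory for duplicate ACME accounts and
renewal configs certbot would skip.

Added example, not ISPConfig's or certbot's code. Layout assumptions:
  accounts/<acme-server>/directory/<account-id>/regr.json
  renewal/<name>.conf  (top-level cert/privkey/chain/fullchain refs)
"""
import json
import os
import tempfile

REQUIRED_REFS = ("cert", "privkey", "chain", "fullchain")


def list_accounts(le_dir):
    """[(acme_server, account_id, registration_uri)] for every regr.json.
    Two ids under the same acme-v02 server are what makes certbot ask
    interactively which account to use."""
    found = []
    acc_root = os.path.join(le_dir, "accounts")
    if not os.path.isdir(acc_root):
        return found
    for server in sorted(os.listdir(acc_root)):
        dir_path = os.path.join(acc_root, server, "directory")
        if not os.path.isdir(dir_path):
            continue
        for acc_id in sorted(os.listdir(dir_path)):
            regr = os.path.join(dir_path, acc_id, "regr.json")
            if not os.path.isfile(regr):
                continue
            with open(regr, encoding="utf-8") as fh:
                uri = json.load(fh).get("uri", "")
            found.append((server, acc_id, uri))
    return found


def duplicate_account_servers(accounts):
    """{acme_server: [account_ids]} for servers holding more than one account."""
    per_server = {}
    for server, acc_id, _ in accounts:
        per_server.setdefault(server, []).append(acc_id)
    return {s: ids for s, ids in per_server.items() if len(ids) > 1}


def check_renewal_configs(le_dir):
    """{conf_name: problem} for renewal configs certbot reports as
    'missing a required file reference': zero-length files and files
    lacking one of the cert/privkey/chain/fullchain lines."""
    problems = {}
    ren_root = os.path.join(le_dir, "renewal")
    if not os.path.isdir(ren_root):
        return problems
    for name in sorted(os.listdir(ren_root)):
        if not name.endswith(".conf"):
            continue
        path = os.path.join(ren_root, name)
        if os.path.getsize(path) == 0:
            problems[name] = "zero-length file"
            continue
        keys = set()
        with open(path, encoding="utf-8") as fh:
            for line in fh:
                line = line.strip()
                if line.startswith("["):   # file refs end at [renewalparams]
                    break
                if "=" in line:
                    keys.add(line.split("=", 1)[0].strip())
        missing = [k for k in REQUIRED_REFS if k not in keys]
        if missing:
            problems[name] = "missing " + ", ".join(missing)
    return problems


def build_sample_tree(root):
    """Constructed sample mirroring the thread: one v01 account, two v02
    accounts, one good renewal conf, one empty, one missing 'fullchain'.
    Account ids and URIs are invented placeholders."""
    def write(rel, text):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
    v1 = "accounts/acme-v01.api.letsencrypt.org/directory/"
    v2 = "accounts/acme-v02.api.letsencrypt.org/directory/"
    write(v1 + "old0001/regr.json", json.dumps({"uri": "https://acme.invalid/acct/1"}))
    write(v2 + "old0001/regr.json", json.dumps({"uri": "https://acme.invalid/acct/1"}))
    write(v2 + "new0002/regr.json", json.dumps({"uri": "https://acme.invalid/acct/2"}))
    good = ("archive_dir = /etc/letsencrypt/archive/good.example\n"
            "cert = /etc/letsencrypt/live/good.example/cert.pem\n"
            "privkey = /etc/letsencrypt/live/good.example/privkey.pem\n"
            "chain = /etc/letsencrypt/live/good.example/chain.pem\n"
            "fullchain = /etc/letsencrypt/live/good.example/fullchain.pem\n"
            "[renewalparams]\nauthenticator = webroot\n")
    write("renewal/good.example.conf", good)
    write("renewal/empty.example.conf", "")
    write("renewal/partial.example.conf",
          good.replace("fullchain = /etc/letsencrypt/live/good.example/fullchain.pem\n", ""))
    return root


def audit_sample():
    """Build the constructed tree in a temp dir and audit it."""
    sample = build_sample_tree(tempfile.mkdtemp())
    accounts = list_accounts(sample)
    return accounts, duplicate_account_servers(accounts), check_renewal_configs(sample)


if __name__ == "__main__":
    accounts, dups, problems = audit_sample()
    for server, acc_id, uri in accounts:
        print(f"account {acc_id} on {server}: {uri}")
    print("servers with more than one account:", dups)
    print("renewal configs certbot would skip:", problems)
```

Pointing `list_accounts` and `check_renewal_configs` at the real `/etc/letsencrypt` gives the same two answers till asked for: which account ids exist under acme-v02 (so the newer one can be moved aside, keeping the one the old server used), and which renewal files are empty or incomplete.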
  17. craig baker

    craig baker Member HowtoForge Supporter

    ok I moved the v02 folder back.
    ok in the v02 directory one account points to the v01 directory. I'm assuming that's the older one, so I moved the other account# to my /root/saveacme folder.
    potomaccharter saves ssl just fine, but now pinnaclehealth will NOT save an SSL and puts nothing in the /var/log/letsencrypt log? very odd. no messages AT all. it's like it has no idea pinnaclehealth exists?
    but surely unchecking the boxes, saving and rechecking and saving should recreate the SSL? or at least post something to the logs?
    any way to force certbot to just reissue EVERYTHING to sync up?
     
    Last edited: Nov 18, 2023
  18. till

    till Super Moderator Staff Member ISPConfig Developer

    You can not issue or reissue Let's encrypt certs for a domain that does not point to the server yet. ISPConfig tests if the domain points to the right system, and if not, then certbot is not invoked as certbot would do the exact same test and the cert would fail and eventually use up your LE limits. I recommend having a look at the Let's encrypt error FAQ post here in the forum, it lists in detail all prerequisites for LE certs like the one I just mentioned.
     
    Last edited: Nov 18, 2023
  19. craig baker

    craig baker Member HowtoForge Supporter

    I thought it was just necessary for pinnacle to be REACHABLE (which it is) for the cert to be issued. on the old server I'll repoint pinnacle to ns11 see if that then works... and it's not sufficient I assume to just change the A records on NS11 (as NS10 is still the name server).
    thanks!
    so no way to tell certbot through Ispconfig to just recreate EVERYTHING?
     
  20. till

    till Super Moderator Staff Member ISPConfig Developer

    This is not ISPConfig related. Certbot will not issue a domain if it can not reach the domain and all subdomains on the system where the certbot command is run on port 80. So certbot tries to connect to the domain where a cert is requested for and tries to reach a token that the certbot command issued on that server and if this token is not there, e.g. because the domain points to a different server with its A record, then the cert will not get issued. Plus, it makes no sense to reissue all certs anyway as you requested as it makes no sense to reissue valid certs and it would just lock you out from let's encrypt very likely, so better not try to do that.

    If you are sure that the domain and all its subdomains point correctly to the new server, then follow the Let's encrypt error FAQ step-by-step to find out why: https://forum.howtoforge.com/threads/lets-encrypt-error-faq.74179/ But I'm sure you know that post as any thread with issues about Let's encrypt points to that post as it covers all possible failures that can occur and how to detect them.
     
    Last edited: Nov 18, 2023
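The pre-check till describes, ISPConfig confirming that a domain and its subdomains point at the server before certbot is invoked, exists to keep a stale A record (pinnacle still pointing at the old ns10 during the migration) from burning failed HTTP-01 validations against the Let's Encrypt rate limit. The function below is an added example of that check, not ISPConfig's own code. The resolver is injected so the example runs offline against a constructed lookup table with placeholder addresses; for real use, `live_resolver` does an ordinary getaddrinfo lookup and `server_ips` would be the addresses configured on the server.

```python
"""Pre-flight DNS check before requesting a Let's Encrypt certificate.

Added example (not ISPConfig code). For every name on the request it asks
whether the name resolves, and whether all of its addresses belong to this
server; only then would an HTTP-01 token placed here be reachable.
"""
import socket

# Constructed lookup table with documentation-range addresses; it stands in
# for the thread's situation (potomac only on the new server, pinnacle still
# pointing at the old one) and is not real DNS data.
CONSTRUCTED_DNS = {
    "potomaccharter.com": ["203.0.113.11"],
    "www.potomaccharter.com": ["203.0.113.11"],
    "pinnaclehealthcaredmv.com": ["203.0.113.10"],
    "www.pinnaclehealthcaredmv.com": ["203.0.113.10"],
}


def table_resolver(table):
    """Resolver closure over a dict, for offline use and tests."""
    def resolve(name):
        return list(table.get(name, []))
    return resolve


def live_resolver(name):
    """Real lookup for production use: every A/AAAA address for the name,
    or [] when the name does not resolve."""
    try:
        infos = socket.getaddrinfo(name, 80, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def precheck(domain, server_ips, resolve, subdomains=("www",)):
    """Return (ok, report). report maps each checked name to 'ok',
    'unresolvable', or 'points-to:<addresses not belonging to this server>'.
    A name counts as ok only if *all* its addresses are ours: if any address
    belongs to another host, the CA may fetch the token from there."""
    names = [domain] + [f"{sub}.{domain}" for sub in subdomains]
    ours = set(server_ips)
    report = {}
    for name in names:
        addrs = set(resolve(name))
        if not addrs:
            report[name] = "unresolvable"
        elif addrs <= ours:
            report[name] = "ok"
        else:
            report[name] = "points-to:" + ",".join(sorted(addrs - ours))
    return all(v == "ok" for v in report.values()), report


if __name__ == "__main__":
    new_server = ["203.0.113.11"]          # placeholder for ns11's address
    lookup = table_resolver(CONSTRUCTED_DNS)
    for dom in ("potomaccharter.com", "pinnaclehealthcaredmv.com"):
        ok, report = precheck(dom, new_server, lookup)
        print(dom, "-> request cert" if ok else "-> skip certbot", report)
```

Only when `ok` is True is it worth running certbot; for a name reported as `points-to:` the fix is the A record (at whichever DNS server is authoritative, ns10 in the thread), not a re-issue.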
