Playing with Debian 12 - some issues???

Discussion in 'ISPConfig 3 Priority Support' started by craig baker, Oct 16, 2023.

  1. craig baker

    craig baker Member HowtoForge Supporter

    sorry, I meant to say we need to have certbot recreate ALL the certs after we have done the dns migration to the new server - so it will find the domains on ns11, not ns10. before we have done THAT process, certbot indeed cannot succeed. but after all domains are pointed to the new server, THEN we need to recreate all certs? or will the certs we copied over from the old server still be good?

    as far as the account problems -- i think I have the explanation. there is only ONE account on the old server. the 'ns11' account on the new server (ns11 is its name after all) must have been created by the auto-installer. (which knew nothing about ns10 of course) then the migration moved over the OLDER account during the LE certs move - but left the new one in place? seems this will always cause these errors, no? and if we delete the NEWER account, we need then to ispconfig_update.sh --force to have it create the certs for the new server, under the OLD LE account?
    so maybe... so maybe migration must be followed by some efforts to clean up the LE accounts?
    and I've read the LE FAQ several times. and again this morning :)

    one other question on the migration I will need to migrate emails over no doubt several times to catch stragglers after the dns-repointing. is there a way to have it to do the migration with all prior options (in this case mail ONLY) via command line so I can put it in a cron job?
     
    Last edited: Nov 18, 2023
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    That's why I asked you to remove the second account. And yes, it might be necessary to rerun an ispconfig update and let it recreate the cert.
     
  3. craig baker

    craig baker Member HowtoForge Supporter

    understand. my (small) point is that maybe the migration tutorial should point out that the multiple LE account issue WILL be a problem? I didnt see that discussed anywhere!
    or somehow ispconfig when it creates a cert needs to tell certbot which account to use? (presumably account is tied to the domain)?

    oh I found on the migration tool page ./migrate --syncjobs looks like it will get the stragglers for me!
    thanks again for a wonderful tool :) and DAMMIT I'm starting to like debian. now I just have to get rid of my reflex 'systemctl restart httpd' and replace by 'systemctl restart apache2'
     
    Last edited: Nov 18, 2023
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes, we will have to add some kind of multi account handling for certbot in ISPConfig.

    https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6608
     
  5. craig baker

    craig baker Member HowtoForge Supporter

    one other issue that I'm running into - and have for a long time - when I give ns10 or ns11 a LE cert via vhost that lets all webmail be handled securely (ns11.cdbsystems.com/rainloop or /roundcube) , and all mail where I tell them use ns10.xxx.com for the imap/smtp. but then when I move sites from ns10 to ns11 (for example here) all their imap/smtp would need to change on the users side (assuming I dont rejigger ns11 back to ns10 as I've been thinking).
    but many sites by definition (and ispconfig when we create a new dns record) - they automatically create a mail.domain.com MX record
    but there is no SSL created for mail.domain.com correct? in fact no obvious way to create one? so mail.domain.com cant really be used as imap/smtp on a site that demands ssl encryption?
    and if I check the cert on such a domain it returns a cert for a different domain so names don't match. how to solve?
    mail.domain.com does not return the SSL cert for domain.com. should that not have been created when the SSL boxes were ticked?
    domain.com and www.domain.com are included in the cert but not mail.domain.com. am I missing something? should not mail.domain.com be included automatically? do I have to add an aliasdomain or some such? I have read various threads in the forums telling the peeps to use mail.hostingdomain.com as the mail server to tell the users, but then why bother go create a different mail MX record at all? why not have all MX records be mail.ispconfigservername.com? of course then if you move ispconfigservername all these records would be invalidated. ... just thinking out loud!


    ALSO - AND IMPORTANT - ran into something REALLY REALLY weird. on my debian 12 server (ns11) I added ns11 as a vhost so that I could access ns11.cdbsystems.com without SSL error...... (it points to an old website of mine for 30 years ago). --- and I've just seen that when I log into ns11.cdbsystems.com:8080 ispconfig lists *NO* dns zones at all! not a single one!!
    wtf? they are all there under /etc/bind as I would expect but none are listed under ispconfig?
    I took the vhost back out but still no dns zones? where oh where have all my zones gone?
    now I have been doing a ./migrate --syncjobs from ns10 but that should not delete zones should it??
    bind is still responding properly, but why are all my zones now missing?
    Inquiring minds and all that. and STILL not a threatening thread name!
     
    Last edited: Nov 20, 2023
  6. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    See https://forum.howtoforge.com/threads/how-should-my-end-users-connect-to-my-e-mail-services.88472/
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    This can not even remove zones as no config is changed.

    Most likely, they are not missing. Maybe you just set a wrong filter in the zone list.
     
  8. craig baker

    craig baker Member HowtoForge Supporter

    thanks Th0m I also found this link addressing the first part of my question.
    but.... how come I have NO dns zones on the new server?? now THATS important :)
     
  9. craig baker

    craig baker Member HowtoForge Supporter

    Indeed till im VERY capable of doing this!
    Look at attached screenshot!
    your uploader only allows 1mb uploads:
    check out
    www.technomages.com/dnszones.jpg

    no filter of any kind!
    also, would you not like a domain name like linux-hq.com? rather nice I think :)
    cdb.
     
    Last edited: Nov 20, 2023
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    I heard the exact same thing many times in the past and in the end, it was a filter set ;)

    The resync you run is a shell script, it does not connect to ISPConfig API and is therefore not able to remove records in ISPConfig DB. Plus, all zone files in the bind directory would be gone as well if records were removed via API.

    There is no screenshot attached. But you should take a look into the dbispconfig database using phpmyadmin and check if there are records in dns_soa table or not.
     
  11. craig baker

    craig baker Member HowtoForge Supporter

    Ok i feel like an idiot - note to god-like ispconfig developer! strip whitespace from the zone, server, email and NS fields before doing the search LOL
    the link above was to the screenshot. but when I got home all is good. and I put a double space in the zone field and all the zones vanish!
    that must have happened as I was looking for a zone must have put a space in one of the fields inadvertently.

    cdb.
     
    Last edited: Nov 21, 2023
  12. craig baker

    craig baker Member HowtoForge Supporter

    One more thing (been watching columbo) will migrate -syncjobs propagate dns changes? So if i mass change ips with phpmyadmin then syncjobs does that update dns on the target?
    And after the phpmyadmin ip changes i have to do a sync in ispconfig to propagate the changes? Before or after the syncjobs? And on both servers or just the source?
     
  13. till

    till Super Moderator Staff Member ISPConfig Developer

    No, you do this with Tools > resync in ISPConfig. Syncjobs in Migration Tools is only to re-copy data (website files and database content), no config gets changed.
     
  14. craig baker

    craig baker Member HowtoForge Supporter

    data including mail I assume??
    I'm writing up a little tutorial on this server-change-process I see lots of others are asking the same question!

    1) do the ./migration process. this transfers all data to the new server.
    NOTE - you need to add --use-certbot if the ORIGINAL server used certbot for LE (like mine does) otherwise certs get hammered!
    In the case of migration cert failures, as I ran into. they are due to there now being TWO LE accounts - one from when the server was initially setup, and the other as a result of migration. You must DELETE the newer account (which invalidates the certs when you setup the new server) and then do
    ispconfig_update.sh --force
    and have it issue new SSL certs which then would all be in the original (now only) LE account.

    2) phpmyadmin change dns_rr and dns_soa records with:
    UPDATE dns_rr SET data = 'newip' WHERE data = 'oldip';
    and
    UPDATE dns_soa SET xfer = 'newip' WHERE xfer = 'oldip';
    (the latter when my xfer fields refer to the retiring server).

    This has to be done on BOTH servers since the new server has all the old ip addresses. and migrate -syncjobs does not
    copy over changed dns entries. (if you have been running it to 'update' the new server as I have)

    2) ispconfig-tools-resync to propagate everything. on old server. OLD SERVER ONLY. Not needed on new server.
    At this point wait a bit for propagation to take place.
    3) IF REPLACING OLD SERVER we need to change new server hostname to old host name.
    this is in /etc/hosts
    /etc/hostname
    also check /etc/resolv.conf

    4) REBOOT newserver,
    5) At registrar (godaddy in my case) where you have your 'extra' hostnames listed (for private name servers).
    In my case I had ns10 (old server) and ns11 (new server).
    Change Old server IP (ns10 in my case) to the NewIp.
    Also add a NEW Oldhostname (say ns10x) with the OLDip address.
    Now all the registrar dns entries will NOT have to be changed and http/etc access to oldserver will be directed to newserver.

    6) one final (or maybe more than one) migrate --syncjobs (TO CATCH STRAGGLING EMAILS THAT WENT TO OLD SERVER IP address)
    But now ./migrate has to have new parameters as we are migrating not from oldhostname to newhostname, but from new-oldhostname (ns10x in my case) to oldhostname (which now points to the NEW server).

    after stragglers stop (till can we do JUST mail and know when it has not seen anything new?)

    have I missed anything?? I'll try clean it up so where is is a suitable tutorial for you.
    Version 1 - both hosts on same internal network (then we can use internal ip addresses)
    version 2 - hosts on different networks.
    ps get my question? would you not love to have the linux-hq.com domain? (its mine by the way)
     
    Last edited: Nov 24, 2023
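
The duplicate Let's Encrypt account problem discussed in this thread can be checked before and after the account cleanup. The script below is an added example, not code from ISPConfig, certbot or any poster here; it assumes certbot's default directory layout, the function names are hypothetical, and the sample tree and account IDs are constructed.

```shell
#!/bin/sh
# Added example (not ISPConfig or certbot code). Assumes certbot's default layout:
#   <dir>/accounts/<acme-server>/directory/<account-id>/
#   <dir>/renewal/<cert-name>.conf containing "account = <account-id>"

# Account IDs registered under a certbot config dir, one per line.
le_accounts() {
    find "${1:-/etc/letsencrypt}/accounts" -mindepth 3 -maxdepth 3 -type d 2>/dev/null |
        sed 's|.*/||' | sort -u
}

# "<cert-name> <account-id>" for every renewal config.
le_cert_accounts() {
    for conf in "${1:-/etc/letsencrypt}"/renewal/*.conf; do
        [ -f "$conf" ] || continue
        printf '%s %s\n' "$(basename "$conf" .conf)" \
            "$(sed -n 's/^account *= *//p' "$conf" | head -n 1)"
    done
}

# Findings: more than one account, or a cert tied to an account that is gone.
le_account_findings() {
    dir="${1:-/etc/letsencrypt}"
    n=$(( $(le_accounts "$dir" | wc -l) ))
    [ "$n" -gt 1 ] && echo "multiple-accounts $n"
    le_cert_accounts "$dir" | while read -r name acct; do
        le_accounts "$dir" | grep -qx -- "$acct" || echo "orphan-cert $name $acct"
    done
    return 0
}

# Constructed sample tree: one migrated account and one created on the new server.
le_demo_tree() {
    d=$(mktemp -d)
    for a in oldacct-constructed newacct-constructed; do
        mkdir -p "$d/accounts/acme-v02.api.letsencrypt.org/directory/$a"
    done
    mkdir -p "$d/renewal"
    echo "account = oldacct-constructed" > "$d/renewal/example.test.conf"
    echo "account = newacct-constructed" > "$d/renewal/ns11.example.test.conf"
    echo "$d"
}

# Demo run on the constructed tree; on a real server call le_account_findings
# with no argument to inspect /etc/letsencrypt.
t=$(le_demo_tree)
le_account_findings "$t"
rm -rf "$t"
```

An `orphan-cert` line after deleting an account marks a certificate whose renewal config still points at the removed account, which is the case where the certificate has to be issued again.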
  15. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes, all data.
     
  16. till

    till Super Moderator Staff Member ISPConfig Developer

    Thank you for the offer. I have already too many domains I guess :)
     
    Th0m likes this.
  17. craig baker

    craig baker Member HowtoForge Supporter

    do my instructions look good? miss anything?
    also on deb12 any plans to incorporate mailman3? or phplist? or any other newsletter system?
     
    Last edited: Nov 24, 2023
  18. craig baker

    craig baker Member HowtoForge Supporter

  19. till

    till Super Moderator Staff Member ISPConfig Developer

    So, it works exactly as it should as https://[serverhostname]:8081/phpmyadmin is the URL to access phpmyadmin on an ISPConfig server.

    So the SSL cert of the apps vhost is wrong on that system. The apps vhost points to the central ISPConfig SSL cert of the system.
     
  20. till

    till Super Moderator Staff Member ISPConfig Developer

    Btw. the URL to phpmyadmin is configurable under system > interface > main config. The same as webmail.
     
