From 0ffab7463806d3b3c1cd5d24d782ec7f30d78080 Mon Sep 17 00:00:00 2001
From: tlg
Date: Sun, 15 Mar 2026 13:44:31 +0100
Subject: [PATCH] Cleaned up Linux-Servers.md

---
 Linux-Servers.md | 313 -----------------------------------------------
 1 file changed, 313 deletions(-)

diff --git a/Linux-Servers.md b/Linux-Servers.md
index 1a98d88..6eb43cc 100644
--- a/Linux-Servers.md
+++ b/Linux-Servers.md
@@ -108,316 +108,3 @@ Change the SSL certificate setup so that future renewals will work. If not already done by completing the task before, repair the SSL connection so that "kipurchat.creature-go.com" can be used again. - - -## Updates - -Okay, updates were done long ago because this is just an experimental server. -Good idea to run updates first. - -I am running Terminal commands as root and I prefer "apt" instead of "apt-get". -Snap is not acceptable and will not be installed on the server. - -Both Debian linux and Virtualmin are outdated. Which one to update first? - -Please provide the Terminal commands again taking into account these preferences. - - - -## What I did to update and certificate renewal attempt - -I did to these steps to update: - -### Update Debian packages - -In a terminal I did run - -``` -apt update -apt upgrade -``` - -I do not want to upgrade the full distribution because it is Debian 12 -which is really good enough. Any distro upgrade is a risk so when unnecessary -I won't do it. Therefore, I did not run the other Terminal commands you proposed. - -I did see that webmin was upgraded during apt upgrade, too. -After rebooting the server, a previously warning in Virtualmin that the -Virtualmin version is outdated was not showing up anymore. -Therefore, I skipped Phase 2: Update Virtualmin. - -### Certificate repair attempt - -First I tried the renewal via the Virtualmin page but it failed: -" -Web-based validation failed : -Saving debug log to /var/log/letsencrypt/letsencrypt.log -Renewing an existing certificate for kipurchat.creature-go.com -An unexpected error occurred: -AttributeError: can't set attribute -Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details. 
- DNS-based validation failed : -Saving debug log to /var/log/letsencrypt/letsencrypt.log -Renewing an existing certificate for kipurchat.creature-go.com -An unexpected error occurred: -AttributeError: can't set attribute -Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details. -" - -Then I tried in a terminal, I did run this without success (likely because not waiting a moment after the previous attempt): - -``` -root@sv005 ~ # certbot renew --force-renewal --cert-name kipurchat.creature-go.com -Saving debug log to /var/log/letsencrypt/letsencrypt.log - -- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Processing /etc/letsencrypt/renewal/kipurchat.creature-go.com.conf -- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Renewing an existing certificate for kipurchat.creature-go.com -Failed to renew certificate kipurchat.creature-go.com with error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Your account is temporarily prevented from requesting certificates for kipurchat.creature-go.com and possibly others. Please visit: https://portal.letsencrypt.org/sfe/v1/unpause?jwt=eyJhbGciOiJIUzI1NiJ9.eyJhdWQiOiJTRkUgVW5wYXVzZSIsImV4cCI6MTc3NDcwMTE1OCwiaWF0IjoxNzczNDkxNTU4LCJpZGVudGlmaWVycyI6ImtpcHVyY2hhdC5jcmVhdHVyZS1nby5jb20iLCJpc3MiOiJXRkUiLCJzdWIiOiIyMjc5MDc3MTg2IiwidmVyc2lvbiI6InYxIn0.0bSnk4-HuXVnUWJb-ck7aVJCPo9UaZf1xCMsQ9791ZU - -- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -All renewals failed. The following certificates could not be renewed: - /etc/letsencrypt/live/kipurchat.creature-go.com/fullchain.pem (failure) -- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -1 renew failure(s), 0 parse failure(s) -Ask for help or search for solutions at https://community.letsencrypt.org. 
See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details. -root@sv005 ~ # -``` - -So looks like we still have the "AttributeError: can't set attribute" problem. - - - -## Certbot version - -My certbot version is too old, I have bookworm-backports enabled but the apt install did not work: - -``` -root@sv005 ~ # certbot --version -certbot 2.1.0 -root@sv005 ~ # grep -r "backports" /etc/apt/sources.list /etc/apt/sources.list.d/ -/etc/apt/sources.list:# deb http://deb.debian.org/debian bookworm-backports main contrib non-free-firmware -/etc/apt/sources.list:# deb-src http://deb.debian.org/debian bookworm-backports main contrib non-free-firmware -root@sv005 ~ # apt install -t bookworm-backports certbot python3-certbot python3-acme -Reading package lists... Done -E: The value 'bookworm-backports' is invalid for APT::Default-Release as such a release is not available in the sources -``` - -What should I do now? - - -Enabled backports but certbot version cannot be updated: -``` -root@sv005 ~ # apt install -t bookworm-backports certbot python3-certbot python3-acme -Reading package lists... Done -Building dependency tree... Done -Reading state information... Done -certbot is already the newest version (2.1.0-4). -certbot set to manually installed. -python3-certbot is already the newest version (2.1.0-4). -python3-certbot set to manually installed. -python3-acme is already the newest version (2.1.0-1). -python3-acme set to manually installed. -The following packages were automatically installed and are no longer required: - libclamav11 linux-image-6.1.0-35-amd64 -Use 'apt autoremove' to remove them. -0 upgraded, 0 newly installed, 0 to remove and 54 not upgraded. -``` - - -Enough - I will update to Trixie. - - - -While performing "apt full-upgrade" the connection was lost. -After a while I rebooted the server and tried to run -"apt full-upgrade" again. 
I had to fix an issue but now there are errors: - -``` -root@sv005 ~ # apt full-upgrade -E: dpkg was interrupted, you must manually run 'dpkg --configure -a' to correct the problem. -root@sv005 ~ # dpkg --configure -a -Setting up libc-l10n (2.41-12+deb13u2) ... -dpkg: dependency problems prevent configuration of locales: - locales depends on libc-bin (>> 2.41); however: - Version of libc-bin on system is 2.36-9+deb12u13. - -dpkg: error processing package locales (--configure): - dependency problems - leaving unconfigured -Setting up libc6:amd64 (2.41-12+deb13u2) ... -Checking for services that may need to be restarted... -Checking init scripts... - -Restarting services possibly affected by the upgrade: - webmin: restarting...done. - saslauthd: restarting...done. - postfix: restarting...done. - ssh: restarting...done. - cron: restarting...done. - atd: restarting...done. - -Services restarted successfully. -Setting up libc-dev-bin (2.41-12+deb13u2) ... -Setting up libc-devtools (2.41-12+deb13u2) ... -Processing triggers for man-db (2.11.2-2) ... -dpkg: dependency problems prevent processing triggers for libc-bin: - libc-bin depends on libc6 (<< 2.37); however: - Version of libc6:amd64 on system is 2.41-12+deb13u2. - -dpkg: error processing package libc-bin (--configure): - dependency problems - leaving triggers unprocessed -Errors were encountered while processing: - locales - libc-bin -root@sv005 ~ # -``` - -How to proceed? - - -1. did not trigger an error but asks me this: -``` -root@sv005 ~ # certbot certonly --webroot -w /home/admincg/domains/kipurchat.creature-go.com/public_html -d kipurchat.creature-go.com -Saving debug log to /var/log/letsencrypt/letsencrypt.log - -- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -An RSA certificate named kipurchat.creature-go.com already exists. Do you want -to update its key type to ECDSA? 
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -(U)pdate key type/(K)eep existing key type: -``` - - -I unpaused on Let's Encrypt page and retried but got an error: -``` -root@sv005 ~ # certbot certonly --webroot -w /home/admincg/domains/kipurchat.creature-go.com/public_html -d kipurchat.creature-go.com -Saving debug log to /var/log/letsencrypt/letsencrypt.log - -- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -An RSA certificate named kipurchat.creature-go.com already exists. Do you want -to update its key type to ECDSA? -- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -(U)pdate key type/(K)eep existing key type: U -Renewing an existing certificate for kipurchat.creature-go.com - -Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems: - Domain: kipurchat.creature-go.com - Type: unauthorized - Detail: 65.108.193.31: Invalid response from https://kipurchat.creature-go.com/.well-known/acme-challenge/51dsdhWws4UEpTuZGIyeFXbYU8J2DpeKFQuACHvcTzA: 503 - -Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet. - -Some challenges have failed. -Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details. -``` - -On the Virtualmin page it failed, too. But certificate type still was RSA. -I changed to ECC and requested a new certificate but it failed: -" -Request Certificate -In domain kipurchat.creature-go.com -Requesting a certificate for kipurchat.creature-go.com from Let's Encrypt .. -.. 
request failed : Web-based validation failed : -Saving debug log to /var/log/letsencrypt/letsencrypt.log -Renewing an existing certificate for kipurchat.creature-go.com - -Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems: - Domain: kipurchat.creature-go.com - Type: unauthorized - Detail: 65.108.193.31: Invalid response from https://kipurchat.creature-go.com/.well-known/acme-challenge/-c7GdKxe8NtwulzVb8gYjF0WoMc9TVomdqJi_RA8ILU: 503 - -Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet. - -Some challenges have failed. -Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details. - DNS-based validation failed : -Saving debug log to /var/log/letsencrypt/letsencrypt.log -Renewing an existing certificate for kipurchat.creature-go.com - -Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems: - Domain: kipurchat.creature-go.com - Type: dns - Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.kipurchat.creature-go.com - check that a DNS record exists for this domain - -Hint: The Certificate Authority failed to verify the DNS TXT records created by the --manual-auth-hook. Ensure that this hook is functioning correctly and that it waits a sufficient duration of time for DNS propagation. Refer to "certbot --help manual" and the Certbot User Guide. - -Some challenges have failed. -Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details. 
-" - - - -The Step 1 test does not work: -``` -root@sv005 ~ # mkdir -p /home/admincg/domains/kipurchat.creature-go.com/public_html/.well-known/acme-challenge/ -root@sv005 ~ # echo "Success" > /home/admincg/domains/kipurchat.creature-go.com/public_html/.well-known/acme-challenge/test -root@sv005 ~ # ls -Maildir backups virtualmin-install.log virtualmin-install.log.1 work -root@sv005 ~ # cd work -root@sv005 ~/work # ls -alhrt -total 12K -drwxr-xr-x 3 root root 4.0K Oct 24 16:05 . -drwxr-xr-x 2 root root 4.0K Oct 24 19:21 wireguard-setup -drwx------ 11 root root 4.0K Jan 9 14:49 .. -root@sv005 ~/work # curl -IL http://kipurchat.creature-go.com/.well-known/acme-challenge/test -HTTP/1.1 301 Moved Permanently -Date: Sat, 14 Mar 2026 20:58:36 GMT -Server: Apache -Location: https://kipurchat.creature-go.com/.well-known/acme-challenge/test -Content-Type: text/html; charset=iso-8859-1 - -curl: (60) SSL certificate problem: certificate has expired -More details here: https://curl.se/docs/sslcerts.html - -curl failed to verify the legitimacy of the server and therefore could not -establish a secure connection to it. To learn more about this situation and -how to fix it, please visit the webpage mentioned above. -``` - - - -Okay, after modifying -/etc/apache2/sites-available/kipurchat.creature-go.com.conf -according your instructions and restarting Apache -the certbot repair was successful: -``` -root@sv005 ~/work # certbot certonly --webroot -w /home/admincg/domains/kipurchat.creature-go.com/public_html -d kipurchat.creature-go.com -Saving debug log to /var/log/letsencrypt/letsencrypt.log - -- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -An RSA certificate named kipurchat.creature-go.com already exists. Do you want -to update its key type to ECDSA? 
-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -(U)pdate key type/(K)eep existing key type: U -Renewing an existing certificate for kipurchat.creature-go.com - -Successfully received certificate. -Certificate is saved at: /etc/letsencrypt/live/kipurchat.creature-go.com/fullchain.pem -Key is saved at: /etc/letsencrypt/live/kipurchat.creature-go.com/privkey.pem -This certificate expires on 2026-06-12. -These files will be updated when the certificate renews. -Certbot has set up a scheduled task to automatically renew this certificate in the background. - -- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -If you like Certbot, please consider supporting our work by: - * Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate - * Donating to EFF: https://eff.org/donate-le -- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -``` - -But the webpage at kipurchat.creature-go.com still shows the same error and -Virtualmin still shows a not-working SSL Certificate. How to fix this? - - - -Step 1 fails, I get the Error "Failed to install certificate : Certificate file /etc/letsencrypt/live/kipurchat.creature-go.com/fullchain.pem must be under the virtual server's home directory". - -Instead of running terminal commands and pointing Virtualmin to uncommon directories, wouldn't it be better to go the standard Virtualmin way: On tab "SSL Providers" Request Certificate ? -If this way would be better, which Certificate hash type should I select, -RSA or ECC? - - -Okay, after requesting a new certificate with ECC hash type the -kipurchat.creature-go.com has a valid certificate for https:// now. -
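Review bot: In the removed certbot output (the `rateLimited` failure under "Certificate repair attempt"), the Let's Encrypt unpause link is recorded with its full `jwt=` query parameter, and the later webroot failures record the server address 65.108.193.31; deleting these lines from Linux-Servers.md only removes them from the working tree, and they stay readable in the pre-image blob 1a98d88 and in this patch itself. If the repository is shared or will be, treat the link as disclosed and rewrite history rather than relying on this deletion. Separately, the hunk drops the only record of what resolved the task kept in the context lines ("Change the SSL certificate setup so that future renewals will work"): the change to /etc/apache2/sites-available/kipurchat.creature-go.com.conf that let the webroot challenge succeed, and the final step of requesting an ECC certificate through Virtualmin's "SSL Providers" tab after Virtualmin rejected a certificate file outside the virtual server's home directory. A few summary lines under that task, and a subject more specific than "Cleaned up Linux-Servers.md", would keep that outcome findable.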