tlg/prompts
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Cleaned up Linux-Servers.md

Browse Source
This commit is contained in:
tlg
2026-03-15 13:44:31 +01:00
parent 46c6c124d1
commit 0ffab74638
1 changed files with 0 additions and 313 deletions
Download Patch File Download Diff File Expand all files Collapse all files

313
Linux-Servers.md
View File

@@ -108,316 +108,3 @@ Change the SSL certificate setup so that future renewals will work.
If not already done by completing the task before, repair the SSL connection so that "kipurchat.creature-go.com" can be used again.
## Updates
Okay, updates were done long ago because this is just an experimental server.
Good idea to run updates first.
I am running Terminal commands as root and I prefer "apt" instead of "apt-get".
Snap is not acceptable and will not be installed on the server.
Both Debian linux and Virtualmin are outdated. Which one to update first?
Please provide the Terminal commands again taking into account these preferences.
## What I did to update and certificate renewal attempt
I did to these steps to update:
### Update Debian packages
In a terminal I did run
```
apt update
apt upgrade
```
I do not want to upgrade the full distribution because it is Debian 12
which is really good enough. Any distro upgrade is a risk so when unnecessary
I won't do it. Therefore, I did not run the other Terminal commands you proposed.
I did see that webmin was upgraded during apt upgrade, too.
After rebooting the server, a previously warning in Virtualmin that the
Virtualmin version is outdated was not showing up anymore.
Therefore, I skipped Phase 2: Update Virtualmin.
### Certificate repair attempt
First I tried the renewal via the Virtualmin page but it failed:
"
Web-based validation failed :
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewing an existing certificate for kipurchat.creature-go.com
An unexpected error occurred:
AttributeError: can't set attribute
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
DNS-based validation failed :
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewing an existing certificate for kipurchat.creature-go.com
An unexpected error occurred:
AttributeError: can't set attribute
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
"
Then I tried in a terminal, I did run this without success (likely because not waiting a moment after the previous attempt):
```
root@sv005 ~ # certbot renew --force-renewal --cert-name kipurchat.creature-go.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/kipurchat.creature-go.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for kipurchat.creature-go.com
Failed to renew certificate kipurchat.creature-go.com with error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Your account is temporarily prevented from requesting certificates for kipurchat.creature-go.com and possibly others. Please visit: https://portal.letsencrypt.org/sfe/v1/unpause?jwt=eyJhbGciOiJIUzI1NiJ9.eyJhdWQiOiJTRkUgVW5wYXVzZSIsImV4cCI6MTc3NDcwMTE1OCwiaWF0IjoxNzczNDkxNTU4LCJpZGVudGlmaWVycyI6ImtpcHVyY2hhdC5jcmVhdHVyZS1nby5jb20iLCJpc3MiOiJXRkUiLCJzdWIiOiIyMjc5MDc3MTg2IiwidmVyc2lvbiI6InYxIn0.0bSnk4-HuXVnUWJb-ck7aVJCPo9UaZf1xCMsQ9791ZU
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/kipurchat.creature-go.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
root@sv005 ~ #
```
So looks like we still have the "AttributeError: can't set attribute" problem.
## Certbot version
My certbot version is too old, I have bookworm-backports enabled but the apt install did not work:
```
root@sv005 ~ # certbot --version
certbot 2.1.0
root@sv005 ~ # grep -r "backports" /etc/apt/sources.list /etc/apt/sources.list.d/
/etc/apt/sources.list:# deb http://deb.debian.org/debian bookworm-backports main contrib non-free-firmware
/etc/apt/sources.list:# deb-src http://deb.debian.org/debian bookworm-backports main contrib non-free-firmware
root@sv005 ~ # apt install -t bookworm-backports certbot python3-certbot python3-acme
Reading package lists... Done
E: The value 'bookworm-backports' is invalid for APT::Default-Release as such a release is not available in the sources
```
What should I do now?
Enabled backports but certbot version cannot be updated:
```
root@sv005 ~ # apt install -t bookworm-backports certbot python3-certbot python3-acme
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
certbot is already the newest version (2.1.0-4).
certbot set to manually installed.
python3-certbot is already the newest version (2.1.0-4).
python3-certbot set to manually installed.
python3-acme is already the newest version (2.1.0-1).
python3-acme set to manually installed.
The following packages were automatically installed and are no longer required:
libclamav11 linux-image-6.1.0-35-amd64
Use 'apt autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 54 not upgraded.
```
Enough - I will update to Trixie.
While performing "apt full-upgrade" the connection was lost.
After a while I rebooted the server and tried to run
"apt full-upgrade" again. I had to fix an issue but now there are errors:
```
root@sv005 ~ # apt full-upgrade
E: dpkg was interrupted, you must manually run 'dpkg --configure -a' to correct the problem.
root@sv005 ~ # dpkg --configure -a
Setting up libc-l10n (2.41-12+deb13u2) ...
dpkg: dependency problems prevent configuration of locales:
locales depends on libc-bin (>> 2.41); however:
Version of libc-bin on system is 2.36-9+deb12u13.
dpkg: error processing package locales (--configure):
dependency problems - leaving unconfigured
Setting up libc6:amd64 (2.41-12+deb13u2) ...
Checking for services that may need to be restarted...
Checking init scripts...
Restarting services possibly affected by the upgrade:
webmin: restarting...done.
saslauthd: restarting...done.
postfix: restarting...done.
ssh: restarting...done.
cron: restarting...done.
atd: restarting...done.
Services restarted successfully.
Setting up libc-dev-bin (2.41-12+deb13u2) ...
Setting up libc-devtools (2.41-12+deb13u2) ...
Processing triggers for man-db (2.11.2-2) ...
dpkg: dependency problems prevent processing triggers for libc-bin:
libc-bin depends on libc6 (<< 2.37); however:
Version of libc6:amd64 on system is 2.41-12+deb13u2.
dpkg: error processing package libc-bin (--configure):
dependency problems - leaving triggers unprocessed
Errors were encountered while processing:
locales
libc-bin
root@sv005 ~ #
```
How to proceed?
1. did not trigger an error but asks me this:
```
root@sv005 ~ # certbot certonly --webroot -w /home/admincg/domains/kipurchat.creature-go.com/public_html -d kipurchat.creature-go.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
An RSA certificate named kipurchat.creature-go.com already exists. Do you want
to update its key type to ECDSA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(U)pdate key type/(K)eep existing key type:
```
I unpaused on Let's Encrypt page and retried but got an error:
```
root@sv005 ~ # certbot certonly --webroot -w /home/admincg/domains/kipurchat.creature-go.com/public_html -d kipurchat.creature-go.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
An RSA certificate named kipurchat.creature-go.com already exists. Do you want
to update its key type to ECDSA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(U)pdate key type/(K)eep existing key type: U
Renewing an existing certificate for kipurchat.creature-go.com
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: kipurchat.creature-go.com
Type: unauthorized
Detail: 65.108.193.31: Invalid response from https://kipurchat.creature-go.com/.well-known/acme-challenge/51dsdhWws4UEpTuZGIyeFXbYU8J2DpeKFQuACHvcTzA: 503
Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
```
On the Virtualmin page it failed, too. But certificate type still was RSA.
I changed to ECC and requested a new certificate but it failed:
"
Request Certificate
In domain kipurchat.creature-go.com
Requesting a certificate for kipurchat.creature-go.com from Let's Encrypt ..
.. request failed : Web-based validation failed :
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewing an existing certificate for kipurchat.creature-go.com
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: kipurchat.creature-go.com
Type: unauthorized
Detail: 65.108.193.31: Invalid response from https://kipurchat.creature-go.com/.well-known/acme-challenge/-c7GdKxe8NtwulzVb8gYjF0WoMc9TVomdqJi_RA8ILU: 503
Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
DNS-based validation failed :
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewing an existing certificate for kipurchat.creature-go.com
Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
Domain: kipurchat.creature-go.com
Type: dns
Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.kipurchat.creature-go.com - check that a DNS record exists for this domain
Hint: The Certificate Authority failed to verify the DNS TXT records created by the --manual-auth-hook. Ensure that this hook is functioning correctly and that it waits a sufficient duration of time for DNS propagation. Refer to "certbot --help manual" and the Certbot User Guide.
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
"
The Step 1 test does not work:
```
root@sv005 ~ # mkdir -p /home/admincg/domains/kipurchat.creature-go.com/public_html/.well-known/acme-challenge/
root@sv005 ~ # echo "Success" > /home/admincg/domains/kipurchat.creature-go.com/public_html/.well-known/acme-challenge/test
root@sv005 ~ # ls
Maildir backups virtualmin-install.log virtualmin-install.log.1 work
root@sv005 ~ # cd work
root@sv005 ~/work # ls -alhrt
total 12K
drwxr-xr-x 3 root root 4.0K Oct 24 16:05 .
drwxr-xr-x 2 root root 4.0K Oct 24 19:21 wireguard-setup
drwx------ 11 root root 4.0K Jan 9 14:49 ..
root@sv005 ~/work # curl -IL http://kipurchat.creature-go.com/.well-known/acme-challenge/test
HTTP/1.1 301 Moved Permanently
Date: Sat, 14 Mar 2026 20:58:36 GMT
Server: Apache
Location: https://kipurchat.creature-go.com/.well-known/acme-challenge/test
Content-Type: text/html; charset=iso-8859-1
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the webpage mentioned above.
```
Okay, after modifying
/etc/apache2/sites-available/kipurchat.creature-go.com.conf
according your instructions and restarting Apache
the certbot repair was successful:
```
root@sv005 ~/work # certbot certonly --webroot -w /home/admincg/domains/kipurchat.creature-go.com/public_html -d kipurchat.creature-go.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
An RSA certificate named kipurchat.creature-go.com already exists. Do you want
to update its key type to ECDSA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(U)pdate key type/(K)eep existing key type: U
Renewing an existing certificate for kipurchat.creature-go.com
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/kipurchat.creature-go.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/kipurchat.creature-go.com/privkey.pem
This certificate expires on 2026-06-12.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
```
But the webpage at kipurchat.creature-go.com still shows the same error and
Virtualmin still shows a not-working SSL Certificate. How to fix this?
Step 1 fails, I get the Error "Failed to install certificate : Certificate file /etc/letsencrypt/live/kipurchat.creature-go.com/fullchain.pem must be under the virtual server's home directory".
Instead of running terminal commands and pointing Virtualmin to uncommon directories, wouldn't it be better to go the standard Virtualmin way: On tab "SSL Providers" Request Certificate ?
If this way would be better, which Certificate hash type should I select,
RSA or ECC?
Okay, after requesting a new certificate with ECC hash type the
kipurchat.creature-go.com has a valid certificate for https:// now.