Hinweis: es wurde eine bereits bestehende Davical-Datenbank transferiert!
Postgres in der Version 11
Davical 1.1.8

Davical und postgres installieren

apt-get install davical
apt-get install postgres

Davical konfigurieren

vim /etc/davical/cal3.example.com-conf.php

domain_name  = 'cal3.example.com';
  $c->sysabbr     = 'davical';
  $c->system_name = 'DAViCal CalDAV Server';

  $c->admin_email  = 'davical@example.com';
  $c->pg_connect[] = 'dbname=davical port=5432 user=davical_app';
  $c->default_locale = "de_DE";

Achtung: der Name der Konfigurationsdatei muss mit dem Hostnamen des Kalenderserver übereinstimmen!

postgres konfigurieren

vim /etc/postgresql/11/main/pg_hba.conf

…
# Database administrative login by Unix domain socket
local   all             postgres                                peer

# TYPE  DATABASE        USER            ADDRESS                 METHOD
# Allow local access for davical
local   davical         davical_app                             trust
local   davical         davical_dba                             trust
host    davical         davical_app     127.0.0.1/32            trust
host    davical         davical_dba     127.0.0.1/32            trust
host    davical         davical_app     ::1/128                 trust
host    davical         davical_dba     ::1/128                 trust

# "local" is for Unix domain socket connections only
local   all             all                                     peer
…

Hinweis: der fett ausgeführte Teil muss vor allen anderen Definitienen erolgen, damit sie greifen!

Konfiguration Apache

Erweiterung der Ports

vim /etc/apache2/ports.conf

# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default.conf

Listen 80

<IfModule ssl_module>
        Listen 443
        <strong>>isten 8443</strong>
</IfModule>

<IfModule mod_gnutls.c>
        Listen 443
</IfModule>

Davical Konfiguration

vim /etc/apache2/conf-available/davical.conf

## /etc/apache2/conf-available/davical.conf


<IfModule mod_ssl.c>
Alias /davical /usr/share/davical/htdocs
<Directory /usr/share/davical/htdocs>


       Require all granted
       Options Indexes
       DirectoryIndex index.php
#       php_flag magic_quotes_gpc Off
#       php_flag register_globals Off
</Directory>
</IfModule>

Davical-Site-Konfiguration

vim /etc/apache2/sites-available/davical.conf

<VirtualHost *:8443 >
  DocumentRoot /usr/share/davical/htdocs
  SSLEngine on
  SSLCertificateFile /etc/ssl/2018/STAR_example_at.crt
  SSLCertificateKeyFile /etc/ssl/2018/example.at.key
  DirectoryIndex index.php index.html
  ServerName cal3.example.com
  ServerAlias cal.example.com
  Alias /images/ /usr/share/davical/htdocs/images/
  CustomLog /var/log/apache2/davical_access.log combined
  ErrorLog /var/log/apache2/davical-error.log
  <Directory /usr/share/davical/htdocs/>
      AllowOverride None
      Order allow,deny
      Allow from all
  </Directory>
  AcceptPathInfo On
  php_value include_path /usr/share/awl/inc
  php_value magic_quotes_gpc 0
  php_value register_globals 0
  php_value error_reporting "E_ALL & ~E_NOTICE"
  php_value default_charset "utf-8"
  php_admin_flag suhosin.server.strip off
  RewriteEngine On
  RewriteCond %{REQUEST_URI} !^/$
  RewriteCond %{REQUEST_URI} !/.(php|css|js|png|gif|jpg)
  RewriteRule ^(/principals/users.*)$ /caldav.php$1 [NC,L]
</VirtualHost>

Aktivierung der Apachen-Konfiguration

a2enconf davical
a2ensite davical
systemctl restart apache2

Aus unbekannten Gründen musste auch noch die Datenbank upgedatet werden (wie nach einem Davical Upgrade):
/usr/share/davical/dba/update-davical-database

Anleitung zur kompletten Neuinstallation (inkl. anlegen der Datenbanken)

Davical Installation

Vor einem Update von WordPress wollte ich wie gewohnt meine Datenbank sichern:

# mysqldump -u username -p wordpress > wordpress.sql
# mysql -u username -p wordpress_bu_20191113 < wordpress.sql

Leider brach der Import mit der Fehlermeldung "ERROR 1118 (42000) at line 2239: Row size too large (> 8126). Changing some columns to TEXT or BLOB may help. In current row format, BLOB prefix of 0 bytes is stored inline." ab.
Nach kurzer Recherche entschied ich mich für folgenden Workaround:
Setzen der Variable innodb_strict_mode auf OFF in der Datei /etc/mysql/mariadb.conf.d/50-server.cnf:

…
# This group is only read by MariaDB servers, not by MySQL.
# If you use the same .cnf file for MySQL and MariaDB,
# you can put MariaDB-only options here
[mariadb]
# Rana
# Kommentarzeichen entfernen wenn der Fehler
# "ERROR 1118 (42000) at line 2239: Row size too large (> 8126). Changing some columns to TEXT or BLOB may help. In
# current row format, BLOB prefix of 0 bytes is stored inline." auftritt:
#
innodb_strict_mode=OFF

Nach der Änderung nicht auf den Neustart der Datenbank-Daemon vergessen!

# systemctl restart mysqld.service

Danach funktionierte der Import ohne Probleme.
Ich habe nach dem Import die Variable in der Konfigurationsdatei /etc/mysql/mariadb.conf.d/50-server.cnf wieder auskommentiert und den Daemon neu gestartet.
Weitere Infos zu dem Thema sind in der Knowledgebase zu MariaDB unter Troubleshooting Row Size Too Large Errors with InnoDB zu finden.

Inhaltsverzeichnis

Erzeugen neuer letsencrypt Stern-Zertifikats

Installation von certbot

# apt-get install python-certbot-apache

Erzeugen der Zertifikate

# /etc/letsencrypt/live# sudo certbot certonly --manual -d *.rana.at --agree-tos --no-bootstrap --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for rana.at

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.rana.at with the following value:

dfpLiD95pF30KpwyBt_E1nnpjQy5mjJbUZIuqW7nF1s

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/rana.at/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/rana.at/privkey.pem
   Your cert will expire on 2020-05-26. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Die aktuellen Zertifikate sind im Verzeichnis /etc/letsencrypt/live/rana.at/ zu finden.
Apache-Konfiguration

/etc/apache2/sites-available/rana.at.conf:

…
    SSLEngine On
    SSLCertificateFile /etc/letsencrypt/live/rana.at/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/rana.at/privkey.pem

Update des Zertifikate

# certbot certonly --server https://acme-v02.api.letsencrypt.org/directory --manual --preferred-challenges dns -d '*.example.org'
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for example.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.example.org with the following value:

sadkljfs87q80493rdsn.kadlsf89aeduicasiodfuap

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.org/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.org/privkey.pem
   Your cert will expire on 2020-02-04. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Wöhrend der Ausführung nach dem ersten Y den TXT-Record nach Aufforderung anpassen und die DNS-Zonendatei neu laden!

Alternativ kann man vermutlich folgendermaßen updaten, was ich mich am Beginn nicht getraut habe:

# letsencrypt renew

Das Ergebnis, wenn das Zertifikat noch nicht nahe dem Ablaufdatum sind:

# letsencrypt renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/gfw.at.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/rana.at.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/rana.wien.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/gfw.at/fullchain.pem expires on 2020-05-26 (skipped)
  /etc/letsencrypt/live/rana.at/fullchain.pem expires on 2020-05-26 (skipped)
  /etc/letsencrypt/live/rana.wien/fullchain.pem expires on 2020-05-26 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

letsencrypt-Zertifikate für Courier-Server verwenden

Um die Letsencrypt-Zertifikate für den Courier-Server verwenden zu können, müssen sowohl das Zertifikat als auch der Private Schlüssel in eine Datei gepackt werden:

# cat /etc/letsencrypt/live/rana.at/cert.pem /etc/letsencrypt/live/rana.at/privkey.pem > /etc/courier/letsencrypt/fullchain.pem

Die oben erzeugte Datei muss entsprechend eingebunden werden:

Courier imapd-ssl

/etc/courier/imapd-ssl

…
# In all cases, $TLS_CERTFILE needs to be linked to one of the existing
# certificate files.

TLS_CERTFILE=/etc/courier/letsencrypt/fullchain.pem
…

Courier pop3d-ssl

/etc/courier/pop3d-ssl

…
# In all cases, $TLS_CERTFILE needs to be linked to one of the existing
# certificate files.

TLS_CERTFILE=/etc/courier/letsencrypt/fullchain.pem
…