Debian-openogo-100
Related Media: Debian
Schlagwort-Archive: Debian
Letsencrypt mit Debian
Inhaltsverzeichnis
- Erzeugen neuer letsencrypt Stern-Zertifikat
- Update des Zertifikate
- letsencrypt-Zertifikate für Courier-Server verwenden
Erzeugen neuer letsencrypt Stern-Zertifikats
Installation von certbot
# apt-get install python-certbot-apache
Erzeugen der Zertifikate
# /etc/letsencrypt/live# sudo certbot certonly --manual -d *.rana.at --agree-tos --no-bootstrap --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator manual, Installer None Obtaining a new certificate Performing the following challenges: dns-01 challenge for rana.at - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Please deploy a DNS TXT record under the name _acme-challenge.rana.at with the following value: dfpLiD95pF30KpwyBt_E1nnpjQy5mjJbUZIuqW7nF1s Before continuing, verify the record is deployed. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Press Enter to Continue Waiting for verification... Cleaning up challenges IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/rana.at/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/rana.at/privkey.pem Your cert will expire on 2020-05-26. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew *all* of your certificates, run "certbot renew" - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le
Die aktuellen Zertifikate sind im Verzeichnis /etc/letsencrypt/live/rana.at/ zu finden. /etc/apache2/sites-available/rana.at.conf: Wöhrend der Ausführung nach dem ersten Y den TXT-Record nach Aufforderung anpassen und die DNS-Zonendatei neu laden! Alternativ kann man vermutlich folgendermaßen updaten, was ich mich am Beginn nicht getraut habe: Das Ergebnis, wenn das Zertifikat noch nicht nahe dem Ablaufdatum sind: Um die Letsencrypt-Zertifikate für den Courier-Server verwenden zu können, müssen sowohl das Zertifikat als auch der Private Schlüssel in eine Datei gepackt werden: Die oben erzeugte Datei muss entsprechend eingebunden werden: /etc/courier/imapd-ssl /etc/courier/pop3d-ssl # systemctl reload apache2.service # cd /etc
…
SSLEngine On
SSLCertificateFile /etc/letsencrypt/live/rana.at/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/rana.at/privkey.pem
…
Update des Zertifikate
# certbot certonly --server https://acme-v02.api.letsencrypt.org/directory --manual --preferred-challenges dns -d '*.example.org'
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for example.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.example.org with the following value:
sadkljfs87q80493rdsn.kadlsf89aeduicasiodfuap
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/example.org/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/example.org/privkey.pem
Your cert will expire on 2020-02-04. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
# letsencrypt renew
# letsencrypt renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/gfw.at.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/rana.at.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/rana.wien.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certs are not due for renewal yet:
/etc/letsencrypt/live/gfw.at/fullchain.pem expires on 2020-05-26 (skipped)
/etc/letsencrypt/live/rana.at/fullchain.pem expires on 2020-05-26 (skipped)
/etc/letsencrypt/live/rana.wien/fullchain.pem expires on 2020-05-26 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
letsencrypt-Zertifikate für Courier-Server verwenden
# cat /etc/letsencrypt/live/rana.at/cert.pem /etc/letsencrypt/live/rana.at/privkey.pem > /etc/courier/letsencrypt/fullchain.pem
Courier imapd-ssl
…
# In all cases, $TLS_CERTFILE needs to be linked to one of the existing
# certificate files.
TLS_CERTFILE=/etc/courier/letsencrypt/fullchain.pem
…
Courier pop3d-ssl
…
# In all cases, $TLS_CERTFILE needs to be linked to one of the existing
# certificate files.
TLS_CERTFILE=/etc/courier/letsencrypt/fullchain.pem
…
Neustart der Prozesse
# systemctl restart courier-pop-ssl.service
# systemctl restart courier-imap-ssl.serviceSichern und kopieren der Zertifikate
# tar -cvf letsencrypt.tar letsencrypt
# scp letsencrypt.tar user@server:
Upgrade von Debian 9 stretch zu Debian 10 buster
Upgrade
Man vollführe die übliche Upgrade-Prozedur, wie sie z.B. unter https://linuxconfig.org/how-to-upgrade-debian-9-stretch-to-debian-10-buster beschrieben ist. Hier die Kurzform:
Test auf Pakete aus anderen Quellen:
# aptitude search '~i(!~ODebian)'
Update von stretch (= Update aller Pakete in stretch auf die aktuellste Version):
# apt-get update # apt-get upgrade # apt-get dist-upgrade
Kontrolle, ob irgendetwas aktuell nicht stimmt:
# dpkg -C
Kontrolle, ob Pakete auf hold stehen:
# apt-mark showhold
Falls etwas aus den letzten beiden Befehlen nicht gepasst hat, hilft vielleicht dies noch weiter:
# dpkg --audit
Am besten ein Backup der aktuellen apt-Quellen machen und danach in der Datei etc/apt/sources.list überall stretch mit buster ersetzen:
# cp /etc/apt/sources.list /etc/apt/sources.list_backup
von stretch: deb http://httpredir.debian.org/debian stretch main deb http://httpredir.debian.org/debian stretch-updates main deb http://security.debian.org stretch/updates main zu buster: deb http://httpredir.debian.org/debian buster main deb http://httpredir.debian.org/debian buster-updates main deb http://security.debian.org buster/updates main
Update der Pakete:
# apt-get update
Simulation des Upgrades:
# apt list --upgradable
Der tatsächliche Upgrade:
# apt-get upgrade # apt-get dist-upgrade
Am Schluss noch einmal eine Kontrolle:
# aptitude search '~i(!~ODebian)'
Nacharbeiten
So, und jetzt zu den Problemen, die bei mir nach dem Upgrade auftraten:
bind9
bind9 im chroot startet nicht!
Man muss jetzt ein wenig mehr in den Käfig verschieben:
# mkdir -p /var/bind9/chroot/run/named chown bind:bind /var/bind9/chroot/run/named … mkdir -p /var/bind9/chroot/usr/share/dns cp /usr/share/dns/root.hints /var/bind9/chroot/usr/share/dns/ systemctl restart bind9.service
Zusätzlich muss in der Datei /etc/systemd/system/bind9.service/chroot.conf der Type auf simple umgestellt werden:
[Service] ExecStart= ExecStart=/usr/sbin/named -f -u bind -t /var/bind9/chroot Type=simple
Icinga2
dns-Abfragen, bei denen IPv4 und IPv6 konfiguriert sind, habe ich deaktiviert. Das Plugin schrieb: erwarte IPv4 Adresse, bekomme IPv6 Adresse. Muss ich mich erst einlesen, was da geändert wurde.
Upgrade von Seafile (Pro-Version)
Im seafile-Verzeichnis mit der Struktur
dccnet conf installed logs pids pro-data seafile-data seafile-pro-server-6.2.13 seafile-server-latest -> seafile-pro-server-6.2.13 seahub-data
das aktuelle Paket laden und entpacken:
dccnet conf installed logs pids pro-data seafile-data seafile-pro-server-6.2.13 seafile-pro-server-6.3.9 seafile-server-latest -> seafile-pro-server-6.2.13 seahub-data
Den seafile– und seahub-Server stoppen:
$ seafile-server-latest/seahub.sh stop $ seafile-server-latest/seafile.sh stop
Das Upgrade-Skript laufen lassen:
$ seafile-server-latest/upgrade/upgrade_6.2_6.3.sh ------------------------------------------------------------- This script would upgrade your seafile server from 6.2 to 6.3 Press [ENTER] to contiune ------------------------------------------------------------- Updating seafile/seahub database ... [INFO] You are using MySQL [INFO] updating ccnet database... /path-to/seafile-pro/seafile-pro-server-6.3.9/upgrade/db_update_helper.py:354: Warning: Table 'LDAPConfig' already exists cursor.execute(sql) /path-to/seafile-pro/seafile-pro-server-6.3.9/upgrade/db_update_helper.py:354: Warning: Table 'GroupStructure' already exists cursor.execute(sql) [INFO] updating seafile database... /path-to/seafile-pro/seafile-pro-server-6.3.9/upgrade/db_update_helper.py:354: Warning: Table 'SeafileConf' already exists cursor.execute(sql) /path-to/seafile-pro/seafile-pro-server-6.3.9/upgrade/db_update_helper.py:354: Warning: Table 'RepoInfo' already exists cursor.execute(sql) [INFO] updating seahub database... /path-to/seafile-pro/seafile-pro-server-6.3.9/upgrade/db_update_helper.py:354: Warning: Table 'organizations_orgmemberquota' already exists cursor.execute(sql) [WARNING] Failed to execute sql: (1061, "Duplicate key name 'ix_event_timestamp'") [WARNING] Failed to execute sql: (1061, "Duplicate key name 'ix_FileAudit_timestamp'") [WARNING] Failed to execute sql: (1061, "Duplicate key name 'ix_FileUpdate_timestamp'") [WARNING] Failed to execute sql: (1061, "Duplicate key name 'ix_UserTrafficStat_month'") Done migrating avatars ... Done updating /path-to/seafile-pro/seafile-server-latest symbolic link to /path-to/seafile-pro/seafile-pro-server-6.3.9 ... ----------------------------------------------------------------- Upgraded your seafile server successfully. -----------------------------------------------------------------
Starten des Seahub-Servers:
$ seafile-server-latest/seafile.sh start ** Message: seafile-controller.c(1155): loading seafdav config from /path-to/seafile-pro/conf/seafdav.conf [05/14/19 21:27:18] ../common/session.c(139): using config file /path-to/seafile-pro/conf/ccnet.conf [05/14/19 21:27:18] ../common/license.c(406): Loading license file /path-to/seafile-pro/seafile-license.txt .. [05/14/19 21:27:18] ../common/license.c(409): License file /path-to/seafile-pro/seafile-license.txt does not exist, allow at most 3 trial users License file /path-to/seafile-pro/seafile-license.txt does not exist, allow at most 3 trial users Starting seafile server, please wait ... ** Message: seafile-controller.c(1155): loading seafdav config from /path-to/seafile-pro/conf/seafdav.conf Seafile server started Done. $ seafile-server-latest/seahub.sh start LC_ALL is not set in ENV, set to en_US.UTF-8 Starting seahub at port 8000 ... Seahub is started Done.