Schlagwort-Archive: Debian
Letsencrypt mit Debian
Inhaltsverzeichnis
- Erzeugen neuer letsencrypt Stern-Zertifikat
- Update des Zertifikate
- letsencrypt-Zertifikate für Courier-Server verwenden
Erzeugen neuer letsencrypt Stern-Zertifikats
Installation von certbot
# apt-get install python-certbot-apache
Erzeugen der Zertifikate
# /etc/letsencrypt/live# sudo certbot certonly --manual -d *.rana.at --agree-tos --no-bootstrap --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator manual, Installer None Obtaining a new certificate Performing the following challenges: dns-01 challenge for rana.at - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Please deploy a DNS TXT record under the name _acme-challenge.rana.at with the following value: dfpLiD95pF30KpwyBt_E1nnpjQy5mjJbUZIuqW7nF1s Before continuing, verify the record is deployed. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Press Enter to Continue Waiting for verification... Cleaning up challenges IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/rana.at/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/rana.at/privkey.pem Your cert will expire on 2020-05-26. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew *all* of your certificates, run "certbot renew" - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le
Die aktuellen Zertifikate sind im Verzeichnis /etc/letsencrypt/live/rana.at/ zu finden.
Apache-Konfiguration
/etc/apache2/sites-available/rana.at.conf:
… SSLEngine On SSLCertificateFile /etc/letsencrypt/live/rana.at/fullchain.pem SSLCertificateKeyFile /etc/letsencrypt/live/rana.at/privkey.pem …
Update des Zertifikate
# certbot certonly --server https://acme-v02.api.letsencrypt.org/directory --manual --preferred-challenges dns -d '*.example.org' Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator manual, Installer None Obtaining a new certificate Performing the following challenges: dns-01 challenge for example.org - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - NOTE: The IP of this machine will be publicly logged as having requested this certificate. If you're running certbot in manual mode on a machine that is not your server, please ensure you're okay with that. Are you OK with your IP being logged? - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (Y)es/(N)o: Y - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Please deploy a DNS TXT record under the name _acme-challenge.example.org with the following value: sadkljfs87q80493rdsn.kadlsf89aeduicasiodfuap Before continuing, verify the record is deployed. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Press Enter to Continue Waiting for verification... Cleaning up challenges IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/example.org/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/example.org/privkey.pem Your cert will expire on 2020-02-04. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew *all* of your certificates, run "certbot renew" - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le
Wöhrend der Ausführung nach dem ersten Y den TXT-Record nach Aufforderung anpassen und die DNS-Zonendatei neu laden!
Alternativ kann man vermutlich folgendermaßen updaten, was ich mich am Beginn nicht getraut habe:
# letsencrypt renew
Das Ergebnis, wenn das Zertifikat noch nicht nahe dem Ablaufdatum sind:
# letsencrypt renew Saving debug log to /var/log/letsencrypt/letsencrypt.log - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Processing /etc/letsencrypt/renewal/gfw.at.conf - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Cert not yet due for renewal - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Processing /etc/letsencrypt/renewal/rana.at.conf - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Cert not yet due for renewal - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Processing /etc/letsencrypt/renewal/rana.wien.conf - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Cert not yet due for renewal - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - The following certs are not due for renewal yet: /etc/letsencrypt/live/gfw.at/fullchain.pem expires on 2020-05-26 (skipped) /etc/letsencrypt/live/rana.at/fullchain.pem expires on 2020-05-26 (skipped) /etc/letsencrypt/live/rana.wien/fullchain.pem expires on 2020-05-26 (skipped) No renewals were attempted. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
letsencrypt-Zertifikate für Courier-Server verwenden
Um die Letsencrypt-Zertifikate für den Courier-Server verwenden zu können, müssen sowohl das Zertifikat als auch der Private Schlüssel in eine Datei gepackt werden:
# cat /etc/letsencrypt/live/rana.at/cert.pem /etc/letsencrypt/live/rana.at/privkey.pem > /etc/courier/letsencrypt/fullchain.pem
Die oben erzeugte Datei muss entsprechend eingebunden werden:
Courier imapd-ssl
/etc/courier/imapd-ssl
… # In all cases, $TLS_CERTFILE needs to be linked to one of the existing # certificate files. TLS_CERTFILE=/etc/courier/letsencrypt/fullchain.pem …
Courier pop3d-ssl
/etc/courier/pop3d-ssl
… # In all cases, $TLS_CERTFILE needs to be linked to one of the existing # certificate files. TLS_CERTFILE=/etc/courier/letsencrypt/fullchain.pem …
Upgrade von Debian 9 stretch zu Debian 10 buster
Upgrade
Man vollführe die übliche Upgrade-Prozedur, wie sie z.B. unter https://linuxconfig.org/how-to-upgrade-debian-9-stretch-to-debian-10-buster beschrieben ist. Hier die Kurzform:
Test auf Pakete aus anderen Quellen:
# aptitude search '~i(!~ODebian)'
Update von stretch (= Update aller Pakete in stretch auf die aktuellste Version):
# apt-get update # apt-get upgrade # apt-get dist-upgrade
Kontrolle, ob irgendetwas aktuell nicht stimmt:
# dpkg -C
Kontrolle, ob Pakete auf hold stehen:
# apt-mark showhold
Falls etwas aus den letzten beiden Befehlen nicht gepasst hat, hilft vielleicht dies noch weiter:
# dpkg --audit
Am besten ein Backup der aktuellen apt-Quellen machen und danach in der Datei etc/apt/sources.list überall stretch mit buster ersetzen:
# cp /etc/apt/sources.list /etc/apt/sources.list_backup
von stretch: deb http://httpredir.debian.org/debian stretch main deb http://httpredir.debian.org/debian stretch-updates main deb http://security.debian.org stretch/updates main zu buster: deb http://httpredir.debian.org/debian buster main deb http://httpredir.debian.org/debian buster-updates main deb http://security.debian.org buster/updates main
Update der Pakete:
# apt-get update
Simulation des Upgrades:
# apt list --upgradable
Der tatsächliche Upgrade:
# apt-get upgrade # apt-get dist-upgrade
Am Schluss noch einmal eine Kontrolle:
# aptitude search '~i(!~ODebian)'
Nacharbeiten
So, und jetzt zu den Problemen, die bei mir nach dem Upgrade auftraten:
bind9
bind9 im chroot startet nicht!
Man muss jetzt ein wenig mehr in den Käfig verschieben:
# mkdir -p /var/bind9/chroot/run/named chown bind:bind /var/bind9/chroot/run/named … mkdir -p /var/bind9/chroot/usr/share/dns cp /usr/share/dns/root.hints /var/bind9/chroot/usr/share/dns/ systemctl restart bind9.service
Zusätzlich muss in der Datei /etc/systemd/system/bind9.service/chroot.conf der Type auf simple umgestellt werden:
[Service] ExecStart= ExecStart=/usr/sbin/named -f -u bind -t /var/bind9/chroot Type=simple
Icinga2
dns-Abfragen, bei denen IPv4 und IPv6 konfiguriert sind, habe ich deaktiviert. Das Plugin schrieb: erwarte IPv4 Adresse, bekomme IPv6 Adresse. Muss ich mich erst einlesen, was da geändert wurde.
Upgrade von Seafile (Pro-Version)
Im seafile-Verzeichnis mit der Struktur
dccnet conf installed logs pids pro-data seafile-data seafile-pro-server-6.2.13 seafile-server-latest -> seafile-pro-server-6.2.13 seahub-data
das aktuelle Paket laden und entpacken:
dccnet conf installed logs pids pro-data seafile-data seafile-pro-server-6.2.13 seafile-pro-server-6.3.9 seafile-server-latest -> seafile-pro-server-6.2.13 seahub-data
Den seafile– und seahub-Server stoppen:
$ seafile-server-latest/seahub.sh stop $ seafile-server-latest/seafile.sh stop
Das Upgrade-Skript laufen lassen:
$ seafile-server-latest/upgrade/upgrade_6.2_6.3.sh ------------------------------------------------------------- This script would upgrade your seafile server from 6.2 to 6.3 Press [ENTER] to contiune ------------------------------------------------------------- Updating seafile/seahub database ... [INFO] You are using MySQL [INFO] updating ccnet database... /path-to/seafile-pro/seafile-pro-server-6.3.9/upgrade/db_update_helper.py:354: Warning: Table 'LDAPConfig' already exists cursor.execute(sql) /path-to/seafile-pro/seafile-pro-server-6.3.9/upgrade/db_update_helper.py:354: Warning: Table 'GroupStructure' already exists cursor.execute(sql) [INFO] updating seafile database... /path-to/seafile-pro/seafile-pro-server-6.3.9/upgrade/db_update_helper.py:354: Warning: Table 'SeafileConf' already exists cursor.execute(sql) /path-to/seafile-pro/seafile-pro-server-6.3.9/upgrade/db_update_helper.py:354: Warning: Table 'RepoInfo' already exists cursor.execute(sql) [INFO] updating seahub database... /path-to/seafile-pro/seafile-pro-server-6.3.9/upgrade/db_update_helper.py:354: Warning: Table 'organizations_orgmemberquota' already exists cursor.execute(sql) [WARNING] Failed to execute sql: (1061, "Duplicate key name 'ix_event_timestamp'") [WARNING] Failed to execute sql: (1061, "Duplicate key name 'ix_FileAudit_timestamp'") [WARNING] Failed to execute sql: (1061, "Duplicate key name 'ix_FileUpdate_timestamp'") [WARNING] Failed to execute sql: (1061, "Duplicate key name 'ix_UserTrafficStat_month'") Done migrating avatars ... Done updating /path-to/seafile-pro/seafile-server-latest symbolic link to /path-to/seafile-pro/seafile-pro-server-6.3.9 ... ----------------------------------------------------------------- Upgraded your seafile server successfully. -----------------------------------------------------------------
Starten des Seahub-Servers:
$ seafile-server-latest/seafile.sh start ** Message: seafile-controller.c(1155): loading seafdav config from /path-to/seafile-pro/conf/seafdav.conf [05/14/19 21:27:18] ../common/session.c(139): using config file /path-to/seafile-pro/conf/ccnet.conf [05/14/19 21:27:18] ../common/license.c(406): Loading license file /path-to/seafile-pro/seafile-license.txt .. [05/14/19 21:27:18] ../common/license.c(409): License file /path-to/seafile-pro/seafile-license.txt does not exist, allow at most 3 trial users License file /path-to/seafile-pro/seafile-license.txt does not exist, allow at most 3 trial users Starting seafile server, please wait ... ** Message: seafile-controller.c(1155): loading seafdav config from /path-to/seafile-pro/conf/seafdav.conf Seafile server started Done. $ seafile-server-latest/seahub.sh start LC_ALL is not set in ENV, set to en_US.UTF-8 Starting seahub at port 8000 ... Seahub is started Done.