Inhaltsverzeichnis

Erzeugen neuer letsencrypt Stern-Zertifikats

Installation von certbot

# apt-get install python-certbot-apache

Erzeugen der Zertifikate

# /etc/letsencrypt/live# sudo certbot certonly --manual -d *.rana.at --agree-tos --no-bootstrap --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for rana.at

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.rana.at with the following value:

dfpLiD95pF30KpwyBt_E1nnpjQy5mjJbUZIuqW7nF1s

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/rana.at/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/rana.at/privkey.pem
   Your cert will expire on 2020-05-26. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Die aktuellen Zertifikate sind im Verzeichnis /etc/letsencrypt/live/rana.at/ zu finden.
Apache-Konfiguration

/etc/apache2/sites-available/rana.at.conf:

…
    SSLEngine On
    SSLCertificateFile /etc/letsencrypt/live/rana.at/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/rana.at/privkey.pem

Update des Zertifikate

# certbot certonly --server https://acme-v02.api.letsencrypt.org/directory --manual --preferred-challenges dns -d '*.example.org'
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for example.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.example.org with the following value:

sadkljfs87q80493rdsn.kadlsf89aeduicasiodfuap

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.org/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.org/privkey.pem
   Your cert will expire on 2020-02-04. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Wöhrend der Ausführung nach dem ersten Y den TXT-Record nach Aufforderung anpassen und die DNS-Zonendatei neu laden!

Alternativ kann man vermutlich folgendermaßen updaten, was ich mich am Beginn nicht getraut habe:

# letsencrypt renew

Das Ergebnis, wenn das Zertifikat noch nicht nahe dem Ablaufdatum sind:

# letsencrypt renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/gfw.at.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/rana.at.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/rana.wien.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/gfw.at/fullchain.pem expires on 2020-05-26 (skipped)
  /etc/letsencrypt/live/rana.at/fullchain.pem expires on 2020-05-26 (skipped)
  /etc/letsencrypt/live/rana.wien/fullchain.pem expires on 2020-05-26 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

letsencrypt-Zertifikate für Courier-Server verwenden

Um die Letsencrypt-Zertifikate für den Courier-Server verwenden zu können, müssen sowohl das Zertifikat als auch der Private Schlüssel in eine Datei gepackt werden:

# cat /etc/letsencrypt/live/rana.at/cert.pem /etc/letsencrypt/live/rana.at/privkey.pem > /etc/courier/letsencrypt/fullchain.pem

Die oben erzeugte Datei muss entsprechend eingebunden werden:

Courier imapd-ssl

/etc/courier/imapd-ssl

…
# In all cases, $TLS_CERTFILE needs to be linked to one of the existing
# certificate files.

TLS_CERTFILE=/etc/courier/letsencrypt/fullchain.pem
…

Courier pop3d-ssl

/etc/courier/pop3d-ssl

…
# In all cases, $TLS_CERTFILE needs to be linked to one of the existing
# certificate files.

TLS_CERTFILE=/etc/courier/letsencrypt/fullchain.pem
…

Upgrade

Man vollführe die übliche Upgrade-Prozedur, wie sie z.B. unter https://linuxconfig.org/how-to-upgrade-debian-9-stretch-to-debian-10-buster beschrieben ist. Hier die Kurzform:
Test auf Pakete aus anderen Quellen:

# aptitude search '~i(!~ODebian)'

Update von stretch (= Update aller Pakete in stretch auf die aktuellste Version):

# apt-get update
# apt-get upgrade
# apt-get dist-upgrade

Kontrolle, ob irgendetwas aktuell nicht stimmt:

# dpkg -C

Kontrolle, ob Pakete auf hold stehen:

# apt-mark showhold

Falls etwas aus den letzten beiden Befehlen nicht gepasst hat, hilft vielleicht dies noch weiter:

# dpkg --audit

Am besten ein Backup der aktuellen apt-Quellen machen und danach in der Datei etc/apt/sources.list überall stretch mit buster ersetzen:

# cp /etc/apt/sources.list /etc/apt/sources.list_backup
von stretch:
deb http://httpredir.debian.org/debian stretch main
deb http://httpredir.debian.org/debian stretch-updates main
deb http://security.debian.org stretch/updates main

zu buster:
deb http://httpredir.debian.org/debian buster main
deb http://httpredir.debian.org/debian buster-updates main
deb http://security.debian.org buster/updates main

Update der Pakete:

# apt-get update

Simulation des Upgrades:

# apt list --upgradable

Der tatsächliche Upgrade:

# apt-get upgrade
# apt-get dist-upgrade

Am Schluss noch einmal eine Kontrolle:

# aptitude search '~i(!~ODebian)'

Nacharbeiten

So, und jetzt zu den Problemen, die bei mir nach dem Upgrade auftraten:

bind9

bind9 im chroot startet nicht!
Man muss jetzt ein wenig mehr in den Käfig verschieben:

# mkdir -p /var/bind9/chroot/run/named
chown bind:bind /var/bind9/chroot/run/named
…
mkdir -p /var/bind9/chroot/usr/share/dns
cp /usr/share/dns/root.hints /var/bind9/chroot/usr/share/dns/
systemctl restart bind9.service

Zusätzlich muss in der Datei /etc/systemd/system/bind9.service/chroot.conf der Type auf simple umgestellt werden:

[Service]
ExecStart=
ExecStart=/usr/sbin/named -f -u bind -t /var/bind9/chroot
Type=simple

Icinga2

dns-Abfragen, bei denen IPv4 und IPv6 konfiguriert sind, habe ich deaktiviert. Das Plugin schrieb: erwarte IPv4 Adresse, bekomme IPv6 Adresse. Muss ich mich erst einlesen, was da geändert wurde.

Im seafile-Verzeichnis mit der Struktur

dccnet
conf
installed
logs
pids
pro-data
seafile-data
seafile-pro-server-6.2.13
seafile-server-latest -> seafile-pro-server-6.2.13
seahub-data

das aktuelle Paket laden und entpacken:

dccnet
conf
installed
logs
pids
pro-data
seafile-data
seafile-pro-server-6.2.13
seafile-pro-server-6.3.9
seafile-server-latest -> seafile-pro-server-6.2.13
seahub-data

Den seafile– und seahub-Server stoppen:

$ seafile-server-latest/seahub.sh stop
$ seafile-server-latest/seafile.sh stop

Das Upgrade-Skript laufen lassen:

$ seafile-server-latest/upgrade/upgrade_6.2_6.3.sh

-------------------------------------------------------------
This script would upgrade your seafile server from 6.2 to 6.3
Press [ENTER] to contiune
-------------------------------------------------------------



Updating seafile/seahub database ...

[INFO] You are using MySQL
[INFO] updating ccnet database...
/path-to/seafile-pro/seafile-pro-server-6.3.9/upgrade/db_update_helper.py:354: Warning: Table 'LDAPConfig' already exists
  cursor.execute(sql)
/path-to/seafile-pro/seafile-pro-server-6.3.9/upgrade/db_update_helper.py:354: Warning: Table 'GroupStructure' already exists
  cursor.execute(sql)

[INFO] updating seafile database...
/path-to/seafile-pro/seafile-pro-server-6.3.9/upgrade/db_update_helper.py:354: Warning: Table 'SeafileConf' already exists
  cursor.execute(sql)
/path-to/seafile-pro/seafile-pro-server-6.3.9/upgrade/db_update_helper.py:354: Warning: Table 'RepoInfo' already exists
  cursor.execute(sql)

[INFO] updating seahub database...
/path-to/seafile-pro/seafile-pro-server-6.3.9/upgrade/db_update_helper.py:354: Warning: Table 'organizations_orgmemberquota' already exists
  cursor.execute(sql)
[WARNING] Failed to execute sql: (1061, "Duplicate key name 'ix_event_timestamp'")
[WARNING] Failed to execute sql: (1061, "Duplicate key name 'ix_FileAudit_timestamp'")
[WARNING] Failed to execute sql: (1061, "Duplicate key name 'ix_FileUpdate_timestamp'")
[WARNING] Failed to execute sql: (1061, "Duplicate key name 'ix_UserTrafficStat_month'")
Done

migrating avatars ...

Done

updating /path-to/seafile-pro/seafile-server-latest symbolic link to /path-to/seafile-pro/seafile-pro-server-6.3.9 ...



-----------------------------------------------------------------
Upgraded your seafile server successfully.
-----------------------------------------------------------------

Starten des Seahub-Servers:

$ seafile-server-latest/seafile.sh start

** Message: seafile-controller.c(1155): loading seafdav config from /path-to/seafile-pro/conf/seafdav.conf

[05/14/19 21:27:18] ../common/session.c(139): using config file /path-to/seafile-pro/conf/ccnet.conf
[05/14/19 21:27:18] ../common/license.c(406): Loading license file /path-to/seafile-pro/seafile-license.txt ..
[05/14/19 21:27:18] ../common/license.c(409): License file /path-to/seafile-pro/seafile-license.txt does not exist, allow at most 3 trial users
License file /path-to/seafile-pro/seafile-license.txt does not exist, allow at most 3 trial users
Starting seafile server, please wait ...
** Message: seafile-controller.c(1155): loading seafdav config from /path-to/seafile-pro/conf/seafdav.conf

Seafile server started

Done.
$ seafile-server-latest/seahub.sh start

LC_ALL is not set in ENV, set to en_US.UTF-8
Starting seahub at port 8000 ...

Seahub is started

Done.