Symbiosis Jessie + LetsEncrypt released


#1

Hi everyone

I’ve pushed the button on getting the latest round of updates to Symbiosis out. These are quite large changes, especially around the way SSL certificates are handled. There are also a number of bug fixes.

All domains will now automatically receive trusted SSL certificates for free from LetsEncrypt. The precise way this works is described in my earlier post. This closes three feature requests.

Bugfixes

There are quite a few bugfixes included in these updates.

symbiosis-backup

  • Updated the available space checker to parse the backup2l.conf more accurately. Closes #12483

symbiosis-common

  • The DKIM selector code has been tidied to work if the hostname doesn’t match the selector regex.

symbiosis-dns

  • Avoid generating invalid SPF records by stripping any potential newline characters prior to generating them.
  • Fixed up DMARC record generation to produce valid records.

symbiosis-email

  • Fixed symbiosis-email-encrypt-passwords not to have $VERBOSE flag set permanently. Closes #12463.
  • Removed useless test files from /etc/symbiosis/test.d/exim4_acl_tests. Closes #12388
  • Home directory is now set for the vhost_vacation router in Exim.
  • Exim was using the whole hostname instead of the first component as the DKIM selector, which differed from how symbiosis-common was doing things. Helps close #8803.

symbiosis-firewall

  • Updated code to work with the new version of symbiosis-common.

symbiosis-httpd

  • When ssl-only is set, the SSL template should redirect to the HTTP Host given in the request, instead of assuming that the request should go to the “bare” domain. Closes #12383.
  • Updated zz-mass-hosting templates to have a wildcard alias in order to work when sharing the IP with other name-based virtual hosts. Closes #12423
  • Fixed race condition in logger. Closes #12378
  • Fixed typo on holding page. Closes #12433

symbiosis-xmpp

  • XMPP configuration generated a line consisting of just a semi-colon when no SSL certificates were available for a domain. This has been fixed (closes #12473).

symbiosis-webmail

  • Fixed login_lc logic in the symbiosis extra config file. Closes #12453.

#2

This. Is. AWESOME

The letsencrypt stuff is going to save me so much grief!

Will these roll out in overnight updates automatically, or do they have to be applied?

Cheers
Jon


#3

Hi Jon

They should roll out overnight, but the certificates probably won’t go live until the next apache2 reload, i.e. the next morning when logs are rotated.

There’s a bit of polish missing there!

Patrick


#4

I’ve tried to invoke the new magic on a test domain by renaming config/ssl.[crt/key/bundle] a few days ago and running sudo /etc/init.d/apache2 reload an hour or so ago… should I expect things to have happened by now? Also, is dpkg-reconfigure symbiosis-httpd the way to go for instant results?

(Incidentally, the certificateless domain picks up the cert from the first site on the machine [but I think this is old behaviour]).


#5

If you run

sudo symbiosis-ssl --verbose

you should see some certificates get generated. After that you can run

sudo symbiosis-httpd-configure --verbose

to get them going.

Normally symbiosis-ssl only runs on a daily basis so things would have taken their natural course by tomorrow morning.


#6

Magic, thanks. That was a little bit more exciting than I was expecting – as luck would have it there are/were quite a few certs due to expire in the next week…


#7

… and it’s all looking brilliant !


#8

Just a minor warning in case it hits people like it did me.

The beta LetsEncrypt service is rate limited, at something like 5 certificate generations per domain per week. While the messages that whiz by when you run ‘sudo symbiosis-ssl --verbose’ do mention the reason for a certificate failing, it’s easy for these to get lost in the ‘noise’.

I moved all my hosting from an old BigV instance to a new one, which included a number of sub-domains of my main domain. It took me a little while to work out why the first few to be transferred appeared to get SSL certificates generated without any problem, but after a while new ones stopped getting certificates.

I just left it alone for a week or so and the overnight process eventually generated certificates appropriately.

Andy


#9

Having experienced a problem site, two other ‘gotchas’ to watch out for:

1) .htaccess blocking htdocs/.well-known/acme-challenge/ requests
For example, Drupal 7, out of the box, will block the verification:

  # Block access to "hidden" directories whose names begin with a period. This
  # includes directories used by version control systems such as Subversion or
  # Git to store control files. 

  RewriteRule "(^|/)\." - [F]

This results in symbiosis-ssl -v saying things like:

Examining certificates for my-brilliant-site.com
        The current certificate expires in 6 days.
        Fetching a new certificate from LetsEncrypt.
net/http: warning: Content-Type did not set; using application/x-www-form-urlencoded
        Requesting verification for my-brilliant-site.com from https://acme-v01.api.letsencrypt.org/directory
net/http: warning: Content-Type did not set; using application/x-www-form-urlencoded
net/http: warning: Content-Type did not set; using application/x-www-form-urlencoded
        !! Unable to verify my-brilliant-site.com (status: invalid)
        !! Check http://my-brilliant-site.com/.well-known/acme-challenge/uKNXV1Uo6rVE_nLsW3pU0oALnUqdfICF4dVc8NzFLNw works.
net/http: warning: Content-Type did not set; using application/x-www-form-urlencoded
        Requesting verification for www.my-brilliant-site.com from https://acme-v01.api.letsencrypt.org/directory
net/http: warning: Content-Type did not set; using application/x-www-form-urlencoded
net/http: warning: Content-Type did not set; using application/x-www-form-urlencoded
        !! Unable to verify www.my-brilliant-site.com (status: invalid)
        !! Check http://www.my-brilliant-site.com/.well-known/acme-challenge/iDxGvUDQAOmNH432K5jONHI5X2HevJrKfGYh8fSut1A works.
        !! Failed: Failed to fetch certificate

2) Ownership & permissions for .well-known

After CMS updates I usually run scripts to reset ownership & permissions. By default they set admin:www-data rwx,r on everything in htdocs. This appears to have led to errors like:

        !! Unable to verify my-brilliant-site.com (status: invalid)
        !! Check http://my-brilliant-site.com/.well-known/acme-challenge/uKNXV1Uo6rVV_nLsW8pU0oALnUqdsICF4dVc8NzFLNw works.
        !! Failed: Operation not permitted @ rb_file_chown - /srv/my-brilliant-site.com/public/htdocs/.well-known/acme-challenge/zJT2Cxsq0r0m5sWQ9qnBGlruylDYk3x4b2lRrdFW_fM
        Unable to use 'ssl-cert' group (Operation not permitted) when writing SSL Set 0
        Rolled over to SSL set 0

Both ‘gotchas’ are easily fixed/avoided when you know how… thank you support. :wink:
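The two gotchas above (a dot-path RewriteRule with no .well-known exception, and a challenge directory whose ownership or permissions stop the token being written) can both be caught before symbiosis-ssl runs. The script below is an added example, not part of Symbiosis or of this post; it assumes the /srv/<domain>/public/htdocs layout from the thread, takes the htdocs path and optionally the site's http:// URL as arguments, and the token name it writes for the curl probe is a constructed placeholder.

```shell
#!/bin/sh
# Pre-flight checks for LetsEncrypt HTTP-01 verification on a Symbiosis-style
# docroot (/srv/<domain>/public/htdocs). Each check is a function taking its
# path or URL as an argument, so nothing is hard-coded.

acme_dir_ok() {
  # $1 = htdocs path. True when .well-known/acme-challenge exists, is writable
  # and is owned by the invoking user (the rb_file_chown error in the post
  # followed a permissions reset that changed ownership under htdocs).
  dir="$1/.well-known/acme-challenge"
  [ -d "$dir" ] && [ -w "$dir" ] && [ -O "$dir" ]
}

htaccess_blocks_dotfiles() {
  # $1 = path to .htaccess. True when the Drupal 7 rule  RewriteRule "(^|/)\." - [F]
  # is present and no line mentioning .well-known appears at or before it
  # (an exception must precede the block; "at or before" also accepts the
  # single-line "(?!well-known/)" negative-lookahead variant).
  f="$1"
  [ -f "$f" ] || return 1
  block=$(grep -Fn '(^|/)\.' "$f" | head -n 1 | cut -d: -f1)
  [ -n "$block" ] || return 1
  exc=$(grep -n 'well-known' "$f" | head -n 1 | cut -d: -f1)
  if [ -n "$exc" ] && [ "$exc" -le "$block" ]; then return 1; fi
  return 0
}

challenge_probe() {
  # $1 = htdocs path, $2 = base URL (http://, as the ACME check uses).
  # Writes a constructed token, fetches it back and removes it: the
  # "Check http://.../.well-known/acme-challenge/... works" step done by hand.
  dir="$1/.well-known/acme-challenge"
  token="preflight-$$"
  mkdir -p "$dir" || return 1
  printf 'symbiosis-preflight' > "$dir/$token" || return 1
  got=$(curl -fsS --max-time 10 "$2/.well-known/acme-challenge/$token" 2>/dev/null)
  rm -f "$dir/$token"
  [ "$got" = "symbiosis-preflight" ]
}

# Usage: sh acme-preflight.sh /srv/example.com/public/htdocs [http://example.com]
if [ "$#" -ge 1 ]; then
  acme_dir_ok "$1" || echo "WARN: $1/.well-known/acme-challenge missing, not writable or not yours"
  htaccess_blocks_dotfiles "$1/.htaccess" && echo "WARN: .htaccess forbids dot-paths with no .well-known exception"
  [ "$#" -lt 2 ] || challenge_probe "$1" "$2" || echo "WARN: challenge URL under $2 not served correctly"
fi
```

Run it as the same user that symbiosis-ssl runs under, otherwise the ownership check answers a different question than the one that matters.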

