Froxlor Forum

steve_adams

Members
  • Posts

    62
  • Joined

  • Last visited

  • Days Won

    1

steve_adams last won the day on August 25 2021

steve_adams had the most liked content!

steve_adams's Achievements

Explorer

Explorer (4/14)

  • Conversation Starter
  • Week One Done
  • One Month Later
  • One Year In
  • First Post

Recent Badges

-1

Reputation

1

Community Answers

  1. I'm running Froxlor V2 and added a new domain to my resources with a Let's Encrypt certificate. When rebuilding the config files, the cert never gets generated. I ran the froxlor-cli froxlor:cron -d -f and get the following information:

         [error] Could not find file 'DOMAIN.com.cer' in '/root/.acme.sh/DOMAIN.com/'
         [error] Could not find file 'ca.cer' in '/root/.acme.sh/DOMAIN.com/'
         [error] Could not find file 'fullchain.cer' in '/root/.acme.sh/DOMAIN.com/'
         [error] Could not get Let's Encrypt certificate for DOMAIN.com:

     If I run certbot and renew the certificates by force, it works fine until the froxlor cron job runs again and overwrites the apache configs to point the certs back to the /root/.acme.sh/DOMAIN directory. Then the error becomes that the signing request doesn't match? I have a dozen domains on the server and I'm only having issues with about 3 domains... If I try to force renew through froxlor with /root/.acme.sh/acme.sh --renew --force -d DOMAIN.com I receive a 404 error like so:

         Invalid response from https://DOMAIN.com/.well-known/acme-challenge/br1Vv8R8osLylM9TcRlSb9Q-3Bro3PH76jykk0FrnPA: 404

     Despite having validated the web roots with bin/froxlor-cli froxlor:validate-acme-webroot -A
  2. Is there any documentation on how to enable and configure DNSSEC for a BIND based nameserver managed by Froxlor? The domain in question is radicalcomputingconcepts.com
  3. It would appear the error was caused by updating Apache, which in turn updated the ports.conf with additional Listen:443 statements, and after the froxlor-master-cron ran it refused to listen on port 443 because that was already occupied by the main apache conf and the vhosts could not load 😕
  4. "The apache sites-enabled conf files created by Froxlor are blank". This is not clear enough? There are 3 sites on my server with Let's Encrypt certs, and all of their conf files are blank. Example below:

         # 35_froxlor_ssl_vhost_XXXXXXXX.com.conf
         # Created 25.08.2021 16:31
         # Do NOT manually edit this file, all changes will be deleted after the next domain change at the panel.
         # Domain ID: 4 (SSL) - CustomerID: 4 - CustomerLogin: XXXX
         # no ssl-certificate was specified for this domain, therefore no explicit vhost is being generated

     Upon accessing the ssl vhost in a web browser, no domain specific error logs from apache are generated because there's no vhost direction. A 404 error is generated in the browser, so...logically I look in the apache errors where I see:

         [Fri Aug 27 10:48:19.885758 2021] [php7:error] [pid 7367] [client XXX.XXX.XXX.XXX:51060] script '/var/www/html/index.php' not found or unable to stat

     Again, circling back, the SSL vhosts config files are blank! Assuming they're created by Froxlor's cron job, I ran that in debug mode with the following command:

         php /var/www/html/froxlor/scripts/froxlor_master_cronjob.php --force --debug

     Here's the copied output where the errors occur:

         [error] Could not find file 'keystonedesign.com.cer' in '/root/.acme.sh/keystonedesign.com/'
         [error] Could not find file 'ca.cer' in '/root/.acme.sh/keystonedesign.com/'
         [error] Could not find file 'fullchain.cer' in '/root/.acme.sh/keystonedesign.com/'
         [error] Could not get Let's Encrypt certificate for keystonedesign.com:
         [error] Could not find file 'mail.radicalcomputingconcepts.com.cer' in '/root/.acme.sh/mail.radicalcomputingconcepts.com/'
         [error] Could not find file 'ca.cer' in '/root/.acme.sh/mail.radicalcomputingconcepts.com/'
         [error] Could not find file 'fullchain.cer' in '/root/.acme.sh/mail.radicalcomputingconcepts.com/'
         [error] Could not get Let's Encrypt certificate for mail.radicalcomputingconcepts.com:
         [error] Could not find file 'flatironscannabis.com.cer' in '/root/.acme.sh/flatironscannabis.com/'
         [error] Could not find file 'ca.cer' in '/root/.acme.sh/flatironscannabis.com/'
         [error] Could not find file 'fullchain.cer' in '/root/.acme.sh/flatironscannabis.com/'
         [error] Could not get Let's Encrypt certificate for flatironscannabis.com:
         [information] Let's Encrypt certificates have been updated
         [information] apache::createIpPort: creating ip/port settings for 149.56.97.154:80
         [notice] 149.56.97.154:80 :: namevirtualhost-statement no longer needed for apache-2.4
         [debug] 149.56.97.154:80 :: inserted vhostcontainer
         [information] apache::createIpPort: creating ip/port settings for 149.56.97.154:443
         [debug] System certificate key-file "/etc/letsencrypt/live/radicalcomputingconcepts.com-0001/pirvkey.pem" does not seem to exist. Disabling SSL-vhost for "mail.radicalcomputingconcepts.com"
         [error] mail.radicalcomputingconcepts.com :: empty certificate file! Cannot create ssl-directives
         [debug] 149.56.97.154:443 :: inserted vhostcontainer
         [information] apache::createVirtualHosts: creating vhost container for domain 30, customer oddballs
         [debug] System certificate key-file "/etc/letsencrypt/live/radicalcomputingconcepts.com-0001/pirvkey.pem" does not seem to exist. Disabling SSL-vhost for "blank.oddballsinvitations.net"
         [error] blank.oddballsinvitations.net :: empty certificate file! Cannot create ssl-directives
         [information] apache::createVirtualHosts: creating vhost container for domain 25, customer steve
         [information] apache::createVirtualHosts: creating vhost container for domain 29, customer oddballs
         [information] apache::createVirtualHosts: creating vhost container for domain 22, customer billyg
         [debug] System certificate key-file "/etc/letsencrypt/live/radicalcomputingconcepts.com-0001/pirvkey.pem" does not seem to exist. Disabling SSL-vhost for "flatironscannabis.com"
         [error] flatironscannabis.com :: empty certificate file! Cannot create ssl-directives
         [information] apache::createVirtualHosts: creating vhost container for domain 4, customer steve
         [debug] System certificate key-file "/etc/letsencrypt/live/radicalcomputingconcepts.com-0001/pirvkey.pem" does not seem to exist. Disabling SSL-vhost for "keystonedesign.com"
         [error] keystonedesign.com :: empty certificate file! Cannot create ssl-directives
         [information] apache::createVirtualHosts: creating vhost container for domain 23, customer steve
         [debug] System certificate key-file "/etc/letsencrypt/live/radicalcomputingconcepts.com-0001/pirvkey.pem" does not seem to exist. Disabling SSL-vhost for "mail.radicalcomputingconcepts.com"
         [error] mail.radicalcomputingconcepts.com :: empty certificate file! Cannot create ssl-directives
         [information] apache::createVirtualHosts: creating vhost container for domain 26, customer steve
         [information] apache::createVirtualHosts: creating vhost container for domain 1, customer oddballs
         [debug] System certificate key-file "/etc/letsencrypt/live/radicalcomputingconcepts.com-0001/pirvkey.pem" does not seem to exist. Disabling SSL-vhost for "oddballsinvitations.net"
         [error] oddballsinvitations.net :: empty certificate file! Cannot create ssl-directives

     Analyzing this information would explain that the vhost config files are blank because let's encrypt isn't creating the certificates....or rather, creating 'empty' certificates like my empty apache conf files. Could you suggest a way to troubleshoot the Let's Encrypt installation please? Or point me to where I might look for Let's Encrypt misconfiguration?
  5. I recently updated my server OS and froxlor is responding oddly. My domains with Let's Encrypt SSL certificates are yielding a 404 page and the vhost containers for them are blank!?

         # 35_froxlor_ssl_vhost_XXXXXXXX.com.conf
         # Created 25.08.2021 16:31
         # Do NOT manually edit this file, all changes will be deleted after the next domain change at the panel.
         # Domain ID: 4 (SSL) - CustomerID: 4 - CustomerLogin: XXXX
         # no ssl-certificate was specified for this domain, therefore no explicit vhost is being generated

     Furthermore, when I try to access the auto-update from the backend, it presents a blank page! I'm running version 0.10.27
  6. I managed to resolve my issue by manually configuring Rspamd to inject the keys Froxlor created. I realize it's a low priority as there are few people as stubborn as I am when it comes to running a DNS server and hosting my own mail server, but it would be nice to incorporate opendkim and rspamd configurations into Froxlor. I am extremely grateful to the Froxlor community for the present solution. I'd like to contribute these feature requests myself; however, I'm reluctant because I don't think you'd want me sticking my dirty novice hands into the community food bowl!
  7. In the immortal words of Homer Simpson, "D'oh!" I think I found it! I was running Rspamd in order to supply DKIM and it was occupying port 53 with records for the NS1 and NS2. So when the named-checkzone ran it detected that there were pre-existing A records and refused to load the zone! Doop, thank you very much for your patience with me!
  8. HA! Please forgive me....I mistyped the domain in my named-checkzone query. Fat fingers and not enough coffee!

         root@mail:/etc/bind/domains# named-checkzone radicalcomputingconcepts.com /etc/bind/domains/radicalcomputingconcepts.com.zone
         zone radicalcomputingconcepts.com/IN: NS 'ns1.radicalcomputingconcepts.com' has no address records (A or AAAA)
         zone radicalcomputingconcepts.com/IN: NS 'ns2.radicalcomputingconcepts.com' has no address records (A or AAAA)
         zone radicalcomputingconcepts.com/IN: not loaded due to errors.

     FYI, Glue records are in place at the registrar and have been for almost a decade or more...

         root@mail# dig ns com

         ; <<>> DiG 9.11.5-P4-5.1+deb10u5-Debian <<>> ns com
         ;; global options: +cmd
         ;; Got answer:
         ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37906
         ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 1

         ;; OPT PSEUDOSECTION:
         ; EDNS: version: 0, flags:; udp: 1232
         ;; QUESTION SECTION:
         ;com. IN NS

         ;; ANSWER SECTION:
         com. 86400 IN NS g.gtld-servers.net.
         com. 86400 IN NS a.gtld-servers.net.
         com. 86400 IN NS e.gtld-servers.net.
         com. 86400 IN NS d.gtld-servers.net.
         com. 86400 IN NS j.gtld-servers.net.
         com. 86400 IN NS k.gtld-servers.net.
         com. 86400 IN NS c.gtld-servers.net.
         com. 86400 IN NS f.gtld-servers.net.
         com. 86400 IN NS l.gtld-servers.net.
         com. 86400 IN NS b.gtld-servers.net.
         com. 86400 IN NS m.gtld-servers.net.
         com. 86400 IN NS i.gtld-servers.net.
         com. 86400 IN NS h.gtld-servers.net.

         ;; Query time: 88 msec
         ;; SERVER: 213.186.33.99#53(213.186.33.99)
         ;; WHEN: Fri Jul 30 12:43:11 EDT 2021
         ;; MSG SIZE rcvd: 256

         root@mail:/etc/bind# dig ns radicalcomputingconcepts.com @e.gtld-servers.net

         ; <<>> DiG 9.11.5-P4-5.1+deb10u5-Debian <<>> ns radicalcomputingconcepts.com @e.gtld-servers.net
         ;; global options: +cmd
         ;; Got answer:
         ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57187
         ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 3
         ;; WARNING: recursion requested but not available

         ;; OPT PSEUDOSECTION:
         ; EDNS: version: 0, flags:; udp: 4096
         ;; QUESTION SECTION:
         ;radicalcomputingconcepts.com. IN NS

         ;; AUTHORITY SECTION:
         radicalcomputingconcepts.com. 172800 IN NS ns1.radicalcomputingconcepts.com.
         radicalcomputingconcepts.com. 172800 IN NS ns2.radicalcomputingconcepts.com.

         ;; ADDITIONAL SECTION:
         ns1.radicalcomputingconcepts.com. 172800 IN A 149.56.97.154
         ns2.radicalcomputingconcepts.com. 172800 IN A 96.81.53.27

         ;; Query time: 68 msec
         ;; SERVER: 2001:502:1ca1::30#53(2001:502:1ca1::30)
         ;; WHEN: Fri Jul 30 12:44:09 EDT 2021
         ;; MSG SIZE rcvd: 125
  9. I added a domain in froxlor control panel for radicalcomputingconcepts.com. The zone file looks like this:

         $TTL 600
         $ORIGIN radicalcomputingconcepts.com.
         @ 600 IN SOA ns1.radicalcomputingconcepts.com. steve.keystonedesign.com. 2021073002 3600 900 604800 600
         @ 600 IN A 149.56.97.154
         www 600 IN A 149.56.97.154
         @ 600 IN NS ns1.radicalcomputingconcepts.com.
         @ 600 IN NS ns2.radicalcomputingconcepts.com.

     running named-checkzone yields:

         named-checkzone radicalcomputingconepts.com /etc/bind/domains/radicalcomputingconcepts.com.zone
         /etc/bind/domains/radicalcomputingconcepts.com.zone:3: ignoring out-of-zone data (radicalcomputingconcepts.com)
         /etc/bind/domains/radicalcomputingconcepts.com.zone:5: ignoring out-of-zone data (radicalcomputingconcepts.com)
         /etc/bind/domains/radicalcomputingconcepts.com.zone:6: ignoring out-of-zone data (www.radicalcomputingconcepts.com)
         /etc/bind/domains/radicalcomputingconcepts.com.zone:7: ignoring out-of-zone data (radicalcomputingconcepts.com)
         /etc/bind/domains/radicalcomputingconcepts.com.zone:8: ignoring out-of-zone data (radicalcomputingconcepts.com)
         /etc/bind/domains/radicalcomputingconcepts.com.zone:12: ignoring out-of-zone data (mail.radicalcomputingconcepts.com)
         /etc/bind/domains/radicalcomputingconcepts.com.zone:13: ignoring out-of-zone data (mail.radicalcomputingconcepts.com)
         zone radicalcomputingconepts.com/IN: has 0 SOA records
         zone radicalcomputingconepts.com/IN: has no NS records
         zone radicalcomputingconepts.com/IN: not loaded due to errors.

     I can find no documentation on the Froxlor site nor in the forums on configuration of GLUE records...please advise
  10. I've installed ipv6 information into my network interfaces and eliminated the bind errors in syslog. From an external host, name resolution fails for the primary domain, the domain specified in the system settings, and dig responses are missing answer sections:

      syslog:

          Restarting bind9 (via systemctl): bind9.service.
          root@mail:/home/steve# tail -f /var/log/syslog
          Jul 29 18:11:27 mail named[6374]: zone flatironscannabis.com/IN: sending notifies (serial 2021072900)
          Jul 29 18:11:27 mail named[6374]: zone jaith.net/IN: sending notifies (serial 2021072900)
          Jul 29 18:11:27 mail named[6374]: zone mailinglist.boulevardbread.com/IN: sending notifies (serial 2021072900)
          Jul 29 18:11:27 mail named[6374]: zone ragustudio.com/IN: sending notifies (serial 2021072900)
          Jul 29 18:11:27 mail named[6374]: zone oddballsinvitations.net/IN: sending notifies (serial 2021072900)
          Jul 29 18:11:27 mail named[6374]: zone boulevardbread.com/IN: sending notifies (serial 2021072900)
          Jul 29 18:11:27 mail named[6374]: managed-keys-zone: Key 20326 for zone . acceptance timer complete: key now trusted
          Jul 29 18:11:27 mail named[6374]: resolver priming query complete

      external host resolution:

          ping mail.radicalcomputingconcepts.com
          ping: cannot resolve mail.radicalcomputingconcepts.com: Unknown host
          ping radicalcomputingconcepts.com
          ping: cannot resolve radicalcomputingconcepts.com: Unknown host

      zone files for hosts that are failing resolution:

          $TTL 600
          $ORIGIN radicalcomputingconcepts.com.
          @ 600 IN SOA ns1.radicalcomputingconcepts.com. steve.keystonedesign.com. 2021072901 3600 900 604800 600
          @ 600 IN A 149.56.97.154
          www 600 IN A 149.56.97.154
          @ 600 IN NS ns1.radicalcomputingconcepts.com.
          @ 600 IN NS ns2.radicalcomputingconcepts.com.

          $TTL 600
          $ORIGIN mail.radicalcomputingconcepts.com.
          @ 600 IN SOA ns1.radicalcomputingconcepts.com. steve.keystonedesign.com. 2021072901 3600 900 604800 600
          @ 600 IN A 149.56.97.154
          @ 600 IN NS ns1.radicalcomputingconcepts.com.
          @ 600 IN NS ns2.radicalcomputingconcepts.com.
          @ 600 IN CAA 0 issue "letsencrypt.org"

      missing answer sections from dig:

          dig radicalcomputingconcepts.com

          ; <<>> DiG 9.11.5-P4-5.1+deb10u5-Debian <<>> radicalcomputingconcepts.com
          ;; global options: +cmd
          ;; Got answer:
          ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 31804
          ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

          ;; OPT PSEUDOSECTION:
          ; EDNS: version: 0, flags:; udp: 4096
          ; COOKIE: e05667de07e9c60614b1b8ed610328e82bba2257178535e9 (good)
          ;; QUESTION SECTION:
          ;radicalcomputingconcepts.com. IN A

          ;; Query time: 0 msec
          ;; SERVER: 127.0.0.1#53(127.0.0.1)
          ;; WHEN: Thu Jul 29 18:17:12 EDT 2021
          ;; MSG SIZE rcvd: 85
  11. It appears I still had ipv6 enabled. I disabled it by adding

          GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=1"
          GRUB_CMDLINE_LINUX="ipv6.disable=1"

      to /etc/default/grub and restarting. Upon restart, postfix is broken and cannot authenticate via SASL:

          warning: SASL: Connect to private/auth failed: Connection refused
          Jul 29 15:07:01 mail postfix/smtpd[1490]: fatal: no SASL authentication mechanisms
          Jul 29 15:07:01 mail postfix/master[1147]: warning: process /usr/lib/postfix/sbin/smtpd pid 1481 exit status 1
          Jul 29 15:07:01 mail postfix/master[1147]: warning: /usr/lib/postfix/sbin/smtpd: bad command startup -- throttling
          Jul 29 15:07:01 mail postfix/master[1147]: warning: process /usr/lib/postfix/sbin/smtpd pid 1482 exit status 1
          Jul 29 15:07:01 mail postfix/master[1147]: warning: process /usr/lib/postfix/sbin/smtpd pid 1483 exit status 1

      I appear to have a conflict with Bind9 and IPv6? Please advise
  12. I've got a Froxlor install on Debian Buster configured with Bind9 as an authoritative nameserver and I'm experiencing missing information in the dig results.

          dig ns1.radicalcomputingconcepts.com

          ; <<>> DiG 9.10.6 <<>> ns2.radicalcomputingconcepts.com
          ;; global options: +cmd
          ;; Got answer:
          ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 27849
          ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

          ;; OPT PSEUDOSECTION:
          ; EDNS: version: 0, flags:; udp: 512
          ;; QUESTION SECTION:
          ;ns2.radicalcomputingconcepts.com. IN A

          ;; Query time: 94 msec
          ;; SERVER: 2001:558:feed::1#53(2001:558:feed::1)
          ;; WHEN: Wed Jul 28 17:35:38 MDT 2021
          ;; MSG SIZE rcvd: 61

      =============

      Prior to installing Bind9 I had DjbDns installed and results looked like this:

          dig ns1.radicalcomputingconcepts.com

          ; <<>> DiG 9.10.6 <<>> ns1.radicalcomputingconcepts.com
          ;; global options: +cmd
          ;; Got answer:
          ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17268
          ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

          ;; QUESTION SECTION:
          ;ns1.radicalcomputingconcepts.com. IN A

          ;; ANSWER SECTION:
          ns1.radicalcomputingconcepts.com. 86339 IN A 149.56.97.154
          ns1.radicalcomputingconcepts.com. 86339 IN A 149.56.97.154

          ;; Query time: 85 msec
          ;; SERVER: 2603:300b:7d6:1800:82b2:34ff:fe4b:1789#53(2603:300b:7d6:1800:82b2:34ff:fe4b:1789)
          ;; WHEN: Wed Jul 28 17:37:23 MDT 2021
          ;; MSG SIZE rcvd: 82

      ===================

      Further irregularities occur as the parent domain to the NS is not responsive to DNS lookups and ping attempts:

          ping radicalcomputingconcepts.com
          ping: cannot resolve radicalcomputingconcepts.com: Unknown host

      AND the domain of my froxlor server as set in the system settings also becomes unresponsive as well

          ping mail.radicalcomputingconcepts.com
          ping: cannot resolve mail.radicalcomputingconcepts.com: Unknown host

      There is nothing unusual about the Bind installation and all the services have been configured according to the templates
  13. Has anyone put together a version of /lib/Froxlor/Dns/Dns.php or DnsBase.php that alters the construction of $selector or $domain that would enable a reformatting of the keys in /etc/postfix/dkim to an OpenDkim suitable KeyTable formula?
  14. Yes, I configured opendkim and have located the /etc/postfix/KeyTable file as the file to correctly change the path to the key files generated by Froxlor. The issue now remains that the formatting of the path in the KeyTable doesn't readily jive with Froxlor's selector._domainkey.domain.dom style. Effectively, Froxlor formulates the domain_id into the selector. I'm wondering if it might make more sense to use Rspamd since their path formatting relies on $domain and $selector variables rather than a uniform key formula. Or, perhaps try to store the path names in a database? Yes, I can see connection in the log files, but not to the correct path where the Froxlor generated keys exist.
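The two named-checkzone results quoted in posts 8 and 9 (every record reported as out-of-zone data when the zone name on the command line is misspelled, then "has no address records" for ns1/ns2 once the name is right) can be reproduced offline with the checker below. It is an added example written for this page, not Froxlor's or BIND's code; the zone text is constructed from the zone file quoted in post 9 and the ns2 address is taken from the dig output in post 8.

```python
"""Offline reproduction of the named-checkzone complaints in posts 8 and 9: out-of-zone
data when the command-line zone name differs from $ORIGIN, a missing SOA/NS at the apex,
and in-zone NS names without A/AAAA (glue) records."""

# Constructed sample, copied from the zone file quoted in post 9.
SAMPLE_ZONE = """\
$TTL 600
$ORIGIN radicalcomputingconcepts.com.
@ 600 IN SOA ns1.radicalcomputingconcepts.com. steve.keystonedesign.com. 2021073002 3600 900 604800 600
@ 600 IN A 149.56.97.154
www 600 IN A 149.56.97.154
@ 600 IN NS ns1.radicalcomputingconcepts.com.
@ 600 IN NS ns2.radicalcomputingconcepts.com.
"""
# Same zone plus in-zone glue for both nameservers (ns2 address from the post-8 dig output).
FIXED_ZONE = SAMPLE_ZONE + "ns1 600 IN A 149.56.97.154\nns2 600 IN A 96.81.53.27\n"


def _fqdn(name, origin):
    """Expand a zone-file name to an absolute, lowercase, dot-terminated name."""
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def _in_zone(name, zone):
    return name == zone or name.endswith("." + zone)


def check_zone(zone_name, text):
    """Return the list of problems named like named-checkzone does; [] means the zone loads."""
    zone = zone_name.lower().rstrip(".") + "."
    origin, owner, records, problems = zone, zone, [], []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()  # strip comments
        if not line.strip():
            continue
        toks = line.split()
        if toks[0].startswith("$"):  # $ORIGIN / $TTL directives
            if toks[0] == "$ORIGIN":
                origin = _fqdn(toks[1], origin)
            continue
        if not line[0].isspace():  # leading blank means "same owner as the previous record"
            owner = _fqdn(toks.pop(0), origin)
        while toks and (toks[0].isdigit() or toks[0].upper() == "IN"):
            toks.pop(0)  # optional TTL and class
        rtype, rdata = toks[0].upper(), toks[1:]
        if not _in_zone(owner, zone):  # named-checkzone ignores data outside the named zone
            problems.append(f"out-of-zone data ({owner.rstrip('.')})")
            continue
        records.append((owner, rtype, rdata))
    if not any(o == zone and t == "SOA" for o, t, _ in records):
        problems.append("has 0 SOA records")
    ns_targets = [_fqdn(r[0], origin) for o, t, r in records if o == zone and t == "NS"]
    if not ns_targets:
        problems.append("has no NS records")
    has_addr = {o for o, t, _ in records if t in ("A", "AAAA")}
    for ns in ns_targets:  # in-zone nameservers need glue; out-of-zone ones are resolved elsewhere
        if _in_zone(ns, zone) and ns not in has_addr:
            problems.append(f"NS '{ns.rstrip('.')}' has no address records (A or AAAA)")
    return problems
```

Running check_zone("radicalcomputingconepts.com", SAMPLE_ZONE) gives the post-9 output and check_zone("radicalcomputingconcepts.com", SAMPLE_ZONE) the post-8 output; only FIXED_ZONE returns an empty list.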