Monday, October 10, 2022
support@conference.yunohost.org
[04:41:16] <nicfab[m]> https://aria.im/_matrix/media/v1/download/matrix.nicfab.it/DGndJJHUJarPhZrtdwUswFgh
[04:42:09] <nicfab[m]> If I click on Confirm Security Exception it appears the message as in the following image
[04:42:13] <nicfab[m]> https://aria.im/_matrix/media/v1/download/matrix.nicfab.it/gwabkBDqeqafrMHNPxHwjttT
[04:42:32] <nicfab[m]> Hello!
Now it seems to be ok.
However, I am doing some tests with the email (sending and receiving), and on Thunderbird, I receive the alert related to the certificate as you can see from the image I attach.
Is there any solution?
[04:45:29] <nicfab[m]> Hello!
Now it seems to be ok with the ports.
I also succeeded in configuring the account email in Thunderbird.
However, I am doing some tests with the email (sending and receiving), and on Thunderbird, I receive the alert related to the certificate, as you can see from the image I attached.
Is there any solution?
[06:07:52] <nicfab[m]> I can receive emails, but I cannot send emails from the yuno account.
From **Services/dovecot/logs** `journalctl` I see:

```
-- Journal begins at Sat 2022-10-08 19:38:57 CEST, ends at Mon 2022-10-10 08:01:20 CEST. --
Oct 10 07:57:48 imap[7470]: antispam: pipe backend program = /usr/bin/rspamc
Oct 10 07:57:48 imap[7470]: antispam: pipe backend program arg[0] = -h
Oct 10 07:57:48 imap[7470]: antispam: pipe backend program arg[1] = localhost:11334
Oct 10 07:57:48 imap[7470]: antispam: pipe backend program arg[2] = -P
Oct 10 07:57:48 imap[7470]: antispam: pipe backend program arg[3] = q1
Oct 10 07:57:48 imap[7470]: antispam: pipe backend tmpdir /tmp
Oct 10 07:57:48 dovecot[6279]: imap(nicfab)<7470><OJ3Y1qfqE8Fdl/tp>: Connection closed (NOOP finished 0.011 secs ago) in=261 out=2135 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
Oct 10 07:58:02 dovecot[6279]: imap-login: Login: user=<nicfab>, method=PLAIN, rip=93.151.251.105, lip=192.168.1.21, mpid=7472, TLS, session=<wZmn16fqf8Fdl/tp>
Oct 10 07:58:02 imap[7472]: antispam: plugin initialising (2.0-notgit)
Oct 10 07:58:02 imap[7472]: antispam: "Junk" is exact match spam folder
Oct 10 07:58:02 imap[7472]: antispam: "SPAM" is exact match spam folder
Oct 10 07:58:02 imap[7472]: antispam: no unsure folders
Oct 10 07:58:02 imap[7472]: antispam: "Trash" is exact match trash folder
Oct 10 07:58:02 imap[7472]: antispam: pipe backend spam argument = learn_spam
Oct 10 07:58:02 imap[7472]: antispam: pipe backend not-spam argument = learn_ham
Oct 10 07:58:02 imap[7472]: antispam: pipe backend program = /usr/bin/rspamc
Oct 10 07:58:02 imap[7472]: antispam: pipe backend program arg[0] = -h
Oct 10 07:58:02 imap[7472]: antispam: pipe backend program arg[1] = localhost:11334
Oct 10 07:58:02 imap[7472]: antispam: pipe backend program arg[2] = -P
Oct 10 07:58:02 imap[7472]: antispam: pipe backend program arg[3] = q1
Oct 10 07:58:02 imap[7472]: antispam: pipe backend tmpdir /tmp
Oct 10 07:58:07 dovecot[6279]: imap(nicfab)<7472><wZmn16fqf8Fdl/tp>: Connection closed (UID FETCH finished 5.857 secs ago) in=184 out=1303 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
Oct 10 07:58:08 dovecot[6279]: imap-login: Login: user=<nicfab>, method=PLAIN, rip=93.151.251.105, lip=192.168.1.21, mpid=7474, TLS, session=<BBoD2KfqoMFdl/tp>
Oct 10 07:58:08 imap[7474]: antispam: plugin initialising (2.0-notgit)
Oct 10 07:58:08 imap[7474]: antispam: "Junk" is exact match spam folder
Oct 10 07:58:08 imap[7474]: antispam: "SPAM" is exact match spam folder
Oct 10 07:58:08 imap[7474]: antispam: no unsure folders
Oct 10 07:58:08 imap[7474]: antispam: "Trash" is exact match trash folder
Oct 10 07:58:08 imap[7474]: antispam: pipe backend spam argument = learn_spam
Oct 10 07:58:08 imap[7474]: antispam: pipe backend not-spam argument = learn_ham
Oct 10 07:58:08 imap[7474]: antispam: pipe backend program = /usr/bin/rspamc
Oct 10 07:58:08 imap[7474]: antispam: pipe backend program arg[0] = -h
Oct 10 07:58:08 imap[7474]: antispam: pipe backend program arg[1] = localhost:11334
Oct 10 07:58:08 imap[7474]: antispam: pipe backend program arg[2] = -P
Oct 10 07:58:08 imap[7474]: antispam: pipe backend program arg[3] = q1
Oct 10 07:58:08 imap[7474]: antispam: pipe backend tmpdir /tmp
Oct 10 07:59:57 dovecot[6279]: imap-login: Login: user=<nicfab>, method=PLAIN, rip=93.151.251.105, lip=192.168.1.21, mpid=7493, TLS, session=<KOaM3qfqJ8Jdl/tp>
Oct 10 07:59:57 imap[7493]: antispam: plugin initialising (2.0-notgit)
Oct 10 07:59:57 imap[7493]: antispam: "Junk" is exact match spam folder
Oct 10 07:59:57 imap[7493]: antispam: "SPAM" is exact match spam folder
Oct 10 07:59:57 imap[7493]: antispam: no unsure folders
Oct 10 07:59:57 imap[7493]: antispam: "Trash" is exact match trash folder
Oct 10 07:59:57 imap[7493]: antispam: pipe backend spam argument = learn_spam
Oct 10 07:59:57 imap[7493]: antispam: pipe backend not-spam argument = learn_ham
Oct 10 07:59:57 imap[7493]: antispam: pipe backend program = /usr/bin/rspamc
Oct 10 07:59:57 imap[7493]: antispam: pipe backend program arg[0] = -h
Oct 10 07:59:57 imap[7493]: antispam: pipe backend program arg[1] = localhost:11334
Oct 10 07:59:57 imap[7493]: antispam: pipe backend program arg[2] = -P
Oct 10 07:59:57 imap[7493]: antispam: pipe backend program arg[3] = q1
Oct 10 07:59:57 imap[7493]: antispam: pipe backend tmpdir /tmp
```
And from `/var/log/mail.log` I see:

```
Oct 10 07:57:43 yuno dovecot: imap(nicfab)<7379><d/jopqfqpfxdl/tp>: Logged out in=901 out=20893 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=3 body_bytes=16820
Oct 10 07:57:47 yuno dovecot: imap-login: Login: user=<nicfab>, method=PLAIN, rip=93.151.251.105, lip=192.168.1.21, mpid=7468, TLS, session=<n9TP1qfqAcFdl/tp>
Oct 10 07:57:48 yuno dovecot: imap(nicfab)<7468><n9TP1qfqAcFdl/tp>: Logged out in=420 out=2657 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
Oct 10 07:57:48 yuno dovecot: imap-login: Login: user=<nicfab>, method=PLAIN, rip=93.151.251.105, lip=192.168.1.21, mpid=7470, TLS, session=<OJ3Y1qfqE8Fdl/tp>
Oct 10 07:57:48 yuno dovecot: imap(nicfab)<7470><OJ3Y1qfqE8Fdl/tp>: Connection closed (NOOP finished 0.011 secs ago) in=261 out=2135 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
Oct 10 07:58:02 yuno dovecot: imap-login: Login: user=<nicfab>, method=PLAIN, rip=93.151.251.105, lip=192.168.1.21, mpid=7472, TLS, session=<wZmn16fqf8Fdl/tp>
Oct 10 07:58:07 yuno dovecot: imap(nicfab)<7472><wZmn16fqf8Fdl/tp>: Connection closed (UID FETCH finished 5.857 secs ago) in=184 out=1303 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
Oct 10 07:58:08 yuno dovecot: imap-login: Login: user=<nicfab>, method=PLAIN, rip=93.151.251.105, lip=192.168.1.21, mpid=7474, TLS, session=<BBoD2KfqoMFdl/tp>
Oct 10 07:59:03 yuno postfix/submission/smtpd[7477]: connect from net-93-151-251-105.cust.vodafonedsl.it[93.151.251.105]
Oct 10 07:59:03 yuno postfix/submission/smtpd[7477]: Anonymous TLS connection established from net-93-151-251-105.cust.vodafonedsl.it[93.151.251.105] to yuno.nicfab.eu: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Oct 10 07:59:26 yuno postfix/submission/smtpd[7477]: 3A61C461771: client=net-93-151-251-105.cust.vodafonedsl.it[93.151.251.105], sasl_method=PLAIN, sasl_username=nicfab
Oct 10 07:59:26 yuno postsrsd[7484]: srs_forward: <nicfab@yuno.nicfab.eu> not rewritten: Domain excluded by policy
Oct 10 07:59:26 yuno postfix/cleanup[7483]: 3A61C461771: message-id=<37430591-1892-41A8-ADD9-2F5A19D63C4C@yuno.nicfab.eu>
Oct 10 07:59:26 yuno postfix/qmgr[6251]: 3A61C461771: from=<nicfab@yuno.nicfab.eu>, size=2376, nrcpt=1 (queue active)
Oct 10 07:59:29 yuno postfix/smtp[7486]: Trusted TLS connection established to mail.fabiano.law[35.152.33.230]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)
Oct 10 07:59:29 yuno postfix/smtp[7486]: 3A61C461771: to=<nicola@fabiano.law>, relay=mail.fabiano.law[35.152.33.230]:25, delay=3.3, delays=0.35/0.02/2.8/0.13, dsn=5.7.1, status=bounced (host mail.fabiano.law[35.152.33.230] said: 550 5.7.1 Service unavailable; client [93.151.251.105] blocked using zen.spamhaus.org (in reply to RCPT TO command))
Oct 10 07:59:29 yuno postsrsd[7484]: srs_forward: <""> not rewritten: No at sign in sender address
Oct 10 07:59:29 yuno postfix/cleanup[7483]: 7FA754617EC: message-id=<20221010055929.7FA754617EC@yuno.nicfab.eu>
Oct 10 07:59:29 yuno postfix/qmgr[6251]: 7FA754617EC: from=<>, size=4820, nrcpt=2 (queue active)
Oct 10 07:59:29 yuno postfix/bounce[7487]: 3A61C461771: sender non-delivery notification: 7FA754617EC
Oct 10 07:59:29 yuno postfix/qmgr[6251]: 3A61C461771: removed
Oct 10 07:59:30 yuno dovecot: lda(nicfab@yuno.nicfab.eu)<7490><3NQVJsG0Q2NCHQAAW2KlYw>: sieve: msgid=<20221010055929.7FA754617EC@yuno.nicfab.eu>: stored mail into mailbox 'INBOX'
Oct 10 07:59:30 yuno postfix/pipe[7488]: 7FA754617EC: to=<nicfab@yuno.nicfab.eu>, relay=dovecot, delay=0.61, delays=0.09/0.01/0/0.52, dsn=2.0.0, status=sent (delivered via dovecot service)
Oct 10 07:59:34 yuno postfix/smtp[7486]: Trusted TLS connection established to mail.fabiano.law[35.152.33.230]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)
Oct 10 07:59:34 yuno postfix/smtp[7486]: 7FA754617EC: to=<system@fabiano.law>, orig_to=<nicfab@yuno.nicfab.eu>, relay=mail.fabiano.law[35.152.33.230]:25, delay=5.1, delays=0.09/4.5/0.31/0.13, dsn=5.7.1, status=bounced (host mail.fabiano.law[35.152.33.230] said: 550 5.7.1 Service unavailable; client [93.151.251.105] blocked using zen.spamhaus.org (in reply to RCPT TO command))
Oct 10 07:59:34 yuno postfix/qmgr[6251]: 7FA754617EC: removed
Oct 10 07:59:56 yuno postfix/submission/smtpd[7477]: disconnect from net-93-151-251-105.cust.vodafonedsl.it[93.151.251.105] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=8
Oct 10 07:59:57 yuno dovecot: imap-login: Login: user=<nicfab>, method=PLAIN, rip=93.151.251.105, lip=192.168.1.21, mpid=7493, TLS, session=<KOaM3qfqJ8Jdl/tp>
```

I understand that there is an issue related to the reverse DNS.
Is that so, or is there anything else?
[06:32:12] <nicfab[m]> I think that - apart from the reverse DNS - there is also something else that blocks sending emails.
[06:39:15] <nicfab[m]> It seems to be working fine now because I am using another client email.
The issue was related to the blacklisted IP, which I removed.
However, I continue having the same issue on Thunderbird.
Any suggestion?
[08:23:16] <Fritjof> How do I find /bl-themes/ to upload a bludit theme to via ssh on my YNH VPS?
[09:03:23] <Guillaume Bouzige> > <@nic:matrix.nicfab.it> It seems to be working fine now because I am using another client email.
> The issue was related to the blacklisted IP, which I removed
> However, I continue having the same issue on Thunderbird.
> Any suggestion?

I had a similar issue but I'm not sure exactly how I sorted this out. I remember there is a security documentation page on the yunohost docs that gives you a command to use the latest security cert standard. You might want to try that
[09:04:32] <Guillaume Bouzige> > I had a similar issue but I'm not sure exactly how I sorted this out. I remember there is a security documentation page on the yunohost docs that gives you a command to use the latest security cert standard. You might want to try that

if you have already verified that the domain you are using with email has the correct DNS params and certificates generated by LE
[09:28:44] <nicfab[m]> > I had a similar issue but I'm not sure exactly how I sorted this out. I remember there is a security documentation page on the yunohost docs that gives you a command to use the latest security cert standard. You might want to try that

Thank you. I did a deep search on the yunohost documentation, but I didn't find any useful resources related to my case.
I would be grateful if you provide me with any useful resources.
[09:30:48] <Guillaume Bouzige> > <@nic:matrix.nicfab.it> Thank you. I did a deep search on the yunohost documentation, but I didn't find any useful resources related to my case.
> I would be grateful if you provide me with any useful resources.

https://yunohost.org/en/security
[09:31:03] <Guillaume Bouzige> > <@nic:matrix.nicfab.it> Thank you. I did a deep search on the yunohost documentation, but I didn't find any useful resources related to my case.
> I would be grateful if you provide me with any useful resources.

https://yunohost.org/en/security#change-cipher-compatibili
[09:31:18] <Guillaume Bouzige> this `sudo yunohost settings set security.nginx.compatibility -v modern`
[09:44:00] <chen> nj
[09:45:04] <nicfab[m]> > this `sudo yunohost settings set security.nginx.compatibility -v modern`

Thank you. I did it but nothing changed on the Thunderbird side
[09:45:40] <Guillaume Bouzige> have you made sure the certificate has been correctly generated by Let's Encrypt?
[09:47:08] <Guillaume Bouzige> if it is a new domain you must run the diagnosis in order to generate the certificate
[09:49:54] <nicfab[m]> > have you made sure the certificate has been correctly generated by Let's Encrypt?

Now I cannot reach the domain.
Error 502 nginx
[09:50:27] <Guillaume Bouzige> well here is your issue to solve !
[09:50:45] <Guillaume Bouzige> have you configured your DNS provider accordingly ?
[09:53:47] <nicfab[m]> The DNSs are all ok, and it worked till some minutes ago.
I am starting to go crazy, and I am deciding to remove everything
[09:54:10] <Guillaume Bouzige> no, be careful with DNS
[09:54:18] <Guillaume Bouzige> the changes are never instantaneous
[09:54:34] <nicfab[m]> I didn't change the DNSs
[09:54:49] <Guillaume Bouzige> your install was already setup and working previously ?
[09:56:36] <nicfab[m]> > your install was already setup and working previously ?

Yes. Now from Firefox I see

`Error code: SSL_ERROR_BAD_CERT_DOMAIN`
[09:57:00] <Guillaume Bouzige> have you run the diagnosis page and what are the results ?
[10:00:02] <nicfab[m]> Now I see from the logs:

```
2022/10/10 11:58:52 [error] 27666#27666: *1 SSL_do_handshake() failed (SSL: error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:SSL alert number 70) while SSL handshaking to upstream, client: 93.151.251.105, server: yuno.nicfab.eu, request: "GET /favicon.ico HTTP/2.0", upstream: "https://192.168.1.21:443/favicon.ico", host: "yuno.nicfab.eu", referrer: "https://yuno.nicfab.eu/"
```


[10:01:19] <Guillaume Bouzige> check this https://www.whatsmydns.net/#A/yuno.nicfab.eu
[10:01:47] <nicfab[m]> The DNSs are correct and working
[10:02:01] <nicfab[m]> I think that there is some issue on the yuno machine
[10:02:16] <Guillaume Bouzige> you sure you haven't been modifying anything lately ?
[10:02:50] <Guillaume Bouzige> > have you run the diagnosis page and what are the results ?

nicfab: have you
[10:04:16] <nicfab[m]> > you sure you haven't been modifying anything lately ?

My configuration is the following:
- A firewall => correctly set
- A VM that redirects the requests to the other VM on the server => correctly configured NGINX with the proxy server to the Yuno VM and also the SSL certificates
- Yuno server
[10:04:52] <nicfab[m]> All the other services (VM) I have on that server work fine
[10:05:01] <Guillaume Bouzige> I see
[10:05:19] <Guillaume Bouzige> only email is not working?
[10:06:55] <nicfab[m]> The following NGINX error is on the VM that redirects requests

```
2022/10/10 12:05:22 [error] 27721#27721: *4 SSL_do_handshake() failed (SSL: error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:SSL alert number 70) while SSL handshaking to upstream, client: 93.151.251.105, server: yuno.nicfab.eu, request: "GET /favicon.ico HTTP/2.0", upstream: "https://192.168.1.21:443/favicon.ico", host: "yuno.nicfab.eu", referrer: "https://yuno.nicfab.eu/"
```

[10:07:43] <Guillaume Bouzige> > <@nic:matrix.nicfab.it> sent an image.

if you view the certificate here you might know where the problem stand
[10:08:56] <Guillaume Bouzige> > <@nic:matrix.nicfab.it> The following NGINX error is on the VM that redirects requests
>
> ```
> 2022/10/10 12:05:22 [error] 27721#27721: *4 SSL_do_handshake() failed (SSL: error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:SSL alert number 70) while SSL handshaking to upstream, client: 93.151.251.105, server: yuno.nicfab.eu, request: "GET /favicon.ico HTTP/2.0", upstream: "https://192.168.1.21:443/favicon.ico", host: "yuno.nicfab.eu", referrer: "https://yuno.nicfab.eu/"
> ```

this sounds like a protocol version error
[10:09:24] <c> nicfab[m], that error is just for HTTP; also, if your reverse proxy is on the same machine there is no need for TLS in the upstream
[10:10:06] <c> "view" certificate in thunderbird or another client will tell you more
[10:15:05] <nicfab[m]> Nothing 502
[10:15:31] <c> 502 is an HTTP error code, not email?
[10:16:50] <c> https://aria.im/_matrix/media/v1/download/matrix.nicfab.it/DGndJJHUJarPhZrtdwUswFgh
^ on this screen click "view"
[10:20:11] <nicfab[m]> > <c> https://aria.im/_matrix/media/v1/download/matrix.nicfab.it/DGndJJHUJarPhZrtdwUswFgh
> ^ on this screen click "view"

I see the attached
[10:20:16] <nicfab[m]> https://aria.im/_matrix/media/v1/download/matrix.nicfab.it/tLdLGUqdZoqRrKIHsKkVjeTZ
[10:20:17] <Guillaume Bouzige> but if you store the exception you won't see it again
[10:21:50] <c> looks correct but self-generated... did you generate letsencrypt?
maybe systemctl restart postfix dovecot
[10:22:09] <c> to find the new certificate
[10:22:12] <nicfab[m]> Anyway, the email work. The issue is on NGINX
[10:22:35] <nicfab[m]> > <c> looks correct but self generation... did you generate letsencrypt?
> maybe systemctl restart postfix dovecot

I followed the instructions
[10:23:00] <c> certificate valid until 2032 means it's not letsencrypt... maybe the email server was not restarted automatically
[10:23:22] <c> what issue on nginx?
[10:24:43] <nicfab[m]> > <c> what issue on nginx?

502 and the following

```
2022/10/10 12:16:50 [error] 27974#27974: *1 SSL_do_handshake() failed (SSL: error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:SSL alert number 70) while SSL handshaking to upstream, client: 93.151.251.105, server: yuno.nicfab.eu, request: "GET /favicon.ico HTTP/2.0", upstream: "https://192.168.1.21:443/favicon.ico", host: "yuno.nicfab.eu", referrer: "https://yuno.nicfab.eu/"
```

[10:25:31] <c> show your reverse proxy config
[10:26:44] <c> (or maybe check the service status for the yunohost-api service on yunohost.. restart if dead?)
[10:27:08] <nicfab[m]> > <c> (or maybe check the service status for the yunohost-api service on yunohost.. restart if dead?)

How can I restart yunohost?
[10:27:46] <c> the systemd service is yunohost-api (if that is problem)
[10:28:36] <c> is that your first time doing sysadmin? if yes, it's 100% easier to install yunohost directly on hardware, not inside a VM (it was not made for this)
[10:29:03] <nicfab[m]> > <c> is that your first time doing sysadmin? if yes, it's 100% easier to install yunohost directly on hardware, not inside a VM (it was not made for this)

Yes 😀
Already done
[10:29:34] <c> so what is your ubuntu reverse proxy config? :)
[10:29:37] <nicfab[m]> Sorry, no, it's not the first time 🙂
[10:30:11] <nicfab[m]> > <c> so what is your ubuntu reverse proxy config? :)

```
server {
server_name yuno.nicfab.eu;

location / {
proxy_pass https://192.168.1.21;

proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host yuno.nicfab.eu;
proxy_ssl_server_name on;
# proxy_set_header Host $host;
# proxy_http_version 1.1;
# proxy_set_header Upgrade $http_upgrade;
# proxy_set_header Connection "upgrade";
}

listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/yuno.nicfab.eu/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/yuno.nicfab.eu/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
if ($host = yuno.nicfab.eu) {
return 301 https://$host$request_uri;
} # managed by Certbot


listen 80;

server_name yuno.nicfab.eu;
return 404; # managed by Certbot

}
```

[10:30:48] <nicfab[m]> > <c> so what is your ubuntu reverse proxy config? :)

```
server {
server_name yuno.nicfab.eu;

location / {
proxy_pass https://192.168.1.21;

proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host yuno.nicfab.eu;
proxy_ssl_server_name on;
# proxy_set_header Host $host;
# proxy_http_version 1.1;
# proxy_set_header Upgrade $http_upgrade;
# proxy_set_header Connection "upgrade";
}

listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/yuno.nicfab.eu/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/yuno.nicfab.eu/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
if ($host = yuno.nicfab.eu) {
return 301 https://$host$request_uri;
} # managed by Certbot


listen 80;

server_name yuno.nicfab.eu;
return 404; # managed by Certbot

}
```

[10:32:29] <c> oO
[10:33:18] <c> you have 2 different certificates? 1 managed by yunohost, 1 managed by ubuntu? for the same domain?
[10:34:15] <nicfab[m]> > <c> you have 2 different certificates? 1 managed by yunohost 1 managed by ubuntu? for same domain?

Yes, because otherwise, the proxy pass doesn't work if there isn't a redirect to https.
[10:34:36] <c> or is /etc/letsencrypt/live/yuno.nicfab.eu/ bind-mounted inside the yuno VM?
[10:34:43] <c> ok...
[10:34:57] <c> wait a minute let me find documentation
[10:35:07] <nicfab[m]> > <c> wait a minute let me find documentation

Ok
[10:36:19] <c> do you need web services on the ubuntu host?
[10:36:57] <c> if not, the easiest is just a firewall rule to redirect ports 80/443 directly to yunohost and ALL PROBLEMS SOLVED
[10:37:08] <c> if yes, you need an SNI-aware reverse proxy
[10:37:20] <c> https://nginx.org/en/docs/stream/ngx_stream_proxy_module.html
[10:37:38] <c> (it goes in the stream block, not the server block in nginx conf)
[10:39:11] <c> errr sorry wrong doc page... this one is the one: https://nginx.org/en/docs/stream/ngx_stream_ssl_preread_module.html
[10:40:09] <c> but the SNI TLS header does not exist with all protocols, so if you want to install lots of things on yunohost it's not the best solution (works fine with HTTPS but not SSH/XMPP, for example)
[10:41:23] <c> and that's why sharing 1 IP for many servers/services is super advanced sysadmin ninjutsu, not "just start a VM in ubuntu and all is good"
[10:42:00] <nicfab[m]> > <c> and that's why sharing 1 IP for many servers/services is super advanced sysadmin ninjutsu, not "just start a VM in ubuntu and all is good"

So, what directive should I change or add?
[10:43:48] <c> your HTTP block should not 404 but reverse proxy to http://192.168...
your HTTPS block should not be a server block but a stream block with ssl_preread on
[10:44:13] <c> i don't remember all the details about this config, i just know it's possible and last time it took me some hours to find the correct config ^^
[10:45:29] <c> sorry i meant the server block should be in the stream context, not the http context
[10:46:46] <c> this method makes yunohost manage TLS; ubuntu doesn't decrypt, it just passes TLS requests for "yuno.nicfab.eu" to yunohost
[10:47:05] <c> buuuut if you don't need a web service on ubuntu it's much easier to just firewall-redirect traffic directly to the yuno VM
[10:48:02] <Guillaume Bouzige> > <@nic:matrix.nicfab.it> So, what directive should I change or add?

can't tell much, I use mainly Caddy and try to avoid NGINX when possible :/
[10:48:25] <c> Guillaume Bouzige, does caddy support an SNI-aware proxy?
[10:50:49] <Guillaume Bouzige> > <c> Guillaume Bouzige, does caddy support an SNI-aware proxy?

I am not enough SNI aware myself to tell but I have been very satisfied with Caddy
[10:52:42] <Guillaume Bouzige> all puns aside Caddy2 does support SNI aware proxy 🤓
[10:52:46] <nicfab[m]> Ok, I set the firewall to allow the Yuno VM http and https, and I removed the nginx conf on the other VM that usually redirects the requests.
Now I reach yuno, but Firefox shows me an alert on the certificate; I accepted it
[10:53:21] <nicfab[m]> https://aria.im/_matrix/media/v1/download/matrix.nicfab.it/OPplxZCcVOFBgyszGkBIIpxW
[10:53:33] <nicfab[m]> Is there any way to avoid it on the yunohost side?
[10:54:06] <nicfab[m]> If I click on Advanced I see
[10:54:10] <nicfab[m]> https://aria.im/_matrix/media/v1/download/matrix.nicfab.it/XHxxJNgYMhtefykNAmjmUdjo
[10:54:25] <nicfab[m]> So, there is something on the yunohost side
[10:55:00] <nicfab[m]> If I click on "View Certificate" I see that one I already posted
[10:55:16] <c> Guillaume Bouzige, https://github.com/mholt/caddy-l4
"If the HTTP Host is example.com or the TLS ServerName is example.com, then proxy to 192.168.0.4."
possible with plugin :)
[10:55:40] <c> nicfab[m], have you generated a letsencrypt certificate in yunohost?
[10:56:23] <c> in admin -> domains -> yuno.nicfab.eu -> manage SSL
[10:56:23] <nicfab[m]> > <c> nicfab[m], have you generated a letsencrypt certificate in yunohost?

Yes
[10:57:13] <c> ha now there is no HTTPS on yuno.nicfab.eu just HTTP!
[10:57:30] <c> you did not answer my question: do you need HTTP(S) services on the ubuntu host?
[10:57:58] <nicfab[m]> I see:

_This domain doesn't seem ready for a Let's Encrypt certificate. Please check your DNS configuration and HTTP server reachability. The 'DNS records' and 'Web' section in the diagnosis page can help you understand what is misconfigured._

Why?
[10:58:16] <nicfab[m]> The DNSs are ok. Mah !!
[10:58:17] <c> (my bad there is HTTPS)
[10:58:52] <nicfab[m]> What should I do?
[11:00:31] <c>
```
server {
    listen 80;
    server_name yuno.nicfab.eu;
    # proxy_pass is only valid inside a location block
    location / {
        proxy_pass http://192.168.1.21;
    }
}
```
^ so letsencrypt can find yunohost (your ubuntu nginx config did 404)
[11:06:47] <nicfab[m]> I run the diagnosis and it was ok
I installed the Let's encrypt certificate and the procedure was completed.
I continue seeing the alert and it seems like something else is needed on the yuno server.
What should I do?
[11:07:02] <nicfab[m]> > <c> server {
> listen 80;
> server_name yuno.nicfab.eu;
> proxy_pass http://192.168.1.21;
> }
> ^ so letsencrypt can find yunohost (your ubuntu nginx config did 404)

I don't need it now because I used the firewall
[11:08:18] <c> maybe just maybe systemctl restart nginx to find new certificate?
[11:09:26] <nicfab[m]> I see
[11:09:30] <nicfab[m]> https://aria.im/_matrix/media/v1/download/matrix.nicfab.it/fUpddTclaBZlJvAEVLvQXVAy
[11:09:38] <nicfab[m]> How can I remove the old certificates?
[11:10:56] <c> "Install letsencrypt certificate" ?
[11:11:01] <nicfab[m]> I did it but nothing
[11:11:25] <nicfab[m]> Yes the procedure starts and completes
[11:11:37] <c> but when you reload that page it still show same?
[11:11:46] <nicfab[m]> > <c> but when you reload that page it still show same?

Yes
[11:12:22] <c> this i don't know it's yunohost stuff maybe someone with more yunohost experience can help?!
(maybe try again?)
[11:12:40] <nicfab[m]> > <c> this i don't know it's yunohost stuff maybe someone with more yunohost experience can help?!
> (maybe try again?)

I tried it several times
[11:13:59] <c> maybe Guillaume Bouzige if still here?
[11:14:18] <Guillaume Bouzige> yup
[11:14:28] <Guillaume Bouzige> I have a setup with caddy and yunohost
[11:15:40] <Guillaume Bouzige> on the yunohost side I am still self-signed
[11:16:00] <Guillaume Bouzige> on my reverse_proxy I skip TLS errors or something
[11:16:02] <c> :(
[11:17:19] <Guillaume Bouzige> like that
```
transport http {
    tls
    tls_insecure_skip_verify
}
```
[11:17:29] <Guillaume Bouzige> in caddy
[11:17:34] <Guillaume Bouzige> I have no VM
[11:17:49] <nicfab[m]> I am looking here https://yunohost.org/en/certificate
And I see that there is only a shell command for the self-signed certificate
[11:18:06] <c> the problem now is yunohost does not generate/use letsencrypt
[11:18:23] <nicfab[m]> However, c and Guillaume Bouzige thank you for your support
[11:18:25] <Guillaume Bouzige> you have to delete and re-create the domain; it will be self-signed at creation
[11:19:03] <nicfab[m]> > you have to delete and re-create the domain; it will be self-signed at creation

Yes, but I cannot delete the domain because it is the only one.
I'll try with another "no domain" feature
[11:19:25] <Guillaume Bouzige> do a domain toto.local
[11:19:34] <Guillaume Bouzige> switch it as main domain
[11:20:04] <Guillaume Bouzige> then delete and re-create the one domain you need
[11:26:03] <nicfab[m]> > then delete and re-create the one domain you need

I did it.
Crazy!!!! It returned with self-signed certificates
[11:41:30] <Guillaume Bouzige> > <@nic:matrix.nicfab.it> I did it.
> Crazy!!!! It returned with self-signed certificates

great so you are sorted ?
[11:45:40] <nicfab[m]> No.
I created another yuno domain following "I do not have a domain".
Then, I deleted my domain.
Hence, I added my domain again.
I asked for the LE certificates and it put the self-signed certificates again.
[11:47:13] <Guillaume Bouzige> the machine behind your proxy cannot reach the outside WAN so it won't be able to process the ACME verification to produce the certificates
[11:47:45] <c> Guillaume Bouzige, why?
[11:48:20] <Guillaume Bouzige> I mean if it is made that way
[11:48:20] <nicfab[m]> > the machine behind your proxy cannot reach the outside WAN so it won't be able to process the ACME verification to produce the certificates

For the external all ports are opened
[11:48:54] <c> also it should give an error if there is a problem, not fail silently
[11:49:06] <Guillaume Bouzige> depends what you are trying to achieve with your setup at the end of the day
[11:49:38] <nicfab[m]> And now the LE button has disappeared
[11:49:43] <nicfab[m]> https://aria.im/_matrix/media/v1/download/matrix.nicfab.it/qdjTtnRBdHMFjOWqcFNgMOlg
[11:50:11] <nicfab[m]> I am going to delete this VM and goodbye yunohost.
I tried it
[11:50:25] <Guillaume Bouzige> > <@nic:matrix.nicfab.it> For the external all ports are opened

what do you mean? your machine is in your LAN behind a router, no?
[11:51:31] <nicfab[m]> > what do you mean? your machine is in your LAN behind a router, no?

In my LAN the firewall is set so that any connection from the outside is allowed, while I have to set the inbound ones.
[11:52:23] <Guillaume Bouzige> in our case Let's Encrypt needs 80 and 443 to generate certificates, so you got those ones covered, right?
[11:52:38] <nicfab[m]> > in our case Let's Encrypt needs 80 and 443 to generate certificates, so you got those ones covered, right?

Of course
[11:53:37] <c> sorry you had a bad experience nicfab[m], i'm not part of the yunohost team but just know "yunohost in a VM" is really not a supposed/supported use case so far... and it works really nicely when you install on bare metal (i mean some apps are broken but the base system is solid)
[11:54:35] <c> if you want the easy route just install yunohost and install your VM inside yunohost (it's just debian so it's ok)
if you want the hard route you can do manual sysadmin to learn more about nginx, reverse proxying, etc...
but mixing the two is dangerous :D
[11:55:50] <nicfab[m]> > <c> sorry you had a bad experience nicfab[m], i'm not part of the yunohost team but just know "yunohost in a VM" is really not a supposed/supported use case so far... and it works really nicely when you install on bare metal (i mean some apps are broken but the base system is solid)

Yunohost was my worst experience since I have been a sysadmin
[11:56:55] <nicfab[m]> > <c> if you want the easy route just install yunohost and install your VM inside yunohost (it's just debian so it's ok)
> if you want the hard route you can do manual sysadmin to learn more about nginx, reverse proxying, etc...
> but mixing the two is dangerous :D

I understand that yunohost works with packages and it's quite difficult to manage if you do not know how it was built
[11:58:28] <c> yes but also yunohost is just debian so you can install custom stuff no problem :)
[12:00:23] <nicfab[m]> I'll do some other tests, and then I'll decide what to do
[12:02:43] <c> if it can make you happier there's also libreserver.org and freedombox.net doing the same as yunohost (also based on debian)
[12:02:58] <c> (all other solutions are weird docker/kubernetes shit)
[12:07:20] <nicfab[m]> Tks
[12:08:20] <nicfab[m]> However, it seems like there are traces of my domain on the server and it retrieves them without doing real checks
[12:16:19] <nicfab[m]> I thought that LE allowed issuing the certificates only a few times in seven days.
Probably, this is the reason why I don't see the LE button anymore.
I will wait some days, and I will check it again.
[15:35:22] <jamniczek> Hey All, I'm super new to Yunohost, so forgive me for silly questions, but is there a way to see how much space I have left on my server in the webadmin view?
[15:39:10] <Aleks (he/him/il/lui)> there is some info in the Diagnosis section, in System resource
[15:46:23] <c> or you can do df -h in terminal
[15:46:26] <c> but if you like web
[15:46:28] <c> that's ok:)
[16:17:23] <Aleks (he/him/il/lui)> yeah the idea of yunohost is that you should not need 3 PhDs in computer science and command line to administrate a server ...
[16:23:46] <syl02> I'm brand new to yuno and I wanted to install version 11 on my pi 3, but when it comes to choosing my keyboard language it asks me to rename the user, which I don't know how to do
[16:23:51] <syl02> in short, I'm off to a bad start
[16:23:53] <nicfab[m]> Hello guys!
I removed the old VM with yunohost and I created a new one, reinstalling yunohost.
Now in the Diagnosis ==> System configurations, I read 2 issues:

1. **Configuration file /etc/ssh/sshd\_config appears to have been manually modified.**
**This is probably OK if you know what you're doing! YunoHost will stop updating this file automatically... But beware that YunoHost upgrades could contain important recommended changes. If you want to, you can inspect the differences with yunohost tools regen-conf ssh --dry-run --with-diff and force the reset to the recommended configuration with yunohost tools regen-conf ssh --force**
2. **The SSH configuration appears to have been manually modified, and is insecure because it contains no 'AllowGroups' or 'AllowUsers' directive to limit access to authorized users.**

Regarding n. 1, I ran `yunohost tools regen-conf ssh --dry-run --with-diff` and I see

```
PermitRootLogin yes
status: modified
```

My question is: "If I run `yunohost tools regen-conf ssh --force` can I continue access via ssh?"

Regarding n. 2 what should I do?
[16:24:48] <Aleks (he/him/il/lui)> mouarf yeah, raspberry pi changed its install process again and it interferes with the yunohost install process T_T
[16:25:24] <syl02> ok what a pain
[16:26:38] <syl02> I wanted to install nextcloud directly, but there was always something blocking me, and I came across this distro, but I'm already stuck, I'm really going to give up :)
[16:29:17] <c> nicfab[m], not a problem, you modified it to do what you want, so keep it like this, no need to force the config
[16:30:09] <c> "This is probably OK if you know what you're doing!"
[16:31:32] <Aleks (he/him/il/lui)> > <@nic:matrix.nicfab.it> Hello guys!
> I removed the old VM with yunohost and I created a new one, reinstalling yunohost.
> Now in the Diagnosis ==> System configurations, I read 2 issues:
>
> 1. **Configuration file /etc/ssh/sshd\_config appears to have been manually modified.**
> **This is probably OK if you know what you're doing! YunoHost will stop updating this file automatically... But beware that YunoHost upgrades could contain important recommended changes. If you want to, you can inspect the differences with yunohost tools regen-conf ssh --dry-run --with-diff and force the reset to the recommended configuration with yunohost tools regen-conf ssh --force**
> 2. **The SSH configuration appears to have been manually modified, and is insecure because it contains no 'AllowGroups' or 'AllowUsers' directive to limit access to authorized users.**
>
> Regarding n. 1, I ran `yunohost tools regen-conf ssh --dry-run --with-diff` and I see
>
> ```
> PermitRootLogin yes
> status: modified
> ```
>
> My question is: "If I run `yunohost tools regen-conf ssh --force` can I continue access via ssh?"
>
> Regarding n. 2 what should I do?

this is most likely because during the install with `curl | bash` you told the installer that you didn't want it to take over the ssh config
[16:44:59] <nicfab[m]> > <@Alekswag:matrix.org> this is most likely because during the install with `curl | bash` you told the installer that you didn't want it to take over the ssh config

Indeed
[16:45:47] <nicfab[m]> Can I run the command `yunohost tools regen-conf ssh --force` without losing the ssh access?
[16:51:36] <Aleks (he/him/il/lui)> i suppose, but beware that by default root login is disabled, except from the local network
[16:51:43] <Aleks (he/him/il/lui)> otherwise you should use the admin user
[16:52:11] <Aleks (he/him/il/lui)> (though the admin user is gonna get somewhat dropped in version 11.1)
[17:12:22] <nicfab[m]> Is there any command to install LE certificates instead of the browser?
[17:15:44] <tituspijean> nicfab: `yunohost domain cert install <the domain>`
[17:16:08] <tituspijean> Check it out with `--help` for more information
[17:16:20] <nicfab[m]> > <@titus:pijean.ovh> Check it out with `--help` for more information

Tks