Thursday, November 06, 2025
support@conference.yunohost.org

[08:52:59] <cptcurk> Hello !

I got a kind of issue.
I can't get a certificate. It got stuck.

fail2ban is not working, dunno why, it looks like apps "forte" problem but 3 other app makes a problem with service.

And the last : yunopaste doesn't work.


I'm running on rasp pi4b with a VPN all ports open.
I just had an nginx problem which was "error.log is a directory". I deleted it and created a new one and then this issue worked.

Could you help ? I can't share log... As I have this problem !
[08:57:27] <cptcurk> so first, how could I check the logs without yunopaste ?
[08:59:47] <isAAAc> and you can use https://paste.yunohost.org/ to c/p your logs
[09:01:49] <isAAAc> hello cptcurk;)
in `/var/log/yunohost/*` ?
[09:01:59] <isAAAc> and more general in `/var/log/*`
[09:02:13] <cptcurk> thank you, should I use "nano" and c/p ? It looks like I have api and cli logs, not really the name I was looking for
[09:02:57] <isAAAc> nano is more to edit, you should prefer `cat` or `less` and perhaps `grep`
[09:06:51] <cptcurk> [do you know which kind of log I should find for my problem up there, let's assume yunopaste first ? :) ](https://paste.yunohost.org/wucayixuji.rust)
[09:07:00] <cptcurk> I found that in the yunohost.cli.log
[09:07:55] <cptcurk> fail2ban doesn't have log... Weird
[09:08:42] <isAAAc> syslog perhaps ?
[09:09:23] <isAAAc> `systemctl status fail2ban.service`
[09:09:33] <cptcurk> got that when I read status in fail2ban
[09:09:34] <cptcurk> configuration: broken
configuration-details:
- 2025-11-06 09:08:35,218 fail2ban.configreader [85624]: WARNING 'allowipv6' not defined in 'Definition'. Using default one: 'auto'
- 2025-11-06 09:08:35,338 fail2ban [85624]: ERROR Failed during configuration: Have not found any log file for forte jail
- 2025-11-06 09:08:35,339 fail2ban [85624]: ERROR ERROR: test configuration failed
description: Protects against brute-force and other kinds of attacks from the Internet
last_state_change: 2025-11-06 09:08:20
start_on_boot: enabled
status: failed

[09:11:00] <cptcurk> Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; preset: enabled)
Drop-In: /etc/systemd/system/fail2ban.service.d
└─systemd-override-bind-nftables.conf
Active: failed (Result: exit-code) since Thu 2025-11-06 09:08:20 GMT; 2min 17s ago
Duration: 499ms
Docs: man:fail2ban(1)
Process: 85582 ExecStart=/usr/bin/fail2ban-server -xf start (code=exited, status=255/EXCEPTION)
Main PID: 85582 (code=exited, status=255/EXCEPTION)
CPU: 461ms
[09:11:02] <cptcurk> got that more
[09:11:39] <cptcurk> ahh I don't really understand the grep function...
[09:12:05] <isAAAc> humm in root : `touch /var/log/fail2ban.log && chown root:adm /var/log/fail2ban.log && systemctl restart fail2ban.service && systemctl status fail2ban.service` ?
[09:12:30] <cptcurk> running
[09:12:37] <cptcurk> same as my nginx problem then... sadly
[09:13:18] <isAAAc> is it a freshinstall of ynh ?
[09:13:18] <cptcurk> × fail2ban.service - Fail2Ban Service
Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; preset: enabled)
Drop-In: /etc/systemd/system/fail2ban.service.d
└─systemd-override-bind-nftables.conf
Active: failed (Result: exit-code) since Thu 2025-11-06 09:12:23 GMT; 37s ago
Duration: 586ms
Docs: man:fail2ban(1)
Process: 86289 ExecStart=/usr/bin/fail2ban-server -xf start (code=exited, status=255/EXCEPTION)
Main PID: 86289 (code=exited, status=255/EXCEPTION)
CPU: 527ms

Nov 06 09:12:22 florentcurk.com systemd[1]: Started fail2ban.service - Fail2Ban Service.
Nov 06 09:12:23 florentcurk.com fail2ban-server[86289]: 2025-11-06 09:12:23,076 fail2ban.configreader [86289]: WARNING 'allowipv6' not defined in 'Definition'. Using default one: 'auto'
Nov 06 09:12:23 florentcurk.com fail2ban-server[86289]: 2025-11-06 09:12:23,213 fail2ban [86289]: ERROR Failed during configuration: Have not found any log file for forte jail
Nov 06 09:12:23 florentcurk.com fail2ban-server[86289]: 2025-11-06 09:12:23,230 fail2ban [86289]: ERROR Async configuration of server failed
Nov 06 09:12:23 florentcurk.com systemd[1]: fail2ban.service: Main process exited, code=exited, status=255/EXCEPTION
Nov 06 09:12:23 florentcurk.com systemd[1]: fail2ban.service: Failed with result 'exit-code'.
root@florentcurk:/#

[09:13:29] <cptcurk> ah no, if I'm launching a service status again, it's not working
[09:13:48] <cptcurk> totally not, but I moved house (with VPN it should change a single thing...)
[09:14:00] <cptcurk> it's like 2 years working.
[09:14:23] <bbohard> Have you checked free space (with command df and df with option -i for inode check)? In case of global unexplained failure, it's always worth a look.
[09:14:44] <isAAAc> oh yes, good idea
[09:14:59] <isAAAc> `df -hi`
[09:15:50] <isAAAc> and a `df -h` for the free space
[09:16:04] <cptcurk> Ah I have an external disk, for data, I thought it could be the problem so I just repaired inodes with fsck. I haven't checked the SD card (I need to switch to nvme, I know)
[09:16:45] <cptcurk> /dev/root 29G 23G 4.6G 84% /
devtmpfs 1.7G 0 1.7G 0% /dev
tmpfs 1.9G 1.1M 1.9G 1% /dev/shm
tmpfs 759M 28M 732M 4% /run
tmpfs 5.0M 16K 5.0M 1% /run/lock
/dev/mmcblk0p1 255M 33M 223M 13% /boot
tmpfs 380M 0 380M 0% /run/user/1007
[09:17:10] <cptcurk> looks okay isn't it ?
[09:17:58] <bbohard> check for inode too: you can run out of inode and got plenty of space
[09:18:06] <cptcurk> it doesn't show my hard drive... Is that a problem ?
[09:18:41] <cptcurk> sda
├─sda1 vfat FAT32 EFI 67E3-17ED
└─sda2 ext4 1.0 b1cfe83c-16d4-4508-80c5-0a302b376e7b
mmcblk0
├─mmcblk0p1 vfat FAT32 boot D804-E55C 222.7M 13% /boot
└─mmcblk0p2 ext4 1.0 rootfs fad9bd83-03bd-41a7-91d4-f608d431854d 4.6G 80% /
[09:18:46] <cptcurk> looks like my hard drive's not mounted ?

[09:19:00] <cptcurk> I got the /var on it I think
[09:19:12] <cptcurk> /var/log I mean
[09:19:41] <cptcurk> /dev/root 1827072 764981 1062091 42% /
devtmpfs 419618 501 419117 1% /dev
tmpfs 485674 3 485671 1% /dev/shm
tmpfs 819200 1016 818184 1% /run
tmpfs 485674 8 485666 1% /run/lock
/dev/mmcblk0p1 0 0 0 - /boot
tmpfs 97134 19 97115 1% /run/user/1007
[09:19:54] <cptcurk> for inode sorry, didn't say
[09:20:03] <err404> Your external disk is sda?
[09:20:18] <cptcurk> yes
[09:20:38] <err404> Please check /etc/fstab
[09:20:53] <cptcurk> GNU nano 7.2 /etc/fstab
proc /proc proc defaults 0 0
PARTUUID=a811d99a-01 /boot vfat defaults 0 2
PARTUUID=a811d99a-02 / ext4 defaults,noatime 0 1
#UUID="b1cfe83c-16d4-4508-80c5-0a302b376e7b" /mnt/hdd ext4 defaults,nofail 0 0
#/mnt/hdd/home/ /home/ none defaults,bind 0 0
#/mnt/hdd/var/mail /var/mail none defaults,bind 0 0
#/mnt/hdd/var/log /var/log none defaults,bind 0 0


[09:20:56] <cptcurk> I was doing it...
[09:21:16] <cptcurk> And the lines are commented !!
[09:21:39] <cptcurk> do you think this is my issue ?
[09:22:47] <err404> You can mount /dev/sda2 manually ?
[09:23:00] <bbohard> if hdd has been mounted once on /var and is not anymore, you probably have files on it you can’t access
[09:23:08] <cptcurk> mount: (hint) your fstab has been modified, but systemd still uses
the old version; use 'systemctl daemon-reload' to reload.
[09:23:12] <cptcurk> got this message, it's okay ?
[09:23:24] <cptcurk> Do I need to manually bind ?
[09:24:21] <bbohard> you have to reload as suggested
[09:24:35] <err404> Your external disk is connected by usb?
[09:24:49] <cptcurk> yes usb
[09:26:15] <cptcurk> I did reload. But do I have to bind ?
how could I check if it is automatically done ?
[09:27:00] <cptcurk> command not found,
Should I do systemctl dmsg ?
[09:30:32] <err404> thanks for the `journalctl -k`, it gives the same as `dmesg`
[09:31:15] <err404> Just after systemctl daemon-reload, please do a 'dmesg' to see if there is something wrong
[09:31:32] <bbohard> `journalctl -k` should display messages
[09:31:48] <bbohard> `dmesg`
[09:33:56] <cptcurk> https://paste.yunohost.org/ewigumehij.apache
[09:35:22] <cptcurk> I have not a single clue what this means. I understand the meaning of kernel but I don't understand a single line.
[09:36:14] <cptcurk> got something a bit different with dmesg (was the e missing) https://paste.yunohost.org/zivukihuye.yaml
[09:42:45] <isAAAc> how are declared your hard drives in fstab ? via UUID ?
[09:42:52] <isAAAc> https://www.cyberciti.biz/faq/linux-finding-using-uuids-to-update-fstab/
[09:43:03] <cptcurk> yeah
[09:44:48] <isAAAc> your external drive is commented
[09:45:32] <cptcurk> I just manually mounted it, everything should be in order, I tried the cert again.. no success
[09:48:58] <isAAAc> if it mounts but don't have read/write permission, you perhaps have issue with the perm settings ?
[09:53:32] <cptcurk> okay !

I guess the disk problem was doing bad with fail2ban
[09:53:41] <cptcurk> it works. I'll try the cert
[09:54:54] <bbohard> Neither do I
[09:57:03] <cptcurk> one problem solved.
Certificate's still not working, yunopaste still not working tho.
[10:05:23] <bbohard> Haven’t you got explicit error message from certificate obtention attempt ?
[10:21:00] <cptcurk> https://paste.yunohost.org/ocihedemeg.rust
[10:22:04] <cptcurk> that's for the cert.

For yunopaste, I don't have anything
[10:24:37] <cptcurk> in /etc/hosts, I have this
127.0.1.1 yunohost

127.0.0.1 florentcurk

127.0.0.1 yunohost


[10:24:41] <cptcurk> just in case.
[10:27:24] <cptcurk> I run a diag and not a single error.
[10:30:08] <cptcurk> it looks like both cert & yunopaste need an internet connection to get to something and can't access it. And as I said, diag is all green. I have access to everything (like ssh and webadmin) through my VPN tunnel.
[10:35:24] <bbohard> I don’t know enough about yunohost wrapper handling certification request. I would try triggering the error using directly certbot with debug flag but I am not sure how to do this now (what parameters to pass). I think it is using webroot mode but not sure.
[11:14:24] <isAAAc> is your raspi in DMZ ? are your ports open in the router before your raspi ? is the DNS zone updated for your ndd to the raspi ? cptcurk
[11:52:59] <cptcurk> my raspi's not in DMZ. ports are not open in the router, as I'm using VPN, and can't open in the router, uPnP doesn't work, I guess because of the VPN.
DNS zone & ndd, I don't understand exactly what it means.
[11:53:28] <cptcurk> I've read that online, but not confident enough to take that way without breaking the thing.
[11:54:45] <isAAAc> request to a domain name (url) -> DNS -> IP -> your router -> your server
[11:54:48] <cptcurk> ISP doesn't block port, I asked them.
[11:54:54] <isAAAc> DNS --> IP is the DNS
[11:55:35] <isAAAc> for more: https://en.wikipedia.org/wiki/Domain_Name_System
[11:56:05] <cptcurk> it should be okay, then it's in Gandi that I'm doing that. Should I do an automatically.
[11:56:12] <cptcurk> But, I'll check that later !
[11:57:04] <cptcurk> If I move the rasp. should I update something from the DNS point of view (using a VPN) ?
[11:57:34] <isAAAc> I don't know, depends on how you set it
[11:57:56] <cptcurk> then normally I shouldn't but I'll check anyway. Don't have time now, will be a bit later !
[11:59:39] <cptcurk> gandi seems to link to the VPN everywhere, Let's Encrypt is 0 issue in CAA
[12:05:01] <isAAAc> wasn't it an error in syslog/dmesg/other about openvpn ? if the ovpn is not active , it could explain your issue with LE certification tool
[12:06:00] <isAAAc> your ovpn master has the new ip to connect to your raspi ?
[12:47:17] <cptcurk> hmmm. I don't know how to figure that out. you mean the conf file ?
Where should I put that ? It could be the problem actually
[12:47:44] <cptcurk> but if I'm ssh through VPN ip.
Doesn't that mean that connection is made ?
[12:50:43] <cptcurk> and then where to put that new ip address, and which ip are we talking about ? The external ip of my box ?
[13:21:56] <isAAAc> curl -I https://florentcurk.com -> time out
[13:23:00] <isAAAc> traceroute florentcurk.com ends after iris.aquilenet.fr
[13:23:28] <isAAAc> i presume your vpn is from aquilenet ?
[13:25:12] <isAAAc> https://paste.yunohost.org/zivukihuye.yaml line 487
`[ 83.490546] cgroup: fork rejected by pids controller in /system.slice/system-openvpn.slice/openvpn@client.service`
[13:25:38] <isAAAc> are you sure that your vpn is up ?
[13:26:18] <isAAAc> florentcurk.com. 3335 IN A 185.233.101.70 DNS entry
[13:26:33] <isAAAc> ping 185.233.101.70 answers
[13:29:22] <isAAAc> ssh florentcurk.com answers
[13:29:43] <isAAAc> cptcurk: restart your nginx perhaps ?
[13:30:27] <isAAAc> `systemctl restart nginx.service`
[13:30:42] <isAAAc> because http://florentcurk.com/ is KO
[13:31:57] <isAAAc> and LE uses web challenge, so if web is KO, cert renew can't be played i think
[13:44:21] <cptcurk> I just restarted my nginx.service
[13:44:53] <cptcurk> still the same problem with the vpn.

I'll contact them, or it's from my side ?
[13:45:08] <cptcurk> yes, the vpn provider is aquilenet
[17:36:48] <isAAAc> if you use irc, they're on libera