Differences

This shows you the differences between two versions of the page.

--- raspberry-pi [2016/11/02 07:31] – [Cert Bot] dblume
+++ raspberry-pi [2023/04/12 20:44] (current) – external edit 127.0.0.1
@@ Line 67: / Line 67: @@
 When there are problems, check for logs in ''/var/log/syslog'' or ''/var/log/messages''.
+I think we need to update ''/etc/systemd/system/log2ram.service'' to make log2ram come after nginx, like so...
+<file bash log2ram.service>
+[Unit]
+Description=Log2Ram
+DefaultDependencies=no
+Before=basic.target rsyslog.service syslog.target systemd-journald.service sysinit.target shutdown.target apache2.service nginx.service
+After=local-fs.target
+Conflicts=shutdown.target reboot.target halt.target
+RequiresMountsFor=/var/log /var/hdd.log
+IgnoreOnIsolate=yes
+[Service]
+Type=oneshot
+ExecStart= /usr/local/bin/log2ram start
+ExecStop= /usr/local/bin/log2ram stop
+ExecReload= /usr/local/bin/log2ram write
+RemainAfterExit=yes
+[Install]
+WantedBy=sysinit.target
+</file>
+Otherwise, it turns out that log2ram does screw up nginx's ability to start on power-cycle. Maybe need something like the following...
+<file bash todo_after_powercycle.sh>
+#!/usr/bin/env bash
+# The tool we use to save flash affects the startup of nginx
+if [ ! -d "/var/log/nginx" ]; then
+  sudo mkdir /var/log/nginx
+fi
+# if service --status-all | grep -Fq '[ - ]  nginx'; then
+if ! service nginx status | grep -Fq 'active (running)'; then
+  sudo /etc/init.d/nginx start > /dev/null
+  # systemctl start nginx
+fi
+</file>
 ===== Keyboard Repeat Problem =====
@@ Line 106: / Line 145: @@
 **Note**: See history-of-nginx-start.txt, and note that the web server files are at /var/www
-===== Backing-up And Restoring the SD Card =====
+===== Backup =====
-[[http://lifehacker.com/how-to-clone-your-raspberry-pi-sd-card-for-super-easy-r-1261113524|How to Clone Your Raspberry Pi SD Card for Super Easy Reinstallations]]
+(Old link: [[http://lifehacker.com/how-to-clone-your-raspberry-pi-sd-card-for-super-easy-r-1261113524|How to Clone Your Raspberry Pi SD Card for Super Easy Reinstallations]])
-My Raspberry Pi is up-to-date as of Oct 26, 2014.
+I put the microSD in the SamSung SD Adaptor, and [[https://thepihut.com/blogs/raspberry-pi-tutorials/17789160-backing-up-and-restoring-your-raspberry-pis-sd-card|used Win32 Disk Imager]] to make a backup at H:\RasberryPi2.img
+==== Reading from Device to Image File ====
+  * Specify a new Image File name. (On a big disk.)
+  * Select "Read" to read form the Raspberry Pi's card to the file on disk.
+==== Writing from Image File to SD Card ====
+  * Specify an existing Image File.
+  * Select "Write" to write from the file on disk to the Raspberry Pi's card.
+My Raspberry Pi is up-to-date as of 2017-02-05.
 ===== Cert Bot =====
@@ Line 133: / Line 184: @@
 You should find that /etc/letsencrypt/live is populated with files like pi.dlma.com/cert1
-. Renew with
+. Renew (and reload if successful) with
-  certbot renew
+  sudo certbot renew && /usr/sbin/service nginx reload
+. Consider using a root cronjob
+   sudo crontab -e
+5 * * 0 certbot renew --post-hook "service nginx reload" >> /home/pi/letsencrypt-renew.log
 <code>
@@ Line 141: / Line 197: @@
  - Congratulations! Your certificate and chain have been saved at
    /etc/letsencrypt/live/pi.dlma.com/fullchain.pem. Your cert will
-   expire on 2017-01-31. To obtain a new or tweaked version of this
+   expire on 2017-09-31. To obtain a new or tweaked version of this
    certificate in the future, simply run certbot again. To
    non-interactively renew *all* of your certificates, run "certbot
@@ Line 158: / Line 214: @@
 </code>
 . Port forward ports 80 and 443.  At the local router:
 http://router.asus.com/Advanced_VirtualServer_Content.asp
@@ Line 164: / Line 220: @@
 WAN -> Virtual Server / Port Forwarding
 . Update nginx
 https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-nginx-in-ubuntu-16-04
-Update /etc/nginx/sites-available accordingly
+Update /etc/nginx/sites-available/default as per this [[https://www.nginx.com/blog/nginx-https-101-ssl-basics-getting-started/|Getting Started guide from Nginx]].
+  server {
+          listen 80 default_server;
+          listen [::]:80 default_server;
+          server_name pi.dlma.com;
+          return 301 https://$server_name$request_uri;
+  }
+  server {
+        # SSL configuration
+        #
+        listen 443 ssl default_server;
+        listen [::]:443 ssl default_server;
+        ssl_certificate /etc/letsencrypt/live/pi.dlma.com/fullchain.pem;
+        ssl_certificate_key /etc/letsencrypt/live/pi.dlma.com/privkey.pem;
+        ssl_trusted_certificate /etc/letsencrypt/live/pi.dlma.com/chain.pem;
+        ...
+**TODO**: Maybe figure out [[https://www.nginx.com/blog/nginx-https-101-ssl-basics-getting-started/|how to redirect http://wopr.dlma.com to https://wopr.dlma.com]].
+Then check and restart nginx:
+  $ sudo nginx -t
+  $ sudo systemctl restart nginx
+**TODO**: Renew with ''certbot renew --quiet'' as per [[https://certbot.eff.org/#debianjessie-nginx|certbot]] or [[https://bjornjohansen.no/letsencrypt-nginx|manually]].
+===== Updating CertBot to use ACMEv2 =====
+Got an email from the EFF saying my current CertBot client uses ACMEv1 and it needs to be upgraded. Followed some instructions here:[[https://certbot.eff.org/lets-encrypt/debianother-nginx|Debian Jessie instructions from the EFF]].
+  sudo apt-get remove certbot
+  wget https://dl.eff.org/certbot-auto
+  sudo mv certbot-auto /usr/local/bin/certbot-auto
+  sudo chown root /usr/local/bin/certbot-auto
+  sudo chmod 0755 /usr/local/bin/certbot-auto
+But the next step (they suggested''sudo /usr/local/bin/certbot-auto certonly --nginx''), but I tried:
+  sudo /usr/local/bin/certbot-auto certonly --webroot -w /var/www/html -d pi.dlma.com -d wopr.dlma.com
+is broken because it first  an apt-get and Jessie Backports is gone, and then because the pip installation failed Hash verification.
+==== Problem: Jessie Backports is gone. ====
+Follow the instructions here: [[https://www.lucas-nussbaum.net/blog/?p=947|Removal of Jessie-Updates and Jessie-Backports from Debian Mirrors]]
+Remove "<nowiki>deb http://ftp.debian.org/debian jessie-backports main</nowiki>" from ''/etc/apt/sources.list'' and add:
+  deb http://archive.debian.org/debian/ jessie-backports main contrib non-free
+  deb-src http://archive.debian.org/debian/ jessie-backports main contrib non-free
+And then essentially (I did it with a sudo vim session):
+  echo 'Acquire::Check-Valid-Until no;' > /etc/apt/apt.conf.d/99no-check-valid-until
+==== Problem pip install hash verification ====
+[[https://community.letsencrypt.org/t/certbot-auto-certificates-fails-while-installing-phyton-packages-with-these-packages-do-not-match-the-hashes/90363/5|Certbot fails when installing Python packages]]. This can be resolved by deleting the ''/etc/pip.conf'' file:
+<file bash /etc/pip.conf>
+[global]
+extra-index-url=https://www.piwheels.org/simple
+</file>
+===== Upgrading Distros =====
+When upgrading from Jessie to Stretch, I followed this recipe: [[https://pimylifeup.com/upgrade-raspbian-jessie-to-raspbian-stretch/|How to Upgrade Raspbian Jessie to Raspbian Stretch]].
+I didn't keep PiHole working, as I would get occasional network drops when working from home, and it was resolved when taking PiHole out of the mix. Will probably have to do a fresh install.
+===== PiHole =====
+**Note**: I've currently got an incompatibility between PiHole and HTTPS redirecting. So I'm not using CertBot at the moment. Will have to figure that out.
+PiHole connects to FTL over port 4711.  If FTL were running, it'd have a logfile you could view like so:
+<code bash>
+$ cat /var/log/pihole-FTL.log
+</code>
+You could also do the following:
+<code bash>
+telnet 127.0.0.1 4711
+>stats
+</code>
+or
+<code bash>
+echo ">stats" | nc 127.0.0.1 4711
+</code>
+If you can't connect, you can see which services are listening like so:
+<code bash>
+$ sudo netstat -tulpn
+$ sudo netstat -tulpn | grep FTL
+</code>
+I eventually clued in to my problem here:
+<code bash>
+$ pihole-FTL running
+FATAL: Opening of FTL log (/var/log/pihole-FTL.log) failed!
+       Make sure it exists and is writeable by user pi
+raspberrypi:~$ ls -l /var/log/pihole*
+-rw-r--r-- 1 pihole  pihole        0 Nov 24 20:42 /var/log/pihole-FTL.log
+-rw-r--r-- 1 pihole  pihole      312 Sep  4 00:00 /var/log/pihole-FTL.log.1
+-rw-r----- 1 dnsmasq root   18538496 Nov 24 12:46 /var/log/pihole.log
+-rw-r----- 1 dnsmasq root   15273984 Sep 12 00:00 /var/log/pihole.log.1
+...
+raspberrypi:~$ cat /var/log/pihole-FTL.log.1
+[2017-09-03 15:17:05.038] FATAL: Opening of /var/log/pihole.log failed!
+[2017-09-03 15:17:05.038]        Make sure it exists and is readable by user pihole
+$ sudo chmod +r /var/log/pihole.log
+$ sudo service pihole-FTL restart
+$ sudo netstat -tulpn | grep FTL
+tcp        0      0 127.0.0.1:4711          0.0.0.0:*               LISTEN      11082/pihole-FTL
+</code>
+And eventually discovered that my actual problem was that my log2ram mount was full. After fixing /var/log, I still had to ask pihole to restart its DNS.
+<code>
+$ pihole restartdns
+</code>
+==== Example PiHole API ====
+<code>
+curl "http://pi.hole/admin/api.php?summary" | python -m json.tool
+</code>
+===== New ACMEv2 Certbot overwrites /etc/nginx/sites-enabled/default =====
+We keep backups at ''~/etc_nginx_sites-enabled_default_pihole.backup''.
+  sudo service nginx restart
+===== Jessie or earlier: Add piwheels for fast Python pip installations =====
+If you're not installing Stretch or later, here's [[https://www.piwheels.hostedpi.com/|info on piwheels]]. Add the following to ''/etc/pip.conf'':
+<file bash /etc/pip.conf>
+[global]
+extra-index-url=https://www.piwheels.org/simple
+</file>
+====== Keywords ======
-**Note**: Maybe there's a --ngingx mod for certbot
+Keywords: Lets Encrypt, LetsEncrypt, Hole