raspberry-pi [2017/06/03 01:35] – [Cert Bot] dblume
raspberry-pi [2023/04/12 20:44] (current) – external edit
When there are problems, check for logs in ''/var/log/syslog'' or ''/var/log/messages''.
I think we need to update ''/etc/systemd/system/log2ram.service'' to make log2ram come after nginx, like so...
<file bash log2ram.service>
[Unit]
DefaultDependencies=no
# Before= starts log2ram ahead of every unit that writes under /var/log
Before=rsyslog.service systemd-journald.service apache2.service nginx.service
RequiresMountsFor=/var/log /var/hdd.log

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/local/bin/log2ram start
ExecStop=/usr/local/bin/log2ram stop
ExecReload=/usr/local/bin/log2ram write
</file>
Otherwise, it turns out that log2ram does screw up nginx's ability to start on a power-cycle. Maybe we need something like the following...
<file bash>
#!/usr/bin/env bash
# The tool we use to save flash (log2ram) affects the startup of nginx:
# on a fresh tmpfs /var/log/nginx does not exist yet and nginx will not start.
if [ ! -d "/var/log/nginx" ]; then
  sudo mkdir -p /var/log/nginx
fi
# if service --status-all | grep -Fq '[ - ]  nginx'; then
if ! service nginx status | grep -Fq 'active (running)'; then
  sudo /etc/init.d/nginx start > /dev/null
  # systemctl start nginx
fi
</file>
===== Keyboard Repeat Problem =====
  sudo certbot renew && /usr/sbin/service nginx reload
5. Consider using a root cron job
   sudo crontab -e
   0 5 * * 0 certbot renew --post-hook "service nginx reload" >> /home/pi/letsencrypt-renew.log 2>&1
<code>
</code>
6. Port forward ports 80 and 443.  At the local router:
WAN -> Virtual Server / Port Forwarding
7. Update nginx
          listen [::]:80 default_server;
          server_name;
          return 301 https://$server_name$request_uri;
  }
**TODO**: Renew with ''certbot renew --quiet'' as per [[|certbot]] or [[|manually]].
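A renewal wrapper for the cron job in step 5, as an added example (not code from the original page or from certbot). It uses ''--deploy-hook'' so nginx is reloaded only when a certificate actually changed (''--post-hook'' fires on every run, renewed or not), writes a timestamped log to a root-owned file instead of ''/home/pi'', and checks how many days are left on the live certificate so a renewal that keeps failing quietly is noticed before the site goes dark. The certificate path ''/etc/letsencrypt/live/example.com/fullchain.pem'', the log path, the install path in the crontab comment and the 14-day warning threshold are assumptions for the example.

```bash
#!/usr/bin/env bash
# letsencrypt-renew.sh: run from root's crontab instead of the bare one-liner.
# Added example, not from the original page or from certbot. Paths below are
# assumptions; override them through the environment.
set -u

LIVE_CERT=${LIVE_CERT:-/etc/letsencrypt/live/example.com/fullchain.pem}
LOG=${LOG:-/var/log/letsencrypt-renew.log}
WARN_DAYS=${WARN_DAYS:-14}

# Days from epoch time $2 (default: now) until the date in a
# "notAfter=Jun  3 01:35:00 2030 GMT" line as printed by
# `openssl x509 -noout -enddate`. Negative once the certificate has expired.
days_left_from_enddate() {
    local line=$1 now=${2:-$(date -u +%s)} expiry
    expiry=$(date -u -d "${line#notAfter=}" +%s) || return 1
    echo $(( (expiry - now) / 86400 ))
}

# Remaining days on a PEM certificate file.
cert_days_left() {
    days_left_from_enddate "$(openssl x509 -noout -enddate -in "$1")"
}

# Renew what is due; reload nginx only when something was actually renewed.
renew() {
    {
        echo "== $(date -u '+%F %T') certbot renew"
        certbot renew --quiet --deploy-hook "systemctl reload nginx"
        echo "== exit=$?"
    } >> "$LOG" 2>&1
}

main() {
    local left
    renew
    left=$(cert_days_left "$LIVE_CERT") || { echo "cannot read $LIVE_CERT" >&2; return 1; }
    if [ "$left" -lt "$WARN_DAYS" ]; then
        # cron mails a non-empty stderr to root, which is the alarm we want
        echo "WARNING: $LIVE_CERT expires in $left days and renewal did not fix it" >&2
        return 1
    fi
}

# root crontab entry (assumed install path):
#   0 5 * * 0 /usr/local/sbin/letsencrypt-renew.sh --run
case "${1:-}" in --run) main ;; esac
```

Run it once by hand with ''--run'' after installing, then check the log file: a "== exit=0" line with no warning means the cert is current and the hook chain works.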
===== Updating CertBot to use ACMEv2 =====
Got an email from the EFF saying my current CertBot client uses ACMEv1 and it needs to be upgraded. Followed some instructions here: [[|Debian Jessie instructions from the EFF]].
  sudo apt-get remove certbot
  wget
  sudo mv certbot-auto /usr/local/bin/certbot-auto
  sudo chown root /usr/local/bin/certbot-auto
  sudo chmod 0755 /usr/local/bin/certbot-auto
''certbot-auto'' is a script that will go on to run ''apt-get'' and ''pip'' as root, so verify the download against the detached signature (''certbot-auto.asc'') the EFF publishes alongside it before the ''mv''; a bare ''wget'' says nothing about what ended up in the file.
But the next step (they suggested ''sudo /usr/local/bin/certbot-auto certonly --nginx'', but I tried:
  sudo /usr/local/bin/certbot-auto certonly --webroot -w /var/www/html -d -d
) is broken, because it first runs an apt-get, and Jessie Backports is gone, and then because the pip installation failed hash verification.
==== Problem: Jessie Backports is gone. ====
Follow the instructions here: [[|Removal of Jessie-Updates and Jessie-Backports from Debian Mirrors]]
Remove "<nowiki>deb jessie-backports main</nowiki>" from ''/etc/apt/sources.list'' and add:
  deb jessie-backports main contrib non-free
  deb-src jessie-backports main contrib non-free
And then essentially (I did it with a sudo vim session):
  echo 'Acquire::Check-Valid-Until no;' > /etc/apt/apt.conf.d/99no-check-valid-until
This is the expected fix for an archived release, but note what it switches off: apt stops rejecting Release files whose ''Valid-Until'' date has passed, so a stale mirror (or anyone able to replay old, still correctly signed indices to the Pi) can keep it on outdated package versions without any error. Keep the file only as long as the Jessie archive entries are needed and remove it after the upgrade to Stretch.
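What ''Check-Valid-Until'' actually guards, as an added example (not from the page or from apt): the same ''Valid-Until'' comparison apt performs, applied to a Release file on disk, plus a walk over ''/var/lib/apt/lists'' that reports which sources are already running on expired metadata. The Release excerpt in the comment is constructed, and the ''--report'' flag is an invention of the example.

```bash
#!/usr/bin/env bash
# Added example; reproduces apt's Valid-Until check so the effect of
# `Acquire::Check-Valid-Until no` is visible. Not code from the page or apt.
#
# A Release file carries a signed line such as (constructed sample):
#   Valid-Until: Sat, 01 Jan 2022 00:00:00 UTC
# With the check on, apt refuses the index once that date has passed, which
# is what stops a mirror from replaying an old, correctly signed index.
set -u

# Print the Valid-Until value of Release file $1 (empty if the file has none).
release_valid_until() {
    sed -n 's/^Valid-Until: *//p' "$1" | head -n 1
}

# 0 if Release file $1 is still valid at epoch time $2 (default: now).
# A Release without Valid-Until is accepted, which is also what apt does.
release_is_valid() {
    local file=$1 now=${2:-$(date -u +%s)} valid_until deadline
    valid_until=$(release_valid_until "$file")
    [ -z "$valid_until" ] && return 0
    deadline=$(date -u -d "$valid_until" +%s) || return 2
    [ "$now" -le "$deadline" ]
}

# List the cached Release/InRelease files apt would reject with the check on.
report_expired() {
    local f
    for f in /var/lib/apt/lists/*Release; do
        [ -e "$f" ] || continue
        release_is_valid "$f" || \
            echo "EXPIRED: $f (Valid-Until: $(release_valid_until "$f"))"
    done
}

case "${1:-}" in --report) report_expired ;; esac
```

Running it with ''--report'' on the Pi after the apt change above shows exactly which entries are only installable because the check is off.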
==== Problem: pip install hash verification ====
[[|Certbot fails when installing Python packages]]. This can be resolved by deleting the ''/etc/pip.conf'' file:
<file bash /etc/pip.conf>
</file>
===== Upgrading Distros =====
When upgrading from Jessie to Stretch, I followed this recipe: [[|How to Upgrade Raspbian Jessie to Raspbian Stretch]].
I didn't keep PiHole working, as I would get occasional network drops when working from home, and it was resolved when taking PiHole out of the mix. Will probably have to do a fresh install.
===== PiHole =====
**Note**: I've currently got an incompatibility between PiHole and HTTPS redirecting. So I'm not using CertBot at the moment. Will have to figure that out.
PiHole connects to FTL over port 4711.  If FTL were running, it'd have a logfile you could view like so:
<code bash>
$ cat /var/log/pihole-FTL.log
</code>
You could also do the following:
<code bash>
telnet 4711
</code>
<code bash>
echo ">stats" | nc 4711
</code>
If you can't connect, you can see which services are listening like so:
<code bash>
$ sudo netstat -tulpn
$ sudo netstat -tulpn | grep FTL
</code>
I eventually clued in to my problem here:
<code bash>
$ pihole-FTL running
FATAL: Opening of FTL log (/var/log/pihole-FTL.log) failed!
       Make sure it exists and is writeable by user pi
raspberrypi:~$ ls -l /var/log/pihole*
-rw-r--r-- 1 pihole  pihole        0 Nov 24 20:42 /var/log/pihole-FTL.log
-rw-r--r-- 1 pihole  pihole      312 Sep  4 00:00 /var/log/pihole-FTL.log.1
-rw-r----- 1 dnsmasq root   18538496 Nov 24 12:46 /var/log/pihole.log
-rw-r----- 1 dnsmasq root   15273984 Sep 12 00:00 /var/log/pihole.log.1
raspberrypi:~$ cat /var/log/pihole-FTL.log.1
[2017-09-03 15:17:05.038] FATAL: Opening of /var/log/pihole.log failed!
[2017-09-03 15:17:05.038]        Make sure it exists and is readable by user pihole
$ sudo chmod +r /var/log/pihole.log
$ sudo service pihole-FTL restart
$ sudo netstat -tulpn | grep FTL
tcp        0      0              LISTEN      11082/pihole-FTL
</code>
And eventually discovered that my actual problem was that my log2ram mount was full. After fixing /var/log, I still had to ask pihole to restart its DNS.
  $ pihole restartdns
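Both the nginx start-up problem in the log2ram section and the FTL failure above come down to the state of the log2ram tmpfs when a service starts: nginx fails when ''/var/log/nginx'' does not exist on the fresh tmpfs, and pihole-FTL fails when the tmpfs has filled up or a log file is not readable by its service user. The following preflight script is an added example, not code from the page, from log2ram or from Pi-hole. It is meant to run as ''ExecStartPre='' in a systemd drop-in for the service (shown in the comment) and replaces the ''chmod +r'' above with a group-scoped grant so the log is not made world-readable. The 90% threshold, the drop-in and install paths, and the group names are assumptions.

```bash
#!/usr/bin/env bash
# log-preflight.sh LOGROOT DIR...
# Added example (not from the page, log2ram or Pi-hole). Checks that the
# log filesystem has room and that each service log directory exists, so a
# unit fails early with a clear message instead of dying on its first write.
# Assumed systemd drop-in, e.g. /etc/systemd/system/nginx.service.d/log2ram.conf:
#   [Unit]
#   After=log2ram.service
#   [Service]
#   ExecStartPre=/usr/local/sbin/log-preflight.sh /var/log nginx
set -u

# 0 if the filesystem holding $1 is below $2 percent used (default 90).
log_fs_has_room() {
    local path=$1 max_pct=${2:-90} used
    used=$(df -P "$path" | awk 'NR == 2 { sub(/%/, "", $5); print $5 }')
    [ -n "$used" ] && [ "$used" -lt "$max_pct" ]
}

# Create $1 with mode $2 (default 0755) and owner $3 if it is missing.
# An existing directory is left alone: never loosen permissions on the way in.
ensure_log_dir() {
    local dir=$1 mode=${2:-0755} owner=${3:-}
    if [ ! -d "$dir" ]; then
        mkdir -p -m "$mode" "$dir" || return 1
        [ -z "$owner" ] || chown "$owner" "$dir" || return 1
    fi
    [ -d "$dir" ]
}

# Give group $2 read access to log file $1 instead of `chmod +r` (world-readable).
# Least-privilege answer to "Make sure it exists and is readable by user
# pihole": put the pihole user in the file's group, not the file in everyone's reach.
grant_group_read() {
    local file=$1 group=$2
    chgrp "$group" "$file" && chmod g+r "$file"
}

# preflight LOGROOT DIR... : non-zero exit makes systemd show why the unit stopped.
# MAX_PCT (default 90) is the fullness threshold for LOGROOT's filesystem.
preflight() {
    local logroot=$1 d; shift
    if ! log_fs_has_room "$logroot" "${MAX_PCT:-90}"; then
        echo "$logroot is over ${MAX_PCT:-90}% full; run 'log2ram write' or raise log2ram's SIZE" >&2
        return 2
    fi
    for d in "$@"; do
        ensure_log_dir "$logroot/$d" || { echo "cannot create $logroot/$d" >&2; return 3; }
    done
}

[ $# -eq 0 ] || preflight "$@"
```

For the pihole.log case above, ''grant_group_read /var/log/pihole.log pihole'' followed by adding ''pihole'' to that group is the narrow equivalent of the ''chmod +r''; a ''pihole-FTL'' drop-in with ''ExecStartPre=/usr/local/sbin/log-preflight.sh /var/log'' catches the full-tmpfs case before FTL logs its FATAL line.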
==== Example PiHole API ====
  curl "http://pi.hole/admin/api.php?summary" | python -m json.tool
===== New ACMEv2 Certbot overwrites /etc/nginx/sites-enabled/default =====
We keep backups at ''~/etc_nginx_sites-enabled_default_pihole.backup''.
  sudo service nginx restart
===== Jessie or earlier: Add piwheels for fast Python pip installations =====
If you're not installing Stretch or later, here's [[|info on piwheels]]. Add the following to ''/etc/pip.conf'':
<file bash /etc/pip.conf>
</file>
====== Keywords ======
Keywords: Lets Encrypt, LetsEncrypt, Hole