This shows you the differences between two versions of the page.
raspberry-pi [2016/11/01 21:43] dblume [Cert Bot] |
raspberry-pi [2018/01/07 22:33] (current) dblume [Logs] |
Line 67: | Line 67: | ||
When there are problems, check for logs in ''/var/log/syslog'' or ''/var/log/messages''. | When there are problems, check for logs in ''/var/log/syslog'' or ''/var/log/messages''. | ||
+ | I think we need to update ''/etc/systemd/system/log2ram.service'' to make log2ram come after nginx, like so... | ||
+ | |||
+ | <file bash log2ram.service> | ||
+ | [Unit] | ||
+ | Description=Log2Ram | ||
+ | DefaultDependencies=no | ||
+ | Before=basic.target rsyslog.service syslog.target systemd-journald.service sysinit.target shutdown.target apache2.service nginx.service | ||
+ | After=local-fs.target | ||
+ | Conflicts=shutdown.target reboot.target halt.target | ||
+ | RequiresMountsFor=/var/log /var/hdd.log | ||
+ | IgnoreOnIsolate=yes | ||
+ | |||
+ | [Service] | ||
+ | Type=oneshot | ||
+ | ExecStart= /usr/local/bin/log2ram start | ||
+ | ExecStop= /usr/local/bin/log2ram stop | ||
+ | ExecReload= /usr/local/bin/log2ram write | ||
+ | RemainAfterExit=yes | ||
+ | |||
+ | [Install] | ||
+ | WantedBy=sysinit.target | ||
+ | </file> | ||
+ | |||
+ | Otherwise, it turns out that log2ram does screw up nginx's ability to start on power-cycle. Maybe need something like the following... | ||
+ | |||
+ | <file bash todo_after_powercycle.sh> | ||
+ | #!/usr/bin/env bash | ||
+ | |||
+ | # The tool we use to save flash affects the startup of nginx | ||
+ | if [ ! -d "/var/log/nginx" ]; then | ||
+ | sudo mkdir /var/log/nginx | ||
+ | fi | ||
+ | |||
+ | # if service --status-all | grep -Fq '[ - ] nginx'; then | ||
+ | if ! service nginx status | grep -Fq 'active (running)'; then | ||
+ | sudo /etc/init.d/nginx start > /dev/null | ||
+ | # systemctl start nginx | ||
+ | fi | ||
+ | </file> | ||
===== Keyboard Repeat Problem ===== | ===== Keyboard Repeat Problem ===== | ||
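Review bot: the status test in todo_after_powercycle.sh, `if ! service nginx status | grep -Fq 'active (running)'`, depends on the human-readable wording of systemctl's output; `if ! systemctl is-active --quiet nginx; then` gives the same answer as an exit status and cannot be broken by a wording or colour change, and the `[ ! -d "/var/log/nginx" ]` guard plus `sudo mkdir` collapses to `sudo mkdir -p /var/log/nginx`. On the unit file, the only change the ordering problem needs is `nginx.service` (and `apache2.service`) in `Before=`; after editing run `sudo systemctl daemon-reload`, and consider expressing the same dependency from the nginx side as a drop-in (`sudo systemctl edit nginx`, then `[Unit]` / `After=log2ram.service`) so it is not lost if log2ram's own unit is reinstalled. Note too that, per the PiHole section further down in this same diff, the nginx start failure was eventually traced to a full log2ram mount; ordering alone will not cover that case, so the script should also check free space on /var/log.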
Line 106: | Line 145: | ||
**Note**: See history-of-nginx-start.txt, and note that the web server files are at /var/www | **Note**: See history-of-nginx-start.txt, and note that the web server files are at /var/www | ||
- | ===== Backing-up And Restoring the SD Card ===== | + | ===== Backup ===== |
- | [[http://lifehacker.com/how-to-clone-your-raspberry-pi-sd-card-for-super-easy-r-1261113524|How to Clone Your Raspberry Pi SD Card for Super Easy Reinstallations]] | + | (Old link: [[http://lifehacker.com/how-to-clone-your-raspberry-pi-sd-card-for-super-easy-r-1261113524|How to Clone Your Raspberry Pi SD Card for Super Easy Reinstallations]]) |
- | My Raspberry Pi is up-to-date as of Oct 26, 2014. | + | I put the microSD in the SamSung SD Adaptor, and [[https://thepihut.com/blogs/raspberry-pi-tutorials/17789160-backing-up-and-restoring-your-raspberry-pis-sd-card|used Win32 Disk Imager]] to make a backup at H:\RasberryPi2.img |
+ | ==== Reading from Device to Image File ==== | ||
+ | |||
+ | * Specify a new Image File name. (On a big disk.) | ||
+ | * Select "Read" to read form the Raspberry Pi's card to the file on disk. | ||
+ | |||
+ | |||
+ | ==== Writing from Image File to SD Card ==== | ||
+ | |||
+ | * Specify an existing Image File. | ||
+ | * Select "Write" to write from the file on disk to the Raspberry Pi's card. | ||
+ | |||
+ | My Raspberry Pi is up-to-date as of 2017-02-05. | ||
===== Cert Bot ===== | ===== Cert Bot ===== | ||
- https://certbot.eff.org/#debianjessie-nginx | - https://certbot.eff.org/#debianjessie-nginx | ||
- | - Fix it with this recipe: https://github.com/certbot/certbot/issues/2673 | + | - Fix it with this recipe: https://github.com/certbot/certbot/issues/2673 (Maybe not needed!) |
+ | |||
+ | This seems useful: https://bjornjohansen.no/letsencrypt-nginx | ||
In detail: | In detail: | ||
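Review bot: imaging the whole card means H:\RasberryPi2.img contains everything on the Pi, including the Let's Encrypt private key (/etc/letsencrypt/live/pi.dlma.com/privkey.pem, referenced later on this page), /etc/shadow, SSH host and user keys, and the Pi-hole query logs; treat the image with the same care as the card itself (keep it on an encrypted volume or encrypt the file, do not leave it on a shared drive), and if it is ever exposed, revoke the certificate and rotate the keys. A restored image also carries the original host keys and credentials onto the new card. Typo in the Read step: "read form" should be "read from".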
Line 129: | Line 182: | ||
sudo certbot certonly --webroot -w /var/www/html -d pi.dlma.com -d wopr.dlma.com | sudo certbot certonly --webroot -w /var/www/html -d pi.dlma.com -d wopr.dlma.com | ||
- | 4. Renew with | + | You should find that /etc/letsencrypt/live is populated with files like pi.dlma.com/cert1 |
+ | |||
+ | 4. Renew (and reload if successful) with | ||
+ | |||
+ | sudo certbot renew && /usr/sbin/service nginx reload | ||
+ | |||
+ | 5. Consider using a root cronjob | ||
- | certbot renew | + | sudo crontab -e |
+ | 0 5 * * 0 certbot renew --post-hook "service nginx reload" >> /var/log/letsencrypt-renew.log | ||
<code> | <code> | ||
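Review bot: the cron entry `0 5 * * 0 certbot renew --post-hook "service nginx reload" >> /var/log/letsencrypt-renew.log` runs only once a week; since certbot renews only when a certificate is within 30 days of expiry, a few consecutive failures (network outage, rate limit, ACME change) leave little margin, and the usual recommendation is to run `certbot renew` twice a day (it is a no-op when nothing is due). Also redirect stderr (`>> /var/log/letsencrypt-renew.log 2>&1`), otherwise errors go to cron mail and the log stays empty, and with log2ram on /var/log the log only survives a reboot if log2ram writes it back. Prefer the `--post-hook` form over `sudo certbot renew && /usr/sbin/service nginx reload`: the hook fires only when a certificate was actually renewed, while the `&&` form reloads nginx on every run; use the absolute path `/usr/sbin/service` inside the hook too, because cron's PATH is minimal.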
Line 137: | Line 197: | ||
- Congratulations! Your certificate and chain have been saved at | - Congratulations! Your certificate and chain have been saved at | ||
/etc/letsencrypt/live/pi.dlma.com/fullchain.pem. Your cert will | /etc/letsencrypt/live/pi.dlma.com/fullchain.pem. Your cert will | ||
- | expire on 2017-01-31. To obtain a new or tweaked version of this | + | expire on 2017-09-31. To obtain a new or tweaked version of this |
certificate in the future, simply run certbot again. To | certificate in the future, simply run certbot again. To | ||
non-interactively renew *all* of your certificates, run "certbot | non-interactively renew *all* of your certificates, run "certbot | ||
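Review bot: the changed line `expire on 2017-09-31` is not a real date (September has 30 days), so it cannot be verbatim certbot output; rather than relying on a transcribed date, read the live expiry with `sudo certbot certificates` or `openssl x509 -enddate -noout -in /etc/letsencrypt/live/pi.dlma.com/cert.pem`.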
Line 164: | Line 224: | ||
https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-nginx-in-ubuntu-16-04 | https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-nginx-in-ubuntu-16-04 | ||
- | Update /etc/nginx/sites-available accordingly | + | Update /etc/nginx/sites-available/default as per this [[https://www.nginx.com/blog/nginx-https-101-ssl-basics-getting-started/|Getting Started guide from Nginx]]. |
+ | |||
+ | server { | ||
+ | listen 80 default_server; | ||
+ | listen [::]:80 default_server; | ||
+ | server_name pi.dlma.com; | ||
+ | return 301 https://$server_name$request_uri; | ||
+ | } | ||
+ | |||
+ | server { | ||
+ | # SSL configuration | ||
+ | # | ||
+ | listen 443 ssl default_server; | ||
+ | listen [::]:443 ssl default_server; | ||
+ | |||
+ | ssl_certificate /etc/letsencrypt/live/pi.dlma.com/fullchain.pem; | ||
+ | ssl_certificate_key /etc/letsencrypt/live/pi.dlma.com/privkey.pem; | ||
+ | ssl_trusted_certificate /etc/letsencrypt/live/pi.dlma.com/chain.pem; | ||
+ | ... | ||
+ | |||
+ | **TODO**: Maybe figure out [[https://www.nginx.com/blog/nginx-https-101-ssl-basics-getting-started/|how to redirect http://wopr.dlma.com to https://wopr.dlma.com]]. | ||
+ | |||
+ | Then check and restart nginx: | ||
+ | |||
+ | $ sudo nginx -t | ||
+ | $ sudo systemctl restart nginx | ||
+ | |||
+ | **TODO**: Renew with ''certbot renew --quiet'' as per [[https://certbot.eff.org/#debianjessie-nginx|certbot]] or [[https://bjornjohansen.no/letsencrypt-nginx|manually]]. | ||
+ | |||
+ | ===== PiHole ===== | ||
+ | |||
+ | **Note**: I've currently got an incompatibility between PiHole and HTTPS redirecting. So I'm not using CertBot at the moment. Will have to figure that out. | ||
+ | |||
+ | PiHole connects to FTL over port 4711. If FTL were running, it'd have a logfile you could view like so: | ||
+ | |||
+ | <code bash> | ||
+ | $ cat /var/log/pihole-FTL.log | ||
+ | </code> | ||
+ | |||
+ | You could also do the following: | ||
+ | |||
+ | <code bash> | ||
+ | telnet 127.0.0.1 4711 | ||
+ | >stats | ||
+ | </code> | ||
+ | |||
+ | or | ||
+ | |||
+ | <code bash> | ||
+ | echo ">stats" | nc 127.0.0.1 4711 | ||
+ | </code> | ||
+ | |||
+ | If you can't connect, you can see which services are listening like so: | ||
+ | |||
+ | <code bash> | ||
+ | $ sudo netstat -tulpn | ||
+ | $ sudo netstat -tulpn | grep FTL | ||
+ | </code> | ||
+ | |||
+ | I eventually clued in to my problem here: | ||
+ | |||
+ | <code bash> | ||
+ | $ pihole-FTL running | ||
+ | FATAL: Opening of FTL log (/var/log/pihole-FTL.log) failed! | ||
+ | Make sure it exists and is writeable by user pi | ||
+ | raspberrypi:~$ ls -l /var/log/pihole* | ||
+ | -rw-r--r-- 1 pihole pihole 0 Nov 24 20:42 /var/log/pihole-FTL.log | ||
+ | -rw-r--r-- 1 pihole pihole 312 Sep 4 00:00 /var/log/pihole-FTL.log.1 | ||
+ | -rw-r----- 1 dnsmasq root 18538496 Nov 24 12:46 /var/log/pihole.log | ||
+ | -rw-r----- 1 dnsmasq root 15273984 Sep 12 00:00 /var/log/pihole.log.1 | ||
+ | ... | ||
+ | raspberrypi:~$ cat /var/log/pihole-FTL.log.1 | ||
+ | [2017-09-03 15:17:05.038] FATAL: Opening of /var/log/pihole.log failed! | ||
+ | [2017-09-03 15:17:05.038] Make sure it exists and is readable by user pihole | ||
+ | $ sudo chmod +r /var/log/pihole.log | ||
+ | $ sudo service pihole-FTL restart | ||
+ | $ sudo netstat -tulpn | grep FTL | ||
+ | tcp 0 0 127.0.0.1:4711 0.0.0.0:* LISTEN 11082/pihole-FTL | ||
+ | </code> | ||
+ | |||
+ | And eventually discovered that my actual problem was that my log2ram mount was full. After fixing /var/log, I still had to ask pihole to restart its DNS. | ||
+ | |||
+ | <code> | ||
+ | $ pihole restartdns | ||
+ | </code> | ||
+ | |||
+ | ==== Example PiHole API ==== | ||
+ | |||
+ | <code> | ||
+ | curl "http://pi.hole/admin/api.php?summary" | python -m json.tool | ||
+ | </code> | ||
- | **Note**: Maybe there's a --ngingx mod for certbot | + | Keywords: Lets Encrypt, LetsEncrypt, Hole |
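Review bot: the port-80 redirect `return 301 https://$server_name$request_uri;` sends every client to https://pi.dlma.com, because `$server_name` is the block's configured name, not the name the client asked for; that is why the wopr.dlma.com TODO exists, and since the block is `default_server` it also catches requests for http://pi.hole/admin, which is a likely cause of the noted "incompatibility between PiHole and HTTPS redirecting". Use `return 301 https://$host$request_uri;`, and since the certificate was issued for both names (`-d pi.dlma.com -d wopr.dlma.com`), set `server_name pi.dlma.com wopr.dlma.com;` in both blocks and give pi.hole its own un-redirected `server { listen 80; server_name pi.hole; ... }` block. Separately, `sudo chmod +r /var/log/pihole.log` makes the complete DNS query log of every client readable by any local user (it was `-rw-r----- dnsmasq root`); since the real cause turned out to be a full log2ram mount, revert that chmod, or if FTL genuinely needs the file grant it narrowly (group read via `chgrp pihole`, or `setfacl -m u:pihole:r`) rather than world-read. `ss -tulpn` is the equivalent of the `netstat -tulpn` check on systems without net-tools.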