Differences


raspberry-pi [2017/11/24 21:23]
dblume [Cert Bot]
raspberry-pi [2020/04/05 18:12] (current)
dblume
Line 67: Line 67:
 When there are problems, check for logs in ''/var/log/syslog'' or ''/var/log/messages''. When there are problems, check for logs in ''/var/log/syslog'' or ''/var/log/messages''.
  
-It turns out that log2ram does screw up nginx's ability to start on power-cycle. Maybe need something like the following...+I think we need to update ''/etc/systemd/system/log2ram.service'' to make log2ram come after nginx, like so... 
 + 
 +<file bash log2ram.service> 
 +[Unit] 
 +Description=Log2Ram 
 +DefaultDependencies=no 
 +Before=basic.target rsyslog.service syslog.target systemd-journald.service sysinit.target shutdown.target apache2.service nginx.service 
 +After=local-fs.target 
 +Conflicts=shutdown.target reboot.target halt.target 
 +RequiresMountsFor=/var/log /var/hdd.log 
 +IgnoreOnIsolate=yes 
 + 
 +[Service] 
 +Type=oneshot 
 +ExecStart= /usr/local/bin/log2ram start 
 +ExecStop= /usr/local/bin/log2ram stop 
 +ExecReload= /usr/local/bin/log2ram write 
 +RemainAfterExit=yes 
 + 
 +[Install] 
 +WantedBy=sysinit.target 
 +</file> 
 + 
 +Otherwise, it turns out that log2ram does screw up nginx's ability to start on power-cycle. Maybe need something like the following...
  
 <file bash todo_after_powercycle.sh> <file bash todo_after_powercycle.sh>
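Review bot: the prose on the changed line says the unit should make log2ram "come after nginx", but the unit itself lists `nginx.service` in `Before=` (with only `local-fs.target` in `After=`), so log2ram is ordered to start before nginx and to stop after it. That ordering is the right one, because nginx refuses to start when `/var/log/nginx` is missing from the freshly mounted tmpfs, so the sentence should read "come before nginx" rather than the unit being changed. Two smaller points: with `DefaultDependencies=no` and `WantedBy=sysinit.target`, nothing pulls the unit in until `systemctl daemon-reload` and `systemctl enable log2ram` have been run after editing the file, and the leading space in `ExecStart= /usr/local/bin/log2ram start` is accepted by systemd but reads like a typo.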
Line 168: Line 191:
  
    sudo crontab -e    sudo crontab -e
-   0 5 * * 0 certbot renew --post-hook "service nginx reload" >> /var/log/letsencrypt-renew.log+   0 5 * * 0 certbot renew --post-hook "service nginx reload" >> /home/pi/letsencrypt-renew.log
  
 <code> <code>
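Review bot: the `>>` redirect on the changed crontab line captures only stdout, so a failed renewal (certbot reports errors on stderr) leaves nothing in `/home/pi/letsencrypt-renew.log`; append `2>&1` so the log shows why a cert was not renewed, e.g. `0 5 * * 0 certbot renew --post-hook "service nginx reload" >> /home/pi/letsencrypt-renew.log 2>&1`. Since this is root's crontab, the file is created owned by root inside pi's home, which is fine for reading but worth knowing if it is later rotated or edited as pi. Moving the log out of `/var/log` is consistent with the log2ram change earlier on the page, since a tmpfs `/var/log` loses the history on a power-cycle.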
Line 191: Line 214:
 </code> </code>
  
-5. Port forward ports 80 and 443.  At the local router:+6. Port forward ports 80 and 443.  At the local router:
  
 http://router.asus.com/Advanced_VirtualServer_Content.asp http://router.asus.com/Advanced_VirtualServer_Content.asp
Line 197: Line 220:
 WAN -> Virtual Server / Port Forwarding WAN -> Virtual Server / Port Forwarding
  
-6. Update nginx+7. Update nginx
  
 https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-nginx-in-ubuntu-16-04 https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-nginx-in-ubuntu-16-04
Line 230: Line 253:
 **TODO**: Renew with ''certbot renew --quiet'' as per [[https://certbot.eff.org/#debianjessie-nginx|certbot]] or [[https://bjornjohansen.no/letsencrypt-nginx|manually]]. **TODO**: Renew with ''certbot renew --quiet'' as per [[https://certbot.eff.org/#debianjessie-nginx|certbot]] or [[https://bjornjohansen.no/letsencrypt-nginx|manually]].
  
 +===== Updating CertBot to use ACMEv2 =====
 +
 +Got an email from the EFF saying my current CertBot client uses ACMEv1 and it needs to be upgraded. Followed some instructions here:[[https://certbot.eff.org/lets-encrypt/debianother-nginx|Debian Jessie instructions from the EFF]].
 +
 +  sudo apt-get remove certbot
 +  wget https://dl.eff.org/certbot-auto
 +  sudo mv certbot-auto /usr/local/bin/certbot-auto
 +  sudo chown root /usr/local/bin/certbot-auto
 +  sudo chmod 0755 /usr/local/bin/certbot-auto
 +
 +But the next step (they suggested''sudo /usr/local/bin/certbot-auto certonly --nginx''), but I tried:
 +
 +  sudo /usr/local/bin/certbot-auto certonly --webroot -w /var/www/html -d pi.dlma.com -d wopr.dlma.com
 +  
 +is broken because it first  an apt-get and Jessie Backports is gone, and then because the pip installation failed Hash verification.
 +
 +==== Problem: Jessie Backports is gone. ====
 +
 +Follow the instructions here: [[https://www.lucas-nussbaum.net/blog/?p=947|Removal of Jessie-Updates and Jessie-Backports from Debian Mirrors]]
 +
 +Remove "<nowiki>deb http://ftp.debian.org/debian jessie-backports main</nowiki>" from ''/etc/apt/sources.list'' and add:
 +
 +  deb http://archive.debian.org/debian/ jessie-backports main contrib non-free
 +  deb-src http://archive.debian.org/debian/ jessie-backports main contrib non-free
 +
 +And then essentially (I did it with a sudo vim session):
 +
 +  echo 'Acquire::Check-Valid-Until no;' > /etc/apt/apt.conf.d/99no-check-valid-until
 +  
 +==== Problem pip install hash verification ====
 +
 +[[https://community.letsencrypt.org/t/certbot-auto-certificates-fails-while-installing-phyton-packages-with-these-packages-do-not-match-the-hashes/90363/5|Certbot fails when installing Python packages]]. This can be resolved by deleting the ''/etc/pip.conf'' file:
 +
 +<file bash /etc/pip.conf>
 +[global]
 +extra-index-url=https://www.piwheels.org/simple
 +</file>
 ===== PiHole ===== ===== PiHole =====
  
Line 245: Line 305:
 telnet 127.0.0.1 4711 telnet 127.0.0.1 4711
 >stats >stats
 +</code>
 +
 +or
 +
 +<code bash>
 +echo ">stats" | nc 127.0.0.1 4711
 </code> </code>
  
Line 275: Line 341:
 </code> </code>
  
 +And eventually discovered that my actual problem was that my log2ram mount was full. After fixing /var/log, I still had to ask pihole to restart its DNS.
 +
 +<code>
 +$ pihole restartdns
 +</code>
 +
 +==== Example PiHole API ====
 +
 +<code>
 +curl "http://pi.hole/admin/api.php?summary" | python -m json.tool
 +</code>
 +
 +===== New ACMEv2 Certbot overwrites /etc/nginx/sites-enabled/default =====
 +
 +We keep backups at ''~/etc_nginx_sites-enabled_default_pihole.backup''.
 +
 +  sudo service nginx restart
 +
 +===== Jessie or earlier: Add piwheels for fast Python pip installations =====
 +
 +If you're not installing Stretch or later, here's [[https://www.piwheels.hostedpi.com/|info on piwheels]]. Add the following to ''/etc/pip.conf'':
 +<file bash /etc/pip.conf>
 +[global]
 +extra-index-url=https://www.piwheels.org/simple
 +</file>
  
 +====== Keywords ======
  
-Keywords: Lets Encrypt, LetsEncrypt+Keywords: Lets Encrypt, LetsEncrypt, Hole
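Review bot: the "overwrites /etc/nginx/sites-enabled/default" section names the backup and restarts nginx but omits the restore step in between; add `sudo cp ~/etc_nginx_sites-enabled_default_pihole.backup /etc/nginx/sites-enabled/default` followed by `sudo nginx -t` so a bad file is caught before `service nginx restart` takes the site down. Running certbot-auto with `certonly --webroot`, as in the ACMEv2 section above, rather than the `--nginx` installer avoids the overwrite entirely, since certonly does not edit nginx config. The new piwheels section tells readers to add `/etc/pip.conf` while the ACMEv2 section tells them to delete the same file to cure certbot-auto's hash failures; a cross-reference between the two would save the next person that debugging loop. Minor: `====== Keywords ======` is a level-1 heading while the rest of the page uses `=====`, and "Hole" in the keyword list presumably means "Pi-hole".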
raspberry-pi.1511587403.txt.gz · Last modified: 2017/11/24 21:23 by dblume
 
Recent changes RSS feed Driven by DokuWiki