[BlueOnyx:24844] Re: EasyMigrate question

Michael Stauber mstauber at blueonyx.it
Tue Mar 23 11:45:15 -05 2021


Hi Jeff,

> This time around, got all sites migrated, changed the server IP,
> MassIPChange’d all the sites. Had to make some corrections to index
> files in /web to get a couple sites working again. Working.

Very well.

> Moving on to a LetsEncrypt cert for the server - Clicked the button, and
> it looked like it was doing its thing, then admserv dies.
> 
> lets encrypt log shows many verification and sleeps, then failed. This
> log entry is odd:
> [Tue Mar 23 10:55:40 CDT 2021] box1.qzoneinc.net:Verify error:During secondary validation: DNS problem: query timed out looking up CAA for box1.qzoneinc.net

Could it be that qzoneinc.net has a DNS CAA record that doesn't allow
usage of Let's Encrypt as CA authority?

Other than that it could indeed be a DNS lookup issue.

> Anyway, I need some help trying to get admserv back up. When I try
> emptying the /etc/admserv/certs directory, it appears admserv is
> running, but a browser can’t connect.

To shake that situation loose you can do this:

rm -R /etc/admserv/certs/
mkdir /etc/admserv/certs/

Then restart CCEd to let it regenerate a self signed SSL certificate for
the GUI:

/usr/sausalito/sbin/cced.init restart

Restart AdmServ:

systemctl restart admserv

Check if AdmServ is running:

systemctl status admserv

Normally it now should be running *and* have the self signed
certificate. BUT: It could also be that it shows this error:

[root@alma admserv]# systemctl restart admserv
Job for admserv.service failed because the service did not take the steps required by its unit configuration.
See "systemctl status admserv.service" and "journalctl -xe" for details.
[root@alma admserv]# systemctl status admserv
● admserv.service - SYSV: Apache is a World Wide Web server.  It is used to serve HTML files and CGI.
   Loaded: loaded (/etc/rc.d/init.d/admserv; generated)
   Active: failed (Result: protocol) since Tue 2021-03-23 11:38:26 -05; 5s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 3717925 ExecStart=/etc/rc.d/init.d/admserv start (code=exited, status=0/SUCCESS)
 Main PID: 11727 (code=exited, status=1/FAILURE)

Mär 23 11:38:26 alma.smd.net systemd[1]: Starting SYSV: Apache is a World Wide Web server.  It is used to serve HTML files and CGI....
Mär 23 11:38:26 alma.smd.net admserv[3717925]: Starting admin web server: AH00526: Syntax error on line 55 of /etc/admserv/conf.d/ssl.conf:
Mär 23 11:38:26 alma.smd.net admserv[3717925]: SSLCACertificateFile: file '/etc/admserv/certs/ca-certs' does not exist or is empty
Mär 23 11:38:26 alma.smd.net admserv[3717925]: [FAILED]


As you can see the problem is this:

Syntax error on line 55 of /etc/admserv/conf.d/ssl.conf
SSLCACertificateFile: file '/etc/admserv/certs/ca-certs' does not exist or is empty

The self signed SSL certificate doesn't have CA-Certs, but our
/etc/admserv/conf.d/ssl.conf still has an entry that calls for their
presence.

The fix: Edit /etc/admserv/conf.d/ssl.conf and remove this line:

SSLCACertificateFile /etc/admserv/certs/ca-certs

That allows you to then restart Admserv again:

systemctl restart admserv

-- 
With best regards

Michael Stauber
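
Added example, not part of the original message and not BlueOnyx code: a pre-restart check for the failure shown above, listing SSL file directives in an Apache-style config that point at a missing or empty file. It assumes absolute paths without spaces; the function names and the `certificate` and `key` file names in the constructed sample are hypothetical.

```shell
#!/bin/sh
# Added example (not BlueOnyx code). Lists SSL*File directives whose target
# is missing or empty, the condition behind the AH00526 error in this thread.
# Assumption: paths are absolute and contain no spaces.

# check_ssl_files CONF -> prints one finding per line.
# Returns 0 = clean, 1 = findings, 2 = config unreadable.
# Directive names are matched case-insensitively; commented-out lines never
# match because their first field starts with a hash sign.
check_ssl_files() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    findings=$(
        awk 'NF >= 2 && tolower($1) ~ /^ssl(certificate|certificatekey|certificatechain|cacertificate)file$/ {
                path = $2; gsub(/"/, "", path); print NR, $1, path
            }' "$conf" |
        while read -r lineno directive path; do
            if [ ! -e "$path" ]; then
                echo "$conf:$lineno: $directive $path (missing)"
            elif [ ! -s "$path" ]; then
                echo "$conf:$lineno: $directive $path (empty)"
            fi
        done
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample: certificate and key exist, ca-certs is empty, as with a
# regenerated self-signed certificate that has no CA chain.
make_sample() {
    dir=$1
    mkdir -p "$dir/certs"
    echo "constructed cert" > "$dir/certs/certificate"
    echo "constructed key" > "$dir/certs/key"
    : > "$dir/certs/ca-certs"
    cat > "$dir/ssl.conf" <<EOF
# constructed sample
SSLEngine on
SSLCertificateFile $dir/certs/certificate
SSLCertificateKeyFile $dir/certs/key
  SSLCACertificateFile "$dir/certs/ca-certs"
#SSLCertificateChainFile $dir/certs/absent
EOF
}

# Usage: sh check_ssl_files.sh /etc/admserv/conf.d/ssl.conf
[ "$#" -eq 0 ] || check_ssl_files "$1"
```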


