[tech] Sorting out webservers and member domains
Matt Johnston
matt at ucc.asn.au
Tue Apr 23 15:18:41 AWST 2019
Hi all,
Donsuth pointed out that https://dthornton.ucc.asn.au wasn't working. It turns out mussel /etc/apache2/sites-enabled/members.conf had been replaced with a local copy dated 14 April, so member domains since then would have had problems.
For future reference the ideal steps to fix it are:
mussel# mv /etc/apache2/sites-enabled/members.conf /etc/apache2/sites-enabled/members.conf.old   # move the stray local copy aside; the destination name is assumed, the post omitted it
mussel# ln -s /home/other/www/members.conf /etc/apache2/sites-enabled/members.conf
mussel# service apache2 restart
mussel# /home/wheel/bin/acmemembers.py
# remake members.conf with new domain ssl certs uncommented
mooneye# cd /etc/bind9/domains/primary
mooneye# ./zonemake.py
mussel# service apache2 restart
mussel# service apache2 restart # again for good measure.
There were a couple of gotchas though. User dragonxdoom is now donsuth, but /etc/passwd on mooneye still had dragonxdoom. That made mussel unhappy restarting. I fixed that and ran
mooneye# cd /etc/bind9/domains/primary
mooneye# ./zonemake.py
mooneye# rndc reload
mussel# service apache2 restart
But now acmemembers.py fails:
20190423145424 [ERROR] acme.storageops: could not obtain authorization for donsuth.ucc.asn.au: failed all combinations
With a bit more investigation it looks like the ns?.he.net secondary DNS servers don't update domains immediately (mooneye sends them a DNS NOTIFY when the config changes, they must ignore it). So until the change TTL expires (an hour or so) I've commented out donsuth.ucc.asn.au from members.conf - sorry Donald!
Rerun:
mussel# /home/wheel/bin/acmemembers.py
mooneye# cd /etc/bind9/domains/primary
mooneye# ./zonemake.py
mussel# service apache2 restart
And now https://dthornton.ucc.asn.au works fine, hooray.
Maybe someone should sort out that *.ucc.asn.au letsencrypt wildcard :)
Matt
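Two pre-flight checks for the procedure above, added here as example code that is not part of Matt's post: the first confirms the live members.conf is the canonical symlink rather than a stray local copy, the second compares the SOA serial the primary serves with what each secondary returns, so acmemembers.py is not run while the secondaries still serve the old zone. The secondary hostnames, the primary nameserver argument and the zone name are placeholders, not values from the post.

```shell
#!/bin/sh
# Added pre-flight checks for the member-domain fix; not from the post.
# Paths are the ones the post names; the secondary list is a placeholder.
CANONICAL=/home/other/www/members.conf
LIVE=/etc/apache2/sites-enabled/members.conf
SECONDARIES="${SECONDARIES:-ns-secondary-1.example.invalid ns-secondary-2.example.invalid}"

# Returns 0 when $1 is a symlink resolving to $2, 1 when it is a regular file
# (the "local copy" failure in the post), 2 when it is a link to somewhere else.
check_members_symlink() {
    live=$1; canonical=$2
    [ -L "$live" ] || return 1
    [ "$(readlink -f "$live")" = "$(readlink -f "$canonical")" ] && return 0
    return 2
}

# Takes the primary's SOA serial, then one serial per secondary. Prints each
# lagging serial and returns the number of secondaries that lag (0 = in sync).
serials_in_sync() {
    primary=$1; shift
    lagging=0
    for s in "$@"; do
        if [ "$s" != "$primary" ]; then
            echo "secondary serial $s != primary $primary"
            lagging=$((lagging + 1))
        fi
    done
    return "$lagging"
}

# SOA serial a nameserver returns for a zone (needs dig and network; the
# offline checks above never call this).
soa_serial() {
    dig +short @"$1" "$2" SOA | awk '{ print $3 }'
}

# Wrapper for the live boxes: run before acmemembers.py so the ACME challenge
# is not attempted while the secondaries still answer with the old zone.
# Usage: preflight <zone> <primary nameserver>   (both assumed arguments)
preflight() {
    zone=$1; primary_ns=$2
    check_members_symlink "$LIVE" "$CANONICAL" || { echo "members.conf is not the canonical symlink"; return 1; }
    p=$(soa_serial "$primary_ns" "$zone")
    set --
    for ns in $SECONDARIES; do set -- "$@" "$(soa_serial "$ns" "$zone")"; done
    serials_in_sync "$p" "$@"
}
```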