[tech] Sorting out webservers and member domains

Matt Johnston matt at ucc.asn.au
Tue Apr 23 15:18:41 AWST 2019


Hi all,

Donsuth pointed out that https://dthornton.ucc.asn.au wasn't working. It turns out mussel /etc/apache2/sites-enabled/members.conf had been replaced with a local copy dated 14 April, so member domains since then would have had problems. 

For future reference the ideal steps to fix it are:

  mussel# mv /etc/apache2/sites-enabled/members.conf
  mussel# ln -s /home/other/www/members.conf /etc/apache2/sites-enabled/members.conf
  mussel# service apache2 restart
  mussel# /home/wheel/bin/acmemembers.py

  # remake members.conf with new domain ssl certs uncommented
  mooneye# cd /etc/bind9/domains/primary
  mooneye# ./zonemake.py
  mussel# service apache2 restart

  mussel# service apache2 restart    # again for good measure.


There were a couple of gotchas though. User dragonxdoom is now donsuth, but /etc/passwd on mooneye still had dragonxdoom. That made mussel unhappy restarting. I fixed that and ran

  mooneye# cd /etc/bind9/domains/primary
  mooneye# ./zonemake.py
  mooneye# rndc reload
  mussel# service apache2 restart

But now acmemembers.py fails:

20190423145424 [ERROR] acme.storageops: could not obtain authorization for donsuth.ucc.asn.au: failed all combinations

With a bit more investigation it looks like the ns?.he.net secondary DNS servers don't update domains immediately (mooneye sends them a DNS NOTIFY when the config changes, they must ignore it). So until the change TTL expires (an hour or so) I've commented out donsuth.ucc.asn.au from members.conf - sorry Donald!

Rerun:
  mussel# /home/wheel/bin/acmemembers.py
  mooneye# cd /etc/bind9/domains/primary
  mooneye# ./zonemake.py
  mussel# service apache2 restart


And now https://dthornton.ucc.asn.au works fine, hooray.

Maybe someone should sort out that *.ucc.asn.au letsencrypt wildcard :)

Matt
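Both failures in this mail (the symlink silently replaced by a stale local copy, and the ACME challenge failing because the he.net secondaries had not yet picked up the new zone) are things a pre-flight check could catch before acmemembers.py runs. The script below is an added example, not something from the mail or the UCC wheel tools: it checks that the sites-enabled file is still a symlink to the canonical members.conf, and that every nameserver returns the same answer for a member domain before the ACME step is attempted. The paths come from the mail; the nameserver hostnames (mooneye.ucc.asn.au as the primary, ns2.he.net and ns3.he.net as the secondaries) and the `--run` flag are assumptions.

```shell
#!/bin/sh
# Pre-flight checks before running /home/wheel/bin/acmemembers.py.
# Added example; the server names passed to dns_consistent are assumed.

# check_symlink LINK TARGET: succeed only if LINK is a symlink resolving to TARGET.
# A plain file here is exactly the failure mode in the mail: a local copy that drifts.
check_symlink() {
    link=$1; target=$2
    if [ ! -L "$link" ]; then
        echo "WARN: $link is not a symlink (a local copy will drift from $target)" >&2
        return 1
    fi
    actual=$(readlink "$link")
    if [ "$actual" != "$target" ]; then
        echo "WARN: $link points at $actual, expected $target" >&2
        return 1
    fi
    return 0
}

# lookup SERVER NAME: print the A record(s) for NAME as answered by SERVER.
# Uses dig; redefine this function to test without network access.
lookup() {
    dig +short "@$1" "$2" A
}

# dns_consistent NAME SERVER...: succeed when every server gives the same
# non-empty answer for NAME. A secondary that ignored the NOTIFY shows up here
# as an empty or differing answer, which is what made the ACME challenge fail.
dns_consistent() {
    name=$1; shift
    ref=""
    for ns in "$@"; do
        ans=$(lookup "$ns" "$name" | sort | tr '\n' ' ')
        if [ -z "$ans" ]; then
            echo "WARN: $ns has no answer for $name yet" >&2
            return 1
        fi
        if [ -z "$ref" ]; then
            ref=$ans
        elif [ "$ans" != "$ref" ]; then
            echo "WARN: $ns answers '$ans' but the first server answered '$ref' for $name" >&2
            return 1
        fi
    done
    return 0
}

# Run as a script with --run: stop before the ACME step if either check fails.
# (Assumed invocation; hostnames below are assumptions, not from the mail.)
if [ "${1:-}" = "--run" ]; then
    check_symlink /etc/apache2/sites-enabled/members.conf /home/other/www/members.conf || exit 1
    dns_consistent "${2:-donsuth.ucc.asn.au}" mooneye.ucc.asn.au ns2.he.net ns3.he.net || exit 1
    echo "pre-flight OK, safe to run /home/wheel/bin/acmemembers.py"
fi
```

Run it as `sh preflight.sh --run newmember.ucc.asn.au` after zonemake.py and `rndc reload`; if the secondaries are still stale it exits non-zero and the domain can be left commented out in members.conf until the check passes, rather than discovering the problem from the acme.storageops error.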



