Topic: server-manager Failure After 9 Install and Restore

[ylluminate]

Having some real headaches here after I installed 9 and performed a restore from the USB backup.  Whenever I attempt to hit the `/server-manager` now, I end up not getting a connection to the server via https and http just get's refused.  I'm not seeing any appreciable errors in /var/log/httpd-admin or /var/log/httpd except that in httpd log folder there is the following continually repeating in the error_log:

Code: [Select]

[Sat Sep 13 16:55:42 2014] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Sat Sep 13 16:55:42 2014] [warn] RSA server certificate CommonName (CN) `gateway.sub.domain.tld' does NOT match server name!?
[Sat Sep 13 16:55:42 2014] [error] Illegal attempt to re-initialise SSL for server (theoretically shouldn't happen!)

If I do it also as root on localhost I also get:

Code: [Select]

Unable to retrieve http://localhost/server-manager:
Connection refused
[ OK ]

One other odd thing I noted is that I cannot log in as admin now directly.  I have to ssh in as root and then su to admin to get the admin menu system.  Not a big deal, but wanted to make sure that it is not another issue going on.

The main problem, obviously, is no longer being able to get into `server-manager` and I need to get this resolved as soon as possible.

[Stefano]

this should not happen.. please raise a bug asap, with all the details needed to describe what you did and how you did it

thank you

[guest22]

The main problem, obviously, is no longer being able to get into `server-manager` and I need to get this resolved as soon as possible.

Try regenerating the certificates after restore.

http://wiki.contribs.org/Certificates_Concepts

Stefano is right, it should not happen. But I sense that it is expected that staff should be able to work this Monday morning.

[ylluminate]

@RequestedDeletion, this was using the stock cert that came with the 8.x installation a few years ago.  What steps, as per those instructions, do I follow to simply recreate the cert for sme server?  So far, upon following the first set of steps I found that I continue getting the same error so I figured I should get some clarification here.

[guest22]

I guess you can reach the console and login as root?

Then follow these steps: http://wiki.contribs.org/Certificates_Concepts#How_to_change_your_certificate

[guest22]

This one looks a bit the same...

http://bugs.contribs.org/show_bug.cgi?id=5022

[ylluminate]

@Stefano: As per your request, created here.  Unfortunately I am on a time limit with this server and will have to reinstall and manually reconfigure this server within the next couple of hours due to needing to have it back in production by this evening, so whatever logs or other information that may be needed to squash this bug, please let me know sooner than later since I have to move forward with this machine in some fashion to have it back up.

@RequestedDeletion: that is what I did and it did not seem to resolve the issue.

[guest22]

Your certificates are wrong and that is being detected. Hence ssl access is being refused. Can you access server manager via the console application?

[ylluminate]

@RequestedDeletion: unfortunately no, console is likewise refused as per explained in my initial post.

[guest22]

Do the listing of /home/e-smith/ssl* directories tell you something?

[guest22]

sorry, together with the command 'config show DomainName'

[guest22]

What if you do (after changing certificates)

expand-template /etc/httpd/conf/httpd.conf

and then restart apache

service httpd-e-smith restart
service httpd-admin restart

?

edit: typo

[ylluminate]

@RequestedDeletion: So here is what I have done and the results:

$ config setprop modSSL CommonName gateway.sub.domain.tld
$ expand-template /home/e-smith/ssl.crt/crt
$ expand-template /home/e-smith/ssl.key/key
$ signal-event domain-modify
$ signal-event email-update
$ config show DomainName
    Output: DomainName=sub.domain.tld

$ expand-template /etc/httpd/conf/httpd.conf
$ service e-smith restart
    Output: e-smith: unrecognized service

$ service httpd-admin restart
    Output: Restarting httpd-admin                                     [  OK  ]

$ su admin
    Output: Elinks starts request for https://gateway/server-manager   
    Output: Unable to retrieve http://localhost/server-manager: Connection refused
    # Same happens for `localhost` in place of `gateway` when `elinks` manually executed as root.

[guest22]

$ service e-smith restart
    Output: e-smith: unrecognized service

That was my bad.

[guest22]

$ config setprop modSSL CommonName gateway.sub.domain.tld
$ config show DomainName
    Output: DomainName=sub.domain.tld

These domains are not the same...

[ylluminate]

These domains are not the same...

No?  I thought that we were setting the cert for the host and then this was showing the domain of the host, ie:  `gateway` is the server / host name and `sub.domain.tld` is the domain and therefore this is right...

[guest22]

Try the certification without the "gateway" according the wiki steps

[ylluminate]

Try the certification without the "gateway" according the wiki steps

Okay, so after doing as instructed I have the same exact result except with the output you expected for the show domain.

[guest22]

Ok, then I must be fair to say to you that I myself am out of options on this one.

I hope someone else will kick in to try to assist.

Good luck.

[ylluminate]

@Stefano & @RequestedDeletion: if I can't get this resolved here shortly and have to proceed with a fresh reinstall + manual reconfig, how do I lift out old configs such as port forwards and dns name / dhcp ip lease assignments?  Is this in mysql or in a text file or flat db somewhere?  I was hunting a bit, but found nothing more than log entries so far for some of the hostname assignments.

[guest22]

config show > mysetings.txt

will be a start on that. Obviously the file mysettings.txt needs to be copied off the server

[ReetP]

@Stefano & @RequestedDeletion: if I can't get this resolved here shortly and have to proceed with a fresh reinstall + manual reconfig, how do I lift out old configs such as port forwards and dns name / dhcp ip lease assignments?  Is this in mysql or in a text file or flat db somewhere?  I was hunting a bit, but found nothing more than log entries so far for some of the hostname assignments.

As per HSF above, most settings should be stored in text files in /home/e-smith/db

However, you CANNOT just copy those over and expect them to work - but you can use them for reference.

A shame we can't get to the bottom of this is your time frame - might have been better if you had reported all of the info on the bug tracker as some devs don't read much in here.

If you keep your original backup, is there a chance that you can try and restore to a test server to try and replicate the issue so it can be looked at ? If so, follow up with a précis of the notes here on your bug.

B. Rgds
John

[ylluminate]

Thanks guys.  That is exactly what I needed.  I have perhaps another hour here before I have to dig in... I'll try whatever else I can before I have to plow it over if I get some more requests for things to try.  I certainly would like to resolve the bug as it is most definitely a hassle to reconfig, but obviously a necessity with the time constraints.

[ylluminate]

*** OOPS *** I spoke too soon. 

`config show` does not seem to output MAC address -> IP and hostname + port forwarding assignments.  I can dig about the db, but wanted to note that this does not print those.

[guest22]

*** OOPS *** I spoke too soon. 

`config show` does not seem to output MAC address -> IP and hostname + port forwarding assignments.  I can dig about the db, but wanted to note that this does not print those.

Mac Addresses are only used as an unique identifier by UDEV when SME Server boots. SME Serevr itself will no longer keep track of them

iptables -L > mynetwork.txt

will list your networking part

[CharlieBrady]

$ config setprop modSSL CommonName gateway.sub.domain.tld

Why did you do that step? That's not usually done, and could be the cause of at least some of your problems.

[CharlieBrady]

You have at least two problems. One is the 'admin' login problem, and the other is the SSL certificate problem with apache.

[CharlieBrady]

@RequestedDeletion, this was using the stock cert that came with the 8.x installation a few years ago.

I think that's unlikely. SME server never used a CA certificate for its self-signed cert.

What steps, as per those instructions, do I follow to simply recreate the cert for sme server?

rm /home/e-smith/ssl.{crt,key,pem}/*
config delprop modSSL CommonName
config delprop modSSL crt
config delprop modSSL key
signal-event post-upgrade
signal-event reboot