Posts

Ispconfig3 certbot is not renewing certificates (Ubuntu 20)

When creating a new site, a valid certificate was issued, but the certificates were never renewed when they expired. On investigation, /etc/letsencrypt was missing the usual subfolders, such as live.

It turned out the server had both acme.sh and certbot installed. The solution was to remove certbot. Check whether the directory /root/.acme.sh exists and inspect its contents.

apt remove certbot
ispconfig_update.sh --force

Then in Ispconfig go to Tools -> Sync, select Web sites and the server you just removed certbot from.

apt update error message “Could not execute ‘apt-key’ to verify signature”

It turned out the reason for this was changed permissions on the /tmp folder (caused by restoring a folder with BackupPC to /tmp instead of its original location).

Solution:

chown root:root /tmp
chmod 1777 /tmp

After this apt update worked as normal.

/etc/cron.daily/amavisd-new: Please run this cronjob as user amavis

After a system update I started to receive cron messages saying “/etc/cron.daily/amavisd-new: Please run this cronjob as user amavis”.

It turns out that this happens because the cron script is replaced by a new one located in /etc/cron.d, and the one in /etc/cron.daily is left behind, giving this error message.

Solution: After checking that the new script exists in /etc/cron.d, just delete /etc/cron.daily/amavisd-new

More information about this here (bug report).

APS package installation_task stuck in ISPConfig3

When trying to install an APS package on an ISPConfig3 system, the package was never installed and the status “installation_task” remained for the site on which I tried to install the package.

Investigating /var/log/ispconfig/cron.log revealed:

PHP Fatal error: Uncaught Error: Call to undefined function curl_init() in /usr/local/ispconfig/server/lib/classes/aps_installer.inc.php:627

This problem can occur when curl is not installed on the target server, but that was not the problem in this case.

The server had been upgraded to Ubuntu 16.05 which runs PHP 7.0 instead of PHP 5. Curl was installed but the problem was that php7.0-curl was missing. The problem was resolved by:

sudo apt-get install php7.0-curl

The next issue that occurred according to the logs was:

PHP Fatal error: Uncaught Error: Class 'ZipArchive' not found in /usr/local/ispconfig/server/lib/classes/aps_installer.inc.php:106

This problem was resolved by:

sudo apt-get install php7.0-zip

After this nothing more had to be done. The ISPConfig cron now successfully installed the APS package automatically.

Ubuntu 14.04, 16.04 and 17.04 Unity, Dash and Launcher missing

You may end up missing the menu etc. in Ubuntu 14.04, 16.04 and 17.04, i.e. you only see the desktop and nothing more, and you can’t even restart the machine.

It can be resolved like this:

  • Right click on the desktop and select “Start a new terminal”
  • In the terminal window run the following commands:
    sudo apt-get update
    sudo apt-get install --reinstall ubuntu-desktop
    sudo apt-get install --reinstall unity
    sudo shutdown -r now

 

Meltdown and Spectre vulnerabilities – what to do?

Meltdown and Spectre are two vulnerabilities present in hardware making it potentially possible for programs to steal information, like passwords etc.

Meltdown affects only Intel processors while Spectre, which is more complex, also partly affects AMD and ARM based processors.

It is not yet known if these vulnerabilities have been exploited by anyone. They can affect personal computers, servers, tablets and mobile phones, i.e. more or less any device containing a processor.

More information on: https://spectreattack.com/

What can you do?

  • Check your operating system for updates in the upcoming weeks (this is normal good security practice, but make sure you do it frequently)
  • Install and update your virus protection. Even if the antivirus program can’t protect you from the attack, it might be able to inform you that your device has malicious code on board

You can find security bulletins, security advisories, FAQs etc. for your operating system here: https://meltdownattack.com/#faq-advisory

High load on CPU and disk I/O every hour (Apache, MySQL and mod_pagespeed on Ubuntu)

On one of my Ubuntu servers I noticed a significant peak in CPU load (load average, LA) and disk I/O about every hour. At first, I suspected that MySQL was the cause of this, doing some housekeeping or garbage cleaning.

However, it turned out it was caused by the Apache module mod_pagespeed. The high load occurred when pagespeed was cleaning out its cache.

The solution was to locate the cache on tmpfs instead. This was done by editing the file /etc/apache2/mods-available/pagespeed.conf and changing the location of the cache with the following line (/run is located on tmpfs, which is RAM):

ModPagespeedFileCachePath "/run/cache/mod_pagespeed/"

Then restart Apache by:

service apache2 restart

Ispconfig3 php5-fpm Error 500 Internal server error

When trying to change a client website on an Ispconfig3 host from Fast-CGI to PHP-FPM, the page just gave Error 500 Internal server error. Investigating the site error log showed lines like:

[Sat Oct 22 10:39:56 2016] [error] [client xx.xx.xx.xx] (2)No such file or directory: FastCGI: failed to connect to server "/var/www/clients/client6/web447/cgi-bin/php5-fcgi-*-80-domain.xx": connect() failed
[Sat Oct 22 10:39:56 2016] [error] [client xx.xx.xx.xx] FastCGI: incomplete headers (0 bytes) received from server "/var/www/clients/client6/web447/cgi-bin/php5-fcgi-*-80-domain.xx"

Checking the status of PHP-FPM by the command:

service php5-fpm status

gave the result “not running”.

Investigating the PHP-log file, /var/log/php5-fpm.log, displayed lines like:

[22-Oct-2016 10:34:53] ERROR: [pool web405] cannot get uid for user 'web405'
[22-Oct-2016 10:34:53] ERROR: FPM initialization failed

However, the site with id 405 and user web405 no longer existed on the server, and its pool had been left behind by Ispconfig3 for unknown reasons.

The solution was to manually remove the file /etc/php5/fpm/pool.d/web405.conf and then:

service php5-fpm restart
service apache2 restart
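
A check for the failure described above, as an added example that is not part of the original post or of Ispconfig3: it lists every pool file whose "user =" account no longer exists, which is the condition that stops PHP-FPM from starting. The function names are hypothetical; the default directory is the one named in the post.

```shell
#!/bin/sh
# Added example: find PHP-FPM pool files that reference a deleted account.
# pool_user and find_orphaned_pools are hypothetical helper names.

# Print the value of the first "user = name" directive in a pool file.
pool_user() {
    sed -n 's/^[[:space:]]*user[[:space:]]*=[[:space:]]*\([^[:space:];]*\).*/\1/p' "$1" | head -n 1
}

# Print one line per orphaned pool: "<file> <user>".
# $1 is the pool directory (defaults to the path used in the post).
find_orphaned_pools() {
    dir=${1:-/etc/php5/fpm/pool.d}
    for conf in "$dir"/*.conf; do
        [ -f "$conf" ] || continue          # glob matched nothing
        user=$(pool_user "$conf")
        [ -n "$user" ] || continue          # no user directive in this file
        # id fails for an unknown account; that is the same lookup that
        # produces "cannot get uid for user" in php5-fpm.log.
        if ! id -u "$user" >/dev/null 2>&1; then
            printf '%s %s\n' "$conf" "$user"
        fi
    done
}

# Usage: find_orphaned_pools /etc/php5/fpm/pool.d
```

Each reported file can then be reviewed and removed as described above before restarting php5-fpm.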

postgrey whitelisting outlook.com

Greylisting is a way of reducing the amount of incoming spam and virus emails, in addition to other countermeasures. Postgrey is a good choice if you are running postfix.

However, to be able to receive emails from senders using outlook.com you need to whitelist it. This is because outlook.com uses a different host on each attempt to deliver the mail, causing delays of up to hours or days, or the mail not being delivered at all within the time limits.

Create/edit the file /etc/postgrey/whitelist_clients.local and add:

# outlook.com
/^.*\.outbound\.protection\.outlook\.com$/
/^.*\.prod\.outlook\.com$/

Then execute:

service postgrey reload

Edit December 2021: The rule is changed from /^mail-.*\.outbound\.protection\.outlook\.com$/ to /^.*\.outbound\.protection\.outlook\.com$/ as Microsoft has changed their server naming standard.
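
The effect of the rule change, as an added example that is not part of the original post: it runs the old and the new rule against constructed client hostnames and shows that the trailing $ anchor keeps look-alike names from other domains out of the whitelist. grep -E stands in for postgrey's own regex matching (the two patterns read the same in both dialects); the function names and hostnames are made up for the illustration.

```shell
#!/bin/sh
# Added example: compare the old and new whitelist rules from the post.
# rule_matches and classify_host are hypothetical helper names.

OLD_RULE='^mail-.*\.outbound\.protection\.outlook\.com$'
NEW_RULE='^.*\.outbound\.protection\.outlook\.com$'

# Exit 0 when hostname $2 matches rule $1.
rule_matches() {
    printf '%s\n' "$2" | grep -Eq -- "$1"
}

# Print "old=<yes|no> new=<yes|no>" for one hostname.
classify_host() {
    old=no; new=no
    rule_matches "$OLD_RULE" "$1" && old=yes
    rule_matches "$NEW_RULE" "$1" && new=yes
    printf 'old=%s new=%s\n' "$old" "$new"
}

# Constructed sample hostnames (not taken from real mail logs):
# old naming, new naming, and two names that merely contain the string.
for h in \
    mail-ab1cd2.outbound.protection.outlook.com \
    ab1-cd2-obe.outbound.protection.outlook.com \
    outbound.protection.outlook.com.mail.example.net \
    mail.outbound-protection-outlook.com.example.net
do
    printf '%-52s %s\n' "$h" "$(classify_host "$h")"
done
```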