You may use postgresql12 (12.0) instead of old postgres94 (9.4) that’s not supported anymore. At the time I wrote the howto there was no nethserver-postgresql12 module.
To install postgresql12:
yum install nethserver-postgresql12
To connect to it for creating the database (uses port 55434):
su - postgres -c 'scl enable rh-postgresql94 -- psql -p 55432'
psql (9.4.14)
[root@tank ~]# su - postgres -c 'scl enable rh-postgresql12 -- psql -p 55432'
psql (12.1, server 9.4.14)
connecting to the db with rh-postgres94 after i installed 12? dropped and rebuilt the db with rh-postgres12. ran the remaining commands - again without any issues. starting the services give me the same result…
what about that?
Oct 02 00:05:52 xxx gunicorn[10982]: import uvloop
Oct 02 00:05:52 xxx gunicorn[10982]: ModuleNotFoundError: No module named ‘uvloop’
maybe i can find something else… if not… then ill try 0.20.1
ps: dunno if its related, had a error msg on the cert page requesting the funkhale cert
{
“pid”: 3304,
“status”: “failed”,
“event”: “certificate-update”
}
but the cert got added to the list…
added uvloop and httptools to the pip install command. now the server is starting up. celery worker is still refusing… dont see anything meaningful at the moment…
I need to recheck, from the howto it should work as .well-known/acme-challenge is excluded for letsencrypt in the virtualhost.
To workaround the cert issue you may move away /etc/httpd/conf.d/zzz_funkwhale.conf, reload httpd and request the cert, then move the conf file back and reload httpd.
did that. requesting the cert worked without a error. still get the server error tough. its taking the default cert. is that on purpose that you are adding another virtualhost 80 and leaving the orig one? thats what mine looks like after the sed command
<VirtualHost *:80>
ServerName ${funkwhale-sn}
RedirectMatch 301 ^(?!/.well-known/acme-challenge/).* https://${funkwhale-sn}
</VirtualHost>
# HTTP requests redirected to HTTPS
<VirtualHost *:80>
ServerName ${funkwhale-sn}
# Default is to force https
RewriteEngine on
RewriteCond %{SERVER_NAME} =${funkwhale-sn}
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
<Location "/.well-known/acme-challenge/">
Options None
Require all granted
</Location>
</VirtualHost>
that was just a portion of the file. thats the entire content
# Following variables MUST be modified according to your setup
Define funkwhale-sn amp.domain.org
# Following variables should be modified according to your setup and if you
# use different configuration than what is described in our installation guide.
Define funkwhale-api http://localhost:5000
Define funkwhale-api-ws ws://localhost:5000
Define FUNKWHALE_ROOT_PATH /srv/funkwhale
Define MUSIC_DIRECTORY_PATH ${FUNKWHALE_ROOT_PATH}/data/music
Define MEDIA_DIRECTORY_PATH ${FUNKWHALE_ROOT_PATH}/data/media
<VirtualHost *:80>
ServerName ${funkwhale-sn}
RedirectMatch 301 ^(?!/.well-known/acme-challenge/).* https://${funkwhale-sn}
</VirtualHost>
# HTTP requests redirected to HTTPS
<VirtualHost *:80>
ServerName ${funkwhale-sn}
# Default is to force https
RewriteEngine on
RewriteCond %{SERVER_NAME} =${funkwhale-sn}
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
<Location "/.well-known/acme-challenge/">
Options None
Require all granted
</Location>
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName ${funkwhale-sn}
# Path to ErrorLog and access log
# ErrorLog ${APACHE_LOG_DIR}/funkwhale/error.log
# CustomLog ${APACHE_LOG_DIR}/funkwhale/access.log combined
# TLS
# Feel free to use your own configuration for SSL here or simply remove the
# lines and move the configuration to the previous server block if you
# don't want to run funkwhale behind https (this is not recommended)
# have a look here for let's encrypt configuration:
# https://certbot.eff.org/lets-encrypt/debianstretch-apache.html
SSLEngine on
SSLProxyEngine On
# SSLCertificateFile /etc/letsencrypt/live/${funkwhale-sn}/fullchain.pem
# SSLCertificateKeyFile /etc/letsencrypt/live/${funkwhale-sn}/privkey.pem
# Include /etc/letsencrypt/options-ssl-apache.conf
# Tell the api that the client is using https
RequestHeader set X-Forwarded-Proto "https"
# Configure Proxy settings
# ProxyPreserveHost pass the original Host header to the backend server
ProxyVia On
ProxyPreserveHost On
<IfModule mod_remoteip.c>
RemoteIPHeader X-Forwarded-For
</IfModule>
# Turning ProxyRequests on and allowing proxying from all may allow
# spammers to use your proxy to send email.
ProxyRequests Off
<Proxy *>
AddDefaultCharset off
Order Allow,Deny
Allow from all
</Proxy>
<Location "/">
# similar to nginx 'client_max_body_size 100M;'
LimitRequestBody 104857600
ProxyPass ${funkwhale-api}/
ProxyPassReverse ${funkwhale-api}/
</Location>
<Location "/federation">
ProxyPass ${funkwhale-api}/federation
ProxyPassReverse ${funkwhale-api}/federation
</Location>
# You can comment this if you don't plan to use the Subsonic API
<Location "/rest">
ProxyPass ${funkwhale-api}/api/subsonic/rest
ProxyPassReverse ${funkwhale-api}/api/subsonic/rest
</Location>
<Location "/.well-known/">
ProxyPass ${funkwhale-api}/.well-known/
ProxyPassReverse ${funkwhale-api}/.well-known/
</Location>
<Location "/front">
ProxyPass "!"
</Location>
Alias /front ${FUNKWHALE_ROOT_PATH}/front/dist
<Location "/media">
ProxyPass "!"
</Location>
Alias /media ${MEDIA_DIRECTORY_PATH}
<Location "/staticfiles">
ProxyPass "!"
</Location>
Alias /staticfiles ${FUNKWHALE_ROOT_PATH}/data/static
# Activating WebSockets
<Location "/api/v1/activity">
ProxyPass ${funkwhale-api-ws}/api/v1/activity
</Location>
# Setting appropriate access levels to serve frontend
<Directory "${FUNKWHALE_ROOT_PATH}/data/static">
Options FollowSymLinks
AllowOverride None
Require all granted
</Directory>
<Directory "${FUNKWHALE_ROOT_PATH}/front/dist">
Options FollowSymLinks
AllowOverride None
Require all granted
</Directory>
<Directory "${MEDIA_DIRECTORY_PATH}">
Options FollowSymLinks
AllowOverride None
Require all granted
</Directory>
# XSendFile is serving audio files
# WARNING : permissions on paths specified below overrides previous definition,
# everything under those paths is potentially exposed.
# Following directive may be needed to ensure xsendfile is loaded
#LoadModule xsendfile_module modules/mod_xsendfile.so
<IfModule mod_xsendfile.c>
XSendFile On
XSendFilePath ${MEDIA_DIRECTORY_PATH}
XSendFilePath ${MUSIC_DIRECTORY_PATH}
SetEnv MOD_X_SENDFILE_ENABLED 1
</IfModule>
</VirtualHost>
</IfModule>
No, I think they updated/adapted the apache config, you may try to comment out the first virtualhost 80.
ok cool. thank you!
thats what i get from journalctl -xn -u funkwhale-server
requests.exceptions.SSLError: HTTPSConnectionPool(host='amp.domain.org', port=443): Max retries exceeded with url: /front/index.html (Caused by SSLError(CertificateError("hostname 'amp.domain.org' doesn't match 'next.domain.org'",),))
I think it’s easier to have one default cert with all domains included, so it will just work because Nethserver uses the default certificate in it’s virtualhost configs, if undefined.
But if you like a separate cert, you need to define it in the zzz_funkwhale.conf, just uncomment and edit the cert lines and reload httpd.
yeah, that actually worked! how awesome is that. thanks!
combining those two subdomains would mean requesting both certs again at once? and would i have to delete them first? dunno is it worth it? i would be fine with the current solution.
i read through the guide on certs again, if that is all the NS info out there on certs then it might need some additions…
hey, thanks for this. ill try combining them asap and let u know.
regarding the ns cert docs. dunno… some usercase examples would help i guess. but in the end it comes down to that i have very little knowledge of that stuff in general. requesting that cert stuff also freaks me out for what ever reason that might be. looks kinda simple now that u layed it out with one screenshot ill try it later in the day
nope, requesting the combined certs did not work “Validation failed: Challenge failed for this domain(s)” that msg came for both certs.
But I think there’s still the cert request issue?
To workaround the cert issue you may move away /etc/httpd/conf.d/zzz_funkwhale.conf , reload httpd and request the cert, then move the conf file back and reload httpd.
i thought it was solved, cause those instructions did not throw an error msg.
another weird thing is that the NS admin site is still using the original self signed nethserver cert. which does not bother me cause i disabled access from the red eth.
did that no change (would have surprised me. the cert setup as it is has been up for 2-3 days)
i got the ip in the browsers url which then uses the unsigned NS cert. if i put the domain name/hostname into the url then it uses the default cert but thinks its invalid.
