PHABRICATOR on NS

@danb35 and everyone else.

I knew this day would come.
Generally I have been using Phabricator on a production server, and so far it has worked great for us internally. No issues at all.

Now the issue I am facing is with regard to SSL certificates.
How did you guys solve the issue of issuing SSL when Phabricator is already installed?

At the moment I am getting an issue while trying to renew Let's Encrypt SSL on the server.

The technique currently in the wiki should allow certbot to renew the cert without issues. Personally, I use DNS validation using acme-dns.

…and what would that issue be?


Domains

Failed authorization procedure. sub.domain.tld (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://sub.domain.tld/.well-known/acme-challenge/CswmQ5QUFFKOv48jpo71ja-OYunnmumLQpyYG84bjz8: "<!DOCTYPE html><html><head><meta charset="UTF-8" /><title>Login</title><meta name="viewport" content="width=device-width, initia"

That's the error I am getting. This is when I go to SSL certs, then request SSL via the same method.

What is this acme-dns thing?

https://wiki.nethserver.org/doku.php?id=userguide:let_s_encrypt_acme-dns

Note that you only need one installation of acme-dns for any Neth or other servers you’d want to use it with. I have it installed on my main Neth server, and then all my internal stuff (pfSense, my two Proxmox hosts, my FreeNAS boxes, etc.), as well as my Phab VPS, connect with that instance to do DNS validation.

As to your error, check the virtual host template fragment which should be at /etc/e-smith/templates-custom/etc/httpd/conf.d/virtualhosts.conf/15_phabricator. Does it match what’s in the wiki?

Either my mind currently is not fit, or it's something else.
I just got confused on the acme setup…

Question: if a person has multiple domains to different servers for different scenarios, yet has one anycast DNS that is used for all domains being managed,

does that have to be set up for each domain for it to work, or is there a way to set up one acme-dns for all domains if required at any given point?

Does the below have to be set for each domain?
ns1.acme.example.com A $EXTERNAL_IP
ns2.acme.example.com A $EXTERNAL_IP
acme.example.com NS ns1.acme.example.com
acme.example.com NS ns2.acme.example.com

This would probably be better continued in the discussion thread for acme-dns (Acme-dns on Nethserver (now with RPM-y goodness!)), but here’s the overview:

When Let’s Encrypt attempts DNS validation for $FQDN, it looks for a DNS record for _acme-challenge.$FQDN. If there’s a TXT record there, Let’s Encrypt reads the value and determines if validation succeeds or fails. If there’s a CNAME record instead, Let’s Encrypt will follow that CNAME and see what its target says. So, if you have a record of _acme-challenge.$FQDN CNAME somethingelse.acme.$OTHERFQDN, Let’s Encrypt will query somethingelse.acme.$OTHERFQDN for the TXT record.

When you configure acme-dns, you’re setting it up as the authoritative DNS server for a subdomain of one of your domains. If you have a domain of example.com, the subdomain is acme.example.com. So the NS records above make ns{1|2}.acme.example.com the authoritative nameservers for that subdomain, and then set your external IP address as the IP address for both of them (it isn’t essential to set two nameservers, but it seems to be common practice).

The real magic happens in the CNAME records. The python hook script keeps track of which hostnames already have issued certs. When you request a cert for a hostname that you haven’t previously issued, it will ask you to create a CNAME record for that host, which you’ll only need to do once.

So, no, you don’t need to set the NS records for each domain. Set them for one (pick one, it doesn’t really matter, though I think my module works best if you use your primary domain). Then set CNAME records for all the other hostnames as you need them.

To summarize my last post, no. Set it for your primary domain. Then, as requested by the hook script, create CNAME records for any other domains you need. You can even bypass installing acme-dns entirely and use the author’s test server at https://auth.acme-dns.io (just enter that URL in the hook script instead of your own domain)–though that isn’t recommended, particularly for long-term use.
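The CNAME-following described above, as an added example (not from the NethServer wiki, the acme-dns project or the hook script): a small Python model of how the CA resolves _acme-challenge.$FQDN through the one-time CNAME into the acme-dns subdomain. The zone records, the UUID-style record names and the TXT value are constructed.

```python
"""
Simulate how an ACME CA resolves a DNS-01 challenge when
_acme-challenge.$FQDN is a CNAME into an acme-dns subdomain.
Added example, not from the NethServer wiki or acme-dns; the zone
data below is constructed.
"""
from typing import Optional

# Constructed zone snapshot: (name, type) -> value. Names are
# lowercase without trailing dot.
ZONE = {
    ("acme.example.com", "NS"): "ns1.acme.example.com",
    ("ns1.acme.example.com", "A"): "203.0.113.10",  # stands in for $EXTERNAL_IP
    # One-time CNAME created when the hook script first asked for it.
    ("_acme-challenge.phab.example.com", "CNAME"):
        "a1b2c3d4-0000-4000-8000-abcdef123456.acme.example.com",
    # TXT record acme-dns serves after the hook script updates it.
    ("a1b2c3d4-0000-4000-8000-abcdef123456.acme.example.com", "TXT"):
        "PLACEHOLDER_KEY_AUTH_DIGEST",
    # A host whose CNAME points at a name that never received a TXT record.
    ("_acme-challenge.mail.example.com", "CNAME"):
        "deadbeef-0000-4000-8000-abcdef123456.acme.example.com",
}

MAX_CNAME_HOPS = 8  # CAs bound CNAME chains too; this also stops loops


def resolve_challenge_txt(fqdn: str, zone=ZONE) -> Optional[str]:
    """Return the TXT value a CA would see for _acme-challenge.<fqdn>,
    following CNAMEs the way Let's Encrypt does, or None if nothing is there."""
    name = f"_acme-challenge.{fqdn}".lower().rstrip(".")
    for _ in range(MAX_CNAME_HOPS):
        txt = zone.get((name, "TXT"))
        if txt is not None:
            return txt
        target = zone.get((name, "CNAME"))
        if target is None:
            return None  # neither TXT nor CNAME: validation fails
        name = target.lower().rstrip(".")
    return None  # chain too long or looped


def dns01_validates(fqdn: str, expected: str, zone=ZONE) -> bool:
    """True when the published TXT equals the key-authorization digest
    the CA expects for this order."""
    return resolve_challenge_txt(fqdn, zone) == expected
```

Only the host whose CNAME chain ends in a TXT record validates; a CNAME that was never followed by a TXT update, or no CNAME at all, fails exactly as the CA would report it.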

@danb35 I updated my configuration in /etc/e-smith/templates-custom/etc/httpd/conf.d/virtualhosts.conf/15_phabricator.
I was able to successfully renew my Let's Encrypt SSL.

The biggest problem I am facing is that, when I visit that page, I get the default NethServer page instead of the Phabricator login page.

Anyone there to assist?

No clue at all. What is “that page” in the below?

The subdomain link where Phabricator is supposed to have been installed,
the Phabricator login page, that is.

@danb35 did you understand what I mean?

To see your virtualhosts configuration and order, you may use

httpd -S

Maybe it shows us the error…

VirtualHost configuration:
*:443 is a NameVirtualHost
default server ns.geniusdynamics.com (/etc/httpd/conf.d/nethserver.conf:42)
port 443 namevhost ns.geniusdynamics.com (/etc/httpd/conf.d/nethserver.conf:42)
port 443 namevhost ns.geniusdynamics.com (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost phab.$geniusdynamics.com (/etc/httpd/conf.d/virtualhosts.conf:23)
port 443 namevhost phab.geniusdynamics.com (/etc/httpd/conf.d/virtualhosts.conf:53)
*:80 is a NameVirtualHost
default server phab.$geniusdynamics.com (/etc/httpd/conf.d/virtualhosts.conf:9)
port 80 namevhost phab.$geniusdynamics.com (/etc/httpd/conf.d/virtualhosts.conf:9)
port 80 namevhost ns.geniusdynamics.com (/etc/httpd/conf.d/virtualhosts.conf:41)
port 80 namevhost phab.geniusdynamics.com (/etc/httpd/conf.d/virtualhosts.conf:95)
ServerRoot: "/etc/httpd"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/etc/httpd/logs/error_log"
Mutex rewrite-map: using_defaults
Mutex authdigest-client: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex authn-socache: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/run/httpd/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex authdigest-opaque: using_defaults
Mutex proxy-balancer-shm: using_defaults
PidFile: "/run/httpd/httpd.pid"
Define: _RH_HAS_HTTPPROTOCOLOPTIONS
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="apache" id=48
Group: name="apache" id=48

I’m pretty sure the $ shouldn’t be here, or in the other places it’s appearing. Check your template files.
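As an added example (not NethServer code), a small Python check over a constructed `httpd -S` listing modelled on the one above: it flags ServerNames that are not valid DNS hostnames, such as the unexpanded `$`, and names registered more than once on the same port.

```python
"""
Sanity-check `httpd -S` output for vhost names that cannot be valid DNS
hostnames (an unexpanded `$` left by a template, for instance) and for the
same name registered more than once on a port. Added example, not part of
NethServer; the sample listing below is constructed after the thread's.
"""
import re
from collections import Counter

SAMPLE = """\
VirtualHost configuration:
*:443 is a NameVirtualHost
default server ns.example.com (/etc/httpd/conf.d/nethserver.conf:42)
port 443 namevhost ns.example.com (/etc/httpd/conf.d/nethserver.conf:42)
port 443 namevhost ns.example.com (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost phab.$example.com (/etc/httpd/conf.d/virtualhosts.conf:23)
port 443 namevhost phab.example.com (/etc/httpd/conf.d/virtualhosts.conf:53)
*:80 is a NameVirtualHost
default server phab.$example.com (/etc/httpd/conf.d/virtualhosts.conf:9)
port 80 namevhost phab.$example.com (/etc/httpd/conf.d/virtualhosts.conf:9)
port 80 namevhost phab.example.com (/etc/httpd/conf.d/virtualhosts.conf:95)
"""

VHOST_RE = re.compile(r"^port (\d+) namevhost (\S+) \((\S+):(\d+)\)")
# One RFC 1123 hostname label: letters, digits, hyphen; no leading/trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def valid_hostname(name: str) -> bool:
    return all(LABEL_RE.match(lbl) for lbl in name.rstrip(".").split("."))


def parse_vhosts(text: str):
    """Yield (port, servername, file, line) for each 'namevhost' line."""
    for line in text.splitlines():
        m = VHOST_RE.match(line.strip())
        if m:
            yield int(m.group(1)), m.group(2), m.group(3), int(m.group(4))


def find_problems(text: str):
    """Return human-readable findings about the vhost listing."""
    vhosts = list(parse_vhosts(text))
    problems = [f"invalid ServerName {name!r} on port {port} ({path}:{ln})"
                for port, name, path, ln in vhosts if not valid_hostname(name)]
    dupes = Counter((port, name) for port, name, _, _ in vhosts)
    for (port, name), n in sorted(dupes.items()):
        if n > 1:
            problems.append(f"{name} declared {n} times on port {port}; later copies never match")
    return problems
```

Run `find_problems(subprocess.check_output(["httpd", "-S"], stderr=subprocess.STDOUT, text=True))` on the real box to apply it to the live configuration.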


@danb35 long time no see.

Could you work on converting this into a module?
What do you say? It gave us some hell; time to simplify the process, right!

I don’t have enough interest in this software to put in that effort.

I would like then to know how to build modules,
build repos,
and similar.

Just came across this. Maybe it can be re-purposed and tuned for CentOS, and for NethServer integration.

Here are some links with info on creating a module: