Pre install questions

It is better to use builtin nextcloud and roundcube apps, because integrated fail2ban, ldap/AD and others?
I have own installations and they are newer Nextcloud 17 and Roundcube 1.4rc2.
tonight it is going probably…

I won’t give a straight answer because it depends…

Builtin modules integrate with other modules or services, are easier to install and usually also easier to update or maintain. They require less admin configuration and effort (kind of others have done most of the work for you).

Being CentOS, software on official repositories often don’t have the latest version of programs (like you found with roundcube) but security patched versions of supposedly well-tested and stable releases.

On NethServer, Nextcloud 17 will come in the near future (usually some weeks after the official release). For most modules developers try to follow upstream (RedHat/CentOS) decisions, which could mean not the latest versions.

You could disagree with developers about some of the configuration choices. If you are fluent on some specific program, you might see some of the auto-configuration a bit as a restriction where manual changes you are used too require an extra step (templates), but other times you might find that same same very useful and a time-saver.

Don’t forget you also get a central place to manage most of the services and the server itself. You have a support community and, if needed and can be afforded, professional support.

If you install programs on your own you have more freedom, you can use more recent versions and make use of other update methods (like non-rpm). On the other side they require more manual configuration and integration with other components. The more components you want to use the more time you have to spend configuring them and making them talk to some others (LDAP/AD, firewall… don’t even talk about all the components of a mail server).

Surely I left many things out (TL;DR) but hope it will help you get on track.

1 Like

I have it running, but one BIG problem with old server manager and probably all related (nextcloud, roundcube…)
New cockpit working fine.

I installed php-scl and httpd from codeIT repo. I wanted to switch default php to newer one, but old server manager and others apps (nc and rc) not loading, still not found 404 error. I dont know, what to do…

cat /var/log/httpd_admin/error_log:

[Fri Nov 08 23:16:11.424493 2019] [core:notice] [pid 2986] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Fri Nov 08 23:16:11.426472 2019] [suexec:notice] [pid 2986] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Fri Nov 08 23:16:11.427666 2019] [ssl:error] [pid 2986] AH02217: ssl_stapling_init_cert: can’t retrieve issuer certificate! [subject: L=Hometown,C=–,emailAddress=root@.sk,OU=Main,ST=SomeState,O=Example Org,CN=NethServer / issuer: L=Hometown,C=–,emailAddress=root@sk,OU=Main,ST=SomeState,O=Example Org,CN=NethServer / serial: 5DC5E900 / notbefore: Nov 8 22:15:28 2019 GMT / notafter: Nov 5 22:15:28 2029 GMT]
[Fri Nov 08 23:16:11.427697 2019] [ssl:error] [pid 2986] AH02235: Unable to configure server certificate for stapling
[Fri Nov 08 23:16:11.427715 2019] [ssl:warn] [pid 2986] AH01906: RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Fri Nov 08 23:16:11.427736 2019] [ssl:warn] [pid 2986] AH01909: RSA certificate configured for box.orencak.sk:443 does NOT include an ID which matches the server name
[Fri Nov 08 23:16:11.479295 2019] [lbmethod_heartbeat:notice] [pid 2986] AH02282: No slotmem from mod_heartmonitor
[Fri Nov 08 23:16:11.479915 2019] [ssl:warn] [pid 2986] AH01873: Init: Session Cache is not configured [hint: SSLSessionCache]
[Fri Nov 08 23:16:11.480377 2019] [ssl:error] [pid 2986] AH02217: ssl_stapling_init_cert: can’t retrieve issuer certificate! [subject: L=Hometown,C=–,emailAddress=root@sk,OU=Main,ST=SomeState,O=Example Org,CN=NethServer / issuer: L=Hometown,C=–,emailAddress=root@.sk,OU=Main,ST=SomeState,O=Example Org,CN=NethServer / serial: 5DC5E900 / notbefore: Nov 8 22:15:28 2019 GMT / notafter: Nov 5 22:15:28 2029 GMT]
[Fri Nov 08 23:16:11.480397 2019] [ssl:error] [pid 2986] AH02235: Unable to configure server certificate for stapling
[Fri Nov 08 23:16:11.480414 2019] [ssl:warn] [pid 2986] AH01906: RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Fri Nov 08 23:16:11.480433 2019] [ssl:warn] [pid 2986] AH01909: RSA certificate configured for box.orencak.sk:443 does NOT include an ID which matches the server name
[Fri Nov 08 23:16:11.521741 2019] [mpm_prefork:notice] [pid 2986] AH00163: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16 configured – resuming normal operations
[Fri Nov 08 23:16:11.521807 2019] [core:notice] [pid 2986] AH00094: Command line: ‘/usr/sbin/httpd -f /etc/httpd/admin-conf/httpd.conf -c MaxConnectionsPerChild 12 -D FOREGROUND’
[Fri Nov 08 23:59:45.477718 2019] [suexec:notice] [pid 25278:tid 140360069580992] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Fri Nov 08 23:59:45.479443 2019] [ssl:warn] [pid 25278:tid 140360069580992] AH01906: box.orencak.sk:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Fri Nov 08 23:59:45.479498 2019] [ssl:warn] [pid 25278:tid 140360069580992] AH01909: box.orencak.sk:443:0 server certificate does NOT include an ID which matches the server name
[Fri Nov 08 23:59:45.479784 2019] [ssl:error] [pid 25278:tid 140360069580992] AH02217: ssl_stapling_init_cert: can’t retrieve issuer certificate! [subject: L=Hometown,C=–,emailAddress=root@sk,OU=Main,ST=SomeState,O=Example Org,CN=NethServer / issuer: L=Hometown,C=–,emailAddress=root@sk,OU=Main,ST=SomeState,O=Example Org,CN=NethServer / serial: 5DC5E900 / notbefore: Nov 8 22:15:28 2019 GMT / notafter: Nov 5 22:15:28 2029 GMT]
[Fri Nov 08 23:59:45.479803 2019] [ssl:error] [pid 25278:tid 140360069580992] AH02604: Unable to configure certificate sk:443:0 for stapling
[Fri Nov 08 23:59:45.515175 2019] [ssl:warn] [pid 25278:tid 140360069580992] AH01873: Init: Session Cache is not configured [hint: SSLSessionCache]
[Fri Nov 08 23:59:45.516349 2019] [ssl:error] [pid 25278:tid 140360069580992] AH02217: ssl_stapling_init_cert: can’t retrieve issuer certificate! [subject: L=Hometown,C=–,emailAddress=root@sk,OU=Main,ST=SomeState,O=Example Org,CN=NethServer / issuer: L=Hometown,C=–,emailAddress=root@.sk,OU=Main,ST=SomeState,O=Example Org,CN=NethServer / serial: 5DC5E900 / notbefore: Nov 8 22:15:28 2019 GMT / notafter: Nov 5 22:15:28 2029 GMT]
[Fri Nov 08 23:59:45.516366 2019] [ssl:error] [pid 25278:tid 140360069580992] AH02604: Unable to configure certificate .sk:443:0 for stapling
[Fri Nov 08 23:59:45.516485 2019] [lbmethod_heartbeat:notice] [pid 25278:tid 140360069580992] AH02282: No slotmem from mod_heartmonitor
[Fri Nov 08 23:59:45.522297 2019] [mpm_event:notice] [pid 25278:tid 140360069580992] AH00489: Apache/2.4.41 (codeit) OpenSSL/1.1.1d configured – resuming normal operations
[Fri Nov 08 23:59:45.522375 2019] [core:notice] [pid 25278:tid 140360069580992] AH00094: Command line: ‘/usr/sbin/httpd -f /etc/httpd/admin-conf/httpd.conf -c MaxConnectionsPerChild 12 -D FOREGROUND’

updating httpd from codeIT repo, httpd service is unable to start:

Nov 09 09:49:04 server.domain.tld httpd[5421]: AH00526: Syntax error on line 31 of /etc/httpd/conf.d/php.conf:
Nov 09 09:49:04 server.domain.tld httpd[5421]: Invalid command 'php_value', perhaps misspelled or defined by a module not included in the server configuration
Nov 09 09:49:04 server.domain.tld systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
Nov 09 09:49:04 server.domain.tld systemd[1]: Failed to start The Apache HTTP Server.

https://codeit.guru/en_US/2019/08/apache-httpd-2-4-41-tls-1-3-brotli-alpn-http2-openssl-1-1-1c-red-hat-centos-rhel-7/

The update changed some conf files (I didn't kept track of diff changes).

changed file : /etc/httpd/conf.d/autoindex.conf
changed file : /etc/httpd/conf.d/ssl.conf
changed file : /etc/httpd/conf.modules.d/00-base.conf
changed file : /etc/httpd/conf.modules.d/00-mpm.conf
changed file : /etc/httpd/conf.modules.d/00-proxy.conf
changed file : /etc/httpd/conf.modules.d/01-cgi.conf
changed file : /etc/httpd/conf/httpd.conf

Don’t know if it’s the best one, but one possible workaround could be related to /etc/httpd/conf.modules.d/00-mpm.conf, un-commenting:

LoadModule mpm_prefork_module modules/mod_mpm_prefork.so

and commenting:

LoadModule mpm_event_module modules/mod_mpm_event.so

and starting httpd service. I think some additional fix would be needed (default welcome page is unable to load some resources…).

Saw similar/related problems on sentora, plesk, vestacp, letsencrypt… when they were used in conjunction with codeIT repo.

Was php-scl installed from the community modules following the wiki guide?
Is there any specific reason you need a newer version of apache server?
Nextcloud module is already running on a higher php version (rh-php72) than the system default.
old server-manager may have some compatibility issues with higher php versions.

Thank You very much!
Im back to my previous proxmox and 3vm.
Yes, I followed wiki guide to install php-scl mod.

I wanted to have tls 1.3 on httpd.
Centos 7 have too old packages :frowning: thats why…

I had configured mail accounts, domains, apps. Mostly I wanted Nethserver because good ips/ids (suricata & fail2ban) and good server overview actuall connections to httpd, openvpn, mail etc…

I rollback because Im running some crucial stuff to my clients and it was 3am, and server services was needed by 5,6am.

Suggestions:
centos 8 :open_mouth:
php selection on new #cockpit server manager
do not auto create mailboxes for default domain, or make it removable (not every user belonging to default domain)

Nethserver is good distro, I will follow you, guys :slight_smile: and I probably do some more tests in future :sunny:

Next NethServer will be CentOS8 (or better), but for the other suggestions I… erm… suggest you go to the appropriate thread and say your ideas.

Neth really isn’t designed for true multi-domain mail. I think there’d be some value there, even if it isn’t something I’d use, but AFAIK it isn’t really an intended use case. Here’s some other discussion of the subject: