$ sudo aa-logprof
Reading log entries from /var/log/syslog.
Updating AppArmor profiles in /etc/apparmor.d.
So did that help? Their docs say that the "update profiles" after the log assessment might remedy problems.
Does certbot run now?
Nope. Still:
$ sudo certbot certificates
cannot change profile for the next exec call: No such file or directory
And requesting updated certs in Virtualmin still yields the same error.
There doesn't seem to be an AppArmor forum, so I guess it's off to AskUbuntu...
I was just going to suggest AskUbuntu. Lots of AA issues posted.
This might also be helpful in addition to the prior AppArmor link I provided:
https://wiki.ubuntu.com/DebuggingApparmor
One item from this page:
How to Triage
Help with triaging bugs for apparmor profiles is very welcome. To find out what exactly is the problem, we always need the 'audit' in /var/log/kern.log and if they exist, the log files in /var/log/apparmor/*. Most of the time these provide enough information to know what went wrong. If these are missing, it is recommended to ask for them with a phrase like: (...)
From /var/log/kern.log, this entry is repeated often:
audit: type=1400 audit(1635877257.770:584): apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 profile="unconfined" name="snap.certbot.certbot" pid=3272017 comm="snap-confine"
Seems important. I have AskedUbuntu and will see what they say.
Yes! lol
@robbrandt I see you are now serving a fresh certificate chain. Terrific.
Would you share any details of how you resolved it? For benefit of future readers - and my curiosity. Thanks
And me too!
[although I dare say I may fall under both categories]
-"An Always Curious Future Reader"
LOL I had such a busy day today I didn't even notice that I wasn't receiving the failed renewal notices.
I did nothing. I started this thread at AskUbuntu and got no responses. I was still hoping someone would take notice and answer.
I got my last failure notice at 7:38pm PDT yesterday.
I got a successful renewal notice at 8:38pm PDT yesterday.
I just manually requested a new cert from the Virtualmin UI, and it also worked.
No apt updates since then. term.log says the last update was
Log ended: 2021-11-02 05:55:24
My webmin/virtualmin versions haven't changed.
Just now, I did apt update && apt upgrade again:
Hit:1 Index of /ubuntu focal InRelease
Get:2 Index of /ubuntu focal-updates InRelease [114 kB]
Hit:3 Index of /232905/apt/ubuntu bionic InRelease
Get:4 Index of /ubuntu focal-backports InRelease [101 kB]
Get:5 Index of /ubuntu focal-security InRelease [114 kB]
Hit:6 Index of /ondrej/php/ubuntu focal InRelease
Get:7 Index of /ubuntu focal-updates/main amd64 Packages [1,303 kB]
Ign:8 Index of /download/repository sarge InRelease
Get:9 Index of /ubuntu focal-updates/main amd64 c-n-f Metadata [14.4 kB]
Get:10 Index of /ubuntu focal-updates/universe amd64 Packages [870 kB]
Hit:11 Index of /vm/6/gpl/apt virtualmin-universal InRelease
Hit:12 Index of /vm/6/gpl/apt virtualmin-focal InRelease
Err:13 Index of /download/repository sarge Release
Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown. Could not handshake: Error in the certificate verification. [IP: 104.207.151.13 443]
Reading package lists... Done
E: The repository 'Index of /download/repository sarge Release' no longer has a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
So they haven't fixed their cert issue, therefore that wasn't the problem.
Anything else you want me to check?
See: nslookup download.webmin.com
Name: download.webmin.com
Addresses: 104.207.151.13
108.60.199.109
The problem is back. This time with https://committees.botany.org/. Error messages are the same:
cannot change profile for the next exec call: No such file or directory
Any ideas?
I still believe apparmor is the most likely culprit. Are you again seeing messages in the kern.log like you were before (below)? Was there any response from AskUbuntu?
Earlier you could not run even certbot certificates. Is that the case now?
There were never any replies from AskUbuntu. I agree on your suspicions about AppArmor, I just have no idea what to do about it.
For your edification, here are selected readings from /var/log/kern.log. I got my first failure email notification today, but from the 12th:
Nov 12 23:08:25 ip-172-30-0-148 kernel: [ 6.295281] audit: type=1400 audit(1636758499.116:2): apparmor="STATUS" operation="profile_load" profile="unconfined" name="nvidia_modprobe" pid=626 comm="apparmor_parser"
Nov 12 23:08:25 ip-172-30-0-148 kernel: [ 6.295284] audit: type=1400 audit(1636758499.116:3): apparmor="STATUS" operation="profile_load" profile="unconfined" name="nvidia_modprobe//kmod" pid=626 comm="apparmor_parser"
Nov 12 23:08:25 ip-172-30-0-148 kernel: [ 6.301963] audit: type=1400 audit(1636758499.124:4): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/man" pid=628 comm="apparmor_parser"
Nov 12 23:08:25 ip-172-30-0-148 kernel: [ 6.301966] audit: type=1400 audit(1636758499.124:5): apparmor="STATUS" operation="profile_load" profile="unconfined" name="man_filter" pid=628 comm="apparmor_parser"
Nov 12 23:08:25 ip-172-30-0-148 kernel: [ 6.301968] audit: type=1400 audit(1636758499.124:6): apparmor="STATUS" operation="profile_load" profile="unconfined" name="man_groff" pid=628 comm="apparmor_parser"
Nov 12 23:08:25 ip-172-30-0-148 kernel: [ 6.310635] audit: type=1400 audit(1636758499.132:7): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/named" pid=627 comm="apparmor_parser"
Nov 12 23:08:25 ip-172-30-0-148 kernel: [ 6.310833] audit: type=1400 audit(1636758499.132:8): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/tcpdump" pid=625 comm="apparmor_parser"
Nov 12 23:08:25 ip-172-30-0-148 kernel: [ 6.311783] audit: type=1400 audit(1636758499.132:9): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/freshclam" pid=624 comm="apparmor_parser"
Nov 12 23:08:25 ip-172-30-0-148 kernel: [ 6.315149] audit: type=1400 audit(1636758499.136:10): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lxc-container-default" pid=629 comm="apparmor_parser"
Nov 12 23:08:25 ip-172-30-0-148 kernel: [ 6.315153] audit: type=1400 audit(1636758499.136:11): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lxc-container-default-cgns" pid=629 comm="apparmor_parser"
Nov 12 23:08:25 ip-172-30-0-148 kernel: [ 12.330630] new mount options do not match the existing superblock, will be ignored
Nov 12 23:08:25 ip-172-30-0-148 kernel: [ 12.567914] kauditd_printk_skb: 15 callbacks suppressed
Nov 12 23:08:25 ip-172-30-0-148 kernel: [ 12.567916] audit: type=1400 audit(1636758505.388:27): apparmor="DENIED" operation="capable" profile="/usr/bin/freshclam" pid=907 comm="freshclam" capability=2 capname="dac_read_search"
Nov 12 23:08:25 ip-172-30-0-148 kernel: [ 12.620611] audit: type=1400 audit(1636758505.440:28): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/usr/sbin/mysqld" pid=1061 comm="apparmor_parser"
And then:
Nov 13 03:24:01 ip-172-30-0-148 kernel: [15348.892565] audit: type=1400 audit(1636773841.594:29): apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 profile="unconfined" name="snap.certbot.renew" pid=135593 comm="snap-confine"
Two per day, different pids.
And today:
Nov 16 23:53:15 ip-172-30-0-148 kernel: [348314.608513] audit: type=1400 audit(1637106795.878:60): apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 profile="unconfined" name="snap.certbot.certbot" pid=2751576 comm="snap-confine"
Since my earlier post today there have been about a half dozen other snap.certbot.certbot failures with different pids and domains.
I would try deleting the two snap profiles from your apparmor list. If same as earlier:
I am not certain of the command so you may need to experiment. Here is one place for example of deleting profiles
@robbrandt Update: A couple things.
One, I just noticed this in the log you just posted. This looks to me like your apparmor is conflicting with more than just snap and certbot. freshclam is part of an antivirus tool (thanks google).
Nov 12 23:08:25 ip-172-30-0-148 kernel: [ 12.567916] audit: type=1400 audit(1636758505.388:27): apparmor="DENIED" operation="capable" profile="/usr/bin/freshclam" pid=907 comm="freshclam" capability=2 capname="dac_read_search"
Two, snapd may require some apparmor profiles. I am getting well beyond my skill set but found this thread. I think your apparmor may have more extensive problems. But, perhaps some of this will help or at least give you a better source (snapcraft) to help resolve problem.
After much reading and study, and after reinstalling snapd, I decided to try uninstalling the certbot snap and then installing it again.
It worked!
I will check kern.log next week to see if there's anything amiss but for now I am happy.
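For readers triaging the same symptom, here is an added example (not part of the original thread, written for this page) that parses AppArmor audit lines like the ones quoted above and separates `change_onexec` "label not found" events, where the profile snap-confine asks for is not loaded in the kernel, from ordinary denials inside a loaded profile such as the freshclam one. The function names are this example's own; the sample lines are copied from the posts above.

```python
import re
from collections import Counter

# Sample input: three kern.log entries quoted in the thread above.
SAMPLE_LOG = """\
Nov 12 23:08:25 ip-172-30-0-148 kernel: [ 12.567916] audit: type=1400 audit(1636758505.388:27): apparmor="DENIED" operation="capable" profile="/usr/bin/freshclam" pid=907 comm="freshclam" capability=2 capname="dac_read_search"
Nov 13 03:24:01 ip-172-30-0-148 kernel: [15348.892565] audit: type=1400 audit(1636773841.594:29): apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 profile="unconfined" name="snap.certbot.renew" pid=135593 comm="snap-confine"
Nov 16 23:53:15 ip-172-30-0-148 kernel: [348314.608513] audit: type=1400 audit(1637106795.878:60): apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 profile="unconfined" name="snap.certbot.certbot" pid=2751576 comm="snap-confine"
"""

# Matches key="quoted value" or key=bare_value
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_audit(line):
    """Return the AppArmor audit fields of one log line, or None."""
    _, sep, body = line.partition("audit: type=1400 ")
    if not sep:
        return None
    return {k: q if q else b for k, q, b in FIELD_RE.findall(body)}

def classify(rec):
    """Separate 'profile not loaded' failures from ordinary policy denials."""
    if rec.get("apparmor") != "DENIED":
        return "other"
    if rec.get("operation") == "change_onexec" and rec.get("info") == "label not found":
        return "missing_profile"   # requested label is absent from loaded policy
    return "policy_denial"         # profile is loaded but lacks a rule

def triage(text):
    """Count missing-profile labels and in-profile denials in a log excerpt."""
    missing, denials = Counter(), Counter()
    for line in text.splitlines():
        rec = parse_audit(line)
        kind = classify(rec) if rec else "other"
        if kind == "missing_profile":
            missing[rec.get("name", "?")] += 1
        elif kind == "policy_denial":
            target = rec.get("capname") or rec.get("name")
            denials[(rec.get("profile"), rec.get("operation"), target)] += 1
    return missing, denials

if __name__ == "__main__":
    missing, denials = triage(SAMPLE_LOG)
    for label, n in missing.items():
        print(f"{n}x profile label not loaded: {label}")
    for (profile, op, target), n in denials.items():
        print(f"{n}x denial inside {profile}: {op} {target}")
```

A label reported as not loaded should also be absent from the profile list printed by `sudo aa-status`, which is a quick way to confirm the finding on the host.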