Moving to new server - copying everything by hand but sites unavailable

My domain is: pastlife.works
Server: Apache2.4
OS: Debian 11
Host: Linode
Root access? yes
certbot 1.12.0

I started with this thread: Move to another server - #6 by sahsanu

I did things a little different.

Steps taken:

  • I backed up everything I needed from the first server.
  • Created a new server and installed all the needed packages
  • I deleted the domains attached to first server from the Linode panel
  • I deleted the server completely from Linode
  • Then I attempted to copy all the directories and .conf files needed for apache and letsencrypt to work with the new server (the ones that required root were copied as root - the /var/www/* stuff was copied as the user)

Browser gives this error:

Unable to connect
Firefox can’t establish a connection to the server at pastlife.works.

    The site could be temporarily unavailable or too busy. Try again in a few moments.
    If you are unable to load any pages, check your computer’s network connection.
    If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web.

Could I just be waiting for DNS to switch? I can access the site by going to the IP, but it is not a secure connection.

How do I tell if I need to just revoke all the certificates, start over from scratch and obtain new certificates?

Thanks for your help

There's no need to revoke certificates unless you believe your private keys have been compromised.

What it looks like is that your Apache server is not listening on port 443.

Make sure the SSL module is enabled:

a2enmod ssl

and check whether you have any port 443 virtual hosts:

apachectl -t -D DUMP_VHOSTS
4 Likes

"revoke the certificate" is (almost) never a correct answer--the only reason to do it is if you have reason to believe a private key has been compromised.

Depends--are these your IP(v4/v6) addresses?

 dan@Dan-MacBook-Pro-2013  ~  host pastlife.works
pastlife.works has address 173.255.244.152
pastlife.works has IPv6 address 2600:3c01::f03c:93ff:febc:2959

If so, then no, DNS isn't your problem. If your page is about "The Universal, Immutable Laws of Nature and Creation" (which is what I see when I browse to that IP address), then DNS seems to be fine. But you aren't serving HTTPS at all.

6 Likes

Thank you guys for your help.

I realized I forgot to install some apache modules and also re-install an application that I had reverse proxy configured for.

I needed to run a2enmod ssl headers rewrite proxy proxy_http proxy_wstunnel

I did that and restarted system and now I think I fixed it.

1 Like

Can you help me with a permission issue I'm having on the server with mumble-server application?

If you go here you can see the detail of the solution that Mumble gives for this, but I don't know how to do it and I don't know if changing the permissions is a good idea.
https://wiki.mumble.info/wiki/Obtaining_a_Let's_Encrypt_Murmur_Certificate

<C>[date time] Failed to read /etc/letsencrypt/live/mumble.example.org/cert.pem

I tried to reconfigure the mumble-server with the correct path to the fullchain.pem and to the private key, but then I get this error:

<C>2022-05-26 15:47:23.733 MetaParams: Failed to read /etc/letsencrypt/live/chat.pastlife.works/fullchain.pem
<F>2022-05-26 15:47:23.733 MetaParams: Failed to load SSL settings. See previous errors.

I even requested a new certificate for the subdomain chat.* in order to try to avoid this because that worked on another system (ubuntu jammy with certbot from snap).

I can't connect to the mumble server because of this, it was a public server with SSL and now I broke it.
Thanks so much for your time

You'll probably want to create a deploy hook to:

  1. Copy the certificate and private key somewhere where the Mumble server can read them
  2. Send the SIGUSR1 signal to Mumble, so that it reloads the renewed certificate

So it might be something like:

#!/usr/bin/env bash

umask 022

cp /etc/letsencrypt/live/chat.pastlife.works/fullchain.pem /etc/ssl/mumble.crt
cp /etc/letsencrypt/live/chat.pastlife.works/privkey.pem /etc/ssl/mumble.key

chown mumble-server:mumble-server /etc/ssl/mumble.{key,crt}

# The sysv script for mumble-server on Debian 11 doesn't appear to support reload, but
# we can manually do it.
start-stop-daemon \
        --quiet --oknodo --stop --signal 10 \
        --user mumble-server --pidfile /var/run/mumble-server/mumble-server.pid

You would save that as something like /etc/letsencrypt/deploy-mumble.sh and make sure it's executable:

chmod +x /etc/letsencrypt/deploy-mumble.sh

and when you obtain a certificate, you'd do something like:

certbot certonly -d chat.pastlife.works \
--webroot -w /tmp \
--deploy-hook /etc/letsencrypt/deploy-mumble.sh

(changing --webroot to however you already authenticate your certificate request).

Since you already have a certificate, you might instead need to modify /etc/letsencrypt/renewal/chat.pastlife.works.conf and add a line under [renewalparams] as follows:

renew_hook = /etc/letsencrypt/deploy-mumble.sh

Then you'd reconfigure Mumble to:

sslCert=/etc/ssl/mumble.crt
sslKey=/etc/ssl/mumble.key

The details here are going to depend on how you installed Mumble, but this is approximately what I'd do in your position.

4 Likes
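
The hook from the reply above, reworked as an added example that is not part of the original post: it reads the lineage from the `RENEWED_LINEAGE` variable Certbot exports to deploy hooks, sets file modes explicitly so the copied key stays owner-only, and signals Mumble only if the copy succeeded. The `deploy_pair` helper and the `DEST_DIR`, `SVC_USER` and `PIDFILE` overrides are hypothetical names; their defaults are the paths used in the thread.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): deploy hook with explicit file modes.
# DEST_DIR, SVC_USER and PIDFILE are hypothetical overrides; the defaults
# are the values used in the thread.
set -eu

DEST_DIR=${DEST_DIR:-/etc/ssl}
SVC_USER=${SVC_USER:-mumble-server}
PIDFILE=${PIDFILE:-/var/run/mumble-server/mumble-server.pid}

# deploy_pair SRC_DIR DEST_DIR [OWNER]
# Stages both files under temporary names, then renames them into place, so
# the daemon never reads a half-written file. The body runs in a subshell.
deploy_pair() (
    src=$1 dest=$2 owner=${3:-}
    for f in fullchain.pem privkey.pem; do
        [ -r "$src/$f" ] || { echo "cannot read $src/$f" >&2; exit 1; }
    done
    # install sets the mode itself instead of inheriting it from the source
    # file or the umask: certificate world-readable, key owner-only.
    install -m 0644 "$src/fullchain.pem" "$dest/.mumble.crt.new" &&
    install -m 0600 "$src/privkey.pem" "$dest/.mumble.key.new" &&
    { [ -z "$owner" ] ||
      chown "$owner:$owner" "$dest/.mumble.crt.new" "$dest/.mumble.key.new"; } &&
    mv -f "$dest/.mumble.crt.new" "$dest/mumble.crt" &&
    mv -f "$dest/.mumble.key.new" "$dest/mumble.key"
)

# Certbot exports RENEWED_LINEAGE (the live/<name> directory) to deploy hooks.
# Without it only the function above is defined and nothing is copied.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_pair "$RENEWED_LINEAGE" "$DEST_DIR" "$SVC_USER"
    # Same reload as in the thread: signal 10 is SIGUSR1 on Linux.
    start-stop-daemon --quiet --oknodo --stop --signal 10 \
        --user "$SVC_USER" --pidfile "$PIDFILE"
fi
```

For a manual run outside Certbot, set `RENEWED_LINEAGE=/etc/letsencrypt/live/chat.pastlife.works` in the environment when invoking the script.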

Thanks for your reply. This is way beyond my ability I think. This one will take a few days.

I'm very confused about this comment:

not sure how I authenticated my certificate request.

I think I might have done the install and setup incorrectly so I deleted mumble completely with sudo apt remove --purge mumble*

1 Like

That's okay. Alternatively you should instead be able to modify the .conf file and add the renew_hook line, as described above.

Sorry that the instructions are a bit involved. Setting things up for servers like Mumble is going to be a fair bit more complex than for servers that Certbot supports by default, like Apache.

3 Likes

Ok so I made the script and made it executable but am I supposed to use this on top line: #!/usr/bin/env bash
why not #!/bin/bash ?

I also added that line to the end of [renewalparams]

Rebooted the server and I still get this output after I attempt to reconfigure mumble-server:

<C>2022-05-26 17:44:27.916 MetaParams: Failed to read /etc/ssl/mumble.key
<F>2022-05-26 17:44:27.916 MetaParams: Failed to load SSL settings. See previous errors.

I think I'm gonna have to give up on mumble. No one ever chats anyways because they don't even know how to connect to it. I only get spammed by Spanish speaking people who only join to cuss me out.

1 Like

Force of habit for me, you can change it if you want.

Well, you will have to run the hook once yourself just to bootstrap things:

/etc/letsencrypt/deploy-mumble.sh

and stop and start Mumble.

Afterwards, Certbot should take care of things automatically.

2 Likes

Thank you so much @_az you are awesome! After I ran the script and then reconfigured I was able to see the green letters in the mumble client and the certificate shows in the server information. Success!!

I video recorded my entire migration. Will have to work on editing that video and then use it to make a new video for complete noobs to do this. If I can do it, a newer user can.

2 Likes
