ReadyNAS OS 6.10.2 - Certbot-auto unmet dependencies

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: nibbles0522.ddns.net

I ran this command: certbot-auto apache

It produced this output: The following packages have unmet dependencies:
python-virtualenv : Depends: python-pip-whl (>= 8.1.1-2) but 1.5.6-5 is to be installed
virtualenv : Depends: python3-virtualenv but it is not going to be installed
E: Unable to correct problems, you have held broken packages.

My web server is (include version): Apache/2.4.25 (Debian)

The operating system my web server runs on is (include version): ReadyNASOS 6.10.2 (Debian 8 - Jessie)

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): The above error precludes even obtaining certbot-auto version, but it was downloaded within the past 7 days.

I have also posted this issue on the Netgear community forum, but so far no response.

1 Like

Your Debian needs a little love...
Try:
sudo dpkg --configure -a
sudo apt-get clean
sudo apt-get update
sudo apt-get upgrade

2 Likes

OK, thanks rg305. dpkg --configure -a produced this output:

Setting up nfs-kernel-server (1:1.2.8-9+deb8u1) …
debconf: unable to initialize frontend: Dialog
debconf: (No usable dialog-like program is installed, so the dialog based frontend cannot be used. at /usr/share/perl5/Debconf/FrontEnd/Dialog.pm line 76.)
debconf: falling back to frontend: Readline
debconf: unable to initialize frontend: Dialog
debconf: (No usable dialog-like program is installed, so the dialog based frontend cannot be used. at /usr/share/perl5/Debconf/FrontEnd/Dialog.pm line 76.)
debconf: falling back to frontend: Readline
update-rc.d: error: initscript does not exist: /etc/init.d/nfs-kernel-server
dpkg: error processing package nfs-kernel-server (--configure):
subprocess installed post-installation script returned error exit status 1
Errors were encountered while processing:
nfs-kernel-server

I guess we have to bear in mind that the ReadyNAS OS uses a very pared down version of Debian, but I’m out of my depth here!

1 Like

If it can’t be corrected, you could maybe try another ACME client - like: acme.sh

1 Like

Thanks. I’ll look into the ACME client.

Well, having restored the system to factory settings and re-installed my apps, I have managed to get ssl certificates using acme.sh. Now the problem is, where do I put them? Polite answers only please.)
The ReadyNAS OS uses Apache 2.4 and the 000-default.conf file in sites-available says the DocumentRoot is at /var/www/html, but there is no html directory in /var/www, just an html.index file.
Anything else seems to be pointing to frontview, which is the web facing control panel for the NAS. So looking at sites-enabled/000-fv-https.conf points to an ssl.conf file in /etc/frontview/apache which points to an apache2.pem file in the same directory. That’s the only certificate file I can find on the system. There is no sign of a fullchain.cer, ca.cer or a key file anywhere. So I’m not sure how to proceed. Any ideas anyone?

1 Like

There are two parts to solving this.
One: understand how and where Apache puts files and expects things to be (including order).
Two: understand where acme.sh puts certificate file information and how they should be accessed.

For part one, I would start with understanding what you already have.

  • apachectl -S
    [this can show you which names are being served by which files]
  • create/modify ssl enabled file to serve encrypted access via desired name.
    [this requires use of cert files found in part two]

For part two, you should be able to find cert files within the /root/.acme.sh/ folder.
[if not there, try using find or which commands to locate where acme.sh is installed]

Some tips and gotchas:

  • Apache processes files alphabetically, so if/when there’s a name overlap it will use the first match.
    [name your files accordingly - most important first, least/default important last]
  • acme.sh may store cert files with restricted access rights - esp. the private key file
    [ensure apache has sufficient privilege to those files or try creating links with required access]

And of course, we are always here for any additional Q&A.
All the best, on this and through your holidays :slight_smile:

1 Like
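What the two parts above come to in practice, as an added example that is not part of the original thread: copy the key and chain out of acme.sh's working directory with tight permissions, check the key's mode, and print the directives an SSL-enabled vhost needs. The function names, the destination directory and the sample domain used to exercise it are assumptions; the source layout is acme.sh's default for an RSA certificate.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed layout (acme.sh default, RSA cert):
#   <acme_home>/<domain>/<domain>.key and <acme_home>/<domain>/fullchain.cer
# The destination directory is a hypothetical choice, not a ReadyNAS path.
# acme.sh can do the same copy itself and repeat it at each renewal:
#   acme.sh --install-cert -d DOMAIN --key-file F --fullchain-file F --reloadcmd CMD

# deploy_cert ACME_HOME DOMAIN DEST: copy key and chain out with tight modes.
deploy_cert() {
    src="$1/$2"; dest="$3"
    [ -s "$src/$2.key" ] && [ -s "$src/fullchain.cer" ] || {
        echo "missing key or fullchain.cer in $src" >&2; return 1; }
    mkdir -p "$dest" && chmod 755 "$dest" || return 1
    # Restrictive umask: a newly created key file is never world-readable.
    ( umask 077; cp "$src/$2.key" "$dest/$2.key" ) || return 1
    chmod 600 "$dest/$2.key" || return 1
    cp "$src/fullchain.cer" "$dest/$2.fullchain.pem" || return 1
    chmod 644 "$dest/$2.fullchain.pem"
}

# key_is_private FILE: succeeds only if no group/other permission bits are set.
key_is_private() {
    [ -f "$1" ] || return 2
    # Characters 5-10 of the ls mode string are the group and other bits.
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# vhost_snippet DOMAIN DEST: print the directives an SSL-enabled vhost needs.
# Apache 2.4.8+ accepts the full chain in SSLCertificateFile.
vhost_snippet() {
    cat <<EOF
<VirtualHost *:443>
    ServerName $1
    SSLEngine on
    SSLCertificateFile $2/$1.fullchain.pem
    SSLCertificateKeyFile $2/$1.key
</VirtualHost>
EOF
}
```

When Apache is started as root it reads the key file before dropping to its run user, so a root-owned key with mode 600 is normally sufficient.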

Many thanks rg305 for your very helpful reply. Well, I say helpful… here are the results of apachectl -S:
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using fe80::eafc:afff:fee4:d252. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:80 fe80::eafc:afff:fee4:d252 (/etc/apache2/sites-enabled/000-fv-http.conf:1)
*:443 fe80::eafc:afff:fee4:d252 (/etc/apache2/sites-enabled/000-fv-https.conf:2)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "syslog"
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ldap-cache: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/run/lock/apache2" mechanism=fcntl
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
PidFile: "/var/run/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="admin" id=98
Group: name="admin" id=98

So then, the contents of /etc/apache2/sites-enabled/000-fv-http.conf are:
<VirtualHost *:80>
Include "/etc/frontview/apache/defaults.conf"
Include "/etc/frontview/apache/http-share-redirect.conf"
Include "/etc/frontview/apache/fv-admin.conf"
Include "/etc/frontview/apache/Shares.conf"
Include "/etc/frontview/apache/apps-https.conf"
Include "/etc/frontview/apache/READYDROP.conf"
Include "/etc/frontview/apache/lan-try.conf"

As you can see, it includes a whole load of other files and I’ve tried to work out what’s going on but I’m not enough of an Apache expert to know how to proceed.

Nextcloud gets referred to in /etc/frontview/apache/apps-https.conf and points to /apps/nextcloud/https.conf:
Alias /nextcloud /apps/nextcloud/web
<Directory /apps/nextcloud/web>
Options -MultiViews +FollowSymLinks -Indexes
AllowOverride all
Order allow,deny
Allow from all
php_admin_value upload_tmp_dir "/apps/nextcloud/web/data/data/tmp"
Header always set Strict-Transport-Security "max-age=15552000; includeS$

Redirect 301 /.well-known/carddav /nextcloud/remote.php/dav
Redirect 301 /.well-known/caldav /nextcloud/remote.php/dav

… and that’s where I get lost. I can’t see where http gets redirected to https or where the ssl engine is turned on. Everything seems to be tied up with the frontview config files, which I’m a bit wary of messing with. So any pointers will be much appreciated. :slight_smile:

1 Like

I would start here:

And it is difficult to see from your post, but it looks like all includes are within a <virtual *:80> block.
That is BAD programming structure.
The includes should be outside of any such block.
[but not knowing the contents of those files... that remains to be seen]

1 Like

Looks like a good starting point. Contents of …frontview/apache/defaults.conf:

ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order Deny,Allow
Deny from All

SSLOptions +StdEnvVars

ErrorDocument 401 /error.html
ErrorDocument 423 /user_locked.html

Any idea what or where the SSLOptions might be found? As for the all the Includes being in <VirtualHost *:80> … Not me guv! I cannot tell a lie, it was them!

grep -ri ssloption /etc/apache2/

My concern is where are the *:443 ?
[inside the *:80 block?]

grep -ri ssloption /etc/apache2/ produces
/etc/apache2/sites-available/default-ssl.conf: #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
/etc/apache2/sites-available/default-ssl.conf: SSLOptions +StdEnvVars
/etc/apache2/sites-available/default-ssl.conf: SSLOptions +StdEnvVars

Nothing in sites-enabled and the 000-fv-https.conf in there contains pretty much the same as the http.conf i.e:


Include "/etc/frontview/apache/ssl.conf"
Include "/etc/frontview/apache/defaults.conf"
Include "/etc/frontview/apache/http-share-redirect.conf"
Include "/etc/frontview/apache/fv-admin.conf"
Include "/etc/frontview/apache/Shares.conf"
Include "/etc/frontview/apache/apps-https.conf"
Include "/etc/frontview/apache/READYDROP.conf"

Sorry that last didn’t go right…

Include "/etc/frontview/apache/ssl.conf" Include "/etc/frontview/apache/defaults.conf" Include "/etc/frontview/apache/http-share-redirect.conf" Include "/etc/frontview/apache/fv-admin.conf" Include "/etc/frontview/apache/Shares.conf" Include "/etc/frontview/apache/apps-https.conf" Include "/etc/frontview/apache/READYDROP.conf"

Neither did that!! I must learn to proof read before committing my reply. :frowning:
Ok the missing bits are:
ifModule mod_ssl.c
VirtualHost default:443
Include "/etc/frontview/apache/ssl.conf"
Include "/etc/frontview/apache/defaults.conf"
Include "/etc/frontview/apache/http-share-redirect.conf"
Include "/etc/frontview/apache/fv-admin.conf"
Include "/etc/frontview/apache/Shares.conf"
Include "/etc/frontview/apache/apps-https.conf"
Include "/etc/frontview/apache/READYDROP.conf"
/VirtualHost
/IfModule
This system doesn’t allow the <>s

The config seems very customized.

There may be a way to DUMP the entire config out into a single file that you can then search/review.

That would be useful, but beyond my capabilities! I’ll see what I can find. There is a system backup option in frontview. I don’t know how readable it might be, but I’ll give it a go.

I found this online:

1 Like

Ok thanks I’ll take a look.
The config backup didn’t seem to have much of any interest in it. Plenty of .conf files, but nothing in sites-enabled! Very odd. I can’t attach it, as .zip files aren’t allowed. Can’t remember how to do pastebin.

Well, I created a dump file and saved it on the ReadyNAS, can’t work out how to get that file to my PC using Putty & PSCP. I’ll have another go tomorrow evening.

copy it to the web directory and just http://your.server/file.name