mkdir /mnt
for i in proc dev etc; do mount $i /mnt/$i; done #er... disk prefix missing?
chroot /mnt
ls /var/log/apt/history.log
Renewed the Let's Encrypt certificate before it expires on December 9.
Note: need to give berry314.girod.fi as the domain name so that the certificate is valid for both berry314.girod.fi and girod.fi.
Next expiration: March 4.
~> sudo perl -pi -e 's/Rewrite/# Rewrite/' /etc/apache2/sites-available/000-default.conf
~> sudo apachectl graceful
# certbot certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log
How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Plugins selected: Authenticator webroot, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): berry314.girod.fi
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for girod.fi
Input the webroot for girod.fi: (Enter 'c' to cancel): /var/www/html
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/berry314.girod.fi/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/berry314.girod.fi/privkey.pem
Your cert will expire on 2023-03-04. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
~> sudo perl -pi -e 's/# Rewrite/Rewrite/' /etc/apache2/sites-available/000-default.conf
~> sudo apachectl graceful
~> sudo openssl x509 -enddate -noout -in /etc/letsencrypt/archive/berry314.girod.fi/fullchain3.pem
notAfter=Mar 4 17:44:41 2023 GMT
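As an added example (not part of the original log, and not Apache or certbot code), a small Python emulation of the three mod_rewrite directives that this log shows being commented in and out, to check whether an http-01 token URL would be redirected before touching the config. From the RewriteCond as it appears in this log, /.well-known/acme-challenge/ is already exempt, so the check reports the challenge path as reachable over plain HTTP; the toggle is what the htdig 3.1.6 run further down needs, since htdig cannot follow the https redirect. The emulation covers only the directive subset used here (a %{REQUEST_URI} condition with '!', $N and %{HTTP_HOST} substitutions, the R and L flags); the EXAMPLE-TOKEN path is a placeholder, and parse_rewrite_block, apply_rewrite, challenge_is_reachable and toggle_comment are names chosen for this example.

```python
import re

# The three directives as this log shows them in 000-default.conf (constructed copy).
REWRITE_CONFIG = r"""
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/\.well\-known/acme\-challenge/
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
"""


def parse_rewrite_block(config_text):
    """Collect (conditions, pattern, substitution, flags) tuples from a config fragment.

    Understands only the subset used here: RewriteCond on a %{VAR} with an optional
    leading '!', and RewriteRule with $N / %{VAR} substitutions. Lines commented
    out with '#' are skipped, which is exactly what the perl toggle relies on.
    """
    rules, pending_conds, engine_on = [], [], False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0] == "RewriteEngine":
            engine_on = parts[1].lower() == "on"
        elif parts[0] == "RewriteCond":
            negate = parts[2].startswith("!")
            pending_conds.append((parts[1], negate, parts[2].lstrip("!")))
        elif parts[0] == "RewriteRule":
            flags = parts[3].strip("[]").split(",") if len(parts) > 3 else []
            rules.append((pending_conds, parts[1], parts[2], flags))
            pending_conds = []  # RewriteCond lines apply only to the next RewriteRule
    return rules if engine_on else []


def apply_rewrite(rules, host, uri):
    """Return the redirect Location a request would get, or None if it is served as-is.

    Simplified emulation of mod_rewrite in <VirtualHost> context, not Apache itself;
    confirm against the live server with: curl -sI http://HOST/.well-known/acme-challenge/x
    """
    variables = {"%{REQUEST_URI}": uri, "%{HTTP_HOST}": host}
    for conds, pattern, substitution, flags in rules:
        match = re.search(pattern, uri)
        if not match:
            continue
        # Every condition must hold; a '!' condition holds when its regex does NOT match.
        if any((re.search(cond_re, variables.get(var, "")) is not None) == negate
               for var, negate, cond_re in conds):
            continue
        target = substitution
        for var, value in variables.items():
            target = target.replace(var, value)
        target = re.sub(r"\$(\d)", lambda m: match.group(int(m.group(1))), target)
        if any(flag.startswith("R") for flag in flags):
            return target
        uri = target  # internal rewrite: later rules see the rewritten path
        if "L" in flags:
            break
    return None


def challenge_is_reachable(config_text, host):
    """True when an http-01 token URL is served over plain HTTP instead of being redirected."""
    token_path = "/.well-known/acme-challenge/EXAMPLE-TOKEN"  # constructed placeholder token
    return apply_rewrite(parse_rewrite_block(config_text), host, token_path) is None


def toggle_comment(config_text, comment_out):
    """Approximate the perl -pi one-liners above: prefix or strip '# ' on Rewrite* lines."""
    out = []
    for line in config_text.splitlines():
        if comment_out and line.startswith("Rewrite"):
            out.append("# " + line)
        elif not comment_out and line.startswith("# Rewrite"):
            out.append(line[2:])
        else:
            out.append(line)
    return "\n".join(out)


if __name__ == "__main__":
    rules = parse_rewrite_block(REWRITE_CONFIG)
    print("robots.txt ->", apply_rewrite(rules, "berry314.girod.fi", "/robots.txt"))
    print("challenge reachable:", challenge_is_reachable(REWRITE_CONFIG, "berry314.girod.fi"))
```

With the directives active, /robots.txt is redirected to https (matching the 301 the htdig run below records) while the challenge path is not, so the only thing the renewal depends on is passing certbot the same webroot Apache serves over port 80.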
htdig> sudo $BINDIR/htdig -vvv -i -a
1:1:https://berry314.girod.fi/
New server: berry314.girod.fi, 80
Retrieval command for http://berry314.girod.fi/robots.txt: GET /robots.txt HTTP/1.0
User-Agent: htdig/3.1.6 ([email protected])
Host: berry314.girod.fi
Header line: HTTP/1.1 301 Moved Permanently
Header line: Date: Sun, 18 Sep 2022 08:04:27 GMT
Header line: Server: Apache/2.4.38 (Raspbian)
Header line: Location: https://berry314.girod.fi/robots.txt
Header line: Content-Length: 329
Header line: Connection: close
Header line: Content-Type: text/html; charset=iso-8859-1
Header line:
returnStatus = 3
pushed
pick: berry314.girod.fi, # servers = 1
0:0:0:https://berry314.girod.fi/: Retrieval command for https://berry314.girod.fi/: GET / HTTP/1.0
User-Agent: htdig/3.1.6 ([email protected])
Host: berry314.girod.fi
Header line: HTTP/1.1 301 Moved Permanently
Header line: Date: Sun, 18 Sep 2022 08:04:27 GMT
Header line: Server: Apache/2.4.38 (Raspbian)
Header line: Location: https://berry314.girod.fi/
Header line: Content-Length: 319
Header line: Connection: close
Header line: Content-Type: text/html; charset=iso-8859-1
Header line:
returnStatus = 3
redirect
redirect: https://berry314.girod.fi/
Rejected: Not an http or relative link!
pick: berry314.girod.fi, # servers = 1
I set the start URL for htdig to:
start_url: http://berry314.girod.fi/
and commented out the 3 Rewrite lines in
/etc/apache2/sites-enabled/000-default.conf:
htdig> grep Rewrite /etc/apache2/sites-enabled/000-default.conf
# RewriteEngine On
# RewriteCond %{REQUEST_URI} !^/\.well\-known/acme\-challenge/
# RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
htdig> sudo apachectl graceful
htdig> sudo $BINDIR/htdig -vvv -i -a
1:1:http://berry314.girod.fi/
New server: berry314.girod.fi, 80
Retrieval command for http://berry314.girod.fi/robots.txt: GET /robots.txt HTTP/1.0
User-Agent: htdig/3.1.6 ([email protected])
Host: berry314.girod.fi
Header line: HTTP/1.1 404 Not Found
Header line: Date: Sun, 18 Sep 2022 08:11:54 GMT
Header line: Server: Apache/2.4.38 (Raspbian)
Header line: Content-Length: 281
Header line: Connection: close
Header line: Content-Type: text/html; charset=iso-8859-1
Header line:
returnStatus = 1
pushed
pick: berry314.girod.fi, # servers = 1
0:0:0:http://berry314.girod.fi/: Retrieval command for http://berry314.girod.fi/: GET / HTTP/1.0
User-Agent: htdig/3.1.6 ([email protected])
Host: berry314.girod.fi
Header line: HTTP/1.1 200 OK
Header line: Date: Sun, 18 Sep 2022 08:11:54 GMT
Header line: Server: Apache/2.4.38 (Raspbian)
Header line: Last-Modified: Sun, 01 Sep 2019 08:27:53 GMT
Converted Sun, 01 Sep 2019 08:27:53 GMT to Sun, 01 Sep 2019 08:27:53
Header line: ETag: "526-59179a1ae7187"
Header line: Accept-Ranges: bytes
Header line: Content-Length: 1318
Header line: Vary: Accept-Encoding
Header line: Connection: close
Header line: Content-Type: text/html; charset=UTF-8
Header line:
returnStatus = 0
Read 1318 from document
Read a total of 1318 bytes
href: http://berry314.girod.fi/tmfish (General Fish Family tree)
...
OK, that was it... htdig needs to bypass the cert...
htdig> sudo apachectl graceful
htdig> sudo rm db/db.{docdb,wordlist}
htdig> for f in db/db.{docdb,wordlist}; do sudo mv $f.work $f; done
htdig> LC_COLLATE=C sudo $BINDIR/htmerge
And it works again!
dev> cd /opt/www/htdig/bin
bin> export DBDIR=/opt/www/htdig/db COMMONDIR=/opt/www/htdig/common BINDIR=/opt/www/htdig/bin
bin> export TMPDIR=$DBDIR
bin> sudo $BINDIR/htdig -v -i -a
New server: berry314.girod.fi, 80
0:0:0:https://berry314.girod.fi/: redirect
But in /etc/apache2/sites-enabled/000-default.conf, there is:
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
Would this be the redirection?
start_url: https://berry314.girod.fi/
And:
bin> host berry314.girod.fi
berry314.girod.fi has address 104.21.21.89
berry314.girod.fi has address 172.67.197.83
berry314.girod.fi has IPv6 address 2606:4700:3033::ac43:c553
berry314.girod.fi has IPv6 address 2606:4700:3037::6815:1559
bin> grep berry314.girod.fi /etc/hosts
127.0.1.1 berry314 berry314.girod.fi
# 86.44.5.225 berry314.girod.fi
# 86.44.5.225 berry314.dyndns-pics.com berry314.girod.fi
tmp> dig berry314.girod.fi | grep -A1 'ANSWER SECTION'
;; ANSWER SECTION:
berry314.girod.fi. 0 IN A 86.44.5.225
which matches the doc in Cloudflare, "CNAME Flattening":
Cloudflare will follow a CNAME to where it points and return that IP address instead of the CNAME record. By default, Cloudflare will only flatten the CNAME at the root of your domain, which is girod.fi.
But not so from berry itself:
ddclient-3.9.1> host berry314.girod.fi
berry314.girod.fi has address 172.67.197.83
berry314.girod.fi has address 104.21.21.89
berry314.girod.fi has IPv6 address 2606:4700:3037::6815:1559
berry314.girod.fi has IPv6 address 2606:4700:3033::ac43:c553
ddclient-3.9.1> host berry314.dyndns-pics.com
berry314.dyndns-pics.com has address 86.44.5.225
As suggested in the Let's Encrypt forum, I un-proxied my berry314 CNAME.
tmp> host berry
Host berry not found: 2(SERVFAIL)
tmp> host berry
berry has address 86.44.5.225
Host berry not found: 3(NXDOMAIN)
tmp> host berry
berry has address 192.168.1.7
berry has address 86.44.5.225
Host berry not found: 3(NXDOMAIN)
tmp> host berry314
Host berry314 not found: 2(SERVFAIL)
tmp> host berry314.girod.fi
berry314.girod.fi has address 86.44.5.225
berry314.girod.fi is an alias for berry314.dyndns-pics.com.
Distinguished berry from berry314 in /etc/hosts:
tmp> host berry
berry has address 192.168.1.7
Host berry not found: 3(NXDOMAIN)
tmp> host berry314
berry314 has address 86.44.5.225
Host berry314 not found: 3(NXDOMAIN)
tmp> dig berry314.girod.fi | grep -A1 'ANSWER SECTION'
;; ANSWER SECTION:
berry314.girod.fi. 0 IN A 86.44.5.225
tmp> dig berry314.dyndns-pics.com | grep -A1 'ANSWER SECTION'
;; ANSWER SECTION:
berry314.dyndns-pics.com. 0 IN A 86.44.5.225
And now on berry itself:
ddclient-3.9.1> dig berry314.girod.fi | grep -A2 'ANSWER SECTION'
;; ANSWER SECTION:
berry314.girod.fi. 3600 IN CNAME berry314.dyndns-pics.com.
berry314.dyndns-pics.com. 3600 IN A 86.44.5.225
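As an added example (not from the original log), a Python parser for the ANSWER SECTION of dig output that follows the CNAME chain inside one answer and classifies what an http-01 validator would reach: the Pi itself (the address ddclient registers), Cloudflare's proxy edge, something else, or nothing. The three sample answers are constructed from the dig and host output recorded above. The Cloudflare ranges are an assumption: a hand-picked subset of the list Cloudflare publishes at https://www.cloudflare.com/ips/, enough to cover the addresses seen in this log; parse_answer_section, resolve_in_answer and classify_target are names chosen for this example.

```python
import ipaddress
import re

# Constructed from the dig output recorded above: proxied, un-proxied (CNAME) and flattened answers.
DIG_PROXIED = """\
;; ANSWER SECTION:
berry314.girod.fi. 0 IN A 104.21.21.89
berry314.girod.fi. 0 IN A 172.67.197.83
"""
DIG_UNPROXIED = """\
;; ANSWER SECTION:
berry314.girod.fi. 3600 IN CNAME berry314.dyndns-pics.com.
berry314.dyndns-pics.com. 3600 IN A 86.44.5.225
"""
DIG_FLATTENED = """\
;; ANSWER SECTION:
berry314.girod.fi. 0 IN A 86.44.5.225
"""

# Assumption: a subset of the ranges Cloudflare publishes at https://www.cloudflare.com/ips/,
# chosen to cover the addresses in this log; use the full published list in production.
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in
                     ("104.16.0.0/13", "172.64.0.0/13", "2606:4700::/32")]

RR_LINE = re.compile(
    r"^(?P<owner>\S+)\.\s+(?P<ttl>\d+)\s+IN\s+(?P<type>A|AAAA|CNAME)\s+(?P<rdata>\S+)$")


def parse_answer_section(dig_text):
    """Return (owner, type, rdata) tuples from the ANSWER SECTION (trailing dots stripped)."""
    records, in_answer = [], False
    for line in dig_text.splitlines():
        if line.startswith(";; ANSWER SECTION"):
            in_answer = True
            continue
        if line.startswith(";"):  # any other section header or comment ends the answer
            in_answer = False
        if not in_answer:
            continue
        m = RR_LINE.match(line.strip())
        if m:
            records.append((m["owner"], m["type"], m["rdata"].rstrip(".")))
    return records


def resolve_in_answer(records, name, max_hops=8):
    """Follow CNAMEs inside one answer set and return the addresses name finally maps to."""
    for _ in range(max_hops):  # bounded so a CNAME loop cannot spin forever
        addrs = [r for o, t, r in records if o == name and t in ("A", "AAAA")]
        if addrs:
            return addrs
        cnames = [r for o, t, r in records if o == name and t == "CNAME"]
        if not cnames:
            break
        name = cnames[0]
    return []


def classify_target(dig_text, name, origin_ip):
    """Say what an http-01 validator would reach for name: 'origin', 'proxied', 'other' or 'none'."""
    addrs = [ipaddress.ip_address(a)
             for a in resolve_in_answer(parse_answer_section(dig_text), name)]
    if not addrs:
        return "none"
    origin = ipaddress.ip_address(origin_ip)
    if all(a == origin for a in addrs):
        return "origin"
    if all(any(a in net for net in CLOUDFLARE_RANGES) for a in addrs):
        return "proxied"
    return "other"


if __name__ == "__main__":
    for label, text in (("proxied", DIG_PROXIED), ("unproxied", DIG_UNPROXIED),
                        ("flattened", DIG_FLATTENED)):
        print(label, "->", classify_target(text, "berry314.girod.fi", "86.44.5.225"))
```

Run against `dig berry314.girod.fi` output piped in, with the address ddclient last reported as origin_ip, this tells you before running certbot whether the name points at the Pi, at Cloudflare's edge, or at an unrelated host (the 164.215.39.201 answer seen later in this log would come back as "other").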
The certificate generation still fails:
ddclient-3.9.1> sudo certbot certonly -d berry314.girod.fi
...
Failed authorization procedure. berry314.girod.fi (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: 86.44.5.225: Invalid response from http://berry314.girod.fi/.well-known/acme-challenge/-IyZRmjOEebaImeIXP97--DACdvBJ_g8__wYkqkU1WY: 404
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: berry314.girod.fi
Type: unauthorized
Detail: 86.44.5.225: Invalid response from
http://berry314.girod.fi/.well-known/acme-challenge/-IyZRmjOEebaImeIXP97--DACdvBJ_g8__wYkqkU1WY:
404
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
More instructions...
ddclient-3.9.1> sudo certbot certonly --webroot -w /var/www/html -d berry314.girod.fi
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for berry314.girod.fi
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/berry314.girod.fi/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/berry314.girod.fi/privkey.pem
Your cert will expire on 2022-12-09. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Updated /etc/apache2/sites-available/default-ssl.conf
ddclient-3.9.1> sudo egrep -v '^([ ]*#|$)' /etc/apache2/sites-enabled/default-ssl.conf | grep SSLCert
SSLCertificateFile /etc/letsencrypt/live/berry314.girod.fi/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/berry314.girod.fi/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/berry314.girod.fi/fullchain.pem
B rating.
tmp> dig NS girod.fi @opal.ns.cloudflare.com | grep -A2 'ANSWER SECTION'
;; ANSWER SECTION:
girod.fi. 86400 IN NS opal.ns.cloudflare.com.
girod.fi. 86400 IN NS walt.ns.cloudflare.com.
tmp> dig berry314.girod.fi @opal.ns.cloudflare.com | grep -A1 'AUTHORITY SECTION'
;; AUTHORITY SECTION:
berry314.girod.fi. 300 IN NS berry314.dyndns-pics.com.
tmp> dig NS girod.fi | grep -A2 'ANSWER SECTION'
;; ANSWER SECTION:
girod.fi. 6584 IN NS ns1.shellit.org.
girod.fi. 6584 IN NS ns1.z.fi.
tmp> dig berry314.girod.fi | grep -A1 'ANSWER SECTION'
;; ANSWER SECTION:
berry314.girod.fi. 0 IN A 164.215.39.201
Waiting for it to propagate. Maybe something is still needed in shellit.org.
tmp> dig berry314.girod.fi | grep -A1 'ANSWER SECTION'
;; ANSWER SECTION:
berry314.girod.fi. 0 IN A 86.44.5.225
tmp> dig NS girod.fi | grep -A2 'ANSWER SECTION'
;; ANSWER SECTION:
girod.fi. 21600 IN NS opal.ns.cloudflare.com.
girod.fi. 21600 IN NS walt.ns.cloudflare.com.
But on berry:
ddclient-3.9.1> sudo certbot certonly -d berry314.girod.fi
Saving debug log to /var/log/letsencrypt/letsencrypt.log
...
Failed authorization procedure. berry314.girod.fi (http-01): urn:ietf:params:acme:error:dns :: DNS problem: query timed out looking up A for berry314.girod.fi; DNS problem: SERVFAIL looking up AAAA for berry314.girod.fi - the domain's nameservers may be malfunctioning
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: berry314.girod.fi
Type: None
Detail: DNS problem: query timed out looking up A for
berry314.girod.fi; DNS problem: SERVFAIL looking up AAAA for
berry314.girod.fi - the domain's nameservers may be malfunctioning
And the same from the laptop.
tmp> dig berry314.girod.fi
; <<>> DiG 9.16.1-Ubuntu <<>> berry314.girod.fi
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60103
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;berry314.girod.fi. IN A
;; ANSWER SECTION:
berry314.girod.fi. 0 IN A 164.215.39.201
;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Thu Sep 08 08:38:19 IST 2022
;; MSG SIZE rcvd: 62
Tried to follow support instructions:
ddclient-3.9.1> sudo certbot certonly -d girod.fi
Saving debug log to /var/log/letsencrypt/letsencrypt.log
How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for girod.fi
Input the webroot for girod.fi: (Enter 'c' to cancel): /home/marc/webroot/girod
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. girod.fi (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: 2a03:e581:4::11: Invalid response from http://girod.fi/.well-known/acme-challenge/KgJIcfxawvbG-qXGHk0Z-Da3165sgIt0kpxumXfld5E: 404
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: girod.fi
Type: unauthorized
Detail: 2a03:e581:4::11: Invalid response from
http://girod.fi/.well-known/acme-challenge/KgJIcfxawvbG-qXGHk0Z-Da3165sgIt0kpxumXfld5E:
404
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
Correction from shellit support:
ddclient-3.9.1> sudo certbot certonly -d dyndns-pics.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for dyndns-pics.com
Input the webroot for dyndns-pics.com: (Enter 'c' to cancel): /home/marc/webroot/dyndns
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. dyndns-pics.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: 132.226.44.1: Fetching https://www.oracle.com/corporate/acquisitions/dyn/: Timeout after connect (your server may be slow or overloaded)
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: dyndns-pics.com
Type: connection
Detail: 132.226.44.1: Fetching
https://www.oracle.com/corporate/acquisitions/dyn/: Timeout after
connect (your server may be slow or overloaded)
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
ddclient-3.9.1> sudo certbot certonly -d berry314.dyndns-pics.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for berry314.dyndns-pics.com
Input the webroot for berry314.dyndns-pics.com: (Enter 'c' to cancel): /home/marc/webroot/dyndns
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. berry314.dyndns-pics.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: 86.44.5.225: Invalid response from http://berry314.dyndns-pics.com/.well-known/acme-challenge/h0q9GnqCnvHWIhkT0NCjj_GAB38wKqQ6mzGLjxi7xIE: 404
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: berry314.dyndns-pics.com
Type: unauthorized
Detail: 86.44.5.225: Invalid response from
http://berry314.dyndns-pics.com/.well-known/acme-challenge/h0q9GnqCnvHWIhkT0NCjj_GAB38wKqQ6mzGLjxi7xIE:
404
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
And from the laptop:
tmp> sudo certbot certonly -d dyndns-pics.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Plugins selected: Authenticator webroot, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): [email protected]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017-w-v1.3-notice.pdf.
You must agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for dyndns-pics.com
Input the webroot for dyndns-pics.com: (Enter 'c' to cancel): ~/tmp/webroot/dyndns
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
~/tmp/webroot/dyndns does not exist or is not a directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Input the webroot for dyndns-pics.com: (Enter 'c' to cancel): /home/marc/tmp/webroot/dyndns
Waiting for verification...
Challenge failed for domain dyndns-pics.com
http-01 challenge for dyndns-pics.com
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: dyndns-pics.com
Type: connection
Detail: 132.226.44.1: Fetching
https://www.oracle.com/corporate/acquisitions/dyn/: Timeout after
connect (your server may be slow or overloaded)
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- We were unable to subscribe you the EFF mailing list because your
e-mail address appears to be invalid. You can try again later by
visiting https://act.eff.org.
tmp> sudo certbot certonly -d berry314.dyndns-pics.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for berry314.dyndns-pics.com
Input the webroot for berry314.dyndns-pics.com: (Enter 'c' to cancel): /home/marc/tmp/webroot/dyndns
Waiting for verification...
Challenge failed for domain berry314.dyndns-pics.com
http-01 challenge for berry314.dyndns-pics.com
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: berry314.dyndns-pics.com
Type: unauthorized
Detail: 86.44.5.225: Invalid response from
http://berry314.dyndns-pics.com/.well-known/acme-challenge/oSPK_mj8o9BOfcR3abRNJK-1qaeTEqH0nV4OevHdBEA:
404
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
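As an added example (not from the original log, and not certbot's own code), a Python triage for the "Failed authorization procedure" lines certbot prints, using the four failures recorded in this log as constructed input. It extracts the ACME error type, the address the CA validated against and the HTTP status, and then separates the three situations the log went through: the CA reached the Pi but got a 404 (the webroot fix that worked above), the CA reached some other address (girod.fi and dyndns-pics.com resolve elsewhere), or the CA could not resolve the name at all. The origin address list is what ddclient reported; parse_failure and triage are names chosen for this example.

```python
import re
from ipaddress import ip_address

# Constructed copies of the failure lines recorded in this log.
FAILURES = [
    "Failed authorization procedure. berry314.girod.fi (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: 86.44.5.225: Invalid response from http://berry314.girod.fi/.well-known/acme-challenge/-IyZRmjOEebaImeIXP97--DACdvBJ_g8__wYkqkU1WY: 404",
    "Failed authorization procedure. girod.fi (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: 2a03:e581:4::11: Invalid response from http://girod.fi/.well-known/acme-challenge/KgJIcfxawvbG-qXGHk0Z-Da3165sgIt0kpxumXfld5E: 404",
    "Failed authorization procedure. dyndns-pics.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: 132.226.44.1: Fetching https://www.oracle.com/corporate/acquisitions/dyn/: Timeout after connect (your server may be slow or overloaded)",
    "Failed authorization procedure. berry314.girod.fi (http-01): urn:ietf:params:acme:error:dns :: DNS problem: query timed out looking up A for berry314.girod.fi; DNS problem: SERVFAIL looking up AAAA for berry314.girod.fi - the domain's nameservers may be malfunctioning",
]

FAIL_RE = re.compile(
    r"^Failed authorization procedure\. (?P<domain>\S+) \((?P<challenge>[^)]+)\): "
    r"(?P<urn>urn:ietf:params:acme:error:\w+) :: (?P<summary>.*?)(?: :: (?P<detail>.*))?$")
# The detail part starts with the address the CA validated against, IPv4 or IPv6.
TARGET_RE = re.compile(r"^(?P<target>[0-9A-Fa-f.:]+): (?P<rest>.*)$")


def parse_failure(line):
    """Split one certbot failure line into domain, challenge, error type, target address, status."""
    m = FAIL_RE.match(line.strip())
    if not m:
        raise ValueError("not a certbot 'Failed authorization procedure' line")
    info = m.groupdict()
    info["error"] = info["urn"].rsplit(":", 1)[1]  # unauthorized / connection / dns ...
    info["target"] = None
    info["status"] = None
    detail = info["detail"] or ""
    t = TARGET_RE.match(detail)
    if t:
        try:
            info["target"] = str(ip_address(t.group("target")))
        except ValueError:
            pass  # detail did not start with an address
    s = re.search(r": (\d{3})$", detail)
    if s:
        info["status"] = int(s.group(1))
    return info


def triage(line, origin_ips):
    """Map a failure to what had to be fixed: 'dns', 'wrong-target', 'webroot' or 'connectivity'."""
    info = parse_failure(line)
    origins = {ip_address(ip) for ip in origin_ips}
    if info["error"] == "dns" or info["target"] is None:
        return "dns", f"the CA could not resolve {info['domain']}; fix the delegation before retrying"
    if ip_address(info["target"]) not in origins:
        return "wrong-target", (f"the CA validated against {info['target']}, which is not this host; "
                                f"the A/AAAA record for {info['domain']} points elsewhere")
    if info["error"] == "unauthorized" and info["status"] == 404:
        return "webroot", ("the CA reached this host but the token was not served: pass the webroot "
                           "Apache serves on port 80 with --webroot -w, and keep "
                           "/.well-known/acme-challenge/ out of any redirect")
    return "connectivity", ("the CA reached this host's address but got no usable answer on port 80: "
                            "check port forwarding and the firewall")


if __name__ == "__main__":
    for line in FAILURES:
        kind, why = triage(line, ["86.44.5.225"])
        print(f"{parse_failure(line)['domain']}: {kind}: {why}")
```

The first line classifies as "webroot", which is the case the `--webroot -w /var/www/html` rerun above resolved; the girod.fi and dyndns-pics.com lines classify as "wrong-target", so no amount of webroot fiddling on the Pi can make those succeed.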
● ddclient.lsb.service - LSB: ddclient provides support for updating dynamic DNS services
Loaded: loaded (/etc/init.d/ddclient.lsb; generated)
Active: active (running) since Tue 2022-09-06 17:41:56 IST; 8h ago
Docs: man:systemd-sysv-generator(8)
Process: 23146 ExecStart=/etc/init.d/ddclient.lsb start (code=exited, status=0/SUCCESS)
Tasks: 1 (limit: 877)
CGroup: /system.slice/ddclient.lsb.service
└─23151 ddclient - sleeping for 170 seconds
...
Sep 07 02:04:12 berry314 ddclient[26584]: FAILED: updating berry314.thruhere.net: nohost: The hostname specified does not exist in the database
Sep 07 02:09:13 berry314 ddclient[26732]: WARNING: file /var/cache/ddclient/ddclient.cache, line 3: Invalid Value for keyword 'ip' = ''
Sep 07 02:09:13 berry314 ddclient[26734]: SUCCESS: updating berry314.dyndns-pics.com: good: IP address set to 86.44.5.225
Added an NS record for berry314.girod.fi in Cloudflare.
tmp> dig NS thruhere.net @a.gtld-servers.net
; <<>> DiG 9.16.1-Ubuntu <<>> NS thruhere.net @a.gtld-servers.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39817
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 9
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;thruhere.net. IN NS
;; AUTHORITY SECTION:
thruhere.net. 172800 IN NS ns1.p201.dns.oraclecloud.net.
thruhere.net. 172800 IN NS ns2.p201.dns.oraclecloud.net.
thruhere.net. 172800 IN NS ns3.p201.dns.oraclecloud.net.
thruhere.net. 172800 IN NS ns4.p201.dns.oraclecloud.net.
;; ADDITIONAL SECTION:
ns1.p201.dns.oraclecloud.net. 172800 IN A 108.59.166.201
ns1.p201.dns.oraclecloud.net. 172800 IN AAAA 2600:2000:2100::c9
ns2.p201.dns.oraclecloud.net. 172800 IN A 108.59.168.201
ns2.p201.dns.oraclecloud.net. 172800 IN AAAA 2600:2000:2110::c9
ns3.p201.dns.oraclecloud.net. 172800 IN A 108.59.170.201
ns3.p201.dns.oraclecloud.net. 172800 IN AAAA 2600:2000:2120::c9
ns4.p201.dns.oraclecloud.net. 172800 IN A 108.59.172.201
ns4.p201.dns.oraclecloud.net. 172800 IN AAAA 2600:2000:2130::c9
;; Query time: 27 msec
;; SERVER: 192.5.6.30#53(192.5.6.30)
;; WHEN: Tue Sep 06 13:14:02 IST 2022
;; MSG SIZE rcvd: 310
tmp> dig NS girod.fi @a.gtld-servers.net
; <<>> DiG 9.16.1-Ubuntu <<>> NS girod.fi @a.gtld-servers.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15322
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;girod.fi. IN NS
;; AUTHORITY SECTION:
. 518400 IN NS k.root-servers.net.
. 518400 IN NS l.root-servers.net.
. 518400 IN NS m.root-servers.net.
. 518400 IN NS a.root-servers.net.
. 518400 IN NS b.root-servers.net.
. 518400 IN NS c.root-servers.net.
. 518400 IN NS d.root-servers.net.
. 518400 IN NS e.root-servers.net.
. 518400 IN NS f.root-servers.net.
. 518400 IN NS g.root-servers.net.
. 518400 IN NS h.root-servers.net.
. 518400 IN NS i.root-servers.net.
. 518400 IN NS j.root-servers.net.
;; Query time: 23 msec
;; SERVER: 192.5.6.30#53(192.5.6.30)
;; WHEN: Tue Sep 06 13:15:09 IST 2022
;; MSG SIZE rcvd: 248
The error was:
ddclient-3.9.1> sudo systemctl -l status ddclient.lsb
● ddclient.lsb.service - LSB: ddclient provides support for updating dynamic DNS services
Loaded: loaded (/etc/init.d/ddclient.lsb; generated)
Active: active (running) since Tue 2022-09-06 17:41:56 IST; 38min ago
Docs: man:systemd-sysv-generator(8)
Process: 23146 ExecStart=/etc/init.d/ddclient.lsb start (code=exited, status=0/SUCCESS)
Tasks: 1 (limit: 877)
CGroup: /system.slice/ddclient.lsb.service
└─23151 ddclient - sleeping for 130 seconds
Sep 06 17:41:56 berry314 ddclient[23156]: WARNING: Wait at least 5 minutes between update attempts.
Sep 06 17:46:59 berry314 ddclient[23185]: FAILED: updating berry314.thruhere.net: nohost: The hostname specified does not exist in the database
Sep 06 17:51:59 berry314 ddclient[23204]: WARNING: file /var/cache/ddclient/ddclient.cache, line 4: Invalid Value for keyword 'ip' = ''
Sep 06 17:52:00 berry314 ddclient[23206]: FAILED: updating berry314.thruhere.net: nohost: The hostname specified does not exist in the database
Sep 06 17:57:00 berry314 ddclient[23219]: WARNING: file /var/cache/ddclient/ddclient.cache, line 4: Invalid Value for keyword 'ip' = ''
Sep 06 17:57:01 berry314 ddclient[23221]: FAILED: updating berry314.thruhere.net: nohost: The hostname specified does not exist in the database
Sep 06 18:02:02 berry314 ddclient[23241]: WARNING: file /var/cache/ddclient/ddclient.cache, line 4: Invalid Value for keyword 'ip' = ''
Sep 06 18:02:03 berry314 ddclient[23243]: FAILED: updating berry314.thruhere.net: nohost: The hostname specified does not exist in the database
Sep 06 18:07:03 berry314 ddclient[23258]: WARNING: file /var/cache/ddclient/ddclient.cache, line 4: Invalid Value for keyword 'ip' = ''
Sep 06 18:07:04 berry314 ddclient[23262]: FAILED: updating berry314.thruhere.net: nohost: The hostname specified does not exist in the database
and the cache:
ddclient-3.9.1> sudo cat /var/cache/ddclient/ddclient.cache
## ddclient-3.9.1
## last updated at Tue Sep 6 18:12:04 2022 (1662484324)
atime=1662480437,backupmx=1,custom=0,host=berry314.girod.fi,mtime=0,mx=berry314.girod.fi,script=/nic/update,static=0,status=nohost,warned-min-error-interval=0,warned-min-interval=0,wildcard=0,wtime=30 berry314.girod.fi
atime=0,backupmx=1,custom=0,host=berry314.thruhere.net,ip=86.44.5.225,mtime=0,mx=berry314.thruhere.net,script=/nic/update,static=0,status=nohost,warned-min-error-interval=0,warned-min-interval=0,wildcard=0,wtime=30 berry314.thruhere.net
I tried to set the ip to 86.44.5.225 (the address of berry314.dyndns-pics.com),
but this resulted in ddclient no longer retrying, only sleeping:
└─23151 ddclient - sleeping for 250 seconds
Then, I moved the cache away:
ddclient-3.9.1> sudo mv /var/cache/ddclient/ddclient.cache /tmp/
This allowed a retry:
ddclient-3.9.1> sudo systemctl -l status ddclient.lsb
● ddclient.lsb.service - LSB: ddclient provides support for updating dynamic DNS services
Loaded: loaded (/etc/init.d/ddclient.lsb; generated)
Active: active (running) since Tue 2022-09-06 17:41:56 IST; 50min ago
Docs: man:systemd-sysv-generator(8)
Process: 23146 ExecStart=/etc/init.d/ddclient.lsb start (code=exited, status=0/SUCCESS)
Tasks: 1 (limit: 877)
CGroup: /system.slice/ddclient.lsb.service
└─23151 ddclient - sleeping for 290 seconds
...
Sep 06 18:07:04 berry314 ddclient[23262]: FAILED: updating berry314.thruhere.net: nohost: The hostname specified does not exist in the database
Sep 06 18:32:08 berry314 ddclient[23603]: FAILED: updating berry314.thruhere.net: nohost: The hostname specified does not exist in the database
And the cache was recreated:
ddclient-3.9.1> sudo cat /var/cache/ddclient/ddclient.cache
## ddclient-3.9.1
## last updated at Tue Sep 6 18:32:06 2022 (1662485526)
atime=1662485526,backupmx=1,custom=0,host=berry314.thruhere.net,ip=,mtime=0,mx=berry314.thruhere.net,script=/nic/update,static=0,status=nohost,warned-min-error-interval=0,warned-min-interval=0,wildcard=0,wtime=0 berry314.thruhere.net
But unfortunately with the same error:
Sep 06 18:32:08 berry314 ddclient[23603]: FAILED: updating berry314.thruhere.net: nohost: The hostname specified does not exist in the database
Sep 06 18:37:08 berry314 ddclient[23713]: WARNING: file /var/cache/ddclient/ddclient.cache, line 3: Invalid Value for keyword 'ip' = ''
Sep 06 18:37:09 berry314 ddclient[23715]: FAILED: updating berry314.thruhere.net: nohost: The hostname specified does not exist in the database
One last stupid attempt: put in another ip, e.g. the one currently reported:
tmp> host thruhere.net
thruhere.net has address 132.226.162.56
So:
ddclient-3.9.1> sudo cat /var/cache/ddclient/ddclient.cache
## ddclient-3.9.1
## last updated at Tue Sep 6 18:42:09 2022 (1662486129)
atime=1662486129,backupmx=1,custom=0,host=berry314.thruhere.net,ip=132.226.162.56,mtime=0,mx=berry314.thruhere.net,script=/nic/update,static=0,status=nohost,warned-min-error-interval=0,warned-min-interval=0,wildcard=0,wtime=0 berry314.thruhere.net
Yields:
└─23151 ddclient - sleeping for 230 seconds
...
Sep 06 18:42:10 berry314 ddclient[23957]: FAILED: updating berry314.thruhere.net: nohost: The hostname specified does not exist in the database
Sep 06 18:47:11 berry314 ddclient[24152]: FAILED: updating berry314.thruhere.net: nohost: The hostname specified does not exist in the database
This reset the value:
ddclient-3.9.1> sudo cat /var/cache/ddclient/ddclient.cache
## ddclient-3.9.1
## last updated at Tue Sep 6 18:47:10 2022 (1662486430)
atime=1662486430,backupmx=1,custom=0,host=berry314.thruhere.net,ip=,mtime=0,mx=berry314.thruhere.net,script=/nic/update,static=0,status=nohost,warned-min-error-interval=0,warned-min-interval=0,wildcard=0,wtime=0 berry314.thruhere.net
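As an added example (not code from the log or from ddclient), a Python parser for the ddclient.cache format shown above, with a check that reports the two conditions this log keeps running into: a status other than good, and an empty or missing ip (the source of the repeated "Invalid Value for keyword 'ip'" warning). The format assumption is exactly what is visible above: comma-separated key=value pairs, a space, then the hostname, with '#' comment lines; parse_ddclient_cache and diagnose are names chosen for this example, and the sample cache is constructed from the first snapshot in the log.

```python
# Constructed from the first cache snapshot shown in this log.
CACHE_BEFORE = """\
## ddclient-3.9.1
## last updated at Tue Sep 6 18:12:04 2022 (1662484324)
atime=1662480437,backupmx=1,custom=0,host=berry314.girod.fi,mtime=0,mx=berry314.girod.fi,script=/nic/update,static=0,status=nohost,warned-min-error-interval=0,warned-min-interval=0,wildcard=0,wtime=30 berry314.girod.fi
atime=0,backupmx=1,custom=0,host=berry314.thruhere.net,ip=86.44.5.225,mtime=0,mx=berry314.thruhere.net,script=/nic/update,static=0,status=nohost,warned-min-error-interval=0,warned-min-interval=0,wildcard=0,wtime=30 berry314.thruhere.net
"""


def parse_ddclient_cache(text):
    """Parse ddclient.cache into {hostname: {key: value}}.

    One 'k=v,k=v,... hostname' line per host; lines starting with '#' are comments.
    A key that is absent stays absent, so callers can tell "never set" from ''.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields, _, hostname = line.rpartition(" ")
        kv = {}
        for item in fields.split(","):
            key, _, value = item.partition("=")
            kv[key] = value
        entries[hostname] = kv
    return entries


def diagnose(entries, expected_ip):
    """Return {hostname: [findings]} for hosts whose cache entry shows the update is not working."""
    findings = {}
    for host, kv in entries.items():
        notes = []
        status = kv.get("status")
        if status != "good":
            notes.append(f"status={status!r}: provider rejected the last update")
        ip = kv.get("ip")
        if not ip:
            notes.append("no cached ip: each run will warn 'Invalid Value for keyword ip' and retry")
        elif ip != expected_ip:
            notes.append(f"cached ip {ip} differs from the current public address {expected_ip}")
        if notes:
            findings[host] = notes
    return findings


if __name__ == "__main__":
    for host, notes in diagnose(parse_ddclient_cache(CACHE_BEFORE), "86.44.5.225").items():
        print(host)
        for note in notes:
            print("  -", note)
```

The check does not try to talk to the provider; it only makes the cache state legible, which is what the repeated cat/mv/edit cycle above was doing by hand. A hostname that stays at status=nohost across retries, as berry314.thruhere.net does here, is one the provider does not know about, and moving the cache away only buys another attempt at the same answer.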
dev> sudo apt update
dev> sudo apt-get install certbot
dev> certbot run --dry-run
--dry-run currently only works with the 'certonly' or 'renew' subcommands ('run')
dev> sudo certbot run -d girod.fi,dyndns-pics.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Certbot doesn't know how to automatically configure the web server on this system. However, it can still get a certificate for you. Please run "certbot certonly" to do so. You'll need to manually configure your web server to use the resulting certificate.
dev> sudo certbot certonly -d dyndns-pics.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for dyndns-pics.com
Input the webroot for dyndns-pics.com: (Enter 'c' to cancel): /home/marc/webroot/dyndns
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. dyndns-pics.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: 132.226.44.1: Fetching https://www.oracle.com/corporate/acquisitions/dyn/: Timeout after connect (your server may be slow or overloaded)
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: dyndns-pics.com
Type: connection
Detail: 132.226.44.1: Fetching
https://www.oracle.com/corporate/acquisitions/dyn/: Timeout after
connect (your server may be slow or overloaded)
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
root@berry314:/etc/ddclient# certbot certonly -d thruhere.net
Saving debug log to /var/log/letsencrypt/letsencrypt.log
How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for thruhere.net
Input the webroot for thruhere.net: (Enter 'c' to cancel): /home/marc/webroot/
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. thruhere.net (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: 132.226.162.56: Fetching https://www.oracle.com/corporate/acquisitions/dyn/: Timeout after connect (your server may be slow or overloaded)
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: thruhere.net
Type: connection
Detail: 132.226.162.56: Fetching
https://www.oracle.com/corporate/acquisitions/dyn/: Timeout after
connect (your server may be slow or overloaded)
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
root@berry314:/etc/ddclient# certbot certonly -d girod.fi
Saving debug log to /var/log/letsencrypt/letsencrypt.log
How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for girod.fi
Input the webroot for girod.fi: (Enter 'c' to cancel): /home/marc/webroot/girod/
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. girod.fi (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: 2a03:e581:4::11: Invalid response from http://girod.fi/.well-known/acme-challenge/BYLGzzALKGIe72r8ASAn_FVm7Birw5purqRj3XSM9BM: 404
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: girod.fi
Type: unauthorized
Detail: 2a03:e581:4::11: Invalid response from
http://girod.fi/.well-known/acme-challenge/BYLGzzALKGIe72r8ASAn_FVm7Birw5purqRj3XSM9BM:
404
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
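Added example, not part of the original notes and not certbot's code: a pre-flight check that does what the "To fix these errors" text above asks for, before running certbot certonly with the webroot authenticator. It checks that every A/AAAA record of the domain points at this host's public addresses and that a random token placed under <webroot>/.well-known/acme-challenge/ is served back at http://<domain>/.well-known/acme-challenge/<token>. The resolver and fetcher are passed in as functions (a design choice so the checks can be exercised with constructed results); the host's public addresses are given on the command line.

```python
# http-01 pre-flight check: added example, not certbot's code. It performs the
# two checks certbot's error text asks for before a webroot run: every A/AAAA
# record of the domain must point at this host's public address(es), and a
# token file written under <webroot>/.well-known/acme-challenge/ must come back
# unchanged from http://<domain>/.well-known/acme-challenge/<token>.
# The resolver and fetcher are injectable so the logic can be exercised with
# constructed results; the defaults use only the standard library.
import os
import secrets
import socket
import urllib.error
import urllib.request
from dataclasses import dataclass, field

ACME_PATH = "/.well-known/acme-challenge/"


def resolve_all(domain):
    """All A/AAAA addresses the resolver returns for domain (default resolver)."""
    infos = socket.getaddrinfo(domain, 80, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}


def fetch_text(url, timeout=10):
    """GET url; returns (status, body), with status None when no connection was made."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, ""
    except (urllib.error.URLError, OSError) as exc:
        return None, str(exc)


@dataclass
class Preflight:
    ok: bool
    problems: list = field(default_factory=list)


def preflight(domain, webroot, my_addresses, resolve=resolve_all,
              fetch=fetch_text, write_token=True):
    """Return Preflight(ok, problems) for one domain.

    my_addresses: this host's public IPv4/IPv6 addresses, as strings.
    write_token=False skips touching the webroot (for use with a fake fetcher).
    """
    problems = []
    # 1. DNS: any address that is not ours means the CA will talk to another box.
    try:
        addrs = resolve(domain)
    except OSError as exc:
        return Preflight(False, [f"DNS lookup for {domain} failed: {exc}"])
    if not addrs:
        problems.append(f"{domain} has no A/AAAA records")
    for addr in sorted(addrs - set(my_addresses)):
        problems.append(f"{domain} resolves to {addr}, which is not one of this host's addresses")
    # 2. Webroot: serve a random token exactly where the CA will look for it.
    token = secrets.token_urlsafe(32)
    challenge_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    token_path = os.path.join(challenge_dir, token)
    if write_token:
        os.makedirs(challenge_dir, exist_ok=True)
        with open(token_path, "w") as fh:
            fh.write(token)
    try:
        status, body = fetch(f"http://{domain}{ACME_PATH}{token}")
    finally:
        if write_token and os.path.exists(token_path):
            os.remove(token_path)
    if status is None:
        problems.append(f"could not fetch the challenge URL: {body}")
    elif status != 200:
        problems.append(f"challenge URL returned HTTP {status}")
    elif body.strip() != token:
        problems.append("challenge URL answered, but with something other than the token")
    return Preflight(not problems, problems)


if __name__ == "__main__":
    import sys
    domain, webroot, *mine = sys.argv[1:]  # usage: preflight.py DOMAIN WEBROOT ADDR [ADDR...]
    result = preflight(domain, webroot, set(mine))
    print("OK" if result.ok else "\n".join(result.problems))
    sys.exit(0 if result.ok else 1)
```

Run as python3 preflight.py girod.fi /home/marc/webroot/girod/ <public IPv4> <public IPv6> on the host that will serve the challenge. Each of the three failures above maps to one of its problem strings: the two connection timeouts to the "could not fetch" line, the girod.fi failure to an address mismatch plus "HTTP 404". Let's Encrypt validates over IPv6 when the name has a AAAA record, which is why the girod.fi attempt shows 2a03:e581:4::11, so pass both addresses so the DNS check covers both.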
/etc/hosts
:
192.168.1.7 berry314.dyndns-pics.com
I'll wait until Sergey has got me the girod.fi domain before I try to set it up in Cloudflare.