mail-in-a-box / mailinabox

Mail-in-a-Box helps individuals take back control of their email by defining a one-click, easy-to-deploy SMTP+everything else server: a mail server in a box.
https://mailinabox.email/
Creative Commons Zero v1.0 Universal

status checks and status page not working after 9/29 best guess #2168

Open tdahbura opened 2 years ago

tdahbura commented 2 years ago

Running a standard install of MIAB 57a with no local customizations on an AWS EC2 server.

History of updates applied:

9/27/22 System -- Previously:

✓ System software is up to date.

System -- Currently:

✖ There are 2 software packages that can be updated. [1 standard security update] () sosreport (4.3-1ubuntu0.18.04.2)

9/28/22 System -- Previously:

✖ There are 2 software packages that can be updated. [1 standard security update] () sosreport (4.3-1ubuntu0.18.04.2)

System -- Currently:

✖ There are 4 software packages that can be updated. [3 standard security updates] () ghostscript (9.26~dfsg+0-0ubuntu0.18.04.17) libgs9 (9.26~dfsg+0-0ubuntu0.18.04.17) libgs9-common (9.26~dfsg+0-0ubuntu0.18.04.17)

9/29 System -- Previously:

✖ There are 4 software packages that can be updated. [3 standard security updates] () ghostscript (9.26~dfsg+0-0ubuntu0.18.04.17) libgs9 (9.26~dfsg+0-0ubuntu0.18.04.17) libgs9-common (9.26~dfsg+0-0ubuntu0.18.04.17)

System -- Currently:

✖ There are 1 software packages that can be updated. duplicity (1.0.0-ppa202209251803~ubuntu18.04.1)

I logged into the box today 10/2 and executed a sudo apt update && sudo apt upgrade

After the install the web status page would not load and returned a dialog box stating there was an error.

@alinto in the slack channel suggested running the status command on the box:

$ cd mailinabox/management
$ sudo ./status_checks.py

System

✖ Public DNS (nsd4) is not running (port 53).
✓ SSH disallows password-based login.
✓ System software is up to date.
Traceback (most recent call last):
  File "./status_checks.py", line 1096, in <module>
    run_checks(False, env, ConsoleOutput(), pool)
  File "./status_checks.py", line 62, in run_checks
    run_system_checks(rounded_values, env, output)
  File "./status_checks.py", line 168, in run_system_checks
    check_miab_version(env, output)
  File "./status_checks.py", line 927, in check_miab_version
    latest_ver = get_latest_miab_version()
  File "./status_checks.py", line 912, in get_latest_miab_version
    return re.search(b'TAG=(.*)', urlopen("https://mailinabox.email/setup.sh?ping=1", timeout=5).read()).group(1).decode("utf8")
  File "/usr/lib/python3.6/urllib/request.py", line 223, in urlopen
    return opener.open(url, data, timeout)
  File "/usr/lib/python3.6/urllib/request.py", line 526, in open
    response = self._open(req, data)
  File "/usr/lib/python3.6/urllib/request.py", line 544, in _open
    '_open', req)
  File "/usr/lib/python3.6/urllib/request.py", line 504, in _call_chain
    result = func(*args)
  File "/usr/lib/python3.6/urllib/request.py", line 1368, in https_open
    context=self._context, check_hostname=self._check_hostname)
  File "/usr/lib/python3.6/urllib/request.py", line 1325, in do_open
    encode_chunked=req.has_header('Transfer-encoding'))
  File "/usr/lib/python3.6/http/client.py", line 1285, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/usr/lib/python3.6/http/client.py", line 1331, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/usr/lib/python3.6/http/client.py", line 1280, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/usr/lib/python3.6/http/client.py", line 1046, in _send_output
    self.send(msg)
  File "/usr/lib/python3.6/http/client.py", line 984, in send
    self.connect()
  File "/usr/lib/python3.6/http/client.py", line 1446, in connect
    server_hostname=server_hostname)
  File "/usr/lib/python3.6/ssl.py", line 407, in wrap_socket
    _context=self, _session=session)
  File "/usr/lib/python3.6/ssl.py", line 817, in __init__
    self.do_handshake()
  File "/usr/lib/python3.6/ssl.py", line 1077, in do_handshake
    self._sslobj.do_handshake()
  File "/usr/lib/python3.6/ssl.py", line 694, in do_handshake
    match_hostname(self.getpeercert(), self.server_hostname)
  File "/usr/local/lib/mailinabox/env/lib/python3.6/site-packages/idna_ssl.py", line 19, in patched_match_hostname
    return real_match_hostname(cert, hostname)
  File "/usr/lib/python3.6/ssl.py", line 331, in match_hostname
    % (hostname, dnsnames[0]))
ssl.CertificateError: hostname 'mailinabox.email' doesn't match 'box.fullmoonmanor.net'

I am not sure what to do on the box to correct any of this. I tried a set of host commands:

$ host www.ebay.com

and it worked fine

$ host mailinabox.email
Host mailinabox.email not found: 2(SERVFAIL)

@alinto suggested getting a status on bind9 which gave the following:

● bind9.service - BIND Domain Name Server
  Loaded: loaded (/lib/systemd/system/bind9.service; enabled; vendor preset: enabled)
  Active: active (running) since Sun 2022-10-02 10:37:46 EDT; 8h ago
  Docs: man:named(8)
  Process: 10149 ExecStop=/usr/sbin/rndc stop (code=exited, status=0/SUCCESS)
  Main PID: 10152 (named)
  Tasks: 4 (limit: 2342)
  CGroup: /system.slice/bind9.service
      └─10152 /usr/sbin/named -f -u bind -4

Oct 02 18:47:45 box.fullmoonmanor.net named[10152]: SERVFAIL unexpected RCODE resolving 'rbldns18.sorbs.net/A/IN': 108.59.172.201#53
Oct 02 18:47:45 box.fullmoonmanor.net named[10152]: SERVFAIL unexpected RCODE resolving 'rbldns17.sorbs.net/A/IN': 108.59.168.201#53
Oct 02 18:47:45 box.fullmoonmanor.net named[10152]: SERVFAIL unexpected RCODE resolving 'rbldns18.sorbs.net/A/IN': 108.59.168.201#53
Oct 02 18:54:41 box.fullmoonmanor.net named[10152]: validating mailinabox.email/DNSKEY: verify failed due to bad signature (keyid=33553): R
Oct 02 18:54:41 box.fullmoonmanor.net named[10152]: validating mailinabox.email/DNSKEY: no valid signature found (DS)
Oct 02 18:54:41 box.fullmoonmanor.net named[10152]: no valid RRSIG resolving 'mailinabox.email/DNSKEY/IN': 66.199.228.130#53
Oct 02 18:54:41 box.fullmoonmanor.net named[10152]: validating mailinabox.email/DNSKEY: verify failed due to bad signature (keyid=33553): R
Oct 02 18:54:41 box.fullmoonmanor.net named[10152]: validating mailinabox.email/DNSKEY: no valid signature found (DS)
Oct 02 18:54:41 box.fullmoonmanor.net named[10152]: no valid RRSIG resolving 'mailinabox.email/DNSKEY/IN': 94.76.202.152#53
Oct 02 18:54:41 box.fullmoonmanor.net named[10152]: broken trust chain resolving 'mailinabox.email/A/IN': 66.199.228.130#53

Please help.

alento-group commented 2 years ago

I realized later that it was NSD, not BIND that wasn't running, so advised OP to check status of NSD ...

● nsd.service - Name Server Daemon
  Loaded: loaded (/lib/systemd/system/nsd.service; enabled; vendor preset: enabled)
  Active: active (running) since Sun 2022-10-02 09:19:41 EDT; 9h ago
 Main PID: 905 (nsd)
  Tasks: 3 (limit: 2342)
  CGroup: /system.slice/nsd.service
      ├─ 905 /usr/sbin/nsd -d
      ├─ 916 /usr/sbin/nsd -d
      └─1035 /usr/sbin/nsd -d
Oct 02 09:19:41 box.fullmoonmanor.net systemd[1]: Started Name Server Daemon.

tdahbura commented 2 years ago

Ran a sudo mailinabox and the problem is still present.

tdahbura commented 2 years ago

@JoshData found some dnssec issue with the host mailinabox.email. His instructions to run the command nsd-control reload fixed the problem.

Looks like it was not MIAB software related.

tdahbura commented 2 years ago

@JoshData found the following (message is in slack #general):

DNSSEC DNS records (the ones published on the box, not the DS records published by the domain registrar) have a one-month expiration, and although they were correctly refreshed in my DNS zone files on disk by Mail-in-a-Box, the DNS server nsd didn't notice the change and didn't start serving them. So when they expired yesterday, they became invalid, and any DNS server that enforces DNSSEC (which is not many) stopped being able to resolve any of the domains that my Mail-in-a-Box does DNS for.

Suggestion to update the status_checks.py code: would it be good to add some better error handling in the status_checks.py to say something when this condition occurs versus saying that the local MIAB server is thinking it is mailinabox.email? Perhaps try/except block around the code that did the lookup in the status_checks.py itself and respond with a dnssec issue detected on mailinabox.email?
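
An added example (not part of the thread and not Mail-in-a-Box code): a check for the condition @JoshData describes, comparing the RRSIG expirations in the signed zone on disk with the ones the name server is actually answering with (for instance, from `dig +dnssec` output). It assumes one record per line in presentation format; the function names, the `example.com` records and the key tag are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

def parse_rrsigs(text):
    """Map (owner, covered type, key tag) -> signature expiration (UTC)."""
    sigs = {}
    for line in text.splitlines():
        f = line.split()
        if "RRSIG" not in f:
            continue
        i = f.index("RRSIG")
        if len(f) < i + 8:
            continue  # truncated record
        # RFC 4034 3.2 order after RRSIG: covered, algorithm, labels,
        # original TTL, expiration, inception, key tag, signer, signature.
        # Assumes the YYYYMMDDHHMMSS time form that dig and signers print.
        exp = datetime.strptime(f[i + 5], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        sigs[(f[0].lower(), f[i + 1], int(f[i + 7]))] = exp
    return sigs

def check_served_signatures(on_disk, served, now, warn_within=timedelta(days=3)):
    """Return (state, record) findings for what the server is answering with."""
    disk = parse_rrsigs(on_disk)
    findings = []
    for key, served_exp in sorted(parse_rrsigs(served).items()):
        record = "%s %s keyid=%d" % key
        disk_exp = disk.get(key)
        if disk_exp is not None and disk_exp > served_exp:
            # Zone was re-signed on disk but the server never loaded it.
            findings.append(("stale", record))
        if served_exp <= now:
            findings.append(("expired", record))
        elif served_exp - now <= warn_within:
            findings.append(("expiring", record))
    return findings

# Constructed sample data: the DNSKEY signature was refreshed on disk,
# while the server still answers with the previous, now expired, one.
ON_DISK = """\
example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20221101000000 20221001000000 12345 example.com. c2lnMQ==
example.com. 3600 IN RRSIG A 8 2 3600 20221004000000 20220904000000 12345 example.com. c2lnMg==
"""
SERVED = """\
example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20221001000000 20220901000000 12345 example.com. c2lnMA==
example.com. 3600 IN RRSIG A 8 2 3600 20221004000000 20220904000000 12345 example.com. c2lnMg==
"""
NOW = datetime(2022, 10, 2, 18, 54, tzinfo=timezone.utc)

if __name__ == "__main__":
    for state, record in check_served_signatures(ON_DISK, SERVED, NOW):
        print(state, record)
```

A "stale" finding is the signal that the server needs to pick up the re-signed zone, which is what the `nsd-control reload` mentioned above did on this box.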