Restoring from backup error messages v60

I plan to use the existing MIAB for v60 / Ubuntu 22.04.1 LTS, so I hope to have no IP or DNS issues. So the plan is to test the backup on a separate test server first. Once that is successful, I will reset / rebuild the main server to Ubuntu 22.04.1 LTS and re-install MIAB from scratch and backup. I am following the guides as recommended in the v60 announcement (maintenance / moving box). In a nutshell, the recommendation is to install MIAB first (curl -s https://mailinabox.email/setup.sh | sudo -E bash), then restore the backup and do sudo mailinabox to finalise the setup.

So, I am testing the backup on the test server (also Ubuntu 22.04.1 LTS). The last messages from the restore process are:

[...]
Copying duplicity-new-signatures.20221024T184505Z.to.20221025T184505Z.sigtar.gpg to local cache.
Copying duplicity-new-signatures.20221025T184505Z.to.20221026T184504Z.sigtar.gpg to local cache.
Last full backup date: Mon Sep 12 18:42:05 2022

Error '[Errno 17] File exists: b'/home/user-data/ssl/box.abc.com-20230117-af971f04.pem' -> b'/home/user-data/ssl/ssl_certificate.pem'' processing ssl/ssl_certificate.pem

Then, following the instructions in the guide, running sudo mailinabox I get:

[...]
token frequency: less than 8 occurrences: 13.74%
Installing Nginx (web server)...


FAILED: service nginx restart
-----------------------------------------
Job for nginx.service failed because the control process exited with error code.
See "systemctl status nginx.service" and "journalctl -xeu nginx.service" for details.
-----------------------------------------

systemctl status nginx.service

× nginx.service - A high performance web server and a reverse proxy server
     Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Fri 2022-10-28 00:28:54 UTC; 12min ago
       Docs: man:nginx(8)
    Process: 54637 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=1/FAILURE)
        CPU: 32ms

Oct 28 01:28:54 box.abc.com systemd[1]: Starting A high performance web server and a reverse proxy server...
Oct 28 01:28:54 box.abc.com nginx[54637]: nginx: [emerg] SSL_CTX_use_PrivateKey("/home/user-data/ssl/ssl_private_key.pem") f>
Oct 28 01:28:54 box.abc.com nginx[54637]: nginx: configuration file /etc/nginx/nginx.conf test failed
Oct 28 01:28:54 box.abc.com systemd[1]: nginx.service: Control process exited, code=exited, status=1/FAILURE
Oct 28 01:28:54 box.abc.com systemd[1]: nginx.service: Failed with result 'exit-code'.
Oct 28 01:28:54 box.abc.com systemd[1]: Failed to start A high performance web server and a reverse proxy server.
lines 1-13/13 (END)

journalctl -xeu nginx.service

░░ Subject: A start job for unit nginx.service has begun execution
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░ 
░░ A start job for unit nginx.service has begun execution.
░░ 
░░ The job identifier is 8001.
Oct 28 00:28:54 box.abc.com nginx[54637]: nginx: [emerg] SSL_CTX_use_PrivateKey("/home/user-data/ssl/ssl_private_key.pem") f>
Oct 28 00:28:54 box.abc.com nginx[54637]: nginx: configuration file /etc/nginx/nginx.conf test failed
Oct 28 00:28:54 box.abc.com systemd[1]: nginx.service: Control process exited, code=exited, status=1/FAILURE
░░ Subject: Unit process exited
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░ 
░░ An ExecStartPre= process belonging to unit nginx.service has exited.
░░ 
░░ The process' exit code is 'exited' and its exit status is 1.
Oct 28 01:28:54 box.abc.com systemd[1]: nginx.service: Failed with result 'exit-code'.
░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░ 
░░ The unit nginx.service has entered the 'failed' state with result 'exit-code'.
Oct 28 01:28:54 box.abc.com systemd[1]: Failed to start A high performance web server and a reverse proxy server.
░░ Subject: A start job for unit nginx.service has failed
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░ 
░░ A start job for unit nginx.service has finished with a failure.
░░ 
░░ The job identifier is 8001 and the job result is failed.

So it seems that the initial curl -s https://mailinabox.email/setup.sh | sudo -E bash installs that PEM file and the restoring process overwrites it, but since it is the old configuration the error appears. Is this correct? How to fix this issue?

Doing some more research, I think what happens is:

curl... installs a PEM certificate
Then the restore process overwrites it.
Since the key creation is different for the two PEM certificates, there is a mismatch and nginx fails to start.

So, should I make a copy of the PEM certificate, before I restore from backup? And once the backup is restored, overwrite the one from the backup?

I am just wary that I will introduce other errors by doing so.

So, I renamed the pem certificate and key files and then ran curl... again, which did create fresh files and this seemed to have worked. I hope I did not break anything :smiley:

The next issue was that the TLS cert remained self-signed and I could not get a new one.
From the certbot log in the MIAB admin page:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Missing command line flag or config entry for this setting:
Please choose an account
Choices: ['box.abc.com@2021-05-11T02:27:05Z (b7c2)', 'box.abc.com@2022-10-28T04:30:06Z (d92b)']
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

I now have two accounts in /home/user-data/ssl/lets_encrypt/accounts/acme-v02.api.letsencrypt.org/directory

I moved the newer folder out of that directory and was able to provision a certificate through the admin page.
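An added example, not part of the thread or of Mail-in-a-Box itself: a post-restore check for the two conditions described in the posts above, namely a certificate that does not belong to the restored private key and more than one ACME account directory. The function names are hypothetical; the file and directory names are the ones quoted in the thread, and `openssl` is assumed to be installed.

```shell
#!/bin/sh
# Added example: sanity checks to run after the duplicity restore and
# before "sudo mailinabox". Function names are illustrative only.

# Exit 0 if the certificate's public key equals the one derived from the
# private key, 1 on mismatch, 2 if either file cannot be parsed.
cert_matches_key() (
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || exit 2
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null </dev/null) || exit 2
    [ -n "$c" ] && [ "$c" = "$k" ]
)

# Print the number of account directories below a certbot accounts path.
acme_account_count() (
    n=0
    for d in "$1"/*/; do
        [ -d "$d" ] && n=$((n + 1))
    done
    echo "$n"
)

# Run both checks against an ssl directory laid out as in the thread.
post_restore_check() (
    ssl="$1"; rc=0; st=0
    cert_matches_key "$ssl/ssl_certificate.pem" "$ssl/ssl_private_key.pem" || st=$?
    case "$st" in
        0) echo "OK: certificate and private key match" ;;
        1) echo "FAIL: certificate does not match private key"; rc=1 ;;
        *) echo "FAIL: certificate or key missing/unreadable"; rc=1 ;;
    esac
    n=$(acme_account_count \
        "$ssl/lets_encrypt/accounts/acme-v02.api.letsencrypt.org/directory")
    if [ "$n" -gt 1 ]; then
        echo "FAIL: $n ACME accounts found; certbot will ask which to use"
        rc=1
    else
        echo "OK: $n ACME account(s)"
    fi
    exit "$rc"
)

# Usage: sh check.sh /home/user-data/ssl
if [ "$#" -gt 0 ]; then post_restore_check "$1"; fi
```

A non-zero exit from `post_restore_check` means nginx would fail its `nginx -t` pre-start test or certbot would stop at the account prompt, so it is worth running before `sudo mailinabox`.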

I think this would have saved you some trouble here…


Oh, yes for sure! I did read the announcement, but not the full thread. :slightly_frowning_face:

Yeah specifically this part

I also think it is critical to let folks know that they should run a sudo rm -rf /home/user-data/ssl/* command on the new host prior to trying to use the duplicity restore command as it made a mess with the existing SSL files from the initial install and not being able to replace them.


The last one, about TLS certificates, has been around for a while it seems.

How in the world is this not fixed yet?
