Differences

This shows you the differences between two versions of the page.

--- linux:debian:start [2011/11/04 02:53] – mod: adds PAGER stybla
+++ linux:debian:start [2022/01/27 01:52] (current) – add link to how to build Debian package stybla
@@ Line 1: / Line 1: @@
 ====== Debian ======
-Despite I don't favor Debian distribution too much for this and that, this page is not meant as rant.
+Despite I don't favour Debian distribution too much for this and that, this page is not meant as rant.
 It is actually quick reference for me. If you find it useful, good. If not, just move on.
 If you got offended by the content, I'm sorry.
+===== Other topics =====
+  * [[apt-mirror|local APT mirror]]
+  * [[automatic-installation|automatic installation of Debian]]
+  * [[build_package|Building Debian packages]]
 ===== Quick Tips and Tricks =====
+==== APT fingerprints ====
+Print out all and full APT key fingerprints, not just the short ones.
+<code>
+apt-key adv --list-public-keys --with-fingerprint --with-colons
+</code>
+==== cron.hourly/cron.daily/cron.weekly/cron.monthly jobs aren't being executed ====
+You want some job being executed on regular basis as a part of cron.hourly/cron.daily/cron.weekly/cron.monthly, but
+nothing happens. What the problem might be, you ask?
+  - make sure script has ''+x'' set
+  - make sure ''anacron'' isn't present
+  - make sure script name consists of allowed characters. And yes, '.' is not allowed character! :-)
+This did happen to me and I fould myself scratching on the head. Despite being close to solution(yeah, I was reading
+through ''man'' pages), I've overlooked the fact '.' isn't allowed character. I think I've got "saved" by some
+forum post in the end, resp. re-read man page again.
@@ Line 51: / Line 81: @@
 ==== Migrating ejabberd 2.0.x to 2.1.x ====
-**WARNING - still work in progress!!!**
+**WARNING - probably a bit incomplete, but who cares years later**
 Debian 6.0 Squeeze, however I think this doesn't depend on your GNU/Linux distribution.
@@ Line 118: / Line 148: @@
 </code>
   * hopefully enjoy!
+==== Migrating ejabberd from Jessie to Stretch ====
+Yet another round fun. My private Jabber has been off for a long time, because client decided server is no good anymore. This was due to vulnerabilities in SSL/TLS, resp. OpenSSL(?) and there seemed to be no fix for Jessie. I've ignored it, because I didn't have time and it's not that important to me anyway. Now, on the verge of migration to Stretch, I couldn't ignore it anymore. Of course I've hit couple snags on the way.
+First of all, I found out I can neither perform backup or dump of ejabberd at Jessie. Mad props to devs, because all I had to do was to move ''/var/lib/ejabberd'' to the new server.
+Second of all, there was the change of format of configuration file from whatever to YAML. In theory, you can convert old cfg to YAML via ''ejabberdctl convert_to_yaml src dst''. Theory being theory, it wasn't my case.
+<code>
+ejabberdctl convert_to_yaml /etc/ejabberd/ejabberd-old.cfg /etc/ejabberd/ejabberd.yaml
+Error: erofs
+</code>
+Not exactly nice, but worry not, because it's not that hard to adjust whatever needs to be adjusted, if your configuration is simple.
+Last, but not least, was the certificate. I guess that was the issue on Jessie as well, but then I didn't really spend any time on it. Anyway, once I got ejabberd up and running, I couldn't connect. "Host unknown" was the error and some others later on. The following should've been the big hint, unfortunately wasn't.
+<code>
+foo@bar:~/openssl$ s_client -connect XXX:5222
+CONNECTED(00000003)
+140252860966144:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:252:
+---
+no peer certificate available
+---
+No client certificate CA names sent
+---
+SSL handshake has read 5 bytes and written 176 bytes
+Verification: OK
+---
+New, (NONE), Cipher is (NONE)
+Secure Renegotiation IS NOT supported
+Compression: NONE
+Expansion: NONE
+No ALPN negotiated
+SSL-Session:
+    Protocol  : TLSv1.2
+    Cipher    : 0000
+    Session-ID:
+    Session-ID-ctx:
+    Master-Key:
+    PSK identity: None
+    PSK identity hint: None
+    SRP username: None
+    Start Time: 1512468671
+    Timeout   : 7200 (sec)
+    Verify return code: 0 (ok)
+    Extended master secret: no
+---
+foo@bar:~/$ openssl s_client -connect XXX:5222 -starttls xmpp
+CONNECTED(00000003)
+---
+no peer certificate available
+---
+No client certificate CA names sent
+---
+SSL handshake has read 295 bytes and written 126 bytes
+Verification: OK
+---
+New, (NONE), Cipher is (NONE)
+Secure Renegotiation IS NOT supported
+Compression: NONE
+Expansion: NONE
+No ALPN negotiated
+---
+</code>
+Well, at least I've found out you must(?) disable SSLv2 in the config as well. Also, that there is ''starttls_required: true''. Anyway, this didn't help either and I didn't find error messages really helpful(I guess I should've, shouldn't I?).
+<code>
+-12-05 11:13:30.742 [error] <0.376.0> Supervisor ejabberd_s2s_in_sup had child undefined started with {ejabberd_s2s_in,start_link,undefined} at <0.528.0> exit with reason no match of right hand value {error,<<"SSL_CTX_use_certificate_file failed: error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak">>} in ejabberd_socket:starttls/3 line 153 in context child_terminated
+-12-05 11:13:49.406 [error] <0.530.0> gen_fsm <0.530.0> in state wait_for_feature_request terminated with reason: no match of right hand value {error,<<"SSL_CTX_use_certificate_file failed: error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak">>} in ejabberd_socket:starttls/3 line 153
+</code>
+So, as the last ditch effort, I've generated new SSL certificate. Lo behold, the miracle! Everything works now. I wonder what the problem was. May be SSL cert generated in ~ 2013 wasn't strong enough and that's what the issue was about from the get go. Comparison of old and new one:
+<code>
+Signature Algorithm: md5WithRSAEncryption
+Signature Algorithm: sha256WithRSAEncryption
+</code>
@@ Line 135: / Line 245: @@
 root@foo:~# netstat -nlp | less
 </code>
+==== Postfix ====
+=== Configuration files from different Postfix/distro ===
+Simply - don't. If you do, make sure you modify your "old"
+configs to reflect paths in Debian, or else ... problems. :-)
+=== Trailing hash '#' aka "what the problem is?" ===
+Postfix version:
+<code>
+root@foo:~# apt-cache show postfix
+Package: postfix
+Priority: extra
+Section: mail
+Installed-Size: 3340
+Maintainer: LaMont Jones <lamont@debian.org>
+Architecture: amd64
+Version: 2.7.1-1+squeeze1
+</code>
+Error in log:
+<code>
+Nov  5 10:43:29 foo postfix/local[8229]: fatal: open dictionary: expecting "type:name" form instead of "#"
+Nov  5 10:43:30 foo postfix/master[29102]: warning: process /usr/lib/postfix/local pid 8229 exit status 1
+Nov  5 10:43:30 foo postfix/master[29102]: warning: /usr/lib/postfix/local: bad command startup -- throttling
+</code>
+If you look at [[http://postfix.eu.org/big-picture.html|postfix in big-picture]] it
+tells you where the problem is. However, it is one of less descriptive cases of
+error.
+{{:linux:debian:postfix-big-picture.gif?700|}}
+Config lines to blame:
+<code>
+alias_maps = hash:/etc/postfix/aliases #, hash:/var/lib/mailman/data/aliases
+[...]
+alias_database = hash:/etc/postfix/aliases #, hash:/var/lib/mailman/data/aliases
+</code>
+Strange enough this works perfectly at different host ... and with different version of Postfix. Well ... shrug :-)
 ==== SysV init scripts are complicated ====