    Posts

    • RE: Nginx Active-Passive HA

      @dafyre said in Nginx Active-Passive HA:

          location /.well-known/acme-challenge {
              root /var/www/letsencrypt;
          }
      

      So I understand it well, these lines are ONLY to tell Let's Encrypt which folders to look to for the challenge/response and have nothing to do with any actual site webroot folders. Am I correct? This is just used so Nginx can act as the web server for those challenges/responses.

      posted in IT Discussion
      NashBrydges
    • RE: Nginx Active-Passive HA

      My initial cert request process looks like this:

      certbot certonly -d mydomain.com --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx" --preferred-challenges http

      When prompted, I select 1 to spin up a temporary web server for the issuance and challenge. This, as I understand it, allows me to not have to name webroot folders anywhere. I've already defined the path of the certs because this is easy to figure out based on the command line that will save the certs in the location for the first named domain, so when Nginx restarts, certs and domain are all good to go. I have a separate Nginx server that handles nothing but proxy and SSL services. All sites are hosted on their own Fedora, CentOS or Ubuntu servers. I don't use webroot authentication.

      If I set up the .well-known path, can this be set up globally for all cert issuances and renewals? I guess I would set this up in my config file for each domain.

      posted in IT Discussion
      NashBrydges
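
      Added example, not part of the original posts: one way the `.well-known` location from this thread can be shared by every domain on a proxy-only Nginx server, so that certbot can validate over webroot and reload Nginx instead of stopping it. The snippet file name, `example.com` and the backend address are assumptions; `/var/www/letsencrypt` is the path quoted in the thread.

```nginx
# /etc/nginx/snippets/acme-challenge.conf  (assumed file name)
# Serves only ACME HTTP-01 challenge files; unrelated to any site's webroot.
location ^~ /.well-known/acme-challenge/ {
    root /var/www/letsencrypt;   # path quoted in the thread
    default_type "text/plain";
    try_files $uri =404;         # never fall through to a proxied backend
}

# Per-domain config on the proxy (example.com is a placeholder)
server {
    listen 80;
    server_name example.com;

    # Same include line in every domain's port-80 block
    include snippets/acme-challenge.conf;

    # Everything except the challenge path is redirected to HTTPS
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name example.com;

    # Default certbot output paths for the first named domain
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    location / {
        proxy_pass http://10.0.0.10;   # assumed backend address
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# Issuance and renewal then run against the shared directory with Nginx still up:
#   certbot certonly --webroot -w /var/www/letsencrypt -d example.com
#   certbot renew --deploy-hook "systemctl reload nginx"
```

      The challenge directory lives on the proxy itself, so the backend web servers need no changes, and the deploy hook only fires when a certificate was actually renewed.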
    • RE: Nginx Active-Passive HA

      @black3dynamite said in Nginx Active-Passive HA:

      @scottalanmiller said in Nginx Active-Passive HA:

      @jaredbusch said in Nginx Active-Passive HA:

      It would still need to restart for the cert to be applied of course.

      Just a reload, no downtime.

      Is this what you mean?

      certbot certonly --webroot -w /path/to/your/webroot -d example.com --post-hook="service nginx reload"
      

      This will work if you define the webroot path which I don't. Separate Nginx server from web servers.

      posted in IT Discussion
      NashBrydges
    • RE: Nginx Active-Passive HA

      @jaredbusch said in Nginx Active-Passive HA:

      @scottalanmiller said in Nginx Active-Passive HA:

      My Nginx doesn't go offline during a cert renewal, do them all of the time.

      Mine does because I have not set up the .well-known path as I do everything certonly when adding a cert. This means the certbot renew needs to shut down nginx and run its own webserver temporarily. It is all scripted with a pre-hook and post-hook to stop and start nginx though, so it is still fully automated.

      I need to revisit this as certbot is smarter now than it used to be.

      Yeah, this is the method I use as well.

      posted in IT Discussion
      NashBrydges
    • RE: Nginx Active-Passive HA

      Maybe I'm doing renewals wrong or I'm misunderstanding the process but the renew script has the certbot renew --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx" line. Wouldn't that take Nginx offline, then renew certs, then restart Nginx? Maybe there's a better renewal method I'm not aware of.

      Tbh, I've only assumed Nginx was going offline because of this line but only renewing a dozen or so certs only takes seconds so it isn't something I've actually had a chance to test.

      posted in IT Discussion
      NashBrydges
    • RE: Nginx Active-Passive HA

      I'm guessing someone might suggest some automation method like SaltStack for this (not even sure if that's doable) but if you are going to suggest this, please provide a link to documentation where I can read up on it.

      posted in IT Discussion
      NashBrydges
    • Nginx Active-Passive HA

      I have a client who is about to migrate to using Let's Encrypt for SSL instead of their standard SSL issuer and fully manual process they had before. They host many hundreds of sites and manually updating certs was just ridiculously time consuming for them.

      I'm looking to set up Nginx in Active-Passive HA mode so that when the cert update job takes Nginx offline for up to 15-20mins, the sites aren't taken offline.

      I've found a couple tutorials that explain the setup process and will be testing this setup to death before it goes online (virtual IP, defining the master/passive node...etc) but I'm wondering if there is a best-practice for the SSL certs location. Should each Nginx instance host its own set of certs for the same domains? In this case, running the renew script on one would renew certs on only that instance (since Nginx has to reload to use the new certs) and then renew on the other node? I can't imagine I should save the certs on some network location because the remaining Nginx node would not be able to use the new certs until reload so in effect negating the HA setup. Should I simply have a script to copy the new certs to the other node after the master comes back online and then reload the other node's Nginx service?

      The majority of these sites are low traffic (fewer than 100 visits a day) so offline sites for a few minutes a day or once a week during early morning hours isn't going to kill anyone but it's still a good plan to set up the HA proxies should one go down and a bonus if we can keep sites online while certs are getting renewed.

      Thoughts? Recommendations? Gotchas?

      posted in IT Discussion nginx ha high availability
      NashBrydges
    • RE: Install a Basic WordPress Site with WP-CLI

      @tim_g said in Install a Basic WordPress Site with WP-CLI:

      @nashbrydges said in Install a Basic WordPress Site with WP-CLI:

      It allows me access when I set it up without https in the url. But once in settings, and I change the blog address from http://domain.com/blog to https://domain.com/blog I get the same too many redirects error. Cleared history and cache 3 times and still same issue.

      I'm going to blow this install away and recover from backup and will have to install manually.

      Still can't figure out why this issue. The root domain works perfectly with Let's Encrypt but as soon as I get to the blog folder it just shits all over itself.

      How did you set up the whole thing? Did you use my guide? It includes the SSL set up.

      I used your guide up to the SSL setup. I'm running a website in the root directory and Nginx as a proxy.

      posted in IT Discussion
      NashBrydges
    • RE: Install a Basic WordPress Site with WP-CLI

      It's loading but had to allow unsafe script for the blog to load. Gotta go digging around for that now.

      posted in IT Discussion
      NashBrydges
    • RE: Install a Basic WordPress Site with WP-CLI

      It allows me access when I set it up without https in the url. But once in settings, and I change the blog address from http://domain.com/blog to https://domain.com/blog I get the same too many redirects error. Cleared history and cache 3 times and still same issue.

      I'm going to blow this install away and recover from backup and will have to install manually.

      Still can't figure out why this issue. The root domain works perfectly with Let's Encrypt but as soon as I get to the blog folder it just shits all over itself.

      posted in IT Discussion
      NashBrydges
    • RE: Install a Basic WordPress Site with WP-CLI

      Now getting a too many redirects error. I entered https://domain.com/blog as a URL.

      posted in IT Discussion
      NashBrydges
    • RE: Install a Basic WordPress Site with WP-CLI

      I know that manually installing it I can tell it if I want it to run as a subdomain or a subfolder (blog.domain.com or domain.com/blog). If I want to use the subfolder method, is it as simple as changing this section?

      wp core install --url=mysite.com/blog

      posted in IT Discussion
      NashBrydges
    • RE: Fedora Update Breaks httpd

      @jaredbusch said in Fedora Update Breaks httpd:

      So, if you followed the original instructions, you can use this to fix it.

      sed -i "s/access\.log/httpd\/access_log/" /etc/httpd/conf.d/bookstack.conf
      

      Then start apache.

      systemctl start httpd
      

      As always, thanks @JaredBusch that fixed it for me as well.

      posted in IT Discussion
      NashBrydges
    • Fedora Update Breaks httpd

      Anyone else run into this issue? I just completed a simple update and now service fails to start.

      dnf -y update
      
      [root@bookstack-fedora ~]# systemctl status httpd
      ● httpd.service - The Apache HTTP Server
         Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
        Drop-In: /usr/lib/systemd/system/httpd.service.d
                 └─php-fpm.conf
         Active: failed (Result: exit-code) since Mon 2018-03-05 12:51:18 EST; 1min 31s ago
           Docs: man:httpd.service(8)
        Process: 651 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
       Main PID: 651 (code=exited, status=1/FAILURE)
         Status: "Reading configuration..."
      
      Mar 05 12:51:18 bookstack-fedora systemd[1]: Starting The Apache HTTP Server...
      Mar 05 12:51:18 bookstack-fedora httpd[651]: AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using ::1. Set
      Mar 05 12:51:18 bookstack-fedora systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
      Mar 05 12:51:18 bookstack-fedora systemd[1]: Failed to start The Apache HTTP Server.
      Mar 05 12:51:18 bookstack-fedora systemd[1]: httpd.service: Unit entered failed state.
      Mar 05 12:51:18 bookstack-fedora systemd[1]: httpd.service: Failed with result 'exit-code'.
      

      Nothing else has changed. Even after reboot still get this error.

      Error log shows this:

      [Mon Mar 05 12:39:04.290603 2018] [core:notice] [pid 656:tid 140047618265088] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
      [Mon Mar 05 12:39:04.294838 2018] [suexec:notice] [pid 656:tid 140047618265088] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
      AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using ::1. Set the 'ServerName' directive globally to suppress this message
      [Mon Mar 05 12:39:04.438012 2018] [lbmethod_heartbeat:notice] [pid 656:tid 140047618265088] AH02282: No slotmem from mod_heartmonitor
      [Mon Mar 05 12:39:04.443196 2018] [http2:warn] [pid 656:tid 140047618265088] AH02951: mod_ssl does not seem to be enabled
      [Mon Mar 05 12:39:04.489771 2018] [mpm_event:notice] [pid 656:tid 140047618265088] AH00489: Apache/2.4.29 (Fedora) configured -- resuming normal operations
      [Mon Mar 05 12:39:04.489819 2018] [core:notice] [pid 656:tid 140047618265088] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
      [Mon Mar 05 12:49:37.356049 2018] [mpm_event:notice] [pid 656:tid 140047618265088] AH00492: caught SIGWINCH, shutting down gracefully
      AH00015: Unable to open logs
      

      ServerName is set in the config file. Always has been since I've had this setup.

      posted in IT Discussion fedora apache linux web server
      NashBrydges
    • RE: Anyone backing up a file server with 13 million plus files?

      Veeam Windows Agent does block level backup but if it is being linked to an existing Veeam B&R Repository, there might be search indexes that are built during backup. I remember reading some best-practice documentation about their catalog but only related to VM backups. Not sure if you're pointing Veeam Windows Agent to a B&R or just to storage.

      posted in IT Discussion
      NashBrydges
    • RE: Veeam Free Windows Server Backup Agent

      No size limitations but this explains it better.

      https://www.veeam.com/veeam_agent_windows_2_1_editions_comparison_ds.pdf

      posted in IT Discussion
      NashBrydges
    • RE: Anyone backing up a file server with 13 million plus files?

      Assuming the VM is getting backed-up and not files/folders or drives.

      posted in IT Discussion
      NashBrydges
    • RE: Anyone backing up a file server with 13 million plus files?

      Veeam doesn't care about files, it's block level backup isn't it?

      posted in IT Discussion
      NashBrydges
    • RE: SSDNodes - Anyone used these for hosting?

      @scottalanmiller said in SSDNodes - Anyone used these for hosting?:

      It's not the end of the world, but it definitely doesn't bode well for continuing support.

      True. But combined with their "month-to-month" pricing of $80 instead of only slightly higher than the annual amount, that tends to set my spidey senses tingling.

      posted in IT Discussion
      NashBrydges
    • RE: SSDNodes - Anyone used these for hosting?

      @scottalanmiller said in SSDNodes - Anyone used these for hosting?:

      @dafyre said in SSDNodes - Anyone used these for hosting?:

      @scottalanmiller said in SSDNodes - Anyone used these for hosting?:

      @dafyre said in SSDNodes - Anyone used these for hosting?:

      @black3dynamite said in SSDNodes - Anyone used these for hosting?:

      @nashbrydges said in SSDNodes - Anyone used these for hosting?:

      Some strange pricing options if you choose monthly lol

      LTS Operating Systems templates only?

      What's to stop you from doing an upgrade to the latest version if you're using Debian or Ubuntu?

      But it forces you to do that, it's a huge update process and limits you only to those options.

      True... but that raises the question: How often are you going to switch from Debian to CentOS ?

      It's that you can't do Fedora, that's the bigger issue.

      That's why I didn't go beyond signing up which was the only way I could see what they offered.

      posted in IT Discussion
      NashBrydges