Imagine my surprise this morning to find all my websites down. A quick look and last night at 2am:
##### News announcements #####
The automatic migration to the latest Turris OS version was enabled for your router. The next update is going to install package 'tos3to4' and initiate the migration.
More info is available in the official documentation https://docs.turris.cz/geek/tos3-migration/.
##### Update notifications #####
• Installed version 1.5 of package tos3to4-notify
So panic stations this morning to find out what was wrong.
Problem 1: kresd name resolution failed
Lord knows why. It came good all by itself without a reboot before I could even find out why. All I did was try to ssh to my router by its domain name and it failed to resolve, so I ssh to it using its IP address and then poke around a few logs and check port listeners (netstat -tulpen being my goto) and I see kresd is there listening so I try again and names now resolve. We’ll write that one off as a transient hiccup.
Problem 2: Foris and Luci down
Turns out lighttpd is not up. Grrr. Nothing in logs, so I run it manually:
lighttpd -f /etc/lighttpd/lighttpd.conf
and I get ssl errors. Lots of on-line searching (not much help) and poking around locally and head scratching and it happens that lighttpd’s default config is broken. In /etc/lighttpd/conf.d/ssl-enable.conf (which is part of the lighttpd-https-cert package) the config:
ssl.openssl.ssl-conf-cmd = (
"MinProtocol" => "TLSv1.2",
"Options" => "-ServerPreference",
"CipherString" => "ECDHE+AESGCM:ECDHE+AES256:CHACHA20:!SHA1:!SHA256:!SHA384"
)
must now be global or wrapped in $SERVER["socket"]. Efforts to make it global by wrapping it in global { ... } did not help, so I moved it into the $SERVER["socket"] sections and then (after one other small tweak on account of a missing Foris conf) lighttpd started and Luci and Foris were up again.
Conclusion: the lighttpd ssl module got an upgrade but the lighttpd-https-cert package did not.
Problem 3: DDNS updates failed
I rely on DDNS. And Luci wasn’t even showing me DDNS details any more. Aaarg. Checked packages and the ddns-scripts and luci-app-ddns packages were gone. Reinstalled them. Rebooted and all my DDNS updates went ahead and the Luci app was back.
Problem 4: reforis is broken
This is new. In fact I know that because I use the router as a reverse proxy and had issues years ago with Foris SSL so have this in my lighttpd.conf:
# Prohibit foris and luci from any WAN ip (server only to LAN ips)
$HTTP["remoteip"] == "192.168.0.0/16" {
    # SSL fix needed alas. Foris depends on a package that creates
    # /etc/lighttpd/conf.d/ssl-enable.conf
    # whenever an update is installed. This file delivers an SSL certificate that the FORIS
    # web interface currently depends on. Bothersome to say the least. So we have to not load
    # that file if we're delivering an SSL certificate for one of the sites we configured
    # in LAN-servers.conf that needs a certificate. Otherwise lighttpd delivers two
    # certificates.
    #
    # So we can't do the following:
    #
    #include "/etc/lighttpd/conf.d/*.conf"

    # Don't load the foris and luci configs if accessing a site that uses its own SSL
    # certificates, as we don't want to deliver two certificates.
    $HTTP["host"] !~ "(my WAN domains)" {
        include "/etc/lighttpd/conf.d/foris-config.conf"
        include "/etc/lighttpd/conf.d/foris-root.conf"
        include "/etc/lighttpd/conf.d/foris-ws.conf"
        include "/etc/lighttpd/conf.d/ssl-enable.conf"
        include "/etc/lighttpd/conf.d/luci.conf"
    }
}
But foris-root.conf disappeared and so I replaced it with reforis.conf to get lighttpd to start earlier. Still on Foris the reforis links like:
http://myrouterlan/reforis/openvpn/client-settings/
return a 404 and the requests leave a trace in the lighttpd access log but nothing in the error log.
I’d love some tips on getting reforis to work; I’ll have to park that as simply broken for now, as I’ve spent all morning getting this far and have an operational router again bar this issue, as far as I can tell.
The up side
Foris reports I’m on Turris OS 5.3.3.
Thanks for the update, it’s about time. A shame it cost me so much time and is still a little broken.
The down side
Majordomo is a loss. Why on earth was it not maintained? Pakon performs dreadfully by comparison (I do use it) and Luci stats is not a replacement.
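For anyone hitting Problem 2 above: here is an added example (not the author's config and not the file the lighttpd-https-cert package ships) of the shape the post ends up with, the TLS directives from ssl-enable.conf scoped inside a $SERVER["socket"] conditional for the HTTPS port rather than inside the $HTTP["remoteip"] / $HTTP["host"] conditionals where the include originally landed. The port, the pemfile path and the server.modules line are assumptions for illustration.

```conf
# Added example, not the router's packaged ssl-enable.conf.
# Assumed: mod_openssl is the TLS module in use; the pemfile path is a placeholder.
server.modules += ( "mod_openssl" )

$SERVER["socket"] == ":443" {
    ssl.engine  = "enable"
    ssl.pemfile = "/etc/lighttpd/PLACEHOLDER-cert-and-key.pem"   # placeholder path

    # TLS policy is only accepted at global scope or inside $SERVER["socket"];
    # the same block inside an $HTTP["remoteip"] or $HTTP["host"] conditional
    # is what made lighttpd refuse to start in the post above.
    ssl.openssl.ssl-conf-cmd = (
        "MinProtocol"  => "TLSv1.2",
        "Options"      => "-ServerPreference",
        "CipherString" => "ECDHE+AESGCM:ECDHE+AES256:CHACHA20:!SHA1:!SHA256:!SHA384"
    )
}
```

Keeping MinProtocol at TLSv1.2 and the ECDHE/AEAD-only CipherString from the original file preserves the hardened defaults while moving only their placement. Before restarting the service, running lighttpd with the -tt option against the config file (which loads the modules and validates the configuration without serving) shows whether the directives are still being rejected, so the error surfaces in the terminal rather than as silently down web interfaces.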