Daniel Quinn's questions

I've got a small k3s cluster in my home hosting a few websites and local applications. For the most part, I've been able to wrangle it to host a variety of services, but the LetsEncrypt functionality has never worked very well for me. When it has worked, I've been unsure as to why, and afraid to tinker with it lest it break again.

At the moment, there are two sites on the cluster with TLS support working fine... for years even, but now that I'm adding a third site, I'm running into the same errors I was getting in the past and I have no idea why. I'm hoping someone here can explain what I've missed.

The error appears to be a complaint that when the magic URL is requested (how do I determine the URL being attempted?), they get HTML rather than the expected response, though it's not clear why it's doing that, or even what service is constructing the response.

I0820 17:28:23.398812       1 service.go:43] cert-manager/challenges/http01/selfCheck/http01/ensureService "msg"="found one existing HTTP01 solver Service for challenge resource" "dnsName"="REDACTED.tld" "related_resource_kind"="Service" "related_resource_name"="cm-acme-http-solver-9qp5z" "related_resource_namespace"="my-namespace" "related_resource_version"="v1" "resource_kind"="Challenge" "resource_name"="tls-REDACTED" "resource_namespace"="my-namespace" "resource_version"="v1" "type"="HTTP-01"
E0820 17:28:23.585197       1 sync.go:190] cert-manager/challenges "msg"="propagation check failed" "error"="did not get expected response when querying endpoint, expected \"REDACTED.REDACTED\" but got: <!DOCTYPE html PUBLIC \"-... (truncated)" "dnsName"="REDACTED.tld" "resource_kind"="Challenge" "resource_name"="tls-REDACTED" "resource_namespace"="my-namespace" "resource_version"="v1" "type"="HTTP-01"
I0820 17:28:33.585741       1 pod.go:59] cert-manager/challenges/http01/selfCheck/http01/ensurePod "msg"="found one existing HTTP01 solver pod" "dnsName"="REDACTED.tld" "related_resource_kind"="Pod" "related_resource_name"="cm-acme-http-solver-5gnhm" "related_resource_namespace"="my-namespace" "related_resource_version"="v1" "resource_kind"="Challenge" "resource_name"="tls-REDACTED" "resource_namespace"="my-namespace" "resource_version"="v1" "type"="HTTP-01"
I0820 17:28:33.585898       1 service.go:43] cert-manager/challenges/http01/selfCheck/http01/ensureService "msg"="found one existing HTTP01 solver Service for challenge resource" "dnsName"="REDACTED.tld" "related_resource_kind"="Service" "related_resource_name"="cm-acme-http-solver-9qp5z" "related_resource_namespace"="my-namespace" "related_resource_version"="v1" "resource_kind"="Challenge" "resource_name"="tls-REDACTED" "resource_namespace"="my-namespace" "resource_version"="v1" "type"="HTTP-01"
E0820 17:28:33.600402       1 sync.go:190] cert-manager/challenges "msg"="propagation check failed" "error"="did not get expected response when querying endpoint, expected \"REDACTED.REDACTED\" but got: <!DOCTYPE html PUBLIC \"-... (truncated)" "dnsName"="REDACTED.tld" "resource_kind"="Challenge" "resource_name"="tls-REDACTED" "resource_namespace"="my-namespace" "resource_version"="v1" "type"="HTTP-01"

The entire application consists of a Python web app, a Python worker, Redis, and Nginx, which adds up to a lot of YAML. I'm including the markup I assume is relevant for this case:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
  namespace: my-namespace
spec:
  replicas: 1
  revisionHistoryLimit: 0
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          image: nginx:alpine
          imagePullPolicy: IfNotPresent
          resources:
            requests:
              memory: 32Mi
              cpu: 125m
            limits:
              memory: 32Mi
              cpu: 125m
          ports:
            - containerPort: 80
          volumeMounts:
            - name: public
              mountPath: "/usr/share/nginx/html"
      volumes:
        - name: public
          persistentVolumeClaim:
            claimName: public

---

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web
  namespace: my-namespace
  annotations:
    kubernetes.io/ingress.class: traefik
    cert-manager.io/cluster-issuer: letsencrypt
    acme.cert-manager.io/http01-edit-in-place: 'true'
spec:
  rules:
    - host: REDACTED.tld
      http:
        paths:
          - path: /static
            pathType: Prefix
            backend:
              service:
                name:  nginx
                port:
                  number: 8000
          - path: /media
            pathType: Prefix
            backend:
              service:
                name:  nginx
                port:
                  number: 8000
          - path: /
            pathType: Prefix
            backend:
              service:
                name:  web
                port:
                  number: 8000
  tls:
    - secretName: tls
      hosts:
        - REDACTED.tld

---

apiVersion: v1
kind: Service
metadata:
  name: nginx
  namespace: my-namespace
spec:
  selector:
    app: nginx
  ports:
    - port: 8000
      targetPort: 80
      name: tcp

---

apiVersion: v1
kind: Service
metadata:
  name: web
  namespace: my-namespace
spec:
  selector:
    app: web
  ports:
    - port: 8000
      targetPort: 8000
      name: gunicorn

I'm quite comfortable working with "bare metal" Linux administration, but Kubernetes still feels like too much "magic" to me. The above was built through following the K3s Rocks tutorials and as mentioned above, somehow works for two other domains — though they didn't at first and then somehow started working.

I'd appreciate any suggestions for this problem, as well as any recommendations for how I could/should do the above better.

There's lots of howtos out there for this, and I've even (successfully!) followed them in the past to get my VPN setup on my Synology but for some reason, since I reset the box and wiped everything (currently running DSM 6.2.4-25556 Update 2) VPN setup just does not work.

What I do

1. Via the web UI, on a freshly installed Synology, go to Control Panel → Network → Network Interface → Create → Create VPN Profile.
2. Select OpenVPN (via importing a .ovpn file)
3. Enter my account number in Username, and m in the Password field.
4. Upload the following file for the Import .ovpn file field which I downloaded from their site:

client
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
remote-cert-tls server
ping 10
ping-restart 60
sndbuf 524288
rcvbuf 524288
cipher AES-256-CBC
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA
proto udp
auth-user-pass
reneg-sec 0
tun-ipv6
fast-io
remote-random
remote us-sea-101.mullvad.net 1300
remote us-sea-103.mullvad.net 1300
remote us-sea-102.mullvad.net 1300
<ca>
-----BEGIN CERTIFICATE-----
[redacted]
-----END CERTIFICATE-----
</ca>

5. Click Next
6. Check the box next to "Use default gateway on remote network"
7. Check the box next to "Reconnect when the VPN connection is lost"
8. Click Apply
9. Select my newly-created VPN connection and click the Connect button.

What happens

After a few seconds, outgoing internet connectivity on the machine is effectively dead. DNS lookups don't work, and I can't even ping 1.1.1.1. The output of route -n is not what I would have expected. Here's what it was before clicking Connect:

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0

...and here's what it's like after:

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.14.0.1       128.0.0.0       UG    0      0        0 tun0
0.0.0.0         10.14.0.1       0.0.0.0         UG    0      0        0 tun0
10.14.0.0       0.0.0.0         255.255.0.0     U     0      0        0 tun0
128.0.0.0       10.14.0.1       128.0.0.0       UG    0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
198.54.131.34   192.168.1.1     255.255.255.255 UGH   0      0        0 eth0
198.54.131.34   192.168.1.1     255.255.255.255 UGH   0      0        0 eth0

This doesn't look right to me, and it's quite different from my desktop machine when connected to the same Mullvad service:

$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    100    0        0 eno1
10.8.0.0        0.0.0.0         255.255.0.0     U     0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     100    0        0 eno1

Stuff I've checked

• My Mullvad account is paid up through next year
• There's only a 4 devices connecting to said account, including this Synology.
• The Synology is the only one failing to connect properly.
• I can ping 1.1.1.1 and do all normal internet things before initiating the VPN connection.
• A look at /var/log/messages and /var/log/synoservice.log don't show anything particularly alarming other than the following in messages:

2021-10-27T23:23:42+01:00 synology openvpn[13618]: WARNING: file '/tmp/ovpn_client_up' is group or others accessible
2021-10-27T23:23:42+01:00 synology openvpn[13619]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2021-10-27T23:23:42+01:00 synology openvpn[13619]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2021-10-27T23:23:43+01:00 synology openvpn[13735]: WARNING: file '/tmp/ovpn_client_up' is group or others accessible
2021-10-27T23:23:43+01:00 synology openvpn[13736]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2021-10-27T23:23:43+01:00 synology openvpn[13736]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2021-10-27T23:23:44+01:00 synology openvpn[13736]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1557', remote='link-mtu 1558'
2021-10-27T23:23:44+01:00 synology openvpn[13736]: WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
2021-10-27T23:23:47+01:00 synology openvpn[13736]: NOTE: setsockopt TCP_NODELAY=1 failed

Any insight someone could offer here would be greatly appreciated. I'm a programmer, not a network engineer, so I'm afraid I lack the skills to properly debug this.

My company is using a pfsense router to manage a simple VPN for the office. The idea is that I should be able to connect to the VPN from home and use it to (a) access servers on the office LAN and (b) visit our AWS-based webservers over ports 22 and 80 via the VPN.

Unfortunately, it's currently setup as an all-or-nothing deal: if I connect to the office VPN, all of my web traffic goes through there, and I'd rather not do that.

I'm running GNOME 3.22.2 with NetworkManager and the OpenVPN plugin on Gentoo Linux, so help with these tools in mind would be appreciated.

I'm running a Gentoo Linux system under which I've never had problems installing anything into my virtualenv using pip. I've managed installing PIL and django, but for some reason, pycurl (a dependency of cloudkey) is flipping out, claiming that I don't have libcurl.a (note that it's not .la) on my system.

curl is installed. In fact, pycurl is installed on the host system just fine, but it just won't install into my virtualenv. Here's the output:

$ pip install cloudkey
Requirement already satisfied (use --upgrade to upgrade): cloudkey in /path/to/virtualenv/lib/python2.6/site-packages
Requirement already satisfied (use --upgrade to upgrade): distribute in /path/to/virtualenv/lib/python2.6/site-packages (from cloudkey)
Requirement already satisfied (use --upgrade to upgrade): simplejson>=2.0.9 in /path/to/virtualenv/lib/python2.6/site-packages (from cloudkey)
Downloading/unpacking pycurl>=7.19.0 (from cloudkey)
  Downloading pycurl-7.19.0.tar.gz (71Kb): 71Kb downloaded
  Running setup.py egg_info for package pycurl
Using curl-config (libcurl 7.23.1)
Installing collected packages: pycurl
  Running setup.py install for pycurl
Using curl-config (libcurl 7.23.1)
building 'pycurl' extension
x86_64-pc-linux-gnu-gcc -pthread -fPIC -DHAVE_CURL_OPENSSL=1 -DHAVE_CURL_OPENSSL=1 -DHAVE_CURL_OPENSSL=1 -DHAVE_CURL_OPENSSL=1 -DHAVE_CURL_SSL=1 -I/usr/include/python2.6 -c src/pycurl.c -o build/temp.linux-x86_64-2.6/src/pycurl.o
x86_64-pc-linux-gnu-gcc -pthread -shared build/temp.linux-x86_64-2.6/src/pycurl.o -L/usr/lib64 -lcurl -lssl -lcrypto -lldap -lrt -lssl -lcrypto -lz -lssl -lcrypto -lldap -lrt -lssl -lcrypto -lz -lpython2.6 -o build/lib.linux-x86_64-2.6/pycurl.so /usr/lib64/libcurl.a -Wl,-O1 -Wl,--as-needed
x86_64-pc-linux-gnu-gcc: /usr/lib64/libcurl.a: No such file or directory
error: command 'x86_64-pc-linux-gnu-gcc' failed with exit status 1
Complete output from command /path/to/virtualenv/bin/python2.6 -c "import setuptools;__file__='/path/to/virtualenv/build/pycurl/setup.py';exec(compile(open(__file__).read().replace('\r\n', '\n'), __file__, 'exec'))" install --single-version-externally-managed --record /tmp/pip-kkwDnf-record/install-record.txt --install-headers /path/to/virtualenv/include/site/python2.6:
Using curl-config (libcurl 7.23.1)

running install

running build

running build_py

creating build

creating build/lib.linux-x86_64-2.6

creating build/lib.linux-x86_64-2.6/curl

copying python/curl/__init__.py -> build/lib.linux-x86_64-2.6/curl

running build_ext

building 'pycurl' extension

creating build/temp.linux-x86_64-2.6

creating build/temp.linux-x86_64-2.6/src

x86_64-pc-linux-gnu-gcc -pthread -fPIC -DHAVE_CURL_OPENSSL=1 -DHAVE_CURL_OPENSSL=1 -DHAVE_CURL_OPENSSL=1 -DHAVE_CURL_OPENSSL=1 -DHAVE_CURL_SSL=1 -I/usr/include/python2.6 -c src/pycurl.c -o build/temp.linux-x86_64-2.6/src/pycurl.o

x86_64-pc-linux-gnu-gcc -pthread -shared build/temp.linux-x86_64-2.6/src/pycurl.o -L/usr/lib64 -lcurl -lssl -lcrypto -lldap -lrt -lssl -lcrypto -lz -lssl -lcrypto -lldap -lrt -lssl -lcrypto -lz -lpython2.6 -o build/lib.linux-x86_64-2.6/pycurl.so /usr/lib64/libcurl.a -Wl,-O1 -Wl,--as-needed

x86_64-pc-linux-gnu-gcc: /usr/lib64/libcurl.a: No such file or directory

error: command 'x86_64-pc-linux-gnu-gcc' failed with exit status 1

----------------------------------------
Command /path/to/virtualenv/bin/python2.6 -c "import setuptools;__file__='/path/to/virtualenv/build/pycurl/setup.py';exec(compile(open(__file__).read().replace('\r\n', '\n'), __file__, 'exec'))" install --single-version-externally-managed --record /tmp/pip-kkwDnf-record/install-record.txt --install-headers /path/to/virtualenv/include/site/python2.6 failed with error code 1
Storing complete log in /home/daniel/.pip/pip.log

Any ideas/suggestions?

Has anyone ever seen this before? Note that this happens not only with google.com, but with every domain I try. It's a wireless connection (WEP), but I'm not sure how that would be relevant:

$ curl -v google.com
# This takes about 60s to return
* getaddrinfo(3) failed for google.com:80
* Couldn't resolve host 'google.com'
* Closing connection #0
curl: (6) Couldn't resolve host 'google.com'

$ wget google.com
--2011-11-28 14:44:08--  http://google.com/
Resolving google.com... failed: Name or service not known.
wget: unable to resolve host address `google.com'

$ ping google.com
PING google.com (209.85.148.147) 56(84) bytes of data.
64 bytes from fra07s07-in-f147.1e100.net (209.85.148.147): icmp_req=2 ttl=54 time=136 ms
64 bytes from fra07s07-in-f147.1e100.net (209.85.148.147): icmp_req=3 ttl=54 time=34.0 ms
64 bytes from fra07s07-in-f147.1e100.net (209.85.148.147): icmp_req=4 ttl=54 time=34.3 ms
64 bytes from fra07s07-in-f147.1e100.net (209.85.148.147): icmp_req=5 ttl=54 time=42.5 ms
64 bytes from fra07s07-in-f147.1e100.net (209.85.148.147): icmp_req=6 ttl=54 time=44.7 ms
64 bytes from fra07s07-in-f147.1e100.net (209.85.148.147): icmp_req=7 ttl=54 time=34.5 ms
^C
--- google.com ping statistics ---
8 packets transmitted, 6 received, 25% packet loss, time 7007ms
rtt min/avg/max/mdev = 34.063/54.376/136.026/36.758 ms


$ host google.com
google.com has address 209.85.148.106
google.com has address 209.85.148.147
google.com has address 209.85.148.99
google.com has address 209.85.148.103
google.com has address 209.85.148.104
google.com has address 209.85.148.105
google.com mail is handled by 30 alt2.aspmx.l.google.com.
google.com mail is handled by 40 alt3.aspmx.l.google.com.
google.com mail is handled by 50 alt4.aspmx.l.google.com.
google.com mail is handled by 10 aspmx.l.google.com.
google.com mail is handled by 20 alt1.aspmx.l.google.com.

$ host google.com 192.168.1.201
Using domain server:
Name: 192.168.1.201
Address: 192.168.1.201#53
Aliases: 

google.com has address 209.85.148.103
google.com has address 209.85.148.104
google.com has address 209.85.148.105
google.com has address 209.85.148.106
google.com has address 209.85.148.147
google.com has address 209.85.148.99
google.com mail is handled by 40 alt3.aspmx.l.google.com.
google.com mail is handled by 50 alt4.aspmx.l.google.com.
google.com mail is handled by 10 aspmx.l.google.com.
google.com mail is handled by 20 alt1.aspmx.l.google.com.
google.com mail is handled by 30 alt2.aspmx.l.google.com.

$ cat /etc/resolv.conf 
# Generated by NetworkManager
nameserver 192.168.1.201

$ cat /etc/hosts
127.0.0.1       localhost
::1             localhost

$ netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.1.254   0.0.0.0         UG        0 0          0 wlan0
127.0.0.0       127.0.0.1       255.0.0.0       UG        0 0          0 lo
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 wlan0

Basically any application, including Firefox, can't work to do name lookups. What's more, if I take the wifi offline and plug in an ethernet cable, everything is fine.

I had this working once before, but for some reason it's not working on my new system.

in .kde4/Autostart/ I have a symlink to ssh-agent called 01-sshagent and then a simple script called 02-sshkeys that looks like this:

/usr/bin/ssh-add $(find $HOME/.ssh/keys -type f | egrep -v '\.pub$')

The problem seems to be that when I startup, ssh-agent is run alright, but KDE doesn't hold onto the output and store it in the environment, so for every Konsole session, I have to run ps to find the PID and then manually type:

SSH_AUTH_SOCK=/tmp/ssh-YtvdiEtW3065/agent.3065; export SSH_AUTH_SOCK;
SSH_AGENT_PID=<pidnumber>; export SSH_AGENT_PID;

...just to get it to work, and it does... just in that Konsole window.

I've tried removing the aforementioned symlink and just havining the ssh script look like this:

/usr/bin/ssh-agent | sh
/usr/bin/ssh-add $(find $HOME/.ssh/keys -type f | egrep -v '\.pub$')

But still, the agent variables aren't in the session and I'm never prompted for the password to my keys.

I'm obviously missing something, but what is it?

I know how to get a user to ssh into another box with a key:

ssh -l targetuser -i path/to/key targethost

But what about non-account users like apache? As this user doesn't have a home directory to which it can write a .ssh directory, the whole thing keeps failing with:

$ sudo -u apache ssh -o StrictHostKeyChecking=no -l targetuser -i path/to/key targethost
Could not create directory '/var/www/.ssh'.
Warning: Permanently added '<hostname>' (RSA) to the list of known hosts.
Permission denied (publickey).

I've tried variations using -o UserKnownHostsFile=/dev/null and setting $HOME to /dev/null and none of these have done the trick. I understand that sudo could probably fix this for me, but I'm trying to avoid having to require a manual server config since this code will be deployed on a number of different environments.

Any ideas?

Here's a few examples of what I've tried that don't work:

$ sudo -u apache export HOME=path/to/apache/writable/dir/ ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=path/to/apache/writable/dir/.ssh/known_hosts -l deploy -i path/to/key targethost
$ sudo -u apache ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=path/to/apache/writable/dir/.ssh/known_hosts -l deploy -i path/to/key targethost
$ sudo -u apache ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -l deploy -i path/to/key targethost

Eventually, I'll be using this solution to run rsync as the apache user.

I have a Dovecot mailserver running at home on a flaky cable connection. For the most part, the IMAP functionality works beautifully, but I'd like to add one feature if I can: I want Dovecot not to serve large messages to high-latency clients. That is to say, if someone decides that it's a good idea to send me a 9.3mb email to me, I don't want to get it unless I'm on my LAN at home.

This can't be an uncommon request, but I'm having trouble finding the configuration option in their documentation. Any ideas and/or good keywords to use in Googling would be awesome.

I have two USB devices and both require usbserial to be loaded in order to access them. However, One of the devices, a USB GPRS modem requires that it be loaded like this:

modprobe usbserial vendor=0x1410 product=0x4400

while the other one loads just fine like this:

modprobe usbserial

Is it possible then for me to use both of these devices at the same time? What's the purpose of those additional vendor and product arguments?