Changing FQDN broke GUI

[Pcom]

Hello,

I created my first PMG server (8.0.7), using the internal name hydra.mydomain.com, all the pages in the GUI was working fine.
However, to avoid problem with certificates, I tought was better idea to use even internally the name i was planning to use as public FQDN: mx.mydomain.com
So i followed this guide and edited files /etc/hosts + /etc/hostname with the new name. Dns is OK

Since this change I have some problem with gui. I can login with both addresses hydra and mx (only with firefox, edge does not load page using the new fqdn) but in both cases I can see some pages perfectly and some not, for example the page "administration" is OK but the page "mail filter" can't load:



I noticed that the self signed certificate is stil named hydra (the guide did not mention replacing certificates), so I tried to create a let's encrypt SMTP certificate to mx.mydomain.com
It worked but nothing is fixed in the GUI, which is still using the self signed hydra cert. I tried to manually delete file /etc/pmg/pmg-api.pem, at the first login a new file was recreated and now my HTTPS certificate is pointing to mx and not mx.mydomain.com so, once again, nothing is fixed in the broken GUI.

If I try to create a new let's encrypt cert for API for mx.mydomain.com i receive error "duplicate domain 'mx.mydomain.com' in ACME config properties 'acmedomain1' and 'acmedomain0' (500)"

I don't understand, I can't create a cert for web interface and for SMTP with the same FQDN?
The solution is to use hydra.domain.com for gui and mx.mydomain.com for SMTP?

I'm a bit confused, considering SMTP cert should be OK, which is the supposed solution to fix the GUI ?
Thanks

 

[Pcom]

Don't know if this is correct or not but I deleted once again the self signed pmg-api.pem, copied the pmg-tls.pem and renamed as
pmg-api.pem. Now I can login without certificate error on firefox (edge still doesn't work) but pages are still broken in GUI so maybe is not the correct procedure.

 

[Stoiko Ivanov]

Did you restart your PMG after changing the hostname?

please share the logs of the system after a boot and trying to access the GUI - else it's not really possible to find out what's broken.

 

[Pcom]

Hello,

Yes, I rebooted PMG, multiple times. On client, dns flushed, changed browser, even changed PC, same problem.

Attached is the syslog after a reboot grabbed from the GUI on page Administration -> Syslog (which is one of the web page that works).
Let me know if you need other log and where to find them.
Thanks!

 

[Pcom]

Hello, nobody had the same problem? I'm still building the system so I can even recreate it from scratch but it's not ideal.

Thanks for any help

 

[Stoiko Ivanov]

but in both cases I can see some pages perfectly and some not, for example the page "administration" is OK but the page "mail filter" can't load:

This sounds odd - as Mail Filter is clusterwide but administration is based on the node - so I'd expect administration not to work

just to be on the safe side:
* make sure you have entries in /etc/hosts for both your hostnames (hydra and mx) (pointing to the same ip...

else share /etc/hostname, /etc/hosts, /etc/resolv.conf, `pmgconfig dump`

 

[Pcom]

This sounds odd - as Mail Filter is clusterwide but administration is based on the node - so I'd expect administration not to work

So it's possible my problem is related to some "cluster settings"? This is my first and only PMG, I didn't set up anything related to cluster config.
This is what I see in cluster page

just to be on the safe side:
* make sure you have entries in /etc/hosts for both your hostnames (hydra and mx) (pointing to the same ip...

else share /etc/hostname, /etc/hosts, /etc/resolv.conf, `pmgconfig dump`

Just re-checked everything, it looks OK to my eyes. (but problem persist, many pages or part of the page doesn't work)

/etc/hosts


/etc/hostname


/etc/resolv.conf

(hidden my domain and internal dns IP, correct)

And attached pmconfig.dump, I only replaced my real domain with "mydomain.com"

Thanks

 

[Stoiko Ivanov]

So it's possible my problem is related to some "cluster settings"? This is my first and only PMG, I didn't set up anything related to cluster config.
This is what I see in cluster page

no - sorry - I did not phrase that precisely enough - for Administration the api paths contain the node-name - and this might fail if your /etc/hosts settings are not correct ... the Mail Filter part does not contain the node-name ...

Just re-checked everything, it looks OK to my eyes. (but problem persist, many pages or part of the page doesn't work)

Looks ok to me as well on the first glance ....

How does the network configuration look like:
* cat /etc/network/interfaces
* ip addr show
* ip route show
* ping -c4 $(hostname -f)
* ping -c4 $(uname -n)


EDIT: one more question - the part you've edited out (the red lines in the screenshots) - is /etc/resolv.conf and /etc/host the same there?

 

[Pcom]

cat /etc/network/interfaces

auto lo
iface lo inet loopback

auto ens18
iface ens18 inet static
address 172.16.2.125/24
gateway 172.16.2.1

ip addr show

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 8a:e0:2a:2c:cc:6d brd ff:ff:ff:ff:ff:ff
altname enp0s18
inet 172.16.2.125/24 scope global ens18
valid_lft forever preferred_lft forever

ip route show

default via 172.16.2.1 dev ens18 proto kernel onlink
172.16.2.0/24 dev ens18 proto kernel scope link src 172.16.2.125

ping -c4 $(hostname -f)

PING mx.mydomain.com (172.16.2.125) 56(84) bytes of data.
64 bytes from mx.mydomain.com (172.16.2.125): icmp_seq=1 ttl=64 time=0.042 ms
64 bytes from mx.mydomain.com (172.16.2.125): icmp_seq=2 ttl=64 time=0.038 ms
64 bytes from mx.mydomain.com (172.16.2.125): icmp_seq=3 ttl=64 time=0.039 ms
64 bytes from mx.mydomain.com (172.16.2.125): icmp_seq=4 ttl=64 time=0.040 ms

--- mx.mydomain.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3072ms
rtt min/avg/max/mdev = 0.038/0.039/0.042/0.001 ms

ping -c4 $(uname -n)

PING mx.mydomain.com (172.16.2.125) 56(84) bytes of data.
64 bytes from mx.mydomain.com (172.16.2.125): icmp_seq=1 ttl=64 time=0.025 ms
64 bytes from mx.mydomain.com (172.16.2.125): icmp_seq=2 ttl=64 time=0.015 ms
64 bytes from mx.mydomain.com (172.16.2.125): icmp_seq=3 ttl=64 time=0.035 ms
64 bytes from mx.mydomain.com (172.16.2.125): icmp_seq=4 ttl=64 time=0.042 ms

--- mx.mydomain.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3052ms
rtt min/avg/max/mdev = 0.015/0.029/0.042/0.010 ms

EDIT: one more question - the part you've edited out (the red lines in the screenshots) - is /etc/resolv.conf and /etc/host the same there?

Yes, name of my domain in both files.



Just to give you another information, everything works again if i delete "mx" in hosts and hostname and keep only the original name hydra.
Looks like somewhere in the system there is something else to change. Maybe something related to certificate? (as i wrote in my first message, when I changed hostname to "mx" the https self generated cert was still pointing to old hostname hydra)

 

[Stoiko Ivanov]

The certificate should not cause the issue of No route to host (this is a connectivity issue lower in the stack)...

does your client have the same view on DNS? mx.yourdomain.com resolving to 172.16.2.125?

from the information you shared it seems that the system is running fine and I don't see any issues in the logs...

do you maybe have /etc/pmg/cluster.conf - and does it have content?

 

[Stoiko Ivanov]

else - please also try:
* changing the order of mx and hydra in /etc/hosts
* removing hydra from /etc/hosts
also - maybe check the output of:
`grep -r hydra /etc`

 

[Pcom]

do you maybe have /etc/pmg/cluster.conf - and does it have content?

Yes! And it's wrong content, wrong ip and wrong name. No idea why, i never created a cluster not even for test. Can I delete this file? Or I have to fix it correcting IP and name?

 

[Stoiko Ivanov]

I'd try fixing the cluster.conf - as a few paths are different if it's present.

No idea why, i never created a cluster not even for test.

The file is only present if you created a cluster (clicking 'Create' in the GUI or running `pmgcm create` on the cli)

 

[Pcom]

Correct IP and name, reboot, now everything is working! Yuppie!

If I created a cluster I really had no idea, maybe I was just playing in the menu after the first install and it was not voluntary. Sorry!

It is correct that is not possible to remove a cluster once created? I have no "Remove" button. (not a problem anyway, I think I will build a cluster with two server when ready for production)


And can I ask you to clarify even about let's encrypt certificate? Now that server is officially called mx.mydomain.com, which is the correct procedure to request an https certificate? I requested and received a working SMTP certificate but if I try to do the same with HTTPS is says I can't because of the same name. Why I can't request certificate for both function with the same name?
I "solved" copying pmg-tls.pem and renamed as pmg-api.pem. It's working but it's the correct procedure?




Meanwhile many thanks for your help.