Bugs in Hestia 1.9.5

1.- Rebuilding mail domains removes webmail SSL config.

Due to the modified get_object_value in Hestia 1.9.5, a bug in v-rebuild-mail-domain-webdomain arose:

WEBMAIL=$(get_object_value 'web' 'DOMAIN' "$domain" "$WEBMAIL")

This worked in previous versions of get_object_value by coincidence.

The fix is:

WEBMAIL=$(get_object_value 'web' 'DOMAIN' "$domain" "WEBMAIL")

This PR fixes the issue:

To fix this manually for now, run these commands as root:

sed -i.ori 's/"\$WEBMAIL")/"WEBMAIL")/' /usr/local/hestia/bin/v-rebuild-mail-domain
for user in $(/usr/local/hestia/bin/v-list-users plain | cut -f1); do if [[ "$("/usr/local/hestia/bin/v-list-user" "$user" json | jq -r '.[]|.U_MAIL_DOMAINS')" -ge 1 ]]; then echo "${B}[ + ]${N} Rebuilding mail domains for user $user"; /usr/local/hestia/bin/v-rebuild-mail-domains "$user";fi;done
systemctl restart nginx apache2

2.- Web Terminal doesn’t work.

The service doesn’t start and it’s because it doesn’t have the node_modules installed.

To fix it:

cd /usr/local/hestia/web-terminal
npm install

After that the service starts but if you try to use the web terminal you only get:

Your session has expired.

And that’s because it tries to use a missing php file /usr/local/hestia/web-terminal/web-terminal-session-auth.php:

server.js[242164]: Could not open input file: /usr/local/hestia/web-terminal/web-terminal-session-auth.php
server.js[242164]: Session helper failed for 3la6dl33js19afb150tmlq2v9g, refusing connection: Command failed: /usr/local/hestia/php/bin/php /usr/local/hestia/web-terminal/web-terminal-session-auth.php 3la6dl33js19afb150tmlq2v9g

I can’t fix it so I’ve opened this issue:

So overnight all my Roundcube(s) stopped checking for mail due to the SSL cert change. But only webmail(s) were affected, so none of the generic troubleshooting guides seemed to apply. Without mail checking, it was more luck than skill that I happened to notice that the HestiaCP version had changed, which is what led me here.

For #1, the webmail SSL config, it looks like 2 separate commands should do the trick…, one to remove the trouble-making “$” from /usr/local/hestia/bin/v-rebuild-mail-domain, and the other to use the corrected CLI command to rebuild for all users.

# sed -i.ori ‘s/“$WEBMAIL”)/“WEBMAIL”)/’ /usr/local/hestia/bin/v-rebuild-mail-domain

# for user in $(/usr/local/hestia/bin/v-list-users plain | cut -f1); do if [[ “$(”/usr/local/hestia/bin/v-list-user" “$user” json | jq -r ‘.
|.U_MAIL_DOMAINS’)" -ge 1 ]]; then echo “${B}[ + ]${N} Rebuilding mail domains for user $user”; /usr/local/hestia/bin/v-rebuild-mail-domains “$user”;fi;done

BUT in the first command it refers to
/usr/local/hestia/bin/v-rebuild-mail-domain
while in the 2nd command it refers to
/usr/local/hestia/bin/v-rebuild-mail-domains

Is that correct???

Yes, it is. The second command v-rebuild-mail-domains $user internally runs v-rebuild-mail-domain $user $domain to rebuild all the mail domains for the user.

As always, THANK YOU for the prompt reply and education (and the fix).

The fix ran as expected, though it took a little while.

But it didn’t help. So I re-(re-)started the web browser, but that didn’t help either.

I tried going to webmail.domain.com using a browser that’d never been there, and still got the Potential Security Risk warning.

Restart nginx (and apache2 if used):

systemctl restart nginx apache2

Done. Now the SSL warning is gone.

BUT all it says is “Success!” “Your new web server is ready to use.” below the green-bkg check mark.

What’s the Roundcube version?

grep RCMAIL_VERSION /var/lib/roundcube/program/include/iniset.php | cut -d "'" -f 4

1.6.8

That’s weird. It didn’t update to 1.6.15 during the upgrade, so something happened.

Show the output of this command:

v-add-sys-roundcube

fwiw, last night when this first happened, I tried surfing to www.webmail.domain.com and got that same “ready to use” response.

To assist in determining what something happened, I dug into the appropriate new mail folder and retrieved the following (I sure hope my lingering no-buffer web template experiments didn’t gum up the works):

### =============================================================================
Hestia Control Panel Software Update Log

### OPERATING SYSTEM:      Debian (12)
CURRENT VERSION:       1.9.4
NEW VERSION:           1.9.5
RELEASE BRANCH:        release
BUILD TYPE:            Production release

### INSTALLER OPTIONS:

### Send email notification on upgrade complete:      true
Send installed log output to admin email:         true

### =============================================================================
\[ \* \] Backing up existing templates and configuration files...

### \[ ! \] Performing system health check before proceeding with installation...
\[ \* \] Health check complete. Starting upgrade from 1.9.4 to 1.9.5...

### \[ - \] Now applying patches and updates for version v1.9.5...
\[ \* \] Fixing spamd execution in Exim when reject_spam is off
\[ \* \] Adding ESMTP to Exim smtp banner
\[ ! \] Updating default web domain templates...
\[ ! \] Updating default mail domain templates...
\[ ! \] Updating default DNS zone templates...
\[ ! \] Upgrading File Manager to version 7.14.3...
\[ ! \] Upgrading Roundcube to version 1.6.15...
\[ ! \] Update Hestia PHP dependencies...
\[ \* \] Updating Cloudflare IP Ranges for NGINX...
\[ \* \] Upgrading phpMyAdmin to version 5.2.3...

Installation tasks complete, performing clean-up..

.

Please, follow these steps:

sed -i -E 's/(^disable_functions.*),proc_open(.*$)/\1\2/' /etc/php/$(php -v | head -n1 | grep -o '[0-9]\.[0-9]')/cli/php.ini
sed -i -E 's/(^disable_functions.*),system(.*$)/\1\2/' /etc/php/$(php -v | head -n1 | grep -o '[0-9]\.[0-9]')/cli/php.ini
v-add-sys-roundcube

If v-add-sys-roundcube finish with success:

Note: If your administrator user uses another name, replace admin with that name.

v-add-user-composer admin
cd /var/lib/roundcube/
COMPOSER_ALLOW_SUPERUSER=1 /home/admin/.composer/composer -n update

# v-add-user-composer admin
Composer already available

…

#COMPOSER_ALLOW_SUPERUSER=1 /home/admin/.composer/composer -n update

Loading composer repositories with package information
Updating dependencies
Lock file operations: 1 install, 9 updates, 0 removals

• Upgrading dasprid/enum (1.0.5 => 1.0.7)
• Upgrading guzzlehttp/guzzle (7.9.2 => 7.10.5)
• Upgrading guzzlehttp/promises (2.0.3 => 2.4.1)
• Upgrading guzzlehttp/psr7 (2.7.0 => 2.10.3)
• Locking mlocati/ip-lib (1.22.0)
• Upgrading pear/crypt_gpg (v1.6.9 => v1.6.11)
• Upgrading pear/net_sieve (1.4.7 => 1.4.8)
• Upgrading pear/pear-core-minimal (v1.10.15 => v1.10.18)
• Upgrading roundcube/plugin-installer (0.3.7 => 0.3.11)
• Upgrading symfony/deprecation-contracts (v2.5.3 => v3.7.0)
  Writing lock file
  Installing dependencies from lock file (including require-dev)
  Package operations: 0 installs, 4 updates, 0 removals
• Downloading symfony/deprecation-contracts (v3.7.0)
• Downloading guzzlehttp/psr7 (2.10.3)
• Downloading guzzlehttp/promises (2.4.1)
• Downloading guzzlehttp/guzzle (7.10.5)
• Upgrading symfony/deprecation-contracts (v2.5.4 => v3.7.0): Extracting archive
• Upgrading guzzlehttp/psr7 (2.9.0 => 2.10.3): Extracting archive
• Upgrading guzzlehttp/promises (2.3.0 => 2.4.1): Extracting archive
• Upgrading guzzlehttp/guzzle (7.10.0 => 7.10.5): Extracting archive
  Package pear/console_commandline is abandoned, you should avoid using it. No replacement was suggested.
  Package pear/net_socket is abandoned, you should avoid using it. No replacement was suggested.
  Generating autoload files
  5 packages you are using are looking for funding.
  Use the composer fund command to find out more!
  No security vulnerability advisories found

Check again the version:

grep RCMAIL_VERSION /var/lib/roundcube/program/include/iniset.php | cut -d "'" -f 4

And webmail works?

1.6.15

No. Still “Your new web server is ready to use.”

However, when I tried it with www (www.webmail.domain.com) the browser returned a “Potential Security Rish\k Ahead” which is different than before. (I accepted the risk, then got a “Secure Site Not Available” HTTPS-Only message. I told it to continue to http site, THEN I got the “ready for use” message.)

Tomorrow, I’ll send you a private message so we can review it. It’s too late here.

TIA. Will I be able to retrieve that here?

PS: Nevermind – a reboot (probably from restarting apache2) was all it took (see post 47, below). Thanks again!

I’ve used https://sslchecktool.com to check webmail.domain.com

It now reads “Certificate Valid”. (Before I posted here, it did not, with a cert domain name mismatch)

…fwiw