azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

sync: auto-sync from GURU-5070 at 2026-05-26 07:05:06

Browse Source 
Author: Mike Swanson
Machine: GURU-5070
Timestamp: 2026-05-26 07:05:06
This commit is contained in:
Mike Swanson
2026-05-26 07:05:10 -07:00
parent 29666be268
commit f962cb87d0
3 changed files with 116 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

110
session-logs/2026-05-26-session.md
View File

@@ -228,3 +228,113 @@ StandardErrorPath: /usr/local/var/log/gururmm-agent.log
- Phase 3 (menu bar app): 4-5 days
- Phase 4 (integration/testing): 2-3 days
- Total: 10-13 days for complete system
---
## Update: 06:20 MST — SSL cert triage (Mike Swanson / GURU-5070)
### User
- **User:** Mike Swanson (mike)
- **Machine:** GURU-5070 (DESKTOP-0O8A1RL)
- **Role:** admin
- **Session span:** 2026-05-26 ~06:20 MST
### Session Summary
Session opened with `/context` to recover prior state, followed by `/sync` which pulled the MacBook session log (macOS agent enrollment fix). Two SSL cert items from the pending list were addressed.
Neptune SSL cert (mail.acghosting.com, expiring 2026-05-31) was flagged as having auto-renewal configured by the user. The wiki was updated to remove the URGENT flag and note that auto-renewal is in place.
Western Tire SSL was investigated in depth. The `*.westerntire.com` wildcard cert (Let's Encrypt, issued 2026-03-01) was expiring 2026-05-30 and had not renewed. Direct SSL inspection via `openssl s_client` confirmed the cert was the original March 1 issue — no renewal had occurred. SSH to IX (172.16.3.10) via paramiko revealed the root cause: all 9 westerntire.com domains were listed as user-excluded in cPanel's AutoSSL, so AutoSSL had been skipping the account entirely on every 3-hour run. No acme.sh installation and no cron job for cert renewal existed.
Per the user's direction, only `mail.westerntire.com` was removed from the AutoSSL exclusion list (the 8 other domains — www, webmail, cpanel, autodiscover, webdisk, cpcontacts, cpcalendars, westerntire.com — remain excluded as they carry no live services). An AutoSSL run was triggered via `whmapi1 start_autossl_check_for_one_user`. AutoSSL completed within 30 seconds: HTTP DCV passed, Let's Encrypt issued a cert for `mail.westerntire.com` only, and it was installed immediately. Live verification via `openssl s_client` on port 993 confirmed the new cert (CN=mail.westerntire.com, R13, issued 2026-05-26, expires 2026-08-24). Wiki articles for western-tire and internal-infrastructure were updated to reflect the resolved state.
### Key Decisions
- **Only remove mail.westerntire.com from AutoSSL exclusions** — user specified mail sub only. The other 8 domains serve no live purpose (westerntire.com redirects to jackfurriers.com; cPanel/webmail/autodiscover subdomains unused by active users). Retaining their exclusion avoids AutoSSL issuing unnecessary certs for unused names.
- **Let AutoSSL issue per-domain cert, not wildcard** — AutoSSL (HTTP-01 challenge) cannot issue wildcards. Switching from the wildcard to a per-domain cert for mail.westerntire.com is functionally equivalent for IMAP/SMTP clients.
- **Neptune SSL flagged as no-action** — user confirmed auto-renewal is configured. Removed from urgent list without verifying the renewal client directly; if renewal fails by 2026-05-31 it will surface as a mail TLS error.
### Problems Encountered
- **`uapi remove_autossl_excluded_domains domain=...` failed** — cPanel UAPI expects the argument as `domains=` (plural), not `domain=`. Fixed by correcting the argument name; API returned status 1 on retry.
- **sshpass not available on Windows** — initial SSH attempt using `sshpass -p` failed with command not found. Switched to paramiko (Python) for all SSH operations to IX.
### Configuration Changes
**IX server (172.16.3.10) — cPanel westernt account:**
- Removed `mail.westerntire.com` from AutoSSL excluded domains list
- New cert issued and installed: CN=mail.westerntire.com, issued 2026-05-26, expires 2026-08-24
**Wiki (claudetools repo):**
- `wiki/clients/western-tire.md` — SSL section updated: wildcard replaced by per-domain AutoSSL cert for mail subdomain; P2 SSL item removed from open items; anti-pattern warning updated
- `wiki/clients/internal-infrastructure.md` — Neptune Let's Encrypt cert entry updated: removed URGENT flag, noted auto-renewal configured
### Credentials & Secrets
No new credentials. Used existing:
- IX root password: `infrastructure/ix-server.sops.yaml``credentials.password`
### Infrastructure & Servers
| Host | Detail |
|---|---|
| IX web server | 172.16.3.10 (internal) / 72.194.62.5 (external). cPanel account `westernt`. AutoSSL runs every 3 hours via Let's Encrypt provider. |
| mail.westerntire.com | Port 993 (IMAPS), port 587 (SMTP STARTTLS). New cert CN=mail.westerntire.com, expires 2026-08-24. |
### Commands & Outputs
```bash
# Verify existing cert before fix
echo | openssl s_client -connect mail.westerntire.com:993 -servername mail.westerntire.com 2>/dev/null \
| openssl x509 -noout -subject -dates
# subject=CN=*.westerntire.com
# notBefore=Mar 1 10:05:18 2026 GMT notAfter=May 30 10:05:17 2026 GMT
# Check AutoSSL log for westerntire (most recent run)
# -> "User-excluded domains: 9 (westerntire.com, www.westerntire.com, mail.westerntire.com, ...)"
# Get current exclusion list
uapi --user=westernt SSL get_autossl_excluded_domains
# -> 9 domains listed including mail.westerntire.com
# Remove mail.westerntire.com from exclusions
uapi --user=westernt SSL remove_autossl_excluded_domains domains=mail.westerntire.com
# -> status: 1 (success)
# Trigger AutoSSL run
/usr/local/cpanel/bin/whmapi1 start_autossl_check_for_one_user username=westernt
# -> pid: 3715934, result: 1
# AutoSSL log after run
# [2026-05-26T14:02:21Z] "mail.westerntire.com" is managed.
# [2026-05-26T14:02:22Z] CA authorized: "mail.westerntire.com"
# [2026-05-26T14:02:23Z] Local HTTP DCV OK: mail.westerntire.com
# [2026-05-26T14:02:25Z] "Let's Encrypt™" HTTP DCV OK: mail.westerntire.com
# [2026-05-26T14:02:27Z] Installing "westerntire.com"'s new certificate ...
# Verify new cert
echo | openssl s_client -connect mail.westerntire.com:993 -servername mail.westerntire.com 2>/dev/null \
| openssl x509 -noout -subject -issuer -dates
# subject=CN=mail.westerntire.com
# issuer=C=US, O=Let's Encrypt, CN=R13
# notBefore=May 26 13:03:56 2026 GMT notAfter=Aug 24 13:03:55 2026 GMT
```
### Pending / Incomplete Tasks
- HIGH: `fix/audit-2-remediation` branch (gururmm) — awaiting Mike's merge + deploy
- HIGH: macOS PKG installer — plan at `projects/msp-tools/guru-rmm/agent/MACOS_INSTALLATION_PLAN.md`
- HIGH: Kittle WS2025 EVAL license activation; no backup, no firewall
- HIGH: Kittle-Design Ken inbox rule (potential active compromise)
- MEDIUM: TGC-SERVER Hyper-V disposition (MAS90 VM — customer decision needed)
- MEDIUM: Neptune SSL auto-renewal — verify client is healthy before 2026-05-31 (user says it's configured)
- LOW: Seed wiki/systems/neptune.md, wiki/systems/beast.md
### Reference Information
- Western Tire Syncro ticket: #32199 (ID: 109325058) — not yet billed
- IX AutoSSL log path: `/var/cpanel/logs/autossl/<timestamp>/txt`
- IX AutoSSL schedule: every 3 hours (confirmed from log dir timestamps)
- cPanel UAPI: `uapi --user=<account> SSL remove_autossl_excluded_domains domains=<domain>` (note: `domains=`, not `domain=`)
- New cert details: CN=mail.westerntire.com, Let's Encrypt R13, 2026-05-26 → 2026-08-24, auto-renews ~2026-07-25