AskOverflow.Dev


Questions [debian-stretch] (server)

P.Péter
Asked: 2021-10-01 08:40:25 +0800 CST

Clients on Debian 9 erroneously report an expired certificate for letsencrypt-issued domains

  • 20

If I try to access an HTTPS server with a certbot-issued certificate from Debian 9, I get the following error:

 # curl -v https://hu.dbpedia.org/
 *   Trying 195.111.2.82...
 * TCP_NODELAY set
 * Connected to hu.dbpedia.org (195.111.2.82) port 443      (#0)
 * ALPN, offering h2
 * ALPN, offering http/1.1
 * Cipher selection:      ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
 * successfully set certificate verify locations:
 *   CAfile: /etc/ssl/certs/ca-certificates.crt
   CApath: /etc/ssl/certs
 * TLSv1.2 (OUT), TLS header, Certificate Status (22):
 * TLSv1.2 (OUT), TLS handshake, Client hello (1):
 * TLSv1.2 (IN), TLS handshake, Server hello (2):
 * TLSv1.2 (IN), TLS handshake, Certificate (11):
 * TLSv1.2 (OUT), TLS alert, Server hello (2):
 * SSL certificate problem: certificate has expired
 * Curl_http_done: called premature == 1
 * stopped the pause stream!
 * Closing connection 0
 curl: (60) SSL certificate problem: certificate has expired

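However, if I try the same command from Debian 10, it succeeds.

I tried simply copying all the ca-certificates from a Debian 10 VM to the Debian 9 VM (into /usr/local/share/ca-certificates) with rsync and then running update-ca-certificates, which seemed to add 400+ certificates. Unfortunately, it did not help. This is no wonder, since apparently the same certificates seem to be present on both Debian 9 and 10.

My question is: how can I access sites with certbot certificates from a Debian 9 machine without completely ignoring certificate validation?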

debian ssl-certificate lets-encrypt debian-stretch
  • 6 answers
  • 15566 Views
palik
Asked: 2021-07-06 02:21:12 +0800 CST

systemd: Unknown lvalue 'ExecCondition' in section 'Service'

  • 1

Why is systemd complaining?

Jul  5 09:55:33 st701a-9 systemd[1]: [/etc/systemd/system/load-xyz-modules.service:7] Unknown lvalue 'ExecCondition' in section 'Service'

The service configuration /etc/systemd/system/load-xyz-modules.service:

[Unit]
Description=Load xyz kernel modules

[Service]
RemainAfterExit=yes
Type=oneshot
ExecCondition=/bin/sh -c '***'
ExecStart=/bin/sh -c '***'
ExecStop=/bin/sh -c '***'

[Install]
WantedBy=multi-user.target

If I read the systemd man page correctly, ExecCondition is an option of the [Service] section.

EDIT: The problem occurs on Debian stretch.

debian systemd debian-stretch
  • 1 answer
  • 1214 Views
SirFartALot
Asked: 2020-05-09 11:55:34 +0800 CST

Dovecot socket not found when running as a service

  • 0

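I have a strange problem with dovecot. My dovecot ran perfectly on my cubietruck until yesterday, when I upgraded from debian/jessie to debian/stretch (armhf).
/var is symlinked to another mounted drive (mountpoint /extended): /var -> /extended/hostname/var

Now, whenever I start it as a service ("systemctl start dovecot"), it does not start but exits immediately with an error.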

May 08 21:16:20 hostname systemd[1]: Starting Dovecot IMAP/POP3 email server...
May 08 21:16:20 hostname dovecot[32167]: Error: bind(/var/spool/postfix/private/auth_dovecot) failed: No such file or directory
May 08 21:16:20 hostname dovecot[32167]: Fatal: Failed to start listeners
May 08 21:16:20 hostname systemd[1]: dovecot.service: Control process exited, code=exited status=89
May 08 21:16:20 hostname systemd[1]: Failed to start Dovecot IMAP/POP3 email server.
May 08 21:16:20 hostname systemd[1]: dovecot.service: Unit entered failed state.
May 08 21:16:20 hostname systemd[1]: dovecot.service: Failed with result 'exit-code'.

Whenever I start dovecot as root in a shell with dovecot, it does not show any errors and runs perfectly.

My dovecot.conf:

auth_mechanisms = plain login
log_timestamp = "%Y-%m-%d %H:%M:%S "
passdb {
  args = /etc/dovecot/dovecot-mysql.conf
  driver = sql
}
protocols = imap pop3
service auth {
  unix_listener /var/spool/postfix/private/auth_dovecot {
    mode = 0660
    user = postfix
    group = postfix
  }
  unix_listener auth-master {
    mode = 0600
    user = vmail
  }
  user = root
}
ssl_cert =</etc/postfix/sslcert/server.crt
ssl_key =</etc/postfix/sslcert/server.key
userdb {
  args = /etc/dovecot/dovecot-mysql.conf
  driver = sql
}
protocol pop3 {
  pop3_uidl_format = %08Xu%08Xv
}

# Enable installed protocols
!include_try /usr/share/dovecot/protocols.d/*.protocol

# Most of the actual configuration gets included below. The filenames are
# first sorted by their ASCII value and parsed in that order. The 00-prefixes
# in filenames are intended to make it easier to understand the ordering.
!include conf.d/*.conf

# A config file can also tried to be included without giving an error if
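# it's not found:
!include_try local.conf

  • I have already removed the socket /var/spool/postfix/private/auth_dovecot before starting, but that did not help when starting as a service. When started in a shell, the socket (auth_dovecot) is recreated on startup.
  • Commenting out the unix_listener part leads to a possible timeout on startup. The error reads: PID file /var/run/dovecot/master.pid not readable (yet?) after start.
  • Using another name for the socket (/var/spool/postfix/private/auth) leads to the same error.
  • I have already tried a complete reinstall of dovecot (apt purge, autoremove, autoclean, clean, install ...), but this led to the timeout problem and strange configuration files.
  • Searching google/stackexchange did not turn up a solution.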

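Because I can run dovecot as root from a shell without problems, I strongly suspect that systemd spawns some kind of chroot, but I need some hints to investigate it further.

Thanks in advance.

PS: Fortunately I should be able to go back to debian/jessie, since I have a tar.gz archive of the cubietruck's SD card.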

dovecot socket debian-stretch
  • 1 answer
  • 1319 Views
klor
Asked: 2020-02-28 12:10:29 +0800 CST

libc6 dependency mismatch in Debian 9.12

  • 2

I have run into the following libc6 dependency problem in Debian 9.12.

sudo apt install libc6-dev

Reading package lists... Done
Building dependency tree
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 libc6-dev : Depends: libc6 (= 2.24-11+deb9u4) but 2.27-6 is to be installed
             Depends: libc-dev-bin (= 2.24-11+deb9u4) but it is not going to be installed
E: Unable to correct problems, you have held broken packages.

How can I fix this?

EDIT1: apt policy libc6

libc6:
  Installed: 2.27-6
  Candidate: 2.27-6
  Version table:
 *** 2.27-6 100
        100 /var/lib/dpkg/status
     2.24-11+deb9u4 500
        500 http://deb.debian.org/debian stretch/main amd64 Packages
     2.24-11+deb9u1 500
        500 http://security.debian.org/debian-security stretch/updates/main amd64 Packages

EDIT2:

apt install libc6/stretch libc6-dev/stretch libc-dev-bin/stretch
Reading package lists... Done
Building dependency tree
Reading state information... Done
Selected version '2.24-11+deb9u4' (Debian:9.12/oldstable [amd64]) for 'libc6'
Selected version '2.24-11+deb9u4' (Debian:9.12/oldstable [amd64]) for 'libc6-dev'
Selected version '2.24-11+deb9u4' (Debian:9.12/oldstable [amd64]) for 'libc-dev-bin'
The following additional packages will be installed:
linux-libc-dev
Suggested packages:
glibc-doc locales
The following packages will be REMOVED:
libc-bin locales sudo
The following NEW packages will be installed:
libc-dev-bin libc6-dev linux-libc-dev
The following packages will be DOWNGRADED:
libc6
WARNING: The following essential packages will be removed.
This should NOT be done unless you know exactly what you are doing!
libc-bin
0 upgraded, 3 newly installed, 1 downgraded, 3 to remove and 0 not upgraded.
Need to get 6,797 kB of archives.
After this operation, 1,437 kB disk space will be freed.
You are about to do something potentially harmful.
To continue type in the phrase 'Yes, do as I say!'
?]
linux debian dependencies debian-stretch libc6
  • 2 answers
  • 9868 Views
Martin Horský
Asked: 2019-10-05 05:06:28 +0800 CST

Nftables unable to process any command

  • 2

After updating from Stretch to Buster and moving from iptables to nftables, the nft command does not process any given command, except list, which prints nothing.

Entering nft flush ruleset prints:

Error: Could not process rule: Invalid argument
flush ruleset
^^^^^^^^^^^^^^
Error: Could not process rule: Invalid argument
flush ruleset
^^^^^^^^^^^^^^

nft create table inet filter

Error: Could not process rule: Invalid argument
create table inet filter
^^^^^^^^^^^^^^^^^^^^^^^^^
Error: Could not process rule: Invalid argument
create table inet filter
^^^^^^^^^^^^^^^^^^^^^^^^^

Even with the initial configuration from the Debian package, it prints an error for every line in it.

nft -f /etc/nftables.conf

/etc/nftables.conf:

#!/usr/sbin/nft -f

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0;
    }
    chain forward {
        type filter hook forward priority 0;
    }
    chain output {
        type filter hook output priority 0;
    }
}
/etc/nftables.conf:3:1-14: Error: Could not process rule: Invalid argument
flush ruleset
^^^^^^^^^^^^^^
/etc/nftables.conf:5:1-2: Error: Could not process rule: Invalid argument
table inet filter {
^^
/etc/nftables.conf:6:15-19: Error: Could not process rule: Invalid argument
    chain input {
                 ^^^^^
/etc/nftables.conf:9:15-21: Error: Could not process rule: Invalid argument
    chain forward {
                 ^^^^^^^
/etc/nftables.conf:12:15-20: Error: Could not process rule: Invalid argument
    chain output {
                 ^^^^^^
/etc/nftables.conf:3:1-14: Error: Could not process rule: Invalid argument
flush ruleset
^^^^^^^^^^^^^^
/etc/nftables.conf:5:1-2: Error: Could not process rule: Invalid argument
table inet filter {
^^
/etc/nftables.conf:6:15-19: Error: Could not process rule: Invalid argument
    chain input {
                 ^^^^^
/etc/nftables.conf:9:15-21: Error: Could not process rule: Invalid argument
    chain forward {
                 ^^^^^^^
/etc/nftables.conf:12:15-20: Error: Could not process rule: Invalid argument
    chain output {
                 ^^^^^^

Distribution: Debian GNU/Linux 10 (buster)

nft: nftables v0.9.0 (Fearless Fosdick)

debian-stretch
  • 1 answer
  • 2004 Views
