Ah, the trials and tribulations of upgrading Debian 12 Bookworm to Debian 13 Trixie! I learned a valuable lesson this weekend with the update - always read the apt listchanges email. Always.
The upgrade itself went smoothly with no errors during the packages upgrading/installing. I run three main services on my server - nginx, exim, and dovecot. On reboot, all three had issues with the upgraded packages.
I received the following error in my nginx error.log:
I dusted off the site and was going to write about my experience updating Debian 12 Bookworm to Debian 13 Trixie on two servers. I use Hugo with the Mainroad theme and I hadn’t updated the site in quite a while. I updated Hugo to the latest stable version and tried to rebuild the site to include the new content. I ran into an error.
The error was:
Site.Author was deprecated in Hugo v0.124.0 and subsequently removed.
Implement taxonomy 'author' or use .Site.Params.Author instead.
I grepped the files in the theme and found .Site.Author in two files - author.html and authorbox.html. I replaced all the instances of “.Site.Author” with “.Site.Params.Author”. I also changed the “Site.Params.Author.avatar” to “Site.Params.Author.image”. Authorbox was now activated but nothing was displaying. So I looked at a couple of other newer themes to see what parameter names in config.toml needed to be changed. The “[Author]” section I renamed to [Params.author]" and changed “avatar” to “image”.
For quite a while, I’ve been getting the “nf_conntrack: automatic helper assignment is deprecated and it will be removed soon” warning at boot. So I can’t say I was too surprised when I started getting “kernel: nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.”
Back in January/February 2017 there was a post on the Linux-Kernel mailing list submitting a patch to print out the warning so firewall admins would at least have notice. As best as I can tell from reading a ton of stuff, the warning is logged if a packet which would have otherwise traversed your firewall didn’t because there was no helper available. More information can be found at Secure use of iptables and connection tracking helpers.
Noticed these lines in journalctl when nginx didn’t start after a reboot:
Dec 10 17:43:30 mail1 nginx[3485]: nginx: [warn] "ssl_stapling" ignored, host not found in OCSP responder "ocsp.int-x3.letsencrypt.org" in the certificate "/etc/letsencrypt/live/www.example.com/fullchain.pem"
Dec 10 17:43:30 mail1 nginx[3485]: nginx: [emerg] bind() to [<IPv6 address>]:80 failed (99: Cannot assign requested address)
Dec 10 17:43:30 mail1 nginx[3485]: nginx: configuration file /etc/nginx/nginx.conf test failed
Dec 10 17:43:30 mail1 systemd[1]: nginx.service: Control process exited, code=exited status=1
Dec 10 17:43:30 mail1 systemd[1]: nginx.service: Unit entered failed state.
Dec 10 17:43:30 mail1 systemd[1]: nginx.service: Failed with result 'exit-code'.
Dec 10 17:52:35 mail1 systemd[1]: nginx.service: Failed to read PID from file /run/nginx.pid: Invalid argument
Hmmm…
Either of these scripts will grab both the IPv4 and IPv6 (if any) addresses assigned to any WAN I’m behind, and, using Linode’s DNS API, will update my DNS records with same and log changes/errors using logger. In effect, it’s a homemade Dynamic DNS updater. Linode’s developing a new API so that’s why two versions exist.
To use the script, you need:
The IDs don’t change, whether you’re using version 3 or version 4.