26 May 2016
BOA-3.1.0 Full Edition
We are happy to release BOA-3.1.0 Full Edition, with support for Let’s Encrypt free SSL certificates, PHP-FPM versions configurable per site, along with many fixes and improvements. Enjoy!
### Stable BOA-3.1.0 Release - Full Edition
### Date: Thu May 26 16:41:40 PDT 2016
### Milestone URL: https://github.com/omega8cc/boa/milestones/3.1.0
### Latest hotfix added on: Mon May 30 08:55:03 PDT 2016

@=> Includes Aegir Hostmaster 3.x-head with improvements
@=> Includes Aegir Provision 3.x-head with improvements
@=> Includes Drush 8 customized for BOA

# Release Notes:

This BOA release includes new features, system upgrades, improvements and bug fixes, with the most notable features and changes listed below. All supported Drupal platforms have been updated to their latest versions.

@=> Let’s Encrypt free SSL certificates are supported directly in Aegir
@=> PHP-FPM version can be switched per site hosted on the same instance
@=> Both the Aegir control panel and its backend are compatible with PHP 7.0.7
@=> Support for forced Drush cache clear in the Aegir backend
@=> BOA can run Debian Wheezy to Debian Jessie upgrades easily

More details on new features, enhancements and changes can be found below.

###
#-### Let’s Encrypt free SSL certificates are supported directly in Aegir
###

You can find these important Let’s Encrypt topics discussed below:

# Introduction
# How does it work?
# How do I add a Letsencrypt.org SSL certificate to a hosted site?
# How do I add a Letsencrypt.org SSL certificate to the Aegir Hostmaster site?
# How do I modify/renew the Letsencrypt.org SSL certificate for an SSL-enabled site?
# Are there any requirements, limitations or exceptions?
# How do I enable live mode?
# How do I replace the Let's Encrypt certificate with a custom certificate?

[ Available also at: https://omega8.cc/node/381 ]

This BOA release opens a new era in SSL support for all hosted Drupal sites.
The old method of creating SSL proxy vhosts is officially deprecated, as explained in the docs/SSL.txt how-to:

NOTE ###===>>>
The old how-to is still useful if you prefer to use SSL termination separated from your Aegir system, or if you don't want to use the built-in Letsencrypt.org SSL certificate support (available since BOA-3.1.0). But if you can use Letsencrypt.org SSL certificates, or you are willing to use the built-in BOA feature which allows you to replace the Letsencrypt.org SSL certificate with any third-party certificate per site, while still managing SSL via the Aegir control panel (for redirects and forced/required SSL mode), we highly recommend using Aegir's built-in SSL support, which is enabled and ready to use in all Octopus instances since the BOA-3.1.0 release.
NOTE ###===>>>

* How does it work?

BOA leverages the letsencrypt.sh utility to talk to the Letsencrypt.org servers, and on the Aegir side it uses the new `hosting_le` extension, which replaces the self-signed SSL certificates generated by Aegir with Let's Encrypt ones. You can find more information on both at these URLs:

https://github.com/lukas2511/letsencrypt.sh
https://github.com/omega8cc/hosting_le

* How do I add a Letsencrypt.org SSL certificate to a hosted site?

In your Aegir control panel go to the site node's Edit tab, then under `SSL Settings > Encryption` choose either `Enabled`, or `Required` if you also want HTTP->HTTPS redirection enabled on the fly. Now click `Save` and wait until you see the Verify task completed. Done!

NOTE: SSL Settings are not available in the Add Site form, only in Edit.

* How do I add a Letsencrypt.org SSL certificate to the Aegir Hostmaster site?

!!! WARNING !!! ###===>>> Don't enable SSL option for the Hostmaster site in Aegir !!! WARNING

Let’s Encrypt SSL for the Aegir control panel is handled by BOA outside of the control panel, and you should never enable it within the control panel.
During the octopus upgrade you will see this message, explaining what to do:

BOA [02:44:59] ==> UPGRADE B: Letsencrypt SSL initial mode: DEMO
BOA [02:44:59] ==> UPGRADE B: LE -- No real SSL certs will be generated
BOA [02:44:59] ==> UPGRADE B: LE -- To enable live SSL mode, please delete file:
BOA [02:44:59] ==> UPGRADE B: LE -- /data/disk/o1/tools/le/.ctrl/ssl-demo-mode.pid
BOA [02:44:59] ==> UPGRADE B: LE -- Then run octopus forced upgrade

* How do I modify/renew the Letsencrypt.org SSL certificate for an SSL-enabled site?

When you modify aliases or redirections, Aegir re-creates the SSL certificate on the fly, to match the current settings and alias list.

BOA runs auto-renewal checks for you weekly, and forces renewal if there are fewer than 30 days left to the certificate's expiration date (Let’s Encrypt certs are valid for 90 days before they have to be renewed). Every Verify task against an SSL-enabled site also runs this check on the fly.

* Are there any requirements, limitations or exceptions?

Yes, there are some:

* All aliases must have valid DNS names pointing to your server IP address, since Let's Encrypt validates every name it puts on the certificate by fetching a challenge from your server over HTTP
* Even with alias redirection enabled, all aliases are listed as SAN names
* Avoid renaming SSL-enabled sites; move aliases between the site's clones instead
* Before you rename a site, disable SSL first; then re-enable it once the site is renamed

NOTE: Subject Alternative Names (SAN) is the certificate feature which allows issuing multi-domain / multi-subdomain SSL certificates -- it is automated in BOA.

The Let's Encrypt API for live, real certificates has its own requirements and limits you should be aware of. Please visit their website for details:

https://community.letsencrypt.org/t/rate-limits-for-lets-encrypt/6769

To make this new BOA feature easy to test before you are ready to generate real, live SSL certificates, BOA comes with Let's Encrypt demo mode enabled by default, so it will not hit the limits enforced for live, real Let's Encrypt SSL certificates.
Demo mode generates "fake" certificates which browsers will not trust, similar to the self-signed certificate used in BOA by default.

NOTE: All sites with one or more of the keywords listed below in the site's main name (this exception rule doesn't apply to aliases) will be ignored, and will receive only self-signed SSL certificates generated by Aegir once you switch their SSL settings to `Enabled` or `Required`:

`.(dev|devel|temp|tmp|temporary|test|testing|stage|staging).`

Examples: `foo.temp.bar.org`, `foo.test.bar.org`, `foo.dev.bar.org`

NOTE: This exception rule doesn't apply to aliases which are not used as a redirection target. Even aliases with the listed keywords in their names will be listed as SAN entries, as long as they are valid DNS names.

* How do I enable live mode?

It is enough to delete the `[aegir_root]/tools/le/.ctrl/ssl-demo-mode.pid` control file and run the Verify task on any SSL-enabled site again.

NOTE: If you are on hosted BOA, you don't have access to this location on your system, so please open a ticket at: https://omega8.cc/support

You can switch back and forth between demo and live mode by adding and deleting the control file, and BOA will re-register your system via the Let's Encrypt API, but we have not tested how it may affect already generated live certificates once you run the switch many times, so please try not to abuse this feature.

It is important to remember that once you switch the Let's Encrypt mode from live to demo, or from demo to live, by adding or removing the `[aegir_root]/tools/le/.ctrl/ssl-demo-mode.pid` control file, it will not replace all previously issued certificates instantly, because certificates are updated, if needed, only when you (or the BOA system for you during its daily maintenance, if used) run Verify tasks on SSL-enabled sites.
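The rules in this section (the keyword exception, the demo/live control file, the 30-day renewal threshold and the dont-overwrite procedure for custom certificates) are easy to get wrong by hand, so here is a small POSIX shell helper that mirrors them. It is an added example, not code from BOA or hosting_le. Its assumptions: AEGIR_ROOT defaults to /data/disk/o1 (the path shown in the upgrade message above), control files and certificates live under [aegir_root]/tools/le/.ctrl and [aegir_root]/tools/le/certs as quoted in this section, the dots in the keyword pattern are read as literal dots (matching the examples given), and the expiry check is done with `openssl x509 -checkend` where the page only states the threshold.

```sh
#!/bin/sh
# Added example, not code from BOA or hosting_le: a helper that mirrors the
# decision rules described in this section so you can see what a Verify task
# would do with a site's certificate before running it.
# Assumptions for the example: AEGIR_ROOT defaults to /data/disk/o1 and the
# control files / certificates live under [aegir_root]/tools/le/.ctrl and
# [aegir_root]/tools/le/certs.
AEGIR_ROOT="${AEGIR_ROOT:-/data/disk/o1}"
RENEW_DAYS=30

# Exception rule: a keyword in the *main* site name means Aegir keeps its
# self-signed certificate. Dots are read as literal dots, matching the
# examples foo.temp.bar.org / foo.dev.bar.org (assumption, see lead-in).
le_excluded() {   # $1 = main site name
  printf '%s\n' "$1" | grep -Eq '\.(dev|devel|temp|tmp|temporary|test|testing|stage|staging)\.'
}

# Demo vs live is a single control file; demo certificates are not browser-trusted.
le_mode() {
  if [ -f "$AEGIR_ROOT/tools/le/.ctrl/ssl-demo-mode.pid" ]; then echo demo; else echo live; fi
}

# Per-site override: hosting_le leaves the certificate files alone while this exists.
le_custom_cert() {   # $1 = main site name
  [ -f "$AEGIR_ROOT/tools/le/.ctrl/dont-overwrite-$1.pid" ]
}

# Renewal threshold: renew when fewer than RENEW_DAYS days of validity remain.
# Returns 0 = renew, 1 = still fine, 2 = cannot tell (no openssl).
le_needs_renewal() {   # $1 = certificate file
  command -v openssl >/dev/null 2>&1 || return 2
  # -checkend succeeds only if the cert is still valid after N seconds;
  # an unreadable file also fails here, which correctly means "reissue".
  openssl x509 -checkend $((RENEW_DAYS * 86400)) -noout -in "$1" >/dev/null 2>&1 && return 1
  return 0
}

# What would Verify do for this site right now?
le_plan() {   # $1 = main site name
  site="$1"
  crt="$AEGIR_ROOT/tools/le/certs/$site/fullchain.pem"
  if le_excluded "$site"; then
    echo "self-signed: name matches the exception rule"
  elif le_custom_cert "$site"; then
    echo "custom: dont-overwrite control file present, LE cert not touched"
  elif [ ! -s "$crt" ]; then
    echo "issue: new $(le_mode) certificate"
  else
    rc=0; le_needs_renewal "$crt" || rc=$?
    case $rc in
      0) echo "renew: fewer than $RENEW_DAYS days left ($(le_mode) mode)" ;;
      1) echo "keep: current certificate still valid" ;;
      *) echo "unknown: openssl not available to check expiry" ;;
    esac
  fi
}

# The four-step custom certificate procedure from this section, with the
# check that is easy to skip by hand: the key must belong to the first (leaf)
# certificate in the chain, otherwise Nginx rejects the pair on reload.
le_install_custom_cert() {   # $1 = site, $2 = private key file, $3 = full chain file
  site="$1"; key="$2"; chain="$3"
  dir="$AEGIR_ROOT/tools/le/certs/$site"
  ctrl="$AEGIR_ROOT/tools/le/.ctrl"
  [ -s "$key" ] && [ -s "$chain" ] || { echo "missing key or chain file" >&2; return 1; }
  if command -v openssl >/dev/null 2>&1; then
    [ "$(openssl pkey -in "$key" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$chain" -noout -pubkey 2>/dev/null)" ] \
      || { echo "privkey.pem does not match the leaf certificate in fullchain.pem" >&2; return 1; }
  fi
  mkdir -p "$ctrl" "$dir"
  : > "$ctrl/dont-overwrite-$site.pid"             # step 1: freeze this site for hosting_le
  rm -f "$dir/privkey.pem" "$dir/fullchain.pem"    # steps 2-3: drop the symlinks ...
  cp "$key" "$dir/privkey.pem" && chmod 600 "$dir/privkey.pem"        # ... and install plain files
  cp "$chain" "$dir/fullchain.pem" && chmod 644 "$dir/fullchain.pem"
  echo "installed; now run the Verify task for $site"   # step 4 happens in the control panel
}
```

Run `le_plan www.example.com` before a Verify task to see which branch the site falls into; `le_install_custom_cert` refuses a key that does not match the leaf certificate, so a mismatched pair is caught before it reaches Nginx.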
The Verify tasks that BOA schedules for you normally run weekly, between Monday and Sunday, depending on the first character of the site's main name, so both live and demo certificates may still work in parallel for SSL-enabled sites until it is their turn to run Verify and update the certificate according to the currently set Let's Encrypt mode.

NOTE: You may find some helpful details in the Verify task log -- look for lines with the `[hosting_le]` prefix.

* How do I replace the Let's Encrypt certificate with a custom certificate?

1. Create an empty control file (replace `example.com` with your site name):
   `[aegir_root]/tools/le/.ctrl/dont-overwrite-example.com.pid`

2. Replace the `privkey.pem` symlink with a single file containing your custom certificate's private key -- use `privkey.pem` as the filename in the directory:
   `[aegir_root]/tools/le/certs/example.com/`

3. Replace the `fullchain.pem` symlink with a single file containing your custom certificate followed by all intermediate certificates beneath it -- use `fullchain.pem` as the filename in the same directory:
   `[aegir_root]/tools/le/certs/example.com/`

4. Run the Verify task for your site in the Aegir control panel. Done!

NOTE: If you are on hosted BOA, you don't have access to this location on your system, so please open a ticket at: https://omega8.cc/support

###
#-### Support for PHP-FPM version switch per Octopus instance (also per site)
###
### ~/static/control/fpm.info
###
### This file, if it exists and contains a supported and installed PHP-FPM
### version, will be used by the system agent (which runs every 2-3 minutes)
### to switch the PHP-FPM version used for serving web requests by this
### Octopus instance.
###
### IMPORTANT: If used, it will switch PHP-FPM for all Drupal sites
### hosted on the instance, unless the multi-fpm.info control file also exists.
###
### Supported values for single PHP-FPM mode which can be written in this file:
###
### 7.0
### 5.6
### 5.5
### 5.4
### 5.3
###
### NOTE: There must be only one line and one value (like: 7.0) in this file.
### Otherwise it will be ignored.
###
### It is now possible to make all installed PHP-FPM versions available
### simultaneously for sites on the Octopus instance with an additional
### control file:
###
### ~/static/control/multi-fpm.info
###
### This file, if it exists, will switch all hosted sites to the highest
### available PHP-FPM version within the 5.3-5.6 range, with the ability
### to override the PHP-FPM version per site, if the site's name is listed
### in this additional control file, as shown below:
###
### foo.com 7.0
### bar.com 5.5
### old.com 5.3
###
### NOTE: Each line in the multi-fpm.info file must start with the main site
### name, followed by a single space, and then the PHP-FPM version to use.
###
###
#-### Support for PHP-CLI version switch per Octopus instance (all sites)
###
### ~/static/control/cli.info
###
### This file, while similar to fpm.info, if it exists and contains a supported
### and installed PHP version, will be used by the system agent (which runs
### every 2-3 minutes) to switch the PHP-CLI version for this Octopus instance,
### but it does this for all hosted sites. There is no option to switch this
### or override it per hosted site.
###
### NOTE: While the current Aegir version 3.x included in BOA works fine with
### the latest PHP 7.0, many hosted sites, especially those using Pressflow 6
### core or an older Drupal 7 core without the required patch we have included
### since 7.43.2, will not work properly and Aegir tasks run against those sites
### may fail, so it's recommended to use PHP-CLI 5.6, unless you have verified
### that all sites on the instance support PHP 7.0 without issues.
###
### Supported values which can be written in this file:
###
### 7.0
### 5.6
### 5.5
### 5.4
### 5.3
###
### There must be only one line and one value (like: 5.6) in this control file.
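As an added example (not the BOA agent's own code), the following POSIX shell resolves which PHP-FPM and PHP-CLI versions the three control files above select for a given site, including the malformed-file cases that make a file ignored. `CTRL` and `INSTALLED` are assumptions for the example; the real agent checks which PHP builds exist on the server. One assumption goes slightly beyond the text: a multi-fpm.info line naming a version that is not installed is treated as if the site were not listed.

```sh
#!/bin/sh
# Added example, not BOA's agent code: resolve which PHP-FPM and PHP-CLI
# version the ~/static/control files select, following the rules in this
# section. CTRL and INSTALLED are assumptions for the example.
CTRL="${CTRL:-$HOME/static/control}"
INSTALLED="${INSTALLED:-5.3 5.4 5.5 5.6 7.0}"

is_installed() {   # $1 = version string like 5.6
  case " $INSTALLED " in *" $1 "*) return 0 ;; esac
  return 1
}

# fpm.info and cli.info: exactly one value on one line, and that value must be
# an installed version; anything else (two values, two lines, "5.2") is ignored.
single_version() {   # $1 = control file; prints the version, or fails if ignored
  f="$1"
  [ -f "$f" ] || return 1
  set -- $(cat "$f")
  [ $# -eq 1 ] && is_installed "$1" || return 1
  echo "$1"
}

# Default for multi-FPM mode: the highest installed version in the 5.3-5.6 range.
multi_default() {
  printf '%s\n' $INSTALLED | grep -E '^5\.[3-6]$' | sort -t. -k2,2n | tail -n 1
}

# PHP-FPM version serving web requests for a given main site name.
fpm_version() {   # $1 = main site name
  site="$1"
  if [ -f "$CTRL/multi-fpm.info" ]; then
    # A valid override line is exactly "<site> <version>" with a single space;
    # a listed version that is not installed falls back to the default (assumption).
    v=$(awk -v s="$site" 'NF == 2 && $0 == (s " " $2) { print $2; exit }' "$CTRL/multi-fpm.info")
    if [ -n "$v" ] && is_installed "$v"; then echo "$v"; else multi_default; fi
  elif v=$(single_version "$CTRL/fpm.info"); then
    echo "$v"       # single-FPM mode: one version for every site on the instance
  else
    echo unchanged  # no valid control file: the agent does not switch anything
  fi
}

# PHP-CLI is always instance-wide; there is no per-site override.
cli_version() {
  single_version "$CTRL/cli.info" || echo unchanged
}
```

Call `fpm_version foo.com` after editing the control files to confirm the agent will read them the way you intended; the two-space and unknown-version cases are the ones that silently fall back to the default.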
### A cli.info file with more than one line, or with a value that is not an
### installed version, is ignored.
###
###
#-### Support for forced Drush cache clear in the Aegir backend
###
### ~/static/control/clear-drush-cache.info
###
### The Octopus instance will pause all scheduled tasks in its queue if it
### detects a platform build from a makefile in progress, to make sure
### that no other running task can break the build.
###
### This is great, until there is a broken build and Drush fails to clean
### up all leftovers from its .tmp/cache directory, which in turn will pause
### all tasks in the queue for up to 24-48 hours, until the cache directory
### is automatically purged by the daily cleanup tasks, which are designed
### not to touch anything not old enough (24 hours at minimum) so as not to
### break any running builds.
###
### If you need to unlock the tasks queue by forcefully removing everything
### from the Aegir backend Drush cache, you can create an empty control file:
### ~/static/control/clear-drush-cache.info
###
### You have to delete this file once the tasks queue is unlocked again,
### or it will forcefully clear the Drush cache on every run, which in turn
### will break all future attempts to build a platform from a makefile via
### the Aegir control panel interface.
###

###
#-### BOA can run Debian Wheezy to Debian Jessie upgrades easily
###

This feature works like it worked before for `_LENNY_TO_SQUEEZE=YES` and then for `_SQUEEZE_TO_WHEEZY=YES`. But make sure you follow all the steps exactly as listed below:

1. Upgrade both barracuda and octopus to current stable:

$ cd;wget -q -U iCab http://files.aegir.cc/BOA.sh.txt;bash BOA.sh.txt
$ barracuda up-stable
$ octopus up-stable all both

NOTE: You can upgrade octopus selectively, if you still need one instance running the old stable BOA-2.4.9 version, for example:

$ octopus up-2.4 o1 force
$ octopus up-stable o2 force
$ octopus up-stable o3 force

2. Add to your /root/.barracuda.cnf this line:

_WHEEZY_TO_JESSIE=YES

3. Run another barracuda upgrade with the command:

$ barracuda up-stable

4. If there are no errors reported, try to run a manual update:

$ aptitude update
$ aptitude full-upgrade

It should tell you that there are no packages left to upgrade.

5. Reboot your system (preferably via remote console):

$ reboot

6. Run the barracuda upgrade again:

$ barracuda up-stable

7. Try to run a manual update:

$ aptitude update
$ aptitude full-upgrade

It should tell you that there are no packages left to upgrade.

8. Congrats! You are running BOA stable on Debian Jessie.

# New features and enhancements:

* Add all aliases as Subject Alternative Names in Let's Encrypt certs -- #941
* Add auto-renewal procedure for Let's Encrypt certs -- #942
* Add option to exclude *.tar.gz Drush archives in backboa -- #936
* Add Restaurant 1.11
* Add support for arbitrarily selected redirection targets as valid SSL names
* Allow to define PHP-FPM version per hosted site -- #935
* Allow to use drush7 and drush8 on command line directly
* Even with redirection enabled all aliases are listed as SAN names -- #964
* Feature: _WHEEZY_TO_JESSIE major upgrade procedure -- #870
* Let's Encrypt support -- #500
* New Relic integration compatibility with multi-FPM mode
* Support for forced Drush cache clear in the Aegir backend
* Use Let's Encrypt for Hostmaster site (after Octopus upgrade) -- #940

# Changes:

* Do not allow XtraDB to crash the server due to a single broken cache table
* Nginx: Use faster 301/302 redirects
* Nginx: Use only TLSv1.1 TLSv1.2
* Redis: Exclude cache_form bin again to avoid rare issues with contrib
* Use dynamic httpredir.debian.org mirrors

# System upgrades:

* cURL 7.49.0 (if installed from sources)
* Jetty 9.2.16.v20160414
* Nginx 1.11.0
* PHP 5.5.36
* PHP 5.6.22
* PHP 7.0.7
* Redis 3.2.0
* SLF4J 1.7.21

# Fixes:

* Add compatibility with "config.sh" renamed to "config" in letsencrypt.sh
* Add ssl_trusted_certificate directive required by ssl_stapling
* Add warning: "Don't enable SSL option for the Hostmaster site in Aegir" -- #962
* Check if parent dir exists before touching ctrl file -- #945
* Do not clear drush cache on every hosting-dispatch -- #943
* Do not create Letsencrypt cert for Hostmaster if still in demo mode
* Do not force PHP rebuild on new cURL install from sources
* Drush is broken error -- clear drush cache before testing it -- #946
* Fix for backward compatibility with FPM pool tpl in 2.4
* Fix for Chive auth (via SSH) access filtering
* Fix for conflicting Jetty libs
* Fix ownership and attr on usr home dirs / subdirs
* Improve sub-accounts zombie cleanup
* Let's Encrypt SSL - switching from demo to live -- #959
* Make backboa sub-tasks delays optional and disable them by default -- #919
* Nginx: Fix for ssl_dhparam if/else logic
* Remove deprecated wildcard HTTPS warning
* Run registry-rebuild before updatedb with --no-cache-clear -- #938
* Set LE mode to DEMO on initial setup -- both on octopus install and upgrade
* Skynet upgrades for limited shell configuration -- #950
* Something is stuck after BOA upgrade to 3.0.2 -- #951
* The makefile based platform creation fails with permissions error -- #943
* The site's files should have Aegir backend user as an owner
* Use strict paths checks to avoid running chown/chmod on parent dirs

# Known problems:

https://github.com/omega8cc/boa/milestones/3.1.1

# Complete changelog:

https://github.com/omega8cc/boa/blob/BOA-3.1.0/CHANGELOG.txt