Ports inaccessible from outside after bullseye migration

Hi all,
I’m running into issues with accessing my VPS via web interface. Any help very much appreciated!

My YunoHost server

Hardware: VPS bought online
YunoHost version: 11.1.0.2
I have access to my server : Through SSH
Are you in a special context or did you perform some particular tweaking on your YunoHost instance ? : no

Description of my issue

After the migration to Bullseye, no ports (except 22) are accessible from outside according to the diagnosis (see diagnosis output at bottom), and I can’t access my server’s web interface (or any app on it). All services appear to be running correctly.

At first I thought the migration completed successfully since Debian says it’s at bullseye, and the yunohost version is at 11, and the migration says it’s done:

migrations:
  0:
    description: Upgrade the system to Debian Bullseye and YunoHost 11.x
    disclaimer: None
    id: 0021_migrate_to_bullseye
    mode: manual
    name: migrate_to_bullseye
    number: 21
    state: done

However when I dug up the log, it looks like it errored out (link to full log below):

2022-11-04 04:26:58,346: ERROR - Migration 0021_migrate_to_bullseye did not complete, aborting. Error: Failed to reinstall mariadb-common ?
Traceback (most recent call last):
  File "/usr/lib/moulinette/yunohost/tools.py", line 944, in tools_migrations_run
    migration.run()
  File "/usr/lib/moulinette/yunohost/data_migrations/0021_migrate_to_bullseye.py", line 174, in run
    raise YunohostError("Failed to reinstall mariadb-common ?", raw_msg=True)
yunohost.utils.error.YunohostError: Failed to reinstall mariadb-common ?

I’ve seen other topics with this error, but they seemed to fix it by rerunning the migration, which I can’t.

  • Is there anything else I should check related to the ports?
  • Is there a way to rerun the migration (if that’s even advisable)?

I’d very much appreciate advice on what could be causing the ports to be inaccessible or why the migration seemed to fail, but also shows as completed.

Thanks in advance!

Log of migration: hastebin

Ports Diagnosis Output:

=================================
Ports exposure (ports)
=================================

[ERROR] Port 25 is not reachable from the outside.
  - Exposing this port is needed for email features (service postfix)
  - To fix this issue, you most probably need to configure port forwarding on your internet router as described in https://yunohost.org/isp_box_config

[ERROR] Port 80 is not reachable from the outside.
  - Exposing this port is needed for web features (service nginx)
  - To fix this issue, you most probably need to configure port forwarding on your internet router as described in https://yunohost.org/isp_box_config

[ERROR] Port 443 is not reachable from the outside.
  - Exposing this port is needed for web features (service nginx)
  - To fix this issue, you most probably need to configure port forwarding on your internet router as described in https://yunohost.org/isp_box_config

[ERROR] Port 587 is not reachable from the outside.
  - Exposing this port is needed for email features (service postfix)
  - To fix this issue, you most probably need to configure port forwarding on your internet router as described in https://yunohost.org/isp_box_config

[ERROR] Port 993 is not reachable from the outside.
  - Exposing this port is needed for email features (service dovecot)
  - To fix this issue, you most probably need to configure port forwarding on your internet router as described in https://yunohost.org/isp_box_config

[ERROR] Port 5222 is not reachable from the outside.
  - Exposing this port is needed for xmpp features (service metronome)
  - To fix this issue, you most probably need to configure port forwarding on your internet router as described in https://yunohost.org/isp_box_config

[ERROR] Port 5269 is not reachable from the outside.
  - Exposing this port is needed for xmpp features (service metronome)
  - To fix this issue, you most probably need to configure port forwarding on your internet router as described in https://yunohost.org/isp_box_config

Services status:

distbin:
  configuration: unknown
  description: Distributed pastebin
  last_state_change: 2022-11-05 05:43:55
  start_on_boot: enabled
  status: running
dnsmasq:
  configuration: valid
  description: Handles domain name resolution (DNS)
  last_state_change: 2022-11-05 05:43:56
  start_on_boot: enabled
  status: running
dovecot:
  configuration: unknown
  description: Allows e-mail clients to access/fetch email (via IMAP and POP3)
  last_state_change: 2022-11-05 05:43:57
  start_on_boot: enabled
  status: running
fail2ban:
  configuration: valid
  description: Protects against brute-force and other kinds of attacks from the Internet
  last_state_change: 2022-11-05 05:44:00
  start_on_boot: enabled
  status: running
gitea:
  configuration: unknown
  description: Gitea
  last_state_change: 2022-11-05 05:43:57
  start_on_boot: enabled
  status: running
gogs:
  configuration: unknown
  description: Gogs (Go Git Service)
  last_state_change: 2022-11-05 05:43:57
  start_on_boot: enabled
  status: running
metronome:
  configuration: unknown
  description: Manage XMPP instant messaging accounts
  last_state_change: 2022-11-06 00:00:05
  start_on_boot: enabled
  status: running
mysql:
  configuration: unknown
  description: Stores app data (SQL database)
  last_state_change: 2022-11-05 05:43:57
  start_on_boot: enabled
  status: running
nginx:
  configuration: valid
  description: Serves or provides access to all the websites hosted on your server
  last_state_change: 2022-11-05 05:44:00
  start_on_boot: enabled
  status: running
php7.4-fpm:
  configuration: valid
  description: The PHP 7.4 FastCGI Process Manager
  last_state_change: 2022-11-05 05:43:58
  start_on_boot: enabled
  status: running
postfix:
  configuration: unknown
  description: Used to send and receive e-mails
  last_state_change: 2022-11-05 05:43:58
  start_on_boot: enabled
  status: running
postgresql:
  configuration: unknown
  description: Stores app data (SQL database)
  last_state_change: 2022-11-05 05:43:59
  start_on_boot: enabled
  status: running
redis-server:
  configuration: unknown
  description: A specialized database used for rapid data access, task queue, and communication between programs
  last_state_change: 2022-11-05 05:43:55
  start_on_boot: enabled
  status: running
rspamd:
  configuration: unknown
  description: Filters spam, and other e-mail related features
  last_state_change: 2022-11-05 05:43:56
  start_on_boot: enabled
  status: running
slapd:
  configuration: valid
  description: Stores users, domains and related info
  last_state_change: 2022-11-05 05:43:55
  start_on_boot: enabled
  status: running
ssh:
  configuration: valid
  description: Allows you to connect remotely to your server via a terminal (SSH protocol)
  last_state_change: 2022-11-05 05:43:55
  start_on_boot: enabled
  status: running
tiddlywiki:
  configuration: unknown
  description: A non-linear personal web notebook
  last_state_change: 2022-11-05 05:43:55
  start_on_boot: enabled
  status: running
ttrss:
  configuration: unknown
  description: News feed reader and aggregator
  last_state_change: 2022-11-05 05:43:57
  start_on_boot: enabled
  status: running
yunohost-api:
  configuration: unknown
  description: Manages interactions between the YunoHost web interface and the system
  last_state_change: 2022-11-05 05:43:55
  start_on_boot: enabled
  status: running
yunohost-firewall:
  configuration: unknown
  description: Manages open and close connection ports to services
  last_state_change: 2022-11-05 05:44:00
  start_on_boot: enabled
  status: running
yunomdns:
  configuration: unknown
  description: Allows you to reach your server using 'yunohost.local' in your local network
  last_state_change: 2022-11-05 05:43:55
  start_on_boot: enabled
  status: running

I assume you have access to the OS console,
first of all check with your VPS provider if UPnP is supported for opening ports, if yes,
log in as admin
then, log in as root with the command
sudo su
then run the command
yunohost firewall upnp enable
that should open ports 80 and 443 for you automatically, along with many other ports (not all ports),
if it succeeds you will see the messages “success ! firewall reloaded” and “upnp turned on”
once done you can check if you have access to your domain,

if that does not help,
try using nmap to check the status of the port, whether it's filtered or closed,
if you have Windows, download nmap for Windows and install it, after the installation open cmd and type “nmap yourdomain -p 80”
it should tell you if the port is closed or filtered,
filtered means it's blocked by a firewall, closed means worse, it's blocked by the router/server itself, which means something is wrong with the VPS hoster and you should talk to them about that,
in any case you need to try to fix the system from the system console yourself, without involving YunoHost, as YunoHost might be broken,

in the OS console, first type these commands:
apt install -f
then
apt --fix-missing update
then
sudo apt-get clean
then
apt --fix-broken install
then
sudo dpkg --configure -a
after all that, run update
sudo apt-get update

reboot your machine

then run the upnp command again
yunohost firewall upnp enable

then run
yunohost dyndns update

if you now have access to your YunoHost website
try to upgrade your system with YunoHost

you can also try to disable the YunoHost firewall with the command:
yunohost firewall stop

Hi izakis, thanks for the advice.

I tried to enable upnp, but it looks like my vps provider does not support this:

$ sudo yunohost firewall upnp enable
[sudo] password for admin:
Success! Firewall reloaded
Error: No UPnP device found
Success! Firewall reloaded
Error: Could not open port via UPnP

Using nmap, I was able to confirm that the other ports were filtered rather than closed. I tried the sequence of commands you suggested (see below for the results), but afterwards, upnp still couldn’t be enabled.

I also tried disabling yunohost firewall via yunohost firewall stop as well as yunohost service stop yunohost-firewall. Neither of those seem to have made a difference.

Is there any other component of yunohost that could be filtering those ports?

Thanks again,
Nathan

$ sudo apt install -f
[sudo] password for admin:
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
0 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.
$ sudo apt --fix-missing update
Hit:1 http://security.debian.org/debian-security bullseye-security InRelease
Hit:2 http://forge.yunohost.org/debian bullseye InRelease
Hit:3 http://ftp.us.debian.org/debian bullseye InRelease
Hit:4 https://packages.sury.org/php bullseye InRelease
Get:5 http://ftp.us.debian.org/debian bullseye-updates InRelease [44.1 kB]
Hit:6 https://packages.grafana.com/oss/deb stable InRelease
Get:7 https://download.docker.com/linux/debian bullseye InRelease [43.3 kB]
Fetched 87.4 kB in 2s (43.9 kB/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
All packages are up to date.
$ sudo apt-get clean
$ sudo apt --fix-broken install
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
0 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.
$ sudo dpkg --configure -a
$ sudo apt-get update
Hit:1 http://ftp.us.debian.org/debian bullseye InRelease
Hit:2 http://ftp.us.debian.org/debian bullseye-updates InRelease
Hit:3 http://forge.yunohost.org/debian bullseye InRelease
Hit:4 http://security.debian.org/debian-security bullseye-security InRelease
Hit:5 https://packages.sury.org/php bullseye InRelease
Hit:6 https://packages.grafana.com/oss/deb stable InRelease
Get:7 https://download.docker.com/linux/debian bullseye InRelease [43.3 kB]
Fetched 43.3 kB in 2s (22.7 kB/s)
Reading package lists... Done

hi nathan
most ports are filtered by nature, they are not open for no reason, unless there is a service that will serve them, for example if you open port 80 on your router and there is no HTTP service or any other service being served on that port, port checkers will indicate that port as closed, or else filtered if a firewall is running in the background,

if the UPnP API doesn’t work on your host, the only way I see it is that you need to get out of YunoHost's control and try to take control with the native system commands only, at least until the system is fully fixed, then you can keep messing with YunoHost,

in some cases we don't have a choice,

to your question whether there are any components that can block ports, the answer is no, only a firewall can block ports, or else there being no services that will serve them,

if I were in your situation I would take down the whole firewall natively first,

run these commands to completely stop the firewall on your Linux machine (iptables)

first make a backup of your firewall configuration with the command:
sudo iptables-save > /root/firewall.rules

then,
stop (terminate) the firewall with these commands, one by one,
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

that’s it, now your firewall is not doing anything, the system is completely open and vulnerable

check if you have an internet connection inside your machine by running ifconfig and checking that you have a valid dedicated DHCP IP from your hoster's router/server for ens33 or whatever your network adapter name is, it's supposed to be the first one,

once you are sure you have an IP for your machine, try to get out with a ping to the Cloudflare DNS
run the command:
ping 1.1.1.1
it should show you that it is sending and receiving a ping every second,
if it's stuck (not moving) you don't even have an internet connection on your system

now if you have an internet connection
update yunohost dyndns again to make sure your domain is reachable
yunohost dyndns update
wait a little bit to let the DNS be updated on their servers and try checking with nmap again
it should show you that port 80 is open (in case the http server is running normally)

in any case try to reach your yunohost admin panel

if all goes right and you did reach the admin, you're now in a better situation and from there you can start trying to fix YunoHost through the GUI

about the firewall rules, we did make a backup before so we can restore it to the same state it was in, even though I don't see any sense in restoring it yourself, if there were issues with the firewall they will come back, so YunoHost will fix the firewall for you with the help of the diagnosis tool,

in any case if you want to bring back your firewall configuration you can do so with the next command:
iptables-restore < /root/firewall.rules

if all of this doesn’t help
and you have many important things on that server and you think you can go crazy to reinstall it,
you can try to download your server to your own computer at home and work on it locally,
in any case I believe these kinds of providers do provide tools for such things,

I don't have any experience with them because I do it all myself on my own machine at home in VMware, it's easier for me to back up or fix any issue, my computer is running 24/7 anyway

but you can always reinstall it, and this time be careful not to take any step before you have an image copy or some kind of whole-server backup,
don't trust these types of backups inside the system, which are a part of the system,
if the system is defective they will never help you anymore,

for me, I have YunoHost on VMware, so I simply right-click on my YunoHost VM folder and 7zip it, the strongest compression will turn a file of 28 GB into just about 4, and then my whole server is backed up, if something goes wrong I just extract the server and it's fresh and healthy
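
An added example, not part of any post in this thread: a host-side triage for the question raised earlier ("could another component be filtering those ports?") that checks, per port, whether a service listens on a non-loopback address and whether the INPUT chain accepts it. The function names and the sample `ss -H -tln` / `iptables -S INPUT` text are constructed for illustration. A result of `host-ok-look-upstream` means the host itself is not the blocker, so filtering outside the machine (for example a provider-side firewall) is the next thing to check.

```shell
# Inputs are the text of `ss -H -tln` and `iptables -S INPUT`.
# listener_state SS_TEXT PORT -> none | loopback | public
listener_state() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 == "LISTEN" {
            n = split($4, a, ":"); p = a[n]   # field 4 is local address:port
            if (p != port) next
            addr = substr($4, 1, length($4) - length(p) - 1)
            if (addr ~ /^127\./ || addr == "[::1]") lo = 1; else pub = 1
        }
        END { print (pub ? "public" : (lo ? "loopback" : "none")) }'
}

# firewall_verdict RULES_TEXT PORT -> ACCEPT | DROP | REJECT
# Simplification (assumption): only the INPUT policy and tcp rules naming the
# port with --dport are evaluated; the first such rule wins, else the policy.
firewall_verdict() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 == "-P" && $2 == "INPUT" { policy = $3 }
        $1 == "-A" && $2 == "INPUT" && !hit {
            proto = dport = target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") dport = $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
            if (proto == "tcp" && dport == port && target ~ /^(ACCEPT|DROP|REJECT)$/) { hit = 1; verdict = target }
        }
        END { print (hit ? verdict : policy) }'
}

# triage SS_TEXT RULES_TEXT PORT -> one-word diagnosis for that port
triage() {
    case "$(listener_state "$1" "$3")" in
        none)     echo "no-listener" ;;
        loopback) echo "loopback-only" ;;
        public)   [ "$(firewall_verdict "$2" "$3")" = "ACCEPT" ] \
                      && echo "host-ok-look-upstream" || echo "host-firewall-blocks" ;;
    esac
}

# Constructed sample data (not taken from the thread).
SS_SAMPLE='LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 100 127.0.0.1:25 0.0.0.0:*
LISTEN 0 511 [::]:443 [::]:*'
RULES_SAMPLE='-P INPUT DROP
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT'
for p in 25 80 443 993; do echo "$p: $(triage "$SS_SAMPLE" "$RULES_SAMPLE" "$p")"; done
```

On a live server, pass `"$(ss -H -tln)"` and `"$(iptables -S INPUT)"` (run as root) as the first two arguments to `triage`.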

Hi again izakis,
I tried to disable the firewall via iptables, but even after that none of the ports appear accessible.

I’ve also double-checked that I have internet access from the machine and that appears to work ok.

I do have backups from before the migration, so I think I will try to restore them to a fresh instance.

I like your method of hosting, I might try that in future to avoid issues like this.

Thanks again for the help and advice!

just a note nathan
you said “I tried to disable the firewall via iptables”
you did destroy the firewall itself by those commands, iptables IS the firewall,
there are two firewalls in linux systems, one called iptables and the other is ufw, which is not in use in debian out of the box (more in ubuntu), and is for sure not installed on yunohost.

after all those commands the ports are not open at all, there is a serious issue with the operating system, it is not capable of serving any inbound packets, probably some synaptics got defected by the upgrade.

Thanks for the clarification about iptables, that’s good to know.

I think it was probably some deeper issue with the OS migration, as you suggest. I’ve reinstalled and restored from backup and it’s pretty much back to normal (at least my ports are open).

One last thanks for your advice izakis, it’s much appreciated.
