Where to look for errors

The LEAP Platform is a set of complementary packages and server recipes to automate the maintenance of LEAP services in a hardened Debian environment.

General

Firewall

Every node in your provider has its own restrictive firewall, but you might have a network firewall in place as well that is not managed by LEAP platform. To see what ports and addresses must be open, run this command:

    workstation$ leap compile firewall

If any of those are blocked, then your provider will not work.

Webapp

Places to look for errors

Is haproxy OK?

    curl -s -X GET "http://127.0.0.1:4096"

Is couchdb accessible through stunnel?

Check couchdb acl as admin

    mkdir -p /etc/couchdb  # -p: do not fail if the directory already exists
    cat /srv/leap/webapp/config/couchdb.yml.admin  # see username and password
    echo "machine 127.0.0.1 login admin password <PASSWORD>" > /etc/couchdb/couchdb-admin.netrc
    chmod 600 /etc/couchdb/couchdb-admin.netrc

    curl -s --netrc-file /etc/couchdb/couchdb-admin.netrc -X GET "http://127.0.0.1:4096"
    curl -s --netrc-file /etc/couchdb/couchdb-admin.netrc -X GET "http://127.0.0.1:4096/_all_dbs"

Check couchdb acl as unprivileged user

    cat /srv/leap/webapp/config/couchdb.yml  # see username and password
    echo "machine 127.0.0.1 login webapp password <PASSWORD>" > /etc/couchdb/couchdb-webapp.netrc
    chmod 600 /etc/couchdb/couchdb-webapp.netrc

    curl -s --netrc-file /etc/couchdb/couchdb-webapp.netrc -X GET "http://127.0.0.1:4096"
    curl -s --netrc-file /etc/couchdb/couchdb-webapp.netrc -X GET "http://127.0.0.1:4096/_all_dbs"

All URLs accessible?

Check client config files

Soledad

/var/log/soledad.log

Couchdb

Places to look for errors

Databases

    curl -s --netrc-file /etc/couchdb/couchdb.netrc -X GET 'http://127.0.0.1:5984/_all_dbs'
    ["customers","identities","sessions","shared","tickets","tokens","user-0","user-9d34680b01074c75c2ec58c7321f540c","user-9d34680b01074c75c2ec58c7325fb7ff","users"]

Design Documents

    curl -s --netrc-file /etc/couchdb/couchdb.netrc -X GET "http://127.0.0.1:5984/users/_design/User"

Is couchdb cluster backend accessible through stunnel?

    grep "accept = 127.0.0.1" /etc/stunnel/*
    nc -v 127.0.0.1 4000
    nc -v 127.0.0.1 4001
    ...
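
The grep-and-nc check above, automated as an added example (not part of the LEAP platform or of the original page): it lists every accept = 127.0.0.1:<port> line under /etc/stunnel and probes each port. The function names, the sample configuration and its service names are constructed for illustration.

```shell
#!/bin/sh
# Added example: enumerate local stunnel listeners, then probe each one.

# Print "<service> <port>" for every "accept = 127.0.0.1:<port>" line.
stunnel_local_ports() {
    for f in "${1:-/etc/stunnel}"/*; do
        [ -f "$f" ] || continue
        awk '
            BEGIN { svc = "global" }
            /^[ \t]*[#;]/ { next }                      # skip comment lines
            /^[ \t]*\[/ {                               # [service] header
                svc = $0; sub(/^[ \t]*\[/, "", svc); sub(/\].*$/, "", svc); next
            }
            /^[ \t]*accept[ \t]*=[ \t]*127\.0\.0\.1:[0-9]+/ {
                port = $0; sub(/^[^:]*:/, "", port); sub(/[^0-9].*$/, "", port)
                print svc, port
            }' "$f"
    done
}

# Probe each listener; a CLOSED line means nothing accepts on that port.
probe_stunnel_ports() {
    stunnel_local_ports "$1" | while read -r svc port; do
        if nc -z -w 2 127.0.0.1 "$port" 2>/dev/null; then
            echo "ok     $svc 127.0.0.1:$port"
        else
            echo "CLOSED $svc 127.0.0.1:$port"
        fi
    done
}

# Constructed sample configuration (hypothetical names, not from a real node).
make_sample_dir() {
    d=$(mktemp -d) || return 1
    cat > "$d/couch_client.conf" <<'EOF'
; constructed sample
client = yes
# accept = 127.0.0.1:4999
[couch_1_4000]
accept = 127.0.0.1:4000
connect = couch1.example.org:15984
[couch_2_4001]
accept = 127.0.0.1:4001
connect = couch2.example.org:15984
EOF
    printf '[couch_server]\naccept = 10.0.0.5:15984\n' > "$d/couch_server.conf"
    echo "$d"
}

sample=$(make_sample_dir) && stunnel_local_ports "$sample"; rm -rf "$sample"
```

On a node, run probe_stunnel_ports with no argument to check the listeners configured in /etc/stunnel.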

MX

Places to look for errors

Is couchdb accessible through stunnel?

Query leap-mx

    postmap -v -q  "joe@dev.bitmask.net" tcp:localhost:2244
    ...
    postmap: dict_tcp_lookup: send: get jow@dev.bitmask.net
    postmap: dict_tcp_lookup: recv: 200
    ...
    postmap -v -q  "joe@dev.bitmask.net" tcp:localhost:4242
    ...
    postmap: dict_tcp_lookup: send: get joe@dev.bitmask.net
    postmap: dict_tcp_lookup: recv: 200 f01bc1c70de7d7d80bc1ad77d987e73a
    postmap: dict_tcp_lookup: found: f01bc1c70de7d7d80bc1ad77d987e73a
    f01bc1c70de7d7d80bc1ad77d987e73a
    ...

Check couchdb acl as unprivileged user

    cat /etc/leap/mx.conf  # see username and password
    echo "machine 127.0.0.1 login leap_mx password <PASSWORD>" > /etc/couchdb/couchdb-leap_mx.netrc
    chmod 600 /etc/couchdb/couchdb-leap_mx.netrc

    curl -s --netrc-file /etc/couchdb/couchdb-leap_mx.netrc -X GET "http://127.0.0.1:4096/_all_dbs"   # pick one "user-<hash>" db
    curl -s --netrc-file /etc/couchdb/couchdb-leap_mx.netrc -X GET "http://127.0.0.1:4096/user-de9c77a3d7efbc779c6c20da88e8fb9c"

Mailspool

    ls -la /var/mail/vmail/Maildir/cur/
    mailq

Testing mail delivery

    swaks -f alice@example.org -t bob@example.net -s mx1.example.net --port 25
    swaks -f varac@cdev.bitmask.net -t varac@cdev.bitmask.net -s chipmonk.cdev.bitmask.net --port 465 --tlsc
    swaks -f alice@example.org -t bob@example.net -s mx1.example.net --port 587 --tls

VPN

Places to look for errors