I ended up deleting /etc/ssh config files and reinstalling ssd. Everything seems to be working now.

I changed the default SSH port and tried to login again. The SSH wouldn't connect without "-oKexAlgorithms=+diffie-hellman-group1-sha1", but when I use this parameter, the SSH refuses to log me in! I can login from the server console directly (keyboard and monitor connected to the server), but not remotely over SSH!

Suspicious Message from SSH Server!

I just got a strange message when I was trying to login! I launched the macOS Terminal app and typed:

I didn't get the usual password prompt, instead I got this message:

Unable to negotiate with 192.168.1.2 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1

I searched the Internet and found that passing the argument "-oKexAlgorithms=+diffie-hellman-group1-sha1" to the ssh command would pass this message. But when I tried to login with the said argument, I got this message:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
SHA256:qWRhA4Y948bweEJTLM0uYCH6IFUMm9QiA0lnSF6aR0Y.
Please contact your system administrator.
Add correct host key in /Users/mac/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /Users/mac/.ssh/known_hosts:56
RSA host key for aratab.com has changed and you have requested strict checking.
Host key verification failed.

I have not done anything to the server since I last successfully logged to it yesterday. And the auto-update is turned off. The client also (the macOS system) hasn't been changed as well. Is there something fishy going on in my server?

Most rotation is controlled by /etc/logrotate.conf and all the configlets in /etc/logrotate.d/. If you have files in /var/log/samba.old then rotation is taking place. That is how they got there in the first place.

Great news Nick.

Should testers report back their findings here in this thread or somewhere else?

Logs Rotation?

/var/log folder in my server is more than 65GB in size! The largest folder in there is ./samba/old. It's clear that no log rotation is taking place. Any idea how clearOS logrotate works and where to find its config file?

Thank you

Nick Howitt wrote:
AFAIK the ClearOS repo packages are fine. python2-cffi python2-ipaddress and python2-pyOpenSSL are not needed and python2-cryptography-1.7.2-2.el7 is fine. I have a feeling you have repo problems.

python2-cffi and python2-ipaddress are required for the newer version of python2-pyOpenSSL. python2-pyOpenSSL is a request for app-lets-encrypt.

Nick Howitt wrote:What do you get from "yum repolist".

Here is the output:

Re: Let's Encrypt Renew Failure

Ok, I got rid of all pip and rpm packages related to certbot and started fresh. The aim is to have working certbot and Let's Encrypt app.

1. Manually installing an updated version of pyOpenSSL and its dependencies, because the one in the yum repo is outdated.


2. Installed certbot and the dashboard app:

Ok, I got rid of all pip and rpm packages related to certbot and started fresh. The aim is to have working certbot and Let's Encrypt app.

1. Manually installing an updated version of pyOpenSSL and its dependencies, because the one in the yum repo is outdated.


2. Installed certbot and the dashboard app:

You are right Nick. I installed the Let’s Encrypt app after renewing the domain’s certificate. That was a mistake, because it installed old versions of the python modules (using yum) and certbot is broken again!

At least my website is working now with a renewed certificate. I’ll try to fix the issue later on and update this thread. I’ll use a simple crontab to renew certificates instead of relying on the Let’s Encrypt app.