
chore: remove acme fork #1679

Draft
gsanchietti wants to merge 49 commits into nethsecurity-8.8 from upstream_acme

Conversation

gsanchietti (Member) commented May 15, 2026

Upstream version has been updated

Refs: #1638

Certificate request is failing:

May 15 14:56:46 NethSec hook[13893]: Using CA: https://acme-v02.api.letsencrypt.org/directory
May 15 14:56:46 NethSec hook[13893]: Running pre hook:'/usr/lib/acme/notify prepare'
May 15 14:56:46 NethSec hook[13893]: Standalone mode.
May 15 14:56:46 NethSec hook[13893]: Account key creation OK.
May 15 14:56:46 NethSec hook[13893]: Registering account: https://acme-v02.api.letsencrypt.org/directory
May 15 14:56:47 NethSec hook[13893]: Registered
May 15 14:56:47 NethSec hook[13893]: ACCOUNT_THUMBPRINT='YP4c0upbxpAqFYwxW7KzKMZq1sQ0LYyUS7G3JGHozoU'
May 15 14:56:47 NethSec hook[13893]: Creating domain key
May 15 14:56:47 NethSec hook[13893]: The domain key is here: /etc/acme/acme.gs.nethserver.net/acme.gs.nethserver.net.key
May 15 14:56:47 NethSec hook[13893]: Single domain='acme.gs.nethserver.net'
May 15 14:56:49 NethSec hook[13893]: Getting webroot for domain='acme.gs.nethserver.net'
May 15 14:56:49 NethSec hook[13893]: Verifying: acme.gs.nethserver.net
May 15 14:56:49 NethSec hook[13893]: Standalone mode server
May 15 14:56:51 NethSec hook[13893]: Pending. The CA is processing your order, please wait. (1/30)
May 15 14:56:53 NethSec hook[13893]: Pending. The CA is processing your order, please wait. (2/30)
May 15 14:56:56 NethSec hook[13893]: Pending. The CA is processing your order, please wait. (3/30)
May 15 14:56:58 NethSec hook[13893]: Pending. The CA is processing your order, please wait. (4/30)
May 15 14:57:01 NethSec hook[13893]: acme.gs.nethserver.net: Invalid status. Verification error details: 138.68.70.176: Fetching http://acme.gs.nethserver.net/.well-known/acme-challenge/G-VdzGF3jFCPlQBVNOJ1P1sVVNmGi21x2gUzGf7HmwQ: Timeout during connect (likely firewall problem)
May 15 14:57:01 NethSec hook[13893]: Please add '--debug' or '--log' to see more information.
May 15 14:57:01 NethSec hook[13893]: See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
May 15 14:57:01 NethSec acme-acmesh: State moved to /etc/acme/acme.gs.nethserver.net.failed-1778857021

root@NethSec:~# cat /etc/config/acme 

config acme
	option account_email 'no-reply@nethsecurity.org'
	option debug '0'

config cert 'example_wildcard'
	option enabled '0'
	option staging '1'
	list domains 'example.org'
	list domains '*.example.org'
	option validation_method 'dns'
	option dns 'dns_freedns'
	list credentials 'FREEDNS_User="ssladmin@example.org"'
	list credentials 'FREEDNS_Password="1234"'
	option calias 'example.com'
	option dalias 'dalias.example.com'

config cert 'example_subdomain'
	option enabled '0'
	option staging '1'
	list domains 'example.net'
	list domains 'www.example.net'
	list domains 'mail.example.net'
	option validation_method 'webroot'

config cert 'testacme'
	option enabled '1'
	list domains 'acme.gs.nethserver.net'
	option key_type 'rsa2048'
	option validation_method 'standalone'
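The failure above is the CA's validation server timing out on the HTTP-01 challenge URL, which for `standalone` (and `webroot`) validation means inbound TCP/80 from the internet never reached acme.sh on the firewall. The following is an added example, not code from the NethSecurity project or from the PR author: it parses acme.sh hook log lines of the shape shown above and the UCI `cert` sections from `/etc/config/acme`, then reports, per enabled certificate, which validation method is in use, whether that method depends on inbound port 80, and, for a failed domain, the validating IP and challenge URL that could not connect. The sample log and config are re-embedded here as constructed input (a subset of the excerpt above); the regexes are assumptions based on that excerpt, not an official acme.sh log format.

```python
"""Cross-check acme.sh HTTP-01 failures against the UCI acme config.

Added example, not NethSecurity or acme.sh code. The log/config formats
matched below are assumptions taken from the excerpt in the PR description.
"""
import re

# Constructed sample input: lines copied from the PR's hook log excerpt.
SAMPLE_LOG = """\
May 15 14:56:49 NethSec hook[13893]: Standalone mode server
May 15 14:57:01 NethSec hook[13893]: acme.gs.nethserver.net: Invalid status. Verification error details: 138.68.70.176: Fetching http://acme.gs.nethserver.net/.well-known/acme-challenge/G-VdzGF3jFCPlQBVNOJ1P1sVVNmGi21x2gUzGf7HmwQ: Timeout during connect (likely firewall problem)
May 15 14:57:01 NethSec acme-acmesh: State moved to /etc/acme/acme.gs.nethserver.net.failed-1778857021
"""

# Constructed sample input: the enabled cert section from /etc/config/acme.
SAMPLE_UCI = """\
config acme
    option account_email 'no-reply@nethsecurity.org'
    option debug '0'

config cert 'testacme'
    option enabled '1'
    list domains 'acme.gs.nethserver.net'
    option key_type 'rsa2048'
    option validation_method 'standalone'
"""

# Matches the "Invalid status" line: domain, CA validator IP, fetched URL, reason.
ERR_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ hook\[\d+\]: (?P<domain>[^:\s]+): Invalid status\. "
    r"Verification error details: (?P<va_ip>[\d.]+): Fetching (?P<url>\S+): (?P<reason>.*)$"
)
SECTION_RE = re.compile(r"^config\s+(\S+)(?:\s+'([^']*)')?$")
KV_RE = re.compile(r"^(option|list)\s+(\S+)\s+'(.*)'$")

# Validation methods whose challenge is served by the firewall itself on TCP/80,
# so the CA's validators must be able to reach it from the internet.
INBOUND_80 = {"standalone", "webroot"}


def parse_uci(text):
    """Minimal UCI parser: returns a list of {type, name, options, lists}."""
    sections, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            cur = {"type": m.group(1), "name": m.group(2), "options": {}, "lists": {}}
            sections.append(cur)
            continue
        m = KV_RE.match(line)
        if m and cur is not None:
            kind, key, val = m.groups()
            if kind == "option":
                cur["options"][key] = val
            else:
                cur["lists"].setdefault(key, []).append(val)
    return sections


def parse_failures(log):
    """Return one dict per 'Invalid status' line found in the hook log."""
    return [m.groupdict() for m in map(ERR_RE.match, log.splitlines()) if m]


def diagnose(log, uci):
    """Per enabled cert domain: method, port-80 dependency, and failure detail."""
    failures = {f["domain"]: f for f in parse_failures(log)}
    report = []
    for sec in parse_uci(uci):
        if sec["type"] != "cert" or sec["options"].get("enabled") != "1":
            continue
        method = sec["options"].get("validation_method", "webroot")
        for dom in sec["lists"].get("domains", []):
            entry = {"cert": sec["name"], "domain": dom, "method": method,
                     "needs_inbound_80": method in INBOUND_80, "failure": None}
            if dom.startswith("*.") and method != "dns":
                # Wildcard names can only be validated with DNS-01.
                entry["failure"] = "wildcard domain requires validation_method 'dns'"
            elif dom in failures:
                f = failures[dom]
                if method in INBOUND_80 and "Timeout during connect" in f["reason"]:
                    entry["failure"] = (f"http-01 unreachable: CA validator {f['va_ip']} "
                                        f"could not connect to TCP/80 for {f['url']}")
                else:
                    entry["failure"] = f["reason"]
            report.append(entry)
    return report


if __name__ == "__main__":
    for e in diagnose(SAMPLE_LOG, SAMPLE_UCI):
        print(e)
```

Run it against a real box by replacing the two constructed strings with `logread -e hook` output and the contents of `/etc/config/acme`; an entry with `needs_inbound_80` true and a "Timeout during connect" failure points at the WAN firewall (or an upstream NAT) rather than at acme.sh itself, while a `dns` cert never depends on inbound port 80.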

Tbaile and others added 19 commits May 15, 2026 13:47
Replace Netdata alerting with vmalert:

- add vmalert init script (vmalert.initd) to start/stop vmalert service
- add vmalert UCI configuration file (vmalert.conf) with datasource settings
- add comprehensive alert rules
- update Makefile to install vmalert configuration and rules
- add detailed documentation of vmalert setup and metrics mapping
- support for Mimir integration when configured via ns-plug
- add ns-plug-alert-proxy that listens on 127.0.0.1:9095 and receives notifications
  from vmalert: the proxy verifies whether an alert is firing or resolved,
  then translates selected alerts to the legacy portal format and forwards
  them to my.nethesis.it or my.nethserver.com
- if Mimir credentials are present in ns-plug UCI config, the Mimir
  alertmanager endpoint is added as a second notifier alongside the proxy
- port to Victoria Metrics also alert about non-encrypted backup
- add telegraf-mwan Python script that reads /var/run/mwan3/iface_state/
  to collect WAN interface connectivity state.
- add telegraf-services Python script that queries ubus to collect the
  running state of all procd-managed services. Outputs JSON for

Assisted-by: Copilot:Sonnet4.6
Changes:
- migrate ping monitoring from netdata's fping plugin to telegraf's native
  ping input plugin
- expose metrics to the UI

The ping plugin uses native method (method="native") which sends ICMP
packets directly without external ping command, requiring CAP_NET_RAW
capability or root privileges. Metrics are tagged with
influxdb_db="ping-metrics" for proper InfluxDB database routing.

Assisted-by: Copilot:Sonnet4.6
These plugins are required to replace all Netdata features
Netdata has been replaced by Victoria Metrics.
Sync the local adblock fork to upstream 4.5.5-3 while keeping the
NethSecurity-specific ts-dns hooks, bypass migration, and nft bypass
rules intact.

Assisted-by: Copilot:gpt-5.4
Changes:
- add a new `nft-reload` action inside adbblock.sh
- trigger reload when the configuration has been updated
- call nft-reload on reload

The above changes will recreate the nft chain
when the bypass configuration has changed.
Store Threat Shield DNS local allow and block list edits in UCI
so rapid API calls no longer rewrite adblock files or restart the
service immediately.

Write the physical adblock list files during the next reload, add a
one-shot migration for existing list files, and document the staged
workflow for the affected API methods.

Refs #1572
Assisted-by: Copilot:gpt-5.4
The init file from upstream replaces the dpd_action option values.
Notably it replaces `restart` with `start`, but the `start` value
is not supported by Strongswan 6.
Make sure that if `restart` is set, the value is preserved.

From the manual:

  Action to perform for this CHILD_SA on DPD timeout. The default clear closes the CHILD_SA
  and does not take further action. trap installs a trap policy, which will catch matching traffic
  and tries to re-negotiate the tunnel on-demand (note that this is redundant if start_action includes trap.
  restart immediately tries to re-negotiate the CHILD_SA under a fresh IKE_SA.
Upstream version has been updated
gsanchietti mentioned this pull request May 15, 2026
Tbaile force-pushed the nethsecurity-8.8 branch 2 times, most recently from 4001fc2 to 841b872 on May 20, 2026 07:12
gsanchietti self-assigned this May 20, 2026