Upgrading Debian 9 to Debian 10

Triggered by needing to upgrade Nextcloud, I finally bit the bullet and decided to upgrade my virtually-hosted Debian server from Debian 9 “stretch” to Debian 10 “buster”.

The upgrade, as usual, was fairly trivial:

apt-get update
apt-get upgrade
<edit /etc/apt/sources.conf to point to the new version>
apt-get update
apt-get upgrade
apt-get full-upgrade

There were various configuration files which needed tweaking during and after the upgrade. vimdiff was very useful. I also learned a new screen feature – split-screen! (Ctrl-a – |). Finally a shoutout to etckeeper for maintaining a full history of all edits made in /etc.

Post-upgrade Issues and Gotchas

dovecot (imap server)

A huge issue was that I could no longer access my emails from anywhere.

Turns out that dovecot was no longer letting me log in. The mail log file had numerous “Can’t load DH parameters” error entries. I had not merged in a required change to the ssl certificate configuration.

exim4 (mail server)

The second huge issue was that exim was no longer processing incoming mail. Turns out that spamd wasn’t started after the reboot. Fixed by:

systemctl start spamassassin.service
systemctl enable spamassassin.service

shorewall (firewall)

Another major gotcha: the shorewall firewalls were not automatically re-enabled, and it took me three days to notice. Yikes! I had left the server on sys-v init instead of systemctl and the upgrade had silently switched over. After restarting the firewall, use systemctl enable to configure it to start on bootup.

systemctl start shorewall.service
systemctl enable shorewall.service
systemctl start shorewall6.service
systemctl enable shorewall6.service

bind9 (name server)

Another item was that bind was no longer starting up – it needed a tweak to the apparmor configuration. Appears that on my server the log files are written to a legacy directory and the new default configuration prevented bind from writing into it and hence failing to start up.


  • I finally removed dovecot spam from syslog by giving it its own logfiles (tweaking fail2ban accordingly).
  • Various PHP options needed tweaking and several new modules needed installing to support Nextcloud (manually installed so no dependency tracking).

Later Updates

  • Discovered that phpldapadmin was broken. Manually downloaded and installed an updated version from “testing”.