# Fixes Prepared — Required and Optional

**Last Updated:** 2026-02-07

**Purpose:** Single checklist of all fixes (required and optional) with copy-paste commands.

**References:** [CHECKS_AND_FIXES_20260206.md](verification-evidence/CHECKS_AND_FIXES_20260206.md), [NEXT_STEPS_OPERATOR.md](../00-meta/NEXT_STEPS_OPERATOR.md), [UDM_PRO_NPMPLUS_ALLTRA_HYBX_PORT_FORWARD.md](UDM_PRO_NPMPLUS_ALLTRA_HYBX_PORT_FORWARD.md).

**Consolidated (validators, block/tx, Sentries, RPCs + this):** [FULL_FIXES_PREPARED.md](FULL_FIXES_PREPARED.md).

---

## Summary

| Category | Item | Action | Where |
|----------|------|--------|--------|
| **Required** | UDM Pro port forward (Alltra/HYBX) | Manual | [§ UDM Pro](#1-udm-pro-port-forward-alltrahybx-required) |
| **Required** | Alltra/HYBX 502 (RPC + Cacti) | Verify backends → fix NPMplus or deploy | [§ Alltra/HYBX 502](#2-alltrahybx-502-failures-required) |
| **Optional** | NPMplus certs (remaining Alltra/HYBX hosts) | Script or UI | [§ NPMplus certs](#3-npmplus-certificates-remaining-alltrahybx-optional) |
| **Optional** | Explorer SSL | Manual NPMplus UI | [§ Explorer SSL](#4-explorer-ssl-optional) |
| **Optional** | NPMplus cert 134 (cross-all.defi-oracle.io) | Manual NPMplus UI | [§ Cert 134](#5-npmplus-cert-134-optional) |
| **Optional** | Shellcheck | Install + run | [§ Shellcheck](#6-shellcheck-optional) |
| **Optional** | Env permissions | Re-run if new .env added | [§ Env permissions](#7-env-permissions-optional) |
| **Optional** | Full verification re-run | Script | [§ Re-run verification](#8-re-run-full-verification-optional) |

---

## Required fixes

### 1. UDM Pro port forward (Alltra/HYBX) (required)

**Why:** Alltra/HYBX direct/management access uses 76.53.10.38 → NPMplus at 192.168.11.169. Tunnel traffic goes to primary NPMplus (192.168.11.167); this forward is for direct access to the Alltra/HYBX NPMplus instance.

**Steps:** Add in **UniFi Network** → **Settings** → **Firewall & Security** (or **Networks** → **Port Forwarding**):

| Rule Name | Destination IP | Dest Port | Forward to IP | Forward to Port | Protocol |
|-----------|----------------|-----------|---------------|-----------------|----------|
| NPMplus Alltra/HYBX HTTP | 76.53.10.38 | 80 | 192.168.11.169 | 80 | TCP |
| NPMplus Alltra/HYBX HTTPS | 76.53.10.38 | 443 | 192.168.11.169 | 443 | TCP |
| NPMplus Alltra/HYBX Admin | 76.53.10.38 | 81 | 192.168.11.169 | 81 | TCP |

**Note:** 76.53.10.38 must be assigned on the UDM Pro.

**Verify (from LAN):**

```bash
curl -s -o /dev/null -w "%{http_code}" http://192.168.11.169:80/
curl -s -o /dev/null -w "%{http_code}" -k https://192.168.11.169:81/
```

After port forward (from internet): `curl -s -o /dev/null -w "%{http_code}" http://76.53.10.38:80/`

**Doc:** [UDM_PRO_NPMPLUS_ALLTRA_HYBX_PORT_FORWARD.md](UDM_PRO_NPMPLUS_ALLTRA_HYBX_PORT_FORWARD.md)

---

### 2. Alltra/HYBX 502 failures (required)

**Observed (E2E 2026-02-07):** RPC and HTTPS return 502 for:

- `rpc-alltra.d-bis.org`, `rpc-alltra-2.d-bis.org`, `rpc-alltra-3.d-bis.org`
- `rpc-hybx.d-bis.org`, `rpc-hybx-2.d-bis.org`, `rpc-hybx-3.d-bis.org`
- `cacti-alltra.d-bis.org`, `cacti-hybx.d-bis.org`

**Traffic path:** Cloudflare DNS (CNAME to tunnel) → Cloudflare Tunnel → **primary NPMplus 192.168.11.167:443** → proxy hosts → backends.

**Root cause (choose one or both):**

1. **Backends not running** — Alltra/HYBX RPC (2500–2502, 2503–2505) and Cacti (5201, 5202) containers not deployed or stopped.
2. **NPMplus proxy target wrong** — Proxy hosts on 192.168.11.167 point to wrong IP/port (see [NPMPLUS_ALLTRA_HYBX_MASTER_PLAN.md](NPMPLUS_ALLTRA_HYBX_MASTER_PLAN.md) for correct backends).

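
To tell the two root causes apart per backend, this added example (not one of the project's scripts) probes each address from the Expected backends table and prints which fix step applies. The 5-second timeout, the `run` argument and the function names are assumptions; a `"result"` field in the `eth_chainId` reply counts as a live RPC node, and any HTTP status counts as a live Cacti service.

```bash
#!/usr/bin/env bash
# Added example (not a project script): classify each expected backend as
# responding or not, to choose between fix step 2 and fix step 3.
BACKENDS="rpc 192.168.11.172 8545
rpc 192.168.11.173 8545
rpc 192.168.11.174 8545
rpc 192.168.11.246 8545
rpc 192.168.11.247 8545
rpc 192.168.11.248 8545
http 192.168.11.177 80
http 192.168.11.251 80"

CHAIN_ID_REQ='{"jsonrpc":"2.0","method":"eth_chainId","params":[],"id":1}'

# probe KIND IP PORT: print the JSON-RPC body (rpc) or the HTTP status (http).
probe() {
  if [ "$1" = rpc ]; then
    curl -s -m 5 -X POST -H "Content-Type: application/json" \
      -d "$CHAIN_ID_REQ" "http://$2:$3" || true
  else
    curl -s -m 5 -o /dev/null -w "%{http_code}" "http://$2:$3/" || true
  fi
}

# responds KIND OUTPUT: succeed if the probe output shows a live backend.
responds() {
  case "$1:$2" in
    rpc:*'"result"'*) return 0 ;;       # node answered eth_chainId
    http:000|http:) return 1 ;;         # curl could not connect
    http:[1-5][0-9][0-9]) return 0 ;;   # any HTTP status: service is up
    *) return 1 ;;
  esac
}

# triage KIND IP PORT: print the fix step that applies to this backend.
triage() {
  if responds "$1" "$(probe "$1" "$2" "$3")"; then
    echo "$2:$3 responds -> step 2: check NPMplus proxy host target"
  else
    echo "$2:$3 no response -> step 3: deploy or start the container"
  fi
}

# Probe the real backends only when asked: bash triage.sh run
if [ "${1:-}" = run ]; then
  echo "$BACKENDS" | while read -r kind ip port; do triage "$kind" "$ip" "$port"; done
fi
```

Run it from the LAN (Proxmox or jump host), the same vantage point the manual `curl` checks use.
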
**Expected backends (from master plan):**

| Domain type | Backend IP(s) | Port |
|-------------|---------------|------|
| rpc-alltra* | 192.168.11.172, .173, .174 (VMID 2500–2502) | 8545 |
| rpc-hybx* | 192.168.11.246, .247, .248 (VMID 2503–2505) | 8545 |
| cacti-alltra | 192.168.11.177 (VMID 5201) | 80 |
| cacti-hybx | 192.168.11.251 (VMID 5202) | 80 |

**Fix steps:**

1. **Verify backends from LAN (Proxmox or jump host):**

   ```bash
   # Alltra RPC
   curl -s -X POST -H "Content-Type: application/json" -d '{"jsonrpc":"2.0","method":"eth_chainId","params":[],"id":1}' http://192.168.11.172:8545
   # HYBX RPC
   curl -s -X POST -H "Content-Type: application/json" -d '{"jsonrpc":"2.0","method":"eth_chainId","params":[],"id":1}' http://192.168.11.246:8545
   # Cacti
   curl -s -o /dev/null -w "%{http_code}" http://192.168.11.177:80/
   curl -s -o /dev/null -w "%{http_code}" http://192.168.11.251:80/
   ```

2. **If backends respond:** In NPMplus (https://192.168.11.167:81) check Proxy Hosts for each Alltra/HYBX hostname: Forward hostname = backend IP, port = 8545 or 80 as above. Save and test.
3. **If backends do not respond:** Deploy or start the Alltra/HYBX containers (2500–2502, 2503–2505, 5201, 5202) per [NPMPLUS_ALLTRA_HYBX_MASTER_PLAN.md](NPMPLUS_ALLTRA_HYBX_MASTER_PLAN.md) and [MISSING_CONTAINERS_LIST.md](../03-deployment/MISSING_CONTAINERS_LIST.md). Then re-check NPMplus proxy targets.

---

## Optional fixes

### 3. NPMplus certificates (remaining Alltra/HYBX) (optional)

Request Let's Encrypt for any Alltra/HYBX proxy host that does not yet have a cert.

**From project root (LAN required; NPMplus API reachable):**

```bash
cd /path/to/proxmox
# First host only (verify before bulk)
FIRST_ONLY=1 NPM_URL=https://192.168.11.167:81 bash scripts/request-npmplus-certificates.sh
# Then all remaining (no FIRST_ONLY)
NPM_URL=https://192.168.11.167:81 bash scripts/request-npmplus-certificates.sh
```

**Via SSH to r630-01:**

```bash
bash scripts/run-via-proxmox-ssh.sh request-cert --host 192.168.11.11
```

**Reference:** CHECKS_AND_FIXES: *"For remaining hosts, run: NPM_URL=https://192.168.11.167:81 bash scripts/request-npmplus-certificates.sh"*

---

### 4. Explorer SSL (optional)

If **https://explorer.d-bis.org** shows "Your connection isn't private":

1. Open NPMplus: **https://192.168.11.167:81** (use `.167` if `.166` refuses; credentials: `NPM_EMAIL`, `NPM_PASSWORD` from `.env`).
2. **SSL Certificates** → Add Let's Encrypt for `explorer.d-bis.org` (DNS Challenge + Cloudflare credential if needed).
3. **Proxy Hosts** → explorer.d-bis.org → **SSL** tab → assign cert, Force SSL, Save.

**Doc:** [EXPLORER_TROUBLESHOOTING.md](EXPLORER_TROUBLESHOOTING.md), [NEXT_STEPS_OPERATOR.md](../00-meta/NEXT_STEPS_OPERATOR.md) § Explorer SSL.

---

### 5. NPMplus cert 134 (optional)

If verification reports **"cert files missing"** for cert ID 134 (cross-all.defi-oracle.io):

1. Open NPMplus: **https://192.168.11.167:81** → **SSL Certificates**.
2. Find **cross-all.defi-oracle.io** → re-save or **Request** Let's Encrypt again to restore cert files on disk.

No automated script; UI only.

---

### 6. Shellcheck (optional)

Install and run optional shellcheck (no failure if not installed):

```bash
# Install (one of)
sudo apt install shellcheck   # Debian/Ubuntu
brew install shellcheck       # macOS

# Run (from project root)
cd /path/to/proxmox
bash scripts/verify/run-shellcheck.sh --optional
# Or without --optional to fail on issues:
bash scripts/verify/run-shellcheck.sh
```

---

### 7. Env permissions (optional)

Re-run if you added new `.env` files and want consistent permissions:

```bash
cd /path/to/proxmox
bash scripts/security/secure-env-permissions.sh
```

Applies `chmod 600` to `.env`, `unifi-api/.env`, `smom-dbis-138/.env`, `dbis_core/.env` where present.

---

### 8. Re-run full verification (optional)

Re-run the full 6-step verification and regenerate source-of-truth:

```bash
cd /path/to/proxmox
bash scripts/verify/run-full-verification.sh
```

Outputs under `docs/04-configuration/verification-evidence/` and updates `docs/04-configuration/INGRESS_SOURCE_OF_TRUTH.json`.

---

## Quick command index

| Goal | Command |
|------|---------|
| UDM Pro Alltra/HYBX | Manual: [UDM_PRO_NPMPLUS_ALLTRA_HYBX_PORT_FORWARD.md](UDM_PRO_NPMPLUS_ALLTRA_HYBX_PORT_FORWARD.md) |
| Request NPMplus certs (first only) | `FIRST_ONLY=1 NPM_URL=https://192.168.11.167:81 bash scripts/request-npmplus-certificates.sh` |
| Request NPMplus certs (all remaining) | `NPM_URL=https://192.168.11.167:81 bash scripts/request-npmplus-certificates.sh` |
| Explorer SSL | NPMplus UI → SSL Certificates → explorer.d-bis.org; Proxy Hosts → SSL tab |
| Cert 134 fix | NPMplus UI → SSL Certificates → cross-all.defi-oracle.io → re-save / re-request |
| Shellcheck | `bash scripts/verify/run-shellcheck.sh --optional` |
| Env permissions | `bash scripts/security/secure-env-permissions.sh` |
| Full verification | `bash scripts/verify/run-full-verification.sh` |
| Backup NPMplus | `bash scripts/verify/backup-npmplus.sh` |

---

## Execution order suggestion

1. **Required:** UDM Pro port forward (if you use direct 76.53.10.38 access).
2. **Required:** Diagnose Alltra/HYBX 502 (verify backends, then fix NPMplus or deploy containers).
3. **Optional:** NPMplus certs for remaining Alltra/HYBX hosts.
4. **Optional:** Explorer SSL, cert 134, shellcheck, env permissions, full verification re-run as needed.

Evidence and prior checks: [verification-evidence/CHECKS_AND_FIXES_20260206.md](verification-evidence/CHECKS_AND_FIXES_20260206.md).
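
For the env permissions step (§ 7), a read-only audit can confirm the result after `secure-env-permissions.sh` has run. This is an added example, not the project's script; the function names and output format are assumptions, and the file list is the one given in § 7.

```bash
#!/usr/bin/env bash
# Added example (not the project's secure-env-permissions.sh): read-only
# audit that the .env files listed in section 7 are mode 600 where present.
ENV_FILES=".env unifi-api/.env smom-dbis-138/.env dbis_core/.env"

# file_mode PATH: print octal permission bits (GNU stat, then BSD/macOS stat).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# audit_env_perms ROOT: print one line per file and return 1 if any file
# that exists is not exactly 600. Missing files are skipped ("where present").
audit_env_perms() {
  root=$1
  bad=0
  for rel in $ENV_FILES; do
    f="$root/$rel"
    [ -e "$f" ] || { echo "skip    $rel (not present)"; continue; }
    mode=$(file_mode "$f")
    if [ "$mode" = 600 ]; then
      echo "ok      $rel ($mode)"
    else
      echo "LOOSE   $rel ($mode, expected 600)"
      bad=1
    fi
  done
  return "$bad"
}

# Usage: bash audit-env.sh /path/to/proxmox
if [ "$#" -gt 0 ]; then audit_env_perms "$1"; fi
```

A non-zero exit status means at least one secrets file is readable beyond its owner, which makes the check usable as a gate in a verification run.
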