Category Archives: Server config

Getting certificates from Windows p7b certificate files

I was given a binary certificate chain and needed the ASCII versions of the CA certificates.  Unfortunately, I wasn’t able to get openssl to do this, and had to resort to using a Windows machine (on Win7 I got an ‘install certificate’ menu item when right-clicking on the p7b file in Windows Explorer).  Double-click on the file and you’ll be able to navigate to the certificates in the window that opens (with crypto shell extensions).  You can then right-click > All Tasks > Export for the individual certificates, and export each into a DER file, which openssl can then convert to PEM.

Here are the errors I got from various ssl commands that I tried:

user@ubuntu:~/certs$ openssl x509 -inform der -in Certificate.p7b -out Certificate.pem
unable to load certificate
31083:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1316:
31083:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:380:Type=X509_CINF
31083:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:748:Field=cert_info, Type=X509

user@ubuntu:~/certs$ openssl pkcs7 -print_certs -in Certificate.p7b -out Certificate.pem
unable to load PKCS7 object
31109:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:650:Expecting: PKCS7

user@ubuntu:~/certs$ openssl pkcs12 -in Certificate.p7b
31162:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1316:
31162:error:0D06C03A:asn1 encoding routines:ASN1_D2I_EX_PRIMITIVE:nested asn1 error:tasn_dec.c:828:
31162:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:748:Field=version, Type=PKCS12

user@ubuntu:~/certs$ openssl nseq -in Certificate.p7b
Error reading sequence file Certificate.p7b
31475:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:650:Expecting: CERTIFICATE
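A dependency-free extractor for the format, added here as an example rather than code from the post: a .p7b is a PKCS#7 SignedData whose certificates field carries the chain, and the "no start line ... Expecting: PKCS7" error above is openssl's PEM reader reporting that the file is DER, so the input format has to be stated explicitly. The DER helpers, the degenerate SignedData builder and the certificate stand-ins are constructed for the example; real X.509 certificates are walked the same way.

```python
import base64, textwrap
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2 signedData
OID_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1 data
def der_tlv(tag: int, body: bytes) -> bytes:           # encode one DER TLV (short/long length)
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_read(buf: bytes, pos: int = 0):                # decode TLV at pos -> (tag, value, next pos)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                       # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def extract_certs(p7b: bytes) -> list:
    """Return the DER certificates inside a PKCS#7 SignedData (.p7b), DER or PEM input."""
    if p7b.lstrip().startswith(b"-----BEGIN"):        # PEM-armoured .p7b: strip armour first
        p7b = base64.b64decode(b"".join(ln for ln in p7b.splitlines() if b"-----" not in ln))
    _, content_info, _ = der_read(p7b)                 # ContentInfo ::= SEQUENCE {contentType, [0] content}
    tag, oid, pos = der_read(content_info)
    if tag != 0x06 or oid != OID_SIGNED_DATA:
        raise ValueError("not a PKCS#7 signedData structure (a bare X.509 cert, PKCS#12, ...?)")
    _, signed_data, _ = der_read(der_read(content_info, pos)[1])  # [0] EXPLICIT SignedData SEQUENCE
    pos = 0
    for _ in range(3):                                 # skip version, digestAlgorithms, encapContentInfo
        _, _, pos = der_read(signed_data, pos)
    tag, cert_set, _ = der_read(signed_data, pos)
    if tag != 0xA0:                                    # certificates [0] IMPLICIT is OPTIONAL
        return []
    certs, p = [], 0
    while p < len(cert_set):                           # each element is one whole Certificate TLV
        _, _, nxt = der_read(cert_set, p)
        certs.append(cert_set[p:nxt])
        p = nxt
    return certs

def to_pem(der: bytes) -> str:                         # PEM-armour one DER cert, 64 chars per line
    b64 = base64.b64encode(der).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % "\n".join(textwrap.wrap(b64, 64))

def build_sample_p7b(certs: list) -> bytes:            # constructed: certs-only (degenerate) SignedData
    signed = der_tlv(0x02, b"\x01") + der_tlv(0x31, b"") + der_tlv(0x30, der_tlv(0x06, OID_DATA))
    signed += der_tlv(0xA0, b"".join(certs)) + der_tlv(0x31, b"")  # certificates, empty signerInfos
    return der_tlv(0x30, der_tlv(0x06, OID_SIGNED_DATA) + der_tlv(0xA0, der_tlv(0x30, signed)))
# Constructed stand-ins for two DER certificates (SEQUENCEs with filler, not real X.509).
SAMPLE_CERTS = [der_tlv(0x30, b"\x02\x01\x01" + bytes(150)), der_tlv(0x30, b"\x02\x01\x02" + bytes(40))]
```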

Installing DKIM and DomainKeys for postfix on Ubuntu 10.04

Servername: web1.domain.com
From address: noreply@example.com

Aim: validate DKIM and DomainKeys for this email address sending from this server.

Requirements: access to enter TXT DNS records for domain.com and example.com, and root access to web1.domain.com server.

  1. apt-get install dkim-filter; apt-get install dk-filter
  2. vi /etc/dkim-filter.conf
    Uncomment UMask
    Uncomment Domain, and set to “*” (without quotation marks)
    Underneath Domain, create the following “KeyList    /etc/mail/dkim_domains.key”
    Uncomment Selector and set to “mail”
    You can also uncomment AutoRestart if you want and set to “yes”, and Statistics
    Do not uncomment Version – it’s not a valid setting
    Save and close
  3. vi /etc/postfix/main.cf
    Append the following:
    # DKIM & DomainKeys
    milter_default_action = accept
    milter_protocol = 2
    smtpd_milters = inet:localhost:8891,inet:localhost:8892
    non_smtpd_milters = inet:localhost:8891,inet:localhost:8892
  4. cd /etc/mail
  5. dkim-genkey -t -s mail -d web1.domain.com (dkim key)
  6. openssl genrsa -out domainkey.key 1024 (domainkeys private key)
  7. openssl rsa -in domainkey.key -out domainkey.pub -pubout -outform pem (domainkeys public key)
  8. mv mail.private mail
  9. vi /etc/default/dk-filter
    Uncomment out DAEMON_OPTS and SOCKET and set them like so:
    DAEMON_OPTS="$DAEMON_OPTS -d example.com t -s /etc/mail/domainkey.key -S web1" (the selector here is web1; this is because the DNS record has to go on example.com for DomainKeys, so for every server you want to send example.com mail for you’ll need a separate record)
    SOCKET="inet:8892@localhost"
  10. Open up mail.txt; you need to create the DNS record for DKIM for web1.domain.com from this.  I use a managed DNS service for domain.com, so I put “mail._domainkey.web1” in the subdomain/selector, and paste the bit in quotes as the record content.  Notice the mail.txt file does not have the domain appended, but I’ve added my subdomain web1 in my record.
  11. Make two more DNS records, this time on example.com:
    _domainkey IN TXT "t=y; o=~;"
    web1._domainkey IN TXT "k=rsa; t=y; p=<INSERT KEY FROM DOMAINKEYS.PUB HERE>"
  12. vi /etc/mail/dkim_domains.key  (new file)
    Paste in the following:
    *:web1.domain.com:/etc/mail/mail
  13. Start/restart services; service dkim-filter restart; service dk-filter restart; service postfix restart (dkim went a bit funny for me here; may be better for dkim-filter and dk-filter to stop, then start them)
  14. To check the DNS is set up properly, go to http://domainkeys.sourceforge.net/selectorcheck.html and put in web1._domainkey.example.com, then go to http://dkimcore.org/tools/dkimrecordcheck.html and put in mail for the selector, and web1.domain.com for the domain name.
  15. To check it works, send an email to a Yahoo address and look at View Full Header (under the cog button); you should find a line like:
    Authentication-Results: mta1066.mail.ird.yahoo.com  from=example.com; domainkeys=pass (ok);  from=web1.domain.com; dkim=pass (ok)
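As an added example (not from the original post), a small helper for steps 7, 11 and 14: it turns the PEM public key into the p= value, emits the selector TXT record split into the 255-character strings DNS requires (a 1024-bit key fits in one string, a 2048-bit key does not), and parses a record back to report the findings a selector check would, including that t=y leaves the domain in testing mode. The PEM key is a constructed filler blob, and the tag names are the DomainKeys/DKIM ones shown in step 11.

```python
import base64, textwrap

# Constructed stand-in for /etc/mail/domainkey.pub (what `openssl rsa -pubout` writes):
# filler bytes the size of a 2048-bit RSA SubjectPublicKeyInfo, not a real key.
SAMPLE_PUB_PEM = "-----BEGIN PUBLIC KEY-----\n%s\n-----END PUBLIC KEY-----\n" % "\n".join(
    textwrap.wrap(base64.b64encode(bytes(range(256)) + bytes(38)).decode(), 64))

def pem_to_p_value(pem: str) -> str:
    """Strip the PEM armour and line breaks; p= carries the bare base64 of the key."""
    body = "".join(ln.strip() for ln in pem.splitlines() if "-----" not in ln)
    base64.b64decode(body, validate=True)          # fail early on a mangled paste
    return body

def split_txt(value: str, limit: int = 255) -> list:
    """TXT RDATA is a list of <=255-byte strings, so a long key must be split into several."""
    return [value[i:i + limit] for i in range(0, len(value), limit)]

def build_selector_record(selector: str, domain: str, pem: str, testing: bool = True) -> str:
    """The step 11 selector record: k=rsa; t=y; p=<key>, quoted in <=255-char pieces."""
    tags = "k=rsa; " + ("t=y; " if testing else "") + "p=" + pem_to_p_value(pem)
    return "%s._domainkey.%s. IN TXT %s" % (
        selector, domain, " ".join('"%s"' % piece for piece in split_txt(tags)))

def parse_tags(txt: str) -> dict:
    """Parse 'k=rsa; t=y; p=...' into a dict; quoted TXT strings are joined back together first."""
    raw = "".join(txt.split('"')[1::2]) if '"' in txt else txt
    pairs = (item.split("=", 1) for item in raw.split(";") if "=" in item)
    return {k.strip(): v.strip() for k, v in pairs}

def check_selector_record(txt: str) -> list:
    """Findings a selector-check tool would report for one record (empty list means clean)."""
    tags, findings = parse_tags(txt), []
    if tags.get("k", "rsa") != "rsa":
        findings.append("unsupported key type k=%s" % tags["k"])
    if not tags.get("p"):
        findings.append("missing or empty p= (an empty p= means the key is revoked)")
    else:
        try:
            base64.b64decode(tags["p"], validate=True)
        except ValueError:
            findings.append("p= is not valid base64 (line breaks or padding lost in the paste?)")
    if tags.get("t") == "y":
        findings.append("t=y: testing mode, verifiers treat failures as unsigned mail")
    return findings
```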


You’ll notice that DKIM and DomainKeys use different parts of the header for validation.  DKIM is looking at the server name given by postfix, and DomainKeys is looking at the domain of the From address.

With the solution above, for every additional server sending emails from example.com, you’ll need to set up a DKIM record for the server hostname, and a DomainKeys record for example.com (with a separate selector).

Installing CentOS 6.2 on XenServer 6.0

Choose to install from URL, and enter the following URL (or your nearest mirror equivalent): http://mirror01.th.ifl.net/centos/6.2/os/x86_64/

The installer is looking for the following path: isolinux/isolinux.cfg

Choose to start VNC (as per: http://forums.citrix.com/thread.jspa?threadID=302677)

Start up your VNC client (e.g. TightVNC), connect to <IP>:1, and enter your password

Once you’ve finished the installation you can install XenServer Tools:

  1. Put the XS Tools CD into the VM CD drive
  2. mkdir /mnt/xs-tools
  3. mount /dev/xvdd /mnt/xs-tools
  4. bash /mnt/xs-tools/Linux/install.sh

This should auto-detect your OS, install required packages, and ask you to reboot the machine.

Modifying the existing WordPress login/registration/lost password form

I wanted to make a few changes to the WordPress login page (wp-login.php) but keep all existing functionality.  I didn’t want to mess around with any core WP files.  Sounds like it should be easy…unfortunately not.

Here’s how you can make a copy of the existing wp-login.php, put it in your own theme, and make it useable so you can then go on to modify it however you like.

  1. copy wp-login.php to your theme directory, call it whatever you like
  2. replace the following lines:
      /**
       * WordPress User Page
       *
       * Handles authentication, registering, resetting passwords, forgot password,
       * and other user handling.
       *
       * @package WordPress
       */

      /** Make sure that the WordPress bootstrap has run before continuing. */
      require( dirname(__FILE__) . '/wp-load.php' );
    with:
      /*
      Template Name: Your Custom Login/Registration Page
      */
  3. If you’re using the vim editor, use the following two lines (the brackets are escaped because [ ] would otherwise be read as a character class):
    :%s/\$_REQUEST\['action'\]/$_REQUEST['do']/g
    :%s/?action/?do/g
    Otherwise, use whatever find and replace function your editor has to replace $_REQUEST['action'] with $_REQUEST['do'], and ?action with ?do
  4. Create a page on your site, select the new template, and note down the page ID and slug
  5. Back to the custom login file, do the following in vim (where 591 is your page ID, and ‘login-register’ is your page slug):
    :%s/wp_login_url()/get_permalink(591)/g
    :%s/wp-login.php/login-register/g
    :%s/wp_lostpassword_url()/get_permalink(591).'?do=lostpassword'/g
    Or if not using vim, replace wp_login_url() with get_permalink(<your page ID>), wp-login.php with <your page slug>, and wp_lostpassword_url() with get_permalink(<your page ID>).'?do=lostpassword'

That should be it.  If you now go to that page it should show you the normal WP login form, and the links for registering and lost passwords should also go to your custom page.  The lost password feature will also direct the user back to the custom page to reset their password.


You can now edit the page however you like!


NB: point 3 may seem a bit unnecessary; we’re only changing ?action= to ?do=.  However, weirdly, if you leave it as-is and post new user registration data to http://yoursite.com/customlogin?action=register, WP calls the register_post action (which registers new users) before it even loads your custom template, and then calls it again during your template.  Very bizarre, but changing it works fine.

Accessing a GUI on Ubuntu XenServer VM

If you try and start the GUI on a paravirtualized Ubuntu VM in XenServer, you’ll get the following error:

Primary device is not PCI
(EE) open /dev/fb0: No such file or directory
(EE) No devices detected

Peter Bats from Citrix said the following:
In a paravirtualized world there is no such thing as a physical console (nor is there a physical CPU, physical memory etc). Hence for completely paravirtualized OSes (with a paravirtualized kernel like Xen) there’s no GUI console.

PS: With the upcoming move/approach of something called PV on HVM (Paravirtualized Linux I/O drivers for a HVM machine, that in this way can profit from the latest developments by Intel/AMD at the hardware levels like EPT/NPT etc.) one will have the option to have both. And a hardware console GUI and good paravirtualized I/O.
This is already available for the RHEL/SLES distros, but not for the general Linux kernel or Debian-based distributions. There’s work underway to get this included into upstream Linux very soon.


In other words, use VNC for now.

To do that:

  1. Install a GUI onto your Ubuntu server:
    apt-get install ubuntu-desktop (for gnome)
    apt-get install --no-install-recommends ubuntu-desktop (for gnome without libreoffice and some other stuff)
    apt-get install xubuntu-desktop (xfce)
    apt-get install kubuntu-desktop (KDE)
  2. Install VNC
    apt-get install vnc4server
  3. Set the VNC resolution (whatever resolution you want to see on the desktop machine you’ll be using the VNC client on):
    vncserver -geometry 1280x1024 -depth 24
  4. Create a password and VNC server should create some configuration files and start up
  5. Now we need to edit one of the configuration files
    vncserver -kill :1
    vim ~/.vnc/xstartup
  6. Change the file to look like the following (Ubuntu 10.04 and 10.10 only, other versions look different):
    #!/bin/sh

    # Uncomment the following two lines for normal desktop:
    unset SESSION_MANAGER
    exec sh /etc/X11/xinit/xinitrc

    [ -x /etc/vnc/xstartup ] && exec /etc/vnc/xstartup
    [ -r $HOME/.Xresources ] && xrdb $HOME/.Xresources
    xsetroot -solid grey
    vncconfig -iconic &
    x-terminal-emulator -geometry 1280x1024+10+10 -ls -title "$VNCDESKTOP Desktop" &
    x-window-manager &

  7. Save and quit vim
    :wq
  8. Start up the VNC server again
    vncserver -geometry 1280x1024 -depth 24
  9. Now you can connect to the server via a VNC client.  On Windows, you can use TightVNC
  10. To connect to the server, you want to use IP:1, for example, my server’s IP is 10.0.0.30, then I need to connect to 10.0.0.30:1
  11. Put in the VNC password when requested by TightVNC and it should bring up the server’s desktop


References:
http://forums.citrix.com/message.jspa?messageID=1488656#1488656
http://www.havetheknowhow.com/Configure-the-server/Install-VNC.html

Fixing proFTP overwrite problems in Virtualmin

For some reason, the proFTP configuration in Virtualmin (v3.88) was not allowing files to be overwritten, despite the configuration in /etc/proftpd/proftpd.conf as follows:

# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask 022  022
# Normally, we want files to be overwriteable.
AllowOverwrite on

# Uncomment this if you are using NIS or LDAP via NSS to retrieve passwords:
# PersistentPasswd off


To solve this, add the following to the bottom of the config file (/etc/proftpd/proftpd.conf):

<Global>
        AllowOverwrite  on
</Global>


Then restart proFTP:

service proftpd restart

Editing corosync config with VIM

This also works when you’re getting the error “id is already in use”.

First, display config: crm configure show

Then edit config:
crm configure
edit
[make your changes, save and quit]

Then commit config:
commit

Then exit crm configure and check your configuration again
quit (or Ctrl+C)
crm configure show

XenServer install one-off CentOS packages (aka install a package from a disabled repo with yum)

This is not specific to XenServer, or to CentOS, but it was what I was trying to do at the time.

XenServer, by default, only has the Citrix repository enabled, so there will be lots of packages you can’t install.

If you want to install a package but don’t want to enable the CentOS repository, you can use the following command:

yum --enablerepo=base install mutt

This installs mutt from the base repo.  If you want a list of available repos, you can do the following:

yum repolist disabled

Example output:

[root@testxenserver yum.repos.d]# yum repolist disabled
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
repo id                         repo name                               status
addons                          CentOS-5 – Addons                       disabled
base                            CentOS-5 – Base                         disabled
c5-media                        CentOS-5 – Media                        disabled
centosplus                      CentOS-5 – Plus                         disabled
contrib                         CentOS-5 – Contrib                      disabled
extras                          CentOS-5 – Extras                       disabled
updates                         CentOS-5 – Updates                      disabled
repolist: 0

And to see enabled repos:

[root@testxenserver yum.repos.d]# yum repolist
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
repo id                   repo name                                   status
citrix                    XenServer 5.6.100 updates                   enabled: 0
repolist: 0

Openfiler 2.99 iSCSI SR backend failed to complete

Check your ACL.  I was using a netmask of 255.255.0.0, and couldn’t get this error to go away until I specified particular IPs with netmask of 255.255.255.255.

Also, after updating the system ACL, go back to the iSCSI target ACL and just ‘update’ on the host allow page.  This page was showing the new IPs for me, but the config file on the server (/etc/initiators.allow) was out of date until I updated.

Checking all open ports on a network using nmap

nmap -n 10.0.0.1/24 -PS

This will give you something similar to the following:


Nmap scan report for 10.0.0.1
Host is up (0.00082s latency).
Not shown: 993 closed ports
PORT     STATE    SERVICE
20/tcp   filtered ftp-data
21/tcp   filtered ftp
80/tcp   open     http
443/tcp  open     https
2602/tcp open     ripd
5000/tcp open     upnp
5100/tcp open     admd

Nmap scan report for 10.0.0.12
Host is up (0.00022s latency).
Not shown: 993 filtered ports
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
2869/tcp  open  unknown
3389/tcp  open  ms-term-serv
49154/tcp open  unknown

Nmap scan report for 10.0.0.17
Host is up (0.00031s latency).
All 1000 scanned ports on 10.0.0.17 are closed

Nmap scan report for 10.0.0.20
Host is up (0.013s latency).
Not shown: 999 closed ports
PORT      STATE SERVICE
62078/tcp open  iphone-sync

Nmap scan report for 10.0.0.37
Host is up (0.00017s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
80/tcp open  http
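As an added example (not part of the original post), a parser for nmap's normal output that turns a report like the one above into a per-host list of open ports and flags the ones a defender wants reconciled against the asset inventory (SMB and RDP on 10.0.0.12, for instance). The sample is abridged from the scan on this page; the watchlist is an assumption to tune per environment, and "filtered" ports are deliberately not counted as open.

```python
import re
# Abridged nmap normal output: the hosts and port lines below are copied from the scan on this page.
SAMPLE_SCAN = """\
Nmap scan report for 10.0.0.1
Host is up (0.00082s latency).
Not shown: 993 closed ports
PORT     STATE    SERVICE
20/tcp   filtered ftp-data
80/tcp   open     http

Nmap scan report for 10.0.0.12
Host is up (0.00022s latency).
Not shown: 993 filtered ports
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3389/tcp  open  ms-term-serv

Nmap scan report for 10.0.0.17
Host is up (0.00031s latency).
All 1000 scanned ports on 10.0.0.17 are closed
"""
HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

def parse_nmap(text: str) -> dict:
    """Map each host to its (port, proto, state, service) tuples from nmap's normal output."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = []                # hosts with no port table still get an entry
            continue
        m = PORT_RE.match(line)
        if m and current:
            port, proto, state, service = m.groups()
            hosts[current].append((int(port), proto, state, service))
    return hosts

def open_ports(hosts: dict) -> dict:
    """Only ports reported open; 'filtered' means a firewall dropped the probe, not a listener."""
    return {h: sorted(p for p, _, s, _ in ports if s == "open") for h, ports in hosts.items()}

WATCHLIST = {21: "ftp", 135: "msrpc", 139: "netbios-ssn", 445: "smb", 3389: "rdp"}  # assumption: tune per site

def flag_exposures(hosts: dict, watchlist: dict = WATCHLIST) -> list:
    """(host, port, label) for every open watchlisted port, to reconcile against the asset inventory."""
    return [(h, p, watchlist[p]) for h, ports in open_ports(hosts).items() for p in ports if p in watchlist]
```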