Troubleshoot
HowTo: Generate Certificate for OpenLDAP and using it for certificate authentication.
LDAPS Server Certificate Requirements
LDAPS requires a properly formatted X.509 certificate. This certificate lets a OpenLDAP service listen for and automatically accept SSL connections. The server certificate is used for authenticating the OpenLDAP server to the client during the LDAPS setup and for enabling the SSL communication tunnel between the client and the server. As an option, we can also use LDAPS for client authentication.
Having spent quite some time to make a TLS work, I thought this may be usefull to some :
Creating Self CA certificate:
1, Create the ldapclient-key.pem private key :
openssl genrsa -des3 -out ldapclient-key.pem 1024
2, Create the ldapserver-cacerts.pem certificate :
openssl req -new -key ldapclient-key.pem -x509 -days 1095 -out ldapserver-cacerts.pem
Creating a certificate for server:
1, Create the ldapserver-key.pem private key
openssl genrsa -out ldapserver-key.pem
2, Create a server.csr certificate request:
openssl req -new -key ldapserver-key.pem -out server.csr
3, Create the ldapserver-cert.pem certificate signed by your own CA :
openssl x509 -req -days 2000 -in server.csr -CA ldapserver-cacerts.pem -CAkey ldapclient-key.pem -CAcreateserial -out ldapserver-cert.pem
4, Create CA copy for the client:
cp -rpf ldapserver-cacerts.pem ldapclient-cacerts.pem
Now configure the certificates in slapd.conf, the correct files must be copied on each server:
TLSCACertificateFile /etc/openldap/certs/ldapserver-cacerts.pem TLSCertificateFile /etc/openldap/certs/ldapserver-cert.pem TLSCertificateKeyFile /etc/openldap/certs/ldapserver-key.pem TLSCipherSuite HIGH:MEDIUM:+SSLv2 # personnally, I only check servers from client. # If you do, add this : TLSVerifyClient never
Configure certificate for ldap clients
Key : ldapclient-key.pem Crt : ldapclient-cert.pem
Error: posftix: warning: SASL authentication failure: No worthy mechs found
After configuring postfix relay server I found their was some issue with gmail server authentication, it will bounce the emails
Error : postfix/smtp[25857]: 59BF721177: SASL authentication failed; cannot authenticate to server smtp.gmail.com[74.125.25.108]: no mechanism available postfix/smtp[25861]: warning: SASL authentication failure: No worthy mechs found
Their must be two solid reasons behind this
1, SASL package is missing for plain module
yum install cyrus-sasl{,-plain}
2, Allow plaintext (which is fine when using STARTTLS): make the connection enrypted
smtp_sasl_security_options = noanonymous
Make Sure you enabled all the below options :
smtp_sasl_auth_enable = yes smtp_use_tls = yes smtp_tls_loglevel = 1 smtp_tls_security_level = encrypt smtp_sasl_mechanism_filter = login
HowTo: Recover RAID volume and mount seperatly
My NAS storage was crashed, this time I was forced to move one of the raid volume to another server to make the service up because the volume contains all VM’s used by XEN server, most probably it is a LVM disk.
Everybody knows that we can’t simply attach the raid disk to another machine, so just follow the procedures below.
Once I attached the HDD to another machine. check the disk availability
root@ubuntu:~# mdadm --examine /dev/sdb
/dev/sdb: Magic : a92b4efc Version : 1.2 Feature Map : 0x0 Array UUID : ec2c6fb2:f211cfa5:8dfa8777:4f08bfed Name : openmediavault:storage Creation Time : Fri May 9 16:22:45 2014 Raid Level : raid1 Raid Devices : 2 Avail Dev Size : 1953523120 (931.51 GiB 1000.20 GB) Array Size : 976761424 (931.51 GiB 1000.20 GB) Used Dev Size : 1953522848 (931.51 GiB 1000.20 GB) Data Offset : 2048 sectors Super Offset : 8 sectors State : clean Device UUID : 3a9e90a0:ca0e458e:c48e1b34:f3aaf06f Update Time : Tue Jun 24 16:20:00 2014 Checksum : eaa54b02 - correct Events : 24468 Device Role : Active device 1 Array State : .A ('A' == active, '.' == missing)
It sounds good now move to the next step, It should be create the block device md* so it will be reveal the partitions.
root@ubuntu:~# mdadm --assemble --force /dev/md127 /dev/sdb
You will get the output like this
root@ubuntu:~# ll /dev/md127 brw-rw---- 1 root disk 9, 127 Jun 24 14:27 /dev/md127
Now you can see the LVM names
root@ubuntu:~# lvs LV VG Attr LSize Origin Snap% Move Log Copy% Convert nfs storage -wi-ao 931.51g root@ubuntu:~# pvs PV VG Fmt Attr PSize PFree /dev/md127 storage lvm2 a- 931.51g 0 root@ubuntu:~# vgs VG #PV #LV #SN Attr VSize VFree storage 1 1 0 wz--n- 931.51g 0
Mount the partition manually
root@ubuntu:~# mount /dev/mapper/storage-nfs /export/
root@ubuntu:~# mount | grep nfs /dev/mapper/storage-nfs on /export type ext4 (rw)
That’s it now I got my files back,
HowTo: Change Instance store AMI to EBS-backend AMI
Amazon not providing any feature for changing AMI root device type, once we generate an instance with Instance-store we can’t upgrade the instance because for upgrading instance should stop. The stop option is disable for such instance-store AMI’s. I followed the steps below, It can be workout by two ways either using rsync or dd
Here is the steps:
- Create an EBS vol with size as same or more, I used 10G because my existing instance having 10G on root.
After creating which is look like this
- Attach the EBSLogin to existing Instance-store backend AMI,
Right- click and select Attach Volume,
- Login to the Instance-store backend server, and stop all the running services (Optional), (eg., mysqld , httpd , xinted )
Execute the the disk mirroring commands below, it will take few min to complete according to the server perfomance.
[root@ip-10-128-5-222 ~]# dd bs=65536 if=/dev/sda1 of=/dev/sdf
or
mkfs.ext3 /dev/sdf #create filesystem mkdir /mnt/ebs #New dir for mounting mount /dev/sdh /mnt/ebs #Mount as a partition
rsync -avHx / /mnt/ebs #Synchronizing root and ebs rsync -avHx /dev /mnt/ebs #Synchronizing device informations tune2fs -L '/' /dev/sdf #Creating partition label for ebs sync;sync;sync;sync && umount /mnt/ebs #Sync and umounting ebs
Check the EBS volume for consistency
[root@ip-10-128-5-222 ~]# fsck /dev/sdf fsck 1.39 (29-May-2006) e2fsck 1.39 (29-May-2006) /dev/sdf: clean, 126372/1310720 files, 721346/2621440 blocks
Mount the EBS volume into the instance, Remove the /mnt entry from the fstab on your EBS vol
[root@ip-10-128-5-222 ~]# mount /dev/sdf /mnt/ebs-vol [root@ip-10-128-5-222 ~]# vim /root/ebs-vol/etc/fstab
- Create a snapshot of the EBS volume using the AWS management console
Right-Click the EBS_vol –> select Create Snapshot , it will take few min to create
After creating snapshot it will list under snapshot list.
Now Right-click snapshot –> select Create Image from snapshot
- Launch new EC2 using newly create AMI, so while creating new EC2 you can select any instance type also you may use the same keypair and Elastic IP for the new instance
Creating New instance using new AMI.
Running instance
- Now you can login to the new server, If you select more than the size of snapshot you have to use the below command to retain the storage back
#resize2fs /dev/sda1
- Successfully migrated the server as EBS-backend. Start all the services if it is necessary, This time we can upgrade the instance type
HowTo: S3 bucket dynamic URI access
s3cmd is a command line tool for uploading, retrieving and managing data in Amazon S3. Still their are no wiki is updated.
you may get the packages from sourceforge official
Also the download repository is available here : Download Now
It will also support including unix dynamic resource access method, for example we can use * for calling all the resources or {dir1,file2} for specific resource.
I was shown in the example for setting up public acl for dynamic sub directories.
Installation:
root@planetcure:wget http://kaz.dl.sourceforge.net/project/s3tools/s3cmd/1.0.1/s3cmd-1.0.1.tar.gz root@planetcure:tar -zxvf s3cmd-1.0.1.tar.gz root@planetcure:export PATH=$PATH:/opt/installer/s3cmd-1.0.1
Now we can access the binary from any of the location.
root@planetcure:/opt/installer/s3cmd-1.0.1# s3cmd setacl --acl-public s3://my-bucket-name/{dev,stg1,stg2}/*/dir5/*/3/*
This command will execute the following scenarios
s3://my-bucket-name/ is my S3 bucket
* will represent all the subdirectories
{dev,stg1,stg2} will represent the specific directories from the group of directories
dir5/ ,3/ will represent specific sub-directory
Enjoy the day, 🙂
Error: InfiniDB DBRM in Read only mode error
I was using infinidb 2.11 community edition, after couple of usage my data1 directory is growing rapidly, so I moved it to the NAS storage location because the community edition is not supporting for data compression. I realized that it will affect the Infinidb performance.
At the time of using NAS storage, I was faced many issues like data dir permission some thing, I findout the error is “DBRM in Read only mode”, From the infinidb forum nothing workout the solution they specified, I can’t restart Infinidb server for this issues, basically it is a busy server.
At last doing couple of research about Infinidb, I got the solution for this error without restarting Infinidb. Follow the steps below
This error because of DBRM unable to rollback the broken transaction.
Use the commands and make the operation normal
/usr/local/Calpont/bin/save_brm /usr/local/Calpont/bin/dbrmctl reload /usr/local/Calpont/bin/DMLProc
If everything seems good the last command shows the output like this
[root@infinidb02 bin]# ./DMLProc Locale is : C terminate called after throwing an instance of 'std::runtime_error' what(): InetStreamSocket::bind: bind() error: Address already in use
Solution from Infinidb : http://infinidb.co/community/infinidb-not-starting
HowTo: Increase The Maximum Number Of Open Files / File Descriptors (FD)
Sometimes we will get the error message is like “too many files open“, it is because of you have reached the limits of opened file, You could always try doing a ulimit -n 2048. This will only reset the limit for your current shell and the number you specify must not exceed the hard limit.
Each operating system has a different hard limit setup in a configuration file. For instance, the hard open file limit on Solaris can be set on boot from /etc/system.
[anand@planetcure ~]$ cat /proc/sys/fs/file-max 172214
This show the maxmimum number of opened files for the single user, you can also use the below commad.
# ulimit -Hn # ulimit -Sn
We can set this as System-wide and userlevel, for Global user configuration we can use /etc/sysctl.conf file under Linux operating systems. So you can increase the maximum number of open files by setting a new value in kernel variable /proc/sys/fs/file-max as follows (login as the root):
System-wide File Descriptors (FD) Limits
# sysctl -w fs.file-max=100000
The command allows to extend the new limit as 100000. You need to append the variable “fs.file-max = 100000” in the file /etc/sysctl.conf for the permanent set. It won’t be change after the reboot.
#sysctl -p
Verify by using below command
#sysctl fs.file-max
User-level File Descriptors (FD) Limits
Some of the case we need to specify the different level of setting for the particular users. This will override the sysetm wide settings and give the new limits for the users.
To specific limits by editing /etc/security/limits.conf file, we can all so use this file for all user limits
For apache:
httpd soft nofile 1024 httpd hard nofile 2048
All user limits
* soft nofile 1024 * hard nofile 2048
Save and close the file. You have to re-login to the console to get the new value.
su httpd -c "ulimit -Hn" su httpd -c "ulimit -Sn"
HowTo: Set Up Multiple SSL Certificates on One IP with Apache
As the Apache Web server grows and matures, new features are added and old bugs are fixed. Perhaps one of the most important new features added to recent Apache versions (2.2.12, to be specific) is the long-awaited support for multiple SSL sites on a single IP address.
prerequisites,
- The server, obviously, must use Apache 2.2.12 or higher.
- It must also use OpenSSL 0.9.8f or later and must be built with the TLS extensions option.
- Apache must be built against this version of OpenSSL as it will enable SNI support if it detects the right version of OpenSSL — the version of OpenSSL that includes TLS extension support.( Default installation contains all these things)
Note:
SNI can only be used for serving multiple SSL sites from your web server and is not likely to work at all on other daemons, such as mail servers, etc. There are also a small percentage of older web browsers that may still give certificate errors. Wikipedia has an updated list of software that does and does not support this TLS extension.
Here am using wild card SSL for hosting two sub-domain in single server, similearly we can also use different ssl for different domain with the same IP.
Follow the basic installation of apache
Redhat :
[root@ip-10-132-82-251 ~]# yum install httpd openssl openssl-devel mod_ssl
Ubuntu:
apt-get install apache2 openssl mod_ssl
Get the the certificate from the authority or use self singed SSL, Verify you have enabled SSL module in the existing apache installation
[root@ip-10-132-82-251 ~]# httpd -M |grep ssl
Add the following lines in the apace main configuration file httpd.conf
[root@ip-10-132-82-251 ~]# vi /etc/httpd/conf/httpd.conf ###FOR SSL NameVirtualHost *:443 <IfModule mod_ssl.c> # If you add NameVirtualHost *:443 here, you will also have to change # the VirtualHost statement in /etc/apache2/sites-available/default-ssl # to # Server Name Indication for SSL named virtual hosts is currently not # supported by MSIE on Windows XP. Listen 443 </IfModule> <IfModule mod_gnutls.c> Listen 443 </IfModule>
Create the Virtual Hosts
Once you downloaded all required files for SSL, proceed to creating Vhost.
Here is the Vhost entry that I used
[root@ip-10-132-82-251 ~]# vi /etc/httpd/conf.d/domain1-ssl.conf <IfModule mod_ssl.c> <VirtualHost *:443> ServerName domain1.mydomain.com DocumentRoot "/opt/web-home/domain1/public_html" <Directory /> Options FollowSymLinks AllowOverride all </Directory> <Directory /opt/web-home/domain1/public_html> Options Indexes FollowSymLinks MultiViews AllowOverride all Order allow,deny allow from all </Directory> ScriptAlias /cgi-bin/ /opt/web-home/domain1/public_html/cgi-bin/ <Directory "/opt/web-home/domain1/public_html/cgi-bin/"> AllowOverride None Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch Order allow,deny Allow from all </Directory> ErrorLog logs/ssl_error_log TransferLog logs/ssl_access_log LogLevel warn SSLEngine on SSLProtocol all -SSLv2 SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW SSLCertificateFile /etc/ssl/certs/planetcure.in.crt SSLCertificateKeyFile /etc/ssl/certs/planetcure.in.key SSLCertificateChainFile /etc/ssl/certs/planetcure.in.csr SSLCACertificateFile /etc/ssl/certs/planetcure.in.ca SetEnvIf User-Agent ".*MSIE.*" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 CustomLog logs/ssl_request_log \ "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" </VirtualHost> </IfModule> SSLPassPhraseDialog builtin SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000) SSLSessionCacheTimeout 300 SSLMutex default SSLRandomSeed startup file:/dev/urandom 256 SSLRandomSeed connect builtin SSLCryptoDevice builtin
You can also create more Vhost files using this entry. By changing the domain name and the SSL path.
Now restart the apache
[root@ip-10-132-82-251 ~]# service httpd restart
To verify the list of enabled vhost, use the below command
[root@ip-10-132-82-251 ~]# apachectl -S VirtualHost configuration: wildcard NameVirtualHosts and _default_ servers: *:443 is a NameVirtualHost default server domain1.planetcure.in (/etc/httpd/conf.d/domain1-ssl.conf:2) port 443 namevhost domain1.planetcure.in (/etc/httpd/conf.d/domain1-ssl.conf:2) port 443 namevhost domain2.planetcure.in (/etc/httpd/conf.d/domain2-ssl.conf:2) Syntax OK
Phew, these domains having their own SSL with single IP 🙂
Script: https traffic block
This script is for blocking https traffic in the software router it self, I am using squid and it is not capable for handling HTTPS traffics, because 1 , the url is encrypted. 2, The routing table is only for handing traffic over port 80.
This script have two input file, it will create automatically when the first run. It having capability for private-IP based restriction
Editable area in the script :
DIST=192.168.1.6 #IP where the request has to forward DPORT=81 #Port where the request has to forward BLOCKPORTS=443 #Outgoing + incomming Port RULE=forward #Possible options reject,drop,forward
If you have any web-page for giving a message to the user regarding the block, set it here
Enter the domain and local IP separately in the file, examples are shown below Download here
[anand@planetcure ~]$ sh https_block.sh --help This script is for block https outbound traffic using source based requests -s or --silent Silent execution ssl_domains File for enter SSL domain names ip_users File for enter localip list
You must have to enable forwarding and execute it from root.
First run :
[root@planetcure]# sh https_block.sh Parent dir not found, Creating entire structure /opt/installer/scripts |-- ip_users `-- ssl_domains 0 directories, 2 files [INFO]:We found empty input file. exiting..
Input Files :
[root@planetcure]# ls /opt/installer/scripts/ ip_users ssl_domains
File input one by one :
[root@planetcure scripts]# cat ip_users 192.168.1.100 192.168.1.245 [root@planetcure scripts]# cat ssl_domains www.enlook.wordpress.com facebook.com www.facebook.com
Output:
[root@planetcure]# sh https_block.sh Validating file structure checking ssl_domains Ok. checking ip_users Ok. /opt/installer/scripts |-- ip_users `-- ssl_domains 0 directories, 2 files Executing source Ip 192.168.1.100 76.74.254.123 blocked for the domain www.enlook.wordpress.com 192.0.80.250 blocked for the domain www.enlook.wordpress.com 192.0.81.250 blocked for the domain www.enlook.wordpress.com 66.155.9.238 blocked for the domain www.enlook.wordpress.com 66.155.11.238 blocked for the domain www.enlook.wordpress.com 76.74.254.120 blocked for the domain www.enlook.wordpress.com 173.252.110.27 blocked for the domain facebook.com 31.13.79.128 blocked for the domain www.facebook.com Executing source Ip 192.168.1.245 76.74.254.120 blocked for the domain www.enlook.wordpress.com 76.74.254.123 blocked for the domain www.enlook.wordpress.com 192.0.80.250 blocked for the domain www.enlook.wordpress.com 192.0.81.250 blocked for the domain www.enlook.wordpress.com 66.155.9.238 blocked for the domain www.enlook.wordpress.com 66.155.11.238 blocked for the domain www.enlook.wordpress.com 173.252.110.27 blocked for the domain facebook.com 31.13.79.128 blocked for the domain www.facebook.com
Now set this as crone like below
*/05 * * * * /bin/sh /root/https_block.sh -s
If you run again the script it will show the current status of the blocked domain
[root@localhost bash]# sh https_block.sh Validating file structure checking ssl_domains Ok. checking ip_users Ok. /opt/installer/scripts |-- ip_users `-- ssl_domains 0 directories, 2 files Executing source Ip 192.168.1.100 Domain:www.enlook.wordpress.com DNAT tcp -- 192.168.1.100 76.74.254.123 tcp dpt:443 tcp dpt:443 to:192.168.1.6:81 Domain:www.enlook.wordpress.com DNAT tcp -- 192.168.1.100 192.0.80.250 tcp dpt:443 tcp dpt:443 to:192.168.1.6:81 Domain:www.enlook.wordpress.com DNAT tcp -- 192.168.1.100 192.0.81.250 tcp dpt:443 tcp dpt:443 to:192.168.1.6:81 Domain:www.enlook.wordpress.com DNAT tcp -- 192.168.1.100 66.155.9.238 tcp dpt:443 tcp dpt:443 to:192.168.1.6:81 Domain:www.enlook.wordpress.com DNAT tcp -- 192.168.1.100 66.155.11.238 tcp dpt:443 tcp dpt:443 to:192.168.1.6:81 Domain:www.enlook.wordpress.com DNAT tcp -- 192.168.1.100 76.74.254.120 tcp dpt:443 tcp dpt:443 to:192.168.1.6:81 Domain:facebook.com DNAT tcp -- 192.168.1.100 173.252.110.27 tcp dpt:443 tcp dpt:443 to:192.168.1.6:81 31.13.79.144 blocked for the domain www.facebook.com Executing source Ip 192.168.1.245 Domain:www.enlook.wordpress.com DNAT tcp -- 192.168.1.245 76.74.254.120 tcp dpt:443 tcp dpt:443 to:192.168.1.6:81 Domain:www.enlook.wordpress.com DNAT tcp -- 192.168.1.245 76.74.254.123 tcp dpt:443 tcp dpt:443 to:192.168.1.6:81 Domain:www.enlook.wordpress.com DNAT tcp -- 192.168.1.245 192.0.80.250 tcp dpt:443 tcp dpt:443 to:192.168.1.6:81 Domain:www.enlook.wordpress.com DNAT tcp -- 192.168.1.245 192.0.81.250 tcp dpt:443 tcp dpt:443 to:192.168.1.6:81 Domain:www.enlook.wordpress.com DNAT tcp -- 192.168.1.245 66.155.9.238 tcp dpt:443 tcp dpt:443 to:192.168.1.6:81 Domain:www.enlook.wordpress.com DNAT tcp -- 192.168.1.245 66.155.11.238 tcp dpt:443 tcp dpt:443 to:192.168.1.6:81 Domain:facebook.com DNAT tcp -- 192.168.1.245 173.252.110.27 tcp dpt:443 tcp dpt:443 to:192.168.1.6:81 31.13.79.144 blocked for the domain www.facebook.com
Now you have control in the network traffic usage.
Howto: Install ssl with tomcat Appserver.
Five easy steps to enable SSL for tomcat application server.
1, generate Key store
keytool -genkey -alias server -keyalg RSA -keysize 2048 -keystore planetcure-in.jks
It ask few information that we would like to publish along with the SSL
==Certificate information==
Common Name : *.planetcure.in
Organization name: Xtermpro
Country/Region name: myregion
City/Locality: mycity
State/Province: mystate
2, Generate CSR
CSR it to submit to the SSL provider for digital signing Now you receive CRT file from the SSL provider, you may see the signing information in it.
keytool -certreq -alias server -file planetcure-in.csr -keystore planetcure-in.jks
3, Import CA
You may also receive a public CA from the certificate Authority, now you need to import it. This will be called as intermediate CA
keytool -import -alias intermediate -trustcacerts -file intermediateCA.cer -keystore planetcure-in.jks
4, Now this is the final stage you have to import cert file , you can see that their is another key already installed in the key store that is generated along with the keystore generation, it have to replace with the valid certificate.
keytool -import -alias server -trustcacerts -file planetcure-in.crt -keystore planetcure-in.jks
This will give the success output, now move to the configuration changes.
5, Edit the server.xml for the valid entries. Default tomcat SSL port is 8443, here I user 443 .
<Connector port="443" protocol="HTTP/1.1" maxThreads="150" scheme="https" secure="true" SSLEnabled="true" keystoreFile="${catalina.home}/conf/keystore/planetcure-in.jks" keystorePass="keystorepassword" keyAlias="server" clientAuth="false" sslProtocol="TLS"/>
that’s it, now restart the web server to make the changes effect .