Daniel E. Markle's Blog - System Administration

Let's Encrypt SSL Certificates

dmarkle@ashtech.net (Daniel E. Markle) — Sat, 21 Jan 2017 00:17:11 -0500

Let's Encrypt changes the game for SSL certificates. By combining free certificates with an effective mechanism for ensuring these certificates are legitimately issued, everyone running a site can now have a signed certificate. EFF's Certbot is a handy tool for allowing even novice administrators to easily maintain these certificates, with automatic renewal.

For companies with intranets, Let's Encrypt may not be suitable. The resolution protocol which proves out the site owner requires access to the dns or parent web server for a real domain. Regardless of registration method used, the addresses of these intranet sites are then publicly available via logs which anyone can see, which could be an issue in cases where it is important to keep these private.

Regardless of the caveat for intranets, this new option is a tremendous improvement over the previous state of SSL for many, and has particularly impressive use cases in cloud deployments.

Liferay 6.0.6 CE Editing Toolbar Bug

dmarkle@ashtech.net (Daniel E. Markle) — Wed, 28 Sep 2011 11:39:05 -0400

In Liferay 6.0 GA4 Community Edition there is an error in the CKEditor configuration; different configuration files are used to define the editing toolbar for the web content and other areas depending on the browsing path. This results in an issue where the toolbar changes seemingly at random. This is fixed in the Enterprise Edition and for future versions, but for those of us using the current Community Edition, the following workaround is useful.

The most problematic disappearing item for my use case is the spell checker; the same method can be used to restore other buttons as necessary. Back up, then apply this ckconfig.jsp patch to the Liferay root web app. For the tomcat download this is located in the liferay-portal-6.0.6/tomcat-6.0.29/webapps/ROOT/html/js/editor/ckeditor/ directory. Shut down Liferay, remove the tomcat work directory to clear the cache, then restart Liferay.

Airprint to an Office Workgroup Printer

dmarkle@ashtech.net (Daniel E. Markle) — Tue, 19 Jul 2011 15:55:26 -0400

Although Apple uses standard protocols for Airprint, the service is very picky about the exact broadcast settings before the printer will show up on iOS devices. The easiest way I've found to Airprint to an office workgroup printer:

Configure the printer to be printable via a Linux / CUPS server. On Debian install the cups and cups-pdf packages then log in via port 631 and configure the workgroup printer, making sure a test page prints.

Add ServerAlias * in /etc/cups.conf; this prevents "Request from x using invalid Host: field" errors.

Install avahi, on Debian use the avahi-daemon package.

Run this handy airprint-generate script. Copy the resulting file to /etc/avahi/services/ and restart avahi and cups.

Airprint should now be working for your iOS devices on the local network.

SNMP MIB lookup removed from Debian squeeze

dmarkle@ashtech.net (Daniel E. Markle) — Mon, 07 Feb 2011 18:02:51 -0500

After upgrading to Debian squeeze, snmp output will change; the descriptions are missing.

Before squeeze (i.e. in lenny):

$ snmpget -v1 -On -c public printer.example.com 1.3.6.1.2.1.25.3.5.1.1.1

.1.3.6.1.2.1.25.3.5.1.1.1 = INTEGER: idle(3)

After squeeze upgrade:

$ snmpget -v1 -On -c public printer.example.com 1.3.6.1.2.1.25.3.5.1.1.1

.1.3.6.1.2.1.25.3.5.1.1.1 = INTEGER: 3

This is because the MIB files were stripped from squeeze due to licensing reasons. Install the snmp-mibs-downloader package and comment out the line in /etc/snmp/snmp.conf as described in that config file. Non-free will need to be enabled in apt sources if you are not finding the package. See the Debian wiki section on snmp for added information.

Zimbra 6.0.9 Upgrade Logrotate Issue

dmarkle@ashtech.net (Daniel E. Markle) — Fri, 03 Dec 2010 12:27:36 -0500

If receiving e-mails like this from Zimbra after upgrading to 6.0.9:



/etc/cron.daily/logrotate:

error: zimbra:5 unknown user 'USER'

run-parts: /etc/cron.daily/logrotate exited with return code 1

See this forum post on a 6.0.9 logrotate issue. In a nutshell, edit /etc/logrotate.d/zimbra and replace USER GROUP with zimbra zimbra.

Debconf 10

dmarkle@ashtech.net (Daniel E. Markle) — Wed, 13 Oct 2010 21:20:57 -0400

In August I attended Debconf 10. My primary goals were to learn more about the current status of the Debian community, particularly in the face of Ubuntu's rise to popularity, and to fix the package xtrkcad for Debian, which used an outdated library. Continue reading "Debconf 10"

Apache SSL and Combined Certificates

dmarkle@ashtech.net (Daniel E. Markle) — Tue, 04 May 2010 13:52:37 -0400

Current versions of Apache HTTP Server support SSL certificates and keys all in one file; it is no longer required to separate them. Point SSLCertificateFile at the combined file (commonly .pem) and comment out or omit SSLCertificateKeyFile.

This may not be desirable if you wish to have the certificate publicly available somewhere like /etc/ssl/certs/, available on the web for verification, or use the certificate for other applications for that domain (it's important to keep the key, and thus the combined file, private). In many common cases certificates are only used for an SSL secured web server, however.

Zimbra 32bit to 64bit Certificate Issue

dmarkle@ashtech.net (Daniel E. Markle) — Sat, 01 May 2010 20:48:14 -0400

When upgrading from 32 to 64 bit Zimbra, I could not get the zimbra mailbox (mailboxd) to start. It turned out to be a set of borked certificates. Do yourself a favor if you have this problem and just do this:



mv /opt/zimbra/mailboxd/etc/keystore /opt/zimbra/mailboxd/etc/keystore.borked

sudo /opt/zimbra/bin/zmcertmgr deploycrt self

Then re-deploy your certificates using the gui admin interface after restarting Zimbra. Continue reading "Zimbra 32bit to 64bit Certificate Issue"

Agile Documentation Thoughts for Small Groups

dmarkle@ashtech.net (Daniel E. Markle) — Thu, 30 Jul 2009 23:03:25 -0400

Working for a small company, our projects tend to be small. Processes and programs are best documented as tasks are first done and over time as improvements are made. Trying to document everything up front is a waste of time, as the requirements change throughout. Waiting until the end, the documentation is never completed as some other urgent project comes along. Humans are frighteningly perishable and can get hit by a bus/meteor/disease at any time.
Continue reading "Agile Documentation Thoughts for Small Groups"

Debian 5 Mailutils and Maildir

dmarkle@ashtech.net (Daniel E. Markle) — Wed, 08 Apr 2009 16:32:48 -0400

When setting up Maildir in Debian 5.0, getting the generic mail applications working correctly can be tricky.

Install the 'mailutils' package, not the bsd mailx package.

Do not touch the mailutils /etc/mail.rc file; there are some promising looking variables here like mailbox-type but these do not do what is desired. When the MAIL environment variable is set correctly mailutils will automatically detect the maildir box type.

Do not touch /etc/login.defs; the promising looking lines in here are deprecated.

Edit files in /etc/pam.d, changing the pam_mail.so lines as shown (assuming ~/Maildir as the selected location):
- login: default login shells
  session optional pam_mail.so dir=~/Maildir standard
- su: set up for proper MAIL when using su; nopen does not show 'new mail' message
  session optional pam_mail.so dir=~/Maildir nopen
- sshd: set up MAIL properly when logging in with ssh; this line probably has a noenv by default which needs removed to set this properly
  session optional pam_mail.so dir=~/Maildir standard

PostgreSQL Upgrade to 8.3 on Debian Encoding Issues

dmarkle@ashtech.net (Daniel E. Markle) — Wed, 18 Mar 2009 19:28:36 -0400

PostgreSQL has improved its checking for proper locale handling in version 8.3. Due to inconsistencies caused by changing defaults in past versions of Debian, some database clusters contain UTF8 and LATIN1 databases in the same cluster. This can cause problems when trying to restore from a pgdump file with errors similar to:

ERROR:  encoding LATIN1 does not match server's locale en_US.UTF-8

DETAIL:  The server's LC_CTYPE setting requires encoding UTF8.

Continue reading "PostgreSQL Upgrade to 8.3 on Debian Encoding Issues"

Cron Uses /usr/sbin/sendmail

dmarkle@ashtech.net (Daniel E. Markle) — Thu, 22 Jan 2009 20:09:33 -0500

On a server running Zimbra on Ubuntu, to get cron job output sent to an e-mail address, make the following link:

ln -s /opt/zimbra/postfix/sbin/sendmail /usr/sbin/sendmail

Until this is done, crontab output will silently vaporize. Continue reading "Cron Uses /usr/sbin/sendmail"

Be Careful with / in ProxyPass

dmarkle@ashtech.net (Daniel E. Markle) — Tue, 05 Feb 2008 18:06:26 -0500

I use the built-in Apache 2.2 ajp ProxyPass support when deploying Tomcat and JBoss applications via Apache. When doing so, be careful your slashes match up or you can have subtle problems with applications which use redirects. For example, I was deploying a JSPWiki but having an odd problem with authentication where logins would seem to fail but then work fine if I manually reloaded the page. I was using this Apache configuration:

ProxyPass           /webdevwiki  ajp://127.0.0.1:8009/webdevwiki/

ProxyPassReverse    /webdevwiki  ajp://127.0.0.1:8009/webdevwiki/

This appeared to work fine, but when logging in an extra slash would get added to the Login.jsp redirection page. This kept the redirect to the main page from working, causing it to reload the Login.jsp infinitely even though login had been successful. A manual click of the reload button fixed the site, with authentication and all other functions working until trying to log in again.

ProxyPass           /webdevwiki  ajp://127.0.0.1:8009/webdevwiki

ProxyPassReverse    /webdevwiki  ajp://127.0.0.1:8009/webdevwiki

Removing the extra slashes as shown fixed this issue.

Making Apache 2.2 valid-user work with mod_authnz_ldap

dmarkle@ashtech.net (Daniel E. Markle) — Thu, 03 Jan 2008 12:46:05 -0500

Apache 2.2's mod_authnz_ldap has significant differences from Apache 2.0's mod_auth_ldap. Moving to 2.2, some significant changes are needed which can be confusing and cause seemingly nonsensical authorization loops if directives are missed.

Necessary modules

auth_basic
authz_user
ldap
authnz_ldap

Directives



        AuthType basic

        AuthBasicProvider ldap

        AuthName "My Site"

        AuthLDAPURL ldap://ldap1.example.com/ou=People,o=Example

        AuthzLDAPAuthoritative Off

        Require valid-user

AuthBasicProvider ldap is needed instead of AuthLDAPEnabled on, which no longer exists as a valid directive.

AuthzLDAPAuthoritative Off is needed to allow the authorization to fall though to Require valid-user, otherwise you will get auth _ldap authorise: authorisation denied in your debug messages after it successfully authenticates the user but fails to find an authorization directive to allow access. These messages will not show up in your logs by default, so it can be confusing if you watch the ldap server, see authentication succeed, and wonder why it keeps requesting a username and password.

Zimbra Calendar Reminders Not Individually Configurable

dmarkle@ashtech.net (Daniel E. Markle) — Fri, 06 Jul 2007 10:57:39 -0400

Zimbra lacks a calendar feature commonly used by serious Outlook and Entourage users, the ability to configure reminders for individual calendar entries. The workaround is to create a 'reminder' calendar entry, which does not work well as it requires manually changing the reminder if the original appointment changes. If you are a current or prospective Zimbra user and would like to have this feature added, please vote for this bug. On a related note, the Zimbra Toaster (which provides popup notification of new mail) does not support calendar reminders, which is documented in this bug.