Wednesday, November 06, 2019

6.5 amd64: Modify existing certbot certificates.

Hi,

It's been quite some time eh. As you can see, I still upgrade my OpenBSD system regularly but currently I do not have the time to write another blog post. So, here I am.

My 6.5 server has a Let's Encrypt certificate with multiple subdomains in it. This OpenBSD system runs Nginx, which acts as an HTTPS reverse proxy to a Docker host backend.

[Router] <--https--> [OpenBSD] <--http--> [Docker]

For this example I'm replacing the subdomains with generic names. First, I check my existing SSL certificate.

$ doas certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: domain.my
    Domains: domain.my www.domain.my 123.domain.my 456.domain.my
    Expiry Date: 2019-12-11 09:35:47+00:00 (VALID: 34 days)
    Certificate Path: /etc/letsencrypt/live/domain.my/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/domain.my/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -


Great. I still have a valid certificate. What I'm planning to do is to remove these subdomains:

1) 123.domain.my
2) 456.domain.my

Then add 2 new subdomains:

1) abc.domain.my
2) def.domain.my

As I'm using Nginx to serve the certificate, I stopped Nginx in preparation for the certificate modification.

$ doas rcctl stop nginx

Then I proceed to request the certificate modification using certbot. Take note of the "Certificate Name" value shown above, as it's needed to modify the existing cert in place.

$ doas certbot certonly --cert-name domain.my -d domain.my,www.domain.my,abc.domain.my,def.domain.my

After I run the command, certbot prompts me to select how to authenticate my server. For this one, I opted to spin up a temporary standalone webserver (option 1).

Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator standalone, Installer None


Next, certbot shows me the changes that will be made. I then choose "U" to update the cert.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You are updating certificate domain.my to include new domain(s):
+ abc.domain.my
+ def.domain.my

You are also removing previously included domain(s):
- 123.domain.my
- 456.domain.my

Did you intend to make this change?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(U)pdate cert/(C)ancel: u

Renewing an existing certificate

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/domain.my/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/domain.my/privkey.pem
   Your cert will expire on 2020-02-04. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le


And it's done! So easy. Take note that I did not use "--expand" on the command.

If you do not include "--cert-name CERT_NAME" in your command, certbot will create another certificate with a "-0001" suffix on its name, such as "domain.my-0001", and you will end up with 2 separate certificates instead.

That's all. Until next post!

Ref: https://certbot.eff.org/docs/using.html#renewing-certificates

Monday, October 09, 2017

6.1 amd64: Python 3 - ebaysdk UnicodeDecodeError.

Hey,

Currently I'm testing Odoo 11, which has now moved from Python 2.7 to Python > 3.5. OpenBSD 6.1 already ships Python 3.6, so that should be no issue.

However, this one particular package is currently uninstallable.

ebaysdk

I tried using pip but I got errors. Take note that "requirements.txt" only has ebaysdk in it.

$ doas pip install -r requirements.txt
The directory '/home/karl/.cache/pip/http' or its parent directory is not owned by the current user and the cache has been disabled. Please check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
The directory '/home/karl/.cache/pip' or its parent directory is not owned by the current user and caching wheels has been disabled. check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
Collecting ebaysdk==2.1.4 (from -r requirements.txt (line 1))
  Downloading ebaysdk-2.1.4.tar.gz (40kB)
    100% |################################| 51kB 148kB/s
    Complete output from command python setup.py egg_info:
    Traceback (most recent call last):
      File "<string>", line 1, in <module>
      File "/tmp/pip-build-dvars6pw/ebaysdk/setup.py", line 26, in <module>
        open(VERSIONFILE, "rt").read(), re.M).group(1)
      File "/usr/local/lib/python3.6/encodings/ascii.py", line 26, in decode
        return codecs.ascii_decode(input, self.errors)[0]
    UnicodeDecodeError: 'ascii' codec can't decode byte 0xc2 in position 29: ordinal not in range(128)

    ----------------------------------------
Command "python setup.py egg_info" failed with error code 1 in /tmp/pip-build-dvars6pw/ebaysdk/


All the other dependencies install correctly except for this one. I tried setting LC_CTYPE, LC_ALL, even LANG and LANGUAGE to en_US.UTF-8, but still without success.

I'm checking for workaround on this. Later.


Thursday, October 05, 2017

6.1 DL160 Gen9: Bought myself a domain, now to configure Nginx + acme-client.

Hi,

Except for the fact that the server's Smart Array battery is failing, my ProLiant DL160 Gen9 is doing great. I've long since changed to running ESXi 6.0, and now it's VMware ESXi 6.5. Last time I wrote that I'm using XenServer, but it was just a brief encounter. Having to install an additional program for a web management feature is one of the negative points for me. So that's why I went back to VMware ESXi. Been learning a lot from this machine, so I'm very excited and grateful.

What else is new? Ah. Got a very crazy deal for a domain registration, which is buy 2 years and get 2 more years free for RM160! So I went for it and bought meself a domain. I should've bought more but I have no more budget. And before that I registered for a bargain 10Mbps Unifi plan for RM129/mth. Oh yeah, and I moved to a new place.

As now I have my internet line at home, I can properly play around with the server and OpenBSD. My plan is to bring up my Odoo web online and *finally* start my small business.

So far, I have 2 OpenBSD VMs. One VM serves the local DNS (in progress), web (using Nginx), PostgreSQL and Fossil SCM, and the other VM is doing nothing important (yet). In detail:

serv1.mydomain.my (also known as www.mydomain.my):
- Unbound (not done).
- Nginx (serving Odoo through reverse proxy, Fossil SCM through SCGI, proxy pass to ESXi all in HTTPS).
- PostgreSQL.
- acme-client for SSL Certs (This particular post).

I learned acme-client the hard way. I configured the acme-client related files (/etc/acme-client.conf & /etc/nginx/nginx.conf) but every time I ran "acme-client -vAD mydomain.my" I received errors:

# acme-client: bad exit: netproc(xxxx): 1

Thinking that I could trial-and-error as much as I wanted, I kept reconfiguring the files until I hit the limit of registration tries. It was only then that I read about it at https://letsencrypt.org/docs/rate-limits/. Then I read about the "staging" option (acme-client --staging), which I tried, but it's not in the version installed in OpenBSD. I checked /etc/acme-client.conf and found the staging block, so I altered it as:

===== /etc/acme-client.conf =====
#authority letsencrypt {
#    *snipped
#}

#authority letsencrypt-staging {
authority letsencrypt {
    agreement url "bla bla
    bla bla bla
    account key "bla bla
}
===== /etc/acme-client.conf =====

Basically I commented out the production block and the "authority letsencrypt-staging" line. Running the same "acme-client -vAD mydomain.my" now uses the staging URL instead of the production one, so the limit is much higher, which is useful for testing/debugging. I wish I knew this earlier. Because of the production limit, I now have to wait a full 7 days before I can try and register again. Ah well, I can do more testing in the meantime.

After many reconfiguration/testing cycles, I found that this configuration successfully registered my domain. Here's the additional block in /etc/acme-client.conf:

===== /etc/acme-client.conf =====
* snipped

domain mydomain.my {
    alternative names { www.mydomain.my esx.mydomain.my fossil.mydomain.my }
    domain key "/etc/ssl/private/mydomain.my.key"
    domain certificate "/etc/ssl/mydomain.my.crt"
    domain full chain certificate "/etc/ssl/mydomain.my.fullchain.pem"
    sign with letsencrypt
    challengedir "/var/www/acme/.well-known/acme-challenge"
}
===== /etc/acme-client.conf =====

And to complement the above configuration, here's the /etc/nginx/nginx.conf configuration.

===== /etc/nginx/nginx.conf =====
# Default server
server {
    listen 80;
    server_name mydomain.my www.mydomain.my;

    location ^~ /.well-known/acme-challenge {
        default_type "text/plain";
        root /var/www/acme;
    }

    location / {
        return 307 https://www.mydomain.my$request_uri;
    }
}

# ESXi
server {
    listen 80;
    server_name esx.mydomain.my;

    location ^~ /.well-known/acme-challenge {
        default_type "text/plain";
        root /var/www/acme;
    }

    location / {
        return 307 https://$host$request_uri;
    }
}

server {
    listen 443;
    ssl on;
    ssl_certificate    /etc/ssl/mydomain.my.fullchain.pem;
    ssl_certificate_key    /etc/ssl/private/mydomain.my.key;

    *snipped
}
===== /etc/nginx/nginx.conf =====

Do take note that the default_type "text/plain"; line is optional; I tried registering without it and it's fine. The "ESX" block is also not complete yet, as the virtual console gives a "Failed to connect" error, which is for another post. After reconfiguring, I restarted Nginx and ran acme-client again.

# rcctl restart nginx
# acme-client -vAD mydomain.my
* snipped
acme-client: /etc/ssl/mydomain.my.crt: created
acme-client: /etc/ssl//mydomain.my.fullchain.pem: created

Note the double slash "//" in the fullchain.pem path. Although it looks like something is not working, I can still find the fullchain.pem file in the /etc/ssl folder. And when I checked the SSL certificate, the issuer's Common Name (CN) is "Fake LE Intermediate X1", which is what Let's Encrypt documents for the staging environment.

So far I've done a few tests and it's ok. I need to wait until this Sunday (or next Monday) before I can try and register again. Later.
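Whether the certificate came from certbot (the --cert-name update at the top of this page) or from acme-client with the staging authority as in this post, the check I want afterwards is the same: list the names the issued certificate actually covers, confirm they match the intended list, and confirm the issuer. This is an added example, not code from the original posts; it assumes only openssl(1) and builds a constructed self-signed test certificate so it runs without touching /etc/ssl or /etc/letsencrypt.

```sh
#!/bin/sh
# Added example (not from the original posts): inspect an issued certificate
# and check that it covers exactly the intended names. Assumes openssl(1).
#
# Usage after sourcing this file:
#   cert_covers_exactly /etc/letsencrypt/live/domain.my/fullchain.pem \
#       domain.my,www.domain.my,abc.domain.my,def.domain.my

# Print the DNS names from the certificate's subjectAltName, one per line, sorted.
cert_san_names() {
  openssl x509 -in "$1" -noout -text \
    | awk '/X509v3 Subject Alternative Name/ { getline; print }' \
    | tr ',' '\n' \
    | sed -n 's/^[[:space:]]*DNS://p' \
    | sort
}

# Print the issuer's Common Name, e.g. "Fake LE Intermediate X1" for the
# Let's Encrypt staging authority. RFC2253 output puts CN first.
cert_issuer_cn() {
  openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 \
    | sed -n 's/.*CN=//p' \
    | sed 's/,.*//'
}

# Compare the certificate's names with a comma-separated list (the same form
# certbot's -d and acme-client's alternative names take). Returns 0 on an
# exact match, 1 otherwise, showing both lists so the operator sees the drift.
cert_covers_exactly() {
  have=$(cert_san_names "$1")
  want=$(printf '%s\n' "$2" | tr ',' '\n' | sort)
  if [ "$have" = "$want" ]; then
    return 0
  fi
  printf 'SAN mismatch\n have: %s\n want: %s\n' \
    "$(printf '%s' "$have" | tr '\n' ' ')" \
    "$(printf '%s' "$want" | tr '\n' ' ')" >&2
  return 1
}

# Build a constructed self-signed test certificate (NOT a real Let's Encrypt
# cert) with the given CN as both subject and issuer and the given SAN names.
make_test_cert() {  # $1 = output path, $2 = CN, $3 = comma-separated names
  cnf=$(mktemp); key=$(mktemp)
  printf '[req]\ndistinguished_name=dn\nx509_extensions=ext\n[dn]\n[ext]\nsubjectAltName=DNS:%s\n' \
    "$(printf '%s' "$3" | sed 's/,/,DNS:/g')" > "$cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -config "$cnf" -keyout "$key" -out "$1" 2>/dev/null
  rm -f "$cnf" "$key"
}
```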

Wednesday, December 14, 2016

-c X200 amd64: New bind-key for cwm.

Hey,

Updated my -CURRENT today and found that my key bindings in cwm were no longer working. Did a man cwmrc and found that the bind syntax has changed.

Previous ~/.cwmrc
=====
#bind key binding
bind 4-l    lock
=====

Now:
=====
bind-key 4-l    lock
=====


Working now like a charm. cwm rocks!

Saturday, September 17, 2016

Welcoming HPE ProLiant DL160 Gen9 as another of my machines.

Hi,

Been quite some time. Been busy with work and all. And these few days I've been busy with new weapons in my IT arsenal.

I've acquired, or more correctly salvaged, a HPE ProLiant DL160 Gen9 server. It's from a burnt server room and was destined to be disposed of. When I got it, the server fans (3 units) were not working so it couldn't boot, so the company that owns it doesn't want it in production anymore. There was tar built up inside the server, so I cleaned the fans until I could make them turn, then tried to boot it up and it works. The fire didn't go anywhere near the server; it was just heavy smoke covering the server room. I cleaned the internals a bit more but need to get myself some isopropyl alcohol soon to thoroughly clean the interior.

The first OS I installed to test this system is, well, OpenBSD 6.0 amd64. As I thought, this Generation 9 system is new and there are many devices which show up as "not configured". The Matrox 200eH display has no device driver yet. Sorry, but I forgot to get the dmesg after the bare-metal install.

This DL160 Gen9's configuration is:
1x Intel E5-2623 v3 @ 3.00GHz (4 cores)
4x 4GB ECC RAM (I set it up to RAID 5)
4x 1TB 2.5" SAS Drive
HPE P440 SAS Controller PCIe
1x 550W non-hotswap PSU
HPE 82Q 8Gb 2-Port PCIe Fibre Channel Host Adapter (not installed)

That's what I can remember. So after the brief test of OpenBSD, I installed the Windows Server 2012 R2 trial. Figuring that HPE should have provided all the device drivers needed for Windows (which is true), I might as well use Hyper-V for OpenBSD, which I did. And I didn't quite like it. Partly because I'm not delving deeper into how to configure Hyper-V. Also, I keep staring at the Win Server 2012 R2 desktop, not knowing what else to do with it. Yeah sure, my company uses it in production, and I also set up a few of my company's backup servers with it, so I somehow need to learn it, but it's not the only virtualization solution.

So I checked the server's compatible OS list and got meself 2 candidates.

VMware ESXi vSphere 6.0 Update 2
XenServer 6.5

For ESXi, 6.0 is the latest version. HPE also provides a downloadable custom ISO for it. Nice. I downloaded the goodies and installed the HPE custom ISO version. My verdict:

I'm still new to this VM thingy. My DL160 has a 64GB miniSD included, so ESXi can be installed on it. As I was told that vSphere is free now, I got meself the free license key. Keyed it in, just to feel what the free version can do, as I know I can't afford to buy myself Essentials or more. Installation was easy, and so was the post-installation configuration. The web interface is readily available. Then I installed OpenBSD. Didn't manage to get the network to work. Even with the HPE custom ISO, which includes all the necessary drivers, I somehow feel the console response in OpenBSD is a bit sluggish. But hey, it's my first try, so what do I know? My company also utilises ESXi, so it's good to know there's a latest ISO provided by HPE for this server.

Then for XenServer 6.5. Not the latest version. The latest is version 7, but HPE states that they officially support version 6.5 as compatible. No custom ISO from HPE, so I went to xenserver.org to download it. But I never did install it, as it supports MBR booting only. No UEFI. Which somehow I do mind.

So I went back to xenserver.org and got meself XenServer 7. I read that there's no web client included, so I also downloaded Xen Orchestra, which adds nearly 500MB of additional download on top of XenServer's 600MB or so. ESXi has the vSphere client, and XenServer has its XenCenter. Both are Windows only. Which is a bummer. But ESXi's built-in web interface is good and progressing, unlike XenServer, which relies on a 3rd party web interface like Xen Orchestra.

Installation-wise, XenServer can be installed in UEFI mode, which is great. But there's a strong suggestion to avoid installing it to SD or USB and proceed with the local disk instead, so ESXi wins this part. Getting Xen Orchestra to run also poses a problem for a newbie like me. My bad. I'm using an old Innacom Streamyx ADSL router modem as my home-lab router for this exciting project, so I'm learning quite a few things at once.

To my surprise, Xen Orchestra runs as a VM inside XenServer, which I thought would just add the web interface inside XenServer instead. Also to my surprise, the web interface is much better than ESXi's. Maybe because I keyed in the free license in ESXi and many features are disabled? I'm not quite sure. Many features are also disabled in Xen Orchestra (oh, this one is also a free version), but I read that XenServer has all the features enabled and I can just fall back to the trusty SSH/console if I need to use them. Honestly, although Xen Orchestra's interface is nice, I found myself lost in it quite a few times. Anyway, getting a VM installed using it is not that hard. But...

But ESXi makes it easy to get guest OS ISOs uploaded to the host server. This is also the thing that I like about ESXi. Basically, storage manipulation in ESXi is easier for me, although I don't have enough experience with this VM thingy. I can just create a directory, upload an ISO into it and install my guest OS using it. In XenServer, I have to take note of the directory's limitations (storage is in XenServer's partition etc.), mkdir the directory in a somewhat standard place (/var/opt/xen/ISO_Store) and then register that directory with XenServer's storage. And note that I had already gained a bit of experience in XenServer, rather than the truly trial-and-error approach in ESXi earlier, so these points really show how, hmm, can I say "user friendly" ESXi is.

Putting that aside, I made that /var/opt/xen/ISO_Store thingy happen, pushed my install60.iso into it and installed from it. Easy-peasy-lemon-squeezy. Tried a UEFI installation but didn't manage to boot OpenBSD after installation. I'm too lazy to find the solution right now, so I rushed for an MBR installation. Hey, I need to know how well XenServer will host my OpenBSD. And it doesn't disappoint. I'm smiling to see that the xnf0 network interface came up with DHCP. The console response in Xen Orchestra is also fluid. Nice. Getting OpenBSD up is the most important thing. And I know for now that XenServer is the suitable place for it on my DL160 Gen9. Until OpenBSD supports all that hardware on bare metal, that is. Or who knows, maybe I'll stick with the VM path as this is also great knowledge to learn.

XenServer 7 it is then. Seeing more features enabled in the free version than in ESXi, I've made my choice already. Will I return to ESXi? I will, for learning purposes. As I'm new to this (I think I've stated this too many times now) VM thingy, the limitations in free ESXi might not make too much impact. Or if I were given an Essentials license for free. Hah! Oh, also Microsoft has a free Windows Hyper-V 2012 R2 server for download, and done downloading I am.

That's it for now. I'll write up the details of installation and configuration next, when I'm not too lazy to write, as I'm currently playing around with the server. Just exploring iLO4 alone is exciting! Later!

Friday, July 15, 2016

-c X200 amd64: Odoo 9, node.js npm "Abort Trap" error.

Hi,

Updated my OBSD today and git-pulled my Odoo 9 too. So I noticed 2 things: #1, kern.usermount's setting is denied. #2, pledge() is enforced on node (node.js). So my Odoo homepage is now messed up and shows a "Could not execute command 'lessc'" notice at the top of the homepage. This messes up the homepage only, as the other pages (Discuss, Calendar etc.) are ok. When I tried running npm, I got an error.

$ npm
Abort trap (core dumped)

Also dmesg is showing W^X violation.

node(12345): mmap W^X violation

So I'm unable to update less and so on. The truth is that I'm very new to the pledge(2) thingy and I need to find information regarding this. If you have any info, do share with me. Later.

Update:
Bah! The info regarding this was already posted looooong ago. Ouch. Sorry for this.

https://www.openbsd.org/faq/current.html#r20160527

Wednesday, June 15, 2016

-c X200 amd64: Nginx + PHP5 + PostgreSQL + Drupal 8. Headaches and joy. Finally working.

Hi,

In short, I'm happy my 3 days of headache are over. And Drupal 8 is working now (from my 2 days of testing). Hey, it's just an updated version of Drupal 7 (which is in packages), how hard can the installation be? Yeah, I thought the same, but Drupal 8 requires an additional package to work properly. I'll tell you about it.

There's no Drupal 8 package available yet. But it's just a web app. Just download the tar file from the official Drupal site and extract it in /var/www/htdocs, and it should be ok, as I've installed Drupal 7 before.

Take note that the web server I'm using is Nginx. It's in packages so I can install it.

# pkg_add nginx

Then I can start to disable httpd and enable Nginx.

# /etc/rc.d/httpd stop

Edit /etc/rc.conf.local

===== /etc/rc.conf.local starts =====
#httpd_flags=
pkg_scripts=nginx
===== /etc/rc.conf.local end =====

Then start Nginx.

# /etc/rc.d/nginx start

Drupal's version is 8.1.2 now. So I downloaded that version and extracted the tar.gz file.

# tar zxvf drupal-8.1.2.tar.gz
# mv drupal-8.1.2 /var/www/htdocs/drupal8

Then I chown the folder and its contents to www:daemon. Before this I just left all websites inside /var/www/htdocs as root:daemon.

# cd /var/www/htdocs
# chown -R www:daemon drupal8

Now, for /etc/nginx/nginx.conf, I follow the nginx.conf available on the Nginx recipes site.

https://www.nginx.com/resources/wiki/start/topics/recipes/drupal/#

Take note to change the details inside. Then I copied default.settings.php in drupal8, for the installation.

# cd drupal8
# cp sites/default/default.settings.php sites/default/settings.php

I don't need to change anything in settings.php as the installation will take care of it. And then I open up Firefox and type "drupal.example.com" to open up the Drupal installation. Do make sure the PostgreSQL part of the installation is ready (user and database for Drupal 8).

The installation went through. Then I was brought to Drupal 8's front page. Nice. I tried clicking on the Content link.

The website encountered an unexpected error

What the.. This error took me 3 days to figure out. I uncommented error_log in nginx.conf, then checked the log at /var/www/logs/error.log.

2016/06/14 16:02:13 [error] 48552#0: *89 FastCGI sent in stderr: "PHP message: Uncaught PHP Exception RuntimeException: "GuzzleHttp requires cURL, the allow_url_fopen ini setting, or a custom HTTP handler." at /htdocs/drupal8/vendor/guzzlehttp/guzzle/src/functions.php line 116" while reading response header from upstream, client: 127.0.0.1, server: drupal.example.com, request: "GET /node/add HTTP/1.1", upstream: "fastcgi://unix:/run/php-fpm.sock:", host: "drupal.example.com", referrer: "http://drupal.example.com/"


This is what I got. What GuzzleHttp? What? Searching around, I found that I need to install curl. Fortunately it's in packages.

# pkg_add php-curl

I chose the version matching my PHP5 version. Installed. Good. Opened drupal.example.com again. Clicked Content. Got the same error. What? Curl is already installed!

Doing more searching, I found that I need to enable the curl extension in /etc/php-5.6.ini. I put the details in the extensions part.

===== /etc/php-5.6.ini start =====
* skipped *

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Dynamic Extensions
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

extension=/usr/local/lib/php-5.6/modules/curl.so

* skipped *
===== /etc/php-5.6.ini end =====

Restarted both nginx & php-fpm.

# /etc/rc.d/nginx restart
# /etc/rc.d/php-fpm restart

Then check the website again. Voilà! It's working now. Yes! Ok, I didn't put more info regarding PostgreSQL as I think I've already written something about it in a previous post. Somewhere.

Now that Drupal 8 is working, I can start learning the new app and do some little project that I've delayed sooooooooo long. Later.
