My ongoing experiences with Ubuntu, and later Mythbuntu, as a media center with MythTV. I'm also using the system for a virtual machine server, a mediawiki server and a general all around home infrastructure base.

Saturday, January 31, 2009

Regenerating Apache SSL certificate for 10 years

I noticed the SSL certificate I had previously generated for Apache had expired, so I set about generating a new one. This time I wanted to generate a really long-lived (10 year) certificate so I didn't have to deal with this again in a year.

I started by cleaning out the old certificate (you'll get an error later if you don't do this):
# rm /etc/apache2/ssl/*
Now I edited the OpenSSL configuration file to bump the lifetime to 10 years (3650 days):

# cp /usr/share/ssl-cert/ssleay.cnf /usr/share/ssl-cert/ssleay.cnf.orig
# vi /usr/share/ssl-cert/ssleay.cnf
# diff -c /usr/share/ssl-cert/ssleay.cnf /usr/share/ssl-cert/ssleay.cnf.orig
*** /usr/share/ssl-cert/ssleay.cnf 2009-01-31 13:37:24.000000000 -0600
--- /usr/share/ssl-cert/ssleay.cnf.orig 2009-01-31 13:36:58.000000000 -0600
***************
*** 7,13 ****
[ req ]
default_bits = 1024
default_keyfile = privkey.pem
- default_days = 3650
distinguished_name = req_distinguished_name
prompt = no
policy = policy_anything
--- 7,12 ----
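Review bot: "default_bits = 1024" in the [ req ] context stays unchanged while "default_days = 3650" is introduced, so the certificate pairs a 1024-bit RSA key with a ten-year lifetime; raise default_bits to 2048 or more in the same edit. The diff was also run with the edited file first and the .orig copy second, so the new line appears with "-"; putting ssleay.cnf.orig first would show it as an addition.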
Now I went ahead and generated the new certificate. The hostname was already filled in, so I just had to hit return at the only prompt.

# make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem
Finally I took a peek at the generated certificate to make sure it had the 10 year lifetime. Looking at the "Not Before" and "Not After" fields in the output below shows the lifetime.
# openssl x509 -noout -text -in /etc/apache2/ssl/apache.pem
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
9e:cd:82:bd:cb:03:19:d7
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=your.hostname.here
Validity
Not Before: Jan 31 19:37:42 2009 GMT
Not After : Jan 29 19:37:42 2019 GMT
Subject: CN=your.hostname.here
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:c5:5a:c0:c9:d0:d8:e7:d9:69:ac:04:74:13:4f:
62:d5:7d:70:4f:47:60:a1:42:d7:26:6f:e1:ff:11:
fc:94:e7:70:6c:48:b7:46:87:62:14:81:91:59:f2:
43:d0:1c:76:5f:27:47:6a:f0:d6:e3:8d:2b:5f:9c:
53:56:12:56:cc:a4:0e:62:2c:a5:16:0a:e6:72:11:
a2:ea:89:a1:3c:82:9d:02:d8:01:4a:e3:25:b7:5f:
47:4b:bc:7a:98:ba:57:f0:15:17:74:fd:e5:8d:6a:
fd:cc:37:b2:a0:08:e8:a9:35:9b:2a:1a:9e:75:b1:
7d:dd:69:a4:ca:87:a4:ac:33
Exponent: 65537 (0x10001)
Signature Algorithm: sha1WithRSAEncryption
1a:e9:96:fb:02:c5:86:fa:4d:3b:84:3e:fb:88:b9:db:00:fe:
a7:89:15:bb:a0:af:72:13:2f:d3:0e:a5:ff:59:00:cb:ca:67:
e6:6e:3c:24:92:9b:0d:2d:d5:46:77:7d:a3:7f:68:b3:7d:d7:
38:09:bb:48:e9:96:17:ba:02:e4:59:48:06:66:9a:ee:9b:bc:
64:6e:c9:ea:da:57:18:f7:bb:21:b1:61:38:1a:3a:31:4c:0f:
f0:b5:6c:05:8f:4b:30:76:bb:68:b0:f2:a7:8e:ae:07:c5:7e:
16:f5:86:78:4f:2a:b0:b7:fe:21:be:a9:79:ee:89:6d:07:4a:
68:a9
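
The same check can be scripted. The following is an added example, not part of the original post: it reads `openssl x509 -noout -text` output, computes the lifetime from the two validity fields, and flags the 1024-bit RSA key and SHA-1 signature visible in the output above. It assumes GNU date; the function names and the 365-day limit are made up for illustration.

```sh
#!/bin/sh
# Added example, not from the original post: audit the text form of a
# certificate (`openssl x509 -noout -text`) read from stdin.
# Assumes GNU date; audit_cert_text and cert_field are hypothetical names.

# Print the first line produced by a sed expression applied to $cert_text.
cert_field() { printf '%s\n' "$cert_text" | sed -n "$1" | head -n 1; }

# Usage: audit_cert_text [MAX_DAYS] < cert.txt   (MAX_DAYS 0 = no limit)
# Status: 0 no findings, 1 findings printed, 2 input could not be parsed.
audit_cert_text() {
    max_days=${1:-0}
    cert_text=$(cat)
    nb=$(cert_field 's/^ *Not Before *: *//p')
    na=$(cert_field 's/^ *Not After *: *//p')
    alg=$(cert_field 's/^ *Public Key Algorithm: *//p')
    bits=$(cert_field 's/.*Public[ -]Key: *(\([0-9][0-9]*\) bit).*/\1/p')
    sig=$(cert_field 's/^ *Signature Algorithm: *//p')
    if [ -z "$nb" ] || [ -z "$na" ] || [ -z "$bits" ] || [ -z "$sig" ]; then
        echo "error: expected fields not found" >&2
        return 2
    fi
    start=$(date -u -d "$nb" +%s) && end=$(date -u -d "$na" +%s) || return 2
    days=$(( (end - start) / 86400 ))
    echo "lifetime_days=$days key_bits=$bits sig=$sig"
    findings=0
    if [ "$alg" = rsaEncryption ] && [ "$bits" -lt 2048 ]; then
        echo "WEAK: RSA key is $bits bits, below 2048"; findings=1
    fi
    case $sig in
        md5*|sha1*) echo "WEAK: $sig uses a deprecated hash"; findings=1 ;;
    esac
    if [ "$max_days" -gt 0 ] && [ "$days" -gt "$max_days" ]; then
        echo "LONG: $days days exceeds the $max_days-day limit"; findings=1
    fi
    return "$findings"
}

# Sample input: fields copied from the output above, hex dumps left out.
SAMPLE_CERT_TEXT='Signature Algorithm: sha1WithRSAEncryption
Not Before: Jan 31 19:37:42 2009 GMT
Not After : Jan 29 19:37:42 2019 GMT
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)'

# 365 is an illustrative policy limit, not a value from the post.
printf '%s\n' "$SAMPLE_CERT_TEXT" | audit_cert_text 365 || true
```

On a live system the input would come from `openssl x509 -noout -text -in /etc/apache2/ssl/apache.pem`.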

Cron-apt and reboot needed...

I've noticed that when cron-apt upgrades the kernel and I don't get around to rebooting the system that day, it will keep "reinstalling" the new kernel each night it runs until I reboot the system.

Not sure what to do about this at the moment. Guess it doesn't really hurt anything. Since there doesn't seem to be any way of automatically detecting if a reboot is needed, the only option would seem to be always reboot nightly.

Going to think about this for a while. If anyone has any suggestions, please comment away.

Kernel updates and VMWare

I've noticed every time my kernel is updated, I have to rerun '/usr/bin/vmware-config.pl' before VMWare will start. So far I've always been able to just take the default options.

MythTV and disk management

Just a quick note that I've watched MythTV manage the disk space I've allocated it and it seems to do a good job without any help from me. Logwatch sends me a daily email with the disk allocation, so I watch how MythTV handles things. I have allocated two disk partitions to MythTV, and while they are constantly almost full (with logwatch giving me the warning you see below), MythTV deletes old recordings before anything becomes a problem.


--------------------- Disk Space Begin ------------------------

Filesystem Size Used Avail Use% Mounted on
...
/dev/sda6 183G 170G 3.0G 99% /mnt/data
/dev/sdb3 220G 203G 6.6G 97% /mnt/data2

/dev/sda6 => 99% Used. Warning. Disk Filling up.
/dev/sdb3 => 97% Used. Warning. Disk Filling up.

---------------------- Disk Space End -------------------------

Monday, January 26, 2009

Ubuntu Pocket Guide Available as a Free Download

Via Lifehacker, the Ubuntu Pocket Guide and Reference is available for free as a PDF download (or you can buy it from Amazon for ~$10).

I've given it a quick scan and it looks like a great little reference guide.

Sunday, January 25, 2009

Cloning a Ubuntu VM

I haven't yet found a good set of directions on the net for cloning a Ubuntu VM. These directions are for cloning an 8.04 Ubuntu server VM (it happens to also be running in a Ubuntu server, but these should work for any Linux server).

These directions assume your VMs use static IP addresses and you want to clone an existing VM called "myvm" to a new VM called "mynewvm" with its own IP address.

Make sure "myvm" has no snapshots, as this method won't work on a VM with snapshots (the disk rename step will fail).

Also make sure you close the original VM in VMWare-Server or you may get file-locking problems.


Ok, first change to the directory where the original VM is stored and copy the directory (this will take a few minutes):
cd "/usr/lib/Virtual Machines"
cp -ax myvm mynewvm

Now rename the disk:
cd mynewvm
/usr/bin/vmware-vdiskmanager -n myvm.vmdk mynewvm.vmdk

Now rename the configuration file and change the name of the VM in the file:
mv myvm.vmx mynewvm.vmx
sed -i "s/myvm/mynewvm/" mynewvm.vmx

Now in VMware Server, select "File" then "Open" and "Browse". Select the "mynewvm" directory and the "mynewvm.vmx" file in that directory. The new VM should appear in the Inventory list.

Select the new VM and boot it. At this point it won't appear on the network. You'll need to log into the console as root and do the following:

rm /etc/udev/rules.d/70-persistent-net.rules

At this point, you could reboot the VM and it will come back up with the original IP and hostname, which will cause a conflict if the original VM is also on the network, so you might just want to go ahead and do the following while you're here:

Change the hostname by editing /etc/hostname.

Then edit /etc/network/interfaces and change the 'address' line to reflect the new IP address you want the VM to have.

Finally, edit /etc/hosts: change the line for '127.0.1.1' to reflect the new hostname and add (probably at the end of the file, but really wherever you want) a new line for the new hostname, e.g.:

192.168.1.50  mynewvm

That should do it. Now just reboot the VM and it should come back up with the new IP and hostname.
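
The in-guest steps above can be collected into one function. This is an added example, not part of the original post: reidentify_clone is a hypothetical helper, the 192.168.1.40 address of the original VM is constructed, and GNU sed plus a single static interface are assumed. It goes one step beyond the post by also removing the SSH host keys the clone inherits from the original.

```sh
#!/bin/sh
# Added example, not from the original post. reidentify_clone is a
# hypothetical helper; ROOT is "/" on the booted clone, or a scratch tree.
# Assumes GNU sed (-i) and one static interface in /etc/network/interfaces.

# Usage: reidentify_clone ROOT NEW_HOSTNAME NEW_IP
reidentify_clone() {
    root=${1%/} new_host=$2 new_ip=$3
    case $new_host in ''|*[!A-Za-z0-9-]*) echo "bad hostname" >&2; return 2 ;; esac
    case $new_ip in ''|*[!0-9.]*) echo "bad IPv4 address" >&2; return 2 ;; esac
    ifaces=$root/etc/network/interfaces hosts=$root/etc/hosts
    # Refuse to guess when there is not exactly one 'address' line.
    n=$(grep -c '^[[:space:]]*address[[:space:]]' "$ifaces") || true
    [ "$n" = 1 ] || { echo "expected one address line, found $n" >&2; return 3; }

    # Forget the original NIC's MAC so eth0 binds to the clone's new one.
    rm -f "$root/etc/udev/rules.d/70-persistent-net.rules"
    printf '%s\n' "$new_host" > "$root/etc/hostname"
    sed -i "s/^\([[:space:]]*address[[:space:]]\{1,\}\).*/\1$new_ip/" "$ifaces"
    sed -i "s/^127\.0\.1\.1[[:space:]].*/127.0.1.1 $new_host/" "$hosts"
    # Append the static entry only once, so the function can be re-run.
    awk -v ip="$new_ip" '$1 == ip { f = 1 } END { exit !f }' "$hosts" ||
        printf '%s  %s\n' "$new_ip" "$new_host" >> "$hosts"
    # Beyond the post: the copy also carries the original's SSH host keys.
    # Remove them, then regenerate (on Ubuntu: dpkg-reconfigure openssh-server).
    rm -f "$root"/etc/ssh/ssh_host_*
}

# Build a constructed scratch tree that looks like the freshly copied VM.
demo_clone_root() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/etc/udev/rules.d" "$d/etc/network" "$d/etc/ssh"
    : > "$d/etc/udev/rules.d/70-persistent-net.rules"
    : > "$d/etc/ssh/ssh_host_rsa_key"
    echo myvm > "$d/etc/hostname"
    printf 'iface eth0 inet static\n    address 192.168.1.40\n' > "$d/etc/network/interfaces"
    printf '127.0.0.1 localhost\n127.0.1.1 myvm\n' > "$d/etc/hosts"
    echo "$d"
}

# Dry run: apply the steps to the scratch tree and show the resulting hosts file.
scratch=$(demo_clone_root) && reidentify_clone "$scratch" mynewvm 192.168.1.50 &&
    cat "$scratch/etc/hosts"
```

Run against "/" only from the clone's console as root, and regenerate the SSH host keys before rebooting so sshd can start.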

Monday, January 19, 2009

Installing Eclipse on 8.10 Desktop

Straightforward, following these directions. I already had the OpenJDK Java Runtime installed. The Eclipse download took about 30 minutes.

Sunday, January 18, 2009

Installing Skype on 8.10 Desktop and getting it to work with Logitech Headset

Installing Skype on a Ubuntu 8.10 desktop turns out to be a piece of cake; getting it to work with my Logitech USB Headset was a little harder.

Installation of Skype was easy following these directions. First, I edited /etc/apt/sources.list to include the Skype repository:

# vi /etc/apt/sources.list
# tail -3 /etc/apt/sources.list
# SKYPE
deb http://download.skype.com/linux/repos/debian/ stable non-free

Then I updated the package lists and installed Skype:
# apt-get update
# apt-get install skype

At this point Skype was installed and appeared under Applications -> Internet -> Skype

But when I tried to make a call Skype reported "Problem with Audio Playback" and nothing worked.

Long story short, these directions finally worked for me, specifically, here are the devices I used:

Sound in: Logitech USB Headset (plughw:Headset,0)
Sound out: Logitech USB Headset (hw:Headset,0)
Ringing: Logitech USB Headset (hw:Headset,0)

During the time I worked on this problem I restarted pulseaudio. I don't know if this helped or not, but I'll mention it just in case:
# killall pulseaudio
# /etc/init.d/pulseaudio start

Following are more details on things I saw and what didn't work.

If I run System -> Preferences -> Sound, I see both ALSA and OSS versions of the Headset, but only the OSS version works (the ALSA version returns the following error when I try to test it: "audiotestsrc wave=sine freq=512 ! audioconvert ! audioresample ! gconfaudiosink: Could not open audio device for playback.")

Trying to record with Applications -> Sound & Video -> Sound Recorder does not work.

"alsamixer -c 1" showed Logitech USB Headset, but I couldn't get anything further to work.

I tried these directions but I saw the same problem others did in that when I tried to remove pulseaudio, apt-get/aptitude wanted to remove ubuntu-desktop and I stopped there.

Here is the output from a couple commands:

# cat /proc/asound/cards 
 0 [ICH6           ]: ICH4 - Intel ICH6
                      Intel ICH6 with STAC9752,53 at irq 16
 1 [Headset        ]: USB-Audio - Logitech USB Headset
                      Logitech Logitech USB Headset at usb-0000:00:1d.3-2, full speed

# cat /proc/asound/devices
  2:        : timer
  3:        : sequencer
  4: [ 0- 4]: digital audio playback
  5: [ 0- 3]: digital audio capture
  6: [ 0- 2]: digital audio capture
  7: [ 0- 1]: digital audio capture
  8: [ 0- 0]: digital audio playback
  9: [ 0- 0]: digital audio capture
 10: [ 0]   : control
 11: [ 1- 0]: digital audio playback
 12: [ 1- 0]: digital audio capture
 13: [ 1]   : control

Friday, January 9, 2009

Installing a Tomato Router

This post is off the topic of Ubuntu and on the topic of networking that supports my Ubuntu systems, but I figure that's fair game (hey, it's my blog).

I have gotten really frustrated with the reliability of my existing wireless access points (an AirPort Express and a Linksys WAP54G). Both would fail regularly, requiring a power cycle to make them functional again.

So, as a big open source advocate, I thought I'd give Tomato a try. I followed these directions at Lifehacker. For a router I ordered a Linksys-Cisco WRT54GL (chosen from the list of Tomato-supported devices).

At this point, let me jump ahead here and give you a heads up. I was not able to use Firefox from my Ubuntu box to upgrade the firmware (or do much of anything) on the WRT54GL. Anytime I tried to apply a change on any of its web pages, I got a "Connection Interrupted" error. I turned to Google and found other people who had encountered this problem. Like them I had to use Konqueror to do the firmware installation. Konqueror was installed on my Ubuntu system easily enough:

# apt-get install konqueror

The other thing to do before you start is make sure you know all the configuration details of your current router as you might need them to configure the new router. In my case, my ISP (Comcast) required the WAN port have a specific MAC address. I suggest you just print the administration screens for reference.

I downloaded the latest version of the Tomato Firmware (Version 1_23.7). I followed these directions to install 7Zip to unpack this archive (it looks like there is now also a .zip version if you want to skip this step):

# apt-get install p7zip-full

And then I unpacked the archive:

% 7z e Tomato_1_23.7z
7-Zip 4.58 beta Copyright (c) 1999-2008 Igor Pavlov 2008-05-05
p7zip Version 4.58 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,1 CPU)

Processing archive: Tomato_1_23.7z

Extracting whr_install.bat
Extracting WR850G.bin
Extracting WRT54GS.bin
Extracting WRT54GSv4.bin
Extracting WRT54G_WRT54GL.bin
Extracting WRTSL54GS.bin
Extracting readme.htm
Extracting tomato.trx

Everything is Ok

Files: 8
Size: 16854823
Compressed: 2844464

Now I was ready to upgrade the router to the Tomato firmware. Before I started I plugged my laptop into the wired network and disabled wireless (right-clicked on the network applet and deselected "Enable wireless").

Then I disconnected my old NAT router and put the WRT54GL in its place. Your network will go away at this point but you should still be able to connect to the router by entering http://192.168.1.1 into your browser.

Even though my router was fresh out of the box, I went ahead and reset it to make sure. I fired up Konqueror (Firefox won't work for this...) and connected to the router at http://192.168.1.1 (by default the username is blank and the password is "admin").

Then under "Administration"/"Factory Default" I selected "Yes" and "Apply" to reset all the settings. Then I did a hard reset by holding the reset button on the back of the router for 30 seconds.

Ok, now I was ready to upgrade. I connected back to the router and selected "Administration"/"Firmware Update". I selected the file "WRT54G_WRT54GL.bin" from the unpacked Tomato archive (see readme.htm from the Tomato archive if you have a different router) and started the upgrade. It took about two minutes to complete.

Now I logged into my brand new Tomato router. I pointed my web browser (you can change back to Firefox now) at http://192.168.1.1 and logged in using the username "admin" and password "admin" and I was in.

First things I did were the following:
  • Under "Administration" I set a new password (and I do strongly suggest you do this first).
  • I wasn't getting an IP address on the WAN side. I had to set my WAN MAC address to what my old router had been. I did that under "Advanced"/"MAC Address" by setting the value of "WAN Port". After applying that, I now had Internet connectivity on my wired connection.
  • Now, under "Basic"/"Network" I set the wireless SSID and Security (WPA2 Personal and shared key, aka password). After that was applied I disconnected my laptop's wired connection and was able to connect to the Internet through my wireless. Success!

The only other thing I did was under "Basic"/"Network" I set the Static DNS servers to those of OpenDNS.

I'll report back after a while on how the new router is doing.

Friday, January 2, 2009

My Mythbuntu box hung and host clock rate change requests again...

I went to remotely log into my mythbuntu box today and found it was hung....

A quick power cycle and it came back up, now to poke around the log and figure out why...

Last message in kern.log and syslog wasn't very useful:
Dec 31 13:14:54 casey kernel: [2612801.476210] [3224]: host clock rate change request 36 -> 26

Hmmm, besides the fact my log files are filled with host clock rate change requests, which I've seen before, no clue as to why the system was hung.

Anyway, to fix the host clock rate change message, I checked /etc/vmware/config and yep, "host.useFastClock = FALSE" was missing. So I re-added it and restarted vmware ('/etc/init.d/vmware restart').

I still have no idea what caused the box to hang though.