Directadmin + LetsEncrypt AH01895: Unable to configure verify locations for client authentication

When DirectAdmin fails to restart Apache and you see this in your Apache error_log:

[Mon Feb 13 00:27:08.010103 2017] [ssl:emerg] [pid 23113:tid 139658483275584] AH02311: Fatal error initialising mod_ssl, exiting. See /var/log/apache2/xxxx/xxx.be.error.log for more information
AH00016: Configuration Failed

then look in /var/log/apache2/xxxx/xxx.be.error.log. If something like this appears there:

[Mon Feb 13 00:27:02.014701 2017] [ssl:emerg] [pid 22949:tid 140381588760384] AH01895: Unable to configure verify locations for client authentication

check whether the cacert file for that domain is empty. My file looked like this:

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

If the file is empty, you’ll have to manually try to renew the domain until it works.

cd /usr/local/directadmin/scripts/
./letsencrypt renew xxxx.be 4096

The first time I ran the command I saw this message:
Generating RSA private key, 4096 bit long modulus
....................................................++
.................................................................................................................................................................................................................................................................++
e is 65537 (0x10001)
Size of certificate response is smaller than 500 characters, it means something went wrong. Printing response...
"detail": "JWS has no anti-replay nonce"

The third time I got a message that the certificate had been created successfully.
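A small POSIX sh script, added here as an example and not part of the post or of DirectAdmin's own scripts, that checks whether the domain's cacert file really carries a certificate body and reruns the renewal until it does. The cacert path under /usr/local/directadmin/data/users/<user>/domains/ and the pause between attempts are assumptions.

```shell
#!/bin/sh
# Added example: verify a DirectAdmin cacert file has a real certificate body
# and retry the Let's Encrypt renewal until it does.
# Assumed path: /usr/local/directadmin/data/users/<user>/domains/<domain>.cacert

# Returns 0 when at least one non-empty line sits between the BEGIN and END
# CERTIFICATE markers, 1 when the file is missing, empty or markers-only.
cacert_has_body() {
    [ -s "$1" ] || return 1
    awk '
        /^-----BEGIN CERTIFICATE-----/ { inside = 1; next }
        /^-----END CERTIFICATE-----/   { inside = 0; next }
        inside && NF > 0               { found = 1 }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Rerun the DirectAdmin renewal script until the cacert has a body.
# $1 = domain, $2 = cacert path, $3 = max attempts (default 5)
renew_until_ok() {
    domain=$1; cacert=$2; max=${3:-5}; n=1
    while [ "$n" -le "$max" ]; do
        if cacert_has_body "$cacert"; then
            echo "attempt $n: $domain has a usable cacert"
            return 0
        fi
        echo "attempt $n: cacert empty, renewing $domain"
        (cd /usr/local/directadmin/scripts && ./letsencrypt renew "$domain" 4096)
        n=$((n + 1))
        sleep 5      # assumed pause; the nonce error above cleared on retry
    done
    echo "gave up on $domain after $max attempts" >&2
    return 1
}

# Usage: renew_until_ok xxxx.be /usr/local/directadmin/data/users/<user>/domains/xxxx.be.cacert
```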

Using ubuntu stock kernels on OVH

One of my clients wanted to host his VMs on OVH, so we ordered a dedicated server and I began to set up Xen on it.

As they depend on a recent ixgbe module, I had some problems with the networking: after booting the server with a 3.x stock kernel the IPMI wasn't working.

This is how it worked for me:

* Install the latest 4.xx kernel (mine was 4.2.0-34-generic)
* cd /usr/src/
* Download the latest ixgbe package: wget https://sourceforge.net/projects/e1000/files/ixgbe%20stable/4.3.13/ixgbe-4.3.13.tar.gz

Now go into the web manager tool and open an IPMI KVM session.

[Screenshot: OVH control panel]

* Reboot the server once you are connected to the IPMI

Time to build the new driver:
* cd /usr/src/ixgbe-4.xx
* make
* make install

Time to test it:
* rmmod ixgbe
* modinfo ixgbe | grep version
You should see something like "version: 4.3.13",

where the version should match the version of the file you downloaded.

If this looks OK, load the module using modprobe:

* modprobe ixgbe

You should now have a working internet connection.

Now it's time to rebuild the initramfs so the new module is loaded when we reboot the server.

* uname -r
should give you the kernel name, something like "4.2.0-34-generic"

* update-initramfs -k 4.2.0-34-generic -u

Reboot and your internet should work.
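The whole procedure as one script, added as an example (not from the original post), with a gate that refuses to load or persist the module when the installed version does not match the tarball you downloaded. It assumes the tarball is named ixgbe-<version>.tar.gz and that its Makefile sits in the src/ subdirectory; run it over the IPMI console since rmmod drops the network.

```shell
#!/bin/sh
# Added example: build, verify and persist an out-of-tree ixgbe module.
# Assumed: tarball named ixgbe-<version>.tar.gz, Makefile in its src/ subdir.
set -e

# "ixgbe-4.3.13.tar.gz" -> "4.3.13"; prints nothing for other names.
version_from_tarball() {
    basename "$1" | sed -n 's/^ixgbe-\([0-9][0-9.]*\)\.tar\.gz$/\1/p'
}

# Pull the "version:" field out of modinfo output fed on stdin.
module_version() {
    sed -n 's/^version:[[:space:]]*//p' | head -n 1
}

# True only when both versions are non-empty and identical.
versions_match() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

main() {
    tarball=$1
    want=$(version_from_tarball "$tarball")
    [ -n "$want" ] || { echo "cannot parse version from $tarball" >&2; exit 1; }

    cd /usr/src
    tar xzf "$tarball"
    cd "ixgbe-$want/src"
    make && make install

    # Unloading the in-tree driver drops the network: do this over IPMI.
    rmmod ixgbe || true
    have=$(modinfo ixgbe | module_version)
    if ! versions_match "$want" "$have"; then
        echo "installed ixgbe is '$have', expected '$want'; not loading it" >&2
        exit 1
    fi
    modprobe ixgbe
    # Rebuild the initramfs of the running kernel so the new module is used at boot.
    update-initramfs -k "$(uname -r)" -u
    echo "ixgbe $have installed for $(uname -r); reboot to confirm"
}

# Only run when given a tarball, e.g. sh build_ixgbe.sh /usr/src/ixgbe-4.3.13.tar.gz
if [ $# -eq 1 ]; then main "$1"; fi
```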

Preferring IPv4 over some IPv6 connections

One of my clients had a problem when he tried to connect to the Google Maps API over IPv6; there were no problems when I curled the URL over IPv4.

As I can't control the routing to Google, I was looking for an alternative solution and found out that you can influence which address family your server prefers.

There is a file called gai.conf (/etc/gai.conf) which hooks into the getaddrinfo function.

So I had to block IPv6 requests to 2a00:1450:4013:c01::5f; the easy way is to disable all IPv6 requests.

If that is what you want, just uncomment this line and restart the program that is opening the connection:

#precedence ::ffff:0:0/96 100

This is the easy way, but I don't want to disable all IPv6 connections, so I went ahead and played a bit more.

This is the solution I ended up with:

precedence ::1/128 50
precedence ::/0 40
precedence 2002::/16 30
precedence ::/96 20
precedence ::ffff:0:0/96 10
precedence 2a00:1450::/32 0

You need to uncomment all of these lines: the first precedence line replaces glibc's whole default table, so if you leave out the defaults you will block all IPv6 requests again.
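An added check script (not from the original post) for exactly this pitfall: it lists the active precedence entries in a gai.conf file, reports which of the five default prefixes are missing whenever a custom entry is present, and tells you whether IPv4 outranks a given IPv6 prefix in that table. The last function only compares exact table entries, not the full RFC 6724 sort.

```shell
#!/bin/sh
# Added example: lint a gai.conf for the pitfall above. The first uncommented
# "precedence" line replaces glibc's whole default table, so a custom entry
# without the five defaults silently changes every other lookup as well.

DEFAULT_PREFIXES="::1/128 ::/0 2002::/16 ::/96 ::ffff:0:0/96"

# Print the uncommented precedence entries as "prefix value" lines.
active_precedence() {
    awk '$1 == "precedence" && NF >= 3 { print $2, $3 }' "$1"
}

# Exit 0 when no precedence line is active (defaults apply) or when every
# default prefix is present next to the custom ones; list what is missing.
gai_conf_check() {
    entries=$(active_precedence "$1")
    [ -n "$entries" ] || return 0
    missing=""
    for p in $DEFAULT_PREFIXES; do
        printf '%s\n' "$entries" | awk -v p="$p" '$1 == p { f = 1 } END { exit(f ? 0 : 1) }' \
            || missing="$missing $p"
    done
    [ -z "$missing" ] && return 0
    echo "custom precedence without defaults:$missing" >&2
    return 1
}

# Does the table rank IPv4 (::ffff:0:0/96) above the given IPv6 prefix?
# Compares exact table entries only, not the full RFC 6724 sort.
ipv4_preferred_over() {
    entries=$(active_precedence "$1")
    v6=$(printf '%s\n' "$entries" | awk -v p="$2" '$1 == p { print $2 }')
    v4=$(printf '%s\n' "$entries" | awk '$1 == "::ffff:0:0/96" { print $2 }')
    [ -n "$v6" ] && [ -n "$v4" ] && [ "$v4" -gt "$v6" ]
}

# Usage: gai_conf_check /etc/gai.conf && ipv4_preferred_over /etc/gai.conf 2a00:1450::/32
```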

Harvest: export invoices

If you use Harvest and need to export your invoices every time you file your taxes, you know how long it takes to select only the invoices you need.

To speed things up a little I looked at some CLI tools to help me.

First you need to install XQuartz and pdfgrep. I install these packages with brew.

Once these packages are installed, go to the folder where all your invoices are stored.

  1. Move all invoices dated 01-03 (January to March) into the folder 2015-Q1; make sure you create the folder first:

    mkdir 2015-Q1
    for i in $(pdfgrep -H "Factuurdatum[ ]*[0-9]{2}/(01|02|03)/2015" *.pdf | cut -d: -f1); do mv "$i" 2015-Q1/; done

  2. Now rename the default Harvest file name to <invoice number>.pdf:

    IFS=":"
    pdfgrep -H "Factuurnummer" *.pdf | sed -E "s/Factuurnummer[ ]{0,}//g" | while read -r pdf id; do mv "$pdf" "$id.pdf"; done

  3. Merge all PDFs:

    pdfunite 2015-*.pdf Q1.pdf
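An added example, not from the original post, that generalises step 1 to any quarter of any year: it turns one pdfgrep -H hit into the target folder and moves the file there. It assumes the invoices print the date as "Factuurdatum DD/MM/YYYY", as in the regex above.

```shell
#!/bin/sh
# Added example: file Harvest invoice PDFs into <year>-Q<n> folders for any
# quarter. Assumed: each invoice prints its date as "Factuurdatum DD/MM/YYYY".

# "03" -> Q1 ... "12" -> Q4; anything else prints nothing.
quarter_of_month() {
    case $1 in
        01|02|03) echo Q1 ;;
        04|05|06) echo Q2 ;;
        07|08|09) echo Q3 ;;
        10|11|12) echo Q4 ;;
    esac
}

# Turn one pdfgrep -H hit ("file.pdf:Factuurdatum 17/02/2015") into
# "<year>-Q<n> <file>"; returns 1 when no valid date is found.
folder_for_hit() {
    file=${1%%:*}
    rest=${1#*:}
    ym=$(printf '%s\n' "$rest" | sed -n \
        's/.*Factuurdatum[[:space:]]*[0-9][0-9]\/\([0-9][0-9]\)\/\([0-9][0-9][0-9][0-9]\).*/\1 \2/p')
    [ -n "$ym" ] || return 1
    set -- $ym                    # $1 = month, $2 = year
    q=$(quarter_of_month "$1")
    [ -n "$q" ] || return 1
    printf '%s-%s %s\n' "$2" "$q" "$file"
}

# Grep every PDF in the current folder and move each hit into its quarter
# folder, creating folders on first use; unreadable dates are reported.
sort_invoices() {
    pdfgrep -H "Factuurdatum" *.pdf | while IFS= read -r hit; do
        out=$(folder_for_hit "$hit") || { echo "no date in: $hit" >&2; continue; }
        dir=${out%% *}; f=${out#* }
        [ -e "$f" ] || continue   # already moved by an earlier hit in the same file
        mkdir -p "$dir" && mv -- "$f" "$dir/"
    done
}
```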

tugboat gem

Recently I was writing tests for all my Chef cookbooks and it became time to run them.

There are a lot of options to test everything; I chose to use DigitalOcean.

I found a nice little gem called tugboat, which lists all the regions and images that are available.

To install the gem just run "gem install tugboat" and then run "tugboat authorize".

The authorize step will ask you some API questions, like what your client key and your API key are.

To find both keys you'll need to go to https://cloud.digitalocean.com/api_access

Click on the generate key button to get your API key. Don't mix this up with the Apps & API link in the default menu, as those keys won't work.

Security Ubuntu Feisty package: Bash

Because I have this one server which is still running Ubuntu Feisty, I had to build my own bash packages to prevent the system from being abused through the Shellshock bug.

The package can be downloaded here.

The tar with the source can be downloaded here.

Libreoffice label templates

I'm running LibreOffice on my Mac and I'm the sucker at the office who always has to print the new labels.

I recently reinstalled my laptop and lost my label settings; it took me a while to find where LibreOffice saves the templates, but I finally found it.

Close LibreOffice, and on your old disk go to:

cd /backup_pad/Users/<username>/Library/Application\ Support/LibreOffice/3/user

Copy the file to your new disk.

cp registrymodifications.xcu ~/Library/Application\ Support/LibreOffice/3/user

Restart LibreOffice and you should find the labels you made again.

Retrieving your private SSL key with IIS 7

Open the MMC window (Start -> Run -> mmc) and go to File -> Add/Remove Snap-in; choose Certificates from the list. Click Add and choose Computer account.

Click Next, select Local computer, click Finish and then OK.

Go to Certificates (Local Computer) -> Personal -> Certificates.

Right-click the existing SSL certificate -> All Tasks -> Export. Enable "Export the private key" and follow the next steps. (To check: isn't this for import?)

So now we have a password-protected PFX file; to retrieve our private SSL key, use these commands:

openssl pkcs12 -in publicAndprivate.pfx -nocerts -out privateKey.pem

This outputs the private key, but it is still protected with a password.

openssl rsa -in privateKey.pem -out private.pem

Now we have our private key in a clear-text file.
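An added example (not from the original post) that wraps the two commands above and adds the check you want before reusing the key elsewhere: that the extracted key really belongs to the certificate in the PFX. File names are assumptions; the PFX export password is passed as an argument, and the clear-text key file is made owner-only since anyone who can read it owns the certificate.

```shell
#!/bin/sh
# Added example: pull the private key out of an IIS-exported PFX and prove it
# belongs to the certificate before reusing it. File names are assumptions.

# PFX -> password-protected PEM key (-nocerts) -> plain PEM key, as above.
# On OpenSSL 3 an older RC2-encrypted PFX may need "-legacy" on the pkcs12 step.
extract_key() {                  # $1 pfx, $2 export password, $3 output key file
    tmp=$(mktemp)
    openssl pkcs12 -in "$1" -nocerts -passin "pass:$2" -passout "pass:$2" -out "$tmp" 2>/dev/null \
        && openssl rsa -in "$tmp" -passin "pass:$2" -out "$3" 2>/dev/null
    rc=$?
    rm -f "$tmp"
    [ -f "$3" ] && chmod 600 "$3"   # the key is clear text now: owner-only access
    return $rc
}

# The certificate itself, needed for the comparison below.
extract_cert() {                 # $1 pfx, $2 export password, $3 output cert file
    openssl pkcs12 -in "$1" -clcerts -nokeys -passin "pass:$2" -out "$3" 2>/dev/null
}

# A key belongs to a certificate when both carry the same RSA modulus.
key_matches_cert() {             # $1 key pem, $2 cert pem
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# Usage:
#   extract_key publicAndprivate.pfx "$PFX_PASS" private.pem
#   extract_cert publicAndprivate.pfx "$PFX_PASS" cert.pem
#   key_matches_cert private.pem cert.pem && echo "key and certificate match"
```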

Renewing your SSL certificate and importing it into IIS 7

Copy the certificate you receive and save it on your Windows machine.

Now open the MMC window (Start -> Run -> mmc) and go to File -> Add/Remove Snap-in; choose Certificates from the list. Click Add and choose Computer account.

Click Next, select Local computer, click Finish and then OK.

Go to Certificates (Local Computer) -> Personal -> Certificates.

In the Certificates box, right-click -> All Tasks -> Import.

Choose your certificate file and finish the import process.

Now you'll see that the certificate is missing its private key.

Double-click your certificate, go to the Details tab and select Thumbprint.

Copy this and open a command prompt:

certutil -repairstore my "thumbprint" (or something like that)

When you refresh your certificates you should see that the certificate now has a small key symbol attached, and your certificate should be valid again.

Exim blacklist on DirectAdmin

One of the interesting things in Exim is RBL blacklisting; unfortunately it is not enabled by default.

To enable it you need to execute these three commands as root on your server:

cd /etc/virtual
rm use_rbl_domains
ln -s domains use_rbl_domains