From zanchey at ucc.gu.uwa.edu.au Sun Nov 1 23:59:29 2015
From: zanchey at ucc.gu.uwa.edu.au (David Adam)
Date: Sun, 1 Nov 2015 23:59:29 +0800 (AWST)
Subject: [tech] Mussel upgraded to Debian stable "jessie" 8.2

With the clubroom pretty quiet due to exams, I took the opportunity this afternoon to upgrade Mussel to Debian "jessie" 8.2. Mussel is probably our cruftiest machine and it is something of a workhorse, so I can understand why nobody else has been keen to tackle it so far.

The release notes for the upgrade were very helpful; I started by removing a lot of unused packages, such as a variety of X display managers, and obsolete services. The system did run out of disk space about half way through, but with [BOB]'s assistance the virtual disk image has been resized. FreeRADIUS, OpenLDAP and jabberd2 required quite a bit of work but are working fine now.

The main remaining issue is that suPHP was removed from the Debian distribution as it is not actively maintained. I am not keen on running mod_php for user directories without it; there's too much risk in the PHP running in other contexts (e.g. cacti, Roundcube, etc.). For now, I've disabled PHP code in user home directories (see mods-enabled/php5.conf).

I'll try and work out an alternative in the next few days, although others are most welcome to take a look.

Merlo and Mooneye are the only remaining machines that are candidates for upgrades soon, so that might be worth looking into. As they don't have a remote console I think they'd be better off being done from the clubroom.

David Adam
UCC Wheel Member
zanchey@

From trs80 at ucc.gu.uwa.edu.au Mon Nov 2 09:21:32 2015
From: trs80 at ucc.gu.uwa.edu.au (James Andrewartha)
Date: Mon, 2 Nov 2015 09:21:32 +0800 (AWST)
Subject: [tech] Mussel upgraded to Debian stable "jessie" 8.2

On Sun, 1 Nov 2015, David Adam wrote:
> The system did run out of disk space about half way through, but with
> [BOB]'s assistance the virtual disk image has been resized. FreeRADIUS,
> OpenLDAP and jabberd2 required quite a bit of work but are working fine
> now.

jabberd2 isn't actually working - c2s.log has

Sun Nov 1 22:02:42 2015 [error] failed loading authreg module 'mysql' (/usr/lib/i386-linux-gnu/jabberd2/authreg_mysql.so: undefined symbol: _BF_body_r)

which is fairly unhelpful but I think that's a blowfish routine. jabberd2 is from backports but ldd doesn't report any linking errors.

-- 
# TRS-80              trs80(a)ucc.gu.uwa.edu.au #/ "Otherwise Bub here will do \
# UCC Wheel Member    http://trs80.ucc.asn.au/  #|  what squirrels do best     |
[ "There's nobody getting rich writing          ]|  -- Collect and hide your   |
[  software that I know of" -- Bill Gates, 1980 ]\  nuts." -- Acid Reflux #231 /

From zanchey at ucc.gu.uwa.edu.au Mon Nov 2 23:33:29 2015
From: zanchey at ucc.gu.uwa.edu.au (David Adam)
Date: Mon, 2 Nov 2015 23:33:29 +0800 (AWST)
Subject: [tech] Mussel upgraded to Debian stable "jessie" 8.2

On Sun, 1 Nov 2015, David Adam wrote:
> The main remaining issue is that suPHP was removed from the Debian
> distribution as it is not actively maintained. I am not keen on running
> mod_php for user directories without it; there's too much risk in the PHP
> running in other contexts (e.g. cacti, Roundcube, etc.). For now, I've
> disabled PHP code in user home directories (see mods-enabled/php5.conf).
>
> I'll try and work out an alternative in the next few days, although others
> are most welcome to take a look.
I think I've got all the webspace stuff working again. I ended up installing libapache2-mod-ruid2, which uses Linux capabilities to switch user as required. I am a little concerned, because while I think I have a good understanding of suexec/suPHP, ruid2 is a little more impenetrable. Regardless, it's in Debian and supported.

Installing the module and disabling suexec made everything work perfectly.

Ha ha, just kidding! Of course we got bitten by the minimum GID that mod_ruid2 enforces, requiring (as usual [1]) recompilation and reinstallation of the module. I've put a hold on the package so that it doesn't get automatically reinstalled.

Also, for some reason, although mod_suexec was disabled and there were no references to suexec anywhere in the Apache configuration, suexec kept running until I moved /usr/lib/apache2/suexec to suexec.pre_ruid2.

David Adam
zanchey at ucc.gu.uwa.edu.au

[1]: http://lists.ucc.gu.uwa.edu.au/pipermail/tech/2015-October/004695.html

From trs80 at ucc.gu.uwa.edu.au Tue Nov 3 09:39:46 2015
From: trs80 at ucc.gu.uwa.edu.au (James Andrewartha)
Date: Tue, 3 Nov 2015 09:39:46 +0800 (AWST)
Subject: [tech] Mussel upgraded to Debian stable "jessie" 8.2

On Mon, 2 Nov 2015, James Andrewartha wrote:
> On Sun, 1 Nov 2015, David Adam wrote:
>
> > The system did run out of disk space about half way through, but with
> > [BOB]'s assistance the virtual disk image has been resized. FreeRADIUS,
> > OpenLDAP and jabberd2 required quite a bit of work but are working fine
> > now.
>
> jabberd2 isn't actually working - c2s.log has
> Sun Nov 1 22:02:42 2015 [error] failed loading authreg module 'mysql' (/usr/lib/i386-linux-gnu/jabberd2/authreg_mysql.so: undefined symbol: _BF_body_r)
> which is fairly unhelpful but I think that's a blowfish routine.
> jabberd2 is from backports but ldd doesn't report any linking errors.

So this is because jabberd2/util/crypt_blowfish.c has:

    #ifdef __i386__
    #define BF_ASM 1
    ...

but then doesn't include the actual assembly implementation of x86.S [1]. Since this file has the comments:

    * This version of the assembly code is optimized primarily for the original
    * Intel Pentium but is also careful to avoid partial register stalls on the
    * Pentium Pro family of processors (tested up to Pentium III Coppermine).
    *
    * It is possible to do 15% faster on the Pentium Pro family and probably on
    * many non-Intel x86 processors, but, unfortunately, that would make things
    * twice slower for the original Pentium.

I've just changed that #define BF_ASM to 0, rebuilt the package and [BOB]'s your mother's brother.

Reported to debian as http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=803901

[1] http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/glibc/crypt_blowfish/x86.S?rev=1.6.2.1;content-type=text%2Fx-cvsweb-markup

From zanchey at ucc.gu.uwa.edu.au Wed Nov 4 10:09:44 2015
From: zanchey at ucc.gu.uwa.edu.au (David Adam)
Date: Wed, 4 Nov 2015 10:09:44 +0800 (AWST)
Subject: [tech] UCC wildcard certificate
In-Reply-To: <20151028144751.GD7184@ucc.gu.uwa.edu.au>
References: <20151028144751.GD7184@ucc.gu.uwa.edu.au>

Globalsign want crazy money for wildcard certificates. https://www.ssls.com/ssl-certificates/comodo-positivessl-wildcard is about as reasonable as it gets. The club can probably afford $130 for a year's worth.

Alternatively, we could just turn HTTPS off for subdomains. We've got a cert for secure.ucc.asn.au that's good until 2018. I didn't put HSTS on my domain ;-)

[DAA]

On Wed, 28 Oct 2015, Matt Johnston wrote:
> The ssl certificate for *.ucc.asn.au expires on 11 November.
> I've emailed globalsign but they aren't doing wildcards for
> open source projects any more.
>
> letsencrypt.org goes live on November 16 [1], we should be
> able to use that for all UCC domains in future (bodge up
> zonemake.py a bit more). Perhaps for the 5 day gap we could
> take advantage of a 15-day refund on a wildcard certificate
> certificates. Anyone got other ideas?
>
> Matt
>
> [1] https://letsencrypt.org/2015/08/07/updated-lets-encrypt-launch-schedule.html
>
> ----- Forwarded message from no_reply at globalsign.com -----
>
> Date: Wed, 28 Oct 2015 10:08:46 +0900 (JST)
> From: no_reply at globalsign.com
> To: wheel at ucc.asn.au
> Subject: Reminder: Do not let your GlobalSign SSL Certificate expire
> X-Spam-Status: No, hits=0.1 required=5.0 tests=BAYES_50, DKIM_SIGNED,
>     DKIM_VALID, DKIM_VALID_AU,RCVD_IN_DNSWL_MED autolearn=no version=3.3.2
>
> --------------------------------------------------
> Please note that this e-mail is automatically sent from a noreply mailbox.
> To contact GlobalSign please use the Contact Details at the footer of this email.
> --------------------------------------------------
>
> Dear Matt Johnston,
>
> Your DomainSSL Certificate for *.ucc.asn.au expires on 11/11/2015.
> If you do not renew your Certificate before this date you
> will not be able to continue the security of your web site.
>
> There is no need to risk your Certificate expiring by waiting too long.
>
> You can renew your Certificate and not lose any remaining
> time at any point up to 11/11/2015.
> So be safe and ensure the continued use of SSL security.
>
> CERTIFICATE DETAILS
>
> Organization: University Computer Club
> Organization ID: PAR95805 - quote when contacting Tech Support
> Product Type: DomainSSL
> Common Name: *.ucc.asn.au
> Order Number: CEDV1409092416
>
> HOW TO RENEW
> --------------------------------------------------
> You can log into your GlobalSign Certificate Center account and renew your
> Certificate at any time. Please follow these Renewal Instructions:
>
> 1. Log into your GCC Account at https://www.globalsign.com/login
> 2. On the left side click: Order History & Certificate Renewals
> 3. Run Upcoming Renewals Report
> 4. Click the "Renew" button next to your expiring SSL Certificate Order
> 5. Complete the online form (amend details accordingly). Provide a new CSR or use our AutoCSR function and we'll create the CSR for you.
> 6. A 15% renewal discount will automatically be applied.
> 7. Complete the application process as directed.
>
> For additional information please visit the SSL Renewal Center at: https://www.globalsign.com/ssl/renew
>
> YOUR ACCOUNT & GCC LOGIN DETAILS
> --------------------------------------------------
> Organization: University Computer Club
> Organization ID: PAR95805 - quote when contacting Tech Support
>
> Login to your GlobalSign Certificate Center (GCC) Account to manage
> the lifecycle of your certificate. Your Account gives you easy access
> to renew Certificates, buy additional Certificates and to revoke or
> cancel existing Certificates if necessary.
>
> GCC Login URL: https://www.globalsign.com/ssl-login.htm
>
> Not sure of your User ID / Password? This would have been sent when you
> purchased your first GlobalSign product or created a User from within your
> GCC account. An email confirmation would have been sent. Please check
> your email or Contact Support if you have forgotten your Password.
>
> RENEWAL OFFERS
> --------------------------------------------------
> * 15% Discount on Renewal:
>   - Renew now and receive a 15% Discount
>
> * 30 days Bonus:
>   - Any remaining time will be transferred to your new Certificate
>   - Plus we will give you an extra 30 days Free!
>
> * Multi-year Savings:
>   - Renew with multi-year (up to 5 years) to avoid the renewal process
>     again this time next year. Get over 20% discount per additional year.
>
> Thank you for choosing GlobalSign, if you have any questions or
> issues please do not hesitate to contact us.
>
> CONTACT US
> --------------------
> Please note this email was sent from a nonreply mailbox.
>
> Support Contact Information
> Create Support Ticket: https://support.globalsign.com/customer/portal/emails/new
> Phone Support: 1-877-467-7543
> Online Support: https://support.globalsign.com/
>
> Vetting Contact Information
> Vetting Fax: 617-830-0779
> Vetting Email: vetting at globalsign.com
>
> --------------------------------------------------
> GlobalSign - Identity for Everything?
> --------------------------------------------------
>
> www.globalsign.com . 1-877-775-4562 . sales at globalsign.com
>
> YOUR CERTIFICATE TO RENEW:
> --------------------------------------------------
> Here is a copy of the Certificate you now need to renew:
>
> -----BEGIN CERTIFICATE-----
> MIIE8jCCA9qgAwIBAgISESEncmGAMwb7qKVar+tjjtWiMA0GCSqGSIb3DQEBCwUA
> MGAxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMTYwNAYD
> VQQDEy1HbG9iYWxTaWduIERvbWFpbiBWYWxpZGF0aW9uIENBIC0gU0hBMjU2IC0g
> RzIwHhcNMTQwOTA5MTMyMjAxWhcNMTUxMTExMDAxMDUwWjA6MSEwHwYDVQQLExhE
> b21haW4gQ29udHJvbCBWYWxpZGF0ZWQxFTATBgNVBAMMDCoudWNjLmFzbi5hdTCC
> ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANB3lB2Q9IwIPw4wA3FzOCoR
> 55iXkrmwWcQgGEDvwioQ9dFIIz9llqPQ88ZliUWK6S3SJ34llTuxsOF1bMFJ0wy0
> 0yMEUohXrUqIqF/4l8SaLMzH27zmBtIoHw+cJeaCy3sCrbw3TF0ymZZTKr0mXj1d
> 0jO/FSjOTwVKjQUH34teUBWOurmXCb0Vl0glfCOWpKkZR6Ve8dBIEP+in7LQkpPn
> /o6pgX5oiMf08FpIwb+RcLveE7RcGC5MJPTBaewfJQRV0U4TcMCMYlHTdDj5LTQJ
> xhLWwbcg0TCM8EuzSBdx+XW7LewmDn5INjRr3lOn2mE+q2mvBWQulqWtUHDF28EC
> AwEAAaOCAcowggHGMA4GA1UdDwEB/wQEAwIFoDBJBgNVHSAEQjBAMD4GBmeBDAEC
> ATA0MDIGCCsGAQUFBwIBFiZodHRwczovL3d3dy5nbG9iYWxzaWduLmNvbS9yZXBv
> c2l0b3J5LzAjBgNVHREEHDAaggwqLnVjYy5hc24uYXWCCnVjYy5hc24uYXUwCQYD
> VR0TBAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwQwYDVR0fBDww
> OjA4oDagNIYyaHR0cDovL2NybC5nbG9iYWxzaWduLmNvbS9ncy9nc2RvbWFpbnZh
> bHNoYTJnMi5jcmwwgZQGCCsGAQUFBwEBBIGHMIGEMEcGCCsGAQUFBzAChjtodHRw
> Oi8vc2VjdXJlLmdsb2JhbHNpZ24uY29tL2NhY2VydC9nc2RvbWFpbnZhbHNoYTJn
> MnIxLmNydDA5BggrBgEFBQcwAYYtaHR0cDovL29jc3AyLmdsb2JhbHNpZ24uY29t
> L2dzZG9tYWludmFsc2hhMmcyMB0GA1UdDgQWBBRlhck6a3u3snso3Y6JIqh27oK+
> BzAfBgNVHSMEGDAWgBTqTnzUgC3lFYGGJoyCbcCYpM+XDzANBgkqhkiG9w0BAQsF
> AAOCAQEAXIufu5A5RPZdokglCXPI2yJrE4vHDhsuRvDGirsj5ToYuI1yRyqSgvwr
> 0vNBr6TXpfY6tDV0uVLD28DNigHjiYQ3ITjlEHSiu3eWIZ2T/1cUUHs6PslXXGNK
> gkGg0BUmI3kpoqhPSlxHTnqeQXxdoTbQDZNRwXVKBQUD7SGDTTyc6hoRYoTMLGSX
> 9IkBl5e6iT7lUykEid9aUk8ueGPlKN5DUMBb574MolTupaOb0kj1RTXHxoO6A1Ig
> ldVHNt6J8i0pEn66PJptOrYbgPwA8hjbSqkjSPeWfg08LcWRroiys8Vp4Xm8GBJq
> mWlXEWy+2M8My0lMvo1HcTTdm8BMSg==
> -----END CERTIFICATE-----
>
> ----- End forwarded message -----
> _______________________________________________
> List Archives: http://lists.ucc.gu.uwa.edu.au/pipermail/tech
>
> Unsubscribe here: http://lists.ucc.gu.uwa.edu.au/mailman/options/tech/zanchey%40ucc.gu.uwa.edu.au

Cheers,

David Adam
zanchey at ucc.gu.uwa.edu.au
Ask Me About Our SLA!

From matt at ucc.asn.au Wed Nov 4 21:55:00 2015
From: matt at ucc.asn.au (Matt Johnston)
Date: Wed, 4 Nov 2015 21:55:00 +0800
Subject: [tech] UCC wildcard certificate
References: <20151028144751.GD7184@ucc.gu.uwa.edu.au>
Message-ID: <0D53959C-7D7A-4695-8CD7-53DBB41C0315@ucc.asn.au>

> On Wed 4/11/2015, at 10:09 am, David Adam wrote:
>
> Globalsign want crazy money for wildcard certificates.
> https://www.ssls.com/ssl-certificates/comodo-positivessl-wildcard is about
> as reasonable as it gets. The club can probably afford $130 for a year's
> worth.
>
> Alternatively, we could just turn HTTPS off for subdomains. We've got a
> cert for secure.ucc.asn.au that's good until 2018. I didn't put HSTS on my
> domain ;-)

I'll switch over to a cert that just has secure.ucc, www.ucc, ucc, matt.ucc until letsencrypt is generally available in a few weeks time. Those are the only domains that are seeing much http traffic.
No point paying money to the SSL industry.

Cheers,
Matt

From matt at ucc.asn.au Thu Nov 5 22:59:56 2015
From: matt at ucc.asn.au (Matt Johnston)
Date: Thu, 5 Nov 2015 22:59:56 +0800
Subject: [tech] UCC wildcard certificate
In-Reply-To: <0D53959C-7D7A-4695-8CD7-53DBB41C0315@ucc.asn.au>
References: <20151028144751.GD7184@ucc.gu.uwa.edu.au> <0D53959C-7D7A-4695-8CD7-53DBB41C0315@ucc.asn.au>
Message-ID: <0C6F843B-0362-45D6-A504-6F7CC0233B67@ucc.asn.au>

>> On Wed 4/11/2015, at 10:09 am, David Adam wrote:
>>
>> Alternatively, we could just turn HTTPS off for subdomains. We've got a
>> cert for secure.ucc.asn.au that's good until 2018. I didn't put HSTS on my
>> domain ;-)

I've set up letsencrypt certificates for https www.ucc.asn.au, ucc.asn.au and matt.ucc.asn.au (those were the ones I submitted with their beta). https secure.ucc has gone back to using the comodo certificate expiring in 2018. You put multiple "sslcertificatefile"/key lines for different virtualhosts in Apache's config; it seems to magically figure out which cert to use. Other user webspace certificates expire on 11 November. Once letsencrypt is generally available I'll get certs for all subdomains again - looking at the web logs there seems to be only accidental traffic to other domains (apart from zanchey.ucc).

I've switched postfix and dovecot (SMTP and IMAP) back to the 2018 secure.ucc certificate. I guess wifi or something else might also need attention?

Cheers,
Matt

From zanchey at ucc.gu.uwa.edu.au Thu Nov 5 23:17:44 2015
From: zanchey at ucc.gu.uwa.edu.au (David Adam)
Date: Thu, 5 Nov 2015 23:17:44 +0800 (AWST)
Subject: [tech] UCC wildcard certificate
In-Reply-To: <0C6F843B-0362-45D6-A504-6F7CC0233B67@ucc.asn.au>
References: <20151028144751.GD7184@ucc.gu.uwa.edu.au> <0D53959C-7D7A-4695-8CD7-53DBB41C0315@ucc.asn.au> <0C6F843B-0362-45D6-A504-6F7CC0233B67@ucc.asn.au>

On Thu, 5 Nov 2015, Matt Johnston wrote:
> >> On Wed 4/11/2015, at 10:09 am, David Adam wrote:
> >>
> >> Alternatively, we could just turn HTTPS off for subdomains. We've got a
> >> cert for secure.ucc.asn.au that's good until 2018. I didn't put HSTS on my
> >> domain ;-)
>
> I've set up letsencrypt certificates for https www.ucc.asn.au,
> ucc.asn.au and matt.ucc.asn.au (those were the ones I submitted with
> their beta). https secure.ucc has gone back to using the comodo
> certificate expiring in 2018. You put multiple "sslcertificatefile"/key
> lines for different virtualhosts in Apache's config; it seems to
> magically figure out which cert to use. Other user webspace certificates
> expire on 11 November. Once letsencrypt is generally available I'll get
> certs for all subdomains again - looking at the web logs there seems
> to be only accidental traffic to other domains (apart from zanchey.ucc).
>
> I've switched postfix and dovecot (SMTP and IMAP) back to the 2018
> secure.ucc certificate. I guess wifi or something else might also need
> attention?

Wifi uses the UCC CA certificates, as does LDAP. Maaxen has the wildcard certificate installed for its RDP server; can just go back to the self-signed cert for now.
[DAA]

From trs80 at ucc.gu.uwa.edu.au Thu Nov 5 23:22:54 2015
From: trs80 at ucc.gu.uwa.edu.au (James Andrewartha)
Date: Thu, 5 Nov 2015 23:22:54 +0800 (AWST)
Subject: [tech] UCC wildcard certificate
In-Reply-To: <0C6F843B-0362-45D6-A504-6F7CC0233B67@ucc.asn.au>
References: <20151028144751.GD7184@ucc.gu.uwa.edu.au> <0D53959C-7D7A-4695-8CD7-53DBB41C0315@ucc.asn.au> <0C6F843B-0362-45D6-A504-6F7CC0233B67@ucc.asn.au>

On Thu, 5 Nov 2015, Matt Johnston wrote:
> >> On Wed 4/11/2015, at 10:09 am, David Adam wrote:
> >>
> >> Alternatively, we could just turn HTTPS off for subdomains. We've got a
> >> cert for secure.ucc.asn.au that's good until 2018. I didn't put HSTS on my
> >> domain ;-)
>
> I've set up letsencrypt certificates for https www.ucc.asn.au, ucc.asn.au and matt.ucc.asn.au (those were the ones I submitted with their beta). https secure.ucc has gone back to using the comodo certificate expiring in 2018. You put multiple "sslcertificatefile"/key lines for different virtualhosts in Apache's config; it seems to magically figure out which cert to use. Other user webspace certificates expire on 11 November. Once letsencrypt is generally available I'll get certs for all subdomains again - looking at the web logs there seems to be only accidental traffic to other domains (apart from zanchey.ucc).
>
> I've switched postfix and dovecot (SMTP and IMAP) back to the 2018 secure.ucc certificate. I guess wifi or something else might also need attention?

Postfix is broken:

Nov 5 22:52:46 mooneye postfix/smtpd[21843]: warning: cannot get RSA certificate from file /etc/ssl/secure.ucc/combo-just-secure.ucc-2014.crt: disabling TLS support
Nov 5 22:52:46 mooneye postfix/smtpd[21843]: warning: TLS library problem: 21843:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('/etc/ssl/secure.ucc/combo-just-secure.ucc-2014.crt','r'):
Nov 5 22:52:46 mooneye postfix/smtpd[21843]: warning: TLS library problem: 21843:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
Nov 5 22:52:46 mooneye postfix/smtpd[21843]: warning: TLS library problem: 21843:error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib:ssl_rsa.c:722:
Nov 5 22:52:46 mooneye postfix/smtpd[21843]: connect from 58-7-48-39.dyn.iinet.net.au[58.7.48.39]
Nov 5 22:52:46 mooneye postfix/smtpd[21843]: warning: Wrapper-mode request dropped from 58-7-48-39.dyn.iinet.net.au[58.7.48.39] for service smtps. TLS context initialization failed. For details see earlier warnings in your logs.
Nov 5 22:52:46 mooneye postfix/smtpd[21843]: disconnect from 58-7-48-39.dyn.iinet.net.au[58.7.48.39]

From matt at ucc.asn.au Thu Nov 5 23:27:40 2015
From: matt at ucc.asn.au (Matt Johnston)
Date: Thu, 5 Nov 2015 23:27:40 +0800
Subject: [tech] UCC wildcard certificate
References: <20151028144751.GD7184@ucc.gu.uwa.edu.au> <0D53959C-7D7A-4695-8CD7-53DBB41C0315@ucc.asn.au> <0C6F843B-0362-45D6-A504-6F7CC0233B67@ucc.asn.au>
Message-ID: <5CCFCD52-C130-44FE-9204-92C7B8FCD32A@ucc.asn.au>

Should be OK now? That log is my test email. My email to tech at ucc went through secure.ucc smtps.
Matt

> On Thu 5/11/2015, at 11:22 pm, James Andrewartha wrote:
>
> On Thu, 5 Nov 2015, Matt Johnston wrote:
>
>>>> On Wed 4/11/2015, at 10:09 am, David Adam wrote:
>>>>
>>>> Alternatively, we could just turn HTTPS off for subdomains. We've got a
>>>> cert for secure.ucc.asn.au that's good until 2018. I didn't put HSTS on my
>>>> domain ;-)
>>
>> I've set up letsencrypt certificates for https www.ucc.asn.au, ucc.asn.au and matt.ucc.asn.au (those were the ones I submitted with their beta). https secure.ucc has gone back to using the comodo certificate expiring in 2018. You put multiple "sslcertificatefile"/key lines for different virtualhosts in Apache's config; it seems to magically figure out which cert to use. Other user webspace certificates expire on 11 November. Once letsencrypt is generally available I'll get certs for all subdomains again - looking at the web logs there seems to be only accidental traffic to other domains (apart from zanchey.ucc).
>>
>> I've switched postfix and dovecot (SMTP and IMAP) back to the 2018 secure.ucc certificate. I guess wifi or something else might also need attention?
>
> Postfix is broken:
>
> Nov 5 22:52:46 mooneye postfix/smtpd[21843]: warning: cannot get RSA certificate from file /etc/ssl/secure.ucc/combo-just-secure.ucc-2014.crt: disabling TLS support
> Nov 5 22:52:46 mooneye postfix/smtpd[21843]: warning: TLS library problem: 21843:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('/etc/ssl/secure.ucc/combo-just-secure.ucc-2014.crt','r'):
> Nov 5 22:52:46 mooneye postfix/smtpd[21843]: warning: TLS library problem: 21843:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
> Nov 5 22:52:46 mooneye postfix/smtpd[21843]: warning: TLS library problem: 21843:error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib:ssl_rsa.c:722:
> Nov 5 22:52:46 mooneye postfix/smtpd[21843]: connect from 58-7-48-39.dyn.iinet.net.au[58.7.48.39]
> Nov 5 22:52:46 mooneye postfix/smtpd[21843]: warning: Wrapper-mode request dropped from 58-7-48-39.dyn.iinet.net.au[58.7.48.39] for service smtps. TLS context initialization failed. For details see earlier warnings in your logs.
> Nov 5 22:52:46 mooneye postfix/smtpd[21843]: disconnect from 58-7-48-39.dyn.iinet.net.au[58.7.48.39]

From trs80 at ucc.gu.uwa.edu.au Thu Nov 5 23:32:08 2015
From: trs80 at ucc.gu.uwa.edu.au (James Andrewartha)
Date: Thu, 5 Nov 2015 23:32:08 +0800 (AWST)
Subject: [tech] UCC wildcard certificate
In-Reply-To: <5CCFCD52-C130-44FE-9204-92C7B8FCD32A@ucc.asn.au>
References: <20151028144751.GD7184@ucc.gu.uwa.edu.au> <0D53959C-7D7A-4695-8CD7-53DBB41C0315@ucc.asn.au> <0C6F843B-0362-45D6-A504-6F7CC0233B67@ucc.asn.au> <5CCFCD52-C130-44FE-9204-92C7B8FCD32A@ucc.asn.au>

On Thu, 5 Nov 2015, Matt Johnston wrote:
> Should be OK now? That log is my test email. My email to tech at ucc went through secure.ucc smtps.

Hmm, yeah. I just saw the bounces to postmaster now.

From trs80 at ucc.gu.uwa.edu.au Fri Nov 6 10:31:45 2015
From: trs80 at ucc.gu.uwa.edu.au (James Andrewartha)
Date: Fri, 6 Nov 2015 10:31:45 +0800 (AWST)
Subject: [tech] UCC wildcard certificate
In-Reply-To: <0C6F843B-0362-45D6-A504-6F7CC0233B67@ucc.asn.au>
References: <20151028144751.GD7184@ucc.gu.uwa.edu.au> <0D53959C-7D7A-4695-8CD7-53DBB41C0315@ucc.asn.au> <0C6F843B-0362-45D6-A504-6F7CC0233B67@ucc.asn.au>

On Thu, 5 Nov 2015, Matt Johnston wrote:
> >> On Wed 4/11/2015, at 10:09 am, David Adam wrote:
> >>
> >> Alternatively, we could just turn HTTPS off for subdomains. We've got a
> >> cert for secure.ucc.asn.au that's good until 2018. I didn't put HSTS on my
> >> domain ;-)
>
> I've set up letsencrypt certificates for https www.ucc.asn.au,
> ucc.asn.au and matt.ucc.asn.au (those were the ones I submitted with
> their beta). https secure.ucc has gone back to using the comodo
> certificate expiring in 2018.
> You put multiple "sslcertificatefile"/key

I've added a chain cert to the old SHA1 AddTrust CA as my phone hasn't got the new SHA2 Comodo CA in it.
https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/966/108/intermediate-1-sha-2-comodo-rsa-certification-authority

From irc for let's encrypt: 'fullchain.pem' isn't full.
https://community.letsencrypt.org/t/solved-why-isnt-my-certificate-trusted/2479

From bob at ucc.gu.uwa.edu.au Fri Nov 6 12:51:15 2015
From: bob at ucc.gu.uwa.edu.au (Andrew Adamson)
Date: Fri, 6 Nov 2015 12:51:15 +0800 (AWST)
Subject: [tech] Collaborative Breaking Session Tonight

Hi all,

I'll be heading into UCC tonight to do some machine general maintenance on servers. I might also be looking at the cluster regarding upgrades and/or a hardware upgrade of mooneye and/or replacing a disk in motsugo. If anyone else wants to come along and help and/or learn, you are welcome to do so.

Andrew Adamson
bob at ucc.asn.au

|"If you can't beat them, join them, and then beat them." |
|                                        ---Peter's Laws  |

From zanchey at ucc.gu.uwa.edu.au Fri Nov 6 21:26:24 2015
From: zanchey at ucc.gu.uwa.edu.au (David Adam)
Date: Fri, 6 Nov 2015 21:26:24 +0800 (AWST)
Subject: [tech] Mussel upgraded to Debian stable "jessie" 8.2

On Mon, 2 Nov 2015, David Adam wrote:
> On Sun, 1 Nov 2015, David Adam wrote:
> > The main remaining issue is that suPHP was removed from the Debian
> > distribution as it is not actively maintained. I am not keen on running
> > mod_php for user directories without it; there's too much risk in the PHP
> > running in other contexts (e.g. cacti, Roundcube, etc.). For now, I've
> > disabled PHP code in user home directories (see mods-enabled/php5.conf).
> >
> > I'll try and work out an alternative in the next few days, although others
> > are most welcome to take a look.
>
> I think I've got all the webspace stuff working again. I ended up installing
> libapache2-mod-ruid2, which uses Linux capabilities to switch user as
> required. I am a little concerned, because while I think I have a good
> understanding of suexec/suPHP, ruid2 is a little more impenetrable.

[MSH] took a look, and ruid2 doesn't actually drop the switch-user capability like it should, so you can probably use it to take over the world. I've switched back to suexec.

PHP now runs with CGI in user home directories. The magic of `update-binfmt` means that people don't need to add shebangs to the scripts, but they do need to be made executable, so I ran the following over /home/*/*/public-html:

    find . -name \*.php ! -perm /100 -perm -444 -exec chmod ugo+x '{}' \;

Hopefully that does the trick for now.

An alternative was suggested by the Anchor crew:
http://www.anchor.com.au/hosting/support/How-Anchor-runs-PHP-as-CGI-on-shared-hosting
but that looked approximately zero fun.

[DAA]

From zanchey at ucc.gu.uwa.edu.au Fri Nov 6 21:29:45 2015
From: zanchey at ucc.gu.uwa.edu.au (David Adam)
Date: Fri, 6 Nov 2015 21:29:45 +0800 (AWST)
Subject: [tech] Molmol reboot and fallout

Yesterday the NFS server on Molmol was acting up - nlockmgr/rpc.lockd was wedged and lots of operations were failing. We decided to reboot it.

Unfortunately, Mussel's disk image was hosted on the NFS server and for some reason the superblock got corrupted. Usually, all the VMs work just fine when the underlying storage disappears temporarily.

I restored a bunch of stuff from backups and used debsums to check the consistency of most of the system. The sticking points were PostgreSQL and MySQL.
Postgres refused to start until the transaction logs were flushed; as far as I can tell no data was lost. MySQL refused to start as a configuration file was missing; `dpkg-reconfigure mysql` made that work, but then it just dropped a whole bunch of databases without so much as a peep. I restored the ones that were missing from the backup. There's a small chance of data loss but most of the affected DBs didn't appear to be terribly high traffic. [DAA] zanchey@ From trs80 at ucc.gu.uwa.edu.au Mon Nov 16 23:52:15 2015 From: trs80 at ucc.gu.uwa.edu.au (James Andrewartha) Date: Mon, 16 Nov 2015 23:52:15 +0800 (AWST) Subject: [tech] =?utf-8?b?4pqgIFJlOiAgTW9sbGl0eiBkaXNr?= In-Reply-To: References: <20150914035443.D281220082@motsugo.ucc.gu.uwa.edu.au> <43F9DD34-9C7B-4509-A5E4-2EBDDD7C7EF7@ucc.asn.au> Message-ID: On Tue, 15 Sep 2015, Andrew Adamson wrote: > It's worth a try I guess, but mollitz is super-picky about its disks. It > has a Perc 5/i raid controller that doesn't get on well with some disk > firmwares (especially those that spin down to save power). The problem is > that it'll work fine for a day or so and then drop the raid, hence why I > recommended that we simply replace the exact model of disk on warranty. The other two disks are also failing smart tests: On Mon, 16 Nov 2015, root wrote: > Subject: SMART error (SelfTest) detected on host: mollitz > > Device: /dev/sda [megaraid_disk_01] [SAT], Self-Test Log error count increased from 4 to 5 > > Device info: > WDC WD2002FAEX-007BA0, S/N:WD-WMAY05101686, WWN:5-0014ee-2b1a4d741, FW:05.01D05, 2.00 TB On Mon, 16 Nov 2015, root wrote: > Subject: SMART error (SelfTest) detected on host: mollitz > > Device: /dev/sda [megaraid_disk_02] [SAT], Self-Test Log error count increased from 4 to 5 > > Device info: > WDC WD2002FAEX-007BA0, S/N:WD-WMAY04224759, WWN:5-0014ee-25c4cb307, FW:05.01D05, 2.00 TB I catch the train into work so getting the replacement disks is not that easy. Can someone drop them off to me in Claremont? 
-- 
# TRS-80              trs80(a)ucc.gu.uwa.edu.au #/ "Otherwise Bub here will do \
# UCC Wheel Member     http://trs80.ucc.asn.au/  #|  what squirrels do best     |
[ "There's nobody getting rich writing          ]|  -- Collect and hide your   |
[  software that I know of" -- Bill Gates, 1980 ]\  nuts."   -- Acid Reflux #231 /

From oxinabox at ucc.asn.au Mon Nov 23 10:59:33 2015
From: oxinabox at ucc.asn.au (oxinabox at ucc.asn.au)
Date: Mon, 23 Nov 2015 10:59:33 +0800
Subject: [tech] How to Fix it when windows computers only have local accounts
Message-ID:

Hi all,
idk why this happens, but it seems Samba is derped.

The solution is to `ssh root at molmol` then run `service -R`
This will restart a bunch of services running on Molmol, including Samba.
This fixes windows logins etc.

Obviously you need to be on wheel to do this.

Someone (possibly me) needs to check why Samba is derping.

-- 
[*OX] Wheel member

From vanbujm at gmail.com Wed Nov 25 13:21:52 2015
From: vanbujm at gmail.com (Jonathan Van buren)
Date: Wed, 25 Nov 2015 05:21:52 +0000
Subject: [tech] Fwd: UCC Windows 10 Machine
In-Reply-To:
References:
Message-ID:

Okay got it working. Had to edit the smb.conf file not the smb4.conf file in "/usr/local/etc/smb.conf"

I have added some extra commenting to the line to explain the fix then I commented out the line and it still works!

I also added a section in SOE page on the wiki detailing the fix for windows 10.

Thanks for your help!

- JVB

---------- Forwarded message ---------
From:
Date: Tue, 24 Nov 2015 at 18:41
Subject: Re: UCC Windows 10 Machine
To: Jonathan Van buren

On Tue, 24 Nov 2015, Jonathan Van buren wrote:
> I have been attempting to get the clubroom windows 10 machine to login to
> accounts on the UCCDOMAIN, however I am getting the "There are currently no
> logon servers available to service the logon request" error. Now the fix
> seems to be to add the line "max protocol = NT1" to the smb.conf. But to my
> knowledge we are running samba4 with active directory not NT correct?
>
> So my question is; is it safe to try this config change or is there a
> better solution?

Hi J

We're running Samba 4, but still in NT Domain mode. I'm sort of amazed that it still works; I would have thought they would have given 15+ year old tech the boot by now.

I take it you're looking at https://wiki.samba.org/index.php/Required_settings_for_NT4-style_domains#Windows_10:_.E2.80.9ENo_logon_servers_available.E2.80.9C

I think it should be safe to try this config change. You probably need to make it on the PDC, which is molmol, in /usr/local/etc/smb4.conf. Restart the service with `service samba_server restart` and then probably reboot the Windows 10 machine as well.

Unfortunately this will probably make the performance of file transfers even worse. However, this thread: https://lists.samba.org/archive/samba-technical/2015-June/107642.html suggests that once the Windows 10 machine has logged on to the domain once, you can remove the `max_protocol` line and it should keep working! If that's the case, we can probably have the best of both worlds.

Good luck, I'd be keen to hear how you get on. One of these days we should move to full Active Directory with Samba - but it will require rewriting quite a lot of scripts so perhaps February is the time.

Cheers

[DAA]
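An added example, not code from the thread or from UCC's own configuration: a small POSIX shell checker that reads an smb.conf, reports the effective `max protocol` from its `[global]` section, and flags when the server has been pinned to an SMB1 dialect such as NT1. It follows Samba's smb.conf rules that parameter names ignore case and whitespace, that `server max protocol` and `protocol` are synonyms of `max protocol`, and that a repeated parameter takes its last value, so it catches spellings like `Max Protocol = nt1` as well as the exact line from the wiki. The two sample configs are constructed for the example; only the `UCCDOMAIN` workgroup name comes from the thread. It is meant as a quick way to confirm the NT1 line has been taken out again after the Windows 10 machine's first domain logon, as the samba-technical thread linked above suggests.

```shell
#!/bin/sh
# Added example, not the thread's or UCC's own code: report the effective
# "max protocol" from the [global] section of an smb.conf and flag when it
# pins Samba to an SMB1 dialect (NT1 or older).

# Print the effective max protocol set in [global] of the file named in $1.
# Samba ignores case and whitespace in parameter names, accepts the synonyms
# "server max protocol" and "protocol", and takes the last setting when a
# parameter is repeated; the awk below mirrors that. Prints "default" when
# the file leaves the parameter unset.
smb_max_protocol() {
    awk '
        # Section headers such as [global] or [homes].
        /^[[:space:]]*\[/ {
            sec = $0
            sub(/^[[:space:]]*\[/, "", sec)
            sub(/][[:space:]]*$/, "", sec)
            gsub(/[[:space:]]/, "", sec)
            sec = tolower(sec)
            next
        }
        # Comments (# or ;) and blank lines carry no settings.
        /^[[:space:]]*[#;]/ || /^[[:space:]]*$/ { next }
        sec == "global" {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            gsub(/[[:space:]]/, "", key)
            key = tolower(key)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            if (key == "maxprotocol" || key == "servermaxprotocol" || key == "protocol")
                proto = toupper(val)
        }
        END { print (proto == "" ? "default" : proto) }
    ' "$1"
}

# Succeed (exit 0) when the file named in $1 pins the server to an SMB1 dialect.
smb1_pinned() {
    case "$(smb_max_protocol "$1")" in
        NT1|LANMAN1|LANMAN2|COREPLUS|CORE) return 0 ;;
        *) return 1 ;;
    esac
}

# One-line report per file, with the reminder from the thread: the NT1 line
# is only needed for the Windows 10 machine's first domain logon.
smb_report() {
    if smb1_pinned "$1"; then
        echo "$1: max protocol = $(smb_max_protocol "$1") (SMB1 dialect; remove after the first Windows 10 logon)"
    else
        echo "$1: max protocol = $(smb_max_protocol "$1")"
    fi
}

# Constructed sample configs; not molmol's real smb.conf.
SMB_NT1_CONF=$(mktemp)
cat > "$SMB_NT1_CONF" <<'EOF'
[global]
   workgroup = UCCDOMAIN
   domain logons = yes
   ; allow the Windows 10 machine to join the NT4-style domain
   Max Protocol = nt1

[homes]
   browseable = no
EOF

SMB_CLEAN_CONF=$(mktemp)
cat > "$SMB_CLEAN_CONF" <<'EOF'
[global]
   workgroup = UCCDOMAIN
   domain logons = yes
   # max protocol = NT1   (commented out again after the first logon)

[homes]
   browseable = no
EOF
trap 'rm -f "$SMB_NT1_CONF" "$SMB_CLEAN_CONF"' EXIT

smb_report "$SMB_NT1_CONF"
smb_report "$SMB_CLEAN_CONF"
```

Run it against the live file with `smb_report /usr/local/etc/smb4.conf` (or `smb.conf`, whichever the running Samba actually reads; `testparm -v` will tell you, and is the authoritative check since it applies the same parsing rules and shows the defaults this script reports only as "default").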
From mjpomery at ucc.asn.au Wed Nov 25 18:36:33 2015
From: mjpomery at ucc.asn.au (Mitchell Pomery)
Date: Wed, 25 Nov 2015 18:36:33 +0800 (AWST)
Subject: [tech] Phones around UWA Student Guild Unavailable this weekend
Message-ID:

See below for details

Regards,
Mitch
2015 President
University Computer Club

---------- Forwarded message ----------
Date: Wed, 25 Nov 2015 18:12:28 +0800
From: Kieran Natalwala 15
To:
Subject: RE: Tenancy Committee Meeting & Busy Bee

Hello Tenants,

Please be advised of the following:

There will be a shutdown to phone lines to allow the installation of the new Phone Panel on Saturday 28/11/15 between 7am and 4pm. This may extend into Sunday 29/11/15 if complications arise. Williams Electrical will be on site Monday 30/11/15 at 7am if any problems arise as offices are re-occupied.

The areas affected include
- Pelican Offices
- Catering Offices
- Boost Juice
- Subway
- Cameron Hall
- Payphone in courtyard between Guild Ground Floor and Ref. (Refrigerated machines to north of Guild Bld not affected)

Further to this there will be a meeting on Friday 27/11/15 at 1pm to confirm any further details. Any stakeholders with any concerns are welcome to attend also.

Kieran Natalwala
Guild Councillor
UWA Student Guild - Experience Student Culture
A M300, UWA Student Guild - 35 Stirling Hwy, Crawley WA 6009
P (+61) 432 059 458
E kieran.natalwala15 at guild.uwa.edu.au
W www.uwastudentguild.com
FB facebook.com/UWAStudentGuild
T @UWAStudentGuild

NOTICE - This e-mail and any attachments are intended for the addressee(s) only and may be confidential. They may contain legally privileged or copyright material. You should not read, copy, use or disclose them without authorisation. If you are not the intended recipient please contact the sender as soon as possible by return e-mail and then please delete both messages. This notice should not be removed.
Any views expressed in this message are those of the individual sender and may not necessarily reflect the views of the UWA Student Guild. Please consider the environment before printing this e-mail.