Anthony’s Ramblings

I recently discovered StartCom’s free Class 1 SSL certificates and decided to request some for my server. I figured, why not start with Jabber? The Openfire admin interface makes it seem simple enough. Well, it’s not as straight-forward as it sounds, but it’s relatively easy once you know what to do.

Your server must be running JRE 6 with the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 6 to be able to use a certificate generated by StartCom.

My experience is Debian based, so these instructions will be written as such. All terminal commands below are performed as root.

Step 0 – Delete Existing Certificates

Log in to your Openfire server at http://yourserver:9090

Under “Server Settings” select “Server Certificates”

Delete all listed certificates.

Step 1 – Install and configure JRE 6

To install Java 6 JRE, simply do:

apt-get install sun-java6-jre

Next, we want to make sure JRE 6 is the default for java on our server.

update-alternatives --config java

Be sure to select the option corresponding to /usr/lib/jvm/java-6-sun/jre/bin/java (option 3 on my server).

Step 2 – Install JCE Unlimited Strength Jurisdiction Policy Files 6

Download the files from http://java.sun.com/javase/downloads/index.jsp

Copy the files US_export_policy.jar and local_policy.jar to /usr/lib/jvm/java-6-sun/jre/lib/security overwriting what already exist. Be sure to retain the permissions the old files had.

Openfire will continue to use the old JRE until its environment variables are updated. I was too lazy to do this, so I rebooted my server. This worked for me!

Step 3 – Obtain Private Key & Certificate From StartCom

Go to https://www.startssl.com/ and go through the process of creating an account (if you haven’t already). Then request a Jabber/XMPP certificate through them for your server. Don’t use an Openfire generated CSR, let StartCom generate the private key for you.

Save the private key and its password!! If you lose this, your certificate will be invalid and you will NOT be able to re-request the certificate from StartCom! We will be using it in a later step.

Note: Since StartCom is generating the private key, you may have to wait a few hours for your request to be confirmed.

Step 4 – Install StartCom’s Class 1 Intermediate and Root Certificates

Note: You can perform this step while you’re waiting for your certificate to be generated.

Download StartCom’s class1 intermediate certificate here: https://www.startssl.com/certs/sub.class1.server.ca.pem and StartCom’s root certificate here: https://www.startssl.com/certs/ca.pem.

Copy the root and intermediate certificates to a logical location in your server. I worked in ~/ssl/ to keep things organized.

To install the certificates, use the following commands (each command is 1 line):

keytool -import -trustcacerts -alias startcom.ca -file ca.pem -keystore /usr/share/openfire/resources/security/truststore

keytool -import -trustcacerts -alias startcom.ca.sub -file sub.class1.server.ca.pem -keystore /usr/share/openfire/resources/security/truststore

You will be prompted for a password. The default password is “changeit”.

(It is recommended that you change the keystore and truststore passwords. For instructions on how to do this, see http://www.igniterealtime.org/builds/openfire/docs/latest/documentation/ssl-guide.html)

Step 5 – Additional Openfire Configuring

Browse to your Openfire server at http://yourserver:9090

Under “Server Manager”, select “System Properties”

Add/edit the following properties with the following values:

Property Name – Property Value
xmpp.socket.ssl.active – true
xmpp.socket.ssl.port – 5223
xmpp.socket.ssl.storeType – JKS
xmpp.socket.ssl.keystore – resources/security/keystore
xmpp.socket.ssl.keypass – changeit
xmpp.socket.ssl.truststore – resources/security/truststore
xmpp.socket.ssl.trustpass – changeit

(It’s recommended that you change the keystore and truststore passwords. See http://www.igniterealtime.org/builds/openfire/docs/latest/documentation/ssl-guide.htmlfor instructions on how to do this.)

Step 6 – Installing Private Key & Certificate

Now we’re ready to install the certificate! Log back into your Openfire server at http://yourserver:9090.

Under “Server Settings” select “Server Certificates”. You should be prompted with the message

“One or more certificates are missing. Click here to generate self-signed certificates or here to import a signed certificate and its private key.”

Click the second link corresponding to importing a signed certificate.

In the first field, type your private key’s password. Copy the private key generated by StartCom and paste it in the second field. Copy the XMPP certificate generated by StartCom and paste it in the 3rd field.

Click save. You should now be back at the “Server Certificates” page with your certificate listed below. You will still be prompted with the “One or more certificates are missing.” error, but simply ignore it. This is because Openfire is looking for an RSA and a DSA certificate. You don’t need both.

Restart Openfire and…success!

Did an ‘apt-get dist-upgrade’ yesterday and updated the ol’ server to Debian 5.0. For the most part, everything went fine. I did encounter one weird thing. The latest version of MySQL would not install, complaining about not having version information for libz.so.1 located in /opt/mono/lib/. It was very, very strange (I don’t ever remember installing Mono). I Googled around a bit, and found that other people simply deleted the file that the MySQL installer was referring to (as there was another copy somewhere else on the system and some path specification was messed up…something like that).

In any case, deleting it (and the entire /opt/mono directory…I don’t need it) seemed to fix the problem. MySQL is working (or else you wouldn’t be reading this). :shrug:

Not that it’s hard or anything, but I learned how to generate self-signed certificates and set up HTTPS sites in Apache. Go me!

So now, Apache forces (or should force) https upon anybody who tries to log in or view content under /wp-admin.

I should buy a certificate and server all of HHSn over HTTPS! …just kidding.

That is all!

Sort of…

Over the summer, I and a co-worker moved e-mail over from a tired G5 Xserve running the default “Mail” package that OS X Server (Tiger) comes with to Zimbra (which was installed on a new beefy Dell server running Debian 4.0)! The move went excellent and nothing more than what was expected went wrong. It was truly much less problem free than anybody expected. We were so excited that we had a little “party” when we “flipped the switch” and officially switched over. The party lasted, oh, 15 minutes maybe. Carel made six cup cakes, one for every letter in the word Zimbra. He also doodled “Happy Zimbra Day” on the white board in the office. I decided to share this with the Zimbra team and, now, we’re famous!

http://www.zimbrablog.com/blog/archives/2008/08/happy-zimbra-day.html

Woot!

http://forums.hhsn.net

After a long internal debate, I decided to bring them back. Although none of the old/original posts exist, I hope that it’ll become a little something that’ll use some of the wasted CPU cycles of my server.

Any comments/suggestions about the forums are welcomed and appreciated.

Pass the word around, please!

Last weekend I obtained a copy of Windows Vista Ultimate. I didn’t really expect much out of it as I’m not really a fan and haven’t heard any worthwhile testimony on why anybody should be using it. However, I still felt the urge to check it out anyway. So, I moved partitions around on my Dimension’s 160 GB hard drive and plopped Vista on it.

The first thing I expected was slowness. I know the system requirements for Vista are pretty high with a minimum 1 GHz CPU and 512 MB RAM. I’ve even heard that Vista runs best with 4 GB RAM! With that said, my Dimension only has a P4 2.8GHz CPU and 1.5 GB RAM. Surprisingly, it’s actually very responsive. With anti-virus software installed, it feels pretty close to how responsive XP is on this machine.

It was a little frustrating figuring out where Microsoft decided to stash things this time around. One thing that MS has actually handled quite well until now was that the transition between versions of Windows never killed anybody. Let me tell you, A LOT has changed in Vista. From somethings as simple as “My Documents” being changed to broken down folders inside your user’s home directory to “My Computer” being re-named just plain ‘ol “Computer”, to complete path changes (no more Documents and Settings folder, it’s now a Mac-ish /Users folder) and preference relocations (they’ve combined all network interfaces into a what wants to be an intuitive interface, but coming from XP it took me a minute to figure it out).

I had also expected to run into the incompatibility problems with installing older applications, but everything that I have installed this far has worked without a hitch. I haven’t tried any older games (I love Sim City 3000 ), so we’ll see.

Aero is pretty neat. It’s not an amazing must-have, but does show that Windows has come a long way. Windows fade in and out, translucent titlebars and taskbar, along with other fancy touches here and there. However, you must have a fairly beefy video card to get the full Aero effect. Luckily, the GeForce 6800 XT I bought a few weeks ago supports it very nicely.

The alert dialog boxes that appear when certain tasks are performed isn’t as annoying as I thought it’d be. It’s just like when you perform a task that requires root privileges to run in Ubuntu and you are prompted for your password, except that you aren’t prompted for a password. I can see how this is pointless, as a user who isn’t sure what is going on could just as easily click “continue” and allow potentially bad tasks to run. Also, the alerts aren’t always descriptive. That can add to a user going “I don’t know *clicks continue*?”

Brianna decided to be a Vista guinea pig as well. She let me wipe her laptop and put Vista on it…from SCRATCH! I wish she’d let me do that with Linux. Oh well!

In summary, Vista is (in my opinion) a little more pretty than previous versions of Windows. I don’t have any major complaints, yet, nor do I have anything to rant and rave about. People have said that it’s the next Windows ME. I can agree, but so far without as many bugs.

Last weekend, I helped my mom’s cousin Debbie move some stuff for her boss up to San Rafael. She drove up from Los Angeles Friday night, and we headed up from my place to San Rafael Saturday morning. Since she was up, she brought me her old HP to try to “spruce up”, along with a Dell she was given. Debbie is really partial to Windows 98 (no idea why!), and since her HP was dead I couldn’t do much for her. So, I proposed a little trade. If she gave me the Dell, I’d give her the best system I could build that would run Windows 98. She agreed.

So, about this Dell. It’s a Dimension 4600i that has a 2.8GHz P4 /w hyperthreading, 512 MB of RAM (in dual channel mode, so 2×256), onboard video and sound, and no hard drive. For free, it’s a pretty decent machine. It has an AGP 8x slot, and supports Serial ATA hard drives. So, I decided to put a couple hundred bucks into it to bring it up to speed.

I bought a Serial ATA hard drive, a matched pair of 512MB DDR RAM sticks (for a total of 1.5 GB RAM), and a GeForce 6800XT video card (was open box, $60, I couldn’t pass it up). Since the hard drive didn’t come with a Serial ATA cable, and I was too lazy to run to Fry’s, I decided to install the RAM and video cards first (I previously installed a PATA hard drive).

All went perfect! So, being very excited, I ran to Fry’s and picked up a Serial ATA cable for the hard drive. I ghosted the contents of the old drive over to the new drive and booted the machine up. I’d get to the Windows XP login screen, log in, and as soon as the nVidia control panel application would load, the display would jumble and the computer would crash. So, I was like “what the fuck?!” It was working fine a half hour ago. I am pushing the limits of its power supply…it’s only rated to produce a peak wattage of 170 watts. So, yeah.

I wasn’t about to give up! I took all the hardware I had installed out. I switched back to the PATA hard drive. I booted the machine up, and it’d freeze at the login screen. Okay…so I’ll just wipe the drive and re-install the OS. It would freeze at the initial Windows setup screen! Perhaps I fucked up the power supply…

For the hell of it, I updated the BIOS. This didn’t seem to do any good. I was rather confused as to why the machine was running funky in it’s original configuration. So, for the hell of it, I took the CMOS battery out and let the system sit for a while.

I put the battery back in, booted the machine up with it’s original hardware configuration, and success! So, one by one, I added hardware. First, I added the RAM. The machine was still happy, so I added the hard drive. Nope, unhappy. I remembered that this drive had a jumper setting to force SATA 150, so I set that jumper and the computer became happy again. Last, I added the video card. Nope, the computer became crashy again!

It worked in the beginning, so why wouldn’t it work now? Power supply? I think so. However, I still didn’t give up! I rebooted the computer about a million times, and I finally got it to blue screen. It complained about “nv4_disp”. Aha! When the video card driver initializes, all goes crazy.

I removed the video card (because the system would freeze in SAFE MODE!), booted the machine up, and uninstalled the nVidia drivers. Re-installed the video card, re-installed the video drivers…

And the machine seems happy!

Whew. What an adventure. What a picky video card! The only thing I haven’t done is tried to play a game. We shall see how that goes!

A friend of mine from elementary school (Cumberland, 5th grade), her dad, and their neighbor set up a really cool Christmas light display synced to music. I had known about it for a few years, but never got a chance to see it in person. Since I’ve moved back to the South Bay, I decided to check it out! Brianna, Ryan, and I drove to their house on Tangerine Avenue in Sunnyvale, tuned in, and watched it for about a half hour. It’s really cool! They use an FM transmitter to broadcast the music so people passing by can tune in, but the locals don’t get annoyed by all the music.

Along with being a holiday treat, the light display is also set up as an attraction for a food drive/donation drive for the Second Harvest food bank. If you like the display you’re encouraged to donate something (Brianna contributed $2, the only change we had), but it’s not required.

You can find out more at their website, http://severex.com.

If you’re in the area, check it out!

It’s been a while since I’ve last posted here. I’m not sure if much has really happened since July. Well, now that I think about it, a few things have.

First off, I’ve moved to San Jose and have been working for the Menlo Park City School District for almost 3 months now. The change has been mostly good. I really like my new job and do like living in the South Bay over the East Bay. More pay is also good.

Speaking of work, we’ve just completed the project of linking all our sites via fiber. This is VERY cool, as our sites were previously linked via T1 lines (can we say, slow?!). I’m a geek, so I have my iMac patched into the gigabit switch at my site, so I have gigabit access across the entire network. Now that this project has been completed, a very generous man on the Palo Alto Exchange board has given us permission to connect to them for Internet access. For those who don’t know, the Palo Alto Exchange (otherwise known as PAIX, or Palo Alto Internet Exchange) is a huge ISP exchange hub. This means mega bandwidth for us! We currently have a T1 out to the “cloud”, so Internet access at peak hours (typically around lunch) sucks majorly.

Other than that, my beloved PowerBook has developed a weird problem. The “F” key on the keyboard has become extremely sensitive. Barely putting any pressure on the key results in a keypress (the key doesn’t even have to move downward). This is annoying for two reasons: one, I end up getting multiple “F’s” (usually 2, but sometimes more) when I only want one, and two, “F” is on the home row, and that is where my fingers rest when I am not typing (but still have my hands on the keyboard ready to key in something). Rogue “F’s” will appear when I am using the terminal, word processor, browsing the web, or using any application that accepts text input. I haven’t attempted to take apart the key yet. It’s the only key that does this. If anybody has any ideas on what’s up, I’m open to any input!

I think this is about it. Oh, I changed the theme here. I’m feeling very minimalistic today. You like?

Update : I pried off the ‘F’ key and cleaned under it. It’s better, but still a little touchy on the lower quarter of the key. It seems that the way I type naturally doesn’t trigger the weird repeatedness, so I think I’m okay for now!

Somebody may have noticed that this and Jabber were down this morning…

So, I was at my parents house from the 3rd of July until today visiting for the holiday and then some.  I have my server sitting over there since I am too cheap to foot the power bill (but that may change).  Anyway, my mom woke me up at about 7 AM telling me to check on the server.  She said “it seems like the whole house was put on a dimmer switch!”.  So, in my boxers, I jump up and walk out to the garage.  Sure enough, the UPS’s alarm is blaring.  I stick a voltmeter into the wall socket and it reads 75 volts.  Yep, a brown out.  Since I’m not totally sure on the battery life of the UPS (but it’s probably at least an hour), off the server went.  Next came the frantic rush to turn off/unplug all other electronic devices (which nowadays is almost everything!).

I called PG&E and they gave me an estimate of 2 and 1/2 hours until power was restored.  Sure enough, they were actually on time!  Power was fully restored at 9:30 AM.

Since the server had to go down, I took this opportunity to do some major upgrades (shall we say, apt-get dist-upgrade ?)  Everything went smooth sailing…thankfully.

The power brownout/outage was weird.  I had always assumed that most electronic devices could not operate with a difference of +/- 15 volts coming from the wall.  In any case, both refrigerators still ran (but slowly/dimly), the microwave still displayed the time (but was very dim), and with a small load, the little power supply I made still produced the correct voltages.  However, I’m absolutely sure that prolonged usage at low voltages can be fatal.  Hence why a brownout is typically worse than a blackout.  It was the first time I had experienced one of them!

Oh, and Brianna was able to still toast a bagel.  However, she lost count after the 5th time she had to put it in…and it never turned brown (but it was crispy!).

Update: Is it just me, or does the “Visual” post editor in WP 2.2.1 NOT work? I’ve used it several times and with each post it ignores my paragraphs. I always have to go back and do it manually.

The power supply in my brother’s computer was acting weird…pretty much failing. I’m not sure how to explain it exactly, because all the voltages read within spec. His machine wouldn’t pass POST. In any case, a new power supply fixed it.

I ran across this site (PC Power Supply) and decided to give it a try myself. A trip to Radio Shack to pick up 6 binding posts (for ground, 3.3v, 5v, 12v, -5v, and -12v), a 10 watt 10 ohm wire wound resistor (for switching power supplies to work best, they must always have a load) to place on the 5v power supply, a lot of wire cutting, trimming, stripping, crimping, and sorting, a bunch of drilling, and volla! I built my own!

As you can see in the picture, mine is nowhere as neat as the one on the linked website. First of all, I drilled the mounting holes for the binding posts by eye. They’re not, shall we say, evenly spaced. Second of all, all connections should be soldered. I didn’t do this. I crimped all the connections together. So, maybe I’m a little lazy. It still works! Ironically, the only devices I had to test it with was a hard drive and a case fan. As soon as I get my hands on something I can destroy, it’s going on my new desktop power supply.

YouTube has recently added a feature to where you can post videos via your cell phone. All you need to do is set up a “mobile profile”. When you create your mobile profile, it’ll give you an e-mail-like address to send your videos to. You can create multiple profiles to separate your mobile videos into categories and whatnot, if you don’t feel like going back later and editing the video info. You also have the option of having the video public or private by default.

Out of sheer boredom, here’s an AWESOME video I posted a little while ago. I call it, ‘LX in the Garage’

Unfortunately, my cell phone only does 15 second clips and the quality isn’t awesome. Although…if I was to ever run into something that I must show the world instantly, it works.

So, I learned just enough about Apache’s mod_alias and mod_rewrite to be able to redirect URLs under my domains just about wherever I want, and keep the web browser back button functioning properly. This comes in handy especially when content has been moved from one location to another and you don’t want any links that may exist to become broken. It also comes in handy when you’re picky, like me, and want to force people to view your site(s) as http://www.foo.bar and not http://foo.bar alone , and when you’ve purchased multiple domains and want the old to forward to the new without any confusion.

Here are a couple examples of Apache and its redirection features at work (pay very close attention to your address bar):

http://hhsn.net/blog/
http://mn12.us/tech/air_silencer/index.htm

Go ahead, try out your browser back button. Now that’s a perfect redirection .

Also, I ran across an old website of mine. Anybody remember good ‘ol Hoppeville? Apparently, Tripod hasn’t deleted it yet. I was a bit shocked, especially since I haven’t touched it since 2003. I’m sure any day now it’s going to go away, so to preserve my web roots, I did a wget -m on it, and placed it here where it will remain forever, untouched.

Hoppeville, the website that sparked my web development and interest in servers, has brought back many many memories. I began to reminisce, and am amazed as how much I’ve learned–about computers, about cars, about everything. I am utterly amazed. It’s also a reminder on how fast time goes by. It seems that I last changed Hoppeville a few weeks ago. In reality, it’s been years.

Oh, the memories!

I never really used glxgears as a benchmark tool, but more as an “oh fuck my video drivers aren’t working” tool. In later versions of glxgears, I’ve noticed that it didn’t display FPS. I sort-of brushed it off and didn’t think much of it. Mainly because I’ve got my Mac, which gives me my *NIX fix and then some, and have stopped working in Linux enough to care about video drivers. If I’m working in a non OS X *NIX environment, it’s most likely a server, and we all know you don’t install a GUI of any sort on a server…that’s a waste of resources!.

Today, Sam discovered that you have to tell glxgears to display FPS manually. You want to know how this is done?

$ glxgears -iacknowledgethatthistoolisnotabenchmark

No, I am not joking. Funny, isn’t it? If your version of glxgears doesn’t display FPS when ran, give it a try.

This is making it awfully hard to not buy a MacBook right now… 

http://www.apple.com/macosx/bootcamp/

This just fuels my hatred for Microsoft.

http://slashdot.org/articles/06/04/05/1425216.shtml

As of 9:11 PM PST, the HP NetServer LC 2000r (aka debsrv01) was shut down. The migration to the Dell PowerEdge 830 server (aka debsrv02) has been successfully completed. I’m going to miss the big ol’ noisey system. It served me well. Now I must move on. Godspeed, my friend.

Let’s take a moment of Coldplay for the NetServer.

Coldplay – Clocks

Lights go out and I can’t be saved
Tides that I tried to swim against
You’ve put me down upon my knees
Oh I beg, I beg and plead (singing)
Come out of things unsaid, shoot an apple of my head (and a)
Trouble that can’t be named, tigers waiting to be tamed (singing)
You are, you are

You are [continues in background]
Home, home, where I wanted to go [x4]

Akismet: A centralized blacklist that comments left on your blog are checked against. Any comments that Akismet may miss and you mark as spam are contributed to the Akismet blacklist. This helps build a blacklist so bulletproof that you should never have to worry about comment spam again. It is explained better here.

————

I’ve been trying out Akismet for a few days. It definitely gets the job done in terms of catching comment spam. However, it still is not as good as a captcha.

Before I started using a captcha, I was getting at least 50 comment spams a day (sometimes up to 200!). It was ridiculous! I was fed up with the spam. So I decided to give SecureImage a try. It took a little tweaking and searching for a decent font. Once I got it working, it worked like it was supposed to. Humans posted comments…bots did not. I never ran into a single piece of comment spam again. The captcha did not allow bots to successfully post!! Whoo!!

About a week ago, Sam had sent me an e-mail about Akismet and wanted me to try it. I figured it was worth a shot, so I disabled my captcha and put Akismet to work.

The first night running Akismet went very well. It caught 2 comment spams! I was shocked. Only two?! Surley it had missed something! Nope…it didn’t. The second night it caught 4. Third night, 16. And tonight, 46. Akismet never skipped a beat and caught all the spam. But wait, the spam is coming back…with buddies! Ahhh!!!

I gave these numbers some thought, and only have one conclusion. The captcha was deterring bots from even bothering an attempt at a comment post. Disabling the captcha with a return spam rate that is very low…it’s got to be doing the trick. I can’t think of anything else. This is especially good news for those who pay for bandwidth by the unit. Hmm…maybe spambots have the winter off?? Nah.

Akismet does exactly what it’s designed to do, catch all comment spam, and it does it well. However, if you are picky like me and don’t like to see wasted bandwidth, CPU cycles, and hard drive writes due to the spam flowing through your WordPress database on your home-brew server with a measily DSL WAN connection, a captcha may be the way to go. Of course, if you could care less about the unnecessary load on your host and its Internet connection, Akismet does work.

To sum everything: As annoying as a captcha may be to your blog visitors, it is still the better way to eliminate comment spam.

You are now looking at Wordpress 2.0.2 on my new Dell PowerEdge 850 server. The only thing that I haven’t moved yet is Jabber. So far it’s been zero downtime, baby. Man, I’m getting good at this server juggling business!

On the left, you see my old server. An HP LC 2000r (that takes rather expensive memory). It’s got two 9 GB SCSI-2 drives. For now, it’s still taking care of Jabber. On the right, my new server (obviously). The Dell looks so much cooler. And look, it has a blue light! The Dell is fast, quitet, smaller, and bit stylish (for a server). I like it. (Click the picture to enlarge).

I dumped CMS Made Simple for a much better site design. Let me know what you think! http://www.hhsn.net/

I never even thought of trying this…

http://phoenix.cc.edu/MegaFloppy.htm

The only downside, since they did a striped set, is if ONE of the floppies goes bad…all data is lost. We all know how reliable a floppy disk is…yeah.