Thursday, August 24, 2017

OpenVPN error CRL has expired

I have webmin and openvpn installed.

After an upgrade to openvpn and openssl I recreated certificates and after a bit I got the following error:

error=CRL has expired

I couldn't see how to regenerate the required files in webmin, and on the commandline it kept throwing errors. I did not have easy-rsa installed.

There is some guidance on this, e.g. here:

https://forums.openvpn.net/viewtopic.php?t=23166

https://u5r.nl/post/openvpn-crl-has-expired

However, this doesn't help too much. What I did was open this file:

/etc/openvpn/openvpn-ssl.cnf

Modify this line to something longer, e.g. 365:

default_crl_days= 30            # how long before next CRL


Add the following details from:

/etc/openvpn/keys/your-server/ca.config

to the openvpn-ssl.cnf file:

# This definition stops the following lines choking if HOME isn't
# defined.
HOME            = .
RANDFILE        = $ENV::HOME/.rnd

# From here
CA_NAME='your-server'
CA_EXPIRE='3650'
KEY_SIZE='2048'
KEY_CONFIG='/etc/openvpn/openvpn-ssl.cnf'
KEY_DIR='/etc/openvpn/keys/your-server'
KEY_COUNTRY='AA'
KEY_PROVINCE='Province'
KEY_CITY='City'
KEY_ORG='Org'
KEY_EMAIL='email@gmail.com'

KEY_OU='OU'
KEY_CN='CN'
# To here


Now cd /etc/openvpn

openssl ca  -gencrl -keyfile keys/your-server/ca.key -cert keys/your-server/ca.crt  -out keys/your-server/crl.pem -config ./openvpn-ssl.cnf

Restart Openvpn and you should be good to go until the crl_days expire
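
A check that could run from cron so the CRL is regenerated before its nextUpdate passes rather than after clients start failing. This is an added example, not part of the original post; WARN_DAYS and the function names are assumptions, and the CRL path follows the layout used above.

```shell
#!/bin/sh
# Added example: report how long the OpenVPN CRL has before nextUpdate passes.
CRL=${CRL:-/etc/openvpn/keys/your-server/crl.pem}  # path layout from the post
WARN_DAYS=${WARN_DAYS:-14}                         # hypothetical threshold

# Convert "nextUpdate=Sep 23 10:00:00 2017 GMT" (the output format of
# `openssl crl -noout -nextupdate`) to a Unix epoch with POSIX arithmetic only.
crl_next_epoch() {
    set -- ${1#nextUpdate=}            # split into: Mon DD HH:MM:SS YYYY GMT
    [ $# -ge 4 ] || return 1
    case $1 in
        Jan) m=1;; Feb) m=2;; Mar) m=3;; Apr) m=4;; May) m=5;; Jun) m=6;;
        Jul) m=7;; Aug) m=8;; Sep) m=9;; Oct) m=10;; Nov) m=11;; Dec) m=12;;
        *) return 1;;
    esac
    d=${2#0}; y=$4
    hh=${3%%:*}; rest=${3#*:}; mi=${rest%%:*}; ss=${rest#*:}
    hh=${hh#0}; mi=${mi#0}; ss=${ss#0}   # avoid octal parsing of "08"/"09"
    # Days since 1970-01-01, counting years from March so leap days fall last.
    if [ "$m" -le 2 ]; then y=$((y - 1)); fi
    era=$((y / 400)); yoe=$((y - era * 400)); mp=$(( (m + 9) % 12 ))
    doy=$(( (153 * mp + 2) / 5 + d - 1 ))
    doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
    echo $(( (era * 146097 + doe - 719468) * 86400 + hh * 3600 + mi * 60 + ss ))
}

# crl_status NEXTUPDATE_LINE NOW_EPOCH WARN_DAYS -> "EXPIRED", "WARN n" or "OK n"
crl_status() {
    next=$(crl_next_epoch "$1") || { echo UNKNOWN; return 0; }
    left=$(( (next - $2) / 86400 ))
    if [ "$next" -le "$2" ]; then echo EXPIRED
    elif [ "$left" -lt "$3" ]; then echo "WARN $left"
    else echo "OK $left"
    fi
}

# Only touches the real CRL when it exists on this host.
if [ -r "$CRL" ]; then
    crl_status "$(openssl crl -in "$CRL" -noout -nextupdate)" "$(date +%s)" "$WARN_DAYS"
fi
```

With default_crl_days raised to 365 the failure only recurs once a year, which makes it easy to forget; a WARN result is the cue to rerun the `openssl ca -gencrl` command and restart OpenVPN.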


Thursday, July 20, 2017

Linux Mint 18 RTL8723BE wifi disconnecting

HP 14-an062sa with RTL8723BE

Here's a tale of woe.

A friend asked me to install linux on a W10 laptop. I decided to try Mint.

Installed fine and all was good. Except complaints that the wifi kept disconnecting etc.

On inspection it clearly did, and it appears the kernel driver for version 4.4.x does not work correctly. There are lots of posts on this and how to download and compile the Realtek driver.


Unfortunately on upgrade to the 4.8.x kernel it all breaks again and will not compile. Allegedly the kernel includes a newer version of the driver.

I unloaded and reloaded it, but again the usual tales of woe.

I tried the suggested ant_sel=2 and that was a fail.

Eventually out of desperation I tried ant_sel=1 and Lo ! the damn thing fired into life.

To persist across reboots do the following

echo "options rtl8723be ant_sel=1" | sudo tee /etc/modprobe.d/50-rtl8723be.conf

That should fix it.

Monday, February 6, 2017

Mongod logrotate failure

I had an issue with rocketchat and mongod with Red Hat's SCL version of mongod. Basically mongod failed when it tried to rotate its own logs, which then caused rocketchat to fail.

There are a number of sources online for this, notably here:

https://jira.mongodb.org/browse/SERVER-11087

https://serverfault.com/questions/540423/mongodb-proper-way-to-rotate-logs/653095


Here is my (apparently) successful version:

 cat /etc/logrotate.d/rh-mongodb26-mongodb  

 /var/opt/rh/rh-mongodb26/log/mongodb/*.log {  
 weekly  
 rotate 10  
 copytruncate  
 delaycompress  
 compress  
 notifempty  
 missingok  
 create  
 postrotate  
 # Original line  
 # /bin/kill -USR1 `cat /var/opt/rh/rh-mongodb26/run/mongodb/mongod.pid 2>/dev/null` 2> /dev/null|| true  
 # New line  
 /usr/bin/kill -USR1 `cat /var/opt/rh/rh-mongodb26/run/mongodb/mongod.pid 2>/dev/null` 2> /dev/null|| true  
 rm /var/opt/rh/rh-mongodb26/log/mongodb/mongod.log.????-??-??T??-??-??  
 endscript  
 }  


Test with:

 logrotate -v -f /etc/logrotate.d/rh-mongodb26-mongodb  

Sunday, November 6, 2016

Remote debugging pydbgpproxy dbgp.proxy: No server with key

I decided to try and run a debug proxy so I could run multiple connections to xdebug from KomodoIDE.

That has caused a lot of frustration.

First I copied the dbgpproxy files to the server.

I then hacked php.ini as suggested setting the xdebug.remote_host to localhost/127.0.0.1 so my php.ini looked like this:

xdebug.remote_enable                   = true
xdebug.remote_host                     = 127.0.0.1
xdebug.remote_port                     = 9000
xdebug.remote_handler                  = dbgp
xdebug.remote_log                      = /var/log/xdebug.log
xdebug.remote_mode                     = req


I restarted Apache and then ran the proxy like this:

[root@home php.ini]# python /root/dbgp/bin/pydbgpproxy -l DEBUG
INFO: dbgp.proxy: starting proxy listeners.  appid: 9795
INFO: dbgp.proxy:     dbgp listener on 127.0.0.1:9000
INFO: dbgp.proxy:     IDE listener on  127.0.0.1:9001


In Komodo I set the Listening port to 'system provided free port'

I set 'I am listening to a proxy' and added the IP and port of the server


But I kept getting errors:

Failed to start the listener socket on port 9001, error: -1 (the debugger proxy could not be contacted.)

If I tried to debug a file like this:

https://192.168.10.1/Test.php?XDEBUG_SESSION_START=users

I would get a proxy error like this:

WARNING: dbgp.proxy: No server with key [users], stopping request

Having tried multiple settings I finally found this page which gave me the clue :

https://confluence.jetbrains.com/display/PhpStorm/Multi-user+debugging+in+PhpStorm+with+Xdebug+and+DBGp+proxy

You have to set the proxy like this.

-i proxyserverExternalIP:port you specify in the proxy settings
-d IP:local debug port on the server (set in php.ini)

e.g.:

python /root/dbgp/bin/pydbgpproxy -d 127.0.0.1:9000 -i 192.168.10.1:9001

And presto ! You can now connect multiple users.

Tuesday, October 18, 2016

UK Privacy does not exist

Why Privacy is important

We live in a supposedly democratic state under the rule of law.

That law is quite clear. You are innocent until proven guilty.

If you have allegedly committed a crime then it is up to the powers of law enforcement to find the evidence to support their allegations.

In normal life you do not expect to be followed and surveyed 24/7 just in case you may commit a crime. You have an inalienable right to privacy. You are presumed innocent until proven guilty.

The problem with online surveillance (and this includes 'legal' sites such as Google, Facebook etc) is that you can't see it, so people do not consider it important. But it is as much an invasion of your privacy as having a policeman following you all day every day, just in case you commit a crime.

Think about it like this.

Your daughter decides to go shopping. As she leaves the house, the policeman who has been assigned to her 24/7 follows along behind noting her every move. She meets her friends. Who are also followed by their officers.

Because she has her location services on, her every movement is being tracked. She uses her messaging service to chat to friends. The messaging service takes all her contact details. Which would be fine if the people who had given her their details were happy for a third party to take them without their consent.

They stop at a map of the shopping centre where a guide (think Google 'cookie') kindly shows them where various shops are, and points out what the guide thinks are all the best deals (for which they get commission). As they head off to the shops, the guide follows them noting their every move, and helpfully adding suggestions as they go.

They pop into a store. The store assigns them a watcher (think 'cookie') who follows and notes their every move. When they leave the shop the follower is in tow, all the while noting their every move. As she has wifi on her phone, even without logging on, her movements are tracked and her details are passed to other shops who rush to add their followers, even though she has never been in their shops. If she logs on to the wifi then the wifi station will then watch every piece of data flowing through, which is also passed to numerous third parties.

They go to another shop, browse and buy something. The bank assigns a follower, who happily advises them of all the great banking deals they can avail themselves of and, as they can then track them to individual shops, can offer specific deals. The shop also assigns them another follower. The goods have an RFID tag, which can register in other shops as they browse, even if they have no intention of buying.

After some more browsing, and a bite to eat they arrive home. With a policeman, a spy, and numerous followers, all with their clipboards and wanting to bed down for the night so they can continue to watch her every move. They know where she lives, and where you live, and in the morning they are going to be following you too.

If you opened the door to see that, what would your reaction be ? Your daughter has done nothing wrong, and broken no laws. The issue is you cannot physically see it happening. That does not for one moment make it right.

Living your life like that in a permanently watched police state is what happened in the Eastern Bloc during the cold war. It still happens in numerous countries throughout the world. North Korea, China etc. You think the UK is any different ? It is not.

The UK population is one of the most watched populations on earth, from CCTV through to bulk internet surveillance. No, it may not be a physical presence, but it is a presence nonetheless. Just because you cannot see it does not mean that it is not there. You breathe, but cannot see the air. Surveillance is the same.

If you want to live in a nation where you are presumed guilty from the start then just carry on.

Personally I don't.

Wednesday, June 8, 2016

Crenova support, manuals and firmware

Or lack of it....

If you are looking for support, manuals or firmware for a Crenova product, good luck.

A friend of mine bought one recently - a Crenova XPE600 projector. Not a bad little unit for the money all things considered EXCEPT.

Try finding out ANYTHING about it.

Anything... reviews galore indeed. But anything of ANY substance AT ALL ?

Having looked around a bit I am pretty convinced this is a fake brand name set up by a large company such as Amazon to supply cheap products but avoid support costs.

Here's the supposed 'Home Page'

http://crenovamultimedia.co.kr/

Not a lot there on projectors.....

I then stumbled on this place

https://www.linkedin.com/company/crenova-technology-gmbh

Who have a link to

http://www.crenova.tv

Unsurprisingly that resolves back to the Korean address.

On the Korean website you have a link to ... www.crenova.tv which links back to...... get the idea?

Hmmm....

A quick whois for this shady bunch

http://whois.domaintools.com/crenova.tv

Hmmmmm.

Seems they have a few domains for Crenova too

http://reversewhois.domaintools.com/crenova-multimedia

Registered to Cronon, a German Hosting company. Someone is hiding themselves well.

The main 'Company'

http://whois.domaintools.com/crenovamultimedia.co.kr

So all in all, nothing. Ahhhh, a Facebook page. Shame there is no 'These are scammers' button.

So the upshot is - avoid Crenova at all costs. If it looks like a scam, and smells like a scam, then ......


--------------------


As a follow-up, it appears that the Crenova XPE600 is also known as an iRULU 2600 Lumens Home Cinema aka BL-20

Good luck with them too.....

Tuesday, May 24, 2016

Proxmox v4 using Jessie PXE boot

Had a bit of fun getting this running with my existing PXE setup. I wanted a non standard disk layout for Proxmox.

The Debian PXE way (stupidly) assumes it is the only distro in town so making it work with a tftp setup with multiple distros is a touch more tricky.

I assume you have a working tftp setup.

I store my image files in:

/tftpboot/images/somedirectory

I have the following directories in my tftpboot directory:

com32 > contains vesamenu.c32 etc
graphics > contains background images
images > contains directories for each distro
pxelinux.cfg > contains config files

pxelinux.0 is in the root tftpboot directory

To make Debian boot we have to amend a whole pile of paths.... tftpd is very dumb so you have to be pretty specific about where stuff is stored.

First I extracted the relevant Debian boot files from netboot.tar.gz to

/tftpboot/images/debian

In my 'default' tftpd config file I have several menu choices leading off to other menus and configs. I first added a link to the Debian installer menu.

cat /tftpboot/pxelinux.cfg/default

# header stuff
label Debian Netinstall
 menu label ^Debian Netinstall
 kernel com32/vesamenu.c32
 append pxelinux.cfg/debian

I then added a 'debian' config file containing the following:

cat /tftpboot/pxelinux.cfg/debian

# D-I config version 1.0
include images/debian/debian-installer/amd64/boot-screens/menu.cfg
default images/debian/debian-installer/amd64/boot-screens/vesamenu.c32
prompt 0
timeout 0

Now you have to adjust paths/directories in the debian config files.

In my case here : /tftpboot/images/debian/debian-installer/amd64/boot-screens

grep -r -l debian-installer * | xargs sed -i "s|debian-installer|images/debian/debian-installer|g"

One last issue is the possible lack of firmware for your hardware.

I fixed this by doing the following:

# cd to the directory where you have your initrd
cd /tftpboot/images/debian/debian-installer/amd64
[ -f initrd.gz.orig ] || cp -p initrd.gz initrd.gz.orig
[ -f firmware.cpio.gz ] || wget http://cdimage.debian.org/cdimage/unofficial/non-free/firmware/stable/current/firmware.cpio.gz
cat initrd.gz.orig firmware.cpio.gz > initrd.gz

Hopefully you can now PXE boot and get your Debian installed
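
The firmware step above fetches an archive over plain HTTP and merges it into the initrd that every PXE install boots. The following is an added example, not from the original post, that refuses the merge unless the download matches a checksum file; the function name and the presence of a SHA256SUMS file obtained from a trusted source are assumptions.

```shell
#!/bin/sh
# Added example: only merge firmware into the installer initrd if its
# SHA-256 matches the entry in a checksum file.
# append_firmware ORIG_INITRD FIRMWARE SUMS_FILE OUT_INITRD  (hypothetical name)
append_firmware() {
    orig=$1 fw=$2 sums=$3 out=$4
    name=$(basename "$fw")
    # Checksum files list "<hash>  <name>" (or "<hash> *<name>").
    want=$(awk -v f="$name" '$2 == f || $2 == "*" f { print $1; exit }' "$sums")
    got=$(sha256sum "$fw" | awk '{ print $1 }')
    if [ -z "$want" ]; then
        echo "no checksum entry for $name in $sums" >&2; return 2
    fi
    if [ "$want" != "$got" ]; then
        echo "checksum mismatch for $name; initrd left untouched" >&2; return 1
    fi
    # Build the new image beside the target, then rename it into place, so a
    # TFTP client never fetches a half-written initrd.
    tmp="$out.new.$$"
    cat "$orig" "$fw" > "$tmp" && mv "$tmp" "$out"
}

# Run only when all three inputs are in the current directory.
if [ -f initrd.gz.orig ] && [ -f firmware.cpio.gz ] && [ -f SHA256SUMS ]; then
    append_firmware initrd.gz.orig firmware.cpio.gz SHA256SUMS initrd.gz
fi
```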