Adding Free SSL Certificates for HTTPS To Your Websites

I recently received a warning email from Google:

“Starting October 2017, Chrome (version 62) will show a ‘NOT SECURE’ warning when users enter text in a form on an HTTP page, and for all HTTP pages in Incognito mode.”

The recommended solution was to migrate the affected website(s) to HTTPS. This requires an SSL certificate. There are many companies selling those for hundreds of dollars. I didn’t really want to spend that money.

It turns out there is a free alternative: The Let’s Encrypt project (https://letsencrypt.org/) provides free SSL certificates with just enough functionality to run SSL with current browsers. It also provides automated tools that greatly assist you in obtaining and installing those certificates.

I had a default SSL host configured on my Apache 2.4 installation (inherited from a different server running Ubuntu) that I had to manually remove.

Then, when all virtual hosts only had port 80 (HTTP) enabled, I could run the certbot tool as root:

# certbot --apache

It enumerates all host names supported by your Apache installation. I ran it repeatedly, once for each domain and the corresponding www. host name (e.g. joewein.net, www.joewein.net) in my installation, and verified the results one at a time. It will create a new virtual host file in /etc/httpd/hosts-enabled for those hosts for port 443 (HTTPS). I appended the content of that file to my existing port 80 (HTTP) virtual host file in /etc/httpd/hosts-available for that host name and deleted the new file created by certbot. That way I can track all configuration details for each website for both HTTP and HTTPS in a single file, but this is purely a personal choice.

All it takes is an Apache restart to enable the new configuration.

You can test if SSL is working as expected by accessing the website with a browser using https:// instead of http:// at the start of the URI.

If you have iptables rules for port 80, you may want to replicate those for port 443 or the certificate generation / renewal may fail. Also, you want to make sure that SSLv3 is turned off on your Apache installation, to protect against the POODLE vulnerability. This required the following setting in ssl.conf:

/etc/httpd/conf.d/ssl.conf:

SSLProtocol all -SSLv2 -SSLv3

The free certificates will expire in 90 days, but it’s recommended to add a daily cron job that requests renewals so that an updated key will be downloaded after 60 days, long before the old key expires. Once that is in place, maintenance of SSL keys will be totally automatic.

Porting iptables to ip6tables

A couple of days ago I received an email notification from the Berkeley Security Notifications Team that a Linux server of mine had less restrictive firewall rules for IPv6 than it had for IPv4. This prompted me to update my ip6tables settings on that host to make it as secure over IPv6 as it was over IPv4.

If you have a dual stack server with IPv4 A records and IPv6 AAAA records published in DNS, you should have it protected with firewall rules on both protocols. Even if you only publish A records and not AAAA ones, you should secure IPv6 access because its address may leak to potential attackers in other ways.

The ip6tables tool is installed as part of iptables on recent distributions, but you need to set up one set of rules for each protocol. They’re independent of each other. A (not very secure) default ip6tables configuration might look like this:

# Generated by ip6tables-save v1.4.21 on Thu Sep 24 11:17:56 2015
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1456:118498]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
# Completed on Thu Sep 24 11:17:56 2015

It’s relatively easy to port additional settings from iptables to ip6tables (e.g. in /etc/sysconfig/iptables and /etc/sysconfig/ip6tables for CentOS).

Below are some of the changes needed when porting common entries. As you can see, some names are replaced with those of IPv6 equivalents. Any IP addresses and CIDRs for ip6tables need to be written in IPv6 notation.

To easily port over IPv4 addresses, simply prefix them with “::ffff:”. If they’re followed by a bit count such as /24 (the routing prefix size), add 96 to that number (IPv6 addresses are 128 bits each versus 32 bits for IPv4). Add equivalent rules for the corresponding native IPv6 addresses as needed.

  1. Accept ping from any source:

    IPv4:

    -A INPUT -p icmp -j ACCEPT

    IPv6:

    -A INPUT -p ipv6-icmp -j ACCEPT

  2. Accept connection from white-listed address:

    IPv4:

    -A SSH-IN -s 123.45.67.89/32 -j ACCEPT

    IPv6:

    -A SSH-IN -s ::ffff:123.45.67.89/128 -j ACCEPT
    -A SSH-IN -s 2345:abcd:678:42::/64 -j ACCEPT

  3. Rule to block access (after all the exceptions):

    IPv4:

    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited

    IPv6:

    -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
    -A FORWARD -j REJECT --reject-with icmp6-adm-prohibited

Filco Majestouch-2 [FKBN104M/EB2]

Recently, the space bar of the keyboard on my main machine developed a problem, so I ordered a Filco Majestouch-2 (US layout, USB version with PS/2 adapter). It uses brown Cherry MX switches.

I have always liked the feel and feedback of the original IBM PC and IBM PC/AT keyboards (which I first used in 1981). If you’re a fan of the original IBM keyboards, you’ll love this one. The Filco keyboards are not cheap, but you get what you pay for.

There are various models from Filco, some with the blue or black Cherry switches. The brown switches are recommended for general use, including office work and programming. I am very happy with mine and will probably order another one for another of my machines.

Acer One D260 system restore

The hard disk in my wife’s Acer One D260 netbook got damaged. A new hard disk is about a quarter the price of a new netbook, so I wanted to install a new drive. As with most PCs these days, no Windows install DVDs were included.

The netbook came with Windows 7 Starter, which we needed to somehow install on the new hard disk. Fortunately, the damaged hard disk was still limping along enough to use the Acer eRecovery system to create two Recovery DVDs. These should allow restoring the initial system state to a hard disk in the machine, wiping all the data on the drive.

To replace the hard disk, I had to undo seven clips around the edge of the keyboard, lift off the keyboard and disconnect the keyboard ribbon cable to the motherboard connector. Then I needed to undo 4 screws underneath and push through, to pop out the cover on the bottom of the machine. This opened access to the single memory slot and drive cage.

The 1 GB memory module on the motherboard can be replaced with a 2 GB PC3-8500 1066 MHz DDR3 module available for about $20. This is a worthwhile investment and I already have the module on order.

I replaced the damaged 250 GB WD Scorpio Blue drive with a spare 500 GB drive (available new for about $60-$80). Then I closed the cover and reinstalled the screws and then the keyboard.

With the new drive it was possible to boot off the first Recovery DVD using a USB DVD drive. The eRecovery software copied data from both DVDs to the hard disk and then rebooted. However, that reboot failed because the new drive did not yet have a Windows Master Boot Record (MBR) on it. You can install an MBR from within Windows, but not from the bootable eRecovery DVD. So I had a chicken and egg problem.

I overcame this hurdle by booting off a Ubuntu Live DVD (32 bit), installing the ‘lilo’ package and telling it to install the Linux equivalent of Microsoft’s MBR code:

sudo apt-get install lilo
sudo lilo -M /dev/sda mbr

At the next attempt to boot off the hard disk, Windows started installing its components and drivers and launched into its initial configuration, just like the first time we had unboxed the machine more than two years ago. So we are back to a working Windows 7 machine!

Thank you, Linux — you saved my day again! 🙂

Western Digital 4 KB sector drive alignment for Windows XP and 2003 server

If your existing Windows XP or Windows 2003 Server machine needs a new C: drive, there are ways of upgrading to one of the latest drives without a complete software reinstall, but you may encounter some stumbling blocks due to the new Advanced Format technology, which uses 4 KB sectors.

When one of my PCs developed hard disk problems and I had to upgrade one of its drives, I also checked out my other machines. I found the C: drive of a Windows 2003 Server machine was about to fail. Windows 2003 is basically the server version of Windows XP, with which it shares most components. I opted for a 1 TB WD Red drive (WD10EFRX) by Western Digital, since these drives are designed for 24/7 operation, primarily for use in Network Attached Storage (NAS) appliances (desktop drives are only designed for an 8 hours on, 16 hours off use pattern).

I did not want to reinstall everything from scratch on that machine, so I used a Linux boot DVD and the GNU dd utility to mirror the failing drive onto the new WD Red drive (“sudo dd if=/dev/sda of=/dev/sdb”). As a result, all the partitions were in the same place and the same size as on the old drive, a Seagate Barracuda 7200.11 320 GB. The partitions on the old drive had not been aligned on 4 KB boundaries as is recommended to get decent performance on modern Advanced Format drives, so I needed to run an align tool to move the partition to the proper place. Western Digital offers one free to its customers, so that should be easy then, right?

Not quite. I encountered all the troubles described by others in this thread: Basically, the download link for the WD Align tool (AcronisAlignTool_s_e_2_0_111.exe) takes you back to the same page, over and over, without any error message. It turns out that you need to be registered and logged in to the WD site for the download link to do anything. You need to register both your contact details (name, e-mail address, postal address, phone number) and your hard disk’s serial number. For the latter I had to shut down the machine again and take out the drive once more to take a look, because the number is not printed on the cardboard box, only on the drive itself.

Once I registered my new drive, a download link did appear next to the registered product, but from it I found I could only download Acronis True Image and not the Acronis Align Tool (Advanced Format Software, WD Align). The WD Red series drives are all Advanced Format Drives, as is pretty much every drive made since 2011, but WD say it is designed for NAS use and hence don’t see the need for a fix for what they see as a Windows XP problem.

Various people online recommended a download site in Ukraine that apparently offers a copy of that program, but if you’re downloading from sites like that you risk installing malware on your computer. Beware!

There is a safer solution. I had to register another Western Digital drive, an old WD10EARS to get a usable download link for Advanced Format Software. If you don’t happen to have one lying around, a Google image search for WD10EARS will show you many photographs of disk drives with clearly readable serial numbers on the label. And apparently, these serial numbers will do the trick! 😉

After I downloaded the software, I ran it to make a bootable CD (it also seems to be Linux-based), booted and ran it and 1 hour and 30 minutes later my C: partition was showing up as properly aligned.

I can understand that Western Digital wants to restrict the use of licensed Acronis software to its own customers, denying other brands a free ride. However, the hoops it is making people jump through to be able to use one of their new drives as an upgrade to an existing Windows XP machine is just ridiculous. If a login is required to do the download, it should clearly say so. And if a drive uses 4 KB sectors (Advanced Format), its serial number should qualify you for the download. There are millions of existing XP users out there still and many will need new hard disks before they need a new computer.

Upgrading to a Western Digital WD20EFRX hard disk

All hard disks will die, sooner or later. The only way to avoid that is to retire a drive early enough. Often I upgrade drives because I run out of disk space, and migrate the data to a bigger drive. However, this time it looks like one of my drives is about to die.

Over the last couple of months, one of my PCs that is processing data 24/7 has been seizing up periodically, so I was starting to get suspicious about its hard drives (it has two of them). This week the Windows 7 event viewer reported that NTFS had encountered write errors on the secondary drive. It’s a Samsung SpinPoint F2 EG (Samsung HD154UI, 1.5 TB) which basically has been busy non-stop for over three years.

I installed smartmontools for Windows and it showed errors:

ID# ATTRIBUTE_NAME FLAG VALUE WORST THRESH TYPE UPDATED WHEN_FAILED RAW_VALUE
1 Raw_Read_Error_Rate 0x000f 099 065 051 Pre-fail Always - 5230
(...)
13 Read_Soft_Error_Rate 0x000e 099 065 000 Old_age Always - 5223
(...)
187 Reported_Uncorrect 0x0032 100 100 000 Old_age Always - 12379
(...)
197 Current_Pending_Sector 0x0012 099 099 000 Old_age Always - 24

“Reported_Uncorrect” are fatal errors and “Current_Pending_Sector” are bad sectors the drive wants to replace with spare sectors as soon as it can. Neither is a good sign. So I have started a backup to another machine and will replace the drive with a new disk that I have ordered from Amazon.
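As an added example (not from the post), here is a small C checker that parses the smartctl attribute rows quoted above and flags the two attributes the post singles out, plus any Pre-fail attribute whose normalised VALUE has dropped to its THRESH. The sample rows are constructed from the post’s output and the function names are this example’s own.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample input: the four "smartctl -A" rows quoted in the post
   (the rows the post elided with "(...)" are left out here as well). */
static const char *SAMPLE_SMART[] = {
    "  1 Raw_Read_Error_Rate     0x000f   099   065   051    Pre-fail  Always       -       5230",
    " 13 Read_Soft_Error_Rate    0x000e   099   065   000    Old_age   Always       -       5223",
    "187 Reported_Uncorrect      0x0032   100   100   000    Old_age   Always       -       12379",
    "197 Current_Pending_Sector  0x0012   099   099   000    Old_age   Always       -       24",
};
#define SAMPLE_SMART_COUNT 4

#define WARN_UNCORRECT 1  /* ID 187 raw count > 0: uncorrectable (fatal) read errors */
#define WARN_PENDING   2  /* ID 197 raw count > 0: sectors waiting to be remapped   */
#define WARN_PREFAIL   4  /* Pre-fail attribute whose normalised VALUE reached THRESH */

struct smart_attr {
    int id;
    char name[64];
    int value, worst, thresh;
    char type[16];
    long long raw;
};

/* Parse one attribute row: ID NAME FLAG VALUE WORST THRESH TYPE UPDATED WHEN_FAILED RAW.
   Returns 1 on success, 0 for the header line or a malformed row. */
int parse_smart_line(const char *line, struct smart_attr *a)
{
    char flag[16], updated[16], failed[16];
    int n = sscanf(line, "%d %63s %15s %d %d %d %15s %15s %15s %lld",
                   &a->id, a->name, flag, &a->value, &a->worst, &a->thresh,
                   a->type, updated, failed, &a->raw);
    return n == 10;
}

/* Bitmask of WARN_* reasons for one parsed attribute (0 = nothing to report). */
int smart_warnings(const struct smart_attr *a)
{
    int w = 0;
    if (a->id == 187 && a->raw > 0) w |= WARN_UNCORRECT;
    if (a->id == 197 && a->raw > 0) w |= WARN_PENDING;
    if (strcmp(a->type, "Pre-fail") == 0 && a->thresh > 0 && a->value <= a->thresh)
        w |= WARN_PREFAIL;
    return w;
}

/* Warnings for a raw text row; -1 if the line is not an attribute row. */
int smart_line_warnings(const char *line)
{
    struct smart_attr a;
    if (!parse_smart_line(line, &a)) return -1;
    return smart_warnings(&a);
}

/* Scan all rows, print the flagged ones, return how many were flagged. */
int scan_smart(const char **lines, int count)
{
    int i, flagged = 0;
    for (i = 0; i < count; i++) {
        int w = smart_line_warnings(lines[i]);
        if (w > 0) {
            printf("WARNING (mask %d): %s\n", w, lines[i]);
            flagged++;
        }
    }
    return flagged;
}

int main(void)
{
    int n = scan_smart(SAMPLE_SMART, SAMPLE_SMART_COUNT);
    printf("%d attribute(s) suggest replacing the drive\n", n);
    return n > 0;  /* non-zero exit when something was flagged, like a health check */
}
```

On the post’s rows this flags Reported_Uncorrect and Current_Pending_Sector; Raw_Read_Error_Rate stays quiet because its VALUE (99) is still well above its THRESH (51).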

The new drive is a 2 TB Western Digital WD20EFRX, which is part of WD’s “Red” series. These drives are specifically designed for 24/7 operation (as opposed to 8/5 office computers). The drive is 0.5 GB bigger, which is just as well as the old drive was getting close to filling up. Gradually I will be moving my processing to an Ubuntu server, which I already use as my main archive machine with a RAID6 drive array.

What is Skipity and why is it in FireFox?

I mostly use Google Chrome these days, but still have Mozilla FireFox installed as a browser, which used to be my standard browser before I switched to Chrome.

Today I launched FireFox again and was surprised to see something called Skipity in its toolbar. Furthermore, when I tried to go to my browser custom start page (a page with my most useful links) it took me to the Skipity website. A Google search showed that Skipity comes as part of an add-on called “Download Youtube video 12.0”. I removed that add-on, restarted FireFox, opened the URL I previously had as the browser start page and went to “Tools > Options > General > Startup” to select that URL as the start page again.

Any software that changes the start page of the browser without your consent should be permanently banned from your computer!

strcpy data corruption on Core i7 with Linux 64bit

If you’re a C programmer, does this code look OK to you?

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char* argv[])
{
  char szBuffer[80];
  strcpy(szBuffer, "abcdefghijklmnopqrstuvwxyz");
  printf("Before: %s\n", szBuffer);
  strcpy(szBuffer, szBuffer+2);
  printf(" After: **%s\n", szBuffer);

  return 0;
}

Here is the output on my server, a Core i7 running Debian 6:

Before: abcdefghijklmnopqrstuvwxyz
 After: **cdefghijklmnopqrstuvwzyz

What the program does is drop two characters from a text string in a buffer, moving the rest of it left by two characters. You expect the moved characters to stay in sequence, but if you compare the last three characters of the output you see that this isn’t the case. The ‘x’ has been obliterated by a duplicate ‘z’. The code is broken.

It’s a bug, and not a straightforward one, as I’ll explain.

I first came across it a couple of months ago, as I was moving some code of mine from an Athlon 64 Linux server to a new Intel Core i7 server. Subsequently I observed strange corruption in data it produced. I tracked it down to strcpy() calls that looked perfectly innocent to me, but when I recoded them as in-line loops doing the same job the bug went away.

Yesterday I came across the same problem on a CentOS 6 server (also a Core i7, x86_64) and figured out what the problem really was.

Most C programmers are aware that overlapping block moves using strcpy or memcpy can cause problems, but assume they’re OK as long as the destination lies outside (e.g. below) the source block. If you read the small print in the strcpy documentation, it warns that results for overlapping moves are unpredictable, but most of us don’t take that at face value and think we’ll get away with it as long as we observe the above caveat.

That is no longer the case with the current version of the GNU C compiler on 64-bit Linux and the latest CPUs. The current strcpy implementation uses super-fast SSE block operations that only work reliably if the source and destination don’t overlap at all. Depending on alignment and block length they may still work in some cases, but you can’t rely on it any more. The same caveat theoretically applies to memcpy (which is subject to the same warnings and technically very similar), though I haven’t observed the problem with it yet.

If you do need to remove characters from the middle of a NUL terminated char array, instead of strcpy use your own function based on the memmove and strlen library functions, for example something like this:

void myStrCpy(char* d, const char* s)
{
  memmove(d, s, strlen(s)+1);
}
...
  char szBuffer[80];
...
  // remove n characters i characters into the buffer:
  myStrCpy(szBuffer+i, szBuffer+i+n);
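Added example (not the post’s code) of the same memmove-based approach with bounds checking, run against the post’s own test string so you can see the tail stays intact; str_remove and demo_remove are names chosen for this example.

```c
#include <stdio.h>
#include <string.h>

/* Remove n characters starting at offset i from the NUL-terminated string in buf.
   memmove is defined for overlapping source and destination, unlike strcpy and
   memcpy, so this is the overlap-safe form of the post's myStrCpy(buf+i, buf+i+n).
   An out-of-range i removes nothing and n is clamped to the remaining length.
   Returns the number of characters actually removed. */
size_t str_remove(char *buf, size_t i, size_t n)
{
    size_t len = strlen(buf);
    if (i >= len) return 0;
    if (n > len - i) n = len - i;
    memmove(buf + i, buf + i + n, len - i - n + 1);  /* +1 moves the NUL as well */
    return n;
}

/* Copy the post's test string into a fresh buffer, apply str_remove and return
   the result (static storage, overwritten on each call). */
const char *demo_remove(size_t i, size_t n)
{
    static char buf[80];
    strcpy(buf, "abcdefghijklmnopqrstuvwxyz");  /* no overlap here, strcpy is fine */
    str_remove(buf, i, n);
    return buf;
}

int main(void)
{
    printf("Before: abcdefghijklmnopqrstuvwxyz\n");
    printf(" After: **%s\n", demo_remove(0, 2));     /* the post's case: tail keeps ...vwxyz */
    printf("Middle: **%s\n", demo_remove(10, 3));    /* drops klm from the middle */
    printf("Clamp:  **%s\n", demo_remove(24, 100));  /* n clamped to the 2 chars left */
    return 0;
}
```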

I don’t know how much existing code the “optimized” strcpy library function broke in the name of performance, but I imagine there are many programmers out there that got caught by it like I was.


APC Smart-UPS 750 with Ubuntu 11.4


I finally got myself an uninterruptible power supply (UPS). The infamous August heat in Tokyo has been pushing power use including air conditioning close to the limit of what Tepco can supply: All 10 reactors in Fukushima Daiichi and Daini are either destroyed or shut down. In total about 2/3 of the nuclear power capacity in Japan is currently offline. That gave me one more reason to shop for a UPS. The other was that I have a Linux server and Linux file systems tend to use a lot of write buffering, which can make a mess of a hard disk partition if power is lost before the data is fully written to disk.

A friend recommended APC as a brand. Researching which of their ranges was suitable for my server, it appeared that some advanced PC power supplies with Power Factor Correction (PFC) have problems with the consumer level APC models, which output a square wave when in battery power mode. The more business-oriented models output something closer to a sine wave, the shape of power supplied by your utility company. Because of that I went for the APC Smart-UPS range. The server draws less than 50W, so there wasn’t really much point going for the beefiest models. That’s how I picked the APC Smart-UPS 750 with 500W of output power. My exact model is the SUA750JB, the 100 V, 50/60 Hz model for Japan. If you live in North America, Europe, Australia or New Zealand you’ll use either the 120V or 230V models. There’s also a 1000W (1500 VA) model, the APC Smart-UPS 1500, which features a larger capacity battery and larger power output.

The UPS arrived within two days. There’s a safety plug at the back of the unit which when open disconnects the battery for transport, which you’ll have to connect to make it work. The internal lead-acid batteries appeared to come fully charged. They are fully sealed units that are supposed to be leak-proof.

My unit came with a manual in Japanese and English but no software of any kind. It came with a serial cable, which I don’t have any use for, as virtually all modern PCs no longer have legacy serial and parallel ports. What I needed was a USB cable with one type A and one type B connector and that was not included. I am not sure why APC bundles the serial cable and not the USB cable. For an item in this price range, the USB cable should not be extra. However, I had a couple of suitable cables lying around from USB hard disks and flat screen monitors with built-in USB hubs, so it wasn’t a problem. You may want to check if the unit you’re buying comes bundled with the USB cable or if you may need to get one separately.

Once you connect the UPS to the PC using a USB cable, you should be able to verify that Linux has detected the device. Run:

me@ubuntu-pc:~$ lsusb
Bus 003 Device 003: ID 051d:0002 American Power Conversion Uninterruptible Power Supply

The software I’m using for Linux is the apcupsd daemon, whose source code is available on SourceForge. I compiled it this way:

./configure --enable-usb
make
sudo make install

To be able to run it you need to edit some config files. In /etc/default/apcupsd set

ISCONFIGURED=yes

In /etc/apcupsd/apcupsd.conf:

UPSCABLE usb (default: smart)
UPSTYPE usb (default: apcsmart)
DEVICE (default: /dev/ttyS0)

Stop and start the daemon and you’re in business:

/etc/init.d/apcupsd stop
/etc/init.d/apcupsd start

While the daemon is stopped you can also run apctest to run various tests on the unit.

Test that the UPS works, by pulling the power cable from the wall socket. The UPS should raise an audible alarm and its LEDs should switch from the sine wave symbol to the sine wave with battery poles symbol. Also be aware that UPS batteries do not last forever, especially if they’re used in a hot environment. You may get anywhere between 2 to 4 years of use out of them. Replacement batteries from third parties are usually available for much less than original parts from the UPS manufacturer.

Gateway M-6750 with Intel Ultimate-N 6300 under Ubuntu and Vista

My Gateway M-6750 laptop uses a Marvell MC85 wireless card, for which there is no native Linux driver. Previously I got it working with Ubuntu 9.10 using an NDIS driver for Windows XP. Recently I installed Ubuntu 11.04 from scratch on this machine (i.e. wiping the Linux ext4 partition) and consequently lost wireless access again.

Instead of trying to locate, extract and install the XP NDIS driver again, this time I decided to solve the problem in hardware. Intel’s network hardware has good Linux support. I ordered an Intel Centrino Ultimate-N 6300 half-size mini PCIE networking card, which cost me about $35. Here is how I installed it.

Here is a picture of the bottom of the laptop. Remove the three screws on the cover closest to you (the one with a hard disk icon and “miniPCI” written on it) and open the cover. Use a non-magnetic screwdriver because the hard disk is under that cover too. As a matter of caution, use only non-magnetic tools near hard disks or risk losing your data.

Remove the screw that holds the MC85 card in the mini PCI slot on the right. Remove the network card. Carefully unplug the three antenna wires. Connect those wires to the corresponding locations on the Intel card. Insert the Intel card into the socket on the left. Note: I had first tried the Intel card in the socket on the right but in that case it always behaved as if the Wireless On/Off switch was in the Off position, regardless of its actual state. Even rebooting didn’t make it recognize the switch state. The left mini PCI socket did not have this problem 🙂

Because the Intel card is a half size card you will also need a half size to full size miniPCI adapter to be able to screw down the card to secure it. Instead I simply used a stiff piece of cardboard (an old business card) to hold it in place and closed the cover again. If you take your laptop PC on the road a lot I recommend doing it properly (don’t sue me if the cardboard trick melts your motherboard or burns down your house).

Download the Intel driver and utility set for Windows from the Intel website using a wired connection. Under Ubuntu the card seemed to work first time I rebooted into it. I just had to connect to the WLAN.

UPDATE:

I fixed it properly using a half size to full size Mini PCI-E (PCI Express) adapter converter bracket by Shenzhen Fenvi Technology Co., Ltd. in Guangdong. I had found it on Alibaba. I paid $9.50 by Paypal and a bit over a week later five sets of brackets and matching screws arrived by mail from Hong Kong (one set is only $1.90 but the minimum order was 5, so that’s what I ordered). The brackets come with about a dozen each of two kinds of screws. Four of the smaller screws worked fine for me.