I now have a shiny new RoundCube 0.3 install, thanks gentoo! And I bumped up the server with an [emerge -Davu world] as well. A glorious new day. :>
The gory details follow. (continued…)
Ordered and received…
- Macbook Pro 17″ with 3.08GHz, 500GB-7200RPM, anti-glare-screen
- iPod Touch 8GB
- OS X 10.6 (Snow Leopard)
Next I’ll get…
- iPhone 3GS
Here are all the notes on setting these puppy dogs up… (continued…)
There is only one way I know of to get free functional legitimate SSL encryption for your web server, and that’s through StartCom’s StartSSL service. You can get a free “class 1” certificate that will work out of the box in Firefox and Safari. Microsoft hasn’t added StartCom to IE, so people browsing to your site will have to specifically add StartCom’s authority certificate (instructions) (or ignore security warnings).
UPDATE: I am told as of Sept ’09, IE will include StartCom, yay! See comments for more…
Every year I have to renew my websites’ certificates, and the process is a bit clunky. Here’s a summary for next time around…
- Sign up at the site; they will issue an [S/MIME client certificate] and “install it into your browser”; make sure you keep the stupid thing backed up, it’s the ONLY WAY BACK IN to your account! Here are backup instructions from their FAQ:
Firefox: Select "Preferences" -> "Advanced" -> "Encryption" -> "View Certificates -> Your Certificates" and locate your certificate from the list. The certificate will be listed under StartCom Ltd. with "StartCom Free Certificate Member" as its name if this is your first one. Select the certificate and click on "Backup", choose a name for this backup file, provide a password and save it at a known location. Now you should either burn this file to a CD ROM or save it on a USB stick or smart card. Thereafter delete this file from your computer. - Every year, request to renew your S/MIME client certificate, as it expires; back it up to a safe place
- Request to renew your domain certificate; provide a password; an ssl.key is generated
- Use openssl to create a no-password key:
openssl rsa -in ssl.key.passphrase -out ssl.key.nopassphrase - Grab the official StartCom certificates from https://www.startssl.com/certs/
sub.class1.server.ca.pem
ca.pem - WAIT for confirmation of your certificate (you’ll get an email)
- Return to the website, log in, go to Tool Box -> Retrieve Certificate, save as ssl.crt
- Set up apache to use ’em!
SSLEngine on SSLCertificateFile /path_to_certs/2009-2010/ssl.crt SSLCertificateKeyFile /path_to_certs/2009-2010/ssl.key SSLCertificateChainFile /path_to_certs/2009-2010/sub.class1.server.ca.pem SSLCACertificateFile /path_to_certs/2009-2010/ca.pem
That’s the basics but it should be enough to help me through annual renewal. *sigh*…
For the sake of learning from past mistakes, a quick note about my recent server troubles…
I am masochistic enough to run my own web and email server on my residential broadband connection. It is also my firewall and router – yes I run all this on a shoestring. I’ve kept it running for almost a decade now, and I learned early on that splurging on NIC’s and a good power supply is a good idea. I use two nice Netgear NIC’s in it, and they get constant abuse. They’ve held up for years, but one of them often does not power up on reboot until I pull it and stuff it back in and cross my fingers. But on Monday night, my server started flaking out, with BIOS not posting at all on reboot. I had to play around, pulling memory, removing extra hard drives, unplugging fans, etc., and finally got it to come back to life. But on Tuesday morning I awoke to a dead NIC in my server.
I played around more, swapping out 3 different NIC’s, and testing with 5 different OS’es and live CD’s. But no matter what, my server would not get a response from Roadrunner’s DNS server. Everything worked fine if I plugging in another machine, regardless of whether it was running linux or Windows. Eventually, using a brand new NIC and fully powering down the cable modem and PC got me a DNS response (and a new IP, *sigh*). Remember, you have to actually physically unplug the PC from the wall to power down the NIC!
So now I am using a crappy new $10 100Mbit TP-LINK NIC for WAN traffic and the one good Netgear NIC for LAN. To get them set up properly was a pita, networks don’t like IP-MAC address changes, and I had to change the good Netgear NIC from eth1 to eth0. To get it working took a few steps. I had to bake support for the TP-LINK NIC into the kernel, it uses a Realtek 8139 C+ chipset and that requires the 8139too module. Then I researched how MAC addresses get assigned to eth# network slots, and was shocked to learn that traditionally, the kernel assigns them based on the order in which it loads modules. What if you have two of the same cards?! I wondered how many elite geeks bought different brands of NIC just so they could control the assignments! As in many situations, udev to the rescue. I already use udev, and I found that it was already using a rule for the MAC<->eth# associations, in [/etc/udev/rules.d/70-persistent-net.rules]. Totally sweet. I swapped things around so that the new NIC was eth0, and the previously-eth1 NIC was eth0. Total win, yay. As the last steps, I had to rerun my firewall script and resave my iptables rules with [/etc/init.d/iptables save], and… like every geek struggling to run a server on crappy Roadrunner residential service… I had to repropagate my DNS records with my new IP. Thanks 1and1.com for making me click a thousand times to do it. In 1and1’s defense, they said “next time just call customer service and we’ll do the clicking”, haha cool!
If you’re reading this, then everything worked out! :>
When I replaced my Mythtv backend/living-room-frontend, I couldn’t resist the dirt-cheap AMD/ATI HDMI motherboard/CPU combo. No regrets – it plays 1080p great – even though I have to deal with ATI rather than smooth-as-silk nVidia drivers. In setting up StepMania and MythTV (and etc.) to use OpenGL, I had a few hoops to jump through, including…
- gentoo requires recompile of [ati-drivers] after kernel bumps
- gentoo required VIDEO_CARDS in make.conf
- [eselect opengl set ati]
- to get fluxbox and opengl and ati playing well: [aticonfig –ovt opengl]
- also see http://en.gentoo-wiki.com/wiki/Fglrx
Upwards and onwards…
