There is only one way I know of to get free, functional, legitimate SSL encryption for your web server, and that’s through StartCom’s StartSSL service. You can get a free “class 1” certificate that will work out of the box in Firefox and Safari. Microsoft hasn’t added StartCom’s root to the Windows certificate store, so people browsing to your site with IE will have to add StartCom’s root CA certificate themselves (instructions) (or click through the security warnings).

UPDATE: I am told as of Sept ’09, IE will include StartCom, yay! See comments for more…

Every year I have to renew my websites’ certificates, and the process is a bit clunky. Here’s a summary for next time around…

  • Sign up at the site; they will issue an [S/MIME client certificate] and “install it into your browser”. Make sure you keep the stupid thing backed up: it’s the ONLY WAY BACK IN to your account! Here are backup instructions from their FAQ:
    Firefox: Select "Preferences" -> "Advanced" -> "Encryption" -> "View Certificates -> Your Certificates" and locate your certificate from the list. The certificate will be listed under StartCom Ltd. with "StartCom Free Certificate Member" as its name if this is your first one. Select the certificate and click on "Backup", choose a name for this backup file, provide a password and save it at a known location. Now you should either burn this file to a CD ROM or save it on a USB stick or smart card. Thereafter delete this file from your computer.
  • Every year, request to renew your S/MIME client certificate, as it expires; back it up to a safe place
  • Request to renew your domain certificate; provide a password; an encrypted ssl.key is generated for you (the wizard also takes a CSR you generate yourself, which is better practice since the private key then never leaves your server; the rest of these notes assume the generated key)
  • Use openssl to strip the passphrase, so apache can start unattended, then chmod the result to 0600 owned by root: the file mode is now the only thing protecting the key
    openssl rsa -in ssl.key.passphrase -out ssl.key.nopassphrase
  • Grab the official StartCom certificates from https://www.startssl.com/certs/
    sub.class1.server.ca.pem
    ca.pem
  • WAIT for confirmation of your certificate (you’ll get an email)
  • Return to the website, log in, go to Tool Box -> Retrieve Certificate, save as ssl.crt
  • Set up apache to use ’em! (ssl.key here is the no-passphrase key from above)
    
        SSLEngine on
        SSLCertificateFile /path_to_certs/2009-2010/ssl.crt
        SSLCertificateKeyFile /path_to_certs/2009-2010/ssl.key
        SSLCertificateChainFile /path_to_certs/2009-2010/sub.class1.server.ca.pem
        SSLCACertificateFile /path_to_certs/2009-2010/ca.pem
    
    SSLCertificateChainFile is the one that matters for visitors: it makes apache send the StartCom intermediate along with your cert, and without it browsers that only ship the root will reject the chain. SSLCACertificateFile is only consulted when apache verifies client certificates (SSLVerifyClient), so it’s harmless here but not needed.

That’s the basics but it should be enough to help me through annual renewal. *sigh*…

For the sake of learning from past mistakes, a quick note about my recent server troubles…

I am masochistic enough to run my own web and email server on my residential broadband connection. It is also my firewall and router – yes, I run all this on a shoestring. I’ve kept it running for almost a decade now, and I learned early on that splurging on NICs and a good power supply is a good idea. I use two nice Netgear NICs in it, and they get constant abuse. They’ve held up for years, but one of them often does not power up on reboot until I pull it, stuff it back in and cross my fingers. But on Monday night, my server started flaking out, with the BIOS not POSTing at all on reboot. I had to play around, pulling memory, removing extra hard drives, unplugging fans, etc., and finally got it to come back to life. But on Tuesday morning I awoke to a dead NIC in my server.

I played around more, swapping out 3 different NICs and testing with 5 different OSes and live CDs. But no matter what, my server would not get a response from Roadrunner’s DNS server. Everything worked fine if I plugged in another machine, regardless of whether it was running Linux or Windows. Eventually, using a brand new NIC and fully powering down the cable modem and PC got me a DNS response (and a new IP, *sigh*). Remember, you have to actually physically unplug the PC from the wall to power down the NIC!

So now I am using a crappy new $10 100Mbit TP-LINK NIC for WAN traffic and the one good Netgear NIC for LAN. Getting them set up properly was a pain; networks don’t like IP/MAC address changes, and I had to change the good Netgear NIC from eth1 to eth0. It took a few steps. I had to bake support for the TP-LINK NIC into the kernel: it uses a Realtek 8139 C+ chipset, which needs the 8139too module. Then I researched how MAC addresses get assigned to eth# slots, and was shocked to learn that traditionally the kernel assigns them in the order in which it loads the drivers. What if you have two of the same cards?! I wondered how many elite geeks bought different brands of NIC just so they could control the assignments! As in many situations, udev to the rescue. I already use udev, and I found that it was already pinning the MAC<->eth# associations with rules in [/etc/udev/rules.d/70-persistent-net.rules]. Totally sweet. I swapped things around so that the new TP-LINK NIC was eth1 and the previously-eth1 Netgear NIC was eth0. Total win, yay. As the last steps, I had to rerun my firewall script and resave my iptables rules with [/etc/init.d/iptables save], and… like every geek struggling to run a server on crappy Roadrunner residential service… I had to repropagate my DNS records with my new IP. Thanks 1and1.com for making me click a thousand times to do it. In 1and1’s defense, they said “next time just call customer service and we’ll do the clicking”, haha cool!

If you’re reading this, then everything worked out! :>

When I replaced my MythTV backend/living-room frontend, I couldn’t resist the dirt-cheap AMD/ATI HDMI motherboard/CPU combo. No regrets – it plays 1080p great – even though I have to deal with ATI rather than smooth-as-silk nVidia drivers. In setting up StepMania and MythTV (etc.) to use OpenGL, I had a few hoops to jump through, including…

  • gentoo requires a recompile of [ati-drivers] after every kernel bump
  • gentoo required VIDEO_CARDS="fglrx" in make.conf
  • [eselect opengl set ati]
  • to get fluxbox, opengl and ati playing well: [aticonfig --ovt opengl]
  • also see http://en.gentoo-wiki.com/wiki/Fglrx

Upwards and onwards…

Drowning in scattered torrents and files? Get yourself organized! Here is a torrent management system for linux users that will give you…

* automatic download of torrent contents for all downloaded .torrent files
* automatic download of new .torrent files from RSS feeds
* automatic organization of content once it finishes downloading
* continuous seeding of contents during this process
* simple control of seeding of all previously downloaded content

Recently, I found myself kind of annoyed by the fact that I couldn’t use the same “initialization” syntax to directly set the values of an existing structure. Extremely trivial, but it bugs me. Is there really a good reason for this limitation?

	typedef struct
	{
	    int x;
	    int y;
	} Doh;

	int main(void)
	{
	    Doh doh = { 1, 2 };

	    // You can't directly re-assign in one step with plain braces, bummer.
	    // doh = { 3, 4 };

	    // You need a second struct to use the same syntax.  Yuck.
	    Doh d2 = { 3, 4 };
	    doh = d2;

	    // Or just do it longhand.  Also yuck.
	    doh.x = 5;
	    doh.y = 6;

	    return 0;
	}

So I dug around to see if there was anything I was missing, and I found designated initializers, the new initialization method available in C99. On their own they still don’t let me assign to an existing structure (for that, C99 also has compound literals, the `(Doh){ .x = 3, .y = 4 }` form, which can stand on the right of an assignment), but they are interesting:

	Doh doh_set = {
	    .x = 4,
	    .y = 3
	};
	Doh doh_set2 = {        // order doesn't matter
	    .y = 3,
	    .x = 4
	};
	Doh doh_set3 = {        // members not named are zero-initialized: .x == 0
	    .y = 3
	};
	Doh set4[] =
	{
	    {
	        .y = 1039
	    },
	    {
	        .y = 1040,
	        .x = 23
	    }
	};

Still not rocket science, but the truly interesting part is that designated initializers are not available in C++. At least not today. I tested them with the gcc 4.1.2 and Visual Studio 2008 C++ compilers and neither supports them. They didn’t make it into C++0x (C++11) either; a restricted form (designators in declaration order, no array designators) finally arrived in C++20. So C is definitely not a subset of C++. For more possible gotchas (and some C99 features that make it more compatible with C++), here’s a quick C99 rundown.

Considering designated initializers are being used in places like the linux kernel, this issue no longer seems trivial. Oh well, code and learn. Hopefully I can go another 10 years(!) before my next snag. For now, back to classes… :>