Renewing my Free SSL certificate with StartCom

Since my Secure Sockets Layer (SSL) certificate needs are quite modest, I use the free SSL certificates from StartCom. Here are my instructions for renewing it; they are almost identical to the process for creating a new SSL certificate with StartCom.

  1. Go to the main site, and log in with your StartSSL Open Identity certificate. Create one if need be.
  2. Validate your email address in the resulting dashboard. The validation will be in force for 30 days.
  3. Validate every domain you wish to renew.
  4. Generate the certificate for the domain you are renewing.
    1. Select the StartCom SSL Certificates Wizard.
    2. Choose Web Server SSL/TLS Certificate, and click Continue.
    3. Your validated domain should show in the list. Enter the domain you’re generating the keys for into the “Please enter your full hostname here” input field.
    4. Under “Please submit your Certificate Signing Request (CSR):” select “Generated by Myself”. You can use the form, but I remember reading that it is more secure to generate the private key and the Certificate Signing Request (CSR) yourself, with an offline OpenSSL invocation, so the key never leaves your machine. They present a suitable openssl command, to which I added the -subj option to avoid being prompted for that information:
      openssl req -new -newkey rsa:2048 -nodes -out eldon.me.csr -keyout eldon.me.key -subj "/C=US/ST=Georgia/L=Mableton/O=Eldon Carl Blancher III/CN=eldon.me"
      
    5. Copy the content of the CSR into the resulting form. It will look something like this:
        -----BEGIN CERTIFICATE REQUEST-----
        BLAAAAAAAAAAAAAAAAAAAAAAAHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH
        OBFUSCATTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTEDDD
        BLAAAAAAAAAAAAAAAAAAAAAAAHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH
        OBFUSCATTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTEDDD
        BLAAAAAAAAAAAAAAAAAAAAAAAHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH
        OBFUSCATTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTEDDD
        BLAAAAAAAAAAAAAAAAAAAAAAAHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH
        OBFUSCATTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTEDDD
        BLAAAAAAAAAAAAAAAAAAAAAAAHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH
        OBFUSCATTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTEDDD
        BLAAAAAAAAAAAAAAAAAAAAAAAHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH
        OBFUSCATTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTEDDD
        BLAAAAAAAAAAAAAAAAAAAAAAAHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH
        OBFUSCATTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTEDDD
        BLAAAAAAAAAAAAAAAAAAAAAAAHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH
        OBFUSCATTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTEDDD
        BLAAAAAAAAAAAAAAAAAAAAAAAHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH
        OBFUSCATTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTED==
        -----END CERTIFICATE REQUEST-----

        The actual content has been obfuscated to protect it; I highly doubt that is a valid CSR now.

    6. Click “Submit.” If the CSR is accepted, the resulting page should provide a link to the new certificate files (the “here” link), as a ZIP archive.
    7. Download and unpack the archive. It contains several further ZIP archives, one for each of several web servers. The Apache.zip file contained two files:
      • 1_root_bundle_crt, renamed to startcom.crt
      • 2_eldon.me.crt, renamed to eldon.me.crt

        Now that the certificates are generated, I need to add them to my apache2 web server.

      1. My current sites-available/eldon.me apache2 configuration looks like this:
        <VirtualHost *:80>
        DocumentRoot /var/www/eldon.me
        ServerName www.eldon.me
        ServerAlias eldon.me
        ServerAdmin trey@blancher.net
        ErrorLog /var/log/apache2/eldon.me-error.log
        TransferLog /var/log/apache2/eldon.me-access.log
        RedirectPermanent / https://eldon.me/
        </VirtualHost>

        <VirtualHost *:443>
        ServerName www.eldon.me
        ServerAlias eldon.me
        ServerAdmin trey@blancher.net
        SSLEngine on
        SSLProtocol all -SSLv2 -SSLv3
        # note: this suite string still permits RC4 ciphers
        SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
        SSLCertificateFile /etc/ssl/certs/eldon.me.pem
        SSLCertificateKeyFile /etc/ssl/private/eldon.me.key
        SSLCertificateChainFile /etc/ssl/certs/startcom_sub.class1.server.ca.pem
        SSLCACertificateFile /etc/ssl/certs/startcom_ca.pem
        DocumentRoot /var/www/eldon.me
        CustomLog /var/log/apache2/eldon.me-access.log combined
        ErrorLog /var/log/apache2/eldon.me-error.log
        HostnameLookups On
        </VirtualHost>

        <Directory /var/www/eldon.me>
                Options FollowSymLinks
        #       AllowOverride Limit Options FileInfo
                AllowOverride All
                DirectoryIndex index.php
        </Directory>
        
      2. I changed these three lines:
        SSLCertificateFile /etc/ssl/certs/eldon.me.crt
        SSLCertificateKeyFile /usr/local/apache/conf/eldon.me.key
        SSLCertificateChainFile /usr/local/apache/conf/startcom.crt
        
      3. Reload apache2, and the new SSL certificate is loaded!
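
The checks worth running between the steps above, as an added example that is not part of the original post: the key and CSR are generated the way the post's openssl command does it, then the CSR is checked against the key before it is pasted into the StartCom form, and the issued certificate and the renamed startcom.crt bundle are checked before apache2 is reloaded. The subject string and file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Generates the key and CSR the
# same way as the post's openssl command, then runs the checks worth doing
# before pasting the CSR into the StartCom form and before reloading Apache.
# The subject string, file names and "startcom.crt" bundle name are assumptions.

# Generate a 2048-bit RSA key and an unencrypted CSR for hostname $1, writing
# "$1.key" and "$1.csr" into the current directory (offline, as the post
# recommends, so the private key never leaves this machine).
gen_csr() {
    host="$1"
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$host.key" -out "$host.csr" \
        -subj "/C=US/ST=Georgia/L=Mableton/O=Example Org/CN=$host" 2>/dev/null
}

# Return 0 if the CSR's self-signature verifies and its public key belongs to
# the given private key (identical RSA modulus), 1 otherwise. A CSR that does
# not match the key yields a certificate Apache can never use.
csr_matches_key() {
    key="$1"; csr="$2"
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
    kmod=$(openssl rsa -in "$key" -noout -modulus 2>/dev/null)
    cmod=$(openssl req -in "$csr" -noout -modulus 2>/dev/null)
    [ -n "$kmod" ] && [ "$kmod" = "$cmod" ]
}

# Return 0 if the issued certificate (SSLCertificateFile) was minted for the
# private key Apache is pointed at (SSLCertificateKeyFile), 1 otherwise.
cert_matches_key() {
    key="$1"; crt="$2"
    kmod=$(openssl rsa -in "$key" -noout -modulus 2>/dev/null)
    xmod=$(openssl x509 -in "$crt" -noout -modulus 2>/dev/null)
    [ -n "$kmod" ] && [ "$kmod" = "$xmod" ]
}

# Return 0 if the leaf certificate chains to the CA bundle that becomes
# SSLCertificateChainFile (the 1_root_bundle file renamed to startcom.crt),
# 1 otherwise. A broken chain is what browsers report as an untrusted issuer.
chain_ok() {
    bundle="$1"; crt="$2"
    openssl verify -CAfile "$bundle" "$crt" >/dev/null 2>&1
}

# Typical use after unpacking Apache.zip:
#   csr_matches_key eldon.me.key eldon.me.csr &&
#   cert_matches_key eldon.me.key eldon.me.crt &&
#   chain_ok startcom.crt eldon.me.crt && echo "ready to reload apache2"
```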

Colorizing messages in mutt index

I’d heard for a long time that if I’m a self-respecting Linux or UNIX geek I should use a terminal-based email client. My options are Alpine and mutt, and it seemed that while mutt was the hardest to get up and running, it was also the most flexible and powerful. I have drunk the Google Kool-Aid, so I had been loath to switch from Gmail, since my workflow habits (in both personal and work Gmail) depend on certain features.

The first feature of Gmail (available in the “Labs” section) that I used very heavily was the multi-colored stars feature. At home, I use six different stars (green-check, yellow-bang, red-star, blue-info, purple-question, and green-star, in this order). At work I use eight (these plus yellow-star and blue-star). One thing I always hated about Gmail is that I had to repeatedly click on the empty star icon to cycle to the star I wanted. For seldom-used stars, this meant that I might not remember where it was in the list, so I’d accidentally cycle past it, sometimes multiple times, until I got the star I wanted. Another problem with these stars is that they don’t translate to any other mail client. It would be really nice if Google would add something like “X-Gmail-red-star” to the email headers, but that isn’t what happens now (not sure if that would violate an RFC).

The other feature I use is the priority inbox, which separates the inbox into “Important and Unread,” “Starred,” and “Everything else.” I use this especially at work to help me triage email. I get a lot of stuff which isn’t junk, but that isn’t addressed (To: or Cc:) to me, so I don’t read it. All messages To or Cc’d to me get an automatic star (Gmail only has the capability to add yellow-star to messages automatically, something I hope to rectify with mutt. One day….).

The only thing I’ve figured out how to do in mutt thus far is a first stab at the multi-colored stars feature. This time it’s all tied to key macros, so there is no cycling through until I find the color I want. It works through mutt’s scoring feature: for now, each score range (100-199, 200-299, 300-399, and so on) is mapped to one color. Whenever I run the macro to color a message, I pipe it (<pipe-entry>) into a bash script I wrote which greps for the Message-ID, strips the Message-ID’s angle brackets (‘<’ or ‘>’), adds the relevant score, and writes a score configuration command to a separate rc file (~/.mutt/stars). Then I have mutt reload its configuration (thankfully score isn’t something that requires a complete restart).

First, the section of .muttrc I have for stars:

# Star scoring 
source ~/.mutt/stars

set my_red_star = 1000
set my_magenta_question = 800
set my_yellow_bang = 600
#set my_green_star = 400
set my_green_check = 200
set my_blue_info = 100
set my_del_star = 0

macro index,pager sr "<pipe-entry>~/bin/stars $my_red_star<enter><enter-command>source ~/.muttrc<enter>" "Mark the current message with RED"
macro index,pager sm "<pipe-entry>~/bin/stars $my_magenta_question<enter><enter-command>source ~/.muttrc<enter>" "Mark the current message with MAGENTA"
macro index,pager sy "<pipe-entry>~/bin/stars $my_yellow_bang<enter><enter-command>source ~/.muttrc<enter>" "Mark the current message with YELLOW"
macro index,pager sc "<pipe-entry>~/bin/stars $my_green_check<enter><enter-command>source ~/.muttrc<enter>" "Mark the current message with GREEN"
macro index,pager si "<pipe-entry>~/bin/stars $my_blue_info<enter><enter-command>source ~/.muttrc<enter>" "Mark the current message with BLUE"
macro index,pager sd "<pipe-entry>~/bin/stars $my_del_star<enter><enter-command>source ~/.muttrc<enter>\
<pipe-entry>~/bin/del_stars<enter>\
<enter-command>source ~/.muttrc<enter>" "Remove color marking from the current message"

color index default brightred '~n 1000-1100'  # Mark the message with red!
color index magenta default '~n 800-999'  # Mark the message with magenta!
color index black brightyellow '~n 600-799'  # Mark the message with yellow!
#color index default green '~n 400-599'  # Mark the message with green!
color index green default '~n 200-399'  # Mark the message with green (check)!
color index brightblue default '~n 100-199'  # Mark the message with blue!

And my stars script:

#!/bin/bash

# Read the message mutt pipes in, take the first Message-ID header,
# and strip its angle brackets.
msgid=$(grep -m 1 '^Message-I[Dd]' | awk '{print $2}' | sed 's/[<>]//g')
# Append a mutt score command for that message to the stars rc file.
echo "score \"~i $msgid\" $1" >> ~/.mutt/stars

My delete stars (del_stars) script (which doesn’t work all the time, but I haven’t been able to investigate why):

#!/bin/bash

msgid=$(grep -m 1 '^Message-I[Dd]' | awk '{print $2}' | sed 's/[<>]//g')
sed -i "/$msgid/d" ~/.mutt/stars

Now the stars script doesn’t always work, either. I think I’ve tracked it down to Message-IDs which use nonalphanumeric symbols in them (like pipe ‘|’ and dollar-sign ‘$’). I might not be quoting the “~i $msgid” correctly (single-quotes, maybe?). Not terrible for a first stab at this. I wonder if any old mutt hands will have a fit if they see this, but I’m too tired to investigate further. It works well enough for my purposes right now. Also, I don’t know the performance ramifications of an ever growing ~/.mutt/stars file. We’ll have to see how that goes.

Backup WordPress Files and Database

I’ve been meaning to create a backup of my WordPress files and databases on my VPS (ChunkHost). After a minimal amount of digging (on WordPress’s Codex site), I wrote this script:

#!/bin/bash
# Without pipefail, "|| exit 2" below only sees the exit status of xz, so a
# failed mysqldump would leave a truncated dump behind and still look successful.
set -o pipefail

WPBAK=/var/backups/wordpress
tar -cvJf "$WPBAK/$(date +%F)_files.tar.xz" /var/www || exit 1
mysqldump --all-databases --verbose | xz -c > "$WPBAK/$(date +%F)_databases.sql.xz" || exit 2

Just change the “$WPBAK” variable to where on the server you want to store the backups. Also, you’ll need to create the ~/.my.cnf file (I did it for the root user):

[mysqldump]
user=root
password=secret

You’ll need to change user to the appropriate MySQL user, and the password accordingly. Be sure to set .my.cnf to permissions 600 (“chmod 600 ~/.my.cnf”) so other users on the server cannot read the password; keeping the credentials there means the script itself doesn’t need to contain the MySQL user password in order to make the dump.

I put all of this in /etc/cron.daily/wordpress, and made it executable (“chmod +x /etc/cron.daily/wordpress”). This way my system will back up automatically on a daily basis.

The next step is to update my rsnapshot configuration so it will store the backup on my Network Attached Storage (NAS). First, I had to copy the SSH public key for my NAS admin user to my VPS, and add it to the user doing the work. Then, I added a single line (port number changed to protect the innocent):

backup  root@eldon.me:/var/backups/wordpress    eldon.me/       ssh_args=-p 4321

I’m waiting for another rsnapshot backup process to start naturally, rather than kicking off a manual run. I’m curious to see if this works as well as I thought.

The next step is to write a cron job that will remove old backups. This is simple enough (put in /etc/cron.daily/wordpress_backup-cleanup, and make executable, as above):

#!/bin/bash
# -type f: only remove the archive files, never the backup directory itself
find /var/backups/wordpress/ -type f -mtime +7 -exec rm {} \;

This will delete backup files more than seven days old. This will hopefully keep my li’l VPS’s disk from filling up. And that’s it!
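
The same backup and cleanup, as an added example that is not the post's cron job, hardened against the silent-truncation failure: a plain pipeline only reports its last stage, so “|| exit 2” only ever sees xz; here the producer's exit status is captured separately, the archive is written under a temporary name, integrity-tested, and only then renamed into place, and pruning is limited to regular files. Paths and the mysqldump invocation are assumptions.

```shell
#!/bin/sh
# Added example, not the post's cron job. Same backup as the post, hardened so
# that a failing mysqldump or tar cannot leave a silently truncated archive in
# place: the producer's exit status is captured (a plain pipeline only reports
# the last stage), output goes to a temporary name, is integrity-tested and
# only then renamed into place. Pruning touches regular files only.
# Paths and the mysqldump invocation are assumptions.

WPBAK="${WPBAK:-/var/backups/wordpress}"
SRC_DIR="${SRC_DIR:-/var/www}"
DUMP_CMD="${DUMP_CMD:-mysqldump --all-databases}"   # credentials from ~/.my.cnf
COMPRESS="${COMPRESS:-xz}"                            # xz or gzip

# Run the producer command $2, compress its stdout into $1 via "$1.partial",
# and keep the result only if the producer exited 0 and the archive passes
# "$COMPRESS -t". Returns 1 and leaves no partial file otherwise.
write_verified() {
    out="$1"; tmp="$out.partial"; st="$out.status"
    { eval "$2" && s=0 || s=$?; echo "$s" > "$st"; } | "$COMPRESS" -c > "$tmp"
    if [ "$(cat "$st")" -eq 0 ] && "$COMPRESS" -t "$tmp" 2>/dev/null; then
        rm -f "$st" && mv "$tmp" "$out"
    else
        rm -f "$st" "$tmp"; return 1
    fi
}

backup_files() {
    write_verified "$WPBAK/$(date +%F)_files.tar.$COMPRESS" "tar -cf - '$SRC_DIR'"
}

backup_databases() {
    write_verified "$WPBAK/$(date +%F)_databases.sql.$COMPRESS" "$DUMP_CMD"
}

# Delete regular files older than $1 days (default 7). A bare "find -exec rm"
# would also try to rm the backup directory itself once it is old enough.
prune_backups() {
    find "$WPBAK" -maxdepth 1 -type f -mtime +"${1:-7}" -exec rm -f {} +
}

run_backup() {
    backup_files || return 1
    backup_databases || return 2
    prune_backups 7
}

# Only run automatically when installed as /etc/cron.daily/wordpress.
case "${0##*/}" in wordpress) run_backup ;; esac
```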

(trey’s take) On sharing a directory with Windows…

Market forces have conspired to force me into a bare-metal Windows install (a Virtualbox Virtual Machine can no longer cut it). I would still rather work solely in Debian, or some other Linux distribution (distro!), but this presents me with an opportunity to grow my skills in ways I did not anticipate. First, the scenario:

  1. I use the venerable KeePassX to manage my passwords. It is not to be confused with KeePass. Both programs have similar functions, and even read the same database format (KeePass 1.x), but the latest (and currently maintained) KeePass version depends on .NET, so on Linux that means Mono. Last I checked (which is admittedly a long time ago), the Linux/Mono port looked *terrible*. Luckily, KeePassX has a port for Windows, so I can keep the same look and feel regardless of whether I’m booted into Windows or Linux. FULL DISCLOSURE: KeePassX 0.4.3 has been out for some time, and it appears the development on the next version of KeePassX has slowed to a crawl or is nonexistent.
  2. No matter which computer I’m using, I want to be able to access the password database. In Linux, I just set up a port forward on my WAN router that points to the SSH port on my Debian workstation, and on my satellite devices I use SSHFS to mount the keepass directory. This “tricks” KeePassX into thinking the password database is local to the satellite machine; any changes are immediately visible on the main workstation and the satellite machines, and there are no disparate databases to reconcile. As part of the (manual) SSHFS mount command, I make a local copy on the satellite so the password database is available if my central server is not. Note that if my primary home workstation becomes unavailable and I need to modify the database in any way, I will need to manually merge my KeePassX databases.

My previous architecture is described above. Adding a dual-boot Windows 7 installation to the mix gives me a number of challenges:

  1. There is the problem of sharing the database between both OSes (Windows 7 and Debian), such that both versions of KeePassX operate without having to redirect KeePassX to a different location (C:\Users\trey\keepass in Windows, and /home/trey/keepass in Debian).
  2. Making the database available via SSHFS will pose a challenge on the Windows side.
  3. Making backups of the database may be difficult from the Windows side.

My solutions to the above:

  1. Sharing the database between the two systems is relatively straightforward. This is where Linux plays the glue system, and makes up for the inadequacies of others. Windows 7 will store the master password database here: C:\Users\trey\keepass\. I can mount the C: drive in Linux (the ntfs-3g filesystem driver is quite mature), and then bind mount the Windows directory to /home/trey/keepass/. Here are the relevant /etc/fstab entries:
    /dev/sda2                       /windows           ntfs    defaults,uid=1000 0 0
    /windows/Users/trey/keepass     /home/trey/keepass none    bind              0 0
    

    If I’m booted into Linux, everything is as it was. I don’t anticipate the database actually residing on an NTFS volume being a concern, but usage may dictate otherwise.

  2. Making the directory available from the Debian side is already done, and works as expected. Doing so from Windows is a bit more difficult. I’ll need to install OpenSSH in Cygwin, which is done, but it’s not configured. I’ll first need to expose C:\Users\trey\keepass in the Cygwin filesystem tree. I’ll also need to copy the various SSH keys into the Cygwin environment, so my satellite devices don’t know (or care) when they mount the SSHFS volume. I’m currently writing this from Debian; I’ll need to reboot into Windows and continue this post later.
  3. I have no idea how my general rsnapshot backup will work if Windows is booted. I’ll have to think of that later, but assuming the keepass directory is properly exposed in Windows/Cygwin, it should be OK.

On to the Windows side…