KeePassX Database merge…

I’ve done a lot in the past three weeks. I finally went back to Mardi Gras in New Orleans, something I haven’t been able to do since I started working in Huntsville. I also managed to move this site to my old VPS. The edis.at OpenVZ VPS was a little underpowered for my tastes, though its pricing is very attractive. Turns out the original Apache2 documentation I first found (I can’t find the link for the life of me) was wrong: you CAN have multiple SSL sites behind one IP address, thanks to Server Name Indication (SNI), an extension the client browser has to support. This Google search should help you find the appropriate articles to set it up. All I did was back up both WordPress databases on my two sites, back up both sets of WordPress files, copy the relevant apache2 configurations over to my ChunkHost, restore the databases to the new server, and restore the WordPress files (to a different web root). It worked like a charm!

While I was in Mobile last week, my ISP (Knology) decided to do some network maintenance. My IP address changed, and my pfSense router hadn’t been configured to automatically obtain a new lease. Thus I was unable to reach my KeePassX database. I will get to the KeePassX database merge below. To rectify the WAN DHCP lease problem, I discovered these instructions. Since Knology changes my IP address so infrequently, I’m not likely to even notice the problem until I look at my IP address.

When I was down in Mobile last week, I went to the USA Career Fair to seek employment in Mobile. I got a lot of good leads, so I started filling out online applications. However, saving my passwords to KeePassX proved to be a problem: I didn’t have access to my password database via sshfs, so I had to use my local copy, which meant that anything I added to or deleted from the local copy wouldn’t be reflected in my master database. When I got back to Huntsville and sorted out my WAN connection problem, I needed a way to merge the databases (I did not want to do it by hand).

I noticed that KeePassX has import and export functions, but no explicit merge. I didn’t want to import the laptop’s local database into the master, since I was afraid of creating a lot of duplicates. I did find this KeePassX forum topic, which presents some solutions. The patch that was linked isn’t directly accessible to the public, and it’s unclear whether it was added to keepassx on Debian sid. However, further down that page, someone had posted a public-domain Python script which will merge the two databases. Here’s a link to the script. I backed up my databases in case something went wrong, and actually renamed my master database to avoid overwriting it in place.

Basically you provide three XML database names, the first source, the second source, and the destination file. However, it only seems to add the entries that are in both files, plus the ones that are only in the first. Since I had entries that were unique to both files, it appears that all I had to do was run kdb-merge twice, and just swap the first and second source. This is essentially what I ran:


kdb-merge master.xml laptop.xml merged.xml
kdb-merge laptop.xml master.xml merged.xml

The true test was loading up the merged.xml file into KeePassX. I loaded a new, blank database (which it turns out I didn’t have to do; importing an XML file apparently creates a new database). I then made sure the different entries from both files were there. I still have the backup files, should something be missing or be totally wrong.
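An added example of the same merge done in a single pass (my own code, not the forum script linked above): a union of two KeePassX 0.4 XML exports keyed by group, title, username and URL, keeping the more recently modified copy of any duplicate, so the result no longer depends on how kdb-merge treats an existing destination file. The tag layout is assumed from the 0.4 export format, and both exports below are constructed samples.

```python
import xml.etree.ElementTree as ET
from copy import deepcopy

def entry_key(group_title, entry):
    """Identity used to spot duplicates (an assumption): group, title, username, url."""
    return (group_title, entry.findtext("title", ""),
            entry.findtext("username", ""), entry.findtext("url", ""))

def merge_databases(xml_a, xml_b):
    """Union of two exports; for a duplicate, the entry with the later <lastmod>
    wins, so an edit made on either copy survives a merge in either order."""
    merged = deepcopy(ET.fromstring(xml_a))
    groups = {g.findtext("title"): g for g in merged.findall("group")}
    for group_b in ET.fromstring(xml_b).findall("group"):
        gtitle = group_b.findtext("title")
        if gtitle not in groups:                 # whole group exists only in B
            merged.append(deepcopy(group_b))
            continue
        group_m = groups[gtitle]
        existing = {entry_key(gtitle, e): e for e in group_m.findall("entry")}
        for entry_b in group_b.findall("entry"):
            entry_m = existing.get(entry_key(gtitle, entry_b))
            if entry_m is None:                  # entry exists only in B
                group_m.append(deepcopy(entry_b))
            elif entry_b.findtext("lastmod", "") > entry_m.findtext("lastmod", ""):
                group_m.remove(entry_m)          # B's copy was edited later
                group_m.append(deepcopy(entry_b))
    return ET.tostring(merged, encoding="unicode")

def list_entries(xml_text):
    """Sorted (group, title, username, password) tuples, to compare two merges."""
    return sorted((g.findtext("title"), e.findtext("title"),
                   e.findtext("username"), e.findtext("password"))
                  for g in ET.fromstring(xml_text).findall("group")
                  for e in g.findall("entry"))

def _entry(title, user, password, lastmod):  # one <entry> in the assumed 0.4 layout
    return (f"<entry><title>{title}</title><username>{user}</username><password>"
            f"{password}</password><url></url><lastmod>{lastmod}</lastmod></entry>")

# Constructed samples: the laptop copy changed the Bank password and gained entries
MASTER_XML = ("<database><group><title>Internet</title>"
              + _entry("Bank", "trey", "old-pw", "2013-02-01T09:00:00")
              + _entry("Blog", "admin", "blog-pw", "2013-02-02T09:00:00") + "</group></database>")
LAPTOP_XML = ("<database><group><title>Internet</title>"
              + _entry("Bank", "trey", "new-pw", "2013-02-10T09:00:00")
              + _entry("Job Board", "trey", "jb-pw", "2013-02-11T09:00:00")
              + "</group><group><title>Career Fair</title>"
              + _entry("USA Careers", "trey", "cf-pw", "2013-02-12T09:00:00") + "</group></database>")
```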

One final step was to shred the XML files, since they contain the passwords in plaintext. A simple rm/remove/delete would not do, since most disks don’t overwrite a deleted file (its contents remain on disk until the blocks are reused). Note that even shred only helps where the filesystem rewrites a file’s blocks in place; its own manual warns that on journaled, log-structured or copy-on-write filesystems the old data may survive. Perhaps if I had SSDs in this system it’d be different. That’s for the next workstation.

StartCom SSL intermediate certificate chain fix…

In the past year I’ve installed two SSL certificates from StartCom, for my two websites: amberandtrey.us and eldon.me. Both of these sites are (now) running Debian Sid, and have almost identical configurations. For most browsers/devices I’ve tried, the StartCom SSL certificates work fine (notice the appropriate lock icon in the address bar [in Google Chrome/Chromium it’s a green lock icon]). However, on some devices–most notably my Samsung Galaxy S II running CyanogenMod 9.10, and my mother’s aging iMac–I get a message similar to the following:

(Sorry for picking on you Midnight Commander, but yours is a website I know generates this error for me consistently. Maybe I can link to this post and have you fix that!)

Searching for the string “entity is not trusted” on the StartCom forums guided me to this posting, which suggests using a free tool called SSL Checker to verify that my SSL installation is complete and without problems. The site gives me the following:

So it is verified that my SSL certificate is not trusted by all browsers. They give a hint back to StartCom’s extensive FAQ. It led me to the Apache Web Server configuration page. I needed to copy both the ca.pem and sub.class1.server.ca.pem, and configure apache2 appropriately (in the sites-available/eldon.me configuration file). My configuration ended up being like this:

# VirtualHost and Directory container lines restored; the *:80 / *:443 addresses are assumed
<VirtualHost *:80>
DocumentRoot /var/www/eldon.me
ServerName eldon.me
ServerAlias www.eldon.me
ServerAdmin trey@blancher.net
ErrorLog /var/log/apache2/wp-error.log
TransferLog /var/log/apache2/wp-access.log
RedirectPermanent / https://eldon.me
</VirtualHost>

<VirtualHost *:443>
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
SSLCertificateFile /etc/ssl/certs/eldon.me.pem
SSLCertificateKeyFile /etc/ssl/private/eldon.me.crt
SSLCertificateChainFile /etc/ssl/certs/startcom_sub.class1.server.ca.pem
SSLCACertificateFile /etc/ssl/certs/startcom_ca.pem
DocumentRoot /var/www/eldon.me
CustomLog /var/log/apache2/eldon.me-ssh-access.log combined
ErrorLog /var/log/apache2/eldon.me-ssh-error.log
HostnameLookups On

<Directory /var/www/eldon.me>
  Options FollowSymLinks
  AllowOverride Limit Options FileInfo
  DirectoryIndex index.php
</Directory>
</VirtualHost>

I was missing the ChainFile and CACertificateFile, and I added the extra bits about CipherSuite and Protocol. Now the SSL Checker validates everything on eldon.me. The same configuration isn’t working for amberandtrey.us: the checker says “No SSL could be found,” yet my browser indicates SSL is active and enabled. I’ll have to do a closer comparison… [Edit 2013-01-27 0554 -0600] Looks like the SSL certificate is tied directly to www.amberandtrey.us (which redirects to amberandtrey.us). The opposite problem exists for eldon.me: if I have the SSL Checker scan www.eldon.me, it says “No SSL could be found.” Must be a difference in the way I set up the SSL certificates.
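As an added example (my own code, not anything from this post, StartCom or the SSL Checker), here is a small Python check over an Apache vhost file for the omission the checker caught, an SSL vhost that serves no intermediate chain; it goes beyond the post with two more checks on the same lines, since SSLv3 (RFC 7568) and RC4 (RFC 7465) have since been prohibited. The directive names are Apache’s own; the before/after vhosts are constructed from the configuration above.

```python
import re

OPEN_RE = re.compile(r"^<(\w+)[^>]*>$")     # <VirtualHost *:443>, <Directory /x>
CLOSE_RE = re.compile(r"^</(\w+)>$")

def parse_vhosts(config_text):
    """One dict of directives per <VirtualHost>, names lowercased because Apache
    treats directive names case-insensitively; nested <Directory> lines are folded in."""
    vhosts, current = [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened, closed = OPEN_RE.match(line), CLOSE_RE.match(line)
        if opened and opened.group(1).lower() == "virtualhost":
            current = {"_head": line}
        elif closed and closed.group(1).lower() == "virtualhost":
            vhosts.append(current)
            current = None
        elif current is not None and not (opened or closed):
            name, _, value = line.partition(" ")
            current[name.lower()] = value.strip()
    return vhosts

def check_ssl_vhost(vhost):
    """Findings for one vhost: the missing chain file (the post's bug) plus two
    added caveats, SSLv3 not excluded and RC4 still offered."""
    if vhost.get("sslengine", "off").lower() != "on":
        return []
    findings = []
    if "sslcertificatechainfile" not in vhost:
        findings.append("missing SSLCertificateChainFile (intermediate CA not served)")
    proto = vhost.get("sslprotocol", "all").lower()      # Apache's default is 'all'
    if not proto.startswith("tlsv") and "-sslv3" not in proto:
        findings.append("SSLProtocol does not exclude SSLv3")
    suite = vhost.get("sslciphersuite", "").lower()
    if "rc4" in suite and "!rc4" not in suite:           # heuristic on the cipher string
        findings.append("SSLCipherSuite enables RC4")
    return findings

# Constructed samples: the SSL vhost before the fix and after it (chain added, RC4 kept)
BEFORE = """<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /etc/ssl/certs/eldon.me.pem
SSLCertificateKeyFile /etc/ssl/private/eldon.me.crt
</VirtualHost>"""
AFTER = BEFORE.replace("SSLEngine on", """SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
SSLCertificateChainFile /etc/ssl/certs/startcom_sub.class1.server.ca.pem""")
```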

Now I can be sure that folks won’t have to click through an SSL warning when they visit my sites!

WordPress install on Debian Sid (post-Wheezy)

For my first post, I will discuss how I installed this website on my Debian Sid installation on my EDIS Virtual Private Server (VPS). I first started with the EDIS VRS STARTER, which includes 512MB RAM, with a 10GB disk, 1Gbps network bandwidth, and 2TB total bandwidth allowed per period. Not much to work with, but it’s only ~$7 per month! The nice thing is, the Wheezy image I started with only takes up 200MB of disk space, so there’s plenty to work with.

Here’s the procedure I followed:

  1. First thing was to install my bare essentials. This includes vim and tmux. I installed them with the following command, as root:
    aptitude install vim tmux
  2. Now that vim was installed, I could remove nano and edit /etc/apt/sources.list properly:
    
    # aptitude purge nano # DIE EVIL NANO!
    # vim /etc/apt/sources.list
    
    

    The /etc/apt/sources.list file ended up like this:

    deb http://debian.uchicago.edu/debian sid main contrib
    
    

    Since this server is in Chicago, IL, USA, I changed the Debian repository server from ftp.at.debian.org (EDIS is based in Austria). The “contrib” parameter was used because several key MySQL components (necessary for WordPress) are not available in the “main” repository because of licensing issues. With that I added the following alias to root’s bash run control file (~/.bashrc):

    
    alias upgrade='aptitude update && aptitude full-upgrade'
    
    

    I do the above on all of the Debian servers and workstations I manage, to make it a simple matter to update the system to the latest available packages. Sourcing the .bashrc file (source .bashrc, or what I really use, . .bashrc) loaded the new alias. Executing the “upgrade” alias proceeded to update my Wheezy install to Sid, and took about twenty minutes or so. Note that lsb_release -a still returns Wheezy; I’ll have to investigate that when I have time.

  3. Now that my machine had been updated, I rebooted it to load the new kernel (with the command reboot). Next, I installed wordpress and mysql. I note that mysql-server is *not* a dependency of wordpress (it merely suggests mysql-server); I discovered this when I tried to start WordPress for the first time and noticed mysql-server was not installed (this led me to adding “contrib” to sources.list above). The command below installed many libraries and helper packages, including apache2 and php5 related packages:

    
    # aptitude install wordpress mysql-server libssh2-php
    
    

    I installed libssh2-php since I wanted to use SSH keys for WordPress to apply updates, plugins, and themes (rather than use FTP or FTPS [I’ve always found installing and securing FTP repositories to be a major pain]). I was then ready to set up apache.

  4. Setting up apache was as simple as creating the /etc/apache2/sites-available/eldon.me file:

    # VirtualHost and Directory container lines restored; the *:80 / *:443 addresses are assumed
    <VirtualHost *:80>
    DocumentRoot /var/www/eldon.me
    ServerName eldon.me
    ServerAlias www.eldon.me
    ServerAdmin trey@blancher.net
    ErrorLog /var/log/apache2/wp-error.log
    TransferLog /var/log/apache2/wp-access.log
    RedirectPermanent / https://eldon.me
    </VirtualHost>

    <VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/eldon.me.pem
    SSLCertificateKeyFile /etc/ssl/private/eldon.me.crt
    DocumentRoot /var/www/eldon.me
    CustomLog /var/log/apache2/eldon.me-ssh-access.log combined
    ErrorLog /var/log/apache2/eldon.me-ssh-error.log
    HostnameLookups On

    <Directory /var/www/eldon.me>
        Options FollowSymLinks
        AllowOverride Limit Options FileInfo
        DirectoryIndex index.php
    </Directory>
    </VirtualHost>


    I obtained my SSL certificates from StartSSL, based in Israel. The main reason I use them is they offer level 1 certificates for personal use completely free/gratis! The only downside is that many older, out of date browsers and smartphones don’t recognize their certificate authority credentials, which means many browsers issue an SSL warning (as if the site used self-signed certificates). If that becomes a major problem, I may switch.

    The next step was to enable the site:

    
    # a2ensite eldon.me
    
    
  5. The next step is to set up the WordPress MySQL user and database (adapted from here). In Debian, when mysql-server is installed apt/dpkg directs you to set root’s password for the MySQL server. The first command below will prompt for that password:
    
    # mysql -p
    Enter password:
    Welcome to the MySQL monitor.  Commands end with ; or \g.
    Your MySQL connection id is 308
    Server version: 5.5.29-1 (Debian)
    
    Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
    
    Oracle is a registered trademark of Oracle Corporation and/or its
    affiliates. Other names may be trademarks of their respective
    owners.
    
    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
    
    mysql> create database eldon;
    Query OK, 1 row affected (0.00 sec)
     
    mysql> grant all privileges on eldon.* to "wp_agent"@"localhost"
        -> identified by "SUPERSECRETPASSWORD";
    Query OK, 0 rows affected (0.00 sec)
      
    mysql> flush privileges;
    Query OK, 0 rows affected (0.01 sec)
    
    mysql> exit
    
    

    Since wordpress installs to /usr/share/wordpress on Debian, I made a symlink, and then restarted apache2:

    
    ln -s /usr/share/wordpress /var/www/eldon.me
    service apache2 restart
    
    

    If I want to add other sites to this VPS, I’ll just need to set up the site as above, and place it in /var/www/. Note that I’ll have to be careful when setting up SSL. I had originally found that multiple SSL sites on a single IP was impossible. However, when I tried to find the page that explained that, I found this post instead: “Configure Apache to Support Multiple SSL sites on a single IP address”. I could have saved some money, but having multiple VPS services makes sure I have access to one of them should the other go down (I use my other VPS for IRC as well).

  6. Now, I could finally set up WordPress. I navigated here (you’ll see that it has already been set up). I won’t go into setting up WordPress from there, but this is precisely the same as “Run the Install Script”.

And that’s it for now! Hopefully I didn’t miss any steps.