X marks the spot

random commentary on life, the universe, and anything

October 21, 2017
by puhfu

Adding a self-signed SSL certificate for UniFi on Mac OS X 10.12

Got tired of seeing the UniFi controller Java service running HTTPS but not trusted on localhost. I almost have a solution. Found a solution, but it wasn’t easy.

CertSimple: Never see localhost HTTPS warnings again
Ubiquiti Network Community: Installing an SSL Certificate

Follow the CertSimple instructions to use Mac OS X Keychain Access to generate self-signed certificates for localhost. In Step 3, make sure to export both the localhost certificate (as .pem) and the localhost private key (select .p12 from the drop-down and then convert as per the openssl command in Step 3, OR export as .pem) from within Keychain Access.

Keychain Access

Instead of service unifi stop as in the Ubiquiti Network Community instructions (which are for a Linux system), on Mac OS X simply quit the UniFi app in order to stop the service. Alternatively, from the command line:

$ java -jar /Applications/UniFi.app/Contents/Java/ace.jar stop

Here are the commands that I used based on the Community page. I put the files on the Desktop for easy finding (from the command line natch).

$ sudo openssl pkcs12 -export -passout pass:aircontrolenterprise \
 -in ~/Desktop/localhost-cert.pem -inkey ~/Desktop/localhost-key.pem \
 -out ~/Desktop/localhost -name unifi \
 -CAfile ~/Desktop/localhost_CAcert.pem -caname root

$ sudo keytool -delete -alias unifi \
 -keystore ~/Library/Application\ Support/UniFi/data/keystore \
 -deststorepass aircontrolenterprise

$ sudo keytool -trustcacerts -importkeystore \
 -deststorepass aircontrolenterprise -destkeypass aircontrolenterprise \
 -destkeystore ~/Library/Application\ Support/UniFi/data/keystore \
 -srckeystore ~/Desktop/localhost -srcstoretype PKCS12 \
 -srcstorepass aircontrolenterprise -alias unifi

Unfortunately, I’m running into an error where the certificate is not getting imported into the keystore.

$ sudo java -jar /Applications/UniFi.app/Contents/Java/ace.jar \
 import_cert ~/Desktop/localhost-cert.pem ~/Desktop/localhost-CAcert.pem \
Unable to import the certificate into keystore 

Hurrah! Found the answer.

UBNT Support Page: UniFi – SSL certificate error upon opening controller page

If the error "Unable to import certificate into keystore" appears when importing the signed certificate & intermediate certs, try the following steps:

1. Edit the certificate file and remove any blank spaces after each line of the cert.

And that did it.

$ sudo java -jar /Applications/UniFi.app/Contents/Java/ace.jar import_cert ~/Desktop/localhost-cert.pem ~/Desktop/localhost-CAcert.pem ~/Desktop/localhost
parse localhost-CAcert.pem (PEM, 1 certs): CN=localhost Certification Authority
parse localhost, 0 certs found
parse localhost-cert.pem (PEM, 1 certs): CN=localhost
Importing signed cert[localhost]
Certificates successfuly imported. Please restart the UniFi Controller.

But still doesn’t work completely because it’s self-signed. I guess if I want that green lock then I’ll have to go get a real cert.
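The procedure above (export from Keychain Access, bundle with openssl, swap the keystore entry with keytool), together with the support note's trailing-whitespace fix, as an added shell example; this is not code from the post or from Ubiquiti. It assumes the post's file locations, the controller's default keystore password shown in the commands above, and that openssl, keytool and java are on the PATH; the PEM cleanup and checks themselves need nothing but sed, grep and diff.

```shell
#!/bin/sh
# Added example, not from the original post: normalise a PEM file the way
# the UBNT support note describes (strip trailing whitespace from every
# line), check its framing, then bundle and import it into the UniFi
# keystore with the same openssl/keytool steps the post uses.
# Assumptions: the post's paths and the controller's default keystore
# password; all three can be overridden through the environment.

UNIFI_KEYSTORE="${UNIFI_KEYSTORE:-$HOME/Library/Application Support/UniFi/data/keystore}"
UNIFI_STOREPASS="${UNIFI_STOREPASS:-aircontrolenterprise}"
ACE_JAR="${ACE_JAR:-/Applications/UniFi.app/Contents/Java/ace.jar}"

# Write $1 to $2 with trailing spaces, tabs and CRs removed from every
# line. Prints how many lines were changed.
clean_pem() {
    sed -e 's/[[:space:]]*$//' "$1" > "$2"
    diff "$1" "$2" | grep -c '^<' || true
}

# Return 0 if the file has at least one BEGIN/END pair, the counts match,
# and every body line contains only base64 characters. A trailing space
# fails this, which is exactly what tripped up ace.jar in the post.
check_pem() {
    [ -r "$1" ] || return 1
    begins=$(grep -c '^-----BEGIN ' "$1" || true)
    ends=$(grep -c '^-----END ' "$1" || true)
    [ "$begins" -ge 1 ] && [ "$begins" -eq "$ends" ] || return 1
    if grep -v '^-----' "$1" | grep -q '[^A-Za-z0-9+/=]'; then
        return 1
    fi
    return 0
}

# Stop the controller, bundle cert + key + CA into PKCS12, replace the
# 'unifi' entry, and show the imported entry's subject and fingerprint.
# Arguments: cert.pem key.pem ca.pem out.p12
import_into_unifi() {
    cert=$1; key=$2; ca=$3; p12=$4
    for f in "$cert" "$ca"; do
        check_pem "$f" || { echo "refusing to import malformed PEM: $f" >&2; return 1; }
    done
    java -jar "$ACE_JAR" stop
    openssl pkcs12 -export -passout "pass:$UNIFI_STOREPASS" \
        -in "$cert" -inkey "$key" -out "$p12" -name unifi \
        -CAfile "$ca" -caname root
    # An absent alias is fine on a fresh keystore.
    keytool -delete -alias unifi -keystore "$UNIFI_KEYSTORE" \
        -storepass "$UNIFI_STOREPASS" 2>/dev/null || true
    keytool -importkeystore -deststorepass "$UNIFI_STOREPASS" \
        -destkeypass "$UNIFI_STOREPASS" -destkeystore "$UNIFI_KEYSTORE" \
        -srckeystore "$p12" -srcstoretype PKCS12 \
        -srcstorepass "$UNIFI_STOREPASS" -alias unifi
    keytool -list -v -keystore "$UNIFI_KEYSTORE" -storepass "$UNIFI_STOREPASS" \
        -alias unifi | grep -E '^Owner:|SHA256:'
}

# Stand-alone use: clean first, then import the cleaned copy.
#   clean_pem ~/Desktop/localhost-cert.pem ~/Desktop/localhost-cert.clean.pem
#   import_into_unifi ~/Desktop/localhost-cert.clean.pem ~/Desktop/localhost-key.pem \
#       ~/Desktop/localhost-CAcert.pem ~/Desktop/localhost.p12
```

check_pem fails closed: any byte outside the base64 alphabet on a body line, including the trailing spaces the support note mentions, is rejected before the controller is stopped. The final keytool -list prints the SHA256 fingerprint of what actually landed in the keystore, which you can compare against the fingerprint Keychain Access shows for the same certificate.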

And for reference:

$ java -jar /Applications/UniFi.app/Contents/Java/ace.jar
Usage: java -jar lib/ace.jar  [...]
    start  : start the UniFi controller
    stop   : stop the UniFi controller
    info   : display some information
    installsvc/startsvc/uninstallsvc/stopsvc : install/start/stop as a Windows service
    new_cert      : create new certificate (with csr)
    import_cert  [...] : import the signed certificate and ca cert

September 4, 2017
by puhfu

Amazon Lightsail, Let’s Encrypt, and SSL

I’m really happy having migrated to Amazon Lightsail so far. The documentation is good and it has a big enough user base so that there are plenty of others who have had the same issues as I am encountering. Sometimes though, it’s not quite the same.

Tutorial: Configure Apache Web Server on Amazon Linux to Use SSL/TLS
Appendix: Let’s Encrypt with Certbot on Amazon Linux

Able to follow the first steps:

$ sudo yum-config-manager --enable epel
$ wget https://dl.eff.org/certbot-auto
$ chmod a+x certbot-auto
$ sudo ./certbot-auto --debug

As a side note, certbot-auto is located in /etc.

Anyway, after running through the certbot-auto steps, it fails with the following message:

Incorrect validation certificate for tls-sni-01 challenge. Requested 6e9f679b4c7458baae91e229b3352d33.6e3c653d675dfdf58604b4b049566594.acme.invalid from xxx.xxx.xxx.xxx:443. Received 1 certificate(s), first certificate had names \"ip-yyy-yyy-yyy-yyy, ip-yyy-yyy-yyy-yyy.us-west-2.compute.internal, localhost, localhost.localdomain\"

The certbot documentation for Apache on CentOS/RHEL 7 shows a certificate-only process, instead of the automated installation of the certificate and key into the right locations.

The certificates are located in /etc/pki/tls/certs/
The private keys are located in /etc/pki/tls/private/

$ sudo certbot-auto --apache certonly

Running Certbot generates the certificate and key and puts them into /etc/letsencrypt/live/domain.com/

From there, it is just a quick ln -s to the right directories and boom. SSL works.
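The "quick ln -s" step above, written out as an added example; this is not code from the post, from Amazon or from Certbot. It assumes the paths named in the post (/etc/letsencrypt/live/<domain>/, /etc/pki/tls/certs/ and /etc/pki/tls/private/), overridable through LE_LIVE, CERT_DIR and KEY_DIR so the functions can be tried against a scratch directory first. One caveat on the tls-sni-01 failure shown above: Let's Encrypt retired that challenge type in 2019, so current Certbot releases validate with http-01 or dns-01 instead.

```shell
#!/bin/sh
# Added example, not from the original post: point the Amazon Linux Apache
# locations at the files certbot wrote under /etc/letsencrypt/live/<domain>/
# using symlinks (the post's "quick ln -s"), then check the result before
# restarting httpd. Roots are overridable so this can be exercised against
# a scratch tree.
LE_LIVE="${LE_LIVE:-/etc/letsencrypt/live}"
CERT_DIR="${CERT_DIR:-/etc/pki/tls/certs}"
KEY_DIR="${KEY_DIR:-/etc/pki/tls/private}"

# Create or replace <CERT_DIR>/<domain>.crt -> fullchain.pem and
# <KEY_DIR>/<domain>.key -> privkey.pem. Returns 1 if certbot's live
# directory is missing either file.
link_le_certs() {
    domain=$1
    live="$LE_LIVE/$domain"
    for f in fullchain.pem privkey.pem; do
        [ -r "$live/$f" ] || { echo "missing $live/$f" >&2; return 1; }
    done
    ln -sfn "$live/fullchain.pem" "$CERT_DIR/$domain.crt"
    ln -sfn "$live/privkey.pem"   "$KEY_DIR/$domain.key"
    # chain.pem is only needed as SSLCertificateChainFile on Apache older
    # than 2.4.8; newer versions read the whole chain from fullchain.pem.
    if [ -r "$live/chain.pem" ]; then
        ln -sfn "$live/chain.pem" "$CERT_DIR/$domain.chain.crt"
    fi
}

# Return 0 if the file behind the (possibly symlinked) path is not
# readable by "others"; the private key must never be.
key_is_private() {
    [ "$(ls -lL "$1" | cut -c8)" = "-" ]
}

# Return 0 if the certificate's public key equals the key's public key
# (needs openssl; catches linking a renewed cert to a stale key).
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    k=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$c" = "$k" ]
}

# Print the directives to put in /etc/httpd/conf.d/ssl.conf.
apache_ssl_directives() {
    printf 'SSLCertificateFile %s\nSSLCertificateKeyFile %s\n' \
        "$CERT_DIR/$1.crt" "$KEY_DIR/$1.key"
}

# Stand-alone use:  DOMAIN=domain.com sh this_script.sh
if [ -n "${DOMAIN:-}" ]; then
    link_le_certs "$DOMAIN" && key_is_private "$KEY_DIR/$DOMAIN.key" \
        && apache_ssl_directives "$DOMAIN"
fi
```

Because the links point into certbot's live/ directory, renewals need no further copying; what does need checking after each renewal is that the files behind the links still pair up (cert_matches_key) and that the key is still not world-readable (key_is_private).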

September 4, 2017
by puhfu

Goodbye Rackspace; Hello Amazon Lightsail

Some of the documentation I used:

1. Getting ssh to work from Mac OS X terminal. Lightsail uses ssh keys for access. They also have a web-based ssh session which is pretty good but it has a short time-out. Plus, I like my terminal.

How do I set or change the root password for my EC2 Linux instance?
Amazon EC2 Key Pairs – Retrieving the Public Key
Set up SSH in Amazon Lightsail
Log in with an SSH private key on Linux and Mac
Tutorial: Installing a LAMP Web Server on Amazon Linux

2. Now I need vsftpd

$ sudo yum install vsftpd 

How to Setup FTP (SFTP) on an AWS EC2 Instance

3. Wait, no iptables?

That’s right. With Lightsail, it’s in the Networking tab on the Lightsail dashboard and you use that to open up ports, in this case FTP 20-21 and 1024-1048.

4. SSL!
Tutorial: Configure Apache Web Server on Amazon Linux to Use SSL/TLS
Appendix: Let’s Encrypt with Certbot on Amazon Linux

Yikes. I can’t do SSL until the site is migrated over. Oh well. Let’s do that.

5. Migrate WordPress files, export/import the database. Needed to change wp_options siteurl and home from http://domain.com to http://x.y.z.a. After using the IP address in the URL, I can get pages to load. Whoo hoo!

6. Migrated the DNS

7. Hm. Why is /html not directing to subdirectory/ and why am I getting 500 errors? Well, I can get WP to work now, but only by manually adding the subdirectory in the URL, which means that mod_rewrite isn’t working.

Enable mod_rewrite on Apache EC2 Linux Server

Hm. Check php.ini. Well, mod_rewrite is installed. So what’s up then?

/var/log/httpd/error_log is showing something funky in .htaccess. Weird control characters? Oh man, I must have introduced them in a copy/paste. Once retyped, it works.

Except non-default Permalinks. Argh.
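A check for the stray bytes described above, as an added example that is not part of the original post. It reports every byte in a config file that is not printable ASCII, tab or newline, with its line number, so a pasted carriage return or zero-width space is visible instead of surfacing as a mystery 500 in error_log. It assumes only awk, tr and a POSIX shell; the sample lines in the usage comment are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: find the "weird control
# characters" that a copy/paste left in .htaccess before Apache chokes on
# them. Every byte that is not printable ASCII, tab or newline is reported
# with its line number and rendered as \xNN; a CR shows up as \x0D and a
# pasted zero-width space as \xE2\x80\x8B.

# Report offending bytes in $1 as "file:line: text". Returns 1 if any
# were found, 0 for a clean file. LC_ALL=C makes awk work bytewise.
find_control_chars() {
    LC_ALL=C awk '
        BEGIN { for (i = 1; i < 256; i++) ord[sprintf("%c", i)] = i }
        {
            out = ""; bad = 0
            for (i = 1; i <= length($0); i++) {
                c = substr($0, i, 1); o = ord[c]
                if (o == 9 || (o >= 32 && o <= 126)) out = out c
                else { out = out sprintf("\\x%02X", o); bad++ }
            }
            if (bad) { total += bad; printf "%s:%d: %s\n", FILENAME, NR, out }
        }
        END { exit total ? 1 : 0 }' "$1"
}

# Remove only carriage returns (the usual culprit from a Windows paste),
# writing $1 to $2. Other stray bytes need a look by a human, so they are
# left in place for find_control_chars to point at.
strip_cr() {
    LC_ALL=C tr -d '\015' < "$1" > "$2"
}

# Stand-alone use (constructed sample):
#   printf 'RewriteEngine On\r\nRewriteBase /\n' > /tmp/htaccess.sample
#   find_control_chars /tmp/htaccess.sample     # -> /tmp/htaccess.sample:1: RewriteEngine On\x0D
#   strip_cr /tmp/htaccess.sample /tmp/htaccess.clean
```

Lines such as RewriteRule ^[A-Z]* ... are left alone because the test is on byte values, not on the ^X rendering cat -v would give, so a regex anchor in a rewrite rule never produces a false positive.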

September 3, 2017
by puhfu

Open source projects have the craziest names – Wazuh

Decided I was unhappy with the unsupported, very old school visualization OSSEC-WUI. It’s been unsupported for a while. There must be something new out there.

Lo and behold. Wazuh open source host and endpoint security

Great documentation:
Migrating OSSEC manager installed from packages
Install Wazuh server with RPM packages

In general, the step-by-step instructions are clear and explicit. I had to do some steps manually though.

1. Created the wazuh.repo repository file /etc/yum.repos.d/wazuh.repo

name=CentOS-$releasever - Wazuh

2. For NodeJS install, had to add ‘sudo’ in order for bash to run correctly

$ curl --silent --location https://rpm.nodesource.com/setup_6.x | sudo bash -

3. And I need Python 2.7. Python 2.6 is installed already for yum, but Wazuh wants 2.8.

$ yum install -y centos-release-scl
$ yum install -y python27

4. Also had to create the elastic.repo repository file /etc/yum.repos.d/elastic.repo

name=Elastic repository for 5.x packages
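Both this post's NodeSource step (curl ... | sudo bash) and the certbot-auto download in the Lightsail post above hand a freshly downloaded script straight to a root shell. This added example, not code from the post or from either project, separates the download from the execution and refuses to run the script unless its SHA-256 matches a digest obtained out of band (a publisher's signed release note, or a checksum you recorded from a known-good copy). The EXPECTED_SHA256 value is a placeholder, the URL is the one from the post, and sha256sum or shasum plus curl or wget are assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the original post: download an installer script
# to disk, compare its SHA-256 with a digest you obtained out of band, and
# only then hand it to a shell (with sudo if needed). The digest below is a
# placeholder, not a real value for setup_6.x or certbot-auto.

EXPECTED_SHA256="${EXPECTED_SHA256:-<placeholder: publisher-supplied sha256>}"

# Print the SHA-256 hex digest of a file (GNU sha256sum or BSD/macOS shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Fetch URL $1 to file $2 without executing anything (curl, else wget).
fetch_script() {
    if command -v curl >/dev/null 2>&1; then
        curl --fail --silent --show-error --location --output "$2" "$1"
    else
        wget -q -O "$2" "$1"
    fi
}

# Run script $1 with sh, prefixed by any extra words (e.g. sudo), but only
# if its digest equals $2. Returns 2 on mismatch and does not execute it.
run_if_verified() {
    script=$1; expected=$2; shift 2
    actual=$(sha256_of "$script")
    if [ "$actual" != "$expected" ]; then
        printf 'digest mismatch for %s\n expected %s\n actual   %s\n' \
            "$script" "$expected" "$actual" >&2
        return 2
    fi
    "$@" sh "$script"
}

# Stand-alone use (the post's NodeSource step, verified first):
#   fetch_script https://rpm.nodesource.com/setup_6.x /tmp/setup_6.x
#   less /tmp/setup_6.x                      # read it; it will run as root
#   run_if_verified /tmp/setup_6.x "$EXPECTED_SHA256" sudo
```

The same three calls cover the wget of certbot-auto in the Lightsail post: fetch, read, verify, then run. Keeping the downloaded file around also means you can diff it against the next release before trusting that one.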

But uh oh. I can’t run elasticsearch. Not enough memory. Hm.

So far, I have installed:


Hm. Maybe it’s time to admit that I’m overpaying for hosting with Rackspace – well, overpaying for what I need.

Time for another rabbit hole.

September 2, 2017
by puhfu

Idle hands are the devil’s workshop (Prov 16:27)

or How I spent the Saturday of Labor Day weekend.

Because it was so hot outside, I decided to do some server maintenance.

1. Used yum and the @ius repository to install Apache 2.4. I heard that 2.4 does memory management better.
2. Discovered that I broke something and WP would not load correctly (PHP module dependency)
3. Decided that the differences between 2.2 and 2.4 were not sufficient for me to spend time making 2.4 work
4. Uninstalled apache 2.4 using yum
5. Tried to install apache 2.2 using yum and watched it fail.
6. Learned yum clean all and how to find the name of a package yum list installed and remove the ones that didn’t get erased cleanly with the uninstall
7. Finally reinstalled apache 2.2
8. Installed PHP 7 because why not
9. Decided to add my instagram feed to the main X marks the spot page so mucked with my child theme and discovered that it is no longer supported (but I like it and I can read CSS so NBD I guess)
10. Discovered that my CSS is very rusty. Thank goodness for backups.
11. Decided to figure out my social media cross posting.

Twitter –> Facebook app –> Facebook post (set Only Me so that I don’t spam with my conference/HIT tweeting)
Instagram –> IFTTT –> Twitter
Instagram –> IFTTT –> Tumblr (I have a tumblr?)
Instagram –> WP widget –> WP
WP –> WP plugin –> Twitter (selective by post)
Twitter –> WP widget –> WP

I show my insta and twitter on the main WP page (right columns, see #9/10 above)
But I am old so I use FB instead of instagram. How do I get my Facebook to cross-post to WordPress? There are many WP plugins to do the opposite.

Facebook simple text post –> IFTTT –> WP post ** WORKS **
Facebook link post –> IFTTT –> WP photo post ** DOESN’T WORK **

Well, let me rephrase: cross posting an FB link post to a WP photo post works, but for some reason the IFTTT applet runs multiple times, resulting in multiple WP posts.

Troubleshooting that will be left to another day.

October 6, 2015
by puhfu

CPR for an old MacBook Air

Once upon a time, I picked up a 2nd generation (2,1) MacBook Air (Late 2008), 1.6 GHz Intel Core 2 Duo, 2GB RAM, 120GB HD, NVIDIA GeForce 9400M 256MB, and was thrilled with how small it was. 3 lbs woo!

MacBook Air

It ran 10.5 briskly. Then I made the mistake of upgrading to 10.6 and that’s when I pretty much stopped using it. It was dog slow and I was too lazy to downgrade back to 10.5. But recently, while cleaning out my old technology boneyard, I thought I’d give it another go at being useful. Always good to have a laptop around the house when you need to do something like remote desktop spy on your kids to make sure that they’re not on tumblr or playing CS:GO http://blog.counter-strike.net/. If CPR can be made as easy as 2 steps …

I picked up an OWC SSD replacement (Mercury Aura Pro MBA) and whew! It’s snappy. Upgraded to 10.7 and still snappy. 10.8? Snappy. 10.9? Less snappy, but definitely usable. So I’m pretty annoyed at myself for waiting so long to get on the SSD bandwagon, although I’ll be the first to admit that it was because I didn’t want to pay for something that wasn’t really working cost related. This is a 7 year old machine after all. I wonder how well it’ll do with Yosemite or El Capitan?