Posted by & filed under Server Admin, Virtualization, VMWare.

Ran into some issues with the ssl certs on the vCenter server when trying to run the Migration Assistant. Notes on the will follow, but first links to articles on the actual upgrade:

The issues I ran into with the migration assistant complained of the SSL certs not matching. Upon inspecting the certs I found all were issues for domain.lan except for one which was issued to domain.net. I followed the following articles to generate a new vCenter cert and install it:

  • Generate SSL cert using openssl: https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2074942
  • Install and activate cert: https://kb.vmware.com/selfservice/search.do?cmd=displayKC&docType=kc&docTypeID=DT_KB_1_1&externalId=2061973

As the Appliance Installed reached Stage 2 of the install where it copies the data to the new VCSA, I received the following error (note the yellow warning in the background along with the details in the foreground):

To resolve this error, I followed the following articles:

  • Upgrading to VMware vCenter 6.0 fails with the error: Error attempting Backup PBM Please check Insvc upgrade logs for details (2127574): https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2127574
  • Resetting the VMware vCenter Server 5.x Inventory Service database (2042200): https://kb.vmware.com/selfservice/search.do?cmd=displayKC&docType=kc&docTypeID=DT_KB_1_1&externalId=2042200#3

Which essentially had me reset the inventory service’s database due to corruption. I had noticed the vSphere client slow in recent weeks, this could be a side effect.

  • Additional more generic docs for tshooting vCenter upgrades: https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2106760

 

Posted by & filed under Active Directory, Server Admin, Virtualization, VMWare.

Attempting to join a freshly deployed VCSA server to a AD domain can be problematic if SMB1 is disabled. In my case it was 5.5 but I believe this issue persists in 6.x. SMB1 was disabled on the DC as it should be as it is broken and insecure. The problem lies in the fact that VCSA doesn’t support SMB2 and this causes the error. The VAMI (web interface) might report something like the following when attempting to join the domain:

Additionally, on the VCSA, /var/log/vmware/vpx/vpxd_cfg.log contains entries like the following:

Of course DNS resolution of the VCSA’s hostname should be validated before continuing, but assuming everything else is in working order, the fix is to enable SMB2 on the VCSA.

Verify SMB2 is disabled (note the Smb2Enabled key is 0:

Enable SMB2:

Restart the lwio service:

Log out of VAMI web interface, log back in and retry joining to the domain.

Posted by & filed under Hardware.

Using the sas2ircu utility from LSI, we can blink the drive LED to help ID the failed drive correctly. Of course this requires a LSI card. Some LSI cards may need to use the sas3ircu utility instead. There have been some reports from the interwebs that this utility failed to blink the correct drive, but I have not experienced this myself.

As always use the supercomputer between your ears to ensure the physical serial and the serial reported by the system match, etc etc.

Back to the sas2ircu utility in a moment. We need to first acquire the serial number of the failed disk. For a system that is multipath, we can find the actual dev names by running the following to locate a disk in the fail state:

Now we can see da16 is failed. Time to get the serial number of that disk. Or da43. they are the same just multipaths.

Save that serial number for the next step.

Smartctl also outputs other useful information about the drive, statistics, etc. Worth checking out, but not relevant here.

Next, we can display the disks attached to one of those controllers. Be sure to input the correct serial number in the grep command:

Get the enclosure and slot # of the failed drive and turn the led on:

Turn the led off:

NOTE: If you are replacing a disk that is multipath, e.g. you see something like the following when you offline and remove a disk, ensure that the LED above is OFF or GEOM_MULTIPATH will not pickup the new disk as multipath. See the below log for what happens when a disk is inserted with the LED blinking Vs not blinking:

 

Posted by & filed under Adruino, Hardware, Hardware Development, Programming.

PlatformIO is an open source ecosystem for IoT development
Cross-platform build system. Continuous and IDE integration. Arduino and ARM mbed compatible

 

Came across this cool IDE, built on top of Atom for dev of iot. There is also a commercially supported offering. http://platformio.org/

Posted by & filed under Linux.

Scenario:

We need to scp a file between two hosts. The problem is that the two hosts (A & C) cannot directly communicate. We can solve this using a SSH tunnel and an intermediate host (B) that can communicate with both. This also means, the command for Host B needs to run first, then the scp command for host A.:

 

Host A (source)

This will scp to localhost on port 3000 which is actually our tunnel to host c — /destination_file is the path on host C

Host B (intermediate)

Host C (destination)

 

 

Also, if you have spaces in the paths make sure to escape the space with \ e.g.

 

Posted by & filed under Server Admin.

I have a PKCS12 .pfx export of a cert that I need to import into a Tomcat keystore in order to update an expiring certificate.

 

Need to know a few things beforehand:

  • Tomcat keyfile path
  • Source store password for the pfx file
  • Source alias for the pfx
  • Dest source passwd
  • Dest source alias

In order to get the source alias from the new pfx file:

If you need to get the alias from the existing Tomcat keystore:

Additionally, the above command can be used to verify the certificate, expiry date, etc.

Lastly, if you restart Tomcat and it throws errors like the following in the catalina log, you may need to reset the keystore password:

Reset to the correct password as defined in the servver.xml keyStorePass parameter using the following command. You may need to adjust alias to your needs. You will be prompted for the new password, which should match the previously mentioned keyStorePass parameter.

You can also reset the password for the keystore itself (www.ibm.com/support/knowledgecenter/en/S…):

 

 

EDIT FROM THE FUTURE:

Additional note — when trying to run the import command I was getting the following error:

I ran the following to verify the alias is correct:

Key ID of 2 is displayed correctly here as well as a more verbose output also showed the same:

I then took the same .pfx file and checked it on a linux machine based on a hint from this stackoverflow on binary chars: http://stackoverflow.com/questions/15301005/keytool-cant-find-alias

And lo’ and behold it shows the alias is actually 1!

 

..Back in Windows land:

It accepted alias 1 instead and the cert imported correctly. I love Tomcat -_-

 

 

 

 

Posted by & filed under Linux, Server Admin.

I had a old server I brought up and it was unable to complete it’s boot due to a missing drive in fstab. Editing the fstab in recovery mode is not a option since the filesystem gets flagged as read only.

In order to make the FS writable and therefore be able to successfully edt the fstab, the following command will remount the FS in read/write mode:

 

Posted by & filed under Server Admin.

I recently had a Windows XP laptop crash. Windows would not boot to safe mode or anything, and just displayed the following error message:

I could not afford to simply wipe the laptop and reinstall windows as it had some old software that was no longer available.I located the following article which details a procedure to recover from this issue using the MS recovery console and using the System Restore: https://support.microsoft.com/en-us/kb/307545

As this laptop did not have a optical cd-rom, it was a difficult proposition to make a XP bootable USB stick to complete this procedure since I do not have the media handy. Additionally, it seemed like a pain to go thru all the steps when it could be simplified quite a bit with a functioning OS like linux. I decided to attempt to recover using a linux live cd:

  1. Create a bootable USB stick with Ubuntu on it using uNetBootin
  2. Boot to the USB stick.
  3. Make backups of any critical files (just in case)
  4. Backup registry files at C:\windows\system32\config to usb stick:
  5. Access the System Volume Information which should contain restore points for the system. See Part 2 Steps 7 through 10 in above MS article for details, but in a nutshell you want to access C:\System Volume Information. There will be one or more folders inside and their names will be similar to “_restore{D86480E3-73EF-47BC-A0EB-A81BE6EE3ED8}”. Inside these folders, look for RPx folders. There may be more than 1, and x would be a number. Look at the created dates of these folders to identify a fairly recent restore point. For example I found one that was two weeks old in RP47.
  6. Access the snapshot folder to retrieve registry backups. Example:
  7. Inside the snapshot directory, copy the registry files to a temp location, and make a backup of them:
  8. Copy the snapshots to C:\windows\system32\config.
  9. Delete the old crashed registry files:
  10. Rename the backup registry files to replace the ones you just deleted:
  11. Cross your fingers and reboot! If it does not work, and you still receive the same error message, you may need to try a older registry snapshot. Simply follow the above steps to try a different registry snapshot.

Good luck!

Posted by & filed under Linux, Server Admin.

This all started with WordPress timeouts. I was trying to activate some premium plugins, and the license activation was timing out. I started doing some digging and found they use the WordPress core library WP_http which in turn uses curl to make the request. I wrote my own code to use WP_Http and it failed in the same way with a timeout. I added a timeout parameter to the wp_remote_get() call, and it was able to complete without a timeout. I then used a IP address in place of the domain name and it worked without the need for the timeout parameter.

With that info in hand, I decided it must be on the server. I started doing some tests:

I then did the same test from another server that uses the same DNS servers in resolv.conf:

After much googling, I found a few number of suggested solutions:

  • Disable IPv6
  • Ensure /etc/nsswitch.conf is set correctly (hosts: files dns)

Neither of these worked for me. Finally, I added the following directive into my resolv.conf and it fixed the issue!

Apparently, this is actually somewhat related to ipv6 — from the resolv.conf manpage:

Now, I get good response times when I curl:

Looks like the resolver sends parallel requests, fails to see the IPv6 response, waits 5 sec and sends sequential requests because it thinks the nameserver is broken. By adding the options single-request, glibc makes the requests sequentially be default and does not timeout.

I found some good info and hints on this issue here: https://bbs.archlinux.org/viewtopic.php?id=75770

Lastly, to bring this whole thing full circle, the WprdPress plugins now are able to get out and communicate successfully. Woohoo!

Posted by & filed under Uncategorized.

MassMine allows you to easily datamine Twitter, Google, Wikipedia, and soon Facebook for data. Pretty cool! From the official site:

MassMine is a social media mining and archiving application that simplifies the process of collecting and managing large amounts of data across multiple sources. It is designed with the researcher in mind, providing a flexible framework for tackling individualized research needs. MassMine is designed to run both on personal computers and dedicated servers/clusters. MassMine handles credential authorizations, rate limiting, data acquisition & archiving, as well as customized data export and analysis.

 

www.massmine.org/

Posted by & filed under Firewalls, Security, Server Admin.

cPanel WHM’s cpHulk system manages iptables blocks against IP addresses that fail to authenticate repeatedly. While the settings are fairly lenient and shouldn’t result in legitimate users being blacklisted, occasionally it can happen. The following command will reset the blocklist completely. While this is akin to using a shotgun when a scalpel is required, the blocks are time based and any malicious addresses would get quickly re-blocked.

 

There is a method to remove specific addresses, but I do not have the commands handy at present, and if I remember correctly it entails connecting to the mysql console, running a query to find the IP in the block table and issuing a drop query.

Posted by & filed under Software.

First step is creating the network.

Second step we are going to add a server to that network. Generate oauth password here http://www.twitchapps.com/tmi/

In case you’re wondering, the above -auto tag is optional. What this means is when you connect to this network, it will automatically connect to this server.

Third step is where we add the channel to the network you created in the first step. And in case you’re wondering, the channel is just your Twitch username.

Again, the -auto tag is optional.

And that does it. All you need to do now is connect to that network. Which is accomplished simply by the following:

One thing that I would suggest you go ahead and do once you get that sorted out, is ignore the user jtv. It will ping you information that you simply don’t need or care about. Of course, feel free to leave it. But if you do want to ignore it, just type:

Saved from the void via Google’s cache. Woohoo

Posted by & filed under Security, Web Development.

A few handy commands to cut to the chase and find the crap spammers/skiddies have added to a WP install:

Find files containing text recursively:

A good use of this is to search for the below. It can return false positives, but finds a function commonly used to obsfucate code:

Diff two installations. If you have a clean copy of WP, you can compare it to a compromised version to find the differences. Here I am excluding the error_log file, and sending the output to diff.txt for review:

Find php files (and other filetypes that should not be present in the uploads directory. This is typically one if the first places things are placed:

Grep the DB. Sometimes things get hidden in the database in an effort to hide malware. Considering that a WordPress database is tiny in the grand scheme of things, a simple way to quickly review what is in the database is to use mysqldump, phpmyadmin or whatever tool you would like to export the entire database to SQL. Then you can review the contents easily. Be on the lookout for base64 encoded strings, they are a good giveaway.

Find recently modified PHP files:

 

 

Posted by & filed under Linux, Server Admin.

Quick and dirty way to pull out the key and crt from a pkcs12 file:

If you are using this for Apache and need to strip the password out of the certificate so Apache does not ask for it each time it starts: