Categories
Linux PicoPosts

Adding certificates to Java keystore

Java has its own certificate storage. At least in Arch Linux it is located in:

/etc/ssl/certs/java/

To add a new certificate there, run this command:

keytool -keystore cacerts -importcert -alias myrootcert -file /path/to/MyRootCert.crt

(you might want to run that as root) As a password, the default is “changeit”.

I encountered this while setting up my Android project in IntelliJ IDEA, trying to do a Gradle build. Also the Android SDK tool was failing on an invalid SSL connection.

(2741)

Categories
Awesome Linux Open source Programming Projects Technology Web development

HTTP and HTTPS running on the same port

Running HTTP and HTTPS on the same port with Apache. They said it couldn’t be done. They were wrong!

https://github.com/Dejvino/https-multiplexer

I’ve modified a simple Python port forwarding utility to act as a port multiplexer that can automatically forward HTTP and HTTPS requests to the appropriate ports. If the request looks like an HTTP in plain text, it forwards it to port A. Otherwise it is assumed to be HTTPS and is forwarded to port B.

Now you can run your web applications from a single port, regardless of using HTTP or HTTPS. Hooray!

(1996)

Categories
Linux Open source Privacy Projects Technology Web development

How to become a Certification Authority

This short How-To has been compiled based on the work I’ve done so far while building my personal home server. To achieve reasonable level of privacy without spending a fortune on it, I’ve become my own Certification Authority (CA).

Overview

These are the basic steps covered later in detail:

  1. Create a CA key and certificate.
  2. Create a server key and a Certificate signing request (CSR).
  3. Sign the CSR using the CA key.
  4. Use the new server certificate in Apache.
  5. Import the CA certificate into your browsers.
  6. … Profit!

What this results in is a single certificate file for your CA that you distribute and import into your browsers (PC, phone, …). Every individual signed server / service certificate you create and use is then automatically recognized as valid and trusted. If you are using a personal set of services (various web applications, XMPP server, etc.), this saves you a lot of “exception adding”, just import one (your) CA certificate and everything is working, no need for the browser to nag about self-signed certificates.

Detailed how-to

Creating a CA key pair

First, prepare your “playground”, a data storage somewhere on your (preferably Linux) computer. It should look like this:

root-ca
 |-- conf     ... for configuration files.
 |-- private  ... for private CA key (protect this directory!)
 |-- public   ... for public CA key
 |-- requests ... for incoming CSR
 +-- certs    ... for resulting certificates

Now cd to the root-ca directory. Create a configuration file conf/openssl.conf with the following content:

[ req ]
default_bits            = 2048
default_keyfile         = ./private/root.pem
default_md              = sha1
prompt                  = no
distinguished_name      = root_ca_distinguished_name
x509_extensions = v3_ca

[ root_ca_distinguished_name ]
countryName             = UK
stateOrProvinceName     = Sussex
localityName            = Brighton
0.organizationName      = Example Inc
commonName              = Example Inc Root CA
emailAddress            = david@example.com

[ v3_ca ]
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always,issuer:always
basicConstraints        = CA:true

[ ca ]
default_ca              = CA_default

[ CA_default ]
dir                     = .
new_certs_dir           = ./certs/
database                = ./conf/index
certificate             = ./public/root.pem
serial                  = ./conf/serial
private_key             = ./private/root.pem
x509_extensions         = usr_cert
name_opt                = ca_default
cert_opt                = ca_default
default_crl_days        = 30
default_days            = 365
default_md              = sha1
preserve                = no
policy                  = policy_match

[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ usr_cert ]
basicConstraints        = CA:FALSE
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer:always
nsCaRevocationUrl       = https://www.example.com/example-ca-crl.pem

It might look long and complicated, but most of it is pretty self explanatory. What you should edit is the root_ca_distinguished_name section and the nsCaRevocationUrl.

Then initialize the “certificate counters”, like so:

echo "01" > conf/serial
touch conf/index

Finally, generate a CA key pair (public and private root.pem files):

openssl req -nodes -config conf/openssl.conf -days 1825 -x509 -newkey rsa:2048 -out public/root.pem -outform PEM

Creating a server key pair

On the server for which you want to obtain a signed certificate, do this:

openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr

Then you can transfer the server.csr file to the CA’s requests directory.

Signing the CSR

Simply call this command and you get a signed certificate server.cert from a request server.csr:

openssl ca -batch -config conf/openssl.conf -in requests/server.csr -out certs/server.cert

Setting up SSL in Apache

Somewhere in the httpd.conf or inside a virtual host configuration add these lines:

 Listen 443
 SSLEngine on
 SSLCertificateFile /path/to/keys/server.cert
 SSLCertificateKeyFile /path/to/keys/server.key
 SSLCertificateChainFile /path/to/keys/root.pem

These lines activate SSL and the port for SSL, specify server certificate, private certificate key and (optionally) root CA certificate. After restarting the server, HTTPS should be ready to use.

Importing and using

Different applications have different ways of importing trusted CA certificates.

On Windows, you just “execute” the certificate and install it into the appropriate category. This should take care of most of your applications. Web browser (e.g. Firefox) might need to have this certificate installed explicitly, ignoring certificates in the OS.

On Linux, look for /etc/ca-certificates.conf, add the certificate filename there and copy the file to /usr/share/ca-certificates/. Then run update-ca-certificates –fresh to recreate the list of known certificates.

 

Based on these articles:

(2905)

Categories
Linux PicoPosts Projects Raspberry Pi Technology

Linux udev USB automount script

I’ve been wondering how to enable automounting of USB drives on my Raspberry Pi server. The sollution is pretty simple with udev on Arch Linux.

  1. Create a new file /etc/udev/rules.d/automount.rules
  2. Fill this script:
    ACTION=="add",KERNEL=="sda*", RUN+="/usr/bin/mount /dev/sda1 /mnt/disk-a"
    ACTION=="remove", KERNEL=="sda*", RUN+="/usr/bin/umount /mnt/disk-a"
  3. Run udevadm control --reload-rules to reload the rules.
  4. Done!

Naturally you should modify the script to your needs. What this one does for me is that when sda1 is connected, it is mounted as /mnt/disk-a (and unmounted when removed). Adding more lines like this can be used to mount more / other drives.

(9293)

Categories
Linux Privacy Projects Technology

Building a Digital Haven (home server)

As part of my “Prism break” initiative, I’ve started working on a personal (family) server — a safe haven in the wild digital world.

Target and usage

  • near-silent box you turn on and forget about
  • low energy consumption
  • large disk space
  • above-average data storage reliability, probably via RAID 1
  • web server (for email client, “cloud” storage interface, …, Friendica, etc.)
  • IM server (Jabber)

Hardware

Ideal setup: specialized low-energy no-fans computer.
Problem: hard to come by the appropriate parts, expensive, weak hardware.

My current plan: choose from what is available on the regular PC market, focus on power consumption, size and minimize unnecessary components / features.
Reason: consumer electronics are pretty cheap, standardized, easy to obtain. The bill for electricity will not outweigh the cost of a more energy efficient hardware.

— W-I-P —

Motherboard

Must have:

  • several SATA ports — for several disks
  • RAID 1 support
  • basic integrated graphics card (just for the setup phase, will not be actually used later on)

Should have:

  • USB 3.0 — for external disks
  • eSATA — for external disks

Selected type: AMD, FM2 socket. Supports the latest Trinity processors. These should have some usable power-saving capabilities.

Example: ASUS F2A85-M LE

Processor

Should have:

  • power-saving options — large portions of time it’s not going to be used
  • multiple cores — will have to serve multiple requests at a time

Selected type: based on the selected motherboard.

Example: AMD Athlon X4 740

Memory

Size “table”:

  • 2 GB — bare minimum
  • 4 GB — sufficient for most work
  • 8 GB — sufficient for most work with a nice reserve and smooth operation
  • 16 GB — virtualization becomes a usable possibility
  • 32 GB — … Hello? Anyone there? … *sound of echo*

Basic memory sticks seem to be the best — no fancy coolers needed, that can only mean energy wasted.

Example: Kingston 8GB 1333MHz

Power supply

Should have:

  • less than 400 W — should be a low-energy device, so no need for anything stronger
  • large fan (if any) — large means less RPMs means less noise
  • surge-protection etc.

Example: Seasonic G Series 360W

Hard drives

Setup:

  • 1 system disk
  • 2 data disks in RAID 1

Data disks should be separate from the OS disk. It would be best if the data disks could be simply unplugged and used freely on their own if the server broke down.

Energy efficiency is a question here: shared OS+Data disk would be a one-disk-less solution, meaning less devices to power. On the other hand, if the data is not needed, the disks may be powered down and only one device would then run.

Should have:

  • generally
    • low energy consumption (lower RPMs, etc.)
  • system disk
    • 32+ GB of space
    • fast
    • used for the OS and installed applications
  • data disk
    • 1+ TB of space
    • mostly sequential access to larger files, not many changes, mostly read operations

Example:

System disk — 32 GB SSD?

Data disk — WD Green WD10EZRX 3.5″ 1TB

Other things

Electricity usage meter might come in handy. Example: BaseTech Cost Control 3000

 

Grand total: 11 500 CZK = 444 EUR = 584 USD

…it is arguable whether it is worth it. Time for a web-hosting solution!

(1179)

Categories
Friendica Ideas Open source Privacy Projects Raspberry Pi Technology Uncategorized

Prism break

If you haven’t heard about the Prism scandal, you should read a bit about it. But basically, numerous large companies based in the US have allowed private information of their users to be accessible to the government (the NSA, to be more exact). Maybe even yours, if you’ve ever interacted with companies like Google, Apple, Facebook and others.

As mentioned on the Prism-Break website, there are lots of alternatives to the services and software most of us currently use. And surprisingly, it should’t be that hard to switch to a more secure and privacy-protecting solution to your daily internet-related needs.

Here is my personal ‘Prism break’ roadmap, or a security todo list:
Note: work in progress, subject to change.

Email

Biggest challenge as far as I can see. The concept itself is sadly not really that secure.

Must have:

  • highly reliable (so no self-hosted solutions are acceptable)
  • web client for easy accessibility
  • address based on own domain name (and email address), e.g. me at dejvino dot com
  • at least country-local hosting (i.e. here in Czech Republic for me)

Should have:

  • contacts
  • calendar

Could have:

  • email content encryption. Currently it seems pretty impractical, but who knows. Maybe there is a usable solution?

Some cheap web-hosting with emails? http://hosting.wedos.com/cs/webhosting.html

IM

Similar to email. Doesn’t require 100% availability.

Ideas:

  • own secure Jabber/XMPP server? Could be self-hosted / VPS. Expensive, hard to maintain.
  • rented server? server-side history is hard to come by. Only Google has got it all…

Should have:

  • encrypted transmission
  • secured history saved on server side

Web hosting

I’m currently using external paid services. I might switch to a more custom solution, i.e. home server.

Raspberry Pi anyone? … UPDATE: nope, it could work for really simple services, but running anything more sophisticated results in long response times. And since I’ve got big plans, it is not the right solution.

Cloud storage

Dropbox has been a great service — lots of free space, great tools on Windows as well as on Android.
I’m in the process of switching to a more controlled ownCloud server solution.

Must have:

  • web interface
  • handle large files
  • access restrictions
  • per-user space limits (quotas)
  • PC client (Windows)

Should have:

  • online music streamer
  • public file-linking capability
  • applications / plugins / extensions

Could have:

  • Android client
  • synchronization / backup support

Social media

Friendica is a project I’ve been using a bit and am planing to use a bit more. But the other “standard” ones still seem quite usable, to some extent.

Should have:

  • RSS-feed-reader-like view
  • responsive design / client for Android
  • integration of different social networks

TODO: move Friendica to a more powerful server. It is quite CPU-demanding.

Web browsing

Type Current New Status
Browser Google Chrome Firefox DONE
Passwords KeePass KeePass + KeeFox DONE
Plugins DoNotTrackMe, HTTPS Everywhere, … see FixTracking.com as a handy guide. DONE

(3892)

Categories
Raspberry Pi Technology

Plan 9 on Raspberry Pi – done

Finally got it working. All it needed was a 2+ GB SD card and not only 1 GB, which resulted in a restart-loop with error messages not far from “Something is broken! Panic!”.
Next on my agenda – hook up all of my 5 RPis and form a “supercomputer”!

Source: http://bendyworks.com/geekville/lab_projects/2012/11/getting-plan-9-running-on-the-raspberry-pi

Also interesting: http://plan9.bell-labs.com/sources/contrib/miller/

To get you started: http://www.quanstro.net/newbie-guide.pdf

And by the way – the user experience is ground-breaking and paradigm-shifting. The scrolling wheel works in an opposite direction! (+ some other mind blowing things)

(1508)

Categories
PicoPosts Raspberry Pi Technology Uncategorized

Raspberry Pi case

It is finally here! My new Raspberry Pi case.

You can buy it here – http://www.emko.cz/katalog/it-skrine/mini-itx-skrine/em-raspberry-little-case-b

(9202)

Categories
Linux Open source PicoPosts Raspberry Pi Technology Uncategorized

Distributed Pi

Plan 9 – distributed operating system, now ported to Raspberry Pi.

http://bendyworks.com/geekville/lab_projects/2012/11/getting-plan-9-running-on-the-raspberry-pi

…newly on my ToDo list.

(1117)

Categories
Linux Open source Raspberry Pi Technology

Raspberry Pi – sound HOW-TO

Here are a few pointers on how to make the sound work on Raspberry Pi. I’ve gathered these bits and pieces along the way of using this tiny computer.

First of all – Arch Linux for ARM (i.e. alarm) is the best distro I’ve used on RasPi so far. Lightweight, starts in just a few seconds, has a lots of packages and you can install it just the way you want. And this is also the distro for which I am writing this short How-To.

How to add the sound module

To make the system see the integrated sound card you need to load the appropriate kernel module. Like so:

sudo modprobe snd_bcm2835

To check whether it is loaded, just check the output of lsmod. The command written above has to be executed every time the system starts. To make it “stick”, add the module to the list of automatically loaded modules. That is create a new file  /etc/modules-load.d/sound.conf containing just a single line:

snd-bcm2835

That’s it. The sound module should now load every time you start your RasPi.

How to install Alsa

Most of the programs will be able to output sound using Alsa. To install it, issue this command:

sudo pacman -S alsa-utils alsa-plugins alsa-lib alsa-firmware

Now you can run speaker-test and it should produce a nice white noise on your speakers.

How to enable analog sound

If you want to select which sound output should be used (HDMI or analog 3.5mm jack), the command to use for Alsa and analog output is:

sudo amixer cset numid=3 1

Or substitute the last “1” for “2” if you want HDMI.

How to make VLC or mplayer work with Alsa

If you are getting messages like this:

alsa audio output error: cannot commit hardware parameters: Invalid argument
jack audio output error: failed to connect to JACK server
main audio output error: no suitable audio output module

All you have to do is fix the sound card configuration via creating a simple *.conf file: /etc/asound.conf with the following content:

pcm.!default {
   type hw
   card 0
}
ctl.!default {
   type hw
   card 0
}

For more info, take a look at this: http://elinux.org/R-Pi_Troubleshooting#Sound

(27627)