Dec 27 2016

Why isn’t the full certificate chain provided by my web server?

Category: Computer,LinuxTuxevara @ 18:23

Good question, simple answer though: Probably you’re still on Ubuntu 14.04 (Trusty) and thus your Apache version is too old (2.4.7) and does not provide the full certificate chain from the file specified as SSLCertificateFile. The nasty thing: It does not throw a warning nor an error; not on the console nor in the error.log.

Solution: Use the SSLCertificateChainFile option instead to point to the intermediate certificates of your CA.

But watch out when you update your server: SSLCertificateChainFile became obsolete with version 2.4.8, when SSLCertificateFile was extended to also load intermediate CA certificates from the server certificate file.

Tags: , ,


Mar 17 2015

Xubuntu/XFCE to Ubuntu/Unity

Category: Computer,LinuxTuxevara @ 10:50

I finally made it and switched from Xubuntu/XFCE to plain Ubuntu/Unity after I bought a new laptop for my parents, which forced me to finally choose a desktop environment that I want to support for my family and friends in the next years. I have to say that after using Unity a couple of hours, it turns out to be not as bad as I always thought. So basically it’s like every time there is something new that feels like it just wants to break your habits: first you hate it, then you accept it and at some point you begin to love it. Now, after switching my own laptop, my workstation at work and my parents desktop PC to Ubuntu/Unity, I am getting closer to “lovin’ it”.

All that does not mean that I was unhappy with Xubuntu/XFCE ever, but in the last years its main purpose was to provide me a way to stick with a Gnome 2ish desktop environment, just because I did not want to change my own, maybe bad habits. Unity without additional tweaking is great for the normal user and with its lightweight menus and highly integrated apps, it just does its job. With some minor adjustments it works perfectly well for advanced users like me. Compiz Settings Manager and  Unity Teak Tool (PPA version) are very helpful if you want to improve your Unity experience and I highly recommend to have a look at them, even if you think that the defaults already provide a decent user experience.

BTW: There is no need to re-install you system. If you want to switch from any Ubuntu flavor back to pure Ubuntu, check out Psychocats’ Pure Ubuntu 14.04 post

Tags: , , ,


Jan 21 2015

Python’s argparse and lists

Category: ComputerTuxevara @ 14:30

While Python’s argparse allows to declare a command line parameter to be of any supported type, this does neither work nor is it recommended for the “list” type.  A workaround for passing a list of comma separated items is to use your own type, which for argparse means that the value of “type” must be callable as shown in the example below.

def csv_list(string):
   return string.split(',')

parser = argparse.ArgumentParser()
parser.add_argument('-l', type = csv_list)



Dec 03 2014

ARD: Die geheime Macht von Google

Category: Allgemein,ComputerTuxevara @ 00:36

Die folgenden Zeilen habe ich bereits während der Ausstrahlung der Sendung auf meinem Smartphone angefangen zu schreiben und war kurz davor es einfach auf Google Plus zu posten. Aber ich denke in meinem Blog ist es besser aufgehoben. Anscheinend liege ich mit meiner Meinung zu der Sendung nicht ganz falsch, wenn ich mir angucke, was z.B. auf ZDNET dazu geschrieben wurde.

Was zeigt mir “Die Story im Ersten – Die geheime Macht von Google”: Mangelnde Medienkompetenz wohin man schaut. Merkel hat recht, ist alles #Neuland

Die gezeigten Nutzer fallen auf Anzeigen rein, die als solche gekennzeichnet sind und regelmäßige Benutzer von Google eigentlich sofort erkennen sollten. Eine Lehrerin ist überrascht was im Dashboard zu sehen ist. Vor allem das Tracking über das Smartphone überrascht sie. Aber hey, man wird beim ersten Nutzen ja nur danach gefragt ob diese Funktionen aktiviert werden sollen. Immerhin gibt sie am Ende ihr eigenes Versagen zu, indem Sie feststellt, sich wahrscheinlich nicht genug damit beschäftigt zu haben. Nochmal: Ich habe schon einige Androiden im Auslieferungszustand gesehen und man muss diverse Sachen die mit Tracking, Privatsphäre und Datenschutz zu tun haben bestätigen oder gar erst aktivieren. Wer da einfach immer auf “Weiter” drückt ohne zu lesen ist selbst schuld – basta!

Und für einen weinerlichen Anbieter von Kartendiensten, im Beitrag immer schön peinlich als “Internet-Manager” bezeichnet (was zum Henker soll das sein?!), dessen Branche jahrelang selbst Privatnutzer wegen jedem kleinen Kartenschnipsel verfolgt hat ohne ein akzeptables Geschäftsmodell anzubieten, habe ich leider auch kein Mitleid übrig. (Wie ich irgendwie schon vermutet hatte, verbirgt sich hinter einem der beiden gezeigten “Internet-Manager” anscheinend ein Mitarbeiter von Axel-Springer).

Da Google kein so erfolgreiches Soziales Netzwerk wie Facebook oder LinkedIN besitzt, gibt es auch keinen “Gruppenzwang” und jeder Nutzer kann selber entscheiden ob und was er von Google nutzt. Von daher sind wir Nutzer wohl eher die geheime Macht hinter Google. Zumindest konnte der Beitrag nicht ansatzweise irgendein Geheimnis lüften.

Tags: , ,


Nov 23 2014

Getting Webcam of Dell M1330 running

Category: Computer,Hardware,LinuxTuxevara @ 09:52

In order to get the webcam running that is identified by lsusb as

Bus 002 Device 003: ID 05a9:7670 OmniVision Technologies, Inc. OV7670 Webcam

you just have to enable quirks mode for the uvcvideo kernel module:

echo "options uvcvideo quirks=0x100" > /etc/modprobe.d/uvcvideo.conf

After that, reboot or reload the kernel module (sudo rmmod uvcvideo && sudo modprobe uvcvideo). This seems to work on most recent Linux distributions and has been tested by myself on Xubuntu 14.04. If not, check that a corresponding video device has been created. More details about that issue (which I had not), can be found in a post on (German only)


Nov 23 2014

Mailserver Reloaded – Step 1

Category: Computer,LinuxTuxevara @ 09:42

To reproduce the latest setup of my email server and being able to work on this series of posts as promised months ago, I created a new LXC container with Debian Wheezy first. As LXC is not part of this series, no further details about it are provided here.

Like always, the first thing to do on a brand new machine is checking for the latest updates:

apt-get update && apt-get dist-upgrade

First we need to install a mail transfer agent (MTA), which in our case will be Exim. As some enhanced capabilities, such as SASL authentication are required, the Debian package exim4-daemon-heavy must be installed:

apt-get install exim4-daemon-heavy

Given that we are going to manually create an Exim configuration from scratch later, answers to configuration related questions during the installation process are irrelevant to this setup.

Now that our machine has an MTA installed, MySQL server can be installed:

apt-get install mysql-server

Hint: If you try to installed MySQL server before an MTA is installed, Debian might choose an other MTA than Exim to fulfill MySQL’s requirements. This may lead to additional, unnecessary steps or even a configuration conflict that you would have to resolve when installing Exim.

After that, Dovecot can be installed with the following command:

apt-get install dovecot-core dovecot-mysql dovecot-lmtpd dovecot-imapd dovecot-sieve dovecot-managesieved

Additionally to the more or less obvious packages dovecot-mysql, dovecot-lmtpd and dovecot-imapd, the packages dovecot-sieve and dovecot-managesieved are also installed, so that server-side filtering based on Sieve is possible. Roundcube has some great plugins to create and manage Sieve filter rules.

Talking about Roundcube: This is the last of piece we have to install, before we can glue everything together. Though I generally prefer distribution packages, I mostly end up with installing software manually when in comes to web applications. As Roundcube is written in PHP, we need web server that is capable of executing PHP scripts. For simplicity we choose Apache plus the appropriate PHP 5 module in this howto:

apt-get install libapache2-mod-php5

That’s it for the first step. All required software is installed, so we can proceed with the configuration of each in the next step.

Tags: , , ,


Jun 10 2014

Installing .NET Framework 4.5.1 on Windows 2008 R2 Server Core

Category: ComputerTuxevara @ 14:16

If you try to install .NET Framework 4.5.1 on a fresh installation of Windows 2008 R2 Server Core you may see the follow error message:

You must install the .NET Framework 2.0 SP2 OS component.

Well, there IS a link to a list off reasons for a blockage of the 4.5.1 installation, but it wouldn’t be Microsoft if that error message is really in the list. After having a look at the listing of available features, I tried NetFx2-ServerCore first, which should be sufficient on a 64bit platform. Error message still occurred, so I installed the 32bit compatibility feature NetFx2-ServerCore-WOW64 as well. There we go: .NET Framework 4.5.1 could be installed successfully.

As searching for the error message did not return any useful results, I am documenting the solution here.
For completeness, here are the two commands that install the missing features on Server Core:

dism /online /enable-feature /featurename:NetFx2-ServerCore
dism /online /enable-feature /featurename:NetFx2-ServerCore-WOW64

Tags: , ,


May 19 2014

Mailserver Reloaded – The Idea

Category: Computer,LinuxTuxevara @ 23:14

It has been a while since the last big update of my email server configuration. For years it has been running solid as a rock based on Exim/Dovecot with a LDAP-backed configuration.

You may ask: Why change a running system?

One of the things that bugged me for months, was the fact that I am using self-signed certificates on that server. That means that all email clients have been set to accept ANY SSL certificate without further checks (at least manual pinning or something would be great). So any evil hacker in a public WiFi network could use SSL interception to get my username and password. To eliminate this risk, replacing the self-signed certificate with ones signed by a well-know CA (I’d never call them trustworthy!) would probably be enough, but who really wants such a simple solution?

So additionally to replacing the self-signed certificates, I decided to add some extra security by implementing application-specific passwords. Google user’s may already now how they work, for all others here comes a little introduction: Application-specific passwords allow users to create unique passwords for each application that is interacting with your email server. That means that regular user passwords, that are often used for other services as well, must neither be stored in email clients nor will they ever get transferred via SMTP, IMAP or POP3. The whole setup could even be hardened more, by creating a whole new username-password combination for each application, but that seems to be a little over the top to me.

As I also wanted to easily support multiple email domains in the future, I completely moved away from the LDAP backend, that was a partly replication of my LDAP database I use at home for authentication the accounts of my family, to a MySQL-backed setup. To reduce complexity and be more flexible in the future, I also made Dovecot my MDA (LMTP) and authentication service (SASL).

One thing that I also had to solve was the problem that no tools exist to allow users the management of their application-specific passwords. As I am using Roundcube Webbmail for years now and still more than happy with it, I decided to use Roundcube as the one and only tool that I provide users for managing their email settings, including the application-specific passwords. A corresponding plugin was therefore developed by me and has been published on GitHub in the meanwhile. Access to Roundcube is possible only with the normal user passwords BUT requires the use of one-time-passwords created with Google Authenticator (or compatible).

Now you know what I did and why I did it. I know that you now want to know how I actually implemented that setup, but unfortunately you must be patient. I’ll reproduce the setup in a brand new LXC container in order to provide a series of blog posts with precise information how to set this up on your own within the next two weeks. So stay tuned!

Tags: , , ,


Feb 02 2014

Migrating from KVM to LXC

Category: LinuxTuxevara @ 18:58

After I had to replace the mainboard of my HTPC, on which also two other virtual machines were running on KVM, the kvm_amd module crashed on every boot on the replacement hardware. Though KVM still worked, I don’t like to see any modules crashing on boot. I began asking myself whether I really need full KVM virtualization or if some kind of container based virtualization would do a good or even better job for me.

After reading into the pros and cons of different solutions, I concluded that LinuX Containers (LXC) should probably first choice for me. As the HTPC is running on Ubuntu 12.04, which also has Apparmor profiles that enhance the security of LXC’s weak security concept, I actually decided to continue with LXC.

I don’t want to explain how to install LXC, because this is already covered by many other sites. The only thing that I found which is not covered well enough, is the conversion of machines from KVM (or similar) to LXC. In my case the KVM guests where using RAW disk images, so I am exclusively focusing on converting such below.

Step 1 – Prepare the rootfs folder

First, the new target folder for the root file system of the LXC guest must be created.

mkdir -p /var/lib/lxc//rootfs

Step 2 – Mount the RAW image

Then the RAW disk image must be mounted to access the files. In my case the disk contained only one partition. Modify the mount command may be necessary.

kpartx -a
mount /dev/mapper/loop0p1 /mnt

Step 3 – Copy files to rootfs

Now that the content of the RAW image can be accessed, the files can be copied into the new rootfs folder created in step 1. I have been using the below command for years, to create more or less exact copies:

cd /mnt
find . -xdev | cpio -pmv /var/lib/lxc//rootfs

Step 4 – Modify the configuration

Now comes the trickiest part: The configuration of the new machine must be modified, otherwise it is unlikely that it will boot successfully. Most required changes can be extracted from the template files in /usr/lib/lxc/templates/, which are typically used for the creation of new machines. Below are the modification for Debian machines, which worked perfectly well for Debian Lenny (shame in me) and Squeeze.


cat < $rootfs/etc/inittab
l0:0:wait:/etc/init.d/rc 0
l1:1:wait:/etc/init.d/rc 1
l2:2:wait:/etc/init.d/rc 2
l3:3:wait:/etc/init.d/rc 3
l4:4:wait:/etc/init.d/rc 4
l5:5:wait:/etc/init.d/rc 5
l6:6:wait:/etc/init.d/rc 6
# Normally not reached, but fallthrough in case of emergency.
1:2345:respawn:/sbin/getty 38400 console
c1:12345:respawn:/sbin/getty 38400 tty1 linux
c2:12345:respawn:/sbin/getty 38400 tty2 linux
c3:12345:respawn:/sbin/getty 38400 tty3 linux
c4:12345:respawn:/sbin/getty 38400 tty4 linux

mkdir -p $rootfs/selinux
echo 0 > $rootfs/selinux/enforce

mknod $rootfs/dev/tty1 c 4 1
mknod $rootfs/dev/tty2 c 4 2
mknod $rootfs/dev/tty3 c 4 3
mknod $rootfs/dev/tty4 c 4 4

# reconfigure some services

locale="$LANG $(echo $LANG | cut -d. -f2)"
chroot $rootfs echo "locales locales/default_environment_locale select $LANG" | chroot $rootfs sh -c "LANG=C debconf-set-selections"
chroot $rootfs echo "locales locales/default_environment_locale seen true" | chroot $rootfs sh -c "LANG=C debconf-set-selections"
chroot $rootfs echo "locales locales/locales_to_be_generated seen true" | chroot $rootfs sh -c "LANG=C debconf-set-selections"
chroot $rootfs sed -i -e "0,/^[# ]*$locale *$/ s/^[# ]*$locale *$/$locale/" /etc/locale.gen
chroot $rootfs sh -c "LANG=C dpkg-reconfigure locales -f noninteractive"

# remove pointless services in a container
chroot $rootfs /usr/sbin/update-rc.d -f remove # S
chroot $rootfs /usr/sbin/update-rc.d stop 09 S .

chroot $rootfs /usr/sbin/update-rc.d -f umountfs remove # 0 6
chroot $rootfs /usr/sbin/update-rc.d umountfs start 09 0 6 .

chroot $rootfs /usr/sbin/update-rc.d -f umountroot remove # 0 6
chroot $rootfs /usr/sbin/update-rc.d umountroot start 10 0 6 .

# The following initscripts don't provide an empty start or stop block.
# To prevent them being enabled on upgrades, we leave a start link on
# runlevel 3.
chroot $rootfs /usr/sbin/update-rc.d -f remove # S 0 6
chroot $rootfs /usr/sbin/update-rc.d start 10 3 .

chroot $rootfs /usr/sbin/update-rc.d -f remove # S
chroot $rootfs /usr/sbin/update-rc.d hwclockfirst start 08 3 .

chroot $rootfs /usr/sbin/update-rc.d -f module-init-tools remove # S
chroot $rootfs /usr/sbin/update-rc.d module-init-tools start 10 3 .

rm $rootfs/etc/udev/rules.d/70-persistent-net.rules

Step 5 – Create LXC config

Finally we have to create a LXC configuration file for the new machine. Lazy as I am, I have copied an existing config file into /var/lib/lxc// and modified the paths and network configuration accordingly.

After that the machine can be started with

lxc-start -n

Keep in mind that you won’t be able to detach from that console again. But to debug boot problems it is essential to not launch the machine in background mode (-d).

Tags: , , ,


Dec 13 2013

Vdr-sxfe audio output issues over and over again

Category: Computer,LinuxTuxevara @ 20:53

And after fixing them for the hundredth time in the last ten years, I finally decided to write down what I seem to always forget. Isn’t this what tech blogs are for?!

So what was happening this time: After some years without any major issues, our media center PC decided to reboot in circles, which turned out to be caused be a defective motherboard. After replacing it with the one from my gaming PC everything worked fine, except that I had to use the onboard graphics card as the passive cooler of the former PC-Express graphics card wouldn’t allow me to use the DVB-S card in the upper PCI slot.

In my vdr-sxfe startup script I’ve set the audio parameter to alsa:plug:'hdmi:CARD=NVidia,DEV=0'. But the only results I get is either no sound at all or vdr-sxfe restarting every few seconds. At some point I managed to set the audio channel in VDR to stereo instead of AC3. Guess what happened? Immediately vdr-sxfe stopped restarting and sound was coming from the left and right speakers.

Conclusion: Something must be terribly wrong with the AC3 passthrough. But what? And who controls which device is used for the AC3 passthrough? I know that I should have asked myself this questions earlier, but trial and error worked perfectly well in the past 😉

After trying to remember which files I modified several times before to optimize vdr-sxfe audio and video output, I came to the point where I felt certain that the whole magic must only happen in ~/.xine/config_xineliboutput. As vdr-sxfe is based on Xine this seems to make sense.

Some tests later it was proven, that the audio parameter of vdr-sxfe never affects the value of audio.device.alsa_passthrough_device in the config file.

So the solution to my AC3 passthrough problem is setting the audio.device.alsa_passthrough_device value in the config file to plug:'hdmi:CARD=NVidia,DEV=0'.

Today the new PCI-Express graphics card arrived and all I had to do is changing the vdr-sxfe audio parameter and the audio.device.alsa_passthrough_device value in the config file to plug:'hdmi:CARD=NVidia_1,DEV=0'.

For the sake of completeness, here are all non-default values from my ~/.xine/config_xineliboutput

audio.output.speaker_arrangement:Pass Through

Tags: , , , , ,


Next Page »