[00:00] Yes [00:00] billybigrigger_, yes why? [00:02] is it installing? [00:03] 9.04 wouldn't install on my old p 166mhz, isolinux was giving me problems, i had to eventually do a netboot, but if you got to the installer you got farther than me [00:05] It's at 22% Loading additional components === hggdh_ is now known as hggdh [00:09] you should be good to go then [00:16] Uh oh! Bad burn! "There was a problem reading data from the CD-ROM. [00:16] " [00:24] how do i find my domain, setting up ISPConfig? [00:43] Is anyone here familiar with x509 certs? [01:06] quentusrex: shoot [01:07] hggdh: ok, I have had major issues with my certs for over a week... Everything I do to diagnose the issue is fruitless.... [01:07] I use TinyCA2 to manage my x509 certs. [01:07] It has worked well for apache, openvpn, and a few other apps. [01:07] But it flat out will not work with openldap [01:07] quentusrex: so you have your own private CA [01:07] yes. [01:08] so far so good [01:08] what happens with LDAP? [01:08] I have confirmed the issue is with MY certs, because I can generate local certs and it works fine. [01:08] here is the bug: https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/398366 [01:08] hold on. what is the difference between "MY certs" and "local certs"? [01:09] Launchpad bug 398366 in openldap "Certs generated with TinyCA2 and openssl cause errors in openldap and gnutls" [Undecided,New] [01:09] hggdh: I have my real certs, [01:09] generated on my workstation, and I have fake certs generated locally on the server. [01:09] my workstation, and the backups are responsible for generating the companies certs. [01:09] oh, OK. My certs == officially issued certs [01:09] we can use real and fake [01:09] to describe them... [01:10] real ones = fail to start, fake ones work just fine. [01:10] I have tried on both ubuntu 8.04 and 9.04 versions of openldap [01:11] I can recreate the issue by creating a new fake CA on my workstation, and it still fails. [01:11] OK. Have you checked the certs for similar options -- for starter, by 'openssl x509 -text -in a.cert.file [01:12] and comparing both real and fake for differing options [01:12] so, it's either something with the way TinyCA2 generates certs(but doesn't effect openvpn or apache), or I have forgotten a step and repeatedly miss the same step in the cert generation. [01:12] I'll check... [01:12] as far as I can remember, TinyCA2 uses openssl to actually do the work [01:13] It does. [01:13] * hggdh also uses tinyca2, but no ldap [01:13] quentusrex: Well, OpenVPN and Apache both use openssl, while openldap uses gnutls, so it's entirely possible that the way TinyCA2 is doing the reqs is just missing a field (or something) that OpenSSL is forgiving about, but gnutls is grumpy about. [01:13] Pretty much all the CA packages are front ends for openssl. [01:14] Right, I am aware that tinyCA2 uses openssl, and openldap uses gnutls, [01:14] but I'm unable to figure out which field causes the issues... [01:14] yes. TLS is also more picky on the options you specify [01:14] what would work on SSL may fail on TLS [01:15] but I have tls setup with openvpn [01:15] and it works. [01:15] quentusrex: Well, as suggested, you should compare the text dump of the "real" and "fake" certs, and go from there. [01:15] quentusrex: Anything "different" is suspect. [01:15] need help installing joomla [01:15] for example, when you specify Netscape options, and do them wrong. SSL wouls swallow them, TLS will spit them out [01:15] infinity: can you suggest a command to dump all the cert info? (I have a command, but I've been stuck for a week. So I might be using the wrong one...) [01:16] the easy way: openssl x509 -text -in [01:16] just the public cert, no private key here [01:16] right [01:16] everything that openldap seems to say, points to the issue being with the cacert, [01:17] but there is almost no documentation and even less info on the actual error... [01:17] just says tls fails with error code -1 [01:17] Are you doing chain bundling? [01:17] I have one CA, and that is the only thing signing the certs. [01:17] only two levels, no sub CA's. [01:17] quentusrex: if a real and a fake cert are the, er, same, and one works and one not, then there is something different on them [01:19] you can also dump ASN1 (and I do not remember the opessl command for that, but it is there) the certs. Be prepared to get some sore eyes. [01:19] hggdh: I have compared the two certs [01:20] there are many more fields filled out with the tinyca2 ones... [01:20] the real ones. [01:20] the fake ones have almost no fields set... [01:20] so now you have a start [01:20] they *are* different [01:20] is there a way to diff them by fields? [01:21] no, not really. You will have to do it by hand [01:21] Don't forget content of the fields. [01:21] You may have characters gnutls is unhappy with, who knows? [01:21] ok... [01:21] Maybe you're breaking an RFC, which openssl is notorious for not caring about. :P [01:21] this will be 'fun' [01:22] check this out: [01:22] Certificate: [01:22] Data: [01:22] Version: 1 (0x0) [01:22] vs [01:22] Certificate: [01:22] Data: [01:22] Version: 3 (0x2) [01:22] (openssl is the most liberally forgiving software in the world when it comes to sloppy input, which explains why your certs are happy with openssl-using apps, but not gnutls) [01:22] real one is version 3 [01:22] great... so now I have to regen all my certs to make gnutls happy.... :( [01:23] wow, from V1 to V3... how old is this V1 cert? [01:23] I just generated it with openssl [01:23] that's the fake one that works. [01:23] V1 is the default with an openssl req with no options, IIRC. [01:23] But gnutls should be happy with V3, I suspect that's a red herring. [01:24] is there a paste bin that you prefer? [01:24] I'll paste the cert dumps [01:24] ubuntu.com [01:24] yes, it would be good [01:24] http://pastebin.ubuntu.com/ even [01:24] pastebin.ubuntu.com [01:25] http://paste.ubuntu.com/216539/ [01:25] those are both the cacerts. [01:25] I hadn't considered that the problem could be with a field in the cert [01:26] I thought it had something to do with corruptions, or not actually being signed or something... but all the verify commands I could find passed. [01:26] quentusrex: what time is it now at your locale? [01:26] 5:30 [01:26] west coast, USA [01:27] of July 12th, right? [01:27] right [01:27] lol [01:27] I see an issue... :) [01:27] look at the Not Before timestamps [01:28] right, but the real one you're looking at was just generated to pose as the real one [01:28] both generated with tinyca2 and both fail for the same reasons. [01:28] Just with random information in there [01:28] Well, does the real real one have that same timestamp? :) [01:28] nope [01:28] yes. The point is both of these should *NOT* be valid to begin with [01:28] it was generated in March of 07 [01:28] wait, [01:29] that is GMT [01:29] I'm -8 from there. [01:29] so it is valid. [01:29] indeed [01:29] so a red herring [01:29] yup [01:29] :) [01:30] I'd rather have false positives that turn out to be red herrings, than a false negative and never get a working ldap server... :( [01:30] I'm working on a script that will allow me to tweak the cert generation parameters [01:30] OK. Next one. fake one that works has a 1024 key, real one that fails has a 4096 key. Have you tried a fake one with 4096? [01:30] and test it on an openldap server [01:30] yup, and a real one with 1024 [01:30] red herring. [01:30] OK [01:31] quentusrex: the real one is a CA cert [01:32] I thought it was an user cert [01:32] like the first one [01:32] both should be ca certs [01:33] hmm.... [01:33] you're right... [01:33] first one should be refused, it does not have 'CA: True" critical constraint [01:34] that's right... I've been using a self signed cert for the fake ones, thinking I had built ca certs. [01:35] quentusrex: So, some random googling suggests that you need to tell openldap where to find the path to the CA cert. [01:35] brb afk [01:35] infinity: I do, I specify it. [01:35] I think my test case is wrong... [01:35] brb though... [01:35] quentusrex: Have you run slapd in debug mode (slapd -d -1) to see if it's any more useful? [01:37] back [01:37] had to change computers for a moment [01:38] quentusrex: Have you run slapd in debug mode (slapd -d -1) to see if it's any more useful? [01:38] infinity, I tried that, but I did not get anything more from it [01:38] the same one line error. failed to start tls, with the error code -1 [01:38] And I'll assume, since you have a testcase and all, that it's not file permissions? [01:38] nope, not file permission problem [01:39] but we've just proved that my test case was flawed. [01:39] I am not sure I was actually generating a ca cert, [01:39] but possibly a self signed cert, [01:39] well, if you were using the CA cert as an LDAP "user" cert, then ldap would most probably barf [01:39] so it could have been working because the cert was self signed it didn't need to look for the CA, so it didn't run into the same issue. [01:40] nope, not an ldap user cert. as the server cert. [01:40] the ldap server has nothing but default data in it... [01:40] yes, server cert == user cert; there are CA certs, and "user" certs [01:41] Yeah, you need both here in your case... [01:41] TLSCertificateFile /etc/openldap/currentcert.pem [01:41] TLSCertificateKeyFile /etc/openldap/currentkey.pem [01:41] TLSCACertificateFile /etc/openldap/demoCA/cacert.pem [01:41] you do not usually run *ON* a CA cert. You deploy a cert signed by the CA [01:41] The last one needs to be your CA, the first two are the server "user" cert. [01:41] hggdh, right. that is what I'm doing. [01:42] but you have to distribute the ca cert along with the client cert and key [01:42] for tls. [01:42] yes, you always have to distribute the CA certs. [01:43] or, better saying, the real user should check on the CA cert, ideally out-of-band [01:43] Yes. Lots of software out there explodes when you try to use "chained" certs, which is what I was driving at before. [01:43] so. when you put the real CA cert (the one in the pastebin) as TLSCACertFile it fails [01:44] (ie: when your CA is bundled in the cert, rather than being an out-of-band check) [01:45] but, when you put the real CA in the TLSCACertFile, you have to change the TLSCertFile accordingly. Did you do it? [01:45] * hggdh BTW asks for pardon on asking dumb questions, but one needs to be sure... [01:47] yes, I did that... I think I'm on to something... [01:47] I changed the order of the cert file includes. [01:47] it changed the error code... [01:47] if the CAcert line isn't first the error is -34 [01:47] with ca cert first it's -1 [01:49] I finally get an interesting error message: [01:49] gnutls-serv --x509keyfile ./ssl/server.pem --x509certfile ./ssl/server.pem [01:49] Set static Diffie Hellman parameters, consider --dhparams. [01:49] Error reading './ssl/server.pem' or './ssl/server.pem' [01:49] Error: Base64 decoding error. [01:49] I get this when I install gnutls-bin [01:49] and run that first line.... [01:50] Got a problem with two Ubuntu boxen not being able to relay email to one another. [01:50] The problem: http://erxz.com/pb/18721 [01:51] web2 is running exim4. I am guessing I need to tweak stuff in web2's exim.conf, but I don't know what. [01:52] hggdh and inifinity, you were right. It's a bad header. [01:53] with the real keys I get this error: gnutls-serv --x509keyfile ./key.pem --x509certfile ./cert.pem [01:53] Set static Diffie Hellman parameters, consider --dhparams. [01:53] Error reading './cert.pem' or './key.pem' [01:53] Error: Base64 unexpected header error. [01:53] Now, if only there were a way to find how which header.. [01:55] JordiGH: You need to authorize the other one to relay mail. I could tell you how for Postfix, but Exim, I have no idea. [01:56] ScottK: Yeah, I have "host_accept_relay = 127.0.0.1 : ::::1 : 192.168.1.0/24" in exim.conf, which seems a bit cryptic. [01:56] JordiGH: I'd try adding the IP of the other mail server to that. [01:57] ScottK: You mean the specific one instead of the netmasked IP network? [01:57] JordiGH: Is it in 192.168.1.0/24? [01:58] web4 from which I telnetted is 192.168.1.248 [02:01] OK, then I'm confused. I'd have expected that to work. [02:01] * ScottK looks around for someone who knows something about Exim. [02:02] Unless those streams of colons don't do what I expect them to. [02:02] JordiGH: The stream of colons is the IPv6 localhost. [02:03] JordiGH: Are you using exim's split config, or monolithic? [02:03] JordiGH: (Maybe you edited the monolithic config, but you're actually using split?) [02:04] ScottK: #debian is full of exim weenies :-) [02:04] Yet another reason not to go there. [02:05] Hey, I'm a Debian weenie. :-( [02:05] You have to tiptoe around them [02:05] JordiGH: Also, if this is exim4, I suspect you want "relay_from_hosts", not "host_accept_relay" [02:05] infinity: /etc/exim only has exim.conf and exim.conf.0 [02:05] ScottK: having said that, IME #debian (on OFTC, at least) is more helpful than #ubuntu. [02:05] Well I don't go there either. [02:05] #ubuntu is like a preschool full of screaming toddlers trying to configure compiz [02:05] JordiGH: Eww, and no it's not, you're using exim3... Stop that. :) [02:06] infinity: dapper drake. [02:06] JordiGH: remind us why postfix isn't allowed? [02:06] JordiGH: exim4 is on dapper. [02:07] JordiGH: exim3 is in universe and entirely unsupported, no? [02:07] Ah, you're right, exim4 is available. [02:07] twb: It isn't unallowed. You want me to use it instead? [02:07] twb: Don't get into an MTA flamewar. :P [02:07] twb: We support both for a reason. [02:08] Eh, sorry. [02:08] I should have added a ";-)" [02:08] I really have no preference. [02:08] The reason being infinity likes Exim. [02:08] ;-) [02:08] ScottK: And elmo. :P [02:08] That too [02:08] MTAs are like toasters to me. They should toast, and exactly how they toast and which one should toast, I don't really care. [02:08] JordiGH: then probably best to use whatever people around here will provide support for. [02:08] JordiGH: Anyhow. exim4 should "just work" when you configure it out of the box. [02:08] JordiGH: Alternately, switch to postfix, which will also "just work" when configured with the help of people like twb. [02:09] infinity: alright... it's a debconf config, right? At least it is in Debian. [02:09] JordiGH: I couldn't care less what anyone other than me uses. :) [02:09] JordiGH: Same as the Debian debconf config, yeah. [02:09] Hmmm... alright, what do I want here? I already don't know what to answer for the first question. [02:10] internet site? [02:10] Yes. [02:10] convert exim v3 config? [02:10] Okay, internet site. [02:10] I don't provide support for postfix, either. HAND. [02:10] hggdh, alright. I've build the test system for the fake certs. I'm actually useing ca certs now... [02:11] hggdh Any guess as to which of the headers are more likely to cause problems? [02:12] Man, SMTP sounds like LOLcatese to me. [02:12] "HELO web2" [02:12] "Why, hello there, web5". [02:12] "MAIL FROM: " [02:13] "Ah, yes, I see, and who is the recipient?" [02:13] "RCPT TO: " [02:13] "I'm afraid I can't let you do that, Bob..." [02:13] etc [02:13] Alright, so is the default the monolithic or the modular exim4 config? [02:14] No idea anymore. It used to be a debconf question, I suspect someone's nixed it. [02:14] Probably defaults to monolithic now to avoid upstream getting grumpy about stupid Debian users and their bad bug reports. [02:14] (I use split) [02:15] JordiGH: If you have an exim.conf in /etc/exim4, you're using monolithic. If not, it's in /var/lib/exim4, and you're using split. [02:17] I have a exim.conf.template... [02:18] grep dc_use_split_config /etc/exim4/update-exim4.conf.conf [02:18] (I knew it was a debconf question) [02:18] Must just have not been shown at your priority. [02:20] JordiGH: Anyhow, assuming you're using split, just edit dc_relay_nets in /etc/exim4/update-exim4.conf.conf, re-run "update-exim4.config", and restart exim. [02:20] infinity: It is a debconf question, but wasn't asked at install. It's asked with dpkg-reconfigure, though. [02:20] JordiGH: That's because dpkg-reconfigure defaults to priority=low [02:20] JordiGH: Your system's probably set to high or critical. [02:22] Hm... it still thinks that relaying to gmail.com is prohibited. [02:22] Seriously? [02:23] Yeah, identical SMTP session. :-/ [02:23] http://erxz.com/pb/18721 [02:24] http://pastebin.ubuntu.com/ [02:24] That's with lucifer's IP (174.0.107.159/32) in dc_relay_nets [02:24] Wait, I think I had the wrong answer.. [02:26] "Domains to relay mail for" that should be *, right? [02:26] Wow, linking the paste would have been helpful there to prove my point. :P [02:26] http://pastebin.ubuntu.com/216565/ [02:26] No! [02:26] No, no, no. [02:26] * would be an open relay. [02:27] You only relay for the domains you accept mail for as an MX. [02:27] Whereas the relaying you want is allowing privileged hosts to relay through you. [02:28] What's the difference between "domains to relay mail for" and "machines to relay mail for"? [02:29] "machines" is what turns into "relay_nets". [02:29] Machines is who you will accept mail FROM, to send to anywhere. [02:29] Domains is who you will accept mail TO, from anywhere. [02:29] If you're not a secondary MX, relay_domains should be empty. [02:30] (usually) [02:30] Uhhhh... [02:31] JordiGH: Here's a simple config: http://pastebin.ubuntu.com/216566/ [02:31] Okay, so I did tell debconf to use monolithic config. [02:31] JordiGH: It accepts mail for all those domains listed, it doesn't forward/relay mail for any other domains, and it accepts mail to ANYWHERE from the IPs listed. [02:32] JordiGH: (Of course, mine's a split config, so translate as required) [02:33] infinity: Kay... dc_other_hostnames is the machines from which I accept incoming SMTP connections? [02:33] infinity: dc_relay_domains is blank because those machines can send anywhere in the world, right? [02:34] JordiGH: other_hostnames is all the hostnames/domains that you accept mail FOR. [02:34] JordiGH: So, my config accepts mail for loki.0c3.net, szeretlek.net, etc... [02:34] JordiGH: (By default, you'd only accept mail for you actual hostname, without that line there) [02:34] infinity: Oh, so I can't email gmail.com from your machine? [02:34] JordiGH: But that's for local delivery. [02:35] JordiGH: You can email gmail.com from my machine if you're listed in relay_nets. [02:35] JordiGH: relay_nets defines the people who are allowed to send mail ANYWHERE. [02:35] Ah, ok, ok... [02:35] JordiGH: Anyone not in that list can only send mail to other_hostnames and relay_domains. [02:35] lessee.. [02:36] JordiGH: Note that while the options have different names (obviously), every MTA has this exact concept. You're filtering on two sets: "People who can send mail to anyone", and "Anyone can send mail to a specific small set of addresses". [02:37] infinity: Interesting. [02:43] !release [02:43] Ubuntu releases a new version every 6 months. Each version is supported for 18 months to 5 years. More info at http://www.ubuntu.com/ubuntu/releases & http://wiki.ubuntu.com/TimeBasedReleases [02:44] !eol [02:44] End-Of-Life is the time when security updates for an Ubuntu release stop. See https://wiki.ubuntu.com/Releases [02:45] Yes, I know DD is dead. [02:45] So is my website, kinda, but not because of DD. [02:47] JordiGH: sorry, that was for me. [02:47] I was too lazy to /msg ubotu, sorrry. [02:51] Dapper is not dead for this channel, just weaklings who need X. [02:58] Actually my desktop is still Dapper. I haven't ever bothered to upgrade it. [02:59] infinity: http://pastebin.ubuntu.com/216574/ [02:59] infinity: Still full of fail. :-( [03:01] JordiGH: You're running update-exim4.conf and restarting exim after changes, right? [03:02] infinity: ayup. "/etc/init.d/exim4 restart" [03:02] ScottK: you're even worse than me [03:02] My laptop runs Sid because otherwise how can I test that my bugs have ACTUALLY been fixed when maintainers close them? ;-) [03:02] JordiGH: Oh, but you're still not using split config either. [03:02] JordiGH: So, editing that probably doesn't buy you much. [03:02] JordiGH: (Just find relay_from_hosts in your actual config and edit it) [03:03] ajmitch: The smaller the computer it seems the newer I use. Desktop is Dapper, laptop is Jaunty, netbook is Karmic. [03:03] infinity: How about I just use a split config? [03:03] * JordiGH doubts it makes a difference, but whatever. [03:03] JordiGH: Up to you. :) [03:04] * infinity needs to run off. [03:04] JordiGH: Ultimately, however you do it, you need exim to think that network is in relay_nets, and you win. [03:20] n external python package? I am having import name resolution problems and dont see what is accuring [03:20] netbook ate my first line [03:20] is /usr/local/lib/python2.6/dist-packages/ a typical location for an external package? [03:23] /usr/local is stuff not managed by dpkg. [03:25] i used the modules setup.py [03:25] it is not in apt [03:32] slestak: More likely site-packages, but that may be OK. [03:32] slestak: import sys and then print sys.path to see if it's in your path. [03:32] ScottK: good idea [03:33] ScottK: last key in path is '/usr/local/lib/python2.6/dist-packages' [03:34] Then that should be a fine location. [03:34] every .py in examples for package xlwt fails with the same error [03:35] File "/usr/local/lib/python2.6/dist-packages/xlwt/Worksheet.py", line 52, in __init__ [03:35] self.Row = Row.Row [03:35] AttributeError: 'module' object has no attribute 'Row' [03:36] Row.py is on the dir, and it has a class name Row [03:38] Try to append xlwt to sys.path [03:39] where is that adjusted? [03:39] slestak: FYI, xlwt is packaged in Karmic, so you could ask for a backport of the package for whatever release you're using. [03:40] im supposed to present this at a PUG tomorrow :) [03:40] slestak: It's something like sys.path.append("pathyouwanttoadd") [03:40] dont think backport will be quick enough [03:40] slestak: What release are you using? [03:40] im about the least exp guy in the group [03:40] 9.04 [03:41] slestak: What timezone are you in? [03:41] EST [03:41] infinity: If you're still there, the problem was that exim3 was still running even though I removed the package and /etc/init.d/exim stop didn't stop the daemon either. I killdashnined the process and restarted exim4 and now it works. [03:41] WTF. [03:41] * JordiGH has spent maybe 4 hours on this today. [03:42] slestak: If you don't get it figured out tonight, we can probably manage a backport in the morning. [03:42] * ScottK would likely have to mangle some rules to get it done tongiht. [03:42] that would be awesome. i used pyExcelerator, maybe I should just present that, its in Jaunty. I just know xlwt and xlrd have replaced it [03:42] When is sysadmin day? I think I'm gonna demand lots of ice cream for it. [03:43] JordiGH: sysadmin day is on the horizon. [03:43] bofh day? [03:43] Good. [03:43] * JordiGH wonders if he could also demand sexual favours on July 31st. [03:43] lo0l [03:43] Interesting sysadmin day is the day before my birthday. [03:43] The horizon being an imaginary place you can walk towards, but never reach. [03:43] It's actually in a few weeks. [03:44] JordiGH: This is probably going to sound silly to you, but we work very hard here to create an environment where everyone will be confortable, so it's not a huge deal, but talking about demanding sexual favors probably isn't the best idea for here. [03:44] ScottK: I'll try it on another workstation, see if it is consistent [03:45] I guess sex is going to make someone uncomfortable. [03:45] Fine, fine. [03:49] slestak: sys.path.append("/usr/local/lib/python2.6/dist-packages/xlwt/") [03:49] ScottK: i just installed pyExclearator from repo. it works fine. xlwt is a fork, so I'll just explain that the package imshowing is a lottledated [03:49] i can wait for karmic [03:49] slestak: OK. I'd try sys.path.append [03:50] but that will not help me when running a .py in bash? [03:50] or can i run the exampkles easily from the python shell, after touching up sys.path? [03:53] Or edit the start of the example to do it for you. [03:57] no joy [03:58] I alsotried adding from xlwt.Row import * [04:00] well, im done for the night, thx for the help [04:18] hggdh: ScottK: infinity: are you still around? [04:18] I've narrowed the limitations for gnutls... [04:18] Maybe. [04:18] I've removed almost all of the cert attributes [04:19] down to the fewest [04:19] but gnutls still can't handle it... === s_markow_ is now known as s_markow [04:26] Can gnutls generate certs like openssl does? [04:27] If it can, maybe generate a cert from it and see what's in it. === Kyon0 is now known as Kyon`Away === Kyon`Away is now known as Kyon0`Away === ircd is now known as Guest18724 [09:05] hey, can anybody tell me wher's the default logrotate conf for mail.log, currently it's rotating between 06:0 -07:00 [09:05] and only keeping 6 days of log [09:06] but mail.log is not defined for logrotate to rotate [09:13] found the solution, it's sysklogd that's rotating the logs by default, /etc/cron.daily/sysklogd, not logrotate [09:14] <_ruben> which is a nice default solution, but very managable in the long run, imo [09:14] <_ruben> add "not" somewhere in that line :) [09:21] :P [09:40]