| thumper | hallyn: hey there | 00:13 |
|---|---|---|
| thumper | hallyn: still around? | 00:13 |
| thumper | hallyn: I'm looing into the lxc template failing to stop issue on trusty with juju 1.22 with katco | 00:14 |
| thumper | hallyn: looking through the log files, it became obvious that the problem was intermittent with many other lxc containers and our template mechanism working on other machines | 00:14 |
| thumper | hallyn: so the race condition option seems most likely | 00:14 |
| thumper | hallyn: however I'm not entirely sure what we are racing with... | 00:14 |
| === markthomas is now known as markthomas|away | ||
| hallyn | thumper: well, whatever does the first lxc-create or lxc-start, can you have it do a 'ps -ef' and 'sudo aa-status' and 'dpkg -l'? Question is whether package install is complete, and if not why not. | 02:22 |
| linocisco | hi all | 04:51 |
| linocisco | i have ddns registered at no-ip.com. I have no registered domain | 04:52 |
| linocisco | i want to setup webserver on virtualbox using dynamic dns. what do I do? | 04:55 |
| === kickinz1|afk is now known as kickinz1 | ||
| === thumper is now known as thumper-afk | ||
| tash | when I run this from the CLI: curl http://myurl/cgi-bin/my-file.pl it returns a string "ok" which I expect. But, when I put that into a shell script like this: REQUEST=`curl http://myurl/cgi-bin/my-file.pl` print $REQUEST it spits this out: Error: no such file "ok" | 06:19 |
| tash | can anyone explain why it doesn't just show "ok" when I run it from a script, rather than display an Error | 06:19 |
| excalibr | tash, print? | 06:22 |
| excalibr | you want echo or printf if that is shell script | 06:23 |
| === chmurifree is now known as chmuri | ||
| tash | yeah, lol | 06:26 |
| tash | i actually realized that after I put that here...I've been working on perl scripts and shell scripts today and got some syntax confused | 06:27 |
| tash | pffff, thx excalibr | 06:27 |
| === zz_DenBeiren is now known as DenBeiren | ||
| === CiPi is now known as cipi | ||
| === cipi is now known as CiPi | ||
| brianw | using ubuntu 14.04 on (2) physical machines to host my glusterfs backup & lxc host for samba ad/dc containers & glusterfs/ctdb/samba DFS server containers. Each physical machine can run the network without the other. When the other comes back online, all is synced... | 07:38 |
| brianw | Lovely! | 07:38 |
| brianw | I just wish glusterfs supported btrfs backend with snapper support. | 07:39 |
| lordievader | Goodmorning. | 08:11 |
| === Lcawte|Away is now known as Lcawte | ||
| excalibr | Upstart question, in script stanza, do your codes in it always get executed when you start/stop your upstart job? | 08:22 |
| excalibr | never mind | 08:38 |
| voidfire | anyone able to help me? tryin to setup vhosts like cpanel (per user) in ubuntu | 09:06 |
| voidfire | tried manually. tried with webmin.. i dont know what im missing. I get forbidden eerors as well as I have fiddle with the permission of the said user folder to try stuff out | 09:06 |
| lordievader | !webmin | 09:09 |
| ubottu | webmin is no longer supported in Debian and Ubuntu. It is not compatible with the way that Ubuntu packages handle configuration files, and is likely to cause unexpected issues with your system. | 09:09 |
| lordievader | voidfire: ^ is likely why you get those errors. | 09:09 |
| voidfire | but I was trying first manually :/ | 09:10 |
| voidfire | i tried throught webmins after I failed my self | 09:10 |
| voidfire | but thanks for your input..its better than nothin | 09:10 |
| voidfire | shall I go with ISPconfig3? | 09:11 |
| lordievader | Just pointing out what I know ;) | 09:13 |
| voidfire | tell me more of what you do know :) | 09:13 |
| voidfire | pweasee | 09:14 |
| lordievader | What are you trying to do exactly? | 09:15 |
| voidfire | im setting up 2 new ubuntu 14.04 servers (vps) | 09:15 |
| voidfire | i want inside one of them to make virtual hosts on apache for every user | 09:16 |
| voidfire | so each user will be able to develop php/html and serve those files from /home/$USER/public_html | 09:16 |
| voidfire | similar to what a cpanel server does | 09:16 |
| voidfire | i know , ive googled for the matter but each article shows different proccess or misses steps and Im puzzled | 09:17 |
| * voidfire is confused | 09:17 | |
| lordievader | http://httpd.apache.org/docs/2.4/mod/mod_userdir.html | 09:17 |
| voidfire | ive enabled that module | 09:17 |
| voidfire | lets read up | 09:18 |
| lordievader | voidfire: That should be all, then you should be able to acces http://localhost/~username/ | 09:18 |
| voidfire | kay , thanx | 09:18 |
| === kickinz1 is now known as kickinz1|afk | ||
| === kickinz1|afk is now known as kickinz1 | ||
| frobware | anybody aware of dpkg SEGV issues on arm64 since Monday this week? | 10:19 |
| Odd_Bloke | frobware: On vivid? | 10:54 |
| === thumper-afk is now known as thumper | ||
| frobware | Odd_Bloke, trusty | 11:20 |
| frobware | Odd_Bloke, I went back to http://cloud-images.ubuntu.com/trusty/20150313/trusty-server-cloudimg-arm64-disk1.img which is OK for my test case (installing devstack) | 11:20 |
| mgz | rbasak (or someone) licencing question: | 12:44 |
| mgz | we're currently removing some files from our tarball when building juju because they come from a w3c testsuite | 12:45 |
| mgz | looking at their docs again today, they now seem to offer 3-clause bsd as an option as well as their own non-free licence | 12:45 |
| mgz | so is bundling w3c test suites okay now? | 12:46 |
| strikov | mgz: very good point; i don't know the answer (need to think about it) but i just figured out that we *include* this testsuite as src/golang.org/x/net/html/charset/testdata/ | 12:51 |
| strikov | mgz: we now have two copies of pretty the same code (maybe different versions) at golang.org/x/net and code.google.com/p/go.net/ | 12:52 |
| mgz | strikov: so, the juju tarball we build explictly strips that | 12:52 |
| mgz | but the move is why I'm looking at it again :) | 12:53 |
| strikov | mgz: i found it in the tarball for 1.23-beta3 | 12:53 |
| strikov | mgz: it removed from code.google.com/p/go.net/ but not from golang.org/x/net | 12:53 |
| mgz | >_< | 12:53 |
| strikov | mgz: do you know the reason why we have two versions of the same code? | 12:54 |
| mgz | code.google.com is shutting down, so everything is moving | 12:55 |
| mgz | I suspect not all things have moved the import over yet | 12:55 |
| strikov | mgz: origin link in the testdata/ folder doesn't work for me; what is the origin repo for these tests? | 13:04 |
| jelly | hi, is 15.04 server going with systemd as default init or is that delayed? | 13:06 |
| mgz | strikov: looks like it's that url s/repository\/// | 13:07 |
| mgz | wait, other way around | 13:07 |
| mgz | add repository in, after tests/ in the path | 13:07 |
| strikov | jelly: systemd is default for vivid | 13:08 |
| strikov | mgz: ah, thanks; i was confused by the fact that they call them the-input-byte-stream-*** | 13:09 |
| strikov | mgz: do you mean this by saying about bsd license: http://www.w3.org/Consortium/Legal/2002/copyright-software-20021231 | 13:12 |
| strikov | mgz: sorry, found right one | 13:13 |
| mgz | strikov: I was reading the "licenses for w3c test suites" page | 13:13 |
| rbasak | mgz, strikov: sounds OK, as long as the version you're shipping was released under the 3-clause bsd license as an option. I trust strikov will take care of checking that :) | 13:14 |
| strikov | mgz: rbasak: how about changing README in the tests folder to include 'all *.html files' are (c) by w3c and the following license applies <license from http://www.w3.org/Consortium/Legal/2008/03-bsd-license.html> | 13:17 |
| mgz | strikov: I'd like to do that, as an upstream patch at least | 13:17 |
| mgz | having a readme with a dead link and no mention of licencing at all is dumb | 13:18 |
| strikov | mgz: do you plan to file upstream bug to google or I need to do that? | 13:33 |
| mgz | strikov: I can | 13:34 |
| strikov | mgz: ok, thanks; ping me please when done so i can track it (i need to include a link to the bug to debian/copyright) | 13:34 |
| faylite | I get lots of lag while using ssh on a local network, 1-10 seconds of delay when typing etc. Any suggestions, it's a server on the same local network as me. | 13:42 |
| faylite | And it's connected to wifi...... | 13:42 |
| lordievader | Bad wifi connection? Long latency? | 13:44 |
| faylite | Any commands to measure it? Probably bad connection but I'm not sure. | 13:44 |
| lordievader | faylite: /proc/net/wireless can tell you. | 13:46 |
| faylite | Not sure what's good or bad, wlan0: link:58. level:-52. noise:-256 | 13:50 |
| faylite | Ok nvm looks like the signal is pretty bad and unstable, guess I'll try plugging in the Alfa | 13:53 |
| lordievader | Link level isn't optimal. | 13:53 |
| strikov | mgz: i just updated the bug; imo, we need to remove this testsuite from 1.23 tarball; we will return it back but only when golang guys fix the issue upstream | 14:00 |
| strikov | mgz: i don't want to be in a position when we have 1.23 release but we can't package it because golang upstream doesn't fix it yet | 14:01 |
| mgz | strikov: sure | 14:03 |
| strikov | mgz: thanks | 14:05 |
| mgz | strikov: what's the tarball you are looking at? because it really should ahve the old location stripped already | 14:07 |
| strikov | mgz: yes, old location is stripped; i'm talking about new location | 14:07 |
| strikov | mgz: i.e. we need to remove both :) | 14:07 |
| mgz | okay, I have that change done, will propose now | 14:07 |
| strikov | mgz: awesome | 14:07 |
| === xachet_2 is now known as xachet | ||
| caribou | utlemming: ping, | 14:46 |
| utlemming | caribou: pong | 14:47 |
| caribou | utlemming: just saw your MP for the cloud-init sosreport plugin, thanks ! | 14:47 |
| utlemming | caribou: :) | 14:47 |
| caribou | utlemming: the only thing is that I will not merge it from bzr as I would prefer to have it upstream first | 14:48 |
| caribou | utlemming: do you have a github account ? | 14:48 |
| caribou | utlemming: this way, it will benefit to all distros | 14:48 |
| utlemming | caribou: ah, sure. What is the github project I need to fork? | 14:49 |
| utlemming | caribou: I'll be happy to submit it up that way | 14:49 |
| caribou | utlemming: https://github.com/sosreport/sos | 14:49 |
| caribou | utlemming: or I can do it for you if you're too busy | 14:49 |
| utlemming | caribou: meh, I'll do it...its simple and I should really be playing in the Github community more | 14:50 |
| caribou | utlemming: just make sure that your commit log starts with [cloud-init] & add the signoff thingy | 14:50 |
| caribou | utlemming: just have a look here : https://github.com/sosreport/sos/wiki/Contribution-Guidelines | 14:50 |
| caribou | utlemming: so bryn doesn't send you back there. It mostly sums up to the two things I mentionned | 14:51 |
| caribou | utlemming: I worked on this a while back; sent a few emails then it fell in my todo blackhole | 14:51 |
| === Faylite_ is now known as Faylite | ||
| utlemming | caribou: done, https://github.com/sosreport/sos/pull/548 | 15:06 |
| caribou | utlemming: yep, just got the email. Thanks a lot. I'll get it in ubuntu once it's in | 15:07 |
| utlemming | caribou: great :) | 15:07 |
| === DenBeiren is now known as zz_DenBeiren | ||
| === kickinz1 is now known as kickinz1|afk | ||
| === kickinz1|afk is now known as kickinz1 | ||
| === markthomas|away is now known as markthomas | ||
| excalibr | Can someone help me with Upstart? Why does 'read' behave unusually in *-stop script stanza? | 16:56 |
| excalibr | I have these 2 lines in post-stop script block | 16:56 |
| excalibr | read -r ppid < /var/log/dnscrypt-resolvers_1.log | 16:56 |
| excalibr | touch /tmp/dnsc1_$ppid | 16:56 |
| excalibr | and when I stopped the job, the filename created in /tmp was dnsc1_[NOTICE] | 16:57 |
| lordievader | excalibr: what is in dnscrypt-resolvers_1.log? | 17:07 |
| excalibr | lordievader, /facepalm. I just realized that I made a stupid mistake when writing the filename. It meant to be a pidfile but it looks here something still caused it to fail | 17:14 |
| excalibr | read -r ppid < ${PID_FILE_PRIMARY} | 17:14 |
| lordievader | ;) | 17:14 |
| excalibr | touch /tmp/foobar_${ppid} | 17:14 |
| lordievader | Why throw it through read? 'touch /tmp/foobar_${PID_FILE_PRIMARY}'? | 17:15 |
| excalibr | stop: Job failed while stopping | 17:15 |
| excalibr | it gave me that when I stopped the service | 17:15 |
| excalibr | and dmesg output: | 17:15 |
| excalibr | [83429.323424] init: dnscrypt-proxy post-stop process (10894) terminated with status 1 | 17:16 |
| excalibr | lordievader, Im interested with the file content | 17:16 |
| excalibr | not the file itself | 17:16 |
| lordievader | Could you pastebin the full script? | 17:17 |
| excalibr | lordievader, it works though if I wrote it this way: ppid=`cat $PID_FILE_PRIMARY`; touch /tmp/foobar_${ppid} | 17:18 |
| lordievader | I really have no idea what you are trying to accomplish. | 17:19 |
| excalibr | lordievader, http://pastebin.com/raw.php?i=KW4X9ZKF | 17:21 |
| lordievader | Could you explain what you are trying to accomplish? | 17:24 |
| excalibr | lordievader, I had this line earlier in the post-stop block: if { read -r ppid < ${PID_FILE_PRIMARY}; } 2>/dev/null but oddly that didnt work so now this line was reduced to just that short read -r ... code. Basically I want to dig why the built-in read command failed | 17:25 |
| lordievader | So, run it manually? | 17:26 |
| excalibr | If I run that piece of code manually in interactive dash/bash shell it works just fine | 17:27 |
| === bilde2910|away is now known as bilde2910 | ||
| lordievader | What does the upstart log say? | 17:28 |
| excalibr | where is the log file | 17:28 |
| lordievader | /var/log/upstart/ | 17:29 |
| excalibr | I dont see a log file for the upstart job in the dir | 17:29 |
| excalibr | I was wondering about this as well | 17:30 |
| lordievader | ttp://upstart.ubuntu.com/wiki/Debugging | 17:32 |
| lordievader | http://upstart.ubuntu.com/wiki/Debugging | 17:32 |
| jathan | Hello ubuntu-server chanel | 18:05 |
| lordievader | o/ | 18:05 |
| jathan | Can someone tell me please which could be a good hardware characteristics for a Lidrectord implementation with Ubuntu Server 14.04 for an operation that will be attending between 200 and 1 milion requests per day? | 18:06 |
| === Lcawte is now known as Lcawte|Away | ||
| === Fez is now known as Guest42674 | ||
| === markthomas is now known as markthomas|away | ||
| Guest42674 | hi | 18:12 |
| === Guest42674 is now known as XIaah | ||
| XIaah | does anyone have a few minutes for a few quick questions for a noob about linux servers? | 18:12 |
| lordievader | XIaah: Shoot | 18:12 |
| joren | Hey, has anyone else ran into missing ca certs on ubuntu server recently? The install I did is pretty minimal (from preseed) so I'm wondering if there's just a package or something I'm missing. Wget and python are both having trouble with some *fairly* common keys. | 18:14 |
| XIaah | thanks lordievader, im doing a project at the moment using a dns, http and msql server and going to use a client to "hack" the servers to gain information from them and try to patch the weaknesses in them. i've obviously got apache2 installed on the http with and mysql on the mysql server. however i'm slightly unsure on where the best place to install myphpadmin and wordpress (wordpress | 18:16 |
| XIaah | must be used for the sake of project) would be? would it be on the apache server as i read that it needs to have permission to access apache2. or would it be best to install it on the mysql server? i hope thats clear enough its been a very long day! | 18:16 |
| XIaah | everywhere i've looked so far just points towards LAMP and installing everything on the same server, which in my case isn't possible as i need to use 3 individual servers | 18:16 |
| lordievader | XIaah: Those things are usually placed in /var/www if that is what you mean. | 18:17 |
| XIaah | yeah | 18:17 |
| sarnold | joren: apt-get install ca-certificates, that ought to be a good start | 18:17 |
| joren | sarnold, that's on there. some ssl works, some doesn't. I was hoping there might be another package missing but maybe it's something else | 18:18 |
| XIaah | lordievader would you recommend installing wordpress and myphpadmin along side apache2? | 18:18 |
| sarnold | XIaah: you could look into the juju charms for wordpress, apache, and mysql, they'll know how to configure those services to run on different computers | 18:19 |
| XIaah | sarnold juju charms? :o | 18:19 |
| sarnold | joren: can you share a specific site that's failing to verify? | 18:19 |
| sarnold | joren: maybe run it through the qualsys ssl checker.. | 18:19 |
| joren | running now, https://api.xero.com/ for one | 18:20 |
| sarnold | XIaah: see e.g. https://jujucharms.com/mysql/trusty/24 | 18:20 |
| XIaah | i'll look into it, thanks sarnold ! | 18:21 |
| teward | anyone here use reprepro willing to give me a hand with something? | 18:22 |
| lordievader | XIaah: You need something to serve those pages ;) | 18:22 |
| teward | i need to get two versions of the same source package into a repository that is explicitly named what i want, say, 'nginx-mainline' or 'nginx-stable' | 18:22 |
| teward | and within that it needs to support ubuntu versions trusty, utopic, vivid, and debian repos as well. any sane way to execute this | 18:23 |
| XIaah | lordievader what do you mean? | 18:23 |
| lordievader | XIaah: Apache is a web server, wordpress/phpmyadmin are web pages. | 18:23 |
| XIaah | lordievader: i'll have a dns running to support them also | 18:25 |
| jvwjgames | Hi i am trying to find my private key | 18:41 |
| jvwjgames | where is it stored | 18:42 |
| jvwjgames | i used openssl to generate a key | 18:42 |
| jvwjgames | but can't find the key | 18:42 |
| genii | cwd | 18:42 |
| teward | jvwjgames: /home/$USER/.ssh/ | 18:42 |
| teward | jvwjgames: the default is id_something - id_rsa for an RSA key, etc. | 18:42 |
| jvwjgames | openssl req -nodes -newkey rsa:2048 -keyout ... | 18:43 |
| teward | jvwjgames: those files contain the private keys; the id_something.pub file is the public key | 18:43 |
| jvwjgames | this is the command i used | 18:43 |
| teward | jvwjgames: oh wait, nevermind, i failed | 18:43 |
| teward | that command is only part of it, but -keyout should say what the filename is | 18:43 |
| teward | it'd then be in your current working directory | 18:43 |
| teward | (the directory you were in when you ran the command) | 18:43 |
| teward | FYI I can't read | 18:44 |
| teward | xD | 18:44 |
| * teward is tiredish | 18:44 | |
| jvwjgames | i forgot to speok found it | 18:46 |
| jvwjgames | ok i found it | 18:47 |
| jvwjgames | where is the ssl config file for apache 2 i can't find it | 18:52 |
| jrwren | jvwjgames: you can find it yourself: grep -ri ssl /etc/apache2 | 18:52 |
| jrwren | jvwjgames: looks like it is split across files in mods-enabled and sites-enabled | 18:53 |
| joren | It really does just seem like ubuntu is missing some important ca cert. it's working just fine on an arch machine and not working a few ubuntu servers | 19:09 |
| sarnold | joren: we really just repackage and ship the mozilla certs.. we don't want to be in the business of auditing CAs ourselves.. | 19:13 |
| joren | I see | 19:15 |
| maxb | what exactly fails? | 19:16 |
| joren | wget https://api.xero.com | 19:16 |
| joren | for one | 19:16 |
| joren | openssl s_client -showcerts -connect api.xero.com:443 | 19:16 |
| joren | show's "unable to get local issuer certificate | 19:16 |
| joren | er, with -CApath /etc/ssl/certs/ | 19:17 |
| jrwren | joren: I hate to say WFM, but... :) | 19:18 |
| joren | :( maybe it's really a man in the middle :D | 19:18 |
| maxb | I do see it fail for me on vivid | 19:19 |
| maxb | though I can't quite work out why | 19:19 |
| jvwjgames | how do i convert a cert to X.509 PEM | 19:20 |
| jrwren | me too, works on trusty, fails on utopic interesting | 19:20 |
| * joren on trusty here | 19:21 | |
| joren | failing on at least 3 installs | 19:21 |
| joren | :/ | 19:21 |
| jrwren | /etc/ssl/certs/Entrust.net_Secure_Server_CA.pem is on trusty and not utopic | 19:22 |
| jrwren | likely the cert was revoked for a reason? | 19:22 |
| jrwren | maybe because its a 1024 bit signing cert? | 19:22 |
| sarnold | jrwren: can you dpkg -S that on both systems? I thuoght the certs should be identical on all: https://launchpad.net/ubuntu/+source/ca-certificates | 19:23 |
| joren | I've got the Entrust.net_Premium_2048_Secure_Server_CA.pem but I'm missing that one that jrwren just mentioned. This gets me a bit closer :) | 19:24 |
| jrwren | sarnold: 20130906ubuntu2 on this not-updated trusty. | 19:25 |
| jrwren | here it is, phasing out 1024bit signing keys: https://blog.mozilla.org/security/2014/09/08/phasing-out-certificates-with-1024-bit-rsa-keys/ | 19:26 |
| jrwren | and https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.16.3_release_notes | 19:28 |
| sarnold | I don't thinkt hat's it though, qualys reports their cert and all certs above it in the chain are 2048. but they also report they are using sha1.. I wonder if that's related? | 19:29 |
| jrwren | sarnold: I can confirm that the missing file which I mentioned has the same fingerprint mentioned in those NSS release notes. | 19:30 |
| === kickinz1 is now known as kickinz1|afk | ||
| === kickinz1|afk is now known as kickinz1 | ||
| joren | jrwren, how did you find that that was the missing file? I've got one other site failing that I'd like to investigate a bit too, it's failing on a verson of ca-certificates that works with api.xero.com | 19:34 |
| jrwren | joren: I saw the name entrust so I ls /etc/ssl/certs/*trust* on a trusty and a utopic. Lucky guess. | 19:35 |
| joren | cool cool | 19:35 |
| === Lcawte|Away is now known as Lcawte | ||
| jrwren | joren: but, I am not sure that is the problem. | 19:35 |
| jrwren | I'd have excpect to see that cert as on in the chain in the output of that s_client command, and it is not | 19:35 |
| jrwren | i'm afraid i went down the wrong path on this. sorry. | 19:37 |
| joren | idk, seems logical to me. the ubuntu servers are missing a "USERTrust*" certs as well which would explain the other site. | 19:39 |
| joren | Maybe I should just get a different cert bundle from a trusted source | 19:39 |
| sarnold | you could download just their specific CA cert and use --ca-certificate=FILE | 19:40 |
| jrwren | joren: these certs were removed for good reason and without seeing them in that chain, there is no reason to believe adding the cert will fix the problem. | 19:40 |
| jrwren | joren: also, I do not think "unable to get local issuer certificate" is an error. I get that for google.com and yahoo.com | 19:41 |
| joren | I get "Verify return code: 0 (ok)" instead of the local issuer thing :/ | 19:42 |
| joren | using that missing cert with --ca-certificate does indeed work. Which I had actually downloaded from Entrust yesterday. | 19:44 |
| === crazybluek is now known as Blueking | ||
| joren | I guess I'll probably just do that, or add Entrust's full cert bundle, and maybe urge xero to get their key's resigned to that 2048 CA key if they can | 19:49 |
| joren | unless I'm missing something. | 19:50 |
| === kickinz1 is now known as kickinz1|afk | ||
| === kickinz1|afk is now known as kickinz1 | ||
| jvwjgames | where do i pu the chiper options in apache | 20:19 |
| jvwjgames | i can;t find the file | 20:20 |
| teward | jvwjgames: in your site configs, IIRC | 20:20 |
| teward | httpd.conf theoretically, but i don't know where that is on Ubuntu, as I use nginx instead :P | 20:20 |
| joren | jvwjgames, /etc/apache2/monds-enabled/ssl.conf is where I'd probably put it. | 20:21 |
| jrwren | jvwjgames: /etc/apache2/mods-available/ssl.conf | 20:21 |
| jrwren | jvwjgames: see SSLCipherSuite is there by default | 20:22 |
| joren | btw, thanks jrwren and sarnold for your help. | 20:22 |
| teward | what they said :0 | 20:22 |
| jvwjgames | thanks guys | 20:28 |
| jvwjgames | >:( | 20:29 |
| jvwjgames | why | 20:29 |
| jvwjgames | https://www.ssllabs.com/ssltest/analyze.html?d=jvwjgames.net | 20:29 |
| jvwjgames | This server accepts the RC4 cipher, which is weak. Grade capped to B. | 20:29 |
| jrwren | jvwjgames: http://blog.rlove.org/2013/12/strong-ssl-crypto.html I follow that. | 20:32 |
| jvwjgames | any ideas | 20:32 |
| teward | jvwjgames: you have the rc4 cipher somewhere | 20:33 |
| jvwjgames | SSLCipherSuite AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5:!RC4 | 20:33 |
| teward | but without your cipher strings we can't really tell | 20:33 |
| teward | did you reload the configuration when you hanged it | 20:33 |
| teward | changed* | 20:33 |
| jvwjgames | SSLHonorCipherOrder on | 20:33 |
| jvwjgames | yes | 20:34 |
| teward | yeah i was running the cipher test :p | 20:34 |
| teward | jvwjgames: i think it's missing this cipher in that config, but IDK why - ECDHE-RSA-RC4-SHA | 20:36 |
| teward | i just ran a cipherscan of your domain from here, and that's the only rc4 cipher still in use | 20:36 |
| teward | probably why it triggered | 20:36 |
| jvwjgames | so just add it | 20:36 |
| teward | see, https://cipherli.st/ is a little more 'accurate' to the cipher strings that you should probably use - it doesn't include the MEDIUM ciphers and won't trigger the RC4 error, but meh | 20:37 |
| teward | not that i endorse that list | 20:37 |
| jvwjgames | hmm intresting | 20:37 |
| jvwjgames | i had two lines for cipher settings | 20:38 |
| jvwjgames | and apache2 didn't complain | 20:38 |
| jvwjgames | maybe why it was still triggering | 20:38 |
| jvwjgames | retesting | 20:38 |
| teward | well it shouldn't, you *can* override ciphers for specific sites, IIRC. | 20:39 |
| teward | nope still triggering :P | 20:42 |
| teward | (make sure to refresh your configs every time) | 20:42 |
| jvwjgames | ok i just copied and pasted the config from that site you gave and i am now retesting | 20:45 |
| jvwjgames | and yes i did a reload and even a restart | 20:45 |
| jvwjgames | of the apache2 service | 20:45 |
| teward | you might have something overriding it elsewhere in other configs, but IDK where that'd be. | 20:46 |
| teward | (I'm not an Apache expert) | 20:46 |
| jvwjgames | ok | 20:47 |
| joren | grep -R SSLCipherSuite /etc/apache2/ | 20:47 |
| joren | ? | 20:47 |
| joren | I just changed mine to "SSLCipherSuite AES256+EECDH:AES256+EDH" and it got rid of the RC4 thing for me. We've been using that on our public site for a while now | 20:48 |
| jvwjgames | ok retesting | 20:50 |
| teward | joren: yeah that's a strong ciphersuite, although iirc that limits to TLSv1.2 but don't quote me on that | 20:53 |
| teward | mmm it has older ones, too, nevermind. | 20:53 |
| teward | the only problem is if you need the 128 strength ones in which case time to expand | 20:53 |
| jvwjgames | hmm | 20:55 |
| jvwjgames | still don't work | 20:55 |
| joren | did the grep reveal any other SSLCipherSuite lines? do you have the symlink at /etc/apache2/mods-enabled/ssl.conf? | 20:56 |
| joren | heh, that guy Robert Love has the same last name as me :) | 20:59 |
| joren | I'm waiting for the .love tld to come out :D | 20:59 |
| jvwjgames | The apache2 configtest failed. Not doing anything. | 21:01 |
| jvwjgames | Output of config test was: | 21:01 |
| jvwjgames | apache2: Syntax error on line 219 of /etc/apache2/apache2.conf: Syntax error on line 163 of /etc/apache2/sites-enabled/default-ssl.conf: </IfModule> without matching <IfModule> section | 21:01 |
| jvwjgames | Action 'configtest' failed. | 21:01 |
| jvwjgames | The Apache error log may have more information. | 21:01 |
| jvwjgames | nevermind fixed it | 21:02 |
| jvwjgames | :D | 21:04 |
| jvwjgames | guys | 21:04 |
| jvwjgames | look | 21:04 |
| jvwjgames | https://www.ssllabs.com/ssltest/analyze.html?d=jvwjgames.net | 21:04 |
| jvwjgames | joren: look | 21:05 |
| jvwjgames | teward: look | 21:06 |
| joren | Congrats | 21:06 |
| jvwjgames | i had tones of cipher settings in diffrent places i commented them out and put the chiper settings in apache.conf and it worked | 21:07 |
| teward | jvwjgames: your OCSP is borked, but i think that's Comodo's fault | 21:08 |
| joren | you're getting allot less cipher suite mismatches than me | 21:08 |
| jvwjgames | i am | 21:10 |
| jvwjgames | hmmm | 21:10 |
| joren | I think it's a good thing ;) | 21:10 |
| jvwjgames | thanks for your help guys | 21:12 |
| joren | Anyone know if there SSLCertificateChainFile thing is supposed to take care of missing local ca certs? I started investigating the server I have access to that's failing wget but ssl labs certainly isn't telling me there are any issues | 21:38 |
| === jvwjgames_ is now known as jvwjgames | ||
| === jvwjgames_ is now known as jvwjgames | ||
| === mrt333_ is now known as mrt333 | ||
| === Lcawte is now known as Lcawte|Away | ||
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!