=== markthomas is now known as markthomas|away
=== Lcawte is now known as Lcawte|Away
=== markthomas|away is now known as markthomas
[06:53] Does anyone know if it's ok to use lxd on a home server? I want to replace kvm as my main hypervisor.
[07:06] Good morning.
[07:32] Good morning everybody
[07:36] o/
[08:26] Hello guys. Can anyone help me to set up an Ubuntu Server with full disk encryption?
[08:26] I've been googling around but haven't found anything like a guide
[08:28] Maybe someone has a guide, so please share a link
[08:28] Thanks
[08:28] ld2412: it's a choice during installation
[08:28] But if I rent a server (dedicated) and the OS is already installed
[08:29] I mean this case
[08:29] ld2412: not sure how to encrypt an existing system
[08:30] RoyK: nevermind. I'm sure it's possible and it's somehow connected with the KVM thing
[08:31] Encrypting an existing file-system using LUKS/dm-crypt?
[08:31] TJ-: How to decrypt the hdd after a reboot?
[08:31] E.g.
[08:32] ld2412: That depends on how it was encrypted :)
[08:32] So, can you help me with it? :)
[08:34] ld2412: Give some specifics and I may be able to
[08:39] Ahhh... silent encryption, eh, sneaky!
[08:40] TJ-: I've sent you messages
[08:41] ld2412: Please keep the support messages in the channel so others can learn from the issue
[08:42] Ok
[08:42] So
[08:42] The example
[08:42] I rent a dedicated server
[08:42] It comes with default Ubuntu Server 14.04
[08:42] That's it
[08:43] Full disk encryption is needed for that server
[08:43] I have just ssh root shell access
[08:45] ld2412: OK... well first off, anyone with physical access will be able to circumvent any encryption
[08:46] That is clear :)
[08:46] But still
[08:46] ld2412: so what attacks are you looking to prevent. Encryption will protect the data if the server is powered off, but as soon as it powers up and is active, the block devices are available unencrypted and the key is in memory
[08:47] You have already named the reason - protection when the server is powered off
[08:48] ld2412: Well, it's unusual to have a dedicated server that isn't powered on :)
[08:48] That is true :D
[08:48] But still, encryption is needed
[08:48] ld2412: that said, you can configure an initrd.img with a small ssh client that can connect out to get a key to unlock encrypted devices
[08:49] ld2412: it's much better to protect individual files/sets of files, if the aim is to protect personal data in, for example, databases
[08:49] ld2412: usually, with full disk encryption, you'll have to type a password on the console to unlock it - for a headless machine, that's a bit tricky
[08:50] ld2412: and storing the password in the bootup renders encryption rather useless
[08:50] * RoyK encrypts all his data with ROT13 - twice!
[08:50] ld2412: If you want to protect data areas but the OS doesn't need encryption, then that makes it slightly easier since you can wait for the init system to start before needing to handle unlocking the encrypted device(s)
[08:51] RoyK: That is so secure with UTF-16 :)
[08:52] ld2412: if you're really paranoid, set up your own hardware :P
[08:52] I can't set up my own :)
[08:52] RoyK: 2x rot13 is the best security! By far.
[08:53] ld2412: Ain't it better to make luks containers for your critical data rather than go full disk encryption?
[08:53] I think FDE is better
[08:53] I don't mind typing a password on each reboot
[08:54] So
[08:54] Is there any guide on the internet? I haven't found one
[08:54] ld2412: do you have console access or just ssh? also - why so scared? the ISP will gain access if they want to
[08:54] I have only ssh
[08:55] That's my personal "features" :D
[08:55] Please help guys
[08:55] lordievader: FDE and LUKS are orthogonal. LUKS is simply a way to manage the keys of a dm-crypt device
[08:56] ld2412: well, as TJ- said, you can probably get sshd into the initrd to help, but setting this up on a machine without console access will be hard - I've never tried it...
[08:56] TJ-: I know. I was targeting encrypted lvm volumes.
[08:56] If one provides me with a step by step guide I will thank that person via bitcoins :)
[08:56] ld2412: if you use FDE first of all, it won't be FDE, what it will be is root file-system encryption. you'll need a separate unencrypted /boot/ file-system containing GRUB and the kernels/initrd.img
[08:57] ld2412: why on earth would you bother with encrypting the root?
[08:57] Of course boot stays unencrypted
[08:58] I am a bit more than an average user, so not all the things you guys say are clear
[08:58] ld2412: install a statically linked ssh client in the initrd, that is hard-coded to contact your key-server via a key-script, and then cryptsetup's cryptroot update-initramfs scripts can do the rest
[08:58] ld2412: this is a bit on the advanced side ;)
[08:59] RoyK: That is why advanced help is needed :)
[08:59] ld2412: some people install dropbear in the initrd, the micro-ssh-server, and have it wait for incoming connections from a key-delivery system, also, but I prefer the call-out method
[09:00] Personally I don't think it is worth the trouble.
[09:01] ld2412: I've been working on ssh support in GRUB so GRUB's LUKS encryption can be used remotely too, to allow the /boot/ file-system to be remotely unlocked. Currently it requires console access to unlock GRUB's root file-system
[09:02] TJ, would you like to help me tête-à-tête and I will pay for your time?
[09:02] Hourly
[09:02] :)
[09:03] ld2412: no thanks, I've got enough of my own to do
[09:04] ld2412: pro tip... practice in a simple local VM guest until you're confident it works and you understand it
[09:07] Sorry, my internet connection failed and I was disconnected
[09:07] With servers that may contain confidential info a better solution is to use per-application encryption that encrypts its data before writing to disk, such as in databases, so even if the files are compromised the contents are safe
=== ashleyd is now known as ashd
=== justizin_ is now known as justizin
=== Lcawte|Away is now known as Lcawte
[09:53] Hello everyone!
[09:53] Got a quick question for you:
[09:54] If I have a server, on which I run a very important web-service for our business, and I want to add two drives to fstab and then type "mount -a", will anything be interrupted or will the new drives just be added?
[09:54] The second.
[09:55] lordievader: so mount -a doesn't do anything to the already mounted?
[09:55] No.
[09:59] not that I don't believe you lordievader but I need to be 200% sure, can someone confirm?
[10:00] A "very important web-service" should be built in a redundant way
[10:02] Celphish: test it locally
[10:22] magicalChicken: how do you feel about bug 869017? Are you happy to post to ubuntu-devel?
[10:22] bug 869017 in kbd (Ubuntu) "Ubuntu server enables screenblanking, concealing crashdumps (DPMS is not used)" [Medium,In progress] https://launchpad.net/bugs/869017
[10:27] Celphish: well, of course, I use it regularly, but as dasjoe says, make it redundant
[10:30] mdeslaur: around? I'm looking at sponsoring bug 1394403 - as you've looked at it before I'd like your opinion please.
[10:30] bug 1394403 in apache2 (Ubuntu Trusty) "RewriteRule of "^$" is broken" [Medium,Confirmed] https://launchpad.net/bugs/1394403
[10:31] when I asked magicalChicken to look at it I didn't realise the upstream fix would add a configuration directive. But it looks like it's safe as it defaults to the same behaviour. Had you considered this already? Does it also look reasonable to you?
[10:31] I also think we should include the documentation update in our backport - better than not having it in the SRU IMHO.
[10:34] smoser: reminder to look at bug 1481337 when you can please.
[10:34] bug 1481337 in keepalived (Ubuntu Wily) "keepalived makes a floating IP available on more than one host after configuration reload" [Undecided,Confirmed] https://launchpad.net/bugs/1481337
[10:35] smb: thank you for driving bug 1483214! Looking good.
[10:35] bug 1483214 in linux (Ubuntu Vivid) "ipmi_si module spams kernel log with "ipmi_si 00:05: Could not set the global enables: 0xcc."" [Medium,Fix committed] https://launchpad.net/bugs/1483214
[10:36] rbasak, np, should be getting out as this cycle closes
[11:10] rbasak: I'm ok with the new config option...I've added options before to packages as security updates, so it's not like we haven't done it before. The option will change the behaviour though, but cases where it will break something are unlikely
[11:10] rbasak: for the documentation, meh...if it were man pages, I'd push for it...but the static web documentation, meh
[11:10] rbasak: especially since there are localized versions of the documentation and we'd only be updating the english version
[11:11] hello
[11:11] i can't get random_delay to work in /etc/crontab
[11:11] rbasak: the only thing is perhaps add what the option is and how the default has changed to the changelog
[11:13] http://pastie.org/10376721
[11:13] every job runs exactly on the minute
[11:14] that it's "supposed" to
[11:16] mdeslaur: OK. Thanks!
[11:25] Azaril: No mention of RANDOM_DELAY on "man crontab"
[11:48] Hi guys
[11:48] If I mount a gluster volume from server1 with server2 as backup with the fuse mount, I understand that once server1 is down it will use server2 automatically. But what happens when server1 is back? Will it automatically start using server1 even if it doesn't have the latest data, or keep using server2 until it goes down and then go back to server1?
[11:51] jpds: having gone through a lot of google, apparently ubuntu's version doesn't support it
[11:51] Azaril: Not mentioned in the manpage. :)
[11:51] yeah, not in ubuntu's
[11:51] i'll have to do it by hand
[12:15] (whee wordpress exploded)
[12:15] rbasak: FYI, i've downloaded the nginx package from Debian Unstable, and am test-building it without changes before pushing to PPAs...
[12:15] so the latest 1.9.x will be 'available' via that PPA
[12:21] teward: sounds good. Thanks!
[12:21] has anyone seen sarnold, I think he was looking for my writeup on my Landscape-and-Gitlab-On-the-Same-Server blog post on my headaches and solutions for everything on the same server xD
[12:21] rbasak: no problem
=== ws2k3_ is now known as ws2k3
[12:30] rbasak: Oh, yeah, I need to ask the mailing list if they think it's a good idea. I'll send that email out this afternoon.
[12:55] Quick question, when I type lsblk or fdisk -l, I see the same disk appear both as sdb and sdc, any way to get rid of sdc?
[12:56] Celphish: same disk? sounds like some symlinks or device nodes are stale
[12:56] TJ-: looks like it's the same disk yes
[12:57] TJ-: how do I check if it's the same, I've been fiddling with this for a few hours now, haha
[12:58] Celphish: do you have multipath somehow?
[12:58] Celphish: there are symlinks under /dev/disk/ check out "ls -l /dev/disk/by-id/" and look at the names/serial numbers and where the symlink points to, and follow the trail
[12:59] Celphish: I've seen the same disk appearing twice if it's connected on multipath
[12:59] Celphish: if that's the case, set up multipath in linux
[13:01] hi coreycb, ready for me to push from proposed to updates in Kilo cloud archive? FYI, this is the proposed vs. current updates list: http://paste.ubuntu.com/12199098/
[13:02] beisner, probably should wait until after 4:30 pm to officially have it in proposed for +7 days
[13:02] * beisner moves finger off the trigger
[13:02] coreycb, gotcha
[13:03] beisner, the list looks good, thanks!
[13:03] RoyK: well, it was used faulty before, I haven't used it though.. When I did what TJ- said, it looks like one number points to sdc, and then the same number with the addition of "-part1" points to sdb1...
[13:04] coreycb, ok thanks for confirming. I'll push later today.
=== martins-afk is now known as martinst
[13:08] Celphish: is it using multipath? how is the device connected?
[13:08] Celphish: also, check "/var/log/kern.log" and look at the messages when those devices are added by the kernel, that might give a clue
[13:09] TJ-: not sure tbh, think it's connected with a fiber optic cable somehow
[13:09] Celphish: pastebin output of 'smartctl -i /dev/sdc' and similar for sdb
[13:12] RoyK: not installed on the server, smartctl, not sure I want to install it either since it's a production server
[13:13] Celphish: possibly "sudo dmsetup info" might give some clues
[13:13] TJ-: no devices found
[13:13] resort to the logs then :)
[13:16] Celphish: it should be installed :)
[13:16] Celphish: install smartmontools
[13:16] Celphish: it's very nice for monitoring and reporting things
[13:17] RoyK: I'm just a tad restrictive when it comes to installing anything on a server that's in use by all our customers atm
[13:17] Celphish: it comes with smartd, monitoring physical disk health
[13:17] well, uninstall it later, then
[13:27] TJ-: there are some interesting entries in the log but I'm not sure what they mean, haha :D
[13:27] a lot of "device-mapper........ error getting device"
[13:27] with a "multipath" in between
[13:27] but we've flushed all mp, there are none left
[13:32] Celphish: looks like stale device references then, not sure how they aren't identical though
[13:32] Celphish: you'd expect sdb sdb1 sdc sdc1 really
[13:51] TJ-: yes, that's what I suspected too... but how do I correct / remove stale references?
[13:52] Celphish: remove the nodes
[13:52] Celphish: and any sym-links of course
[13:55] TJ-: sorry for lacking the knowledge, but please elaborate on how
[13:56] Celphish: if you're not familiar with such basic tasks, I would recommend getting a capable sysadmin to deal with it. you said it is a production server.
[14:11] rharper: around? I'd like to talk about bug 1481289.
[14:11] bug 1481289 in php5 (Ubuntu) "PHP 5.5.9 Default socket timeout being not honoured by application" [Medium,Incomplete] https://launchpad.net/bugs/1481289
[14:11] rbasak: here
[14:12] rharper: thank you for investigating the bug. It's turned out to be much more complicated than applying a simple patch (don't they all!) but at least that's clear now so it doesn't look like we're just ignoring people sending patches.
[14:12] rharper: I'd like to either get an SRU landed though, or drop it off my list for driving.
[14:13] rbasak: indeed; it's rather complicated w.r.t. what's actually needed
[14:13] rharper: ah, so it's not a "minimal fix", right?
[14:13] there's nothing definitive in the referenced bugs that cleanly applies
[14:13] OK
[14:13] and the upstream versions that are fixed are rather significantly modified in that area
[14:13] The bug status should still be Triaged though - as it's about whether the bug is valid rather than if we have a readily available fix.
[14:13] they went through a number of iterations to get things working right
[14:14] ah, ok
[14:14] I gave you the bug because I thought it was trivial, rather than because it has a large user impact.
[14:14] sure
[14:14] So I think it's fine to drop it on that basis, while inviting others to provide a minimal patch for SRU.
[14:15] right, if we get a simpler patch (or any set of patches) I'd be happy to re-review that for SRU
[14:15] Could you maybe explain what you think is required to drive the bug further in the bug itself, and then withdraw and unassign yourself? Assuming we don't want to work on it ;)
[14:15] rbasak: sure
[14:16] Thanks!
[14:16] rharper: is there anything you're waiting on me for BTW? I'm trying to go through all the bugs I'm tracking but don't see anything else from you on my list.
[14:17] rbasak: no; I have the other bug related to puppet service status that I need to pick back up but that's not waiting on you, just me
[14:17] OK, np. Thanks!
[14:18] sure
[14:18] TJ-: well, they don't have any responsible sysadmin :)
[14:30] Is this the right channel to discuss ubuntu openstack installation as a single installer without maas?
[14:40] smmoCoffee: I'm not aware of a better place if it doesn't involve MAAS. Try asking your question.
[14:48] rbasak: We're wondering if there are any recommended procedures for running openstack-install behind a proxy server
[14:51] stokachu: ^^ are you the right person to help smmoCoffee?
[14:51] running it with the http-proxy argument helps, but I'm finding with a self signed certificate used by the proxy server
[14:52] danwest: ^^
[14:52] stokachu, can you answer the proxy question for smmoCoffee?
[14:52] we're wondering whether there is an insecure option that might be passed to ignore the self signed cert
[14:53] smmoCoffee: if you use a linux server as the router/proxy, you could set up transparent proxying
[14:54] we have no direct access to the proxy server
[14:54] smmoCoffee, looks like there is a proxy option [--http-proxy HTTP_PROXY] [--https-proxy HTTPS_PROXY]
[14:54] logs for the bootstrap lxc container show errors with curl
[14:54] I've never installed openstack, so sorry
[14:55] smmoCoffee: we have cli options that you can set to run behind a proxy, --http-proxy and --https-proxy
[14:55] have a look at openstack-install --help
[14:55] danwest: yes, that's how I'm running and that is allowing us to actually get to whitelisted sites like entropy.ubuntu.com
[14:56] oh self signed certificate
[14:56] don't we just love those? ;)
[14:57] curl: (60) SSL certificate problem: unable to get local issuer certificate
[14:57] yea we don't implement a way to accept insecure certificates
[14:57] that appears in the bootstrap container cloud-init log
[14:57] what's the full command that's being run
[14:58] everything we query for shouldn't be pulling in any self signed certificates
[14:59] I get the impression that smmoCoffee has a MITM proxy that expects you to have installed its CA in every client.
[14:59] (or bypass warnings)
[14:59] yea makes sense
[14:59] openstack-install --http-proxy $PROXY_SERVER:$PROXY_PORT --https-proxy $PROXY_SERVER:$PROXY_PORT
[14:59] smmoCoffee: what's the output from the log where it fails
[14:59] you can paste.ubuntu.com that
[15:00] So I guess a proper solution is to install the CA everywhere (every container etc) where it is needed.
[15:00] This might need cloud-init support for an ideal solution.
[15:00] the proper solution is to use proper certificates
[15:01] An MITM SSL proxy is reasonable in a controlled environment for consenting adults IMHO.
[15:01] Otherwise it's just something that tunnels through firewalls defeating their ability to keep you safe.
[15:01] i wish the internet was more trusting
[15:01] so i wouldn't have to lock my doors at night
[15:01] stokachu: don't we all :P
[15:02] And being Free Software we should be free to run our own CAs if we wish. So this reduces to a feature request :)
[15:04] just as the ubuntu pastebin url?
[15:04] http://paste.ubuntu.com/12199815/
[15:04] yea just paste it at that url and post the link here
[15:05] Here
[15:06] smmoCoffee: you're running an older openstack-installer
[15:06] Here's higher level logging from the commands.log
[15:06] smmoCoffee: http://ubuntu-cloud-installer.readthedocs.org/en/latest/single-installer.guide.html
[15:06] http://paste.ubuntu.com/12199839/
[15:06] follow ^ that guide as that is the version that will end up in the ubuntu archives
[15:07] ok, thanks. So we should use ppa:cloud-installer/experimental
[15:07] the pollinate command should work behind a proxy so I think using the latest installer fixes all that
[15:08] stokachu: thanks for confirming
[15:09] np, also you can find us in #ubuntu-solutions if you need anything further
[15:51] A question for those in the know. Can I replace KVM with LXD?
[15:52] You can't just migrate from one to the other
[15:53] any landscape pros here? (got a question about the actual Landscape Dedicated Server software)
[15:53] I don't want to migrate. I was just wondering if I could use lxd instead of KVM.
[15:55] it depends what for. you can use a shoe as a hammer, but not a hammer as a shoe.
[15:55] teward: Yes
[15:58] jpds: what part of LDS listens on 8080? And is it possible to make it listen elsewhere
[15:58] teward: I think that's the appserver
[15:58] (say, 28080 or similar, because port conflicts)
[15:58] teward: Why, do you already have something on there?
[15:58] Knightmare: some prefer lxd over KVM - it will share resources better, but IMHO, KVM is nice
[15:59] jpds: good question, it's more a hypothetical question :p
[15:59] jpds: because it's an experimental system, so exploring it is different than production deployment
[15:59] there's quite a lot of cruft there
[15:59] (experimentation vlans ftw)
[15:59] teward: I always install LDS on a new VM
[16:00] jpds: remove VM from the equation - my ESXi box that runs VMs decided to blow up on me
[16:00] so i'm still hunting a replacement/warranty fix
[16:00] (so it's on a barebones test system for now)
[16:00] i was more curious what's listening on 8080 rather than changing the port :P
[16:01] Right
[16:01] teward: Apache just mod_proxy's stuff to the relevant component/appserver based on URL
[16:02] right, which i discovered is fine, except for when you have one IP, many domains, then you need reverse proxies :/
[16:02] (I am also NOT an apache guru :P)
[16:02] jpds: a lesson in how NOT to run things: I am temporarily putting LDS on my gitlab barebones box :/
[16:02] 8080 is conflicted because Gitlab's Unicorn is on 8080
[16:02] (I fixed that easily)
[16:02] Ew
[16:03] as i said
[16:03] my esxi box decided to nuke itself :/
[16:03] KVM is lovely :-)
[16:03] making it WORK is not hard once you fix the port conflict
[16:03] mmm
[16:03] indeed
[16:04] jpds: too bad it doesn't like this box
[16:04] in either case - http://dark-net.net/?p=100 is my musings and discovery
[16:04] teward: Why doesn't it like that box?
[16:04] jpds: old
[16:04] (old converted desktop, my guess is virtualization isn't present in BIOS/CPU chipset)
[16:04] oh
[16:04] jpds: interesting tidbit...
[16:04] RoyK: Thanks for the advice!
[16:04] So, ESXi isn't painful for you?
[16:05] jpds: landscape-client refuses to recognize valid SSL on a Landscape server
[16:05] Knightmare: IMHO KVM (or other virtualisation software) is far better in security terms - it's total isolation, not merely smart chrooting
[16:05] (i.e. a valid SSL cert from an SSL certificate provider)
[16:05] teward: Weird
[16:05] jpds: it required me to copy in the CA chain and provide it via the cli arguments
[16:05] jpds: that *may* be a bug, but meh
[16:05] (it's a Comodo wildcard cert)
[16:05] teward: It'll use whatever the Ubuntu ca-certificates uses
[16:06] weird because curl worked fine to recognize the SSL as valid
[16:06] landscape-client didn't
[16:06] (so did Firefox, and Chromium, and w3m even)
[16:06] also a funny story about Landscape - things run in KVM are sometimes NOT recognized as a VM
[16:07] and as barebones hardware instead
[16:07] teward: landscape-client uses gnutls instead of openssl, which is slightly stricter about certs
[16:07] mmm
[16:07] * teward shrugs
[16:07] teward: Yeah, did you expose the host cpu flags to the guest?
[16:07] jpds: wasn't my system, the other sysadmin set that one up
[16:07] :/
[16:08] my guess is 'maybe'?
[16:08] my experimental test instances only have VMs
[16:08] well...
[16:08] jad.
[16:08] had*
[16:09] RoyK: I've got an HP Microserver and just want to make the most of the resources.
[16:09] jpds: another question if you have a moment - any way to get more than those 20 free licenses? I assume one has to buy the advantage licenses, but my question is are they the same price, or do the prices on the canonical store reflect the Canonical-run Landscape instance?
[16:10] Knightmare: what sort of cpu? how much memory?
[16:10] teward: You have to buy licenses
[16:10] RoyK: http://n40l.wikia.com/wiki/Base_Hardware_N54L
[16:11] jpds: i know that, but are they the same licenses listed on the Ubuntu Advantage pages, or does one reach out to Canonical Sales about pricing
[16:12] Knightmare: if kvm doesn't do the job, try lxc, or get some better hardware ;)
[16:12] teward: talk to sales
[16:13] ok
[16:13] jpds: thank you!
[16:13] RoyK: I don't need serious hardware for what I want to run. Just want to be as efficient as possible :)
[16:15] Knightmare: lxc is probably the best thing for that
[16:17] teward, do you have an account on landscape.canonical.com?
[16:17] teward, the hosted Landscape?
[16:37] jgrimm: I agree with you on bug 1397250 - I'd like *someone* (even if it's the reporter) to be able to reproduce it, or at least still be affected by it, before we attempt an SRU.
[16:37] bug 1397250 in libnss-ldap (Ubuntu) "SIGPIPE not caught in do_atfork_child()" [High,Triaged] https://launchpad.net/bugs/1397250
[16:41] rbasak, thanks.. i was going to ping you for an opinion on that. hopefully someone can actually recreate the bug..
[16:43] rbasak, i find it rather curious that the test reproducer didn't even hit the function that is patched as part of the fix when i enabled debugging.
[16:43] rbasak, but it has been an excellent learning exercise nonetheless
[16:44] Beret: no, Landscape Dedicated Server, the personally-run one
[16:44] NOT the cloud landscape.canonical.com
[16:44] if I had the hosted landscape I'd have a support ticket in, not asking questions here :)
[16:46] rbasak, would this actually be SRU'able even? I can't think that this is hitting that many folks..
[16:47] jgrimm: if someone's actually impacted (rather than it being theoretical) then I wouldn't block doing an SRU on that basis (though time and resource is a separate thing, I'm always happy for an affected user to drive).
[16:48] jgrimm: OTOH, if we can't actually find anyone impacted because it's theoretical or that person has moved on and doesn't trigger it any more, then I see no point in risking regression by doing an SRU.
[16:48] That's my personal opinion, anyway.
[16:48] rbasak, that's my concern too
[17:19] mmm... jpds, Beret: did either of you invite me to landscape.canonical.com for some reason?
[17:20] teward, yes, do you not see my private messages?
[17:20] teward: He's onto you
[17:20] Beret: +g
[17:20] (i get too much PM spam, being an op in bitcoin chans)
[17:20] eh?
[17:20] ah
[17:20] (so I have umode +g on, which blocks PMs)
[17:21] not ideal
[17:21] Beret: feel free to resend if you wish :)
[17:21] :)
[17:21] paste coming your way
[17:21] Beret: getting spammed by 300+ bots is less ideal
[17:21] resent
[17:21] get it this time?
[17:26] Beret: yep!
[17:52] hi, question about installing openstack per the single installer guide http://ubuntu-cloud-installer.readthedocs.org/en/latest/single-installer.guide.html
[17:54] the top level container is failing to initialize
[17:57] a process execution error is thrown where the single_install python script tries to run the pollinate command
=== Lcawte is now known as Lcawte|Away
[18:10] smmoCoffee: the pollinate command should fail gracefully, quietly
[18:11] smmoCoffee: is it not?
[18:11] smmoCoffee: can you paste some logs?
[18:13] I have a dumb question. I'm running nginx. I set up a self signed certificate a few months ago. everything worked great. I checked it against site certificate ssl/tls checkers and it was getting high marks. I bought a certificate and I guess I used the wrong key or something. I forgot the whole process from a few months ago. Right now I keep getting the same self signed certificate warning in the browser.
=== lifeless1 is now known as lifeless
[19:11] acmehandle: check the nginx documentation to be sure
[19:15] kirkland: here's the commands.log http://paste.ubuntu.com/12201532/
[19:17] smmoCoffee: so, first, I should mention that https_proxy=http://129.165.60.148:80 is a really bad idea, from a security perspective
[19:17] acmehandle, it might be that the selfsigned cert is still in your /etc/nginx/nginx.conf, while you defined the website and its new "legit" certificate in a config file in /etc/nginx/sites-enabled/
[19:18] Yes, seems I was passing the old csr to the cert issuer
[19:18] Had to regenerate a new server.key and new server.csr
[19:18] smmoCoffee: next, can you try adding "-i" to the list of pollinate flags?
[19:19] now I have an "ocsp server has no status of certificate". But that appears to be that it requires a little time to resolve with the CA or something.
[19:21] make sure to use a SHA-2 hashing function for the CSR, or your Chrome users will get the SHA-1 security warning when visiting the site
[19:21] Yes, Sha256 2048
[19:21] cool
[19:21] you could also generate custom DH parameters
[19:21] kirkland: so try running the installer as: openstack-install --upstream-ppa --https-proxy=http://129.165.60.148:80 -i
[19:21] I was thinking of going all the way to 11 by using 4096...but in today's world I don't know if anyone cares
[19:22] strengthens it a bit more
[19:22] i use 4096 for mine
[19:22] Oh, cool.
[19:22] smmoCoffee: sorry, no
[19:22] I generated a dhparam.pem using 4096
[19:22] don't know if that matters,
[19:22] getting the 100/100/100/100 mark on ssllabs.com is not that hard either
[19:22] or if it will cause a problem
[19:22] Not if you have a vague idea of what you're doing :-)
[19:23] Which is pretty much what I have
[19:23] But as long as it's secure I don't care.
[19:23] hehe, if you're using a 2048 bit cert, 2048 bit dhparams would be sufficient, but more is even better
[19:23] generally speaking
[19:23] as long as it's not less
[19:24] This was really more of an exercise for me. To gain some experience. But with everyone moving to clouds I don't know if anyone cares anymore. Besides me.
[19:24] getting 100/100/100/100 and maintaining a USABLE site, is hard :)
[19:24] kirkland: where/how is the pollinate flag "-i" passed or configured?
[19:24] Do you have ocsp as well SCHAAP137?
[19:24] smmoCoffee: it's in the cloud-init userdata
[19:25] in apache i got OCSP to work, but with my current setup OCSP fails, haven't figured out why yet
[19:25] smmoCoffee: sorry, I don't know about the openstack-install
[19:25] i got HPKP though
[19:25] current *nginx setup
[19:25] might be SNI related, not sure
[19:26] if you want the CHACHA20-POLY1305 ciphersuites, you could recompile nginx with LibreSSL btw
[19:26] Has it been 12-24 hours? My 'resources' inform me that in some cases that's how long it takes to resolve. I just got it to this point a few minutes ago
[19:26] Do I need it?
[19:26] I don't even know anymore.
[19:27] hmm, really? i might just have been impatient
[19:27] OCSP could protect your clients from some forms of MITM, theoretically
[19:27] So I have read.
[19:28] Some of what I've read says that with chrome the sites work right away. Firefox often has that delay with ocsp
[19:28] it would require quite a skilled attacker though
[19:28] I just opened up chrome and was able to access my site. So that confirms that much of the theory
[19:29] How does a MITM attack work nowadays? Are all those points out there that insecure that someone can break in to them?
[19:29] I'm naive about this.
[19:29] one could employ this: https://mitmproxy.org/
[19:30] I just know to try to plug up whatever vulnerabilities I might have
[19:31] ocsp only protects you from a revoked certificate
[19:32] so, you have to know your certificate was compromised
[19:32] and revoke it
[19:32] before using ocsp gains you any protection
[19:37] kirkland: looks like openstack-install uses configuration found in ~/.cloud-install/userdata.yaml for the pollinate command
[19:50] alright, got OCSP working now as wlel
[19:50] *well
[21:12] I'm new to server admin... Just created a vps at digitalocean with a lamp stack. When I use adduser, is there a way to have a few additional things happen when a new user is created? for example, in addition to creating the user, it creates a folder copying contents from a temp folder for the temp landing page, then creates a file in sites-available from a template with a variable for the username inserted, then enables the site?
=== lea_ is now known as lea
[21:27] has anyone managed to get the simplest pptp tunnel going? i'm having some dafuq moments ;) http://paste.ubuntu.com/12202197/
[21:35] i'm having some difficulties setting up ubuntu server to automatically pull down an ip, if after boot I run sudo dhclient wlan0 it's all good, how can i automate that (is there a normal way in network/interfaces?)
[21:37] i have keyauth enabled in sshd config .. how to show who is logged in through which accepted key when one account login has many authorized keys?
[21:43] could be as simple as post-up dhclient wlan0?
[21:44] coreycb, fyi - kilo proposed pushed to kilo updates. http://reqorts.qa.ubuntu.com/reports/ubuntu-server/cloud-archive/kilo_versions.html
[21:45] beisner, thanks!
[21:54] coreycb, likewise, yo.
[21:58] iNs: is that tunneled through ssh?
[21:59] sarnold, no its not, i figured now its a problem with chap secrets i think, http://paste.ubuntu.com/12202341/ [21:59] thats server side log snippet [22:00] iNs: interesting. (the bit about /dev/pts/3 made me think it was like the old days when we'd run ppp over ssh..) [22:02] its 2 xen VM hosts, connection is about to take place between 2 VMs on each of those [22:04] every art/tut says something idfferent, any chance u could guide me to the 'proper' chap-secrets structure both server and client wise? [22:06] iNs: looks like the format is "username servername password ip_address" with single spaces bewtween them [22:07] yea i know, that is the point [22:07] ive followed the man's and ugh [22:07] this is weird [22:07] iNs: something that picky might also get confused if you have any trailing spaces at the end of the line, it might be worth looking for those, and probably the file needs to end with a newline [22:07] are there any strange chars in the username, service name, or password? [22:08] I'm having trouble figuring out what the service name ought to be -- but the guide on the ubuntu community wiki suggests that * also works there :) [22:09] the serivice name should be pptpd, should the chap secrets on the server be identical to the one on the client? [22:10] the service name in chap-secrets should be equal to the remotename send by request from the client [22:13] iNs: hmm, the digitalocean guide suggests the client username and password ought to be stored in an /etc/ppp/peers/ file [22:20] so like what do i need to do to fire off dhclient at startup is there a entry i can just throw into network/interfaces or is there some other official way or is it literally throwing a script into rc#.d [22:21] my network/inferfaces file def. has dhcp in the second line... 
no clue why my card isn't pulling down an ip address until i run dhclient manually\ [22:22] sarnold, hm, corrected it exactly like that tut says and nothing ;o [22:22] RevertToType: anything in any logs? dmesg? syslog? [22:23] nothing seems amiss [22:23] like no errors or anything [22:23] it's just like it's not running [22:23] iNs: logs on both client and server look unchanged? [22:23] RevertToType: do you have an 'auto' stanza for tht nic? [22:23] (ub15.04, 3.19.0.26-generic) [22:23] yup [22:23] auto wlan0 [22:24] next line is iface wlan0 inet dhcp [22:24] RevertToType, u mean 'iface eth0 inet dhcp; ? [22:24] then my pre-up supplicant [22:24] wireless? hmm [22:24] sarnold, yea O_o [22:24] @ iNs nope it's my wireless card and that's the dev [22:24] iNs: check permissions? sshd at least is pretty picky, maybe pptpd is picky too :) [22:27] @ iNs would "wireless-mode Managed" in the interfaces file be useful... ? [22:30] after the wlan0 inet dhcp line, u can try having ssid key and managed mode yea [22:30] i have the ssid/key and all that in a pre-up wpa_supplicant thing [22:31] (WPA2, AES, Hidden ssid, ... i know this isn't making it easy) [22:31] and it didn't work (adding the managed line) === jgrimm is now known as jgrimm-away [22:38] blech now lets say i just wanted to add that simple line (dhclient wlan0) to the end of my strup... used to be rc.local ... no clue what it is now, where do i put this rubbish? [22:38] RevertToType: /etc/rc.local should still work [22:39] in the interest of being like "hrm" I don't see such a file [22:39] granted, if you put it at the end, any services that should bind to that interface that are started via startup scripts will probably also fail [22:39] frick [22:39] so what do? [22:40] interesting, the file I've got there is reported as unowned by dpkg -S /etc/rc.local [22:40] hrm [22:40] hrm there it is [22:40] oi vey [22:40] try using it anyhow. 
add an 'exit 0' as the last line, #!/bin/sh -e as the first line, mode 755 root:root: [22:42] sarnold, purged everything and done from scratch - same thing [22:43] dafuq [22:44] iNs: dang. if it were mine to solve I'd use strace on both client and server and hope it leaves some clues behind. reading strace output isn't much fun but might give an idea where things go astray [22:45] it didn't work [22:45] * RevertToType scratches her head [22:45] this is so utterly baffling [22:45] welcome to the baffled club RevertToType lul [22:45] where if the file located that runs when a new user is created? Wanting to create a public_html folder in their home directory, install october cms and then create file for sites-available folder then enable the site [22:46] where is* [22:46] so like techincally i should be able to run rc.local as if it were any other script right? [22:46] like [22:46] I should be able to ./rc.local and execute it if all goes according to plan yes? [22:46] prudentmav: /etc/skel for the public_html, /usr/local/sbin/adduser.local for the adduser site-local customizing [22:46] RevertToType: mostly [22:46] i'm geting a !/bin/sh not found O_O [22:47] thanks sarnold [22:47] when i attempt to run it from terminal (cause why not) [22:47] RevertToType: the startup environment is typically very different from a logged-in-user's environment. so something that works perfect as a logged in user may not work well when booted. [22:47] * RevertToType nods [22:47] RevertToType: #!/bin/sh ? [22:47] yeah [22:47] running it from command thrwos that error however it properly executed dhclient [22:47] but didn't on boot [22:47] as i said baffling [22:48] and it's root:root, mode 755? [22:48] def mode 755 [22:48] how do i tell the first part? [22:48] ls -l /etc/rc.local [22:49] -rwxr-xr-x 1 root root 319 (?WHAT?) 
[22:50] RevertToType: that means 755, one hardlink, owned by user root, group root, 319 bytes [22:51] so it should be all good [22:51] no clue why it hates me [22:51] yes [22:51] yes :) [22:51] honestly getting this thing to even connect to the freaking wireless was a chore [22:51] like not a single tutorial i walked through worked until i just started parsing out as much as i could from arch and debian tutorials :V [22:54] * RevertToType drools staring at the screen [22:54] this has made me feel more and more incomprehensibly dumb every second [22:55] it shouldn't [22:55] wireless is miserable [22:56] the debian networking configuration is miserable [22:56] combined they are very miserable. [22:56] * RevertToType continues to drool [22:56] but now we're not even talking about wireless [22:56] I know I got it working a decade back on a laptop, but, as much as I detest network-manager, it does seem to more or less mostly work on wireless things. :/ [22:56] we're talking about a single command that does run in terminal a-ok [22:57] but doesn't in a startup script [22:57] and oh god yes, even with a wm i had a dog of a time on ub9.04 and my old netbook [22:57] i remember the nightmares [22:58] do i need to do like update-rc.d or something? [22:58] i mean i shouldn't have to but at this point you could tell me 'create a script that just forks endlessly' and i'd believe it [23:01] RevertToType: /etc/rc.local should be run by /etc/init.d/rc.local during boot without any real effort on your part [23:01] RevertToType: pastebin your script? [23:01] ack systemd might be the ish? [23:01] no need to paste (excluding commented lines) [23:02] !/bin/sh -e [23:02] sudo dhclient wlan0 [23:02] exit 0 [23:02] that first line needs the #! [23:03] the kernel is looking for those two bytes, they've got to be there. :) [23:03] damnit [23:03] my brain [23:03] take out the 'sudo', it's already running as root.. 
[23:03] it was a second add after the first 2 failures :V [23:03] and it'd be best to give the full path to dhclient, the PATH is often very constrained during boot scripts. [23:03] :) [23:03] oh yeah [23:04] thx [23:04] oi [23:04] freaking staring at this screen has made me dumb and just near constant callllll/interruptions [23:05] i am as well pulling my hair out [23:05] both out of my head and beard now as well, thefuk [23:06] don't lose dat beard [23:08] im closer to losing my mind actually [23:08] sarnold: no joy :/ [23:10] RevertToType: alright, what went wrong? did you get any error messages logged? anything in dmesg? [23:12] hrm [23:12] nothing relating to rc.local [23:13] i do however see that ipv6 seems to be fine [23:13] hrm do i need to set up some freaking dhcpconf kinda rubbish? [23:14] i mean regardless the rc.local thing should do it [23:15] RevertToType: maybe remove all mentions of this interface from /etc/network/interfaces -- stick everything needed for it in the /etc/rc.local -- modprobe whatever modules are needed, add the iwconfig and wpa_supplicant and dhclient commands there manually.. [23:15] ugh [23:19] sarnold, you wont believe it [23:20] sarnold: ping [23:20] by habit, even simple passwords of mine, containt numerical/special characters ... [23:20] (apologies for duplicate posts, laggggggggggy) [23:20] heya teward [23:20] sarnold, using a simple password fixed it, lawl [23:20] iNs: .. which oddball charcter broke this? :) [23:20] im gonna check it now lol for test purposes [23:21] seriously [23:21] * iNs knocks his head [23:21] iNs: and worse yet.. dare look at the code and see if it's exploitable? :) [23:21] sarnold: http://dark-net.net/?p=100 <-- the landscape-and-gitlab headache. hoping to god i can find a replacement CPU for my ESXi box :/ [23:21] (it's still not 100% fixed :/) [23:22] rbasak: FYI: nginx ppa builds delayed due to other (private business) builds that are taking an emergency-priority leve. 
[23:22] :/ [23:24] sarnold, # breaks it [23:24] : d [23:24] iNs: haha, probably killed by a comment parser in an earlier pass.. [23:24] teward: nice :) [23:25] teward: man there's a lot of fiddly things to change there [23:25] wasted so much time for this ;d [23:25] apparently ub15.04 is using systemd and upstart ... perhaps it's time to look into that for this one simple stupid command [23:25] sarnold: yeah, the Apache redirs don't help [23:26] (change the port, port redirs are still enforced by Landscape, even if the baseurl isn't set as such) [23:26] Landscape used to be on my ESXi box [23:26] as a VM [23:26] then the CPU died [23:26] so........... [23:26] (we need ARM landscape-server xD) [23:27] (then my RPi can be my Landscape server xD) [23:27] RevertToType: pitti put this together, it's been useful reading for me https://wiki.ubuntu.com/SystemdForUpstartUsers [23:27] heh, would an rpi have the ram to make it work? :) [23:28] nice i'll poke into that... gotta run but sarnold thank you so much for your help [23:28] sarnold: potentially? Landscape never ate more than 768MB on my system, but meh [23:28] sarnold: the big problem is that my ESXi box did blow up on me, without that, everything's on the converted desktop that's my Gitlab machine [23:29] RevertToType: good luck :) [23:29] sarnold: btw can i grab your opinion on something? [23:29] * RevertToType salutes sarnold [23:29] teward: 768, that's not bad [23:29] sarnold: only 3 systems on it right now, the others are status:dead because ESXi [23:30] but i still need your thoughts [23:30] as a sec team person :P [23:30] PM? [23:30] sure [23:31] anyway sarnold thanks as well [23:31] "ridiculous solutions vol. XX" === hxm is now known as Guest4518 [23:35] iNs: haha :) [23:36] iNs: glad you got it! your beard will thank you. [23:36] haha, most def [23:36] damn thesis deadlines [23:36] gotta take a break, this thing annoyed the shit out of me lol