Archive for the ‘Server’ Category
Adding an SSL cert to an Amazon ELB
Tuesday, August 16th, 2011
So recently I needed to add SSL capability to an Amazon Elastic Load Balancer (ELB), which actually meant:
- Get the certificate, having created a new CSR and Private key on the machine of your choice
- Uploading the Private key, CSR and Certificate into Amazon using Amazon Web Services (AWS) Identity and Access Management service (IAM)
So the first challenge was getting the command line tools and creating the relevant identity files.
Download the AWS command line tools and put them somewhere you want to use them from. I put them in /usr/local/IAMCli, which I then added to my .bash_profile using the settings below (this bit is optional, but makes your life easier):
# Added for AWS CLI
export AWS_IAM_HOME=/usr/local/IAMCli
export PATH=${AWS_IAM_HOME}/bin:$PATH
export AWS_CREDENTIAL_FILE=${HOME}/path_to_credential_file/credential_file
The AWS_CREDENTIAL_FILE is as below. The information to put in the file comes from the “Security Credentials” tab under your account settings: add in the ID of the access key you want to use, and click on “show” to reveal the key to use. Create the file and ensure you put it in the location you added into your .bash_profile. Observant people will notice this doesn’t work if you deal with multiple AWS accounts; you can always use the optional --aws-credential-file when using the command line tools to point to the credential file you want to use.
AWSAccessKeyId=STUPID_LONG_ID
AWSSecretKey=Stupid_long_key
To upload the certificate:
$ iam-servercertupload -b public-key.pem -c .cert-chain-file.pem -k private-key.pem -s domain.name
To check the certificate is in place:
$ iam-servercertgetattributes -s domain.name
And should you need to delete the certificate:
$ iam-servercertdel -s domain.name
Now when you create the ELB, select “Secure HTTP Server” from the common applications list and save, then when you continue to the next page you should be given the option to “Choose from your existing SSL Certificates”
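A set of local checks worth running before iam-servercertupload, as an added example that is not from the original post: it confirms that private-key.pem belongs to the certificate in public-key.pem, that the certificate has not expired, and that the credential file is not readable by other users. The function names and the generated sample files are assumptions made for the illustration; only openssl and standard shell tools are used.

```shell
#!/usr/bin/env bash
# Added example: local checks to run before iam-servercertupload. Nothing here calls AWS.

# Public key embedded in a certificate, as PEM (non-zero exit on parse failure).
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Public key derived from a private key. "-passin pass:" makes an encrypted key
# fail instead of prompting for a passphrase.
key_pubkey() { openssl pkey -in "$1" -pubout -passin pass: 2>/dev/null; }

# Return 0 only if the certificate was issued for this private key.
cert_matches_key() {
    local c k
    c=$(cert_pubkey "$1") || return 1
    k=$(key_pubkey "$2") || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Return 0 only if the certificate is still inside its validity period.
cert_not_expired() { openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; }

# Return 0 only if group and other have no permission bits on the credential file.
cred_file_private() {
    [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Build constructed sample material in directory $1: a throwaway key, a
# self-signed certificate for it, an unrelated key, and a dummy credential file.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=domain.name" \
        -keyout "$1/private-key.pem" -out "$1/public-key.pem" 2>/dev/null
    openssl genrsa -out "$1/other-key.pem" 2048 2>/dev/null
    printf 'AWSAccessKeyId=CONSTRUCTED_ID\nAWSSecretKey=CONSTRUCTED_KEY\n' \
        > "$1/credential_file"
    chmod 644 "$1/credential_file"
}

# Demo on the constructed files.
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
cert_matches_key "$demo_dir/public-key.pem" "$demo_dir/private-key.pem" \
    && echo "certificate and key match"
cert_matches_key "$demo_dir/public-key.pem" "$demo_dir/other-key.pem" \
    || echo "wrong key detected"
cred_file_private "$demo_dir/credential_file" || echo "credential file is too open"
rm -rf "$demo_dir"
```

Running chmod 600 on the credential file makes the last check pass.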
Playing with technology
Thursday, June 23rd, 2011
So I’m doing some interesting stuff at the moment which among other things has me reading up on Open Social, which meant installing Shindig, which before that (as the implementation I’ll be needing is Java based) meant installing Tomcat.
And at this point I realised that nothing had really moved on in terms of servers / technology and setup. I know there is the argument that if you make it simple to do anyone can do it, but it should be a bit easier by now to have Apache / Tomcat running on OSX in harmony without resorting to Google and config file hacking. As it is I’ve just gone for a basic config with Tomcat running on a separate port (as per standard install) and after some memory leak issues (seemingly) have reverted back to running Tomcat as and when needed (to be fair this is more likely to have been as a result of a dodgy build of the site I was testing).
New Home
Tuesday, September 21st, 2010
(written ages ago, but never posted)
So after a lot of doing nothing I’ve finally moved my site, nothing wrong with the old hosting company I’ve been using for the last 10 years, just that the level of complexity they offer is no longer needed by me and I’ve been using Rackspace Cloud Sites now for a year for other bits and pieces and so with a large number of bounced emails due to an IP address being blocked it was time to change.
Simples…..
1) Grab the DB from the old server, do some DNS jiggery pokery and then on to a new site build.
2) Into the Rackspace control panel
2.1) add a new domain
2.2) build a MySQL DB (add a user)
2.3) create an email address
We’re now ready for the site build.
I downloaded the latest version of WordPress, uploaded the DB and ran the WP installer, filled in all 4 fields and job done, my site was back, but on new hosting. I decided to grab the plugins I wanted and as ever I’m still tinkering with the theme to use.
Oh and I found some useful WordPress tweaks to get the built in updating feature to work.
I added the following to my .htaccess to go above the mod_rewrite stuff
php_value post_max_size 128M
php_value upload_max_filesize 128M
php_value memory_limit 128M
php_value max_execution_time 6000000
Less than an hour to migrate the site including the DNS changes and email setup, happy days.
Zimbra Upgrade (Take Two)
Sunday, February 14th, 2010
Ok going from 6.0.2 -> 6.0.5 NE on RHEL 4.x (Yes I know that the next major version won’t support 4.x) and I was hoping for a nice smooth upgrade, the previous SSL commercial cert problems now showing as fixed in the bugtracker, however at the end of the process I’m getting the same “Expired Cert” warning messages from email clients and the like….
So as root
cd /opt/zimbra/ssl/zimbra
/opt/zimbra/bin/zmcertmgr deploycrt comm commercial.6.0.2/commercial/commercial.crt commercial.6.0.2/commercial/commercial_ca.crt
Restart the services using ZMProv and all is good.
VMWare Server Build
Sunday, January 10th, 2010
Well with the snow came the abuse of the company VPN (will post more about that later) and some sofa / server time.
The least shocking element was the amount of work I could get done with a 3 year old and 6 week old in the house, easier to work from the sofa (no office yet) and fewer distractions than being in the office…
So it was time to build some servers, I’ve got SonicWalls Global Management System and ManageSoft all requiring servers, also as we change things around the way we build and use servers will be changing, so I had three servers to build, (well four when we take into account the new development server for the in house digital team)
1) Windows 2K3 (64Bit) and SQL 2K5 Server for ManageSoft and SGMS usage
2) 2 x Windows 2K3 (32Bit) for ManageSoft ECM and SGMS
3) RHEL 5.4 Server for dev.
The Windows servers were pretty simple. Build a new server, fully patch, then clone to a template, then join the server to AD with its new name and carry on with the specific requirements for the server.
Next server.
Use the fully patched template you’ve just created for your shiny new server, join to AD and you’re done, new server in under 10 minutes, sit back and rejoice at your new power…. repeat.
Three servers created in the time it would take you to create one new server.
Did the same with RHEL, so now I have my four new servers and three templates to enable me to deploy a new instance in under 10 minutes.
Nice having uninterrupted time to get stuff done – also printed out the manuals for the NSA2400 / SGMS / SSL-VPN, time to get reading…. and shortly re-configuring the NSA to make the most of the new power (before deploying to the other new NSA units via SGMS…)
“I have a cunning plan m’lord…”
Zimbra upgrade
Sunday, November 22nd, 2009
Note: I originally posted this on a different website, but have since re-purposed that site, having had this post help me out twice I figure it was worth keeping
UPDATE: Bug 41683 is now showing as fixed in 6.0.4
So last night was the chosen time to upgrade the Zimbra install at work, all offices were shut, most people shouldn’t be working and if they were then an hour without email shouldn’t be too much to have to cope with.
With offices in San Francisco and also Dubai the time when server changes that impact everyone can be made is from midnight Friday through to 05:00 on Sunday morning (Dubai has Friday and Saturday as its weekend)
All seemed to go fine with the upgrade until I checked the installed certificate, this had reverted to an earlier, now expired cert. Using the admin interface to attempt a reinstall with newer server certificate failed with:
Invalid Request
Message: invalid request: missing required attribute: server
Error code: service.INVALID_REQUEST
Method: GetCertRequest
Details:soap:Sender
So a quick hunt around the support forums, a bit of googling later and with no obvious answer found (and an impending deadline) it was time to log a support ticket.
Shortly the landline rang and it was time to give over access of the mail server to Zimbra support to have a look and fix the problem. 10 Minutes later and all was sorted. It was a known bug (42216 / 41683) which is due to be fixed in 6.0.4
However the interim solution is to redeploy the commercial cert.
cd /opt/zimbra/ssl/zimbra/commercial
/opt/zimbra/bin/zmcertmgr verifycrt comm ./commercial.key ./commercial.crt ./commercial_ca.crt
If all looks good:
/opt/zimbra/bin/zmcertmgr deploycrt comm ./commercial.crt ./commercial_ca.crt
And you’re back up and running with the correctly installed commercial certificate.
Hopefully this is useful to someone, will probably need this again for the 6.0.3 upgrade, and slightly OT maybe I’ll take a more in depth look at outsourced Exchange solutions as our contract is up for renewal in April.
VMWare-tastic
Friday, September 25th, 2009
So I finally managed to spend some time over the last few days on sorting out the 7 VMWare servers we have in the London (Main) office and more specifically get a free server available so that I could retire a VMWare server that couldn’t be upgraded to the latest version of VSPhere.
Course of action was simple.
- Install a new management server as a physical machine
- Move all existing VMWare servers under the control of the new management server
- Profit.
Not quite that simple, until I had upgraded a server to VSPhere it couldn’t be managed by the new VCenter Server as it didn’t have the old 3.5x license server running.
So it took a bit of moving instances around the various servers and gradually upgrading all servers to VSPhere.
Once I’d worked out the correct order to move all of the servers around without killing anything it was time to get started, I moved all of the already upgraded servers under the control of the new VCenter Server, and then migrated the BDC and PDC from VMWare servers that needed upgrading, this meant I was left with two 3.5x boxes to upgrade one of which was running the old VCenter Server with the 3.5 license manager.
I shut down the old VCenter Server and migrated it on to an already upgraded VMWare Server then set to work upgrading the last two servers.
All very simple, just required a bit of planning to ensure I didn’t end up with a 3.5x server that I couldn’t do anything with as the license server wasn’t available (I’ve got around this issue before using an emergency local license but it is a problem best avoided.)
So I now have 7 VMWare servers all running the latest version of VSPhere (well 3 of them will be auto updating using the update manager over the weekend) and a physical install of the Virtual Center Server.
I’m happier that the main management machine is a physical box as it makes life easier doing updates.
Now to set about getting in the extra kit to go HA