dave-smith.co.uk

So recently I needed to add SSL capability to an Amazon Elastic Load Balancer (ELB) which actually meant :

- Get the certificate, having created a new CSR and Private key on the machine of your choice
- Uploading the Private key, CSR and Certificate into Amazon using Amazon Web Services (AWS) Identity and Access Management service (IAM)

So the first challenge was getting the command line tools and creating the relevant identity files.

Download the AWS command line tools and put them somewhere you want to use them from, I put them in /use/local/IAMCLI which I then added to my .bash_profile using the settings below (this bit is optional, but makes your life easier):

# Added for AWS CLI
export AWS_IAM_HOME=/usr/local/IAMCli
export PATH=${AWS_IAM_HOME}/bin:$PATH
export AWS_CREDENTIAL_FILE=${HOME}/path_to_credential_file/credential_file

The AWS_CREDENTIAL_FILE is as below and the information to put in the file you get from the “Security Credentials” tab under your account settings, add in the ID of the access key you want to use, and click on “show” to reveal the key to use, create the file and ensure you put it in the location you added into your .bash_profile. Observant people will notice this doesn’t work if you deal with multiple AWS accounts, you can always use the optional -aws-credential-file when using the command line tools to point to the credential file you want to use.

AWSAccessKeyId=STUPID_LONG_ID
AWSSecretKey=Stupid_long_key

To upload the certificate:

$ iam-servercertupload -b public-key.pem -c .cert-chain-file.pem -k private-key.pem -s domain.name

To check the certificate is in place:

$ iam-servercertgetattributes -s domain.name

And should you need to delete the certificate:

$ iam-servercertdel -s domain.name

Now when you create the ELB, select “Secure HTTP Server” from the common applications list and save, then when you continue to the next page you should be given the option to “Choose from your existing SSL Certificates”

Service Unavailable and error code 12…..

Finally found the fix here

$ ~/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Resources/GoogleSoftwareUpdateAgent.app/Contents/Resources/install.py --uninstall

$ sudo /Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Resources/GoogleSoftwareUpdateAgent.app/Contents/Resources/install.py --uninstall

$ sudo rm -rf /Library/Google/GoogleSoftwareUpdate/ ~/Library/Google/GoogleSoftwareUpdate/

And as the OP says be careful with the last command sudo rm -rf isn’t fussy about what it kills.

I’m now running version 13.0.782.107 which seams as near as damnit to be the latest release (as posted here)

So if you code or write and create text files on the Mac the chances are you use the excellent Textmate to do it, and if you do and you haven’t already, you should upgrade your Textmate experience using this to make it pretty and work better.

As an added bonus the icon is changed to look like a moleskin note book.

but also perhaps what you enjoy.

So things changed, in my career, you start out doing one job, you’re perceived as being better than someone else in the business at their job (which whilst related to your job, isn’t what you normally do) so to help out the business and ease personal frustration you take the job and do a sideways shift / shimmy / move.

And while you enjoy the job, it’s not quite the same, not as creative, not as fulfilling.  Now I’m back doing what I used to do, with greater knowledge, a better perspective and enhanced ability, Dave++ if you like.

But importantly it is challenging, and I enjoy it

It’s funny how life works out, at the start of the year I had a vision in my mind of what Wirewool would be, and what it could do, but then as time progressed things changed and the needs and wants of my few clients and my various attempts at networking changed things, instead of becoming some kind of loose collection of talented digital and marketing savvy individuals working for a common goal, it became me. The work I do now is all about me, all about applying the skills I’ve learnt over the years, and I found that my initial thoughts on what I wanted Wirewool to be made me make some stupid decisions. I almost invented time travel to go back in time to 1999 and also forgot to trust my gut feelings, silly. However various discussions with other people and some interesting projects along the way and things are working better, I’ve managed to step back from the problems caused by the earlier choices I made and I’ve stopped my time travelling ways.

Now I’m ensuring that everything I do uses my existing experience, but more importantly builds on it for the better, best of all at the moment I’m back doing some coding (on one of my contracts) and so I’m creating, rather than just getting grumpy and stressed at people.

Wirewool looks like it is all about me, but still is about working with other talented digital and marketing savvy individuals so as Today I Should and Wicked Wolf oh and maybe just maybe I’ll get the Wirewool site sorted soon!

So I’m doing some interesting stuff at the moment which among other things has me reading up on Open Social which meant installing Shindig which before that (as the implementation I’ll be needing is Java based meant installing Tomcat.

And at this point I realised that nothing had really moved on in terms of servers / technology and setup, I know there is the argument that if you make it simple to do anyone can do it, but it should be a bit easier by now to have Apache / Tomcat running on OSX in harmony without resorting to Google and config file hacking, as it is I’ve just gone for a basic config with Tomcat running on a separate port (as per standard install) and after some memory leak issues (seemingly) have reverted back to running Tomcat as and when needed (to be fair this is more likely to have been as a result of a dodgy build of the site I was testing.

So with one of my guys in Amsterdam and the other deciding his cold is man-flu I’m HelpDesk, no really stop laughing at the back!

I’ve been manning the ticketing system and picking up the phone to help users who can’t find their drinks holder, have lost the “any” key and are generally stuck. I’ve even managed to upgrade RAM in a couple of machines without killing myself, or frying the computer, clearly you just never lose the knack.

Best call of the day:

User : Hello I’m not getting any email on my computer, I’ve got some on my iPad, but nothing at all on my computer.
Tech (Me) : Ok, I can’t see your computer on the network, can you check in “System preferences” -> “Sharing” and tell me the computer name so I can remote in.
User : (after some faffing and more “email isn’t working comments”) Computer name is xxxxxxxxx
Tech : Ok, I can see that machine, logging in….
(poke around)
Tech : Right what email client are you using ?
User : Entourage
Tech : (Suppressed *ick) erm, well it’s not configured on this machine
User : Yes, there are no new emails.
Tech : No, the account isn’t setup at all….
User : Oh hangon, this isn’t my computer (shouting around the office) Has anyone seen my computer ?

*click*

Guess that gets logged as PEBKAC.

And people wonder why techies are cynical about users…..

* to be fair back to the shop floor would actually involve me working in Tesco’s as a stock controller.

(written ages ago, but never posted)

So after a lot of doing nothing I’ve finally moved my site, nothing wrong with the old hosting company I’ve been using for the last 10 years, just that the level of complexity they offer is no longer needed by me and I’ve been using Rackspace Cloud Sites now for a year for other bits and pieces and so with a large number of bounced emails due to an IP address being blocked it was time to change.

Simples…..
1) Grab the DB from the old server, do some DNS jiggery pokery and then on to a new site build.
2) Into the Rackspace control panel
2.1) add a new domain
2.2) build a MySQL DB (add a user)
2.3) create an email address

We’re now ready for the site build.

I downloaded the latest version of WordPress, uploaded the DB and ran the WP installer, filled in all 4 fields and job done, my site was back, but on new hosting. I decided to grab the plugin’s I wanted and as ever I’m still tinkering with the theme to use.

Oh and I found some useful Word Press tweaks to get the built in updating feature to work.

I added the following to my .htaccess to go above the mod_rewrite stuff

php_value post_max_size 128M
php_value upload_max_filesize 128M
php_value memory_limit 128M
php_value max_execution_time 6000000


Less than an hour to migrate the site including the DNS changes and email setup, happy days.

Ok going from 6.0.2 -> 6.0.5 NE on RHEL 4.x (Yes I know that the next major version won’t support 4.x) and I was hoping for a nice smooth upgrade, the previous SSL Comercial cert problems now showing as fixed in the bugtracker, however at the end of the process and I’m getting the same “Expired Cert” warning messages from email clients and the like….

So as root

cd /opt/zimbra/ssl/zimbra
/opt/zimbra/bin/zmcertmgr deploycrt comm commercial.6.0.2/commercial/commercial.crt commercial.6.0.2/commercial/commercial_ca.crt

Restart the services using ZMProv and all is good.

Note: I originally posted this on a different website, but have since re-purposed that site, having had this post help me out twice I figure it was worth keeping

UPDATE: Bug 41683 is now showing as fixed in 6.0.4

So last night was the chosen time to upgrade the Zimbra install at work, all offices were shut, most people shouldn’t be working and if they were then an hour without email shouldn’t be too much to have to cope with.

With offices in San Francsico and also Dubai the time when server changes that impact everyone can be made is from midnight Friday through to 05:00 on Sunday morning (Dubai has Friday and Saturday as its weekend)

All seemed to go fine with the upgrade until I checked the installed certificate, this had reverted to an earlier, now expired cert.  Using the admin interface to attempt a reinstall with newer server certificate failed with:

Invalid Request
Message: invalid request: missing required attribute: server Error code: service.INVALID_REQUEST Method: GetCertRequest Details:soap:Sender

So a quick hunt around the support forums, a bit of googling later and with no obvious answer found (and an impending deadline) it was time to log a support ticket.

Shortly the landline rang and it was time to give over access of the mail server to Zimbra support to have a look and fix the problem. 10 Minutes later and all was sorted.  It was a known bug (42216 / 41683) which is due to be fixed in 6.0.4

However the interim solution is to redeploy the commercial cert.

cd /opt/zimbra/ssl/zimbra/commercial
/opt/zimbra/bin/zmcertmgr verifycrt comm ./commercial.key ./commercial.crt ./commercial_ca.crt

If all looks good:

/opt/zimbra/bin/zmcertmgr deploycrt comm ./commercial.crt ./commercial_ca.crt

And you’re back up and running with the correctly installed commercial certificate.

Hopefully this is useful to someone, will probably need this again for the 6.0.3 upgrade, and slightly OT maybe I’ll take a more in depth look at outsourced Exchange solutions as our contract is up for renewal in April.