nix Posts

Fixing “SSL routines:tls_process_ske_dhe:dh key too small” on Containerized RHEL8

I ran into a rather unusual error today: my RHEL 8 (Red Hat Enterprise Linux) system cannot connect to another system because of an SSL issue. The exception is quite clear and can be seen below.

error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small

This is easy to fix on a standalone host, but here the problem occurs in a containerized application, which makes it more complicated.

After searching for a solution, I came up with this Dockerfile:

FROM registry.redhat.io/application/application-rhel8:7.8.0

# Become root only to change the system-wide crypto policy
USER root
RUN update-crypto-policies --set LEGACY

# Drop back to the unprivileged user the base image runs as
USER 185

Build it,

docker build -f Dockerfile -t application-rhel8-modified:7.8.0 .

Deploy it, and the previous error no longer occurs.
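The LEGACY policy accepts 1024-bit DH parameters, but it also re-enables TLS 1.0/1.1 and weak ciphers such as 3DES for every program in the image, so it is worth confirming first what the peer actually sends. The check below is an added example, not code from the original post: it reads `openssl s_client` output (a constructed sample here) and reports the ephemeral key the server offered.

```shell
# Added example, not from the original post: inspect the ephemeral key a TLS
# peer offers before lowering the crypto policy. "dh key too small" means the
# DEFAULT policy refused a DHE group below 2048 bits; knowing the real size
# tells you whether the peer can be fixed instead of the client weakened.

# Read `openssl s_client` output on stdin and print "<kx> <bits>" from its
# "Server Temp Key:" line (e.g. "DH 1024", "ECDH 256", "X25519 253").
# Prints "none 0" when no such line exists (static RSA key exchange).
temp_key() {
    awk -F': ' '/Server Temp Key:/ {
                    n = split($2, f, ", "); sub(/ bits$/, "", f[n])
                    print f[1], f[n]; found = 1 }
                END { if (!found) print "none 0" }'
}

# Classify the peer. Exit status: 0 acceptable, 1 DH group too small for the
# DEFAULT policy, 2 no forward-secret key exchange seen at all.
check_peer() {
    set -- $(temp_key)
    case "$1:$2" in
        none:*)
            echo "no ephemeral key seen: static RSA key exchange, no forward secrecy"
            return 2 ;;
        DH:*)
            if [ "$2" -lt 2048 ]; then
                echo "DH group is only $2 bits: ask the peer to use >=2048-bit DH or ECDHE"
                return 1
            fi ;;
    esac
    echo "ok: $1 key exchange, $2 bits"
}

# Constructed sample of what `openssl s_client -connect peer:443 </dev/null`
# prints for a server that still uses a 1024-bit DHE group.
SAMPLE='CONNECTED(00000003)
Server Temp Key: DH, 1024 bits
Verify return code: 0 (ok)'

printf '%s\n' "$SAMPLE" | check_peer || true
# Live use: openssl s_client -connect peer:443 </dev/null 2>/dev/null | check_peer
```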


Fixing MySQL’s Error, “Can't create test file /folder/data/servername.lower-test” on RedHat OS

I had a very weird error starting MySQL after moving its data folder from /var/lib/mysql to /folder/data on my RHEL 7 server:

2017-03-23 11:50:52 2119 [Warning] Can't create test file /folder/data/servername.lower-test
2017-03-23 11:50:52 2119 [Warning] Can't create test file /folder/data/servername.lower-test
2017-03-23 11:50:52 2119 [ERROR] /usr/sbin/mysqld: Can't create/write to file '/folder/data/servername.lower-test' (Errcode: 13 - Permission denied)

Very weird, because I had already changed the ownership of /folder/data to the mysql user and it still did not work. I even chmod'ed it to 777 for testing purposes, with no luck. After a while I found out that SELinux was blocking it; here is the command to unblock it:

[root@servername ~]# setenforce 0
[root@servername ~]# getenforce
Permissive

But the command above only changes the SELinux mode until the next reboot. To make it permanent, edit the config file:

[root@servername ~]# vi /etc/selinux/config 
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted  

Hope it helps others, cheers
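Setting SELinux to permissive removes its protection for every service on the host, not just MySQL, while the denial itself tells you which label the new directory is missing. The script below is an added example, not code from the original post: it pulls mysqld denials out of constructed audit.log lines and prints the semanage/restorecon commands that give /folder/data the mysqld_db_t label, so enforcing mode can stay on.

```shell
# Added example, not from the original post: instead of switching SELinux to
# permissive for the whole host, read the AVC denial mysqld triggered and emit
# the label fix for the relocated data directory. The audit lines below are
# constructed samples in the format /var/log/audit/audit.log uses.
AUDIT_SAMPLE='type=AVC msg=audit(1490244652.119:2119): avc:  denied  { write } for  pid=2119 comm="mysqld" name="data" dev="dm-0" ino=131 scontext=system_u:system_r:mysqld_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1490244652.120:2120): avc:  denied  { create } for  pid=2119 comm="mysqld" name="servername.lower-test" scontext=system_u:system_r:mysqld_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
type=AVC msg=audit(1490244700.001:2200): avc:  denied  { read } for  pid=3000 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0'

# Print "comm target_type tclass" for every AVC denial on stdin whose source
# domain is mysqld_t; other domains (httpd_t above) are ignored.
mysqld_denials() {
    awk '/type=AVC/ && /denied/ && /scontext=[^ ]*:mysqld_t:/ {
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "comm") { comm = kv[2]; gsub(/"/, "", comm) }
            else if (kv[1] == "tcontext") { split(kv[2], c, ":"); ttype = c[3] }
            else if (kv[1] == "tclass") tclass = kv[2]
        }
        print comm, ttype, tclass
    }'
}

# Emit the persistent fix for a MySQL data directory: record the mysqld_db_t
# label for the tree and apply it. Printed rather than executed so it can be
# reviewed; semanage comes from policycoreutils-python on RHEL 7.
label_fix() {
    dir=${1%/}
    printf 'semanage fcontext -a -t mysqld_db_t "%s(/.*)?"\n' "$dir"
    printf 'restorecon -Rv "%s"\n' "$dir"
}

printf '%s\n' "$AUDIT_SAMPLE" | mysqld_denials
label_fix /folder/data
```

The target type in the denial (default_t here, the label a directory created outside the standard tree ends up with) is what restorecon replaces with mysqld_db_t.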


Fixing Jasper Report Error, “Font ‘Arial’ is not available to the JVM.”

Yesterday I had a weird error when deploying to my Red Hat machine. Somehow my PDF report generation was throwing exceptions saying “Font ‘Arial’ is not available to the JVM.” A little bit weird, since on my development machine everything runs well.

After running this command,

fc-list | grep "Arial"

I found out that the “Arial” font isn't installed on my Red Hat server. This was a little tricky because I am unable to run “yum” there; the server is behind a network firewall. So my workaround was to download an .rpm and install it manually. After several minutes of googling, I found a widely recommended .rpm package:

http://www.mjmwired.net/resources/mjm-fedora-f11.html#ttf

I installed it using

sudo rpm -ivh msttcore-fonts-2.0-3.noarch.rpm

Then I checked my installed fonts:

fc-list | grep "Arial"

Now I can see “Arial” in the list of installed fonts on Red Hat; after restarting Tomcat, my PDF reporting runs well again.

Here is the complete stack trace of the error:

21:57:12,135 INFO  [stdout] (AsyncLogger-1) <2014-09-29 21:57:12,131>,[http-/0.0.0.0:80-94]>>[ERROR]Font 'Arial' is not available to the JVM. See the Javadoc for more details. net.sf.jasperreports.engine.util.JRFontNotFoundException: Font 'Arial' is not available to the JVM. See the Javadoc for more details.
21:57:12,135 INFO  [stdout] (AsyncLogger-1) 	at net.sf.jasperreports.engine.fonts.FontUtil.checkAwtFont(FontUtil.java:357)
21:57:12,135 INFO  [stdout] (AsyncLogger-1) 	at net.sf.jasperreports.engine.fill.SimpleTextLineWrapper.loadFont(SimpleTextLineWrapper.java:369)
21:57:12,135 INFO  [stdout] (AsyncLogger-1) 	at net.sf.jasperreports.engine.fill.SimpleTextLineWrapper.getGeneralFontInfo(SimpleTextLineWrapper.java:339)
21:57:12,135 INFO  [stdout] (AsyncLogger-1) 	at net.sf.jasperreports.engine.fill.SimpleTextLineWrapper.createFontInfo(SimpleTextLineWrapper.java:279)
21:57:12,135 INFO  [stdout] (AsyncLogger-1) 	at net.sf.jasperreports.engine.fill.SimpleTextLineWrapper.start(SimpleTextLineWrapper.java:241)
21:57:12,135 INFO  [stdout] (AsyncLogger-1) 	at net.sf.jasperreports.engine.fill.TextMeasurer.measure(TextMeasurer.java:537)
21:57:12,136 INFO  [stdout] (AsyncLogger-1) 	at net.sf.jasperreports.engine.fill.JRFillTextElement.chopTextElement(JRFillTextElement.java:623)
21:57:12,136 INFO  [stdout] (AsyncLogger-1) 	at net.sf.jasperreports.engine.fill.JRFillTextField.prepare(JRFillTextField.java:699)

How to Sniff Network Packets on HP-UX Filtered by a Specific IP

On most Linux distros it's very easy to capture network packets using tcpdump, but in this case I need to capture packets on HP-UX, which doesn't have tcpdump installed.

So basically I have two options: install tcpdump on HP-UX (which is very tricky because of the limitations the sysadmin gave me), or simply use HP-UX's built-in network tracing facility, “nettl”.

In this example I'm capturing packets to and from a specific IP. The first step is creating a filter file that contains the target IP:

filter ip_saddr 192.168.0.11
filter ip_daddr 192.168.0.11

which I save as /tmp/myfilter.

The next step is running nettl:

# start nettl tracing
nettl -tn 0x30800000 -e ns_ls_ip -size 1024 -tracemax 99999 -f /tmp/raw.tr

# check nettl status
nettl -status TRACE

# format the captured trace, keeping only packets that match the filter
netfmt -N -n -l -c /tmp/myfilter -f /tmp/raw.tr.TRC000 > /tmp/trace.output

# stop nettl
nettl -tf -e all

How to Setup HTTPS Connection for NginX

I just bought a new SSL certificate from an SSL provider, and now I'm installing it on my nginx web server. I want to share the steps needed to install the certificate, in case someone needs them.

But first, I need to generate a .key and a .csr file with openssl: the .key file is my private key, and the .csr is the certificate signing request.

sudo openssl req -new -newkey rsa:2048 -nodes -keyout domain.key -out domain.csr

Next, I send the .csr file to the SSL provider, which generates the .crt files. In my case the provider gives me two .crt files: the “Intermediate Certificate” (my_intermediate_ca.crt) and the “SSL Certificate” itself (domain.crt).

First, I need to join those two .crt files, server certificate first:

cat domain.crt my_intermediate_ca.crt > bundle.crt

It will look like this:

-----BEGIN CERTIFICATE-----
..... my domain.crt .......
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
..... my intermediate.crt .......
-----END CERTIFICATE-----

Next is registering the certificate in nginx; I just edit ssl.conf:

sudo vi /etc/nginx/conf.d/ssl.conf

and add these lines:

server {
    listen       443 default ssl;
    server_name  mydomain;

    server_tokens off;

    ssl_certificate      /crtlocation/bundle.crt;
    ssl_certificate_key  /crtlocation/domain.key;

    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout  5m;

    ssl_ciphers  HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers   on;

    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }
}

Restart nginx and check your SSL setup with the openssl command:

openssl s_client -debug -connect localhost:443

A good SSL configuration will give this result:

Verify return code: 0 (ok)

while a bad one gives a result like this:

Hope it helps others, have fun :D

PS.
I had one weird condition on my previous SSL installation: somehow my website showed a valid certificate in desktop browsers, but a broken one when accessed from mobile devices and Android browsers. I found out it was because I provided the wrong .crt file in nginx's ssl.conf: domain.crt instead of bundle.crt. :-(
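The mobile-only failure above is the classic symptom of a bundle without its intermediate: desktop browsers often cache or fetch the missing certificate, mobile ones do not. The script below is an added example, not code from the original post: it checks that the file nginx's ssl_certificate points at holds more than one certificate and starts with the server certificate, using constructed placeholder PEM blocks.

```shell
# Added example, not from the original post: sanity-check the bundle that
# nginx's ssl_certificate points at before restarting. Serving domain.crt alone
# (the mistake in the PS) shows up as a bundle with one certificate; a bundle
# in the wrong order shows up as not starting with the server certificate.

# Number of PEM certificate blocks in a file.
cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# The first PEM block of a file, header to footer.
first_cert() {
    awk '/-----BEGIN CERTIFICATE-----/ { p = 1 }
         p { print }
         /-----END CERTIFICATE-----/ { if (p) exit }' "$1"
}

# check_bundle BUNDLE LEAF: exit 0 when BUNDLE starts with the server
# certificate LEAF and carries at least one more certificate (the intermediate).
check_bundle() {
    bundle=$1; leaf=$2
    n=$(cert_count "$bundle")
    if [ "$n" -lt 2 ]; then
        echo "$bundle has $n certificate(s): the intermediate is missing"; return 1
    fi
    if [ "$(first_cert "$bundle")" != "$(first_cert "$leaf")" ]; then
        echo "$bundle does not start with $leaf: nginx expects the server certificate first"; return 1
    fi
    # With openssl available and real certificates, print each subject/issuer so
    # the linkage (issuer of cert N == subject of cert N+1) can be read off.
    if command -v openssl >/dev/null 2>&1; then
        openssl crl2pkcs7 -nocrl -certfile "$bundle" 2>/dev/null |
            openssl pkcs7 -print_certs -noout 2>/dev/null || echo "openssl could not parse $bundle"
    fi
    echo "$bundle looks complete: $n certificates, server certificate first"
}

# Constructed stand-ins for the two files the provider returns (not real
# certificates; the structural checks above do not need valid DER).
tmp=$(mktemp -d)
printf -- '-----BEGIN CERTIFICATE-----\nconstructed placeholder for domain.crt\n-----END CERTIFICATE-----\n' > "$tmp/domain.crt"
printf -- '-----BEGIN CERTIFICATE-----\nconstructed placeholder for the intermediate\n-----END CERTIFICATE-----\n' > "$tmp/my_intermediate_ca.crt"
cat "$tmp/domain.crt" "$tmp/my_intermediate_ca.crt" > "$tmp/bundle.crt"
check_bundle "$tmp/bundle.crt" "$tmp/domain.crt"
check_bundle "$tmp/domain.crt" "$tmp/domain.crt" || true   # the situation described in the PS
```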
