FreeSoftwareServers's questions

I am trying to configure CertBot and it only works when I serve my site over http. Usually I have an https redirect and I don't want to have to change the site config each time I need to use certbot. I tried to serve only /.well-known/ over http but it is still failing any ideas how to resolve this?

I am trying to copy this idea but not working --> NGINX redirect everything except letsencrypt to https

Eg: This Works:

server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;


location / {

        proxy_pass              http://localhost:8575/;
        include                 /etc/nginx/conf.d/proxy.conf;
    }
}

This does not: (Note that the current configured SSL Certs are not correct, but needed for NGinX to start)

server {

   listen 80;
   listen [::]:80;
   server_name www.example.com example.com;

    location /.well-known/acme-challenge/ {
        proxy_pass              http://localhost:8575/;
        include                 /etc/nginx/conf.d/proxy.conf;
    }

location / {
       return 301 https://$server_name$request_uri;
    }

}

server {
        listen 443 ssl;
        listen        [::]:443;
        server_name www.example.com example.com;

#        ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
#        ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
        ssl_certificate /etc/ssl/crt/crt.crt;
        ssl_certificate_key /etc/ssl/crt/key.key;

location / {

        proxy_pass              http://localhost:8575/;
        include                 /etc/nginx/conf.d/proxy.conf;
    }
}

Error Log:

certbot    | Saving debug log to /var/log/letsencrypt/letsencrypt.log
certbot    | Plugins selected: Authenticator webroot, Installer None
certbot    | Registering without email!
certbot    | Obtaining a new certificate
certbot    | Performing the following challenges:
certbot    | http-01 challenge for www.example.com
certbot    | http-01 challenge for example.com
certbot    | Using the webroot path /var/www/html for all unmatched domains.
certbot    | Waiting for verification...
certbot    | Challenge failed for domain www.example.com
certbot    | Challenge failed for domain example.com
certbot    | http-01 challenge for www.example.com
certbot    | http-01 challenge for example.com
certbot    | Cleaning up challenges
certbot    | IMPORTANT NOTES:
certbot    |  - The following errors were reported by the server:
certbot    |
certbot    |    Domain: www.example.com
certbot    |    Type:   unauthorized
certbot    |    Detail: Invalid response from
certbot    |    http://www.example.com/.well-known/acme-challenge/WyVEA5g6BWVDPpYUhEJ0bG5iH6daF1rZpFd0vuTXOa0
certbot    |    [50.117.156.123]: "        <!DOCTYPE html><html lang=\"en-US\">\r\n
certbot    |    \t<head>\n\n\t\t        <meta charset=\"UTF-8\">\r\n        <meta
certbot    |    name=\"viewport\" con"
certbot    |
certbot    |    Domain: example.com
certbot    |    Type:   unauthorized
certbot    |    Detail: Invalid response from
certbot    |    https://www.example.com/x61_h9wxFY2Ye8-16GllyMq_dfsXbsEB1lYOjeq4LjU
certbot    |    [50.117.156.123]: "        <!DOCTYPE html><html lang=\"en-US\">\r\n
certbot    |    \t<head>\n\n\t\t        <meta charset=\"UTF-8\">\r\n        <meta
certbot    |    name=\"viewport\" con"
certbot    |
certbot    |    To fix these errors, please make sure that your domain name was
certbot    |    entered correctly and the DNS A/AAAA record(s) for that domain
certbot    |    contain(s) the right IP address.
certbot    |  - Your account credentials have been saved in your Certbot
certbot    |    configuration directory at /etc/letsencrypt. You should make a
certbot    |    secure backup of this folder now. This configuration directory will
certbot    |    also contain certificates and private keys obtained by Certbot so
certbot    |    making regular backups of this folder is ideal.
certbot    | Some challenges have failed.
certbot exited with code 1

I have successfully setup Windows Admin Center and everything works as epected from within the LAN. I forwarded the ports through my gateway and attempted remote access. Everything works as expected, I am able to view all tabs I try, but when I try remote desktop, it doesn't work. I tried connecting to both the server and VM consoles to no avail. It just shows a blank screen where the console should be (usually I get an Auth pop-up on the right hand side).

Any ideas on what to adjust or places I can share/look for debugging information?

Update: More Details

I have a Windows 10 LTSC 2019 client running Hyper-V w/ 2 Windows Server Core 2019 DC. One runs WAC (Gateway-Server) the other a DC. I'm currently adding computers to Domain to see if this helps resolve anything. There is another Ubuntu VM as well.

Settings:

• Enabled RDP on machines
• Disabled requirement for Network Level Auth
• Proper SSL Certs installed on all machines

Things I have tried:

• Powershell in WAC --> Works
• Overview/Registry etc --> Works
• VM Overview & Inventory --> Works
• RDP to VM (Windows/Liunx) or Host OS --> Do not work, no "Auth Pop-up" on right hand side, just blank/hanging.
  • Confirmed working correctly from within LAN

I'm investigating an SSL setup and Chrome says the cert was issues to, subdomain.subdomain.domain.com but if I visit that URL I get the "Cert Invalid" warning". Yet, if I visit "subdomain" directly, the cert is accepted. I'm not 100% how you even setup a site to not have a ".com/org" etc let alone get SSL to work in this sense. Does anybody have any ideas/experience with how this might be setup/possible?

I'm securing RDP by adding my SSL cert to my Windows host and of course, I'm working on scripting everything. I've got it 99% complete, the only step I can't figure out how to script is relating to permissions.

Eg: https://superuser.com/questions/1093159/how-to-provide-a-verified-server-certificate-for-remote-desktop-rdp-connection/1093160#1093160

1.Start > Run > mmc

2.File > Add Remove Snap-in > Certficates > Add > Computer Account > Local Computer > OK

3.In the left-hand window right-click on Certificates (Local Computer)Personal, choose All Tasks/Import…

4.Locate the pfx file and import it, I suggest that for security reasons you don’t make it exportable.

5.Expanding your Personal/Certificates you should now see 3 certificates, one of which is your site certificate (e.g. mysite.com). Right-click on this site certificate and right-click, choose All Tasks / Manage Private Keys…

6.Add user ‘NETWORK SERVICE’ with Read permission only (not Full Control), then Apply

7.Close mmc

I'm trying to script step 6 in this guide. Does anybody have any ideas where to start?

I'm having trouble SSHing into a VM I am trying to migrate to the cloud. I used the "Cloud Endure" option from google's migration doc's.

I tried yesterday and realized in my LAN the only way to log in via SSH is if my LDAP server is running, so I enabled SSH Login via PWD and confirmed it worked with my LDAP server off and then started the replication process again.

I am having the same problem as yesterday, I don't get an error from PuTTY like refused key, or any prompts. Just "Connection Refused".

I tried adding the network tag "default-allow-ssh" to the network tags section but still same error. I pay for internet per GB so I'm hesitant to try replicating again, also I have no idea what to change next.

Does any body have any experience using Cloud Endure and having SSH troubles after?> Suggestions or more information needed?

The distro is Ubuntu 14 just fyi.

Also, this could be a separate question, but is there no "Remote Console" in google cloud so that I could login as if I was local? This seems ridiculous to me as it is always my backup solution if I somehow break SSH.

Update:

Not sure if this should work as I only have 1 other working VM in the network, but I can't ping the VM from another working VM on the same VPC. (I assume same VPC, different "project", but same account and the private IP's are the same except ending in .2 and .3 respectively) I'm new to "the cloud"..., much prefer having total control. (I can ping the public IP from my LAN)

I tried SSH'ing into the VM via the working VM on the same VPC and it just hung, no errors.

I'm looking for a non gui way (CLI) to find all VM's that have Autostart configured on my Fedora KVM Host.

I am having some serious troubles passing through my NIC to my Windows guest running on KVM.

The current driver in use is vfio-pci and I have done the passthrough via Virt-Manager so the XML format is correct. But when I try to start it, it shows Internal Error: Unknown PCI Header Type 127.

lspci -nnv shows Unknown Header Type 7F

02:00.0 Network controller [0280]: Intel Corporation Wireless 8260 [8086:24f3] (rev ff) (prog-if ff)
        !!! Unknown header type 7f
        Kernel driver in use: vfio-pci
        Kernel modules: iwlwifi

Does anybody have any advice/experience passing through an Intel PCI WiFi NIC on KVM that could possibly help? Thanks.

PS: This device has been successfully pass through w/ ESXi and currently I have passthrough working with my GPU, so you can count vt-d/iommu configuration out of the equation. (And hardware failure, I think. The only real way for me to test is to get this working on KVM or go back to ESXi and if it doesn't work on ESXi then its broken). I have been switching hypervisors for testing a lot latley and I'm hoping to get this to work with KVM, i suspect its not broken hardware that is the issue.

Normally, when I passthrough a disk to a VM I use the entire disk. I am looking at attempting to passthrough a partition in KVM. First question is that possible/ok? Looking at this doc it seems to be the way to go which supprised me.

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/virtualization_administration_guide/sect-virtualization-adding_storage_devices_to_guests-adding_hard_drives_and_other_block_devices_to_a_guest

Important

Guest virtual machines should not be given write access to whole disks or block devices (for example, /dev/sdb). Guest virtual machines with access to whole block devices may be able to modify volume labels, which can be used to compromise the host physical machine system. Use partitions (for example, /dev/sdb1) or LVM volumes to prevent this issue.

My next question is I have read about how to do this via /dev/sdX and by diskID, but DiskID seems to be the entire disk, IE:

https://lime-technology.com/forums/topic/34659-hard-drive-passthrough/

<disk type='block' device='disk'>
        <source dev='/dev/disk/by-id/ata-Corsair_CSSD-F120GB2_1109650632000461003B' />
        <target dev='hdc' bus='virtio' />
</disk>

And the whole point of using the by-id is because /sdX can change. I was wondering if I can use LABEL or UUID? Anybody with experience, I'd like some input.

Thank you

I have migrated my site from Wordpress to Confluence, and modified the 404 Error page to redirect to the main domain home page. This works if i type

https://www.freesoftwareservers.com/asdasd

But if you go to an old page, say

https://www.freesoftwareservers.com/index.php/2016/07/24/xymon-home-page/

It takes you to main main confluence page, which is NOT what I want.

The working redirect, redirects you to a "scroll point viewport" @

https://www.freesoftwareservers.com/wiki

But the non-working url above, just takes you to my regular confluence page which is not really supposed to be public. (Its still protected though, its just not as pretty and not the view I want to be public)

Any thoughts?

PS: This is how I handle 404 with confluence (all pages are proxyied thru NGinX)

sudo mv /opt/atlassian/confluence/confluence/404.vm /opt/atlassian/confluence/confluence/404.vm.original
sudo nano /opt/atlassian/confluence/confluence/404.vm
<!DOCTYPE HTML>

<meta charset="UTF-8">
<meta http-equiv="refresh" content="1; url=http://example.com/url">

<script>
  window.location.href = "http://example.com/url"
</script>

<title>Page Redirection</title>

<!-- Note: don't tell people to `click` the link, just tell them that it is a link. -->
If you are not redirected automatically, follow the <a href='link'>http://example/url'>link to example</a>

NginX Config

##Jira
server {
       listen         80;
       server_name    jira.freesoftwareservers.com;

       return         301 https://$server_name/;

}

server {
        listen 443 ssl;
        server_name jira.freesoftwareservers.com;

location / {

        proxy_pass              http://192.168.1.255:8081/;

        include                 /etc/nginx/proxy.conf;
    }
}


#Confluence
server {
       listen         80;
       server_name    freesoftwareservers.com www.freesoftwareservers.com;

       return         301 https://www.freesoftwareservers.com$request_uri;
}

server {
listen 443 ssl;
server_name www.freesoftwareservers.com freesoftwareservers.com;

rewrite     ^/$ /wiki permanent;

location / {

      proxy_pass           http://192.168.1.255:8091/;
      include             /etc/nginx/proxy.conf;

    }
}

So, I thought my LDAP was working perfect, but today I went to log in, and its authenticating me, but its showing i'm the local Admin account, even whoami says so, and I have full root access like local user account does.

Any ideas on what to look for?

This is the output of Logging in as donut, who is NOT a local user, but has logged in before.

sysadmin@BASICTEMPLATE:~$ whoami
sysadmin
sysadmin@BASICTEMPLATE:~$ pwd
/home/donut

And the output of tail -f /var/log/auth while logging in as donut

Oct  7 21:01:15 BASICTEMPLATE sshd[1871]: Accepted publickey for donut from 192.168.1.210 port 50472 ssh2: RSA 9c:a7:b6:3c:a8:2d:96:21:e8:d2:47:cb:6f:8f:a0:91
Oct  7 21:01:15 BASICTEMPLATE sshd[1871]: pam_unix(sshd:session): session opened for user donut by (uid=0)
Oct  7 21:01:15 BASICTEMPLATE systemd-logind[471]: New session 4 of user sysadmin.

My Client Setup :

Both client and server are Ubuntu Server 14.04

Setup on Client :

sudo su

apt-get update
apt-get install -y libpam-ldap nscd ldap-utils python-pip python-ldap libsasl2-dev python-dev libldap2-dev libssl-dev libnss-ldapd

##INSTALL STEPS###

#NOT LDAPI://, LDAP://
ldap://192.168.1.255

dc=freesoftwareservers,dc=com

{group,pass,shadow} (These options may not all show, manually edit /etc/nsswitch.conf if so)

ldap://192.168.1.255

dc=freesoftwareservers,dc=com

3

YES

NO

cn=admin,dc=freesoftwareservers,dc=com

PASSWORD

sed -i -r 's/(.*)(use_authtok)(.*)/\1\3/g' /etc/pam.d/common-password
grep 'pam_mkhomedir.so' /etc/pam.d/common-session > /dev/null || {

    cat >> /etc/pam.d/common-session <<EOF
session required    pam_mkhomedir.so skel=/etc/skel umask=0022
EOF
}

sh -c 'echo "tls_reqcert never\nnss_initgroups_ignoreusers ALLLOCAL\nbind_timelimit 3\ntimelimit 3" >> /etc/nslcd.conf'

Edit :

sudo nano /etc/nsswitch.conf
passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap

Enable SSH RSA Key Lookup :

pip install ssh-ldap-pubkey
sh -c 'echo "AuthorizedKeysCommand /usr/local/bin/ssh-ldap-pubkey-wrapper\nAuthorizedKeysCommandUser nobody" >> /etc/ssh/sshd_config' && service ssh restart

Restrict to group ServerAdmins :

sudo sh -c 'echo "auth    required    pam_access.so" >> /etc/pam.d/common-auth'
sudo sh -c 'echo "- : ALL EXCEPT root (admin) (wheel) (ServerAdmins): ALL EXCEPT  LOCAL" >> /etc/security/access.conf'

Grant Group ServerAdmins Sudo Access :

 sudo visudo
 # Members of the LDAP group ServerAdmins may run sudo
 %ServerAdmins ALL=(root) ALL

 /etc/init.d/nscd restart

I have imported from what I can tell successfully the sshPublicKey schema but the attribute doesn't show in PHPLDAPADMIN.

Anybody have any experience with this issue?

What I did verbatim :

sudo nano openssh-lpk.ldif

dn: cn=openssh-lpk,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: openssh-lpk
olcAttributeTypes: ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey'
  DESC 'MANDATORY: OpenSSH Public key'
  EQUALITY octetStringMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
olcObjectClasses: ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY
  DESC 'MANDATORY: OpenSSH LPK objectclass'
  MAY ( sshPublicKey $ uid )
  )

Import the schema, should I change ldapi://? I tried using my IP/Loopback and it doesn't work, but it seems to work as is.

ldapadd -Y EXTERNAL -H ldapi:/// -f openssh-lpk.ldif

Got this from this guide here >> https://blog.shichao.io/2015/04/17/setup_openldap_server_with_openssh_lpk_on_ubuntu.html

Confirmed its what I'm supposed to via this post on SF.

SSH key authentication using LDAP

But his instructions are a bit vague...

"Update LDAP to include the OpenSSH-LPK schema"

We first need to update LDAP with a schema to add the sshPublicKey attribute for users:

How? What am I doing wrong?

Thanks,

PS: This is the output of me running the command, all seems well, it even says "Duplicate"

root@ldap:~# ldapadd -Y EXTERNAL -H ldapi:/// -f openssh-lpk.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=openssh-lpk,cn=schema,cn=config"
ldap_add: Other (e.g., implementation specific) error (80)
        additional info: olcAttributeTypes: Duplicate attributeType: "1.3.6.1.4.1.24552.500.1.1.1.13"

UPDATE: I can see the schema in PHPLDAPADMIN, but its not under the PosiX Account, can somebody post the attribute tag from /etc/phpldapadmin/templates/creation/posixAccount.xml

I am setting up Smart monitoring currently and I had a question regarding the command

smartctl -H /dev/sda

=== START OF READ SMART DATA SECTION ===
SMART Health Status: OK

Does this actually run anything against the disk, or does it just poll the logs/data currently available from SmartMonTools.

I understand and am looking into running smartd with short and long tests, but that would be managed by smartd. My script is simple in that it just greps for Health Status OK and fails/passed based on finding the result. It also displays "smartctl -all /dev/sda", and I wondered about that too.

I just want to make sure, because

I Think that both smartctl -H /dev/sda && smartctl -all /dev/sda when run, don't actually do any testing, they just poll avaialable data. Can anybody confirm?

The reason is I poll this data way to often with my network monitoring software (every 15m currently), but if it doesn't effect disks, I will just leave it and use smartd to schedule the actual self-tests which do 100% read/write/test the disks.

Xymon 4.3.0-0.beta2

Ubuntu 10.04.04

I am looking to set up a hobbit test for an API call to an HTTP URL

I was given the following information, and all I can find is the ability to monitor HTTP URLS or PINGs and http Auth, but nothing like what I need.

https://sub.domain.com/groups/api/domain/user_exists

Then :

'http' => array(
             'method'  => 'POST',
             'content' => $data,
             'header'=>  "Content-Type: application/json\r\n" .
                                 "X-API-SECRET: 
Long-Hash-of-Letters-and-Numbers####\r\n" .
                                 "Accept: application/json"

);

1) Check for a valid user exists:

$data = {"username":"admin"};

Result should be an HTTP response code 200 and JSON for content

2) Check for a user that doesn't exist

$data = {"username":"0"};

Result should be an HTTP response code 200 and empty for content

Is this even possible? Any good reading to get me started? Or the Answer :P.

Thanks,

I am just doing some initial researching into STONITH and am finding that it can require Hardware to reset the failed nodes. Something called an IPMI can be used. I was wondering how something like this factors into a virtual environment? Does anybody have any experience implementing STONITH in an esxi 6 VM Environment?

Current Env Variables:

Esxi 6

CentOS 7

Pacemaker + Coroysync + DRBD configured

Looking to configure STONITH and wondering if somebody can help me understand how to do this in a virtual environment.

I have a lab environment with multiple clouds configured in Hyper-V SCVMM. When a guest machine is created in the correct cloud say "Yellow" it is randomly given one of the 5 Vlans we use. If it is wrong, the Lab Admin has to manually change it.

I would like for the VM's to automatically be created with the correct VLAN AND/OR enable the guests to change this option without giving them full admin rights. Perhaps a powershell scrip that could be run from within the host?

I suspect I may have left out some information, please let me know what you need and I will get back ASAP.

So basically I had to proxypass the root of a web server @

/

but the application is hosted at

/ui

When they don't manually type /ui they are presented with the home page of the server, which is static and not being used. I want to initially have Nginx move you to domain.com/ui when you type domain.com then basically just do what it normally does and proxy the application.

I currently am working on configuring an nginx reverse proxy for the esxi html5 web client. I have seen two reported working configs.

There is this one:

 server {
 listen 443 ssl;
 server_name vmware.xxxxxxxxxx.org;
 location / {
 proxy_pass https://192.168.xxx.xxx/;
 proxy_http_version 1.1;
 proxy_set_header Upgrade $http_upgrade;
 proxy_set_header Connection “upgrade”;
 }

And this one:

location ^~ /vhost1 { # https://nginxserveraddress/vhost1 (will take you here)
    proxy_pass              https://serveripaddr/ui;
    proxy_http_version      1.1;
    proxy_set_header        Upgrade $http_upgrade;
    proxy_set_header        Connection "Upgrade";
    proxy_read_timeout      86400;
    proxy_set_header        Host $host;
    proxy_set_header        X-Real-IP $remote_addr;
    proxy_set_header        X-Forwarded-Server $host;
    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header        Authorization "";
    proxy_redirect          off;
}

I have successfuly proxyed subdomain.domain.com with the "exact" same proxy config it fails to proxy when I use domain.com/ui

This Works:

server {
listen 443 ssl;

server_name subdomain.domain.com;

ssl on;
ssl_certificate /etc/ssl/certs/ssl-bundle.crt;
ssl_certificate_key /etc/ssl/private/server.key;

location / {

        proxy_pass          https://ip/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_read_timeout      86400;
        proxy_set_header        Host $host;
        proxy_set_header        X-Real-IP $remote_addr;
        proxy_set_header        X-Forwarded-Server $host;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        Authorization "";
        proxy_redirect          off;
}
}

But this does not:

server {
listen 443 ssl;
server_name domain.com;


location /ui {
        proxy_pass          https://ip/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_read_timeout      86400;
        proxy_set_header        Host $host;
        proxy_set_header        X-Real-IP $remote_addr;
        proxy_set_header        X-Forwarded-Server $host;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        Authorization "";
        proxy_redirect          off;
    }
}

The second unconfirmed working script apparently does what I want, but it doesn't work for me, and the dev of application reported the same thing.

[Update] So it does sort of work, It takes me to log in screen, but still can't access the files in the root directory even tho I proxy the base of the webroot in my proxy_pass config. Therefor location has to be / not /ui. And to make / work, I need to use a subdomain, because I already have a location / in my main domain.

I hope that makes sense...

Example:

I used this to proxy webroot of server:

location /ui {

  proxy_pass              https://192.168.*.*:443/;

Instead of

location /ui {

  proxy_pass              https://192.168.*.*:443/ui;

I noticed this with another application as well. Specifically deluge will not proxy domain.com/deluge

but works via deluge.domain.com/

I have kind of given up, as I got a wildcard SSL cert and just decided to live with sub-domains and that not everything works via domain.com/path proxypass.

But I would like to know why, and perhaps work on figuring it out anyway.

So I know how to block an app via Software Restriction Policies >> Path and it works for files inside Program Files and System32.

What I want is to block the Metro Calculator via GPO >> Software Restriction Policy.

I found a folder under C:\Program Files\WindowsApps and blocked

number.exe but no luck.

Any Thoughts?

I do not want to use AppLocker as I have been told by Admin to use Software Restriction Policies.

Example: Software Restriction Policy Image