Creating a self signed security certificate

This post is very outdated; you might want to check a more recent version of it at (Self signed wildcard security certificate for apache or nginx). Even though it says WILDCARD in the title, it clearly shows how to make one that is not a wildcard certificate.

Tutorials teaching you how to create and install a self signed security certificate may be everywhere; I put this one here for my own purposes, because I use it as copy and paste instructions for speed. I added explanations of why we are doing everything.

Here we will discuss installing a self signed certificate (acting as your own certificate authority) …

If you are not sure if what you need is a self signed certificate or a proper secure certificate signed by a certificate authority, you can see the difference here

In this tutorial, we will install a self signed certificate on a debian squeeze machine. Please keep in mind that 1 certificate can be installed per IP address. If you need to install more certificates for more hosts, please have a look here.

We are assuming you have apache installed. Other web servers have different installation instructions, but the generation procedure remains the same.

The steps we will take are

A- get the system ready
B- Create a private key
C- Create a certificate signing request from the private key
D- Create a certificate from the certificate signing request
E- Install the certificate and the private key
F- Decrypt the private key (Optional)

A- get the system ready

1- Install openssl

On my debian system, this is done with the following command; on other systems, the installer may be different

apt-get install openssl ssl-cert

2- Create a directory we can work in

mkdir /etc/apache2/ssl

B- Create a private key

Creating a private key is as simple as

1- Go to our working directory

cd /etc/apache2/ssl

2- To create a private key, issue the command

openssl genrsa -des3 -out myprivate.key 4096

A password of your choice is required (you must enter it twice).

You will then have a private key in the file myprivate.key

The password you chose is the encryption key for your private key. Even though this is an encrypted private key file, it should never be shared with anyone: if you decrypt it in the optional step below and it is ever shared with anyone after it is decrypted, they can create a certificate just like the one we are creating and fool a visitor into thinking they are on the correct website (in a man in the middle attack, for example).

C- Create a certificate signing request from the private key

The certificate signing request is the file we normally give to a certificate authority so that they can create a certificate for us. In this case we are the certificate authority (self signed certificate), so we will create a certificate signing request and sign it ourselves.

1- To create a file containing the Certificate signing request data, all we need to do is issue the following command

openssl req -new -key myprivate.key -out signingrequest.csr

You will now be asked for the following (keep your eyes open for the common name, since it is the most important)

* Your pass phrase, the one you chose for the private key (to create a request from a private key, we need to decrypt and read the private key)
* Country Code (US), State…, CITY, Organisation Name, Organisation Unit
* Common name, and this is the most important: this is either your domain or sub domain. If it is your domain, do not add WWW and enter example.com; if it is a sub domain, enter subd.example.com
* A challenge password of your choice
* Enter anything into the optional company name.

We will now have 2 files in the directory, our private key (myprivate.key) and a certificate signing request (signingrequest.csr). We have 2 passwords, the private key’s encryption password and the signing request’s challenge password.

D- Create a certificate from the certificate signing request

openssl x509 -req -days 3650 -in signingrequest.csr -signkey myprivate.key -out mypublic.crt

Now you will be asked for the private key’s pass phrase (the first password), again to decrypt the private key so we can create a certificate.

We will now have 3 files in the directory: our private key (myprivate.key), a certificate signing request (signingrequest.csr), and our certificate file (mypublic.crt)

E- Install the certificate and the private key

At this point, we have a certificate (mypublic.crt), which holds our public key, and a private key (myprivate.key). We can now install those on apache and start using our certificate.

To install certificate on apache, we must

1- Enable mod ssl on apache, this is done with the command

a2enmod ssl

2- Make sure Apache is listening on the SSL port (443 by default)

On a debian system, you will need to verify the file ….

3- Fix the host’s config file to use the certificates

How this is done depends on how your system defines websites in apache. The easiest way to do this on a debian system is to copy the file mysite from the /etc/apache2/sites-available folder into a file called mysite_ssl (the mysite file could be called anything, like polosite.com.cfg), then open the new file for editing and change the Virtual Host line at the top to <VirtualHost *:443> (you may also replace the * with your IP address). Then scroll down to the end of the new file and, right before the end of the Virtual Host, add the following lines

<VirtualHost *:443>
...................
...................
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/mypublic.crt
SSLCertificateKeyFile /etc/apache2/ssl/myprivate.key
</VirtualHost>

4- Restart apache server

On a debian system, the apache server is restarted with the command

/etc/init.d/apache2 restart

IMPORTANT: Now, when you restart the apache server, you will be asked for the password you chose when you created your private key. The next step below will make apache not ask for a password, but will also create a risk if your unencrypted key should fall into a malicious user’s hands. It is worth mentioning that most websites do decrypt the private key, then make sure it is in a directory only the root user can access. Again, by default your private key is encrypted; decrypting it means you need to take very good care of it.

F- Decrypt the private key (Optional)

openssl rsa -in myprivate.key -out myprivate.key.insecure
mv myprivate.key myprivate.key.secure
mv myprivate.key.insecure myprivate.key
  

Now, restarting Apache should not ask you for a password
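
Steps B to D and F as one script, followed by the checks that confirm the certificate, the CSR and the key belong together and that the decrypted key is readable by its owner only. This is an added example, not from the original post; the passphrase, example.com, the O=Example subject, the scratch directory and the 2048-bit key size are assumptions, and the passphrase is passed through the KEY_PASS environment variable instead of being typed at a prompt.

```shell
#!/bin/sh
# Added example, not part of the original post. Constructed values: the
# passphrase, the CN example.com, the O=Example subject and the scratch dir.
umask 077                      # files created below are readable by owner only
export KEY_PASS="${KEY_PASS:-constructed-passphrase}"

# Steps B, C, D: key, CSR, self-signed certificate, without interactive prompts.
make_selfsigned() {            # $1 = directory, $2 = common name, $3 = key bits
    openssl genrsa -des3 -passout env:KEY_PASS -out "$1/myprivate.key" "$3" 2>/dev/null &&
    openssl req -new -key "$1/myprivate.key" -passin env:KEY_PASS \
        -subj "/C=US/O=Example/CN=$2" -out "$1/signingrequest.csr" &&
    openssl x509 -req -days 3650 -in "$1/signingrequest.csr" \
        -signkey "$1/myprivate.key" -passin env:KEY_PASS \
        -out "$1/mypublic.crt" 2>/dev/null
}

# Step F: write a decrypted copy of the key and force owner-only permissions.
decrypt_key() {                # $1 = encrypted key, $2 = decrypted output
    openssl rsa -in "$1" -passin env:KEY_PASS -out "$2" 2>/dev/null && chmod 600 "$2"
}

# Print the public key (PEM) held in a private key, CSR or certificate.
pub_pem() {                    # $1 = key|csr|crt, $2 = file
    case "$1" in
        (key) openssl pkey -in "$2" -passin env:KEY_PASS -pubout ;;
        (csr) openssl req -in "$2" -noout -pubkey ;;
        (crt) openssl x509 -in "$2" -noout -pubkey ;;
        (*)   return 1 ;;
    esac 2>/dev/null
}

# True only when both files could be read and carry the same public key.
same_key() {                   # $1 type, $2 file, $3 type, $4 file
    a=$(pub_pem "$1" "$2") && b=$(pub_pem "$3" "$4") && [ -n "$a" ] && [ "$a" = "$b" ]
}

# True when the PEM file is passphrase protected (both PEM layouts say ENCRYPTED).
key_is_encrypted() { grep -q ENCRYPTED "$1"; }

# True when group and others have no permission bits on the file.
key_is_private() { [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]; }

demo() {
    d=$(mktemp -d) || return 1
    make_selfsigned "$d" example.com 2048 || return 1   # the post uses 4096
    decrypt_key "$d/myprivate.key" "$d/myprivate.key.insecure" || return 1
    same_key key "$d/myprivate.key" crt "$d/mypublic.crt" && echo "certificate matches key"
    same_key csr "$d/signingrequest.csr" crt "$d/mypublic.crt" && echo "certificate matches CSR"
    key_is_encrypted "$d/myprivate.key" && echo "myprivate.key is encrypted"
    key_is_encrypted "$d/myprivate.key.insecure" || echo "decrypted copy is not encrypted"
    key_is_private "$d/myprivate.key.insecure" && echo "decrypted copy is owner-only"
    openssl x509 -in "$d/mypublic.crt" -noout -subject -enddate
    rm -rf "$d"
}
demo
```

Running same_key against the files in /etc/apache2/ssl before restarting Apache catches the common mistake of pairing a certificate with the wrong key file.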

G- Working with browsers

Firefox will allow you to add this certificate to its memory. Whenever this certificate is presented for this hostname, your modified Firefox will consider it a valid certificate.

Hard drive vibration and heat dissipation resolved

Update

In order to be able to stack disks outside computer cases, the solution I found was this:
I got some of those grills used for paint and bent them so that they can hold the 3.5 inch hard drive through screws. Then I had a 12cm tube-like aluminum tube cut into 1.5 inch parts, glued the Sorbothane pads to the aluminum, and duct taped the grills (that hold the disks) to the aluminum frame. Now I can stack them above each other.

Please be aware that vibration from disks affects other disks VERY considerably. I have had unbelievable failure rates with disks before this, and the disk transfer rates also drop drastically when the vibration from other disks is high.

You might say that disk manufacturers claim that disks are relatively vibration resistant. If you dig deeper, you will find that vibration caused by a spinning disk, the type of vibration other disks will introduce, is an exception to this.

Because I have many terabytes of files and backups, and because every PC I have has at least 4 hard drives attached to it, the vibration kills the performance of the hard drives. When you have 4 hard drives in a case, every hard drive is affected by the other three hard drives.

What I did was get a pack of vibration isolation pads and some metal grills that I use for suspending the disks, so that they can get better ventilation (grills like the ones you could use in barbecuing).

My hard drive failure rate went down considerably. Actually, I have had no hard drives break down since I implemented this solution (I used to get plenty of failures).

So, the bottom line is, it turns out the ONLY MATERIAL that isolates the vibration well enough (actually so well) is called “Sorbothane Vibration Isolation”.

Anyway, here are SOME of the photos i took to demonstrate that.

USB Ethernet adapters

For my reference, I got the following USB Ethernet adapters from Carrefour today, at JD2 each (around $3)

The light green has the chip DAVICOM DM9000E 0350s MHGW95, what windows sees is PM9601 USB NIC KMDF
A sticker on the back reads LH : 201103188

The blue ones have a chip that is not readable,
Sticker reads
XH-QF9700 2011-07-668A

The 2 CDs that came with them are in my drivers folder. Linux compatibility et al. testing under way.

Windows server 2008 R2 32GB memory limit

Microsoft server 2008 R2 STANDARD seems to have a 32GB memory limit, so my Windows server reports memory as follows

64.0 GB (32.0 GB usable), and this is indeed what Microsoft tells me on this page

http://msdn.microsoft.com/en-us/library/aa366778%28VS.85%29.aspx#physical_memory_limits_windows_server_2012

If it appears that VMWARE is using some of the 32 spare gigabytes and leaving the system memory alone, this is an illusion, because vmware workstation does not allocate all the memory of the VM at power on. Give it a few hours, or copy a very big file within the workstation, and it will take the ram away.

By the way, I had to write this because the answer is only available on a website that wants me to become a member to show me this information, so I experimented myself and put this information up for grabs. No one should have to pay $12 a month for a subscription to a website that displays information the site owners never even contributed to finding.

Progress bar and transfer rate in CP and MV command

The lowdown

Install iostat, then run (in a second command window) the command

iostat -k -x 2

Change the 2 to any refresh rate. No matter the refresh rate, you will get the KBytes per second, both read and write, for both disks involved in the copy. You will also get the total copied for the period of time between refreshes, so always take note of the (per second) sign in kB_read/s and kB_wrtn/s.

To recap, kB_read/s and kB_wrtn/s are not affected by the interval you set, while kB_read and kB_wrtn are affected (they are the result of multiplying the speed (/s) by the interval you set).

The -k stands for KiloBytes (the default is blocks); you can also use -m for megabytes
The -x stands for Extended statistics (you probably don't need it for this particular purpose)

We are doing the above because CP and MV do NOT provide means of monitoring transfer rate.
Some other solutions like pv and rsync do, but would you want to get into all of this every time you want to copy a file or folder ?

Anyway, here is a rundown of all the ways that can allow you to monitor speed when you copy or move

(I will come back to this in a bit.)

Orange Internet of Jordan are idiots

Not only is Orange internet the most expensive in Jordan, they are also the most idiotic.

I pay them loads of money for the internet (more than 2JDs per gigabyte) and I get rar files that don’t match the MD5 sum of the upstream, and the reason turns out to be that I have CLICK HERE IF YOU ARE NOT REDIRECTED within my multi-part downloaded rar files.

The geniuses at Orange internet Jordan decided not to inspect the http headers and make sure they are HTML before they tell me about my quota.

The geniuses at Orange should have inspected whether the header contains “Content-Type: text/html”. You don’t replace a downloading file part that specifically reads “Content-Type: application/octet-stream” with an html file reading (you are approaching your quota), at least because the zip file is not opening inside the browser, Mr. genius; you are just corrupting the downloads I paid you for.

Comparing Orange to Umniah, you will notice that Umniah is at least 5 times cheaper, and they don’t play silly games that end up ruining your day. They are also reliable. Go Umniah.

Orange Internet Jordan … idiots

In addition to Orange's internet being the most expensive, they are also the dumbest of all.

I pay them a lot (more than two dinars per gigabyte) and I get files that do not match the files I am downloading, and the reason is that Orange's warning about approaching the download limit appears inside my files that download in parts.

The geniuses at Orange decided not to look at the start of the connection and check for the header that says “Content-Type: text/html”, so they replace a binary file “Content-Type: application/octet-stream” with text data without looking at the headers.

Comparing Orange to Umniah, you will find that Umniah is five times cheaper, and they do not play silly, reckless games to ruin your day, and their reliability is good. Onward, Umniah.

Can i mount a disk image created with dd , ddrescue , or dd_rescue on Windows ?

The lowdown: Yes you can, try the free OSFMount.

How did I find out about it? A friend sent me his laptop to un-delete files for him. I didn’t have time to see how I can un-delete under windows, so (with his permission) I mounted his laptop hard drive on my computer (Linux), then dd'd the whole drive to a 250GB image file, put the hard drive back where it was (in the laptop), and sent it back to him so that he can continue using it. Once I found the time, I simply copied the image to a Windows computer, mounted it with OSFMount, then un-deleted everything with Recuva (the best un-delete software in my opinion), put his files on an external hard drive and sent it his way.

Images created with dd, ddrescue, or dd_rescue are not formatted; they are the direct copy of a whole disk, including boot records, partition tables, and file system, so mounting such images should not be hard at all. Indeed, it turns out there is a program that can mount them under windows (I would not be surprised if it turns out there are hundreds that do that), but for now, this seems to be a champ, and it seems to be free.

Yet, this program seems to be more than a mounting tool for direct disk images: it also mounts CD images (I guess the one I currently use (virtual clone drive) is obsolete), creates RAM disks, and can open a big bunch of other image formats (nrg, SDI, AFF, AFM, AFD, VMDK, E01, S01).

So there you are, all you need for your disk mounting needs in 1 program 😀

Cheers

DD_RESCUE ( GDDRESCUE’s ddrescue ) for disks with Advanced Format ( AF ) 4KiB sectors 4096 byte

1- Before using dd, ddrescue, or dd_rescue, you need to know which disk is which. You can do that by simply using the command “fdisk -l”; in my case, the old disk turned out to be /dev/sdb and the new un-partitioned disk is /dev/sdc.

So, I have been cloning a 2TB hard drive ( WD20EARS ) to a WD20EARX, same disk, but with a few differences

WD20EARS is sata 2 and the other is sata 3. Another difference is that using “hdparm -I /dev/sdb” the older WD20EARS reports (and this should not be true)

WD20EARS

Logical/Physical Sector size:           512 bytes

while with “hdparm -I /dev/sdc” the newer WD20EARX reports

        Logical  Sector size:                   512 bytes
        Physical Sector size:                  4096 bytes
        Logical Sector-0 offset:                  0 bytes

The first clone did not work for a reason unknown to me. I cloned my NTFS disk with ddrescue (gddrescue) on linux (because I don’t know how to clone on windows) and then plugged it into windows, where it simply did not work, and disk management reported the disk as un-partitioned space. So now I want to do the thing again, but I don’t want that slow performance, so I increased block size to 4KiB. (UPDATE: THE NEW COPY WITH 4KiB DID WORK BUT I DONT KNOW IF THE 4KiB SIZE IS RELEVANT, MAYBE YOU SHOULD TAKE A LOOK AT THE SECOND DIFFERENCE BETWEEN THE DISKS UP AT THE BEGINNING OF THE POST)

For now, I will try the cloning with the command below (only change the block size for advanced format hard drives)

Note: the --block-size option no longer works; it is now called --sector-size, but the short letter for it, -b, is still the same, so the first line below becomes the second
ddrescue --block-size=4KiB /dev/sdb /dev/sdc rescue2.log
ddrescue -b 4KiB /dev/sdb /dev/sdc rescue2.log

And if all of your data is important, you can ask ddrescue to retry every bad block 3 times (or as many times as you wish) with the -r option

ddrescue --block-size=4KiB -r3 /dev/sdb /dev/sdc rescue2.log
ddrescue -b 4KiB -r3 /dev/sdb /dev/sdc rescue2.log

And what do you know, the disk now works on my WINDOWS machine 😀 no errors and no nothing, great. So now to some details about the copy

The result up to now is that I am reading at a maximum of 129MB while the average (in the first 60 GBs) is 93018 kB/s. If this continues, I will be done in less than 6 hours.

The part that does not make any sense to me is that western digital states clearly in the specs that the maximum (Host to/from drive (sustained)) is 110 MB/s for both drives. It must be that I need to wait a bit more and see what that actually means.

rescued:         0 B,  errsize:       0 B,  errors:       0
Current status
rescued:    74787 MB,  errsize:       0 B,  current rate:     119 MB/s
   ipos:    74787 MB,   errors:       0,    average rate:   93018 kB/s
   opos:    74787 MB,     time from last successful read:       0 s
Copying non-tried blocks...

Now, once done, you can have the OS reload the partition table without having to restart, you can simply use the command partprobe

partprobe
or
partprobe /dev/sdc

To use partprobe, you need to install parted

apt-get install parted

If it were a linux drive, an advanced format drive would not have its first sector on sector 63 but rather on sector 2048, which is at exactly 2KiB; it could (but usually does not) start at any other value divisible by 8.

Windows probably does something similar for our AF disk, so asking parted about our ntfs disk, this is what parted says

Model: ATA WDC WD20EARS-00M (scsi)
Disk /dev/sdb: 2000GB
Sector size (logical/physical): 512B/512B
Partition Table: msdos

Number  Start   End     Size    Type     File system  Flags
 1      1049kB  2000GB  2000GB  primary  ntfs

1049kB is 1074176 bytes, which when divided by 8 is 134272 (divisible by 8).

NOTES:
- There is a tool specifically for cloning ntfs volumes called ntfsclone. I am not sure what extra features it provides that are specific to ntfs; I have never used it before. With my disk that has bad blocks, I can only rely on gddrescue.
- A block is 512 on regular drives and 4096 on newer ones. If you want to backup the hard drive’s geometry, you can do one of the following
Backup the first 63 blocks (MBR + Bootloader) on a “non advanced format” drive

dd if=/dev/sda of=/mnt/storage/sda.vbr bs=512 count=63

On an advanced format drive, we can try

dd if=/dev/sda of=/mnt/storage/sda.vbr bs=4096 count=63

Which will make us read 258048 bytes rather than the traditional 32256 bytes (around 250K rather than 32K)

Undeleting files from windows partitions

So, I will be doing this under linux for a good reason

My friend gave me his computer so that I can recover everything for him. He deleted all the photos and so many other things; photos of his family are most important to him.

So, because I have been holding his computer hostage for a week now, I decided to copy the entire hard drive so I can give him his computer back and extract everything at my convenience. So, after mounting the disk I want to undelete from… I executed the command

ddrescue /dev/sdb /hds/3tb/200gb.img /root/resumelog.log

So I had the image file that I can use for recovery after mounting

Now if, as in the article here http://www.buildingcubes.com/2012/07/27/rescuing-a-failed-hard-drive/, I mounted the drive, I can use a nice linux command (ntfsundelete) to undelete the files from the mounted partition.

1- Create a list of files to take a look at; put all deleted JPGs in a text file
ntfsundelete /hds/img -m '*.jpg' -p 80 -t 8m > deletedmp3.txt
ntfsundelete /dev/loop0 -m '*.zip' -p 50 -t 8m > deletedjpg.txt

2- Change to the directory where you want to recover files to
cd /hds/wd1tb/newdir

3- Recover all PNG files, then all jpg files
ntfsundelete /dev/sda1 -u -m '*.png'
ntfsundelete /dev/sda1 -u -m '*.jpg'

or, if I want to move them to a directory other than the active directory
ntfsundelete /dev/sda1 -u -m '*.jpg' -p 90 -t 8m -d /hds/wd1tb/newdir

-p 90 means only recover files with at least 90% recoverable content
-t 8m means only files deleted in the past 8 months