John Main

Code. Design. Hosting. Maintenance.

11
Apr '16

If you’re trying to install or update packages via yum on a RedHat/CentOS server and you keep getting ‘Multilib’ errors along the lines of:

Protected multilib versions: openssl-1.0.1e-42.el6_7.4.x86_64 != openssl-1.0.1e-42.el6.i686

Then this means that you already have a 32-bit version of a package and you’re trying to install a 64-bit version (either by direct installation or as a dependency), or vice-versa. Generally these days you will be operating on a 64-bit system, so this issue can be very easily fixed by running the following (the patterns are quoted so that the shell passes them to yum unexpanded):

yum remove '*.i386' '*.i486' '*.i586' '*.i686'

And then installing the 64 bit versions (these should be the defaults) of the offending packages.

I encountered this when trying to use a 64 bit CentOS image as an AWS server due to 32 bit packages being pre-installed. Good grief it took me a while to figure out!

02
Jun '14

I’ve been having a go at pulling server information and stats out of PHP as a ‘nice to have’ for an application I’m building. It turns out that you can retrieve a fair bit of information from a Linux system if you’re not afraid of wrapping a few system calls. Here’s my finished script, please feel free to use at will!

<?php
// Collect basic host statistics on a Linux system.
$stats = array(
    // Fixed command with no user input; gethostname() avoids the shell entirely.
    'Host Name' => exec('hostname'),
    'System Date/Time' => date('Y-m-d H:i:s')
);

// /proc/uptime: the first field is seconds since boot, as a decimal.
$uptime_parts = explode(' ', file_get_contents('/proc/uptime'));
$uptime_raw = (int) floor((float) $uptime_parts[0]);
$days = intdiv($uptime_raw, 86400);
$hours = intdiv($uptime_raw, 3600) % 24;
$minutes = intdiv($uptime_raw, 60) % 60;
$seconds = $uptime_raw % 60;
$stats['Uptime'] = $days . ' day(s), ' . $hours . ' hour(s), ' . $minutes . ' minute(s) and ' . $seconds . ' second(s)';

// 1-minute load average.
$load_parts = sys_getloadavg();
$load_average = $load_parts[0];
$stats['Load Average'] = $load_average;

// /proc/meminfo: line 0 is MemTotal and line 1 is MemFree, both in kB.
$memory_data = preg_split('/[\r\n]/', file_get_contents('/proc/meminfo'));
if ($memory_data && count($memory_data) >= 2) {
    $memory_total_parts = array_values(array_filter(explode(' ', $memory_data[0])));
    $memory_total = number_format(($memory_total_parts[1] / 1000000), 2);
    $memory_free_parts = array_values(array_filter(explode(' ', $memory_data[1])));
    $memory_free = number_format(($memory_free_parts[1] / 1000000), 2);
    $stats['Total Memory'] = $memory_total . ' GB';
    $stats['Available Memory'] = $memory_free . ' GB';
}

// Disk figures for the root filesystem, converted from bytes.
$stats['Total Disk Space'] = number_format((disk_total_space('/') / 1000000000), 2) . ' GB';
$stats['Available Disk Space'] = number_format((disk_free_space('/') / 1000000000), 2) . ' GB';

15
Jun '13

I often have to work with SSL Certificates on behalf of my clients – advising on which to purchase, generating keys and certificate signing requests (CSRs), installing the certificates and trying to figure out what on earth I’m meant to be doing with the CA bundles. So I decided that, for the benefit of humankind (or at least any frustrated sysadmins that happen to stumble across this blog) I’d go through the process step by step. Please note that these are the steps that have worked for me, but server environments can vary so I’m not guaranteeing this will work for everyone.

Certificate Options

  • ‘Essential Security’ certificates are the cheapest you’ll find and, while they let you have legitimate HTTPS traffic, they aren’t great for security. There are little or no checks done against the site and they are usually signed by the guys you buy them from, rather than a trusted authority.
  • ‘Trusted’ certificates generally have extra checks and are signed by a trusted authority such as Verisign, Comodo or GlobalSign.
  • ‘Extra Authentication’ certificates will usually include checks on the business registering the certificate, which will give customers greater confidence in the site.
  • ‘Extended Validation’ or EV certificates have checks that follow the most rigorous guidelines, and will allow the browser to show a green address bar, along with the standard padlock symbol.

The following is information on creating keys and certificate signing requests with openssl under Linux.

Generating a Key

openssl genrsa -des3 -out www.johnmain.co.uk.key 2048

Omit the ‘-des3’ flag if you don’t want to include a passphrase. Passphrases are worth having if you think anyone else might gain access to your certificate files, but my feeling is that on a secure server with tight access control, there is little danger in leaving it out. If anyone can gain access to your server to access these files then you have much bigger problems to deal with!

Your keys should always be at least 2048 bits long for maximum security. If an authority asks for less then I’d be very cautious about using them.

Generating a Certificate Signing Request (CSR)

openssl req -new -key www.johnmain.co.uk.key -out www.johnmain.co.uk.csr

This command will prompt you to provide the following information:

  • Country Name (2 letter code)
  • State or Province Name (full name)
  • Locality Name (eg, city)
  • Organization Name (eg, company) – This is very important if you want extra checks or extended validation
  • Organizational Unit Name – This can be left blank
  • Common Name – This is the full domain name the certificate will be used for (without the https:// bit) e.g. www.johnmain.co.uk
  • Email Address – Leave blank
  • A challenge password – Leave blank
  • An optional company name – Leave blank

Now you’ll have your CSR ready to go. You can run the following command to double-check that you’ve entered the correct information:

openssl req -noout -text -in www.johnmain.co.uk.csr
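
As an added example (not part of the original post), the script below goes beyond reading the -text output by eye: it checks that the CSR was made from the intended key, that the key is at least 2048 bits, that the Common Name is the expected one, and that the key file is not readable by group or other. The function names, the file names and the www.example.test subject are made up for the demo.

```bash
#!/usr/bin/env bash
# Added example: checks to run on a key/CSR pair before sending the CSR off.
# The file names and subject used in the demo are constructed.

# Succeeds only if the CSR carries the public half of this private key.
csr_matches_key() {    # usage: csr_matches_key KEY CSR
    local k c
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Prints the key size in bits, e.g. 2048.
key_bits() {
    openssl pkey -in "$1" -noout -text 2>/dev/null |
        sed -n 's|.*(\([0-9][0-9]*\) bit.*|\1|p' | head -n 1
}

# Prints the Common Name from the CSR subject.
csr_common_name() {
    openssl req -in "$1" -noout -subject 2>/dev/null |
        tr -d ' ' | sed -n 's|.*CN=\([^,/]*\).*|\1|p'
}

# Succeeds only if group and other have no permissions on the key file.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Runs all four checks; prints the first failure and returns non-zero.
check_pair() {    # usage: check_pair KEY CSR EXPECTED_CN
    key_is_private "$1"             || { echo "key readable by group/other"; return 1; }
    [ "$(key_bits "$1")" -ge 2048 ] || { echo "key shorter than 2048 bits"; return 1; }
    csr_matches_key "$1" "$2"       || { echo "CSR was not made from this key"; return 1; }
    [ "$(csr_common_name "$2")" = "$3" ] || { echo "unexpected Common Name"; return 1; }
    echo "ok"
}

# Demo with a throwaway, passphrase-less key in a temp directory.
demo_dir=$(mktemp -d)
( umask 077
  openssl genrsa -out "$demo_dir/demo.key" 2048 2>/dev/null
  openssl req -new -key "$demo_dir/demo.key" \
      -subj "/C=GB/O=Example Ltd/CN=www.example.test" -out "$demo_dir/demo.csr" )
check_pair "$demo_dir/demo.key" "$demo_dir/demo.csr" www.example.test
```

For a passphrase-protected key, openssl will prompt for the passphrase when the key is read.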

Installing the Certificate

You’ll find a lot of long-winded and technical descriptions of installation procedures online, but assuming the certificate is right, it’s just a case of putting it, your CA bundle and your key in the right place and then editing your vhost configuration file to attach them to your domain. For example, under Apache, if your certificates live in /etc/ssl/certs and your keys live in /etc/ssl/private you would need to add the following to your vhost configuration:

SSLEngine on
SSLCertificateFile /etc/ssl/certs/www.johnmain.co.uk.crt
SSLCertificateKeyFile /etc/ssl/private/www.johnmain.co.uk.key
SSLCertificateChainFile /etc/ssl/certs/www.johnmain.co.uk.ca-bundle

Your vhost configuration will likely be under /etc/apache2/sites-enabled or /etc/httpd/conf/extra or within the main httpd.conf file.

The CA bundle should be provided along with your certificate, or alternatively your provider might have a standard one available via their website. You don’t really need to worry about what they are, so long as you can obtain a copy and install as above.

Once the installation is complete you should be able to restart your webserver and see the SSL certificate working its magic on your site.

04
Feb '12

I know many, many sites out there have tutorials on Mod Rewrite but I had to piece this together from a number of them and it seemed like a fairly common thing to want to do. If you’re using the classic controller/action/id schema for your site and want to prettify your links so that the values can be simply broken by slashes, but you also want relative paths to any subfolders (for images, CSS etc.) to work and you don’t want your subdomains to break, then try this code in a .htaccess file in your web root. Of course you may need to change the naming of your root file and arguments.

RewriteEngine On
RewriteCond %{REQUEST_FILENAME} -f                        [NC,OR]
RewriteCond %{REQUEST_FILENAME} -d                        [NC]
RewriteRule .* -                                          [L]
RewriteRule ^([^/]+)/?$ index.php?controller=$1                                [QSA,L]
RewriteRule ^([^/]+)/([^/]+)/?$ index.php?controller=$1&action=$2              [QSA,L]
RewriteRule ^([^/]+)/([^/]+)/([0-9]+)/?$ index.php?controller=$1&action=$2&id=$3 [QSA,L]