Blog

Redhat yum update /usr/share/rhn/RHNS-CA-CERT is expired.

On a RHEL 6 server connected to a satellite when doing a yum update I got :-

yum update

Loaded plugins: product-id, rhnplugin, search-disabled-repos, security

The certificate /usr/share/rhn/RHNS-CA-CERT is expired. Please ensure you have the correct certificate and your system time is correct.

so

cat /usr/share/rhn/RHNS-CA-CERT
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=US, ST=North Carolina, L=Raleigh, O=Red Hat, Inc., OU=Red Hat Network, CN=RHN Certificate Authority/emailAddress=rhn-noc@redhat.com
Validity
Not Before: Aug 29 02:10:55 2003 GMT
Not After : Aug 26 02:10:55 2013 GMT
Subject: C=US, ST=North Carolina, L=Raleigh, O=Red Hat, Inc., OU=Red Hat Network, CN=RHN Certificate Authority/emailAddress=rhn-noc@redhat.com

Diagnostics

Check /etc/sysconfig/rhn/up2date

It had

sslCACert[comment]=The CA cert used to verify the ssl server
sslCACert=/usr/share/rhn/RHNS-CA-CERT

But on another RHEL 6 server using the same satellite it had

sslCACert[comment]=The CA cert used to verify the ssl server
sslCACert=/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT

The fix

I copied over /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT  from the working machine and changed /etc/sysconfig/rhn/up2date :-

sslCACert[comment]=The CA cert used to verify the ssl server
sslCACert=/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT

 

Now  yum update worked.

Yum errors RHEL

When trying to do a yum install I got errors when actually trying to download

yum install mysql-server
Loaded plugins: product-id, rhnplugin, subscription-manager
Updating certificate-based repositories.
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package mysql-server.x86_64 0:5.1.73-8.el6_8 will be installed
--> Processing Dependency: mysql = 5.1.73-8.el6_8 for package: mysql-server-5.1.73-8.el6_8.x86_64
--> Processing Dependency: libcrypto.so.10(libcrypto.so.10)(64bit) for package: mysql-server-5.1.73-8.el6_8.x86_64
--> Processing Dependency: libssl.so.10(libssl.so.10)(64bit) for package: mysql-server-5.1.73-8.el6_8.x86_64
--> Processing Dependency: perl-DBD-MySQL for package: mysql-server-5.1.73-8.el6_8.x86_64
--> Running transaction check
---> Package mysql.x86_64 0:5.1.73-8.el6_8 will be installed
--> Processing Dependency: mysql-libs = 5.1.73-8.el6_8 for package: mysql-5.1.73-8.el6_8.x86_64
---> Package openssl.x86_64 0:1.0.0-20.el6_2.3 will be updated
---> Package openssl.x86_64 0:1.0.1e-57.el6 will be an update
---> Package perl-DBD-MySQL.x86_64 0:4.013-3.el6 will be installed
--> Running transaction check
---> Package mysql-libs.x86_64 0:5.1.61-1.el6_2.1 will be updated
---> Package mysql-libs.x86_64 0:5.1.73-8.el6_8 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
mysql-server x86_64 5.1.73-8.el6_8 rhel-x86_64-server-6 8.6 M
Installing for dependencies:
mysql x86_64 5.1.73-8.el6_8 rhel-x86_64-server-6 895 k
perl-DBD-MySQL x86_64 4.013-3.el6 rhel-x86_64-server-6 134 k
Updating for dependencies:
mysql-libs x86_64 5.1.73-8.el6_8 rhel-x86_64-server-6 1.2 M
openssl x86_64 1.0.1e-57.el6 rhel-x86_64-server-6 1.5 M

Transaction Summary
================================================================================
Install 3 Package(s)
Upgrade 2 Package(s)

Total download size: 12 M
Is this ok [y/N]: y
Downloading Packages:

 

Error Downloading Packages:
mysql-5.1.73-8.el6_8.x86_64: failed to retrieve getPackage/mysql-5.1.73-8.el6_8.x86_64.rpm from rhel-x86_64-server-6
error was [Errno 14] PYCURL ERROR 22 - "The requested URL returned error: 503"
perl-DBD-MySQL-4.013-3.el6.x86_64: failed to retrieve getPackage/perl-DBD-MySQL-4.013-3.el6.x86_64.rpm from rhel-x86_64-server-6
error was [Errno 14] PYCURL ERROR 22 - "The requested URL returned error: 503"
mysql-libs-5.1.73-8.el6_8.x86_64: failed to retrieve getPackage/mysql-libs-5.1.73-8.el6_8.x86_64.rpm from rhel-x86_64-server-6
error was [Errno 14] PYCURL ERROR 22 - "The requested URL returned error: 503"
openssl-1.0.1e-57.el6.x86_64: failed to retrieve getPackage/openssl-1.0.1e-57.el6.x86_64.rpm from rhel-x86_64-server-6
error was [Errno 14] PYCURL ERROR 22 - "The requested URL returned error: 503"
mysql-server-5.1.73-8.el6_8.x86_64: failed to retrieve getPackage/mysql-server-5.1.73-8.el6_8.x86_64.rpm from rhel-x86_64-server-6
error was [Errno 14] PYCURL ERROR 22 - "The requested URL returned error: 503"

error was [Errno 14] PYCURL ERROR 22 - "The requested URL returned error: 503"

Even a yum repolist had intermittent errors

Error: Cannot retrieve repository metadata (repomd.xml) for repository: rhel-x86_64-server-6. Please verify its path and try again

I tried various things like yum clean all and even removing the rpm db and remaking it.

The fix

In the end I found a similar RHEL box that was working and checked what yum would be updated to  :-

yum update yum
Loaded plugins: product-id, rhnplugin, subscription-manager
Updating certificate-based repositories.
Unable to read consumer identity
Setting up Update Process
Resolving Dependencies
--> Running transaction check
---> Package yum.noarch 0:3.2.29-30.el6 will be updated
---> Package yum.noarch 0:3.2.29-81.el6 will be an update
--> Processing Dependency: python-urlgrabber >= 3.9.1-10 for package: yum-3.2.29-81.el6.noarch
--> Running transaction check
---> Package python-urlgrabber.noarch 0:3.9.1-8.el6 will be updated
---> Package python-urlgrabber.noarch 0:3.9.1-11.el6 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
Package Arch Version Repository Size
================================================================================
Updating:
yum noarch 3.2.29-81.el6 rhel-x86_64-server-6 1.0 M
Updating for dependencies:
python-urlgrabber noarch 3.9.1-11.el6 rhel-x86_64-server-6 86 k

Transaction Summary
================================================================================
Upgrade 2 Package(s)

Total download size: 1.1 M
Is this ok [y/N]: N
Exiting on user Command

Then I searched for those packages on our Red Hat Satellite server

locate yum | grep 3.2.29-81 | grep rpm
/var/satellite/redhat/NULL/370/yum/3.2.29-81.el6/noarch/3702066d6cc553db72e489daa1d8151db6af604657e47dee229c0acfa5ccab62/yum-3.2.29-81.el6.noarch.rpm
/var/satellite/redhat/NULL/dab/yum-cron/3.2.29-81.el6/noarch/dab067a9e2f5be14cc74f9af04c0415ff10eecf24bb095da124bc2acf78d7530/yum-cron-3.2.29-81.el6.noarch.rpm

locate urlgrabber | grep 3.9.1-11.el6 | grep rpm
/var/satellite/redhat/NULL/4dd/python-urlgrabber/3.9.1-11.el6/noarch/4dd271d930e48809b7ab2832f1029fafc7c2268af018f27217c42f3d2c398835/python-urlgrabber-3.9.1-11.el6.noarch.rpm

Then scp’d them over to the faulty box /var/tmp and did a manual rpm -Uvh with them

Now yum install and yum repolist work without any issues

 

ssh fatal: buffer_get: trying to get more bytes than in buffer

The issue

You are using ssh to log in to a server with ssh key authentication and the connection is closed. On the server you are logging into, syslog shows messages like

Oct 17 11:30:02 myserver sshd[27687]: [ID 800047 auth.crit] fatal: buffer_get: trying to get more bytes than in buffer

The fix

Check your authorized_keys file on the remote server. Use ssh-keygen -l -f  ~/.ssh/authorized_keys

ssh-keygen -l -f ~/.ssh/authorized_keys
buffer_get: trying to get more bytes than in buffer

The above shows there is at least one key in your file that is in the wrong format, usually because it is split over several lines rather than being just one long line. (Note it could be any key in the file, not just the one you are using from your server.) Once you fix the key, confirm with ssh-keygen that all is well; it should return an md5 fingerprint.

ssh-keygen -l -f authorized_keys
md5 1024 5d:35:7e:ad:3d:e6:70:6d:6f:1d:76:1a:46:ee:c1:c9 authorized_keys

Now retry your ssh access
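
ssh-keygen only says that some key in the file is bad. As an added example (not part of the original post), this Python check reports which line is malformed by decoding each key blob and walking its length-prefixed fields. The function names are hypothetical, the sample uses dummy key material, and option parsing is simplified to "the first token that is a known key type".

```python
import base64
import binascii
import struct

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def check_blob(key_type, b64):
    """Return None if the key blob is well formed, else a short reason."""
    try:
        blob = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return "key data is not valid base64"
    fields, pos = [], 0
    while pos < len(blob):  # the blob is a run of length-prefixed fields
        if len(blob) - pos < 4:
            return "truncated length prefix"
        length = struct.unpack(">I", blob[pos:pos + 4])[0]
        pos += 4
        if length > len(blob) - pos:  # more bytes wanted than are in the buffer
            return "field wants %d bytes, %d left" % (length, len(blob) - pos)
        fields.append(blob[pos:pos + length])
        pos += length
    if len(fields) < 2 or fields[0] != key_type.encode():
        return "blob does not start with its key type"
    return None

def check_authorized_keys(text):
    """Return [(line_number, reason)] for each malformed entry."""
    problems = []
    for number, line in enumerate(text.splitlines(), 1):
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        idx = next((i for i, t in enumerate(tokens[:-1]) if t in KEY_TYPES), None)
        reason = ("no key type followed by key data" if idx is None
                  else check_blob(tokens[idx], tokens[idx + 1]))
        if reason:
            problems.append((number, reason))
    return problems

def _field(data):
    return struct.pack(">I", len(data)) + data
# Constructed sample with dummy key material: entry 1 intact, entry 2 wrapped after 40 chars.
_BLOB = _field(b"ssh-rsa") + _field(b"\x01\x00\x01") + _field(bytes(range(1, 129)))
GOOD = base64.b64encode(_BLOB).decode()
SAMPLE = "ssh-rsa %s ok@host\nssh-rsa %s\n%s bad@host\n" % (GOOD, GOOD[:40], GOOD[40:])
if __name__ == "__main__":
    print(check_authorized_keys(SAMPLE))
```

A wrapped key shows up as two findings: the first half has a field that runs past the end of its data, and the continuation line has no key type at all.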

TSM ANS1245E The file has an unknown format When doing a RMAN restore

If the DBAs get the error “ANS1245E The file has an unknown format” when doing an RMAN restore of a DB from one machine to another, check that the version of the TSM client API (not the TDP version) is the same on both machines.

The easiest way to do this is to type dsmc on both machines.

This is machine 1 where the TSM RMAN backup was done

$ dsmc
IBM Tivoli Storage Manager
Command Line Backup-Archive Client Interface
  Client Version 7, Release 1, Level 1.0

This is machine 2 where the DBAs were restoring the RMAN backup to

$ dsmc
IBM Tivoli Storage Manager
Command Line Backup-Archive Client Interface
  Client Version 6, Release 4, Level 2.0

The fix was to upgrade the TSM client on machine 2 to 7.1.1 to match that on machine 1. Once the client was updated the RMAN restore worked fine.

Configure Sendmail on HPUX to listen on localhost only

HPUX 11.23

Edit /etc/mail/sendmail.cf  – search for DaemonPortOptions  and set
O DaemonPortOptions=Name=MTA, Addr=127.0.0.1
O DaemonPortOptions=Addr=127.0.0.1, Port=587, Name=MSA, M=E

Restart Sendmail

/sbin/init.d/sendmail stop
/sbin/init.d/sendmail start

Confirm sendmail is only listening on localhost

netstat -an | grep 25
tcp 0 0 127.0.0.1.25 *.* LISTEN

HPUX 11.11,  HPUX 11.00 and HPUX 10.20

Edit /etc/mail/sendmail.cf  – search for DaemonPortOptions  and set
O DaemonPortOptions=Addr=127.0.0.1

Restart Sendmail

/sbin/init.d/sendmail stop
/sbin/init.d/sendmail start

Confirm Sendmail is only listening on localhost

netstat -an | grep 25
tcp 0 0 127.0.0.1.25 *.* LISTEN

HPUX 11.31

cd /usr/newconfig/etc/mail/cf/cf
./gen_cf

1 General Features
8:  Send only

0 Main Menu

5: Generate sendmail.cf

6: Generate submit.cf

9: Create User and Queue for MSP
The group account for smmsp would be
created with the following gid value
gid = 25
>  Do you want to continue and create the group with the above gid
Press any key to continue or [n/N] to change the gid value

Group created Successfully

The user account for smmsp would be
created with the following uid value(recommended).
uid = 2500
>  Do you want to continue and create the user with the above uid
Press any key to continue or [n/N] to change the uid value

User created successfully
Creating Queue dir for MSP: /var/spool/clientmqueue/
Access permissions of /usr/sbin/sendmail is set to 2555
Group ID of /usr/sbin/sendmail is set to smmsp
Press any key to continue

0: Exit from selection

cp sendmail.cf.gen /etc/mail/sendmail.cf
cp submit.cf.gen /etc/mail/submit.cf

vi /etc/mail/sendmail.cf
O DaemonPortOptions=Name=MTA, Addr=127.0.0.1
O DaemonPortOptions=Addr=127.0.0.1, Port=587, Name=MSA, M=E

vi /etc/rc.config.d/mailservs
export SENDMAIL_SERVER=0
export SENDMAIL_SERVER_NAME=
export SENDMAIL_RECVONLY=0
export SENDMAIL_SENDONLY=1

/sbin/init.d/sendmail stop
/sbin/init.d/sendmail start

Confirm Sendmail is listening on localhost only

netstat -an | grep 25

tcp        0      0  127.0.0.1.25           *.*                     LISTEN
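
netstat -an | grep 25 also matches unrelated lines (port 2500, addresses containing 25) and says nothing about port 587. As an added example (not part of the original post), this Python check reads sendmail.cf for DaemonPortOptions entries without Addr=127.0.0.1 and reads HP-UX netstat -an output for mail ports listening on anything other than loopback. The function names and sample data are constructed for illustration.

```python
import re

LOOPBACK = "127.0.0.1"

def daemon_port_options(cf_text):
    """Parse each active 'O DaemonPortOptions=' line of sendmail.cf into a dict."""
    entries = []
    for line in cf_text.splitlines():
        match = re.match(r"O\s+DaemonPortOptions\s*=\s*(.*)", line)
        if match:  # keys are assumed to be spelled as on this page (Addr, Port, Name)
            items = [i.split("=", 1) for i in match.group(1).split(",") if "=" in i]
            entries.append({key.strip(): value.strip() for key, value in items})
    return entries

def unbound_daemons(cf_text):
    """Return the daemon entries that are not pinned to the loopback address."""
    return [e for e in daemon_port_options(cf_text) if e.get("Addr") != LOOPBACK]

def exposed_listeners(netstat_text, ports=(25, 587)):
    """Return (address, port) for mail-port LISTEN sockets not bound to loopback.

    Expects HP-UX 'netstat -an' rows, where the local address is written as
    address.port (127.0.0.1.25, or *.25 for every interface).
    """
    exposed = []
    for line in netstat_text.splitlines():
        cols = line.split()
        if len(cols) < 6 or not cols[0].startswith("tcp") or cols[-1] != "LISTEN":
            continue
        address, _, port = cols[3].rpartition(".")
        if port.isdigit() and int(port) in ports and address != LOOPBACK:
            exposed.append((address, int(port)))
    return exposed

# Constructed samples, not captured from a real host.
SAMPLE_CF = """\
O DaemonPortOptions=Name=MTA, Addr=127.0.0.1
O DaemonPortOptions=Port=587, Name=MSA, M=E
"""
SAMPLE_NETSTAT = """\
tcp        0      0  127.0.0.1.25           *.*                     LISTEN
tcp        0      0  *.587                  *.*                     LISTEN
tcp        0      0  *.2500                 *.*                     LISTEN
tcp        0      0  10.0.0.5.22            10.0.0.9.52514          ESTABLISHED
"""

if __name__ == "__main__":
    print(unbound_daemons(SAMPLE_CF))
    print(exposed_listeners(SAMPLE_NETSTAT))
```

In the sample, the MSA entry lacks Addr=127.0.0.1 and netstat confirms it: port 587 is listening on every interface while port 25 is loopback only.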

Installing letsencrypt free SSL HTTPS certificate on Centos 6 Apache

Let's Encrypt is a free and open automated certificate authority. You can get an SSL certificate from them for free that is trusted by browsers on nearly all platforms – see the FAQ

This is how to do it for Centos 6 running Apache HTTPD server and assumes you already have HTTPS setup but are currently using a self signed certificate.

Note the way you request and get verified for the certificate is by installing a Python client which will start up its own web server on port 80. The install of the client may involve installing dependency Centos packages like gcc and other development tools.

So first install the client

As root or using sudo

git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto --help

Stop Apache

service httpd stop

Run the client, giving your email address and the domains you want (note that as Centos 6 uses Python 2.6 you have to enable debug mode, and you get lots of warnings about version 2.6). For example, for my site I did

./letsencrypt-auto certonly --standalone --email me@tuqix.org -d tuqix.org  -d www.tuqix.org

It will fire up a screen to ask you to accept their terms and conditions

It will then come back with a message that your certificate has been saved as /etc/letsencrypt/live/yourdomain/fullchain.pem

Start your Apache HTTP server

service httpd start

Edit /etc/httpd/conf.d/ssl.conf

Update
SSLCertificateFile /etc/letsencrypt/live/yourdomain/cert.pem

SSLCertificateKeyFile /etc/letsencrypt/live/yourdomain/privkey.pem

SSLCertificateChainFile /etc/letsencrypt/live/yourdomain/chain.pem

Restart Apache HTTPD server

service httpd restart

Now when you browse to https://yourdomain your browser should not complain about the SSL certificate

Renewing your certificate

Letsencrypt certificates are valid for 90 days.

The good news is you can automagically renew your certificate. By default it will only update your certificate if it will expire in less than 30 days so you can run a cron job once a month for example without any harm.

To renew a certificate :-

Stop Apache

service httpd stop

/fullpath/letsencrypt-auto renew --standalone --debug

If the renew was successful you will see :-

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/yourdomain/fullchain.pem (success)

Then start Apache

service httpd start

To run from cron create a script /usr/local/bin/letsencrypt.renew like

#!/bin/bash

/sbin/service httpd stop

/fullpath/letsencrypt-auto renew --standalone --debug > /var/log/letsencrypt/renew.log 2>&1

/sbin/service httpd start

Add it to root’s cron to run for example 03:00 on the 9th of each month

00 03 09 * * /usr/local/bin/letsencrypt.renew

TSM ANS4042E one or more unrecognised characters and is not valid , Linux client

When backing up on a Linux client to TSM getting the error :-

ANS4042E Object name  contains one or more unrecognised characters and is not valid

In our case we had file names based on surnames, some of which had non-English characters.

The fix was :-

export LANG=C

In our backup script.

 

Odiris A-8 Coconut Grater Review

Getting the edible coconut out of a coconut can be a challenge. I have found a useful tool – the Odiris A-8 Coconut Grater.

It comes with just the blade needed to be screwed onto the body

Once assembled you clamp it to a worktop  ( use some paper to protect the worktop surface ) with a bowl underneath the cutter to catch the coconut gratings and then hold a half of a coconut with one hand while turning the handle with the other.

You need to rotate round the coconut as you go so the blades can get access to all the content.

I found it easy to use and easy to clean afterwards – much better than trying to use a knife to get at the coconut.

The UK distributor is Nishan Enterprise Lanka Limited. You can find the Odiris for sale on Ebay as well as in various ethnic grocery shops.

 

 

Discover what control LDOM a guest LDOM is on

If you are on a Solaris LDOM and you want to find out what the Control LDOM is :-

virtinfo -a
Domain role: LDoms guest I/O
Domain name: myserver-p1
Domain UUID: 06a4456da-76e0-4aa9-a0ef-ebc64ed0aada
Control domain: mycontrolldom
Chassis serial#: 1223BEZ6RRE

So the above shows it to be a guest LDOM called myserver-p1 and the Control LDOM is mycontrolldom

You can also use virtinfo -c to return just the Control domain

 

E437: terminal capability “cm” required in Redhat or Centos 6

If you try to use vi or another curses based application in Redhat or Centos 6 and you get the error :-

E437: terminal capability "cm" required
Press ENTER or type command to continue

and your TERM type is something other than vt100, such as dtterm, then you need to install additional terminfo entries.

The fix

yum install ncurses-term

Now ls /usr/share/terminfo/d shows lots of entries rather than just dumb