January 2008

Apache releases version 2.2.8 still problems with SSL

Apache just released version 2.2.8 of it’s webserver. It’s mostly just a security fix release. When using it on Tiger there isn’t any issue with compiling and installing it as described in the documentation. On Leopard it’s another issue (or there is still the same issue). The bug we found in the apr configuration with the APR_HAS_SENDFILE option is now solved. You can compile it out of the box. The problem with mod_ssl still stands and needs to be solved. This time even copying the original mod_ssl module which worked with 2.2.6 doesn’t help anymore. If anyone has any ideas how to solve this problem I and many others would be very gratefull for that!

Expiring SSL certificates on your mailserver

It’s that time of year again for me. My certificates which I normally give a lifespan of a year expired again. I thought I should write down the procedure for refreshing your certificates for all of you and myself so you don’t need to wade through the complete documentation set to find the relevant parts. I hope it as usefull to as it will be for me in a year.

First we’ll do the postifx SMTP TLS/SSL part.

Just open a Terminal and execute the following command in the directory ‘/etc/postfix‘:

sudo openssl req -new -outform PEM -out smtpd.cert \
    -newkey rsa:2048 -nodes -keyout smtpd.key -keyform PEM \
    -days 365 -x509

This will create a 2048 bit encryption key that, for now, is secure enough for you mailserver to use. If you are paranoid and want a bigger key just increase the number after rsa:. The key will be valid for a year, if you want a longer period just increase the number after the -days option. When the key is finished you will be asked a couple of questions you need to answer. The information will be shown to people who want to see your certificate when their mail client complains. The most important one is the ‘Common Name’, make sure that that one is the same as the mail server name. Also please make sure that all your answers are the same as the original certificate.

Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:your.mailserver.tld
Email Address []:you@yourdomain.tld

To make sure everything is refreshed do a ‘sudo postfix reload‘ and try to send an email.

For the IMAP server it is a bit simpler as all the details there are put in a configuration file that still should be there: ‘/usr/local/etc/imapd.cnf‘. Please check the contents of the file and if they don’t relfect your setup please edit the file as described here.

When everything is verified and found in the correct state you can go to the directory ‘/usr/local/share‘ and run ‘sudo ./mkimapdcert‘ to generate a new certificate. Make sure you remove the existing ‘imapd.pem‘ in the same directory first or no new certificate will be created.

Start up your favourite mail client and check the certificate.

All should be in the correct state and our certificates are valid for another year.

Problems, DSL off-line

Sorry for the downtime of the sites, my ISP had some issues and wasn’t refreshing the DHCP leases. I hope you didn’t get into problems because of it…

Sun acquires MySQL

We’ll I wonder what will happen with MySQL, first the full or enterprise version was put behind bars and now a take over by Sun. I guess the future will tell. If it has any troubling consequences I guess we’ll have to switch to another open source database but I think there is a slim change that it will go that bad.

Here is the news from MySQL and here from Sun.

Leopard, Apache and mod_ssl

Thanks to Tim we’ve got a simple workaround to get our own compiled Apache version 2.2.6 running on Leopard with a proper SSL module. The solution is to just use the original mod_ssl module from the original installation. The original mod_ssl module can be found in /usr/libexec/apache2/.

To use this original module the best way possible use these commands:

cd /usr/local/apache2/modules/
sudo mv mod_ssl.so mod_ssl.so.old
sudo ln -s /usr/libexec/apache2/mod_ssl.so mod_ssl.so

Restart the server, uncomment the mod_ssl module in your httpd.conf and restart the server to see it working.

You could also copy the module from its original location but I choose this method because it will benefit from any update that might happen with a security update from Apple.

I can only hope it will also work with a new version of Apache, but we’ll have to wait and see.