Exim and gnutls - A TLS fatal alert has been received

Posted: 2016-06-03 23:52:16 by Alasdair Keyes

Direct Link | RSS feed

Whilst diagnosing why an email wasn't getting through to me, I noticed the following errors appearing occasionally in my Exim logs.

"2016-06-03 20:20:36 TLS error on connection from servername (servername) [1.2.3.4] (gnutls_handshake): A TLS fatal alert has been received.


Anything producing the words 'fatal' in logs are cause for alarm and it wasn't something I'd seen before so I did a bit of investigation and found that it was due to the TLS certificate I have for exim not having a common name set that matches the hostname that the remote server was connecting to.

My certificate had akeyes.co.uk and www.akeyes.co.uk however my MX records are mail.akeyes.co.uk, this doesn't really cause an error, mail is still accepted, however at some point in future (and some very strict mail servers) may refuse such connections so it's best to get it fixed.

To diagnose the issue, lets try connecting on a hostname that is not on the certificate, as I was on the server, 127.0.0.1 would do fine. As exim is compiled against gnutls we'll need to use the gnutls command line tools..
apt-get install gnutls-bin -y

Then connect using gnutls-cli bold red text is what I typed and bold blue text is the useful part of the response

# gnutls-cli -s -p 25 127.0.0.1
Processed 174 CA certificate(s).
Resolving '127.0.0.1'...
Connecting to '127.0.0.1:25'...
- Simple Client Mode:
220 vps2.akeyes.co.uk ESMTP Exim 4.84_2 Fri, 03 Jun 2016 20:40:55 +0100
ehlo me
250-vps2.akeyes.co.uk Hello localhost [127.0.0.1]
250-SIZE 104857600
250-8BITMIME
250-PIPELINING
250-STARTTLS
250 HELP
starttls
220 TLS go ahead
<CTRL-D>
*** Starting TLS handshake
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
 - subject `CN=akeyes.co.uk', issuer `C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3', RSA key 2048 bits, signed using RSA-SHA256, activated `2016-06-03 18:35:00 UTC', expires `2016-09-01 18:35:00 UTC', SHA-1 fingerprint `d0b48bf7056860c48ab204e246b5ec95dcac42f4'
    Public Key ID:
        4d601b2e453c98b68ac88addd946de73982b6cac
    Public key's random art:
        +--[ RSA 2048]----+
        |       =*        |
        |      ++o+       |
        |     ...o..      |
        |      .. o       |
        |.. . .  S .      |
        |... . .          |
        |o. . B . o       |
        |o . o O = .      |
        |    E+ ..+       |
        +-----------------+
- Certificate[1] info:
 - subject `C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3', issuer `O=Digital Signature Trust Co.,CN=DST Root CA X3', RSA key 2048 bits, signed using RSA-SHA256, activated `2016-03-17 16:40:46 UTC', expires `2021-03-17 16:40:46 UTC', SHA-1 fingerprint `e6a3b45b062d509b3382282d196efe97d5956ccb'
- Status: The certificate is NOT trusted. The name in the certificate does not match the expected. 
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
*** Handshake has failed


I then ran the same command but using a hostname I knew was on the certificate


# gnutls-cli -s -p 25 akeyes.co.uk
Processed 174 CA certificate(s).
Resolving 'akeyes.co.uk'...
Connecting to '178.62.80.10:25'...
- Simple Client Mode:
220 vps2.akeyes.co.uk ESMTP Exim 4.84_2 Sat, 04 Jun 2016 00:02:08 +0100
ehlo me
250-vps2.akeyes.co.uk Hello vps2.akeyes.co.uk [178.62.80.10]
250-SIZE 104857600
250-8BITMIME
250-PIPELINING
250-STARTTLS
250 HELP
starttls
220 TLS go ahead
<CTRL-D>
*** Starting TLS handshake
- Certificate type: X.509
...
...
- Status: The certificate is trusted. 
...
...


So we can see why this error is occuring, the easy fix is to ensure that the certificate used by Exim has all required hostnames. I use letsencrypt so I just regenerated a certificate and added -d mail.akeyes.co.uk switch. Alternatively, change the MX records for all domains your server handles mail for, to a hostname which is included on the certificate.

Oh, and in case you were wondering, the cause of the mail getting through was misconfiguration of the sender's DNS. The hostname part of his email address was a subdomain which had no DNS record so sender verification failed.


If you found this useful, please feel free to donate via bitcoin to 1NT2ErDzLDBPB8CDLk6j1qUdT6FmxkMmNz

Chrome APT update error

Posted: 2016-03-22 07:18:22 by Alasdair Keyes

Direct Link | RSS feed

For testing I have the Linux version of Google Chrome installed, recently I was seeing the following error in my Package manager

failed to fetch http //dl.google.com/linux/chrome/deb/dists/stable/release

The fix is fairly easy, update your /etc/apt/sources.list.d/google-chrome.list file in the following way

deb http://dl.google.com/linux/chrome/deb/ stable main

to

deb [arch=amd64] http://dl.google.com/linux/chrome/deb/ stable main

Then refresh your sources list. The file does warn that it'll be auto generated. So this might well occur again, but doesn't seem to be auto-generated often so should be good for a while.


If you found this useful, please feel free to donate via bitcoin to 1NT2ErDzLDBPB8CDLk6j1qUdT6FmxkMmNz

IT Russian Roulette

Posted: 2016-03-21 21:12:43 by Alasdair Keyes

Direct Link | RSS feed

Living dangerously... http://www.commitstrip.com/en/2014/05/16/russian-roulette/


If you found this useful, please feel free to donate via bitcoin to 1NT2ErDzLDBPB8CDLk6j1qUdT6FmxkMmNz

Return of the Gopher Server

Posted: 2016-03-17 19:07:01 by Alasdair Keyes

Direct Link | RSS feed

After being bombared with literally no requests as to where my Gopher server went after my server move, It's back!!

gopher://gopher.akeyes.co.uk

(You'll have to hunt out your own Gopher client, Firefox doesn't support the protocol anymore and I doubt any of the other browsers do either)


If you found this useful, please feel free to donate via bitcoin to 1NT2ErDzLDBPB8CDLk6j1qUdT6FmxkMmNz

Puppet Nagios Plugin

Posted: 2016-03-14 10:39:58 by Alasdair Keyes

Direct Link | RSS feed

Over the weekend I finished migrating all my servers to being managed by a PuppetMaster. Some of these servers were quite old (One is over 5 years old, so forcing it's management into Puppet when it has lots of customisation and idiosynchrocies was a little nerve-wracking... thankfully all went well!

Now that everything is all under control, I wanted to ensure that Puppet was working correctly and nothing was getting left behind an errors weren't silently going un-noticed. There are a number of Puppet-centric tools that do this, but I didn't really want the extra Puppet functionality. Since I already monitor my systems with Nagios, I thought a simple Plugin would be useful.

With that, I've just released the first version of nagios-plugin-check_puppet_run

The core functionality is just to report the last run, the number of resources and the number of changes and any errors generated on the last run.

OK: Successes:0 Failures:0 Last Run:Mon Mar 14 10:10:41 2016 Version:3.7.2 Changes:0 Resources:44

WARNING: Successes:0 Failures:1 Last Run:Mon Mar 14 10:10:41 2016 Version:3.7.2 Changes:0 Resources:44

The script checks the Puppet last run summary file /var/lib/puppet/state/last_run_summary.yaml rather than other plugins that check if the Puppet service is running, this way, you can execute puppet by Cron/Daemon and still get a valid result on your Puppet install.


If you found this useful, please feel free to donate via bitcoin to 1NT2ErDzLDBPB8CDLk6j1qUdT6FmxkMmNz

Inbox Zero: Update

Posted: 2016-03-10 07:25:53 by Alasdair Keyes

Direct Link | RSS feed

It's been almost 6 months since I started using Inbox Zero (See original post) so I thought I would provide an update....

Overall it's been a success, at present my personal inbox has 1 item in it and my work has 3 outstanding items.

It's not easy to measure it's value as I've been using email pretty succesfully for the past 20 years, however by the following metrics, it has been a great success...

Overall, if you can start using it, I think you'll really feel the benefits


If you found this useful, please feel free to donate via bitcoin to 1NT2ErDzLDBPB8CDLk6j1qUdT6FmxkMmNz

Munin Automatic plugin addition with Puppet

Posted: 2016-03-06 14:40:25 by Alasdair Keyes

Direct Link | RSS feed

I manage the core of my servers with Puppet and also use Munin for graphing system resources and metrics.

Munin has a lot of built in plugins to record system metrics and on installation will auto-detect what is available on the system to monitor, but it doesn't activate new plugins automatically. For example, I installed Munin Node on a server and then after installing NTP, Munin didn't know to monitor NTP metrics until I updated the plugins with the munin-node-configure command.

To combat this I wrote the following Puppet stanza to do this for me. In essence, it checks if munin-node-configure has detected any new plugins, if so, it just activates them and notifies the munin-node service to reload.

exec { 'add_suggested_munin_checks': 
    path    => [ "/usr/bin", "/usr/sbin", "/sbin", "/usr/local/sbin", "/bin" ],
    command => "munin-node-configure --suggest --shell | grep 'ln -s' | bash",
    onlyif  => "munin-node-configure --suggest --shell | grep 'ln -s'",
    notify  => Service['munin-node'],
}

service { 'munin-node':
    ensure  => 'running',
    enable  => true,
}

If anyone else manages Munin Nodes via Puppet, this could well help you speed up your Munin updates over large estates


If you found this useful, please feel free to donate via bitcoin to 1NT2ErDzLDBPB8CDLk6j1qUdT6FmxkMmNz

Worst passwords of 2015

Posted: 2016-02-15 20:42:23 by Alasdair Keyes

Direct Link | RSS feed

For any sysadmin, the use of weak passwords and the havoc it can wreak across your infrastructure and data can keep you up at night if you think about it too hard. A good password policy with correct enforcement can really help but people will use the easiest that they can get away with.

See the following worst passwords of 2015

https://www.teamsid.com/worst-passwords-2015/


If you found this useful, please feel free to donate via bitcoin to 1NT2ErDzLDBPB8CDLk6j1qUdT6FmxkMmNz

rsync Puppet YUM repository

Posted: 2016-01-16 11:50:37 by Alasdair Keyes

Direct Link | RSS feed

I noticed that the Puppetlabs APT repository README has information on rsync'ing a local copy, but the YUM repository doesn't. So for anyone who wants to do it, the following will help...

YUM

rsync -av --stats --progress --copy-links --del rsync://yum.puppetlabs.com/packages/yum/ /home/repos/yum/puppet

APT

rsync -av --stats --progress --copy-links --del rsync://apt.puppetlabs.com/packages/apt/ /home/repos/apt/puppet


If you found this useful, please feel free to donate via bitcoin to 1NT2ErDzLDBPB8CDLk6j1qUdT6FmxkMmNz

Document versioning with GIT

Posted: 2016-01-05 23:43:55 by Alasdair Keyes

Direct Link | RSS feed

I've been at my new job for 3 months now and my home folder is slowly growing in size. Like most people often have files that are updated frequently, spreadsheets, build specs etc and I thought it would be quite nice to have a quick and dirty versioning system for my documents.

I didn't want to get too in-depth with log structured filesystems such as NILFS or really have to use a new FS or fuse-based FS as it seems an unnecessary length to go to. I don't have any requirement to store every single version, but just give me snapshots I could refer back to in future or easily restore mistakenly deleted files.

I decided that git would be a suitable base for this for the following reasons

I started by initializing my docs

$ cd /home/akeyes/mydocs
$ git init
Initialised empty Git repository in /home/akeyes/mydocs/.git
$ git add .
$ git commit -m "Initial commit"
[master (root-commit) 4cbb3d8] Initial commit
 152 files changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 xxxxxx.docx
 create mode 100644 xxxxxx.odt
 ...
 create mode 100644 xxxxxx.txt

Now I have my initial commit, I wrote the followig script to add to cron

#!/bin/bash

FOLDER=/home/akeyes/mydocs
cd $FOLDER

if [ `git status --porcelain | wc -l` -gt 0 ]; then
    git add --all .
    git commit -m "Checkpoint"
fi

I was unaware of the --porcelain argument for git, but it essentially shows a simple machine parseable output of git status. For my usage if there's any output, it shows there's a change and it needs to be snapshotted

$ git status --porcelain
?? newfile
?? newfile1

the --all switch to git add allows git add to succesfully add in file deletions and not require git rm

To start with I just added this into my crontab

* * * * *    /home/akeyes/checkpoint_docs.sh

And now git log shows my versioning working

$ git log --name-only
commit d0544e40b856eb98cc2129f98383895708083deb
Author: Alasdair Keyes <x@x.com>
Date:   Tue Jan 5 19:47:00 2016 +0000

    Checkpoint

newfile2

commit 139fd9ff825232e0551bf570e4ac8957bc93c8b1
Author: Alasdair Keyes <x@x.com>
Date:   Tue Jan 5 19:46:00 2016 +0000

    Checkpoint

newfile
newfile2
newfile3

commit 8539658cd62581c3a514081c30d3c30a2a0a7ac9
Author: Alasdair Keyes <x@x.com>
Date:   Tue Jan 5 19:45:00 2016 +0000

    Checkpoint

newfile
newfile1

commit ba6ec4f43aecb81db0709ea18418d94d24cbb3d8
Author: Alasdair Keyes <x@x.com>
Date:   Tue Jan 5 19:42:33 2016 +0000

    Initial commit

xxxxxx.docx
xxxxxx.odt
xxxxxx.txt

It seems to work very well, on top of this I've created a .gitignore

# Libreoffice temp files
**/.~*#
# VIM swap files
**/.*.swp
# Keepass lock files
**/*.lock

Which stops temp files from LibreOffice being commited.


If you found this useful, please feel free to donate via bitcoin to 1NT2ErDzLDBPB8CDLk6j1qUdT6FmxkMmNz

© Alasdair Keyes

IT Consultancy Services

I'm now available for IT consultancy and software development services - Cloudee LTD.



Happy user of Digital Ocean (Affiliate link)

Digital Ocean Affiliate


Version:master-53c82addfa


Validate HTML 5