Adam Young http://adamyoung.net en

OpenSSL unable to write 'random state' http://adamyoung.net/OpenSSL-unable-to-write-random-state
<div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even" property="content:encoded"><pre>
$ openssl genrsa -des3 -out adamyoung.net.key 1024
Generating RSA private key, 1024 bit long modulus
.........................++++++
.................................................................++++++
unable to write 'random state'
e is 65537 (0x10001)
Enter pass phrase for adamyoung.net.key:
aborted!
4553:error:0906906F:PEM routines:PEM_ASN1_write_bio:read key:pem_lib.c:331:
</pre><p> <strong>The Fix:</strong><br /> There's a .rnd file that OpenSSL needs to write to. You should change the ownership to the proper user and group. Typically it's in the $HOME directory:</p>
<pre>sudo chown adam:adam ~/.rnd</pre>
<p> If this doesn't work, check $RANDFILE or generate the key with -rand &lt;file&gt;.</p>
</div></div></div>
Fri, 03 Apr 2009 12:07:26 +0000 adam 53 at http://adamyoung.net http://adamyoung.net/OpenSSL-unable-to-write-random-state#comments

MySQL DNS Lookups http://adamyoung.net/MySQL-DNS-Lookups
<div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even" property="content:encoded"><p>A couple days after xmas while I wanted to kill myself due to having the <a href="http://en.wikipedia.org/wiki/Norovirus" target="_blank">Norovirus</a> I got a call that our database servers at servercentral were all down. Sweet timing. Working next to a puke bowl I got in and saw that connections were hanging during login. 
It looks like this:</p>
<pre>
+-----+----------------------+------------------+------+---------+------+-------+-----------------------+
| Id  | User                 | Host             | db   | Command | Time | State | Info                  |
+-----+----------------------+------------------+------+---------+------+-------+-----------------------+
| 200 | unauthenticated user | 192.168.1.3:1312 | NULL | Connect | NULL | login | NULL                  |
+-----+----------------------+------------------+------+---------+------+-------+-----------------------+
</pre>
<p> Pasting "unauthenticated user" into Google it became obvious the problem is with DNS lookups. Due to some asshatery at MySQL thinking it'd be a good idea to authenticate against hostname, it does DNS lookups for every connection by DEFAULT. Simple fix:</p>
<p>Add this to /etc/my.cnf:</p>
<pre>skip-name-resolve</pre>
<p> I checked two days later and servercentral's DNS servers were still messing up frequently. I wonder how many other Christmas breaks were ruined...</p>
</div></div></div>
Tue, 20 Jan 2009 13:41:42 +0000 adam 52 at http://adamyoung.net http://adamyoung.net/MySQL-DNS-Lookups#comments

Linux Routing Multiple IPs http://adamyoung.net/Linux-Routing-Multiple-IPs
<div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even" property="content:encoded"><p>I added some more IPs to a server today and it changed the default outgoing IP. Looking at route -n it became obvious that the gateway for the new IPs became the default gateway. This messed up a bunch of webservices that are stupidly tied to IP (not my fault) and for which I hadn't specified the outgoing IP in the config (ok, my fault).</p>
<p>Rather than fix my mistake, which would've taken a while, I fixed the routing table. 
The first step is to add back the old gateway if it's missing:</p>
<pre>route add default gw 22.22.22.22</pre>
<p> Verify it was added with route -n and then delete the wrong route:</p>
<pre>route del -net 0.0.0.0 gw 11.11.11.11</pre>
<p> This got my IP back to the one listed for eth0 in ifconfig. If it hadn't worked (i.e., used the IP on eth0:0 instead) then I would've used the new (relative to route) ip command from the iproute2 package. The <a href="http://lartc.org/howto/" target="_blank">Linux Advanced Routing &amp; Traffic Control Howto</a> has a ton of info and examples on using the iproute2 package. Here's an untested example:</p>
<pre>ip route add default via 192.168.1.5 dev eth0 src 192.168.1.15</pre></div></div></div>
Tue, 20 Jan 2009 13:18:20 +0000 adam 51 at http://adamyoung.net http://adamyoung.net/Linux-Routing-Multiple-IPs#comments

gem install mysql OS X http://adamyoung.net/gem-install-mysql-OSX
<div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even" property="content:encoded"><p>After having trouble <a href="http://www.adamyoung.net/MySQL-python-On-OSX">installing mysql support for python</a>, I ran into similar problems with ruby. To fix, first I installed a new version of MySQL from mysql.com. I'm not sure if this is necessary since OS X comes with MySQL but I don't have a second box to test with. 
After running the install, pick one of the commands below that matches the version you installed.</p>
<p><strong>MySQL x86:</strong></p>
<pre>sudo env ARCHFLAGS="-arch i386" gem install mysql -- \
  --with-mysql-include=/usr/local/mysql/include \
  --with-mysql-lib=/usr/local/mysql/lib</pre>
<p> <strong>MySQL x86_64:</strong></p>
<pre>sudo env ARCHFLAGS="-arch x86_64" gem install mysql -- \
  --with-mysql-include=/usr/local/mysql/include \
  --with-mysql-lib=/usr/local/mysql/lib</pre>
<p> * I had problems using the x86_64 version because ruby is only compiled as 32-bit</p>
</div></div></div>
Sun, 23 Nov 2008 02:17:23 +0000 adam 50 at http://adamyoung.net http://adamyoung.net/gem-install-mysql-OSX#comments

OS X How to fix ABC, FOX, The CW, etc Episode Players http://adamyoung.net/OS-X-How-to-Fix-ABC-FOX-The-CW-Episode-Players
<div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even" property="content:encoded"><p>My new most hated company: Move Networks. &lt;rant&gt;You guys suck and it's no surprise you have an office in Ann Arbor. If you wanted real talent you'd be in East Lansing. TV shows were way better to watch on Hulu instead of your player.&lt;/rant&gt;</p>
<p>The Move Networks player is being used by pretty much every major broadcaster: ABC, FOX, The CW, FX Networks, ESPN, Televisa, Oprah and it's gathering more every day. Unfortunately, their install support is pretty much useless. If you search the web you'll find tons of people stuck and pissed off that it doesn't work.</p>
<p><strong>Here's how I got the player to work on OS X. I assume there's a similar method for Windows people - someone please post it below if you find one.</strong></p>
<p><strong>Non-techie way:</strong><br /> 1. Open Finder<br /> 2. You should be in your home directory with your username. For example, mine is "adam". If not, go to your home directory.<br /> 3. 
Click the "Library" folder<br /> 4. Click the "Internet Plugins" folder<br /> 5. Select the file named "Move-Media-Player.plugin"<br /> 6. Press the keys Command Delete (These are two different keys. The Command key has either an Apple logo or this logo: ⌘).<br /> 7. Close Safari (you can press ⌘Q to do it)<br /> 8. Re-open Safari and visit: <a href="http://www.movenetworks.com" target="_blank">Move Networks</a>. Click the Download button on the page.</p>
<p><strong>Tech way:</strong><br /> rm -rf ~/Library/Internet\ Plugins/Move_Media_Player.plugin</p>
<p>I hope this helps save other people time.</p>
</div></div></div>
Sat, 15 Nov 2008 04:39:11 +0000 adam 49 at http://adamyoung.net http://adamyoung.net/OS-X-How-to-Fix-ABC-FOX-The-CW-Episode-Players#comments

Verisign Which Certificate Chain http://adamyoung.net/Verisign-Which-Certificate-Chain
<div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even" property="content:encoded"><p>Verisign has 4 SSL certificate versions. Each one uses a different intermediate CA certificate. The intermediate is what SSLCertificateChainFile points to in Apache httpd. Here's a two-step method for finding which one you need:</p>
<p><strong>Step 1:</strong><br /> Use the Verisign <a href="https://securitycenter.verisign.com/celp/enroll/searchStart" target="_blank">Search for SSL or Code Signing Certificates</a> link and enter the Common Name (the address you bought it for, i.e. <a href="http://www.adamyoung.net">www.adamyoung.net</a>)</p>
<p><strong>Step 2:</strong><br /> Compare the Certificate Type field to the table below</p>
<p>* If you're using Apache, use the bundle if it exists. 
I think IIS uses singles.</p> <table><tr><th>Certificate Type</th> <th>Advertised Name</th> <th>Intermediate Certificate</th> </tr><tr><td>Digital ID Class 3 - Secure Server</td> <td>Secure Site</td> <td><a href="http://www.verisign.com/support/verisign-intermediate-ca/secure-site-intermediate/index.html" target="_blank">single</a></td> </tr><tr><td>Digital ID Class 3 - Global Server ID</td> <td>Secure Site Pro</td> <td><a href="http://www.verisign.com/support/verisign-intermediate-ca/secure-site-pro-intermediate/index.html" target="_blank">single</a></td> </tr><tr><td>Digital ID Class 3 - VeriSign Extended Validation Secure Server</td> <td>Secure Site with EV</td> <td><a href="http://www.verisign.com/support/verisign-intermediate-ca/extended-validation/apache/index.html" target="_blank">bundle</a> | <a href="http://www.verisign.com/support/verisign-intermediate-ca/extended-validation/index.html" target="_blank">singles</a></td> </tr><tr><td>Digital ID Class 3 - VeriSign Extended Validation Global Server</td> <td>Secure Site Pro with EV</td> <td><a href="http://www.verisign.com/support/verisign-intermediate-ca/extended-validation-pro/apache/index.html" target="_blank">bundle</a> | <a href="http://www.verisign.com/support/verisign-intermediate-ca/extended-validation-pro/index.html" target="_blank">singles</a></td> </tr><tr><td>Digital ID Class 3 - Test Secure Server</td> <td>Secure Site Trial</td> <td><a href="http://www.verisign.com/support/verisign-intermediate-ca/trial-secure-server-intermediate/index.html" target="_blank">single</a></td> </tr><tr><td>Digital ID Class 3 - VeriSign Global Server OnSite</td> <td>Enterprise Authentication</td> <td>see note below</td> </tr></table><p>If you're an Enterprise user (I've only seen financial companies using these) and you lost your intermediate CA certificate you're a dumbass. Try the two certificates below. You might only need the first one. If these don't work, there are others I didn't list. 
You should contact Verisign.</p>
</div></div></div>
Thu, 09 Oct 2008 12:12:15 +0000 adam 46 at http://adamyoung.net http://adamyoung.net/Verisign-Which-Certificate-Chain#comments

Oops - Downtime http://adamyoung.net/Oops-Downtime
<div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even" property="content:encoded"><p>Oops I managed to not check the results of "/etc/init.d/httpd reload" after setting up another site on the server. To avoid this in the future, I added the following two lines to the end of the reload function in /etc/init.d/httpd:</p>
<pre>
sleep 1
status $httpd
</pre>
<p> This will tell you if the httpd process is running:</p>
<pre>
Reloading httpd: [ OK ]
httpd (pid 28299 28298 28297 28296 28295 28294 28293 28292 28265) is running...
</pre>
<p> Beware though that there is no way to know whether the httpd has processed the -HUP already (aka: reloaded the new config files). For this small load server, 1 second is plenty. 
For some of my other servers I would probably increase the sleep.</p>
</div></div></div>
Wed, 08 Oct 2008 21:47:43 +0000 adam 45 at http://adamyoung.net http://adamyoung.net/Oops-Downtime#comments

Apache Block Backup Files http://adamyoung.net/Apache-Block-Backup-Files
<div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even" property="content:encoded"><p>A really simple way to "hack" into someone's site is by checking for common filenames with backup extensions. For example, check this Google search for <a href="http://www.google.com/search?hl=en&amp;lr=&amp;safe=off&amp;client=safari&amp;rls=en-us&amp;as_qdr=all&amp;q=config+filetype%3Aphp%7E&amp;btnG=Search" target="_blank">config filetype:php~</a></p>
<p>Because a backup file no longer ends in the extension the server would hand to an interpreter, httpd usually sends it as plain text. The lines below should be placed in your httpd.conf to block these requests across all sites on your server. If you don't have httpd.conf access, these lines can go into a .htaccess file. 
For .htaccess, make sure to place it in the root web directory so it covers all of your subdirectories.</p>
<pre>
# Block requests for emacs/vi standard filename~ files
&lt;Files ~ "\~$"&gt;
  Order allow,deny
  Deny from all
  Satisfy All
&lt;/Files&gt;

# Block requests for anything like filename.old
&lt;Files ~ "\.(bak|old|2|copy|tmp|swp?)$"&gt;
  Order allow,deny
  Deny from all
  Satisfy All
&lt;/Files&gt;
</pre></div></div></div>
Wed, 08 Oct 2008 14:19:28 +0000 adam 44 at http://adamyoung.net http://adamyoung.net/Apache-Block-Backup-Files#comments

PayFlow Pro POST Fields Encoding http://adamyoung.net/PayFlow-Pro-POST-Fields-Encoding
<div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even" property="content:encoded"><p>I was editing the PayFlow Pro example API by Radu Manole (can't find link right now - check PDN forums) to add more fields to the authorization function and decided to redo this part:</p>
<pre>
// body of the POST
$plist  = 'USER=' . $this-&gt;user . '&amp;';
$plist .= 'VENDOR=' . $this-&gt;vendor . '&amp;';
$plist .= 'PARTNER=' . $this-&gt;partner . '&amp;';
$plist .= 'PWD=' . $this-&gt;password . '&amp;';
$plist .= 'TENDER=' . 'C' . '&amp;';
$plist .= 'TRXTYPE=' . 'A' . '&amp;';
$plist .= 'ACCT=' . $card_number . '&amp;';
$plist .= 'EXPDATE=' . $card_expire . '&amp;';
$plist .= 'NAME=' . $card_holder_name . '&amp;';
$plist .= 'AMT=' . $amount . '&amp;'; // amount
$plist .= 'CURRENCY=' . $currency . '&amp;';
$plist .= 'VERBOSITY=MEDIUM';
</pre>
<p> to something a little nicer with max field sizes and the rest of the fields I needed:</p>
<pre>
$plist = array(
    'USER' =&gt; $this-&gt;user,
    'VENDOR' =&gt; $this-&gt;vendor,
    'PARTNER' =&gt; $this-&gt;partner,
    'PWD' =&gt; $this-&gt;password,
    'TENDER' =&gt; 'C',
    'TRXTYPE' =&gt; 'A',
    'ACCT' =&gt; $card_number,
    'EXPDATE' =&gt; $card_expire,
    'AMT' =&gt; $amount,
    'CURRENCY' =&gt; $currency,
    'VERBOSITY' =&gt; 'MEDIUM',
    'CVV2' =&gt; substr($cvv2,0,4),
    'FIRSTNAME' =&gt; substr($first_name,0,25),
    'LASTNAME' =&gt; substr($last_name,0,25),
    'STREET' =&gt; substr($street,0,100),
    'STREET2' =&gt; substr($street2,0,100),
    'CITY' =&gt; substr($city,0,40),
    'STATE' =&gt; substr($state,0,40),
    'COUNTRYCODE' =&gt; substr($country_code,0,2),
    'ZIP' =&gt; substr($zip,0,20),
    'PHONENUM' =&gt; substr($phone_num,0,20),
    'SHIPTONAME' =&gt; substr($ship_name,0,32),
    'SHIPTOSTREET' =&gt; substr($ship_street,0,100),
    'SHIPTOSTREET2' =&gt; substr($ship_street2,0,40),
    'SHIPTOCITY' =&gt; substr($ship_city,0,40),
    'SHIPTOSTATE' =&gt; substr($ship_state,0,40),
    'SHIPTOZIP' =&gt; substr($ship_zip,0,20),
    'SHIPTOCOUNTRYCODE' =&gt; substr($ship_country_code,0,2),
    'IPADDRESS' =&gt; $ip_address,
    'DESC' =&gt; $order_id
);
</pre>
<p> I figured this was the only change I needed to make because CURLOPT_POSTFIELDS can take a name=&gt;value pair. However, PayPal started returning blank responses. While double checking that I could use an array, I saw this post: <a href="http://us3.php.net/manual/sl/function.curl-setopt.php#84916">PHP curl_setopt comment</a>. To summarize in case the post disappears,</p>
<p>using CURLOPT_POSTFIELDS with array encoding is: multipart/form-data<br /> using CURLOPT_POSTFIELDS with string encoding is: application/x-www-form-urlencoded</p>
<p>That turned out to be the problem so I used <a href="http://php.net/http_build_query">http_build_query</a>($plist) for the CURLOPT_POSTFIELDS.</p>
</div></div></div>
Mon, 06 Oct 2008 22:27:08 +0000 adam 43 at http://adamyoung.net http://adamyoung.net/PayFlow-Pro-POST-Fields-Encoding#comments

Coda Missing File Browser http://adamyoung.net/node/42
<div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even" property="content:encoded"><p>I'm probably one of <a href="http://www.panic.com/coda/">Coda's</a> biggest users. It's rarely ever closed and I have over 100 sites set up in it (site search box FTW). Unfortunately, this morning it quit working so I had to switch to my alternative (Transmit+TextMate) for a few hours until I found <a href="http://groups.google.com/group/coda-users/browse_thread/thread/607cdf299403434d">the fix</a>.</p>
<p><strong>In Terminal:</strong></p>
<pre>defaults delete com.panic.Coda sourceSplitPercentage</pre></div></div></div>
Wed, 17 Sep 2008 14:58:03 +0000 adam 42 at http://adamyoung.net http://adamyoung.net/node/42#comments