Wojno: Category How-Tos

Creating your own Apache SSL Certificate Signed by your Root CA

Christopher Wojno — Sat, 08 Nov 2008 15:17:00 -0800

This article is part 2 of Going SSL with Your Own Root CA

Putting your Root CA to work

Now that you have your own Root CA, it doesn’t do anyone any good unless you use it. You use it by creating certificates for services. The rule is one certificate per-IP address. If you need additional certificates, you should have an IP address for each certificate. Any domain (or sub-domain, etc.) listed in the Certificate’s CN (Common Name) should resolve to its own unique IP address. Now, nothing is set in stone. But that’s the way it should be done. I’ve used multiple certificates for different domains on the same server using Virtual Hosts (same IP) before, but Apache warned me every time I started the server that this is bad practice. If you’re using Apache, it will still work, but you’ve been warned (again).

Disclaimers

This guide is for amateur, non-production use only. I make no warranties or guarantees as to the correctness of this document. This guide involves escalating privileges and may cause irreparable damage if used improperly. You use this document at your own risk and I hereby disclaim any responsibility or liability for your actions or non-actions.

Assumptions

I’m assuming you’re using Apache 2.X with mod_ssl already installed. I’m also assuming you’ve already set-up a vhost file with the site you want to SSL already created and configured minus the specification of the server certificate, and trust chain. I realize this is a lot to assume. This can help you setup an Apache server with SSL.

Creating a Server Key

Just as with the Root CA key, you need a server key. Now, if you already have one, relax, skip this step (though I still urge you to create and migrate to the “secure” environment created in the next step). You can re-use your server key as many times as you like until you want to upgrade the private key quality (or the key is compromised). If you have not created a server key, you’ll need to do so now.

We’ll use OpenSSL again, but first, let’s create a safe place for our key. The key needs to be readable by the server upon start-up (meaning, the key cannot be encrypted) or Apache (or any other server) will be unable to use it without first asking you for a password. If you don’t mind typing it in each time, that’s your prerogative. However, for live or even development environments, it’s simply impractical.

Just as with the Root CA key, you must keep this server key confidential as well. If it is breached, anyone can masquerade as your web server; thus defeating the purpose of the certificate. If you need to move the key, you are advised to use OpenSSL to encrypt it first, however, that is a tutorial for another day.

Create the “secure” environment

Create a comfy place for your key. I like to put it in /etc/apache2/ssl with Gentoo, but the better place is likely /usr/local/etc/apache2/ssl and if you use Windows: there are no rules for file placement. With that: create your directory:

sudo mkdir /usr/local/etc/apache2
sudo mkdir /usr/local/etc/apache2/ssl
sudo chmod 0770 /usr/local/etc/apache2/ssl
sudo groupadd apache_ssl_admins
sudo chown :apache_ssl_admins /usr/local/etc/apache2/ssl
sudo usermod -a -G apache_ssl_admins YOURUSERNAME # varies by OS

Here’s what I’ve done:

Created an apache2 directory (if it didn’t exist, if this call fails, just make sure the directory is there)
Created the SSL directory where we’ll store the server key
Changed the permissions for the directory such that only root can access it
Created a group called “apache_ssl_admins”
Changed the ownership of the new directory to allow members of the apache_ssl_admins access
Added you to the new group called “apache_ssl_admins”, note that this step may vary among Operating Systems so modify this command as required.

You’ll need to log out and log back into your server for the group membership to take effect.

Now, I’ve put the word “secure” in quotes as if anyone were to compromise the server and gain access to the apache_ssl_admins group, your key is then accessible. Your key is only as secure as your server.

Once you’ve logged back in, cd to the newly created “secure” environment.

cd /usr/local/etc/apache2/ssl

Creating the server key

You will now generate a server key. I highly recommend that you study the documentation for OpenSSL. It’s very very rough, but it will help you understand the commands you’re entering. It may be necessary to update these commands as machines become faster and the encryption level becomes insufficient.

openssl genrsa -out www.pem 2048

This generates a new file called www.pem in your “secure” environment. This is an RSA private key with a bit length of 2048. This bit-length is considered to be good by today’s standards. You may use any power of two; though, be warned, larger numbers require more time to initiate SSL connections. Smaller numbers will result in a less secure SSL handshake (and vicariously a less secure SSL session).

Again, it is a good idea to encrypt this key with 3des. I’ve not done so to facilitate this demonstration. Please see the previous tutorial for instructions about encrypting your server’s private key. The instructions for encrypting your Root CA private key are applicable to this purpose.

Generate a Certificate Signing Request

The Certificate Signing Request (CSR) is used by Root CA’s to create certificates for people who need them. A CSR is a uniform way to telling Root CA’s exactly what the certificate should say. The Root CA merely signs the CSR and viola: a certificate. Well, it’s not all that simple. The Root CA also adds an expiration date to the signature or other fields deemed necessary or desired. But before it can be signed, the CSR must be generated by using the server’s key:

openssl req -new -sha1 -out www.csr -key www.pem

This command will create a file called www.csr in your “secure” environment. This file is a Certificate Signing Request. You may expose this file publicly, though that is not required if you’re signing it yourself. This new request requires that it be identified using the SHA1 hashing algorithm. This algorithm is safer than MD5 as it has been proven that MD5 collisions can be generated in a reasonable time.

You will be asked a series of questions after running this command. Answer them honestly. When you see the CN (Common Name), enter the domain name and subdomain for your certificate. I.E. for my domain: christopher.wojno.com, use as the CN: “christopher.wojno.com”

Sign your CSR and create a real server Certificate

Now that you have a CSR, we’ll use our Root CA certificate and key to sign the CSR. This creates a certificate you can use in your Apache server (or other SSL-capable web server). If you created your Root CA using my previous article, then you may use the paths I have specified here. Otherwise, you’ll need to adjust the -CA, -CAkey and -CAserial parameters to match what you have used.

openssl x509 -req -days 365 -in www.csr -CA /usr/local/etc/certificate_authority/certs/cacert.crt -CAkey /usr/local/etc/certificate_authority/private/cakey.pem -CAserial /usr/local/etc/certificate_authority/serial.srl -out www.crt

This is a lot to swallow in one step. This used to be where I became completely lost with regard to SSL Certificate generation. The command is very complex so I’ll break it down part by part:

We’re asking OpenSSL to do something
Specifically, we’re asking it to invoke it’s x509 library (SSL certificate chains)
We’re then specifying that our input will be a CSR (-req)
We want the resulting certificate to be valid for 365 days (-days 365) from date of signing
The CSR is the input (-in www.csr)
We’re using the CA public certificate created in the previous tutorial: (-CA /usr/local/etc/certificate_authority/certs/cacert.crt)
We’re using the CA’s private key created in the previous tutorial to sign this CSR: (-CAkey /usr/local/etc/certificate_authority/private/cakey.pem)
We’re using the CA’s serial file to mark the resulting certificate: (-CAserial /usr/local/etc/certificate_authority/serial.srl)
Finally, we’re outputting a new certificate for the web server: (-out ../www.crt)

That little command does quite a bit. After running it, you will be prompted for the CA Root private key password (if you created one as I recommended that you do). It should automatically increment the serial file (serial.srl) so that future certificates do not have the same serial number used to identify certificates.

Now we have an SSL certificate for your server located in /usr/local/etc/apache2. Time to tell Apache where it is.

Telling Apache about our certificate

This next step takes place in the Virtual Host configuration file (or in your httpd.conf if your OS distro has not broken that file up yet). The true location of this next step can only be described in a universal fashion by describing the purpose: website configuration. Locate that file. In Gentoo, it’s located at: /etc/apache2/vhosts.d/00_default_ssl_vhost.conf I am unsure as to its location on other operating systems.

Once you’ve located this file, you’ll need to edit it (this may require privilege escalation). Edit this file in your favorite editor (or least favorite, there is no favorite requirement).

Add or amend the following lines in the VirtualHost section of the website you wish to secure using the new SSL Certificate. The hostname of this virtual host must match the CN name you specified when you created the CSR for this site.

SSLCertificateFile /usr/local/etc/apache2/ssl/www.crt
SSLCertificateKeyFile /usr/local/etc/apache2/ssl/www.pem
SSLCertificateChainFile /usr/local/certificate_authority/certs/cacert.crt

This tells Apache:

Where our certificate can be accessed so that the server may present it to requesters
Where the server’s private key file is so that the certificate may be used to decrypt encrypted requests from requesters (these requests are encrypted using the certificate in step 1)
Where the certificate authority’s certificate is located so that Apache is able to append it to the certificate presented in step 1 (to avoid having the user’s browser look it up first)

Again, I’m assuming that you’ve already set up Apache to use SSL:

You’ve installed mod_ssl
You have enabled it in the /etc/conf.d/apache2 file
You’ve allowed access to port 443 through all firewalls (or other port you wish to use for SSL)
You’ve configured your Apache instance to listen on the SSL port

If you’ve not done so, Apache will not understand the SSL commands and will not start.

If all goes well, when you access the website at the CN name on your certificate and use the https protocol (i.e. https://CN where CN is the name used when you were asked for the Common Name when generating the CSR), you will see your website and will not be prompted to accept the authenticity of the certificate. Again, I assume you’ve completed the previous tutorial and have installed your own Root CA (used to sign this certificate) into your machine’s trusted Root certificates.

Should something go wrong

Debugging OpenSSL certificate problems is tricky and complicated. OpenSSL provides a tool for doing so over the network. I used it extensively during my first attempts at creating my certificates. Use:

openssl s_client -connect CN:PORT -debug

See the documentation# for more information. Be warned, this is a developer tool and comes with few instructions and brief explanations.

Going SSL with your own Root CA

Christopher Wojno — Tue, 04 Nov 2008 20:06:00 -0800

The Prompt

Recently, my slew of SSL certificates expired for my site and e-mail. Like most people, I didn’t write anything down when I set it up. After all, I was just trying to explore what I could do with my server at that point. So, I decided to make my own Root CA for my site’s certificates. That way, my family and I can use my root certificate to verify the authenticity of my servers and services.

What are you talking about?

SSL Certificates. SSL/TLS is the secure socket layer. It uses the PKI (public key infrastructure) to provide both data encryption and confidentiality. You can review the Wikipedia article about PKI and SSL

Anywho, with a fully working SSL/TLS system in place, you can be relatively sure that your client-server (and server-server) communications are not only encrypted, but being held between the party with which you believe you are communicating. This means you can use your e-mail and web server on a public network and not worry about your password being sent in the clear or digested format. It also means you’re sure you’re talking with your servers and not someone pretending to be a gateway. It’s nice, but it’s much more complicated to set up.

One of the problems with self-signed certificates is that you are not sure if the certificate is authentic the first time you connect to the server. As I have SSL for my mail and https server, I’d have to independently verify each certificate via the SHA1 hash and identifying information to be absolutely sure my communications are secure.

Where does the Root CA Thingy come in?

A CA is short for “Certificate Authority.” A Certificate authority can sign certificates that you make. Because the CA is trusted, when the CA signs your certificate, it transfers that trust to your certificate. When you get your operating system (or your web browser or e-mail client), there are several Root CA’s pre-installed. They pay lots of cashey money to be there so that your browser, operating system, and e-mail client will recognize theirs and certificates they sign as trusted.

OK, so How do you do it?

Disclaimers

Overview

Create a “proper” and “secure” environment for your CA private key and certificates
Create a CA private key
Create a CA Certificate Signing Request (CSR)
Self-sign the CA CSR using the CA’s private key thereby creating a CA Certificate
Install the CA Certificate locally

Create a “proper” and “secure” environment

Before we begin, we need a “secure” place to put our CA Root’s private key. We cannot let this fall into the wrong hands (or any hands other than ours).

When you see YOURUSERNAME, replace it with the username you use to access the system onto which you are creating the Root CA’s certificate.

sudo mkdir /usr/local/etc/certificate_authority
sudo groupadd ca_admins
sudo usermod -a -G ca_admins YOURUSERNAME
cd /usr/local/etc/certificate_authority
sudo mkdir certs
sudo mkdir private
sudo chmod 0770 private
sudo chmod 0775 certs
sudo chown :ca_admins private
sudo chown :ca_admins certs

You’ll need to log out and then log back in to properly join the ca_admins group. Be sure to cd to the /usr/local/etc/certificate_authority directory when you do so. The following steps assume that you are in that directory.

We’ll be generating the certificate’s private key. It’s important that it never be exposed. I highly recommend that you encrypt it now, when it’s being created, but in this example, I will not do so to facilitate this demonstration. I’ll indicate where you’ll need to put in the encryption.

I’ve created an environment that is relatively “secure.” That is, it is only as secure as your server. We will generate the private key in the private folder. I have designated this as readable only to root and members of the ca_admins group. I’ve also put commands in to create that group and have you join it.

When you create the CA private key, it will be placed under “private.” When the certificate is generated and signed, the resulting certificate will be placed in the certs directory. The only file that needs to be kept secret is the CA private key. We generate it in the next step.

The proper location for local configuration changes should be the /usr/local/etc folder. It’s a toss up as to whether or not a CA’s private key is a local configuration resource. It may be better to place all of this in the /var/local/certificate_authority. The serial file most assuredly belongs here (created later) as would a Root CA CSR configuration file (not used in this document). However, for the purposes of this document, we’ll keep it as is.

In this step, I’ve also created a certs directory and a private directory. Certificates that we create for the CA Root should be placed in the certs folder. The private key for the CA Root should be placed in the private directory, as it will not be world-readable.

The CA Private Key

I like RSA certificates, so I generate RSA server private keys.

openssl genrsa -out private/cakey.pem 2048

If you want to create an encrypted key, specify this:

openssl genrsa -out private/cakey.pem -des3 2048

and you’ll be asked to specify a password for your new key. Do NOT lose this password. You’ll never be able to get this key back. That means you can’t sign or create your certificate.

Create a CA CSR and Sign it (single step)

openssl req -new -x509 -key private/cakey.pem -out certs/cacert.crt -days 3600

This creates a 10-year (abouts) certificate signing request that is immediately signed by the CA’s Root private key to produce the certificate (certs/cacert.crt). We’ll be using it as our Root CA certificate. If you put a password on the key, you’ll be asked for that password again. You’ll also be asked a series of questions to identify your certificate. Answer them honestly. When you get to the CN field, do NOT enter your domain name or similar. Name it something that’s impossible to be a domain and does not conflict with another Root CA. I called my “Wojno CA Root” modeled after Apple’s certificate name: “Apple CA Root”.

You now have a real certificate. Now you need to install it locally onto every machine that will use a certificate signed by this Root CA Certificate. Yes, this is bothersome, but it sure beats having to specify an override for every certificate you generate. It also lowers the risk of accepting a bogus certificate by your users, in the event you miss one or more.

Installing the CA Certificate locally

This process varies between operating systems and/or browsers. Apple uses the Keychain. Windows has a root certificate listing in the Internet Options panel (accessible via the control panel). I have no clue where it would be in Vista. You’re on your own there. Once you have it installed, you’ll be able to create as many certificates and sign them and all will be automatically trusted because you now trust the Root CA Certificate that will sign them all. Special note: do NOT install stranger root certificates! This will pose a security risk if you go about installing root certificates willy-nilly.

Create the serial file

Back in your ca directory where you created the private and certs folders:

echo "01" > serial.srl
sudo chmod 0660 serial.srl
sudo chown :ca_admins serial.srl

Certificates issued by this CA will be imprinted with a serial number. Every time you sign a certificate, the serial file will be incremented and updated. Only ca_admins will be able to modify or read this file. While hiding the contents of this file is not absolutely paramount, the less that is known, the harder it is to break something (this is a generic statement and not necessarily true, but is usually true).

For use with Apache2’s mod_ssl, please see the next article in the series.

Rendering Forms in a Paragraph

Christopher Wojno — Mon, 14 Jul 2008 12:16:00 -0700

Here’s an example:

<p>If you're looking for other confidential
search parameters, click
<form action="secret_search" method="post">
<input type="hidden" value="my secret search parameters"/>
<input type="submit" value="here"/>
</form>
!</p>

You can’t.

The P element represents a paragraph. It cannot contain block-level elements (including P itself). HTML4.0 Reference

That means you’re stuck with a line-break if you want to have buttons with form data in your paragraphs.

A DNS Server to Call My Own

Christopher Wojno — Sun, 30 Dec 2007 15:56:00 -0800

I’ve been itching to set up my own DNS server for a while now. Why? I’ve come up with three reasons:

Speed
Convenience
Security

The first one is pure fluff. My home network doesn’t have nearly enough traffic to make it worth it. The second has merit. It would be nice if I could name machines on the network and have them resolve correctly. I could also use it to mask external addresses. So I could make stuff up and have it resolve locally. So I could make, oh, doubleclick.net resolve to 127.0.0.1. Now, no one on my network will get those advertisements anymore. Sure, I have it set up in the hosts file now, but I’m like any other network administrator… No, not lazy, but clever.

I’m working with Linux Gentoo 2.6.19 here on my local network. There is no chance that I will corrupt any legitimate records as nobody outside my network will be able to query my DNS server. I have my favorite editor: Vim at my side. Named (Bind) is currently at version BIND 9.4.1-P1.

Install bind

First, edit your /etc/portage/packages.use file. Add a line that says:

net-dns/bind -ipv6 -ldap postgres -ssl threads -mysql -bind-mysql -odbc

This means: I don’t want IPV6 support (my router doesn’t support it… sadly). Don’t use ldap. Add support for postgres (my favorite database). Don’t include SSL support (I’m assuming everyone trusts my server on the local network). Use threads to handle many requests simultaneously (I suppose I could turn this off as the server load will not be very large). Finally, don’t include mysql bindings or ODBC. Save that file.

Emerge

Using Gentoo’s emerge system:

%emerge net-dns/bind

It should install without any further intervention.

Firewall (IPTables)

I use the IPTables firewall to protect my server from local and foreign attacks. I like it because it gives me a lot of control over what goes in and out. I also don’t like it because it is very complicated. If you have a firewall, you need to poke holes in it for port 53 in the following ways:

Outgoing UDP connections TO port 53 from your server to the DNS servers you normally use
Incoming UDP connections TO your server on any port from the DNS servers you normally use for established UDP connections
Same as #1 with TCP connections
Same as #2 with TCP connections
Incoming UDP connections from the local network on port 53
Outgoing UDP connections to the local network on any port for established UDP connections
Same as #5 with TCP connections
Same as #6 with TCP connections

The above table is derrived from nixCraft’s article: Linux Iptables block or open DNS / bind service port 53 I added some modifications, however. Here’s an example configuration:

firewall.sh

#!/bin/bash
IPTABLES='/sbin/iptables'
LOCALNET='--src-range 192.168.1.2-192.168.1.254'
INTIF1='eth0'
DNSSERVERS='a.b.c.d a.b.c.e' # 2 IP addresses for your ISP's DNS servers

# PREAMBLE
$IPTABLES -F #flush old rules
$IPTABLES -X #clear old chains
$IPTABLES -A INPUT -s 127.0.0.1 -j ACCEPT #always trust requests from the server
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT #always trust active connections

# ... (other rules here)

# BIND/NAMED
# Outgoing Recursive Requests
for ip in $DNSSERVERS
do
        iptables -A OUTPUT -p udp -d $ip --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
        iptables -A INPUT -i $INTIF1 -s $ip -p udp --dport 53 -m state --state ESTABLISHED -j ACCEPT
        iptables -A OUTPUT -p tcp -d $ip --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
done
# incoming request configuration
# accept local queries
iptables -A INPUT -i $INTIF1 -m iprange $LOCALNET -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT

# block out all other Internet access
$IPTABLES -A INPUT -j DROP

The for loop was nixCraft’s idea. Very clever, however, instead of using the IP address of the server, I fell back to the interface card. Then, no matter what your IP address, you’ll be able to control access to the DNS server.

Update your firewall rules by executing your firewall script.

%./firewall.sh

IPTables example explained

This example actually works as is. But if you’re using SSH for access, you need to add in an SSH hole:

$IPTABLES -A INPUT --protocol tcp --dport 22 -j ACCEPT

Now, the beginning of the script defines (in order) the script used to interpret the file (#!/bin/bash), the iptables program (stored as a variable for ease in name or location changes), LOCALNET (an IP address range specifying your local network, generally, 192.168.1.1 is the gate way and packets may appear to originate from your router if it’s a piece of junk. 192.168.1.255 is broadcast, so no need to include that address either), INTIF1 is the NIC card on my server. Use ifconfig to figure out what yours is (or iwconfig if you have a wireless server because you’re crazy that way). Next, I define the DNS servers from my ISP. I didn’t list them here because my ISP probably would not appreciate that. Use OpenDNS if you’re really in a bind (pun not intended).

Let’s skip to the #BIND/NAMED section. Here, I’ve looped through each DNS server from my ISP. I’ve opened up the UPD and TCP ports to allow recursive look ups generated by my local network traffic. After that loop, I open up port 53 locally. Notice I’ve used the interface (-i #INTIF1). This restricts where requests may originate. You really only need this if you have more than one NIC card on the box.

Configuration

Before we can test, there’s one more thing we need to do: configure named/bind to listen to us. By default, bind is configured to only accept connections made ON THE SERVER. That doesn’t help when you want other computers on your network to be able to make requests. Open: /etc/bind/named.conf in vim. You need to change the listen-on directive to include your local network address. I just used “any” as my firewall will deny any other requests.

...
options {
  /* ... other configurations here ... */
  listen-on {any;};
};

Make sure you include the semi-colon after “any” or you’ll get named complaining at you. Restart named (bind).

%sudo /etc/init.d/named restart

Testing your server

You should now be able to test DNS lookups from another machine. From you local (non-DNS server), type:

%dig @DNSSERVER_IP_ADDRESS www.google.com

Replace DNSSERVER_IP_ADDRESS with the IP address of the server on which you just configured and installed bind/named. You should get something similar:

; <<>> DiG 9.4.1-P1 <<>> @DNSSERVER_IP_ADDRESS www.google.com -t A
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13465
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 7, ADDITIONAL: 0

;; QUESTION SECTION:
;www.google.com.            IN    A

;; ANSWER SECTION:
www.google.com.        604748    IN    CNAME    www.l.google.com.
www.l.google.com.    249    IN    A    64.233.169.104
www.l.google.com.    249    IN    A    64.233.169.103
www.l.google.com.    249    IN    A    64.233.169.147
www.l.google.com.    249    IN    A    64.233.169.99

If you’re using Windows, you need to use nslookup (command line application). The syntax is slightly different. If you’re using Gentoo, you need to first install the bind tools (emerge net-dns/bind-tools).

That’s it! You now have a working local DNS server merely acting as a cache.

Mac Latex-mk

Christopher Wojno — Sun, 30 Dec 2007 11:27:00 -0800

I really like the LaTeX typesetting system. It makes nice looking documents. It’s a bit of a pain to use, however. On FreeBSD, there is a LIFE-SAVING port called “latex-mk,” which is a set of maintained make files that will do all the heavy-lifting for you. It’s only released for FreeBSD and NetBSD, but I’ll walk you through how to install it on Darwin (Mac). I make no warrantees here. You accept all responsibility for following these instructions or deviating from these instructions. I am not responsible for lost data or damaged property, etc.

Installation

Getting LaTeX and latex-mk

First, you need the latex package for Mac: MacTex. Install that the usual way (or read their instructions if you get lost, no sense me repeating them). Once you have that installed, grab the latex-mk file. You’ll have to dig around a big, look under “Obtaining” if that link still exists. You’ll see a SourceForge download. Download this file: latex-mk-1.9.1.tar.gz. I’m sure these instructions will work for future versions too, though I make no guarantees.

Uncompressing/Unarchiving

Go ahead and unzip the latex-mk. Crack open a terminal (Finder > Applications > Utilities > Terminal.app). Change to the latex-mk directory:

cd ~/Downloads/latex-mk-1.9.1

If the version has changed, cd to that. Remember, you must unzip it first. Apple’s archiver should handle it. But you can always do a “tar -xzf latex-mk-1.9.1.tar.gz” if you’re old fashioned like me.

Configuration

Like most packages, you need to run the configuration program. Do this from the latex-mk-1.9.1 directory (you should still be there).

sh ./configure

You will see lots of text fly by. If you get errors, sorry, this tutorial is over. Drop me a line, maybe I’ll be able to help or point you in the right direction. If you see it create lots of little files, then you’re golden.

Compile

Type:

make

And, after a very short time, it will complete.

Install

Type

sudo make install

Sudo will ask for an administrator’s password. Enter it. If you don’t trust this package, you can always install by hand… But I’m not going over that. Once this is done, latex-mk is now installed and ready for use.

Cleaning up

Type:

make clean distclean

That will remove any installation files. You may also simply delete the latex-mk-1.9.1 folder. You should delete the zip file from which you got the latex-mk-1.9.1 folder; you no longer need it.

Testing

Let’s take it for a spin. Assuming you have MacTex installed already:

Create a new folder somewhere, I’ll call it: “Test”
cd to “Test”
Create a new latex document, say, “test.tex” and type or copy in the following:

%test.tex:
\documentclass[]{article}
\begin{document}
\LaTeX
\end{document}

Now create a new file called “Makefile” and put the following into it:

#Makefile
NAME = test
TEXSRCS = test.tex
BIBTEXSRCS = 
TGIFDIRS = tgif_figs

include /usr/local/share/latex-mk/latex.gmk

At the command prompt, type: “make pdf”
You’ll see it build the file. When it finishes, open finder and go to your “Test” folder. You’ll see a shiny new “Test.pdf” so go ahead, click it! You’ll see the strangely formatted LaTeX logo.

Congratulations. You just “ported” a FreeBSD application to Mac. Aren’t command line applications grand?

Why Latex-mk?

Latex-mk takes care of lots of details when creating LaTeX documents. It keeps your bibliography up to date automatically and will re-run the latex processor to ensure all your citations and cross references are up to date and shiny. Otherwise, you have to run latex 2-3 time every change to ensure your references will be linked. Your new friend is “make pdf” as it enables one-stop generation shopping.

More Information

The make file can do much more. You should see what it can do by going to the latex-mk site for instructions.

Mac Applications Not (Force) Quitting

Christopher Wojno — Fri, 28 Dec 2007 21:24:00 -0800

I’ve just recently (a few hours ago) run into applications not loading or quitting (even with Forced quits) on Mac OSX10.5 Leopard on a brand-new machine. Here’s the grueling story:

I tried to read a .doc and I declined to try Office 2004 for Mac. Nothing appears wrong at this point. I then tried to launch iTunes, it had the launched icon (blue circle) under it, leading me to believe it was running, but there was no window. I could not interact with iTunes at this point. I attempted repeatedly to launch iTunes to no avail. So, I did what any self-respecting GUI user did: Quit. After ignoring the problem report, I attempted the last straw, the Force Quit. After trying that several times, also to no avail, I turned to the Internet for help. Most forums suggested unplugging your iPod when this happens. I do not have an iPod attached to the computer. So I tried a little Unix magic. But “kill -9” from the command line was ineffective. Trevor suggested “killall Dock,” (the Dock is the application “Task Bar” for you Windows users) but that was also ineffective. iTunes appeared thusly in ps xau:

% ps xau | grep iTunes
6432   0.0  0.0        0      0   ??   E    6:45PM   0:00.00 (iTunes)

I’ve never seen an “E” state before, nor a process enclosed in parenthesis. According to the man pages for ps, the “E” means “the process is trying to exit.” The man pages, however, are silent as to what (PROCESS NAME) means.

Can’t Quit, Can’t Delete

Time Machine is running and was backing files up at that time to an external USB disk. It also refused to load or force quit (like iTunes) after stopping the back up. I could also not view the trash as it claimed that items were “being deleted.” The system was still responsive (I could browse the Internet to look for forums with this problem, but found nothing completely applicable). I attempted to restart: APPLE MENU > Restart. All windows quit, but the system would not complete the restart. After trying to restart AGAIN (the dock was still visible, so I opened up a Terminal and the menu reappeared), iTunes, System Preferences (Time Machine) and trash were still inaccessible. I then forced a restart by holding down the power button.

Office 2004 for Mac not the problem

Now, convinced Office was the problem, to avoid this problem again I attempted to deinstall the Office 2000 Test Drive application(s). That began to run, it claimed to have progressed 1/10th of the way through (as seen by the progress bar) at which point, the application was hung. Force quit was ineffective. I submitted a problem report about Remove Office crashing. But the application persists! Force quitting that does not shut it down either. Things are getting serious.

Time machine

Time Machine was not actively backing up at this time. I decided to unmount the back up drive “Time Machine Backups” (what Time Machine calls its backup drive). This did nothing as well. The drive refused to unmount, even though backups were stopped (this was done via System Preferences > Time Machine and then click the circled X near “Backing up” or “Next Backup”. Since that didn’t work, I decided to go for the gusto. I yanked the USB cable to the backup drive. This caused the trash to immediately empty. Remove Office quit. It appears that Time Machine is causing these hangs.

The External Drive

The external hard drive is a Smart Disk, 60GB FireLite XPress.

I then decided to check the disk. I launched the disk utility (Applications>Utilities>Disk Utility.app) and ran “Verify Disk”. It claims that the drive appears to be OK. I repaired it anyway and after a vigorous re-indexing (thank you Spotlight (AKA “mdworker” to ps)) the volume, again, appears to be OK. Things appear to be working again. I’ll try yanking the cable if it misbehaves again.

Problem

Applications not quitting, even after forced quit

Solution

Unplug external hard drives/iPods connected via USB.

Although it appears that Time Machine may be responsible, it may apply to all external USB hard drive devices.

Thunderbird Copy to Sent IMAP Connection Error

Christopher Wojno — Thu, 20 Dec 2007 21:46:00 -0800

This article applies to: Thunderbird v.2.0.0.9 and a few previous versions and may very well be applicable in the future.

The Solution

I’m assuming you want the solution and not the explanation. If you really do want the explanation, scroll down and come back!

After I set up my own IMAP server for my e-mail, I began to get error messages from Thunderbird: “Error copying message to sent folder. Retry? OK.” Rather than change my Postfix server (which was advised against by the documentation), I looked for a client-side solution. Retrying is a crap-shoot. Sometimes it copies, but most of the time it just sits there after informing you that:

Unable to connect to your IMAP server. You may have exceeded the maximum number of connections to this server. If so, use the Advanced IMAP Server Settings Dialog to reduce the number of cached connections.

Advanced IMAP Server Settings Dialog? I’ve never heard of that before. Let’s see what about:config has to say. You can find it in Tools->Options… on Windows, or Edit->Options… on other platforms. Once you see the dialog, hit the “Advanced” icon at the top right, then hit the “General” tab in the area below it. You’ll see “Config Editor…”.

I tried setting: mail.imap.max_cached_connections from 5, to 1, to 0. No value fixes it.

I then noticed: mail.server.server2.max_cached_connections And not just that one (I have several IMAP accounts). There were a few others as well. Setting these to 1 HAS solved my problem.

Just make sure all your: mail.server.serverN.max_cached_connections = 1

Now, had I listened to the error message from the start, I would have gone to the account settings for each. Right click on the IMAP account and select properties. Then goes to server settings. You’ll notice an “Advanced” button. Sure enough, you see the text field for the number of cached connections. Of course, if you want to change them all at once, you can use the Config Editor.

Remember, restart Thunderbird for the changes to take effect. Don’t expect miracles until after you’ve relaunched.

The Explanation

IMAP connection caching? Yes, when Thunderbird checks your e-mail over IMAP, it starts up a TCP connection. That’s a 3-way handshake.

Hello Server!
Hello Client!
Hello again Server! (I got your hello)

3 Hello’s = 3 way handshake. OK OK, yes, this is a gross oversimplification. None-the-less, this handshake sequence is considered slow and “expensive.” So instead of saying good-bye after getting your mail, the client will say, “I’ll be back, so leave the line open.” Sounds good, but most servers have limited resources. Once the maximum number of connections is reached, it won’t accept any more. That’s what is happening with Thunderbird here. It’s being told that there is no more room.

So, what limited resource am I talking about? Well, those connections take up memory, especially the secure ones. SSL adds the overhead of a new shared secret (passphrase). That’s not too bad, but it’s more than storing the usual, unencrypted nothing. Even if you don’t use SSL, each connection uses a new port. Every computer has 65535 ports. Depending on the system, approximately 1000 of them are reserved for system calls. The other 64,000 and change are shared among all the services provided by the server. And, yup, you guessed it, each connection uses up a port.

May not seem like a big deal. But say, you have an account. Thunderbird caches 5 connections by default. If you have 5 folders, it will use all 5 connections and cache them. If your e-mail is on a dedicated machine: 64,535/5 = 12,907. Only 13 thousand users can check their mail (if they all have 5 or more folders). If you have a big company, this would be bad if the CEO or POB (pointy haired boss) can’t check his or her e-mail. Most servers will limit you (as did mine and probably yours if you’re reading this article to solve your problem) to 4 connections from the same IP address. While it helps solve the connection volume problem, Thunderbird gets confused.

See, if you need a new connection on the same account, thunderbird will use any active ones. But if you have multiple accounts, Thunderbird assumes the connections are independent. Apparently, this is a mistake.

An Expert Fix

I suggest that Thunderbird take note of refused connections and give up active connections from other accounts if they resolve to the same server. That will expand the already automatic connection cycling feature among connections on the same account to connections on the same client.

UPE (Zeta) Freshman Unix Talk

Christopher Wojno — Thu, 13 Dec 2007 12:51:00 -0800

UPE wanted to hold a Freshman Unix Talk to introduce new students to USC’s shared computing resources. It is to help them understand the system so they can program their assignments with it and not pull out their hair in the process. Naturally, I jumped at the opportunity to give the talk.

It is an overview of Unix as an operating system from the user’s perspective. So I’ve included some charts of commonly used programs.

I gave this talk a few months back and had forgotten to post it here.

You’re free to use it so long as I remain credited and you don’t make any money from it.

Freshman Unix Talk

X11R6-R7 Upgrade Problem: elf_load_section: truncated ELF file

Christopher Wojno — Sat, 17 Nov 2007 21:09:00 -0800

The Problem

I attempted to update X11 from X11R6.7 to X11R7.3 about a month ago. However, I was not successful and after getting this cryptic message when running startxfce4:

elf_load_section: truncated ELF file
Abort

Launching startx yields that same message repeated six times. Oddly enough, launching X worked and also had two truncated ELF files (or the same one repeated). So, X worked, despite the inability to read a few files. I was confounded to say the least.

I spent hours, which lead to days trying to find what ELF file was truncated. Google searches and digging through help forums turned up nothing. I did:

pkg_delete -rx ".*xorg.*" 
pkg_delete -rx ".*font-.*"

(deleted everything xorg and that which depended on it), then reinstalled xorg (/usr/ports/x11/xorg) to no avail. I even updated from FreeBSD-6.1-RELEASE to FreeBSD-6.2-RELEASE.

As of today, I have resolved the problem and I almost lost my mind when I discovered that xinit, a critical component of startx (startx is invoked by startxfce4), was not even installed. Keep in mind, I was getting this error before I deinstalled everything, so I did not deinstall it inadventently and send myself on a wild goose chase.

I assume the port maintainers moved this component out of the xorg port for some reason when they went from X11R6.9 to R7.2. Indeed, the dist file for the port xinit supports that conjecture.

In Summary

Simply INSTALL: /usr/ports/x11/xinit and you’ll be able to use X11 again. You need not deleted everything. Oh, please be sure you updated according to the /usr/ports/UPDATING file’s directions. X11 upgrades have always required special treatment (this one’s no different).

Best of luck to you.