Arduino, Linux, Hadoop, Hive, H-Base, Postgres, Zabbix - Things that matter in life: July 2014

Solution to bypass Distributed Monitoring in Zabbix

Jeez NO BitCoins ... So, PLEASE .. If this helped you in any way and you have some spare BitCoins, you may donate them to me :-). If you don't have any, please buy some and donate them to me.... - 16tb2Rgn4uDptrEuR94BkhQAZNgfoMj3ug

I started with distributed monitoring with Zabbix, but after I did my

Zabbix Certified Specialist course is intended for those who have just begun to understand Zabbix and want to get on track fast and in the right way. During the course you will learn about the main functionality of Zabbix monitoring software, its installation, setup and further maintenance.
Zabbix Certified Professional course is designed for administrators of large enterprises and companies that use Zabbix to monitor large amounts of devices located in multiple datacenters.

courses, to my dismay I found out that Zabbix might not support DMs anymore. I suppose the solution is to go to proxies, but it just seemed to be a bit of a slepph to me. So, I decided to write some scripts.
Place a 'master' script in crontab, query the Zabbix database for all the active alarms and get the Master Zabbix server to pull these values and alarm on them.
Quick and dirty solution, but for now it works for me.

So lets get started, create this script below, I use the directory /etc/zabbix/scripts, where you place yours is up to you. I use Postgres for my Zabbix databases in the various countries, but I'm sure to adopt the sql for some other database will not be that difficult...

#!/bin/bash

# This script will fire various sql queries to get the different priority

# alarms in the Zabbix database which are active at the moment.
# The resulting logfiles's (alarmlogs) owner will then be changed to Zabbix,

# so that the Zabbix agent can read the files
# The Items and Triggers are then fired by the Master Zabbix server

# indicating the amount of alarms on the Zabbix Server in country
# This script will fix the problem with Distributed Monitoring, where the

# Master Zabbix server does not get updated from the in-country
# Zabbix servers

# King Rat 25 July 2014

zabdir="/etc/zabbix/scripts/*.alarmlog"
for d in $zabdir
do
 echo " priority |        host        |                       description                        |      date_time      
----------+--------------------+----------------------------------------------------------+---------------------" > $d
chown postgres:postgres $d
done

if [ -f /etc/zabbix/scripts/all_alarms.alarmlog ]; then
 chown postgres:postgres /etc/zabbix/scripts/all_alarms.alarmlog
else
 touch /etc/zabbix/scripts/all_alarms.alarmlog
 chown postgres:postgres /etc/zabbix/scripts/all_alarms.alarmlog
fi

su - postgres -c "psql -d BOSS -U zabbix_server -f /etc/zabbix/scripts/priority5.sql -o /etc/zabbix/scripts/priority5alarms.alarmlog"
su - postgres -c "psql -d BOSS -U zabbix_server -f /etc/zabbix/scripts/priority4.sql -o /etc/zabbix/scripts/priority4alarms.alarmlog"
su - postgres -c "psql -d BOSS -U zabbix_server -f /etc/zabbix/scripts/priority3.sql -o /etc/zabbix/scripts/priority3alarms.alarmlog"
su - postgres -c "psql -d BOSS -U zabbix_server -f /etc/zabbix/scripts/priority2.sql -o /etc/zabbix/scripts/priority2alarms.alarmlog"
su - postgres -c "psql -d BOSS -U zabbix_server -f /etc/zabbix/scripts/priority1.sql -o /etc/zabbix/scripts/priority1alarms.alarmlog"
su - postgres -c "psql -d BOSS -U zabbix_server -f /etc/zabbix/scripts/all_alarms.sql -o /etc/zabbix/scripts/all_alarms.alarmlog"

for d in $zabdir
do
 chown zabbix:zabbix $d
done

This script is fired from crontab every 5 minutes, this line below must be placed in root's crontab

*/5 * * * * /etc/zabbix/scripts/get_zabbix_alarms.sh

The main script get_zabbix_alarms.sh fires the following sql scripts
priority5.sql, priority4.sql, priority3.sql, priority2.sql, priority1.sql, all_alarms.sql
The scripts check_*.sh is fired by the Master Zabbix server towards the Zabbix server in country.
The *.sh scripts must be made executable with chmod +x *.sh and the following owners must be set on the scripts, see below

srv1:/etc/zabbix/scripts # ls -ltr
total 72
-rw-r--r-- 1 postgres postgres  884 Jul 25 07:45 priority5.sql
-rw-r--r-- 1 postgres postgres  884 Jul 25 07:45 priority4.sql
-rw-r--r-- 1 postgres postgres  884 Jul 25 07:45 priority3.sql
-rw-r--r-- 1 postgres postgres  884 Jul 25 07:45 priority2.sql
-rw-r--r-- 1 postgres postgres  884 Jul 25 07:45 priority1.sql
-rwxr-xr-x 1 root     root     2038 Jul 25 07:45 get_zabbix_alarms.sh
-rwxr-xr-x 1 zabbix   zabbix    374 Jul 25 07:45 check_war.sh
-rwxr-xr-x 1 zabbix   zabbix    394 Jul 25 07:45 check_info.sh
-rwxr-xr-x 1 zabbix   zabbix    376 Jul 25 07:45 check_high.sh
-rwxr-xr-x 1 zabbix   zabbix    386 Jul 25 07:45 check_dis.sh
-rwxr-xr-x 1 zabbix   zabbix    380 Jul 25 07:45 check_ave.sh
-rw-r--r-- 1 postgres postgres  893 Jul 25 07:45 all_alarms.sql
srv1:/etc/zabbix/scripts #

Below is what the priority*.sql scripts look like, make 6 files, named
priority5.sql, priority4.sql, priority3.sql, priority2.sql, priority1.sql and all_alarms.sql

Change the
t.priority
line to 5 for the priority5.sql
line to 4 for the priority4.sql
line to 3 for the priority3.sql
line to 2 for the priority2.sql
line to 1 for the priority1.sql
line to t.priority>=0 for the all_alarms.sql

srv1:/etc/zabbix/scripts # cat priority5.sql
--SQL script to get all priority 5 alarms
SELECT DISTINCT
case
 when t.priority = 0 then 'Not classified'
 when t.priority = 1 then 'Information'
 when t.priority = 2 then 'Low '
 when t.priority = 3 then 'Medium '
 when t.priority = 4 then 'High '
 when t.priority = 5 then 'Emergency'
 else 'Error no priority found'
end priority,
h.host,
t.description,
to_char(to_timestamp(t.lastchange),'YYYY-MM-DD HH24:MI:SS') date_time
FROM
zabbix_server.triggers AS t ,
zabbix_server.hosts AS h ,
zabbix_server.items AS i ,
zabbix_server.functions AS f ,
zabbix_server.acknowledges
Inner Join zabbix_server.events ON events.eventid = acknowledges.eventid
WHERE
t.priority=5
AND
f.itemid=i.itemid
AND h.hostid=i.hostid 
AND t.triggerid=f.triggerid
AND t.status=0
AND i.status=0
AND h.hostid not in (-1) 
AND h.status=0 
AND ((t.value=1)) 
AND t.value<>2
order by 1 desc, t.description
srv1:/etc/zabbix/scripts #

And the sql produces a log (*.alarmlog) with the contents below

srv1:/etc/zabbix/scripts # cat priority4alarms.alarmlog
 priority | host |                    description                     |      date_time     
----------+------+----------------------------------------------------+---------------------
 High     | srv1 | Free disk space is less than 10% on volume /backup | 2014-07-24 02:03:32
(1 row)
 
srv1:/etc/zabbix/scripts #

The scripts that are fired by the Master Zabbix server, the check*.sh scripts looks like this below

srv1:/etc/zabbix/scripts # cat check_high.sh
#!/bin/bash
# This is the script that gets fire by the Zabbix Master server to

# list the High Priority alarms
# King Rat 25 July 2014
 
if [ `cat /etc/zabbix/scripts/priority4alarms.alarmlog | grep "row" | wc -l` -gt 0 ]; then
    cat /etc/zabbix/scripts/priority4alarms.alarmlog | grep "row" | awk '{print substr($1,2,4)}'
else
    echo "No High priority alarms"
fi
 
srv1:/etc/zabbix/scripts #

You would need 5 scripts, check_war.sh, check_info.sh, check_high.sh, check_dis.sh and check_ave.sh, just change the alarmlog name in the sh scripts to suit the priority of the alarm

Run the get_zabbix_alarms.sh manually to see if it works, if you get a Postgres password failure, add the user and password to the /opt/directory_where_postgres_resides/.pgpass

srv1:/etc/zabbix/scripts # ./get_zabbix_alarms.sh
Password for user zabbix:
Session terminated, killing shell... ...killed.
Password for user zabbix:
Session terminated, killing shell... ...killed.
Password for user zabbix:
Session terminated, killing shell... ...killed.
Password for user zabbix:
Session terminated, killing shell... ...killed.
Password for user zabbix:
Session terminated, killing shell... ...killed.
Password for user zabbix:
Session terminated, killing shell... ...killed.
srv1:/etc/zabbix/scripts #
srv1:/etc/zabbix/scripts #

localhost:5432:*:zabbix:the_password
And try again

srv1:/etc/zabbix/scripts # ./get_zabbix_alarms.sh
srv1:/etc/zabbix/scripts # ls -ltr
total 72
-rw-r--r-- 1 postgres postgres  884 Jul 25 07:45 priority5.sql
-rw-r--r-- 1 postgres postgres  884 Jul 25 07:45 priority4.sql
-rw-r--r-- 1 postgres postgres  884 Jul 25 07:45 priority3.sql
-rw-r--r-- 1 postgres postgres  884 Jul 25 07:45 priority2.sql
-rw-r--r-- 1 postgres postgres  884 Jul 25 07:45 priority1.sql
-rwxr-xr-x 1 root     root     2038 Jul 25 07:45 get_zabbix_alarms.sh
-rwxr-xr-x 1 zabbix   zabbix    374 Jul 25 07:45 check_war.sh
-rwxr-xr-x 1 zabbix   zabbix    394 Jul 25 07:45 check_info.sh
-rwxr-xr-x 1 zabbix   zabbix    376 Jul 25 07:45 check_high.sh
-rwxr-xr-x 1 zabbix   zabbix    386 Jul 25 07:45 check_dis.sh
-rwxr-xr-x 1 zabbix   zabbix    380 Jul 25 07:45 check_ave.sh
-rw-r--r-- 1 postgres postgres  893 Jul 25 07:45 all_alarms.sql
-rw-r--r-- 1 zabbix   zabbix     98 Jul 25 13:34 priority5alarms.alarmlog
-rw-r--r-- 1 zabbix   zabbix    507 Jul 25 13:34 priority4alarms.alarmlog
-rw-r--r-- 1 zabbix   zabbix    245 Jul 25 13:34 priority3alarms.alarmlog
-rw-r--r-- 1 zabbix   zabbix   2589 Jul 25 13:34 priority2alarms.alarmlog
-rw-r--r-- 1 zabbix   zabbix    432 Jul 25 13:34 priority1alarms.alarmlog
-rw-r--r-- 1 zabbix   zabbix   3406 Jul 25 13:34 all_alarms.alarmlog
srv1:/etc/zabbix/scripts # date
Fri Jul 25 13:35:02 SAST 2014
srv1:/etc/zabbix/scripts #

On the Master Zabbix server I created a template that I then assign to the hosts (Remote Zabbix servers) that I want to monitor

And these are the triggers

Remember to set your zabbix_agentd.conf to accept the incoming requests from the Master Zabbix Server and of course restart the agent once done

REMEMBER those BitCoins....

Add plsh to Postgres 9.3

Nope no BitCoins yet... So, yet again....If this helped you in any way and you have some spare BitCoins, you may donate them to me -16tb2Rgn4uDptrEuR94BkhQAZNgfoMj3ug
PLEASE.....Pretty PLEASE?

Problem with Postgres is that you cannot move, rename files etc from within the Postgres psql. Well this has changed with this brilliant binary from Peter Eisentraut, see https://github.com/petere/plsh
Thanks Peter!!
Peter's Blog
The binary allow you to run a bash or sh shell from a function. See below how I implemented it

Download the GZ file from https://github.com/petere/plsh and place it in /opt/temp, the file is called plsh-1.20130823.tar.gz

super173:/opt/temp # ls -ltr
total 1467348
-rw-r--r-- 1 root root 11182 Jul 15 12:11 plsh-1.20130823.tar.gz
super173:/opt/temp #

Gunzip and untar the file, my Postgres is installed under /opt/app, so the -C will extract the files to a new directory under /opt/app/pgdata, this is up to you where you want to place it

super173:/opt/temp # gunzip plsh-1.20130823.tar.gz
super173:/opt/temp # tar -xvf plsh-1.20130823.tar -C /opt/app/pgdata/
plsh-1.20130823/
plsh-1.20130823/.travis.yml
plsh-1.20130823/COPYING
plsh-1.20130823/Makefile
plsh-1.20130823/NEWS
plsh-1.20130823/README.md
plsh-1.20130823/plsh--1--2.sql
plsh-1.20130823/plsh--unpackaged--1.sql
plsh-1.20130823/plsh-inline.sql
plsh-1.20130823/plsh-noinline.sql
plsh-1.20130823/plsh.c
plsh-1.20130823/plsh.control
plsh-1.20130823/test/
plsh-1.20130823/test/expected/
plsh-1.20130823/test/expected/crlf.out
plsh-1.20130823/test/expected/event_trigger.out
plsh-1.20130823/test/expected/function.out
plsh-1.20130823/test/expected/init.out
plsh-1.20130823/test/expected/init_1.out
plsh-1.20130823/test/expected/inline.out
plsh-1.20130823/test/expected/psql.out
plsh-1.20130823/test/expected/psql_1.out
plsh-1.20130823/test/expected/trigger.out
plsh-1.20130823/test/expected/trigger_1.out
plsh-1.20130823/test/sql/
plsh-1.20130823/test/sql/crlf.sql
plsh-1.20130823/test/sql/event_trigger.sql
plsh-1.20130823/test/sql/function.sql
plsh-1.20130823/test/sql/init.sql
plsh-1.20130823/test/sql/inline.sql
plsh-1.20130823/test/sql/psql.sql
plsh-1.20130823/test/sql/trigger.sql
super173:/opt/temp #

I renamed the plsh-1.20130823 to plsh just to make it easier to remember, the plsh-1.20130823 directory was created with the tar command above. I then changed the ownership of the plsh directory to postgres as well.

super173:/opt/app/pgdata # cd /opt/app/pgdata

super173:/opt/app/pgdata # ls -ltr
total 8
drwx------ 16 postgres postgres 4096 Jun 30 09:16 9.3
drwxrwxr-x  4 postgres postgres 4096 Jul 15 12:16 plsh-1.20130823

super173:/opt/app/pgdata # mv plsh-1.20130823 plsh
super173:/opt/app/pgdata # chown -R postgres:postgres plsh/

su to your postgres user and change directory to /opt/app/pgdata/plsh

super173:/opt/app/pgdata # su - postgres
postgres@super173:~> cd /opt/app/pgdata/plsh/

Now to build the binary, use make, make install

postgres@super173:/opt/app/pgdata/plsh> make
gcc -O2 -Wall -Wpointer-arith -Wdeclaration-after-statement -Wendif-labels -Wmissing-format-attribute -Wformat-security -fno-strict-aliasing -fwrapv -fpic -I. -I. -I/opt/app/PostgreSQL/9.3/include/postgresql/server -I/opt/app/PostgreSQL/9.3/include/postgresql/internal -D_GNU_SOURCE -I/opt/local/20130819/0d87f820-0a63-11e3-9b6d-000c29d23b02/include/libxml2 -I/usr/local/include/libxml2 -I/usr/local/include -c -o plsh.o plsh.c
gcc -O2 -Wall -Wpointer-arith -Wdeclaration-after-statement -Wendif-labels -Wmissing-format-attribute -Wformat-security -fno-strict-aliasing -fwrapv -fpic -shared -o plsh.so plsh.o -L/opt/app/PostgreSQL/9.3/lib -L/opt/local/20130819/0d87f820-0a63-11e3-9b6d-000c29d23b02/lib -L/usr/local/lib -Wl,--as-needed -Wl,-rpath,'/opt/app/PostgreSQL/9.3/lib',--enable-new-dtags
cp plsh-inline.sql plsh.sql
cp plsh.sql plsh--2.sql
postgres@super173:/opt/app/pgdata/plsh> make install
/bin/mkdir -p '/opt/app/PostgreSQL/9.3/lib/postgresql'
/bin/mkdir -p '/opt/app/PostgreSQL/9.3/share/postgresql/extension'
/bin/mkdir -p '/opt/app/PostgreSQL/9.3/share/postgresql/extension'
/usr/bin/install -c -m 755 plsh.so '/opt/app/PostgreSQL/9.3/lib/postgresql/plsh.so'
/usr/bin/install -c -m 644 ./plsh.control '/opt/app/PostgreSQL/9.3/share/postgresql/extension/'
/usr/bin/install -c -m 644 ./plsh--unpackaged--1.sql ./plsh--1--2.sql plsh--2.sql '/opt/app/PostgreSQL/9.3/share/postgresql/extension/'
postgres@super173:/opt/app/pgdata/plsh>

If you encounter problem with the make complaining about the pg_config file, you can make the binary with

make PG_CONFIG=/where/ever/your/pgconfig/file/is/pg_config
make install PG_CONFIG=/where/ever/your/pgconfig/file/is/pg_config

You can test your make with make installcheck

postgres@super173:/opt/app/pgdata/plsh> make installcheck
/opt/app/PostgreSQL/9.3/lib/postgresql/pgxs/src/makefiles/../../src/test/regress/pg_regress --inputdir=. --psqldir='/opt/app/PostgreSQL/9.3/bin' --inputdir=test --dbname=contrib_regression init function trigger crlf psql inline event_trigger
(using postmaster on Unix socket, default port)
============== dropping database "contrib_regression" ==============
NOTICE: database "contrib_regression" does not exist, skipping
DROP DATABASE
============== creating database "contrib_regression" ==============
CREATE DATABASE
ALTER DATABASE
============== running regression test queries ==============
test init ... ok
test function ... ok
test trigger ... ok
test crlf ... ok
test psql ... ok
test inline ... ok
test event_trigger ... ok

=====================
 All 7 tests passed.
=====================

postgres@super173:/opt/app/pgdata/plsh>

And you are done, keep in mind if you want to move, rename, copy etc any files, Postgres must have permissions to do this, what I did is to give Postgres sudo rights to the /bin directory where cp, mv, chown etc lives
To do this, as root type visudo and add this to the file

visudo
# Runas alias specification

# User privilege specification
root ALL=(ALL) ALL
postgres ALL=(ALL) NOPASSWD: /bin/

# Uncomment to allow people in group wheel to run all commands
# %wheel ALL=(ALL) ALL

An example of the function creation is below, keep in mind you have to create the extension plsh, touch a test file in /opt/temp called testThisFile

CREATE EXTENSION plsh;

CREATE or REPLACE FUNCTION renameFileBash(inputDir text, inputFile text, outputDir text, outputFile text) RETURNS text AS '
#!/bin/bash
cp $1$2 $3$4;
cp $3$4 $3$4".bkp";
sudo mv $3$4 /opt/temp/$4".tmp";
sudo chown testuser:testgroup /opt/temp/$4".tmp";
sudo chmod 664 /opt/temp/$4".tmp";
sudo mv /opt/temp/$4".tmp" /opt/temp/$4".somextension";
echo $3$4;
' LANGUAGE plsh;

commit;

select renameFileBash('/opt/temp/', 'testThisFile', '/opt/temp/', 'mvFileAllOver')

Running https for Apache2 on SLES

I have received NO BitCoins yet..so yet again ... If this helped you in any way and you have some spare BitCoins, you may donate them to me - 16tb2Rgn4uDptrEuR94BkhQAZNgfoMj3ug
PLEASE.....

I use Zabbix, see www.zabbix.com for monitoring the servers at work, problem is that the front end runs on http and not https, which poses a problem for some of our customers... but fear not my little minions... below is how to activate https on Apache2 using SLES 11 SP3

Make sure apache2 is started

SuperNinja4:~ # service apache2 status
Checking for httpd2:                            unused        
SuperNinja4:~ # service apache2 start
Starting httpd2 (prefork)          done   
SuperNinja4:~

Make sure that you have some kind of index page that can be displayed with normal http

SuperNinja4:~ # cd /srv/www/
SuperNinja4:/srv/www # ls
cgi-bin  hawk  htdocs
SuperNinja4:/srv/www # cd htdocs/
SuperNinja4:/srv/www/htdocs # ls
apache_pb.gif  apache_pb.png  apache_pb2.gif  apache_pb2.png  apache_pb2_ani.gif  favicon.ico  gif  index.html  info2html.css  robots.txt
SuperNinja4:/srv/www/htdocs # vi index.html
SuperNinja4:/srv/www/htdocs # cat index.html
<html><body><h1>Hello this is King Rat -  It works!</h1></body></html>
SuperNinja4:/srv/www/htdocs #

Check if the webpage is displayed with http

With https you should get an error

Stop apache2 and make sure you are in the directory /etc/apache2

SuperNinja4:/srv/www/htdocs # cd /etc/apache2
SuperNinja4:/etc/apache2 # service apache2 stop
Shutting down httpd2 (waiting for all children to terminate)      done          
SuperNinja4:/etc/apache2 #

Start by creating all the certificates needed. Let's generate our own Certificate Authority key. In this step, we are impersonating someone like Verisign or Thawte. Well, not impersonating, but we are going to do the same thing for ourselves that they would normally do.

SuperNinja4:/etc/apache2 # openssl genrsa -des3 -out ca.key 4096
Generating RSA private key, 4096 bit long modulus
...................................++
......................................++
e is 65537 (0x10001)
Enter pass phrase for ca.key:
Verifying - Enter pass phrase for ca.key:

For the certificate I used the pass phrase (insert your pass phase here, for example I used M1cr0s0f7), make sure that you use the same for all certificates. Note that those pass phrases are something you make up right then. You are not authenticating anything, but rather setting up a pass phrase for authenticating later.

Next, we’ll need to use that key to create a certificate. Before we do this, the information that you will enter here is NOT the information you will enter later for your own server. Remember, we are emulating a Certificate Authority here. When we generate our server certificate, we will put in the real information which must differ from what is here. Notice that we are making it good for 3650 days, or 10 years. Adjust to what you need.

SuperNinja4:/etc/apache2 # openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:WA
Locality Name (eg, city) []:Redmond
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Microsoft
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:www.microsoft.com
Email Address []:bill.gates@microsoft.com
SuperNinja4:/etc/apache2 # ls -ltr
total 136
-rw-r--r-- 1 root root 12958 Mar 27  2013 magic
-rw-r--r-- 1 root root    22 Mar 27  2013 uid.conf
-rw-r--r-- 1 root root  2957 Mar 27  2013 ssl-global.conf
-rw-r--r-- 1 root root  4648 Mar 27  2013 server-tuning.conf
-rw-r--r-- 1 root root    85 Mar 27  2013 mod_usertrack.conf
-rw-r--r-- 1 root root  1255 Mar 27  2013 mod_userdir.conf
-rw-r--r-- 1 root root   344 Mar 27  2013 mod_status.conf
-rw-r--r-- 1 root root   958 Mar 27  2013 mod_reqtimeout.conf
-rw-r--r-- 1 root root  5075 Mar 27  2013 mod_mime-defaults.conf
-rw-r--r-- 1 root root  1057 Mar 27  2013 mod_log_config.conf
-rw-r--r-- 1 root root   369 Mar 27  2013 mod_info.conf
-rw-r--r-- 1 root root  1503 Mar 27  2013 mod_autoindex-defaults.conf
-rw-r--r-- 1 root root  1053 Mar 27  2013 listen.conf
-rw-r--r-- 1 root root  8496 Mar 27  2013 httpd.conf
-rw-r--r-- 1 root root  2765 Mar 27  2013 errors.conf
-rw-r--r-- 1 root root  3763 Mar 27  2013 default-server.conf
-rw-r--r-- 1 root root  1764 Mar 27  2013 charset.conv
drwxr-xr-x 2 root root  4096 May 23 08:19 vhosts.d
drwxr-xr-x 2 root root  4096 May 23 08:19 ssl.prm
drwx------ 2 root root  4096 May 23 08:19 ssl.key
drwxr-xr-x 2 root root  4096 May 23 08:19 ssl.csr
drwxr-xr-x 2 root root  4096 May 23 08:19 ssl.crt
drwxr-xr-x 2 root root  4096 May 23 08:19 ssl.crl
lrwxrwxrwx 1 root root    13 May 23 08:19 mime.types -> ../mime.types
drwxr-xr-x 2 root root  4096 May 23 08:37 conf.d
drwxr-xr-x 2 root root  4096 Jul  8 09:01 sysconfig.d
-rw-r--r-- 1 root root  3311 Jul  8 09:16 ca.key
-rw-r--r-- 1 root root  2309 Jul  8 09:23 ca.crt
SuperNinja4:/etc/apache2 #

Our Server Key and CSR

Next is to create a key that corresponds to our server. The first one we made was for the Certificate Authority. This one will be generated by and for our own server. Remember the pass phase M1cr0s0f7

SuperNinja4:/etc/apache2 # openssl genrsa -des3 -out server.key 4096
Generating RSA private key, 4096 bit long modulus
...........................................................................................................................................................................................................................................................................................................................................................................................++
............++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
SuperNinja4:/etc/apache2 # ls -ltr
total 140
-rw-r--r-- 1 root root 12958 Mar 27  2013 magic
-rw-r--r-- 1 root root    22 Mar 27  2013 uid.conf
-rw-r--r-- 1 root root  2957 Mar 27  2013 ssl-global.conf
-rw-r--r-- 1 root root  4648 Mar 27  2013 server-tuning.conf
-rw-r--r-- 1 root root    85 Mar 27  2013 mod_usertrack.conf
-rw-r--r-- 1 root root  1255 Mar 27  2013 mod_userdir.conf
-rw-r--r-- 1 root root   344 Mar 27  2013 mod_status.conf
-rw-r--r-- 1 root root   958 Mar 27  2013 mod_reqtimeout.conf
-rw-r--r-- 1 root root  5075 Mar 27  2013 mod_mime-defaults.conf
-rw-r--r-- 1 root root  1057 Mar 27  2013 mod_log_config.conf
-rw-r--r-- 1 root root   369 Mar 27  2013 mod_info.conf
-rw-r--r-- 1 root root  1503 Mar 27  2013 mod_autoindex-defaults.conf
-rw-r--r-- 1 root root  1053 Mar 27  2013 listen.conf
-rw-r--r-- 1 root root  8496 Mar 27  2013 httpd.conf
-rw-r--r-- 1 root root  2765 Mar 27  2013 errors.conf
-rw-r--r-- 1 root root  3763 Mar 27  2013 default-server.conf
-rw-r--r-- 1 root root  1764 Mar 27  2013 charset.conv
drwxr-xr-x 2 root root  4096 May 23 08:19 vhosts.d
drwxr-xr-x 2 root root  4096 May 23 08:19 ssl.prm
drwx------ 2 root root  4096 May 23 08:19 ssl.key
drwxr-xr-x 2 root root  4096 May 23 08:19 ssl.csr
drwxr-xr-x 2 root root  4096 May 23 08:19 ssl.crt
drwxr-xr-x 2 root root  4096 May 23 08:19 ssl.crl
lrwxrwxrwx 1 root root    13 May 23 08:19 mime.types -> ../mime.types
drwxr-xr-x 2 root root  4096 May 23 08:37 conf.d
drwxr-xr-x 2 root root  4096 Jul  8 09:01 sysconfig.d
-rw-r--r-- 1 root root  3311 Jul  8 09:16 ca.key
-rw-r--r-- 1 root root  2309 Jul  8 09:23 ca.crt
-rw-r--r-- 1 root root  3311 Jul  8 09:46 server.key
SuperNinja4:/etc/apache2 #

Now, we have to create a signing request, or CSR, from the server key we just made.To generate our signed certificate, we’ll need to first have a signing request so we can make the signed certificate.
To create the CSR, we do this, this has to have the REAL information, no bull, special attention to this part below, Common Name (eg, YOUR name) []:SuperNinja4.xxxx.com, it must be the server name that you have set in /etc/hosts

SuperNinja4:/etc/apache2 # openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:WZ
Locality Name (eg, city) []:New York
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your company name here
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:SuperNinja4.xxxx.com
Email Address []:root@SuperNinja4.xxxx.com
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: HIT ENTER
An optional company name []: HIT ENTER
SuperNinja4:/etc/apache2 # ls -ltr
total 144
-rw-r--r-- 1 root root 12958 Mar 27  2013 magic
-rw-r--r-- 1 root root    22 Mar 27  2013 uid.conf
-rw-r--r-- 1 root root  2957 Mar 27  2013 ssl-global.conf
-rw-r--r-- 1 root root  4648 Mar 27  2013 server-tuning.conf
-rw-r--r-- 1 root root    85 Mar 27  2013 mod_usertrack.conf
-rw-r--r-- 1 root root  1255 Mar 27  2013 mod_userdir.conf
-rw-r--r-- 1 root root   344 Mar 27  2013 mod_status.conf
-rw-r--r-- 1 root root   958 Mar 27  2013 mod_reqtimeout.conf
-rw-r--r-- 1 root root  5075 Mar 27  2013 mod_mime-defaults.conf
-rw-r--r-- 1 root root  1057 Mar 27  2013 mod_log_config.conf
-rw-r--r-- 1 root root   369 Mar 27  2013 mod_info.conf
-rw-r--r-- 1 root root  1503 Mar 27  2013 mod_autoindex-defaults.conf
-rw-r--r-- 1 root root  1053 Mar 27  2013 listen.conf
-rw-r--r-- 1 root root  8496 Mar 27  2013 httpd.conf
-rw-r--r-- 1 root root  2765 Mar 27  2013 errors.conf
-rw-r--r-- 1 root root  3763 Mar 27  2013 default-server.conf
-rw-r--r-- 1 root root  1764 Mar 27  2013 charset.conv
drwxr-xr-x 2 root root  4096 May 23 08:19 vhosts.d
drwxr-xr-x 2 root root  4096 May 23 08:19 ssl.prm
drwx------ 2 root root  4096 May 23 08:19 ssl.key
drwxr-xr-x 2 root root  4096 May 23 08:19 ssl.csr
drwxr-xr-x 2 root root  4096 May 23 08:19 ssl.crt
drwxr-xr-x 2 root root  4096 May 23 08:19 ssl.crl
lrwxrwxrwx 1 root root    13 May 23 08:19 mime.types -> ../mime.types
drwxr-xr-x 2 root root  4096 May 23 08:37 conf.d
drwxr-xr-x 2 root root  4096 Jul  8 09:01 sysconfig.d
-rw-r--r-- 1 root root  3311 Jul  8 09:16 ca.key
-rw-r--r-- 1 root root  2309 Jul  8 09:23 ca.crt
-rw-r--r-- 1 root root  3311 Jul  8 09:46 server.key
-rw-r--r-- 1 root root  1760 Jul  8 09:50 server.csr
SuperNinja4:/etc/apache2 #

Sign the Certificate

Let sign the signing request using the Certificate Authority certificate and key that we made at the beginning. What we will get is our perfectly forged signed certificate.
The command we’re going to run looks like this below

SuperNinja4:/etc/apache2 # openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
Signature ok
subject=/C=US/ST=WZ/L=New York/O=xxxx/CN=SuperNinja4.xxxx.com/emailAddress=root@SuperNinja4.xxxx.com
Getting CA Private Key
Enter pass phrase for ca.key:
SuperNinja4:/etc/apache2 # ls -ltr
total 148
-rw-r--r-- 1 root root 12958 Mar 27  2013 magic
-rw-r--r-- 1 root root    22 Mar 27  2013 uid.conf
-rw-r--r-- 1 root root  2957 Mar 27  2013 ssl-global.conf
-rw-r--r-- 1 root root  4648 Mar 27  2013 server-tuning.conf
-rw-r--r-- 1 root root    85 Mar 27  2013 mod_usertrack.conf
-rw-r--r-- 1 root root  1255 Mar 27  2013 mod_userdir.conf
-rw-r--r-- 1 root root   344 Mar 27  2013 mod_status.conf
-rw-r--r-- 1 root root   958 Mar 27  2013 mod_reqtimeout.conf
-rw-r--r-- 1 root root  5075 Mar 27  2013 mod_mime-defaults.conf
-rw-r--r-- 1 root root  1057 Mar 27  2013 mod_log_config.conf
-rw-r--r-- 1 root root   369 Mar 27  2013 mod_info.conf
-rw-r--r-- 1 root root  1503 Mar 27  2013 mod_autoindex-defaults.conf
-rw-r--r-- 1 root root  1053 Mar 27  2013 listen.conf
-rw-r--r-- 1 root root  8496 Mar 27  2013 httpd.conf
-rw-r--r-- 1 root root  2765 Mar 27  2013 errors.conf
-rw-r--r-- 1 root root  3763 Mar 27  2013 default-server.conf
-rw-r--r-- 1 root root  1764 Mar 27  2013 charset.conv
drwxr-xr-x 2 root root  4096 May 23 08:19 vhosts.d
drwxr-xr-x 2 root root  4096 May 23 08:19 ssl.prm
drwx------ 2 root root  4096 May 23 08:19 ssl.key
drwxr-xr-x 2 root root  4096 May 23 08:19 ssl.csr
drwxr-xr-x 2 root root  4096 May 23 08:19 ssl.crt
drwxr-xr-x 2 root root  4096 May 23 08:19 ssl.crl
lrwxrwxrwx 1 root root    13 May 23 08:19 mime.types -> ../mime.types
drwxr-xr-x 2 root root  4096 May 23 08:37 conf.d
drwxr-xr-x 2 root root  4096 Jul  8 09:01 sysconfig.d
-rw-r--r-- 1 root root  3311 Jul  8 09:16 ca.key
-rw-r--r-- 1 root root  2309 Jul  8 09:23 ca.crt
-rw-r--r-- 1 root root  3311 Jul  8 09:46 server.key
-rw-r--r-- 1 root root  1760 Jul  8 09:50 server.csr
-rw-r--r-- 1 root root  1988 Jul  8 10:06 server.crt
SuperNinja4:/etc/apache2 #

Generate server.key that won’t prompt for a password

Now, we have a little problem. Our server.key file will cause apache2 to prompt us for a password every time it starts. We need to fix it so that doesn’t happen. We’ll do that with these three commands:

SuperNinja4:/etc/apache2 # openssl rsa -in server.key -out server.key.insecure
Enter pass phrase for server.key:
writing RSA key
SuperNinja4:/etc/apache2 # mv server.key server.key.secure
SuperNinja4:/etc/apache2 # mv server.key.insecure server.key
SuperNinja4:/etc/apache2 # ls -ltr
total 152
-rw-r--r-- 1 root root 12958 Mar 27  2013 magic
-rw-r--r-- 1 root root    22 Mar 27  2013 uid.conf
-rw-r--r-- 1 root root  2957 Mar 27  2013 ssl-global.conf
-rw-r--r-- 1 root root  4648 Mar 27  2013 server-tuning.conf
-rw-r--r-- 1 root root    85 Mar 27  2013 mod_usertrack.conf
-rw-r--r-- 1 root root  1255 Mar 27  2013 mod_userdir.conf
-rw-r--r-- 1 root root   344 Mar 27  2013 mod_status.conf
-rw-r--r-- 1 root root   958 Mar 27  2013 mod_reqtimeout.conf
-rw-r--r-- 1 root root  5075 Mar 27  2013 mod_mime-defaults.conf
-rw-r--r-- 1 root root  1057 Mar 27  2013 mod_log_config.conf
-rw-r--r-- 1 root root   369 Mar 27  2013 mod_info.conf
-rw-r--r-- 1 root root  1503 Mar 27  2013 mod_autoindex-defaults.conf
-rw-r--r-- 1 root root  1053 Mar 27  2013 listen.conf
-rw-r--r-- 1 root root  8496 Mar 27  2013 httpd.conf
-rw-r--r-- 1 root root  2765 Mar 27  2013 errors.conf
-rw-r--r-- 1 root root  3763 Mar 27  2013 default-server.conf
-rw-r--r-- 1 root root  1764 Mar 27  2013 charset.conv
drwxr-xr-x 2 root root  4096 May 23 08:19 vhosts.d
drwxr-xr-x 2 root root  4096 May 23 08:19 ssl.prm
drwx------ 2 root root  4096 May 23 08:19 ssl.key
drwxr-xr-x 2 root root  4096 May 23 08:19 ssl.csr
drwxr-xr-x 2 root root  4096 May 23 08:19 ssl.crt
drwxr-xr-x 2 root root  4096 May 23 08:19 ssl.crl
lrwxrwxrwx 1 root root    13 May 23 08:19 mime.types -> ../mime.types
drwxr-xr-x 2 root root  4096 May 23 08:37 conf.d
drwxr-xr-x 2 root root  4096 Jul  8 09:01 sysconfig.d
-rw-r--r-- 1 root root  3311 Jul  8 09:16 ca.key
-rw-r--r-- 1 root root  2309 Jul  8 09:23 ca.crt
-rw-r--r-- 1 root root  3311 Jul  8 09:46 server.key.secure
-rw-r--r-- 1 root root  1760 Jul  8 09:50 server.csr
-rw-r--r-- 1 root root  1988 Jul  8 10:06 server.crt
-rw-r--r-- 1 root root  3243 Jul  8 10:08 server.key
SuperNinja4:/etc/apache2 #

Placing the files

At this stage, you should now have a bunch of files. Just having them doesn’t get us anywhere, so let’s get them installed. First, we are going to change some permissions, because we don’t want just anyone having access to these files. To apply the appropriate permissions, run this below

SuperNinja4:/etc/apache2 # chmod 0600 server.key.secure server.key server.csr server.crt
SuperNinja4:/etc/apache2 # ls -ltr
total 152
-rw-r--r-- 1 root root 12958 Mar 27  2013 magic
-rw-r--r-- 1 root root    22 Mar 27  2013 uid.conf
-rw-r--r-- 1 root root  2957 Mar 27  2013 ssl-global.conf
-rw-r--r-- 1 root root  4648 Mar 27  2013 server-tuning.conf
-rw-r--r-- 1 root root    85 Mar 27  2013 mod_usertrack.conf
-rw-r--r-- 1 root root  1255 Mar 27  2013 mod_userdir.conf
-rw-r--r-- 1 root root   344 Mar 27  2013 mod_status.conf
-rw-r--r-- 1 root root   958 Mar 27  2013 mod_reqtimeout.conf
-rw-r--r-- 1 root root  5075 Mar 27  2013 mod_mime-defaults.conf
-rw-r--r-- 1 root root  1057 Mar 27  2013 mod_log_config.conf
-rw-r--r-- 1 root root   369 Mar 27  2013 mod_info.conf
-rw-r--r-- 1 root root  1503 Mar 27  2013 mod_autoindex-defaults.conf
-rw-r--r-- 1 root root  1053 Mar 27  2013 listen.conf
-rw-r--r-- 1 root root  8496 Mar 27  2013 httpd.conf
-rw-r--r-- 1 root root  2765 Mar 27  2013 errors.conf
-rw-r--r-- 1 root root  3763 Mar 27  2013 default-server.conf
-rw-r--r-- 1 root root  1764 Mar 27  2013 charset.conv
drwxr-xr-x 2 root root  4096 May 23 08:19 vhosts.d
drwxr-xr-x 2 root root  4096 May 23 08:19 ssl.prm
drwx------ 2 root root  4096 May 23 08:19 ssl.key
drwxr-xr-x 2 root root  4096 May 23 08:19 ssl.csr
drwxr-xr-x 2 root root  4096 May 23 08:19 ssl.crt
drwxr-xr-x 2 root root  4096 May 23 08:19 ssl.crl
lrwxrwxrwx 1 root root    13 May 23 08:19 mime.types -> ../mime.types
drwxr-xr-x 2 root root  4096 May 23 08:37 conf.d
drwxr-xr-x 2 root root  4096 Jul  8 09:01 sysconfig.d
-rw-r--r-- 1 root root  3311 Jul  8 09:16 ca.key
-rw-r--r-- 1 root root  2309 Jul  8 09:23 ca.crt
-rw------- 1 root root  3311 Jul  8 09:46 server.key.secure
-rw------- 1 root root  1760 Jul  8 09:50 server.csr
-rw------- 1 root root  1988 Jul  8 10:06 server.crt
-rw------- 1 root root  3243 Jul  8 10:08 server.key
SuperNinja4:/etc/apache2 #

Now, here’s where things depend on the distribution that you are using.

I will try and describe what I am doing so that if you are not on SLES, you will still be able to get this working.

In SLES, the apache2 config directory is located at /etc/apache2. Underneath that, there are a handful of directories. The three we care about are /etc/apache2/ssl.crt, /etc/apache2/ssl.csr, and /etc/apache2/ssl.key. The server.crt needs to be moved to /etc/apache2/ssl.crt. The server.csr file needs to be moved to /etc/apache2/ssl.csr. And the server.key file needs to be moved to /etc/apache2/ssl.key:

SuperNinja4:/etc/apache2 # mv /etc/apache2/server.key /etc/apache2/ssl.key/server.key
SuperNinja4:/etc/apache2 # mv /etc/apache2/server.crt /etc/apache2/ssl.crt/server.crt
SuperNinja4:/etc/apache2 # mv /etc/apache2/server.csr /etc/apache2/ssl.csr/server.csr
SuperNinja4:/etc/apache2 # ls -ltr
total 140
-rw-r--r-- 1 root root 12958 Mar 27  2013 magic
-rw-r--r-- 1 root root    22 Mar 27  2013 uid.conf
-rw-r--r-- 1 root root  2957 Mar 27  2013 ssl-global.conf
-rw-r--r-- 1 root root  4648 Mar 27  2013 server-tuning.conf
-rw-r--r-- 1 root root    85 Mar 27  2013 mod_usertrack.conf
-rw-r--r-- 1 root root  1255 Mar 27  2013 mod_userdir.conf
-rw-r--r-- 1 root root   344 Mar 27  2013 mod_status.conf
-rw-r--r-- 1 root root   958 Mar 27  2013 mod_reqtimeout.conf
-rw-r--r-- 1 root root  5075 Mar 27  2013 mod_mime-defaults.conf
-rw-r--r-- 1 root root  1057 Mar 27  2013 mod_log_config.conf
-rw-r--r-- 1 root root   369 Mar 27  2013 mod_info.conf
-rw-r--r-- 1 root root  1503 Mar 27  2013 mod_autoindex-defaults.conf
-rw-r--r-- 1 root root  1053 Mar 27  2013 listen.conf
-rw-r--r-- 1 root root  8496 Mar 27  2013 httpd.conf
-rw-r--r-- 1 root root  2765 Mar 27  2013 errors.conf
-rw-r--r-- 1 root root  3763 Mar 27  2013 default-server.conf
-rw-r--r-- 1 root root  1764 Mar 27  2013 charset.conv
drwxr-xr-x 2 root root  4096 May 23 08:19 vhosts.d
drwxr-xr-x 2 root root  4096 May 23 08:19 ssl.prm
drwxr-xr-x 2 root root  4096 May 23 08:19 ssl.crl
lrwxrwxrwx 1 root root    13 May 23 08:19 mime.types -> ../mime.types
drwxr-xr-x 2 root root  4096 May 23 08:37 conf.d
drwxr-xr-x 2 root root  4096 Jul  8 09:01 sysconfig.d
-rw-r--r-- 1 root root  3311 Jul  8 09:16 ca.key
-rw-r--r-- 1 root root  2309 Jul  8 09:23 ca.crt
-rw------- 1 root root  3311 Jul  8 09:46 server.key.secure
drwx------ 2 root root  4096 Jul  8 10:11 ssl.key
drwxr-xr-x 2 root root  4096 Jul  8 10:11 ssl.crt
drwxr-xr-x 2 root root  4096 Jul  8 10:12 ssl.csr
SuperNinja4:/etc/apache2 #

System configuration

First thing is to edit /etc/sysconfig/apache2. Search through that file for the directive called APACHE_MODULES. Make sure you see ’ssl’ in there. If not, add it. Then, search through the file and find APACHE_SERVER_FLAGS. Make sure it has ‘SSL’ in it. If not, add it. Save and close the file. Note that in APACHE_SERVER_FLAGS, ssl must be in caps SSL.

SuperNinja4:/etc/apache2 # vi /etc/sysconfig/apache2
SuperNinja4:/etc/apache2 # cat /etc/sysconfig/apache2 | grep APACHE_MODULES
# * In the APACHE_MODULES variable, you can use mod_xyz or just xyz syntax.
# APACHE_MODULES="authz_host alias auth dir log_config mime setenvif"
# APACHE_MODULES="authz_host actions alias asis auth autoindex cgi dir imap include log_config mime negotiation setenvif status userdir"
APACHE_MODULES="actions alias auth_basic authn_file authz_host authz_groupfile authz_default authz_user authn_dbm autoindex cgi dir env expires include log_config mime negotiation setenvif ssl suexec userdir php5 reqtimeout ssl"
SuperNinja4:/etc/apache2 # cat /etc/sysconfig/apache2 | grep APACHE_SERVER_FLAGS
# * to finally enable ssl support, you need to add 'SSL' to APACHE_SERVER_FLAGS
APACHE_SERVER_FLAGS="SSL"
SuperNinja4:/etc/apache2 #

You can also manage apache’s modules with the ‘a2enmod’ command. To view the list of loaded modules, run ‘a2enmod -l’. Make sure that ssl is loaded

SuperNinja4:/etc/apache2 # a2enmod -l
actions alias auth_basic authn_file authz_host authz_groupfile authz_default authz_user authn_dbm autoindex cgi dir env expires include log_config mime negotiation setenvif ssl suexec userdir php5 reqtimeout ssl
SuperNinja4:/etc/apache2 #

Next, open up the config file that tells apache2 which ports to listen on. In SLES, this file is /etc/apache2/listen.conf. Add the Listen port 443, add the following lines

Listen 443
NameVirtualHost *:443

SuperNinja4:/etc/apache2 # vi listen.conf
SuperNinja4:/etc/apache2 # cat listen.conf
 
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports. See also the <VirtualHost> directive.
#
# http://httpd.apache.org/docs-2.2/mod/mpm_common.html#listen
#
# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses (0.0.0.0)
#
# When we also provide SSL we have to listen to the
# standard HTTP port (see above) and to the HTTPS port
#
# Note: Configurations that use IPv6 but not IPv4-mapped addresses need two
#       Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443"
#
Listen 80
Listen 443
 
# Use name-based virtual hosting
#
# - on a specified address / port:
#
#
# - name-based virtual hosting:
#
NameVirtualHost *:80
NameVirtualHost *:443
#
# - on all addresses and ports. This is your best bet when you are on
#   dynamically assigned IP addresses:
#
 
SuperNinja4:/etc/apache2 #

Next is to setup the vhost.template, make a file called vhost-ssl.conf in the directory /etc/apache2/vhosts.d, make sure that
ServerName SuperNinja4.xxxx.com
ServerAdmin root@SuperNinja4.xxxx.com
Is set to what you used in the certificates

SuperNinja4:/etc/apache2/vhosts.d # vi vhost-ssl.conf
SuperNinja4:/etc/apache2/vhosts.d # cat vhost-ssl.conf
# Template for a VirtualHost with SSL
# Note: to use the template, rename it to /etc/apache2/vhost.d/yourvhost.conf.
# Files must have the .conf suffix to be loaded.
#
# See /usr/share/doc/packages/apache2/README.QUICKSTART for further hints
# about virtual hosts.
 
# NameVirtualHost statements should be added to /etc/apache2/listen.conf.
 
#
# This is the Apache server configuration file providing SSL support.
# It contains the configuration directives to instruct the server how to
# serve pages over an https connection. For detailing information about these
# directives see <URL:http://httpd.apache.org/docs-2.2/mod/mod_ssl.html>
#
# Do NOT simply read the instructions in here without understanding
# what they do.  They're here only as hints or reminders.  If you are unsure
# consult the online docs. You have been warned. 
#
 
<IfDefine SSL>
<IfDefine !NOSSL>
 
##
## SSL Virtual Host Context
##
 
<VirtualHost *:443>
 
 
    #  General setup for the virtual host
    DocumentRoot "/srv/www/htdocs/"
    ServerName SuperNinja4.xxxx.com
    ServerAdmin root@SuperNinja4.xxxx.com
    ErrorLog /var/log/apache2/error_log
    TransferLog /var/log/apache2/access_log
 
    #   SSL Engine Switch:
    #   Enable/Disable SSL for this virtual host.
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /etc/apache2/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
 
 
    # 4 possible values: All, SSLv2, SSLv3, TLSv1. Allow TLS only:
    SSLProtocol all -SSLv2 -SSLv3
 
    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>
    <Directory "/srv/www/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>
 
    CustomLog /var/log/apache2/ssl_request_log   ssl_combined
 
</VirtualHost>                                 
 
</IfDefine>
</IfDefine>
SuperNinja4:/etc/apache2/vhosts.d #

Start apache2 and make sure that there are no errors

SuperNinja4:/etc/apache2/vhosts.d # service apache2 start
Starting httpd2 (prefork) [Tue Jul 08 10:28:29 2014] [warn] module ssl_module is already loaded, skipping
[Tue Jul 08 10:28:29 2014] [warn] NameVirtualHost *:80 has no VirtualHosts
                                                                                                                                                                           done
SuperNinja4:/etc/apache2/vhosts.d #
SuperNinja4:/etc/apache2/vhosts.d # tail -200f /var/log/apache2/error_log
[Tue Jul 08 09:01:35 2014] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]
[Tue Jul 08 09:01:35 2014] [notice] Apache/2.2.12 (Linux/SUSE) mod_ssl/2.2.12 OpenSSL/0.9.8j-fips PHP/5.3.17 configured -- resuming normal operations
[Tue Jul 08 09:15:08 2014] [notice] caught SIGTERM, shutting down
[Tue Jul 08 10:28:29 2014] [warn] module ssl_module is already loaded, skipping
[Tue Jul 08 10:28:29 2014] [notice] Apache/2.2.12 (Linux/SUSE) mod_ssl/2.2.12 OpenSSL/0.9.8j-fips PHP/5.3.17 configured -- resuming normal operations

Another handy command to check what is loaded is httpd2

SuperNinja4:/etc/apache2/vhosts.d # httpd2 -M
[Tue Jul 08 10:42:10 2014] [warn] module ssl_module is already loaded, skipping
[Tue Jul 08 10:42:10 2014] [warn] NameVirtualHost *:443 has no VirtualHosts
[Tue Jul 08 10:42:10 2014] [warn] NameVirtualHost *:80 has no VirtualHosts
Loaded Modules:
 core_module (static)
 mpm_prefork_module (static)
 http_module (static)
 so_module (static)
 actions_module (shared)
 alias_module (shared)
 auth_basic_module (shared)
 authn_file_module (shared)
 authz_host_module (shared)
 authz_groupfile_module (shared)
 authz_default_module (shared)
 authz_user_module (shared)
 authn_dbm_module (shared)
 autoindex_module (shared)
 cgi_module (shared)
 dir_module (shared)
 env_module (shared)
 expires_module (shared)
 include_module (shared)
 log_config_module (shared)
 mime_module (shared)
 negotiation_module (shared)
 setenvif_module (shared)
 ssl_module (shared)
 suexec_module (shared)
 userdir_module (shared)
 php5_module (shared)
 reqtimeout_module (shared)
Syntax OK
SuperNinja4:/etc/apache2/vhosts.d #

Check if port 443 is listening

SuperNinja4:/etc/apache2/vhosts.d # netstat -antp | grep LIST | grep 443
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      6836/httpd2-prefork
SuperNinja4:/etc/apache2/vhosts.d #

NEXT..... Check if https works....

WOOOOPPPPPEEEE!! https

In theory, Zabbix front end has it's webpages in /srv/www/htdocs, so Zabbix should now work with https as well, this was done with the setting in the vhost-ssl.conf file in the directory /etc/apache2/vhosts.d, this part below

# General setup for the virtual host

DocumentRoot "/srv/www/htdocs/"

ServerName SuperNinja4.xxxx.com

ServerAdmin root@SuperNinja4.xxxx.com

ErrorLog /var/log/apache2/error_log

TransferLog /var/log/apache2/access_log

Happy https ing... remember my BitCoins... please.... pretty please.... please please.....

Using a engine hoist to lift a Chinese made milling machine and lathe

Finally after 2 years of the machine being on my garage floor, I got it back on its table, yeah

Moving into the rental 2 years ago, we thought this will be temporary, mmmh 2 years down the drain and we still in the rental. Initially I had 4 guys picking up the machine and placing it on the floor. That proved to be extremely dangerous, broken backs, broken toes, broken fingers, so I decided this time I'll do it better, so off to the tool shop and bought this Cherry Picker as the Americans call it. We call it a Engine Crane...

Very important, fill the jack with HYDRAULIC oil before you use it, I made the mistake if just using it when I got it home and off course blew the one seal as all the oil ran out while in storage....

I also decided to get a load leveler, 750KG LOAD LEVELER WITH HOOKS. I was scared that the machine might tip over to one side and seeing that I'm alone in my quest.... This was important...

Got some 6mm steel cable and made 4 short ropes from the steel cable. Used 2 x 16mm threaded rods through the base of the machine and then LIFT.... scared the living daylights out of me, having a 500kg machine 1.5m off the ground... not for me thanks...

Ready..... uuum no....

Now for the lathe

Dog walking straps are handy for something else...

Little Ariel inspecting my work

Whoopee, now for some serious metalwork...

Zabbix check for RAID failures

As always ... If this helped you in any way and you have some spare BitCoins, you may donate them to me - 16tb2Rgn4uDptrEuR94BkhQAZNgfoMj3ug

Strange thing about Zabbix, support for hardware errors, I suppose one can use IPMI, but what a shlepp to setup, I think a good way to monitor disks in a Linux machine is to use a utility called hpacucli

The one I use is hpacucli-9.0-24.0.noarch.rpm

Download the rpm and save to /etc/zabbix/scripts
Install the RPM

svr1:/etc/zabbix/scripts # ls -ltr *.rpm
-rw-r--r-- 1 root root 6504897 Mar 25 11:27 hpacucli-9.0-24.0.noarch.rpm
svr1:/etc/zabbix/scripts # rpm -ivh hpacucli-9.0-24.0.noarch.rpm
Preparing...                ########################################### [100%]
   1:hpacucli               ########################################### [100%]
svr1:/etc/zabbix/scripts #

vi a script called zx_raid_status.stage1.sh in /etc/zabbix/scripts, the script is below, just copy and paste and save

#!/bin/bash

# Script (run by root) to get raid status

# Changelog

# 0.3 HP GEN 8 2 x controllers - King Rat 20130405
# 0.2 Provide absolute path to hpacucli binary, and make logging clearer
# 0.1 Base version - 20120423

# Params 

# Version 
VER="0.3"

if [ -f /etc/zabbix/scripts/diskstatus.log ];then
 rm /etc/zabbix/scripts/diskstatus.log
fi

touch /etc/zabbix/scripts/diskstatus.log
chown zabbix:zabbix /etc/zabbix/scripts/diskstatus.log

# The logical disk(s)
LOGFILE="/etc/zabbix/scripts/diskstatus.log"
echo "Version "$VER > $LOGFILE
echo "Disk(s) last checked at "`date` >> $LOGFILE
echo `hostname -a` >> $LOGFILE

LDSTAT="/tmp/zx_ldstatus"
> ${LDSTAT}
# The physical disks
PDSTAT="/tmp/zx_pdstatus"
> ${PDSTAT}

# Our logger tag
TAG="zx_raidstatus"

# The app location
APP="/usr/sbin/hpacucli"

# Functions
nocont()
{
# How many controllers
${APP} ctrl all show config | grep -i "slot" | awk '{print $6}' > /etc/zabbix/scripts/cont.txt
sort /etc/zabbix/scripts/cont.txt > /etc/zabbix/scripts/sort.log
}

out()
{
 # Write to the log file
 logger -s -t ${TAG}
}

runroot()
{
 # This has to be run as root
 if [ `whoami` != 'root' ]
 then
  echo "This has to be run by root" | out
  exit
 fi
}

pdstatus()
{
while read line;
do
 # This check the status of all physical disks
 ${APP} ctrl slot=$line pd all show status | out
 ${APP} ctrl slot=$line pd all show status >> $LOGFILE
 ECNT=`${APP} ctrl slot=$line pd all show status | egrep -i "(fail|error|offline|rebuild|ignoring|degraded|skipping|nok)" | wc -l`
 if [ ${ECNT} -gt 0 ]
 then
  echo "${ECNT} non-OK statuses being reported (physical disk)" | out
  echo "${ECNT} non-OK statuses being reported (physical disk)" >> $LOGFILE
  echo ${ECNT} > ${PDSTAT}
 else
  echo 0 > ${PDSTAT}
  echo "Physical drives - all ok" >> $LOGFILE
 fi
done < /etc/zabbix/scripts/sort.log
}

ldstatus()
{
while read line;
do
 # This check the status of all physical disks
 ${APP} ctrl slot=$line logicaldrive all show status | out
 ${APP} ctrl slot=$line logicaldrive all show status >>$LOGFILE
 ECNT=`${APP} ctrl slot=$line pd all show status | egrep -i "(fail|error|offline|rebuild|ignoring|degraded|skipping|nok)" | wc -l`
 if [ ${ECNT} -gt 0 ]
 then
  echo "${ECNT} non-OK statuses being reported (logical disk)" | out
  echo "${ECNT} non-OK statuses being reported (logical disk)" >> $LOGFILE
  echo ${ECNT} > ${LDSTAT}
 else
  echo 0 > ${LDSTAT}
  echo "Logical drives - all ok" >> $LOGFILE
 fi
done < /etc/zabbix/scripts/sort.log
}

# Execute

echo "${VER} started"
runroot
nocont
ldstatus
pdstatus

vi a script called zx_raid_status_pdstat.sh in /etc/zabbix/scripts, the script is below, just copy and paste and save

#!/bin/sh

# This is the second stage run by zabbix to get the last physical disk error count

# Changelog

# 0.1 Base version

# Params

# Our version
VER="0.1"

# Our files to read
PDSTAT="/tmp/zx_pdstatus"

cat ${PDSTAT}

vi a script called zx_raid_status_ldstat.sh in /etc/zabbix/scripts, the script is below, just copy and paste and save

#!/bin/sh

# This is the second stage run by zabbix to get the last logical disk error count

# Changelog

# 0.1 Base version

# Params

# Our version
VER="0.1"

# Our files to read
LDSTAT="/tmp/zx_ldstatus"

cat ${LDSTAT}

You should have the following when done

svr1:/opt/temp # cd /etc/zabbix/scripts/
svr1:/etc/zabbix/scripts # ls -ltr
total 6492
-rw-r--r-- 1 root   root        1503 Mar 25 11:25 zx_raid_status.stage1.sh
-rw-r--r-- 1 root   root         242 Mar 25 11:25 zx_raid_status.pdstat.sh
-rw-r--r-- 1 root   root         241 Mar 25 11:25 zx_raid_status.ldstat.sh
-rw-r--r-- 1 root   root     6504897 Mar 25 11:27 hpacucli-9.0-24.0.noarch.rpm
svr1:/etc/zabbix/scripts #

Make the scripts executable with chmod +x *.sh and set the owner to Zabbix

svr1:/etc/zabbix/scripts # chmod +x zx*.sh
svr1:/etc/zabbix/scripts # chown zabbix:zabbix zx*.sh
svr1:/etc/zabbix/scripts # ls -ltr zx*.sh
-rwxr-xr-x 1 zabbix zabbix 1503 Mar 25 11:25 zx_raid_status.stage1.sh
-rwxr-xr-x 1 zabbix zabbix  242 Mar 25 11:25 zx_raid_status.pdstat.sh
-rwxr-xr-x 1 zabbix zabbix  241 Mar 25 11:25 zx_raid_status.ldstat.sh
svr1:/etc/zabbix/scripts #

Run the file manually to make sure that it works - zx_raid_status.stage1.sh

svr1:/etc/zabbix/scripts # /etc/zabbix/scripts/zx_raid_status.stage1.sh
0.2 started
zx_raidstatus:
zx_raidstatus:    logicaldrive 1 (279.4 GB, RAID 1): OK
zx_raidstatus:    logicaldrive 2 (1.1 TB, RAID 0): OK
zx_raidstatus:    logicaldrive 3 (1.4 TB, RAID 1+0): Failed
zx_raidstatus:
zx_raidstatus: 4 non-OK statuses being reported (logical disk)
zx_raidstatus:
zx_raidstatus:    physicaldrive 2C:1:1 (port 2C:box 1:bay 1, 300 GB): OK
zx_raidstatus:    physicaldrive 2C:1:2 (port 2C:box 1:bay 2, 300 GB): OK
zx_raidstatus:    physicaldrive 2C:1:3 (port 2C:box 1:bay 3, 300 GB): OK
zx_raidstatus:    physicaldrive 2C:1:4 (port 2C:box 1:bay 4, 300 GB): OK
zx_raidstatus:    physicaldrive 3C:1:5 (port 3C:box 1:bay 5, 300 GB): OK
zx_raidstatus:    physicaldrive 3C:1:6 (port 3C:box 1:bay 6, 300 GB): OK
zx_raidstatus:    physicaldrive 3C:1:7 (port 3C:box 1:bay 7, 300 GB): Failed
zx_raidstatus:    physicaldrive 3C:1:8 (port 3C:box 1:bay 8, 300 GB): Failed
zx_raidstatus:    physicaldrive 4C:2:1 (port 4C:box 2:bay 1, 300 GB): OK
zx_raidstatus:    physicaldrive 4C:2:2 (port 4C:box 2:bay 2, 300 GB): OK
zx_raidstatus:    physicaldrive 4C:2:3 (port 4C:box 2:bay 3, 300 GB): OK
zx_raidstatus:    physicaldrive 4C:2:4 (port 4C:box 2:bay 4, 300 GB): Failed
zx_raidstatus:    physicaldrive 5C:2:5 (port 5C:box 2:bay 5, 300 GB): OK
zx_raidstatus:    physicaldrive 5C:2:6 (port 5C:box 2:bay 6, 300 GB): OK
zx_raidstatus:    physicaldrive 5C:2:7 (port 5C:box 2:bay 7, 300 GB): OK
zx_raidstatus:    physicaldrive 5C:2:8 (port 5C:box 2:bay 8, 300 GB): Failed
zx_raidstatus:
zx_raidstatus: 4 non-OK statuses being reported (physical disk)
svr1:/etc/zabbix/scripts #

Add the following line to the root crontab, this line will run the script every 5 min and write logfiles to /tmp, The logfiles in /tmp will contain the number of errors on the disks

*/5 * * * * /etc/zabbix/scripts/zx_raid_status.stage1.sh > /dev/null 2>&1

svr1:/etc/zabbix/scripts # crontab -l
# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (/tmp/crontab.XXXXIM2c9I installed on Mon Mar 25 11:37:16 2013)
# (Cron version V5.0 -- $Id: crontab.c,v 1.12 2004/01/23 18:56:42 vixie Exp $)
*/5 * * * * /etc/zabbix/scripts/zx_raid_status.stage1.sh > /dev/null 2>&1
svr1:/etc/zabbix/scripts #

Change the Zabbix config file

svr1:/etc/zabbix/scripts # vi /etc/zabbix/zabbix_agentd.conf

and add this to the bottom of the file
UserParameter=raid.lderror,/etc/zabbix/scripts/zx_raid_status.ldstat.sh
UserParameter=raid.pderror,/etc/zabbix/scripts/zx_raid_status.pdstat.sh

svr1:/etc/zabbix/scripts # tail /etc/zabbix/zabbix_agentd.conf
#UserParameter=mysql.qps,mysqladmin -uroot status|cut -f9 -d":"
#UserParameter=mysql.version,mysql -V
UserParameter=raid.lderror,/etc/zabbix/scripts/zx_raid_status.ldstat.sh
UserParameter=raid.pderror,/etc/zabbix/scripts/zx_raid_status.pdstat.sh
svr1:/etc/zabbix/scripts #

Stop and start the Zabbix agent

svr1:/etc/zabbix/scripts # /etc/init.d/zabbix-agent stop
Shutdown may take a while....
Shutting down zabbix_agent:                                                                                                                                                              done
svr1:/etc/zabbix/scripts # /etc/init.d/zabbix-agent start
Starting zabbix_agent:                                                                                                                                                                   done
svr1:/etc/zabbix/scripts # /etc/init.d/zabbix-agent status
Zabbix agent running(PID): 16290
16291
16292
16293
16294
svr1:/etc/zabbix/scripts #

The ITEMS and TRIGGERS are setup on the Zabbix server as follow

Arduino, Linux, Hadoop, Hive, H-Base, Postgres, Zabbix - Things that matter in life

Pages

Solution to bypass Distributed Monitoring in Zabbix

Add plsh to Postgres 9.3

Running https for Apache2 on SLES

Using a engine hoist to lift a Chinese made milling machine and lathe

Zabbix check for RAID failures

Contact Form

Search This Blog