Stuff I'm Up To

Technical Ramblings

Exchange 2013 – Certificate Revocation — May 30, 2018

The Exchange Control Panel showed that the certificate in use, whilst not expired and otherwise valid, could not pass a revocation check.

I figured this would be because the server couldn’t get out on the internet to read the necessary CRL. But it wasn’t even trying to get online according to our corporate proxy logs.

The netsh proxy settings were correct, but obviously something wasn’t proxy-aware.

The resolution goes back to a 2010 hack that launches Internet Explorer as the Local System account. The only snag is that this didn’t work on Windows 2012. It did, however, give me the necessary light-bulb moment to resolve it.

http://blogs.technet.com/b/bshukla/archive/2012/04/30/certificate-revocation-checked-failed.aspx

By using the Sysinternals PsExec to launch a command prompt as Local System, I could then run iexplore.exe and set the proxy for the Local System account.

https://specopssoft.com/blog/how-to-become-the-local-system-account-with-psexec/

C:\> psexec -s -i cmd.exe

and up pops a new cmd window running as Local System. Now call iexplore.exe from that new cmd window.

C:\> "C:\Program Files (x86)\Internet Explorer\iexplore.exe"

and up pops IE, in which you set the proxy as necessary. Give it 15 minutes or so, then go back and check the certificate status: it now shows as “Valid” – job done!

Lidarr — May 23, 2018

I tried out Headphones a few years ago, got frustrated with it within the first hour, ditched it and went back to downloading music manually. That was until I got pointed at Lidarr.

Lidarr is either a fork of, or certainly based on, the excellent Sonarr project for downloading TV series. Lidarr applies the same methodology and familiar interface to downloading music.

Debian Stretch NTP Time Sync — May 16, 2018

No more messing about with installing ntp. Just a simple edit of which NTP servers to use.

Internally my NTP sync fails and regularly reports in syslog:

May 16 14:07:05 testserver systemd-timesyncd[394]: Timed out waiting for reply from 134.0.16.1:123 (3.debian.pool.ntp.org).

Which isn’t surprising, as we don’t allow internal services access to external services. So we need to tell the system which servers to use.

$ sudo vi /etc/systemd/timesyncd.conf

Add your own space-separated list of servers:

NTP=192.168.1.55 192.168.1.108

Restart the timesyncd daemon:

$ sudo systemctl restart systemd-timesyncd

And in syslog you’ll see:

May 16 14:17:01 testserver systemd[1]: Stopping Network Time Synchronization...
May 16 14:17:01 testserver systemd[1]: Stopped Network Time Synchronization.
May 16 14:17:01 testserver systemd[1]: Starting Network Time Synchronization...
May 16 14:17:01 testserver systemd[1]: Started Network Time Synchronization.
May 16 14:17:02 testserver systemd-timesyncd[10047]: Synchronized to time server 192.168.1.55:123 (192.168.1.55).
May 16 14:17:02 testserver systemd[9968]: Time has been changed
May 16 14:17:02 testserver systemd[1]: Time has been changed
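
The same edit-and-verify sequence as an added example (not code from the original post), written as a POSIX shell script: it sets the NTP= line idempotently and reads the timesyncd lines back out of syslog to tell a timeout from a successful sync. The conf and syslog contents it uses are constructed from the lines above; on a real box run set_ntp_servers against /etc/systemd/timesyncd.conf as root, then restart systemd-timesyncd as shown.

```shell
#!/bin/sh
# Added example, not from the original post: point systemd-timesyncd at internal
# servers and confirm from syslog that it really synchronised rather than timing
# out. Assumes a Stretch-style timesyncd.conf with a [Time] section.
set -eu

# set_ntp_servers CONF SERVER... : set the NTP= line in CONF idempotently,
# replacing a commented-out or existing line, or adding one under [Time].
set_ntp_servers() {
    conf=$1; shift
    servers=$*
    if grep -Eq '^#?NTP=' "$conf"; then
        sed -i -E "s|^#?NTP=.*|NTP=$servers|" "$conf"
    elif grep -q '^\[Time\]' "$conf"; then
        sed -i "/^\[Time\]/a NTP=$servers" "$conf"
    else
        printf '[Time]\nNTP=%s\n' "$servers" >> "$conf"
    fi
    grep '^NTP=' "$conf"
}

# timesync_state LOG : report "synced <server>", "timeout <server>" or "unknown"
# from the most recent systemd-timesyncd line in LOG.
timesync_state() {
    last=$(grep 'systemd-timesyncd\[' "$1" | tail -n 1)
    case $last in
        *'Synchronized to time server '*)
            echo "synced ${last##*Synchronized to time server }" | cut -d: -f1 ;;
        *'Timed out waiting for reply from '*)
            echo "timeout ${last##*Timed out waiting for reply from }" | cut -d: -f1 ;;
        *) echo unknown ;;
    esac
}

# Constructed sample data (a fresh conf and the two syslog lines from the post)
# so the script runs offline without touching /etc.
tmp=$(mktemp -d)
printf '[Time]\n#NTP=\n#FallbackNTP=0.debian.pool.ntp.org\n' > "$tmp/timesyncd.conf"
cat > "$tmp/syslog" <<'EOF'
May 16 14:07:05 testserver systemd-timesyncd[394]: Timed out waiting for reply from 134.0.16.1:123 (3.debian.pool.ntp.org).
May 16 14:17:02 testserver systemd-timesyncd[10047]: Synchronized to time server 192.168.1.55:123 (192.168.1.55).
EOF
set_ntp_servers "$tmp/timesyncd.conf" 192.168.1.55 192.168.1.108   # NTP=192.168.1.55 192.168.1.108
timesync_state "$tmp/syslog"                                        # synced 192.168.1.55
```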

Nginx and Keepalived — May 15, 2018

I have a need to deploy a high-availability, load-balanced reverse proxy solution. We have a back-end web service that requires resilience. To achieve this I’ve been looking at Nginx and Keepalived. The Nginx Plus product appears to contain high-availability support – but we’re in the realms of zero budget and open source/community-supported products.

The front-end reverse proxy I’ll use is Nginx, but it could be anything. The clever part is going to be using keepalived to pass a single IP address between two servers.

Proftpd and LDAP / Active Directory — May 10, 2018

We’ve had a vsftpd server for a while and it’s performed very well for us. But it would appear that it’s not actively maintained. This may not be a problem, as it still works just fine and we don’t have any obvious vulnerabilities with it, but as the OS it’s running on is Wheezy we need to move on, at least up to Stretch. So I figured I’d try deploying a new server, but configured with proftpd.

Repository Not Trusted — May 8, 2018

On a Wheezy box I saw this, but was able to continue by answering yes to ignore the authentication warning.

WARNING: The following packages cannot be authenticated!

On a Stretch system, no can do. Apt was blocked from downloading updates.

W: The repository 'http://ftp.uk.debian.org/debian stretch/updates Release' does not have a Release file.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: The repository 'http://security.debian.org/debian-security stretch/updates Release' is no longer signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

First I thought someone had forgotten to update their repository keys.

$ sudo apt-key update

Nope. Still not downloading updates.

So I tried to download the Release file myself using wget – success. Then I tried to download the Release.gpg file using wget – it failed with an HTTP status code 500!

I could download all the files apart from the .gpg file. I checked the corporate proxy for errors and sure enough the .gpg files were being picked up by the anti-virus scanning. A quick addition of a filter exception to disable the virus scanning for the Debian repository and my servers started updating again.
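
An added example, not from the original post: a shell script that probes InRelease, Release and Release.gpg for a suite through the proxy and reports which one is being dropped, plus a gpgv check of the detached signature against the Debian archive keyring (assumed installed at /usr/share/keyrings/debian-archive-keyring.gpg; curl and gpgv are assumed present). The probe results fed to it here are constructed to reproduce the 500 on the .gpg file.

```shell
#!/bin/sh
# Added example, not from the original post: find out which index file of a
# Debian suite the proxy is dropping, then verify the detached signature by hand.
# Assumes curl and gpgv are installed and the standard Debian keyring path.
set -eu

# probe_suite BASEURL : print "<file> <http-status>" for each index file apt
# fetches from a dists/<suite>/ directory; curl honours $http_proxy if set.
probe_suite() {
    for f in InRelease Release Release.gpg; do
        code=$(curl -s -o /dev/null -w '%{http_code}' "$1/$f" || echo 000)
        echo "$f $code"
    done
}

# diagnose : read "<file> <status>" lines on stdin and print a one-line verdict.
# 200 for Release but not for Release.gpg is the symptom in the post: the data
# is reachable, only the signature is being eaten in transit.
diagnose() {
    inrel=000; rel=000; sig=000
    while read -r f code; do
        case $f in
            InRelease)   inrel=$code ;;
            Release)     rel=$code ;;
            Release.gpg) sig=$code ;;
        esac
    done
    if [ "$inrel" = 200 ]; then
        echo "ok: InRelease (inline signature) fetched"
    elif [ "$rel" = 200 ] && [ "$sig" = 200 ]; then
        echo "ok: Release and Release.gpg both fetched"
    elif [ "$rel" = 200 ]; then
        echo "signature blocked: Release.gpg returned $sig (check proxy/AV filtering)"
    else
        echo "unreachable: Release returned $rel"
    fi
}

# verify_release DIR : check Release.gpg against Release with the Debian archive
# keyring; apt does the same, so a pass here confirms the proxy exception left
# the trust chain intact and only removed the scanner from the path.
verify_release() {
    gpgv --keyring /usr/share/keyrings/debian-archive-keyring.gpg \
        "$1/Release.gpg" "$1/Release"
}

# Constructed probe output reproducing the post's symptom, so this runs offline.
printf 'InRelease 500\nRelease 200\nRelease.gpg 500\n' | diagnose
# Live use: probe_suite http://ftp.uk.debian.org/debian/dists/stretch | diagnose
```

The point of verify_release is that the proxy exception only stops the scanner from mangling the signature file; apt still checks Release.gpg against its keyring, so nothing unsigned gets accepted.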