Posts Tagged ‘error message’

How to fix “sslserver: fatal: unable to load certificate” Qmail error on GNU / Linux

Friday, October 14th, 2011

After setupping a brand new Qmail installation following the QmailRocks Thibs Qmail Debian install guide , I’ve come across unexpected re-occuring error message in /var/log/qmail/qmail-smtpdssl/ , here is the message:

@400000004e9807b10d8bdb7c command-line: exec sslserver -e -vR -l my-mailserver-domain.com -c 30 -u 89 -g 89
-x /etc/tcp.smtp.cdb 0 465 rblsmtpd -r zen.spamhaus.org -r dnsbl.njabl.org -r dnsbl.sorbs.net -r bl.spamcop.net qmail-smtpd
my-mailserver-domain.com /home/vpopmail/bin/vchkpw /bin/true 2>&1
@400000004e9807b10dae2ca4 sslserver: fatal: unable to load certificate

I was completely puzzled initially by the error as the sertificate file /var/qmail/control/servercert.pem was an existing and properly self generated one. Besides that qmail daemontools init script /service/qmail-smtpd/run was loading the file just fine, where the same file failed to get loaded when sslserver command with the cert argument was invoked via /service/qmail-smtpdssl/run

It took me quite a while to thoroughfully investigate on what’s wrong with the new qmail install. Thanksfully after almost an hour of puzzling I found it out and I was feeling as a complete moron to find that the all issues was caused by incorrect permissions of the /var/qmail/control/servercert.pem file.
Here are the incorrect permissions the file possessed:

linux:~# ls -al /var/qmail/control/servercert.pem
-rw------- 1 qmaild qmail 2311 2011-10-12 13:21 /var/qmail/control/servercert.pem

To fix up the error I had to allow all users to have reading permissions over servercert.pem , e.g.:

linux:~# chmod a+r /var/qmail/control/servercert.pem

After adding all users readable bit on servercert.pem the file permissions are like so:

linux:~# ls -al /var/qmail/control/servercert.pem
-rw-r--r-- 1 qmaild qmail 2311 2011-10-12 13:21 /var/qmail/control/servercert.pem

Consequently I did a qmail restart to make sure the new readable servercert.pem will get loaded from the respective init script:

linux:~# qmailctl restart
* Stopping qmail-smtpdssl.
* Stopping qmail-smtpd.
* Sending qmail-send SIGTERM and restarting.
* Restarting qmail-smtpd.
* Restarting qmail-smtpdssl.

Now the annoying sslserver: fatal: unable to load certificate message is no more and all works fine, Hooray! 😉

Fix vnstat error “eth0: Not enough data available yet.” on Debian GNU / Linux

Monday, November 21st, 2011

Vnstat GNU Linux console terminal traffic statistics logo

After installing vnstat to keep an eye on server IN and OUT traffic on a Debian Squeeze server. I used the usual:

debian:~# vnstat -u -i eth0

In order to generate the initial database for the ethernet interface used by vnstat to generate its statistics.

However even though /var/lib/vnstat/eth0 got generated with above command statistics were not further generated and trying to check them with command:

debian:~# vnstat --days

Returned the error message:

eth0: Not enough data available yet.

To solve the eth0: Not enough data available yet. message I tried completely removing vnstat package by purging the package e.g.:

debian:~# apt-get --yes remove vnstat
...
debian:~# dpkg --purge vnstat
...

Even though dpkg –purge was invoked /var/lib/vnstat/ refused to be removed since it contained vnstat’s db file eth0

Therefore I deleted by hand before installing again vnstat:

debian:~# rm -rf /var/lib/vnstat/

Tried installing once again vnstat “from scratch”:

debian:~# apt-get install vnstat
...

After that I tried regenerating the vnstat db file eth0 once again with vnstat -u -i eth0 , hoping this should fix the error but it was no go and after that the error:

debian:~# vnstat --hours
eth0: Not enough data available yet.

persisted.

I checked in Debian bugs mailing lists and I found, some people complaining about the same issue with some suggsetions on how the error can be work arouned, anyways none of the suggestions worked for me.

Being irritated I further removed / purged once again vnstat and decided to give it a try by installing vnstat from source
As of time of writting this article, the latest stable vnstat version is 1.11 .
Therefore to install vnstat from source I issued:

debian:~# cd /usr/local/src
debian:/usr/local/src# wget http://humdi.net/vnstat/vnstat-1.11.tar.gz
...
debian:/usr/local/src# tar -zxvvf vnstat-1.11.tar.gz
debian:/usr/local/src# cd vnstat-1.11
debian:/usr/local/src/vnstat-1.11# make & make all & make install
debian:/usr/local/src/vnstat-1.11# cp examples/vnstat.cron /etc/cron.d/vnstat
debian:/usr/local/src/vnstat-1.11# vnstat -u -i eth0
Error: Unable to read database "/var/lib/vnstat/eth0".
Info: -> A new database has been created.

As a last step I put on root crontab to execute:

debian:~# crontab -u root -e

*/5 * * * * /usr/bin/vnstat -u >/dev/null 2>&1

This line updated vnstat db eth0 database, every 5 minutes. After the manual source install vnstat works, just fine 😉

Error from park wrapper: mydomain.com is already configured. Sorry, that domain is already setup (remove it from httpd.conf) – How to solve

Monday, July 4th, 2011

If you’re administrating a Cpanel server and you come across an error message while trying to use cpanel’s domain addon menu and you want to fix that you will need to do the following logged in as root over an ssh connection:

1. Remove dns related stuff in /var/named and /var/named/cache cpanel:~# rm -f /var/named/mydomain.com.dbcpanel:~# rm -f /var/named/cache/mydomain.com.db

2. Edit the current used httpd.conf on the server and remove all virtualhost domain definitions

cpanel:~# vim /etc/httpd/conf/httpd.conf
# find the mydomain.com Virtualhost definitions and completely remove them

3. Remove any domain occurance in /var/cpanel/users

cpanel:~# cd /var/cpanel/users/
cpanel:/var/cpanel/users# grep -rli 'mydomain.com' *
/var/cpanel/users/hipo
cpanel:~# vim /var/cpanel/users/hipo
# remove in above file any domain related entries

3. Remove anything related to mydomain.com in /etc/userdomains and /etc/localdomains

cpanel:~# vim /etc/userdomains
cpanel:~# vim /etc/localdomains
# again look inside the two files and remove the occuring entries

4. Edit /etc/named.conf and remove any definitions of mydomain.com

cpanel:~# vim /etc/named.conf
# in above file remove DNS configuration for mydomain.com

5. Run /scripts/updateuserdomains

cpanel:~# /scripts/updateuserdomains

6. Delete any valias configurations

cpanel:~# rm -f /etc/valiases/mydomain.com
cpanel:~# rm -f /etc/vdomainaliases/mydomain.com
cpanel:~# rm -f/etc/vfilters/mydomain.com

7. Remove any occurance of mydomain.com in the user directory which experiences the Error from park wrapper: error

Let’s say the user testuser is experiencing the error, in that case you will have to remove:

cpanel:~# rm -rf /home/testuser/public_html/mydomain.com

8. Restart Cpanel

This step is optional though I think it’s also a good practice as it will at least restart the Cpanel webserver (Apache or Litespeed depending on your conf)

cpanel:~# /etc/init.d/cpanel restart

Now try to add up the domain via the Cpanel domain addon interface, hopefully the issue should be fixed by now. If not you might also check if there is no some record about mydomain.com in the mysql server.
Cheers 😉

How to fix “Could not verify this certificate for unknown reasons” SSL certificate lighttpd troubles

Tuesday, June 28th, 2011

Firefox SSL Pro could not verify for uknown reasons solve error

I’ve been issuing new wildcard multiple SSL certificate to renew an expiring ones. After I completed the new certificate setup manually on the server (a CentOS 5.5 Final running SoluSVM Pro – Virtual Private Manager), I launched Firefox to give a try if the certificate is properly configured.

Instead of my expectations that the browser would just accept the certificate without spitting any error messages and all will be fine, insetad I got error with the just installed certificate and thus the browser failed to report the SSL cert is properly authenticated.

The company used to issue the SSL certificate is GlobeSSL – http://globessl.com , it was quite “hassle”, with the tech support as the first certficate generated by globessl was generation based on SSL key file with 4096 key encryption.

As the first issued Authenticated certificate generated by GlobeSSL was not good further on about a week time was necessery to completethe required certificate reissuing ….

It wasn’t just GlobeSSL’s failure, as there were some spam filters on my side that was preventing some of GlobeSSL emails to enter normally, however what was partially their fault as they haven’t made their notification and confirmation emails to pass by a mid-level strong anti-spam filter…

Anyways my overall experience with GlobeSSL certificate reissue and especially their technical support is terrible.
To make a parallel, issuing certificates with GoDaddy is a way more easier and straight forward.

Now let me come back to the main certificate error I got in Firefox …

A bit of further investigation with the cert failure, has led me to the error message which tracked back to the newly installed SSL certificate issues.
In order to find the exact cause of the SSL certificate failure in Firefox I followed to the menus:

Tools -> Page Info -> Security -> View Certificate

Doing so in the General browser tab, there was the following error:

Could not verify this certificate for unknown reasons

The information on Could not verify this certificate for unknown reasons on the internet was very mixed and many people online suggested many possible causes of the issue, so I was about to loose myself.

Everything with the certificate seemed to be configured just fine in lighttpd, all the GlobeSSL issued .cer and .key file as well as the ca bundle were configured to be read used in lighttpd in it’s configuration file:
/etc/lighttpd/lighttpd.conf

Here is a section taken from lighttpd.conf file which did the SSL certificate cert and key file configuration:

$SERVER["socket"] == "0.0.0.0:443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/ssl/wildcard.mydomain.bundle"
}

The file /etc/lighttpd/ssl/wildcard.mydomain.bundle was containing the content of both the .key (generated on my server with openssl) and the .cer file (issued by GlobeSSL) as well as the CA bundle (by GlobeSSL).

Even though all seemed to be configured well the SSL error Could not verify this certificate for unknown reasons was still present in the browser.

GlobeSSL tech support suggested that I try their Web key matcher interfacehttps://confirm.globessl.com/key-matcher.html to verify that everything is fine with my certificate and the cert key. Thanks to this interface I figured out all seemed to be fine with the issued certificate itself and something else should be causing the SSL oddities.
I was further referred by GlobeSSL tech support for another web interface to debug errors with newly installed SSL certificates.
These interface is called Verify and Validate Installed SSL Certificate and is found here

Even though this SSL domain installation error report and debug tool did some helpful suggestions, it wasn’t it that helped me solve the issues.

What helped was First the suggestion made by one of the many tech support guy in GlobeSSL who suggested something is wrong with the CA Bundle and on a first place the documentation on SolusVM’s wiki – http://wiki.solusvm.com/index.php/Installing_an_SSL_Certificate .
Cccording to SolusVM’s documentation lighttpd.conf‘s file had to have one extra line pointing to a seperate file containing the issued CA bundle (which is a combined version of the issued SSL authority company SSL key and certificate).
The line I was missing in lighttpd.conf (described in dox), looked like so:

ssl.ca-file = “/usr/local/solusvm/ssl/gd_bundle.crt”

Thus to include the directive I changed my previous lighttpd.conf to look like so:

$SERVER["socket"] == "0.0.0.0:443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/ssl/wildcard.mydomain.bundle"
ssl.ca-file = "/etc/lighttpd/ssl/server.bundle.crt"
}

Where server.bundle.crt contains an exact paste from the certificate (CA Bundle) mailed by GlobeSSL.

There was a couple of other ports on which an SSL was configured so I had to include these configuration directive everywhere in my conf I had anything related to SSL.

Finally to make the new settings take place I did a lighttpd server restart.

[root@centos ssl]# /etc/init.d/lighttpd restart
Stopping lighttpd: [ OK ]
Starting lighttpd: [ OK ]

After lighttpd reinitiated the error was gone! Cheers ! 😉

How to fix “vbAccelerator SGrid II Control Runtime Error” popup window in Windows XP

Tuesday, May 24th, 2011

Windows XPI’m in a friend and he asked me to take a look at his Win PC.
When the Windows boots up a weird and annoying error message appears that reads:

vBAccelerator SGrid II Control Runtime Error

I figured out the SGrid II Control Runtime Error was a cause of a mis-working old Malware Bytes portable installation.

I’ve found online the following tool which fixes the stupid VBAccelerator SGrid II error

By simply downloading and starting the mbam-clean.exe binary after a computer restart the error gets fixed.

Getting around “Secure Connection Failed Peer’s, Certificate has been revoked., (Error code: sec_error_revoked_certificate)

Friday, April 8th, 2011

Certificate has been revoked, sec_error_revoked_certificate screenshot

One of the SSL secured websites (https://) which I have recently accessed couldn’t be opened with an error message showing up:

Secure Connection Failed

An error occurred during a connection to www.domain.com.

Peer’s Certificate has been revoked.

(Error code: sec_error_revoked_certificate)

* The page you are trying to view can not be shown because the authenticity of the received data could not be verified.
* Please contact the web site owners to inform them of this problem. Alternatively, use the command found in the help menu to report this broken site.

That error catched my attention so I digged further in what the message means. Here is what I found as an explanation to what is certificate revocation online

What is a SSL Certificate revocation

Revocation of a certificate means that the Certificate Authority (CA) that issuer of the certificate for a website have decided that the certificate is no longer valid, even if it has not expired.

The information about revocation can be distributed in two ways: Certificate Revocation Lists (CRLs), or by using the Online Certificate Status Protocol (OCSP).

CRLs are (usually) large files that contain a list with information about all the currentely active (unexpired) certificates that are no longer valid. This file has to be downloaded from the CA by the client at regular intervals (usually at least a week apart), and may be quite large.

OCSP, on the other hand, means that the client asks the CA “Is this particular certificate still valid?”, and the server responds “Yes” or “No”. This method can usually be fairly well up to date, meaning the information is at most a few days old, as opposed to at least a week for CRLs.

All the major browsers support OCSP, but some (like Opera) does not currently support CRLs.

By this time most of the modern browsers (Firefox, Chrome, Opera and Internet explorer does support revocation lists and all of the aforementioned hsa enabled at least OCSP by default.

Why SSL revocation error might occur:

A CA can revoke a certificate due to a number of reasons:

– A new certificate has been issued to the website, meaning the old one is not going to be used anymore.
– The website with the certificate is being used for purposes that are not accepted by the CA.
– The certificate was issued based on incorrect information.
– The owner is no longer able to use the private key associated with the certificate, for example the password is lost, the key storage was destroyed somehow, etc.
– The private key has been compromised or stolen, which means traffic to the site is no longer secure.
– The certificate and key have been stolen and is actually being used for fraud while posing as a legitimate website …

Now after all above being said the error:

Secure Connection Failed Peer's, Certificate has been revoked., (Error code: sec_error_revoked_certificate)

is a sure indicator that the website which had the certificate problem as a one you could not trust to make money transactions or do any operation that has a direct relation to your personal private date.

However as there are still websites which use an SSL encryption and are entertainment websites or just a news websites, sometimes getting around the ssl revocation issue to check this website is a necessity.

Therefore to enable your Firefox 3.5 / Iceweasel browser with a website which has ssl certificate revocation issue you need to do the following:

Edit -> Preferences -> Advanced -> Encryption -> Validation

After you see the Certificate Validation screen remove the tick set on:

Use the Online Certificate Status Protocol (OCSP) to confirm the current validity of certificates

Now refresh the website and you will skip the certificate revocation issue error and the webpage will open up.
Note that even though this will work, it’s not recommended to use this work around!