Re: [blfs-dev] Oddities in testing a server build

2018-09-02 Thread Ken Moffat via blfs-dev
On Sun, Sep 02, 2018 at 05:24:03PM +0100, Ken Moffat via blfs-dev wrote:
> > 
> > Just get 'ssh higgs.linuxfromscratch.org' to work.  That's what svn is doing
> > under the hood (bonnet?).
> > 
> > That should really only rely on what is in ~/.ssh
> > 
> > In ~/.ssh/config. I have:
> > 
> > # Global
> > 
> > ServerAliveInterval 45
> > ServerAliveCountMax 10
> > Protocol 2
> > IdentityFile ~/.ssh/
> > 
> > Host *.linuxfromscratch.org
> > User 
> > 
> >   -- Bruce
> > 
> Thanks!  I'd forgotten about ~/.ssh (on my desktop machines I only
> normally ssh to my local server).
> 
In fact, the machine where I'm testing is the only one with a
/.ssh/config, and that only tells it to log as Error on syslog.

But: I guess I had used ssh to lfs in the distant past because I had
the old id_dsa stuff, but not the id_rsa (changed to that almost 3
years ago).  Sorted, updated.

Still misconfiguring apache, good thing I don't do this for a
living.

ĸen
-- 
 Also Spuke Zerothruster
 (Finnegans Wake)
-- 
http://lists.linuxfromscratch.org/listinfo/blfs-dev
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page


Re: [blfs-dev] Certificate updating

2018-09-02 Thread Brendan L via blfs-dev
On Sun, Sep 2, 2018 at 4:13 AM, DJ Lucas  wrote:
>
> Finally added this in git version. Sorry it took me so long.
>

No problem, by the way I also had to add the same to
update-pciids.service and update-usbids.service.

>
> Please open yet another bug report with Debian to get that part fixed
> properly. :-) I'm kidding. Debian has had a slightly broken setup for
> several years now, not that we didn't at one time either, but I imagine it's
> a much more difficult problem to solve for them - quite a few more packages
> - coordination would be a royal pain.
>
> Anyway, with current make-ca, you don't want it there before the script
> completes (so the directory is overwritten each time). I can't do this for
> LFS proper, but if you can commit to never running 'openssl c-rehash' on the
> directory manually, a suitable workaround is to simply add the following
> line to the end of the /usr/sbin/make-ca script (or really, anywhere after
> c_rehash is run in that script):
> ln -s ../ca-bundle.crt "${DESTDIR}${CERTDIR}/ca-certificates.crt"
>
> I'll be ditching c_rehash in the next version of that script (0.9), but
> p11-kit does the same thing with the directory in our use case (overwrite).
> Same workaround should be good, however, it must be moved to just before the
> last "fi" in the 0.9 version of make-ca, which should land in the
> development BLFS in a couple of days.
>
> HTH
>
>

Thanks for the info, that should definitely help with my use case.


Re: [blfs-dev] Oddities in testing a server build

2018-09-02 Thread Ken Moffat via blfs-dev
On Sat, Sep 01, 2018 at 10:46:02PM -0500, Bruce Dubbs via blfs-dev wrote:
> On 09/01/2018 07:38 PM, Ken Moffat via blfs-dev wrote:
> > 
> 
> http://www.linuxfromscratch.org/lfs/view/stable/chapter06/util-linux.html
> 
> First instruction.
> 

Thanks.  For some reason I commented it when applying the changes of
r11437 (remove symlinks in sysv book) to my own scripts.
> 
> > 2. Unable to serve files with apache.
> > 
> > I screwed up the configuration (used to serve from /raid/www/ on my
> > old test server, but /raid doesn't exist here).  Edited the config
> > to use /srv/www/books/ and set that, and the directories within it,
> > to 755 all the way down.  Rebooted, but trying to browse to
> > localhost, or to this machine from a desktop, still gets 403.
> 
> Shouldn't have to reboot: '/etc/init.d/httpd restart' should do it
> 
> Did you look at /var/log/httpd/*.log ?  Sounds like a permissions problem to
> me, but it could be configuration.
> 

Didn't need to reboot for that part, but wanted to for other
reasons.  Yes, I did look at the error log, but all it said was
client denied by server configuration /srv/www/books.

I think I'll rebuild apache (my subsequent configuration changes
things) and then run my updated configuration.

> > 3. Cannot use svn+ssh to lfs - I've copied the keys from the old
> > test server (same as on my real server), and copied an old version
> > of the BLFS repo (from a few months ago).  But svn up fails.
> > 
> > This latter seems critical - no point in me updating.
> > 
> > Sorry to not have time to find this out until we've released.
> 
> Just get 'ssh higgs.linuxfromscratch.org' to work.  That's what svn is doing
> under the hood (bonnet?).
> 
> That should really only rely on what is in ~/.ssh
> 
> In ~/.ssh/config. I have:
> 
> # Global
> 
> ServerAliveInterval 45
> ServerAliveCountMax 10
> Protocol 2
> IdentityFile ~/.ssh/
> 
> Host *.linuxfromscratch.org
> User 
> 
>   -- Bruce
> 
Thanks!  I'd forgotten about ~/.ssh (on my desktop machines I only
normally ssh to my local server).

ĸen
-- 
 Also Spuke Zerothruster
 (Finnegans Wake)


Re: [blfs-dev] Certificate updating

2018-09-02 Thread DJ Lucas via blfs-dev



On 02/13/2018 03:35 PM, Brendan L wrote:
> Hey, I think I've spotted an issue with the update-pki.service file in
> the make-ca package.  On my system the update would always fail, when
> looking at my logs it was because it would try to run before I had a
> network connection.  My solution after reading this:
>
> https://www.freedesktop.org/wiki/Software/systemd/NetworkTarget/
>
> Change this:
>
> After=local-fs.target
> Before=shutdown.target
>
> To this:
>
> After=local-fs.target network-online.target
> Before=shutdown.target
> Wants=network-online.target

Finally added this in git version. Sorry it took me so long.

> Another issue I have, and might be something blfs doesn't support, is
> when updating the certificates it deletes my
> /etc/ssl/certs/ca-certificates.crt link to ca-bundle.crt.  I need that
> link because steam requires it.  Not a huge deal, just annoying to
> have to remember to recreate it when it's deleted.


Please open yet another bug report with Debian to get that part fixed 
properly. :-) I'm kidding. Debian has had a slightly broken setup for 
several years now, not that we didn't at one time either, but I imagine 
it's a much more difficult problem to solve for them - quite a few more 
packages - coordination would be a royal pain.


Anyway, with current make-ca, you don't want it there before the script 
completes (so the directory is overwritten each time). I can't do this 
for LFS proper, but if you can commit to never running 'openssl 
c-rehash' on the directory manually, a suitable workaround is to simply 
add the following line to the end of the /usr/sbin/make-ca script (or 
really, anywhere after c_rehash is run in that script):

ln -s ../ca-bundle.crt "${DESTDIR}${CERTDIR}/ca-certificates.crt"

I'll be ditching c_rehash in the next version of that script (0.9), but 
p11-kit does the same thing with the directory in our use case 
(overwrite). Same workaround should be good, however, it must be moved 
to just before the last "fi" in the 0.9 version of make-ca, which should 
land in the development BLFS in a couple of days.


HTH

--DJ
