Aug 11 2016
 

https://www.gofundme.com/2j8nnw4

I normally would not do this here but a friend of mine is in a bad spot, working two jobs, going to school and needs help. Please check it out and drop a $1.00, $2.00, $5.00 or whatever you can to help. She’s a single mom with two small kids who could use a hand and I know this killed her to ask for this… she does not know I am dropping this here…

I’ve been here long enough to know how generous, kind and awesome my fellow g33k’s are in helping those who have hit a rough spot in life…

Thanks for anything you can do to help in advance…

(p.s. she’s an awesome mom and deserves a break!)

https://www.gofundme.com/2j8nnw4

Jun 17 2016
 

The Problem:

There is an issue on CloudLinux 6.8 and CentOS 6.8 servers with the nss package version 3.21.0-8. The symptom is either of the following:

curl https://google.com > /dev/null
Illegal instruction (core dumped)

or

rhn_check
Illegal instruction (core dumped)

In both cases, the advised fix is to downgrade the nss packages to version 3.21.0-0.3.
The instructions differ between CloudLinux and CentOS.
 

CloudLinux

The older package is still in CloudLinux’s repositories, so this is easy. Run the following command and check that you are going to 3.21.0-0.3:

NSS_DISABLE_HW_GCM=1 yum downgrade nss nss-util nss-tools nss-sysinit

Then edit /etc/yum.conf:

vim /etc/yum.conf

adding nss* to the end of the exclude= line, like so:

exclude=courier* dovecot* exim* filesystem httpd* mod_ssl* mydns* mysql* nsd* php* proftpd* pure-ftpd* spamassassin* squirrelmail* nss*

Then, check your work with the following command

curl https://google.com > /dev/null

 

CentOS

CentOS is a bit more difficult, since everything just upgraded to CentOS 6.8 and the older package is not in the system repositories.

Create the file

touch /etc/yum.repos.d/nss-fix.repo

with the following contents:

[nss-fix]
name=repository used solely to fix nss
baseurl=http://vault.centos.org/6.7/updates/x86_64/
enabled=0
includepkgs=nss*
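# gpgcheck is left unset here, so this repo inherits the gpgcheck value from [main] in /etc/yum.conf
#gpgcheck=1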
priority=3

Then, run the following command and check that you are going to 3.21.0-0.3:

yum --enablerepo=nss-fix downgrade nss nss-sysinit nss-util nss-tools

Next, edit /etc/yum.conf:

vim /etc/yum.conf

adding nss* to the end of the exclude= line, like so:

exclude=courier* dovecot* exim* filesystem httpd* mod_ssl* mydns* mysql* nsd* php* proftpd* pure-ftpd* spamassassin* squirrelmail* nss*

Check your work with the following command

curl https://google.com > /dev/null
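
The yum.conf edit and the version check that close both procedures above can be scripted so they are repeatable across servers. This is an added example, not part of the original post; the function names add_exclude and release_ok are this example's own, and the release strings in its comments are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original post. add_exclude and release_ok
# are names chosen for this example.

WANT="3.21.0-0.3"   # version-release the article says to downgrade to

# add_exclude FILE PATTERN
# Append PATTERN to the exclude= line unless it is already listed. If the
# file has no exclude= line, add one directly under [main].
add_exclude() {
    conf=$1 pat=$2
    tmp=$(mktemp) || return 1
    awk -v pat="$pat" '
        NR == FNR { if (/^exclude[ \t]*=/) have = 1; next }  # pass 1: scan
        /^exclude[ \t]*=/ {                                  # pass 2: edit
            list = $0; sub(/^[^=]*=/, "", list)
            n = split(list, tok, /[ \t,]+/); dup = 0
            for (i = 1; i <= n; i++) if (tok[i] == pat) dup = 1
            if (!dup) $0 = $0 " " pat
        }
        { print }
        !have && /^\[main\]/ { print "exclude=" pat }
    ' "$conf" "$conf" > "$tmp" && cat "$tmp" > "$conf"   # keep owner and mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# release_ok VERSION-RELEASE
# True for the wanted build with or without a dist tag, so a constructed
# "3.21.0-0.3.el6_7" passes and "3.21.0-8.el6" does not.
release_ok() {
    case $1 in
        "$WANT" | "$WANT".*) return 0 ;;
        *) return 1 ;;
    esac
}

if [ "$#" -gt 0 ]; then   # e.g. sh pin-nss.sh /etc/yum.conf
    add_exclude "$1" 'nss*' || exit 1
    rpm -q --qf '%{VERSION}-%{RELEASE}\n' nss | while read -r v; do
        release_ok "$v" || { echo "nss is $v, expected $WANT" >&2; exit 1; }
    done || exit 1
    echo "nss* excluded in $1 and nss is at $WANT"
fi
```

Running it a second time leaves the exclude= line unchanged, so it is safe to include in a provisioning script.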
Jun 17 2016
 

tl;dr

  • When cPanel starts up, if it doesn’t have a valid SSL (which now means a properly signed SSL) it reissues its own SSL, or panics if it cannot.
  • cPanel is now requiring a valid hostname check (similar to Let’s Encrypt) as a part of that check.
  • Therefore, a server’s hostname now has to point at the server or cPanel will not start.
  • You will receive an email every day if the hostname doesn’t line up.
  • You have to touch a file to disable this, then run the script, and then it should be set.

Due to cPanel’s recent change to their self-signed SSLs, hostnames are required to have DNS entries. If this is not in place, they will not get a valid SSL, and therefore cPanel will start and cpsrvd will immediately fail. To correct this we need to fix the DNS entry for the server’s hostname and then run:

/usr/local/cpanel/bin/checkallsslcerts

Error from the /usr/local/cpanel/logs/error_log:

cpsrvd: Setting up native SSL support ... Could not load ssl libraries or certificate from /var/cpanel/ssl/cpanel/ at cpsrvd.pl line 554.
[[email protected]] cpanel:/usr/local/cpanel/bin/checkallsslcerts
The system failed to acquire a signed certificate from the cPanel Store because of an error: (XID y4txyq) “host.domain.com” does not resolve to any IPv4 addresses on the internet.

Updating DNS for the hostname and then running the check again will resolve the issue. If you do not have access to the customer’s DNS, this will require them to modify the DNS entries at the registrar and cPanel/WHM will remain down until that change is made.

Additionally, this may be a concern when DNS cannot be changed (or should not be changed for some reason). When this is the case, you can skip the cPanel-signed SSL. If you touch this file,

/var/cpanel/ssl/disable_auto_hostname_certificate

the system will no longer order, download, and install a free cPanel-signed hostname certificate.
https://documentation.cpanel.net/display/ALD/Manage+>Service+SSL+Certificates has more information on this. After touching this file, you can run

/usr/local/cpanel/bin/checkallsslcerts

to get a self-signed SSL on the services.

p.s. You must restart cPanel after updating the SSL certs.
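
A preflight for the hostname requirement described above, as an added example that is not cPanel's code or part of the original post. It assumes dig and ip are installed, uses 8.8.8.8 as a stand-in outside resolver (override with RESOLVER), and assumes the server holds its public address directly; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not cPanel code: check the hostname's public A records
# before running /usr/local/cpanel/bin/checkallsslcerts.

# classify RESOLVED LOCAL
# Both arguments are whitespace-separated IPv4 lists. Returns:
#   0  an A record points at this server
#   1  the name resolves, but to another machine
#   2  no IPv4 address at all (the error quoted from checkallsslcerts)
classify() {
    [ -n "$1" ] || return 2
    for a in $1; do
        for l in $2; do
            [ "$a" = "$l" ] && return 0
        done
    done
    return 1
}

# A records as an outside resolver sees them, so an /etc/hosts entry on
# the server cannot mask a missing public record. 8.8.8.8 is an assumed
# default resolver.
public_a() {
    dig +short A "$1" @"${RESOLVER:-8.8.8.8}" | grep -E '^[0-9]+(\.[0-9]+){3}$'
}

# Global-scope IPv4 addresses configured on this machine. Behind NAT this
# list will not contain the public address.
local_ipv4() {
    ip -4 -o addr show scope global | awk '{ sub(/\/.*/, "", $4); print $4 }'
}

if [ "$#" -gt 0 ]; then   # e.g. sh preflight.sh "$(hostname -f)"
    classify "$(public_a "$1")" "$(local_ipv4)"
    case $? in
        0) echo "$1 points here; checkallsslcerts can be run" ;;
        1) echo "$1 resolves to another machine; fix the A record" >&2; exit 1 ;;
        2) echo "$1 has no public A record; fix DNS or use the disable file" >&2; exit 2 ;;
    esac
fi
```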

Jun 08 2016
 

Check it! Nice…

[Image: bootfail2]

Full size image here (7000×7000) or here:

 Posted by at 11:55 am
May 28 2016
 

Hey all,

We all know the feeling of dread (e.g. pucker) when a linecard goes down because someone uploaded and then rebooted into a corrupt IOS on a core router and the phones start ringing off the hook… le sigh…

Here. It. Comes.

I AM LOSING THOUSANDS OF DOLLARS A SECOND….!!!

In having to deal with this and a multitude of other issues which caused clients “concern”, I have found that the following thoughts and ideas can shape your perspective on how to address a client’s concerns in a manner that is beneficial to both you and them and that ultimately addresses the overriding issue at hand, which is the primary goal. (Is some of it positive psychological manipulation? Yup… Knowing and understanding human behavior is the best way to deal with any issue, even in such a temporary client/vendor relationship as addressing a new issue.)

 Posted by at 11:18 am