flyinweb's blog

VMware vCenter Converter导入计算机时出错

shanyiwan@live.com(flyinweb) — Fri, 03 Feb 2012 03:20:11 GMT

VMware vCenter Converter导入计算机时出错，对话框内容如下：

---------------------------
VMware vCenter Converter
---------------------------
出现错误。此错误的原因可能由网络连接故障所致。
向导将立即关闭。
请检查网络连接并重试。
---------------------------
确定
---------------------------

解决办法：

重启以下服务：

VMware vCenter Converter Integrated Server

VMware vCenter Converter Integrated Worker

mysql-mmm Installation Guide

shanyiwan@live.com(flyinweb) — Tue, 31 Jan 2012 08:19:48 GMT

A basic installation contains at least 2 database servers and 1 monitoring server. In this guide, I used 5 servers with Debian Lenny (5.0)

function	ip	hostname	server id
monitoring host	192.168.0.10	mon	-
master 1	192.168.0.11	db1	1
master 2	192.168.0.12	db2	2
slave 1	192.168.0.13	db3	3
slave 2	192.168.0.14	db4	4

I used the following virtual IPs. They will be distributed across the hosts by MMM.

ip	role	description
192.168.0.100	writer	Your application should connect to this IP for write queries.
192.168.0.101	reader	Your application should connect to one of these four IPs for read queries
192.168.0.102	reader
192.168.0.103	reader
192.168.0.104	reader

Basic configuration of master 1

First we install MySQL on all hosts:

aptitude install mysql-server

Then we edit the configuration file /etc/mysql/my.cnf and add the following lines - be sure to use different server ids for all hosts:

server_id           = 1
log_bin             = /var/log/mysql/mysql-bin.log 
log_bin_index       = /var/log/mysql/mysql-bin.log.index 
relay_log           = /var/log/mysql/mysql-relay-bin 
relay_log_index     = /var/log/mysql/mysql-relay-bin.index 
expire_logs_days    = 10 
max_binlog_size     = 100M 
log_slave_updates   = 1

Then remove the following entry:

bind-address = 127.0.0.1

Do not bind of any specific IP, use 0.0.0.0 instead:

bind-address = 0.0.0.0

Afterwards we need to restart MySQL for our changes to take effect:

/etc/init.d/mysql restart

Create users

Now we can create the required users. We'll need 3 different users:

function	description	privileges
monitor user	used by the mmm monitor to check the health of the MySQL servers	REPLICATION CLIENT
agent user	used by the mmm agent to change read-only mode, replication master, etc.	SUPER, REPLICATION CLIENT, PROCESS
relication user	used for replication	REPLICATION SLAVE

GRANT REPLICATION CLIENT                 ON *.* TO 'mmm_monitor'@'192.168.0.%' IDENTIFIED BY 'monitor_password';
GRANT SUPER, REPLICATION CLIENT, PROCESS ON *.* TO 'mmm_agent'@'192.168.0.%'   IDENTIFIED BY 'agent_password';
GRANT REPLICATION SLAVE                  ON *.* TO 'replication'@'192.168.0.%' IDENTIFIED BY 'replication_password';

Note: We could be more restrictive here regarding the hosts from which the users are allowed to connect: mmm_monitor is used from 192.168.0.10. mmm_agent and replication are used from 192.168.0.11 - 192.168.0.14.

Synchronisation of data between both databases

I'll assume that db1 contains the correct data. If you have an empty database, you still have to syncronize the accounts we have just created.

First make sure that no one is altering the data while we create a backup.

(db1) mysql> FLUSH TABLES WITH READ LOCK;

Then get the current position in the binary-log. We will need this values when we setup the replication on db2, db3 and db4.

(db1) mysql> SHOW MASTER STATUS;
+------------------+----------+--------------+------------------+
| File             | Position | Binlog_Do_DB | Binlog_Ignore_DB |
+------------------+----------+--------------+------------------+ 
| mysql-bin.000002 |      374 |              |                  | 
+------------------+----------+--------------+------------------+ 
1 row in set (0.00 sec)

DON'T CLOSE this mysql-shell. If you close it, the database lock will be removed. Open a second console and type:

db1$ mysqldump -u root -p --all-databases > /tmp/database-backup.sql

Now we can remove the database-lock. Go to the first shell:

(db1) mysql> UNLOCK TABLES;

Copy the database backup to db2, db3 and db4.

db1$ scp /tmp/database-backup.sql <user>@192.168.0.12:/tmp
db1$ scp /tmp/database-backup.sql <user>@192.168.0.13:/tmp
db1$ scp /tmp/database-backup.sql <user>@192.168.0.14:/tmp

Then import this into db2, db3 and db4:

db2$ mysql -u root -p < /tmp/database-backup.sql
db3$ mysql -u root -p < /tmp/database-backup.sql
db4$ mysql -u root -p < /tmp/database-backup.sql

Then flush the privileges on db2, db3 and db4. We have altered the user-table and mysql has to reread this table.

(db2) mysql> FLUSH PRIVILEGES;
(db3) mysql> FLUSH PRIVILEGES;
(db4) mysql> FLUSH PRIVILEGES;

On debian and ubuntu, copy the passwords in /etc/mysql/debian.cnf from db1 to db2, db3 and db4. This password is used for starting and stopping mysql.

Both databases now contain the same data. We now can setup replication to keep it that way.

Note: Import just only add records from dump file. You should drop all databases before import dump file.

Setup replication

Configure replication on db2, db3 and db4 with the following commands:

(db2) mysql> CHANGE MASTER TO master_host='192.168.0.11', master_port=3306, master_user='replication', 
              master_password='replication_password', master_log_file='<file>', master_log_pos=<position>;
(db3) mysql> CHANGE MASTER TO master_host='192.168.0.11', master_port=3306, master_user='replication', 
              master_password='replication_password', master_log_file='<file>', master_log_pos=<position>;
(db4) mysql> CHANGE MASTER TO master_host='192.168.0.11', master_port=3306, master_user='replication', 
              master_password='replication_password', master_log_file='<file>', master_log_pos=<position>;

Please insert the values return by “show master status” on db1 at the <file> and <position> tags.

Start the slave-process on all 3 hosts:

(db2) mysql> START SLAVE;
(db3) mysql> START SLAVE;
(db4) mysql> START SLAVE;

Now check if the replication is running correctly on all hosts:

(db2) mysql> SHOW SLAVE STATUS\G
*************************** 1. row *************************** 
             Slave_IO_State: Waiting for master to send event 
                Master_Host: 192.168.0.11
                Master_User: replication
                Master_Port: 3306 
              Connect_Retry: 60 
…
(db3) mysql> SHOW SLAVE STATUS\G
*************************** 1. row *************************** 
             Slave_IO_State: Waiting for master to send event 
                Master_Host: 192.168.0.11
                Master_User: replication
                Master_Port: 3306 
              Connect_Retry: 60 
…
(db4) mysql> SHOW SLAVE STATUS\G
*************************** 1. row *************************** 
             Slave_IO_State: Waiting for master to send event 
                Master_Host: 192.168.0.11
                Master_User: replication
                Master_Port: 3306 
              Connect_Retry: 60 
…

Now we have to make db1 replicate from db2. First we have to determine the values for master_log_file and master_log_pos:

(db2) mysql> SHOW MASTER STATUS;
+------------------+----------+--------------+------------------+ 
| File             | Position | Binlog_Do_DB | Binlog_Ignore_DB | 
+------------------+----------+--------------+------------------+ 
| mysql-bin.000001 |       98 |              |                  |
+------------------+----------+--------------+------------------+ 
1 row in set (0.00 sec)

Now we configure replication on db1 with the following command:

(db1) mysql> CHANGE MASTER TO master_host = '192.168.0.12', master_port=3306, master_user='replication',
              master_password='replication_password', master_log_file='<file>', master_log_pos=<position>;

Now insert the values return by “show master status” on db2 at the <file> and <position> tags.

Start the slave-process:

(db1) mysql> START SLAVE;

Now check if the replication is running correctly on db1:

(db1) mysql> SHOW SLAVE STATUS\G
*************************** 1. row *************************** 
             Slave_IO_State: Waiting for master to send event 
                Master_Host: 192.168.0.12
                Master_User: <replication>
                Master_Port: 3306 
              Connect_Retry: 60 
…

Replication between the nodes should now be complete. Try it by inserting some data into both db1 and db2 and check that the data will appear on all other nodes.

Install MMM

Create user

Optional: Create user that will be the owner of the MMM scripts and configuration files. This will provide an easier method to securely manage the monitor scripts.

useradd --comment "MMM Script owner" --shell /sbin/nologin mmmd

Monitoring host

First install dependencies:

aptitude install liblog-log4perl-perl libmailtools-perl liblog-dispatch-perl libclass-singleton-perl libproc-daemon-perl libalgorithm-diff-perl libdbi-perl libdbd-mysql-perl

Then fetch the latest mysql-mmm-common*.deb and mysql-mmm-monitor*.deb and install it:

dpkg -i mysql-mmm-common_*.deb mysql-mmm-monitor*.deb

Database hosts

On UbuntuFirst install dependencies:

aptitude install liblog-log4perl-perl libmailtools-perl liblog-dispatch-perl iproute libnet-arp-perl libproc-daemon-perl libalgorithm-diff-perl libdbi-perl libdbd-mysql-perl

Then fetch the latest mysql-mmm-common*.deb and mysql-mmm-agent*.deb and install it:

dpkg -i mysql-mmm-common_*.deb mysql-mmm-agent_*.deb

On RedHat

yum install -y mysql-mmm-agent

This will take care of all the dependencies, which may include:

Installed:

mysql-mmm-agent.noarch 0:2.2.1-1.el5

Dependency Installed:

libart_lgpl.x86_64 0:2.3.17-4                                                 
mysql-mmm.noarch 0:2.2.1-1.el5                                                
perl-Algorithm-Diff.noarch 0:1.1902-2.el5                                     
perl-DBD-mysql.x86_64 0:4.008-1.rf                                            
perl-DateManip.noarch 0:5.44-1.2.1                                            
perl-IPC-Shareable.noarch 0:0.60-3.el5                                        
perl-Log-Dispatch.noarch 0:2.20-1.el5                                         
perl-Log-Dispatch-FileRotate.noarch 0:1.16-1.el5                              
perl-Log-Log4perl.noarch 0:1.13-2.el5                                         
perl-MIME-Lite.noarch 0:3.01-5.el5                                            
perl-Mail-Sender.noarch 0:0.8.13-2.el5.1                                      
perl-Mail-Sendmail.noarch 0:0.79-9.el5.1                                      
perl-MailTools.noarch 0:1.77-1.el5                                            
perl-Net-ARP.x86_64 0:1.0.6-2.1.el5                                           
perl-Params-Validate.x86_64 0:0.88-3.el5                                      
perl-Proc-Daemon.noarch 0:0.03-1.el5                                          
perl-TimeDate.noarch 1:1.16-5.el5                                             
perl-XML-DOM.noarch 0:1.44-2.el5                                              
perl-XML-Parser.x86_64 0:2.34-6.1.2.2.1                                       
perl-XML-RegExp.noarch 0:0.03-2.el5                                           
rrdtool.x86_64 0:1.2.27-3.el5                                                 
rrdtool-perl.x86_64 0:1.2.27-3.el5

Configure MMM

All generic configuration-options are grouped in a separate file called /etc/mysql-mmm/mmm_common.conf. This file will be the same on all hosts in the system:

active_master_role          writer
<host default>
    cluster_interface       eth0
    pid_path                /var/run/mmmd_agent.pid
    bin_path                /usr/lib/mysql-mmm/
    replication_user        replication
    replication_password    replication_password
    agent_user              mmm_agent
    agent_password          agent_password
</host>
<host db1>
    ip                      192.168.0.11
    mode                    master
    peer                    db2
</host>
<host db2>
    ip                      192.168.0.12
    mode                    master
    peer                    db1
</host>
<host db3>
    ip                      192.168.0.13
    mode                    slave
</host>
<host db4>
    ip                      192.168.0.14
    mode                    slave
</host>
<role writer>
    hosts                   db1, db2
    ips                     192.168.0.100
    mode                    exclusive
</role>
<role reader>
    hosts                   db1, db2, db3, db4
    ips                     192.168.0.101, 192.168.0.102, 192.168.0.103, 192.168.0.104
    mode                    balanced
</role>

Don't forget to copy this file to all other hosts (including the monitoring host).

On the database hosts we need to edit /etc/mysql-mmm/mmm_agent.conf. Change “db1” accordingly on the other hosts:

include mmm_common.conf
this db1

On the monitor host we need to edit /etc/mysql-mmm/mmm_mon.conf:

include mmm_common.conf
<monitor>
    ip                      127.0.0.1
    pid_path                /var/run/mmmd_mon.pid
    bin_path                /usr/lib/mysql-mmm/
    status_path             /var/lib/misc/mmmd_mon.status
    ping_ips                192.168.0.1, 192.168.0.11, 192.168.0.12, 192.168.0.13, 192.168.0.14
</monitor>
<host default>
    monitor_user            mmm_monitor
    monitor_password        monitor_password
</host>
debug 0

ping_ips are some ips that are pinged to determine whether the network connection of the monitor is ok. I used my switch (192.168.0.1) and the four database server.

Start MMM

Start the agents

(On the database hosts)

Debian/Ubuntu

Edit /etc/default/mysql-mmm-agent to enable the agent:

ENABLED=1

Red Hat

RHEL/Fedora does not enable packages to start at boot time per default policy, so you might have to turn it on manually so the agents will start automatically when server is rebooted:

chkconfig mysql-mmm-agent on

Then start it:

/etc/init.d/mysql-mmm-agent start

Start the monitor

(On the monitoring host)Edit /etc/default/mysql-mmm-monitor to enable the monitor:

ENABLED=1

Then start it:

/etc/init.d/mysql-mmm-monitor start

Wait some seconds for mmmd_mon to start up. After a few seconds you can use mmm_control to check the status of the cluster:

mon$ mmm_control show
  db1(192.168.0.11) master/AWAITING_RECOVERY. Roles: 
  db2(192.168.0.12) master/AWAITING_RECOVERY. Roles: 
  db3(192.168.0.13) slave/AWAITING_RECOVERY. Roles: 
  db4(192.168.0.14) slave/AWAITING_RECOVERY. Roles:

Because its the first startup the monitor does not know our hosts, so it sets all hosts to state AWAITING_RECOVERY and logs a warning message:

mon$ tail /var/log/mysql-mmm/mmmd_mon.warn
…
2009/10/28 23:15:28  WARN Detected new host 'db1': Setting its initial state to 'AWAITING_RECOVERY'. Use 'mmm_control set_online db1' to switch it online.
2009/10/28 23:15:28  WARN Detected new host 'db2': Setting its initial state to 'AWAITING_RECOVERY'. Use 'mmm_control set_online db2' to switch it online.
2009/10/28 23:15:28  WARN Detected new host 'db3': Setting its initial state to 'AWAITING_RECOVERY'. Use 'mmm_control set_online db3' to switch it online.
2009/10/28 23:15:28  WARN Detected new host 'db4': Setting its initial state to 'AWAITING_RECOVERY'. Use 'mmm_control set_online db4' to switch it online.

Now we set or hosts online (db1 first, because the slaves replicate from this host):

mon$ mmm_control set_online db1
OK: State of 'db1' changed to ONLINE. Now you can wait some time and check its new roles!
mon$ mmm_control set_online db2
OK: State of 'db2' changed to ONLINE. Now you can wait some time and check its new roles!
mon$ mmm_control set_online db3
OK: State of 'db3' changed to ONLINE. Now you can wait some time and check its new roles!
mon$ mmm_control set_online db4
OK: State of 'db4' changed to ONLINE. Now you can wait some time and check its new roles!

mysql-mmm实现mysql高可用

shanyiwan@live.com(flyinweb) — Tue, 31 Jan 2012 08:04:20 GMT

一、MMM简介：

MMM即Master-Master Replication Manager for MySQL（mysql主主复制管理器）关于mysql主主复制配置的监控、故障转移和管理的一套可伸缩的脚本套件（在任何时候只有一个节点可以被写入），这个套件也能对居于标准的主从配置的任意数量的从服务器进行读负载均衡，所以你可以用它来在一组居于复制的服务器启动虚拟ip，除此之外，它还有实现数据备份、节点之间重新同步功能的脚本。

MySQL本身没有提供replication failover的解决方案，通过MMM方案能实现服务器的故障转移，从而实现mysql的高可用。

MMM项目来自 Google：http://code.google.com/p/mysql-master-master

官方网站为：http://mysql-mmm.org

Mmm主要功能由下面三个脚本提供

lmmm_mond负责所有的监控工作的监控守护进程，决定节点的移除等等

lmmm_agentd运行在mysql服务器上的代理守护进程，通过简单远程服务集提供给监控节点

lmmm_control通过命令行管理mmm_mond进程

二、mysql-mmm架构的搭建

1、先介绍下本文的环境：

系统环境：CentOS release 5.4（32bit）

server1 ip: 192.168.1.161 virtual read ip:192.168.1.111
server2 ip: 192.168.1.162 virtual read ip:192.168.1.112
server3 ip: 192.168.1.163 virtual write ip: 192.168.1.113

2、mysql-mmm架构配置简介：

u在server1、server2上安装mysql，并配置为master-master架构（就是互为主从）----------配置很简单，就不对着部分进行详细解释，有问题的话请查看：http://blog.chinaunix.net/u3/93755/showart.php?id=2213538

u在server1、server2，server3上安装mmm，并配置：mmm_common.conf、mmm_agent.conf以及mmm_mon.conf文件

3、Mysql-mmm实战

前提：server1和server2上已经配置好mysql主主同步

u安装mysql-mmm

CentOS软件仓库默认是不含这些软件的，必须要有epel这个包的支持。故我们必须先安装epel：

wget http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-4.noarch.rpm

rpm -Uvh epel-release-5-4.noarch.rpm

yum -y install mysql-mmm*

u配置mmm代理和监控账号的权限

在server1和server2上分别执行：

GRANT REPLICATION CLIENT ON *.* TO 'mmm_monitor'@'192.168.1.%' IDENTIFIED BY 'monitor_password';

GRANT SUPER, REPLICATION CLIENT, PROCESS ON *.* TO 'mmm_agent'@'192.168.1.%'IDENTIFIED BY 'agent_password';

flush privileges;

u配置mysql-mmm

所有的配置选项都集合在了一个叫/etc/mysql-mmm/mmm_common.conf的单独文件中，系统中所有主机的该文件内容都是一样的, 配置完后不要忘记了拷贝这个文件到所有的主机（包括监控主机）！，内容如下：

active_master_rolewriter

cluster_interfaceeth0

pid_path/var/run/mysql-mmm/mmm_agentd.pid

bin_path/usr/libexec/mysql-mmm/

#同步的帐号（这些要和前面设置的保持一致！）

replication_userreplication

replication_password123456#同步的密码

agent_usermmm_agent#mmm-agent用户名

agent_passwordagent_password#mmm-agent用户密码

</host>

ip192.168.1.161#db1的ip

modemaster

peerdb2

</host>

ip192.168.1.162#db2的ip

modemaster

peerdb1

</host>

hostsdb1, db2

ips192.168.1.113#设置写如的虚拟IP

modeexclusive

</role>

hostsdb1, db2

ips192.168.1.111, 192.168.1.112#设置读取的虚拟IP

modebalanced

</role>

在数据库主机上我们需要编辑/etc/mysql-mmm/mmm_agent.conf文件，根据其他主机的不同更改db1的值（db2就将db1更改成db2）：

include mmm_common.conf
this db1

在监控主机上我们需要编辑/etc/mysql-mmm/mmm_mon.conf文件：

include mmm_common.conf

ip127.0.0.1

pid_path/var/run/mysql-mmm/mmm_mond.pid

bin_path/usr/libexec/mysql-mmm

status_path/var/lib/mysql-mmm/mmm_mond.status

ping_ips192.168.1.161,192.168.1.162#监控服务器ip

auto_set_online60

# The kill_host_bin does not exist by default, though the monitor will

# throw a warning about it missing.See the section 5.10 "Kill Host

# Functionality" in the PDF documentation.

# kill_host_bin/usr/libexec/mysql-mmm/monitor/kill_host

</monitor>

monitor_usermmm_monitor#mmm_monitor用户名

monitor_passwordmonitor_password #mmm_monitor密码

</host>

debug 0

u启动MMM

启动代理：

（在数据库服务器上server1、2）编辑/etc/default/mysql-mmm-agent来开启：

ENABLED=1

然后启动它：

/etc/init.d/mysql-mmm-agent start

启动监控（在监控机上）：

/etc/init.d/mysql-mmm-monitor start

u利用mmm_control监控mysql服务器状态：

[root@server3 mysql-mmm]# mmm_control show

db1(192.168.1.161) master/ONLINE. Roles: reader(192.168.1.112), writer(192.168.1.113)

db2(192.168.1.162) master/ONLINE. Roles: reader(192.168.1.111)

u测试看两个mysql服务器能否实现故障自动切换

停掉作为写的db1上的mysql，查看写的服务器会不会自动转移到db2上去

停掉几秒钟后用mmm_control show查看：

[root@server3 mysql-mmm]# mmm_control show

db1(192.168.1.161) master/HARD_OFFLINE. Roles:

db2(192.168.1.162) master/ONLINE. Roles: reader(192.168.1.111), reader(192.168.1.112), writer(192.168.1.113)

我们可以看到已经把db2当作主写服务器

再来看看db1恢复后会是什么情况：

[root@server3 mysql-mmm]# mmm_control show

db1(192.168.1.161) master/ONLINE. Roles: reader(192.168.1.111)

db2(192.168.1.162) master/ONLINE. Roles: reader(192.168.1.112), writer(192.168.1.113)

我们可以看到当db1恢复后就充当slave的角色了！只有当db2挂了以后db1又会担当起主服务器的写入功能

ummm_control命令简介

[root@server3 mysql-mmm]# mmm_control help

Valid commands are:

help- show this message

#查看帮助信息

ping- ping monitor

#ping监控

show- show status

#查看状态信息

checks [<host>|all [<check>|all]] - show checks status

#显示检查状态，包括（ping、mysql、rep_threads、rep_backlog）

set_online <host>- set host <host> online

#设置某host为online状态

set_offline <host>- set host <host> offline

#设置某host为offline状态

mode- print current mode.

#打印当前的模式，是ACTIVE、MANUAL、PASSIVE？

#默认ACTIVE模式

set_active- switch into active mode.

#更改为active模式

set_manual- switch into manual mode.

#更改为manual模式

set_passive- switch into passive mode.

#更改为passive模式

move_role [--force] <role> <host> - move exclusive role <role> to host <host>

#更改host的模式，比如更改处于slave的mysql数据库角色为write

(Only use --force if you know what you are doing!)

set_ip <ip> <host>- set role with ip <ip> to host <host>

#为host设置ip，只有passive模式的时候才允许更改！

Diagnosing Windows Memory Problems

shanyiwan@live.com(flyinweb) — Mon, 30 Jan 2012 02:39:19 GMT

Overview

I can remember way back when how amazed I was to order a new desktop computer with 2MB of RAM. Even the days of ordering a server with 64MB of RAM seemed like sooooo much memory. And in case you missed it, those are values in megabytes. Naturally today’s systems are in another class altogether. And while I’d like to think the quality of memory manufacturing has also increased over the years, things can still go wrong.

Failing or faulty memory doesn’t always manifest itself with a huge announcement. In the event that Windows 7 or Windows Server 2008 detects such a problem, it will most likely prompt you to run the Windows Memory Diagnostic tool. But you can also manually run this tool anytime you’d like if you prefer to be a bit more proactive.

Using the Windows Memory Diagnostic Tool

You can manually launch the Windows Memory Diagnostic tool from the Administrator Tools menu short cut. Or if you prefer a command line approach run this:

C:\> mdsched

Alas, there do not appear to be any command line parameters. However you launch it you should get something like Figure 1.

Figure 1 Windows Memory Diagnostic

As the dialog suggests you can either reboot immediately or schedule the diagnostic for the next reboot. Whichever option you choose, upon reboot, the memory diagnostic will launch automatically and begin running. You will see something like Figure 2.

Figure 2 Running Memory Diagnostic

Press F1 to customize the tools. You can modify what tools are run and how many passes. Figure 3 shows the Basic tests that will be run. These tests run pretty quickly.

Figure 3 Basic Memory Tests

Figure 4 shows the Standard tests. This is the default behavior.

Figure 4 Standard Memory Tests

If you prefer a more thorough examination, select the Extended test mix, as shown in Figure 5.

By default, the diagnostic will run two passes, but you can tab down to the Pass Count section and put in a number between 0 and 99. I wish there was a way to set this when configuring the scheduled task, but I have yet to fine one.

Figure 5 Extended Memory Tests

Now, it would be nice to have a more granular selection of tests or even an explanation about what all these acronyms mean. But I guess that’s why we have search engines. In any event, all that really matters is if you pass or fail. Upon completion, the computer will automatically reboot. After you logon, you should get a balloon message in the system tray. It may take a few minutes for it to appear and it will fade away as Figure 6 demonstrates.

Figure 6 Memory Diagnostic Result

But at least I have no issues. You can also check the Windows event log for the results. Open the Event Viewer Management Console and select the System Event Log. Then do a search for MemoryDiagnostics-Results. Or if you’re using PowerShell, run a command like this:

PS C:\> get-eventlog system -after "12/26/2011 12:00PM"
-source Microsoft-Windows-MemoryDiagnostics-Results |
Select EntryType,InstanceID,Message |
format-list
EntryType : Information
InstanceId : 1201
Message : The Windows Memory Diagnostic tested the computer's memory
and detected no errors
EntryType : Information
InstanceId : 1101
Message : The Windows Memory Diagnostic tested the computer's memory
and detected no errors

I’m using the –After parameter to speed up my search to only return results from the last run.

Conclusion

You can run this tool on both Windows 7 and Windows Server 2008. It is a simple tool in some regards but it is free and readily available. I expect most of you will have vendor or OEM supplied tools for this sort of diagnostic, but if not this is a good place to start.

Apache编译失败及其解决方案

shanyiwan@live.com(flyinweb) — Fri, 13 Jan 2012 02:47:45 GMT

1、checking for SSL_set_cert_store... no
configure: error: ... Error, SSL/TLS libraries were missing or unusable

安装openssl,在编译参数中添加--with-ssl=/usr/local/ssl （ssl安装路径，根据安装的实际路径设置）

Nginx as an IMAP/POP3 proxy

shanyiwan@live.com(flyinweb) — Thu, 12 Jan 2012 03:55:12 GMT

At Gigahost we are managing a lot of mailboxes for our users.

At the moment these are all located on one high speced server with the outgoing SMTP split to another server.

We allow our users to connect via both IMAP and POP3 and support STARTTLS on ports 110/143 and SSL/TLS on ports 993/995.

Since we are constantly adding new users and these in turn add new mailboxes we are running out of options as to upgrade the current server. Hosting mailboxes via Courier, Dovecot or similar is very IO intensive and therefore in the long run disk IO becomes a problem.

The solution to this is ofcourse to scale the setup to more servers. Some hosting providers do this by simply adding users to a new mail server eg. mail2.example.com, mail3.example.com and so on.

What we would like to do is use a reverse proxy so that the user always connects to mail.gigahost.dk and the proxy ensures that the user is send to the correct server.

Enter nginx.

nginx is mostly known as the reverse proxy that drives sites such as youtube.com, wordpress.com, hulu.com, github.com and many many more.

But nginx can also act as an IMAP/POP3 proxy and does quite a good job at it.

Using nginx you can authenticate the mail user before she/he reaches the mailserver and specify i) if the user can be authenticated, ii) what server the user should be send to. You can infact also alter the username and do other magic stuff.

excerpt from nginx.conf

                http {
                  perl_modules  perl/lib;
                  perl_require  mailauth.pm;
            
                  server {
                    location /auth {
                      perl  mailauth::handler;
                    }
                  }
                }
            
                mail {
                  auth_http  127.0.0.1:80/auth;
                  auth_http_header X-NGX-Auth-Key "some secret";
            
                  imap_auth plain login cram-md5;
                  pop3_auth plain apop cram-md5;
                }

In the above excerpts you will see that I use the embedded perl module in nginx (you must add this a compile time). This serves up the mailauth.pm script on port 80.

Be aware that the embedded perl parser blocks the current nginx process – so you might consider running a few and ensure that the script executes fast.

The auth_http setting in the nginx config is where the magic happens. This points to the HTTP server that handles the authentication and find the server the connection should be proxied to.

mailauth.pm

                package mailauth;
                use Digest::HMAC_MD5 qw/ hmac_md5_hex /;
                use nginx;
                use DBI;
                use URI::Escape;
                my $dsn="DBI:mysql:database=postfix;host=10.0.0.1";
                our $dbh=DBI->connect_cached($dsn, 'mail-proxy', 'p@ssword', {AutoCommit => 1, mysql_auto_reconnect => 1});
              
                our $auth_ok;
                our $protocol_ports={};
                $protocol_ports->{'pop3'}=110;
                $protocol_ports->{'imap'}=143;
                $protocol_ports->{'smtp'}=25;
              
                sub handler {
                  if (!$dbh->ping()) {
                    ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst)=localtime(time);
                    $dbh=DBI->connect_cached($dsn, 'mail-proxy', 'p@ssword', {AutoCommit => 1, mysql_auto_reconnect => 1});
                    printf STDERR "%4d/%02d/%02d %02d:%02d:%02d [notice] : MySQL server connection lost. Reconnecting.\n", $year+1900,$mon+1,$mday,$hour,$min,$sec;
                  }
                  
                  my $r = shift;
              
                  my $auth_method = $r->header_in("Auth-Method");
                  my $username = uri_unescape($r->header_in("Auth-User"));
                  my $password = uri_unescape($r->header_in("Auth-Pass"));
                  my $salt = $r->header_in("Auth-Salt");
              
                  our $sth=$dbh->prepare("select clear from users where email=? limit 1"); 
                  $sth->execute($username);
                  my $hash=$sth->fetchrow_hashref();
                  my $real_password = $hash->{'clear'};
              
                  # Authorize user
                  if (($auth_method eq "plain" && $password eq $real_password) or
                    ($auth_method eq "cram-md5" && $password eq hmac_md5_hex($salt, $real_password))) {
                    # Auth OK, find mail server
                    our $sth=$dbh->prepare("select destination_mailstore from transport where domain=? limit 1"); 
                    my $domain = $r->header_in("Auth-User");
                    $domain =~ s/^.*@//; # remove @ and everything before 
                    $sth->execute($domain);
                    my $hash=$sth->fetchrow_hashref();
                    my $mailserver = $hash->{'destination_mailstore'};
                    $mailserver =~ s/smtp://;
              
                    $r->header_out("Auth-User", $username);
                    $r->header_out("Auth-Pass", $real_password);
                    $r->header_out("Auth-Status", "OK");
                    $r->header_out("Auth-Server", $mailserver);
                    $r->header_out("Auth-Port", $protocol_ports->{$r->header_in("Auth-Protocol")});
                    
                    # Shared secret to ensure that the request comes from this script
                    $r->header_out("X-NGX-Auth-Key", "some secret");
                  } else {
                    $r->header_out("Auth-Status", "Invalid login or password");
                  }
              
                  $r->send_http_header("text/html");
              
                  return OK;
                }
              
                1;
                __END__

The above script supports both plain and CRAM-MD5 authentication. The request headers set by nginx are visible as header_in("...") and the response headers that the script sets are header_out.

It should be pretty self-explanatory what the script does and how. The main feature here is ofcourse setting the Auth-Server response header to the mailserver where you would like to point the user.

UPDATE 2011/02/08:
nginx sends the HTTP headers for the auth script urlencoded. Therefore it is emparative that they be decoded so passwords like my little p%ony works.

I’ve updated the script here to make use of the Perl uri library (you might have to install this).

Also I’ve added a small check to ensure that the MySQL connection is still alive and if not reconnect.

It seems that either my Perl script or the nginx embedded Perl module suffers from memory leaks.

Now, the easy way to fix this would be to run a /etc/init.d/nginx restart every so often. However, that would of course suck.

So I started looking into alternative ways, using FastCGI to serve the authentication script.

The normal fcgiwrapper in Debian was way to slow though. Handling only about 30 requests/sec.

Enter FCGI-Daemon by Dmitry Smirnov. It works by keeping the processes alive not respawning Perl on every request.

With this I was able to achieve 2500-3000 request/sec. More than enough to handle IMAP/POP3 authentications.

I’ve included an updated authentication script for use with this.

auth.pl

               #!/usr/bin/perl
            
               use Digest::HMAC_MD5 qw/ hmac_md5_hex /;
               use DBI;
               use URI::Escape;
               use CGI;
            
               print "Content-type: text/html\n";
            
               my $q = CGI->new;
               my $auth_shared_secret = $q->http("X-NGX-Auth-Key");
            
               # Shared secret to ensure that the request comes from nginx
               if ( $auth_shared_secret ne "your secret" ) {
                 print "Auth-Status: Authentication failed.\n\n";
                 print STDERR "Wrong X-NGC-Auth-Key $auth_shared_secret";
                 exit(0);
               }
            
               my $dsn = "DBI:mysql:database=postfix;host=1.2.3.4";
               our $dbh =
                 DBI->connect_cached( $dsn, 'mailproxy', 'p@ssw0rd',
                   { AutoCommit => 1, mysql_auto_reconnect => 1 } );
            
               our $auth_ok;
               our $protocol_ports = {};
               $protocol_ports->{'pop3'} = 110;
               $protocol_ports->{'imap'} = 143;
               $protocol_ports->{'smtp'} = 25;
            
               if ( !defined $dbh || !$dbh->ping() ) {
                   ( $sec, $min, $hour, $mday, $mon, $year, $wday, $yday, $isdst ) =
                     localtime(time);
                   $dbh =
                     DBI->connect_cached( $dsn, 'mailproxy', 'p@ssw0rd',
                       { AutoCommit => 1, mysql_auto_reconnect => 1 } );
                   printf STDERR
               "%4d/%02d/%02d %02d:%02d:%02d [notice] : MySQL server connection lost. Reconnecting.\n",
                     $year + 1900, $mon + 1, $mday, $hour, $min, $sec;
               }
            
               my $auth_method = $q->http("Auth-Method");
               my $username    = uri_unescape( $q->http("Auth-User") );
               my $password    = uri_unescape( $q->http("Auth-Pass") );
               my $salt        = $q->http("Auth-Salt");
            
               our $sth = $dbh->prepare("select clear from users where email=? limit 1");
               $sth->execute($username);
               my $hash          = $sth->fetchrow_hashref();
               my $real_password = $hash->{'clear'};
            
               # Authorize user
               if (
                   ( $auth_method eq "plain" && $password eq $real_password )
                   or (   $auth_method eq "cram-md5"
                       && $password eq hmac_md5_hex( $salt, $real_password ) )
                 )
               {
            
                   # Auth OK, find mail server
                   our $sth = $dbh->prepare(
                       "select destination_mailstore from transport where domain=? limit 1");
                   my $domain = $q->http("Auth-User");
            
                   # remove @ and everything before
                   $domain =~ s/^.*@//;
                   $sth->execute($domain);
                   my $hash       = $sth->fetchrow_hashref();
                   my $mailserver = $hash->{'destination_mailstore'};
                   $mailserver =~ s/smtp://;
            
                   print "Auth-User: $username\n";
                   print "Auth-Pass: $real_password\n";
                   print "Auth-Status: OK\n";
                   print "Auth-Server: $mailserver\n";
                   $auth_port = $protocol_ports->{ $q->http("Auth-Protocol") };
                   print "Auth-Port: $auth_port\n";
               }
               else {
                   print "Auth-Status: Authentication failed.\n";
               }
            
               print "\n";

#!/usr/bin/perl
use Digest::HMAC_MD5 qw/ hmac_md5_hex /;
use DBI;
use URI::Escape;
use CGI;
print "Content-type: text/html\n";
my $q = CGI->new;
my $auth_shared_secret = $q->http("X-NGX-Auth-Key");
# Shared secret to ensure that the request comes from nginx
if ( $auth_shared_secret ne "your secret" ) {
  print "Auth-Status: Authentication failed.\n\n";
  print STDERR "Wrong X-NGC-Auth-Key $auth_shared_secret";
  exit(0);
}
my $dsn = "DBI:mysql:database=postfix;host=1.2.3.4";
our $dbh =
  DBI->connect_cached( $dsn, 'mailproxy', 'p@ssw0rd',
    { AutoCommit => 1, mysql_auto_reconnect => 1 } );
our $auth_ok;
our $protocol_ports = {};
$protocol_ports->{'pop3'} = 110;
$protocol_ports->{'imap'} = 143;
$protocol_ports->{'smtp'} = 25;
if ( !defined $dbh || !$dbh->ping() ) {
    ( $sec, $min, $hour, $mday, $mon, $year, $wday, $yday, $isdst ) =
      localtime(time);
    $dbh =
      DBI->connect_cached( $dsn, 'mailproxy', 'p@ssw0rd',
        { AutoCommit => 1, mysql_auto_reconnect => 1 } );
    printf STDERR
"%4d/%02d/%02d %02d:%02d:%02d [notice] : MySQL server connection lost. Reconnecting.\n",
      $year + 1900, $mon + 1, $mday, $hour, $min, $sec;
}
my $auth_method = $q->http("Auth-Method");
my $username    = uri_unescape( $q->http("Auth-User") );
my $password    = uri_unescape( $q->http("Auth-Pass") );
my $salt        = $q->http("Auth-Salt");
our $sth = $dbh->prepare("select clear from users where email=? limit 1");
$sth->execute($username);
my $hash          = $sth->fetchrow_hashref();
my $real_password = $hash->{'clear'};
# Authorize user
if (
    ( $auth_method eq "plain" && $password eq $real_password )
    or (   $auth_method eq "cram-md5"
        && $password eq hmac_md5_hex( $salt, $real_password ) )
  )
{
    # Auth OK, find mail server
    our $sth = $dbh->prepare(
        "select destination_mailstore from transport where domain=? limit 1");
    my $domain = $q->http("Auth-User");
    # remove @ and everything before
    $domain =~ s/^.*@//;
    $sth->execute($domain);
    my $hash       = $sth->fetchrow_hashref();
    my $mailserver = $hash->{'destination_mailstore'};
    $mailserver =~ s/smtp://;
    print "Auth-User: $username\n";
    print "Auth-Pass: $real_password\n";
    print "Auth-Status: OK\n";
    print "Auth-Server: $mailserver\n";
    $auth_port = $protocol_ports->{ $q->http("Auth-Protocol") };
    print "Auth-Port: $auth_port\n";
}
else {
    print "Auth-Status: Authentication failed.\n";
}
print "\n";

基于nginx的pop3/imap/smtp的反向代理解决方案

shanyiwan@live.com(flyinweb) — Thu, 12 Jan 2012 03:44:05 GMT

1、Using a php script on apache server as the auth backend

Start with the configuration from NginxImapProxyExample. For detail information about different configuration parameters, see the NginxMailCoreModule page.

Your Proxy server for pop/imap is running on 192.168.1.1
You have 2 backend pop/imap servers: 192.168.1.22 and 192.168.1.33
You have a webserver that you will use for the authentication and redirection logic 192.168.1.44.
The authentication script is /mail/auth.php

nginx.conf

user  nobody;  
worker_processes  1;  
error_log  logs/error.log  info;  
pid        logs/nginx.pid;  
 
events {  
  worker_connections  1024;  
  multi_accept on;  
}  
 
mail {  
  auth_http  192.168.1.44:80/mail/auth.php;  
  pop3_capabilities  "TOP"  "USER";  
  imap_capabilities  "IMAP4rev1"  "UIDPLUS";  
 
  server {  
    listen     110;  
    protocol   pop3;  
    proxy      on;  
  }  
 
  server {  
    listen     143;  
    protocol   imap;  
    proxy      on;  
  }  
}

/mail/auth.php

<?php  
/*  
Nginx sends headers as  
Auth-User: somuser  
Auth-Pass: somepass  
On my php app server these are seen as  
HTTP_AUTH_USER and HTTP_AUTH_PASS  
*/ 
if (!isset($_SERVER["HTTP_AUTH_USER"] ) || !isset($_SERVER["HTTP_AUTH_PASS"] )){  
  fail();  
}  
$username=$_SERVER["HTTP_AUTH_USER"] ;  
$userpass=$_SERVER["HTTP_AUTH_PASS"] ;  
$protocol=$_SERVER["HTTP_AUTH_PROTOCOL"] ;  
// default backend port  
$backend_port=110;  
if ($protocol=="imap") {  
  $backend_port=143;  
}  
if ($protocol=="smtp") {  
  $backend_port=25;  
}  
// nginx likes ip address so if your  
// application gives back hostname, convert it to ip address here  
$backend_ip["mailhost01"] ="192.168.1.22";  
$backend_ip["mailhost02"] ="192.168.1.33";  
// Authenticate the user or fail  
if (!authuser($username,$userpass)){  
  fail();  
  exit;  
}  
// Get the server for this user if we have reached so far  
$userserver=getmailserver($username);  
// Get the ip address of the server  
// We are assuming that you backend returns hostname  
// We try to get the ip else return what we got back  
$server_ip=(isset($backend_ip[$userserver]))?$backend_ip[$userserver] :$userserver;  
// Pass!  
pass($server_ip, $backend_port);  
   
//END  
   
   
function authuser($user,$pass){  
  // put your logic here to authen the user to any backend  
  // you want (datbase, ldap, etc)  
  // for example, we will just return true;  
  return true;  
}  
   
function getmailserver($user){  
  // put the logic here to get the mailserver  
  // backend for the user. You can get this from  
  // some database or ldap etc  
  // dummy logic, all users that start with a,c,f and g get mailhost01  
  // the others get mailhost02  
  if in_array(substr($user,0,1), array("a", "c", "f", "g")){  
    return "mailhost01";  
  } else {  
    return "mailhost02";  
  }  
}  
   
function fail(){  
  header("Auth-Status: Invalid login or password");  
  exit;  
}  
   
function pass($server,$port){  
  header("Auth-Status: OK");  
  header("Auth-Server: $server");  
  header("Auth-Port: $port");  
  exit;  
}  
?>

Retrieved from "http://wiki.nginx.org/index.php?title=ImapAuthenticateWithApachePhpScript&oldid=178"

2、基于nginx的pop3/imap/smtp的反向代理解决方案

本文介绍基于nginx的邮局反向代理配置方案。nginx对来源于客户端的pop3/smtp/imap请求予以转发到后端postfix，后端邮件服务器采用postfix 2.8.0，已配置并正常运行。

配置nginx.conf：

#user nobody;
worker_processes 1;
error_log logs/error.log info;
events {
worker_connections 1024;
}
mail {
auth_http 指定IP:80/auth.php;
pop3_capabilities "TOP" "USER";
imap_capabilities "IMAP4rev1" "UIDPLUS";

server {
listen 110;
protocol pop3;
proxy on;
}
server {
listen 143;
protocol imap;
proxy on;
}
server {
listen 25;
protocol smtp;
proxy on;
smtp_auth login plain;
xclient off;
}
}

说明：
1.安装nginx时禁掉了http（–without-http），因为我们的目标只是转发pop3/smtp/imap请求，故nginx.conf也是相当简单，只有mail模块。如果还需要代理80端口（例如webmail），可以自行编译对http的支持。

2.smtp的配置模块里必须加入xclient off，否则当nginx向后转发smtp请求时，postfix将报“lost connection after XCLIENT”，同时nginx报“550 5.7.0 Error: insufficient authorization”. nginx对smtp的代理，与pop3/imap是不同的，详细见后文。

3.指定IP是用于认证的，需要放认证脚本auth.php. 认证脚本的作用就是验证用户和密码，一般自定义，可以放在任意的服务器上。本方案中选择放在后端邮件服务器上，便于管理。

这里有一个问题，postfix本身已经集成了认证机制（本人采用的是cyrus sasl2+courier-authlib），为什么加了反向代理，认证过程就要移动到反向代理上呢？这样岂不是就变成非透明代理了吗？为什么不作纯碎的透明代理呢？
根据测试，如果这个认证脚本不设验证，直接透传所有pop3/imap请求到后端，在后端邮件服务器还会进行一次认证，但是对于smtp请求，将不再认证，而直接按照转发规则进行转发（因为反向代理的ip加到了postfix的mynetworks中，见后文）。这两种不同的差异应该是跟协议有关。
为了保持统一，在本文的方案中，auth.php集成了pop3/imap/smtp的三种认证。这样的功能架构类似于游戏服务器的，登录服务器和游戏服务器是分开的。

4.在邮件服务器postfix/etc/main.cf中，修改mynetworks值，加入本反向代理的ip，并重载postfix：postfix -s reload

关于xclient：xclient的作用，是将前端的服务器模拟作为一个邮件客户端，而向后端的postfix进行认证和执行发送，但是postfix还需要一个打patch才能完美支持xclient。
关于此问题的讨论可以参见 http://forum.nginx.org/read.php?2,173197,173246#msg-173246

auth.php：

<?php
/**
* @see xiabaibai.net
*/
if(!isset($_SERVER ["HTTP_AUTH_USER"] ) || ! isset($_SERVER ["HTTP_AUTH_PASS"] )) {
fail(0);
}
$username = $_SERVER ["HTTP_AUTH_USER"];
$userpass = $_SERVER ["HTTP_AUTH_PASS"];
$protocol = $_SERVER ["HTTP_AUTH_PROTOCOL"];
$backend_port = 110;
if($protocol == "imap") {
$backend_port = 143;
} elseif ($protocol == "smtp") {
$backend_port = 25;
}
list($uid, $domain) = explode("@", $username);
$auth = authuser($username, $userpass);
if(!$auth) fail (-2);
pass($_SERVER["SERVER_ADDR"], $backend_port);
//自定义认证，sql查询或者api
function authuser($user, $pass) {
return true;
}
function fail($code) {
switch($code){
case 0: header("Auth-Status: Parameter lost"); break;
case -1: header("Auth-Status: No Back-end Server"); break;
case -2: header("Auth-Status: Invalid login or password" ); break;
}
exit();
}
function pass($server, $port) {
header("Auth-Status: OK" );
header("Auth-Server: $server" );
header("Auth-Port: $port" );
exit();
}

?>

PHP编译错误及其解决方案

shanyiwan@live.com(flyinweb) — Wed, 11 Jan 2012 07:48:36 GMT

本专题主题收集PHP编译过程中的错误及其解决方案。
1、编译php出错
/php-5.3.2/ext/fileinfo/libmagic/apprentice.c:147:internal compiler error:Segmentation fault
Please submit a full bug report,
with preprocessed source if appropriate.
See <URL:http://bugzilla.redhat.com/bugzilla> for instructions.
The bug is not reproducible,so it is likely a hardware or OS problem.
make:*** [ext/fileinfo/libmagic/apprentice.lo] Error 1
解决方法：内存大于1G即可，这是php5.3.2的一个bug
--------------------------------------------------------------------
2、重新构造configure文件出错
./buildconf --force
Forcing buildconf
buildconf:checking installation…
buildconf:autoconf version 2.59 （ok）
buildconf:Your version of autoconf likely contains buggy cache code.
Running vcsclean for you.
To avoid this,install autoconf-2.13.
Can't figure out your VCS, not cleaning.
解决方法：编译安装autoconf-2.13
再将autoconf-2.13的auotconf文件至/usr/local/autoconf

--------------------------------------------------------------------
3、编译时缺少库
configure: error: libXpm.（a|so） not found.
解决方法：yum install libXpm-devel
--------------------------------------------------------------------
4、编译时缺少gmp.h文件
configure: error: Unable to locate gmp.h
解决方法：yum install gmp-devel
--------------------------------------------------------------------
5、Configure: error: xml2-config not found. Please check your libxml2 installation.
解决方法：
#yum install libxml2 libxml2-devel （For Redhat & Fedora）
# aptitude install libxml2-dev      （For ubuntu）
--------------------------------------------------------------------
6、Checking for pkg-config… /usr/bin/pkg-config
configure: error: Cannot find OpenSSL’s <evp.h>
解决方法：
#yum install openssl openssl-devel
--------------------------------------------------------------------
7、Configure: error: Please reinstall the BZip2 distribution
解决方法：
# yum install bzip2 bzip2-devel
--------------------------------------------------------------------
8、Configure: error: Please reinstall the libcurl distribution -
easy.h should be in <curl-dir>/include/curl/
解决方法：
# yum install curl curl-devel   （For Redhat & Fedora）
# install libcurl4-gnutls-dev    （For Ubuntu）
--------------------------------------------------------------------
9、Configure: error: libjpeg.（also） not found.
解决方法：
# yum install libjpeg libjpeg-devel
--------------------------------------------------------------------
10、Configure: error: libpng.（also） not found.
--------------------------------------------------------------------
解决方法：
# yum install libpng libpng-devel
--------------------------------------------------------------------
11、Configure: error: freetype.h not found.
解决方法：
#yum install freetype-devel
--------------------------------------------------------------------
12、Configure: error: Unable to locate gmp.h
解决方法：
# yum install gmp-devel
--------------------------------------------------------------------
13、Configure: error: Cannot find MySQL header files under /usr.
Note that the MySQL client library is not bundled anymore!
解决方法：
# yum install mysql-devel            （For Redhat & Fedora）
# apt-get install libmysql++-dev      （For Ubuntu）
--------------------------------------------------------------------
14、Configure: error: Please reinstall the ncurses distribution
解决方法：
# yum install ncurses ncurses-devel
--------------------------------------------------------------------
15、Checking for unixODBC support… configure: error: ODBC header file ‘/usr/include/sqlext.h’ not found!
解决方法：
# yum install unixODBC-devel
--------------------------------------------------------------------
16、Configure: error: Cannot find pspell
解决方法：
# yum install pspell-devel
--------------------------------------------------------------------
17、configure: error: mcrypt.h not found. Please reinstall libmcrypt.
解决方法：
# yum install libmcrypt libmcrypt-devel    （For Redhat & Fedora）
# apt-get install libmcrypt-dev
--------------------------------------------------------------------
18、Configure: error: snmp.h not found. Check your SNMP installation.
解决方法：
# yum install net-snmp net-snmp-devel
--------------------------------------------------------------------
19、configure:error:Cannot find ldap.h
解决方法：
#yum install openldap-devel openldap

20、configure:error:xslt-config not found. Please reinstall the libxslt >= 1.1.0 distribution
解决方法：
#yum install libxslt libxslt-devel

21、checking for libevent >=1.4.11 install prefix… configure: error: Could not find libevent >=1.4.11 in /usr/local/php
解决方法：
安装libevent-1.4.11以上版本至/usr/local
tar xzvf libevent-1.4.14-stable.tar.gz
cd libevent-1.4.14-stable
./configure --prefix=/usr/local
make&&make install
在编译。/configure时添加--with-libevent-dir=/usr/local即可

22、cc1: out of memory allocating 2036 bytes after a total of 81846272 bytes
make: *** [ext/date/lib/parse_date.lo] Error 1
报错：
/usr/bin/ld: cannot find -lltdl
collect2: ld returned 1 exit status
make:*** [sapi/fpm/php-fpm] Error 1
解决方法：
安装ltdl
#cd /libmcrypt-2.5.7/libltdl/
#./configure --enable-ltdl-install
#ldconfig
#cd php-5.3.6
#make ZEND_EXTRA_LIBS='-liconv'

23、configure: error: utf8_mime2text() has new signature, but U8T_CANONICAL is missing.
yum install libc-client-devel

24、libiconv相关的未定义引用

/libxmlrpc/encoding.c:101:undefined reference to 'libiconv_close'
collect2: ld returned 1 exit status
make:*** [sapi/fpm/php-fpm] Error 1
解决方法：
#make ZEND_EXTRA_LIBS='-liconv'

/usr/local/src/php-5.2.17/ext/iconv/iconv.c:2615: undefined reference to `libiconv'
/usr/local/src/php-5.2.17/ext/iconv/iconv.c:2537: undefined reference to `libiconv'
ext/iconv/.libs/iconv.o: In function `php_iconv_stream_filter_ctor':
/usr/local/src/php-5.2.17/ext/iconv/iconv.c:2491: undefined reference to `libiconv_open'
collect2: ld returned 1 exit status
make: *** [sapi/cli/php] Error 1

原因：可能是由于系统中手工编译了libiconv

解决办法：
./configure ............
vi Makefile
找到下面这行：
EXTRA_LIBS = -lcrypt ...在最后添加-liconv保存

make
make instal

How To Verify SSL Certificate From A Shell Prompt

shanyiwan@live.com(flyinweb) — Tue, 10 Jan 2012 01:50:32 GMT

How do I verify and diagnosis SSL certification installation from a Linux / UNIX shell prompt? How do I validate SSL Certificate installation and save hours of troubleshooting headaches without using a browser? How do I confirm I've the correct and working SSL certificates?

OpenSSL comes with a generic SSL/TLS client which can establish a transparent connection to a remote server speaking SSL/TLS. It’s intended for testing purposes only and provides only rudimentary interface functionality but internally uses mostly all functionality of the OpenSSL ssl library. For testing purpose I will use mail.nixcraft.net:443 SSL certificate which is issued by Go Daddy.

Step # 1: Getting The Certificate

Create directory to store certificate:
$ mkdir -p ~/.cert/mail.nixcraft.net/ $ cd ~/.cert/mail.nixcraft.net/
Retrieve the mail.nixcraft.net certificate provided by the nixcraft HTTPD mail server:
$ openssl s_client -showcerts -connect mail.nixcraft.net:443
Sample output:

CONNECTED(00000003)
depth=0 /O=mail.nixcraft.net/CN=mail.nixcraft.net/OU=Domain Control Validated
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /O=mail.nixcraft.net/CN=mail.nixcraft.net/OU=Domain Control Validated
verify error:num=27:certificate not trusted
verify return:1
depth=0 /O=mail.nixcraft.net/CN=mail.nixcraft.net/OU=Domain Control Validated
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/O=mail.nixcraft.net/CN=mail.nixcraft.net/OU=Domain Control Validated
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
-----BEGIN CERTIFICATE-----
MIIE5zCCA8+gAwIBAgIEAOJk2zANBgkqhkiG9w0BAQUFADCByjELMAkGA1UEBhMC
VVMxEDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNV
BAoTEUdvRGFkZHkuY29tLCBJbmMuMTMwMQYDVQQLEypodHRwOi8vY2VydGlmaWNh
dGVzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkxMDAuBgNVBAMTJ0dvIERhZGR5IFNl
Y3VyZSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTERMA8GA1UEBRMIMDc5NjkyODcw
HhcNMDkwMTE4MjEyMjMxWhcNMTEwMTE4MjEyMjMxWjBbMRowGAYDVQQKExFtYWls
Lm5peGNyYWZ0Lm5ldDEaMBgGA1UEAxMRbWFpbC5uaXhjcmFmdC5uZXQxITAfBgNV
BAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDCBnzANBgkqhkiG9w0BAQEFAAOB
jQAwgYkCgYEA0LhCDXvNXhTHov9Szh474Cv3Nz7QspVOI4p5M+zZt18VTVCHJz0Z
TleJum8RblpU4NPHJgOauIb1CAE3vLSKySV2DjHMt2L2/NUatJiKjDQKAEloKwQK
t75BP0mAGFPZmHlMNUQ32Sr/0byxxM4ElL2SSBasJE3PPVkSBOtLfssCAwEAAaOC
AcUwggHBMA8GA1UdEwEB/wQFMAMBAQAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG
AQUFBwMCMA4GA1UdDwEB/wQEAwIFoDAyBgNVHR8EKzApMCegJaAjhiFodHRwOi8v
Y3JsLmdvZGFkZHkuY29tL2dkczEtMS5jcmwwUwYDVR0gBEwwSjBIBgtghkgBhv1t
AQcXATA5MDcGCCsGAQUFBwIBFitodHRwOi8vY2VydGlmaWNhdGVzLmdvZGFkZHku
Y29tL3JlcG9zaXRvcnkvMIGABggrBgEFBQcBAQR0MHIwJAYIKwYBBQUHMAGGGGh0
dHA6Ly9vY3NwLmdvZGFkZHkuY29tLzBKBggrBgEFBQcwAoY+aHR0cDovL2NlcnRp
ZmljYXRlcy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5L2dkX2ludGVybWVkaWF0ZS5j
cnQwHwYDVR0jBBgwFoAU/axhMpNsRdbi7oVfmrrndplozOcwMwYDVR0RBCwwKoIR
bWFpbC5uaXhjcmFmdC5uZXSCFXd3dy5tYWlsLm5peGNyYWZ0Lm5ldDAdBgNVHQ4E
FgQUAYML0uoVH8Sn8JZ3xbR9NLzE0tYwDQYJKoZIhvcNAQEFBQADggEBAJ/1/mGM
tF/UPwOvmiNE0i46qXCJDs6Ui7kCxWWQzC+CbT6x3fe8VwZ2/9OVeScw5aGkG7sU
kfid0XmfXxYrqkVsubrhQt/1MKKowB35M5a/wRd7E0h2ucYhBF3dnTQ29yJ9ppHC
HOvsUDGOan+e7japMyTYn9PU9Y8QtnzovRXk55iYfL4p57YvPwk4yMnBtc/krQcd
m6ZdvmY+zbbjWaDyarfIp3fQCL2HD/lC5rJaGUn633GIT0OrrQ4Gfy6hQ98UC+Pt
I8LFuzs02dJlCpDhGquvQ0W6o4uuvjSP28HfGBcmKholG0GT9wyZZCBvUlFyV6kq
/KNTisOW4so6I+Q=
-----END CERTIFICATE-----
---
Server certificate
subject=/O=mail.nixcraft.net/CN=mail.nixcraft.net/OU=Domain Control Validated
issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
---
No client certificate CA names sent
---
SSL handshake has read 1823 bytes and written 316 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: BF3662B2C597A7473E477D0CAD2D5002FCC370661BA5A7364BDCDD9C1247C0F5
    Session-ID-ctx:
    Master-Key: BFF4A2556DB4D7810D63DFF1905A97215185E94A791A2385A20290067F60208F108E54B0BC194E5AEBD130B9CB092B46
    Key-Arg   : None
    Start Time: 1243050920
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)

Copy from the "-----BEGIN CERTIFICATE-----" to the "-----END CERTIFICATE-----" , and save it in your ~/.cert/mail.nixcraft.net/ directory as mail.nixcraft.net.pem.

Step # 2: Getting The Certificate Of The Issuer

This certificate was issued by Go Daddy, so you need to get "Certification Authority Root Certificate" (visit your CA's website to get root certificate):
$ wget https://certs.godaddy.com/repository/gd_bundle.crt -O ~/.cert/mail.nixcraft.net/gd.pem

Step # 3: Rehashing The Certificates

Create symbolic links to files named by the hash values using c_rehash, enter:
$ c_rehash ~/.cert/mail.nixcraft.net/
Sample output:

Doing  ~/.cert/mail.nixcraft.net/
mail.nixcraft.net.pem => 1d97af50.0
gd.pem => 219d9499.0

Test It

To confirm you have the correct and working certificates, enter:
$ openssl s_client -CApath ~/.cert/mail.nixcraft.net/ -connect mail.nixcraft.net:443
Sample output:

CONNECTED(00000003)
depth=3 /L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com
verify return:1
depth=2 /C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
verify return:1
depth=1 /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
verify return:1
depth=0 /O=mail.nixcraft.net/CN=mail.nixcraft.net/OU=Domain Control Validated
verify return:1
---
Certificate chain
 0 s:/O=mail.nixcraft.net/CN=mail.nixcraft.net/OU=Domain Control Validated
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIE5zCCA8+gAwIBAgIEAOJk2zANBgkqhkiG9w0BAQUFADCByjELMAkGA1UEBhMC
VVMxEDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNV
BAoTEUdvRGFkZHkuY29tLCBJbmMuMTMwMQYDVQQLEypodHRwOi8vY2VydGlmaWNh
dGVzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkxMDAuBgNVBAMTJ0dvIERhZGR5IFNl
Y3VyZSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTERMA8GA1UEBRMIMDc5NjkyODcw
HhcNMDkwMTE4MjEyMjMxWhcNMTEwMTE4MjEyMjMxWjBbMRowGAYDVQQKExFtYWls
Lm5peGNyYWZ0Lm5ldDEaMBgGA1UEAxMRbWFpbC5uaXhjcmFmdC5uZXQxITAfBgNV
BAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDCBnzANBgkqhkiG9w0BAQEFAAOB
jQAwgYkCgYEA0LhCDXvNXhTHov9Szh474Cv3Nz7QspVOI4p5M+zZt18VTVCHJz0Z
TleJum8RblpU4NPHJgOauIb1CAE3vLSKySV2DjHMt2L2/NUatJiKjDQKAEloKwQK
t75BP0mAGFPZmHlMNUQ32Sr/0byxxM4ElL2SSBasJE3PPVkSBOtLfssCAwEAAaOC
AcUwggHBMA8GA1UdEwEB/wQFMAMBAQAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG
AQUFBwMCMA4GA1UdDwEB/wQEAwIFoDAyBgNVHR8EKzApMCegJaAjhiFodHRwOi8v
Y3JsLmdvZGFkZHkuY29tL2dkczEtMS5jcmwwUwYDVR0gBEwwSjBIBgtghkgBhv1t
AQcXATA5MDcGCCsGAQUFBwIBFitodHRwOi8vY2VydGlmaWNhdGVzLmdvZGFkZHku
Y29tL3JlcG9zaXRvcnkvMIGABggrBgEFBQcBAQR0MHIwJAYIKwYBBQUHMAGGGGh0
dHA6Ly9vY3NwLmdvZGFkZHkuY29tLzBKBggrBgEFBQcwAoY+aHR0cDovL2NlcnRp
ZmljYXRlcy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5L2dkX2ludGVybWVkaWF0ZS5j
cnQwHwYDVR0jBBgwFoAU/axhMpNsRdbi7oVfmrrndplozOcwMwYDVR0RBCwwKoIR
bWFpbC5uaXhjcmFmdC5uZXSCFXd3dy5tYWlsLm5peGNyYWZ0Lm5ldDAdBgNVHQ4E
FgQUAYML0uoVH8Sn8JZ3xbR9NLzE0tYwDQYJKoZIhvcNAQEFBQADggEBAJ/1/mGM
tF/UPwOvmiNE0i46qXCJDs6Ui7kCxWWQzC+CbT6x3fe8VwZ2/9OVeScw5aGkG7sU
kfid0XmfXxYrqkVsubrhQt/1MKKowB35M5a/wRd7E0h2ucYhBF3dnTQ29yJ9ppHC
HOvsUDGOan+e7japMyTYn9PU9Y8QtnzovRXk55iYfL4p57YvPwk4yMnBtc/krQcd
m6ZdvmY+zbbjWaDyarfIp3fQCL2HD/lC5rJaGUn633GIT0OrrQ4Gfy6hQ98UC+Pt
I8LFuzs02dJlCpDhGquvQ0W6o4uuvjSP28HfGBcmKholG0GT9wyZZCBvUlFyV6kq
/KNTisOW4so6I+Q=
-----END CERTIFICATE-----
subject=/O=mail.nixcraft.net/CN=mail.nixcraft.net/OU=Domain Control Validated
issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
---
No client certificate CA names sent
---
SSL handshake has read 1823 bytes and written 316 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 37E5AF0EE1745AB2DACAEE0FB7824C178A58C6AEF7A0EF93609643F16A20EE51
    Session-ID-ctx:
    Master-Key: 7B9F8A79D3CC3A41CA572ED266076A1531E12EE8D07D859D65F24368ABA0D2CAE670AA0652433D9E0585E566D9C16FCF
    Key-Arg   : None
    Start Time: 1243051912
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

There should be lots of data, however the important thing to note down is that the final line "Verify return code: 0 (ok)". I'm using the same certificate for dovecot IMAP mail server, type the following to verify mail server SSL certificate:
$ openssl s_client -CApath ~/.cert/mail.nixcraft.net/ -connect mail.nixcraft.net:993
Sample output:

CONNECTED(00000003)
depth=2 /C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
verify return:1
depth=1 /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
verify return:1
depth=0 /O=mail.nixcraft.net/CN=mail.nixcraft.net/OU=Domain Control Validated
verify return:1
---
Certificate chain
 0 s:/O=mail.nixcraft.net/CN=mail.nixcraft.net/OU=Domain Control Validated
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
 1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
   i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIE5zCCA8+gAwIBAgIEAOJk2zANBgkqhkiG9w0BAQUFADCByjELMAkGA1UEBhMC
VVMxEDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNV
BAoTEUdvRGFkZHkuY29tLCBJbmMuMTMwMQYDVQQLEypodHRwOi8vY2VydGlmaWNh
dGVzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkxMDAuBgNVBAMTJ0dvIERhZGR5IFNl
Y3VyZSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTERMA8GA1UEBRMIMDc5NjkyODcw
HhcNMDkwMTE4MjEyMjMxWhcNMTEwMTE4MjEyMjMxWjBbMRowGAYDVQQKExFtYWls
Lm5peGNyYWZ0Lm5ldDEaMBgGA1UEAxMRbWFpbC5uaXhjcmFmdC5uZXQxITAfBgNV
BAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDCBnzANBgkqhkiG9w0BAQEFAAOB
jQAwgYkCgYEA0LhCDXvNXhTHov9Szh474Cv3Nz7QspVOI4p5M+zZt18VTVCHJz0Z
TleJum8RblpU4NPHJgOauIb1CAE3vLSKySV2DjHMt2L2/NUatJiKjDQKAEloKwQK
t75BP0mAGFPZmHlMNUQ32Sr/0byxxM4ElL2SSBasJE3PPVkSBOtLfssCAwEAAaOC
AcUwggHBMA8GA1UdEwEB/wQFMAMBAQAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG
AQUFBwMCMA4GA1UdDwEB/wQEAwIFoDAyBgNVHR8EKzApMCegJaAjhiFodHRwOi8v
Y3JsLmdvZGFkZHkuY29tL2dkczEtMS5jcmwwUwYDVR0gBEwwSjBIBgtghkgBhv1t
AQcXATA5MDcGCCsGAQUFBwIBFitodHRwOi8vY2VydGlmaWNhdGVzLmdvZGFkZHku
Y29tL3JlcG9zaXRvcnkvMIGABggrBgEFBQcBAQR0MHIwJAYIKwYBBQUHMAGGGGh0
dHA6Ly9vY3NwLmdvZGFkZHkuY29tLzBKBggrBgEFBQcwAoY+aHR0cDovL2NlcnRp
ZmljYXRlcy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5L2dkX2ludGVybWVkaWF0ZS5j
cnQwHwYDVR0jBBgwFoAU/axhMpNsRdbi7oVfmrrndplozOcwMwYDVR0RBCwwKoIR
bWFpbC5uaXhjcmFmdC5uZXSCFXd3dy5tYWlsLm5peGNyYWZ0Lm5ldDAdBgNVHQ4E
FgQUAYML0uoVH8Sn8JZ3xbR9NLzE0tYwDQYJKoZIhvcNAQEFBQADggEBAJ/1/mGM
tF/UPwOvmiNE0i46qXCJDs6Ui7kCxWWQzC+CbT6x3fe8VwZ2/9OVeScw5aGkG7sU
kfid0XmfXxYrqkVsubrhQt/1MKKowB35M5a/wRd7E0h2ucYhBF3dnTQ29yJ9ppHC
HOvsUDGOan+e7japMyTYn9PU9Y8QtnzovRXk55iYfL4p57YvPwk4yMnBtc/krQcd
m6ZdvmY+zbbjWaDyarfIp3fQCL2HD/lC5rJaGUn633GIT0OrrQ4Gfy6hQ98UC+Pt
I8LFuzs02dJlCpDhGquvQ0W6o4uuvjSP28HfGBcmKholG0GT9wyZZCBvUlFyV6kq
/KNTisOW4so6I+Q=
-----END CERTIFICATE-----
subject=/O=mail.nixcraft.net/CN=mail.nixcraft.net/OU=Domain Control Validated
issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
---
No client certificate CA names sent
---
SSL handshake has read 3076 bytes and written 316 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 509D310C0184E0540FC24F60F36D3E2A62C1F98D6367DBC62E8432FFDC79757A
    Session-ID-ctx:
    Master-Key: 72013A336DAFAF16917C4082785D3D9ADA3D0D3420B63FC5A6C9E5F44117D340A1051653849179A5ADEA57BE2BD65A24
    Key-Arg   : None
    Start Time: 1243052074
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
* OK [CAPABILITY IMAP4rev1 SASL-IR SORT THREAD=REFERENCES MULTIAPPEND UNSELECT LITERAL+ IDLE CHILDREN NAMESPACE LOGIN-REFERRALS UIDPLUS LIST-EXTENDED I18NLEVEL=1 QUOTA AUTH=PLAIN AUTH=LOGIN] Dovecot ready.

Again the final "Dovecot ready" line along with 0 return code indicates that everything is working fine.

Creating Certificate Authorities and self-signed SSL certificates

shanyiwan@live.com(flyinweb) — Sat, 07 Jan 2012 08:35:20 GMT

Following is a step-by-step guide to creating your own CA (Certificate Authority) -- and also self-signed SSL server certificates -- with openssl on Linux. Self-signing is the simpler route to take, but making one's own CA allows the signing of multiple server certificates using the same CA and involves only a few extra steps.

After using openssl to generate the necessary files, you'll need to integrate them into Apache. This process differs between Linux distros and versions of Apache. Additional references exist at the end of this document. My instructions for Setting up SSL: Ubuntu and Apache 2 are kept most current, and will carry you through to completion.

Making a homemade CA or self-signed certificate will cause the client web browser to prompt with a message whether to trust the certificate signing authority (yourself) permanently (store it in the browser), temporarily for that session, or to reject it. The message "web site certified by an unknown authority... accept?" may be a business liability for general public usage, although it's simple enough for the client to accept the certificate permanently.

Whichever route you take, you'll save the periodic expense of paying a recognized signing authority. This is purely for name recognition -- they've paid the major browser producers to have their CA pre-loaded into them. So if you're on a budget, have a special need or small audience, this may be useful.

Before you start
You need Apache and openssl. Compiling them from source, handling dependencies, etc. is beyond the scope of this document. You can consult their documentation, or go with a mainstream Linux distro that will do the preliminary work for you.

Now you need to decide whether you'll make a CA (Certificate Authority) and sign a server certificate with it -- or just self-sign a server certificate. Both procedures are detailed below.

(1A) Create a self-signed certificate.

Complete this section if you do NOT want to make a CA (Certificate Authority). If you want to make a CA, skip 1A entirely and go to 1B instead.

Some steps in this document require priviledged access, and you'll want to limit access to the cert files to all but the root user. So you should su to root and create a working directory that only root has read/write access to (for example: mkdir certwork, chmod 600 certwork). Go to that directory.

Generate a server key:

openssl genrsa -des3 -out server.key 4096

Then create a certificate signing request with it. This command will prompt for a series of things (country, state or province, etc.). Make sure that "Common Name (eg, YOUR name)" matches the registered fully qualified domain name of your box (or your IP address if you don't have one). I also suggest not making a challenge password at this point, since it'll just mean more typing for you.

The default values for the questions ([AU], Internet Widgits Pty Ltd, etc.) are stored here: /etc/ssl/openssl.cnf. So if you've got a large number of certificate signing requests to process you probably want to carefully edit that file where appropriate. Otherwise, just execute the command below and type what needs to be typed:

openssl req -new -key server.key -out server.csr

Now sign the certificate signing request. This example lasts 365 days:

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Make a version of the server.key which doesn't need a password:

openssl rsa -in server.key -out server.key.insecure
mv server.key server.key.secure
mv server.key.insecure server.key

These files are quite sensitive and should be guarded for permissions very carefully. Chown them to root, if you're not already sudo'd to root. I've found that you can chmod 000 them. That is, root will always retain effective 600 (read) rights on everything.

Now that you've just completed Step 1A, skip ahead to Step 2.

(1B) Generate your own CA (Certificate Authority).

Complete this section if you want to make a CA (Certificate Authority) and sign a server certificate with it. The steps for making a server certificate are also included here. If you'd rather one-time self-sign a server certificate, skip this step entirely and go to 1A instead.

Some steps in this document require priviledged access, and you'll want to limit access to the cert files to all but the root user. So you should su to root and create a working directory that only root has read/write access to (for example: mkdir certwork, chmod 600 certwork). Go to that directory.

In this step you'll take the place of VeriSign, Thawte, etc. You'll first build the CA key, then build the certificate itself.

The Common Name (CN) of the CA and the Server certificates must NOT match or else a naming collision will occur and you'll get errors later on. In this step, you'll provide the CA entries. In a step below, you'll provide the Server entries. In this example, I just added "CA" to the CA's CN field, to distinguish it from the Server's CN field. Use whatever schema you want, just make sure the CA and Server entries are not identical.

CA:
Common Name (CN): www.somesite.edu CA
Organization (O): Somesite
Organizational Unit (OU): Development

Server:
Common Name (CN): www.somesite.edu
Organization (O): Somesite
Organizational Unit (OU): Development

If you don't have a fully qualified domain name, you should use the IP that you'll be using to access your SSL site for Common Name (CN). But, again, make sure that something differentiates the entry of the CA's CN from the Server's CN.

openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt

Generate a server key and request for signing (csr).

This step creates a server key, and a request that you want it signed (the .csr file) by a Certificate Authority (the one you just created in Step #1B above.)

Think carefully when inputting a Common Name (CN) as you generate the .csr file below. This should match the DNS name, or the IP address you specify in your Apache configuration. If they don't match, client browsers will get a "domain mismatch" message when going to your https web server. If you're doing this for home use, and you don't have a static IP or DNS name, you might not even want worry about the message (but you sure will need to worry if this is a production/public server). For example, you could match it to an internal and static IP you use behind your router, so that you'll never get the "domain mismatch" message if you're accessing the computer on your home LAN, but will always get that message when accessing it elsewhere. Your call -- is your IP stable, do you want to repeat these steps every time your IP changes, do you have a DNS name, do you mainly use it inside your home or LAN, or outside?

openssl genrsa -des3 -out server.key 4096
openssl req -new -key server.key -out server.csr

Sign the certificate signing request (csr) with the self-created Certificate Authority (CA) that you made earlier.

Note that 365 days is used here. After a year you'll need to do this again.

Note also that I set the serial number of the signed server certificate to "01". Each time you do this, especially if you do this before a previously-signed certificate expires, you'll need to change the serial key to something else -- otherwise everyone who's visited your site with a cached version of your certificate will get a browser warning message to the effect that your certificate signing authority has screwed up -- they've signed a new key/request, but kept the old serial number. There are a couple ways to rectify that. crl's (certificate revocation list) is one method, but beyond the scope of the document. Another method is for all clients which have stored the CA certificate to go into their settings and delete the old one manually. But for the purposes of this document, we'll just avoid the problem. (If you're a sysadmin of a production system and your server.key is compromised, you'll certainly need to worry.)

The command below does a number of things. It takes your signing request (csr) and makes a one-year valid signed server certificate (crt) out of it. In doing so, we need to tell it which Certificate Authority (CA) to use, which CA key to use, and which Server key to sign. We set the serial number to 01, and output the signed key in the file named server.crt. If you do this again after people have visited your site and trusted your CA (storing it in their browser), you might want to use 02 for the next serial number, and so on. You might create some scheme to make the serial number more "official" in appearance or makeup but keep in mind that it is fully exposed to the public in their web browsers, so it offers no additional security in itself.

openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

To examine the components if you're curious:

openssl rsa -noout -text -in server.key
openssl req -noout -text -in server.csr
openssl rsa -noout -text -in ca.key
openssl x509 -noout -text -in ca.crt

Make a server.key which doesn't cause Apache to prompt for a password.

Here we create an insecure version of the server.key. The insecure one will be used for when Apache starts, and will not require a password with every restart of the web server. But keep in mind that while this means you don't have to type in a password when restarting Apache (or worse -- coding it somewhere in plaintext), it does mean that anyone obtaining this insecure key will be able to decrypt your transmissions. Guard it for permissions VERY carefully.

openssl rsa -in server.key -out server.key.insecure
mv server.key server.key.secure
mv server.key.insecure server.key

(2) Copy files into position and tweak Apache.

Some professors like to pause for a moment after a long lecture, and do a little recap. It's a good pedagogical tool, so let's do so here. If you took route 1A above, you should have four files in a working directory:

server.crt: The self-signed server certificate.
server.csr: Server certificate signing request.
server.key: The private server key, does not require a password when starting Apache.
server.key.secure: The private server key, it does require a password when starting Apache.

If you took route 1B and created a CA, you'll have two additional files:

ca.crt: The Certificate Authority's own certificate.
ca.key: The key which the CA uses to sign server signing requests.

The CA files are important to keep if you want to sign additional server certificates and preserve the same CA. You can reuse these so long as they remain secure, and haven't expired.

At a bare minimum, the following considerations must now be addressed:

You'll need a virtual host and document root set up for the SSL instance.
You'll need to turn on the SSL engine and enable/load the SSL module.
Apache must reference server.crt and server.key somewhere in its configuration.
Apache must be listening to a port for which SSL is enabled (443 is default).

The particulars differ between Linux distros and versions of Apache. I'm only able to keep the Setting up SSL: Ubuntu and Apache 2 documentation current due to time constraints. Those steps should apply broadly to Debian-based distros with little or no modification. Red Hat and openSUSE commentary is kept online here for historical purposes.