okcomputer.org

As promised, I finally made new certificates for all okcomputer.org TLS and SSL-enabled services. The new certs were pushed into production for HTTPS, SMTP STARTTLS and IMAPS this afternoon, and (so far) they seem to be working fine.

As usual, my recommendation is to set-up the okcomputer.org CA certificate as a trusted authority in your web browser and/or email client, and you won’t be bothered by certificate warnings until 2013. (The new service certificates will expire in February 2011.)

Please contact me if you have any questions.

Shortly after the big server rebuild a few weeks back I was examining the web server logs and I noticed that several sites were stealing okcomputer.org bandwidth by linking images from the okcomputer.org Photo Gallery directly into their web sites. So while I was rebuilding the web server I implemented a very common Apache mod_rewrite recipe so that these bandwidth stealers would get a very different image than the one they linked to — nothing gross, just the pic of me playing the ukulele that I drag out every now and then.

Well, apologies if you accidentally got that photo when you were trying to print your Photo Gallery pictures through Shutterfly. I hadn’t thought about that, but it’s fixed now.

I will be upgrading all WordPress installations tonight from version 2.3.2 to 2.3.3. Blogs will be offline for a short period of time around Midnight.

In the interest of security, I have already updated the version of the vulnerable xmlrpc.php file to a patched version in each installation with no obvious ill effects.

I spent last night rebuilding the okcomputer.org certificate authority and creating new certificates for all TLS and SSL-enabled services. Very early this morning I pushed the new certificates for HTTPS, SMTP STARTTLS and IMAPS into production and they seem to be working fine.

The beauty of this is that you can now set-up the okcomputer.org CA certificate as a trusted authority in your web browser and/or email client and you won’t be bothered by certificate warnings for the next five years. (The individual service certificates expire yearly.)

I’ll try to get a page up here soon explaining how to import the CA certificate (you should just be able to click the link above to install it in your browser), but please feel free to contact me if you have any questions.

User accounts, IMAP service and SMTP will be migrated to the new server Friday night, January 11, between 10:00PM and Midnight EST. During this time period SSH logins will be disabled (including scp) and mail services will not be functional. Incoming mail will be queued on an external server so nothing should be dropped.

Please let me know if you have any questions.

UPDATE 1/12/2008:

I’ve synchronized all login accounts and moved SMTP and IMAP to the new server. IMAP and SMTP relaying have tested good using SquirrelMail and Thunderbird. Exim is receiving mail and testing it with SpamAssassin.

Jessica reported a password problem, which has me a bit nervous, so please try to test your accounts ASAP and let me know about any problems.

During yesterday’s SquirrelMail migration I re-remembered that you can’t use multiple SSL certificates for different Apache NameVirtualHosts. This has put the kibosh on my plan to split all the okcomputer.org web services out to different DNS hostnames — everything’s gotta move back under www.

So far that will probably only affect the Photo Gallery, the Kid Amnesiac blog and the new okcomputer.org home page (i.e. the new apps I’ve implemented since the rebuild). SquirrelMail went under www where it needed to be since I discovered the problem while migrating it yesterday.

The new structure will look something like this:

• http://www.okcomputer.org/home/ (Home Page)
• http://www.okcomputer.org/gallery/ (Photo Gallery)
• http://www.okcomputer.org/blogs/<blogname> (Blogs)
• https://www.okcomputer.org/squirrelmail/ (Web Mail)
• http://www.okcomputer.org/~<username>/ (User Home Pages)

I’ll try to schedule the change for tonight. Please let me know if you have any questions.

UPDATE 1/10/2008:

Last night’s migrations ended up being a bit more complicated than I thought. After a bit of pain Gallery and the okcomputer.org home page have been migrated. The Kid Amnesiac blog will have to wait for tonight.

UPDATE 1/11/2008:

Last night’s Kid Amnesiac migration didn’t go as expected either — Jessica told me she’d break my face if I moved the blog URL again.  So instead I just moved it off of the Debian wordpress package and onto a clean copy of 2.3.2 and left the URL intact.  There was some database pain involving character codes from where blog entries had been copied in from Microsoft Word, but that appears to be fixed now.  I also decided to move the home page out of /home and into the root — much easier to do know that I know how to separate out the index.php file from the rest of the WordPress installation.

Jessica, Simon & I all have the plague today, so I took advantage of the sick day to migrate SquirrelMail to the new server.  So far everything seems to be functioning properly. Address books and preferences should be synchronized. Sending mail works fine.

All SquirrelMail functionality will be a bit slower until I migrate the SMTP and IMAP services over to the new server as well. That’s a bit more complicated, but might happen this weekend.

Please let me know if you have any problems.

I’ve finally built the new server — this time with RAID 1 disk mirroring as promised! Actually, I just rebuilt the old warsaw.okcomputer.org (the server that ran okcomputer.org out of my San Francisco apartment February 2004 – May 2005), this time running Ubuntu Server and making use of that second SATA hard drive that I always intended to integrate. I’m particularly happy with Ubuntu. The install was remarkably smooth, and I’m excited to have the manageability of a Debian derivative combined with the up-to-date software provided by Ubuntu’s six-month release cycle.

Last week I drove the new server over to the colocation facilities at IgLou Internet Services and got it up on the Net. So far I’ve migrated DNS, Gallery and Kid Amnesiac to the new server. A first attempt at migrating Squirrelmail had some bumps, so I’ve backed off for a few days. Mail, user accounts and the remainder of the web site will follow shortly.

The ISP has replaced the server’s harddrive and has reinstalled Debian on it. The old harddrive is still attached, but the filesystem is trashed. I’ve got a bajillion files in the lost+found directory with completely meaningless numerical file names. I’ll see what I can do with this mess, but it’s gonna take some time.

In the meantime, here’s the status of what I’ve restored so far:

Accounts

Most accounts that appeared to be active at the time of the disk failure have been restored. Home directories and email folders are semi-restored. If you have an okcomputer.org account that you are interested in maintaining, please try to login to serenity.okcomputer.org via SSH (or at least by SquirrelMail) to confirm the status of your password, files and email folders.

E-mail

All e-mail functionality has been restored, including IMAPS, SMTP and SMTP STARTTLS AUTH. SquirrelMail is tested and functional, as is MUA access using Mozilla Thunderbird.

Also, I’ve started rejecting obvious spam (SpamAssassin score >= 12) at the gateway. I tried this in the past and had some problems with false positives, so I’m being extra careful this time around. Already rejected 412 in the last 48 hours. This isn’t the best set-up, but it’s at least RFC compliant and nothing gets bit-bucketed. If you’re still getting spam in your inbox you can use procmail to filter on the SpamAssassin mark-up, or you can use SpamAssassin or bogofilter on your own. (I’ll try to provide details later.)

Photo Gallery

I really hope you all didn’t use okcomputer.org as the the only repository for your photographs, but if you did I’ve made some progress recovering the JPEG’s on the old filesystem. Last night (10/22/2007) I recovered 8822 digital photographs (7.3G) and sorted them out into directories based on the model of camera they came from (as taken from the EXIF tags). Photos can be found here for the time being.

The last “back-up” of the OK Computer Photo Gallery occurred in May 2005, right before we relocated to Louisville. I’ve restored the Gallery from this back-up. My apologies for all the lost work, but that’s really the best I think I can do with this application.

New Server?

Now that it’s the end of the year and I’ve got a bit of time, I’ve started building a new okcomputer.org server with RAID1 disk mirroring. Yes, you heard right — almost a real back-up strategy. I need to do some scouting for a co-location facility, but pretty soon we should be up and running in glorious double-hard-drive stereo.

The okcomputer.org server has suffered a nasty disk failure and is going to be down for a bit. We are currently working as hard as we can to restore as much data as we can and to get services running again. Details to follow.

Many thanks to Tony B for for hosting okcomputer.org web and DNS services while we rebuild.