You have not chosen to trust [certificate] the issuer of the server’s security certificate (SSL error 61)

Both the problem and the solution is the same as before, only the name and the path is different. The path depends on whether you installed the client/receiver as a normal user, or root, also known as the superuser.

I’ve used Ubuntu 11.04 here, but I reckon it’ll work on any Linux distribution.

The problem is this; When you install the Citrix Receiver, it will only install a handful of certificate files, and we’ll have to provide the rest. Now, where can we find a reliable source of SSL certificates? Well, it turns out that we most likely have that already. The same source our browser is using.

 /usr/share/ca-certificates/mozilla/

Just copy those .crt files over to the Citrix keystore, and we should be done. If the client is installed under /opt/Citrix/ICAClient/, run this command in a terminal:

sudo cp /usr/share/ca-certificates/mozilla/* \
/opt/Citrix/ICAClient/keystore/cacerts/

If it’s installed in your home directory, this command should work:

cp /usr/share/ca-certificates/mozilla/* \
$HOME/ICAClient/linuxx86/keystore/cacerts/

If you are using a home made certificate, or for some reason this doesn’t work for you, you’ll have to track down the correct .crt files yourself. But at least now you’ll know where to place them.

At first I thought that Opera wasn’t my default browser in Gnome. I’m currently using Linux Mint, a distribution based on Ubuntu. So I checked the “Preferences->Preferred Applications” and made sure Opera was the default application for browsing the web. I also checked with “gconf-editor” just to be safe that Opera was set as default browser.

Having checked all this. I did a few tests and found out that Opera was indeed the default application for surfing the web. So the problem had to be limited to TweetDeck or Adobe AIR.

Now. I checked all the xml-files regarding Adobe AIR and TweetDeck, I even installed SQLite3 to read the database file for TweetDeck in my home directory. No luck.

But the Internet is a collection of tubes amazing and brilliant people. So I searched and found Andrea Olivato, which in turned had found the solution to my (and many others) problem. He discovered that Adobe AIR has hard-coded firefox as default browser in libCore.so, which (usually) can be found in /opt/Adobe AIR/Versions/1.0.

The solution

His solution to the problem was to open libCore.so with vim, or any other editor for that matter, and search for the word “firefox”. Ok, he writes that he jumps directly to line 15500, but this might change. But then again, maybe Adobe will make it work in the future. Anyway. He replaced “firefox” with “browser”, which is the same length. Very important. And created a symlink from his favourite browser to, well, browser.

In my case:

ln -s /usr/bin/opera /usr/local/browser

I noticed that in libCore.so, Adobe has a reference to /desktop/gnome/url-handlers/http/command, which is the registry setting for Gnome when it comes to default browser. Why this isn’t used I don’t understand. Perhaps the hard-coded firefox is a backup solution in case AIR fails to retrieve the information from the registry.

Up until now, Linksys firmware has been working great. I didn’t need more than a simple wireless router. But recently I’ve started playing with VMware ESXi, which led to a few virtual servers. And with a few virtual servers, there was also a need to make them accessible from the Internet. With the only way of opening up ports on my router was through my ISPs web page, and that every change needed to be accompanied by a reboot of my router, I decided it was time to set up my own firewall.

Support for VLANs

OpenWRT support VLANs, and this is one of the main reasons I wanted to upgrade to a third-party firmware. Running a firewall with just one network adapter isn’t really possible, unless you can split networks within the same physical medium. And that’s when VLANs come in to the picture. This technology makes it possible to have several different networks within the same physical medium. Even the with the same network addresses.

The firewall, which is a virtual machine, doesn’t know that the host it’s running on only has one network adapter. I gave the firewall three adapters, all connected to different virtual switches. These switches tag their traffic with VLAN data and sends it to my Linksys router, which in also was configured the same way. One port on the router could hand out data for VLAN1, the next port for VLAN2.

In my setup, the traffic coming from Internet is connected to a port in VLAN2. This is sent, along with data in VLAN3, via port 4 to the ESXi host. Here the traffic is divided into virtual switches. One switch for each VLAN. So my firewall is connected to both the switch for VLAN2, and for VLAN3. VLAN2 is being labeled as WAN, while VLAN3 is labeled LAN. I also have a VLAN4 named SERVERS.

Installing OpenWRT

This is easy. If you haven’t installed a third-party firmware on your Linksys, you can use the web interface from Linksys to upgrade. Just as you would if you were to upgrade the original firmware. Download the correct image from OpenWRT, select it in the web interface and click the upgrade button.

After the new firmware is installed, the router will reboot and ready for configuration. By default the routers IP-address is 192.168.1.1. You can log in via telnet with no user name and password. It is advised to set a password at first log in. Doing so, telnet will be disabled and ssh enabled instead.

If you manage to lock yourself out, it’s possible to restart OpenWRT into a safe mode. Just take the power, when it starts up, press any button just when the DMZ light is lid. Now you can access it via telnet at address 192.168.1.1 again, no matter what address you have specified earlier. In safe mode you can change password and reconfigure firewall rules, if you have enabled a rule you shouldn’t have.

Setting up different VLANs (and trunking them)

First you should be aware of how the WRT54GL hardware is mapped internally. It is essential to understand the logic when configuring the router. The image shows the default configuration where port 1 – 4 is a regular switch on VLAN0, and the WAN port is separated on VLAN1. If you only want a dumb switch with 5 ports, you could put the WAN port into VLAN0 as well.

The configuration file can be found under /etc/config/network. Here we can set the IP-address of the box, but also configure the ports. I only need a dumb switch with VLAN capabilities, so I won’t set up any fancy routing rules in this post.

config switch "eth0"
   option vlan0 "0t 5"
   option vlan1 "0t 5"
   option vlan2 "0t 4 5"
   option vlan3 "0t 3 2 5*"
   option vlan4 "0t 5"

In this setup I have created five VLANs, three of which are unused at the moment. VLAN3 is the default VLAN, as marked by the asterisk (*). Port 5, the internal, has to be included. Data on LAN port 4 (which is internally mapped as port 0), is tagged, which basically means it’s a trunk. If a port isn’t tagged, it can’t belong to more than one VLAN (except the internal port 5). If a port is tagged, it can’t be used by a computer which doesn’t support trunk or tagging.

My Internet connection is connected to the WAN-port on the router, also known as internal port 4. It belongs to VLAN2, and is tagged on LAN port 4, which is known as internal port 0. On the other side of LAN port 4 is my ESXi server, which supports trunking (surprise). VLAN2 then goes into my firewall, on the other side of my firewall is VLAN3, which goes over the same cable back to the OpenWRT box, which in turn distributes it to my main computer and media center on LAN port 1 and 2.

Conclusion

Linksys WRT54GL is a great product, and with third-party firmware such as OpenWRT, it’s even greater. This box can be transformed from a boring wireless router, to a full blown firewall if needed.

I thought about posting it here, but that wouldn’t be fair to the author. So, please visit his site for more information.

However, be prepared to answer some questions regarding different configuration files. More specifically if you want to keep the original, or overwrite with a new one. I myself have edited a quite a few configuration files over the last year, so I had to do a manual screening before I decided what to do.

After doing some searching in the logs I found a few lines complaining about /dev/null also being read-only filesystem. So I checked the permission with ls -al /dev/null, and it turned out this had been changed into a regular file rather then the special file it’s supposed to be.

The fix is easy. Delete the file called /dev/null and re-create the special device with the command mknod -m 666 /dev/null c 1 3.

You can also read about how to create this special file by reading the man-pages. Command: man 4 null.

If the string we were looking for first would appear, it would most likely show up somewhere between 5 to 50 times within an hour.It’s hard to guess, really. But we are looking for a problem that won’t solve itself, and the program checking for this problem will continue to write to the log file upon each encounter with the problem.

The way to solve this kind of problem, where we want to ignore the timestamp, is to understand how NimBUS handle incoming alarms. If it receives the same message two or more times, it would just upper the count, instead of creating a new entry in the alarm window.

Lets say our log file looks like this:

Mar 14 14:55:35 ErrorCheck: Oh noes, error detected in A51
Mar 14 14:57:32 ErrorCheck: Oh noes, error detected in A51

We only want to get one alarm, but with a count of two (actually one), not two alarms which is identical except for the timestamp. First, set up logmon to detect the correct line in the log file using regular expressions. The logmon probe supports both pattern recognition and regular expressions, so make sure to use the right one. Regex starts and end with a forward slash, otherwise it assumes pattern is used.

In this case we can use the following simple regex:

/.*ErrorCheck.*/

Of course my regex where more advanced since I had to detect other parameters as well, since the output of our program also had to be checked.

Now, with this regex in place, we are at the point where every entry will be treated uniquely. But logmon also give you the possibility to construct your own message, and to define variables. And that is what we have to do.

We can construct variables both by row or column number. Since this is a single line, we will use the column offset. So, let us create the variables:

prog = column number 4
error = column number 10

This is only a simplified view. The logmon probe has a user interface for this. Right click, add new variable (or something like that).

When this is done, add your own message text in the field saying so:

$prog: Error detected in $error

When this is set as the outbound message, NimBUS will count it instead of creating a new entry in the alarm view each time, since the message now is identical. If the error code changes, a new alarm will be sent.

Short version:

Create your own output message when using NimBUS logmon probe on a log file which has a timestamp.

(This short version was a lot better and could have saved me some time)

One of my ideas is to test web application prior to deployment. This is kind of hard now that I only have one machine. It’s would be shameful if I accidently killed the web service because of a faulty configuration. Also I have a few projects which I want to separate from the machine visible on the internet.

VMware Server is a free product which can be installed on top of either Windows or Linux, so it’s not a bare-metal hypervisor. I recommend running it on top of Linux for minimal footprint, not to mention all the rebooting you have to do with Windows. A minimal Ubuntu server installation takes less than 1GB of disc space, and use next to nothing when it comes to terms of memory.

For the moment I’m doing some testing with one mySQL server, one Apache web server and one server running Varnish, which is a cache/proxy service. It’s not because I’m expecting high load in the near future, but it’s an interesting solution.

Anyway; the next few months I expect this blog to focus more on virtualization, but I can’t guarantee anything. I would be satisfied if I keep writing semi regular, no matter the topic.

In this blog entry I will use some bogus internal network addresses. We had the following:

eth0 directly connected to 10.0.100.0/24
eth1 directly connected to 192.168.0.0/24
eth2 directly connected to 192.168.10.0/24


Our new (virtual) server was configured using 192.168.0.1 as default gateway, via eth1. But we also needed to reach the following networks via eth2:

• 192.168.20.0/24
• 192.168.30.0/24
• 192.168.55.0/24
• 10.50.0.0/16

Configuring this “on-the-fly” is easy. All we have to do is run the following commands as root:

route add -net 192.168.20.0/24 gw 192.168.10.5
route add -net 192.168.30.0/24 gw 192.168.10.5
route add -net 192.168.55.0/24 gw 192.168.10.5
route add -net 10.50.0.0/16 gw 192.168.10.5


As you have guessed, 192.168.10.5 is the gateway being connected to eth2. Now the following is taking place:

Traffic for 10.0.100.0/24 is directly pushed out eth0, no routing needed.
Traffic for 192.168.0.0/24 is directly pushed out eth1, no routing needed.
Traffic for 192.168.10.0/24 is directly pushed out eth2, no routing needed.
Traffic for 192.168.20.0/24, 192.168.30.0/24, 192.168.55.0/24 and 10.50.0.0/16 is pushed to gateway 192.168.10.5 via eth2.
Everything else is directed to gateway 192.168.0.1 via eth1.

Fun Part

To make this routing permanent, meaning it will return upon reboot, we need to store this information somewhere. In this case we’re using CentOS 4, so the file we need to edit is /etc/sysconfig/static-routes. Per default this file doesn’t exists, at least it didn’t on my machine, so I created one and entered the following:

any net 192.168.20/24 gw 192.168.10.5
any net 192.168.30/24 gw 192.168.10.5
any net 192.168.55.0/24 gw 192.168.10.5
any net 10.50.0.0/16 gw 192.168.10.5


Also, check the files /etc/sysconfig/network-scripts/ifcfg-ethx, replace x. Only eth1, in my example, should have a line which says “GATEWAY=192.168.0.1″. If anyone of the other files also has a line which starts with “GATEWAY”, something will most likely go wrong.

I’m not sure how interesting this is for anyone. But at least I hope someone will benefit from it. I might start some more “in-depth” articles about network configuration in the future.

Please leave a comment if you found this useful, or ask questions if there is something I can improve.

For the record. I’m running Ubunty Hardy (8.04) on the X61 and Ubuntu Gutsy (7.04) on the X31. Both 32-bit systems.

The first thing I did was checking Launchpad.net for any known bugs. I found bug 224876 to be promising, it’s titled “Hardy does not control the CPU fan properly.”
After reading this thread I ran the tests described myself, which gave these results.

Machine temperature and fan speed when idle (X61):

$ cat /proc/acpi/thermal_zone/THM0/temperature
temperature: 41 C
$ cat /proc/acpi/thermal_zone/THM1/temperature
temperature: 42 C
$ cat /proc/acpi/ibm/fan
status: enabled
speed: 3207
level: auto


After 5 minutes of “yes | sha512sum” (X61):

$ cat /proc/acpi/thermal_zone/THM0/temperature
temperature: 76 C
$ cat /proc/acpi/thermal_zone/THM1/temperature
temperature: 78 C
$ cat /proc/acpi/ibm/fan
status: enabled
speed: 3242
level: auto


As you can see there is as good as no change in the fan speed.
However; doing the same check on my older, one core, IBM ThinkPad X31.
I get this results:

Machine temperature and fan speed when idle (X31):


$ cat /proc/acpi/thermal_zone/THM0/temperature
temperature: 44 C
$ cat /proc/acpi/ibm/fan
status: enabled
speed: 0
level: auto


Actually, the fan doesn’t start until the temperature reach 68 degrees Celsius. Then it will speeds up to around ~3500 rpm, thus keeping the processor at around 70 degrees Celsius during “yes | sha512sum”.

My question is: Why does the fan constantly run on the X61? Is it really necessary to keep the processor cool? I must say I prefer the silence of the X31 when I’m just browsing the web.

Karl Trygve has suggested that this is a result of a new design team and BIOS which is more restrictive than the one found on the X31.

However it now seems like I might have overcome this problem. At first I thought it might had something to do with my docking station. Hibernating while docked, booting up while not and vice versa. The problem was that the machine would freeze during startup after being in hibernation. So to be able to actually see what was going on, I removed the splash screen, and afther this I haven’t had any problems with hibernate what so ever.

Come to think of it, this isn’t the only time the splash screen have caused problems. I had another machine where it refused to boot as long as the splash parameter was set. Luckily, with grub, we are able to edit the boot parameters at boot. Something that wasn’t possible with LILO in the good old days.

To remove the splash screen more permanently than editing grub at each boot. You can,would be to edit the file /boot/grub/menu.1st and remove the word ‘splash’ from the kernel parameters. Just remember that this will sneak its way in the next time you upgrade the kernel. Or rather, Ubuntu upgrades your kernel. as Stian said in the first comment, edit the line “# defoptions=quiet splash” to “#defopts=”quiet nosplash” in the file /boot/grub/menu.1st. Do not remove the leading #.

Please leave a comment if you found this useful.