Wednesday, August 29, 2007

Creating an SSL certificate for HTTPS

Creating an SSL certificate for HTTPS (applies to RHEL 4 and FC 3)

I. RHEL4 and FC3 version

 1. Create the certificate under /etc/httpd/conf/. That directory contains several ssl.* directories; once created, each certificate file goes into its own directory.

  # cd /etc/httpd/conf/


 2. Create server.key with a 1024-bit key. A 512-bit or 2048-bit key may generally be used as well; the larger the key size, the longer decryption takes. Security is higher, but the connection setup takes longer too, so 1024-bit is recommended.

  # openssl genrsa -out server.key 1024

   Generating RSA private key, 1024 bit long modulus

   ..++++++

   .......++++++++

   e is 65537 (0x10001)


  The messages above differ slightly on every run; afterwards, check that a server.key file has been created in the directory.

genrsa - generate an RSA private key.


 3. Create the server.crt certificate, valid for 365 days, in X.509 format.

  # openssl req -new -key server.key -out server.crt -x509 -days 365

   You are about to ....................................................................................

   ...................................................................................................................

   If you enter '.', the field will be left blank.

   -----

   Country Name (2 letter code) [GB]:TW <enter the two-letter country code

   State or Province Name (full name) [Berkshire]:Taiwan <enter the state or province

   Locality Name (eg, city) [Newbury]:Taipei <enter the city name

   Organization Name (eg, company) [My Company Ltd]:XYZ <enter the company name

   Organizational Unit Name (eg, section) [ ]:ABC <enter the department

   Common Name (eg, your name or your server's hostname) [ ]:www.xyz.com.tw <entering the host's FQDN is recommended

   Email Address [ ]:service@mail.xyz.com.tw <enter the administrator's email address

  Afterwards, check that a server.crt file has been created in the directory.

req - PKCS#10 certificate request and certificate generating utility.

-new

this option generates a new certificate request. It will prompt the user for
the relevant field values. The actual fields prompted for and their maximum
and minimum sizes are specified in the configuration file and any requested
extensions.

If the -key option is not used it will generate a new RSA private key using
information specified in the configuration file.

-x509
this option outputs a self signed certificate instead of a certificate
request. This is typically used to generate a test certificate or a self
signed root CA. The extensions added to the certificate (if any) are specified
in the configuration file. Unless specified using the set_serial option
0 will be used for the serial number.

 On Linux, just two commands produce the certificate and the key.


 4. Next, simply move server.crt and server.key into the relevant directories.

  # mv server.key /etc/httpd/conf/ssl.key/

  # mv server.crt /etc/httpd/conf/ssl.crt/


 5. If you do not know where your httpd keeps the crt and key, check the SSLCertificateFile and SSLCertificateKeyFile directives in httpd.conf.

  # vi /etc/httpd/conf/httpd.conf

   SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt

   SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key


 6. Finally, restart httpd and the new certificate takes effect.

  # service httpd restart


II. Version found online (should apply to older Linux versions, and also to FC3 and RHEL4)

 1. First create server.csr

  # openssl req -new > server.csr

   Generating a 1024 bit RSA private key

   .++++++

   .........................................++++++++

   writing new private key to 'privkey.pem'

   Enter PEM pass phrase: <enter a password of at least four characters

   Verifying - Enter PEM pass phrase: <enter the same password again

   -----

   You are ....................................

   -----

   Country Name (2 letter code) [GB]:TW <enter the country abbreviation; the remaining fields are the same as in method I.

   .............................

   Please enter ..................

   A challenge password [ ]: <just press "Enter"

   An optional company name [ ]: <just press "Enter"

  This produces two files: server.csr and privkey.pem


 2. Next, produce the server key

  # openssl rsa -in privkey.pem -out server.key

   Enter pass phrase for privkey.pem: <enter the pass phrase from the previous command; it must be identical to the pass phrase entered there, and the key is then written to server.key.

   This produces the file server.key.


 3. Finally, produce the server.crt certificate

  # openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365

  This produces the server.crt certificate.


 4. Next, just move server.crt and server.key into the relevant directories and restart httpd for the certificate to take effect.


III. Certificate issued by a third party

 1. To have a certificate issued by a third-party certificate authority, you need to produce a server.csr file

  # openssl genrsa -out server.key 1024

  # openssl req -new -key server.key -out server.csr

  This produces the server.csr file; send server.csr to the third-party certificate authority, which produces the server.crt certificate.
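As an added example (not part of the original post), the following POSIX shell script runs the part I self-signed flow and the part III CSR flow non-interactively, then performs the checks worth doing before restarting httpd: that key and certificate share the same RSA modulus, that the CSR's own signature verifies, that the CN is the expected FQDN, and that server.key is not world-readable. It assumes openssl, mktemp and find are installed; the subject fields are the sample values from the post, and the key size is a parameter rather than the post's fixed 1024.

```shell
#!/bin/sh
# Added example, not from the original post: the self-signed flow of part I and
# the CSR flow of part III, run non-interactively, plus the checks a sysadmin
# should make before restarting httpd. Assumes openssl, mktemp and find exist;
# the subject values are the sample ones from the post; key size is a parameter.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
SUBJ="/C=TW/ST=Taiwan/L=Taipei/O=XYZ/OU=ABC/CN=www.xyz.com.tw/emailAddress=service@mail.xyz.com.tw"

# Part I steps 2-3: private key, then a self-signed X.509 cert valid 365 days.
# umask 077 makes server.key readable by its owner only (httpd reads it as root).
make_self_signed() {   # $1 = RSA key size in bits
    umask 077
    openssl genrsa -out "$WORKDIR/server.key" "$1" 2>/dev/null
    openssl req -new -key "$WORKDIR/server.key" -out "$WORKDIR/server.crt" \
        -x509 -days 365 -subj "$SUBJ" 2>/dev/null
}

# Part III: a CSR to send to a third-party CA, signed with the same key.
make_csr() {
    openssl req -new -key "$WORKDIR/server.key" -out "$WORKDIR/server.csr" \
        -subj "$SUBJ" 2>/dev/null
}

# Check 1: a cert only works with the key it was built from; the RSA modulus
# printed for both must be identical, otherwise httpd refuses to start.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$WORKDIR/server.key" 2>/dev/null)
    c=$(openssl x509 -noout -modulus -in "$WORKDIR/server.crt" 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Check 2: the CSR's self-signature verifies, i.e. it was not corrupted or
# altered before being sent to the CA.
csr_is_valid() {
    openssl req -noout -verify -in "$WORKDIR/server.csr" >/dev/null 2>&1
}

# Check 3: the subject CN is the FQDN that clients will connect to.
cert_cn_is() {   # $1 = expected common name
    openssl x509 -noout -subject -in "$WORKDIR/server.crt" | grep -q "CN *= *$1"
}

# Check 4: nobody but the owner can read the private key.
key_is_private() {
    [ -z "$(find "$WORKDIR/server.key" -perm -o+r)" ]
}
```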

Saturday, June 09, 2007

Tips and Tricks: Building rpms without being root

Do the following:

mkdir -p $HOME/rpmbuild/{BUILD,RPMS,SOURCES,SPECS,SRPMS}
echo "%home %(echo $HOME)" >> $HOME/.rpmmacros

echo "%_topdir %{home}/rpmbuild" >> $HOME/.rpmmacros

Now when you install a src.rpm it will go to $HOME/rpmbuild/ instead of /usr/src/redhat/.

Thursday, March 15, 2007

Multi-button mouse

※References
http://wshlab2.ee.kuas.edu.tw/personal/yurenju/archives/000727.php
http://fanqiang.chinaunix.net/system/linux/2005-03-24/3019.shtml

※Multi-button mouse
My mouse has two more buttons than an ordinary mouse. Under Windows those two buttons act as
"back" and "forward" when browsing the web, but under Linux they do not.
After some research I finally got this function working again.

※xev
xev is a small program; run it from a terminal, as shown in the figure.

Every action inside the small window is reported in the terminal, including button presses,
so you can see the value of each button (keyboard keys included).
By default, the values of the mouse's extra buttons duplicate those of the scroll wheel (the wheel counts as two buttons),
so the number of buttons has to be changed.

※Step one
Edit the mouse part of XF86Config-4 or xorg.conf.
~~~~~~~~
Section "InputDevice"
Identifier "Mouse1"
Driver "mouse"
Option "Protocol" "ExplorerPS/2"
Option "Device" "/dev/psaux"
Option "ZAxisMapping" "6 7"
EndSection
~~~~~~~~
This brings the number of buttons to 7, but the left and right side buttons then act as the scroll wheel
and the original wheel acts as back and forward,
so the next step is to change the order of the button mapping.

※Step two
Run xmodmap:
xmodmap -e "pointer = 1 2 3 6 7 4 5"
This sets the mouse button order correctly.
Note that xmodmap must be run after entering X Window; it cannot be placed in rc*.
I recommend putting it in Desktop/Autostart,
so that it runs once X Window has started.

Wednesday, March 14, 2007

RPM Tips English Version

RPM Tips

Traditional Chinese Version

Be forewarned, I am not going to write anything on how to create an RPM spec file. There are enough howtos in the Internet on this regard. Writing an RPM spec file can be very simple, but it can also be very complicated, depending on the program you want to write an RPM spec file for. No matter what, this requires quite a lot of time.

When I do write an RPM spec file, my main references are:

http://www.rpm.org/max-rpm/
http://www.rpm.org/RPM-HOWTO/

I never ever want to install a program from source. It is not because it is difficult. On the contrary, it is quite easy to install from source. It is just that I do not want to mess up my system. When I update a program installed from source, quite often enough, there are old files around not deleted. And sometimes, this may cause some problems. If I want to uninstall this program, where do you go to make sure that all the installed files are really removed?

If at all possible, I would rather install an RPM. RPM updates and uninstalls programs very cleanly.

So, what I want to talk about is when you only have a source program available, are there ways to convert it to an RPM package?

If I need a particular program, I would first go to the installation CD to check if this program is already available. If not, I would then go to freshmeat, to sourceforge.net or maybe google.

If there is no RPM package available, I would search rpmfind.

But, if I am unable to find an RPM package of the program, what to do then? The following discussion might solve the problem, i.e., building the RPM package is possible after all.

But before you can build or rebuild an RPM, you need to install the rpm-build package:

rpm -Uvh rpm-build-4.3.2-21.i386.rpm

Note: I am using Fedora Core 3, so I will be using RPM packages available in this distribution.

It is always recommended to build/rebuild an RPM package as a regular, not root, user. You also need to create the RPM build directories. Now login as a regular user and do the following:

mkdir rpmbuild
mkdir rpmbuild/BUILD
mkdir rpmbuild/RPMS
mkdir rpmbuild/RPMS/athlon
mkdir rpmbuild/RPMS/i386
mkdir rpmbuild/RPMS/i486
mkdir rpmbuild/RPMS/i586
mkdir rpmbuild/RPMS/i686
mkdir rpmbuild/RPMS/noarch
mkdir rpmbuild/SOURCES
mkdir rpmbuild/SPECS
mkdir rpmbuild/SRPMS

Now create the file .rpmmacros (look closely it is a dot file, i.e., the filename is preceded by a period) and the content is:

%_topdir /home/username/rpmbuild

Replace username with the actual user account name.

We are ready to build an RPM package.

Source RPM

If you want to install ClamAV anti-virus program, you may download the RPM package from crash-hat. It also provides a source rpm (.src.rpm). I prefer to download the source RPM and then rebuild it against my own server.

To do this, just execute the following command:

rpmbuild --rebuild clamav-0.83-1.src.rpm

After rebuilding the source RPM, you have the RPM files in:

rpmbuild/RPMS/i386/clamav-0.83-1.i386.rpm
rpmbuild/RPMS/i386/clamav-milter-0.83-1.i386.rpm
rpmbuild/RPMS/i386/clamav-devel-0.83-1.i386.rpm

Source Tarball with spec file

If, for example, you want to install SpamAssassin, no RPM package is made available, but the source tarballs that are provided (Mail-SpamAssassin-3.0.2.tar.bz2 and Mail-SpamAssassin-3.0.2.tar.gz) contain the RPM spec file.

How do you know if an RPM spec file is included in the source tarball? Taking the two files above as an example, execute the following:

tar fzt Mail-SpamAssassin-3.0.2.tar.gz | grep .spec
tar fjt Mail-SpamAssassin-3.0.2.tar.bz2 | grep .spec

Build the RPM package this way:

rpmbuild -tb Mail-SpamAssassin-3.0.2.tar.gz
rpmbuild -tb --define "srcext .bz2" Mail-SpamAssassin-3.0.2.tar.bz2

Source tarball without spec file

I mentioned above that I do not want to install from source. So, what to do? Install CheckInstall and let it make an RPM for you.

The procedure for creating an RPM program is as follows:

tar xvfz program_name-version.tar.gz
cd program_name-version
./configure
make

Now instead of executing:

make install

Execute instead:

checkinstall

Perl Modules

How I hate perl! It is very difficult to manage the perl module packages installed in your system. I absolutely refuse to install perl modules from source. It has been a cause of many problems. If you upgrade to a newer version from source, you might find that your application does not work anymore.

But I need a particular perl module package. What can I do? For example, we are using OpenWebMail in our school to access our emails. It requires a perl module Text-Iconv. As I do not want to install from source, I searched the Internet and found an RPM perl-Text-Iconv package. I downloaded and installed it. But OpenWebMail was still complaining that it could not find Text-Iconv. After a few days of scratching my head, I found out that the RPM perl-Text-Iconv that I downloaded and installed was compiled against a different version of perl. So it does not work. Now what to do?

I finally found the program cpan2rpm that solved my problem. Download and install it. And then just execute:

cpan2rpm Text-Iconv-1.4.tar.gz

And it will create the following files:

rpmbuild/RPMS/i386/perl-Text-Iconv-1.4-1.i386.rpm
rpmbuild/SRPMS/perl-Text-Iconv-1.4.1.src.rpm

Now you can install the RPM package without any problem.

Fr. Visminlu Vicente L. Chua, S.J.
2005/03/21

RPM Tips

English Version

First, I am not going to write about how to write an RPM spec file. There are already plenty of howtos on the Internet on this topic. Writing an RPM spec file can be very simple or very complicated; it depends on the program you are writing the spec file for. In any case, it takes quite a lot of time.

If I do write an RPM spec file, my main references are the following:

http://www.rpm.org/max-rpm/
http://www.rpm.org/RPM-HOWTO/

I never want to install from source. Not because it is hard; on the contrary, it is quite easy. I just do not want to mess up my system. When I update a program that was installed from source, a frequent problem is that some files are not cleanly removed, and sometimes that causes trouble. If you want to remove the program, how do you guarantee that every installed file has been deleted?

Whenever possible, I would rather install with RPM. RPM updates and removes cleanly.

So what I want to discuss here is: if you only have the source program, is there a way to turn the source into an RPM package?

If I need a particular program, I first look for it on the installation CD. If it is not there, I go to freshmeat, then to sourceforge.net or Google.

If I cannot find an RPM package, I look on rpmfind.

The question is: what if you still cannot find an RPM package for the program? The discussion below may solve the problem; building the RPM package is possible after all.

Before you build or rebuild an RPM, you must first install the rpm-build package:

rpm -Uvh rpm-build-4.3.2-21.i386.rpm


Experts recommend building or rebuilding RPMs as a regular user (not root). Before doing so, however, you must create the so-called RPM build directories (the subdirectories RPM building needs). Log in as a regular user and create the following subdirectories:

mkdir rpmbuild
mkdir rpmbuild/BUILD
mkdir rpmbuild/RPMS
mkdir rpmbuild/RPMS/athlon
mkdir rpmbuild/RPMS/i386
mkdir rpmbuild/RPMS/i486
mkdir rpmbuild/RPMS/i586
mkdir rpmbuild/RPMS/i686
mkdir rpmbuild/RPMS/noarch
mkdir rpmbuild/SOURCES
mkdir rpmbuild/SPECS
mkdir rpmbuild/SRPMS

Now create a file named .rpmmacros (note that this is a so-called dot file, i.e. the first character of the filename is a period), with the content:

%_topdir /home/username/rpmbuild

Replace username with the actual user account name.

We are now ready to build RPM packages.

Source RPM

If you want to install the ClamAV anti-virus program, you can download the RPM package from crash-hat. That site also provides a source rpm (.src.rpm). I prefer to download the source RPM and rebuild an RPM from it, so that it is compiled specifically for my system.

To rebuild, run the following command:

rpmbuild --rebuild clamav-0.83-1.src.rpm

After rebuilding the source RPM, three files are produced:

rpmbuild/RPMS/i386/clamav-0.83-1.i386.rpm
rpmbuild/RPMS/i386/clamav-milter-0.83-1.i386.rpm
rpmbuild/RPMS/i386/clamav-devel-0.83-1.i386.rpm

Source Tarball with spec file

Suppose you want to install SpamAssassin. No RPM package is provided on that web page, but the source tarballs that are provided already contain the RPM spec file (Mail-SpamAssassin-3.0.2.tar.bz2 and Mail-SpamAssassin-3.0.2.tar.gz).

How do you know whether a source tarball contains an RPM spec file? Taking the two files above as an example, run the following commands to find out:

tar fzt Mail-SpamAssassin-3.0.2.tar.gz | grep .spec
tar fjt Mail-SpamAssassin-3.0.2.tar.bz2 | grep .spec

Build the RPM package this way:

rpmbuild -tb Mail-SpamAssassin-3.0.2.tar.gz
rpmbuild -tb --define "srcext .bz2" Mail-SpamAssassin-3.0.2.tar.bz2

Source tarball without spec file

As I mentioned above, I do not like installing from source. But what if the source program has no spec file? Install CheckInstall and let it build the RPM for you.

The procedure for building the RPM package is as follows:

tar xvfz program_name-version.tar.gz
cd program_name-version
./configure
make

The next step would normally be:

make install

But this time, run instead:

checkinstall
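As an added example (not from the original article, in either language version), the following POSIX shell script encodes the decision the article walks through: a .src.rpm is rebuilt, a tarball that carries a spec file is built with rpmbuild -tb, and anything else goes the ./configure, make, checkinstall route. It also anchors the spec-file search, because in the article's `grep .spec` the dot is a regex wildcard and a source file such as inspect.c would look like a spec file. It assumes tar with gzip/bzip2 support; the build commands are only printed, never run.

```shell
#!/bin/sh
# Added example, not from the original article: decide which of the article's
# three build routes applies to a downloaded file. Assumes tar with gzip/bzip2
# support; rpmbuild and checkinstall are never executed here, only printed.

# List the members of a .tar.gz or .tar.bz2 archive (the article's "tar fzt").
list_archive() {
    case "$1" in
        *.tar.gz|*.tgz) tar tzf "$1" ;;
        *.tar.bz2)      tar tjf "$1" ;;
        *)              return 1 ;;
    esac
}

# Does the tarball carry an RPM spec file? The pattern is anchored: with the
# article's "grep .spec" the dot is a wildcard, so a source file named
# inspect.c would be mistaken for a spec file.
has_spec() {
    list_archive "$1" 2>/dev/null | grep -q '\.spec$'
}

# Print the build command the article uses for this kind of input.
# Exit status is non-zero for a file type the article does not cover.
choose_build() {
    f="$1"
    case "$f" in
        *.src.rpm)
            echo "rpmbuild --rebuild $f" ;;
        *.tar.gz|*.tgz)
            if has_spec "$f"; then echo "rpmbuild -tb $f"
            else echo "checkinstall"; fi ;;   # run after ./configure && make
        *.tar.bz2)
            if has_spec "$f"; then echo "rpmbuild -tb --define \"srcext .bz2\" $f"
            else echo "checkinstall"; fi ;;
        *)
            echo "no build route for $f" >&2; return 1 ;;
    esac
}
```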

Thursday, March 01, 2007

a motto

Rocky's lines to his son:
Life is not always full of light; this world is cruel and treacherous and can knock you down for good at any moment. Blaming everyone else for the blows you take is the act of a coward, because what matters most is not how hard you punch but how hard a punch you can take. Only by holding on with all your strength under the heavy blows and fighting on without rest can you hope to win.

The world ain't all sunshine and rainbows. It is a very mean and nasty place and it will beat you to your knees and keep you there permanently if you let it. You, me, or nobody is gonna hit as hard as life. But it ain't how hard you hit; it's about how hard you can get hit, and keep moving forward. How much you can take, and keep moving forward. That's how winning is done.


Tell me, who is not a slave to passion?
-- Hamlet

Jefferson
(Thomas Jefferson): Nobody who is both ignorant and free has ever existed, nor ever will.

If a Nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be... if we are to guard against ignorance and remain free, it is the responsibility of every American to be informed.

-- Thomas Jefferson


“Knowledge and human power are synonymous,” once said the great philosopher
Francis Bacon.



Without music, life would be a mistake. ~~~~ Nietzsche



Socrates' maxim: "Wisdom means knowing that one knows nothing." Apart from ignorance, what else could drive us to explore?



Short piece appreciation
Distance, by Tagore

The furthest distance in the world is not between life and death,
but that I stand right in front of you and you do not know I love you.
The furthest distance in the world is not that I stand in front of you
and you do not know I love you, but that we both know we love each other and yet cannot be together.
The furthest distance in the world is not knowing we love each other and yet being unable to be together,
but that, plainly unable to resist this feeling, one still has to pretend not to care.
The furthest distance in the world is not being unable to resist this feeling and still having to pretend not to care,
but the chasm that one's own cold heart builds against the person who loves you……