CAA checking becomes mandatory for SSL/TLS certificates

2017/04/10

This was news to me in a few ways; first, there’s a new DNS resource record called CAA (Certificate Authority Authorization) and second, Certificate Authorities are now required to check that record before issuing a certificate, to determine if they’re allowed to do so. Cool! What’s a CAA (Certificate Authority Authorization)? When in doubt, consult the RFC: […]

Source: CAA checking becomes mandatory for SSL/TLS certificates

JIRA, Confluence and Lets Encrypt

2017/02/17

I recently had to move a JIRA and Confluence environment to a new infrastructure stack. During the move, we also changed the TLS certificates and, instead of using one of the paid-for incumbents, we decided to give Let's Encrypt a go.

Everything with the migration went smoothly. The first hurdle we hit was when we were checking the Application Integration between the two systems. The integration wasn't functioning and no amount of delete, change, recreate would fix it. The admin pages in JIRA and Confluence were both reporting SSL errors. When I dug into the actual Tomcat logs for each instance, the following errors were appearing:

Confluence:

Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

JIRA:

Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Some quick googling found a few items on the internet about this, though none specific to JIRA and Confluence.

https://community.letsencrypt.org/t/will-the-cross-root-cover-trust-by-the-default-list-in-the-jdk-jre/134/3

http://stackoverflow.com/questions/34110426/does-java-support-lets-encrypt-certificates

The root cause of the problem is that the JRE that's bundled with our version of JIRA and Confluence is too old and doesn't include the Let's Encrypt root certificate chain in its keystore. The above articles had references and code snippets to help get the Let's Encrypt certificates into the JRE keystore, but they were all very ugly.

It's worth mentioning that Oracle Java JRE 1.8.0_101 DOES include the Let's Encrypt certificates.

Options at this point were:

  • Find a way to get the required certificates into the JRE keystore (the CLI method to do this is described in the Let's Encrypt community post above).
  • Install a new JRE on the servers and make JIRA and Confluence work with that, most likely putting us out of support with Atlassian.
  • Find out whether current JIRA and Confluence releases include the required JRE version and then upgrade JIRA and Confluence. This would need another round of testing to do the upgrade properly.

Moving to an unsupported configuration was undesirable, and I didn't have the time to properly dive into a new round of testing to see if newer JIRA and Confluence had the required JRE version. I did look for some detail on the Atlassian pages to determine the answer to this and wasn't able to locate anything.

What I did find on an Atlassian page was this article https://confluence.atlassian.com/kb/unable-to-connect-to-ssl-services-due-to-pkix-path-building-failed-779355358.html which shows how to use a free JIRA and Confluence plugin to get third-party root certificates into the JRE keystore using a simple web page GUI. Some small CLI steps (a cp) are still required after the plugin does its thing, but it does make the fix less likely to fail.

Recommended.
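The CLI route from the first option above, as an added example that is neither the post's nor Atlassian's code: it captures the chain the server sends, keeps only the CA certificates from it (the short-lived leaf never belongs in a trust store), and imports those into the JRE's cacerts. It assumes openssl and keytool are on PATH, JAVA_HOME points at the JRE that JIRA and Confluence actually run under, the keystore still uses the default password changeit, and the hostname in the usage line is a placeholder.

```shell
#!/usr/bin/env bash
# Added example, not from the post. Assumptions: openssl + keytool on PATH,
# JAVA_HOME = the JRE JIRA/Confluence run under, cacerts password "changeit".
set -eu

# Capture the chain a server presents (leaf first, then intermediates).
# The root itself is usually not sent, so fetch it from the CA separately if needed.
fetch_chain() {
  openssl s_client -connect "$1:${2:-443}" -servername "$1" -showcerts </dev/null 2>/dev/null |
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Split a PEM bundle ($1) into cert-1.pem, cert-2.pem, ... under $2; prints the count.
split_pem_chain() {
  mkdir -p "$2"
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
    out != ""                     { print > out }
    /-----END CERTIFICATE-----/   { close(out); out = "" }
    END                           { print n + 0 }
  ' "$1"
}

# Import only CA certificates (CA:TRUE) from $1 into the JRE cacerts, keyed by
# SHA-256 fingerprint so re-runs are idempotent. Back the keystore up first.
import_ca_certs() {
  keystore="${JAVA_HOME:?JAVA_HOME must point at the JRE}/lib/security/cacerts"
  cp "$keystore" "$keystore.bak.$(date +%Y%m%d)"
  for f in "$1"/cert-*.pem; do
    openssl x509 -in "$f" -noout -text | grep -q 'CA:TRUE' || continue   # skip the leaf
    alias=$(openssl x509 -in "$f" -noout -fingerprint -sha256 | cut -d= -f2 | tr -d ':' | tr 'A-F' 'a-f')
    if keytool -list -keystore "$keystore" -storepass changeit -alias "$alias" >/dev/null 2>&1; then
      echo "already trusted: $alias"; continue
    fi
    keytool -importcert -noprompt -trustcacerts -keystore "$keystore" -storepass changeit \
      -alias "$alias" -file "$f"
  done
}

# Usage: ./jre-trust.sh confluence.example.internal [port]   (placeholder hostname)
if [ $# -ge 1 ]; then
  work=$(mktemp -d)
  fetch_chain "$1" "${2:-443}" > "$work/chain.pem"
  echo "server sent $(split_pem_chain "$work/chain.pem" "$work/certs") certificate(s)"
  import_ca_certs "$work/certs"
fi
```

Restart Tomcat after the import; the JVM only reads cacerts at startup, so a PKIX error that persists afterwards means the imported chain does not reach a certificate the JRE can anchor on.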


Internet Performance Measurement Tools

2016/11/23

This post contains a catalogue of useful Internet performance testing tools.

ICSI Netalyzr

http://netalyzr.icsi.berkeley.edu/cli.html

sivel/speedtest-cli: Command line interface for testing internet bandwidth using speedtest.net

A nifty tool for the CLI jockeys to test the internet performance of their machine.

Source: sivel/speedtest-cli: Command line interface for testing internet bandwidth using speedtest.net


A real view inside DR and BCP

2014/01/29

Here is a good presentation given at SAGE-AU back in February 2011 about how an Australian ISP dealt with a flood crisis in Queensland.

It provides good insight into how DR and BCP are a business issue and NOT a technology issue.

http://www.youtube.com/watch?v=wew02S-JwSo
http://www.youtube.com/watch?v=G-icIskgCeA
http://www.youtube.com/watch?v=jCvFPGwakjQ


Simon Hackett’s NBN Prediction

2014/01/13

The following link describes Simon Hackett’s prediction for the NBN under the Liberal Party. Leaving it here for future reference.

http://imgur.com/r/australia/edGhZ7p


Home Internet Monitoring Appliance

2013/07/02

My home internet has been pretty flaky of late and I needed a way to monitor the performance of the connection over long periods of time so that I could gather evidence to escalate to my ISP for support and troubleshooting.

Due to the absence of a suitable machine at home to run the tools on I decided to build an Ubuntu VM with smokeping and Cacti. This would allow me to build the environment quickly and then move the VM to a temporary laptop running VMware Workstation at home.

The following steps describe the sequence of events and references I used to complete the work.


Vodafone #Fail & Goodbye

2011/01/25

I posted a few months ago about the problems I was having getting a Vodafone (Huawei) K3765 USB dongle to work on Windows 7 64bit. I'm happy to say I resolved the fault; however, I failed to get the equipment working to my satisfaction.

I had time recently to follow up my case with Vodafone and get the software working on my laptop. I called the Vodafone contact centre on 1555 and got through to Valencia. I gave her my case number and SIM number and she put me through right away to the Vodafone contact centre in Tasmania. I was impressed by that; it's always a pleasure to speak to local people and, as an extra bonus, the person I spoke to in Tasmania (Sonya) knew her stuff, understood my situation and did many things to try and resolve the problem.

Alas, nothing she could think to try would make the dongle work. What I did learn, though, is that one should always use the software that comes on the USB key and not the software that comes with the dongle on CD-ROM or from the Vodafone website.

During our troubleshooting and the subsequent troubleshooting I did over the course of the following weekend I was able to determine that the cause of the issues appeared to be that Windows considered the drivers for the K3765 to be unsigned and refused to load them. By default Windows 7 64bit will not run unsigned drivers. Sonya had told me that she wasn't working on the following Monday and that I should expect a call back from one of her work mates on Monday morning.

By 3pm the following Monday I had not had the return call I had been promised. I wended my way through the Vodafone IVR again and ended up speaking to Valencia again. She got me through to Heath in the Tasmanian contact centre. Heath put a lot of effort into troubleshooting and resolving the problems. He had me put Windows 7 into test mode so that it would accept the unsigned drivers. Hardly a satisfactory solution, but hey, I'm prepared to try anything at this stage. Unfortunately the solution didn't resolve the fault. After a reboot and reinstall of the software the same problems persisted. Heath's conclusion at this stage was that a reinstall of Windows 7 was the only way to go.

During the course of the call I had been poking a lot of fun at the reliability and quality of the Huawei brand of equipment and software. Heath was careful not to make any comments about my fun at the expense of Huawei.

I spent a few hours the next day gathering all the CDs and DVDs I would need to complete the reinstall. The day after that I completed my backups and reinstalled Windows. Once the base OS was installed and patched and the vendor drivers were all updated I installed the Vodafone dongle and the Vodafone Mobile Connect software that comes with the key (not the CD in the box). Success! Worked first time, no errors, no faults.

From this point I ran through my software installation and patching. Once I had all my tools and apps installed I connected the USB dongle again and it failed to show in Device Manager; only one of its devices showed up. A few reboots and more testing later and my problem had returned. I was not impressed, BUT at least I knew now that the cause was something I had installed.

I had a look through the list of installed applications and decided to start troubleshooting by uninstalling all the applications which had a driver component. First one to go was Daemon Tools. That didn't resolve it. The next to uninstall was VMware Workstation 7.1.3. After a reboot I tested the Vodafone dongle again and it was now working fine.

So, having successfully identified the cause of the failure, I had a decision to make: stick with the Vodafone dongle or use VMware Workstation. Hardly a pleasant choice, since I use both to do my job.

At the moment I'm still using the Vodafone dongle. With all the ongoing problems Vodafone is having in Australia at the moment, the company I work for is about to churn to Telstra Nextgen, which hopefully won't have this problem.

The only task that remained was to contact Heath in Tasmania again and let him know my findings so that some other poor Vodafone customer wouldn't have to suffer my fate. I contacted 1555 again, wended my way through their IVR and ended up speaking to Suraj who, on the quality Vodafone VoIP connection to sunny India, I was sure was telling me his name was Sewerage. I gave Suraj the case number and he tells me that he needs my mobile number and account password to access my history because he cannot use a case number to look up a customer's history. I describe the case to him in a nutshell and request connection to the Tasmanian call centre, and he tells me that Vodafone doesn't have any call centres in Australia.

At this stage I'm pretty unhappy. I'm going out of my way to help Vodafone and they are giving me the run around. I push on Suraj a little harder and after about 5 minutes on hold I'm talking to Heath. Heath laughs when I explain what just happened. I relay my findings to Heath, who expresses gratitude and assures me the notes are going to his supervisor for further action internally.

So, what did I learn from this exercise?

– The software that Vodafone provides with the USB key package on CD isn't the best software to use.
– Huawei USB keys don't have a fantastic reputation for reliability and I suspect Vodafone knows this.
– Level 1 Vodafone support/customer service need substantially more training, particularly about which countries do in fact have call centres.
– The software that Huawei provides Vodafone is not compatible with VMware Workstation 7.1.X.

I'm glad that this exercise is over and I'm also glad that my employer has decided to ditch Vodafone, which seems to be somewhat of a theme going on in Australia at the moment.