Category: Ubuntu

Getting a ubuntu clone in VirtualBox to connect to the network

I’ve spent a large amount of time today trying to get cloning working within Virtual Box with a copy of Ubuntu 12.04 server with limited success.

Now by default a VM is set to use NAT for it’s network interfaces but I needed bridging and this causes a problem – when the clone starts it comes up with no ethernet interfaces, even though the original vm works fine.

In the end it appears to be udev thats causing the problem. The clone gets a new mac address (correctly) but udev knows the original mac address so disables eth0 hence no networking.

The fix is simple – tell udev to bugger off:

$ sudo rm /etc/udev/rules.d/70-persistent-net.rules
$ sudo mkdir /etc/udev/rules.d/70-persisitent-net.rules

Reboot and you should find the network interface reappear. Do this on the original vm and all your clones will work first time.

It’s a bit of a hack but it works – the mkdir simply prevents udev from recreating the rules on startup.

How to fix OpenJDK-7 certificates on Ubuntu 11.10 running on Amazon EC2

After a second crash of my EC2 instance which was running Amazon‘s own Linux distribution I had to rebuild so this time I decided to put the latest official Ubuntu AMI on it. Everything ran fine until I fired up an application which takes a feed from Twitter using their stream api.

When I fired that up I got the following stack trace:

17 Feb 2012 21:13:00,790 ERROR [Twitter Stream consumer-1[Waiting for 500 milliseconds]] [in.setra.twitter.TwitterModule] Exception during processing
java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-emptyRelevant discussions can be on the Internet at:
 http://www.google.co.jp/search?q=b5e7486f or
 http://www.google.co.jp/search?q=24943238
TwitterException{exceptionCode=[b5e7486f-24943238 b5e7486f-2494320e b5e7486f-2494320e b5e7486f-2494320e], statusCode=-1, retryAfter=-1, rateLimitStatus=null, featureSpecificRateLimitStatus=null, version=2.2.5-SNAPSHOT}
 at twitter4j.internal.http.HttpClientImpl.request(HttpClientImpl.java:200)
 at twitter4j.internal.http.HttpClientWrapper.request(HttpClientWrapper.java:65)
 at twitter4j.internal.http.HttpClientWrapper.post(HttpClientWrapper.java:102)
 at twitter4j.TwitterStreamImpl.getFilterStream(TwitterStreamImpl.java:290)
 at twitter4j.TwitterStreamImpl$7.getStream(TwitterStreamImpl.java:279)
 at twitter4j.TwitterStreamImpl$7.getStream(TwitterStreamImpl.java:277)
 at twitter4j.TwitterStreamImpl$TwitterStreamConsumer.run(TwitterStreamImpl.java:427)
Caused by: javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
 at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
 at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1697)
 at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1660)
 at sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1643)
:
Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
 at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
 at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:120)
 at java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:104)
 at sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:73)
 ... 23 more

After a brief search I found that for some reason when you install OpenJDK-7-jre-headless you don’t get the certificates installed & most people just switched back to the Sun/Oracle jre.

Now this worked for me – the install was a virgin setup so I hadn’t installed the sun JDK before but I found the Java 6 cacerts installed, so the following two lines fixed the problem:

cd /usr/lib/jvm/java-6-openjdk/jre/lib/security
sudo ln -s /usr/lib/jvm/java-7-openjdk-i386/jre/lib/security/cacerts cacerts

This may work elsewhere, it may not – in this instance it worked & I’m now getting a realtime stream in from Twitter.

Generating private keys with openssl

Keys are the basis of public key algorithms and PKI. Keys usually come in pairs, with one half being the public key and the other half being the private key. With OpenSSL, the private key contains the public key information as well, so a public key doesn’t need to be generated separately.

Public keys come in several flavors, using different cryptographic algorithms. The most popular ones associated with certificates are RSA and DSA, and this  article will show how to generate each of them.

Generating an RSA key

A RSA key can be used both for encryption and for signing and generating a key is quite easy, all you have to do is the following:

  openssl genrsa -des3 -out privkey.pem 2048

That will generate a private key with is password protected (it will prompt you for the password during generation). If you don’t want it password protected (usually for server side use) then leave the -des3 parameter out, i.e.:

  openssl genrsa -out privkey.pem 2048
 The number 2048 is the size of the key, in bits. Today, 2048 or higher is recommended for RSA keys, as fewer amount of bits is considered insecure.

Generating a DSA key

A DSA key can be used for signing only. This is important to keep in mind to know what kind of purposes a certificate request with a DSA key can really be used for.

Generating a key for the DSA algorithm is a two-step process. First, you have to generate parameters from which to generate the key then to generate the key itself.

  openssl dsaparam -out dsaparam.pem 2048
  openssl gendsa -des3 -out privkey.pem dsaparam.pem

Again like RSA, 2048 is the size of the key, in bits with anything smaller than 2048 being insecure in todays standards.

Also the -des3 parameter will prompt you for a pass phrase – for server use leave it out:

  openssl dsaparam -out dsaparam.pem 2048
  openssl gendsa -out privkey.pem dsaparam.pem