Tuesday, December 18, 2012

/var/log/mail.err: dovecot: Fatal: Time just moved backwards

I had this error appear on almost every reboot in my /var/log/mail.err file. Rather frustrating, considering reboots are so infrequent that I would forget that dovecot failed to start and troubleshoot the IMAP access failure anew. Well, the last time this happened I decided to fix the root cause, and below is the solution.

As per the dovecot wiki, this error can appear on some VPS hosts. Resolving it is relatively easy but not obvious: install NTP, the Network Time Protocol daemon, which keeps your time correct and synchronized, and then delay the start of the dovecot service until the ntpd service is loaded.

Ubuntu/Debian Solution

Install the ntp package:

# aptitude update
Get:1 http://security.debian.org squeeze/updates Release.gpg [836 B]
...
# aptitude install ntp

By default the dovecot startup script does not require the ntp service before it starts, so we must modify it so that it waits for ntp before starting itself. Edit the /etc/init.d/dovecot startup script and add 'ntp' to the end of the '# Required-Start' line like so:

# nano /etc/init.d/dovecot
...
# Required-Start: $local_fs $remote_fs $network $syslog $time ntp
...

Delete and re-add the startup script, which will place it in its proper order in the startup sequence (thanks to Linode for help with this):

# insserv -r dovecot
# insserv dovecot

Reboot your system and verify that dovecot is indeed running:

root@shared-hosting-1:~# ps aux | grep dovecot
root      2208  0.0  0.1   3996   796 ?        Ss   23:51   0:00 /usr/sbin/dovecot -c /etc/dovecot/dovecot.conf
root      2213  0.0  0.4  10072  2508 ?        S    23:51   0:00 dovecot-auth
root      2221  0.0  0.5  10264  2668 ?        S    23:51   0:00 dovecot-auth -w
dovecot   2234  0.0  0.4   5604  2200 ?        S    23:51   0:00 imap-login
dovecot   2235  0.0  0.3   5464  1940 ?        S    23:51   0:00 imap-login
dovecot   2236  0.0  0.3   5464  1940 ?        S    23:51   0:00 imap-login
dovecot   2246  0.0  0.3   5464  1936 ?        S    23:53   0:00 imap-login
root      2307  0.0  0.1   3356   740 pts/0    R+   23:54   0:00 grep dovecot
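
The Required-Start edit above, scripted so that it can be re-run safely. This is an added example, not part of the original post; the function names and the sample init header are constructed for illustration, and on a real host you would point it at /etc/init.d/dovecot and then run the two insserv commands shown earlier.

```shell
#!/bin/sh
# Added example: idempotently add a dependency to an init script's LSB header.

# has_required_start FILE NAME: succeed if NAME is already on the Required-Start line.
has_required_start() {
    sed -n '/^### BEGIN INIT INFO/,/^### END INIT INFO/p' "$1" |
        grep -E '^# Required-Start:' |
        grep -Eq "(^|[[:space:]])$2([[:space:]]|\$)"
}

# add_required_start FILE NAME: append NAME to Required-Start unless it is present.
# Writes back with cat so the script keeps its owner and mode.
add_required_start() {
    if has_required_start "$1" "$2"; then return 0; fi
    tmp=$(mktemp) || return 1
    sed "/^# Required-Start:/ s/[[:space:]]*\$/ $2/" "$1" > "$tmp" && cat "$tmp" > "$1"
    rm -f "$tmp"
}

# Constructed sample header standing in for /etc/init.d/dovecot.
make_sample_init() {
    cat <<'EOF'
#!/bin/sh
### BEGIN INIT INFO
# Provides:          dovecot
# Required-Start:    $local_fs $remote_fs $network $syslog $time
# Required-Stop:     $local_fs $remote_fs $network $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
### END INIT INFO
EOF
}

# Demo on a temporary copy: the second call changes nothing.
demo=$(mktemp)
make_sample_init > "$demo"
add_required_start "$demo" ntp
add_required_start "$demo" ntp
grep '^# Required-Start:' "$demo"
rm -f "$demo"
```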

Do +1 or share this if it has helped you.

Saturday, December 15, 2012

Verisign/Symantec "Failed to configure CA certificate chain!"

I've deployed a few SSL-enabled sites in the past but have never encountered as much trouble as I did with the Verisign/Symantec Secure Site SSL certificate. And the thing is, it can all be blamed on a poorly formatted 'Download Symantec Secure Site Primary and Secondary Intermediate CA bundle' page. Yes, even though it does say the word 'Download', you are actually asked to copy and paste; brilliant, considering that if you do so your resulting file is malformed due to additional white space on each line.

I did not notice the white space until well into my second hour of frustration and pain. Apache just chokes with "Failed to configure CA certificate chain!" or "Unable to configure verify locations for client authentication" errors. For the substantial premium clients pay to use Verisign SSL certificates, I must say I really expected better.

To resolve the issue, either manually remove the white space or create the chain file by copying and pasting, from the 'Get Certificate' page (format X.509), the 'First Intermediate Certificate:' and 'Second Intermediate Certificate:' sections; the 'End Entity Certificate:' section is your SSLCertificateFile.
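
One way to do the whitespace clean-up and confirm the result before handing the file to Apache. This is an added example, not part of the original post; the function names are hypothetical and the sample bundle is constructed placeholder text, not real certificates.

```shell
#!/bin/sh
# Added example: repair a CA chain file that was copy-pasted with stray whitespace.

# Strip CRs, leading/trailing whitespace and blank lines from a PEM on stdin.
clean_pem() {
    tr -d '\r' | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d'
}

# Succeed only if every line is a certificate marker or pure base64 and the
# BEGIN/END markers are balanced.
pem_is_clean() {
    if grep -Evq '^(-----(BEGIN|END) CERTIFICATE-----|[A-Za-z0-9+/]+=*)$' "$1"; then
        return 1
    fi
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----$' "$1" || true)
    [ "$begins" -gt 0 ] && [ "$begins" -eq "$ends" ]
}

# Constructed sample: two placeholder "certificates" (not real ones) with the
# kind of padding a browser copy-paste adds.
make_sample() {
    printf '%s\n' \
        '-----BEGIN CERTIFICATE-----   ' \
        '  Q09OU1RSVUNURURTQU1QTEUx  ' \
        '  Rk9SSUxMVVNUUkFUSU9O' \
        '-----END CERTIFICATE----- ' \
        '' \
        '   -----BEGIN CERTIFICATE-----' \
        'U0VDT05ESU5URVJNRURJQVRF   ' \
        '-----END CERTIFICATE-----'
}

# Demo: the pasted file fails the check, the cleaned one passes.
work=$(mktemp -d)
make_sample > "$work/pasted.pem"
clean_pem < "$work/pasted.pem" > "$work/chain.pem"
for f in pasted chain; do
    if pem_is_clean "$work/$f.pem"; then echo "$f.pem: ok"; else echo "$f.pem: malformed"; fi
done
rm -rf "$work"
```

On a real bundle, `openssl crl2pkcs7 -nocrl -certfile chain.pem | openssl pkcs7 -print_certs -noout` then lists the subject and issuer of every certificate in the cleaned file.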

Hope this helps you out, feel free to follow me on twitter: @danielsokolows or google plus.

Sunday, December 9, 2012

Ruby on Rails Apache Deployment

Setting up Apache + Passenger to serve a RoR app on Ubuntu/Debian (VPS Linode)

I'm a Django/Python developer who was tasked with transitioning a Heroku-hosted app to a Linode VPS running stock Ubuntu. This turned out to be a two-day adventure with a lot of dead ends and a fair share of frustration. I had the app running relatively quickly using the built-in `rails server` command but could not get apache + mod_passenger to serve it.

I must say that in my opinion the RoR community is doing itself a disservice by not having solid, easy-to-follow deployment instructions: a search on ruby on rails deployment returns outdated noise and an official page that is of no help.

Below is a quick summary of what I have learned and how I deployed a Ruby on Rails site with Apache on an Ubuntu system running on a Linode VPS. If this blog does help you out I ask that you do +1 or share it; so now let's begin.

Do not use the Ubuntu/Debian system packages

I mean do NOT; this is the route I went, which turned out to be like going down a rabbit hole. The system packages are outdated, and even if you get your app working using the built-in `rails server` command, chances are apache + mod_passenger will still complain with "no such file to load -- bundler/setup" or "Valid types are [:development, :runtime], not nil"


Use the 'Rails Ready' script and follow it to the letter

I forget how I eventually found this but I am soooo glad that I did. This magical script compiles and installs the latest version of RoR and either an Nginx or an Apache passenger module. So run it and it will automatically take care of the entire setup process for you. However, the instructions state to run `passenger-install-apache-module` but it's actually `passenger-install-apache2-module`. Note that the `--no-check-certificate` flag in the command below turns off TLS certificate verification for the download.

$ wget --no-check-certificate https://raw.github.com/joshfng/railsready/master/railsready.sh && bash railsready.sh
...
- I picked the build from source option
...
$ passenger-install-apache2-module
... 

Test and Deploy your RoR Application

In summary: clone or copy your Ruby on Rails application, install its required gems, test it, then set up the apache configuration as advised after running `passenger-install-apache2-module`.

$ git clone git@github.com:danielsokolowski/<your rails application>.git <your rails application>.ca
$ cd <your rails application>.ca/<your rails application>-form/
$ bundle install
$ rails server
=> Booting WEBrick
=> Rails 3.2.8 application starting in development on http://0.0.0.0:3000
=> Call with -d to detach
=> Ctrl-C to shutdown server
=> Ctrl-C to shutdown server
[2012-12-09 00:40:34] INFO  WEBrick 1.3.1
[2012-12-09 00:40:34] INFO  ruby 1.9.3 (2012-11-10) [i686-linux]
[2012-12-09 00:40:34] INFO  WEBrick::HTTPServer#start: pid=6993 port=3000
^C[2012-12-09 00:40:41] INFO  going to shutdown ...
[2012-12-09 00:40:41] INFO  WEBrick::HTTPServer#start done.
Exiting

Now that we know the app runs on the built-in development server we can set up apache using the information provided when we installed passenger; below is an example from the site I was moving over, which is a PHP site with a RoR application that runs under a sub-URL directory.

# /srv/www/<your rails application>.ca/apache-httpd.conf but linked as /etc/apache2/sites-available/<your rails application>.ca

# RoR as per the `passenger-install-apache2-module` https://github.com/joshfng/railsready/blob/master/README.md
LoadModule passenger_module /usr/local/lib/ruby/gems/1.9.1/gems/passenger-3.0.18/ext/apache2/mod_passenger.so
PassengerRoot /usr/local/lib/ruby/gems/1.9.1/gems/passenger-3.0.18
PassengerRuby /usr/local/bin/ruby

<VirtualHost *:80>
 ServerAdmin support@danols.com
 ServerName <your rails application>.ca
 ServerAlias www.<your rails application>.ca development.<your rails application>.ca
 # Answering to server alias `development.domain.tld` allows one to develop the site on a development server utilizing
 # the same apache-conf file that will be used on the live server. To make this work one only needs to update the domain DNS
 # records so that `development.domain.tld` points to a development server and `www.domain.tld` and `domain.tld` point to a
 # production server.

 # Canonical - prefix www to `domain.tld` but not `something.domain.foo` - however www prefix is no longer popular
 #RewriteEngine on
 #RewriteCond %{HTTP_HOST} ^\w+\.\w+(:\d+|)$
 #RewriteRule !"" http://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L,NC]

 # Authenticated access to this project; this is only used on the development server to prevent unauthorized access.
 # As a fallback you should have a default auth requirement enabled in the global Apache `/etc/apache/conf.d` settings.
 # We also prevent serving of the password logins file; however, again this is only used for development client access.
 Redirect /apache-logins.htpasswd /
 <Location />
        AuthType basic
        AuthName "Development Area"
        AuthBasicProvider file
        AuthUserFile /srv/www/<your rails application>.ca/apache-logins.htpasswd
        Require user jeremy
 </Location>

 # DocumentRoot where PHP / HTML Files are served from.
 DocumentRoot /srv/www/<your rails application>.ca/        

 # Ruby and Rails application form module - to find your GEM_HOME run 'gem list -d bundler' 
 <Location /<your rails application>-form/>
  RailsEnv development
  #RailsEnv production
  RailsBaseURI /<your rails application>-form
  PassengerAppRoot /srv/www/<your rails application>.ca/<your rails application>-form/
 </Location>
 
 # Apache log file location and settings; keeping log within project is not recommended as site can be on many servers
 ErrorLog /var/log/apache2/<your rails application>.ca-errors
 CustomLog /var/log/apache2/<your rails application>.ca combined
 
 # common redirects
 #Redirect permanent /gapps/ https://www.google.com/a/<your rails application>.ca/
 #Redirect permanent /analytics/ http://www.google.com/analytics/

</VirtualHost>