Scenario

You are doing a Ubuntu LTS upgrade from 14.04. Having new 16.04 installed, everything seems fine, but after the upgrade to 18.04, Apache shows only blank pages for PHP sites. Even simple commands like phpinfo() do not work. The common log files do not show any information about it.

Cause

The general PHP upgrading process from 5 to 7 (and to 7.2) seems to not always work well.

For whatever reason, the Ubuntu upgrade process declares some Apache PHP library modules as obsolete and deletes them, or at least disables them. So you might finish the upgrade with Apache having not enabled any PHP library module at all.

Quick Fix

Re-enable the module:

a2enmod php7.2

Details

See /etc/apache2/mods-available directory to find the most recent available PHP module version.

If no PHP module is installed, run

apt install libapache2-mod-php7.2

See /etc/apache2/mods-enabled for potential dead links, then re-enable the module via above a2enmod command.

Additional Note

Ubuntu 18 upgrade also removes Let’s Encrypt’s certbot tool, you might have to reinstall it.

 [:]

But especially in small organizations the port 443 has already been used, in most cases for the various tools of MS Exchange Server.

Changing to alternative ports for certain services globally often is de facto not realizable, so one solution can be a webserver’s reverse proxy feature which I will explain here.

This tutorial is tested with and should work with Ubuntu/Apache2 as public webserver, Windows 2016 Server for Exchange Server 2016 and Outlook 2016, using SSL certificates from Let’s Encrypt.

Preparation

Basically, our webserver will be our new public port 443 access point. It will handle all HTTPS web requests and will also forward data to Exchange if necessary.

So in the end, we need to have valid SSL certificates on the webserver and on the Exchange server. For Exchange, we copy the certificate from the webserver and import it (creating it “live” on Exchange is hardly possible in this case due to the webserver’s needed proxy settings).

Router / Firewall

In your router config, create a new NAT rule which allows you to quickly switch incoming port 443 forwarding from mailserver to webserver. Do not enable it at this point, we will need that later.

DNS

If you use external DNS providers with automatic HTTP(S) proxies to speed up your website like Cloudflare, you might want to disable it (at least the proxy features) for the time of the configuration process, as it can produces some unpredictable behaviour in combination with the browser cache, tests etc.

Webserver / WordPress

You might also want to temporarily disable plugins for first tests like WP Super Cache, Minify etc. to get immediate results of the changes.

New configurations

Webserver

First we install Let’s Encrypt’s Certbot . Make a snapshot or backup before, then run it without any parameters. It shows a user friendly wizard which assists you in converting your existing Apache Virtual Hosts to SSL enabled websites. If everything runs fine, you have your websites easily prepared for HTTPS and Apache is configured automatically.

Note for Cloudflare

If you are using web cache/proxy services, certbot/letsencrypt might end with TLS handshake errors.

Workaround:

certbot –preferred-challenges http

Reverse Proxy for Exchange

Create a new Apache configuration file for Exchange’s new reverse proxy:

<VirtualHost *:443>

ServerName mail.example.com
ServerAlias autodiscover.example.com
ServerAdmin webmaster@example.com

ErrorLog /var/log/apache2/error.log
CustomLog /var/log/apache2/access.log combined

Header always set X-Frame-Options SAMEORIGIN
Header set Server Apache
Header unset X-AspNet-Version
Header unset X-OWA-Version
Header unset X-Powered-By
RequestHeader unset Expect early

SetEnvIf User-Agent ".*MSIE.*" value BrowserMSIE
Header unset WWW-Authenticate
Header add WWW-Authenticate "Basic realm=mail.example.com"

ProxyRequests Off
ProxyPreserveHost On

SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off

#longer connection timeout to prevent activesync errors
ProxyPass / https://exchange2016.example.local/ connectiontimeout=600
ProxyPassReverse / https://exchange2016.example.local/

<Directory /Microsoft-Server-ActiveSync>
#attachment/activesync bugfix
SSLRenegBufferSize 31457280
</Directory>

#charset e.g. for german special chars
AddDefaultCharset ISO-8859-1

DocumentRoot /var/www/html

<Directory />
    Order deny,allow
    Deny from all
</Directory>

<Directory /var/www/html>
    DirectoryIndex index.php index.html
    Options -Indexes +FollowSymLinks
    Order allow,deny
    Allow from all
</Directory>

<Proxy *>
        SetEnv proxy-nokeepalive 1
        SetEnv force-proxy-request-1.0 1
        Order deny,allow
        Allow from all
</Proxy>

  SSLEngine on

    BrowserMatch "MSIE [2-6]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
  # MSIE 7 and newer should be able to use keepalive
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>

We only need this reverse proxy on port 443, not 80.

Make sure you really use local server names (e.g. for ProxyPass) which are always resolved to the server’s local IP (not the firewall ot public IP)! If not sure, you can also use IP addresses, SSL certs are not checked at this point. Otherwise you might experience senseless loopbacks.

Enable the necessary Apache modules:

a2enmod headers
a2enmod rewrite
a2enmod proxy_http
a2enmod ssl

Enable the new virtual host (a2ensite exchange).

Re-run certbot, it should append lines to the file, e.g. “SSLCertificateFile”, keyfile, chainfile etc.

Run “service apache2 reload” and check for errors.

WordPress

Change your site’s URLs to https://www.example.com within the admin area.

Mailserver

In Exchange’s virtual directories, make sure you have basic authentification enabled (for OWA, EWS, …). Apache is not able to use NTLM mechanism, so we need this workaround. You can enable it either via Exchange Administrative Center -> Server -> Virtual Directories, or IIS, or Exchange Management Shell.

Firewall

Activate the new rule you created before, so port 443 is forwarded to your webserver instead of Exchange directly.

Tests

Use Microsoft’s Analyzer to test Exchange connectivity features you need, e.g. Autodiscover, ActiveSync (e.g. mobile phones), Exchange Web Services (EWS) etc.

Check your Apache logfiles for connection errors (500, timeouts, …).

Check if your websites are loading fine via HTTPS URL in every browser. Parts of your sites might still contain HTTP links to scripts or graphics; in this case change the link to the more generic “//” to avoid browser warnings.

Refreshing certificates

Webserver

Create a cronjob similar to this one:

0 0 1 * * /usr/bin/certbot renew --preferred-challenges http >> /var/log/letsencrypt-renew.log
#(HTTP option only for e.g. Cloudflare)

Because your Exchange Server also needs the certificate, but cannot request it itself any more, publish it on your webserver. Exchange will it download later for further processing.

#!/bin/bash

PW=mypw
SHARE=/var/www/html/other
CERTPATH=/etc/letsencrypt/live
MAINDOMAIN=example.com #the first domain name letsencrypt uses (main CN)

#conversion for exchange
openssl pkcs12 -export -in $CERTPATH/$MAINDOMAIN/cert.pem -inkey $CERTPATH/$MAINDOMAIN/privkey.pem -out  $SHARE/exch.p12 -password pass:$PW

Also create a cronjob for it, which runs a few minutes after certbot.

Mailserver

Create a PowerShell script which downloads the certificate from your webserver and imports it into Exchange Server:

$CertPath="c:\letsencrypt\exch.p12"
$ImportPassword="mypw"

Add-PSSnapin *exchange* -ea 0

wget http://www/other/exch.p12 -OutFile $CertPath

$ImportPassword = ConvertTo-SecureString $ImportPassword -AsPlainText -Force

Import-ExchangeCertificate -FileName $CertPath -FriendlyName "example.com" -Password $ImportPassword -PrivateKeyExportable:$true | Enable-ExchangeCertificate -Services "SMTP, IMAP, POP, IIS" –force

Also create a scheduled task for it to make it run e.g. twice a week.

Finally, you should have all your websites accessible via HTTP and HTTPS, and Exchange Server including OWA, ActiveSync etc. should work besides.

References

https://serverfault.com/questions/113026/apache-2-2-disable-reverse-proxy-on-location

https://znil.net/index.php?title=Apache2_als_Reverse_Proxy_f%C3%BCr_Exchange_2010_2013_inklusive_Outlook_Anywhere_RPC_over_http

https://testconnectivity.microsoft.com

https://www.msxfaq.de/internet/apache.htm

https://stackoverflow.com/questions/14814419/how-do-i-make-urls-case-insensitive-in-linux-server

https://github.com/phr0gz/Apache-reverse-proxy-for-Exchange-2010-2013-2016/blob/master/webmail.conf[:]

Kodinerds IPTV

Die IPTV-Senderliste von Kodinerds ist kostenlos, völlig legal, wird regelmäßig aktualisiert und beinhaltet viele der bekannten TV-Sender, unter anderem aus Deutschland, Österreich und der Schweiz (z.B. ORF, ARD, ZDF, SF1 usw.).

Variante 1: Kodi mit PVR-Addon IPTV Simple Client

Der einfachste Weg z.B. für erste Tests mit dem Kodi Mediacenter bietet sich über das Addon IPTV Simple Client, zu finden im offiziellen Kodi Addons-Repository unter “PVR-Clients”.

In der Addon-Konfiguration einfach die entsprechende URL angeben, danach füllt sich die Kodi TV-Ansicht mit Sendern.

EPG

Für das TV-Programm bietet sich das Addon Rytec EPG Downloader an, welches jedoch des öfteren als defekt gemeldet wird. Alternativ lassen sich die EPG-Daten auch manuell von http://rytecepg.ipservers.eu/epg_data/ oder http://koditvepg.com/epgs/ http://xmltv.xmltv.se/ beziehen. Die XML-Datei nach dem Download entpacken und in dem IPTV Simple Client-Einstellungen angeben. Der Vorgang lässt sich natürlich auch über ein Shell-Skript automatisieren. Teilweise sind nach dem XML-Download noch einige Anpassungen in der Datei zu machen, um die automatische Senderzuordnung zu ermöglichen.

Beispiel: Bei österreichischen Senden ist teilweise in EPGs das Präfix “AT: ” angegeben, welches entfernt werden muss, z.B. mit diesem Befehl im Skript:

sed -i 's/AT: //g' /[mydownloadsfolder]/guide.xml

Variante 2: Kodi-Client mit Tvheadend-Server

Die weitaus flexiblere, jedoch etwas aufwändigere Variante bietet sich in Kombination mit Tvheadend (anstatt des Simple Client) an.

Vorteile:

• Saubere Trennung von Client und Server -> sinnvoll, wenn es mehrere Kodi-Stationen im Haus gibt
• Eigenständige, detailliertere Verwaltung von Senderlisten, Senderlogos, EPG-Daten, zentralisierte TV-Aufnahmen uvm.

Tvheadend-Server einrichten

Tvheadend.org und Ubuntuusers.de bieten sehr gute Tutorials für die Installation an, daher werde ich nur eine Kurzanleitung für Ubuntu beschreiben.

1. Ubuntu Server installieren; auf Hardware, in virtueller Maschine, oder alternativ auch Raspbian auf einem Raspberry Pi.
2. Tvheadend-Repositories lt. obiger Tutorial-Links hinzufügen und tvheadend-Paket installieren (“stable”-Zweig empfohlen).
3. Das Webinterface ist danach unter dem Port 9981 erreichbar.

Zum Hinzufügen der Kodinerds IPTV-Listen einfach dem Wizard folgen und den entsprechenden Link angeben (Achtung: “pipe“-Listen verwenden!).

Weitere Listen können auch später hinzugefügt werden, über “Configuration -> DVB Inputs -> Networks”. Dies ist z.B. hilfreich, wenn die Kodinerds-main-Liste mit über 400 Kanälen zu unübersichtlich erscheint; in diesem Fall verwendet man z.B. die abgespeckte Senderliste für die deutschen Hauptsender, und zusätzlich die Liste der Österreich- und Schweiz-Kanäle.

Nach Ergänzung einer Liste den vollständigen Scan abwarten und prüfen, ob die Sender im Bereich “Muxes” und “Services” aufscheinen; ggf. Services -> “Map all services” ausführen.

Debugging

Tvheadend läuft – vor allem während der Konfiguration – nicht immer perfekt, meist sind jedoch Probleme nach Neustart des Dienstes behoben:

sudo service tvheadend restart

Unter /var/log/syslog befinden sich unter anderem auch die Tvheadend-Logs.

EPG

Es gibt zahlreiche Wege für die EPG-Aktualisierung. Eine mögliche Variante:

1. Tvheadend -> Configuration -> Channel / EPG -> EPG Grabber Modules -> “External: XMLTV” aktivieren; alle anderen Module deaktivieren.
2. Skript erstellen (Variablen und evtl. den sed-Befehl für andere Länder anpassen):

   1. #!/bin/bash
      
      HOME=/home/hts
      XML=$HOME/guide.xml
      URL=http://epg.koditvepg.com/AT/guide.xml
      SOCKET=/home/hts/.hts/tvheadend/epggrab/xmltv.sock
      
      rm $XML*
      echo "$(date) Download starting..."
      wget $URL -P $HOME -nv
      sed -i 's/AT: //g' $XML
      cat $XML | sudo socat - UNIX-CONNECT:$SOCKET
      echo "$(date) EPG update finished."
      

       

   2. Berechtigungen anpassen (chmod +x epgupdate.sh) und ausführen; nach kurzer Zeit sollten die EPG-Infos unter Tvheadend -> “Electronic Program Guide” sichtbar sein.
   3. Evtl. zur täglichen Ausführung als Cronjob anlegen (crontab -e).

Update 11.2019

koditvepg.com ist mittlerweile kostenpflichtig.

Aktuell funktionierende – und kostenlose – Variante für den deutschsprachigen Raum:

• EPG-Grabbermodul “XMLTV: German speaking area (Egon zappt)” in der Weboberfläche aktivieren, Standardeinstellungen belassen. Alle anderen Module deaktivieren.
• Konfigurieren des Moduls per SSH:

  • su hts
    tv_grab_eu_egon --configure
    #Standard-Url
    #Einzelne Sender aktivieren, oder alle

     

• Ausführen z.B. per Reboot, Service-Restart oder “Re-Run”-Button; dabei /var/log/syslog beobachten.
• Sollte sich EPG nicht aktualisieren, Service stoppen, Cache löschen (/home/hts/.hts/tvheadend/epgdb.v2) und wieder starten.

Kodi-Client einrichten

Abschließend das Kodi-Addon “PVR Tvheadend” am Client installieren, aktivieren und konfigurieren.

IP oder DNS-Name des Tvheadend-Servers angeben und optional die gewählten Zugangsdaten, mit denen sich Kodi zum TV-Server verbinden darf.

Danach erscheint, wie auch in Variante 1, die gewohnte TV-Senderliste mit EPG in Kodi.

 [:]

Solution

Within the boot partition of the SD card (which can also be accessed via Windows Explorer), create a simple file called “ssh” (no extension!).

When you boot Raspian afterwards, you can easily log in with default user “pi” and password “raspberry”.

Reference[:]

In a previous post, I explained how to set up Mikrotik Routerboards as a VPN gateway.

This post is about how to remotely switch the VPN on and off via Smart Home visualization OpenHAB 2, so it affects your whole LAN. You can even switch to other VPN servers, conveniently via phone or browser interface.

Basic procedure: User starts a command via OpenHAB interface -> SSH commands are executed via shell -> RouterOS accepts the commands.

SSH preparation

First we need to establish a simple and secure connection between your server (e.g. Ubuntu, running OpenHAB) and your routerboard, which can be used in scripts without passwords.

On your OH server, execute:

su - openhab -s /bin/bash #the Linux user which is running the OpenHAB process
mkdir /ssh-mikrotik
cd /ssh-mikrotik
ssh-keygen -t rsa #as location, choose /ssh-mikrotik/id_rsa

Copy the file /ssh-mikrotik/id_rsa.pub to your Mikrotik device, e.g. via WinSCP and RouterOS WinBox (or FTP / terminal).

Then open WinBox -> System -> Users and create a user “openhab” with full permissions. If you want, restrict it to a certain IP address.

In “SSH keys” tab, import the file id_rsa.pub you copied before, and assign it to Mikrotik user “openhab”.

Test the SSH connection on your OH server:

ssh -l openhab -i /ssh-mikrotik/id_rsa 10.1.0.11 "echo asdf" # assuming 10.1.0.11 is your RouterOS device

Scripts

You need some scripts on your OH server to get the VPN state and be able to control it.

#!/bin/bash

if [ "$1" = "ON" ]
then
        echo "enabling vpn"
        ssh -l openhab -i /ssh-mikrotik/id_rsa 10.1.0.11 "/interface pptp-client enable myvpn" #assuming your VPN runs via PPTP and is called "myvpn"
fi

if [ "$1" = "OFF" ]
then
        echo "disabling vpn"
        ssh -l openhab -i /ssh-mikrotik/id_rsa 10.1.0.11 "/interface pptp-client disable myvpn"
fi

<?php

$result = `ssh -l openhab -i /ssh-mikrotik/id_rsa  10.1.0.11 "/interface pptp-client print where name=myvpn"`;

#echo $result;

$lines = explode("\n", $result);

//offline?
if (count($lines) < 5)
{
        echo "error";
        exit;
}

$line = $lines[1];

$expl = explode(" ",$line);

#var_dump($expl);

if ($expl[3] == "R")
{
        echo "ON";
}
else
{
        echo "OFF";
}

?>

Make both scripts executable by the openhab user:

chmod a+x openhab /ssh-mikrotik/vpn-*

You can later extend these scripts e.g. to be able to switch to another VPN host. Use the commands like in WinBox terminal, e.g. “/interface pptp-client set myvpn connect-to=example.com”.

Execute the scripts in your OH server’s shell manually to see if they work (they must be able to run under user openhab).

OpenHAB2 configuration

The last step is to configure OH visualization.

We use the Exec binding for OH2, so make sure it is enabled in runtime.cfg (or in your preferred OH admin interface).

Thing exec:command:Vpn-Control [command="/ssh-mikrotik/vpn-control.sh %2$s", interval=0, autorun=true] 
Thing exec:command:Vpn-Status [command="/usr/bin/php /ssh-mikrotik/vpn-status.php", interval=3600, timeout=15]

String VPN "VPN" <network> (All) { channel="exec:command:Vpn-Control:input", channel="exec:command:Vpn-Status:output", autoupdate="true"}

Switch item=VPN

You should now be able to control your VPN interface via OpenHAB:

[:]

Decline disposable email domains

To add another obstacle for bots and to make the checkout process not more complex than needed, I added some additional code in Magento’s root directory.

It declines the customer’s email address if it comes from a disposable email (trash mail) provider. So for the checkout to complete, the customer is forced to enter a valid (non-trash) email address.

This list on Github seems to be pretty much complete and can be queried directly e.g. here.

<?php

//2017-06 DXSdata.com

if (isset($_POST['billing']))
{
       //https://github.com/ivolo/disposable-email-domains
        //look if listed as disposable email domain
        if (@$tmp['email'])
        {
                $result = @file_get_contents("https://open.kickbox.io/v1/disposable/".$tmp['email']);

                if ($result)
                {
                        $result = json_decode($result);
                        if ($result)
                        {
                                if ($result -> disposable)
                                {
                                        $_POST['billing']['email'] = '';
                                        mail("office@dxsdata.com", "disposable email detected: ".$tmp['email'], "", "From: office@mywebser.ver");
                                        exit;
                                }
                        }
                        else mail("office@dxsdata.com", "could not check disposable email domain","","From: office@mywebser.ver");
                }
                else mail("office@dxsdata.com", "could not check disposable email domain","","From: office@mywebser.ver");
        }


}

Then include it in your Magento’s index.php:

<?php
#only add the following line:

include('checks.inc.php');

#original:
/**
 * Magento
 *
...

Note: After every update, security patch etc., check your index.php file if the include command is still there. Re-add it, if necessary.

Restrict admin access to certain IP ranges

In addition, it definitely makes sense to make the virtual /admin subdirectory more secure. It does not really exist in Magento’s file structure, so you cannot use .htaccess files like it can be done for the /downloader directory. But you can extend the new checks.inc.php file you created before:

<php
#addition

function isAllowedAsAdmin()
{
    $whitelist = array(
        '10.1.*',
        '192.168.1.*',
        '77.1.2.34',
        '234.45.567.80'
    );

    if(in_array($_SERVER['REMOTE_ADDR'], $whitelist))
        return true;
    else{
        foreach($whitelist as $i){
            $wildcardPos = strpos($i, "*");

            if($wildcardPos !== false && substr($_SERVER['REMOTE_ADDR'], 0, $wildcardPos) . "*" == $i)
                return true;
        }
    }

    return false;
}

if (strpos($_SERVER['REQUEST_URI'], "/admin") !== false)
{
    if (!isAllowedAsAdmin())
    {
        echo $_SERVER['REMOTE_ADDR'] . " not allowed.";
        exit;
    }
}

 [:]

Scenario

You have some webservers or mailservers in your LAN which you want to work with the Let’s Encrypt SSL service. It provides the creation of free SSL certificates which are known by most browsers.

The only drawback is, they are valid for only 90 days. So if you do not want to renew manually every 3 months, you can automate most parts of the process.

In this tutorial, we will create a certificate server which provides always up-to-date certificates, so they can be fetched by other servers in your LAN.

Steps

Certbot, the LetsEncrypt utility for getting certificates e.g. under Ubuntu, basically needs an open outgoing Port 80 TCP, and also an incoming Port 80 TCP. I didn’t want to open outgoing internet for all of the servers, so I decided to create a separate LetsEncrypt certificate server which runs certbot regularly.

Create a new Ubuntu Server virtual machine: Default setup, install Samba/CIFS, Apache2 and certbot.

Configure:

• Apache’s ports.conf and 000-default.conf to only listen on port 81, docroot: /share
  • (Do not use port 80 because certbot needs it later)
• Samba’s smb.conf: Add a public read-only share “certs” for /share

You might already have another Apache webserver running which listens on your router’s public port 80, so we have to redirect certain request from there to the new cert server.

Modify every virtual host config of Apache which needs SSL certificates like in this example:

<VirtualHost *:80>
    DocumentRoot "/var/www"
    ServerName www
    ServerAlias *
    ErrorLog "/var/log/apache2/error.log"
    CustomLog "/var/log/apache2/access.log" common

    #letsencrypt
    ProxyPass /.well-known/acme-challenge/ http://certs/.well-known/acme-challenge/
    ProxyPassReverse /.well-known/acme-challenge/ http://certs/.well-known/acme-challenge/
</VirtualHost>

Note: In this example, certbot always uses port 80! Make sure to consider all of your subdomains, e.g. also for your mailserver etc.

The following script can be run as a cronjob (crontab -e), it gets and renews the certificates from LetsEncrypt and creates password protected zip files for easy local distribution:

#!/bin/bash

#www.dxsdata.com, 2017-05
#creates pw protected zip archives containing certificate files

PW=somepw
SHARE=/share
CERTPATH=/etc/letsencrypt/live
EMAIL=it@example.com

declare -a DOMAINS=(
                "myfirst.example.com"
                "mysecond.example.com -d autodiscover.example.com"
                )

#halt on any error
set -e

#clean share
rm -rf $SHARE/*

for DOMAIN in "${DOMAINS[@]}"
do
        MAINDOMAIN=`echo $DOMAIN | head -n1 | cut -d " " -f1`
        #echo $MAINDOMAIN
        certbot certonly --standalone -d $DOMAIN --preferred-challenges http --agree-tos -n -m $EMAIL --keep-until-expiring

        #create file for ms exchange server
        openssl pkcs12 -export -in $CERTPATH/$MAINDOMAIN/cert.pem -inkey $CERTPATH/$MAINDOMAIN/privkey.pem -out  $CERTPATH/$MAINDOMAIN/cert.p12 -password pass:$PW
        zip -er --password $PW $SHARE/$MAINDOMAIN.zip $CERTPATH/$MAINDOMAIN -j
done

The main part is done, we should be able to get the certificate zip files via CIFS and browser (port 81).

Now we want the “client” servers to fetch the certificates from the local certs server.

Example script for an Ubuntu Apache webserver “client”

#!/bin/bash

#www.dxsdata.com, 2017-05
#gets SSL certificates from local certs server and replaces the existing/old ones

PW=somepw
REMOTECERTPATH="http://certs:81"
CERTPATH=/certs/letsencrypt
TMPPATH=/tmp/certzip

declare -a DOMAINS=(
                "myfirst.example.com"
                )

mkdir -p $TMPPATH

#halt on any error
set -e

for DOMAIN in "${DOMAINS[@]}"
do
        wget -O $TMPPATH/$DOMAIN.zip $REMOTECERTPATH/$DOMAIN.zip
        unzip -o -P $PW $TMPPATH/$DOMAIN.zip -d $CERTPATH/$DOMAIN/
done


apachectl configtest
service apache2 restart

Make sure your Apache certificate config and the script’s certpath point to the same directory.

Example for MS Exchange 2010/2013/2016

This is not a functional Powershell script, but some useful commands to create one:

//Load zip file from \\certs\certs or http://certs:81, then:
Get-ExchangeCertificate -> you get the Thumbprint
Enable-ExchangeCertificate -> SMTP,IIS,IMAP,POP + Thumbprint from above
(Alternative: Import-ExchangeCertificate)

 [:]

Upgrading Ubuntu from v14 to 16 LTS can lead to MySQL server issues (MySQL is upgraded from v5.6 to 5.7 during the upgrade process).

E.g. if you use deprecated variables in /etc/mysql/my.cnf, MySQL server will fail to start after the upgrade is finished.

My recommendations for the upgrade:

1. If the server is a virtual appliance, create a snapshot when the system is shut down. Otherwise create a full backup.
2. Within Ubuntu v14, do an “apt-get update && apt-get upgrade” and check if everything is running fine.
3. Create a snapshot again.
4. Edit /etc/mysql/my.cnf. In my case I had to delete variables
   1. table_cache
   2. log-slow-queries
   3. (long query time)
5. Run “do-release-upgrade” to v16 Xenial.
6. If you are using phpMyAdmin, the dbcommon upgrade procedure might fail during the upgrade process (“cannot access mysqld.sock” or similar). Simply ignore it for now.
7. When the upgrade is finished, check if MySQL is running (“ps ax”) and if not, try to start it manually (e.g. “service mysql restart”).
   1. If MySQL server is unable to start, look at /var/log/mysql/error.log, maybe you have to modify my.cnf again, e.g. remove further certain variables. In this case, I recommend to note the vars and start from the latest snapshot again.
8. If you have huge MySQL databases, watch /var/log/mysql/error.log and/or mysql.log. It might take several minutes as some DB types might be converted to newer formats in all tables.
9. Check if phpMyAdmin works. If Dbcommon failed during the upgrade, run “dpkg-reconfigure phpmyadmin”.

Additions:

It turned out that more modifications are necessary:

MySQL 5.7 seems to ignore max_connections value. If it is e.g. set to 600 in my.cnf, it still uses value 214.

To solve this issue, we have to do a few more adaptions.

LimitNOFILE=infinity
LimitMEMLOCK=infinity

* soft nofile 1024000
* hard nofile 1024000
* soft nproc 10240
* hard nproc 10240

open_files_limit = 1024000
table_open_cache = 500

Optionally, also decrease the timeout values:

wait_timeout = 5000
interactive_timeout = 5000

Run afterwards:

systemctl daemon-reload
service mysql restart

Check the currently used max_connections value e.g. with phpMyAdmin or MySQL console.

Update 2017-05-04:

If you encounter further MySQL errors like “ERROR 1366 Incorrect integer value: ” for column ‘xx’ at row xx, you might want to change sql_mode’s value to the default one from v5.6 (if modifying the SQL query is not an option):

sql_mode=NO_ENGINE_SUBSTITUTION

Reference

Reference[:]

If you are already using a visualization tool like OpenHAB for your smart home, it’s quite easy to get it running.

Because every smart home installation is configured very individually, I will only explain some basics here.

OpenHAB 2

If you are running OpenHAB v1, please upgrade it to v2. Most OH1’s add-ons, bindings etc. can be used with OH2 and the migration process is quite feasible.

Upgrade recommendations:

• Use a fresh installation for OH2 (new Ubuntu VM, Raspberry Pi etc.)
• Decide at the beginning which of the 3 configuration types (text-based, Paper UI, Karaf) you would like to use in the future. It could be error-prone to change in the future, because every type saves the configs to other places. I would prefer Paper UI, but the migration doc linked above recommends text-based config.

When you have OH2 ready to run, install the addon “Hue Emulation”:

• Text-based config: In services/addons.cfg, uncomment the “misc =” line and add “hueemulation”
• Paper UI: Open Add-ons -> Misc -> Install Hue Emulation

Then open your items file. For testing purposes, simply add “[ “Lighting” ]”  or “[ “Switchable” ]” to an already switch.

Example:

Switch myswitch "Test" <myicon> (mygroup) [ "Switchable" ] { channel=... }

Save the items file, then run the Alexa app, connect it and let it search for devices. You can also do this via voice command, e.g. “Alexa, search for connected devices”, or in German “Alexa, suche nach verbundenen Geräten”. Make sure you have enabled the Pairing mode, e.g. via Paper UI addon config.

Alexa should find a device called “Test”. Try it e.g. by saying “Alexa, switch Test on.”.

Send HTTP commands

Sometimes it can be useful to make Echo Dot call simple HTTP GET commands, especially with a KNX / smart home server, which reside in your local network and you want those commands to be called directly in your LAN, not via cloud/Skill feature etc.

To achieve this, enable the OpenHAB HTTP binding. You might also need the TCP binding.

In your items file, add a simple switch item like:

Switch AlexaRollershutters "Shutters" [ "Switchable" ]

You do not have to add it in your sitemap, so it can stay invisible.

Append to your rules file:

rule "Alexa: Rollershutters"
        when
                Item AlexaRollershutters received command
        then
                //sendHttpGetRequest("http://myserver/myCommandToControlShutters") //if you don't have an existing OH switch for your shutters, you could use this way
                switch(receivedCommand) {
                 case ON : MyRollershutters.sendCommand(DOWN)
                 case OFF : MyRollershutters.sendCommand(UP)
                 }

        end

Add the “Shutters” device to Alexa like described above. You should now be able to control your rollershutters.

For debugging purposes, you can temporarily add the switch AlexaRollershutters to your sitemap to test it manually.

Example with Squeezebox / Logitech Media Server:

sendHttpGetRequest("http://10.1.0.21:9000/status.html?p0=play&player=da%3Ada%3Ada%3Ada%3Ada%3A10")

In this case, the MAC address (ID of the player) is “da:da:da:da:da:10”. The command tells the certain player to start playing.

Send SSH commands

This can be one way to execute remote commands on Linux machines, e.g. tell your Raspberry Pi, OpenELEC / LibreELEC / Kodi Mediacenter to power up (see also here).

You can either configure SSH to accept password-less logins (certificates), or the slightly more convenient way would be to install apt-package “sshpass”.

First, connect Putty to your OpenHAB 2 server (in my case Ubuntu 16).

Double-check if the command or script you want to run remotely can be executed by the local openhab user, i.e. check if it has the correct permissions. To test the behavior, run a test command like

ssh root@yourRemoteIp reboot

SSH will ask if it should save the connection hash (important: choose Yes), and then run the reboot command after you have entered the password.

If this works, try the same using sshpass:

sshpass -p yourpassword ssh root@yourRemoteIp reboot

The reboot command should work immediately on the remote machine.

So to integrate this process into OpenHAB and therefore combine it with Alexa, create a simple Switch like in the HTTP example above and create a rule, e.g.:

rule "Alexa: TV on/off"
        when
                Item AlexaTv received command
        then
                executeCommandLine("sshpass -p libreelec ssh root@10.1.0.91 /storage/.kodi/userdata/onOffHelper.sh &")
        end

Be careful if you have to use quotation marks within your SSH command. You can use e.g. “@@”. For more details, have a look at the OH configuration documents.[:]

https://repogen.simplylinux.ch/

My recommendation is to enter

• country
• release (get it with “lsb_release -a” command)
• tick the first 12 checkboxes

Copy the result to your local file and run “apt-get update”.[:]