MySQL SSL connections not working with phpMyAdmin and mysqli

I had a problem with phpMyAdmin not using encrypted connections.

My server was correctly configured for SSL as indicated by:

SHOW VARIABLES LIKE '%ssl%'

Which returned:

Variable_name Value
have_openssl YES
have_ssl YES
ssl_ca /etc/mysql/cacert.pem
ssl_capath
ssl_cert /etc/mysql/server-cert.pem
ssl_cipher
ssl_key /etc/mysql/server-key.pem

However when I ran:

SHOW STATUS LIKE 'Ssl_cipher'

I got back a null result, indicating that the connection was not encrypted.

Eventually I figured out that the problem was caused by using the ‘mysqli’ provider for my connections in phpMyAdmin. When I switched my connections to use ‘mysql’ instead then encryption started working and an Ssl_cipher was reported.

I’d love to know what the actual problem is, but for now I’m just happy that my connections are actually encrypted. I spent a while hacking on the mysqli dbi interface to try and get it to play nice with SSL but I didn’t make any progress.
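The check the post relies on, done from the command line so that it can be scripted, as an added example that is not part of the original post. It uses the same `SHOW STATUS LIKE 'Ssl_cipher'` query; the `--ssl-mode=REQUIRED` switch is assumed to be available (MySQL 5.7.11 and later clients; older clients use `--ssl`, MariaDB uses `--ssl` and `--ssl-verify-server-cert`). Requiring TLS at connect time is the important part: the client then refuses a plaintext session instead of quietly reporting an empty cipher afterwards. The two status strings at the bottom are constructed samples of what the client prints.

```shell
#!/bin/bash
# Added example: verify from the client side that a MySQL session is
# actually encrypted. --ssl-mode=REQUIRED is assumed (MySQL 5.7.11+ client).

# Given the raw output of `mysql -N -B -e "SHOW STATUS LIKE 'Ssl_cipher'"`
# (tab-separated: Ssl_cipher<TAB><cipher>), print just the cipher name.
cipher_from_status() {
    printf '%s\n' "$1" | awk -F'\t' '$1 == "Ssl_cipher" { print $2 }'
}

# Return 0 only if the status output names a cipher. An empty value means
# the session was negotiated in the clear even though have_ssl is YES.
connection_is_encrypted() {
    [ -n "$(cipher_from_status "$1")" ]
}

# Live check against a real server (prompts for the password). With
# REQUIRED the connect itself fails if TLS cannot be negotiated, so an
# empty Ssl_cipher can no longer go unnoticed.
check_live() {   # usage: check_live <host> <user>
    local status
    status=$(mysql -h "$1" -u "$2" -p --ssl-mode=REQUIRED -N -B \
                 -e "SHOW STATUS LIKE 'Ssl_cipher'") || return 2
    if connection_is_encrypted "$status"; then
        echo "encrypted with: $(cipher_from_status "$status")"
    else
        echo "NOT encrypted" >&2
        return 1
    fi
}

# Constructed sample outputs, in the exact shape the mysql client prints.
SAMPLE_TLS=$(printf 'Ssl_cipher\tDHE-RSA-AES256-SHA')
SAMPLE_PLAIN=$(printf 'Ssl_cipher\t')
```

For PHP code that talks to the server through mysqli directly rather than through phpMyAdmin, the client-side equivalent is to call `mysqli_ssl_set()` before `mysqli_real_connect()` and pass the `MYSQLI_CLIENT_SSL` flag, then run the same status query to confirm.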

fail2ban.actions.action: ERROR

Found some discussion on dealing with “fail2ban.actions.action: ERROR” errors from fail2ban. Basically there’s a race condition and a few suggestions to deal with it. One is to modify /usr/bin/fail2ban-client like this:

def __processCmd(self, cmd, showRet = True):
	beautifier = Beautifier()
	for c in cmd:
		time.sleep(0.1)
		beautifier.setInputCmd(c)

But the other one, that I think I like better, is to edit /etc/fail2ban/actions.d/iptables-multiport.conf to include a call to sleep for a random time up to three seconds:

actionstart = sleep `perl -e 'print rand(3);'`
              iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
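A random sleep only makes the race less likely (and the fractional argument it produces needs GNU sleep). The alternative below, added here and not taken from fail2ban itself, serialises the chain setup with an exclusive lock and makes the setup idempotent, so a jail that starts twice, or retries after losing a race, does not insert duplicate rules. It assumes `flock(1)` from util-linux; the lock path is an arbitrary choice. The counter functions at the end exercise the lock without root and without touching iptables.

```shell
#!/bin/bash
# Added example: serialise iptables chain setup with a lock instead of a
# random sleep. Assumes flock(1) from util-linux.
LOCK_FILE="${LOCK_FILE:-/tmp/fail2ban-iptables.lock}"

# Run "$@" while holding an exclusive lock on LOCK_FILE; give up after $1 s.
with_lock() {
    local timeout=$1; shift
    (
        flock -w "$timeout" 9 || { echo "lock timeout on $LOCK_FILE" >&2; exit 1; }
        "$@"
    ) 9>"$LOCK_FILE"
}

# The actionstart above, made idempotent: if the chain already exists
# (restart, or a lost race) nothing is added a second time.
start_jail() {   # usage: start_jail <name> <protocol> <ports>
    local name=$1 proto=$2 ports=$3
    iptables -n -L "fail2ban-$name" >/dev/null 2>&1 && return 0
    iptables -N "fail2ban-$name" &&
    iptables -A "fail2ban-$name" -j RETURN &&
    iptables -I INPUT -p "$proto" -m multiport --dports "$ports" -j "fail2ban-$name"
}
# Intended use from the action file: with_lock 10 start_jail <name> <protocol> <port>

# Root-free demonstration of the lock: a read-modify-write on a counter
# file, which loses updates whenever two jobs overlap.
bump_counter() {   # usage: bump_counter <file>
    local n
    n=$(cat "$1"); sleep 0.02; echo $((n + 1)) > "$1"
}
stress_counter() {   # prints the final count after $1 concurrent bumps
    local f i
    f=$(mktemp); echo 0 > "$f"
    LOCK_FILE=$(mktemp)
    for i in $(seq "$1"); do with_lock 10 bump_counter "$f" & done
    wait
    cat "$f"
    rm -f "$f" "$LOCK_FILE"
}
```

With twenty concurrent bumps the final count is exactly twenty; drop the `with_lock` wrapper and it usually is not, which is the same failure the iptables chains were showing.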

Getting absolute path from relative path in Bash

I was writing a shell script and I wanted to change directory. But before I changed directory I wanted to get the absolute path to a file relative to the current directory so that I could access the file again later. I learned that you can do this from Bash with the readlink command, passing in the -f command line switch, i.e.:

$ readlink -f ./some/path
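An added example, not from the original post, that wraps the call above in a function and goes one step further than the post: once a path is resolved, it can be used for a containment check, and resolving first is what defeats `..` and symlink escapes that a check on the raw string would miss. It assumes GNU readlink (coreutils); a fallback for a readlink without `-f` is included, but that fallback only canonicalises the directory part and does not follow a symlink in the final component. The directory tree in `demo` is constructed on the spot.

```shell
#!/bin/bash
# Added example: absolute path resolution and a containment check built on it.
# Assumes GNU readlink(1) with -f.

abspath() {   # usage: abspath <path>
    if readlink -f / >/dev/null 2>&1; then
        readlink -f -- "$1"
    else
        # Fallback for a readlink without -f: resolve the directory part
        # with cd + pwd -P (the last component itself is not followed).
        local dir base
        dir=$(dirname -- "$1"); base=$(basename -- "$1")
        (cd -- "$dir" 2>/dev/null && printf '%s/%s\n' "$(pwd -P)" "$base")
    fi
}

# Return 0 if $2, after resolution, lies inside directory $1, after resolution.
path_within() {   # usage: path_within <base dir> <path>
    local base target
    base=$(abspath "$1") || return 1
    target=$(abspath "$2") || return 1
    case "$target" in
        "$base"|"$base"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed tree: public/link is a symlink pointing at a private file.
demo() {
    local root r1 r2 r3
    root=$(mktemp -d)
    mkdir -p "$root/public" "$root/private"
    echo secret > "$root/private/key"
    ln -s ../private/key "$root/public/link"
    path_within "$root/public" "$root/public/../public/index.html" && r1=inside || r1=outside
    path_within "$root/public" "$root/public/../private/key"      && r2=inside || r2=outside
    path_within "$root/public" "$root/public/link"                && r3=inside || r3=outside
    rm -rf "$root"
    echo "$r1 $r2 $r3"
}
```

`demo` prints `inside outside outside`: the dot-dot detour that stays under `public` is accepted, the dot-dot escape is rejected, and the symlink is rejected because `readlink -f` reports where it really points.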

HTTPS and Client Certificates

I’m half-way through setting up my web-server for client certificate authentication. Have to get a few other things done first so I’m going to come back to this. Here are my notes so far.

I’m reading OpenSSL and Certificates over on Ubuntu help, and that seems to be a fairly good guide for setting up the server side of things.

I read this article on Email Certificates but that wasn’t that useful for what I’m doing.

I learned a little bit about the update-ca-certificates command that is part of the ca-certificates package, and maybe that will be useful down the track.

In my travels I discovered NSS and SSL Error Codes, but that’s probably not too useful either.

The OpenSSL FAQ was a really useful read. I’ll probably be referring back to that.

I learned about cacert.org which is interesting but probably something I won’t be using.

There’s an SSL Certificates HOWTO over on TLDP and if I can find the time I’d like to read that whole thing, although from what I’ve read so far it’s not complete.

The mod_ssl project has a really handy Reference for all the Apache configuration options, worth a read.
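The smallest useful client-certificate setup, done with the openssl command line, as an added example that is neither from the original post nor from the guides it links: create a private CA, issue one client certificate marked for client authentication, and verify it the way the server will on every handshake. The Apache directives in the comment are the real mod_ssl ones; CA names, subjects, lifetimes and file locations are arbitrary choices, and the second CA exists only to show a certificate from the wrong issuer being refused.

```shell
#!/bin/bash
# Added example: private CA, one client certificate, verification.
set -u

new_ca() {   # usage: new_ca <dir> <common name>
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$2" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

issue_client_cert() {   # usage: issue_client_cert <dir> <ca dir> <user>
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null || return 1
    # Restrict the certificate to client authentication so it cannot be
    # presented as a server certificate later.
    printf 'extendedKeyUsage=clientAuth\n' > "$1/$3.ext"
    openssl x509 -req -days 365 -sha256 -in "$1/$3.csr" \
        -CA "$2/ca.crt" -CAkey "$2/ca.key" -CAcreateserial \
        -extfile "$1/$3.ext" -out "$1/$3.crt" 2>/dev/null
}

# The check mod_ssl performs on every handshake when configured with
#   SSLCACertificateFile /etc/ssl/ca.crt
#   SSLVerifyClient require
#   SSLVerifyDepth 1
# Prints OK or FAIL.
verify_client_cert() {   # usage: verify_client_cert <ca.crt> <client.crt>
    if openssl verify -CAfile "$1" -purpose sslclient "$2" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# Constructed scenario: alice's certificate is issued by CA A only.
demo() {
    local d good bad
    d=$(mktemp -d)
    mkdir -p "$d/a" "$d/b"
    new_ca "$d/a" "Test CA A" && new_ca "$d/b" "Test CA B" || return 1
    issue_client_cert "$d" "$d/a" alice || return 1
    good=$(verify_client_cert "$d/a/ca.crt" "$d/alice.crt")
    bad=$(verify_client_cert "$d/b/ca.crt" "$d/alice.crt")
    rm -rf "$d"
    echo "$good $bad"
}
```

To hand the certificate to a browser, bundle `alice.key` and `alice.crt` with `openssl pkcs12 -export`; the server only ever needs `ca.crt`, never the CA key, which should stay off the web server entirely.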

And that’s it for now. I’ll pick this up again in a day or two.

Configuring bind for LAN PTR records

I have a hosts file that defines IP addresses on the LAN for all of my virtual hosts. The good thing about using the LAN IP addresses for inter-host communication is that it’s free bandwidth. I had a problem with Postfix though, because Postfix does a reverse lookup on IP addresses to get the corresponding hostname, and the IP address Postfix has for local addresses is the LAN IP address, not the public IP address. The public IP addresses are configured with proper reverse DNS PTR records, but the local addresses weren’t. So I decided to fix that.

Basically I installed bind and configured it with PTR records for the 10.0.0.0/8 network. Now when Postfix asks for the RDNS of a LAN IP address it should get the corresponding hostname. I didn’t need to configure bind with zones for the local IP addresses, because those are all specified in my /etc/hosts file. At least I hope I don’t have to configure DNS zones for my local IP addresses in bind, because that’d just be a pain in the arse.
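An added example, not from the original post, that builds the 10.in-addr.arpa reverse zone from the same hosts file that already holds the LAN addresses, so the PTR data cannot drift away from /etc/hosts. The zone's name server, contact address and timers are assumed values, as is the Debian-style file layout in the comment; the hosts-file text at the bottom is a constructed sample in which the loopback and public entries must be skipped.

```shell
#!/bin/bash
# Added example: generate the 10.in-addr.arpa zone from hosts-file lines.

# 10.0.0.5 web1.example.lan -> 5.0.0.10.in-addr.arpa. IN PTR web1.example.lan.
ptr_record() {   # usage: ptr_record <ip> <fqdn>
    local o1 o2 o3 o4
    IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
    printf '%s.%s.%s.%s.in-addr.arpa. IN PTR %s.\n' "$o4" "$o3" "$o2" "$o1" "$2"
}

# Read hosts-file text on stdin, write a complete zone on stdout. Only
# 10/8 entries get a PTR, and the first name after the address is taken
# as the canonical FQDN, which is the name Postfix expects to get back.
gen_reverse_zone() {   # usage: gen_reverse_zone <serial> < /etc/hosts
    printf '$TTL 3600\n'
    printf '@ IN SOA ns1.example.lan. hostmaster.example.lan. ( %s 3600 900 604800 3600 )\n' "$1"
    printf '@ IN NS ns1.example.lan.\n'
    local ip fqdn rest
    while read -r ip fqdn rest; do
        case "$ip" in
            ''|'#'*) continue ;;
            10.*) [ -n "$fqdn" ] && ptr_record "$ip" "$fqdn" ;;
        esac
    done
}
# Assumed Debian layout. In /etc/bind/named.conf.local:
#   zone "10.in-addr.arpa" { type master; file "/etc/bind/db.10"; };
# then validate before reloading:
#   gen_reverse_zone 2024010101 < /etc/hosts > /etc/bind/db.10
#   named-checkzone 10.in-addr.arpa /etc/bind/db.10

# Constructed hosts file: loopback and the public address must be skipped.
SAMPLE_HOSTS='127.0.0.1 localhost
# LAN side of the virtual hosts
10.0.0.5 web1.example.lan web1
10.0.0.6 mail.example.lan mail
203.0.113.10 web1.example.com'

count_ptrs() {   # number of PTR records produced from SAMPLE_HOSTS
    printf '%s\n' "$SAMPLE_HOSTS" | gen_reverse_zone 2024010101 | grep -c ' IN PTR '
}
```

Bump the SOA serial on every regeneration or bind will keep serving the old data to any secondary; a date-based serial as in the usage comment is the usual convention.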