Wednesday, June 1, 2011

Creating A Local Yum Repository on CentOS 5.x

At our university we have multiple systems running on Linux platforms, so it is good to have a local repository to avoid downloading from the remote repository over and over again. Also, during the daytime our download speed is low because of high network traffic, so a local repository is a big advantage: we download the updates once and all our systems update over the fast LAN connection, which saves our Internet bandwidth.
Today I'm going to explain how to create a local CentOS repository to update our local CentOS systems. For that we first need the rsync software and the httpd server on CentOS. By default both are available in CentOS; otherwise you can use the following command to install them.

su -c 'yum install httpd rsync'
Now we want to create a directory for the repo that will hold all the RPM files. If we get all the CentOS files from rsync, we can create just one directory and rsync will automatically create the folder structure under it.

mkdir /var/www/html/CentOS/

If you first copy CentOS from DVD or CDs, you need to create the CentOS folder structure yourself, because rsync uses this folder structure when it updates your repository.

su -c 'mkdir -p /var/www/html/CentOS/5/{os,updates}/x86_64'
Here 5 is your CentOS version and x86_64 is the architecture. Then you can copy the relevant files into
eg: su -c 'mount /dev/cdrom /mnt'
su -c 'cp -rv /mnt/CentOS /mnt/repodata /var/www/html/CentOS/5/os/x86_64/'
su -c 'umount /mnt'
Now you can verify it's working by opening your CentOS folder in a browser (on localhost or remotely).
Eg: http://your IP or
This is how it looks on my server
Now our repository server is ready. Since distributions change often, we need to sync with the distribution update servers. We use rsync for this job: it scans the directory tree of the distribution server and applies the changes to the local directory. So we need an rsync mirror for updates; in the CentOS OS Mirror List you can identify the mirrors that offer rsync. Now we need to create a script to run this rsync when we need it. Following is the script that I used.



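#!/bin/bash
MIRROR="rsync://YOUR-RSYNC-MIRROR/PATH/"   # placeholder: the rsync mirror you chose
s=1
for (( c=1; c<=3; c++ ))   # up to three attempts
do
if [ $s -ne 0 ]; then   # only run while the previous attempt failed
rsync -avSHP --delete --exclude "local*" --exclude "isos" "$MIRROR" /var/www/html/CentOS/ 2> error_log.txt
s=$?
fi
done
cp /usr/local/test /usr/local/suc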
To run this script manually you can type  
This repository should be updated often, so running the script manually is not practical. We can use a cron job to run the script automatically at the relevant time. For that enter

crontab -e
This will open your current crontab table, so you can enter your crontab entry as follows. When you save it, the crontab file is loaded and ready for use.
0 2 * * * /myscripts/updaterepo 
In this crontab, my script is in the /myscripts directory and I'm going to run it every morning at 2am. There are five fields for setting the date and time at which a program should be run. The five time settings are in the following order.
  • Minutes - in the range 0 - 59
  • Hour - in the range 0 - 23
  • Day of month - in the range 1 - 31
  • Month - in the range 1 - 12
  • Day of week - in the range 0 - 6 (0 = Sunday)
Any field with a * means run on every possible match, so for example a * in the day of month field will run the script every single day of the month at the specified time.

That was all on the server side. Now each client should change its /etc/yum.repos.d/CentOS-Base.repo to use the local mirror instead of other mirrors. For that you should change the base URL to your local IP. It's good to copy my file below and replace my IP with yours.

# replace my IP with your repo IP

name=CentOS-$releasever - Base

#released updates 
name=CentOS-$releasever - Updates


#packages used/produced in the build but not released
name=CentOS-$releasever - Addons


#additional packages that may be useful
name=CentOS-$releasever - Extras


#additional packages that extend functionality of existing packages
name=CentOS-$releasever - Plus


#contrib - packages by Centos Users
name=CentOS-$releasever - Contrib


Now you are done
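
A check for the client side of this setup, as an added example that is not part of the original post: the script reads a yum .repo file and reports enabled sections where RPM signature checking is off or no key is configured, which matters when packages reach clients from an internal mirror over plain HTTP. The sample file, the address 192.0.2.10 and the function names are constructed for illustration.

```shell
#!/bin/sh
# audit_repo [FILE...]  (reads stdin when no file is given)
# For every enabled [section] print "<id>: <finding>" when gpgcheck is not 1
# or no gpgkey is configured.
audit_repo() {
    awk '
    function report() {
        if (id == "" || enabled == "0") return
        if (gpgcheck == "")       print id ": gpgcheck not set, inherits [main] in yum.conf"
        else if (gpgcheck != "1") print id ": gpgcheck=" gpgcheck ", packages are not verified"
        if (gpgkey == "")         print id ": no gpgkey"
    }
    /^[ \t]*[#;]/ { next }                      # skip comment lines
    /^\[.*\]/ {                                 # new section: report the previous one
        report()
        id = substr($0, 2, index($0, "]") - 2)
        gpgcheck = gpgkey = ""; enabled = "1"
        next
    }
    {
        eq = index($0, "="); if (!eq) next
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == "gpgcheck") gpgcheck = val
        else if (key == "gpgkey") gpgkey = val
        else if (key == "enabled") enabled = val
    }
    END { report() }' "$@"
}

# Constructed sample: 192.0.2.10 stands in for the local repository server.
sample_repo() {
    cat <<'EOF'
[base]
name=CentOS-$releasever - Base
baseurl=http://192.0.2.10/CentOS/$releasever/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5

[updates]
name=CentOS-$releasever - Updates
baseurl=http://192.0.2.10/CentOS/$releasever/updates/$basearch/
gpgcheck=0
EOF
}

sample_repo | audit_repo
```

On a client, run it as `audit_repo /etc/yum.repos.d/*.repo`; an empty result means every enabled section verifies signatures and names a key.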


Thursday, March 24, 2011

How to Enable SSL+ Apache2 on Ubuntu from source

Today I'm going to start a system administration tutorial series, because I currently have the opportunity to work at the University Of Colombo Network Operating Center as a trainee Network and System Administrator. I believe that I can get a lot of experience in this period, and I hope to share all the new knowledge with you all. Today I'm going to talk about enabling SSL on our own Ubuntu apache2 server. I'm not going to talk about installing apache2, because you can do that easily, but enabling SSL is a little bit hard and gives some unexpected errors, so in this post I'm going to show how to successfully enable SSL on our Apache2 server.

To enable SSL we need to enable mod_ssl in Apache and install openssl to generate keys.
A secure server uses public key cryptography, so we need to generate a public and private key pair and get a certificate. In my case I'm going to create a self-signed certificate; otherwise we can get a certificate from a Certificate Authority (CA), and using Google we can find several commercial and free CAs. So first I compile and install openssl to generate the above, as follows.
01. Installing openssl

Here I used the openssl source (openssl-0.9.7e.tar.gz). You can download it from   then you should extract it as follows

tar -zxvf openssl-0.9.7e.tar.gz

(or use gunzip and tar -xvf)
After this you should cd into openssl-0.9.7e and configure it using the following command.

./config --prefix=/usr/local

Using --prefix we can specify the installation directory for OpenSSL. Next we can compile and install openssl using the make and make install commands (first make, then make install).

02. Generating key for Certificate Signing Request (CSR)
We need to generate a key. For that we can use the following command (I used mkdir ssl to create a directory for the keys and ran it inside that directory).

openssl genrsa -des -out keyname.key 1024

During key generation we should enter a password for our key.

03. Then I create the Certificate Signing Request (CSR)
Using the following command

openssl req -new -key keyname.key -out csrname.csr

This command will prompt for a series of things, as follows: Country Name, State or Province Name, Locality Name, Organization Name, Organizational Unit Name, Common Name, Email Address, etc.
Then we can submit this CSR file to a CA (Certificate Authority) for processing. They will use this CSR file and issue the certificate. Alternatively, we can create a self-signed certificate using this CSR.

04. Creating self-signed Certificate
Using the following command.

openssl x509 -req -days 365 -in csrname.csr -signkey keyname.key -out crtname.crt

Here I got an error because my .key file was not inside my current directory, so remember to execute this command inside the relevant directory (in my case the ssl directory) that contains the key generated above.
After executing the above command we can view our certificate using the following command (following is my certificate).

openssl x509 -in crtname.crt -text -noout

Now my ssl directory includes the following files, and I changed the file permission of all the keys to 400 as follows.

05. Enabling the ssl module for Apache2 using a2enmod ssl
Now that we have finished creating the certificate, we can enable the ssl module for apache2

sudo a2enmod ssl

06. To enable the ssl site we should add the following to our apache httpd.conf (/usr/local/apache2/conf) file

# Instruct Apache2 to listen on port 443

Listen 443

# Creating virtual host to listen on 443

# I created an ssl directory to keep my secure website
DocumentRoot /usr/local/apache2/htdocs/ssl
ErrorLog /usr/local/apache2/logs/server2log

SSLEngine On

# Here, I am allowing only "high" and "medium" security key lengths.
# Here I am allowing SSLv3 and TLSv1, I am NOT allowing the old SSLv2.
SSLProtocol all -SSLv2
# Server certificate that I created in the above step:
SSLCertificateFile /usr/local/apache2/
# Server private key:
SSLCertificateKeyFile /usr/local/apache2/conf/
# Server certificate chain. These are related to my Certificate Authority (CA);
# I created a different .crt for my CA. This is not compulsory:
SSLCertificateChainFile /usr/local/apache2/conf/my-ca.crt
# Certificate Authority (CA):
SSLCACertificateFile /usr/local/apache2/conf/my-ca.crt

07. Finally, to load the ssl module into Apache we need to add the following line to httpd.conf

LoadModule ssl_module modules/

Now restart the Apache server (/usr/local/apache2/bin/apachectl restart, or ./apachectl restart from that directory). Following is how my SSL site and certificate work in my browser.
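
The SSLProtocol line above disables only SSLv2, so SSLv3 and early TLS stay enabled. The following script is an added example, not part of the original post: it reads an Apache config and lists, per SSLProtocol directive, the legacy protocol versions still switched on. The function name and the sample directives are constructed, and "all" is expanded to the worst case because what it enables depends on the Apache and OpenSSL versions in use.

```shell
#!/bin/sh
# audit_ssl_protocol [FILE...]  (reads stdin when no file is given)
# Prints "line N: <protocols>" for every SSLProtocol directive that still
# enables SSLv2, SSLv3, TLSv1 or TLSv1.1. Prints nothing when all are clean.
audit_ssl_protocol() {
    awk '
    BEGIN {
        # Assumption: "all" is treated as every version mod_ssl has ever offered.
        nall = split("sslv2 sslv3 tlsv1 tlsv1.1 tlsv1.2 tlsv1.3", all, " ")
        nold = split("sslv2 sslv3 tlsv1 tlsv1.1", old, " ")
    }
    function set(name, val,   k) {
        if (name == "all") { for (k = 1; k <= nall; k++) on[all[k]] = val }
        else on[name] = val
    }
    tolower($1) == "sslprotocol" {
        split("", on)                              # start with nothing enabled
        for (i = 2; i <= NF; i++) {
            tok = tolower($i)
            if (tok ~ /^\+/)     set(substr(tok, 2), 1)
            else if (tok ~ /^-/) set(substr(tok, 2), 0)
            else { split("", on); set(tok, 1) }    # a bare token replaces the set
        }
        bad = ""
        for (k = 1; k <= nold; k++) if (on[old[k]]) bad = bad " " old[k]
        if (bad != "") print "line " NR ":" bad
    }' "$@"
}

# Constructed samples: the directive used in this post, then a stricter one.
echo "post:   $(printf '%s\n' 'SSLEngine On' 'SSLProtocol all -SSLv2' | audit_ssl_protocol)"
echo "strict: $(printf '%s\n' 'SSLEngine On' 'SSLProtocol -all +TLSv1.2 +TLSv1.3' | audit_ssl_protocol)"
```

The TLSv1.3 token is only accepted by Apache 2.4 builds linked against an OpenSSL that supports it; on older builds use `SSLProtocol -all +TLSv1.2`.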

During this installation I got several errors, and I found solutions for them using forums and the Internet, so I hope it may help you too.

01) When I compiled openssl on my Ubuntu OS I got the following error.

I found this solution:
Unpack openssl-0.9.7m.tar.gz, edit Configure and Makefile and change all instances of -m486 to -mtune=i486.

Run "tar -pczf openssl-0.9.7m.tar.gz openssl-0.9.7m" to repack dir, remove the unpacked directory. Make sure you do this before running ./config setup on any upgrades in the future until this is fixed in ./setup package.

02) When I configured httpd.conf and restarted the server I got the following error.

You may have forgotten to add the Listen 443 line in httpd.conf.
This also occurs when several Apache instances are running at the same time; we can use the netstat and ps commands to find them and kill the instances.

03) After I finished creating the virtual host for port 443 I got the following error.

This error occurs when the Apache server couldn't load the module from the /usr/local/apache2/modules directory. This can happen when Apache (installed from source) was not configured with SSL enabled. In the Apache configuration we want to use the following to enable SSL

./configure --enable-mods-shared="all ssl" --with-ssl

