Installing a CA certificate on Ubuntu


Successfully tested on Ubuntu Server 12.04 LTS 64-bit

SSL/TLS certificates are everywhere. Whether you connect to your online bank account, set up an FTPS server or sign your applications, you use SSL/TLS certificates. All these certificates have been issued by a certification authority (CA) which your operating system must recognize as a trusted third party. This recognition depends on the CA certificate being installed on the system.

In the following example, we’ll install the Class 1 Primary Intermediate Server CA certificate from StartCom, a CA particularly known for supplying free domain-validated certificates (see the StartSSL website for more information). As the StartCom root CA certificate is already installed by default in /usr/share/ca-certificates/mozilla, we’ll use the same path for its intermediate CA certificate.

First, download the certificate:

sudo wget https://www.startssl.com/certs/sub.class1.server.ca.pem -O /usr/share/ca-certificates/mozilla/StartCom_Class_1_Primary_Intermediate_Server_CA.crt

 
Then, add the path to this new certificate (relative to /usr/share/ca-certificates) in /etc/ca-certificates.conf:

mozilla/StartCom_Class_1_Primary_Intermediate_Server_CA.crt

 
Finally, now that everything is in place, just launch:

sudo update-ca-certificates

 
to complete the installation. During this process, the contents of the /etc/ssl/certs folder are updated to hold the SSL certificates and ca-certificates.crt, a single file containing all the certificates concatenated.
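
Every certificate listed in /etc/ca-certificates.conf ends up in the system trust store, so the downloaded file is worth checking before update-ca-certificates is run. The following is an added example, not part of the original post: it confirms that a file is a CA certificate and that its SHA-256 fingerprint matches a value obtained out of band. The function names and the throwaway sample certificates are constructed for illustration.

```sh
#!/bin/sh
# Added example: vet a downloaded certificate before running
# update-ca-certificates. Function names are illustrative.

# Print the SHA-256 fingerprint of a PEM certificate as bare uppercase hex.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null |
        sed -e 's/^.*=//' -e 's/://g'
}

# Succeed only if the file parses as X.509 and carries basicConstraints CA:TRUE.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# vet_ca_cert FILE EXPECTED_SHA256
# Returns 0 if FILE may be installed, 1 if it is not a CA certificate,
# 2 if its fingerprint differs from the one obtained out of band.
vet_ca_cert() {
    is_ca_cert "$1" || return 1
    want=$(printf '%s' "$2" | tr -d ': ' | tr 'a-f' 'A-F')
    [ "$(cert_fingerprint "$1")" = "$want" ] || return 2
}

# Constructed sample input: make_sample_cert DIR NAME TRUE|FALSE writes a
# throwaway self-signed certificate to DIR/NAME.crt so the example runs offline.
make_sample_cert() {
    cat > "$1/$2.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = Constructed Example $2
[ext]
basicConstraints = critical,CA:$3
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/$2.cnf" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# Typical use, with the fingerprint taken from the CA's published values:
#   vet_ca_cert downloaded.crt "$EXPECTED_SHA256" && sudo update-ca-certificates
```
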

That’s all Folks!


For further reading, refer to the Ubuntu manuals.

Useful commands #1: Preventing the update of a package


Successfully tested on Ubuntu Server 12.04 LTS 64-bit

Doing frequent updates of your favorite OS and programs is always recommended. Not only does it allow you to take advantage of new features but it also minimizes the security risks by correcting the possible flaws spotted since the installation or the previous update.

In Ubuntu, software updates can be either automatic (see Automatic Updates in the official documentation for details) or… manual. If you choose to go the manual way, you’ll have to make sure to do the updates yourself on a regular basis (Ubuntu’s welcome screen tells you when updates are available) using two commands:

sudo apt-get update

 
first, to re-synchronize the package index files from their sources (the repositories are listed in /etc/apt/sources.list), followed by:

sudo apt-get upgrade

 
to finally install the newest versions of all packages currently installed on the system.

This full update in one shot is very handy of course, but what if you don’t want to update a specific package? For instance, let’s say you patched and rebuilt a program for whatever reason and you don’t want it to be replaced by the latest official version. What to do? This is where today’s useful command comes in:

sudo apt-mark hold package_name

 
Now this package will not be updated, either automatically or manually, as long as it is on “hold” status. To display this status, you can use:

dpkg --get-selections | grep "package_name"

 
Finally, the day you decide to allow the upgrade to the latest version available in the official repository, just type:

sudo apt-mark unhold package_name

 
to put the package back on “install” status.
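
A held package also stops receiving security fixes from the repository, and the grep above matches substrings, so a search for one name can list several packages. The following is an added example, not part of the original post: it reads dpkg --get-selections output on stdin, lists every held package and reports the state of exactly one package name. The function names and the sample listing are constructed.

```sh
#!/bin/sh
# Added example: audit "hold" selections. Input is the two-column format
# printed by `dpkg --get-selections` (package name, whitespace, state).

# Print every package whose selection state is "hold".
held_packages() {
    awk '$2 == "hold" { print $1 }'
}

# selection_state PKG: print the state of exactly PKG (an ":arch" suffix on
# the dpkg side is ignored), or "unknown" if PKG is not listed.
selection_state() {
    awk -v pkg="$1" '
        { name = $1; sub(/:.*$/, "", name) }
        name == pkg { print $2; found = 1; exit }
        END { if (!found) print "unknown" }'
}

# Constructed sample listing, not taken from a real system.
sample_selections() {
    printf '%s\t\t\t\t%s\n' \
        nginx install \
        nginx-common hold \
        libssl1.0.0:amd64 hold \
        openssl install
}

# On a real system:
#   dpkg --get-selections | held_packages
#   dpkg --get-selections | selection_state package_name
```
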

That’s all Folks!


For further reading, take a look at Package Management in Ubuntu’s official documentation.

Using scanner buttons on Ubuntu with scanbd (part 2/2)


Successfully tested on Ubuntu Server 10.04 LTS 64-bit

A few days ago, I described how to build and install scanbd. Now, it needs to be configured to perfectly suit the scanner it’s used with. As you’ll see, you have some very interesting possibilities with a four-button scanner such as the EPSON Perfection V200 Photo.

First, install xinetd, which will allow scanbd to be used as a wrapper:

apt-get install xinetd

 
Create a sane-port service configuration file /etc/xinetd.d/sane-port with the following content:

service sane-port
{
    socket_type = stream
    server = /usr/local/bin/scanbd
    server_args = -m -c /usr/local/etc/scanbd/scanbd.conf
    protocol = tcp
    user = saned
    group = saned
    wait = no
    disable = no
}

 
Stop the saned service:

service saned stop

 
and disable it as it will now be launched through xinetd/scanbd. Just modify /etc/default/saned as follows:

RUN=no

 
Now, restart xinetd:

service xinetd restart

 
It should return:

 * Stopping internet superserver xinetd                             [ OK ]
 * Starting internet superserver xinetd                             [ OK ]

 
Next, create your own /usr/local/etc/scanbd/scanbd.conf file (keep the original file, just in case…) to describe the available actions (buttons) on your scanner model. The configuration file I created for the EPSON Perfection V200 Photo is available here.
 
Copy the scanbd.debian initialisation script located in the scanbd source directory to /etc/init.d/scanbd and install its link using the following command:

update-rc.d scanbd defaults

 
Make sure all the backends except the SANE network backend are commented out in /etc/sane.d/dll.conf:

net

 
Uncomment the following line at the end of /etc/sane.d/net.conf:

localhost

 
Comment out the SANE backend for EPSON scanners in /etc/sane.d/dll.d/iscan:

#epkowa

 
Create a /usr/local/etc/scanbd/dll.conf file including the following line:

epkowa

 
Copy (don’t move!) /etc/sane.d/epkowa.conf to /usr/local/etc/scanbd/epkowa.conf.

Copy /etc/sane.d/saned.conf to /usr/local/etc/scanbd/saned.conf.

Then, verify that you have no access list entry configured in /etc/sane.d/saned.conf and add one in /usr/local/etc/scanbd/saned.conf to restrict access to local subnet hosts only (adapt to your own network configuration):

192.168.253.0/24

 
Now that scanbd is configured for both local and LAN hosts access, let’s continue with the most interesting part of the configuration: The script executed when each button is pressed. You’ll find here the one I use to manage the 4 buttons “Start”, “Copy”, “Email” and “Pdf” available on the EPSON Perfection V200 Photo. Save it as /usr/local/etc/scanbd/actions.sh and make it executable with a chmod 755 command.

In association with my scanner model, this script offers the following functions:
– Single page scan to JPEG
– Instant copy (scan to printer)
– Email creation with JPEG or multi-page PDF attachment
– Multi-page PDF creation
All this using only the scanner front buttons!

The button usage is explained at the beginning of the script file, along with some variables (such as SCANDIR and PRINTER) you’ll have to modify according to your needs. Also make sure the imagemagick and mpack packages are installed. If not, install them:

apt-get install imagemagick mpack

 
Scanbd setup is complete now but I added a last refinement. Having xinetd always running on the server, just because of the scanner buttons, bothered me (I don’t have any other service depending on xinetd). I updated the existing udev rule (previously added to assign the scanner to the saned group) to automatically start/stop the internet superserver when turning on/off the scanner, respectively. All you have to do is to replace your existing “scanner” udev rule (mine was /etc/udev/rules.d/40-saned.rules) with the following file and disable xinetd, scanbd and saned startup scripts using the following three commands:

update-rc.d xinetd disable
update-rc.d scanbd disable
update-rc.d saned disable

 
If you ever have other services depending on xinetd and only want to stop the scanbd service, take a look at the chkconfig package.

That’s all Folks!

(Thanks for the help, bro. You’re da man!)


For further reading, see the scanbd website and the Gentoo udev Guide.
