SSL certificate error on all browsers, for all HTTPS sites
Saturday, 28 May 2022
Thursday, 12 May 2022
[Solved] SSH and Gitlab negotiate error "no matching host key type found"
When using a newer Linux distribution such as Ubuntu 22.04, you may run into trouble connecting over SSH to old Linux servers:
Unable to negotiate with ***.***.***.*** port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss
This error can appear when you access an old server directly via SSH, or when you use Git, SVN, or any other software that runs over the SSH protocol.
Reason
To establish an SSH connection, the server and the client must negotiate a set of algorithms that both sides support, including the host key algorithm the server uses to prove its identity. OpenSSH on older OS versions such as CentOS 6 only supports the legacy host key algorithms ssh-rsa and ssh-dss. Both are outdated and potentially dangerous (both rely on SHA-1 signatures), so newer OpenSSH releases disable them by default. The algorithms commonly used today are ssh-ed25519 and ecdsa-sha2-*.
Solved
To fix this error, configure the SSH client on the new machine to accept one of the legacy algorithms, ssh-rsa or ssh-dss (one is enough). We suggest two ways to do that.
Solution 1:
Enable ssh-rsa (or ssh-dss) in the SSH client configuration on your new machine.
To do so, open the file "~/.ssh/config":
vi ~/.ssh/config
Then add the following content to the file (change ssh-rsa to ssh-dss if your old server only supports that one):
Host *
    HostkeyAlgorithms +ssh-rsa
    PubkeyAcceptedKeyTypes +ssh-rsa
Done! Now you can SSH to old servers from the terminal as usual. However, if you are using Git over SSH with a private key file, this will not work (see the Git/GitLab section below).
Tip: you can also restrict the legacy algorithm to a single old server by replacing "Host *" with "Host oldserverIP" (the IP or hostname of that server). It then stays disabled for every other connection, which keeps your setup more secure.
Solution 2:
Enable ssh-rsa (or ssh-dss) only for the connection that needs it, by passing the options on the ssh command line.
Ex:
ssh 123.123.123.123
becomes
ssh -oHostKeyAlgorithms=+ssh-rsa -oPubkeyAcceptedAlgorithms=+ssh-rsa 123.123.123.123
Done !
Fix negotiate error for Git/Gitlab via ssh privateKey file
For Git, edit the repository's config file as follows:
vi yourProjectPath/.git/config
[core]
    repositoryformatversion = 0
    filemode = true
    bare = false
    logallrefupdates = true
    sshCommand = ssh -oHostKeyAlgorithms=+ssh-rsa -oPubkeyAcceptedAlgorithms=+ssh-rsa -oIdentitiesOnly=yes -i /yourPath/privateKeyFile.ppk -F /dev/null
...
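The tip about limiting the legacy algorithm to one host can be automated. As an added example (not code from the post), this Python script parses the "no matching host key type found" error line and emits a ~/.ssh/config stanza scoped to that host only; the sample address 192.0.2.10, the preference for ssh-rsa over ssh-dss and the function names are my assumptions.

```python
import re

# Constructed error line in the format OpenSSH prints (192.0.2.10 is a documentation address).
SAMPLE_ERROR = ("Unable to negotiate with 192.0.2.10 port 22: "
                "no matching host key type found. Their offer: ssh-rsa,ssh-dss")

# Legacy algorithms we are willing to re-enable, most preferred first:
# ssh-rsa is taken when offered, ssh-dss only if it is all the server has.
PREFERENCE = ("ssh-rsa", "ssh-dss")

OFFER_RE = re.compile(r"Unable to negotiate with (\S+) port (\d+): "
                      r"no matching host key type found\. Their offer: (\S+)")

def parse_offer(error_line):
    """Return (host, port, [offered host key algorithms]) or None if the line does not match."""
    m = OFFER_RE.search(error_line)
    if not m:
        return None
    return m.group(1), int(m.group(2)), m.group(3).split(",")

def choose_algorithm(offer):
    """Pick the first algorithm from PREFERENCE that the server actually offers."""
    for alg in PREFERENCE:
        if alg in offer:
            return alg
    return None

def scoped_stanza(error_line):
    """Build a ~/.ssh/config stanza that enables the legacy algorithm for this one host only."""
    parsed = parse_offer(error_line)
    if parsed is None:
        raise ValueError("not a 'no matching host key type found' error")
    host, port, offer = parsed
    alg = choose_algorithm(offer)
    if alg is None:
        raise ValueError("server offers none of %s: %s" % (PREFERENCE, offer))
    lines = ["Host " + host]
    if port != 22:
        lines.append("    Port %d" % port)
    lines.append("    HostKeyAlgorithms +" + alg)
    lines.append("    PubkeyAcceptedKeyTypes +" + alg)
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    # Append the output to ~/.ssh/config instead of adding a global "Host *" entry.
    print(scoped_stanza(SAMPLE_ERROR), end="")
```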
Friday, 15 April 2022
Laravel 9 Error: Undefined constant Illuminate\Http\Request::HEADER_X_FORWARDED_ALL
How to fix the error that appears when upgrading to Laravel 9 or 10: "Undefined constant Illuminate\Http\Request::HEADER_X_FORWARDED_ALL"
Reason:
As of Laravel 9, the framework ships its own TrustProxies middleware (Illuminate\Http\Middleware\TrustProxies) to handle requests arriving through a proxy, replacing Fideloper\Proxy\TrustProxies. So when upgrading from an older version such as Laravel 5.8 or 8 to Laravel 9, you also need to replace this middleware. If you don't, you will get the error above when you run "composer update" and the website will no longer load.
Solve the problem:
Step 1: Edit your current TrustProxies Middleware (app/Http/Middleware/TrustProxies.php)
Step 2: Update the middleware as in the following example:
<?php
namespace App\Http\Middleware;

use Illuminate\Http\Middleware\TrustProxies as Middleware;
use Illuminate\Http\Request;

class TrustProxies extends Middleware
{
    /**
     * The trusted proxies for this application.
     * null trusts no proxy (forwarded headers are ignored); list your proxy
     * IPs/CIDRs here, or '*' only if the app is reachable solely through them.
     *
     * @var array<int, string>|string|null
     */
    protected $proxies;

    /**
     * The headers that should be used to detect proxies.
     *
     * @var int
     */
    // Before...
    // protected $headers = Request::HEADER_X_FORWARDED_ALL;
    // After...
    protected $headers =
        Request::HEADER_X_FORWARDED_FOR |
        Request::HEADER_X_FORWARDED_HOST |
        Request::HEADER_X_FORWARDED_PORT |
        Request::HEADER_X_FORWARDED_PROTO |
        Request::HEADER_X_FORWARDED_AWS_ELB;
}
Step 3: Remove the Fideloper TrustProxies package from your composer file:
composer remove fideloper/proxy
Step 4: Done! Run "composer update" to complete the upgrade.
Friday, 20 August 2021
[Tips] How to use Cloudflare Free SSL for Socket.io Server
Free SSL is a very useful Cloudflare feature, and Cloudflare's SSL fully supports the WebSocket protocol. However, if you run a website and a socket.io server on the same machine, you may run into a problem with the SSL port: the default HTTPS port is 443, and the web server is already using it.
There are many ways to handle this; here I will show a very simple one: put Socket.io behind an Apache or Nginx reverse proxy and let the proxy handle SSL.
Prepare:
Node.js Socket.IO server listens on port 8088
Web server (Apache or Nginx) listens on ports 80 and 443
Step 1: SocketServer config
Configure the Node.js Socket.IO server to run in long-polling mode without SSL on a port of your choice, e.g. port 8088.
Eg:
var app = require('express')();                    // npm install express
var http = require('http').createServer(app);
var socketServer = require('socket.io')(http, {    // npm install socket.io
    cors: {
        origin: "*",            // tighten this to your site's origin in production
        methods: ["GET", "POST"]
    },
    transports: ['polling']     // long polling only; the proxy below does not upgrade WebSockets
});
http.listen(8088, () => {
    console.log('listening on port 8088');
});
Configure the socket.io client to use 'polling' mode as well:
Eg:
var socket = io('https://subdomain.yourdomain.com', { transports: ['polling'] });
socket.on('connect', function () {
    console.log('connected');
});
Step 2: Configure virtualhost proxy for Socket Server
Configure a virtual host that proxies port 80 (the port Cloudflare connects to) to the actual port of our socket server. I listen on port 80 because I am using Cloudflare Flexible SSL; if you use Cloudflare Full or Full (strict) SSL, listen on port 443 like your other virtual hosts.
Apache:
<VirtualHost *:80>
    ServerAdmin admin@yourdomain.com
    ProxyPreserveHost On
    ServerName subdomain.yourdomain.com
    ProxyPass / http://127.0.0.1:8088/
    ProxyPassReverse / http://127.0.0.1:8088/
</VirtualHost>
Nginx:
server {
    listen 80;
    server_name subdomain.yourdomain.com;
    location / {
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $http_host;
        proxy_pass http://127.0.0.1:8088;
    }
}
Done !
Remember to reload your web server.
Now your Node.js socket server works with free SSL from Cloudflare.
Tuesday, 3 August 2021
Ubuntu - MySQL Can't set password for root account, even though all command are successful
After a fresh install of MySQL or MariaDB on an Ubuntu server, you can run the "mysql" command line as root without being asked for a password, even after you have successfully changed the password. At the same time you cannot log in to the root account from other software such as Navicat or PHP; the error is "Access denied for user 'root'@'localhost' (using password: YES)".
What happened?
On Ubuntu the MySQL/MariaDB packages create root with the auth_socket plugin (unix_socket on MariaDB; the "plugin" column in the query below shows it). The server authenticates local root by the Unix socket credentials of the OS user, not by password, so "mysql" run as root needs no password while password logins from Navicat or PHP are refused.
Security issue?
Not by itself: auth_socket lets only the OS root user in. Switching root to mysql_native_password, as below, makes root reachable by password from any local client, so set a strong password and consider a separate, less privileged account for applications.
Solving the problem
mysql
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 8
Server version: 8.0.21-0ubuntu20.0 (Ubuntu)
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql>
use mysql;
select Host,User,authentication_string,plugin from mysql.user;
ALTER USER root@localhost IDENTIFIED WITH mysql_native_password;
ALTER USER root@localhost IDENTIFIED BY 'newpassword';
FLUSH PRIVILEGES;
exit;
Problem solved!
Tuesday, 29 December 2020
Gitlab Error: couldn't deduce an advertise address: no private IP found, explicit advertise addr not provided
Gitlab log view:
gitlab-ctl tail
The error:
cluster.go:154 component=cluster err="couldn't deduce an advertise address: no private IP found, explicit advertise addr not provided"
How to fix
Edit the file gitlab.rb:
vi /etc/gitlab/gitlab.rb
Add the following:
alertmanager['flags'] = {
    'cluster.advertise-address' => "127.0.0.1:9093",
}
Then run:
gitlab-ctl reconfigure
gitlab-ctl restart
Done! Now recheck the GitLab log:
gitlab-ctl tail alertmanager
Check that the alertmanager service is listening:
netstat -tulpn | grep LISTEN
Output:
tcp 0 0 127.0.0.1:9093 0.0.0.0:* LISTEN 30633/alertmanager
Monday, 28 December 2020
Centos 6 - Yum Error: Cannot find a valid baseurl for repo base
When running "yum install" or "yum update" on CentOS 6 you get an error:
Loaded plugins: fastestmirror, replace
Setting up Update Process
Determining fastest mirrors
YumRepo Error: All mirror URLs are not using ftp, http[s] or file.
Eg. Invalid release/repo/arch combination/
removing mirrorlist with no valid mirrors: /var/cache/yum/x86_64/6/base/mirrorlist.txt
Error: Cannot find a valid baseurl for repo: base (base/updates/contrib)
Reason: CentOS 6 is end-of-life and no longer officially supported, so the mirror list it asks for no longer exists.
Solution: Manually change CentOS-Base.repo
Step 1:
Open the following files one by one:
/var/cache/yum/x86_64/6/base/mirrorlist.txt
/var/cache/yum/x86_64/6/extras/mirrorlist.txt
/var/cache/yum/x86_64/6/updates/mirrorlist.txt
Add the following line at the end of the files:
https://vault.centos.org/6.10/
Step 2:
Open the file "CentOS-Base.repo" and modify every block as shown below (the file name is case-sensitive):
vi /etc/yum.repos.d/CentOS-Base.repo
[base]
name=CentOS-$releasever - Base
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os&infra=$infra
baseurl=http://vault.centos.org/6.10/os/$basearch/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
gpgcheck=1

#released updates
[updates]
name=CentOS-$releasever - Updates
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates&infra=$infra
baseurl=http://vault.centos.org/6.10/updates/$basearch/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
gpgcheck=1

#additional packages that may be useful
[extras]
name=CentOS-$releasever - Extras
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=extras&infra=$infra
baseurl=http://vault.centos.org/6.10/extras/$basearch/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
gpgcheck=1

#contrib - packages by CentOS users
[contrib]
name=CentOS-$releasever - Contrib
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=contrib&infra=$infra
baseurl=http://vault.centos.org/6.10/contrib/$basearch/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
gpgcheck=1
Step 3: Done! From now on you can use yum normally (keep gpgcheck=1 so packages from the vault are still signature-verified).
Tuesday, 6 October 2020
Laravel: Force to use HTTPS for all routes and url (Support Cloudflare Flexible SSL)
In some special cases, especially when you are using Cloudflare Flexible SSL, you need every URL on your website (those generated by the url() and route() helpers) to be https even though the server itself does not terminate SSL.
Solution:
Edit App\Providers\AppServiceProvider (app/Providers/AppServiceProvider.php) and add this to the boot() method:
// at the top of the file: use Illuminate\Support\Facades\URL;
public function boot()
{
    // custom for Cloudflare Flexible SSL
    if ($this->checkHTTPSStatus()) {
        URL::forceScheme('https');
    }
    /* ...some other code... */
}

private function checkHTTPSStatus()
{
    /* Select one of the options below */
}
Option 1: Switch to https according to the configuration in the env file
private function checkHTTPSStatus()
{
    // note: env() returns null once "php artisan config:cache" is used,
    // so in production read the value through a config() entry instead
    return env('APP_HTTPS', false) === true;
}
In the .env file you must declare the APP_HTTPS parameter:
APP_HTTPS=true
Option 2: Automatically switch to https if the request arrived through Cloudflare Flexible SSL (Cloudflare sets X-Forwarded-Proto: https). Note that any client that can reach the server directly can set this header too, so only rely on it when the server accepts traffic solely from Cloudflare or the proxy is listed in TrustProxies.
private function checkHTTPSStatus()
{
    return (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https');
}
Option 3: Full SSL
private function checkHTTPSStatus()
{
    return !empty($_SERVER['HTTPS']);
}
Solved!
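Both the TrustProxies middleware in the Laravel 9 post above and Option 2 here depend on one rule: X-Forwarded-* headers are believed only when the request really came from a trusted proxy. As an added example (not Laravel's or Symfony's code), this Python module writes that rule out for X-Forwarded-For and X-Forwarded-Proto; the proxy range 203.0.113.0/24, the function names and the header samples are my assumptions.

```python
import ipaddress

# Constructed trusted-proxy range (documentation address space, not a real proxy).
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/24")]

def parse_ip(addr):
    """Return an ip_address object, or None if addr is not a valid IP."""
    try:
        return ipaddress.ip_address(addr.strip())
    except ValueError:
        return None

def is_trusted_proxy(addr):
    """True if addr is a valid IP inside one of TRUSTED_PROXIES."""
    ip = parse_ip(addr)
    return ip is not None and any(ip in net for net in TRUSTED_PROXIES)

def resolve_request(peer_ip, headers, https_on_socket=False):
    """Return (client_ip, scheme) the application should believe.

    headers: dict keyed by lower-case header name. X-Forwarded-For and
    X-Forwarded-Proto are honoured only when the TCP peer is a trusted
    proxy; a direct client that sends them is ignored, so it cannot spoof
    its address or claim an HTTPS origin it does not have.
    """
    scheme = "https" if https_on_socket else "http"
    if not is_trusted_proxy(peer_ip):
        return peer_ip, scheme
    # Hop chain as reported by the proxies, with the peer we saw appended.
    xff = headers.get("x-forwarded-for", "")
    chain = [h.strip() for h in xff.split(",") if h.strip()] + [peer_ip]
    client_ip = peer_ip
    # Walk inward from the proxy side: the first hop that is not one of our
    # proxies is the client; anything left of it was written by an untrusted party.
    for hop in reversed(chain):
        if parse_ip(hop) is None or is_trusted_proxy(hop):
            continue
        client_ip = hop
        break
    proto = headers.get("x-forwarded-proto", "").strip().lower()
    if proto in ("http", "https"):
        scheme = proto
    return client_ip, scheme

def check_https_status(peer_ip, headers, https_on_socket=False):
    """Hardened form of Option 2 above: force https only when a trusted proxy says so."""
    return resolve_request(peer_ip, headers, https_on_socket)[1] == "https"
```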
Monday, 10 August 2020
Laravel Error "$errors is undefined"
$errors is undefined
Sunday, 26 July 2020
Laravel Fix Error : Function name must be a string by Illuminate\Pipeline\Pipeline.php
$carry = method_exists($pipe, $this->method)? $pipe->{$this->method}(...$parameters): $pipe(...$parameters);
protected $routeMiddleware = ['auth' => \Illuminate\Auth\Middleware\Authenticate::class,...}