We build innovative web based applications

UPDATE Tuesday December 28, 2010 05:27 GMT+11: I have combined this post and it's follow up into one more coherent, useful post: Installing an Independently Verified SSL Certificate. This post is preserved in it's original form for historical purposes. The original follow up is: Installing a Signed SSL Certificate.

Although It's such an obvious protection racket, when you're accepting payments on the web, you just have to bite the bullet and pay for a signed certificate.

Fortunately, you don't have to go with the really extremely expensive Thawte and Verisign to get good browser coverage. And let me just preface this article with this statement: there is ABSOLUTELY no security advantage in encrypting with a paid certificate. The only advantage is in the background check that the company does to verify that the person who created the certificate owns the domain, but in terms of the actual encryption, a self-signed certificate is perfectly adequate.

We recently set up a payment gateway for the Veterinary Practitioners Board and went with a self-signed certificate. We were okay with the standard browser warnings, but then we discovered that Norton Anti-Virus and other virus software was throwing up really ugly looking warnings about the self-signed "Untrusted!" certificates.

We shopped around and found a cheaper certificate provider than Thawte or Verisign (because those guys are REALLY expensive). So now it's time to create a CSR (Certificate Signing Request).

We already have the 'requests' we made for our self-signed certificates, but we can't just re-use them because we made them 'wild card' certificates (that is, they work for any sub-domain of vpb.nsw.gov.au, but these cost more to get signed for some absurd reason. The mind boggles).

So I just type:

onto my command line. It then prompted me for the password. I chose a really really strong password that I haven't used before that combines upper case and lower case letters, numbers and symbols. It's so unhackable.

I just followed the prompts to enter in all the company information for VPB. The most important thing here is the common name. In the prompt it says "eg. YOUR name", which I don't really understand at all, because what you're required to put here is the domain for which you want the signing request. I entered in www.vpb.nsw.gov.au. This is what I was referring to earlier when I said we couldn't re-use our wildcard certificate, which was created with *.vpb.nsw.gov.au as the common name. All the other stuff it asks for is pretty self-explanatory.

When I was done it spat out my certificate request which I just copied into a file vpb-req.pem and then sent off to that file to the certificate authority. It also created a key file, called privkey.pem which I copied to vpb-key.pem and saved for later (because I'll need to use it when I install my certificate).

We're getting ours registered through Chris Langlands at www.backend.com so I'm going to email the pem file off to him and I'll write about how to install the certificate once I get the signed certificate back from him.

I've also written about how to install your signed certificate.

Quite often in the FreeBSD ports system, the same application will have several different ports for different branches of development.

One example of this is the Apache web server. There are separate ports for version 1.3, 2.1, 2.2 etc.

I had apache21 installed. I couldn't just use:

because this would update to the latest version on the 2.1.x branch and i needed to upgrade to 2.2.x, however trying to install apache22 straight away from the port stopped with an error that the installation of apache22 conflicted with apache21.

I needed a way to upgrade apache21 to apache22 without first deinstalling apache21, and which would update all other package dependencies automatically.

Luckily, portupgrade came to the rescue (thanks _Steve_ from ##freebsd on freenode for this one):

the -o switch to portupgrade means 'set the origin', so the above command upgrades the apache21 port using the apache22 as the source for the upgrade.

UPDATE Monday December 27, 2010 21:45 GMT+11: This original post was pretty brief and I've posted in more detail on the same subject

In general, PHP's date handling functions are amazing. You should make yourself familiar with the GNU Date Input formats because they can be used to great effect with strtotime().

Also, the formatting output of the date() function is such that you can usually get any information you need out of a date quite easily. For instance to get the current year, you would do:

To get the previous year you could do:

This type of date manipulation is a big time saver and it pays to learn it as early as possible.

EDIT Monday December 27, 2010 19:07 GMT+11: This post is referring to the very first version of the Decal CMS which was a module for the RocketSled PHP framework which simplified the task of making small parts of any page in your application editable. I've kept this post here for historical purposes, mostly because this original implementation is where the name Decal comes from.

I've created a new version of the Decal page based CMS and implemented it for the first time on the Catfish Films intranet, and it is working very nicely. In order to implement it, you need to put:

into your Display::init() method. Then you need to put the following RSML into your template:

Then in your Pilot installationn (ed: The Pilot was the name of the user management package in RocketSled - pilot controls the sled, get it?), add the site function ManageDecal under the desired access level. Whenever authorised users are logged into the site, they will see 'Edit This' whenever there is some editable Decal data.

When I configured FreeBSD jails, I added this line to /usr/local/etc/postfix/main.cf:

This stops postfix from listening on all network interfaces on the machine, and means that jail processes can run separate postfix instances.

However, I didn't use this machine to receive incoming mail at first, only for sending mail out through a relay (mostly from web applications).

I want to start using this machine as my main mail server, and also wanted to have bugmail@workingsoftware.com.au deliver mail to the Bugzilla mail interface script, but even though postfix was listening on port 25, as shown by this command and the corresponding output:

I was unable to connect on port 25. I couldn't figure out how to fix it, but adding this line to /usr/local/etc/postfix/master.cf seems to work:

and I can now see this process listening on port 25:

telnet socata.scoastnet.com.au 25 now works also, so I assume this has done the trick.

Now that I'm in charge of a rack full of servers, one of the most important considerations is backup strategy. There are a number of open source solutions around, but the one that really caught my eye was rdiff-backup.

The main things that I liked about rdiff-backup that i like are:

• easy to install, zero config
• one liner to run and restore
• backups stored as a normal file tree so you can browse a backed up system, and even mount it if need be
• all diffs etc. stored as gz format, and in a browsable file structure, good for "if all else fails" situations
• runs over ssh so I can just use keychain and ssh keys and cron to automate it (rather than having to learn how to use/configure daemon processes on a machine)

It's not perfect, of course, and I've seen a few bugs show up in the mailing lists to do with backing up OSX and Windows file systems, but that's not something I will ever have to worry about.

I've also seen some issues with ACL (Access Control Lists) permissions which I'm not too worried about as I don't use them anyway.

So all I had to do was install the FreeBSD port for 1.5.3 (which has the added --preserve-numerical-ids switch) which, at the time of this writing, is in /usr/ports/sysutils/rdiff-backup-devel and I was ready to roll.

I put the following in the root crontab:

And then I made this script (paths and passwords removed for brevity and security, line breaks added for readability denoted by "\"):

I also created a restore.sh script:

Which can be used as follows:

This is all backing up to another machine in the same rack, to a single, large IDE drive. I then do a remote backup (just rsync, no incremental backups required) to machines at two remote locations to external USB IDE drives that are encrypted using FreeBSD's GBDE hard drive encryption.

The combination of rdiff-backup, rsync and GBDE have given me a robust, easy to install and configure, fast to restore and above all very cost effective backup solution. No tapes, no NAS, no RAID, no security holes (I think!!).

Well, 2006 has been a pretty hectic year. Since discontinuing my Bachelor of Mechatronic Engineering at Sydney Uni at the beginning of the year I've been devoutly focussed on building up my business as a web based application developer.

For the most part, this has involved a lot of development and refining of my open source PHP 5 Web Application Framework, RocketSled.

After spending the last few years kicking around doing this and that with various websites, I've come to realise that my one true passion is for building intranets, and for building online applications that allow businesses to function more efficiently and interact with clients more effectively.

That's where the name Working Software came from: it's software that works, but it's also software that you work with.

I can see so many opportunities to improve workflow and decrease reliance on closed source office software, as well as reducing paperwork through simple solutions like open blogs, project wikis and the use of email gateways, intranets and the power of IRC (Internet Relay Chat)

Another recent development has been the introduction of several new people to my immediate working team. Pretty soon they'll all be posting their own blogs on here about their trials and tribulations working with software, and tips and tricks they discover along the way, as well as anything else they feel compelled to contribute.

I look forward to working with them, and with you to create some Working Software in 2007 and the years ahead!