Alex Le’s Blog

I got the invitation to CloudFoundry (http://cloudfoundry.com), the new PaaS (Platform as a Service) sponsored by VMWare, so I decided to deploy my side project PushPuppy to evaluate the platform. CloudFoundry (CF) supports a wider selection of platforms and technologies including Ruby (1.8.7 and 1.9.2), NodeJS, and Java 6, as opposed to Heroku’s Ruby-only support. So for weekend or experimental projects, CF is an excellent choice.

The basic application deployment process was pretty straightforward, download the vmc gem, run a few commands to push the app to CF and fingers-crossed hoping that the app starts successfully. For PushPuppy, I’m using Rails 3 and MongoDB with Mongoid as the ORM, and I had to change a few things to get the app deployed properly.

Because CloudFoundry provide a ready environment for your app, the configuration is only available at deploy time. Since Mongoid tries to connect to the database when your app is starting, the app would fail in a normal CloudFoundry push with something like

Error: Application ‘pushpuppy’s state is undetermined, not enough information available.

and if you hit the public URL, the site will return

VCAP ROUTER: 404 - DESTINATION NOT FOUND

Essentially the app couldn’t get started in the backend, so you’ll get a 404 since CF can’t route the request to the application server. Luckily, CloudFoundry provides some basic logging access to help you troubleshoot the issue:

$ vmc logs YOUR_APP_NAME

The command will show you all the logs from stderr or stdout. Using the error logs I was able to get Mongoid to connect properly.

First of all, add

gem ‘json’

to your Gemfile. CloudFoundry requires all the gems to be explicitly listed in the Gemfile.

Next, Remove the mongoid.yml file, and create a new initializer: config/initializers/mongoid.rb

The idea is to sniff if there’s a VCAP_SERVICES environment variable, we’d connect to MongoDB using the CloudFoundry provided parameters. Now update your app again and hopefully your app will start.

This is the full log for my deployment of PushPuppy with Ruby1.9.2

Conclusion:

Pros:
- CloudFoundry is a cool new PaaS that is free and supports a great variety of bleeding-edge technologies like Mongo, Redis, NodeJS. I’m especially intrigued about the NodeJS support since I’ve been looking for a service to host my projects.

Cons:
- The deployment process is simple, but still not as streamlined as Heroku’s. The error messages are not as clear as they should be, especially for a new starter, it may takes a little bit of digging to figure out what goes wrong.
- CF currently doesn’t support domain mapping. So it remains only a development/test platform. Hopefully VMWare will add this feature soon.
- No rake support, so basic things like db:seed or running custom rake tasks directly are not possible. CF automatically runs db:migrate, but for db:seed you have to put in an initializer (more here).
- No console support.
- No way to have direct access to your data so please don’t run your production app here

Nonetheless, CloudFoundry is a cool platform and it makes me as a developer happy because I now can experiment with new technologies without having to worry about the hosting and sysadmin part.

While installing a new Ubuntu server on Linode for a client using the “Stackscripts for Ruby 1.9.2, Passenger, Nginx, Rails, and MySQL”, I ran into an issue with bundler unable to install a few gems, notably mislav/will_paginate and collectiveidea/delayed_job. The gemspecs files of these particular gems have UTF-8 characters, and rubygems barks with the following errors:

Using will_paginate (3.0.pre3) from https://github.com/mislav/will_paginate.git (at rails3) /usr/local/lib/ruby/site_ruby/1.9.1/rubygems/specification.rb:724:in `gsub': invalid byte sequence in US-ASCII (ArgumentError)

It turned out that for the default LANG environment variable wasn’t set by default. If you run

$ locale

you’d see something similar to this

LANG=
LC_CTYPE="en_US.UTF-8"
LC_NUMERIC="en_US.UTF-8"
LC_TIME="en_US.UTF-8"
LC_COLLATE="en_US.UTF-8"
LC_MONETARY="en_US.UTF-8"
LC_MESSAGES="en_US.UTF-8"
LC_PAPER="en_US.UTF-8"
LC_NAME="en_US.UTF-8"
LC_ADDRESS="en_US.UTF-8"
LC_TELEPHONE="en_US.UTF-8"
LC_MEASUREMENT="en_US.UTF-8"
LC_IDENTIFICATION="en_US.UTF-8"
LC_ALL=

Notice that the $LANG variable is empty. Since ruby relies on the LANG to pick out the correct encoding, it got confused when trying to process the gemspecs containing the UTF-8 characters. To fix this issue, you can set the LANG option system-wise by adding 1 more line to your /etc/environment file. Just run this 1-liner and you’ll be all set.

$ sudo echo LANG=en_US.UTF-8 >> /etc/environment

Now the LANG will be set for your system, and thus will be passed to your ruby and passenger environment properly.

Here’s the updated version of the stackscript: http://www.linode.com/stackscripts/view/?StackScriptID=2166

I recently purchased and installed a new SSL certificate from GoDaddy for Marrily. During the process, I came to learn more about SSL and the different steps to set everything up from scratch. There are an abundant amount of articles and tutorials on how you can get started, but surprisingly there are no articles on “why” you have to follow those steps. Truth is I was pretty confused when I first started. There were a bunch of different steps and different key, pem, crt, csr files that need to be generated. The result was that I got lost and screwed up during the process. I then add insults to injury by accidentally revoking my certificate instead of re-keying it and ended up having to call GoDaddy to revert the deletion. Since any entrepreneur with a SaaS website will eventually need to implement SSL to protect their customers, having a better understanding of SSL will be greatly beneficial. This is my explanation to the entire process in plain English in hope that I can help clear up the confusion.

Why SSL?

To protect the communications between your web server and the client’s browser, you need to implement an encrypted channel so that all data transferred back and forth can only be read by your server and the browser. Anyone who eavesdrops in between will just see gibberish. Only your web server and the client’s browser know the right “secrets” to unlock the encrypted message. This communication protocol is called https, with the s stands for “secured”.

When user requests a page via https, your server will need to encrypt the content using a secret which the user’s browser can decrypt using a well-known identity. If somehow the content is encrypted with an unknown identity, the browser will be very hesitant to accept it, and it will ask user to make the hard decision to proceed or not.

Why Purchase a SSL Certificate?

To purchase a SSL certificate is to obtain a publicly verifiable identity for your domain that is accepted in all browsers. Most modern browsers include a list of well-known root Certificate Authority (CA) public keys, and any encryption done using these CA sources will be accepted by the browser. It is also possible for you to generate a root Certificate Authority set of key as well, technically speaking you become your own Certificate Authority. However, since your identity is unknown and not verifiable, the browser will not trust your keys and thus it will pop up an alert to notify the user. Nonetheless, once you add your certificate key to your browser’s list of accepted certificates, it will come to know about your identity and hence it won’t bother popping up anymore.

Since you can’t ask everyone to manually install your public key to their browser’s list of accepted certificates, you will need to buy the certificate from an established vendor whose public key already came bundled by default in the browser. I read somewhere that this is how browser vendors can make some money, e.g. the SSL guys will need to pay to have their identity (the public key) included in the browser. In exchange, these SSL vendors can turn around and certify (or “sign”) anyone who wants to get a SSL certificate for a fee.

If you think about becoming a SSL vendor, you will need to convince all other browsers that you’re completely trustworthy, and you protect your private key used to generate the SSL certificate with your life, since whoever gets their hands on your private key will be able to sign any SSL request, thus compromising your identity as the reputable Certificate Authority. All SSL vendors offer a warranty on their SSL certificate service from $1,000 to $10,000 to a lot more specifically as a statement that they keep their secret hidden really well to protect the identity of their customers’ SSL certificates.

Obtaining a SSL Certificate

Step 1: Generate your private key

To handle https requests, your web server will need to encrypt the data. Hence the first step you need to do is to generate a private key that will be used for the encryption. You can use different encryption algorithms but a SSL vendor can ask you to use a specific method and key length. The longer the key, the better the encryption strength. If the key is too short, the bad guy can quickly run through all the possibilities and found out your private key, then he can pretend to be you. In my case, GoDaddy want to have 2048 bits (256 bytes) for the strength for the private key. For personal use, a key strenght of 1024 bits (128 bytes) would be sufficient.

openssl genrsa -out private.key 2048
Generating RSA private key, 2048 bit long modulus
..............................+++
.+++
e is 65537 (0x10001)

Step 2: Generate a new SSL Request .csr file

The next step is to generate a “request” for a new SSL using your private key. This request file has an extension of .csr which stands for Certificate Signing Request, and it contains the identity about you (or your company), and most importantly, where the SSL certificate would be valid for: a single domain (cheapest) or any sub-domains (a.k.a. wildcard, and a bit more pricey). All these information will be encrypted using your private key and saved to a file. The SSL Vendor will then take this file and sign it to produce a valid SSL certificate that can be applied to your server.

EV SSL
If you pay more money, you can also get your identity in the SSL certificate confirmed as a legitimate business entity. This type of SSL certificate is called EV SSL (Extended Validated Certificate). Essentially the SSL vendor will verify the identity of your company by asking you to submit your business registration paperwork, bank account, letter from attorney or accountant, etc., for an additional fee ($400 to $1,000). In return, you will have a green-bar status with your company’s name next to the browser’s address bar. The theory is that user can identify your company’s name, and thus feels more secured as he/she knows that the website is the correct one, not a phished site that just pretend to be your website. Most (if not all) banks and prominent businesses have this type of EV certificate to protect their identity.

To generate a new CSR from your private key, use the command:

$ openssl req -new -key private.key -out marrily.com.csr

As I mentioned, the most important bit of the CSR file is where the SSL Cert should be valid for, which is defined in the “Common Name” attribute. For single domain (https://marrily.com, or https://www.marrily.com), you can use either “domain.com” or “www.domain.com”, since the “www” subdomain is so commonly used and thus can be omitted. Check out line 14 below for more details:

$ openssl req -new -key private.key -out marrily.com.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Marrily
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:marrily.com
Email Address []:alexle@marrily.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

I did not specify any challenge password in this case to keep everything simple.

Step 3: Submit your CSR to get a SSL Cert

Now that you have the CSR file containing your identity and which domain the SSL would be valid for, you can submit this CSR file to the SSL vendor (of course you will have to pay them first). They will take your CSR file and generate a new .crt (certificate) file using their own private key. Essentially they “sign” your CSR file with their carefully guarded secret file. You will then get back the your .crt file corresponding to the CSR, and another .crt file that belongs to the SSL vendor.

Chances that the SSL Vendor’s crt file actually contains a list of different certificates (public keys). The reason is that more or less your SSL vendor is actually a re-seller of another Certificate Authority, which can also be a reseller of another higher-level CA. So the first certificate would belong to your immediate SSL vendor, the one after that belongs to the higher-level CA that signed your vendor’s cert, and the cert listed after that belongs to an even higher CA that signed the CA’s cert that signed your vendor’s cert which signed your own certificate. Essentially it’s a tree of certificates that lead all the way up to the highest level of CA, which is a root certificate that is included in the browsers by default. For GoDaddy, the root CA is www.valicert.com, and for VeriSign, it is VeriSign’s own Class 3 Public Primay Certification Authority - G5.

(notice the green bar, that’s the EV SSL which costs you some more money to obtain)

Step 4: Configure Your Web Server

Now you should have in your possession these files:

1) your private key
2) your .csr file (not used anymore)
3) your new SSL certificate provided by your vendor as a .crt file, which is valid for your domain.
4) your SSL vendor’s crt file, containing a list of different certificates.

You are now ready to go and configure the web server to use your private key and your new SSL certificate (which is technically a public key) for the https-enabled website. The specific configuration for each web server is different, but the process will be the same. Also, the .crt files sometimes have a “.pem” extension as well, but for simplicity’s sake, they can be used interchangeably.

Nginx and GoDaddy SSL

In my case, I used nginx to serve my Rails application. I originally installed this nginx instance from source using passenger’s installer but ssl was not enabled by default (you can check this by running “nginx -V” and look for - -with-http_ssl_module). I re-ran the passenger’s installer again and add the - -with-http_ssl_module switch to the optional parameters, and everything was good to go.

One gotcha for Nginx is that you will have to combine the 2 certs that GoDaddy give you into one .crt file, with your SSL certificate comes first, then GoDaddy’s crt file (gd_bundle.crt). The browser would understand this as your SSL was signed by the CA whose public key is next cert entry, then that one was signed by the one after it, etc. all the way to the root CA.


$ cat www.marrily.com.crt gd_bundle.crt > marrily_combined.crt


I then added a new server{} block to listen for ssl requests on port 443. After restarting Nginx, Marrily is now ssl-protected with a green padlock.

server {
    listen          443;
    server_name     marrily.com;
    # passenger stuff

    ssl on;
    ssl_certificate         /your/ssl/folder/marrily_combined.crt;
    ssl_certificate_key     /your/ssl/folder/private.key;
}

Self-Signing your Certificate and Testing SSL Locally

Now that Marrily is https-enabled and some of the actions requires SSL, I wanted to develop the site locally using SSL as well to make sure all the logic worked correctly. I’d need to self-sign a new SSL certificate and have it installed locally.

Preparation
In my environment (Mac OS X Snow Leopard), I also have nginx installed using Homebrew. Homebrew installed nginx with ssl support by default so no recompilation was needed. I also added a new entry to my host file so that I can use a fake domain to access my local site, and I’d use this fake domain in my CSR as well.

# /etc/hosts
127.0.0.1 marrilydev.com

Self-Signing a New Certificate
I generated a new private key using openssl:

$ openssl genrsa -out privatekey.pem 2048

Then I generated a CA cert using this private key:

$ openssl req -new -x509 -key privatekey.pem -out cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:marrilydev.com
Email Address []:

I didn’t care about any of the details except for the Common Name field, which I specified the fake domain.

Since the cacert.pem file was generated (a.k.a. signed) using the same privatekey.pem file, we could use it as the SSL certificate directly. All we’d need to do is set the ssl_certificate_key setting in the configuration to the privatekey.pem file:

upstream rails { server 127.0.0.1:3000; }

server {
   listen       443;
   server_name  marrilydev.com;

   ssl                  on;
   ssl_certificate      /Users/sr3d/projects/misc/ssl/cacert.pem;
   ssl_certificate_key  /Users/sr3d/projects/misc/ssl/privatekey.pem;
   ssl_session_timeout  5m;

   server_name   marrilydev.com;
   access_log    /Users/sr3d/projects/marrily/svn/marrily_marrily/m3/app/log/access.log;
   error_log     /Users/sr3d/projects/marrily/svn/marrily_marrily/m3/app/log/error.log;
   root          /Users/sr3d/projects/marrily/svn/marrily_marrily/m3/app/public/;

   location / {
     proxy_set_header  X-Real-IP  $remote_addr;
     proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
     proxy_set_header Host $http_host;
     proxy_connect_timeout 74; # max is 75s
     proxy_redirect off;

     # Proxy to Backend
     if (!-f $request_filename) {
        proxy_pass http://rails;
        break;
     }
   }
}

(Note: locally I have the nginx proxy all traffic to the development server running on port 3000)

Also, since Mac OS X has special restrictions for port 80 and port 443, nginx must run with sudo to listen to port 443, otherwise it would silently fail and you won’t be able to hit the site via https.

Getting Rid of SSL Warnings by Installing the Self-Signed Cert
With nginx configured to listen to secured requests, I opened up the site in Chrome, and saw a huge red error message complaining about the validity of the certificate, since Chrome did not recognize the identity of the cacert.pem. Obviously I could just ignore the warning and proceed to the https site for the current session, but there’s a better solution: add the cacert.pem to the list of approved certificates.

To install the self-signed certificate, just double click on the cacert.pem file in Finder. The cert would be added automatically to Keychain Access.

With the cert added to Keychain, all browsers installed in the system would gladly accept a https connection to https://marrilydev.com.

Summary

• SSL certificate is not all that confusing once you understand the gist of it and why each file is needed
• The process in simple steps:
  • generate a new private key for encryption
  • Using this private key, generate a CSR containing the domain information for the SSL
  • submit the CSR file to the SSL vendor to obtain a new CRT certificate file
  • configure your web server to listen to 443 https traffic using the private key in step 1 and the CRT obtained from the vendor
• GoDaddy SSL has different pricing on their SSL stuff, so search around and don’t pay a full price.
• SSL is cheap, implement it to protect your customers and gain their trust
• If you’re gziping your site, should add this line to your nginx’s conf file:
  gzip_buffers 16 8k; to make sure nginx doesn’t loose large gzipped JS or CSS

Reference

• How to setup GoDaddy SSL certificate on Nginx
• Nginx Gzip SSL

I ran into an issue with latest Devise (1.2.0 6e71eca).

BCrypt::Errors::InvalidSalt in SessionsController#create
invalid salt


This was caused due to the fact that in later versions of Devise, the default “cryptor” was changed to :bcrypt instead of :sha1. I did not specify the default encryptor before, and thus the issue with encryption algorithms mismatch arises. This means that all the existing users created using older version of Devise would not work with the new Devise after running “bundle update”.

To fix this issue, in the devise.rb initializer file (config/initializers/devise.rb), specify the encryptor to :sha1 (the previous default).

config.encryptor = :sha1


I was caught off-guard with this issue since all my test cases passed with flying colors. For Marrily I use FactoryGirl and Shoulda to test. In the setup method of most test cases, a new user object is created from a factory definition. Since the generated password and salt of the test user are always created with the latest code from Devise, this issue of cryptor mis-match will never happen. Had I used static fixtures, this bug would be caught, because the salt would always be static and thus Devise would throw an exception. In an existing database with users generated from a previous version of Devise, the change could be a huge problem. To fix the issue, all registered users after the Devise gem upgrade will need to have their passwords reset with the right cryptor.

Marrily has started out with Rails 3beta2 and it’s been upgraded ever since all the way to Rails 3.0.0. I launched the closed-alpha version August 1st, and had many users signed up using the :sha1 cryptor. Had I released the latest code to production without specifying the cryptor, it would probably cause a lot of issues to the site. The lesson learned here is to make sure that you are as specific as possible with your plugins, especially for default values. When in doubt, specify it. And really test your application. There’s no way around it. Rails and many popular plugins and gems move fast. To protect your application, having a test suite is the only way to ensure a smooth sail.

If you have to deal with multiple configuration values for different environments, this easy and very simple trick will let you put all these values to an external YML file and have a convenient global hash to access the values. Another benefit of putting config values in a YML file is that you can re-factor shared values into a default block, and override values in environment-specific blocks. You can keep your code DRY, now keep your config DRY as well, instead of littering your different environment config files.

In your environment.rb, add this one line between the Rails::Initializer.run do … end block

Rails::Initializer.run do |config|
  # ... other config code

  SITE_CONFIG = YAML.load_file(  "#{RAILS_ROOT}/config/site_config.yml" )[ ENV['RAILS_ENV'] || RAILS_ENV ]
end

Create a new “site_config.yml” file the /config folder using the following skeleton:

# config/site_config.yml

# the shared configurations.  Override values here in each individual environment.
defaults: &defaults
  twitter_username: your_username
  twitter_password: your_password

  # Blog
  blog_url: http://alexle.net
  blog_feed: http://alexle.net/feed/
  blog_email: 

development:
  <<: *defaults
  # override
  twitter_username: dev_username
  twitter_password: dev_password

slicehost:
  <<: *defaults

test:
  <<: *defaults

staging:
  <<: *defaults

production:
  <<: *defaults

Restart your web server so that the environment.rb file is picked up. Now within your code, you can access the values using

  logger.debug SITE_CONFIG["twitter_username"]

The only gotcha of this method is that we cannot override nested configuration blocks due to the way YML files are interpreted.

# this sample won't work
defaults: &defaults
  twitter:
    username:
    password:

development:
  <<: *defaults

  # this override doesn't work since it replaces the twitter hash in the defaults block with a new
  # hash containing only the "username" key (The "password" key-value is gone!)
  twitter:
    username: dev_username

cheers!