Fixing OpenSSL on WordPress Windows PHP 5.6+

Background:

i ran into OpenSSL errors during the Disqus plugin setup.
there are tons of hits suggesting various solutions; below is the very simple solution that worked for me…

Sample error messages:

SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Failed to enable crypto in ...

TL;DR:

  1. download latest cacert.pem
  2. place it in a pertinent folder (e.g. $\wp-includes\certificates)
  3. edit your php.ini > openssl.cafile={full path to cacert.pem}

Ethereum 101 on Windows

background / baseline context

  • I’m not even remotely suggesting that this is new info, but even though there are some very friendly guides already cooking out there, I ran into mild snags and this is my attempt to really grease the rails on the way to running the greeter sample smart contract
  • now that we have Ubuntu running natively on Windows 10, the native Windows binary path for what are obviously linuxy bits sorta feels like a less direct path to success, but IIRC i had initial snags that kicked me in this direction
  • these commands target a local private net instance… we get free gas this way so i figure inhale that immediate gratification as quickly as possible and use that energy to conquer our next ether mountain

getting spun up and ready to spend some ether

  1. Ethereum.org/cli feels like the canonical starting point so keep that handy -BUT- for starters, the referenced Windows binary installation url was down for me as of this writing
  2. so here’s the geth install bits… geth is the preferred CLI based server and admin console (installed to C:\Program Files\Geth for me)
  3. and we’ll also need the smart contract compiler “SOLC” (C:\Program Files\cpp-ethereum)… make sure those are both in your path
  4. create a working folder for this instance (aka “private network”) and make it current, hereby referred to as {workdir}
  5. throw together a genesis.json like so, filling in the blanks as noted (from here 1)

    • nonce: throw in a self generated hex guid … one way to create a guid would be to install ScriptCS.exe and then System.Guid.NewGuid().ToString("n") … recommend installing ScriptCS and anything else via Chocolatey Windows package manager
    • coinbase & alloc: note that later we’ll replace those “0x0” values with your primary account number, i.e. the address where you want your mined ether to deposit and build up
  6. initialize your working folder files:
  7. do ourselves a big favor and create a default javascript file to toss in any of our own custom convenience routines to be available whenever the server starts up… save the following to e.g. helpers.js (referenced in the ethStart.cmd below)

  8. save the following to ethStart.cmd and launch it to fire up the server

    • full CLI option reference 2
    • networkid: make yours up
    • datadir: crucial your other files are in the current working folder
    • dev: developer mode… this seems to make certain initialization steps do a faster minimal burn
    • unlock: this will prompt you for password and thereby start server with specified etherbase aka coinbase account unlocked to enable spending ether which is REQUIRED TO SUBMIT ANY TRANSACTIONS, including our first hello world sample smart contract!! =)
    • etherbase: update this with your primary account, next step…
    • password: create pw.txt with the same password you specify in next step…
    • rpc: fire up the http-rpc endpoint… defaults to: http://localhost:8545
    • preload: loads our custom convenience routines
  9. create your primary account: personal.newAccount("fill in a password") … this will output the hex number of your first account# aka primary aka eth.accounts[0]
  10. stop the server with CTRL-D
  11. plug this account# into genesis.json and ethStart.cmd > coinbase & alloc properties… and add the unlock param back into ethStart.cmd
  12. drumroll… restart ethStart.cmd … watch for any errors in the output
  13. i had to wait a few minutes for mining activity like below to kick in… it would be interesting to hear what it’s doing during this extended delay…

    • definitely try miner.start(1) from the geth javascript command line if nothing happens after say 3 minutes tops
    • good troubleshooting ref 3
  14. once you see mined block output, then try balance() and you should see a few ethers piling up in your kettle
  15. here is my actual full happy output for your reference… don’t worry, all “secret” values herein (e.g. account#, password, etc) are local testnet only / completely sacrificial

saving “greeter” sample smart contract to your blockchain

now we can jump into the greeter hello world sample

  1. save this to greeter.js

  2. fire that greeter.js, which compiles the greeter contract and sends it off to be committed to your blockchain via: loadScript("greeter.js")
    • expecting output:
  3. again, sit and twiddle your thumbs for an excruciatingly long time (7 minutes for me!?!?)… and hopefully you eventually see output
  4. now we finally get to do: greeter.greet()
    • expected output

Fun next steps…

  1. Get BlockApps Strato rolling

    • Strato4 is a convenient REST API layer on top of raw Ethereum

      Each BlockApps node exposes a RESTful API to interact with the node. This allows you to deploy contracts/publish transactions with simple REST calls. Bloc-server also generates a REST API for each smart contract you deploy with it. This allows for a clean separation between your dapp’s frontend and smart contracts.

    • Solidity extension for Visual Studio has a nice, easy run-through on setting up BlockApps

    • BlockApps Strato GitHub Readme is also a short install guide with the following steps
      1. install nodeJS / npm via: choco install nodejs
      2. npm install -g blockapps-bloc
      3. test that your Ethereum dev net apiUrl is listening: curl http://localhost:8545, expecting output: {"jsonrpc":"2.0","error":{"code":-32600,"message":"EOF"}}
      4. create a fresh BlockApps project…
        1. CD into the PARENT directory of your new project folder
        2. bloc init and follow the prompts – the Visual Studio extension link has nice screenshots
        3. then CD into your project folder
        4. bloc genkey – will prompt for a password and create the initial “admin” user, expecting output: transaction successfully mined!
      5. bloc start fires up the Strato server listening for REST requests, expecting output:

        • that’s pretty cool, we’re running on top of our own custom dev net
      6. (open yet another CMD window) curl "http://localhost:8000/users", expecting: ["admin"]
      7. continue on with the guides…
      8. particularly this Ether transfer example
        • tip: curl "http://localhost:8000/users/admin" yields the necessary user address number
        • sample transfer: curl -X POST -d "password=ann0ying&toAddress=39b32d2be0c29c1011f7d1481f945b9d355cae96&value=10" http://localhost:8000/users/admin/a962a8e09ae6a096258d988588f2e8639cd2a664/send
        • ran into this error: {"errorTags":["transactionResult","submitTransaction","Transaction"],"message":"txHash must be a hex string (got: [object Object])"}
        • the only mention of this kind of error i’ve found so far has no response
        • i got node.exe JS file breakpoints working in Visual Studio 2015… a little tricky because bloc “spawn”s the main web listener as a child process… so basically tweak this %appdata%\npm\node_modules\blockapps-bloc\bin\main.js line like so: var server = spawn('node', ['--debug-brk=5859', 'app.js' ]); and follow this VS guide
        • debugging showed me the underlying error back from ethereum is “missing request id”… which i ran across firing basic curl requests at ethereum when i left out {“id”: number} on my curl calls… so i hacked that into the source {myProj}\node_modules\blockapps-js\js\Transaction.js but then…
        • the next error i’m stuck on now is “The method _ does not exist/is not available”, so something is off
        • even though Strato is basically happy with my Ethereum install enough to execute the new user APIs no problem
        • i posted an issue on their forum
        • [update 2016-12-24] not only did support respond promptly the next day but it was Kieren James-Lubin (kjameslubin), the founder no less! turns out, quote: “You must run a Strato node to be able to use bloc. No other Ethereum client supports it… You can use strato-dev4.blockapps.net:9000 or launch one from the Azure market place or contact us at hello@blockapps.net to install.”… so, that is welcome clarity straight from the horse’s mouth… a rare luxury that i am grateful for on this christmas eve… we’ll hop over to those other options … and the adventure continues… 🙂

  2. get cracking on some real DAPPs!!
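Since the Strato detour above came down to JSON-RPC requests that lacked an "id" and a reply that surfaced as "[object Object]", here is an added example (my own code, not the post’s and not part of bloc or blockapps-js) of a minimal JSON-RPC 2.0 envelope builder and response check for the geth HTTP endpoint at http://localhost:8545. The transport is injected as a function so it runs offline; the sample bodies are constructed, the first copied from step 3 of the BlockApps readme list; eth_accounts and eth_blockNumber are standard geth RPC methods.

```javascript
// Added example (not from the post, bloc or blockapps-js): a JSON-RPC 2.0 envelope builder and
// response checker for the geth HTTP endpoint. Transport is injected so it runs offline.
let nextId = 1;

// Every request carries an id: geth answers a request without one with an error, which is
// the "missing request id" the post ran into.
function rpcRequest(method, params = []) {
  return { jsonrpc: '2.0', id: nextId++, method, params };
}

// Returns { ok: true, result } or { ok: false, code, message }. The error branch is checked
// before result is touched, so a failure shows up as its code and message rather than as an
// error object being handed on as if it were a result; a result is only accepted for the id we sent.
function parseRpcResponse(body, expectedId) {
  let msg;
  try { msg = JSON.parse(body); } catch (e) { throw new Error('response is not JSON'); }
  if (msg.jsonrpc !== '2.0') throw new Error('not a JSON-RPC 2.0 response');
  if (msg.error && typeof msg.error === 'object') {
    return { ok: false, code: msg.error.code, message: msg.error.message };
  }
  if (expectedId !== undefined && msg.id !== expectedId) {
    throw new Error(`id mismatch: sent ${expectedId}, got ${msg.id}`);
  }
  if (!('result' in msg)) throw new Error('response has neither result nor error');
  return { ok: true, result: msg.result };
}

// send is an injected transport: (requestBody string) => responseBody string, e.g. a wrapper
// around an HTTP POST with Content-Type: application/json to the geth endpoint.
function rpcCall(send, method, params = []) {
  const req = rpcRequest(method, params);
  return parseRpcResponse(send(JSON.stringify(req)), req.id);
}

// Constructed sample bodies.
const EOF_BODY = '{"jsonrpc":"2.0","error":{"code":-32600,"message":"EOF"}}'; // geth's reply to the bare curl GET in the post
const ACCOUNTS_BODY = '{"jsonrpc":"2.0","id":7,"result":["0xa962a8e09ae6a096258d988588f2e8639cd2a664"]}';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(parseRpcResponse(EOF_BODY));          // { ok: false, code: -32600, message: 'EOF' }
  console.log(parseRpcResponse(ACCOUNTS_BODY, 7));  // { ok: true, result: [ '0xa962…' ] }
}
```

The id check is what makes a client safe to use over a shared or proxied endpoint: a reply that does not match the request just sent is rejected instead of being taken as that request’s result.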


Handy References

Exposing Azure Function web API to native & web clients through Azure AD authentication

Problem

Azure AD writeups are prevalent but I was really struggling to find examples of calling the same Azure Function API, secured by Azure AD Authentication, by both Native as well as Web clients (since we can only select one app type in the Azure AD App registration, not both).

TL;DR

The kicker solution for me was having both a web and native App registration (i.e. two Client Id’s) and providing the WEB App registration’s Application Id as the “RESOURCE” parameter to the AuthenticationContext.AcquireTokenAsync() call in the Native app (see code sample below).

So the web registration is tied directly to the Azure Function… and then we’re piggybacking the web registration by requesting the web as the resource parameter in the native client call … i haven’t seen this documented yet so i can’t say whether this is an officially preferred solution.

Basic Steps

This is a good getting started guide, in parity with the current landscape.

  1. get your Azure Function working as a web api… probably doesn’t matter whether web or native comes first but it seems like the web is more “trusted” from an OAuth standpoint and more clearly documented… OAuth refers to native clients as “public” and requiring a couple more OAuth contortions than web clients.
  2. create a Web type entry for your Function under New Portal > Azure Active Directory > App registrations… all the defaults are good, except you’ll need to create the Reply URLs that are valid for you… reply url is a parameter to your ADAL.js client call… in the end this entry provides the crucial Application Id aka Client Id
  3. now configure this web registration for AD Auth via New Portal > App Services > {your Function app} > Function app settings > Configure authentication > Authentication Providers > Azure AD > Express >
    1. Azure AD App = the Web App registration name you gave above
  4. Now create another Azure AD > App registration as Native type and (HERE’S THE KICKER) > Settings > Required Permissions > Add > Select an API > TYPE IN YOUR web App registration name in the search box and it’ll show up to be selected
  5. finally, use the Application Id guid from your web app as the RESOURCE parameter to the AcquireTokenAsync() call in your native app

Working ADAL.js web client code sample

Working Xamarin Native iOS app client code sample

Typical error responses

Various attempts at sussing out a valid resource value for the AcquireTokenAsync() in my Xamarin Forms native iOS app would yield the following error:
AADSTS65005: The client application has requested access to resource <xyz>. This request has failed because the client has not specified this resource in its requiredResourceAccess list

i was also getting these where {app} was the resource i was passing when i had the ClientId parameter wrong
AADSTS50001: The application named {app} was not found in the tenant named {tentant}.

Helpful references

What is my Tenant Id or “Authority” URL ???

Wanted to mention this in closing since “Tenant” is currently so ambiguously referred to in the documentation i ran into…
New Portal > Azure Active Directory > App registrations > Endpoints is where you pull the “Authority” Url from the “OAUTH 2.0 AUTHORIZATION ENDPOINT” slot – the main argument for new AuthenticationContext()

for example:
https://login.windows.net/9198d419-6ce5-4229-a457-8c38421f7466/oauth2/authorize
this “9198…” guid is your Tenant Id (don’t worry this one is made up)

our tenant appears to be simply our azure ad domain name, at least in typical configurations… so this works here as well:
https://login.windows.net/XYZ.onmicrosoft.com/oauth2/authorize


Lighter Spin on ADAL in Xamarin Forms

tl;dr

new-up the elusive “PlatformParameters” in your AppDelegate.cs::FinishedLoading / MainActivity.cs::OnCreate

ts;wm (too short; want more ; )

thankfully we have solid writeups on ADAL with XF… this post is just me trying to boil it down to essence and PCL as much as possible…
(BTW: ADAL = Active Directory Auth Lib… i needed it for PowerBI embedding)

  1. http://www.appzinside.com/2016/02/22/implement-adal-for-cross-platform-xamarin-applications/
  2. https://blog.xamarin.com/authenticate-mobile-apps-using-microsoft-authentication-library/

the first post keeps the platform specific surface area pretty minimal but also winds up wrappering the stock ADAL classes quite a bit…
the second post seems pretty minimal and leverages CustomRenderers for the right timing to grab this context… seems like a good general trick to tuck away…

the approach i came to is grabbing this context right up front in app initialization and then providing it through dependency injection later…
both pieces of that are basically one liners which feels nice
also it’s now conveniently available to other services should needs arise…
and theoretically we’ve kept things clean for TDD but honestly i don’t readily see how to test this flow since it requires interactive auth… i’ll have to read up on how people generally recommend mocking this kind of thing

iOS AppDelegate.cs::FinishedLoading()

Android MainActivity.cs::OnCreate

then later in calling code just reference via DI

Free SSL Certs

LetsEncrypt.org is a wonderfully progressive initiative… free certs for all, to promote better internet security, nice!

this windows tool made quick work of plugging it into IIS vs the more unix’y stuff they suggest on their home page
literally just seconds to launch the win tool and hit a key to select which IIS site you want the cert for… none of the ol’ CSR hassle, yay!

Tips:

  • your web server has to be reachable on the public internet at the domain url (port 80) you wish to gen the cert for
  • the win tool will be most automatic when you plug your domain into the host-header (port 80)

Note: the LetsEncrypt certs come set to expire in 90 days – BUT, the windows tool schedules a recurring task to reach out and automatically renew the certs before that expiration. Pretty slick… will have to watch whether that actually works come time.