Monthly Archives: March 2012

Request an SSL certificate

When you use OpenSSL often, a handful of commands come up again and again. Here are the ones that come up most regularly.

General OpenSSL Commands

These commands allow you to generate CSRs, Certificates, Private Keys and do other miscellaneous tasks.

  • Generate a new private key and Certificate Signing Request
    openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key
  • Generate a self-signed certificate (see How to Create and Install an Apache Self Signed Certificate for more info)
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt
  • Generate a certificate signing request (CSR) for an existing private key
    openssl req -out CSR.csr -key privateKey.key -new
  • Generate a certificate signing request based on an existing certificate
    openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey privateKey.key
  • Remove a passphrase from a private key
    openssl rsa -in privateKey.pem -out newPrivateKey.pem

Checking Using OpenSSL

If you need to check the information within a certificate, CSR or private key, use these commands. (The source site also offers online tools to check CSRs and certificates.)

  • Check a Certificate Signing Request (CSR)
    openssl req -text -noout -verify -in CSR.csr
  • Check a private key
    openssl rsa -in privateKey.key -check
  • Check a certificate
    openssl x509 -in certificate.crt -text -noout
  • Check a PKCS#12 file (.pfx or .p12)
    openssl pkcs12 -info -in keyStore.p12

Debugging Using OpenSSL

If you are getting an error that the private key doesn’t match the certificate, or that a certificate you installed on a site is not trusted, try one of these commands. If you want to verify that an SSL certificate is installed correctly, the source site’s SSL Checker does the same check from the outside.

  • Compare the MD5 hash of the public-key modulus in a certificate with the hash from its CSR or private key; the hashes must be identical, otherwise the key does not belong to the certificate
    openssl x509 -noout -modulus -in certificate.crt | openssl md5
    openssl rsa -noout -modulus -in privateKey.key | openssl md5
    openssl req -noout -modulus -in CSR.csr | openssl md5
  • Check an SSL connection. All the certificates in the chain (including intermediates) should be displayed
    openssl s_client -connect :443
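The three modulus commands above, wrapped into a check that tells you directly whether a certificate, CSR and key belong together. This is an added example written for this page, not part of the sslshopper article; it constructs its own test key, CSR and certificate (plus an unrelated second key) in a temporary directory, so it runs stand-alone:

```shell
#!/bin/sh
# Added example, not from the original article: generate a key, its CSR and a
# self-signed certificate in a scratch directory, then compare the RSA modulus
# hashes exactly as the three "Debugging" commands do. A second, unrelated key
# (constructed here) shows what a mismatch looks like.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test material; file names follow the article.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example.test" \
    -keyout "$WORK/privateKey.key" -out "$WORK/CSR.csr" 2>/dev/null
openssl x509 -req -days 365 -in "$WORK/CSR.csr" \
    -signkey "$WORK/privateKey.key" -out "$WORK/certificate.crt" 2>/dev/null
openssl genrsa -out "$WORK/otherKey.key" 2048 2>/dev/null

# modulus_hash FILE: MD5 of the RSA modulus in a certificate, CSR or private
# key, picking the openssl subcommand by file extension (.pem may be either a
# certificate or a key, so try x509 first and fall back to rsa).
modulus_hash() {
    case "$1" in
        *.crt|*.cer) openssl x509 -noout -modulus -in "$1" ;;
        *.csr)       openssl req  -noout -modulus -in "$1" ;;
        *.pem)       openssl x509 -noout -modulus -in "$1" 2>/dev/null \
                     || openssl rsa -noout -modulus -in "$1" ;;
        *)           openssl rsa  -noout -modulus -in "$1" ;;
    esac | openssl md5 | awk '{print $NF}'
}

# key_matches CERT FILE...: 0 when every FILE carries CERT's modulus, else 1.
key_matches() {
    ref=$(modulus_hash "$1")
    shift
    for f in "$@"; do
        [ "$(modulus_hash "$f")" = "$ref" ] || return 1
    done
    return 0
}

if key_matches "$WORK/certificate.crt" "$WORK/privateKey.key" "$WORK/CSR.csr"; then
    echo "certificate.crt, privateKey.key and CSR.csr belong together"
fi
if key_matches "$WORK/certificate.crt" "$WORK/otherKey.key"; then
    echo "unexpected: otherKey.key matched"
else
    echo "otherKey.key does not belong to certificate.crt (modulus differs)"
fi
```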

Converting Using OpenSSL

These commands allow you to convert certificates and keys to different formats to make them compatible with specific types of servers or software. For example, you can convert a normal PEM file that works with Apache to a PFX (PKCS#12) file and use it with Tomcat or IIS. The source site’s SSL Converter does the same conversions without touching OpenSSL.

  • Convert a DER file (.crt .cer .der) to PEM
    openssl x509 -inform der -in certificate.cer -out certificate.pem
  • Convert a PEM file to DER
    openssl x509 -outform der -in certificate.pem -out certificate.der
  • Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM
    openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes

    You can add -nocerts to only output the private key or add -nokeys to only output the certificates.

  • Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12)
    openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

source: http://www.sslshopper.com/article-most-common-openssl-commands.html

Backup Exec 2012 – HP MSL 2024

I installed Backup Exec 2012 on a new DL380 machine which I connected to our HP MSL 2024. When I started to back up our environments all the backups ran into problems.

They all ran into one of these two errors:

  1. Adamm Mover Error: Write Failure!
  2. An unknown error has occurred.

And for both, Symantec Backup Exec 2012 blamed the tape drive: “A device attached to the computer doesn’t work correctly.” I ran all the HP tape storage tool tests and they all indicated that the MSL was working correctly. After digging through Google I found the solution for this problem on Symantec’s site (http://www.symantec.com/business/support/index?page=content&id=TECH61192).

Disabling SCSI Information from HP did the trick. 

Disable the HP Management Agents:
Go to Control Panel > HP Management Agents, select the Services tab, then move SCSI Information to the Inactive Agents column. Retry the backup job.
If it still fails, try moving the Performance Monitor agent to the inactive column as well and try the backup again.
Disable the following HP services, then reboot the server and test another backup:
  –  HP Insight Server Agents
  –  HP Insight Storage Agents
  –  HP Insight Foundation Agents
  –  HP WMI Storage Providers service
NOTE: Not all of these services may be present. Only disable what is listed above.

Set the title of an OS X terminal tab

If you’re like me and have one terminal window in OS X with a lot of tabs, it is handy to see which tab holds the connection to which server.

The terminal title can easily be set to something you like.

Example: Set to the hostname of the server:

echo -n -e "\033]0;`hostname`\007"

Example: Set to something else

echo -n -e "\033]0;something else\007"

Just add this to the .profile file in your home directory and the shell appears with your text set as the tab title.
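As an added example, not part of the original post: the same escape sequence wrapped in a function, plus an ssh wrapper that renames the tab to the remote host while the session is open and restores the local hostname afterwards (last_arg and local_host are helper names introduced here):

```shell
#!/bin/sh
# Added example, not from the original post. Source this from ~/.profile.

# tab_title_seq TEXT: print the OSC 0 sequence that sets window and tab title
# (ESC ] 0 ; TEXT BEL), the same bytes the post's echo line emits.
tab_title_seq() {
    printf '\033]0;%s\007' "$1"
}

# local_host: the short local hostname, used as the default title.
local_host() {
    h=$(uname -n)
    printf '%s\n' "${h%%.*}"
}

# last_arg ARG...: print the last argument; for ssh that is normally the
# user@host target, which is what we want in the tab.
last_arg() {
    eval "printf '%s\n' \"\${$#}\""
}

# ssh wrapper: title becomes the target, the real ssh runs, and the title
# reverts to the local hostname when the connection closes.
ssh() {
    tab_title_seq "$(last_arg "$@")"
    command ssh "$@"
    rc=$?
    tab_title_seq "$(local_host)"
    return $rc
}

# Default title for a fresh shell, as in the post: the local hostname.
tab_title_seq "$(local_host)"
```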

Send postfix-logwatch from previous day

I like to monitor my mail servers with postfix-logwatch, which is a great tool for telling you what has been happening on your server. Because I don’t want to miss anything, I added the following line to my crontab to mail me a summary every night around 4 in the morning.

0 4 * * * root /usr/bin/zcat /var/log/maillog.0.bz2 | /usr/local/bin/postfix-logwatch | mail -s "Mailserver log summary for: `hostname`" sysadmin@example.com

In the crontab this is a single line. If you don’t compress your logs, drop the .bz2 suffix and use cat instead of zcat.

A telnet client for an SSL connection

Sometimes it is handy to debug services by hand. For plain-text services telnet is always a handy tool, but it is completely useless for SSL-encrypted services. OpenSSL to the rescue!

openssl s_client -connect

Test SMTP server using telnet

The steps to test an e-mail server are quite simple; below you will find them.
In these examples mail.example.com is the server that is being tested.

> telnet mail.example.com 25
< 220 fallback.xeed.nl ESMTP Postfix
> EHLO test.com
< 250-mail.example.com
< 250-PIPELINING
< 250-SIZE 10240000
< 250-VRFY
< 250-ETRN
< 250-ENHANCEDSTATUSCODES
< 250-8BITMIME
< 250 DSN
> MAIL FROM: foo@test.com
< 250 OK – MAIL FROM foo@test.com
> RCPT TO: User@test.com
< 250 OK – Recipient User@test.com
> DATA
< 354 Send data. End with CRLF.CRLF
> type the message and end with <return> . <return>
< 250 OK
> QUIT
< 221 closing connection

The output may vary from server to server, but the commands are the same.
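An added example (not part of the original post) that drives the same dialogue non-interactively: smtp_script prints the client commands, check_replies verifies from the server's output that the reply codes arrive in the order shown above (220, 250, 250, 250, 354, 250, 221), and test_smtp runs the exchange over nc, which is assumed to be installed:

```shell
#!/bin/sh
# Added example, not part of the original post. For a TLS-only service,
# "openssl s_client -starttls smtp -connect HOST:25 -crlf" can replace nc.

# smtp_script FROM TO: client commands with CRLF line ends. The short sleeps
# give the server time to answer each command; some servers reject commands
# that arrive before the banner (pipelining checks).
smtp_script() {
    sleep 1; printf 'EHLO test.com\r\n'
    sleep 1; printf 'MAIL FROM:<%s>\r\n' "$1"
    sleep 1; printf 'RCPT TO:<%s>\r\n' "$2"
    sleep 1; printf 'DATA\r\n'
    sleep 1; printf 'Subject: smtp test\r\n\r\ntest message\r\n.\r\n'
    sleep 1; printf 'QUIT\r\n'
}

# check_replies: read server output from stdin and confirm the status codes
# come in the order 220 250 250 250 354 250 221. Lines like "250-PIPELINING"
# are continuations of one multi-line reply (the EHLO answer above) and are
# skipped; a reply counts when its final "250 " line arrives. Returns 1 at
# the first unexpected code or if the conversation ends early.
check_replies() {
    set -- 220 250 250 250 354 250 221
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | tr -d '\r')
        case "$line" in
            [0-9][0-9][0-9]-*) continue ;;           # continuation line
            [0-9][0-9][0-9]" "*|[0-9][0-9][0-9]) ;;  # final line of a reply
            *) continue ;;                           # not a status line
        esac
        code=${line%%[ -]*}
        [ $# -gt 0 ] || { echo "unexpected extra reply: $line" >&2; return 1; }
        [ "$code" = "$1" ] || { echo "expected $1, got: $line" >&2; return 1; }
        shift
    done
    [ $# -eq 0 ]   # every expected reply was seen
}

# test_smtp HOST FROM TO: run the exchange against HOST on port 25.
test_smtp() {
    smtp_script "$2" "$3" | nc -w 10 "$1" 25 | check_replies
}
# Usage: test_smtp mail.example.com foo@test.com User@test.com
```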


Set the time server in a Windows domain

  1. First, locate your PDC server. Open the command prompt and type: C:\>netdom /query fsmo
  2. Log in to your PDC server and open the command prompt.
  3. Stop the Windows Time service: C:\>net stop w32time
  4. Configure the external time sources (the peer list is space separated): C:\>w32tm /config /syncfromflags:manual /manualpeerlist:"0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org"
  5. Make your PDC a reliable time source for the clients: C:\>w32tm /config /reliable:yes
  6. Start the Windows Time service: C:\>net start w32time
  7. The Windows Time service should begin synchronizing the time. You can check the external NTP servers in the time configuration by typing: C:\>w32tm /query /configuration
  8. Check the Event Viewer for any errors.

Error: pw: user ‘username’ disappeared during update

Today I ran into a problem which made pw produce an error on creation of a new user.
When I tried to create a user it simply told me:

“pw: user ‘nagios’ already exists”

What the hell!?!?! Luckily the problem was quickly fixed by recreating the /etc/passwd file.

pwd_mkdb -p /etc/master.passwd

Install chroot bind on FreeBSD

Sometimes when you search the internet you’ll find howtos that are good enough. This one explained nicely how to install BIND in a chroot environment. The original howto is located here; just for my own reference and future updates it is copied and altered below.


FreeBSD is known as one of the most rock-solid, reliable and polished operating systems. I am personally a lover of FreeBSD, so I want to publish a nice howto about DNS (BIND).

In this tutorial I’ll describe how to set up a secure FreeBSD-based master/slave DNS server. You can use this tutorial on both 64-bit and 32-bit platforms.


We will use 192.168.0.1 as the master server and 192.168.0.2 as the slave server.

Installing and Configuring DNS:

FreeBSD 9.0 is used for this tutorial. BIND is already part of the FreeBSD base installation; you can check the installed version with named -v.

1) Update your ports tree; I personally prefer portsnap for ports tree management. After updating the ports tree, check which version is in the ports collection:

grep PORTVERSION /usr/ports/dns/bind99/Makefile

If the ports version equals the BIND version already installed we don’t need to install a new one; otherwise we install the newer version from ports.

Installation from Ports: Master/Slave

cd /usr/ports/dns/bind99
make config ; make install clean

Select REPLACE_BASE in the options menu (toggle it with the spacebar); the other options can be left as they are.

Configuration:

We need to add “NO_BIND = YES” to /etc/make.conf on both master and slave, which you can do with the following command:

echo "NO_BIND = YES" >> /etc/make.conf

This setting tells make not to build the base-system version of BIND if you rebuild FreeBSD from source.

Chroot Environment: master/slave

Now let’s set up the directory structure for the chroot-jailed BIND. The directory can be anywhere on your system’s file system; I have planned to use /var/chroot/named as the BIND directory. Let’s start by creating the following directory structure:

mkdir -p /var/chroot/named/etc/namedb/log
mkdir -p /var/chroot/named/etc/namedb/master
mkdir -p /var/chroot/named/etc/namedb/slave
mkdir -p /var/chroot/named/dev
mkdir -p /var/chroot/named/var/run

Placing existing Data

We need to copy the named.root file (the root hints) into the chroot directory so BIND can reach the root servers:

cp /etc/namedb/named.root /var/chroot/named/etc/namedb/

We need one more file in the /etc directory inside the chroot jail: copy /etc/localtime so that BIND logs with the correct local time.

cp /etc/localtime /var/chroot/named/etc

System Supported Files

When BIND is running in the chroot jail it cannot access files outside the jail, so the few device nodes it needs have to be created inside the chroot:

cd /var/chroot/named/dev
mknod zero c 2 12
ln -s /dev/random .
mknod null c 2 2
chmod 666 zero random null

When you’ve created the directories, move (or back up) the old /etc/namedb directory and replace it with a symlink into the chroot:

cd /etc
mv namedb old.namedb
ln -s /var/chroot/named/etc/namedb .

Change the ownership of the newly created directories to the bind user:

cd /var/chroot
chown -R bind:bind named
chmod 700 named

RNDC Key

Now we need to generate the rndc key file and add its contents to named.conf. rndc.key holds the shared secret that the rndc utility needs to authenticate to named; it is also used if you run dynamic DNS together with DHCP.

rndc-confgen -a -c /etc/namedb/rndc.conf -k dnsadmin -b 256

This creates a key named dnsadmin with a size of 256 bits. At least 256 bits is recommended if you’re using this for a public server. When you’ve generated the key, edit /etc/namedb/rndc.conf and add these lines at the end of the file:

options {
    default-key "dnsadmin";
    default-server 127.0.0.1;
};

That’s all; everything is now configured and in place. Next we need to create the named.conf files for both the master and the slave server.

named.conf – master/slave

vi /etc/named.conf

First we create an ACL for our slave servers (the slave is 192.168.0.2, as defined above):

acl "slaves" {
        192.168.0.2;
        };

Set general options such as the base directory, the pid file and other controlling options:

options {
        directory "/etc/namedb";
        pid-file "/var/run/named.pid";
        };

In the above configuration we have defined /etc/namedb as the base directory (a symlink to /var/chroot/named/etc/namedb) and given the path of the pid file.

Now we need to define the controls clause and the key section for the rndc connection, including the port BIND listens on for it:

controls {
        inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { dnsadmin; };
        };
key "dnsadmin" {
        algorithm hmac-md5;
        secret "o/cb6L1GDSbJWfRBpY3L=";
        };

In the above configuration we have created the key “dnsadmin” for the rndc connection; copy the secret line from /etc/namedb/rndc.conf and place it inside the key { } section shown above.
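An added example, not part of the original tutorial: a small check that the key clause pasted into named.conf really matches rndc.conf, since a mismatched secret or algorithm is the usual reason rndc cannot talk to an otherwise working named. key_field and rndc_key_matches are helper names written here; the file paths are the tutorial's:

```shell
#!/bin/sh
# Added example, not part of the original tutorial. Run it on the server after
# editing named.conf and before starting named.

# key_field FILE KEYNAME FIELD: print FIELD ("secret" or "algorithm") from the
# key "KEYNAME" { ... }; clause of a BIND-style config file, quotes and the
# trailing semicolon stripped. Prints nothing if the key or field is absent.
key_field() {
    awk -v want="\"$2\"" -v field="$3" '
        $1 == "key" && $2 == want   { inkey = 1; next }
        inkey && $1 == field        { gsub(/[";]/, "", $2); print $2; exit }
        inkey && $1 ~ /^};?$/       { inkey = 0 }
    ' "$1"
}

# rndc_key_matches NAMED_CONF RNDC_CONF KEYNAME: 0 when both files define the
# key with the same algorithm and secret, 1 otherwise (reason on stderr).
rndc_key_matches() {
    for f in algorithm secret; do
        a=$(key_field "$1" "$3" "$f")
        b=$(key_field "$2" "$3" "$f")
        if [ -z "$a" ] || [ -z "$b" ]; then
            echo "key $3: $f missing in $1 or $2" >&2
            return 1
        fi
        if [ "$a" != "$b" ]; then
            echo "key $3: $f differs ($a vs $b)" >&2
            return 1
        fi
    done
    return 0
}

# Usage with the tutorial's paths:
#   rndc_key_matches /etc/named.conf /etc/namedb/rndc.conf dnsadmin && rndc status
```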

For a caching name server we also need to define the root hints zone:

zone "." {
        type hint;
        file "named.root";
        };

Our named.conf has now been configured on both servers. Next, configure /etc/rc.conf on master and slave so BIND starts at system startup:

named_enable="YES"
named_program="/usr/sbin/named"
named_chrootdir="/var/chroot/named"
named_flags="-u bind -c /etc/named.conf"

Let’s configure our domain’s forward and reverse lookup zones on the master server and then start BIND.

For the forward lookup zone add the following to named.conf:

zone "techbabu.com" {
        type master;
        file "master/techbabu.com";
        allow-transfer { slaves; };
};

Now we need to add the reverse lookup zone; add it after the forward zone section in named.conf:

zone "0.168.192.in-addr.arpa" {
        type master;
        file "master/techbabu.rev";
        allow-transfer { slaves; };
};

Creating forward lookup zone files

cd /var/chroot/named/etc/namedb/master/
vi techbabu.com

Add these lines

$TTL 3600
$ORIGIN techbabu.com.
@       IN      SOA     ns1.techbabu.com. postmaster.techbabu.com.  (
               300000328  ; serial
               28800      ; refresh (8 hours)
               7200       ; retry (2 hours)
               604800     ; expire (1 week)
               86400      ; minimum (1 day)
               )
              NS      ns1.techbabu.com.
              NS      ns2.techbabu.com.
              MX      10 mailbox.techbabu.com.
ns1       A       192.168.0.1
ns2       A       192.168.0.2

Creating reverse lookup zone files

cd /var/chroot/named/etc/namedb/master/
vi techbabu.rev

Add these lines

$TTL 3600
$ORIGIN 0.168.192.in-addr.arpa.
@       IN      SOA     ns1.techbabu.com. postmaster.techbabu.com.  (
           300000328  ; serial
           28800      ; refresh (8 hours)
           7200       ; retry (2 hours)
           604800     ; expire (1 week)
           86400      ; minimum (1 day)
           )
              NS      ns1.techbabu.com.
              NS      ns2.techbabu.com.
1       PTR      ns1.techbabu.com.
2       PTR      ns2.techbabu.com.

Our master server is now configured completely; start it:

/etc/rc.d/named start

Now edit /etc/resolv.conf, set nameserver 192.168.0.1 and dig your name server’s A record to make sure the master DNS server is running:

dig ns1.techbabu.com

If you see output something like this:

;; ANSWER SECTION:
ns1.techbabu.com.  3600  IN  A  192.168.0.1

your DNS server is working fine.

You can then try to ping outside domains to check whether caching (recursive resolution) is working.

Our master DNS server is fully functional and ready to use. Now configure named.conf on the slave:

vi /etc/named.conf

For the forward lookup zone add these lines:

zone "techbabu.com" {
        type slave;
        file "slave/techbabu.com";
        masters { 192.168.0.1; };
        allow-notify { 192.168.0.1; };
};

And for the reverse lookup zone:

zone "0.168.192.in-addr.arpa" {
        type slave;
        file "slave/techbabu.rev";
        masters { 192.168.0.1; };
        allow-notify { 192.168.0.1; };
};

Our slave server is also configured; now start it:

/etc/rc.d/named start

Now edit /etc/resolv.conf, set nameserver 192.168.0.2 and dig your name server’s A record to make sure the slave DNS server is running.

If you get the response, your slave DNS is also functional and ready to use.

Congratulations, you have successfully configured a secure master/slave DNS server.

If you have any suggestions regarding this tutorial please tell us; your comments will be very helpful.

Upgrade FreeBSD 8.2 to 9.0

Yesterday I tried to update some of the 8.2 servers to 9.0, which made me run into an error:

The update metadata is correctly signed, but failed an integrity check.
Cowardly refusing to proceed any further.

After some googling I found the solution to this problem. To fix it you have to patch the freebsd-update script, which can be done with the following sed command:

sed -i '' -e 's/=_/=%@_/' /usr/sbin/freebsd-update

Then re-run the upgrade command:

freebsd-update upgrade -r 9.0-RELEASE

If all went fine you can update your system. Just run:

freebsd-update install

When the install is done, restart your system:

shutdown -r now
OR
init 6

When the system comes back you need to re-run the install command to install all the userland updates:

freebsd-update install

After this is done the system prompts with a message which makes the upgrade a huge pain in the butt:

Completing this upgrade requires removing old shared object files.
 
Please rebuild all installed 3rd party software (e.g., programs
installed from the ports tree) and then run
"/usr/sbin/freebsd-update install"  again to
finish installing updates.

Rebuilding all applications can take anywhere from a couple of minutes to a very long time. I found a couple of lines in the FreeBSD handbook which make life a bit easier:

# portupgrade -f ruby
# rm /var/db/pkg/pkgdb.db
# portupgrade -f ruby18-bdb
# rm /var/db/pkg/pkgdb.db /usr/ports/INDEX-*.db
# portupgrade -af

The system now rebuilds all the installed applications.
To finish off the upgrade just re-run:

freebsd-update install

And you’re done.