Archive | Linux

My SSL/Certificate Cheatsheet

Whenever a certificate needs to be renewed, I always have to scramble to remember how to update/renew. I finally put a cheat sheet together.

I decided I will do all cert-related stuff from Linux. Here are some commands:

To request a new csr with a new key:

openssl req -newkey rsa:2048 -keyout yourcompany.com.key -out yourcompany.com.csr

Generating a 2048 bit RSA private key
.............................................................................................+++
.............+++
writing new private key to 'stratgovadvisors.com'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New York
Locality Name (eg, city) []:New York
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your Company name
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:*.yourcompany.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

To request a new csr with an existing key:

openssl req -new -key yourcompany.com.key -out yourcompany.com.csr 

To make a PFX from a private key and a cert:

openssl pkcs12 -export -out yourcompany.com.pfx -inkey yourcompany.com.key -in yourcompany.com.crt

To extract Private key and Cert from a PFX (3 steps)

Export the private key

openssl pkcs12 -in yourcompany.com.pfx -nocerts -out yourcompany.com.pem -nodes

Export the certificate

openssl pkcs12 -in yourcompany.com.pfx -nokeys -out yourcompany.com.crt

Remove the passphrase from the private key

openssl rsa -in yourcompany.com.pem -out yourcompany.com.key 
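A check worth running before the pkcs12 -export step and again after extracting from a PFX, as an added example that is not part of the original post: it confirms that the key, the CSR and the certificate all carry the same public key. The function names (pubkey_of, same_keypair, check_before_pfx) are this example's own, and the key is assumed to be readable without a passphrase prompt.

```shell
# Added example: confirm that a private key, a CSR and a certificate all
# carry the same public key before they are bundled or deployed.

# pubkey_of TYPE FILE -> prints the PEM public key; TYPE is key, csr or crt
pubkey_of() {
  case "$1" in
    key) openssl pkey -in "$2" -pubout ;;
    csr) openssl req  -in "$2" -noout -pubkey ;;
    crt) openssl x509 -in "$2" -noout -pubkey ;;
    *)   return 2 ;;
  esac 2>/dev/null
}

# same_keypair KEYFILE TYPE FILE -> exit 0 only when both hold the same key
same_keypair() {
  key_pub=$(pubkey_of key "$1") || return 2
  other_pub=$(pubkey_of "$2" "$3") || return 2
  [ -n "$key_pub" ] && [ "$key_pub" = "$other_pub" ]
}

# check_before_pfx KEY CSR CRT -> stop at the first mismatch
check_before_pfx() {
  same_keypair "$1" csr "$2" || { echo "CSR does not match $1" >&2; return 1; }
  same_keypair "$1" crt "$3" || { echo "certificate does not match $1" >&2; return 1; }
  echo "key, CSR and certificate match"
}

# Usage with the file names from this page:
#   check_before_pfx yourcompany.com.key yourcompany.com.csr yourcompany.com.crt \
#     && openssl pkcs12 -export -out yourcompany.com.pfx \
#          -inkey yourcompany.com.key -in yourcompany.com.crt
```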

Using Let’s Encrypt, certbot-auto with Apache on CentOS 6

There are plenty of better documented examples out there, so this is more of a note to self.

cd /opt
mkdir YourDir
cd YourDir/
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto

./certbot-auto --apache certonly -d www.FirstDomain.com -d FirstDomain.com -d www.SecondDomain.com -d SecondDomain.com -d www.ThirdDomain.com -d ThirdDomain.com -d www.FourthDomain.com -d FourthDomain.com

The name on the cert will be the first domain you list in the command above. All the other names will be included on the cert as SANs.

And to renew, cron this up:
/opt/YourDir/certbot-auto renew


Raspberry Pi, Raspbian Jessie (based on Debian Jessie) disable AutoLogin GUI & Console

I did NOT want my Raspbian Jessie install to automatically boot into the GUI, and I did NOT want it to autologin.

I know I can run raspi-config to change it, but I like to script things! I finally tracked down the code for the new raspi-config that supports systemd. It can be found here.

Here are the commands to change what used to be the run level.

Console

systemctl set-default multi-user.target
ln -fs /lib/systemd/system/getty@.service /etc/systemd/system/getty.target.wants/getty@tty1.service

Console Autologin

systemctl set-default multi-user.target
ln -fs /etc/systemd/system/autologin@.service /etc/systemd/system/getty.target.wants/getty@tty1.service

Desktop

systemctl set-default graphical.target
ln -fs /lib/systemd/system/getty@.service /etc/systemd/system/getty.target.wants/getty@tty1.service
sed /etc/lightdm/lightdm.conf -i -e "s/^autologin-user=pi/#autologin-user=/"

Desktop AutoLogin

systemctl set-default graphical.target
ln -fs /etc/systemd/system/autologin@.service /etc/systemd/system/getty.target.wants/getty@tty1.service
sed /etc/lightdm/lightdm.conf -i -e "s/^#autologin-user=.*/autologin-user=pi/"

 

Hope that helps someone.

BASH script to change the Security Keys and SALTs in a wp-config.php file

I wanted to automatically change the Security Keys/SALTs when provisioning a new WordPress site. WordPress.com has a service that spits back random values (https://api.wordpress.org/secret-key/1.1/salt/). The script below curls the values and then modifies a wp-config.php file with the new random values.

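# Fetch a fresh set of define() lines from the salt service
SALTS=$(curl -s https://api.wordpress.org/secret-key/1.1/salt/)
while read -r SALT; do
  # Field 2 is the constant name, field 4 is its new random value
  SEARCH="define('$(echo "$SALT" | cut -d "'" -f 2)"
  REPLACE=$(echo "$SALT" | cut -d "'" -f 4)
  echo "... $SEARCH ... $SEARCH ..."
  # Escape \, / and & for sed; "$REPLACE" is quoted so spaces and glob characters survive
  sed -i "/^$SEARCH/s/put your unique phrase here/$(printf '%s\n' "$REPLACE" | sed -e 's/\\/\\\\/g' -e 's/\//\\\//g' -e 's/&/\\\&/g')/" /Path/To/Your/wp-config.php
done <<< "$SALTS"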

Don’t remember where I got the pieces of this, but here it is, I have been using it for a while and it seems to work well.
Hope that helps someone.
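A stricter variant of the script above, as an added example rather than code from the original post: it rejects a failed or malformed response before the file is touched, and it replaces the eight constants whatever their current value. The function name rotate_salts, the optional saved-response argument and the assumed line format (a 64-character value with no single quote) are this example's assumptions.

```shell
# Added example: validate the salt response before touching wp-config.php.
# rotate_salts CONFIG [SALT_FILE]
#   SALT_FILE is optional: a saved response to use instead of calling the API.
rotate_salts() {
  config=$1
  if [ -n "${2:-}" ]; then
    salts=$(cat "$2") || return 1
  else
    # -f: fail on an HTTP error instead of handing back the error page
    salts=$(curl -fsS https://api.wordpress.org/secret-key/1.1/salt/) || return 1
  fi
  tmp=$(mktemp) || return 1
  rc=1
  # awk reads the new block first (stdin), then the config. \047 is a single
  # quote. Assumed line format: define('NAME', 'value'); where value is 64
  # characters long and contains no single quote.
  if printf '%s\n' "$salts" | awk '
      NR == FNR {
        n = split($0, p, "\047"); count++
        if (n != 5 || p[1] != "define(" || p[2] !~ /^[A-Z_]+$/ ||
            p[3] !~ /^, +$/ || length(p[4]) != 64 || p[5] != ");") bad = 1
        fresh[p[2]] = $0
        next
      }
      /^define\(/ {
        split($0, p, "\047")
        if (p[2] in fresh) { print fresh[p[2]]; seen++; next }
      }
      { print }
      # Succeed only if 8 valid lines came in and all 8 constants were replaced
      END { exit ((bad || count != 8 || seen != 8) ? 1 : 0) }
    ' - "$config" > "$tmp"
  then
    # Overwrite in place so the file keeps its owner and mode
    cat "$tmp" > "$config" && rc=0
  fi
  rm -f "$tmp"
  return "$rc"
}
```

Call it as rotate_salts /Path/To/Your/wp-config.php; a non-zero exit status means the file was left as it was.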

My git notes

Been playing around with git to manage my “Environment”. This is a note to self. May add more at some point.
List files that have been “staged”
  • git diff --name-only --cached
To create a “Central repo”
  • To setup an empty central repo:
    • mkdir /your/path/folder/project.git
    • cd /your/path/folder/project.git
    • git init --bare --shared
  • To add files to the central repo:
    • Go to the existing file structure and setup a new git repo (if it is not there already)
    • cd your/local/workspace/project
    • git init
    • git add .
    • git commit -m "First Commit"
    • git remote add origin server.domain.com:/your/path/folder/project.git
    • git push origin master
  • If you make a change in your local copy and you want to push it up to the Central repo
    • git add .
    • git commit -m "This is what changed"
    • git push origin master
  • And to get those changes to other machines
    • git pull origin master
  • And to setup a new machine
    • git clone server.domain.com:/your/path/folder/project.git

Got most of the info from here

My Debian/Raspberry Pi cheat sheet (translations from CentOS)

I have worked on Solaris and RedHat/CentOS (although Solaris was many years ago, so I should just admit that I no longer know where anything is). I find Debian to be a different dialect than RedHat. This post is going to serve as my translation cheat sheet.

  1. I use the bash complete string below with ssh and ping. It was not working under Debian. Turns out that the host names are hashed in the known_hosts files under Debian. I had to add “HashKnownHosts no” to my .ssh/config and then re-populate the known_hosts file.
    complete -W "$(sed -e 's/^  *//' -e '/^#/d' -e 's/[, ].*//' -e '/\[/d' ~/.ssh/known_hosts | sort -u)" ssh ping
    
  2. Debian on arm does not seem to have sysvconfig, so I need to go into /etc/init.d/ and call the script by name to start, stop, restart or get the status of a service
  3. To stop a service from running at boot “update-rc.d -f smb remove” (chkconfig smb off)
  4. To start a service at boot “update-rc.d nfs defaults” (chkconfig nfs on)
  5. cat /etc/debian_version = cat /etc/redhat-release
  6. More to come

Update DynDNS from the command line

My router is not updating DynDNS correctly, so I wanted to use a simple cron job to do the same. Here is a simple BASH/Shell script to update DynDNS:

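# Look up the current public IP, then send the update.
# -k (skip certificate verification) is left out so the credentials only go to a server with a valid certificate.
IP=$(curl -s https://icanhazip.com)
curl -v -u username:password "https://members.dyndns.org/nic/update?hostname=DNSHOSTNAME.dyndns.org&myip=$IP"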

How to setup a remote syslog server in CentOS 6

I wanted to have a Cisco device send its logs to a CentOS box for troubleshooting. I just wanted to do a “tail -f” against the error logs. Seems that syslog is now rsyslog in CentOS 6. To set up rsyslog to accept syslog logs from other devices, you need to:

1. Uncomment the following lines (not the description lines, the ones that start with “$”)

# Provides UDP syslog reception
$ModLoad imudp.so
$UDPServerRun 514

# Provides TCP syslog reception
$ModLoad imtcp.so
$InputTCPServerRun 514

2. Add a line or two like these below to say where you want the logs written:

:fromhost-ip,startswith,"192.168.1." /var/log/remote.log
& ~
:fromhost-ip,isequal,"192.168.1.33" /var/log/servername.log
& ~

3. service rsyslog restart

4. add a hole in iptables for 514 (UDP and TCP)

-A INPUT -m state --state NEW -m udp -p udp --dport 514 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 514 -j ACCEPT

5. service iptables restart

6. create a new logrotate.d config file in /etc/logrotate.d:

/var/log/remote.log
{
daily
rotate 5
missingok
notifempty
sharedscripts
postrotate
/bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
endscript
}

CentOS 6 in a VM – Console resolution

I can NEVER remember this, and every time I re-install CentOS in a VM I have to go searching.

If you want the console size to be larger in a VM, add vga=791 (for 1024×768) to the end of the kernel line in /etc/grub.conf.

The VESA values (for linux) are here

How to add Gnome to a CentOS 6 minimal install

I have been using the minimal iso (CentOS-6.0-x86_64-minimal.iso) to install CentOS 6. I wanted to add a GUI to my vm, but I could not find easy documentation showing how to add a GUI, or Gnome in this case, to a CentOS 6 minimal install. I was not looking for the smallest X windows install, I was just trying to get the Desktop to function like it would as if I installed from the full DVD.

There are a lot of results of how to do this, but things have been renamed in CentOS 6, so that made it more difficult to figure out. Also, a yum groupinstall accepts “Short Names” and what I am assuming are called “Long Names”, which added to my confusion.

To add Gnome/GUI to a minimal CentOS 6 install run (short name version):

yum groupinstall basic-desktop desktop-platform x11 fonts

And the “long name” version:

yum groupinstall "Desktop" "Desktop Platform" "X Window System" "Fonts"

Hope that helps someone or at least helps me to remember.
