Openssl certificates for apache

Posted on September 20, 2017 by manuel

In my former post i described a way how to create self signed SSL certificates with an own certificate authority. These certificates didn’t work in latest chrome versions so I updated my scripts to create valid certificates for chrome. This time I only create wildcard certificates because creating one for every subdomain was annoying.

#!/bin/bash
if [ -e ca.key ]; then
	echo "ca.key already exists"
	exit 1
fi

openssl genrsa -out ca.key 4096
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt \
  -subj "/C=AT/ST=Vienna/L=Vienna/O=Coffeebeans/CN=Coffeebeans Domain Validation Secure Server CA/emailAddress=office@coffeebeans.at"

#!/bin/bash

if [ -e ca.key ]; then

echo "ca.key already exists"

exit 1

openssl genrsa -out ca.key 4096

openssl req -new -x509 -days 3650 -key ca.key -out ca.crt \

-subj "/C=AT/ST=Vienna/L=Vienna/O=Coffeebeans/CN=Coffeebeans Domain Validation Secure Server CA/emailAddress=office@coffeebeans.at"

#!/bin/bash
NAME=star.$1
if [ "star." == $NAME ]; then
	echo "usage: $0 <domain.name>"
	exit 1
fi
if [ -e $NAME.key ]; then
	echo "$NAME.key already exists"
	exit 1
fi
if [ ! -e ca.crt ]; then
	echo "no ca certificate created"
	exit 1
fi

CONFIG=$(cat <<-EOF
[ca]
default_ca=CA_default

[CA_default]
dir=./ca
database=\$dir/index.txt
new_certs_dir=\$dir/newcerts
serial=\$dir/serial
private_key=./ca.key
certificate=./ca.crt
default_days=3650
default_md=sha256
policy=policy_anything
copy_extensions=copyall

[policy_anything]
countryName=optional
stateOrProvinceName=optional
localityName=optional
organizationName=optional
organizationalUnitName=optional
commonName=supplied
emailAddress=optional

[req]
default_bits=4096
prompt=no
default_md=sha256
req_extensions=req_ext
distinguished_name=dn
 
[ dn ]
C=AT
ST=Vienna
L=Vienna
OU=Domain Control Validated
emailAddress=office@coffeebeans.at
CN=*.$1
 
[ req_ext ]
subjectAltName=@alt_names
 
[ alt_names ]
DNS.1=$1
DNS.2=*.$1
EOF
)

# PREPARE
echo "$CONFIG" > config.txt
if [ ! -d ./ca ]; then
	mkdir -p ./ca/newcerts
	touch ./ca/index.txt
fi

openssl genrsa -out $NAME.key 4096
openssl req -new -key $NAME.key -out $NAME.csr -config config.txt
openssl ca -create_serial -batch -in $NAME.csr -out $NAME.crt -config config.txt

# CLEANUP
rm -f *.csr config.txt
chmod 644 *.key *.crt

#!/bin/bash

NAME=star.$1

if [ "star." == $NAME ]; then

echo "usage: $0 <domain.name>"

exit 1

if [ -e $NAME.key ]; then

echo "$NAME.key already exists"

exit 1

if [ ! -e ca.crt ]; then

echo "no ca certificate created"

exit 1

CONFIG=$(cat <<-EOF

[ca]

default_ca=CA_default

[CA_default]

dir=./ca

database=\$dir/index.txt

new_certs_dir=\$dir/newcerts

serial=\$dir/serial

private_key=./ca.key

certificate=./ca.crt

default_days=3650

default_md=sha256

policy=policy_anything

copy_extensions=copyall

[policy_anything]

countryName=optional

stateOrProvinceName=optional

localityName=optional

organizationName=optional

organizationalUnitName=optional

commonName=supplied

emailAddress=optional

[req]

default_bits=4096

prompt=no

default_md=sha256

req_extensions=req_ext

distinguished_name=dn

[ dn ]

C=AT

ST=Vienna

L=Vienna

OU=Domain Control Validated

emailAddress=office@coffeebeans.at

CN=*.$1

[ req_ext ]

subjectAltName=@alt_names

[ alt_names ]

DNS.1=$1

DNS.2=*.$1

EOF

)

# PREPARE

echo "$CONFIG" > config.txt

if [ ! -d ./ca ]; then

mkdir -p ./ca/newcerts

touch ./ca/index.txt

openssl genrsa -out $NAME.key 4096

openssl req -new -key $NAME.key -out $NAME.csr -config config.txt

openssl ca -create_serial -batch -in $NAME.csr -out $NAME.crt -config config.txt

# CLEANUP

rm -f *.csr config.txt

chmod 644 *.key *.crt

I also tried to use these certificates in postfix which did NOT work. To create files for postfix see my former post.

Robo 3T MongoDB client fails to start on ubuntu 16.04

Posted on September 11, 2017 by manuel

I tried to rim robo3t-1.1.1-linux-x86_64 downloaded from https://robomongo.org/ and got the following error when trying to run it:

This application failed to start because it could not find or load the Qt platform plugin "xcb"
in "".

Available platform plugins are: xcb.

Reinstalling the application may fix this problem.
Aborted

This application failed to start because it could not find or load the Qt platform plugin "xcb"

in "".

Available platform plugins are: xcb.

Reinstalling the application may fix this problem.

Aborted

Trying to install xcb via apt install xcb doesn’t change the behavior. Then I found a solution by removing all libstdc++* files from the lib directory in the extracted directory:

rm lib/libstdc++*

1	rm lib/libstdc++*

failed to run Kubelet: failed to create kubelet: misconfiguration: kubelet cgroup driver: “systemd” is different from docker cgroup driver: “cgroupfs”

Posted on August 28, 2017 by manuel

Distributor ID: Ubuntu
Description: Ubuntu 16.04.3 LTS
Release: 16.04
Codename: xenial

Docker version 17.06.0-ce, build 02c1d87

openshift-origin-server-v3.6.0-c4dd4cf-linux-64bit

I followed the steps under https://docs.openshift.org/latest/getting_started/administrators.html#downloading-the-binary and got the error in the title. To fix this you have to add “–exec-opt native.cgroupdriver=systemd” to ExecStart of docker. The best way to do this is to add a addin file /etc/systemd/system/docker.service.d/override.conf with following content:

[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H fd:// --exec-opt native.cgroupdriver=systemd

[Service]

ExecStart=

ExecStart=/usr/bin/dockerd -H fd:// --exec-opt native.cgroupdriver=systemd

Then reload systemd and restart docker:

sudo systemctl daemon-reload
sudo systemctl restart docker

1 2	sudo systemctl daemon-reload sudo systemctl restart docker

SSL certificates for apache

Posted on August 7, 2017 by manuel

Simple way to create self-signed SSL certificates.

#!/bin/bash
# usage: ./create-ca.sh
if [ -e ca.key ]; then
	echo "ca.key already exists"
	exit 1
fi

openssl genrsa -out ca.key 4096
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt \
  -subj "/C=AT/ST=Vienna/L=Vienna/O=coffeebeans.at/OU=IT/CN=coffeebeans.at/emailAddress=office@coffeebeans.at"

#!/bin/bash

# usage: ./create-ca.sh

if [ -e ca.key ]; then

echo "ca.key already exists"

exit 1

openssl genrsa -out ca.key 4096

openssl req -new -x509 -days 3650 -key ca.key -out ca.crt \

-subj "/C=AT/ST=Vienna/L=Vienna/O=coffeebeans.at/OU=IT/CN=coffeebeans.at/emailAddress=office@coffeebeans.at"

#!/bin/bash
# usage: ./create-key.sh CN
NAME=$1
SERIAL=`ls -l *.key | wc -l`

if [ $SERIAL -lt 10 ]; then
	SERIAL="0$SERIAL"
fi

if [ -e $NAME.key ]; then
	echo "$NAME.key already exists"
	exit 1
fi

if [ ! -e ca.crt ]; then
	echo "no ca certificate created"
	exit 1
fi

echo "creating key for $NAME with serial $SERIAL"
openssl genrsa -out $NAME.key 4096
openssl req -new -key $NAME.key -out $NAME.csr \
  -subj "/C=AT/ST=Vienna/L=Vienna/O=coffeebeans.at/OU=IT/CN=$NAME/emailAddress=office@coffeebeans.at"
openssl x509 -req -days 3650 -CA ca.crt -CAkey ca.key \
  -set_serial $SERIAL -in $NAME.csr -out $NAME.crt

rm *.csr

#!/bin/bash

# usage: ./create-key.sh CN

NAME=$1

SERIAL=`ls -l *.key | wc -l`

if [ $SERIAL -lt 10 ]; then

SERIAL="0$SERIAL"

if [ -e $NAME.key ]; then

echo "$NAME.key already exists"

exit 1

if [ ! -e ca.crt ]; then

echo "no ca certificate created"

exit 1

echo "creating key for $NAME with serial $SERIAL"

openssl genrsa -out $NAME.key 4096

openssl req -new -key $NAME.key -out $NAME.csr \

-subj "/C=AT/ST=Vienna/L=Vienna/O=coffeebeans.at/OU=IT/CN=$NAME/emailAddress=office@coffeebeans.at"

openssl x509 -req -days 3650 -CA ca.crt -CAkey ca.key \

-set_serial $SERIAL -in $NAME.csr -out $NAME.crt

rm *.csr

Ubuntu: Docker behind proxy

Posted on August 7, 2017 by manuel

sudo mkdir /etc/systemd/system/docker.service.d
cat /etc/systemd/system/docker.service.d/http-proxy.conf
[Service]
Environment="HTTP_PROXY=http://proxy-address:8080/"
Environment="HTTPS_PROXY=http://proxy-address:8080/"
Environment="NO_PROXY=localhost,127.0.0.1,.localdomain"

sudo systemctl daemon-reload
sudo systemctl restart docker

sudo mkdir /etc/systemd/system/docker.service.d

cat /etc/systemd/system/docker.service.d/http-proxy.conf

[Service]

Environment="HTTP_PROXY=http://proxy-address:8080/"

Environment="HTTPS_PROXY=http://proxy-address:8080/"

Environment="NO_PROXY=localhost,127.0.0.1,.localdomain"

sudo systemctl daemon-reload

sudo systemctl restart docker

12factor App

Posted on August 3, 2017 by manuel

found an interesting page about some base principals you should remember when building an application: https://12factor.net/de/

Java base project for website under tomcat

Posted on April 30, 2017 by manuel

see https://github.com/mbogner/java-website-base

disable input device like a touchpad und linux

Posted on April 28, 2017 by manuel

You get a list of all input devices with the command “xinput list“. You will need the id of the device you want do disable or enable. Here is an example output of this command:

~$ xinput list
⎡ Virtual core pointer                    	id=2	[master pointer  (3)]
...
⎜   ↳ SynPS/2 Synaptics TouchPad              	id=12	[slave  pointer  (2)]
...

~$ xinput list

⎡ Virtual core pointer id=2 [master pointer (3)]

...

⎜ ↳ SynPS/2 Synaptics TouchPad id=12 [slave pointer (2)]

...

To disable (0) or enable (1) the touchpad with id=12 you can use these commands:

xinput set-prop 12 "Device Enabled" 1

1	xinput set-prop 12 "Device Enabled" 1

xinput set-prop 12 "Device Enabled" 0

1	xinput set-prop 12 "Device Enabled" 0

Install docker-compose

Posted on April 7, 2017 by manuel

See https://github.com/docker/compose/releases for instructions. The documentation possibly doesn’t show the latest infos.

error: symbol ‘grub_efi_find_last_device_path’ not found

Posted on April 5, 2017 by manuel

Updating to the latest grub version leads to “error: symbol ‘grub_efi_find_last_device_path’ not found” on my dual boot system having Ubuntu 15.10 next to Windows 10.

This can be fixed by downgrading to the version before the latest one in the ubuntu repository till this bug is fixed.

Here is how I downgraded my grub installation:

sudo apt-get install grub2-common=2.02~beta2-29ubuntu0.2 \
  grub-common=2.02~beta2-29ubuntu0.2 grub-efi-amd64=2.02~beta2-29ubuntu0.2 \
  grub-efi-amd64-bin=2.02~beta2-29ubuntu0.2

sudo apt-mark hold grub-common grub-efi-amd64-bin grub2-common grub-efi-amd64

sudo apt-get install grub2-common=2.02~beta2-29ubuntu0.2 \

grub-common=2.02~beta2-29ubuntu0.2 grub-efi-amd64=2.02~beta2-29ubuntu0.2 \

grub-efi-amd64-bin=2.02~beta2-29ubuntu0.2

sudo apt-mark hold grub-common grub-efi-amd64-bin grub2-common grub-efi-amd64

Without the hold line apt would install the latest version on the next upgrade. As soon as the bug is fixed you can remove the hold mark with

sudo apt-mark install grub-common grub-efi-amd64-bin grub2-common grub-efi-amd64

1	sudo apt-mark install grub-common grub-efi-amd64-bin grub2-common grub-efi-amd64

Manuel's Cheat Sheet

Solutions to everyday IT problems

Openssl certificates for apache

Robo 3T MongoDB client fails to start on ubuntu 16.04

failed to run Kubelet: failed to create kubelet: misconfiguration: kubelet cgroup driver: “systemd” is different from docker cgroup driver: “cgroupfs”

SSL certificates for apache

Ubuntu: Docker behind proxy

12factor App

Java base project for website under tomcat

disable input device like a touchpad und linux

Install docker-compose

error: symbol ‘grub_efi_find_last_device_path’ not found