Openssl certificates for apache

In my former post I described how to create self-signed SSL certificates with my own certificate authority. These certificates didn’t work in the latest Chrome versions, so I updated my scripts to create valid certificates for Chrome. This time I only create wildcard certificates because creating one for every subdomain was annoying.

#!/bin/bash
if [ -e ca.key ]; then
	echo "ca.key already exists"
	exit 1
fi

openssl genrsa -out ca.key 4096
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt \
  -subj "/C=AT/ST=Vienna/L=Vienna/O=Coffeebeans/CN=Coffeebeans Domain Validation Secure Server CA/emailAddress=office@coffeebeans.at"

#!/bin/bash
# Creates a wildcard key and certificate for <domain.name>, signed by the CA created above.
NAME=star.$1
if [ "star." == "$NAME" ]; then
	echo "usage: $0 <domain.name>"
	exit 1
fi
if [ -e "$NAME.key" ]; then
	echo "$NAME.key already exists"
	exit 1
fi
if [ ! -e ca.crt ]; then
	echo "no ca certificate created"
	exit 1
fi

CONFIG=$(cat <<-EOF
[ca]
default_ca=CA_default

[CA_default]
dir=./ca
database=\$dir/index.txt
new_certs_dir=\$dir/newcerts
serial=\$dir/serial
private_key=./ca.key
certificate=./ca.crt
default_days=3650
default_md=sha256
policy=policy_anything
copy_extensions=copyall

[policy_anything]
countryName=optional
stateOrProvinceName=optional
localityName=optional
organizationName=optional
organizationalUnitName=optional
commonName=supplied
emailAddress=optional

[req]
default_bits=4096
prompt=no
default_md=sha256
req_extensions=req_ext
distinguished_name=dn
 
[ dn ]
C=AT
ST=Vienna
L=Vienna
OU=Domain Control Validated
emailAddress=office@coffeebeans.at
CN=*.$1
 
[ req_ext ]
subjectAltName=@alt_names
 
[ alt_names ]
DNS.1=$1
DNS.2=*.$1
EOF
)

# PREPARE
echo "$CONFIG" > config.txt
if [ ! -d ./ca ]; then
	mkdir -p ./ca/newcerts
	touch ./ca/index.txt
fi

openssl genrsa -out "$NAME.key" 4096
openssl req -new -key "$NAME.key" -out "$NAME.csr" -config config.txt
openssl ca -create_serial -batch -in "$NAME.csr" -out "$NAME.crt" -config config.txt

# CLEANUP
rm -f *.csr config.txt
# private keys (including ca.key) stay readable by the owner only; certificates are public
chmod 600 *.key
chmod 644 *.crt

I also tried to use these certificates in postfix which did NOT work. To create files for postfix see my former post.
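
To confirm that a certificate issued by the wildcard script above has what Chrome needs, the following check (an added example, not part of the original post) verifies the chain against the CA and looks for both subjectAltName entries; Chrome matches host names against subjectAltName only, which a CN-only certificate lacks. The function names, the domain example.test and the throwaway sample CA are assumptions made for the illustration.

```bash
#!/bin/bash
# Added example (not from the original post).
# check_wildcard_cert <cert> <ca-cert> <domain>
# Returns 0 only if the certificate verifies against the CA and lists both
# DNS:<domain> and DNS:*.<domain> in subjectAltName.
check_wildcard_cert() {
	local crt="$1" ca="$2" domain="$3" san
	if ! openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
		echo "chain check failed"; return 1
	fi
	# The SAN values are on the line after the extension name in -text output.
	san=$(openssl x509 -in "$crt" -noout -text |
		grep -A1 'Subject Alternative Name' | tail -n1 | tr -d ' ')
	case ",$san," in
		*",DNS:$domain,"*) ;;
		*) echo "missing SAN DNS:$domain"; return 1 ;;
	esac
	case ",$san," in
		*",DNS:*.$domain,"*) ;;
		*) echo "missing SAN DNS:*.$domain"; return 1 ;;
	esac
	echo "ok"
}

# make_sample_certs <dir>: constructed test data. A throwaway CA, one
# certificate with SAN entries and one CN-only certificate without them.
make_sample_certs() {
	local d="$1"
	openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Sample CA" \
		-keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
	openssl req -newkey rsa:2048 -nodes -subj "/CN=*.example.test" \
		-keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
	printf 'subjectAltName=DNS:example.test,DNS:*.example.test\n' > "$d/san.ext"
	openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
		-set_serial 1 -days 1 -extfile "$d/san.ext" -out "$d/with-san.crt" 2>/dev/null
	openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
		-set_serial 2 -days 1 -out "$d/cn-only.crt" 2>/dev/null
}

# Stand-alone use: <this script> <cert> <ca-cert> <domain>
if [ "$#" -eq 3 ]; then
	check_wildcard_cert "$@"
fi
```

Run it with the issued certificate, ca.crt and the domain as arguments; it prints "ok" or the first check that failed.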

 

Robo 3T MongoDB client fails to start on ubuntu 16.04

I tried to run robo3t-1.1.1-linux-x86_64, downloaded from https://robomongo.org/, and got the following error when trying to run it:

This application failed to start because it could not find or load the Qt platform plugin "xcb"
in "".

Available platform plugins are: xcb.

Reinstalling the application may fix this problem.
Aborted

Trying to install xcb via apt install xcb doesn’t change the behavior. Then I found a solution by removing all libstdc++* files from the lib directory in the extracted directory:

rm lib/libstdc++*

failed to run Kubelet: failed to create kubelet: misconfiguration: kubelet cgroup driver: “systemd” is different from docker cgroup driver: “cgroupfs”

Distributor ID: Ubuntu
Description: Ubuntu 16.04.3 LTS
Release: 16.04
Codename: xenial

Docker version 17.06.0-ce, build 02c1d87

openshift-origin-server-v3.6.0-c4dd4cf-linux-64bit

I followed the steps under https://docs.openshift.org/latest/getting_started/administrators.html#downloading-the-binary and got the error in the title. To fix this you have to add "--exec-opt native.cgroupdriver=systemd" to ExecStart of docker. The best way to do this is to add a drop-in file /etc/systemd/system/docker.service.d/override.conf with the following content:

[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H fd:// --exec-opt native.cgroupdriver=systemd

Then reload systemd and restart docker:

sudo systemctl daemon-reload
sudo systemctl restart docker

 

SSL certificates for apache

Simple way to create self-signed SSL certificates.

#!/bin/bash
# usage: ./create-ca.sh
if [ -e ca.key ]; then
	echo "ca.key already exists"
	exit 1
fi

openssl genrsa -out ca.key 4096
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt \
  -subj "/C=AT/ST=Vienna/L=Vienna/O=coffeebeans.at/OU=IT/CN=coffeebeans.at/emailAddress=office@coffeebeans.at"

#!/bin/bash
# usage: ./create-key.sh CN
NAME=$1
if [ -z "$NAME" ]; then
	echo "usage: $0 CN"
	exit 1
fi

# serial number = number of existing keys (ca.key included), zero-padded to two digits
SERIAL=$(ls -l *.key | wc -l)

if [ "$SERIAL" -lt 10 ]; then
	SERIAL="0$SERIAL"
fi

if [ -e "$NAME.key" ]; then
	echo "$NAME.key already exists"
	exit 1
fi

if [ ! -e ca.crt ]; then
	echo "no ca certificate created"
	exit 1
fi

echo "creating key for $NAME with serial $SERIAL"
openssl genrsa -out "$NAME.key" 4096
openssl req -new -key "$NAME.key" -out "$NAME.csr" \
  -subj "/C=AT/ST=Vienna/L=Vienna/O=coffeebeans.at/OU=IT/CN=$NAME/emailAddress=office@coffeebeans.at"
openssl x509 -req -days 3650 -CA ca.crt -CAkey ca.key \
  -set_serial "$SERIAL" -in "$NAME.csr" -out "$NAME.crt"

rm -f *.csr

 

Ubuntu: Docker behind proxy

sudo mkdir /etc/systemd/system/docker.service.d
cat /etc/systemd/system/docker.service.d/http-proxy.conf
[Service]
Environment="HTTP_PROXY=http://proxy-address:8080/"
Environment="HTTPS_PROXY=http://proxy-address:8080/"
Environment="NO_PROXY=localhost,127.0.0.1,.localdomain"

sudo systemctl daemon-reload
sudo systemctl restart docker

 

Disable an input device like a touchpad under Linux

You get a list of all input devices with the command "xinput list". You will need the id of the device you want to disable or enable. Here is an example output of this command:

~$ xinput list
⎡ Virtual core pointer                    	id=2	[master pointer  (3)]
...
⎜   ↳ SynPS/2 Synaptics TouchPad              	id=12	[slave  pointer  (2)]
...

To disable (0) or enable (1) the touchpad with id=12 you can use these commands:

# disable the touchpad
xinput set-prop 12 "Device Enabled" 0
# enable it again
xinput set-prop 12 "Device Enabled" 1

 

error: symbol ‘grub_efi_find_last_device_path’ not found

Updating to the latest grub version leads to “error: symbol ‘grub_efi_find_last_device_path’ not found” on my dual boot system having Ubuntu 15.10 next to Windows 10.

This can be fixed by downgrading to the version before the latest one in the ubuntu repository till this bug is fixed.

Here is how I downgraded my grub installation:

sudo apt-get install grub2-common=2.02~beta2-29ubuntu0.2 \
  grub-common=2.02~beta2-29ubuntu0.2 grub-efi-amd64=2.02~beta2-29ubuntu0.2 \
  grub-efi-amd64-bin=2.02~beta2-29ubuntu0.2

sudo apt-mark hold grub-common grub-efi-amd64-bin grub2-common grub-efi-amd64

Without the hold line apt would install the latest version on the next upgrade. As soon as the bug is fixed you can remove the hold mark with

sudo apt-mark unhold grub-common grub-efi-amd64-bin grub2-common grub-efi-amd64