rubysecurity.org

It is quite simple to automate checking for near expiring SSL certificates in CentOS. This is accomplished using the certwatch tool. This tool is part of the crypto-utils package.

yum install crypto-utils

Installing crypto-utils, will create the following cron job, /etc/cron.daily/certwatch. By default the /etc/cron.daily/certwatch script only checks for SSL certificates loaded by Apache (httpd -t -DDUMP_CERTS). So Apache users don't have to do any additional config changes to in order to automate the check of near expiring SSL certificates.

Since in https://www.rubysecurity.org I use Nginx as a SSL termination proxy for an Apache backend webapp on a different machine. I had to manually update the /etc/cron.daily/certwatch script to point to my SSL certificates directly.

    #certs=`${httpd} ${OPTIONS} -t -DDUMP_CERTS 2>/dev/null | /bin/sort -u`
    INCLUDE_CERTS='/etc/nginx/certs/*.crt'
    certs=`ls $INCLUDE_CERTS 2>/dev/null`

Here is an example of an expired SSL certificate alert

[[email protected] certs]# certwatch /etc/nginx/certs/www.rubysecurity.org_2014/www.rubysecurity.org.crt
To: root
Subject: The certificate for www.rubysecurity.org has expired

################# SSL Certificate Warning ################

Certificate for hostname 'www.rubysecurity.org', in file (or by nickname):
/etc/nginx/certs/www.rubysecurity.org_2014/www.rubysecurity.org.crt

The certificate needs to be renewed; this can be done
using the 'genkey' program.

Browsers will not be able to correctly connect to this
web site using SSL until the certificate is renewed.

##########################################################
Generated by certwatch(1)

certwatch is far from perfect. It doesn't have any verbose output when doing a check, it solely relies on its exit status to verify if the check was successful. Excerpt from the man page is somewthat appalling.

DIAGNOSTICS
The exit code indicates the state of the certificate:

0
The certificate is outside its validity period, or approaching expiry

1
The certificate is inside its validity period, or could not be parsed

I have a quadroboot OS installation environment in my primary laptop.

• Ubuntu (primary OS)
• Kali
• Fedora
• Windows 7

I decided to upgrade my Ubuntu installing to the latest 15.04. As soon the upgrade completed and rebooted, I noticed the GRUB menu was no longer displaying my Fedora 21 environment. The problem was because I had installed Fedora under an LVM partition, while the others weren't.

Restoring boot access to Fedora was fairly simple.

First, I had install lvm2 package in Ubuntu so it's able to view and configure the LVM

[email protected]:~$ sudo apt-get install lvm2

Then I had to activate the Volume Group.

[email protected]:~$ sudo vgchange -a y

After updating the Volume Group, I was able to verify that Ubuntu was able to my Fedora 21 install.

[email protected]:~$ sudo os-prober
/dev/sda1:Windows 7 (loader):Windows:chain
/dev/sda6:Debian GNU/Linux (Kali Linux 1.0):Debian:linux
/dev/mapper/fedora-root:Fedora release 21 (Twenty One):Fedora:linux

So the last step was to generate a new grub config.

[email protected]:~$ sudo grub-mkconfig > /boot/grub/grub.cfg

I was pleasantly surprise to learn about a utility which lets you spell check text files or any string passed as standard input, directly from the command line.

Example 1

[email protected]:~$ echo "What the fuc or what the fuck" | spell
fuc

Example 2

[email protected]:~$ cat test.txt
Fuck thi shit.
[email protected]:~$ spell test.txt
thi

So, system-config-kickstart fails to start after the initial install.

Error:

[email protected]:~$ system-config-kickstart
Traceback (most recent call last):
File "/usr/share/system-config-kickstart/system-config-kickstart.py", line 92, in
kickstartGui.kickstartGui(file)
File "/usr/share/system-config-kickstart/kickstartGui.py", line 131, in __init__
self.X_class = xconfig.xconfig(xml, self.kickstartData)
File "/usr/share/system-config-kickstart/xconfig.py", line 80, in __init__
self.fill_driver_list()
File "/usr/share/system-config-kickstart/xconfig.py", line 115, in fill_driver_list
raise RuntimeError, (_("Could not read video driver database"))
RuntimeError: Could not read video driver database

Fix:
Downgrade the hwdata package.

# apt-get remove hwdata
# wget ftp://mirror.ovh.net/mirrors/ftp.debian.org/debian/pool/main/h/hwdata/hw...
# dpkg -i hwdata_0.234-1_all.deb
# apt-mark hold hwdata
# apt-get install system-config-kickstart

This is a known bug in Ubuntu that is yet to be fixed...
https://bugs.launchpad.net/ubuntu/+source/system-config-kickstart/+bug/1260107
https://bugs.launchpad.net/ubuntu/+source/system-config-kickstart/+bug/1236315

After updating the themes of www.alpha01.org, www.rubysecurity.org, www.rubyninja.org I completely forgot to also update the header template files to include once again their respective Google Analytics tracking code. This resulting in almost three months of no stats. When I originally setup the Nagios check_http 's on my sites, I didn't set them to also search for the custom Google Analytics string, which I always use this configuration at work on all http checks.

This can easily be accomplish using the -s|--string option of the check_http plugin.

/usr/local/nagios/libexec/check_http -I www.rubysecurity.org -S -t 10 --string UA-12912270-3

So the lesson learned, you should always configure your check_http Nagios service checks to also search for a custom string as part of the check!

So I literally was just about to start flipping tables because I wasn't able to get my Google Apps API OAuth2 api verification to work. I was getting the following error:

401. That’s an error.

Error: invalid_client

no support email

As the documentation describes, I created my application and enabled Calendar API access to it, and lastly setup my credentials. The problem was that I was generating my OAuth 2.0 client IDs without completing the app's consent screen data. As soon as I specified my email address in my app's consent screen data and regenerated new a client ID, I was able to authenticate my application. If only the Google Developer Console would've given a warning of some sort prior to generating a client ID, a lot of #!%[email protected]*# moments would've been avoided.

[[email protected] /etc]# pfctl -nf /etc/pf.conf
/etc/pf.conf:4: syntax error

service netif restart em0

I remember when I first discovered the tab key autocomplete in Bash and being absolutely jollied because of it. Having just found the existence of the script utility, it feels almost identical.

script gives you the capability of logging every thing within your current shell session. In the past, I would always resort to manually copying the text output of my terminal window to a file. In some cases, I would have a really long command line session that I wanted its output saved, which resulted in the entire terminal window crashing when being manually copied due to the extremely large output buffer! Thankfully with script those problems are a thing of the past.

Its usage is dead simple:

[email protected]:~$ script logmyshit.log
Script started, file is logmyshit.log
[email protected]:~$ echo "script is fucking awesome!"
script is fucking awesome!
[email protected]:~$ exit

Contents of logmyshit.log:

Script started on Wed 04 Feb 2015 10:15:32 PM PST
[email protected]:~$ echo "script is fucking awesome!"
script is fucking awesome!
[email protected]:~$ exit

Script done on Wed 04 Feb 2015 10:16:00 PM PST

CentOS

ansible centosbox -m yum -a 'name=* state=latest'

Debian

ansible debianbox -m apt -a 'update_cache=yes name=* state=latest'