June 4, 2015
Automated SSL certificate expiration check
by Alpha01
It is quite simple to automate checking for near expiring SSL certificates in CentOS. This is accomplished using the `certwatch` tool. This tool is part of the `crypto-utils` package.
```bash
yum install crypto-utils
```
Installing `crypto-utils` will create the following cron job, `/etc/cron.daily/certwatch`. By default the `/etc/cron.daily/certwatch` script only checks for SSL certificates loaded by Apache (`httpd -t -DDUMP_CERTS`), so Apache users don't have to make any additional config changes in order to automate the check of near expiring SSL certificates.
Since on https://www.rubysecurity.org I use Nginx as an SSL termination proxy for an Apache backend webapp on a different machine, I had to manually update the `/etc/cron.daily/certwatch` script to point to my SSL certificates directly.
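```bash
# Original Apache-only lookup, commented out:
#certs=`${httpd} ${OPTIONS} -t -DDUMP_CERTS 2>/dev/null | /bin/sort -u`
# Check the certificate files used by Nginx instead:
INCLUDE_CERTS='/etc/nginx/certs/*.crt'
certs=`ls $INCLUDE_CERTS 2>/dev/null`
```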
Here is an example of an expired SSL certificate alert:
```
[root@rubyninja certs]# certwatch /etc/nginx/certs/www.rubysecurity.org_2014/www.rubysecurity.org.crt
To: root
Subject: The certificate for www.rubysecurity.org has expired
################# SSL Certificate Warning ################
Certificate for hostname 'www.rubysecurity.org', in file (or by nickname):
/etc/nginx/certs/www.rubysecurity.org_2014/www.rubysecurity.org.crt
The certificate needs to be renewed; this can be done
using the 'genkey' program.
Browsers will not be able to correctly connect to this
web site using SSL until the certificate is renewed.
##########################################################
Generated by certwatch(1)
```
`certwatch` is far from perfect. It doesn’t have any verbose output when doing a check; it solely relies on its exit status to verify if the check was successful. The excerpt from the man page is somewhat appalling.
```
DIAGNOSTICS
    The exit code indicates the state of the certificate:

    0
        The certificate is outside its validity period, or approaching expiry
    1
        The certificate is inside its validity period, or could not be parsed
```
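The ambiguity in the exit codes quoted above (a certificate that cannot be parsed gets the same status as a healthy one) can be avoided by checking the files with `openssl x509 -checkend`. The script below is an added example, not part of the original post or of `crypto-utils`; the function names `check_cert` and `check_all`, the status values and the 30-day default are assumptions chosen for illustration.

```bash
#!/bin/bash
# Added example: expiry check with one unambiguous status per certificate.
#   0 = valid for at least DAYS more days
#   1 = expired, or expires within DAYS days
#   2 = file missing or not a parseable X.509 certificate
check_cert() {
    local file=$1 days=${2:-30}
    # Parse first, so a broken file is never reported as a healthy certificate.
    openssl x509 -noout -in "$file" 2>/dev/null || return 2
    # -checkend exits 0 only if the certificate is still valid N seconds from now.
    openssl x509 -noout -checkend "$((days * 86400))" -in "$file" >/dev/null 2>&1 || return 1
    return 0
}

# Check every file given, print one line per certificate, return the worst status.
check_all() {
    local days=$1 worst=0 rc file
    shift
    for file in "$@"; do
        rc=0
        check_cert "$file" "$days" || rc=$?
        case $rc in
            0) echo "OK         $file" ;;
            1) echo "EXPIRING   $file ($(openssl x509 -noout -enddate -in "$file"))" ;;
            2) echo "UNREADABLE $file" ;;
        esac
        if [ "$rc" -gt "$worst" ]; then worst=$rc; fi
    done
    return "$worst"
}

# Usage (path pattern taken from the post): ./certcheck.sh 30 /etc/nginx/certs/*.crt
[ "$#" -lt 2 ] || check_all "$@"
```

Status 2 surfaces a wrong path or a corrupt file, which would otherwise pass silently.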
May 3, 2015
Restoring access to Fedora after Ubuntu upgrade
by Alpha01
I have a quadroboot OS installation environment on my Dell XPS laptop.
- Ubuntu (primary OS)
- Kali
- Fedora
- Windows 7
I decided to upgrade my Ubuntu install to the latest 15.04. As soon as the upgrade completed and rebooted, I noticed the GRUB menu was no longer displaying my Fedora 21 environment. The problem was because I had installed Fedora under an LVM partition, while the others weren’t.
Restoring boot access to Fedora was fairly simple.
First, I had to install the `lvm2` package in Ubuntu so it’s able to view and configure the LVM.
```
tony@alpha05:~$ sudo apt-get install lvm2
```
Then I had to activate the Volume Group.
```
tony@alpha05:~$ sudo vgchange -a y
```
After updating the Volume Group, using the `os-prober` tool, I was able to verify that Ubuntu was able to see my Fedora 21 install.
```
tony@alpha05:~$ sudo os-prober
/dev/sda1:Windows 7 (loader):Windows:chain
/dev/sda6:Debian GNU/Linux (Kali Linux 1.0):Debian:linux
/dev/mapper/fedora-root:Fedora release 21 (Twenty One):Fedora:linux
```
So the last step was to generate a new grub config.
```
tony@alpha05:~$ sudo grub-mkconfig -o /boot/grub/grub.cfg
```
April 25, 2015
Spell check from the command line
by Alpha01
I was pleasantly surprised to learn about a utility which lets you spell check text files or any string passed as standard input, directly from the command line. The name of this genius tool is `spell`.
Examples
Example 1
```
tony@alpha05:~$ echo "What the fuc or what the fuck" | spell
fuc
```
Example 2
```
tony@alpha05:~$ cat test.txt
Fuck thi shit.
tony@alpha05:~$ spell test.txt
thi
```
April 25, 2015
Installing system-config-kickstart on Ubuntu
by Alpha01
`system-config-kickstart` fails to start after the initial install.
Error
```
tony@alpha05:~$ system-config-kickstart
Traceback (most recent call last):
  File "/usr/share/system-config-kickstart/system-config-kickstart.py", line 92, in <module>
    kickstartGui.kickstartGui(file)
  File "/usr/share/system-config-kickstart/kickstartGui.py", line 131, in __init__
    self.X_class = xconfig.xconfig(xml, self.kickstartData)
  File "/usr/share/system-config-kickstart/xconfig.py", line 80, in __init__
    self.fill_driver_list()
  File "/usr/share/system-config-kickstart/xconfig.py", line 115, in fill_driver_list
    raise RuntimeError, (_("Could not read video driver database"))
RuntimeError: Could not read video driver database
```
Fix
Downgrade the hwdata package.
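```bash
# Remove the current hwdata package
apt-get remove hwdata
# Fetch the older release; dpkg -i installs the file as-is, without apt's repository signature check
wget ftp://mirror.ovh.net/mirrors/ftp.debian.org/debian/pool/main/h/hwdata/hwdata_0.234-1_all.deb
dpkg -i hwdata_0.234-1_all.deb
# Hold the package so apt does not upgrade it again
apt-mark hold hwdata
apt-get install system-config-kickstart
```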
This is a known bug in Ubuntu that is yet to be fixed…
Resources
- https://bugs.launchpad.net/ubuntu/+source/system-config-kickstart/+bug/1260107
- https://bugs.launchpad.net/ubuntu/+source/system-config-kickstart/+bug/1236315
April 13, 2015
Ah Shit - check_http string
by Alpha01
After updating the themes of www.alpha01.org, www.rubysecurity.org, www.rubyninja.org I completely forgot to also update the header template files to include once again their respective Google Analytics tracking code. This resulted in almost three months of no stats. When I originally set up the Nagios `check_http` checks on my sites, I didn’t set them to also search for the custom Google Analytics string, a configuration I always use at work on all HTTP checks.
This can easily be accomplished using the `-s` (`--string`) option of the `check_http` plugin.
```bash
/usr/local/nagios/libexec/check_http -I www.rubysecurity.org -S -t 10 --string UA-12912270-3
```
So the lesson learned: you should always configure your `check_http` Nagios service checks to also search for a custom string as part of the check!