After reading how CloudFlare handles their PKI and that LetsEncrypt will use it I wanted to give CFSSL a shot.

Reading the project’s documentation doesn’t really help in building your own CA, but searching the Internet I found Fernando Barillas’ blog explaining how to create your own root certificate and how to create intermediate certificates from this.

I took it a step further I wrote a script generating new certificates for several services with different intermediates and possibly different configurations (e.g. depending on your distro and services certain cyphers (e.g. using ECC) may not be supported).
I also streamlined generating service specific key, cert and chain files. 😀

Have a look at the full Gist or just the most interesting part:

	#!/bin/bash
	#
	# Author: Riyad Preukschas <riyad@informatik.uni-bremen.de>
	# License: MIT
	#
	# Generates root, internediate CA and service keys.

	function generate_root_ca() {
	local root_ca="$1"
	echo "Generating root CA into ${root_ca}/"
	[[ ! -d "${root_ca}" ]] && mkdir "${root_ca}"
	cfssl genkey -initca "${root_ca}_csr.json" \| cfssljson -bare "${root_ca}/root"
	}

	function generate_intermediate_ca() {
	local root_ca="$1"
	local intermediate_ca="$2"
	echo "Generating intermediate CA into ${intermediate_ca}/ (for root CA ${root_ca}/)"
	[[ ! -d "${intermediate_ca}" ]] && mkdir "${intermediate_ca}"
	cfssl gencert -ca "${root_ca}/root.pem" -ca-key "${root_ca}/root-key.pem" -config="config.json" -profile="intermediate" "${intermediate_ca}_csr.json" \| cfssljson -bare "${intermediate_ca}/intermediate"
	}

	function generate_service_keys() {
	local root_ca="$1"
	local intermediate_ca="$2"
	local service_type="$3"
	local key_name="$4"
	local dist_dir="${intermediate_ca}/dist"
	echo "Generating ${service_type} key pair into ${intermediate_ca}/"
	[[ ! -d "${dist_dir}" ]] && mkdir "${dist_dir}"
	cfssl gencert -ca "${intermediate_ca}/intermediate.pem" -ca-key "${intermediate_ca}/intermediate-key.pem" -config="config.json" -profile="server" "${key_name}_csr.json" \| cfssljson -bare "${intermediate_ca}/${key_name}"
	cp "${intermediate_ca}/${key_name}.pem" "${dist_dir}/"
	cp "${intermediate_ca}/${key_name}-key.pem" "${dist_dir}/"
	case "${service_type}" in
	dovecot)
	cat "${intermediate_ca}/intermediate.pem" "${root_ca}/root.pem" > "${dist_dir}/${key_name}-cachain.pem"
	;;
	nginx)
	cat "${intermediate_ca}/${key_name}.pem" "${intermediate_ca}/intermediate.pem" "${root_ca}/root.pem" > "${dist_dir}/${key_name}.pem"
	;;
	postfix)
	cat "${intermediate_ca}/intermediate.pem" "${root_ca}/root.pem" > "${dist_dir}/${key_name}-cachain.pem"
	;;
	esac
	}



	# Foo root CA
	ROOT_CA="foo-root-ca"
	#generate_root_ca "${ROOT_CA}"

	# Some intermediate CA
	generate_intermediate_ca "${ROOT_CA}" "some-intermediate-ca"
	generate_service_keys "${ROOT_CA}" "some-intermediate-ca" "nginx" "foo-some-web"

	# Another intermediate CA
	generate_intermediate_ca "${ROOT_CA}" "another-intermediate-ca"
	generate_service_keys "${ROOT_CA}" "some-intermediate-ca" "dovecot" "foo-another-imap"
	generate_service_keys "${ROOT_CA}" "some-intermediate-ca" "postfix" "foo-another-smtp"

view raw renew-certs.sh hosted with ❤ by GitHub

You’ll still have to deploy them yourself.

Update 2016-10-04:
Fixed some issues with this Gist.

Fixed a bug where intermediate CA certificates weren’t marked as CAs any more
Updated the example CSRs and the script so it can now be run without errors

Update 2017-10-08:

Cleaned up `renew-certs.sh` by extracting functions for generating root CA, intermediate CA and service keys.

A Service Monitor built with Polymer

I tried to build a service monitor having the following features:

showing the reachability of HTTP servers
plotting the amount of messages in a specific RabbitMQ queue
plotting the amount of queues with specific prefixes
showing the status of RabbitMQ queues i.e. how many messages are in there? are there any consumers? are they hung?
showing the availability of certain Redis clients

Well, you can find the result on GitHub.
It uses two things I published before: polymer-flot and flot-sparklines. 😀

An example dashboard:

too long for Unix domain socket

If you’re an Ansible user and encounter the following error:

unix_listener: "..." too long for Unix domain socket

you need to set the control_path option in your ansible.cfg file to tell SSH to use shorter path names for the control socket. You should have a look at the ssh_config(5) man page (under

ControlPath

) for a list of possible substitutions.

I chose:

control_path = %(directory)s/ssh-%%C

Widow Update FUBAR

Microsoft accidentally published a weird “test” patch via Windows Update … world-wide! ?

Update 2015-10-05: And now they also seem to use an untrusted certificate(German). o.O

Making RabbitMQ Recover from (a)Mnesia

In the company I work for we’re using RabbitMQ to offload non-timecritical processing of tasks. To be able to recover in case RabbitMQ goes down our queues are durable and all our messages are marked as persistent. We generally have a very low number of messages in flight at any moment in time. There’s just one queue with a decent amount of them: the “failed messages” dump.

The Problem

It so happens that after a botched update to the most recent version of RabbitMQ (3.5.3 at the time) our admins had to nuke the server and install it from scratch. They had made a backup of RabbitMQ’s Mnesia database and I was tasked to recover the messages from it.
This is the story of how I did it.

Since our RabbitMQ was configured to persist all the messages this should be generally possible. Surely I wouldn’t be the first one to attempt this. ?

Looking through the Internet it seems there’s no way of ex/importing a node’s configuration if it’s not running. I couldn’t find any documentation on how to import a Mnesia backup into a new node or extract data from it into a usable form. ?

The Idea

My idea was to setup a virtual machine (running Debian Wheezy) with RabbitMQ and then to somehow make it read/recover and run the broken server’s database.

In the following you’ll see the following placeholders:

RABBITMQ_MNESIA_BASE will be
```
/var/lib/rabbitmq/mnesia
```
on Debian (see RabbitMQ’S file locations)
RABBITMQ_MNESIA_DIR is just $RABBITMQ_MNESIA_BASE/$RABBITMQ_NODENAME
BROKEN_NODENAME the $RABBITMQ_NODENAME of the broken server we have backups from
BROKEN_HOST the hostname of said server

One more thing before we start: if I say “fix permissions” below I mean

sudo chown -R rabbitmq:rabbitmq $RABBITMQ_MNESIA_DIR

1st Try

My first try was to just copy the broken node’s Mnesia files to the VM’s $RABBITMQ_MNESIA_DIR failed. The files contained node names that RabbitMQ tried to reach but were unreachable from the VM.

Error description:
   {could_not_start,rabbit,
       {{failed_to_cluster_with,
            ['$BROKEN_NODENAME'],
            "Mnesia could not connect to any nodes."},
        {rabbit,start,[normal,[]]}}}

So I tried to be a little bit more picky on what I copied.

First I had to reset $RABBITMQ_MNESIA_DIR by deleting it and have RabbitMQ recreate it. (I needed to do this way too many times ?)

sudo service rabbitmq-server stop
rm -r $RABBITMQ_MNESIA_DIR
sudo service rabbitmq-server start

Stopping RabbitMQ I tried to feed it the broken server’s data in piecemeal fashion. This time I only copied the

rabbit_*.[DCD,DCL]

and restarted RabbitMQ.

RabbitMQ Management Interface lists all the queues, but the node it thinks they're on is "down" — RabbitMQ’s management interface lists all the queues, but it thinks the node they’re on is “down”

Looking at the web management interface there were all the queues we were missing, but they were “down” and clicking on them told you

The object you clicked on was not found; it may have been deleted on the server.

Copying any more data didn’t solve the issue. So this was a dead end. ?

2nd Try

So I thought why doesn’t the RabbitMQ in the VM pretend to be the exact same node as on the broken server?

So I created a

/etc/rabbitmq/rabbitmq-env.conf

with

NODENAME=$BROKEN_NODENAME

in there.

I copied the backup to $RABBITMQ_MNESIA_DIR (now with the new node name) and fixed the permissions.

Now starting RabbitMQ failed with

ERROR: epmd error for host $BROKEN_HOST: nxdomain (non-existing domain)

I edited

/etc/hosts

to add $BROKEN_HOST to the list of names that resolve to 127.0.0.1.

Now restarting RabbitMQ failed with yet another error:

Error description:
   {could_not_start,rabbit,
       {{schema_integrity_check_failed,
            [{table_attributes_mismatch,rabbit_queue,
                 [name,durable,auto_delete,exclusive_owner,arguments,pid,
                  slave_pids,sync_slave_pids,recoverable_slaves,policy,
                  gm_pids,decorators,state],
                 [name,durable,auto_delete,exclusive_owner,arguments,pid,
                  slave_pids,sync_slave_pids,mirror_nodes,policy]}]},
        {rabbit,start,[normal,[]]}}}

Now what? Why don’t I try to give it the Mnesia files piece by piece again?

Reset $RABBITMQ_MNESIA_DIR
Stop RabbitMQ
Copy
```
rabbit_*
```
files in again and fix their permissions
Start RabbitMQ

All our queues were back and all their configuration seemed OK as well. But we still didn’t have our messages back yet.

RabbitMQ Data Recovery Screen Shot 2 - Node Up, Queues Empty — The queues have been restored, but they have no messages in them

Solution

So I tried to copy more and more files over from the backup repeating the above steps. I finally reached my goal after copying

rabbit_*

msg_store_*

queues

and

recovery.dets

. Fixing their permissions and starting RabbitMQ it had all the queues restored with all the messages in them. ?

RabbitMQ Data Recovery Screen Shot 3 - Messages Restored — Queues and messages restored

Now I could use ordinary methods to extract all the messages. Dumping all the messages and examining them they looked OK. Publishing the recovered messages to the new server I was pretty euphoric. ?

Android Backup and Restore with ADB

Updating my OnePlus One recently to Cyanogen OS 12 I had to reset my phone a few times before everything ran smoothly … so I wrote a pair of scripts to help me copy things around.

It uses the Android SDK’s ADB tool to do the copying since the Android File Transfer Tool for Mac has a laughable quality for Google’s standards.

Update 2018-11-22:
Since the scripts became more sophisticated I moved them to a proper project on GitHub.

Mass Storage

There’re three types of mass storage: NAS, SAN and NSA 😂
— Random Internet Troll

https://twitter.com/riyadpr/status/593528317568880641

Monitor Activity in your OS X Dock

Just found a nice trick on TUAW on how to make the OS X Activity Monitor show graphs in place of its app icon.

Looking Up Crash Reports In OS X

If you find yourself–like me–in the situation that your Mac has crashed and you want to retrieve the crash reports (some call them logs 😉 )? Well, there are basically two ways.

You can look them up with the “Console” tool (find it in

/Applications/Utilities/Console

or with Spotlight). Open the “System Diagnostic Reports” section on the left and find an entry similar to

Kernel_<date>_<your_pc_name>.panic

at the top.

You can also find these reports as text files under

/Library/Logs/DiagnosticReports

with the same names. OS X will open them with the Console tool per default.

Cheers. 😀

Tag: Admin

Most Awesome Script Collection

CFSSL FTW