Archives / Search ›

Alternate OpenVPN OS X DNS updating script

Arjan van der Velde made several valiant attempts to post a shell script that did most of what my Python script did, but there seem to be some issues with the HTML parser in the comments truncating whatever he tried to post.

I’ve posted Arjan’s script; you may prefer it to mine because it doesn’t have the PyObjC/SystemConfiguration wrapper dependencies, though it doesn’t support multiple VPN domains/nameservers. It uses scutil to apply the same changes as my script, unlike the first shell script linked in the comments.

Here are a few minor tweaks I’ve made to my OpenVPN client setup.

First, I start OpenVPN with a zsh function and completion:

vpn () {
        title "OpenVPN" "${1:r}"
        sudo openvpn --config ~/.openvpn/$1
        chpwd
}
compctl -W ~/.openvpn -g '*.conf' vpn

which lets me type vpn <tab> to see a list of the (currently four) networks I can connect to, and the window title will change to OpenVPN:calamity or similar, courtesy of the title function:

title () {
        if [[ $TERM = "screen" ]]
        then
                print -Pn "\ek$1\e\\"
                print -Pn "\e]0;$2\a"
        elif [[ -n $xterm_prompt ]]
        then
                print -Pn "\e]0;$1:$2\a"
        fi
}

That’s part of another tweak I made a few months ago to get screen titles to be concise yet helpful… I’ll write about that another time.

Second, I added a line under if going_up at the end of acm-client.py to minimize the window once it’s connected:

if going_up:
	[...]
	print '\x1b[2t'

That way there’s a very visual cue indicating the VPN connection is established, and I can mouse over the minimized Terminal windows in my Dock to see what VPNs I’m connected to. Not exactly the world’s best UI, but it works.

Updating certificates

Evening at Adler was smaller and more intimate than I expected; the few photos I took are on Flickr. The last week has been rather busy, but in a good way—I’m getting work done. Paper revision is about 99% done, hopefully will be finished today, and I got Abe Fettig’s new Twisted book yesterday, which looks good so far. The annoying DSL outages at my parents’ place that started last week appear to be resolved, though it was an excuse to clean up my Nagios configuration, and get Cacti and Smokeping set up for some additional monitoring. Smokeping is extremely cool and easy to set up on Debian; I’m not sure why I hadn’t heard of it before.

Like many people, I run a bunch of private services for family, and we have our own certificate authority (CA) for SSL access to Web sites, mail, and so forth. When I’m home at Thanksgiving, as part of a larger transition to Mac OS X Server, I’ll probably move at least mail to Kerberos, which doesn’t require all the PKI stuff, but has its own problems.

Every year when Nagios starts bugging me that certificates are about to expire, I end up spending hours tracking down the right way to create a CA, sign certificates, install them, and so forth; for tools that are as widely used as they are, openssl and friends are not particularly user-friendly or flexible.

So, in an effort to save time next year, here’s what I came up with. Before doing the first few steps, you should edit /etc/ssl/openssl.cnf to include sane defaults appropriate to your site.

  • Create a new CA:
    # cd /etc/ssl
    # /usr/lib/ssl/misc/CA.sh -newca
    Accept defaults, except: 
    Organizational Unit Name (eg, section) []:Certificate Authority
    Common Name (eg, YOUR name) [mail.rileys.us]:Rileys CA
    Email Address []:ca@rileys.us
    # mv demoCA rileysCA
    
  • Create and sign a certificate request:
    # /usr/lib/ssl/misc/CA.sh -newreq
    Accept defaults, except:
    Email Address []:postmaster@rileys.us
    # /usr/lib/ssl/misc/CA.sh -signreq
    # install -m 644 newcert.pem /etc/apache/ssl.crt/mail-server.crt
    
  • Remove the passphrase on the certificate; extract the private key
    # openssl rsa -in newreq.pem -out /etc/apache/ssl.key/mail-server.key
    
  • Restart Apache (note that “restart” won’t pull in the new certificate)
    # /etc/init.d/apache stop
    # /etc/init.d/apache start
    
  • Remove the CSR, it’s no longer needed
    # rm newreq.pem
    
  • Copy the CA cert to rileys.us
    # scp /etc/ssl/rileysCA/cacert.pem nicholas@arnold:/var/www/rileys.us
    # ssh nicholas@arnold chmod 644 /var/www/rileys.us/cacert.pem
    
  • Add the CA cert to the Macs
    % curl -O http://rileys.us/cacert.pem
    

    On Tiger:

    % sudo certtool i cacert.pem v k=/System/Library/Keychains/X509Anchors
    

    On Leopard, the above command returns a warning and is ineffective. Instead use:

    % sudo security add-trusted-cert -d -k /Library/Keychains/System.keychain cacert.pem
    
  • Add the CA cert to the Debian machines (OpenSSL)
    # cd /etc/ssl/certs
    # wget -O rileys-ca.pem http://rileys.us/cacert.pem
    # chmod 644 rileys-ca.pem
    # update-ca-certificates
    

Update, February 2007:: Recent versions of Gecko-based browsers (and Thunderbird, etc.) give you a very confusing error message claiming that there’s a duplicate serial number, even if the certificate has only expired. (Since I create a new CA certificate every time, I don’t think this is giving me the right answer). So, you do need to remove the old certificate from the browser’s certificate store before adding the new one.