
Updating certificates

Evening at Adler was smaller and more intimate than I expected; the few photos I took are on Flickr. The last week has been rather busy, but in a good way—I’m getting work done. Paper revision is about 99% done, hopefully will be finished today, and I got Abe Fettig’s new Twisted book yesterday, which looks good so far. The annoying DSL outages at my parents’ place that started last week appear to be resolved, though it was an excuse to clean up my Nagios configuration, and get Cacti and Smokeping set up for some additional monitoring. Smokeping is extremely cool and easy to set up on Debian; I’m not sure why I hadn’t heard of it before.

Like many people, I run a bunch of private services for family, and we have our own certificate authority (CA) for SSL access to Web sites, mail, and so forth. When I’m home at Thanksgiving, as part of a larger transition to Mac OS X Server, I’ll probably move at least mail to Kerberos, which doesn’t require all the PKI stuff, but has its own problems.

Every year when Nagios starts bugging me that certificates are about to expire, I end up spending hours tracking down the right way to create a CA, sign certificates, install them, and so forth; for tools that are as widely used as they are, openssl and friends are not particularly user-friendly or flexible.

So, in an effort to save time next year, here’s what I came up with. Before doing the first few steps, you should edit /etc/ssl/openssl.cnf to include sane defaults appropriate to your site.

  • Create a new CA:
    # cd /etc/ssl
    # /usr/lib/ssl/misc/CA.sh -newca
    Accept defaults, except: 
    Organizational Unit Name (eg, section) []:Certificate Authority
    Common Name (eg, YOUR name) [mail.rileys.us]:Rileys CA
    Email Address []:ca@rileys.us
    # mv demoCA rileysCA
    
  • Create and sign a certificate request:
    # /usr/lib/ssl/misc/CA.sh -newreq
    Accept defaults, except:
    Email Address []:postmaster@rileys.us
    # /usr/lib/ssl/misc/CA.sh -signreq
    # install -m 644 newcert.pem /etc/apache/ssl.crt/mail-server.crt
    
  • Remove the passphrase from the private key and extract it (newreq.pem holds the encrypted key as well as the request)
    # openssl rsa -in newreq.pem -out /etc/apache/ssl.key/mail-server.key
    
  • Restart Apache (note that “restart” won’t pull in the new certificate)
    # /etc/init.d/apache stop
    # /etc/init.d/apache start
    
  • Remove the CSR, it’s no longer needed
    # rm newreq.pem
    
  • Copy the CA cert to rileys.us
    # scp /etc/ssl/rileysCA/cacert.pem nicholas@arnold:/var/www/rileys.us
    # ssh nicholas@arnold chmod 644 /var/www/rileys.us/cacert.pem
    
  • Add the CA cert to the Macs
    % curl -O http://rileys.us/cacert.pem
    On Tiger:
    % sudo certtool i cacert.pem v k=/System/Library/Keychains/X509Anchors
    On Leopard, the above command returns a warning and is ineffective. Instead use:
    % sudo security add-trusted-cert -d -k /Library/Keychains/System.keychain cacert.pem
    
  • Add the CA cert to the Debian machines (OpenSSL)
    # cd /etc/ssl/certs
    # wget -O rileys-ca.pem http://rileys.us/cacert.pem
    # chmod 644 rileys-ca.pem
    # update-ca-certificates
    
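The same procedure done non-interactively, as an added example that is not part of the original post: one private CA, one server key and certificate signed by it, the key written without a passphrase and with restrictive permissions, and the result verified before anything is installed. The names are taken from the post; the output directories, lifetimes and the use of `openssl` directly instead of `CA.sh` are my assumptions.

```shell
#!/bin/sh
# Scripted version of the yearly CA + certificate routine (added example).
# Assumes a reasonably current openssl; directories and lifetimes are arguments.
set -e

# Create a self-signed CA in directory $1, valid for $2 days.
make_ca() {
    dir=$1; days=$2
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -subj "/O=Rileys/OU=Certificate Authority/CN=Rileys CA/emailAddress=ca@rileys.us" \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
    chmod 600 "$dir/cakey.pem"      # the CA key is the crown jewel; never world-readable
}

# Issue a certificate for host $3 from the CA in $1 into directory $2, valid $4 days.
issue_cert() {
    cadir=$1; out=$2; host=$3; days=$4
    mkdir -p "$out"
    # -nodes writes the key unencrypted, so no separate "openssl rsa" step is needed.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/O=Rileys/CN=$host/emailAddress=postmaster@rileys.us" \
        -keyout "$out/$host.key" -out "$out/$host.csr" 2>/dev/null
    chmod 600 "$out/$host.key"      # Apache reads it as root at startup; nobody else needs it
    # -CAcreateserial keeps $cadir/cacert.srl; keeping that file (and the CA) across
    # years keeps serials unique under one issuer name, which is what browsers check.
    openssl x509 -req -sha256 -days "$days" -in "$out/$host.csr" \
        -CA "$cadir/cacert.pem" -CAkey "$cadir/cakey.pem" -CAcreateserial \
        -out "$out/$host.crt" 2>/dev/null
    rm -f "$out/$host.csr"          # the request is no longer needed once signed
}

# Succeed only if certificate $2 chains to CA certificate $1 (what clients will check).
verify_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Succeed only if certificate $1 is still valid $2 days from now (the Nagios-style check).
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Example run, if executed directly (constructed paths under a temporary directory).
if [ "${0##*/}" = "renew-certs.sh" ]; then
    T=$(mktemp -d)
    make_ca "$T/rileysCA" 3650
    issue_cert "$T/rileysCA" "$T/mail" mail.rileys.us 365
    verify_cert "$T/rileysCA/cacert.pem" "$T/mail/mail.rileys.us.crt" && echo "chain OK"
fi
```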

Update, February 2007: Recent versions of Gecko-based browsers (and Thunderbird, etc.) give you a very confusing error message claiming that there’s a duplicate serial number, even if the certificate has only expired. (Since I create a new CA certificate every time, I don’t think this is giving me the right answer.) So, you do need to remove the old certificate from the browser’s certificate store before adding the new one.

Busy; Evening at Adler

Yes, I’m still alive. Between research (paper #2 got accepted, and I’m presenting it at HPCA in February; currently revising paper for publication, and incredibly excited about getting back to my current project), the class I’m TAing this semester (advanced introduction to operating systems, being offered for the first time with Linux kernel programming assignments), and other miscellaneous duties, I haven’t had a lot of free time. I did finally get to see Serenity at the Lorraine last weekend, and have been watching some anime (Honey and Clover is phenomenal), but that’s been about it for fun.

I’ll be in the Chicago area this Friday, Saturday and most of Sunday, ostensibly for a cool-sounding Mac event but also to meet a bunch of friends and acquaintances who are flying in for the occasion. Despite my proximity to Chicago I’ve only been there about once a year since moving to Illinois.

Some of that time I’ll be working, but if anyone wants to get together for a meal or just to hang out, let me know (leave a comment or email me).

1001Screenshot 1.0.2 released

Just a minor fix because 1001 1.0b44 gained a hyphen in its bundle identifier; it is now tv.kung-foo.1001 instead of tv.kungfoo.1001. Download here; requires Mac OS X 10.3 or later and, obviously, 1001 and a Flickr account.

And since I posted the original message about this, 1.0b45 came out. 1001 continues getting nicer; maybe I should actually use my real camera a bit more, instead of just posting screenshots and poor-quality phonecam pictures :-)

Now, off to install my new bike tires before I go to school.

(Doh, the link was broken; fixed. The new tire I installed survived the trip to school; so far, so good.)

Cisco VPN client installer destroys /opt

I haven’t seen this complained about very much, but see here. If you run recent versions of the Mac OS X Cisco VPN client installer, it will destroy the permissions on the contents of /opt, and turn /opt into a symbolic link to /private/opt for no good reason. I’m currently restoring my DarwinPorts setup from a backup.

Luckily, the one reason I needed to use the campus VPN is gone (dcsfiles.cs.uiuc.edu supported only SMB access, which is firewalled, and not WebDAV/SSL, which works now). Unfortunately, despite the usability of vpnc, I couldn’t get it to work on OS X; after a bit of minor source hacking, the tunnel would be set up and the routes established but nothing would go through it.

TextDrive moved; OpenVPN script revised

gilford.textdrive.com, the server hosting this weblog, is now in San Diego. I’m looking forward to less downtime now TextDrive has physical access to their servers; I couldn’t really have asked for a much smoother transition.

I revised my OpenVPN DNS script and the associated weblog entry earlier today; it’s now generic and should work unmodified as long as you’ve set up your server to send the right DHCP options. I’ve been getting a steady stream of requests for it, so I hope it helps some people…
