How to install/change SSL/TLS certificate

How to add new SSL/TLS certificate

If you need to set up HTTPS, you will need a new SSL/TLS certificate:
1. Gather the following information, which is needed for the certificate signing request (CSR):

    Country Name (2 letter code)
    State or Province Name (full name)
    Locality Name (eg, city)
    Organization Name (eg, company)
    Organizational Unit Name (eg, section)
    Common Name (e.g. server FQDN or YOUR name)
    Email Address

    The Common Name is the FQDN of the hostname/domain the server will serve.

2. Generate a private key and certificate request (-nodes writes the key unencrypted, so keep cert.key readable only by root):

openssl req -out cert.csr -new -newkey rsa:2048 -nodes -keyout cert.key

3. Buy a certificate using the generated CSR.
4. Add the certificate to expiration monitoring (if you have monitoring).
5. Install it on your server (see the next section).

How to install/change SSL/TLS certificate

1. If you received a .pfx file, decode it with:

openssl pkcs12 -in domain.pfx -out certificate -nodes

This writes both the private key and the certificate into the file named certificate.
2. You should end up with about 4 files:

    domain-name.crt — X.509 certificate file
    domain-name.csr — X.509 certificate request file
    intermediate.crt — X.509 certificate file of the intermediate CA
    domain-name.key — RSA private key file for the certificate

3. Check that the key, CSR and certificate belong together:

openssl rsa -noout -modulus -in cert.key
openssl req -noout -modulus -in cert.csr
openssl x509 -noout -modulus -in cert.crt

All three commands should print the same modulus.
4. Check the validity dates of the new certificate:

openssl x509 -noout -dates -in cert.crt

5. Check that the domain certificate verifies against the intermediate certificate:

openssl verify -CAfile intermediate.crt domain-name.crt
domain-name.crt: OK

If you have several intermediate certificates, put them into one intermediate.crt file.
6. Create the chain certificate file:

cat domain-name.crt intermediate.crt > cert.crt

Remember that the first certificate must be the one for the desired domain; the intermediate(s) go after it.
7. Put cert.crt and cert.key into the server's ssl folder.
8. Restart the web server.
9. Check that the certificate was updated successfully (-servername sends SNI, so a server with several virtual hosts returns the certificate for this name):

openssl s_client -connect domain.name:443 -servername domain.name 2>/dev/null < /dev/null | openssl x509 -noout -dates
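The checks of steps 3-6 as one shell script, added here as an example (it is not part of the original notes); the file names are arguments, and the names in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: automates steps 3-6 above. All file names are arguments;
# nothing here is from the original notes.

# Fingerprint of the RSA modulus of a key, CSR or certificate, so the three
# can be compared with a string test instead of by eye.
modulus_fp() {  # $1 = rsa|req|x509 (openssl subcommand), $2 = file
    openssl "$1" -noout -modulus -in "$2" | openssl sha256 | awk '{print $NF}'
}

# Steps 3-5: key, CSR and certificate share one modulus, the certificate has
# not expired, and the leaf verifies against the intermediate. Returns 0 on success.
check_cert_set() {  # $1 = key, $2 = csr, $3 = leaf crt, $4 = intermediate crt
    key_fp=$(modulus_fp rsa "$1")
    csr_fp=$(modulus_fp req "$2")
    crt_fp=$(modulus_fp x509 "$3")
    if [ "$key_fp" != "$csr_fp" ] || [ "$key_fp" != "$crt_fp" ]; then
        echo "modulus mismatch between key, CSR and certificate" >&2
        return 1
    fi
    # -checkend N exits non-zero if the certificate expires within N seconds
    if ! openssl x509 -noout -checkend 0 -in "$3" >/dev/null; then
        echo "certificate is expired" >&2
        return 1
    fi
    # same check as the manual 'openssl verify -CAfile' step
    if ! openssl verify -CAfile "$4" "$3" >/dev/null 2>&1; then
        echo "certificate does not verify against the intermediate" >&2
        return 1
    fi
    return 0
}

# Step 6: the domain certificate first, then the intermediate(s).
build_chain() {  # $1 = leaf crt, $2 = intermediate crt, $3 = output file
    cat "$1" "$2" > "$3"
}

# Usage (assumed file names):
#   check_cert_set domain-name.key domain-name.csr domain-name.crt intermediate.crt \
#       && build_chain domain-name.crt intermediate.crt cert.crt
```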

Checking for missing intermediate certificate

If your browser says the site is untrusted and you get the following error:

openssl s_client -connect display.intencysrv.com:443 -showcerts
CONNECTED(00000003)
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = display.intencysrv.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = display.intencysrv.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = display.intencysrv.com
verify error:num=21:unable to verify the first certificate
verify return:1
<...>

then you are probably missing the intermediate certificate. Find it in Google, check that it is compatible and install it (see steps 4-5 above). You can also check remotely that the downloaded intermediate certificate is the right one:

openssl s_client -connect domain.name:443 -CAfile ca.crt

Look for "Verify return code: 0 (ok)" in the output.

Remember: Apache supports bundled certificates starting from 2.4.8. If you are using an Apache version prior to that, you might get a message about a missing intermediate certificate.

Useful functions for .bashrc/.zshrc

ssh domain.name will open a tmux terminal on the remote side, or reattach to the existing one.
It also reconnects when the connection has problems.

function ssh () {
    # autossh restarts the ssh session when the connection drops
    if ! command -v autossh >/dev/null 2>&1; then
        echo "Install autossh" >&2
        return 1
    fi
    AUTOSSH_POLL=20
    export AUTOSSH_POLL
    if [ $# -eq 1 ]; then
        # single argument = host: attach to the "alter" tmux session or create it;
        # -M 0 disables the monitoring port, so ssh keepalives must detect a dead link
        autossh -M 0 -o ServerAliveInterval=20 -o ServerAliveCountMax=3 "$@" -t "tmux attach -t alter || tmux new -s alter"
    elif [ $# -gt 1 ]; then
        # anything more complex: plain ssh; -A forwards the ssh agent to the remote host
        /usr/bin/ssh -A "$@"
    else
        /usr/bin/ssh -h
    fi
}

Post a message to the pastebin service:
$ echo 'test1' | pb
https://pb.idone.su/view/8f60b2b5
$ curl https://pb.idone.su/view/raw/8f60b2b5
test1

$ pb 'test2'
https://pb.idone.su/view/32974896
$ curl https://pb.idone.su/view/raw/32974896
test2

function pb(){
    # post $1, or stdin when no argument was given, as a private paste (expire=1440, private=1)
    if [ -n "$1" ]; then
        printf '%s\n' "$1"
    else
        cat
    fi | curl -d expire=1440 -d private=1 --data-urlencode text@- https://pb.idone.su/index.php/api/create
}

Security: mongodb

If MongoDB servers without authentication are reachable from your whole network, an attacker could:
— use system commands such as ls(), cat(), removeFile(), fuzzFile()
— use load(), which loads and runs a JavaScript file
— enable auth on your instances, so that you lose control of them
— detect whether the host runs Windows or Linux with _isWindows()
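A quick audit of a mongod.conf for the two settings that close this hole, added here as an example (not from the original post): authorization must be enabled, and bindIp should not expose the instance on every interface. The sample configs in the usage comment are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: audit a mongod.conf (YAML format).
# Returns 0 only if security.authorization is "enabled" and net.bindIp /
# net.bindIpAll does not listen on every interface (i.e. the whole network).
mongod_conf_audit() {  # $1 = path to mongod.conf
    awk '
        /^[^ \t#]/ { section = $1; sub(/:.*/, "", section) }   # remember top-level key
        section == "security" && $1 == "authorization:" && $2 == "enabled" { auth = 1 }
        section == "net" && $1 == "bindIp:" { bind = $2 }
        section == "net" && $1 == "bindIpAll:" && $2 == "true" { bind = "0.0.0.0" }
        END {
            rc = 0
            if (!auth) {
                print "security.authorization is not enabled" > "/dev/stderr"; rc = 1
            }
            # 0.0.0.0 or :: in the comma-separated list means every interface
            if (bind ~ /0\.0\.0\.0/ || ("," bind ",") ~ /,::,/) {
                print "net.bindIp exposes mongod on all interfaces: " bind > "/dev/stderr"; rc = 1
            }
            exit rc
        }' "$1"
}

# Usage (constructed sample path): mongod_conf_audit /etc/mongod.conf && echo "looks ok"
```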

Puppet: apt-get update before Package installation

The obvious way:

package { 'pssh':
    ensure  => 'present',
    require => Exec['apt-get update'],
}

But if several modules each declare their own apt-get update Exec for their packages, apt-get update will be executed several times.

I found a better way:

exec { "apt-update":
    command => "/usr/bin/apt-get update",
}
Exec["apt-update"] -> Package <| |>

It executes apt-get update once, before all Packages. Note that the collector Package <| |> also realizes any virtual Package resources in the catalog.