Sysadmin Blog

How to remove Private Key Password from pkcs12 container?

- Export to temporary pem file

openssl pkcs12 -in protected.p12 -nodes -out temp.pem
#  -> Enter password

- Convert pem back to p12

openssl pkcs12 -export -in temp.pem  -out unprotected.p12
# -> Just press [return] twice for no password

- Remove temporary certificate

rm temp.pem

How do I verify that a private key matches a certificate?

To verify that an RSA private key matches the RSA public key in a certificate you need to i) verify the consistency of the private key and ii) compare the modulus of the public key in the certificate against the modulus of the private key.

To verify the consistency of the RSA private key:

openssl rsa -check -noout -in myserver.key
RSA Key is ok

If it doesn't say 'RSA key ok', it isn't OK!"

To view its modulus:

openssl rsa -modulus -noout -in myserver.key | openssl md5

To view the modulus of the RSA public key in a certificate:

openssl x509 -modulus -noout -in myserver.crt | openssl md5

If the first commands shows any errors, or if the modulus of the public key in the certificate and the modulus of the private key do not exactly match, then you're not using the correct private key.

Check CRL for revoked certificates and valitity of CRL itself

To find out if a client certificate was rejected or if the Certificate Revocation List itself is still valid (not older than "Next Update" attribute defined):

openssl crl -inform DER -text -noout -in mycrl.crl

Most CRLs are DER encoded, but you can use -inform PEM if your CRL is not binary. If you’re unsure if it is DER or PEM open it with a text editor. If you see —–BEGIN X509 CRL—– then it’s PEM and if you see strange binary-looking garbage characters it’s DER.

i-mscp certbot fix

The current let's encrypt plugin won't work any more, it throws an error about expired certificate when verifing after issuance, and removes SSL/TLS encryption for the site. This is caused because one of the LE root certificates has been expired.

So I searched for a quick fix so that newly issued certificates will work again, and have written a small patch for the certbot client you can find here. This will remove the expired root CA cert within the certificate chain, resulting in verification done by i-mscp won't fail any more.

SELinux Survival Guide

On SELinux enabled systems (default on CentosOS/RHEL 6.x and higher), it may deny access when system utilities are called from a daemon's context used for automation or monitoring purposes.

You will see some deny messages within /var/log/audit.log that indicate SELinux is blocking access.

So follow this procedure for simply allow things denied by SELinux policies:

Build SELinux Policy

1. Set concerning context to permissive (will still log whitn audit.log:

semanage permissive -a zabbix_agent_t

2. Allow logging even rules are set to dontaudit:

semodule -DB

3. Now let the programme or script do its intended job.

Important: If the programme is doing things that wouldn't be done at every run, like caching (e.g. yum), try to clean programme's cache before running so you catch everything it may do!

4. Search for log entries and build a policy module & package out of it, analysis beginning from date today" (and optionally a time spec):

ausearch -r -m avc -ts today [HH:MM] | audit2allow -M zabbix_megacli

5. Import policy package:

semodule -i zabbix_megacli.pp

6. Disable permissive mode for context again:

semanage permissive -d zabbix_agent_t

7. Disable logging of rules defined as dontaudit:

semodule -B

8. Test if intended stuff works now!

Adjust policy

When you still see some single denials within audit.log, and quickly what to complete the policy with the rules seen, you may:

1. Edit zabbix_megacli.te and add missing operations like write, lock, etc. to the allow rules - don't forget to also specify those ops within concerning class!

2. Compile module file:

checkmodule -M -m -o zabbix_megacli.mod zabbix_megacli.te

3. (Re-)create the module package from module file:

semodule_package -o zabbix_megacli.pp -m zabbix_megacli.mod

For more info, see here:
https://www.centos.org/docs/5/html/Deployment_Guide-en-US/sec-sel-building-policy-module.html
3. Import policy package:

semodule -i zabbix_megacli.pp

Apply Policy to other hosts

1. Copy the policy package (.pp) to the host you want to apply policy

2. Run the following command on every machine to load the package:

semodule -i zabbix_megacli.pp

Windows always fails on installing monthly security rollup update

When trying to install Windows security rollup update on computer with dual boot, Windows Update always fails.

Symptom

During shutdown, Windows starts preparing the update and during the next boot, it continues until around 80-100%. Then it fails, rolls back the upgrade and reboots again. After that, the update is still listed for installation and shows as failed attempt in the update log with error code 80004005.

Solution

1. Get Windows to boot using its native boot loader

Windows will then boot the active partition from MBR, temporarily remove the boot loader!. So make sure that partition where Windows is installed is the active partition (e.g. using Disk Management)!

Start Ubuntu (either installed one or from a USB Stick) and run following commands:

sudo apt-get install mbr
sudo install-mbr -i n -p D -t 0 /dev/sdX

(replace sdX with the disk where Windows is installed!)

Attention: This makes your linux installation unbootable if you run mbr command on the disk you normally boot Linux from, so ensure:
- you have a current backup of your value data
- have a USB stick at hand with Ubuntu ISO Image

If you have installed Windows on an other (second) harddisk, also go to BIOS Setup and change boot order so the disk containing Windows is in first order (before the one containing Linux).

2. Install Security Rollup Update

On subsequent reboots, your computer will now boot directly into Windows (without showing GRUB menu anymore).

Start Security Rollup Update again:
* Go to Windows Update (Control Panel -> Sytem and Security -> Windows Update)
* Choose "Check for updates"
* Make sure Security Rollup is selected
* Choose "Install Updates"

This time, after 2-3 reboots, update should succeed.

3. Make Linux bootable again

a) When changed boot order to start Windows directly from another disk, go to BIOS Setup again and switch order back, so the harddisk with GRUB installed will be ordered before the HD containing Windows installation.

b) When installed "original" MBR to the disk where GRUB was installed, you have to repair the Linux Bootloader:
* boot using a USB Stick containing e.g. Ubuntu Linux ISO image
* mount your root and boot Linux partitions, e.g.

mkdir -p /mnt/root && mount /dev/sda6 /mnt/root && mount /dev/sda5 /mnt/root/boot

(replace with device where your linux partitions resides, if in doubt, first run fdisk -l /dev/sda)

* chroot your Linux installation:

chroot /mnt/root /bin/bash

* install grub again to Master Boot Record, e.g.

grub-install /dev/sda

(grub configuration should be available on /boot)

* Exit chroot environment

exit

* Unmount Linux partitions:

umount /mnt/root/boot /mnt/root

* reboot your system

You now should see GRUB boot menu again, where you can boot either Linux or Windows...

Reverse Proxy mit HTTP Auth im Backend

Damit man über einen Reverse-Proxy auf einen Web-Server zugreifen kann, welcher seinerseits wieder mit HTTP Basic Authentifizierung geschützt ist (und im Backend andere Login-Informationen als für die Anmeldung am Reverse Proxy erforderlich sind), muss die HTTP-Authentifizierung für den Backend-Server im Proxy-Abschnitt mitgegeben werden.

Dazu muss zuerst Benutzername und Passwort in eine Base64-Zeichenkette encodiert werden:

echo -n "User:Pass" | base64
VXNlcjpQYXNz

(auch wenn kein Benutzername benutzt wird, muss das Doppelpunkt im zu encodierenden String enthalten sein!)

Danach in der Konfiguration des als Reverse-Proxy verwendeten Frontend-Servers folgendes z.B. in einen Location-Abschnitt hinzufügen.

Apache:

RequestHeader set Authorization "Basic VXNlcjpQYXNz"

Nginx:

proxy_set_header Authorization "Basic VXNlcjpQYXNz";

Technischer Hintergrund:

Sofern dieselben Anmelde-Informationen im Backend verwendet werden wie im Frontend (Reverse-Proxy), sollte dieses bei der nachfolgenden HTTP-Auth Anfrage transparent vom Client Web-Browser weitergereicht werden, und obiger Parameter ist nicht notwendig.

Wird hingegen versucht, sich mit unterschiedlichen HTTP-Auth Passwörter anzumelden (zuerst dasjenige für den Reverse-Proxy, dann dasjenige, welches der Backend-Webserver verlangt), ist darauf sofort die Anmeldung am Proxy nicht mehr gültig -> Ein Zugriff würde so also nie funktionieren!

Test SMTP Auth

Sometimes, you need to test SMTP auth (for sending e-mails) is working properly and you don't want (or can't) test with an ordinary email client.

One can test using a telnet session. But first, you must encode username and password using this command snipplet:

echo -en "testlogin" | openssl enc -base64
dGVzdGxvZ2lu
echo -en "testpass" | openssl enc -base64
dGVzdHBhc3M=

Then:

telnet  25 (or 587)

Now you do the same as an e-mail client:

HELO mybox.mydomain.tld
250 host.domain.tld
AUTH LOGIN
334 VXNlcm5hbWU6
dGVzdGxvZ2lu
334 UGFzc3dvcmQ6
dGVzdHBhc3M=
235 2.7.0 Authentication successful
quit
221 2.0.0 Bye

If something with "Authentication successful" appears, login was able to authenticate against the mail server for sending e-mail.

REMARK: There are some other sites with examples in perl that don't work with full e-mail address usernames (user@domain.tld) because of lack of escaping the "@" sign that designates a perl array.

Turning SSLv3 off on Apache Server to mitigate "POODLE" attack (CVE-2014-3566)

Add the following to your SSL configuration section:


   # Disable SSLv2 & SSLv3 against POODLE issue (CVE-2014-3566)
    SSLProtocol All -SSLv2 -SSLv3

Note to insert this to all VirtualHost sections where SSL is enabled!

Check your config:

apachectl configtest

Then restart apache server:

sudo service apache2 restart

To check if SSLv3 is turned off:

openssl s_client -connect server.domain.tld:443 -ssl3

Then you shold see a message like this:

error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1260:SSL alert number 40

To disable SSLv3 within other services:
see this post

Check certificate on a server

Issue the following command:

openssl s_client -CApath /etc/ssl/certs/ -connect :993

For testing on a mail server supporting both non-encrypted and encrypted (TLS) connections using STARTTLS method:

openssl s_client -CApath /etc/ssl/certs/ -starttls smtp -connect :25

There should be stated quite at end of command output:

    Verify return code: 0 (ok)

before an eventual greeting message of the server.

A bit above, you can check the certificate chain completeness:

Certificate chain
 0 s:/description=3UwjnK9kRZ2wUo8e/C=CH/CN=domain1.ownspace.ch/emailAddress=hostmaster@ownspace.ch
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
 1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
---

The last i(ssuer) is the root cert that most client will trust.