The Linux Questions Thread: a bunch of pitfalls, but technically it's possible

The Something Awful Forums > Discussion > Serious Hardware/Software Crap > The Linux Questions Thread: a bunch of pitfalls, but technically it's possible

«‹›1035 »

Suspicious Dish: Sep 24, 2011; 2020 is the year of linux on the desktop, bro; Fun Shoe

A tiny bit. The application input model is a lot better than XInput 2, but hardware support is still the same.

# ? Aug 13, 2015 08:39

Adbot: ADBOT LOVES YOU

# ? May 29, 2024 00:52

theperminator: Sep 16, 2009; by Smythe; Fun Shoe

RFC2324 posted:

If I add a disk without a partition to an LVM group, is it going to mess anything up?

ie the following commands being run
code:
pvcreate /dev/sda
vgextend systemvg /dev/sda
then extend the partition to use that extra space.

This should be fine, it's how I usually do it.
It also helps you avoid rebooting, you used to be able to expand the partition on disk without rebooting but some assholes patched the kernel to block rescans of the partition table when some of the partitions are in use. (At least on redhat)

Also if you add -r to your lvextend command it will automagically extend your XFS partition, fsck is done by XFS automatically at mount, the fsck.xfs command literally does nothing.

theperminator fucked around with this message at 08:48 on Aug 13, 2015

# ? Aug 13, 2015 08:42

Jerry Bindle: May 16, 2003

What's the right way to route :80 traffic to :8080? I'm flooded with ways to do this, and unable to determine what the 'right' way is on CentOS w/ systemd. Seems like the way is to do it with iptables, right?

# ? Aug 13, 2015 15:33

RFC2324: Jun 7, 2012; http 418

Barnyard Protein posted:

What's the right way to route :80 traffic to :8080? I'm flooded with ways to do this, and unable to determine what the 'right' way is on CentOS w/ systemd. Seems like the way is to do it with iptables, right?

I prefer doing it at the router, but if I had to do it at the system, I would use either iptables, or an htaccess redirect if its for web traffic.

# ? Aug 13, 2015 15:38

kujeger: Feb 19, 2004; OH YES HA HA

probably best to manipulate iptables/firewalld with firewall-cmd

# ? Aug 13, 2015 15:38

RFC2324: Jun 7, 2012; http 418

kujeger posted:

probably best to manipulate iptables/firewalld with firewall-cmd

if your distro uses that.

# ? Aug 13, 2015 16:26

spankmeister: Jun 15, 2008

I don't like firewalld and I use the old iptable scripts instead :corsair:

# ? Aug 13, 2015 16:32

kujeger: Feb 19, 2004; OH YES HA HA

RFC2324 posted:

if your distro uses that.

Barnyard Protein said centos w/ systemd, and that is centos 7 -- which uses firewalld

# ? Aug 13, 2015 16:52

evol262: Nov 30, 2010; #!/usr/bin/perl

spankmeister posted:

I don't like firewalld and I use the old iptable scripts instead

The point of firewalld is that iptables is going away. You can learn nftables if you want to when the switch happens, but we're slowly trying to make it a little friendlier than "we deprecated $arcane_syntax so learn $new_arcane_syntax ASAP!"

# ? Aug 13, 2015 18:01

RFC2324: Jun 7, 2012; http 418

No, don't take away my $arcane_syntax !!!!

# ? Aug 13, 2015 18:02

spankmeister: Jun 15, 2008

RFC2324 posted:

No, don't take away my $arcane_syntax !!!!

# ? Aug 13, 2015 18:04

fuf: Sep 12, 2004; haha

I just got a Debian server provided by oneprovider and logging in for the first time there are two user accounts with directories in /home called "onepad67" and "ssadmin". What are they? :shobon:

# ? Aug 13, 2015 18:48

Powered Descent: Jul 13, 2008; We haven't had that spirit here since 1969.

Speaking of systemd, can anyone recommend a decent intro to it for us oldschool sysadmins who don't trust the newfangled whizbang? :corsair:

Where I work, we're staying on CentOS 6 for the foreseeable future specifically to avoid systemd. But I know I'm going to encounter it sooner or later, and when that happens, it'd be nice to at least have some clue what the hell I'm even looking at.

# ? Aug 13, 2015 19:20

unruly: May 12, 2002; YES!!!

Powered Descent posted:

Speaking of systemd, can anyone recommend a decent intro to it for us oldschool sysadmins who don't trust the newfangled whizbang?

Where I work, we're staying on CentOS 6 for the foreseeable future specifically to avoid systemd. But I know I'm going to encounter it sooner or later, and when that happens, it'd be nice to at least have some clue what the hell I'm even looking at.

Arch's Wiki Page is a pretty decent place to start. It's not everything you need to know, but it covers a lot of the common stuff you're likely to encounter.

# ? Aug 13, 2015 19:29

evol262: Nov 30, 2010; #!/usr/bin/perl

Powered Descent posted:

Where I work, we're staying on CentOS 6 for the foreseeable future specifically to avoid systemd. But I know I'm going to encounter it sooner or later, and when that happens, it'd be nice to at least have some clue what the hell I'm even looking at.

Upstart (which is on EL6) is a pile of poo poo.

systemd should be mostly invisible to you, except in the cases where it's way, way better than anything else. Like writing very dynamic, human-readable unit files for services in 20 lines, which properly trigger on a whole mess of dependency chains later, or filesystems being mounted, or whatever without 100-500 lines of horrible boilerplate shell that sources other awful shell utility scripts (or in the case of upstart, simply has bugs which will never be fixed), plus it can track forked children, etc

What real reason do you have to avoid systemd other than "it's different", which applies to 500 other technologies you're not avoiding which are also different from their predecessors?

# ? Aug 13, 2015 19:50

Super-NintendoUser: Jan 16, 2004; COWABUNGERDER COMPADRES; Soiled Meat

I'm having a terrible time sorting out some TLS w/ LDAP problems. Maybe someone can help me. I've been killing myself for a few days and it's driving me nuts.

So I need to auth against LDAP from a Linux process. I don't need user login on the linux server itself, I just need my application to auth against ldap. I have all that working, just not with TLS, which is required for me to promote from dev to production. I'm having a CA Cert problem, and I'm just stumped. I know 100% what I'm doing, but it's just not working.

1) I went to the domain controller and download the CA Cert:
http://dc1.company.com/certsrv
Download CA Certificate in DER format

2) Uploaded it to the linux server and converted it to a PEM
openssl x509 -inform der -in /service/ssl/certnew.cer -outform PEM -out /service/ssl/dc1.pem

3) Connect to LDAP Server on port 636 with openssl to test:
openssl s_client -CAfile dc1.pem -connect dc1.em.corp:636

Usually this works, but I get an error (big CP) sorry.

code:

BASH-root@dev /service/ssl# openssl s_client -CAfile dc1.pem -connect dc1.em.corp:636
CONNECTED(00000003)
depth=0 CN = DC1.me.corp
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = DC1.me.corp
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = DC1.me.corp
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=DC1.me.corp
   i:/DC=corp/DC=me/CN=me-MECLOUD-SERV-CA
---
Server certificate
-----BEGIN CERTIFICATE-----
lol no copy
-----END CERTIFICATE-----
subject=/CN=DC1.me.corp
issuer=/DC=corp/DC=me/CN=me-MECLOUD-SERV-CA
---
Acceptable client certificate CA names
/DC=corp/DC=me/CN=me-DC1-CA
/CN=DC1.me.corp
/DC=corp/DC=me/CN=me-SERVICES1-CA
/DC=corp/DC=me/CN=WIRELESS-CA
/DC=corp/DC=me/CN=me-MECLOUD-SERV-CA
/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
/C=US/O=U.S. Government/OU=FPKI/CN=Federal Common Policy CA
/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Root Certificate Authority 2010
/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Root Certificate Authority 2011
/OU=Copyright (c) 1997 Microsoft Corp./OU=Microsoft Corporation/CN=Microsoft Root Authority
/DC=com/DC=microsoft/CN=Microsoft Root Certificate Authority
/CN=NT AUTHORITY
---
SSL handshake has read 3520 bytes and written 601 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1439494432
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---

read:errno=104

So I don't trust the cert, but I'm pointing at the CAfile. Also:

subject=/CN=DC1.me.corp
issuer=/DC=corp/DC=me/CN=me-MECLOUD-SERV-CA

Acceptable client certificate CA names

/DC=corp/DC=me/CN=me-MECLOUD-SERV-CA

Doesn't that mean the CA should match and be trusted? I can't figure it out. Is there a way to check the cert? Maybe our DC cert is invalid or something. Any help?

# ? Aug 13, 2015 20:41

ChubbyThePhat: Dec 22, 2006; Who nico nico needs anyone else

You could try supplying the server name to openssl in the event that the server requires SNI?

openssl s_client -CAfile dc1.pem -connect dc1.em.corp:636 -servername dc1.em.corp

# ? Aug 13, 2015 21:41

Super-NintendoUser: Jan 16, 2004; COWABUNGERDER COMPADRES; Soiled Meat

ChubbyThePhat posted:

You could try supplying the server name to openssl in the event that the server requires SNI?

openssl s_client -CAfile dc1.pem -connect dc1.em.corp:636 -servername dc1.em.corp

Nope, doesn't work. I think from what I gathered via Googles, is that the LDAP server doesn't provide the entire certificate chain, so open_ssl doesn't trust it, even with the CA file.

# ? Aug 13, 2015 21:45

spankmeister: Jun 15, 2008

ChubbyThePhat posted:

You could try supplying the server name to openssl in the event that the server requires SNI?

openssl s_client -CAfile dc1.pem -connect dc1.em.corp:636 -servername dc1.em.corp

I don't think LDAP uses SNI at all.

# ? Aug 13, 2015 21:52

ChubbyThePhat: Dec 22, 2006; Who nico nico needs anyone else

spankmeister posted:

I don't think LDAP uses SNI at all.

Oh poo poo, you might be right.

# ? Aug 13, 2015 21:54

Powered Descent: Jul 13, 2008; We haven't had that spirit here since 1969.

evol262 posted:

What real reason do you have to avoid systemd other than "it's different", which applies to 500 other technologies you're not avoiding which are also different from their predecessors?

A few of the folks here do have that philosophical grudge against systemd, but the real reason we decided to stick with CentOS 6 for a while yet was because none of us really know what the hell we're doing, systemd-wise. There were no compelling reasons to make the leap that we could see, so we didn't.

# ? Aug 13, 2015 23:25

evol262: Nov 30, 2010; #!/usr/bin/perl

SIR FAT JONY IVES posted:

Nope, doesn't work. I think from what I gathered via Googles, is that the LDAP server doesn't provide the entire certificate chain, so open_ssl doesn't trust it, even with the CA file.

Did you set TLS_CACERT? IIRC, this is required, but ldaps is hell.

Powered Descent posted:

A few of the folks here do have that philosophical grudge against systemd, but the real reason we decided to stick with CentOS 6 for a while yet was because none of us really know what the hell we're doing, systemd-wise. There were no compelling reasons to make the leap that we could see, so we didn't.

From an administrator's perspective, it's identical to previous init systems, except where it's better.

All the same commands you're used to still work (other than initctl, but you're probably not using that anyway). sysv init scripts still work with no changes if you have them, but you can probably scrap those and move to unit files.

Everything boots faster, in parallel. It's an order of magnitude faster on most systems.

There are really no downsides, and you don't need to know what you're doing, "systemd-wise", because all the tooling you're used to ("service foo start", "chkconfig foo on", etc) still works, though it may give deprecation warnings. You can mentally replace almost all of those with "systemctl start foo" or "systemctl enable foo" instead. That's it.

There aren't really any valid philosophical objections to systemd. We've (I've) rehashed it repeatedly in this thread, but you should just tell whatever "folks" there who have a "philosophical objection" to it (presumably on the basis of Red Hat and Poettering being mustache twirling Linux villains) to read the Debian debates on init systems and why they settled on systemd. It's inarguably better than all its competitors in every way, and most of the complaints about systemd containing everything are actually about optional components under the systemd umbrella and not actually the init part.

But if you want to learn way too much about systemd and all the ways in which it makes life as an admin better, you should go read this series

# ? Aug 13, 2015 23:49

telcoM: Mar 21, 2009; Fallen Rib

SIR FAT JONY IVES posted:

1) I went to the domain controller and download the CA Cert:
http://dc1.company.com/certsrv
Download CA Certificate in DER format

The domain controller certainly seems to be a CA. However, it might not be your root CA, but just an intermediate one.

SIR FAT JONY IVES posted:

code:

BASH-root@dev /service/ssl# openssl s_client -CAfile dc1.pem \
    -connect dc1.em.corp:636
CONNECTED(00000003)
depth=0 CN = DC1.me.corp
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = DC1.me.corp
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = DC1.me.corp
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=DC1.me.corp
   i:/DC=corp/DC=me/CN=me-MECLOUD-SERV-CA

You've told OpenSSL to trust whatever certificate is in the dc1.pem file **for the purpose of validating other certificates only**. This means its validity for working as a server might still be undecided. And OpenSSL really wants to see the complete chain anyway.

The "Certificate chain" indicates the certificate returned from dc1.em.corp port 636 had Subject /CN=dc1.me.corp, pretty much as expected.

The issuer of that certificate was /DC=corp/DC=me/CN=me-MECLOUD-SERV-CA, and now OpenSSL wants to see a CA certificate that has exactly that as its Subject.

SIR FAT JONY IVES posted:

Is there a way to check the cert? Maybe our DC cert is invalid or something.

Sure.
Simple, but overly verbose:

code:

$ openssl x509 -in dc1.pem -noout -text
or
$ openssl x509 -in /service/ssl/certnew.cer -inform DER -noout -text

Longer command, but nicer output for most purposes:

code:

$ alias viewcert='openssl x509 -noout -text -certopt no_pubkey,no_sigdump,no_header,ext_parse -in'
then
$ viewcert dc1.pem
or
$ viewcert /service/ssl/certnew.cer -inform DER

(Put that "alias ..." line to your .profile, .bashrc or equivalent to have a handy command to view certificates in human-readable form that has no useless hex dumps of the public key and signature included.)

I am guessing your problem might be that the certificate in your dc1.pem has Subject: CN=dc1.me.corp.

For the OpenSSL -CAfile option, you'll need a certificate that has Subject: DC=corp, DC=me, CN=me-MECLOUD-SERV-CA. If that's the top level certificate (i.e. its Subject and Issuer fields both have the exact same value), you're done. But if that certificate has a different Issuer, then you haven't reached the root of the chain yet and you'll have to get the certificate whose Subject is the same as the Issuer you just found.

telcoM fucked around with this message at 06:01 on Aug 14, 2015

# ? Aug 14, 2015 05:59

Gucci Loafers: May 20, 2006; Ask yourself, do you really want to talk to pair of really nice gaudy shoes?

While we're all on the subject of certificates, is there a good walkthrough of how they work?

I'm able to install them blindly following instructions but I'd like to know how things work under the hood so if something breaks I'm not endlessly searching in Google spinning my wheels.

# ? Aug 14, 2015 15:18

Suspicious Dish: Sep 24, 2011; 2020 is the year of linux on the desktop, bro; Fun Shoe

There's a payload specifying various fields (e.g. who issued it? what website is it for?), specified in a standard called "X.509". You send that certificate to a certificate authority, who signs it. Your OS / browser has code and data to check for signatures for hundreds of different certificate authorities, and verifies that the signature is signed by one of those, and that the fields match up.

# ? Aug 14, 2015 16:52

evol262: Nov 30, 2010; #!/usr/bin/perl

The whole "who issued it" thing can get tricky, because it's possible that "who issued it" wasn't a root CA, and the "issuer" field in "who issued it" also isn't a root CA, so you end up walking the chain back up, which is where Tony's issue potentially gets thorny.

# ? Aug 14, 2015 17:37

Super-NintendoUser: Jan 16, 2004; COWABUNGERDER COMPADRES; Soiled Meat

Yeah, I think that's the problem. So the problem I have now is that I can get, at the client, LDAP with TLS working if I use a standalone ldap browser, and ldapsearch tools. In our software, though, TLS fails for user auth. I open a dev ticket, but until I reproduce it on a dev system here in house, they won't do anything. The problem with that, is this cert nonsense we are dealing with.

They even sent me a cert and credentials on a test domain, but they fail too.

# ? Aug 14, 2015 19:06

covener: Jan 10, 2004; You know, for kids!

SIR FAT JONY IVES posted:

Yeah, I think that's the problem. So the problem I have now is that I can get, at the client, LDAP with TLS working if I use a standalone ldap browser, and ldapsearch tools. In our software, though, TLS fails for user auth. I open a dev ticket, but until I reproduce it on a dev system here in house, they won't do anything. The problem with that, is this cert nonsense we are dealing with.

They even sent me a cert and credentials on a test domain, but they fail too.

Are you sure your failing executable uses with the systems native LDAP SDK?

Beyond just having a different LDAP client library with a different SSL impl or trust store, more obscure problems I've seen in this neighborhood is servers that send their intermediate certificates out-of-order, which is tolerated by some SSL libraries and not others. If it's a total blackbox, In a pinch, I'd look at strace to see if any on-disk certificates or vaguely cert-related directories are loaded.

If you can get a little bit of code slipped into your executable, have them try ldap_set_option of LDAP_DEBUG to produce some debugging to stderr. Values that are useful vary wildly (see e.g. http://httpd.apache.org/docs/trunk/mod/mod_ldap.html#ldaplibrarydebug).

I don't recall seeing a verbatim error from your real app. On the off chance this happens to be some proprietary IBM software on Linux, name it and I can probable help as I have a lot of experience with their SSL and LDAP client libraries.

# ? Aug 14, 2015 19:16

evol262: Nov 30, 2010; #!/usr/bin/perl

If it's the large financial I used to work for, they'll have 7 certificates in the signing chain, and the native ldapsearch stuff is the crap packed with VAS, but hopefully you're luckier.

# ? Aug 14, 2015 20:06

Super-NintendoUser: Jan 16, 2004; COWABUNGERDER COMPADRES; Soiled Meat

covener posted:

Are you sure your failing executable uses with the systems native LDAP SDK?

Beyond just having a different LDAP client library with a different SSL impl or trust store, more obscure problems I've seen in this neighborhood is servers that send their intermediate certificates out-of-order, which is tolerated by some SSL libraries and not others. If it's a total blackbox, In a pinch, I'd look at strace to see if any on-disk certificates or vaguely cert-related directories are loaded.

If you can get a little bit of code slipped into your executable, have them try ldap_set_option of LDAP_DEBUG to produce some debugging to stderr. Values that are useful vary wildly (see e.g. http://httpd.apache.org/docs/trunk/mod/mod_ldap.html#ldaplibrarydebug).

I don't recall seeing a verbatim error from your real app. On the off chance this happens to be some proprietary IBM software on Linux, name it and I can probable help as I have a lot of experience with their SSL and LDAP client libraries.

It's a total black box, I'm just the SA that is installing it.

What I have now is:

1) Client gave me a CA Cert, user, password, and dev LDAP server address.
2) From Java Explorer (an unrelated java app that I'm testing with) TLS, user, password, it all works
3) From our Management Console, which is a program we run that lets you configure our application, you can verify against LDAP, it works with TLS.
4) From our actual application, ldap auth works, but when you set "TLS=true" it always fails. The MC from #3 uses the same authentication, I though, so I'm not sure why that one fails. It's almost for sure a bug with or program.

What sucks is that our docs don't specifically say where the CACert has to live. They mention how to confirm openldap, but don't give a reason why. For the MC you need to have the cert locally (like on your Windows PC) even though the Linux server does the actual auth. For the windows client I guess it's the same, but in the MC there's a field for Cert, no such field on the client side. In my applications log it says "LDAP ERROR:0" and that's it.

So I opened up a ticket, but they told me I need to get it working locally before I sandbox on a client's LDAP system. My engineering manager helpfully pointed out we have an in-house test ldap domain, so I requested the cert, username, password, and address. I was given that, but the username and password fail.

However, even if I had a working set of credentials, on the test server, I still get this:

code:

eMacbook:Desktop eric$ openssl s_client -CAfile emtest.pem -connect 10.9.2.2:636
CONNECTED(00000003)
depth=0 /CN=DC1TEST.EMTEST.corp
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /CN=DC1TEST.EMTEST.corp
verify error:num=27:certificate not trusted
verify return:1
depth=0 /CN=DC1TEST.EMTEST.corp
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=DC1TEST.EMTEST.corp
   i:/DC=corp/DC=EMTEST/CN=EMTEST
---
Server certificate
-----BEGIN CERTIFICATE-----
snip
-----END CERTIFICATE-----
subject=/CN=DC1TEST.EMTEST.corp
issuer=/DC=corp/DC=EMTEST/CN=EMTEST
---
Acceptable client certificate CA names
/DC=corp/DC=EMTEST/CN=DC1TEST
/DC=corp/DC=EMTEST/CN=EMTEST
/C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
/C=US/O=VeriSign, Inc./OU=Class 4 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services Division/CN=Thawte Personal Freemail CA/emailAddress=personal-freemail@thawte.com
/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services Division/CN=Thawte Personal Premium CA/emailAddress=personal-premium@thawte.com
/C=US/O=First Data Digital Certificates Inc./CN=First Data Digital Certificates Inc. Certification Authority
/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services Division/CN=Thawte Personal Basic CA/emailAddress=personal-basic@thawte.com
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
/C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority
/C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
/C=HU/L=Budapest/O=NetLock Halozatbiztonsagi Kft./OU=Tanusitvanykiadok/CN=NetLock Uzleti (Class B) Tanusitvanykiado
/C=US/O=GTE Corporation/CN=GTE CyberTrust Root
/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
/C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server Certification Authority
/C=HU/ST=Hungary/L=Budapest/O=NetLock Halozatbiztonsagi Kft./OU=Tanusitvanykiadok/CN=NetLock Kozjegyzoi (Class A) Tanusitvanykiado
/C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Root
/C=HU/L=Budapest/O=NetLock Halozatbiztonsagi Kft./OU=Tanusitvanykiadok/CN=NetLock Expressz (Class C) Tanusitvanykiado
/OU=Copyright (c) 1997 Microsoft Corp./OU=Microsoft Corporation/CN=Microsoft Root Authority
/DC=com/DC=microsoft/CN=Microsoft Root Certificate Authority
---
SSL handshake has read 4793 bytes and written 324 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    Start Time: 1439580232
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---

read:errno=0

viewing the CA Cert they provided I get this:

code:

eMacbook:Desktop eric$ viewcert emtest.pem
        Version: 3 (0x2)
        Serial Number:
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: DC=corp, DC=EMTEST, CN=EMTEST
        Validity
            Not Before: Aug 14 09:10:36 2015 GMT
            Not After : Aug 13 09:10:36 2016 GMT
        Subject: CN=DC1TEST.EMTEST.corp
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            S/MIME Capabilities:
    0:d=0  hl=2 l=  53 cons: SEQUENCE
    2:d=1  hl=2 l=  14 cons:  SEQUENCE
    4:d=2  hl=2 l=   8 prim:   OBJECT            :rc2-cbc
   14:d=2  hl=2 l=   2 prim:   INTEGER           :80
   18:d=1  hl=2 l=  14 cons:  SEQUENCE
   20:d=2  hl=2 l=   8 prim:   OBJECT            :rc4
   30:d=2  hl=2 l=   2 prim:   INTEGER           :80
   34:d=1  hl=2 l=   7 cons:  SEQUENCE
   36:d=2  hl=2 l=   5 prim:   OBJECT            :des-cbc
   43:d=1  hl=2 l=  10 cons:  SEQUENCE
   45:d=2  hl=2 l=   8 prim:   OBJECT            :des-ede3-cbc

            X509v3 Subject Key Identifier:
            1.3.6.1.4.1.311.20.2:
    0:d=0  hl=2 l=  32 prim: BMPSTRING

            X509v3 Authority Key Identifier:

            X509v3 CRL Distribution Points:
                URI:ldap:///CN=EMTEST,CN=DC1TEST,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=EMTEST,DC=corp?certificateRevocationList?base?objectClass=cRLDistributionPoint
                URI:[url]http://dc1test.emtest.corp/CertEnroll/EMTEST.crl[/url]

            Authority Information Access:
                CA Issuers - URI:ldap:///CN=EMTEST,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=EMTEST,DC=corp?cACertificate?base?objectClass=certificationAuthority
                CA Issuers - URI:[url]http://dc1test.emtest.corp/CertEnroll/DC1TEST.EMTEST.corp_EMTEST.crt[/url]

            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                othername:<unsupported>, DNS:DC1TEST.EMTEST.corp

I have no idea, it seems to match up.

# ? Aug 14, 2015 20:43

Super-NintendoUser: Jan 16, 2004; COWABUNGERDER COMPADRES; Soiled Meat

evol262 posted:

If it's the large financial I used to work for, they'll have 7 certificates in the signing chain, and the native ldapsearch stuff is the crap packed with VAS, but hopefully you're luckier.

The issue is not at the bank, it's with the test dc my company has. They won't help me troubleshoot it at the bank, I have to duplicate it here, which means figuring out the cert from this system. At the bank it all works fine, except for in our app, so I know the cert is good there. I have to solve a problem that I'm not having at the client here first, then I can get help from my developers. It's irritating.

# ? Aug 14, 2015 20:44

Super-NintendoUser: Jan 16, 2004; COWABUNGERDER COMPADRES; Soiled Meat

I think I finally get it:

code:

eMacbook:emtest eric$ viewcert emtest.ca.pem
        Issuer: DC=corp, DC=EMTEST, CN=EMTEST
        Subject: CN=DC1TEST.EMTEST.corp

So this CA file they gave me is issued by emtest.emtest.corp.
However, the server I'm connecting to gives me the same thing:

code:

eMacbook:emtest eric$ viewcert emtest.server.crt
       Issuer: DC=corp, DC=EMTEST, CN=EMTEST
       Subject: CN=DC1TEST.EMTEST.corp

Openssl looks at the cert the server gives me and needs to see a CA with the same SUBJECT as the ISSUER of the cert the server gives me, in this case EMTEST.EMTEST.CORP. So since my CA has as it's subject DC1TEST.EMTEST.corp, it's bogus. I need a cert with the right subject, preferably they CA cert has the same subject and issuer, but I atleast need the subject to match the issuer of the cert I'm attempting to trust, or atleast fill in all the steps in the servers cert, but there's only one step here.

How can I get that cert? I have no idea. usually I'd just go to http://dc1.emtest.corp/certsrv and grab it, but gives me the same one I have here.

# ? Aug 14, 2015 21:16

telcoM: Mar 21, 2009; Fallen Rib

SIR FAT JONY IVES posted:

code:

eMacbook:Desktop eric$ openssl s_client -CAfile emtest.pem -connect 10.9.2.2:636
CONNECTED(00000003)
depth=0 /CN=DC1TEST.EMTEST.corp
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /CN=DC1TEST.EMTEST.corp
verify error:num=27:certificate not trusted
verify return:1
depth=0 /CN=DC1TEST.EMTEST.corp
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=DC1TEST.EMTEST.corp
   i:/DC=corp/DC=EMTEST/CN=EMTEST

It's telling you:
"I got a certificate with Subject 'CN=dc1test.emtest.corp' and Issuer 'DC=corp, DC=EMTEST, CN=EMTEST'.
To validate this, I would need a certificate one higher up in the chain: one with Subject 'DC=corp, DC=EMTEST, CN=EMTEST'.
But I don't have such a certificate."

This is how the trust chain is built up:
1.) there is a self-signed root CA certificate: it has subject X and issuer X.
2.) the root certificate is used to sign the certificate(s) of intermediate CA(s). They will have subject Y and issuer X.
3.) whatever is signed by the intermediate CA(s) will have subject Z (= whatever they are certifying) and issuer Y.

There may be zero, one or many levels of intermediate CAs between the root CA and the actual server certificate you are trying to validate.

SIR FAT JONY IVES posted:

code:

---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    Start Time: 1439580232
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---

read:errno=0

Also, that's a bit shortish key (only 1024 bits) with a weakish cipher (RC4-MD5). But this does not seem to be an actual problem, at least not yet. Newer OpenSSL versions may have stricter requirements, but these requirements are usually adjustable.

SIR FAT JONY IVES posted:

viewing the CA Cert they provided I get this:

code:

eMacbook:Desktop eric$ viewcert emtest.pem
        Version: 3 (0x2)
        Serial Number:
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: DC=corp, DC=EMTEST, CN=EMTEST
        Validity
            Not Before: Aug 14 09:10:36 2015 GMT
            Not After : Aug 13 09:10:36 2016 GMT
        Subject: CN=DC1TEST.EMTEST.corp

That's just a copy of the certificate of the host you're talking to.
Subject = "who I am"
Issuer = "who vouches for me"
You have the first, but you'll need the second.

OpenSSL needs to see the certificate of the issuer in order to verify that the CA signature in this certificate is valid.

Fortunately, the certificate itself tells you where you can (hopefully) get the issuer's certificate:

SIR FAT JONY IVES posted:

code:

            Authority Information Access:
                CA Issuers - URI:ldap:///CN=EMTEST,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=EMTEST,DC=corp?cACertificate?base?objectClass=certificationAuthority
                CA Issuers - URI:http://dc1test.emtest.corp/CertEnroll/DC1TEST.EMTEST.corp_EMTEST.crt

This gives you both LDAP and HTTP URLs where the issuer certificate is supposed to be available.

Try:

code:

$ wget http://dc1test.emtest.corp/CertEnroll/DC1TEST.EMTEST.corp_EMTEST.crt
...
$ viewcert DC1TEST.EMTEST.corp_EMTEST.crt

That certificate should have Subject 'DC=corp, DC=EMTEST, CN=EMTEST'. If its Issuer is the same, you've reached the root certificate and you can use this as the CAfile for OpenSSL tools. If not, this was just another intermediate CA. Check the Issuer field and the Authority Information Access extension (if it exists) of that intermediate CA certificate, and keep following the chain upwards until you reach the root certificate.

If you want/have to use the CAfile option of OpenSSL, just add all the required CA certificates in a single file in PEM format.

# ? Aug 14, 2015 21:32

MrPablo: Mar 21, 2003

Suspicious Dish posted:

There's a payload specifying various fields (e.g. who issued it? what website is it for?), specified in a standard called "X.509". You send that certificate to a certificate authority, who signs it. Your OS / browser has code and data to check for signatures for hundreds of different certificate authorities, and verifies that the signature is signed by one of those, and that the fields match up.

A minor point of clarification: You send a certificate signing request (CSR) to a certificate authority (CA). The CA verifies and signs the CSR and issues a certificate.

In case anyone is interested, here is a brief overview of X.509 certificate generation and X.509 certificate verification:

OpenSSL (openssl req, or your crypto tool of choice) generates a public and private key (called a keypair).
You enter various attributes describing what the certificate is going to represent. These attributes are typically (but not always!) things like the country, state, organization, and a so-called Common Name (CN). For server certificates the CN is typically the fully-qualified domain name (FQDN) of the server. For personal certificates the CN is typically a full name.
OpenSSL constructs the certificate subject Designated Name (DN) using the attributes from the previous step. A DN looks like this: /C=US/ST=VA/L=Falls Church/O=PoopCorp/OU=Butt/CN=www.poopcorp.com.
OpenSSL generates a certificate signing request (CSR) consisting of the subject, your public key, and a few additional certificate attributes, all signed with your private key.
You send the CSR to a Certificate Authority (CA), typically via a web interface.
The CA verifies the validity of the CSR by checking the signature in the CSR. In other words, it hashes the contents of the CSR using the specified hash algorithm, then decrypts the signature in the CSR using the public key and verifies that the two match.
What the CA does at this point varies wildly depending on the CA, the type of certificate, and the type of validation requested. For example, "Extended Validation" certificates cost more and have additional verification steps. At a minimum, reputable CAs will attempt to verify that you own the FQDN and that you are associated with the organization specified in the CSR.
If everything checks out, the CA issues a certificate by signing the CSR with one of their signing certificates. The generated certificate includes the valid date range, usage constraints. and a trust chain. The trust chain consists of the signing certificate, the signing certificate's signer, and so on up to the root certificate (more on that later).
The CA provides the generated certificate to you, typically via email or a web interface.
You install the generated certificate. For server certificates this means copying the provided certificate file to the server and configuring the relevant daemon (e.g., Apache) to use it.

When an application (for example, a web browser) initiates a TLS connection, the following happens:

The server sends its certificate as part of the TLS handshake.
The client checks the validity of the certificate. The list of what is actually checked and what constitutes an error (versus a warning) varies wildly by application, but typically includes some combination of the following:
- Does the domain name match the CN of the certificate's subject DN? Note that there are also wildcard certificates (*.poopcorp.com) and multi-domain certificates (poopcorp.com, butt.poopcorp.com, and poop.poopcorp.com), and these are handled slightly differently.
- Has the certificate expired (that is, is the current date within the valid date range of the certificate)?
- Does the usage constraint allow the certificate to be used as a server certificate?
- Has the certificate been revoked by the issuer (CRL, OCSP, etc)?
- Does the certificate use a strong digest algorithm (e.g. SHA1 in 2015 = no bueno)?
- Does the certificate use a strong encryption algorithm and parameters (reject things like 512-bit RSA, RSA with an exponent of 3, etc)?
The client walks up the trust chain and performs similar checks for each intermediate certificate in the trust chain until it either finds a certificate that is implicitly trusted (that is, a certificate in the trusted certificate store: see below) or until it exhausts the certificates in the trust chain.
If the client was able to reach a trusted certificate, then it proceeds with the connection.

A trusted certificate store is a list of trusted certificates. The list of trusted certificate store varies by operating system and application. Under Windows, for example, Chrome and Internet Explorer use the Windows trusted certificate store, while Firefox uses its own. Each application and/or operating system vendor has a set of policies that a CA must comply with in order for the CA's certificates to be included in the vendor's trusted certificate store (here is Mozilla's, and here is Microsoft's).

(Note: Lots of details omitted for brevity).

# ? Aug 14, 2015 22:16

covener: Jan 10, 2004; You know, for kids!

SIR FAT JONY IVES posted:

I think I finally get it:
code:
eMacbook:emtest eric$ viewcert emtest.ca.pem
        Issuer: DC=corp, DC=EMTEST, CN=EMTEST
        Subject: CN=DC1TEST.EMTEST.corp
So this CA file they gave me is issued by emtest.emtest.corp.

I wouldn't call that CA, it's going to lead to a lot of confusion. CA implies a root, self-signed issuer.

# ? Aug 14, 2015 23:13

spankmeister: Jun 15, 2008

telcoM posted:

Also, that's a bit shortish key (only 1024 bits) with a weakish cipher (RC4-MD5). But this does not seem to be an actual problem, at least not yet. Newer OpenSSL versions may have stricter requirements, but these requirements are usually adjustable.

Not just "ish" but plain insecure. You will fail any kind of audit using that.

# ? Aug 15, 2015 05:09

Super-NintendoUser: Jan 16, 2004; COWABUNGERDER COMPADRES; Soiled Meat

spankmeister posted:

Not just "ish" but plain insecure. You will fail any kind of audit using that.

The test domain is just an in-house system designed for that purpose, at the bank, it's considerably more secure, but I didn't copy and paste that cert for overly caution reasons.

Thanks to all the guys that helped out. I see the issue, but since I don't have any admin access to the domain, I opened an internal ticket to get the info I need. I assume they will not be able to help me, but that's that.

telcoM posted:

Try:
code:
$ wget [url]http://dc1test.emtest.corp/CertEnroll/DC1TEST.EMTEST.corp_EMTEST.crt[/url]
...
$ viewcert DC1TEST.EMTEST.corp_EMTEST.crt
If you want/have to use the CAfile option of OpenSSL, just add all the required CA certificates in a single file in PEM format.

The wget did not work. I suppose I can just cat all the files together into a log file, as long as each segment begins and ends with ---BEGIN/END--- right?

# ? Aug 15, 2015 19:24

Al2001: Apr 7, 2007; You've gone through at the back

Bit of a niche question: does anyone have a link to Ubuntu Lightscribe drivers/software. Seem to be a lot of dead links around: does no-one use it anymore?

# ? Aug 17, 2015 11:22

Peggotty: May 9, 2014

The whole thing seems pretty deprecated. There are no offical drivers for any system and I don't think there are any recent linux third party tools.

# ? Aug 17, 2015 14:36

Adbot: ADBOT LOVES YOU

# ? May 29, 2024 00:52

Super-NintendoUser: Jan 16, 2004; COWABUNGERDER COMPADRES; Soiled Meat

Update on the LDAP thing:

I ended up grabbing the cert from here:

http://dc1test.emtest.corp/CertEnroll/DC1TEST.EMTEST.corp_EMTEST.crt

That worked, the problem was that the EMTEST was serving the wrong cert, so our ldap guys fixed that. Once they did, all the TLS ldap starting working.

Relating to our software, turns out there's two different ways to configure ldap with TLS, one way lets you just browse it as an admin to add users, another way to specifically define a CA Cert for user login. Of course they weren't both documented.

# ? Aug 18, 2015 16:10

The Something Awful Forums > Discussion > Serious Hardware/Software Crap > The Linux Questions Thread: a bunch of pitfalls, but technically it's possible

«‹›1035 »