LetsEncrypt CAFile for pkcs12 format

You may get “Error unable to get local issuer certificate getting chain.” while creating a PKCS12 keystore with a Let's Encrypt certificate. You need to create a CAFile (the root and intermediate certificates merged into one file) to fix this issue.

Install openjdk-8-jre for keytool if you do not have the keytool command on Linux:

# sudo apt-get install openjdk-8-jre

To create the CAFile, download the Let's Encrypt root and intermediate certificates from https://letsencrypt.org/certs and merge them:

# wget https://letsencrypt.org/certs/isrgrootx1.pem.txt

# wget https://letsencrypt.org/certs/letsencryptauthorityx3.pem.txt

# cat isrgrootx1.pem.txt letsencryptauthorityx3.pem.txt > letsencryptCA.pem

# openssl pkcs12 -export -in domain.crt -inkey domain.key -chain -CAfile letsencryptCA.pem -name "mycert" -out myapp.p12

# keytool -importkeystore -deststorepass myapppass -destkeystore myapp.keystore -srckeystore myapp.p12 -srcstoretype PKCS12

Verify the keystore:

# keytool -list -v -keystore myapp.keystore -storepass myapppass

Now you can use this keystore with Tomcat/JBoss.
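The following is an added, self-contained demonstration (not part of the original post) of why the merged CAFile is needed: it builds a throwaway root, intermediate and leaf with openssl, then shows that `openssl pkcs12 -export -chain` fails with the root alone and succeeds with root plus intermediate. All subjects, file names and the export password are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original post. It builds a throwaway
# root -> intermediate -> leaf chain with openssl and shows that
# `openssl pkcs12 -export -chain` only succeeds when -CAfile holds BOTH the
# root and the intermediate, which is what the merged letsencryptCA.pem does.
# All names, subjects and the export password are constructed for the demo.
set -e
WORK=$(mktemp -d); cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext

# Demo root CA (stand-in for ISRG Root X1)
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root" \
  -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 2 -extfile ca.ext \
  -out root.pem 2>/dev/null
# Demo intermediate signed by the root (stand-in for Let's Encrypt Authority X3)
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" \
  -keyout inter.key -out inter.csr 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 2 -extfile ca.ext -out inter.pem 2>/dev/null
# Demo leaf issued by the intermediate (stand-in for domain.crt / domain.key)
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo.example" \
  -keyout domain.key -out domain.csr 2>/dev/null
openssl x509 -req -in domain.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -days 2 -out domain.crt 2>/dev/null

# Merged CAfile, the equivalent of the post's
# `cat isrgrootx1.pem.txt letsencryptauthorityx3.pem.txt > letsencryptCA.pem`
cat root.pem inter.pem > demoCA.pem

# Exit 0 if a PKCS12 with the full chain can be built from CAfile $1 into $2
export_p12() {
  openssl pkcs12 -export -in domain.crt -inkey domain.key -chain -CAfile "$1" \
    -name "mycert" -passout pass:demo -out "$2" 2>/dev/null
}
# Print how many certificates PKCS12 file $1 carries
count_certs() {
  openssl pkcs12 -in "$1" -nokeys -passin pass:demo 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Root alone: chain building stops with "unable to get local issuer certificate"
if export_p12 root.pem rootonly.p12; then echo "unexpected: root-only CAfile worked"; exit 1; fi
# Root + intermediate: succeeds, and the .p12 carries leaf, intermediate and root
export_p12 demoCA.pem myapp.p12
echo "certificates in myapp.p12: $(count_certs myapp.p12)"   # prints 3
```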

ismail yenigul


pg_prewarm extension for pre-warming the buffer cache in PostgreSQL

The pg_prewarm module provides a way to load relation data into either the operating system buffer cache or the PostgreSQL buffer cache.
It is available for PostgreSQL 9.4 or higher releases.

You can load the most important tables into the cache after PostgreSQL is restarted.

First install the PostgreSQL contrib package, for example:

yum install postgresql96-contrib
apt-get install postgresql-contrib-9.6

Log in to the database and create the extension.

psql -U user databasename
create extension pg_prewarm;

Enable prewarming on the desired tables:
SELECT pg_prewarm('tablename');

Example:
SELECT pg_prewarm('languages');
SELECT pg_prewarm('messages');

You have to run SELECT pg_prewarm('tablename'); whenever you restart the PostgreSQL database. You can add the SELECT statements to a bash script and call it when the database comes online.
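Here is an added example (not from the original post) of such a post-restart script: it waits until PostgreSQL accepts connections, creates the extension if needed, then prewarms a fixed table list and reports the blocks loaded per table. The connection settings and table names are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: the "bash script that runs
# SELECT pg_prewarm() once the database is online" the post suggests. It waits
# for PostgreSQL to accept connections, creates the extension if needed, then
# prewarms a fixed table list and prints the blocks loaded per table.
# The connection settings and table names are constructed for the demo.
PGUSER="${PGUSER:-user}"
PGDATABASE="${PGDATABASE:-databasename}"
TABLES="${TABLES:-languages messages}"

# Build one SQL statement from a space-separated table list: one result row
# per table with the block count that pg_prewarm() returns (8 kB blocks).
prewarm_sql() {
  sql=""
  for t in $1; do
    [ -z "$sql" ] || sql="$sql UNION ALL"
    sql="$sql SELECT '$t' AS table_name, pg_prewarm('$t') AS blocks"
  done
  printf '%s;\n' "${sql# }"
}

# Poll with pg_isready (ships with the client tools) for up to $1 seconds
wait_for_db() {
  i=0
  until pg_isready -q -U "$PGUSER" -d "$PGDATABASE"; do
    i=$((i + 1))
    [ "$i" -lt "$1" ] || return 1
    sleep 1
  done
}

main() {
  wait_for_db 120 || { echo "PostgreSQL did not become ready" >&2; return 1; }
  # ON_ERROR_STOP makes a missing table fail the script instead of being skipped
  # silently; two -c options need psql 9.6 or newer.
  psql -U "$PGUSER" -d "$PGDATABASE" -v ON_ERROR_STOP=1 \
    -c "CREATE EXTENSION IF NOT EXISTS pg_prewarm;" \
    -c "$(prewarm_sql "$TABLES")"
}

# Only connect when explicitly asked, e.g. from a systemd ExecStartPost= or a
# cron @reboot entry:  PREWARM_RUN=1 sh prewarm.sh
if [ -n "${PREWARM_RUN:-}" ]; then main; fi
```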

References:

https://www.postgresql.org/docs/9.4/static/pgprewarm.html

https://blog.dbi-services.com/pre-warming-the-buffer-cache-in-postgresql/

https://www.depesz.com/2014/01/10/waiting-for-9-4-pg_prewarm-a-contrib-module-for-prewarming-relationd-data/

ismail yenigul


pfSense on AWS and IPsec Peer identifier issue

As you know, AWS uses private IP address blocks in a VPC. If you install pfSense as a NAT instance, you will see a private IP on the WAN interface. You can assign an Elastic IP, but it will not be visible to the EC2 instance.

For that reason, if you are creating an IPsec tunnel you need to set the Peer identifier under Phase 1 Proposal (Authentication) on the remote peer of the pfSense on AWS.

If you use the public IP address of the pfSense as the Peer identifier, you will get:

IDir '10.1.1.1' does not match to 'X.X.X.X'   (X.X.X.X is the Elastic IP of the AWS pfSense)

Choose 'IP address' as the Peer identifier (default: Peer IP Address) and enter the WAN IP address of the pfSense EC2 instance (10.1.1.1 in this example).

[screenshot: aws-pfsense]

ismail yenigul

‘Parachute’ on cloud: Azure Linux Extensions: Custom Script for Linux

One of the big problems with cloud providers (AWS, Azure, etc.) is that they do not provide console login to the server. If sshd does not start at boot time, then you are in big trouble!

Luckily, the Azure support team told me about the Azure Linux extension that runs a script on a virtual machine as root.

Here is a very comprehensive article about this extension:

https://blogs.msdn.microsoft.com/linuxonazure/2017/02/12/extensions-custom-script-for-linux/

Unfortunately, there is no way to get the output of the executed commands. Maybe you can send the output out of the server via curl, FTP or email 🙂

ismail yenigul


pfSense on AWS and Source/Dest. Check tip

Hi,

If you are going to deploy pfSense on AWS, the https://www.netgate.com/docs/aws-vpn-appliance/vpc-guide.html document is pretty good.

But there is one important point that you should take care of.

Be sure that Source/Dest. Check is false on both network interfaces (eth0 and eth1) of the pfSense instance.

If you select the pfSense instance and disable source/destination check from the menu shown below, it disables it only on one interface (eth0).

[screenshot: pfsense.png]

Unfortunately, the Source/Dest. Check status of the private interface eth1 will stay Enabled.

You have to go to the Network Interfaces section on the left, find your eth1 interface and disable it by choosing Action -> Networking -> Change source/Dest. Check.

[screenshot: pfsense2.png]

Also do not forget to create NAT rules on pfSense.
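An added example (not from the original post) that does the same check from the AWS CLI instead of the console: it lists every network interface attached to the instance with its Source/Dest. Check state, and turns the check off on any interface where it is still on, so eth1 is not missed. The instance id in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the original post: audit every network interface
# attached to the pfSense instance and turn Source/Dest. Check off wherever it
# is still on, since the instance-level menu item only changes eth0 (device
# index 0) and leaves eth1 enabled. Needs the AWS CLI with EC2 permissions.
set -e

# One row "<eni-id> <device-index> <True|False>" per ENI attached to instance $1
list_enis() {
  aws ec2 describe-network-interfaces \
    --filters "Name=attachment.instance-id,Values=$1" \
    --query 'NetworkInterfaces[].[NetworkInterfaceId,Attachment.DeviceIndex,SourceDestCheck]' \
    --output text
}

# Read such rows on stdin and print the ENI ids whose check is still enabled.
# Pure text processing, so it can be exercised on a constructed sample without AWS.
enis_to_fix() { awk '$3 == "True" { print $1 }'; }

# Same per-interface change as the console's "Change source/dest. check" action
disable_check() {
  aws ec2 modify-network-interface-attribute \
    --network-interface-id "$1" --no-source-dest-check
}

main() {
  rows=$(list_enis "$1")
  echo "$rows"
  for eni in $(echo "$rows" | enis_to_fix); do
    echo "disabling Source/Dest. Check on $eni"
    disable_check "$eni"
  done
  # Re-read so the final state of both interfaces is visible in the output
  list_enis "$1"
}

# Usage: sh fix-sdc.sh i-0123456789abcdef0   (the instance id is a placeholder)
if [ $# -gt 0 ]; then main "$1"; fi
```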

ismail yenigul


Postfix Certificate verification failed for gmail-smtp-in.l.google.com issue

If you see this error message in your Postfix logs:

 postfix/smtp[19417]: certificate verification failed for gmail-smtp-in.l.google.com[74.125.71.26]:25: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority

just add the following line to your /etc/postfix/main.cf (this is the RHEL/CentOS CA bundle path; on Debian/Ubuntu the bundle is /etc/ssl/certs/ca-certificates.crt):

    smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt

and restart Postfix:

service postfix restart  or  systemctl restart postfix
