root

Linux: openssl to validate whether private key and TLS certificate match

In environments where certificates are manually deployed, reloading TLS certs is often only done annually when the certificate is near expiration.  This long lapse in time often means that someone else has inherited the task of renewal, and the original key in use may even be in question. Luckily, openssl provides a way to validate Linux: openssl to validate whether private key and TLS certificate match

Ansible: creating SAN certificates with a custom root CA

Ansible has support for generating self-signed certificates as well as certificates using a custom root CA (certificate authority).  This is possible using the community.crypto collection. I’ve put this into a role named ansible-role-cert-with-ca available on github, and it can be used from a playbook like below: vars: # custom CA, leaving undefined will create self-signed Ansible: creating SAN certificates with a custom root CA

Ubuntu: using ldapsearch to query against a secure Windows Domain Controller

Using ldapsearch to query against the insecure port of a Windows Domain Controller is straightforward.  However, it can be challenging to get all the pieces in place for a production environment where the secure port must be used and the root CA certificate is typically not from a public CA. Assuming the standard insecure port Ubuntu: using ldapsearch to query against a secure Windows Domain Controller

Ubuntu: Adding a root certificate authority

If your backend components or application servers use a custom CA (Certificate Authority), then you may need to add it to the system trusted root certificate store so that the standard tools and other utilities trust the TLS communication.

Git: client error, server certificate verification failed

Especially with private git repositories that may be self-signed or have private CA, you may get the following error from the git client after a certificate has been updated: fatal: unable to access ‘https://git.mycompany.com/myuser/myrepo.git/’: server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none This means that the git client cannot verify the integrity of the certificate Git: client error, server certificate verification failed

iptables: Running service as non-root, iptables to forward from privileged port

There are multiple approaches to allowing a process to run as a non-root user but still provide access to privileged ports (<1024). There are applications like Apache that handle this by starting the master process as root, and then worker processes as a less privileged user.  Another way is setting the privilege on a binary iptables: Running service as non-root, iptables to forward from privileged port