Manipulating ssl certificates

Overview

Last updated 2017-12-14

SSL certificates are used in almost every network application to encrypt traffic to increase the safety of communications.

Manipulating ssl certs

Converting .crt to .pem

A .crt file is often identical to a .pem file: both hold the same base64-encoded block between BEGIN and END markers, so this conversion simply copies it. (A .crt that holds binary DER instead needs the -inform der conversion shown under "Convert cer to pem format" below.)

openssl x509 < rapidssl.crt -out rapidssl.pem

A .crt usually holds the certificate (which contains the public key), and a .key usually holds the private key.

Converting .crt set to a .pfx for Windows

Run each step separately because you might need to enter an import or export password. Use a simple password for each one for ease.

openssl pkcs12 -export -in wildcard-2016.crt -inkey wildcard-2016.key -out wildcard-2016.p12 -name wildcard -CAfile rapidssl-2016.crt -caname root
openssl pkcs12 -in wildcard-2016.p12 -out wildcard-2016.pem -nodes -clcerts
openssl x509 -in rapidssl-2016.crt -out rapidssl-2016.pem
cat wildcard-2016.pem rapidssl-2016.pem > wildcardchain-2016.pem
openssl pkcs12 -export -in wildcardchain-2016.pem -out wildcardchain-2016.pfx

Source: http://stackoverflow.com/questions/18787491/adding-certificate-chain-to-p12pfx-certificate/18830742#18830742.

Converting pkcs7 to pkcs12

openssl pkcs7 -print_certs -in crx.p7b | openssl pkcs12 -export -inkey crx.key -out crx.pfx -certfile crx.crt

Preparing hash file for ldap

Openldap can use ssl to encrypt its traffic, but the CA certificate directory it reads must be laid out in a specific way. Around here, the /etc/openldap/ldap.conf file tends to have these directives:

URI ldaps://example.com
BASE dc=example,dc=com
TLS_CACERTDIR /etc/openldap/cacerts

And in /etc/openldap/cacerts you might see these files:

4669ff29.0 -> authconfig.pem
authconfig.pem (the examplemicrosoft certs catted)
examplemicrosoftintermeidateca.crt
examplemicrosoftrootca.crt
examplenovellca.crt

Observe that the hash-named file is a symlink to the real cert file. Openldap looks up the CA by the hashed filename, whether it is a real file or just a symlink.
You can generate the hashed file by running c_rehash /etc/openldap/cacerts (or try cacertdir_rehash) from package openssl-perl, or you can generate the symlink this way:

cd /etc/openldap/cacerts
ln -sf certs-example-2016.pem "$( openssl x509 -in certs-example-2016.pem -hash -noout ).0"

Reference: Weblink 2

Requesting a certificate signing

A CSR is for when you have generated a key and want a certificate for it signed by a certificate authority, whether that be the local CA or a public one.
You need a private key to start with, so the genrsa command will generate one.

openssl genrsa -aes256 -out wwwexamplecom-2016.key 2048
openssl req -new -key wwwexamplecom-2016.key -out wwwexamplecom-2016.csr
Enter pass phrase for wwwexamplecom-2016.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Anystate
Locality Name (eg, city) [Default City]:Anytown
Organization Name (eg, company) [Default Company Ltd]:Example Company
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:www.example.com
Email Address []:linuxadmin@example.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Generally, don’t use a passphrase. If you must, do a simple one like linksys.

Send the csr to someone. This uses the send.sh script from bgscripts package.
send.sh -hs "csr for www.example.com" wwwexamplecom-2016.csr usertwo@example.com

Removing passphrase from private key

Apache in particular struggles with a private key protected with a passphrase, because it has to prompt for it at every start. Apparently admins just leave the passphrase blank when generating a key.
If you already applied one, and want to remove the passphrase, just use openssl.

openssl rsa -in old.key -out new.key

It will ask you for the passphrase, and then export the private key, now unencrypted, to the new file, so restrict that file's permissions.
Reference: https://www.mnxsolutions.com/apache/removing-a-passphrase-from-an-ssl-key.html

Adding AD certs to host trusted certificate store

Procure your AD root CA cert or download it from the certificate authority web portal, which could resemble https://ca2.example.com/certsrv/. Save as ca2.example.com.crt.
Reference: Weblink 4 https://support.microsoft.com/en-us/help/555252

cp ca2.example.com.crt /etc/pki/ca-trust/source/anchors/
update-ca-trust

Reference: Weblink 5 https://stackoverflow.com/questions/29236078/how-to-ldap-bindauthenticate-using-python-ldap/30221592#30221592

Signing a certificate

Internal link 3 https://ca2.example.com/certsrv/ provides the certificate signing operations for Active Directory.

Adding key to java keystore

You might need to add a certificate to a java-like keystore. It is interesting to note that many java keystore files are actually symlinks to /etc/pki/java/cacerts.

/usr/lib/jvm/java/jre/bin/keytool -import -trustcacerts -alias "myaliasname" -storetype jks -keystore /usr/lib/jvm/java/jre/lib/security/cacerts -file ./comodo.cer -storepass changeit

Testing ssl cert from server

To find out if the https or other ssl-enabled service is serving the right certificate, you can use openssl as a client and pull down the ssl cert.

printf '\n' | openssl s_client -connect ipa.example.com:443

And observe the output for the certificate information.
To test SNI, add the parameter -servername myurl.example.com.
Reference: weblink 6 https://major.io/2012/02/07/using-openssls-s_client-command-with-web-servers-using-server-name-indication-sni/
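A Python counterpart to the s_client check above, added here as an example and not part of the original page: fetch_peer_cert connects with SNI (the equivalent of -servername) and summarize_cert reports subject, issuer, whether the expected hostname is covered by a SAN, and days until expiry. The function names are this example's own, and the sample certificate dict is constructed in the layout getpeercert() returns, not a real certificate.

```python
import socket
import ssl
from datetime import datetime, timezone


def fetch_peer_cert(host, port=443, servername=None, timeout=5.0):
    """Connect with SNI (server_hostname is the -servername equivalent) and
    return the leaf certificate as the dict getpeercert() produces.
    Verification stays on, so an untrusted or mismatched certificate raises
    instead of being returned silently."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=servername or host) as tls:
            return tls.getpeercert()


def _san_matches(pattern, name):
    """Match one dNSName entry against a hostname: exact match, or a single
    leading '*' wildcard that covers exactly one left-most label."""
    pattern = pattern.lower().rstrip(".")
    name = name.lower().rstrip(".")
    if pattern == name:
        return True
    if pattern.startswith("*."):
        parts = name.split(".", 1)
        return len(parts) == 2 and parts[0] != "" and parts[1] == pattern[2:]
    return False


def summarize_cert(cert, expected_host, now=None):
    """Reduce a getpeercert() dict to the facts worth checking when testing
    a server: subject CN, issuer, SAN coverage of expected_host, validity."""
    now = now or datetime.now(timezone.utc)
    subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    # cert_time_to_seconds understands the "Dec 31 23:59:59 2017 GMT" form
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    return {
        "common_name": subject.get("commonName"),
        "issuer": issuer.get("organizationName") or issuer.get("commonName"),
        "host_matches": any(_san_matches(s, expected_host) for s in sans),
        "days_left": (not_after - now).days,
        "expired": not_after <= now,
    }


# Constructed sample (not a real certificate) plus fixed "now" values so the
# result is reproducible offline.
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),), (("organizationName", "Example Company"),),
                (("commonName", "www.example.com"),)),
    "issuer": ((("organizationName", "Example CA"),), (("commonName", "Example Root CA"),)),
    "notBefore": "Jan 15 00:00:00 2016 GMT",
    "notAfter": "Dec 31 23:59:59 2017 GMT",
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.com")),
}
SAMPLE_NOW = datetime(2017, 12, 14, tzinfo=timezone.utc)
SAMPLE_LATER = datetime(2018, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(summarize_cert(SAMPLE_CERT, "www.example.com", SAMPLE_NOW))
    # Live use against a host from the page would be:
    # summarize_cert(fetch_peer_cert("ipa.example.com"), "ipa.example.com")
```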

Convert cer to pem format

openssl x509 -inform der -in certificate.cer -out certificate.pem

Reference: weblink 7 https://www.sslshopper.com/article-most-common-openssl-commands.html

Read info from pkcs12 file

openssl pkcs12 -in cert.pfx -passin pass:'' -nodes -clcerts | openssl x509 -noout -subject -issuer -startdate -enddate

Delineate certificates in chain being served by a web connection

certchain="$( mktemp )"
# Capture the served chain; -showcerts prints every certificate the server sends
echo '' | openssl s_client -showcerts -connect pypi.python.org:443 2>/dev/null > "${certchain}"
# Split the capture into one file per certificate, so each openssl x509 call reads exactly one
# (feeding the whole capture to a loop of openssl x509 on shared stdin is unreliable, because
# the first call buffers more than one certificate)
awk -v base="${certchain}" '
   /^-----BEGIN CERT/ { n++ ; out = base "." n }
   out != "" { print > out }
   /^-----END CERT/ { close(out) ; out = "" }
' "${certchain}"
for f in "${certchain}".[0-9]* ; do openssl x509 -noout -subject -issuer -dates -in "${f}" ; done
rm -f "${certchain}" "${certchain}".[0-9]*

References

Weblinks

  1. Pkcs12 chained certificates demo: http://stackoverflow.com/questions/18787491/adding-certificate-chain-to-p12pfx-certificate/18830742#18830742
  2. How to get the cert file hash without the c_rehash tool: http://www.linuxquestions.org/questions/linux-server-73/openldap-certificate-4175480164-print/
  3. Removing passphrase from ssl key: https://www.mnxsolutions.com/apache/removing-a-passphrase-from-an-ssl-key.html
  4. AD get root CA certificate: https://support.microsoft.com/en-us/help/555252
  5. How to LDAP bind/authenticate using python-ldap: https://stackoverflow.com/questions/29236078/how-to-ldap-bindauthenticate-using-python-ldap/30221592#30221592
  6. Using OpenSSL's s_client command with web servers using SNI: https://major.io/2012/02/07/using-openssls-s_client-command-with-web-servers-using-server-name-indication-sni/
  7. Most common OpenSSL commands: https://www.sslshopper.com/article-most-common-openssl-commands.html

Samba share with AD authentication

Updates

AD is great for a Windows environment. Now I have a guide for Samba shares with freeipa auth!

Overview

This document describes how to configure a Linux system joined to an AD environment to have a working Samba share for Windows users that uses the AD users and groups for authentication.

Preliminary steps

These steps are covered in the internal CentOS and Ubuntu 16.04 templates.

  • Ensure ntp is running and enabled
  • The server is joined to the domain

Setting up samba

Install samba (which should include samba-client and samba-common, at least for rpm)

Centos 7:
yum -y install samba

Ubuntu 16.04:
apt-get install -y samba

Reference: https://www.howtoforge.com/samba-server-installation-and-configuration-on-centos-7#-preliminary-note

Open firewall

Centos 7:
firewall-cmd --permanent --add-service=samba
systemctl restart firewalld.service

Ubuntu 16.04:
ufw allow samba

Reference: https://wiki.centos.org/HowTos/SetUpSamba

Modify /etc/samba/smb.conf

bup /etc/samba/smb.conf 2>/dev/null
cat <<EOFSMB > /etc/samba/smb.conf
[global]
        security = ads
        workgroup = EXAMPLE
        realm = EXAMPLE.COM
        kerberos method = system keytab
        netbios name = $( hostname -s )
        server string = Samba Server Version %v
        log file = /var/log/samba/log.%m
        max log size = 50
        dns proxy = no
        encrypt passwords = yes
        passdb backend = tdbsam
        load printers = no
        cups options = raw
        printcap name = /dev/null
[homes]
        comment = Home Directories
        browseable = no
        writable = yes

# END BASELINE SMB.CONF 
EOFSMB
/bin/cp -p /etc/samba/smb.conf /etc/samba/smb.conf.example

Reference for kerberos method: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/sssd-ad-integration.html
On CentOS 7 only, set SELinux to allow samba to share nfs locations if necessary.

setsebool -P samba_share_nfs 1

Reference: http://serverfault.com/questions/470878/is-there-a-way-to-share-via-smb-a-filesystem-mounted-via-nfs-without-disabling-s/470879#470879

Start and enable the samba service

Centos 7:
systemctl enable smb
systemctl start smb

Ubuntu 16.04:
systemctl enable smbd nmbd
systemctl start smbd nmbd

Making smb.conf dynamic

Unfortunately the include directive in smb.conf takes a single file and does not support a glob such as include = /etc/samba/smb.conf.d/*.conf. However, with some modifications and a shell script this can be simulated.
A template file, an input directory for extra snippets, and an output file are used together with the following script.

cat <<'EOFSCRIPT' > /usr/local/bin/samba-conf
#!/bin/sh
# File: /usr/local/bin/samba-conf
# Purpose: rebuild smb.conf from the template plus one include line per snippet
# in the smb.conf.d directory, replacing the live file only when it changed.

infile1=/etc/samba/smb.conf.example
indir1=/etc/samba/smb.conf.d
outfile1=/etc/samba/smb.conf
tmpfile1=/etc/samba/smb.conf.orig.$( date "+%Y-%m-%d").$$

# plain test, not [[ ]], because this runs under /bin/sh
[ ! -f "${infile1}" ] && echo "$0: 2. Template not found: ${infile1}. Aborted." 1>&2 && exit 1

{
   cat "${infile1}"
   printf "\n"
   # only files whose name ends in .conf become include directives; the dot is
   # escaped so that a stray "foo-conf" or "old.conf.bak" is not picked up
   find "${indir1}" -type f -regex '.*\.conf' 2>/dev/null | sort | sed -e 's/^/include = /;'
} > "${tmpfile1}"

{
   if ! diff -q "${tmpfile1}" "${outfile1}" ;
   then
      # keep the live file's mode and ownership on the replacement
      /bin/chmod --reference="${outfile1}" "${tmpfile1}"
      /bin/cp -p "${tmpfile1}" "${outfile1}"
   fi
   /bin/rm -f "${tmpfile1}"
} >/dev/null 2>&1
EOFSCRIPT
chmod 750 /usr/local/bin/samba-conf

Modify any files in /etc/samba/smb.conf.d/ and then run samba-conf.

Connecting client to the share

On a Windows client, use Windows Explorer and navigate to \\hostname.example.com\ and see if the share is available. If you must log in as a different user, you can use the Windows command on the command line:

net use \\hostname.example.com\bgscripts /user:example\bgscripts

Also to clear a connection to a shared location, use:

net use \\hostname.example.com\bgscripts /delete

Appendices

Sample share file /etc/samba/smb.conf.d/bgscripts.conf

mkdir -p /etc/samba/smb.conf.d/
cat <<EOF > /etc/samba/smb.conf.d/bgscripts.conf
[bgscripts]
        path = /mnt/scripts/share
        comment = Test samba share
        browsable = yes
        public = yes
        writable = yes
        valid users = @"Linux-Server-Access_grp@EXAMPLE.COM"
EOF

References

Weblinks

  1. https://wiki.centos.org/HowTos/SetUpSamba
  2. https://www.howtoforge.com/samba-server-installation-and-configuration-on-centos-7#-preliminary-note
  3. Complete working guide with AD users and everything http://www.hexblot.com/blog/centos-7-active-directory-and-samba
  4. SELinux managing contexts http://www.linuxquestions.org/questions/linux-security-4/selinux-and-help-with-chcon-762735/

SELinux Policy: Managing File Contexts
Change file context

chcon -R -t public_content_t /mydata/html

Does not persist across a relabel! (eg reboot)
Add new mapping

semanage fcontext -a -t public_content_t '/mydata/html(/.*)?'

Apply the policy context to existing files

restorecon -vvFR /mydata/html

  1. SELinux policy: http://serverfault.com/questions/470878/is-there-a-way-to-share-via-smb-a-filesystem-mounted-via-nfs-without-disabling-s/470879#470879
  2. Ubuntu needed help accessing AD through SSSD. Found solution here: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/sssd-ad-integration.html

Internal documents

  1. The environment required, including krb5.conf and sssd.conf, comes from Building the Centos 7 Template
  2. Firewall commands from Adding the service httpd

Hide comments and blank lines in file

Hide comments and blank lines when viewing file

Original title: Show all non-blank non-comment lines in file

If you want to see just the lines with content, such as in a config file, use this one-liner:

grep -viE '^\s*((#|;).*)?$' smb.conf

How it works

  • grep -v means invert the selection, i.e., everything that does not match this search.
  • -iE case Insensitive, and treat this as a regular Expression. Technically there are no letters being searched, so the i is irrelevant, but I always use it in my searches anyway.
  • ^ start of line
  • \s* white space, any amount from zero onward. This is a greedy search, so it will match all the white space (spaces, tabs, etc.)
  • (#|;) either a pound or a semicolon, which usually denote comments in config files (in my case, smb.conf)
  • ((#|;).*) the above, followed by any character (the period), and any amount of those "any characters."
  • ((#|;).*)? the whole thing in parentheses, optionally.
  • $ end of line

So any line that starts with any amount of white space, followed by (a comment symbol, followed by anything else) optionally, and the end of the line.
So show everything but the above, and tada, just the important stuff.

Building an apt repository on CentOS

Apt is a dpkg management tool used by Debian and its offspring, particularly Ubuntu and Linux Mint.
CentOS is from the RHEL/Fedora side of the Linux family tree and uses yum (and dnf nowadays).
Making a simple, signed apt repository on centos (or manually, on any system really) is possible. This is how to do it.

Building an apt repository

So you have packages you want to make available for your LAN or wherever. This document will show you how to make a directory with all the right parts for an apt repository that is gpg-signed (to stave off that annoying “Do you trust the source?” question).

Preparing gpg keys

Note: generating new keys can require some time and entropy generation.

# as root; no sudo!
gpg --gen-key

The first time you run gpg --gen-key, break it after it has generated some directories and files.
Add the SHA256 requirement to the gpg conf.

cat <<'EOF' >> ~/.gnupg/gpg.conf
cert-digest-algo SHA256
digest-algo SHA256
EOF

Reference: Weblink 3
Run gpg again and this time follow the prompts to generate a key.

gpg --gen-key

If you need to generate extra entropy, consider running some mundane tasks in another terminal.

while true; do dd if=/dev/sda of=/dev/zero; find / | xargs file >/dev/null 2>&1; done

Just break it off when you get the gpg keys you need.
Export the keys as needed with these commands.

gpg --list-keys
# take the key name shown and do this:
gpg --output debian-repo-public.gpg --armor --export 123456AB
gpg --output debian-repo-private.gpg --armor --export-secret-key 123456AB

So the end state of this section is to have the public key as a file, preferably in the repository directory.

Installing required packages

Install epel-release, which will get you the dpkg-dev and tar packages you need (just in case tar isn't on your system).

yum -y install epel-release
yum -y install dpkg-dev tar

Building the repository building script

Make a script that automates building the Release and Package files.

updatescript=/mnt/mirror/ubuntu/example-debian/update-repo.sh
cat <<'EOFSH' >${updatescript}
#!/bin/sh

# working directory
repodir=/mnt/mirror/ubuntu/example-debian/
cd "${repodir}" || exit 1

# create the package index
dpkg-scanpackages -m . > Packages
gzip -9c Packages > Packages.gz

# create the Release file. wc -c prints "<size> <name>", which is exactly the
# tail of each checksum line apt expects: " <hash> <size> <name>"
PKGS=$(wc -c Packages)
PKGS_GZ=$(wc -c Packages.gz)
cat <<EOF > Release
Architectures: all
Date: $(date -R)
MD5Sum:
 $(md5sum Packages  | cut -d" " -f1) $PKGS
 $(md5sum Packages.gz  | cut -d" " -f1) $PKGS_GZ
SHA1:
 $(sha1sum Packages  | cut -d" " -f1) $PKGS
 $(sha1sum Packages.gz  | cut -d" " -f1) $PKGS_GZ
SHA256:
 $(sha256sum Packages | cut -d" " -f1) $PKGS
 $(sha256sum Packages.gz | cut -d" " -f1) $PKGS_GZ
EOF
# detached, ASCII-armored signature over Release; remove the stale one first,
# because gpg will not overwrite an existing output file unattended
rm -f Release.gpg
gpg -abs -o Release.gpg Release
EOFSH
chmod 755 ${updatescript}

It might be useful to modify the script to chmod 444 *.deb or something similar.
When running the script, make sure you use the correct key to sign the release file. Note that this script calls gpg, which will interactively ask the user to enter the passphrase for the key.
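An added example, not part of the original page or the guide it follows: a Python checker that parses a Release file in the layout the script above writes and verifies every listed file's size and digests, which is the check a client does before trusting the signed index. The function names are this example's own, and the Packages content is constructed inline.

```python
import gzip
import hashlib

# Checksum sections a Release file may carry, mapped to the hashlib name that
# computes them; the update-repo script above writes all three.
SECTIONS = {"MD5Sum": "md5", "SHA1": "sha1", "SHA256": "sha256"}


def parse_release(release_text):
    """Split a Release file into header fields and checksum sections.

    Returns (fields, sums): sums maps a section name to a list of
    (hexdigest, size, filename) tuples read from the indented
    " <hash> <size> <name>" lines the script emits."""
    fields, sums, current = {}, {}, None
    for raw in release_text.splitlines():
        if not raw.strip():
            continue
        if raw[0] in " \t":
            if current is None:
                raise ValueError("checksum line outside a checksum section: %r" % raw)
            parts = raw.split()
            if len(parts) != 3:
                raise ValueError("malformed checksum line: %r" % raw)
            sums[current].append((parts[0].lower(), int(parts[1]), parts[2]))
            continue
        key, _, value = raw.partition(":")
        key = key.strip()
        if key in SECTIONS:
            current = key
            sums.setdefault(current, [])
        else:
            current = None
            fields[key] = value.strip()
    return fields, sums


def verify_release(release_text, files, required=("SHA256",)):
    """Check every file listed in the Release checksums against its content.

    files maps filename -> bytes as found in the repository directory.
    Returns a list of problem strings; empty means the index is consistent.
    A missing required section is reported too, since newer apt treats an
    index that lacks a strong digest as insecure (see weblink 3)."""
    _fields, sums = parse_release(release_text)
    problems = [f"missing {s} section" for s in required if s not in sums]
    for section, entries in sums.items():
        for digest, size, name in entries:
            data = files.get(name)
            if data is None:
                problems.append(f"{section}: {name} listed but not present")
                continue
            if len(data) != size:
                problems.append(f"{section}: {name} size {len(data)} != {size}")
            if hashlib.new(SECTIONS[section], data).hexdigest() != digest:
                problems.append(f"{section}: {name} digest mismatch")
    return problems


def build_release(files, date="Thu, 14 Dec 2017 00:00:00 +0000"):
    """Write a Release body in the same layout as the script's heredoc."""
    lines = ["Architectures: all", "Date: " + date]
    for section, algo in SECTIONS.items():
        lines.append(section + ":")
        for name in sorted(files):
            digest = hashlib.new(algo, files[name]).hexdigest()
            lines.append(f" {digest} {len(files[name])} {name}")
    return "\n".join(lines) + "\n"


# Constructed sample: a one-package index and its gzip, as dpkg-scanpackages
# and gzip -9c would leave them in the repository directory.
SAMPLE_PACKAGES = (b"Package: bgscripts\nVersion: 1.0-1\nArchitecture: all\n"
                   b"Filename: ./bgscripts_1.0-1_all.deb\n\n")
SAMPLE_FILES = {"Packages": SAMPLE_PACKAGES,
                "Packages.gz": gzip.compress(SAMPLE_PACKAGES, mtime=0)}
SAMPLE_RELEASE = build_release(SAMPLE_FILES)
# The same directory after someone edits Packages without re-running the script.
TAMPERED_FILES = dict(SAMPLE_FILES, Packages=SAMPLE_PACKAGES.replace(b"1.0-1", b"1.0-2"))

if __name__ == "__main__":
    print("clean:", verify_release(SAMPLE_RELEASE, SAMPLE_FILES))
    print("tampered:", verify_release(SAMPLE_RELEASE, TAMPERED_FILES))
```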

Managing the repository

The repository is ready to receive files and be updated.
The example location is /mnt/mirror/ubuntu/example-debian/.

Adding packages to the repo

Move any .deb packages you want to the repo directory.
Run the update-repo script from root (because the gpg keys were generated as root).

./update-repo.sh

Provide the passphrase.

Configuring a client

For each system you want to add the repository to, you need to follow these steps.
Import the public key into apt and add the repo to the sources.

sudo wget --quiet http://mirror.example.com/ubuntu/example-debian/example-debian.gpg -O /root/example-debian.gpg
sudo apt-key add /root/example-debian.gpg
sudo wget --quiet http://mirror.example.com/ubuntu/example-debian/example-debian.list -O /etc/apt/sources.list.d/example-debian.list

Update the available package list.

apt-get update

The system is now ready to install packages from your repository.

Weblinks

  1. Main layout of entire document https://www.sidorenko.io/blog/2015/05/19/easy-creation-of-a-simple-apt-repo/
  2. Manipulating gpg keys https://www.debuntu.org/how-to-importexport-gpg-key-pair/
  3. Using SHA256 for apt http://askubuntu.com/questions/760796/how-to-fix-apt-signature-by-key-uses-weak-digest-algorithm-sha1-after-install/776599#776599
  4. Extra information about debian repos https://wiki.debian.org/RepositoryFormat
  5. Discussion of various debian repo utilities https://wiki.debian.org/HowToSetupADebianRepository
  6. Alternate method for making a repo http://hyperlogos.org/page/Simple-recipe-custom-UbuntuDebian-repositories-apt-ftparchive
  7. How to make a super simple, unsigned repo https://help.ubuntu.com/community/Repositories/Personal

Dockerizing WordPress in a multi-container architecture

Overview

This document explains how to build a multi-container docker environment that presents a blank WordPress install to the local network.
The project will be given the random name Bilbo to make it obvious when an object is related to this example.
This document has additional features as well:

  • How to install WordPress to operate behind a reverse proxy (apache shown)
  • How to configure WordPress to get downloads through a corporate proxy
  • How to build a simple WordPress docker container with persistent storage

Building the environment

Docker Compose can be used to build multi-container architecture easily.

Assembling the files

Make a work directory.

mkdir ~/bilbo
cd ~/bilbo

docker-compose.yml

cat <<EOF > docker-compose.yml
version: '2'
services:
  db:
    image: mariadb:latest
    volumes:
      - "/var/bilbo/db:/var/lib/mysql"
    restart: always
    environment:
      MYSQL_ROOT_PASSWORD: wordpress
      MYSQL_DATABASE: bilbo
      MYSQL_USER: wordpress
      MYSQL_PASSWORD: wordpress

  wpmod:
    depends_on:
      - db
    #image: wordpress:latest
    build:
      context: .
      dockerfile: Dockerfile
    links:
      - db
    ports:
      - "8000:80"
    restart: always
    volumes:
      - "/var/bilbo/www:/var/www/html"
    environment:
      WORDPRESS_DB_HOST: db:3306
      WORDPRESS_DB_PASSWORD: wordpress
      http_proxy: http://proxy.example.com:8080/
      https_proxy: http://proxy.example.com:8080/
      WP_HOME: http://kim.example.com/bilbo
      WP_SITEURL: http://kim.example.com/bilbo
EOF

Observe that the proxy commands will allow WordPress to download updates if the docker host is authenticated to the corporate proxy.

Dockerfile

cat <<EOF > Dockerfile
FROM wordpress:latest
MAINTAINER bgstack15@gmail.com

COPY entrymod.sh /entrymod.sh
RUN chmod +x /entrymod.sh
CMD ["/entrymod.sh","apache2","-DFOREGROUND"]
EOF

Entrymod.sh

This script wraps around the normal docker wordpress image entrypoint.sh file. It waits for the wp-config file to exist and then updates it with the right information provided in the docker-compose file. Basically it dynamically hard-codes the wordpress base URLs.

cat <<'EOFENTRYMOD' > entrymod.sh
#!/bin/bash
# File: entrymod.sh
# Purpose: Adds a few key elements to wp-config.php
# History 2016-06-20 changed to make entrymod the entry point and it just points to entrypoint.sh at the end
# Reference: https://wordpress.org/support/topic/wordpress-behind-reverse-proxy-1

infile1=/var/www/html/wp-config.php
tmpfile1=/tmp/295816928f7597.tmp
tmpfile2=/tmp/295816928f7598.tmp
WP_BLOGDIR=$( echo "${WP_HOME}" | sed 's!https\?://[^/]*!!;' )

function dotask {

rm -rf ${tmpfile1} ${tmpfile2} >/dev/null 2>&1

{
   sed -n -e '1,/.*define.*DB_NAME.*/p;' ${infile1}
   echo "# BEGIN ADDITIONS"
   [[ -n "${WP_HOME}" ]] && echo "define('WP_HOME','${WP_HOME}');"
   [[ -n "${WP_SITEURL}" ]] && echo "define('WP_SITEURL','${WP_SITEURL}');"
   [[ -n "${WP_BLOGDIR}" ]] && {
      echo "\$_SERVER['REQUEST_URI'] = '${WP_BLOGDIR}' . \$_SERVER['REQUEST_URI'];"
      echo "\$_SERVER['SCRIPT_NAME'] = '${WP_BLOGDIR}' . \$_SERVER['SCRIPT_NAME'];"
      #echo "\$_SERVER['PHP_SELF'] = '${WP_BLOGDIR}' . $_SERVER['PHP_SELF'];"
   }

   cat <<'EOF'
# These two overrides trust headers set by the reverse proxy. They are only
# safe while the proxy is the sole client of this container: anything that
# reaches the published port (8000 in the compose file) directly can supply
# the same headers itself.
$_SERVER['HTTP_HOST'] = $_SERVER['HTTP_X_FORWARDED_HOST'];
$_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_X_FORWARDED_FOR'];
# END ADDITIONS
EOF
   tac ${infile1} | sed -n -e '1,/^define.*DB_NAME.*\|^\# END ADDITIONS/{/^define.*DB_NAME.*\|^\# END ADDITIONS/!p;}' | tac

} > ${tmpfile1}

chmod 0644 ${tmpfile1}
mv ${tmpfile1} ${infile1} >/dev/null 2>&1
}

{ while [[ ! -f ${infile1} ]]; do echo "waiting for ${infile1} to exist. Sleeping 3." && sleep 3; done; dotask;} &

exec /entrypoint.sh "$@"
EOFENTRYMOD

I learned that here-documents can employ variable names without being parsed by bash if you put the end string in quotes, as shown in this script file. Reference: Weblink 5

Running the wordpress install

Now start up the docker-compose.

sudo docker-compose up

Configuring Apache as a reverse proxy

Enable these mods. For ubuntu apache2:

a2enmod xml2enc headers rewrite proxy_http proxy_html proxy

Here is a virtualhost directive.

<VirtualHost *:80>
        ServerName kim.example.com

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        RewriteEngine On

        ProxyPass               /frodo          http://kim.example.com:8001
        ProxyPassReverse        /frodo          http://kim.example.com:8001

        ProxyPass               /bilbo          http://kim.example.com:8000
        ProxyPassReverse        /bilbo          http://kim.example.com:8000

</VirtualHost>

Appendices

Commands used during my building and testing

Aliases in ~/.bashrc.local

alias dc='/usr/bin/sudo docker-compose'
alias docker='/usr/bin/sudo docker'

Command lines

dc down && docker rmi bilbo_wpmod && sudo rm -rf /var/bilbo
watch 'head -n58 /var/bilbo/www/wp-config.php | tail -n 17'

Adding vim to a docker container

To install vim inside the wordpress container, point apt at the local organization mirror for ubuntu.
Three apt keys are needed, two of which are the main ubuntu keys.

apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 3B4FE6ACC0B21F32 40976EAF437D05B5
curl http://mirror.example.com/ubuntu/my-debian/my-debian.gpg > /root/my-debian.gpg
apt-key add /root/my-debian.gpg
apt-get update
apt-get install -y vim

References

Weblinks

  1. Apt-key commands https://chrisjean.com/fix-apt-get-update-the-following-signatures-couldnt-be-verified-because-the-public-key-is-not-available/
  2. http://www.apachetutor.org/admin/reverseproxies
  3. https://codex.wordpress.org/Changing_The_Site_URL
  4. https://pressable.com/blog/2015/10/15/reverse-proxy-plugin-for-using-a-hosted-wordpress-site-in-a-subdirectory/
  5. http://www.tldp.org/LDP/abs/html/here-docs.html#HERELIT

Reverse proxy for wordpress

I spent the most research time on getting wordpress to work behind a reverse proxy.
I ended up writing my own Dockerfile to make my own image based on the wordpress image, because the entrypoint was not sufficient.

  1. One of the first pages you hit https://wordpress.org/support/topic/wordpress-behind-reverse-proxy-1?replies=4
  2. Eventually I got to the point where main site would work, but the wp-admin pages would redirect to host.example.org/ and not include the /blog directory, like this guy who didn’t get it solved. https://wordpress.org/support/topic/stop-rewrites-to-reverse-proxy-for-wp-admin?replies=5
  3. Similar problems to this guy. He also provided his nginx reverse proxy config. https://wordpress.org/support/topic/wordpress-behind-a-reverse-proxyssl-endpoint-slightly-borked?replies=6
  4. At some point I had the wp-admin page working but the main site just wasn’t loading at all.
  5. The holy grail is found here by this WordPress genius. https://wordpress.org/support/topic/wordpress-strips-subdirectory-at-some-wp-admin-pages-with-and-reverse-proxy?replies=11#post-2445234
  6. I didn’t use this, but this might be needed in the future: a .htaccess file that I saw referenced in at least one other location. https://gist.github.com/neverything/7675846

Internal documents

  1. Dockerizing WordPress in One Container with Apache.docx
  2. Adding the service httpd.docx

Installing docker behind a proxy

If you are trying to install docker behind a proxy, you might run into multiple problems.
The first one is getting the gpg key for apt.
From the install instructions for ubuntu, you see the directive to download the apt key. What they don’t tell you on that page is that you need an extra cli option like so:

sudo apt-key adv --keyserver-options http-proxy=http://proxy.example.com:8080/ --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys 58118E89F3A912897C070ADBF76221572C52609D

Pulling images behind a proxy

And then of course since you’re behind that proxy, you might have issues with docker downloading images.
Here are the condensed instructions from the full explanation at the official docker docs.

mkdir -p /etc/systemd/system/docker.service.d
cat <<EOF > /etc/systemd/system/docker.service.d/http-proxy.conf
[Service]
Environment="HTTP_PROXY=http://proxy.example.com:80/" "NO_PROXY=localhost,127.0.0.1,docker-registry.somecorporation.com"
EOF
systemctl daemon-reload
systemctl restart docker

Reference

Solve sudo sending useless emails “problem with defaults entries”

sudo problem with defaults entries

I ran into a problem on my Ubuntu 16.04 Server LTS instance.

Whenever a user (whether sssd-ad authenticated user, or local user, or root) uses sudo, it works. But it also sends the administrator a useless email:

host1.example.com : Jun  6 14:40:44 : root : problem with defaults entries ; TTY=pts/2 ; PWD=/root ;

I started removing the defaults entries in /etc/sudoers (using the visudo command) one by one, but after removing them all it still sent the annoying emails. Here are the defaults I was working from:

Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

How do I make sudo stop sending me useless emails?

This problem is caused by sudo looking for directives in a place it cannot find them: sss.
Check the /etc/nsswitch.conf file and modify the sudoers entry.

sudoers:        files sss

The sss should not be there. The sssd-ad package adds itself there, but very few environments store sudoers directives in sss. It's far more likely your directives are local, so you should have an /etc/nsswitch.conf entry like the following:

sudoers:        files

References

A user of RHEL6 had the same issue. https://bugzilla.redhat.com/show_bug.cgi?id=879633
The issue is solvable, including on Ubuntu 16.04 https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1249777