Author:
erics, Posted on Thursday, September 14th, 2023 at 6:26:30am
Summary
In this blog we explore how to use certificates from Let’s Encrypt to secure self-hosted Bamboo and Crucible.
Process To Follow
- Install Certbot
- Ensure that external DNS resolves to the correct IP address
ping example.yourdomain.com
- Ensure that Port 80 is open from the outside to that IP address so that Let’s Encrypt can validate the domain
- Ensure nothing is listening on Port 80
netstat -pan | grep 80 | grep LISTEN | wc -l
- Generate the new certificate via Let’s Encrypt
- Create the new Java keystore for use with Bamboo and Crucible
- Copy the new keystore into place and set ownership and permissions
- Restart the services
- Test
Install Certbot
You must first install Python >= 3
I like using pip to install certbot, but urge you to use any method that is the easiest and most familiar:
https://certbot.eff.org/instructions?ws=other&os=pip
Run certbot help to confirm that it has been installed properly
Generate the Let’s Encrypt Certificate
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 |
shell> sudo -i shell# touch ~/ssl shell# chmod 755 ~/ssl shell# cat >> ~/ssl <<EOF #!/bin/sh certbot certonly \ --standalone \ --renew-by-default \ --agree-tos \ -v \ --debug \ --email admin@yourdomain.com \ -d example.yourdomain.com EOF OPEN Port 80 on your firewall now. shell# ~/ssl CLOSE Port 80 on your firewall now. shell# ls -l /etc/letsencrypt/live/example.yourdomain.com/ total 4 lrwxrwxrwx 1 root root 45 Sep 13 12:38 cert.pem -> ../../archive/example.yourdomain.com/cert2.pem lrwxrwxrwx 1 root root 46 Sep 13 12:38 chain.pem -> ../../archive/example.yourdomain.com/chain2.pem lrwxrwxrwx 1 root root 50 Sep 13 12:38 fullchain.pem -> ../../archive/example.yourdomain.com/fullchain2.pem lrwxrwxrwx 1 root root 48 Sep 13 12:38 privkey.pem -> ../../archive/example.yourdomain.com/privkey2.pem |
Create The New Java Keystore
This step will result in two new files being created: example.p12 and example.jks
IMPORTANT:
- the name/alias MUST be “tomcat” (no quotes)
- the password MUST be “changeit” (no quotes), unless you modify the config xml settings which is beyond the scope of this blog post.
- when you list out the new example.jks keystore using keytool, ensure that it says PrivateKeyEntry next to the alias tomcat.
- ignore the warning at the end because Apache Tomcat requires the JKS keystore format, not the PKCS12 format – do NOT convert!
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 |
shell> sudo -i shell# openssl pkcs12 -export -in /etc/letsencrypt/live/example.yourdomain.com/cert.pem -inkey /etc/letsencrypt/live/example.yourdomain.com/privkey.pem -name tomcat -out example.p12 -password pass:changeit shell# keytool -importkeystore -deststorepass changeit -destkeystore example.jks -srckeystore example.p12 -srcstoretype PKCS12 -srcstorepass changeit shell# keytool -list -keystore example.jks Enter keystore password: changeit Keystore type: jks Keystore provider: SUN Your keystore contains 1 entry tomcat, Sep 13, 2023, PrivateKeyEntry, Certificate fingerprint (SHA-256): 02:F7:E8:07:F1:03:EA:97:3F:30:56:73:5F:06:0E:44:9E:FD:16:85:D1:73:E0:3A:46:52:15:47:FF:28:F9:1F Warning: The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore bamboo.jks -destkeystore bamboo.jks -deststoretype pkcs12". |
Copy The Java Keystore Into Place
This step will copy the new keystore (bamboo.jks)into place for both bamboo and Crucible as ~/.keystore for each user. Ownership and permissions must also be set.
|
|
shell> sudo -i BAMBOO STEPS shell# cp example.jks ~bamboo/.keystore shell# chown bamboo ~bamboo/.keystore shell# chmod 664 ~bamboo/.keystore CRUCIBLE STEPS shell# cp example.jks ~crucible/.keystore shell# chown crucible ~crucible/.keystore shell# chmod 664 ~crucible/.keystore |
Restart Bamboo and Crucible
This step will restart the processes, so they read in the new certificate.
|
|
shell> sudo -i BAMBOO STEPS shell# su - bamboo -c ./current/bin/stop-bamboo.sh shell# su - bamboo -c ./current/bin/start-bamboo.sh shell# tail -f ~bamboo/current/logs/catalina.out CRUCIBLE STEPS shell# su - crucible -c ./current/bin/stop.sh shell# su - crucible -c ./current/bin/start.sh shell# tail -f ~crucible/instances/default/var/log/fisheye.out |
Test Bamboo and Crucible
Use the openssl command to test the new certs:
|
|
BAMBOO STEPS shell> openssl s_client -state -debug -showcerts -verify 0 -connect bamboo.continuent.com:8443 ^C CRUCIBLE STEPS shell> openssl s_client -state -debug -showcerts -verify 0 -connect bamboo.continuent.com:6443 ^C |
Categories: How-To's, Technology Tags: Bamboo, Crucible, howto, https, keytool, openssl, security, ssl, tips | 
No comments
Author:
erics, Posted on Wednesday, September 13th, 2023 at 5:22:39pm
Add inbound rule(s) for a security group ID:
|
|
shell> aws ec2 authorize-security-group-ingress --group-id sg-NNNNNNNN --protocol tcp --port 80 --cidr '0.0.0.0/0' |
## Delete inbound rule(s) for a security group ID
|
|
shell> aws ec2 revoke-security-group-ingress --group-id sg-NNNNNNNN --protocol tcp --port 80 --cidr '0.0.0.0/0' |
## List security groups by security group ID
|
|
shell> aws ec2 describe-security-groups --output json | jq -r '.SecurityGroups[]|.GroupId+" "+.GroupName' |
## List inbound rules for a specific security group ID
|
|
shell> aws ec2 describe-security-groups --group-ids sg-NNNNNNNN --output json | jq -r '.SecurityGroups[].IpPermissions[]|. as $parent|(.IpRanges[].CidrIp+" "+($parent.ToPort|tostring))' |
Thanks to:
https://www.bluematador.com/learn/aws-cli-cheatsheet
Categories: How-To's, Technology Tags: Add, AWS, aws cli, cli, Delete, Group, howto, Remove, security, Security Group, tips | No comments
Author:
erics, Posted on Thursday, September 7th, 2023 at 11:02:30am
SUMMARY
If sysbench is started with the “–mysql-ssl=on” option, it looks in the current directory for the following files:
|
|
client-cert.pem client-key.pem cacert.pem (note no dash) |
PROCEDURE
Locate the current MySQL database certificates, usually in /var/lib/mysql, and make sure that the OS user running sysbench is able to read the following 3 files:
|
|
ca.pem client-cert.pem client-key.pem |
Next, cd to the OS user’s home directory and create symbolic links as follows:
|
|
export DIR=/var/lib/mysql cd ln -s ${DIR}/ca.pem cacert.pem ln -s ${DIR}/client-cert.pem ln -s ${DIR}/client-key.pem |
Finally, create a simple wrapper to ensure proper location and adding --mysql-ssl=on to sysbench command, for example:
|
|
#!/bin/sh (cd; sysbench --mysql-ssl=on --mysql-debug=off --db-driver=mysql --mysql-user=app_user --mysql-password=secret --mysql-host=127.0.0.1 --mysql-port=3306 --mysql-db=test --db-ps-mode=disable --range_size=100 --table_size=10000 --tables=2 --threads=$threads --events=0 --time=60 --rand-type=uniform /usr/share/sysbench/oltp_read_write.lua run) |
Categories: How-To's, Technology Tags: How To, howto, mysql, ssl, SysBench, tips | No comments
Author:
erics, Posted on Thursday, August 31st, 2023 at 11:02:51am
START: Server version: 5.7.43-log MySQL Community Server (GPL)
FINISH: Server version: 8.0.34-log MySQL Community Server (GPL)
|
|
mysql --execute="SET GLOBAL innodb_fast_shutdown=0;" service mysqld stop yum remove mysql mysql-* mysql57-community-release yum install https://dev.mysql.com/get/mysql80-community-release-el6-3.noarch.rpm yum update yum install mysql-community-server cp /etc/my.cnf.rpmsave /etc/my.cnf service mysqld start grep 'temporary password' /var/log/mysqld.log | tail -1 mysql -p Enter password: ALTER USER 'root'@'localhost' IDENTIFIED BY 'newRootPassword'; |
https://dev.mysql.com/doc/refman/8.0/en/default-privileges.html
Check and veify your my.cnf ssl entries if you see the following error in the /var/log/mysqld.log file at startup:
|
|
Failed to set up SSL because of the following SSL library error: SSL_CTX_set_default_verify_paths failed |
Categories: How-To's, Technology Tags: 5.7, 8.0, AWS, AWS Linux, CentOS, howto, mysql, MySQL 5.7, MySQL 8.0, tips, upgrade | No comments
Author:
erics, Posted on Friday, July 21st, 2023 at 9:38:26am
I wanted to save the iptables list to disk, but got an error when I tried:
# service iptables save
The service command supports only basic LSB actions (start, stop, restart, try-restart, reload, force-reload, status). For other actions, please try to use systemctl.
The solution was to install the iptables-services package:
# yum install iptables-services -y
...
Installed:
iptables-services.x86_64 0:1.8.4-10.amzn2.1.2
Complete!
I was then able to save properly:
root@inbound2:/var/log # service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
Categories: How-To's, Technology Tags: howto, IPTables, Save, service, service iptables save, tips | No comments
Author:
erics, Posted on Friday, June 23rd, 2023 at 4:43:39pm
When trying to mount can XFS filestsen on an AWS instance, I got the error “mount: wrong fs type, bad option, bad superblock on /dev/sdh”
Examine the volume’s UUID with the xfs_db command:
shell> sudo xfs_db -c uuid /dev/nvme2n1
To fix the problem, you have two options…
Temporary Solution
Add nouuid mount option to temporarily ignore the duplicate validation:
shell> sudo mount -t xfs -o nouuid /dev/nvme2n1 /volumes/tmp
Permanent Solution
The xfs_admin command can permanently adjust the UUID for the volume:
|
|
shell> sudo xfs_admin -U generate /dev/nvme2n1 Clearing log and setting UUID writing all SBs new UUID = 5eb71513-2d234-4b79-9a35-f22f2974672d |
Categories: How-To's, Technology Tags: Bad Superblock, Error, Filesystem, howto, ifs_admin, ifs_db, mount, Mounting, tips, volume, Wrong Fs Type, XFS | No comments
Author:
erics, Posted on Friday, June 23rd, 2023 at 4:31:14pm
When trying to access the serial console on AWS, I got the following error:
Cannot open access to console, the root account is locked
Since I had edited /etc/fstab, the host would not boot.
The only way to fix this problem is to unmount the root volume from the affected instance, mount it on another node, edit the stab file, and reverse the process., ending up with that volume re-attached as root on the problem node
https://unix.stackexchange.com/questions/684169/cannot-open-access-to-console-the-root-account-is-locked
Categories: How-To's, Technology Tags: /etc/fstab, AWS, Console, Error, fstab, howto, Locked, root, tips | No comments
Author:
erics, Posted on Tuesday, May 23rd, 2023 at 8:23:49am
In the macOS Terminal, my mouse scroll wheel would magically start scrolling the command line history instead of the window buffer scroll bar on the right to show window history.
This happened when an SSH session was disconnected or timed out.
The fix is to run the reset command.
Categories: How-To's, Technology Tags: apple, bash, cli, Command line, Disconnect, History, howto, MacOS, Mouse, Scroll, Shell, ssh, Terminal, Timeout, tips | No comments
Author:
erics, Posted on Friday, May 19th, 2023 at 10:37:58am
I was unable to login from my old iMac running Yosemite to my new iMac running Ventura using RSA keys.
It turns out that RSA key support was disabled in Ventura.
To correct the problem, I added the following two lines to the bottom of /etc/ssh/sshd_config:
|
|
HostkeyAlgorithms +ssh-rsa PubkeyAcceptedAlgorithms +ssh-rsa |
Categories: How-To's, Technology Tags: denied, HostKeyAlgorithms, howto, key, login, MacOS, OSX, Permission, Pubkey, PubkeyAcceptedAlgorithms, PublicKey, RSA, ssh, sshd, tips, Ventura, Yosemite | No comments
Author:
erics, Posted on Tuesday, May 9th, 2023 at 9:55:13am
I have been using RSA SSH keys forever to login to my various AWS EC2 instances.
With macOS Ventura 13.3.1 ssh failed with the “Permission Denied” error. Using ssh -vvv, I saw that the RSA key was now being rejected.
After much research, I decided to implement new keys on the client (Ventura) side using ed25519, like this:
|
|
cd ~/.ssh ssh-keygen -t ed25519 cat id_ed25519.pub |
I then placed the new id_ed25519.pub contents into the ~/.ssh/authorized_keys files on the target nodes, and everything started working!
Categories: How-To's, Technology Tags: AWS, denied, ed25519, Error, Generate, howto, key, Linux, MacOS, Permission Denied, public, Public Key, ssh, ssh-keygen, sshd, tips, Ventura | No comments
