Author: erics, Posted on Thursday, September 14th, 2023 at 6:26:30am
Summary
In this blog we explore how to use certificates from Let’s Encrypt to secure self-hosted Bamboo and Crucible.
Process To Follow
Install Certbot
Ensure that external DNS resolves to the correct IP address: ping example.yourdomain.com
Ensure that port 80 is open from the outside to that IP address so that Let’s Encrypt can validate the domain (the --standalone authenticator answers the HTTP-01 challenge itself on port 80)
Ensure nothing else is listening on port 80. Match the port field rather than the bare string 80, which would also match 8080 or 1800: netstat -pan | grep LISTEN | grep -c ':80 '
Generate the new certificate via Let’s Encrypt
Create the new Java keystore for use with Bamboo and Crucible
Copy the new keystore into place and set ownership and permissions
Restart the services
Test
Install Certbot
You must first install Python 3.
I like using pip to install certbot, but urge you to use whichever method is easiest and most familiar to you: https://certbot.eff.org/instructions?ws=other&os=pip
Run certbot --help to confirm that it has been installed properly.
Generate the Let’s Encrypt Certificate
shell> sudo -i
shell# touch ~/ssl
shell# chmod 755 ~/ssl
shell# cat >> ~/ssl <<'EOF'
#!/bin/sh
# --standalone: certbot binds port 80 itself, so nothing else may listen there.
# --renew-by-default is an alias of --force-renewal: it re-issues even if the
# current certificate is nowhere near expiry, so do not put it in a cron job.
certbot certonly \
    --standalone \
    --renew-by-default \
    --agree-tos \
    -v \
    --debug \
    --email admin@yourdomain.com \
    -d example.yourdomain.com
EOF
The here-document delimiter is quoted ('EOF') so the script is written verbatim; with an unquoted delimiter the shell treats backslash-newline as a line continuation while writing the file.
OPEN port 80 on your firewall now.
shell# ~/ssl
CLOSE port 80 on your firewall now.
shell# ls -l /etc/letsencrypt/live/example.yourdomain.com/
When the keystore is built in JKS format, keytool prints this warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore bamboo.jks -destkeystore bamboo.jks -deststoretype pkcs12".
Copy The Java Keystore Into Place
This step copies the new keystore (example.jks in the commands below) into place as ~/.keystore for both the bamboo and crucible users. The keystore holds the private key, so it must be owned by the service user and readable by that user only (mode 600, not the group- and world-readable 664).
shell> sudo -i
BAMBOO STEPS
shell# cp example.jks ~bamboo/.keystore
shell# chown bamboo ~bamboo/.keystore
shell# chmod 600 ~bamboo/.keystore
CRUCIBLE STEPS
shell# cp example.jks ~crucible/.keystore
shell# chown crucible ~crucible/.keystore
shell# chmod 600 ~crucible/.keystore
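The following is an added example, not code from the original post, that ties together the "nothing listening on port 80" pre-check, the keystore creation step (which the post only shows keytool's warning for) and the copy-into-place step. It parses /proc/net/tcp directly instead of grepping netstat output, so port 80 is never confused with 8080, and it builds a PKCS12 keystore with openssl from certbot's privkey.pem and fullchain.pem. Assumptions: Linux, openssl on PATH, the alias "tomcat", the password "changeit", and that the application is configured to read a PKCS12 keystore; the sample /proc/net/tcp content is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): helpers for the Let's Encrypt ->
# Java keystore procedure above.
#
#  listening_on FILE PORT      true if FILE (in /proc/net/tcp format) shows a
#                              LISTEN socket on PORT; pass /proc/net/tcp as FILE
#  make_pkcs12 LIVE OUT PASS   bundle certbot's privkey.pem + fullchain.pem into
#                              a PKCS12 keystore (the default type on Java 9+)
#  install_keystore SRC USER   copy a keystore to USER's ~/.keystore, mode 600
#
# Assumptions: Linux (for /proc/net/tcp), openssl on PATH, alias "tomcat", and
# that the application is configured for a PKCS12 keystore.

port_hex() {
    # /proc/net/tcp stores ports as four upper-case hex digits: 80 -> 0050
    printf '%04X' "$1"
}

listening_on() {
    file="$1"
    want="$(port_hex "$2")"
    # column 2 = local address (hex IP:hex port), column 4 = state, 0A = LISTEN.
    # Comparing the exact port field avoids the "grep 80" problem, which also
    # matches 8080, 1800 and any address containing the digits 80.
    awk -v want="$want" '
        NR > 1 && $4 == "0A" { split($2, a, ":"); if (a[2] == want) found = 1 }
        END { exit(found ? 0 : 1) }
    ' "$file"
}

write_sample() {
    # Constructed sample in /proc/net/tcp layout: a LISTEN socket on 8080 (1F90)
    # and an ESTABLISHED connection on 80 (0050). "grep 80" flags both lines;
    # listening_on correctly reports that nothing is listening on 80.
    printf '%s\n' \
        '  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode' \
        '   0: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1 1 0 100 0 0 10 0' \
        '   1: 0100007F:0050 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 2 1 0 20 4 30 10 -1' \
        > "$1"
}

make_pkcs12() {
    live="$1"; out="$2"; pass="$3"
    # fullchain.pem already carries the intermediate certificate, so every
    # certificate in it is included without a separate -certfile.
    # "pass:" is visible in the process list; for unattended runs prefer
    # -passout file:/path/to/passfile.
    openssl pkcs12 -export \
        -inkey "$live/privkey.pem" \
        -in "$live/fullchain.pem" \
        -name tomcat \
        -out "$out" \
        -passout "pass:$pass" || return 1
    chmod 600 "$out"   # private key material: owner-only
}

install_keystore() {
    src="$1"; user="$2"
    home="$(getent passwd "$user" | cut -d: -f6)"
    [ -n "$home" ] || return 1
    # install sets owner and mode in one step; 600 keeps the key from the group
    install -m 600 -o "$user" "$src" "$home/.keystore"
}

# Usage (as root, after certbot has run):
#   listening_on /proc/net/tcp 80 && echo "port 80 busy: stop that service first"
#   make_pkcs12 /etc/letsencrypt/live/example.yourdomain.com /root/example.p12 changeit
#   install_keystore /root/example.p12 bamboo
```

For renewals the same two calls can run from a certbot --deploy-hook script, where certbot sets RENEWED_LINEAGE to the live directory of the certificate that was just renewed.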
Restart Bamboo and Crucible
This step will restart the processes, so they read in the new certificate.
shell> sudo -i
BAMBOO STEPS
shell# su - bamboo -c ./current/bin/stop-bamboo.sh
shell# su - bamboo -c ./current/bin/start-bamboo.sh
Author: erics, Posted on Thursday, September 7th, 2023 at 11:02:30am
SUMMARY
If sysbench is started with the “--mysql-ssl=on” option, it looks in the current directory for the following files:
client-cert.pem
client-key.pem
cacert.pem (note: no dash, unlike MySQL’s ca.pem)
PROCEDURE
Locate the current MySQL database certificates, usually in /var/lib/mysql, and make sure that the OS user running sysbench is able to read the following 3 files:
ca.pem
client-cert.pem
client-key.pem
Next, cd to the OS user’s home directory and create symbolic links as follows:
export DIR=/var/lib/mysql
cd
ln -s ${DIR}/ca.pem cacert.pem
ln -s ${DIR}/client-cert.pem
ln -s ${DIR}/client-key.pem
Finally, create a simple wrapper that changes into that directory and adds --mysql-ssl=on to the sysbench command, for example:
Author: erics, Posted on Friday, July 21st, 2023 at 9:38:26am
I wanted to save the iptables list to disk, but got an error when I tried:
# service iptables save
The service command supports only basic LSB actions (start, stop, restart, try-restart, reload, force-reload, status). For other actions, please try to use systemctl.
The solution was to install the iptables-services package:
# yum install iptables-services -y
...
Installed:
iptables-services.x86_64 0:1.8.4-10.amzn2.1.2
Complete!
I was then able to save properly:
root@inbound2:/var/log # service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
Author: erics, Posted on Friday, June 23rd, 2023 at 4:31:14pm
When trying to access the serial console on AWS, I got the following error: Cannot open access to console, the root account is locked
Since I had edited /etc/fstab, the host would not boot.
The only way to fix this problem is to detach the root volume from the affected instance, attach and mount it on another node, edit the fstab file there, and reverse the process, ending up with that volume re-attached as the root volume on the problem node.
Author: erics, Posted on Tuesday, May 23rd, 2023 at 8:23:49am
In the macOS Terminal, my mouse scroll wheel would suddenly start scrolling through the command-line history instead of moving the window’s scrollback buffer (the scroll bar on the right that shows earlier output).
This happened when an SSH session was disconnected or timed out.