Linux – DevOps Journal

December 3, 2019

ElementaryOS: Resolution fix for 2560×1440

Edit /usr/share/X11/xorg.conf.d/10-monitor.conf and paste the following:

Section "Monitor"

Identifier "Monitor0"

Section "Monitor"

Identifier "Monitor0"

Modeline "2560x1440_60.00" 661.25 2560 2784 3064 3568 1440 1443 1448 1545 -hsync +vsync

EndSection

Section "Screen"

Identifier "Screen0"

Device "Virtual1"

Monitor "Monitor0"

DefaultDepth 24

SubSection "Display"

Depth 24

Modes "2560x1440_60.00"

EndSubSection

EndSection

Section "Monitor" Identifier "Monitor0" Section "Monitor" Identifier "Monitor0" Modeline "2560x1440_60.00" 661.25 2560 2784 3064 3568 1440 1443 1448 1545 -hsync +vsync EndSection Section "Screen" Identifier "Screen0" Device "Virtual1" Monitor "Monitor0" DefaultDepth 24 SubSection "Display" Depth 24 Modes "2560x1440_60.00" EndSubSection EndSection

Section "Monitor"
  Identifier "Monitor0"
  Section "Monitor"
  Identifier "Monitor0"
  Modeline "2560x1440_60.00"  661.25  2560 2784 3064 3568 1440 1443 1448 1545 -hsync +vsync
EndSection
Section "Screen"
  Identifier "Screen0"
  Device "Virtual1"
  Monitor "Monitor0"
  DefaultDepth 24
  SubSection "Display"
    Depth 24
    Modes "2560x1440_60.00"
  EndSubSection
EndSection

And reboot system with sudo reboot

# sudo reboot

# sudo reboot

Thanks!

October 14, 2019

Apache 2.4.6 + mod_wsgi + Python 3.6 + Django 2.2.6 on CentOS 7

There are many how-to’s on installing Apache with mod_wsgi, python 3.x and Django, but nothing worked for me, looks like mod_wsgi libraries installed by default with yum use Python 2.x, and I keep getting the following error message:

[Mon Oct 14 09:42:07.713418 2019] [:error] [pid 18066] [remote 10.30.40.31:0] mod_wsgi (pid=18066): Target WSGI script '/usr/local/val/app/app/wsgi.py' cannot be loaded as Python module.

[Mon Oct 14 09:42:07.713497 2019] [:error] [pid 18066] [remote 10.30.40.31:0] mod_wsgi (pid=18066): Exception occurred processing WSGI script '/usr/local/val/app/wsgi.py'.

[Mon Oct 14 09:42:07.713560 2019] [:error] [pid 18066] [remote 10.30.40.31:0] Traceback (most recent call last):

[Mon Oct 14 09:42:07.713596 2019] [:error] [pid 18066] [remote 10.30.40.31:0] File "/usr/local/val/app/app/wsgi.py", line 12, in <module>

[Mon Oct 14 09:42:07.713701 2019] [:error] [pid 18066] [remote 10.30.40.31:0] from django.core.wsgi import get_wsgi_application

[Mon Oct 14 09:42:07.713718 2019] [:error] [pid 18066] [remote 10.30.40.31:0] File "/usr/local/val/venv/lib/python3.6/site-packages/django/__init__.py", line 1, in <module>

[Mon Oct 14 09:42:07.713789 2019] [:error] [pid 18066] [remote 10.30.40.31:0] from django.utils.version import get_version

[Mon Oct 14 09:42:07.713804 2019] [:error] [pid 18066] [remote 10.30.40.31:0] File "/usr/local/val/venv/lib/python3.6/site-packages/django/utils/version.py", line 71, in <module>

[Mon Oct 14 09:42:07.713886 2019] [:error] [pid 18066] [remote 10.30.40.31:0] @functools.lru_cache()

[Mon Oct 14 09:42:07.713914 2019] [:error] [pid 18066] [remote 10.30.40.31:0] AttributeError: 'module' object has no attribute 'lru_cache'

[Mon Oct 14 09:42:07.713418 2019] [:error] [pid 18066] [remote 10.30.40.31:0] mod_wsgi (pid=18066): Target WSGI script '/usr/local/val/app/app/wsgi.py' cannot be loaded as Python module. [Mon Oct 14 09:42:07.713497 2019] [:error] [pid 18066] [remote 10.30.40.31:0] mod_wsgi (pid=18066): Exception occurred processing WSGI script '/usr/local/val/app/wsgi.py'. [Mon Oct 14 09:42:07.713560 2019] [:error] [pid 18066] [remote 10.30.40.31:0] Traceback (most recent call last): [Mon Oct 14 09:42:07.713596 2019] [:error] [pid 18066] [remote 10.30.40.31:0] File "/usr/local/val/app/app/wsgi.py", line 12, in <module> [Mon Oct 14 09:42:07.713701 2019] [:error] [pid 18066] [remote 10.30.40.31:0] from django.core.wsgi import get_wsgi_application [Mon Oct 14 09:42:07.713718 2019] [:error] [pid 18066] [remote 10.30.40.31:0] File "/usr/local/val/venv/lib/python3.6/site-packages/django/__init__.py", line 1, in <module> [Mon Oct 14 09:42:07.713789 2019] [:error] [pid 18066] [remote 10.30.40.31:0] from django.utils.version import get_version [Mon Oct 14 09:42:07.713804 2019] [:error] [pid 18066] [remote 10.30.40.31:0] File "/usr/local/val/venv/lib/python3.6/site-packages/django/utils/version.py", line 71, in <module> [Mon Oct 14 09:42:07.713886 2019] [:error] [pid 18066] [remote 10.30.40.31:0] @functools.lru_cache() [Mon Oct 14 09:42:07.713914 2019] [:error] [pid 18066] [remote 10.30.40.31:0] AttributeError: 'module' object has no attribute 'lru_cache'

[Mon Oct 14 09:42:07.713418 2019] [:error] [pid 18066] [remote 10.30.40.31:0] mod_wsgi (pid=18066): Target WSGI script '/usr/local/val/app/app/wsgi.py' cannot be loaded as Python module.
[Mon Oct 14 09:42:07.713497 2019] [:error] [pid 18066] [remote 10.30.40.31:0] mod_wsgi (pid=18066): Exception occurred processing WSGI script '/usr/local/val/app/wsgi.py'.
[Mon Oct 14 09:42:07.713560 2019] [:error] [pid 18066] [remote 10.30.40.31:0] Traceback (most recent call last):
[Mon Oct 14 09:42:07.713596 2019] [:error] [pid 18066] [remote 10.30.40.31:0]   File "/usr/local/val/app/app/wsgi.py", line 12, in <module>
[Mon Oct 14 09:42:07.713701 2019] [:error] [pid 18066] [remote 10.30.40.31:0]     from django.core.wsgi import get_wsgi_application
[Mon Oct 14 09:42:07.713718 2019] [:error] [pid 18066] [remote 10.30.40.31:0]   File "/usr/local/val/venv/lib/python3.6/site-packages/django/__init__.py", line 1, in <module>
[Mon Oct 14 09:42:07.713789 2019] [:error] [pid 18066] [remote 10.30.40.31:0]     from django.utils.version import get_version
[Mon Oct 14 09:42:07.713804 2019] [:error] [pid 18066] [remote 10.30.40.31:0]   File "/usr/local/val/venv/lib/python3.6/site-packages/django/utils/version.py", line 71, in <module>
[Mon Oct 14 09:42:07.713886 2019] [:error] [pid 18066] [remote 10.30.40.31:0]     @functools.lru_cache()
[Mon Oct 14 09:42:07.713914 2019] [:error] [pid 18066] [remote 10.30.40.31:0] AttributeError: 'module' object has no attribute 'lru_cache'

Installing Apache and devel package

$ yum install httpd httpd-devel wget

$ yum install httpd httpd-devel wget

So, I had to compile mod_wsgi library from sources, which actually helped me to fix the error above with running Django app with wsgi.

Let’s make sure we have Python 3.6 or 3.7 installed or actually it would work with any Python 3 minor version.

$ python3

Python 3.6.8 (default, Aug 7 2019, 17:28:10)

[GCC 4.8.5 20150623 (Red Hat 4.8.5-39)] on linux

Type "help", "copyright", "credits" or "license" for more information.

$ python3 Python 3.6.8 (default, Aug 7 2019, 17:28:10) [GCC 4.8.5 20150623 (Red Hat 4.8.5-39)] on linux Type "help", "copyright", "credits" or "license" for more information.

$ python3
Python 3.6.8 (default, Aug  7 2019, 17:28:10) 
[GCC 4.8.5 20150623 (Red Hat 4.8.5-39)] on linux
Type "help", "copyright", "credits" or "license" for more information.

If we have Python 3 installed, we need to make sure we got mod_wsgi removed, which was installed by yum.

$ yum remove mod_wsgi

$ yum remove mod_wsgi

Downloading, compiling and installing a mod_wsgi package by doing this:

$ cd /opt

$ wget https://files.pythonhosted.org/packages/25/d8/1df4ba9c051cd88e02971814f0867274a8ac821baf983b6778dacd6e31f7/mod_wsgi-4.6.8.tar.gz

$ tar -zxvf mod_wsgi-4.6.8.tar.gz

$ cd mod_wsgi-4.6.8

$ ./configure --with-python=/usr/bin/python3.6

$ LD_RUN_PATH=/usr/local/lib make

$ sudo make install

$ cd /opt $ wget https://files.pythonhosted.org/packages/25/d8/1df4ba9c051cd88e02971814f0867274a8ac821baf983b6778dacd6e31f7/mod_wsgi-4.6.8.tar.gz $ tar -zxvf mod_wsgi-4.6.8.tar.gz $ cd mod_wsgi-4.6.8 $ ./configure --with-python=/usr/bin/python3.6 $ LD_RUN_PATH=/usr/local/lib make $ sudo make install

$ cd /opt
$ wget https://files.pythonhosted.org/packages/25/d8/1df4ba9c051cd88e02971814f0867274a8ac821baf983b6778dacd6e31f7/mod_wsgi-4.6.8.tar.gz
$ tar -zxvf mod_wsgi-4.6.8.tar.gz
$ cd mod_wsgi-4.6.8
$ ./configure --with-python=/usr/bin/python3.6
$ LD_RUN_PATH=/usr/local/lib make
$ sudo make install

Add a new entry to /etc/ld.so.conf

include ld.so.conf.d/*.conf

include /usr/local/lib

include ld.so.conf.d/*.conf include /usr/local/lib

include ld.so.conf.d/*.conf
include /usr/local/lib

Run:

ldconfig

ldconfig

Make sure mod_wsgi linked properly:

# ldd usr/lib64/httpd/modules/mod_wsgi.so

linux-vdso.so.1 => (0x00007ffd5bdd7000)

libpython3.6m.so.1.0 => /lib64/libpython3.6m.so.1.0 (0x00007fe5ab02b000)

libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fe5aae0f000)

libdl.so.2 => /lib64/libdl.so.2 (0x00007fe5aac0b000)

libutil.so.1 => /lib64/libutil.so.1 (0x00007fe5aaa08000)

libm.so.6 => /lib64/libm.so.6 (0x00007fe5aa706000)

libc.so.6 => /lib64/libc.so.6 (0x00007fe5aa338000)

/lib64/ld-linux-x86-64.so.2 (0x00007fe5ab78f000)

# ldd usr/lib64/httpd/modules/mod_wsgi.so linux-vdso.so.1 => (0x00007ffd5bdd7000) libpython3.6m.so.1.0 => /lib64/libpython3.6m.so.1.0 (0x00007fe5ab02b000) libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fe5aae0f000) libdl.so.2 => /lib64/libdl.so.2 (0x00007fe5aac0b000) libutil.so.1 => /lib64/libutil.so.1 (0x00007fe5aaa08000) libm.so.6 => /lib64/libm.so.6 (0x00007fe5aa706000) libc.so.6 => /lib64/libc.so.6 (0x00007fe5aa338000) /lib64/ld-linux-x86-64.so.2 (0x00007fe5ab78f000)

# ldd usr/lib64/httpd/modules/mod_wsgi.so
	linux-vdso.so.1 =>  (0x00007ffd5bdd7000)
	libpython3.6m.so.1.0 => /lib64/libpython3.6m.so.1.0 (0x00007fe5ab02b000)
	libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fe5aae0f000)
	libdl.so.2 => /lib64/libdl.so.2 (0x00007fe5aac0b000)
	libutil.so.1 => /lib64/libutil.so.1 (0x00007fe5aaa08000)
	libm.so.6 => /lib64/libm.so.6 (0x00007fe5aa706000)
	libc.so.6 => /lib64/libc.so.6 (0x00007fe5aa338000)
	/lib64/ld-linux-x86-64.so.2 (0x00007fe5ab78f000)

Install Django:

$ pip3.6 install --upgrade pip

$ pip3.6 install Django

$ pip3.6 install --upgrade pip $ pip3.6 install Django

$ pip3.6 install --upgrade pip
$ pip3.6 install Django

Verify Django installed properly:

$ django-admin version

2.2.6

$ django-admin version 2.2.6

$ django-admin version
2.2.6

My httpd configuration file looks like this:

Alias /static /usr/local/val/app/static

Require all granted

</Directory>

Require all granted

</Files>

</Directory>

WSGIDaemonProcess app python-path=/usr/local/val/app:/usr/local/val/venv/lib/python3.6/site-packages python-home=/usr/local/val/env

WSGIProcessGroup app

WSGIScriptAlias / /usr/local/val/app/app/wsgi.py

WSGIPassAuthorization On

Alias /static /usr/local/val/app/static <Directory /usr/local/val/app/static> Require all granted </Directory> <Directory /usr/local/val/app/app> <Files wsgi.py> Require all granted </Files> </Directory> WSGIDaemonProcess app python-path=/usr/local/val/app:/usr/local/val/venv/lib/python3.6/site-packages python-home=/usr/local/val/env WSGIProcessGroup app WSGIScriptAlias / /usr/local/val/app/app/wsgi.py WSGIPassAuthorization On

Alias /static /usr/local/val/app/static
<Directory /usr/local/val/app/static>
 Require all granted
</Directory>

<Directory /usr/local/val/app/app>
   <Files wsgi.py>
       Require all granted
   </Files>
</Directory>

WSGIDaemonProcess app python-path=/usr/local/val/app:/usr/local/val/venv/lib/python3.6/site-packages python-home=/usr/local/val/env
WSGIProcessGroup app
WSGIScriptAlias / /usr/local/val/app/app/wsgi.py
WSGIPassAuthorization On

Where app is the name of my django app, and val is directory where app is located.

Before that I created virtual environment by running this:

$ python3 -m venv /usr/local/val/env

$ python3 -m venv /usr/local/val/env

Test if everything works correctly, you may probably also want to add your hosts to ALLOWED_HOSTS in your settings.py file and setup static files by specifying the following paths in your settings.py

STATIC_ROOT = '/usr/local/val/app/static/'

STATIC_URL = '/static/'

STATIC_ROOT = '/usr/local/val/app/static/' STATIC_URL = '/static/'

STATIC_ROOT = '/usr/local/val/app/static/'
STATIC_URL = '/static/'

Let me know if you have any questions

Thanks!

September 5, 2019

Nagios environment variables

As soon as Nagios is managed by systemd, you have to change the passing environment variables from /etc/sysconfig/nagios to systemd

Edit the file

$ vi /etc/systemd/system/multi-user.target.wants/nagios.service

$ vi /etc/systemd/system/multi-user.target.wants/nagios.service

Add Environment=”” or EnvironmentFile=”” to [service] section

[Service]

Type=forking

ExecStartPre=/usr/sbin/nagios -v /etc/nagios/nagios.cfg

ExecStart=/usr/sbin/nagios -d /etc/nagios/nagios.cfg

ExecStop=/usr/bin/kill -s TERM ${MAINPID}

ExecStopPost=/usr/bin/rm -f /var/spool/nagios/cmd/nagios.cmd

ExecReload=/usr/bin/kill -s HUP ${MAINPID}

Environment="PYTHONHTTPSVERIFY=1"

[Service] Type=forking ExecStartPre=/usr/sbin/nagios -v /etc/nagios/nagios.cfg ExecStart=/usr/sbin/nagios -d /etc/nagios/nagios.cfg ExecStop=/usr/bin/kill -s TERM ${MAINPID} ExecStopPost=/usr/bin/rm -f /var/spool/nagios/cmd/nagios.cmd ExecReload=/usr/bin/kill -s HUP ${MAINPID} Environment="PYTHONHTTPSVERIFY=1"

[Service]
Type=forking
ExecStartPre=/usr/sbin/nagios -v /etc/nagios/nagios.cfg
ExecStart=/usr/sbin/nagios -d /etc/nagios/nagios.cfg
ExecStop=/usr/bin/kill -s TERM ${MAINPID}
ExecStopPost=/usr/bin/rm -f /var/spool/nagios/cmd/nagios.cmd
ExecReload=/usr/bin/kill -s HUP ${MAINPID}
Environment="PYTHONHTTPSVERIFY=1"

Restart systemd and nagios

$ sudo systemctl daemon-reload

$ sudo systemctl restart nagios

$ sudo systemctl daemon-reload $ sudo systemctl restart nagios

$ sudo systemctl daemon-reload
$ sudo systemctl restart nagios

Check the process environment

$ cat /proc/30195/environ

LANG=en_US.UTF-8PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/binPYTHONHTTPSVERIFY=1

$ cat /proc/30195/environ LANG=en_US.UTF-8PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/binPYTHONHTTPSVERIFY=1 $

$ cat /proc/30195/environ
LANG=en_US.UTF-8PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/binPYTHONHTTPSVERIFY=1
$

That will pass all variables into Nagios daemon

Nagios, the Nagios logo, and Nagios graphics are the servicemarks, trademarks, or registered trademarks owned by Nagios Enterprises.

Let me know if you have any issues with monitoring. Will be glad to help

July 4, 2019

Happy Independence Day!

Wishing everybody a wonderful time on this special day in American history. Happy Fourth of July! God bless America!

May 2, 2019

Open-Xchange IMAP: STARTTLS failure

During some experiments with open-sources code, found an issue with STARTTLS on the latest open-xchange appsuite 7.10.1-Rev9

Something like this:

com.openexchange.exception.OXException: LGI-0003 Categories=ERROR Message='Unknown problem: "STARTTLS failure".' exceptionID=-1484511495-7

at com.openexchange.exception.OXExceptionFactory.create(OXExceptionFactory.java:175)

at com.openexchange.exception.OXExceptionFactory.create(OXExceptionFactory.java:165)

at com.openexchange.exception.OXExceptionFactory.create(OXExceptionFactory.java:138)

at com.openexchange.authentication.LoginExceptionCodes.create(LoginExceptionCodes.java:267)

at com.openexchange.authentication.imap.impl.IMAPAuthentication.handleLoginInfo(IMAPAuthentication.java:373)

at com.openexchange.authentication.service.Authentication.login(Authentication.java:111)

at com.openexchange.authentication.service.Authentication.login(Authentication.java:98)

at com.openexchange.login.internal.NormalLoginMethod.doAuthentication(NormalLoginMethod.java:83)

at com.openexchange.login.internal.LoginPerformer.doLogin(LoginPerformer.java:216)

at com.openexchange.login.internal.LoginPerformer.doLogin(LoginPerformer.java:157)

at com.openexchange.login.internal.LoginPerformer.doLogin(LoginPerformer.java:145)

at com.openexchange.ajax.login.Login$1.doLogin(Login.java:109)

at com.openexchange.ajax.login.AbstractLoginRequestHandler.loginOperation(AbstractLoginRequestHandler.java:226)

at com.openexchange.ajax.login.AbstractLoginRequestHandler.loginOperation(AbstractLoginRequestHandler.java:184)

at com.openexchange.ajax.login.Login.doLogin(Login.java:97)

at com.openexchange.ajax.login.Login.handleRequest(Login.java:90)

at com.openexchange.ajax.LoginServlet.doJSONAuth(LoginServlet.java:793)

at com.openexchange.ajax.LoginServlet.doGet(LoginServlet.java:758)

at com.openexchange.ajax.LoginServlet.doPost(LoginServlet.java:878)

at javax.servlet.http.HttpServlet.service(HttpServlet.java:706)

at com.openexchange.ajax.AJAXServlet.doService(AJAXServlet.java:566)

at com.openexchange.ajax.LoginServlet.service(LoginServlet.java:738)

at javax.servlet.http.HttpServlet.service(HttpServlet.java:791)

at org.glassfish.grizzly.servlet.FilterChainImpl.doFilter(FilterChainImpl.java:147)

at com.openexchange.http.grizzly.servletfilter.RequestReportingFilter.doFilter(RequestReportingFilter.java:138)

at org.glassfish.grizzly.servlet.FilterChainImpl.doFilter(FilterChainImpl.java:137)

at com.openexchange.http.grizzly.servletfilter.WrappingFilter.doFilter(WrappingFilter.java:222)

at org.glassfish.grizzly.servlet.FilterChainImpl.doFilter(FilterChainImpl.java:137)

at com.openexchange.http.grizzly.service.http.OSGiAuthFilter.doFilter(OSGiAuthFilter.java:139)

at org.glassfish.grizzly.servlet.FilterChainImpl.doFilter(FilterChainImpl.java:137)

at org.glassfish.grizzly.servlet.FilterChainImpl.invokeFilterChain(FilterChainImpl.java:106)

at org.glassfish.grizzly.servlet.ServletHandler.doServletService(ServletHandler.java:226)

at org.glassfish.grizzly.servlet.ServletHandler.service(ServletHandler.java:178)

at com.openexchange.http.grizzly.service.http.OSGiMainHandler.service(OSGiMainHandler.java:301)

at org.glassfish.grizzly.http.server.HttpHandler$1.run(HttpHandler.java:224)

at com.openexchange.threadpool.internal.CustomThreadPoolExecutor$MDCProvidingRunnable.run(CustomThreadPoolExecutor.java:2575)

at com.openexchange.threadpool.internal.CustomThreadPoolExecutor$Worker.runTask(CustomThreadPoolExecutor.java:841)

at com.openexchange.threadpool.internal.CustomThreadPoolExecutor$Worker.run(CustomThreadPoolExecutor.java:868)

at java.lang.Thread.run(Thread.java:748)

Caused by: javax.mail.MessagingException: STARTTLS failure

at com.sun.mail.imap.IMAPStore.protocolConnect(IMAPStore.java:954)

at javax.mail.Service.connect(Service.java:369)

at com.openexchange.authentication.imap.impl.IMAPAuthentication.handleLoginInfo(IMAPAuthentication.java:357)

... 34 common frames omitted

com.openexchange.exception.OXException: LGI-0003 Categories=ERROR Message='Unknown problem: "STARTTLS failure".' exceptionID=-1484511495-7 at com.openexchange.exception.OXExceptionFactory.create(OXExceptionFactory.java:175) at com.openexchange.exception.OXExceptionFactory.create(OXExceptionFactory.java:165) at com.openexchange.exception.OXExceptionFactory.create(OXExceptionFactory.java:138) at com.openexchange.authentication.LoginExceptionCodes.create(LoginExceptionCodes.java:267) at com.openexchange.authentication.imap.impl.IMAPAuthentication.handleLoginInfo(IMAPAuthentication.java:373) at com.openexchange.authentication.service.Authentication.login(Authentication.java:111) at com.openexchange.authentication.service.Authentication.login(Authentication.java:98) at com.openexchange.login.internal.NormalLoginMethod.doAuthentication(NormalLoginMethod.java:83) at com.openexchange.login.internal.LoginPerformer.doLogin(LoginPerformer.java:216) at com.openexchange.login.internal.LoginPerformer.doLogin(LoginPerformer.java:157) at com.openexchange.login.internal.LoginPerformer.doLogin(LoginPerformer.java:145) at com.openexchange.ajax.login.Login$1.doLogin(Login.java:109) at com.openexchange.ajax.login.AbstractLoginRequestHandler.loginOperation(AbstractLoginRequestHandler.java:226) at com.openexchange.ajax.login.AbstractLoginRequestHandler.loginOperation(AbstractLoginRequestHandler.java:184) at com.openexchange.ajax.login.Login.doLogin(Login.java:97) at com.openexchange.ajax.login.Login.handleRequest(Login.java:90) at com.openexchange.ajax.LoginServlet.doJSONAuth(LoginServlet.java:793) at com.openexchange.ajax.LoginServlet.doGet(LoginServlet.java:758) at com.openexchange.ajax.LoginServlet.doPost(LoginServlet.java:878) at javax.servlet.http.HttpServlet.service(HttpServlet.java:706) at com.openexchange.ajax.AJAXServlet.doService(AJAXServlet.java:566) at com.openexchange.ajax.LoginServlet.service(LoginServlet.java:738) at javax.servlet.http.HttpServlet.service(HttpServlet.java:791) at org.glassfish.grizzly.servlet.FilterChainImpl.doFilter(FilterChainImpl.java:147) at com.openexchange.http.grizzly.servletfilter.RequestReportingFilter.doFilter(RequestReportingFilter.java:138) at org.glassfish.grizzly.servlet.FilterChainImpl.doFilter(FilterChainImpl.java:137) at com.openexchange.http.grizzly.servletfilter.WrappingFilter.doFilter(WrappingFilter.java:222) at org.glassfish.grizzly.servlet.FilterChainImpl.doFilter(FilterChainImpl.java:137) at com.openexchange.http.grizzly.service.http.OSGiAuthFilter.doFilter(OSGiAuthFilter.java:139) at org.glassfish.grizzly.servlet.FilterChainImpl.doFilter(FilterChainImpl.java:137) at org.glassfish.grizzly.servlet.FilterChainImpl.invokeFilterChain(FilterChainImpl.java:106) at org.glassfish.grizzly.servlet.ServletHandler.doServletService(ServletHandler.java:226) at org.glassfish.grizzly.servlet.ServletHandler.service(ServletHandler.java:178) at com.openexchange.http.grizzly.service.http.OSGiMainHandler.service(OSGiMainHandler.java:301) at org.glassfish.grizzly.http.server.HttpHandler$1.run(HttpHandler.java:224) at com.openexchange.threadpool.internal.CustomThreadPoolExecutor$MDCProvidingRunnable.run(CustomThreadPoolExecutor.java:2575) at com.openexchange.threadpool.internal.CustomThreadPoolExecutor$Worker.runTask(CustomThreadPoolExecutor.java:841) at com.openexchange.threadpool.internal.CustomThreadPoolExecutor$Worker.run(CustomThreadPoolExecutor.java:868) at java.lang.Thread.run(Thread.java:748) Caused by: javax.mail.MessagingException: STARTTLS failure at com.sun.mail.imap.IMAPStore.protocolConnect(IMAPStore.java:954) at javax.mail.Service.connect(Service.java:369) at com.openexchange.authentication.imap.impl.IMAPAuthentication.handleLoginInfo(IMAPAuthentication.java:357) ... 34 common frames omitted

com.openexchange.exception.OXException: LGI-0003 Categories=ERROR Message='Unknown problem: "STARTTLS failure".' exceptionID=-1484511495-7
	at com.openexchange.exception.OXExceptionFactory.create(OXExceptionFactory.java:175)
	at com.openexchange.exception.OXExceptionFactory.create(OXExceptionFactory.java:165)
	at com.openexchange.exception.OXExceptionFactory.create(OXExceptionFactory.java:138)
	at com.openexchange.authentication.LoginExceptionCodes.create(LoginExceptionCodes.java:267)
	at com.openexchange.authentication.imap.impl.IMAPAuthentication.handleLoginInfo(IMAPAuthentication.java:373)
	at com.openexchange.authentication.service.Authentication.login(Authentication.java:111)
	at com.openexchange.authentication.service.Authentication.login(Authentication.java:98)
	at com.openexchange.login.internal.NormalLoginMethod.doAuthentication(NormalLoginMethod.java:83)
	at com.openexchange.login.internal.LoginPerformer.doLogin(LoginPerformer.java:216)
	at com.openexchange.login.internal.LoginPerformer.doLogin(LoginPerformer.java:157)
	at com.openexchange.login.internal.LoginPerformer.doLogin(LoginPerformer.java:145)
	at com.openexchange.ajax.login.Login$1.doLogin(Login.java:109)
	at com.openexchange.ajax.login.AbstractLoginRequestHandler.loginOperation(AbstractLoginRequestHandler.java:226)
	at com.openexchange.ajax.login.AbstractLoginRequestHandler.loginOperation(AbstractLoginRequestHandler.java:184)
	at com.openexchange.ajax.login.Login.doLogin(Login.java:97)
	at com.openexchange.ajax.login.Login.handleRequest(Login.java:90)
	at com.openexchange.ajax.LoginServlet.doJSONAuth(LoginServlet.java:793)
	at com.openexchange.ajax.LoginServlet.doGet(LoginServlet.java:758)
	at com.openexchange.ajax.LoginServlet.doPost(LoginServlet.java:878)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:706)
	at com.openexchange.ajax.AJAXServlet.doService(AJAXServlet.java:566)
	at com.openexchange.ajax.LoginServlet.service(LoginServlet.java:738)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:791)
	at org.glassfish.grizzly.servlet.FilterChainImpl.doFilter(FilterChainImpl.java:147)
	at com.openexchange.http.grizzly.servletfilter.RequestReportingFilter.doFilter(RequestReportingFilter.java:138)
	at org.glassfish.grizzly.servlet.FilterChainImpl.doFilter(FilterChainImpl.java:137)
	at com.openexchange.http.grizzly.servletfilter.WrappingFilter.doFilter(WrappingFilter.java:222)
	at org.glassfish.grizzly.servlet.FilterChainImpl.doFilter(FilterChainImpl.java:137)
	at com.openexchange.http.grizzly.service.http.OSGiAuthFilter.doFilter(OSGiAuthFilter.java:139)
	at org.glassfish.grizzly.servlet.FilterChainImpl.doFilter(FilterChainImpl.java:137)
	at org.glassfish.grizzly.servlet.FilterChainImpl.invokeFilterChain(FilterChainImpl.java:106)
	at org.glassfish.grizzly.servlet.ServletHandler.doServletService(ServletHandler.java:226)
	at org.glassfish.grizzly.servlet.ServletHandler.service(ServletHandler.java:178)
	at com.openexchange.http.grizzly.service.http.OSGiMainHandler.service(OSGiMainHandler.java:301)
	at org.glassfish.grizzly.http.server.HttpHandler$1.run(HttpHandler.java:224)
	at com.openexchange.threadpool.internal.CustomThreadPoolExecutor$MDCProvidingRunnable.run(CustomThreadPoolExecutor.java:2575)
	at com.openexchange.threadpool.internal.CustomThreadPoolExecutor$Worker.runTask(CustomThreadPoolExecutor.java:841)
	at com.openexchange.threadpool.internal.CustomThreadPoolExecutor$Worker.run(CustomThreadPoolExecutor.java:868)
	at java.lang.Thread.run(Thread.java:748)
Caused by: javax.mail.MessagingException: STARTTLS failure
	at com.sun.mail.imap.IMAPStore.protocolConnect(IMAPStore.java:954)
	at javax.mail.Service.connect(Service.java:369)
	at com.openexchange.authentication.imap.impl.IMAPAuthentication.handleLoginInfo(IMAPAuthentication.java:357)
	... 34 common frames omitted

Looks like empty vars for SSL protocol and SSL ciphersuites are not working properly, if specify them everything works just fine.

# File /opt/open-xchange/etc/imap.properties

# Specifies the SSL protocols that will be enabled for SSL connections. The property value is a whitespace separated list of tokens.

# Default is empty

com.openexchange.imap.ssl.protocols=TLSv1 TLSv1.1 TLSv1.2

# Specifies the SSL cipher suites that will be enabled for SSL connections. The property value is a whitespace separated list of tokens.

# Check "http://<ox-grizzly-hostname>:<ox-grizzly-port>/stats/diagnostic?param=ciphersuites" to check available cipher suites.

# Default value is empty (fall-back to current JVM's default SSL cipher suite)

com.openexchange.imap.ssl.ciphersuites=SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA SSL_RSA_WITH_3DES_EDE_CBC_SHA TLS_DHE_DSS_WITH_AES_128_CBC_SHA TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 TLS_DHE_DSS_WITH_AES_256_CBC_SHA TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA TLS_ECDH_RSA_WITH_AES_128_CBC_SHA TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDH_RSA_WITH_AES_256_CBC_SHA TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 TLS_EMPTY_RENEGOTIATION_INFO_SCSV TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA256

# File /opt/open-xchange/etc/imap.properties # Specifies the SSL protocols that will be enabled for SSL connections. The property value is a whitespace separated list of tokens. # Default is empty com.openexchange.imap.ssl.protocols=TLSv1 TLSv1.1 TLSv1.2 # Specifies the SSL cipher suites that will be enabled for SSL connections. The property value is a whitespace separated list of tokens. # # Check "http://<ox-grizzly-hostname>:<ox-grizzly-port>/stats/diagnostic?param=ciphersuites" to check available cipher suites. # # Default value is empty (fall-back to current JVM's default SSL cipher suite) com.openexchange.imap.ssl.ciphersuites=SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA SSL_RSA_WITH_3DES_EDE_CBC_SHA TLS_DHE_DSS_WITH_AES_128_CBC_SHA TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 TLS_DHE_DSS_WITH_AES_256_CBC_SHA TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA TLS_ECDH_RSA_WITH_AES_128_CBC_SHA TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDH_RSA_WITH_AES_256_CBC_SHA TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 TLS_EMPTY_RENEGOTIATION_INFO_SCSV TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA256

# File /opt/open-xchange/etc/imap.properties

# Specifies the SSL protocols that will be enabled for SSL connections. The property value is a whitespace separated list of tokens.
# Default is empty
com.openexchange.imap.ssl.protocols=TLSv1 TLSv1.1 TLSv1.2

# Specifies the SSL cipher suites that will be enabled for SSL connections. The property value is a whitespace separated list of tokens.
#
# Check "http://<ox-grizzly-hostname>:<ox-grizzly-port>/stats/diagnostic?param=ciphersuites" to check available cipher suites.
#
# Default value is empty (fall-back to current JVM's default SSL cipher suite)
com.openexchange.imap.ssl.ciphersuites=SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA SSL_RSA_WITH_3DES_EDE_CBC_SHA TLS_DHE_DSS_WITH_AES_128_CBC_SHA TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 TLS_DHE_DSS_WITH_AES_256_CBC_SHA TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA TLS_ECDH_RSA_WITH_AES_128_CBC_SHA TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDH_RSA_WITH_AES_256_CBC_SHA TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 TLS_EMPTY_RENEGOTIATION_INFO_SCSV TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA256

Hope that helps, thanks!

August 13, 2018

Paperkey: How to backup your GnuPG keys on paper

To create a backup of your GPG Key, you may use one of the following commands

img-alternative-text

paperkey --secret-key my-secret-key.gpg --output to-be-printed.txt

paperkey --secret-key my-secret-key.gpg --output to-be-printed.txt

Or using this if you have exported (not armored) GPG Key in file:

paperkey --secret-key my-secret-key.gpg --output to-be-printed.txt

paperkey --secret-key my-secret-key.gpg --output to-be-printed.txt

To restore it you will need a paperkey data in file and you public key. The following command will take public key from public-key.gpg file and paperkey data from secret-paperkey.gpg file and will import it to ~/.gnupg.

$ paperkey --pubring public-key.gpg --secrets secret-paperkey.gpg | gpg --import

$ paperkey --pubring public-key.gpg --secrets secret-paperkey.gpg | gpg --import

If you have armored gpg public key, you will need to dearmor it first by doing this:

$ gpg --dearmor public-key.gpg

$ gpg --dearmor public-key.gpg

To install it on your mac, you may use brew:

$ brew install paperkey

$ brew install paperkey

Paperkey by David Shaw

Thanks!

January 28, 2018

Using YubiKey with GPG

Using Yubikey with GPG encryption

Let me try to show my experience in using Yubikey as a Smartcard for storing signing and GPG encryption keys. There are a lot of information in the internet about that, but that my first try in configuring yubikey for such purposes.

Firstly we need to install necessary packages on our mac by doing the following command, I’m using brew:

$ brew install gnupg yubikey-personalization

$ brew install gnupg yubikey-personalization

This will allow us to program our Yubikey.

The next step is we need to create a new keys for further usage.

Generate a key

Let’s do a temporary directory:

export GNUPGHOME=$(mktemp -d)

export GNUPGHOME=$(mktemp -d)

And create a GPG configuration:

$ cat << EOF > $GNUPGHOME/gpg.conf

use-agent

personal-cipher-preferences AES256 AES192 AES CAST5

personal-digest-preferences SHA512 SHA384 SHA256 SHA224

default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed

cert-digest-algo SHA512

s2k-digest-algo SHA512

s2k-cipher-algo AES256

charset utf-8

fixed-list-mode

no-comments

no-emit-version

keyid-format 0xlong

list-options show-uid-validity

verify-options show-uid-validity

with-fingerprint

EOF

$ cat << EOF > $GNUPGHOME/gpg.conf use-agent personal-cipher-preferences AES256 AES192 AES CAST5 personal-digest-preferences SHA512 SHA384 SHA256 SHA224 default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed cert-digest-algo SHA512 s2k-digest-algo SHA512 s2k-cipher-algo AES256 charset utf-8 fixed-list-mode no-comments no-emit-version keyid-format 0xlong list-options show-uid-validity verify-options show-uid-validity with-fingerprint EOF

$ cat << EOF > $GNUPGHOME/gpg.conf
use-agent
personal-cipher-preferences AES256 AES192 AES CAST5
personal-digest-preferences SHA512 SHA384 SHA256 SHA224
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
cert-digest-algo SHA512
s2k-digest-algo SHA512
s2k-cipher-algo AES256
charset utf-8
fixed-list-mode
no-comments
no-emit-version
keyid-format 0xlong
list-options show-uid-validity
verify-options show-uid-validity
with-fingerprint
EOF

Generate a master key

During creation a new master key, we will need to choose RSA (sign only) key and I would go with 4096 bits. And you’ll be asked to enter a passphrase, try to enter something unique and strong

VKAFEDZH-M-2R3C:~ val$ gpg --full-generate-key

This is free software: you are free to change and redistribute it.

There is NO WARRANTY, to the extent permitted by law.

gpg: keybox '/var/folders/yy/bp5hkvxs1px1_f1q_10kzgk40000gn/T/tmp.SRHTb4gb/pubring.kbx' created

Please select what kind of key you want:

(1) RSA and RSA (default)

(2) DSA and Elgamal

(3) DSA (sign only)

(4) RSA (sign only)

Your selection? 4

RSA keys may be between 1024 and 4096 bits long.

What keysize do you want? (2048) 4096

Requested keysize is 4096 bits

Please specify how long the key should be valid.

0 = key does not expire

<n> = key expires in n days

<n>w = key expires in n weeks

<n>m = key expires in n months

<n>y = key expires in n years

Key is valid for? (0) 0

Key does not expire at all

Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: Valerii

Email address: vkafed@gmail.com

Comment:

You selected this USER-ID:

"Valerii <vkafed@gmail.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o

We need to generate a lot of random bytes. It is a good idea to perform

some other action (type on the keyboard, move the mouse, utilize the

disks) during the prime generation; this gives the random number

generator a better chance to gain enough entropy.

public and secret key created and signed.

Note that this key cannot be used for encryption. You may want to use

the command "--edit-key" to generate a subkey for this purpose.

pub rsa4096/0xA2B71234247579BE 2018-01-28 [SC]

Key fingerprint = 1A28 A73B A841 4311 FA0A BA28 A4A7 1383 1171 7A99

uid Valerii <vkafed@gmail.com>

VKAFEDZH-M-2R3C:~ val$ gpg --full-generate-key gpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. gpg: keybox '/var/folders/yy/bp5hkvxs1px1_f1q_10kzgk40000gn/T/tmp.SRHTb4gb/pubring.kbx' created Please select what kind of key you want: (1) RSA and RSA (default) (2) DSA and Elgamal (3) DSA (sign only) (4) RSA (sign only) Your selection? 4 RSA keys may be between 1024 and 4096 bits long. What keysize do you want? (2048) 4096 Requested keysize is 4096 bits Please specify how long the key should be valid. 0 = key does not expire <n> = key expires in n days <n>w = key expires in n weeks <n>m = key expires in n months <n>y = key expires in n years Key is valid for? (0) 0 Key does not expire at all Is this correct? (y/N) y GnuPG needs to construct a user ID to identify your key. Real name: Valerii Email address: vkafed@gmail.com Comment: You selected this USER-ID: "Valerii <vkafed@gmail.com>" Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. public and secret key created and signed. Note that this key cannot be used for encryption. You may want to use the command "--edit-key" to generate a subkey for this purpose. pub rsa4096/0xA2B71234247579BE 2018-01-28 [SC] Key fingerprint = 1A28 A73B A841 4311 FA0A BA28 A4A7 1383 1171 7A99 uid Valerii <vkafed@gmail.com>

VKAFEDZH-M-2R3C:~ val$ gpg --full-generate-key
gpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: keybox '/var/folders/yy/bp5hkvxs1px1_f1q_10kzgk40000gn/T/tmp.SRHTb4gb/pubring.kbx' created
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 4
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: Valerii
Email address: vkafed@gmail.com
Comment:
You selected this USER-ID:
    "Valerii <vkafed@gmail.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
public and secret key created and signed.

Note that this key cannot be used for encryption.  You may want to use
the command "--edit-key" to generate a subkey for this purpose.
pub   rsa4096/0xA2B71234247579BE 2018-01-28 [SC]
      Key fingerprint = 1A28 A73B A841 4311 FA0A BA28 A4A7 1383 1171 7A99
uid                              Valerii <vkafed@gmail.com>

Export a new key

export KEYID=0xA2B71234247579BE

export KEYID=0xA2B71234247579BE

Create subkeys

VKAFEDZH-M-2R3C:~ val$ gpg --expert --edit-key $KEYID

This is free software: you are free to change and redistribute it.

There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

gpg: checking the trustdb

gpg: marginals needed: 3 completes needed: 1 trust model: pgp

gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u

sec rsa4096/0xA2B71234247579BE

created: 2018-01-28 expires: never usage: SC

trust: ultimate validity: ultimate

[ultimate] (1). Valerii <vkafed@gmail.com>

VKAFEDZH-M-2R3C:~ val$ gpg --expert --edit-key $KEYID gpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Secret key is available. gpg: checking the trustdb gpg: marginals needed: 3 completes needed: 1 trust model: pgp gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u sec rsa4096/0xA2B71234247579BE created: 2018-01-28 expires: never usage: SC trust: ultimate validity: ultimate [ultimate] (1). Valerii <vkafed@gmail.com>

VKAFEDZH-M-2R3C:~ val$ gpg --expert --edit-key $KEYID
gpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
sec  rsa4096/0xA2B71234247579BE
     created: 2018-01-28  expires: never       usage: SC
     trust: ultimate      validity: ultimate
[ultimate] (1). Valerii <vkafed@gmail.com>

During a creating a new subkeys enter the passphrase you entered during making a master key. In the following example I selected to generate a key with expiration in 1 year.

gpg> addkey

Please select what kind of key you want:

(3) DSA (sign only)

(4) RSA (sign only)

(5) Elgamal (encrypt only)

(6) RSA (encrypt only)

(7) DSA (set your own capabilities)

(8) RSA (set your own capabilities)

(10) ECC (sign only)

(11) ECC (set your own capabilities)

(12) ECC (encrypt only)

(13) Existing key

Your selection? 4

RSA keys may be between 1024 and 4096 bits long.

What keysize do you want? (2048) 4096

Requested keysize is 4096 bits

Please specify how long the key should be valid.

0 = key does not expire

<n> = key expires in n days

<n>w = key expires in n weeks

<n>m = key expires in n months

<n>y = key expires in n years

Key is valid for? (0) 1y

Key expires at Mon Jan 28 14:13:38 2019 EST

Is this correct? (y/N) y

Really create? (y/N) y

We need to generate a lot of random bytes. It is a good idea to perform

some other action (type on the keyboard, move the mouse, utilize the

disks) during the prime generation; this gives the random number

generator a better chance to gain enough entropy.

sec rsa4096/0xA1289348BA3879AE

created: 2018-01-28 expires: never usage: SC

trust: ultimate validity: ultimate

ssb rsa4096/0xA1CDBEFBA21203A4

created: 2018-01-28 expires: 2019-01-28 usage: S

[ultimate] (1). Valerii <vkafed@gmail.com>

gpg> addkey Please select what kind of key you want: (3) DSA (sign only) (4) RSA (sign only) (5) Elgamal (encrypt only) (6) RSA (encrypt only) (7) DSA (set your own capabilities) (8) RSA (set your own capabilities) (10) ECC (sign only) (11) ECC (set your own capabilities) (12) ECC (encrypt only) (13) Existing key Your selection? 4 RSA keys may be between 1024 and 4096 bits long. What keysize do you want? (2048) 4096 Requested keysize is 4096 bits Please specify how long the key should be valid. 0 = key does not expire <n> = key expires in n days <n>w = key expires in n weeks <n>m = key expires in n months <n>y = key expires in n years Key is valid for? (0) 1y Key expires at Mon Jan 28 14:13:38 2019 EST Is this correct? (y/N) y Really create? (y/N) y We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. sec rsa4096/0xA1289348BA3879AE created: 2018-01-28 expires: never usage: SC trust: ultimate validity: ultimate ssb rsa4096/0xA1CDBEFBA21203A4 created: 2018-01-28 expires: 2019-01-28 usage: S [ultimate] (1). Valerii <vkafed@gmail.com>

gpg> addkey
Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
  (12) ECC (encrypt only)
  (13) Existing key
Your selection? 4
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 1y
Key expires at Mon Jan 28 14:13:38 2019 EST
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

sec  rsa4096/0xA1289348BA3879AE
     created: 2018-01-28  expires: never       usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa4096/0xA1CDBEFBA21203A4
     created: 2018-01-28  expires: 2019-01-28  usage: S
[ultimate] (1). Valerii <vkafed@gmail.com>

Next, let’s create n encryption key by selecting RSA (encrypt only) – number 6

gpg> addkey

Please select what kind of key you want:

(3) DSA (sign only)

(4) RSA (sign only)

(5) Elgamal (encrypt only)

(6) RSA (encrypt only)

(7) DSA (set your own capabilities)

(8) RSA (set your own capabilities)

(10) ECC (sign only)

(11) ECC (set your own capabilities)

(12) ECC (encrypt only)

(13) Existing key

Your selection? 6

RSA keys may be between 1024 and 4096 bits long.

What keysize do you want? (2048) 4096

Requested keysize is 4096 bits

Please specify how long the key should be valid.

0 = key does not expire

<n> = key expires in n days

<n>w = key expires in n weeks

<n>m = key expires in n months

<n>y = key expires in n years

Key is valid for? (0) 1y

Key expires at Mon Jan 28 14:16:29 2019 EST

Is this correct? (y/N) y

Really create? (y/N) y

We need to generate a lot of random bytes. It is a good idea to perform

some other action (type on the keyboard, move the mouse, utilize the

disks) during the prime generation; this gives the random number

generator a better chance to gain enough entropy.

sec rsa4096/0xA1289348BA3879AE

created: 2018-01-28 expires: never usage: SC

trust: ultimate validity: ultimate

ssb rsa4096/0xA1CDBEFBA21203A4

created: 2018-01-28 expires: 2019-01-28 usage: S

ssb rsa4096/0x181FFBA2120AA342

created: 2018-01-28 expires: 2019-01-28 usage: E

[ultimate] (1). Valerii <vkafed@gmail.com>

gpg> addkey Please select what kind of key you want: (3) DSA (sign only) (4) RSA (sign only) (5) Elgamal (encrypt only) (6) RSA (encrypt only) (7) DSA (set your own capabilities) (8) RSA (set your own capabilities) (10) ECC (sign only) (11) ECC (set your own capabilities) (12) ECC (encrypt only) (13) Existing key Your selection? 6 RSA keys may be between 1024 and 4096 bits long. What keysize do you want? (2048) 4096 Requested keysize is 4096 bits Please specify how long the key should be valid. 0 = key does not expire <n> = key expires in n days <n>w = key expires in n weeks <n>m = key expires in n months <n>y = key expires in n years Key is valid for? (0) 1y Key expires at Mon Jan 28 14:16:29 2019 EST Is this correct? (y/N) y Really create? (y/N) y We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. sec rsa4096/0xA1289348BA3879AE created: 2018-01-28 expires: never usage: SC trust: ultimate validity: ultimate ssb rsa4096/0xA1CDBEFBA21203A4 created: 2018-01-28 expires: 2019-01-28 usage: S ssb rsa4096/0x181FFBA2120AA342 created: 2018-01-28 expires: 2019-01-28 usage: E [ultimate] (1). Valerii <vkafed@gmail.com>

gpg> addkey
Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
  (12) ECC (encrypt only)
  (13) Existing key
Your selection? 6
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 1y
Key expires at Mon Jan 28 14:16:29 2019 EST
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

sec  rsa4096/0xA1289348BA3879AE
     created: 2018-01-28  expires: never       usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa4096/0xA1CDBEFBA21203A4
     created: 2018-01-28  expires: 2019-01-28  usage: S
ssb  rsa4096/0x181FFBA2120AA342
     created: 2018-01-28  expires: 2019-01-28  usage: E
[ultimate] (1). Valerii <vkafed@gmail.com>

I selected to create 4096 bit RSA encrypt only key which is going to be valid for 365 days only.

And let’s create an authentification key now.

Happy Halloween!

Wishing Happy Halloween to everyone!

October 27, 2017

Icinga2 Director: How to import a server IP from local file

Hey all,

#shortstory

Today I had a pretty interesting task with Icinga2 and Director. The issue was with accessibility to DNS server which was installed in AWS without any public access, so basically it was used only for internal requests. To make story short, the task was to get IP address from local file, hostname from SQL database and assign it to each other.

Here is the changes that I made for ‘PropertyModifierGetHostByName.php’ file.

<?php

// - /usr/share/icingaweb2/modules/director/library/Director/PropertyModifier/PropertyModifierGetHostByName.php

namespace Icinga\Module\Director\PropertyModifier;

use Icinga\Exception\InvalidPropertyException;

use Icinga\Module\Director\Hook\PropertyModifierHook;

use Icinga\Module\Director\Web\Form\QuickForm;

class PropertyModifierGetHostByName extends PropertyModifierHook

{

public static function addSettingsFormFields(QuickForm $form)

{

$form->addElement('select', 'on_failure', array(

'label' => 'On failure',

'description' => $form->translate('What should we do if the host (DNS) lookup fails?'),

'multiOptions' => $form->optionalEnum(array(

'null' => $form->translate('Set no value (null)'),

'keep' => $form->translate('Keep the property (hostname) as is'),

'fail' => $form->translate('Let the whole import run fail'),

)),

'required' => true,

));

}

public function getName()

{

return 'Get host by name (DNS lookup)';

}

public function transform($value)

{

//$host = gethostbyname($value);

$lines_array = file("/usr/share/icingaweb2/dns.txt"); //comma-separated txt file

foreach($lines_array as $line) {

if(strpos($line, $value) !== false) {

list(, $new_str) = explode(",", $line);

$host = trim($new_str); }

}

if (strlen(@inet_pton($host)) !== 4) {

switch ($this->getSetting('on_failure')) {

case 'null':

return null;

case 'keep':

return $value;

case 'fail':

default:

throw new InvalidPropertyException(

'Host lookup failed for "%s"',

$value

);

}

return $host;

}

<?php // - /usr/share/icingaweb2/modules/director/library/Director/PropertyModifier/PropertyModifierGetHostByName.php namespace Icinga\Module\Director\PropertyModifier; use Icinga\Exception\InvalidPropertyException; use Icinga\Module\Director\Hook\PropertyModifierHook; use Icinga\Module\Director\Web\Form\QuickForm; class PropertyModifierGetHostByName extends PropertyModifierHook { public static function addSettingsFormFields(QuickForm $form) { $form->addElement('select', 'on_failure', array( 'label' => 'On failure', 'description' => $form->translate('What should we do if the host (DNS) lookup fails?'), 'multiOptions' => $form->optionalEnum(array( 'null' => $form->translate('Set no value (null)'), 'keep' => $form->translate('Keep the property (hostname) as is'), 'fail' => $form->translate('Let the whole import run fail'), )), 'required' => true, )); } public function getName() { return 'Get host by name (DNS lookup)'; } public function transform($value) { //$host = gethostbyname($value); $lines_array = file("/usr/share/icingaweb2/dns.txt"); //comma-separated txt file foreach($lines_array as $line) { if(strpos($line, $value) !== false) { list(, $new_str) = explode(",", $line); $host = trim($new_str); } } if (strlen(@inet_pton($host)) !== 4) { switch ($this->getSetting('on_failure')) { case 'null': return null; case 'keep': return $value; case 'fail': default: throw new InvalidPropertyException( 'Host lookup failed for "%s"', $value ); } } return $host; } }

<?php

// - /usr/share/icingaweb2/modules/director/library/Director/PropertyModifier/PropertyModifierGetHostByName.php
namespace Icinga\Module\Director\PropertyModifier;

use Icinga\Exception\InvalidPropertyException;
use Icinga\Module\Director\Hook\PropertyModifierHook;
use Icinga\Module\Director\Web\Form\QuickForm;

class PropertyModifierGetHostByName extends PropertyModifierHook
{
    public static function addSettingsFormFields(QuickForm $form)
    {
        $form->addElement('select', 'on_failure', array(
            'label'        => 'On failure',
            'description'  => $form->translate('What should we do if the host (DNS) lookup fails?'),
            'multiOptions' => $form->optionalEnum(array(
                'null' => $form->translate('Set no value (null)'),
                'keep' => $form->translate('Keep the property (hostname) as is'),
                'fail' => $form->translate('Let the whole import run fail'),
            )),
            'required'    => true,
        ));
    }

    public function getName()
    {
        return 'Get host by name (DNS lookup)';
    }

    public function transform($value)
    {
        //$host = gethostbyname($value);
        $lines_array = file("/usr/share/icingaweb2/dns.txt"); //comma-separated txt file
        
        foreach($lines_array as $line) {
            if(strpos($line, $value) !== false) {
            list(, $new_str) = explode(",", $line);
            $host = trim($new_str); }
        }

        if (strlen(@inet_pton($host)) !== 4) {
            switch ($this->getSetting('on_failure')) {
                case 'null':
                    return null;
                case 'keep':
                    return $value;
                case 'fail':
                default:
                    throw new InvalidPropertyException(
                        'Host lookup failed for "%s"',
                        $value
                    );
            }
        }

        return $host;
    }
}

The file dns.txt contains IP and domain names, which are comma-separated. You may change the location of the file, use many of them, or even use key-value database for such queries, it’s pretty easy.

So, basically it search for IP address in dns.txt file for provided hostname in Import function. It will return null or fail (based on your settings), if returned IP is not IPv4.

Extra module will be created and pushed to the github on next Monday.

Happy monitoring!