scuba_mike's questions

I'm in the process of transferring some of my old-and-busted apache2 web servers to newer and more resilient nginx containers.

On my old web server, I have an apache2 server that hosts secretbackdoor.example.com, which authenticates "users" (only me) using a signed certificate. The CA is setup in the following way:

> ROOT CA (self-signed, obviously)
|--> Intermediate CA (Signed by ROOT CA)
  |--> Client Certificate (Signed by Intermediate CA)

This stack overflow question showed that I can't do direct intermediate CA verification. Aside: I agree technically that nginx is right but practically, it's useful to have certificates scoped to a specific Intermediate CA....I digress.

That being said, I've followed the instructions on the question but have hit a wall. I've set ssl_client_certificate to be the CA certificate. When I try to connect with my browser that has a client certificate, I get the following error in my error.log file:

client SSL certificate verify error: (21:unable to verify the first certificate) while reading client request headers, client: 1.1.1.1, server: secretbackdoor.example.com, request: "GET / HTTP/2.0", host: "secretbackdoor.example.com"

I've tried using the intermediary CA in addition to setting ssl_client_certificate to the chained certificates to no avail.

I'm running nginx using docker with letsencrypt certificates securing the traffic. I'm not sure if that's what's causing the issues, but thought it shouldn't be a problem since client certificates can and often are signed by different CA authorities.

Here is my site setup:

server {
    listen       443;
    server_name  secretbackdoor.example.com;

    ssl_certificate /etc/letsencrypt/live/secretbackdoor.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/secretbackdoor.example.com/privkey.pem;
    ssl_client_certificate /etc/nginx/conf.d/certs/root_ca.pem;

    ssl_verify_client on;
    ssl_verify_depth 2;

    # https://github.com/certbot/certbot/blob/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf
    include /etc/letsencrypt/options-ssl-nginx.conf;
    # https://github.com/certbot/certbot/blob/master/certbot/certbot/ssl-dhparams.pem
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }
}

Any assistance would be greatly appreciated!

I'm migrating my mail server from an older instance of postfix (3.2.0) to 3.3.0 on Ubuntu. I'm installing from apt and installation went fine. I'm in the process of trying to set up my MySQL connections, copying them from my old system to this one.

I'm running into a problem when I try to run postmap -q [email protected] mysql:aliases.cf. The error I get is:

postmap: fatal: bad string length 0 < 1: aliases.cf_dbname =

The file in question (aliases.cf) is simple:

hosts = 127.0.0.1
user = postfix_user
password = hunter2
dbname = postfix_db

query = SELECT `destination`
        FROM `mail_aliases`
        WHERE
        `alias_address` = '%u'
        AND `domain` = '%d'
        AND `active` = 1

I've done a couple of things to troubleshoot this:

• I've tried adding options_file and options_group which didn't help.
• Kept options_file and options_group and removed hosts, user, and `password. Didn't work
• Created a hash file (flat file) and that works
• Sent an email to an address in the database (via sendmail on the local box) but get this error: Sep 17 01:06:42 ec21234 postfix/cleanup[4230]: warning: mysql:/etc/postfix/virtual/aliases.cf lookup error for "[email protected]"
• Connecting to the database directly with username and password works perfectly.

I've done a bit of google searching and haven't been able to find anything useful. The closest I could find was this result which only loads when viewed with Google Cache.

I'm trying to create a script that will automatically deploy and install an AWS EC2 instance using a bash script. I have a deployment script that looks something like this:

#!/bin/bash

# Update apt-get
echo Updating apt-get repositories
apt-get update -yqq

# Install pre-requisits
echo Installing AWS CLI and Python 3
apt-get install -yqq awscli python3 python3-pip

# Set timezone to US/Eastern
# https://help.ubuntu.com/community/UbuntuTime
echo "US/Eastern" | sudo tee /etc/timezone
dpkg-reconfigure --frontend noninteractive tzdata

echo cloud-init userdata processed.

The deployment script (lets call userdata.bash) runs fine when I deploy the instance via arguments:

aws ec2 run-instances \ 
  --image-id ami-064a0193585662d74 \
  --instance-type t3.micro \
  --key-name "ssh key" \
  --security-group-ids sg-abcdef01 sg-abcdef02 \
  --user-data file://userdata.bash

The instance starts, the script runs, everything is great!

But when I put these same options into a json file, the user-data part doesn't parse properly.

The json file named launch.json:

{
  "BlockDeviceMappings": [
    {
      "DeviceName": "/dev/sda1",
      "Ebs": {
        "DeleteOnTermination": true,
        "VolumeType": "gp2",
        "VolumeSize": 8
      }
    }
  ],
  "ImageId": "ami-064a0193585662d74",
  "InstanceType": "t3.micro",
  "KeyName": "ssh key",
  "SecurityGroupIds": ["sg-abcdef01", "sg-abcdef02"],
  "Placement": {
    "AvailabilityZone": "us-east-1a"
  },
  "IamInstanceProfile": {
      "Arn": "arn:aws:iam::111111111111:instance-profile/some-role"
  },
  "UserData": "file://userdata.bash"
}

When I run with the --cli-input-json argument, everything loads fine, with the exception of the userdata script.

I've tried converting the script to base64 and loading directly, which didn't work. I've tried just the file name, and that didn't work either. The documentation seems to be mum about the format of the userdata part of the yaml file.

Any suggestions would be greatly appreciated.