Help, my OpenSSL CA expired!

Many folks and organizations are running their own Certificate Authority (CA) internally, to manage certificates for internal services and (infrastructure) devices, which won’t ever be exposed to regular users. Some manage those CAs manually, e.g., via OpenSSL directly, or via tools like easyrsa, cfssl, etc.

In the Freifunk Hochstift infrastructure, we use an internal CA for host certificates (e.g., used for Icinga2), internal services like LDAP, OpenVPN, NetBox, IPMIs, etc. The CA is managed by some helper scripts directly calling the openssl binary. When I created the CA back in 2015 I didn’t think much about the expiry date, set it to 10 years from then, and focused on the infrastructure to be set up. I had also set up monitoring for the certificates of the services we deployed, but not for the expiry of the CA certificate itself.

So here we are: recently, those 10 years were up, and our OpenVPN used for managed access started failing because it couldn’t connect to the Anycasted LDAP servers. All 4 instances failing at once was wild and didn’t make much sense. Some debugging pointed at SSL/TLS problems, yet the service certificates were fine. After a while, I figured out the CA had expired, but now what?

Turns out, you can build a new certificate from an existing key and get yourself unstuck. The journey wasn’t very pleasant: I stumbled across several mostly-but-not-fully-working articles out there and ended up diving into /usr/lib/ssl/misc/CA.pl, so here’s the way I got myself out of this mess.

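
The recovery the post hints at, as an added example and not the author's helper scripts or anything from CA.pl: re-issue the CA certificate from the CA's existing private key, prove that the new certificate still validates a service certificate issued under the old one, and add the expiry check that was missing. It assumes only the openssl CLI; every file name, subject and lifetime below is constructed for the demo, and the "expired" CA is simulated with a one-day certificate.

```shell
#!/bin/sh
# Added example, not code from the blog post: re-issue an internal CA certificate
# from the CA's existing private key, check that previously issued service
# certificates still chain to it, and add the expiry monitoring the post lacked.
# Requires only the openssl CLI; all names and lifetimes are constructed.

WORK="${WORK:-$(mktemp -d)}"
CA_KEY="$WORK/ca.key"
CA_CNF="$WORK/ca.cnf"
OLD_CERT="$WORK/ca-old.crt"      # stands in for the expired CA certificate
NEW_CERT="$WORK/ca-new.crt"
LEAF_CERT="$WORK/ldap.crt"       # a service certificate issued by the old CA

# Minimal OpenSSL config so the demo does not depend on the system openssl.cnf.
cat > "$CA_CNF" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no

[ dn ]
CN = Demo Internal CA

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Demo only: create the CA key and a CA certificate that is about to expire.
# In the real scenario the key and the expired certificate already exist.
make_demo_ca() {
    openssl genrsa -out "$CA_KEY" 2048 2>/dev/null &&
    openssl req -x509 -new -key "$CA_KEY" -config "$CA_CNF" -days 1 -sha256 -out "$OLD_CERT"
}

# Demo only: a service certificate signed by the old CA, like the LDAP or
# OpenVPN certificates that were still fine while the CA itself had expired.
issue_demo_leaf() {
    openssl genrsa -out "$WORK/ldap.key" 2048 2>/dev/null &&
    openssl req -new -key "$WORK/ldap.key" -config "$CA_CNF" \
        -subj "/CN=ldap.example.internal" -out "$WORK/ldap.csr" &&
    openssl x509 -req -in "$WORK/ldap.csr" -CA "$OLD_CERT" -CAkey "$CA_KEY" \
        -CAcreateserial -days 365 -sha256 -out "$LEAF_CERT"
}

# The actual fix: turn the expired certificate into a CSR (this keeps its subject,
# which must stay identical because it is the issuer name in every leaf cert),
# then self-sign that CSR with the *same* key and fresh CA extensions.
renew_ca_cert() {
    openssl x509 -x509toreq -in "$OLD_CERT" -signkey "$CA_KEY" -out "$WORK/ca.csr" &&
    openssl x509 -req -in "$WORK/ca.csr" -signkey "$CA_KEY" -days 3650 -sha256 \
        -extfile "$CA_CNF" -extensions ca_ext -out "$NEW_CERT"
}

# Sanity check 1: old and new CA certificates carry the same public key.
same_public_key() {
    old=$(openssl x509 -in "$OLD_CERT" -noout -pubkey | openssl sha256)
    new=$(openssl x509 -in "$NEW_CERT" -noout -pubkey | openssl sha256)
    [ -n "$old" ] && [ "$old" = "$new" ]
}

# Sanity check 2: a leaf issued under the old certificate chains to the new one,
# so no service certificate has to be re-issued.
leaf_verifies_with() {
    openssl verify -CAfile "$1" "$LEAF_CERT" >/dev/null 2>&1
}

# The monitoring that was missing: 0 if the certificate is still valid in N days.
# Wire this into a cron job or a monitoring check for every CA you operate.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

make_demo_ca && issue_demo_leaf && renew_ca_cert || exit 1
same_public_key && echo "old and new CA cert share one public key"
leaf_verifies_with "$NEW_CERT" && echo "leaf issued by old CA chains to new CA cert"
cert_valid_for_days "$OLD_CERT" 30 || echo "old CA cert expires within 30 days (monitoring would have caught this)"
cert_valid_for_days "$NEW_CERT" 30 && echo "new CA cert is valid for at least 30 more days"
```

Two things to keep in mind when doing this for real: the trick only works while the CA private key is still available and has not been compromised, and the new CA certificate has to be distributed to everything that trusts the old one (OpenVPN's CA file, LDAP clients, monitoring hosts, etc.), because those trust stores still hold the expired copy. The service certificates themselves stay valid, since their signatures were made with the same key under the same issuer name.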

Bracketed-paste or why does my mutt-in-screen-IMAP-login not work anymore?

After I upgraded my IRC-host to the next Debian release, I rebooted the box, restarted the IRC and mail client to get things back up again, and wanted to log into my mailbox again. I pasted the password from the password store into mutt (running inside screen) as I had always done and got login failed. Wat?

The IMAP login still worked fine via Thunderbird or mobile app from other devices, and dovecot wasn’t logging anything related to the failed login attempts from mutt. Wat?!

When I start mutt directly on that very box, so outside screen, login works just fine, too. WAT?

So, enable some verbose auth logging in dovecot, including incorrect passwords in plain text, to see what’s going on here:

# From /etc/dovecot/dovecot.conf

# Verbose logging for authentication things
auth_verbose = yes

# Log passwords from invalid logins in plaintext, use carefully!
auth_verbose_passwords = plain

With that in place, I could see that the password pasted into mutt‘s password prompt, when running inside screen, arrived prefixed with 200~ and with a trailing 201~. WAT?!

Noting my findings in the DENOG IRC channel, someone pointed me to Bracketed-paste, which explained the control characters I was seeing. Without that pointer in the right direction, I would have searched way longer – I love the DENOG and Open Source communities 💜.

  • ESC [ 200 ~ to signify the beginning of pasted text and
  • ESC [ 201 ~ to signify the end.
Description of bracketed-paste (Wikipedia)

That led to the discovery that you can disable this behavior in multiple ways, including adding the following line to ~/.inputrc:

set enable-bracketed-paste 0

And hence, I can paste happily ever after.
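
To make the mechanism concrete, here is an added example (not part of the original post) that builds the exact byte sequence a bracketed-paste terminal wraps around pasted text, strips it the way a paste-aware line editor would, and recognises the leftover 200~/201~ residue in a failed-login log line, so a failed IMAP login can be attributed to the terminal rather than to a wrong credential. The log line is constructed; its field layout is an assumption, not dovecot's exact format.

```shell
#!/bin/sh
# Added example, not from the blog post: the bytes a bracketed-paste terminal
# hands to an application, a helper that strips them, and a triage check for
# paste residue in a (constructed) failed-login log line.

ESC=$(printf '\033')
PASTE_BEGIN="${ESC}[200~"   # ESC [ 200 ~ : start of pasted text
PASTE_END="${ESC}[201~"     # ESC [ 201 ~ : end of pasted text

# What the application receives when "$1" is pasted into a terminal that has
# bracketed paste enabled: the text itself is sandwiched between the markers.
wrap_as_paste() {
    printf '%s%s%s' "$PASTE_BEGIN" "$1" "$PASTE_END"
}

# What a bracketed-paste-aware line editor does: drop the markers, keep the text.
unwrap_paste() {
    printf '%s' "$1" | sed -e "s/${ESC}\[200~//g" -e "s/${ESC}\[201~//g"
}

# Returns 0 when a string carries paste-marker residue. The ESC byte is not
# required in the match because the post's dovecot log showed only the visible
# "200~" ... "201~" around the password.
has_paste_residue() {
    case "$1" in
        *200~*201~*) return 0 ;;
    esac
    return 1
}

# Constructed log line in the spirit of auth_verbose_passwords = plain output
# (assumed layout; the password is the test value from the demo, not a real one).
LOG_LINE='imap-login: Info: auth failed, user=alice, given password: 200~hunter2201~'

# Demonstration when run directly.
raw=$(wrap_as_paste "hunter2")
printf 'raw bytes seen by the application:'; printf '%s' "$raw" | od -An -c
printf 'after stripping the markers:       %s\n' "$(unwrap_paste "$raw")"
if has_paste_residue "$LOG_LINE"; then
    echo "log line shows bracketed-paste residue: check the terminal/multiplexer setup, not the credential"
fi
```

Running it shows the ESC [ 200 ~ and ESC [ 201 ~ bytes from the Wikipedia description wrapped around the pasted text, and why a password prompt that does not understand the markers ends up comparing the wrong string.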

Crimpson Thunder

Many, many years ago, I was introduced to Hammerfall, and especially their album Crimson Thunder, with the song of the same name. At that time, we did a lot of Freifunk installations and crimped a lot of cables. On the way back from one of those installations, I heard said album, and it struck me: they are singing about the Crimpson Thunder. So I had to look into the lyrics and see what could be done about it, and here we are.

I present: The Crimpson Thunder – networker’s version:

We are the packets in the dark
Inside the fiber we are the
Eternal Spark that will guide the way

We are the stars up in the sky
We gather winds so you can fly
We are the beam when you’re sending

All your links can come up
Where do we go?
We’re just a next-hop away

Follow the signs of the Crimpson Thunder
We will stay by your side
Let our labels be there to guide you

We are the forces in the rain
Inside your net, we are the
unending answer to all your pings
So take a step towards the shell
The Crimpson sky fulfills the night
The revelation is near

All your links can come up
Where do we go?
We’re just a next-hop away

Follow the signs of the Crimpson Thunder
We will stay by your side
Let our labels be there to guide you

Guitar solo

All your links can come up
Where do we go?
We’re just a next-hop away

Guitar solo

Follow the signs of the Crimpson Thunder
Follow the signs of the Crimpson Thunder
Follow the signs of the Crimpson Thunder
We will stay by your side
Let our labels be there to guide you
Follow the signs of the Crimpson Thunder
We will stay by your side
Let our labels be there to guide you
Follow the signs of the Crimpson Thunder
We will stay by your side
Let our labels be there to guide you