Category: Uncategorized

Help, my OpenSSL CA expired!

Many folks and organizations are running their own Certificate Authority (CA) internally, to manage certificates for internal services and (infrastructure) devices, which won’t ever be exposed to regular users. Some manage those CAs manually, e.g., via OpenSSL directly, or via tools like easyrsa, cfssl, etc.

In the Freifunk Hochstift infrastructure, we use an internal CA for host certificates (e.g., used for Icinga2), internal services like LDAP, OpenVPN, NetBox, IPMIs, etc. The CA is managed by some helper scripts directly calling the openssl binary. When I created the CA back in 2015 I didn’t think much about the expiry date, set it to 10 years from then, and focused on the infrastructure to be set up. I’ve also set up monitoring for the certificates of the services, we deployed, but did not set up monitoring for the CA expiry.

So here we are, and recently, those 10 years were up, and our OpenVPN used for managed access stopped failing because it couldn’t connect to the Anycasted LDAP servers. All 4 instances failing at once was wild and didn’t make much sense. Some debugging revealed problems to be related to SSL/TLS, yet the service certificates were OK. After a while, I figured out the CA had expired, but now what?

Turns out, you can build a new certificate from an existing key and get yourself unstuck. As this journey wasn’t very pleasant, I stumbled across some mostly-but-not-fully-working articles out there, and had to dive into /usr/lib/ssl/misc/CA.pl, here’s the way I got myself out of this mess.

Continue reading Help, my OpenSSL CA expired!

Unlocking your LUKS encrypted disks via SSH

If you are like me and have some systems with fully encrypted disks, where you can’t or don’t want to be physically present for a system (re)boot, or which don’t have OOBM/KVM/CIMC access, this might be for you!

Having a look at how the generic disk decryption works on Debian-based systems, but likely also on others, is to add a script into the init-ramdisk (or initrd) which wraps a call to cryptsetup luksOpen for a given device(s).

So we can use the same mechanism to set up an SSH daemon within the initrd, configure the network so we can get administrative access, and then unlock the disks remotely. The only two things we have to do are to make sure all the plumbing is added to the initrd and the script is started before the regular interactive disk unlock script gets executed.

For Debian-based systems I’ve build this a while ago and finally Open Sourced it as fluffy-unluks on GitHub.

The add-unluks script set ups sshd and the required environment (NSS, etc.) for it to run as well as installing potentially needed Kernel modules for advanced network configs when building a new initrd.

The unluks script will be run on boot-up, configure the network as needed (including an LACP LAG and/or VLAN sub-interface, if desired), start the SSH server and wait for you to unlock the disks. If all configured disks have been unlocked – by checking for existing block devices or LVM volume groups – the temporary network configured is purged, sshd stopped and the system resumes the normal boot.

An optional safeword can be configured to instruct the unluks script to do nothing so the regular boot sequence will be used.