Tuesday, August 05, 2014

Installing a DigiCert star SSL certificate in AWS Load Balancer

This should be quite a straightforward task, especially since I have been installing countless HAProxy SSL-terminated load balancers. When I read that setting up an AWS load balancer with SSL can be a royal pain, I confess my first reaction was 'n00bs!'.

However, I want to be quite clear here: the load balancer dashboard on AWS is a bit buggy. Let me take you through the process of setting up the load balancer for SSL termination as documented by AWS:

So we first start by creating the port mapping between the ELB and the instances. If you want to terminate SSL on port 80, you can set both ports to 80 on the instance. I prefer to terminate them on different ports so that I can make an explicit rewrite from HTTP to HTTPS. Example: I set up the instance ports as 80 and 81, the latter being the "SSL" port (although in reality, internally we have standard HTTP). If someone requests a resource over HTTP, I have a rewrite to HTTPS, which the ELB maps to instance port 81.

After you follow the next screens (read: click click click) you get to a point where you "upload" (read: copy-paste) your SSL certificates. Now this is the trickiest part, which in reality it should not be, so I do not know whether this is a bug in AWS or whether something is wrong integration-wise between DigiCert star certificates and AWS.

The dialog asks you to enter four pieces of information:

  • Certificate Name – The name you want to use to keep track of the certificate within the AWS console.
  • Private Key – The key file you generated as part of your request for certificate.
  • Public Key Certificate – The public facing certificate provided by your certificate authority.
  • Certificate Chain – An optional group of certificates to validate your certificate.

The private key is normally called star_<domain_name>.key, the public key certificate star_<domain_name>.crt, and the Certificate Chain is a concatenation of the previous two and the DigiCertCA.crt intermediate certificate. But here comes the cockup. When you arrive at this screen, fill in just the Private Key and Public Key Certificate and click Create.

Once the Load Balancer is created, go to the Listeners tab and click Change SSL certificate. Upload a "new one" by repeating the same process as before, but this time fill in the Certificate Chain. Unlike a traditional Certificate Chain, AWS expects just the Intermediate Certificate here, so paste only the contents of DigiCertCA.crt.

Note: You might ask why, instead of repeating the last step, we don't just paste the Certificate Chain at LB setup. This is why I stated that AWS might be buggy: if you paste the Certificate Chain at ELB setup, a cryptic error occurs stating that the intermediate certificate is not valid. This is the only way I know that works (and which I haven't seen documented anywhere on the interwebs).
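The mistake the two-step dance above guards against is pasting the wrong material into the wrong field: the DigiCert bundle concatenates key, leaf and intermediate, but the ELB Certificate Chain field wants only DigiCertCA.crt. The following is an added example (not code from the original post or from AWS) that splits PEM input into armor blocks and checks the three dialog fields before you paste them; the file names and the toy PEM bodies are constructed placeholders, and the optional chain argument mirrors the create-without-chain, then change-certificate-with-chain sequence described above.

```python
"""Prepare and sanity-check the three PEM fields the ELB dialog asks for.

Added example, not from the original post. It assumes DigiCert's usual
file names (star_<domain>.key, star_<domain>.crt, DigiCertCA.crt) and
encodes the post's rule that the Certificate Chain field must contain only
the intermediate certificate, never the leaf or the private key.
"""
import re
from typing import Dict, List, Optional, Tuple

# One PEM armor block: "-----BEGIN <TYPE>-----" ... "-----END <TYPE>-----"
_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----",
    re.DOTALL,
)

_KEY_TYPES = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def split_pem_blocks(text: str) -> List[Tuple[str, str]]:
    """Return (type, base64-body-without-whitespace) pairs in order of appearance."""
    blocks = []
    for m in _PEM_BLOCK.finditer(text):
        label, body = m.group(1), m.group(2)
        blocks.append((label, "".join(body.split())))
    return blocks


def build_elb_fields(key_pem: str, leaf_pem: str,
                     intermediate_pem: Optional[str] = None) -> Dict[str, str]:
    """Return the fields to paste into the ELB dialog, or raise ValueError.

    Step 1 of the post (create the ELB) passes no chain; step 2 (Change SSL
    certificate) passes DigiCertCA.crt. Checks performed:
      * Private Key field holds exactly one private key block
      * Public Key Certificate field holds exactly one CERTIFICATE block
      * Certificate Chain, when given, holds only intermediate certificates:
        it must not repeat the leaf and must never contain a private key
        (the mistake the concatenated DigiCert bundle invites)
    """
    keys = split_pem_blocks(key_pem)
    leaf = split_pem_blocks(leaf_pem)
    if len(keys) != 1 or keys[0][0] not in _KEY_TYPES:
        raise ValueError("Private Key field must contain exactly one private key block")
    if len(leaf) != 1 or leaf[0][0] != "CERTIFICATE":
        raise ValueError("Public Key Certificate field must contain exactly one CERTIFICATE block")

    fields = {"Private Key": key_pem.strip(), "Public Key Certificate": leaf_pem.strip()}
    if intermediate_pem is None:
        return fields  # first pass: leave the chain empty, as the post does

    chain = split_pem_blocks(intermediate_pem)
    if not chain:
        raise ValueError("Certificate Chain field contains no PEM block")
    for label, body in chain:
        if label in _KEY_TYPES:
            raise ValueError("Certificate Chain must never contain a private key")
        if label != "CERTIFICATE":
            raise ValueError("unexpected block in Certificate Chain: " + label)
        if body == leaf[0][1]:
            raise ValueError("Certificate Chain must not repeat the leaf; paste only DigiCertCA.crt")
    fields["Certificate Chain"] = intermediate_pem.strip()
    return fields


def chain_field_problem(key_pem: str, leaf_pem: str, chain_pem: Optional[str]) -> str:
    """Return '' when the fields are acceptable, else the error message."""
    try:
        build_elb_fields(key_pem, leaf_pem, chain_pem)
        return ""
    except ValueError as err:
        return str(err)


# Constructed placeholder PEM material (not real keys or certificates).
FAKE_KEY = "-----BEGIN PRIVATE KEY-----\nS0VZ\n-----END PRIVATE KEY-----\n"
FAKE_LEAF = "-----BEGIN CERTIFICATE-----\nTEVBRg==\n-----END CERTIFICATE-----\n"
FAKE_INTERMEDIATE = "-----BEGIN CERTIFICATE-----\nSU5U\n-----END CERTIFICATE-----\n"
# What you get by concatenating key + leaf + CA, as the DigiCert bundle does.
FAKE_BUNDLE = FAKE_KEY + FAKE_LEAF + FAKE_INTERMEDIATE

if __name__ == "__main__":
    print(build_elb_fields(FAKE_KEY, FAKE_LEAF))  # step 1: no chain
    print(build_elb_fields(FAKE_KEY, FAKE_LEAF, FAKE_INTERMEDIATE))  # step 2
    print(chain_field_problem(FAKE_KEY, FAKE_LEAF, FAKE_BUNDLE))  # rejected
```

With real files you would read star_<domain_name>.key, star_<domain_name>.crt and DigiCertCA.crt and pass their contents in; the check only looks at the PEM armor, so it catches the pasted-the-whole-bundle mistake but does not validate signatures, which is what the curl check further down is for.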

To check that you have the chain installed correctly, use curl:
╭─james@darktech  ~
╰─$ curl -v https://<domain_name>.com
* Rebuilt URL to: https://<domain_name>.com/
* Adding handle: conn: 0x23f2970
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x23f2970) send_pipe: 1, recv_pipe: 0
* About to connect() to <domain_name>.com port 443 (#0)
*   Trying
* Connected to omarsys.com ( port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_RSA_WITH_AES_128_CBC_SHA
* Server certificate:
* subject: CN=*.<domain_name>.com,OU=IT,O=acme Limited,L=Sliema,C=MT
* start date: Dec 06 00:00:00 2013 GMT
* expire date: Dec 11 12:00:00 2014 GMT
* common name: *.omarsys.com
* issuer: CN=DigiCert High Assurance CA-3,OU=www.digicert.com,O=DigiCert Inc,C=US

The server certificate section (the lines from "SSL connection using" down to "issuer:", marked in bold in the original) should state the details of the CA, the signing certificate and the encryption cipher.

The 12 Factor App

Quoted from 12factor.net, this is how an application infrastructure should be built - no exceptions to the rule!

I. Codebase

One codebase tracked in revision control, many deploys

II. Dependencies

Explicitly declare and isolate dependencies

III. Config

Store config in the environment

IV. Backing Services

Treat backing services as attached resources

V. Build, release, run

Strictly separate build and run stages

VI. Processes

Execute the app as one or more stateless processes

VII. Port binding

Export services via port binding

VIII. Concurrency

Scale out via the process model

IX. Disposability

Maximize robustness with fast startup and graceful shutdown

X. Dev/prod parity

Keep development, staging, and production as similar as possible

XI. Logs

Treat logs as event streams

XII. Admin processes

Run admin/management tasks as one-off processes

Thursday, July 17, 2014

If you can RTFM, we WANT YOU!

So yesterday I was tasked with putting up a job description for a devops engineer in our team. This is what I came up with, and to my surprise, even non-techies enjoyed it:

Monday, May 12, 2014

Easy way to confirm that CentOS is patched against Heartbleed

This post should have been posted earlier, but here it is anyway... If you run a CentOS box you'll notice that packages are not updated as regularly as on other distros like Ubuntu. However, since the Heartbleed vulnerability is pretty sick, the CentOS developers issued a patch. A simple yum update openssl should fix it. To confirm:
╭─james@darktech  ~
╰─$ for i in `seq 1 4`; do ssh root@tech-qa0$i "rpm -q --changelog openssl | grep CVE-2014-0160"; done

- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
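The grep above tells you a changelog entry mentions the CVE but not which package build carried the fix, and a box that prints nothing is easy to miss in a loop over four hosts. The following added example (not from the original post) parses `rpm -q --changelog` output into entries, reports the newest package version whose entry mentions each requested CVE, and summarizes a fleet; it generalizes the one-CVE check to any list of CVE ids. The changelog text and host names below are constructed to mimic the CentOS/RHEL changelog layout, not captured output, and the version strings are placeholders.

```python
"""Parse `rpm -q --changelog openssl` output to see which CVE fixes a box carries.

Added example, not from the original post. The changelog samples are
constructed to resemble the CentOS/RHEL format; versions are placeholders.
"""
import re
from typing import Dict, Iterable, Optional

# Entry header: "* <weekday> <month> <day> <year> <packager...> <version-release>"
_ENTRY_HEADER = re.compile(r"^\*\s+\S+\s+\S+\s+\d+\s+\d{4}\s+.*?\s(\S+)\s*$")
_CVE_ID = re.compile(r"CVE-\d{4}-\d{4,}")


def cve_fix_versions(changelog: str, cves: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map each CVE id to the newest package version whose changelog entry
    mentions it, or None when no entry does (rpm lists entries newest first)."""
    wanted: Dict[str, Optional[str]] = {c.upper(): None for c in cves}
    current_version: Optional[str] = None
    for line in changelog.splitlines():
        header = _ENTRY_HEADER.match(line)
        if header:
            current_version = header.group(1)  # last token of the header line
            continue
        for cve in _CVE_ID.findall(line):
            if cve in wanted and wanted[cve] is None:
                wanted[cve] = current_version
    return wanted


def fleet_status(outputs: Dict[str, str], cve: str) -> Dict[str, Optional[str]]:
    """Per host: the version that fixed `cve`, or None if the host is unpatched."""
    return {host: cve_fix_versions(text, [cve])[cve] for host, text in outputs.items()}


def unpatched_hosts(outputs: Dict[str, str], cve: str) -> list:
    """Hosts whose changelog never mentions the CVE, in input order."""
    return [host for host, version in fleet_status(outputs, cve).items() if version is None]


# Constructed sample output (format mimics CentOS/RHEL; versions are placeholders).
PATCHED_CHANGELOG = """* Tue Apr 08 2014 Example Packager <packager@example.invalid> 1.0.1e-16.el6_5.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension

* Wed Jan 08 2014 Example Packager <packager@example.invalid> 1.0.1e-16.el6_5.4
- rebuild against updated zlib
"""
UNPATCHED_CHANGELOG = """* Wed Jan 08 2014 Example Packager <packager@example.invalid> 1.0.1e-16.el6_5.4
- rebuild against updated zlib
"""
SAMPLE_FLEET = {
    "tech-qa01": PATCHED_CHANGELOG,
    "tech-qa02": PATCHED_CHANGELOG,
    "tech-qa03": UNPATCHED_CHANGELOG,  # the box the grep loop would silently skip
    "tech-qa04": PATCHED_CHANGELOG,
}

if __name__ == "__main__":
    for host, version in fleet_status(SAMPLE_FLEET, "CVE-2014-0160").items():
        print(host, "patched in " + version if version else "NOT PATCHED")
```

In practice you would collect each host's `rpm -q --changelog openssl` output (for example via the ssh loop in the post) into the dictionary instead of the constructed samples; note that a changelog entry only proves the package was built with the fix, so the running services still need a restart to pick up the new library.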

The Internet of Things

Today I stumbled across a concept which, although not new to me, I never realized was called that: The Internet of Things.
In a seminal 2009 article for the RFID Journal, "That 'Internet of Things' Thing", Kevin Ashton made the following assessment:
Today computers—and, therefore, the Internet—are almost wholly dependent on human beings for information. Nearly all of the roughly 50 petabytes (a petabyte is 1,024 terabytes) of data available on the Internet were first captured and created by human beings—by typing, pressing a record button, taking a digital picture, or scanning a bar code. Conventional diagrams of the Internet ... leave out the most numerous and important routers of all - people. The problem is, people have limited time, attention and accuracy—all of which means they are not very good at capturing data about things in the real world. And that's a big deal. We're physical, and so is our environment ... You can't eat bits, burn them to stay warm or put them in your gas tank. Ideas and information are important, but things matter much more. Yet today's information technology is so dependent on data originated by people that our computers know more about ideas than things. If we had computers that knew everything there was to know about things—using data they gathered without any help from us—we would be able to track and count everything, and greatly reduce waste, loss and cost. We would know when things needed replacing, repairing or recalling, and whether they were fresh or past their best. The Internet of Things has the potential to change the world, just as the Internet did. Maybe even more so.[21]
—Kevin Ashton, 'That 'Internet of Things' Thing', RFID Journal, July 22, 2009

Wednesday, April 30, 2014

Compiling FontForge 2 on CentOS 6

As a devops engineer I often get challenged by PHP developers to install cutting-edge (almost bleeding!) packages on a conservative and stable distro like CentOS. Recently I was asked to install grunt-webfont on one of the deployment servers, which runs CentOS 6.

This npm package requires FontForge 2, which is not available in the base repo of CentOS 6 (the current one is very outdated... dating to 2009!). Looking for prebuilt RPMs proved difficult, if not pointless, so I decided to take a shot at compiling from source. Since compiling FontForge 2 on Linux is a royal pain in the ass, I hope that this document will save you some time (read: hours!):

Install these packages with yum:

$ sudo yum install libtool libtool-ltdl libtool-ltdl-devel libuninameslist-devel libXt-devel xorg-x11-proto-devel gettext pango-devel cairo-devel freetype-devel libxml2 libxml2-devel libpng libpng-devel giflib-devel giflib libjpeg-turbo-devel libjpeg-turbo libtiff-devel libtiff libspiro-devel libspiro cairo

Install autoconf 2.69 from rpm:
$ wget ftp://ftp.pbone.net/mirror/ftp5.gwdg.de/pub/opensuse/repositories/home:/monkeyiq:/centos6updates/CentOS_CentOS-6/noarch/autoconf-2.69-12.2.noarch.rpm

$ sudo yum localinstall autoconf-2.69-12.2.noarch.rpm

Install the IPython module:
$ pip2.7 install ipython

Install bdwgc (it needs libatomic_ops, which is built first inside the bdwgc tree):
$ git clone https://github.com/ivmai/bdwgc/

$ pushd bdwgc

$ git clone https://github.com/ivmai/libatomic_ops/

$ pushd libatomic_ops && ./configure

$ make && sudo make install

$ popd

$ ./autogen.sh && ./configure

$ make && sudo make install

$ popd

Install FontForge 2:
$ git clone https://github.com/fontforge/fontforge.git

$ pushd fontforge && ./bootstrap

$ ./configure

$ make && sudo make install