i summon one kim - Kimmo Suominen

i summon one kim
» Page 3

» Patch for HTTP Request Smuggling (19.1.20 9:52 / 19.1.20 9:52) by Kimmo Suominen: I added a patch to www/nginx from an upstream commit to address CVE-2019-20372. Version 1.16.1nb2 includes the patch. [pkgsrc, security]

» Cherry-picked patches for ncurses (11.1.20 4:49 / 19.1.20 9:52) by Kimmo Suominen: In order to reduce the number of vulnerabilities on my systems, I added some patches to devel/ncurses (and devel/ncursesw) to address CVE-2018-19211, CVE-2019-17594, and CVE-2019-17595. Version 6.1nb7 includes the patches. [pkgsrc, security]

» Restored correct psify source (7.1.20 16:12 / 11.1.20 4:40) by Kimmo Suominen: I have restored fetching of correct upstream files for print/psify. Looks like we pointed to the wrong files for 13 years. [pkgsrc]

» Updated rsnapshot (7.1.20 14:53 / 11.1.20 4:34) by Kimmo Suominen: I updated sysutils/rsnapshot to 1.4.3 in another long-overdue commit (notable changes). [pkgsrc]

» Updated tcptraceroute6 (7.1.20 14:14 / 11.1.20 4:26) by Kimmo Suominen: I updated net/tcptraceroute6 to 1.0.4 to incorporate portability fixes from upstream. [pkgsrc]

» Remind release detected (7.1.20 13:34 / 31.5.20 10:39) by Kimmo Suominen: New releases of Remind have been coming out again, so I’ve updated time/remind to version 3.2.0. (more…) [pkgsrc]

» Update Cisco MIB files (5.1.20 21:04 / 11.1.20 4:08) by Kimmo Suominen: I committed a long overdue update for net/cisco-mibs to version 20170101, which appears to be the latest currently available. A good number of additional MIB files are now included. [pkgsrc]

1.1.20

Addressing failed setrlimit calls in sudo

Written in the mid-afternoon in English • Tags: pkgsrc, software

After installing sudo 1.8.29 from pkgsrc (security/sudo) I started frequently seeing this warning message:

sudo: setrlimit(3): Invalid argument

It took a few rounds, but eventually I applied an acceptable patch for the pkgsrc-2019Q4 release. Later an upstream workaround was committed and included in the sudo 1.8.30 release. (more…)

» Trusting the Proxmox CA (26.12.19 15:39 / 26.12.19 15:41) by Kimmo Suominen: The Proxmox wiki has instructions for importing the CA certificate. Instead of following the OS X instructions to the letter and importing the host certificate of each cluster node, just import the pve-root-ca.pem file in Keychain Access (File > Import Items), then open the item and mark it trusted (e.g. Always trust). [Proxmox, software]

26.12.19

Regenerating Proxmox certificates

Written early in the afternoon in English • Tags: Proxmox, software

The new requirements for trusted certificates on macOS Catalina and iOS 13 blocked me from accessing the web UI on Proxmox installations (NET::ERR_CERT_REVOKED). Fresh installations would work, as Proxmox has been updated to generate “better” certificates. Existing installations, unfortunately, are not automatically fixed on upgrading to Proxmox 6.

Certificate management on Proxmox is handled with pvenode(1) — except when it isn’t. There is no functionality there for regenerating the self-signed certificates. An older wiki page for HTTPS certificate configuration provided some useful hints: pvecm(1) has an updatecerts command. It won’t, however, regenerate existing (unexpired) certificates.

Against the warnings on the Certificate mangement page I thought I’d try removing the apparently relevant files manually:

cd /etc/pve
rm pve-root-ca.pem priv/pve-root-ca.key nodes/*/pve-ssl.{key,pem}

Then I regenerated the certificates and restarted pveproxy(8) on each node:

pvecm updatecerts --force
systemctl restart pveproxy

Refreshing the page in the browser restores access to the web UI.

« Previous Page

Copyright © 2019–2022 Kimmo Suominen. All rights reserved.