:::: MENU ::::

Home

  • Jul 05 / 2017
  • 0
Linux

Generate self-generated SSL certificate (cert/key pair)

Here is a simple script with configuration file to generate a self-generated SSL certificate (cert/key pair).

First define a config file openssl.cnf containing the certificate informations:

[ req ]
default_bits = 2048
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no

[ req_dn ]
# country (2 letter code)
C=FR

# State or Province Name (full name)
ST=IdF

# Locality Name (eg. city)
L=Paris

# Organization (eg. company)
O=MyOrg

# Organizational Unit Name (eg. section)
OU=My SSL server

# Common Name (*.example.com is also possible)
CN=my.domain.com

# E-mail contact
[email protected]

[ cert_type ]
nsCertType = server

Then, create the bash script makessl.sh and configure your own parameters (directories, cert filename and validity duration):

#!/bin/sh

# Generates a self-signed certificate.
# Edit openssl.cnf before running this.

umask 077
OPENSSL=${OPENSSL-openssl}

# Define SSL directory
SSLDIR=${SSLDIR-/opt}
# Define SSL config file
OPENSSLCONFIG=${OPENSSLCONFIG-/opt/openssl.cnf}
# Define crt/key directories
CERTDIR=$SSLDIR/certs
KEYDIR=$SSLDIR/private
# Define crt/key file
CERTFILE=$CERTDIR/mynewssl.pem
KEYFILE=$KEYDIR/mynewssl.key
# Define validity duratin for the cert
DAYS=365

# Check that directories exist or create themt
if [ ! -d $CERTDIR ]; then
  mkdir -p $CERTDIR
fi
if [ ! -d $KEYDIR ]; then
  mkdir -p $KEYDIR
fi

# Check that the files do not exist or move them
if [ -f $CERTFILE ]; then
  mv $CERTFILE $CERTFILE.old
fi
if [ -f $KEYFILE ]; then
  mv $KEYFILE $KEYFILE.old
fi

# Generate crt/key files
$OPENSSL req -new -x509 -nodes -config $OPENSSLCONFIG -out $CERTFILE -keyout $KEYFILE -days $DAYS || exit 2
chmod 0600 $KEYFILE
echo
$OPENSSL x509 -subject -fingerprint -noout -in $CERTFILE || exit 2

Now, execute the bash script:

$ bash makessl.sh
Generating a 2048 bit RSA private key
...............+++
................................................................................+++
writing new private key to '/opt/private/mynewssl.key'
-----

subject= /C=FR/ST=IdF/L=Paris/O=MyOrg/OU=My SSL server/CN=my.domain.com/[email protected]
SHA1 Fingerprint=F0:B1:B3:DF:F9:4D:A0:97:4E:71:E0:7F:8E:DA:13:F9:D5:E8:AF:88

Let’s check your freshly created certificate and double check the information:

$ openssl x509 -in /opt/certs/mynewssl.pem -noout -dates -subject
notBefore=Jul  5 19:45:17 2017 GMT
notAfter=Jul  5 19:45:17 2018 GMT
subject= /C=FR/ST=IdF/L=Paris/O=MyOrg/OU=My SSL server/CN=my.domain.com/[email protected]
  • Jun 25 / 2017
  • 0
Linux

Check SSL certificate of an URL with openssl

You can get standard information about the certificate directly by opening a connection to a website:

openssl s_client -showcerts -connect python.org:443 </dev/null

Answer will be like:

CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = FR, ST = Paris, L = Paris, O = Gandi, CN = Gandi Standard SSL CA 2
verify return:1
depth=0 OU = Domain Control Validated, OU = Gandi Standard Wildcard SSL, CN = *.python.org
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.python.org
   i:/C=FR/ST=Paris/L=Paris/O=Gandi/CN=Gandi Standard SSL CA 2
-----BEGIN CERTIFICATE-----
MIIE9jCCA96gAwIBAgIQHln71qn2oJvHLSLy+zxhezANBgkqhkiG9w0BAQsFADBf
MQswCQYDVQQGEwJGUjEOMAwGA1UECBMFUGFyaXMxDjAMBgNVBAcTBVBhcmlzMQ4w
DAYDVQQKEwVHYW5kaTEgMB4GA1UEAxMXR2FuZGkgU3RhbmRhcmQgU1NMIENBIDIw
HhcNMTcwMjAyMDAwMDAwWhcNMjAwMjAyMjM1OTU5WjBgMSEwHwYDVQQLExhEb21h
aW4gQ29udHJvbCBWYWxpZGF0ZWQxJDAiBgNVBAsTG0dhbmRpIFN0YW5kYXJkIFdp
bGRjYXJkIFNTTDEVMBMGA1UEAwwMKi5weXRob24ub3JnMIIBIjANBgkqhkiG9w0B
AQEFAAOCAQ8AMIIBCgKCAQEAtQa3kv/HeLbcZb07lBvqM/etX3Cu3vLfvQ2fWQvC
46fAzdQ8eV3p/ZOkqLxaSWlgLATNDOyGBMZLsO1Tg/iEhAMoSa9XZMdax76DAPh1
fdRllDvJ6Z8Mi2BW3KiIEfXhMkFU6M8ROcrvQNh/D8GL8+s/8pgTsuWM5xqmV1ng
8fSE4mD6QdYFtw9T7DgSECLt12KDII01fJnbNWp488PDFt1UKJrPzEMUZ5/osjHE
vlbU1EKwLSKBQsFjMnYq/797VhA30P2LywWkHpZH/6ImGINR1R5legpb+NN5v8kv
9JXXqrwcs/6l63Y0PncedHn/pmbLW0cDaONC7Z/IpJkRLQIDAQABo4IBqzCCAacw
HwYDVR0jBBgwFoAUs5Cn2MmvTs1hPJ98rV1/Qf1pMOowHQYDVR0OBBYEFK1TlIvL
TxQ50kgLdmFfn2MQo8onMA4GA1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMB0G
A1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBLBgNVHSAERDBCMDYGCysGAQQB
sjEBAgIaMCcwJQYIKwYBBQUHAgEWGWh0dHBzOi8vY3BzLnVzZXJ0cnVzdC5jb20w
CAYGZ4EMAQIBMEEGA1UdHwQ6MDgwNqA0oDKGMGh0dHA6Ly9jcmwudXNlcnRydXN0
LmNvbS9HYW5kaVN0YW5kYXJkU1NMQ0EyLmNybDBzBggrBgEFBQcBAQRnMGUwPAYI
KwYBBQUHMAKGMGh0dHA6Ly9jcnQudXNlcnRydXN0LmNvbS9HYW5kaVN0YW5kYXJk
U1NMQ0EyLmNydDAlBggrBgEFBQcwAYYZaHR0cDovL29jc3AudXNlcnRydXN0LmNv
bTAjBgNVHREEHDAaggwqLnB5dGhvbi5vcmeCCnB5dGhvbi5vcmcwDQYJKoZIhvcN
AQELBQADggEBAIdLnn5Rk/RcaFP1zBsbuDTLJpRR1lsMNPjMTJ/mR+h12A8vU76Z
IjhHDTbSS4a/yBAFFyH+83Y/ykY9/FTlVZUwWmzZJA5/RqYoQNq7EXXNAsGp8jcg
KD51NWID4c/rn02uL3+rWUQRRR0+/cYdR4jZQswrd+gRMO5KVPhHnoUIbFQFQ0yS
WwqV8em1GIKHjYtaIuPEbc36elzL14BXN37b+0lWTJDFeeG/K0YNqrYxlCIDUn+3
etbaf0wYVeg5Nl6QGu0Na1F3XTScl+SdkZXfh1e9lIr2U+Pm/yoBNDL5R/HkliAg
ZzgFJZql5yymhSQuZEc7Qe6AvcB58QGvgPo=
-----END CERTIFICATE-----
 1 s:/C=FR/ST=Paris/L=Paris/O=Gandi/CN=Gandi Standard SSL CA 2
   i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
-----BEGIN CERTIFICATE-----
MIIF6TCCA9GgAwIBAgIQBeTcO5Q4qzuFl8umoZhQ4zANBgkqhkiG9w0BAQwFADCB
iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0pl
cnNleSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNV
BAMTJVVTRVJUcnVzdCBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTQw
OTEyMDAwMDAwWhcNMjQwOTExMjM1OTU5WjBfMQswCQYDVQQGEwJGUjEOMAwGA1UE
CBMFUGFyaXMxDjAMBgNVBAcTBVBhcmlzMQ4wDAYDVQQKEwVHYW5kaTEgMB4GA1UE
AxMXR2FuZGkgU3RhbmRhcmQgU1NMIENBIDIwggEiMA0GCSqGSIb3DQEBAQUAA4IB
DwAwggEKAoIBAQCUBC2meZV0/9UAPPWu2JSxKXzAjwsLibmCg5duNyj1ohrP0pIL
m6jTh5RzhBCf3DXLwi2SrCG5yzv8QMHBgyHwv/j2nPqcghDA0I5O5Q1MsJFckLSk
QFEW2uSEEi0FXKEfFxkkUap66uEHG4aNAXLy59SDIzme4OFMH2sio7QQZrDtgpbX
bmq08j+1QvzdirWrui0dOnWbMdw+naxb00ENbLAb9Tr1eeohovj0M1JLJC0epJmx
bUi8uBL+cnB89/sCdfSN3tbawKAyGlLfOGsuRTg/PwSWAP2h9KK71RfWJ3wbWFmV
XooS/ZyrgT5SKEhRhWvzkbKGPym1bgNi7tYFAgMBAAGjggF1MIIBcTAfBgNVHSME
GDAWgBRTeb9aqitKz1SA4dibwJ3ysgNmyzAdBgNVHQ4EFgQUs5Cn2MmvTs1hPJ98
rV1/Qf1pMOowDgYDVR0PAQH/BAQDAgGGMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYD
VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMCIGA1UdIAQbMBkwDQYLKwYBBAGy
MQECAhowCAYGZ4EMAQIBMFAGA1UdHwRJMEcwRaBDoEGGP2h0dHA6Ly9jcmwudXNl
cnRydXN0LmNvbS9VU0VSVHJ1c3RSU0FDZXJ0aWZpY2F0aW9uQXV0aG9yaXR5LmNy
bDB2BggrBgEFBQcBAQRqMGgwPwYIKwYBBQUHMAKGM2h0dHA6Ly9jcnQudXNlcnRy
dXN0LmNvbS9VU0VSVHJ1c3RSU0FBZGRUcnVzdENBLmNydDAlBggrBgEFBQcwAYYZ
aHR0cDovL29jc3AudXNlcnRydXN0LmNvbTANBgkqhkiG9w0BAQwFAAOCAgEAWGf9
crJq13xhlhl+2UNG0SZ9yFP6ZrBrLafTqlb3OojQO3LJUP33WbKqaPWMcwO7lWUX
zi8c3ZgTopHJ7qFAbjyY1lzzsiI8Le4bpOHeICQW8owRc5E69vrOJAKHypPstLbI
FhfFcvwnQPYT/pOmnVHvPCvYd1ebjGU6NSU2t7WKY28HJ5OxYI2A25bUeo8tqxyI
yW5+1mUfr13KFj8oRtygNeX56eXVlogMT8a3d2dIhCe2H7Bo26y/d7CQuKLJHDJd
ArolQ4FCR7vY4Y8MDEZf7kYzawMUgtN+zY+vkNaOJH1AQrRqahfGlZfh8jjNp+20
J0CT33KpuMZmYzc4ZCIwojvxuch7yPspOqsactIGEk72gtQjbz7Dk+XYtsDe3CMW
1hMwt6CaDixVBgBwAc/qOR2A24j3pSC4W/0xJmmPLQphgzpHphNULB7j7UTKvGof
KA5R2d4On3XNDgOVyvnFqSot/kGkoUeuDcL5OWYzSlvhhChZbH2UF3bkRYKtcCD9
0m9jqNf6oDP6N8v3smWe2lBvP+Sn845dWDKXcCMu5/3EFZucJ48y7RetWIExKREa
m9T8bJUox04FB6b9HbwZ4ui3uRGKLXASUoWNjDNKD/yZkuBjcNqllEdjB+dYxzFf
BT02Vf6Dsuimrdfp5gJ0iHRc2jTbkNJtUQoj1iM=
-----END CERTIFICATE-----
 2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
-----BEGIN CERTIFICATE-----
MIIFdzCCBF+gAwIBAgIQE+oocFv07O0MNmMJgGFDNjANBgkqhkiG9w0BAQwFADBv
MQswCQYDVQQGEwJTRTEUMBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFk
ZFRydXN0IEV4dGVybmFsIFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBF
eHRlcm5hbCBDQSBSb290MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFow
gYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpOZXcgSmVyc2V5MRQwEgYDVQQHEwtK
ZXJzZXkgQ2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBOZXR3b3JrMS4wLAYD
VQQDEyVVU0VSVHJ1c3QgUlNBIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIICIjAN
BgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAgBJlFzYOw9sIs9CsVw127c0n00yt
UINh4qogTQktZAnczomfzD2p7PbPwdzx07HWezcoEStH2jnGvDoZtF+mvX2do2NC
tnbyqTsrkfjib9DsFiCQCT7i6HTJGLSR1GJk23+jBvGIGGqQIjy8/hPwhxR79uQf
jtTkUcYRZ0YIUcuGFFQ/vDP+fmyc/xadGL1RjjWmp2bIcmfbIWax1Jt4A8BQOujM
8Ny8nkz+rwWWNR9XWrf/zvk9tyy29lTdyOcSOk2uTIq3XJq0tyA9yn8iNK5+O2hm
AUTnAU5GU5szYPeUvlM3kHND8zLDU+/bqv50TmnHa4xgk97Exwzf4TKuzJM7UXiV
Z4vuPVb+DNBpDxsP8yUmazNt925H+nND5X4OpWaxKXwyhGNVicQNwZNUMBkTrNN9
N6frXTpsNVzbQdcS2qlJC9/YgIoJk2KOtWbPJYjNhLixP6Q5D9kCnusSTJV882sF
qV4Wg8y4Z+LoE53MW4LTTLPtW//e5XOsIzstAL81VXQJSdhJWBp/kjbmUZIO8yZ9
HE0XvMnsQybQv0FfQKlERPSZ51eHnlAfV1SoPv10Yy+xUGUJ5lhCLkMaTLTwJUdZ
+gQek9QmRkpQgbLevni3/GcV4clXhB4PY9bpYrrWX1Uu6lzGKAgEJTm4Diup8kyX
HAc/DVL17e8vgg8CAwEAAaOB9DCB8TAfBgNVHSMEGDAWgBStvZh6NLQm9/rEJlTv
A73gJMtUGjAdBgNVHQ4EFgQUU3m/WqorSs9UgOHYm8Cd8rIDZsswDgYDVR0PAQH/
BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wEQYDVR0gBAowCDAGBgRVHSAAMEQGA1Ud
HwQ9MDswOaA3oDWGM2h0dHA6Ly9jcmwudXNlcnRydXN0LmNvbS9BZGRUcnVzdEV4
dGVybmFsQ0FSb290LmNybDA1BggrBgEFBQcBAQQpMCcwJQYIKwYBBQUHMAGGGWh0
dHA6Ly9vY3NwLnVzZXJ0cnVzdC5jb20wDQYJKoZIhvcNAQEMBQADggEBAJNl9jeD
lQ9ew4IcH9Z35zyKwKoJ8OkLJvHgwmp1ocd5yblSYMgpEg7wrQPWCcR23+WmgZWn
RtqCV6mVksW2jwMibDN3wXsyF24HzloUQToFJBv2FAY7qCUkDrvMKnXduXBBP3zQ
YzYhBx9G/2CkkeFnvN4ffhkUyWNnkepnB2u0j4vAbkN9w6GAbLIevFOFfdyQoaS8
Le9Gclc1Bb+7RrtubTeZtv8jkpHGbkD4jylW6l/VXxRTrPBPYer3IsynVgviuDQf
Jtl7GQVoP7o81DgGotPmjw7jtHFtQELFhLRAlSv0ZaBIefYdgWOWnU914Ph85I6p
0fKtirOMxyHNwu8=
-----END CERTIFICATE-----
---
Server certificate
subject=/OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.python.org
issuer=/C=FR/ST=Paris/L=Paris/O=Gandi/CN=Gandi Standard SSL CA 2
---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 4712 bytes and written 373 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: CA736CD734AA037795DE0BDCE046E201AD47343EB3E70F63F60BEC0E477F354E
    Session-ID-ctx:
    Master-Key: 72EC4ADFDFCC6DF2D2E7B086F39DB021891B2F5752D9DC8CFA8C86124085E6B223673C00B140553751654E030D39ADC0
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1497599739
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
DONE

But this is not giving you some interesting information like the expiration date for example! To work around that, you can simply redirect the output (certificate) to openssl and ask for some specific information:

openssl s_client -showcerts -connect python.org:443 </dev/null |openssl x509 -dates -text -noout

This time, output will be:

depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = FR, ST = Paris, L = Paris, O = Gandi, CN = Gandi Standard SSL CA 2
verify return:1
depth=0 OU = Domain Control Validated, OU = Gandi Standard Wildcard SSL, CN = *.python.org
verify return:1
DONE
notBefore=Feb  2 00:00:00 2017 GMT
notAfter=Feb  2 23:59:59 2020 GMT
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            1e:59:fb:d6:a9:f6:a0:9b:c7:2d:22:f2:fb:3c:61:7b
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=FR, ST=Paris, L=Paris, O=Gandi, CN=Gandi Standard SSL CA 2
        Validity
            Not Before: Feb  2 00:00:00 2017 GMT
            Not After : Feb  2 23:59:59 2020 GMT
        Subject: OU=Domain Control Validated, OU=Gandi Standard Wildcard SSL, CN=*.python.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b5:06:b7:92:ff:c7:78:b6:dc:65:bd:3b:94:1b:
                    ea:33:f7:ad:5f:70:ae:de:f2:df:bd:0d:9f:59:0b:
                    c2:e3:a7:c0:cd:d4:3c:79:5d:e9:fd:93:a4:a8:bc:
                    5a:49:69:60:2c:04:cd:0c:ec:86:04:c6:4b:b0:ed:
                    53:83:f8:84:84:03:28:49:af:57:64:c7:5a:c7:be:
                    83:00:f8:75:7d:d4:65:94:3b:c9:e9:9f:0c:8b:60:
                    56:dc:a8:88:11:f5:e1:32:41:54:e8:cf:11:39:ca:
                    ef:40:d8:7f:0f:c1:8b:f3:eb:3f:f2:98:13:b2:e5:
                    8c:e7:1a:a6:57:59:e0:f1:f4:84:e2:60:fa:41:d6:
                    05:b7:0f:53:ec:38:12:10:22:ed:d7:62:83:20:8d:
                    35:7c:99:db:35:6a:78:f3:c3:c3:16:dd:54:28:9a:
                    cf:cc:43:14:67:9f:e8:b2:31:c4:be:56:d4:d4:42:
                    b0:2d:22:81:42:c1:63:32:76:2a:ff:bf:7b:56:10:
                    37:d0:fd:8b:cb:05:a4:1e:96:47:ff:a2:26:18:83:
                    51:d5:1e:65:7a:0a:5b:f8:d3:79:bf:c9:2f:f4:95:
                    d7:aa:bc:1c:b3:fe:a5:eb:76:34:3e:77:1e:74:79:
                    ff:a6:66:cb:5b:47:03:68:e3:42:ed:9f:c8:a4:99:
                    11:2d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:B3:90:A7:D8:C9:AF:4E:CD:61:3C:9F:7C:AD:5D:7F:41:FD:69:30:EA

            X509v3 Subject Key Identifier:
                AD:53:94:8B:CB:4F:14:39:D2:48:0B:76:61:5F:9F:63:10:A3:CA:27
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.6449.1.2.2.26
                  CPS: https://cps.usertrust.com
                Policy: 2.23.140.1.2.1

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://crl.usertrust.com/GandiStandardSSLCA2.crl

            Authority Information Access:
                CA Issuers - URI:http://crt.usertrust.com/GandiStandardSSLCA2.crt
                OCSP - URI:http://ocsp.usertrust.com

            X509v3 Subject Alternative Name:
                DNS:*.python.org, DNS:python.org
    Signature Algorithm: sha256WithRSAEncryption
         87:4b:9e:7e:51:93:f4:5c:68:53:f5:cc:1b:1b:b8:34:cb:26:
         94:51:d6:5b:0c:34:f8:cc:4c:9f:e6:47:e8:75:d8:0f:2f:53:
         be:99:22:38:47:0d:36:d2:4b:86:bf:c8:10:05:17:21:fe:f3:
         76:3f:ca:46:3d:fc:54:e5:55:95:30:5a:6c:d9:24:0e:7f:46:
         a6:28:40:da:bb:11:75:cd:02:c1:a9:f2:37:20:28:3e:75:35:
         62:03:e1:cf:eb:9f:4d:ae:2f:7f:ab:59:44:11:45:1d:3e:fd:
         c6:1d:47:88:d9:42:cc:2b:77:e8:11:30:ee:4a:54:f8:47:9e:
         85:08:6c:54:05:43:4c:92:5b:0a:95:f1:e9:b5:18:82:87:8d:
         8b:5a:22:e3:c4:6d:cd:fa:7a:5c:cb:d7:80:57:37:7e:db:fb:
         49:56:4c:90:c5:79:e1:bf:2b:46:0d:aa:b6:31:94:22:03:52:
         7f:b7:7a:d6:da:7f:4c:18:55:e8:39:36:5e:90:1a:ed:0d:6b:
         51:77:5d:34:9c:97:e4:9d:91:95:df:87:57:bd:94:8a:f6:53:
         e3:e6:ff:2a:01:34:32:f9:47:f1:e4:96:20:20:67:38:05:25:
         9a:a5:e7:2c:a6:85:24:2e:64:47:3b:41:ee:80:bd:c0:79:f1:
         01:af:80:fa
  • Jun 14 / 2017
  • 0
Linux

Change ownership (chown) on a symbolic link

You already probably noticed that if you want to update the ownership of a symbolic link on any UNIX system, a simple chown won’t do the job.

Indeed, let’s suppose you have this:

8 lrwxr-xr-x   1 user1            group1         4 Jun 13 23:46 link -> test 
8 -rw-r--r--   1 user1            group1         6 Jun 13 23:54 test

If you’re doing a simple chown:

chown user2:group2 link

You can see that it changes the ownership on the target file and not on the symbolic link:

8 lrwxr-xr-x   1 user1            group1         4 Jun 13 23:46 link -> test 
8 -rw-r--r--   1 user2            group2         6 Jun 13 23:54 test

If you want to update the symbolic link, you need to use the -h or –no-dereference option to apply the changes on the symbolic link and not on the target:

chown -h user2:group2 link

Then, you can see that it’s now updated:

8 lrwxr-xr-x   1 user2            group2         4 Jun 13 23:46 link -> test 
8 -rw-r--r--   1 user2            group2         6 Jun 13 23:54 test
  • May 30 / 2017
  • 0
Linux, Python

DNS queries from a file/list to CSV

It’s not easy to perform bulk DNS resolution when you have many DNS/IPs to control. Here is a simple script allowing you to perform DNS resolution over a list of DNS entries or IPs.

Here is a list of DNS (names and IPs) that we put in a file called listDNS.txt

www.python.org
www.pyython.org
208.67.220.220
www.bing.com

Let’s copy that script that will do the job in a file called resolverDNS.sh

#!/bin/bash
# Script file - resolverDNS.sh
# Checking existence of arg
if [ "$1" == "" ]
then
  # Display help if wrong usage
  echo "Usage: /bin/bash resolverDNS.sh /path/to/file"
  exit 35
else 
  # Loop over dns and resolve
  while IFS='' read -r line || [[ -n "$line" ]]; do
    dns=''
    # Resolve reverse DNS
    if [[ $line =~ ^[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}$ ]]; then
      dns=`dig +noall +answer -x $line +short|tr 'n' ' '`
    # Resolve A record
    else
      dns=`dig a $line +short|tr 'n' ' '`
    fi
    echo -e "$linetis resolving intot${dns}"
  done < "$1"
fi

And now, execute it by passing file path as an arg, and see the output:

$ bash /home/user/resolverDNS.sh /home/user/listDNS.txt 
www.python.org	is resolving into	python.map.fastly.net. 151.101.60.223 
www.pyython.org	is resolving into	
208.67.220.220	is resolving into	resolver2.opendns.com. 
www.bing.com	is resolving into	www-bing-com.a-0001.a-msedge.net. a-0001.a-msedge.net. 204.79.197.200 13.107.21.200 

Resolution are done for every line, depending on if it’s an IP or a name (and remain empty if it can’t resolve).
Feel free to adjust the script according to your needs!

  • May 15 / 2017
  • 0
Linux

Remove list of mail addresses from postfix queue

There is no easy way to remove a list of mails in queue with a same sender or domain in Postfix. But you can use some standard commands to get this working.

First check the list of mails you want to remove with something like

postqueue -p |grep -e '[email protected]|[email protected]|[email protected]' -B2 |grep "^[A-Z0-9]"

You’re getting the list of mails that you will remove with the sender

FC0177DF1A0     8373 Thu May  6 11:24:56  [email protected]
F179A2C68AB     9469 Sun May  7 03:21:41  [email protected]
EAE217FB850    11049 Sat May  8 04:20:32  [email protected]

And now you can remove those mails from the queue by using postsuper -d

postqueue -p |grep -e '[email protected]|[email protected]|[email protected]' -B2 |grep "^[A-Z0-9]{10}" |cut -d" " -f1 |postsuper -d -

You will see the mails being removed

postsuper: FC0177DF1A0: removed
postsuper: F179A2C68AB: removed
postsuper: EAE217FB850: removed
postsuper: Deleted: 3 messages
  • May 04 / 2017
  • 0
Linux

Reduce partition size on EXT filesystems on Linux

It is possible to modify a partition size on EXT filesystem thanks to some few commands.

We will take here a simple example:

  • We have a /dev/sda5 partition mounted on /home
  • Its size is currently 150G and we want to reduce it to 100G

Let’s check the current config (mounting point and size):

Filesystem      Size  Used Avail Use% Mounted on
/dev/sda1        28G  3.3G   23G   8% /
/dev/sda2       477M  112M  341M  25% /boot
/dev/sda3       4.7G   12M  4.5G   1% /tmp
/dev/sda4        32G  470M   30G   2% /var
/dev/sda5       148G   87M  140G   1% /home

We need to first unmount the partition:

# umount /dev/sda5

If you can’t unmount it, double check what process is using it with the lsof command:

# lsof /home

Then proceed with a check with e2fsck command and resize the partition with resize2fs by defining the new size (M for Megabytes, G for Gigabytes, and so on…)

# e2fsck -f /dev/sda5
# resize2fs /dev/sda5 100G

Mount your partition back to your system:

# mount /home

And check again your partition sizes :

Filesystem      Size  Used Avail Use% Mounted on
/dev/sda1        28G  3.3G   23G   8% /
/dev/sda2       477M  112M  341M  25% /boot
/dev/sda3       4.7G   12M  4.5G   1% /tmp
/dev/sda4        32G  470M   30G   2% /var
/dev/sda5        99G   87M   94G   1% /home

We can see that the partition /home has now a size of 100G as expected!

Pages:1234567...18
Question ? Contact