Index:


System Administration

  • Creating a new cert using my CA

    I run my own personal CA so that I can issue certificates for internal and management services, such as Dell iDRAC web interfaces, web-connected terminal servers, internal Grafana and Prometheus, etc.

    Originally I used OpenSSL’s CA functionality, but I recently moved to Smallstep CA (step-ca) as it is much friendlier.

    This is not meant to be a comprehensive guide, but rather a quick reference for myself, so that I can copy and paste.

    Creating a certificate

    To create a certificate, use the `step ca certificate` subcommand. The positional arguments are the subject (here 192.0.2.1), then the files to write the certificate and the key to; any additional names go in `--san` flags. `--offline` works directly against the CA’s configuration and database instead of talking to the running CA, so it has to be run on the CA host with access to its config and keys:

    $ step ca certificate --offline --san localhost --san example.com 192.0.2.1 test.example.com.crt test.example.com.key
    

    Inspecting a certificate

    To inspect a certificate, use the `step certificate inspect` subcommand. `--short` prints the summary below; drop it to see the whole certificate, including the SAN list.

    The basic command:

    $ step certificate inspect --short test.example.com.crt                                                   
    X.509v3 TLS Certificate (ECDSA P-256) [Serial: 2898...3200]
      Subject:     127.0.0.1
      Issuer:      Kumari Intermediate CA
      Provisioner: warren@example.com [ID: Odw5...Aisg]
      Valid from:  2026-03-08T08:11:53Z
              to:  2036-03-05T08:12:53
    

    List issued certificates

    The `step` CLI does not have a subcommand for listing issued certificates; I use step-badger, which reads them straight out of the CA’s Badger database (so run it on the CA host, against the database directory configured in ca.json):

    $ step-badger x509Certs ~/.step/db
    Serial number                            Subject             Start                 Finish                Validity
    302993289828619663782218509723082042948  CN=text.kumari.net  2026-03-08T04:05:50Z  2026-03-09T04:06:50Z  Valid
    288747816944534935195190911414687768787  CN=text.kumari.net  2026-03-08T04:06:41Z  2026-03-09T04:07:41Z  Valid
    256594984883023829367820058718959011064  CN=text.kumari.net  2026-03-08T04:13:24Z  2026-03-09T04:14:24Z  Valid
    110820592971243850069853866489777680598  CN=text.kumari.net  2026-03-08T04:18:56Z  2026-03-09T04:19:56Z  Valid
    290518310107845670357853935107535723354  CN=text.kumari.net  2026-03-08T04:19:50Z  2026-03-09T04:20:50Z  Valid
    185857471328644270079771979276526259328  CN=text.kumari.net  2026-03-08T04:24:13Z  2036-03-05T04:25:13Z  Valid
    289868830197733569134057562717999143200  CN=127.0.0.1        2026-03-08T08:11:53Z  2036-03-05T08:12:53Z  Valid
    210934104339491430029165189931100840639  CN=127.0.0.1        2026-03-08T08:41:06Z  2036-03-05T08:42:06Z  Valid
    28982137696241536685507136660775104074   CN=127.0.0.1        2026-03-08T08:43:38Z  2036-03-05T08:44:38Z  Valid
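    The listing above contains both one-day and ten-year certificates. As an added example (not part of the page and not a Smallstep tool), here is a small audit over step-badger’s output that flags certificates issued for longer than a chosen lifetime, ones expiring within a warning window, and ones already expired. The table it reads is constructed to match the layout above, and it assumes subjects contain no spaces; for the real thing pipe the listing in, e.g. `step-badger x509Certs ~/.step/db | audit_cert_list 365 7 $(date +%F)`.

```sh
# Added example, not from the page or from Smallstep: audit a step-badger listing
# for certificates that live too long or are about to expire. Reads a table in the
# column layout step-badger prints (serial, subject, start, finish, validity) on
# stdin; assumes the subject contains no spaces.
# Usage: audit_cert_list MAX_LIFETIME_DAYS WARN_DAYS TODAY(YYYY-MM-DD) < listing

audit_cert_list() {
  awk -v max="$1" -v warn="$2" -v today="$3" '
    # Days since 1970-01-01 for a civil date (the days_from_civil algorithm), so the
    # arithmetic does not depend on GNU vs BSD date(1) flags.
    function days(y, m, d,    era, yoe, doy, doe) {
      if (m <= 2) y -= 1
      era = int((y >= 0 ? y : y - 399) / 400)
      yoe = y - era * 400
      doy = int((153 * (m + (m > 2 ? -3 : 9)) + 2) / 5) + d - 1
      doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
      return era * 146097 + doe - 719468
    }
    # "2026-03-08T04:05:50Z" or "2026-03-08" -> day number; time of day is ignored
    function day_of(ts) {
      return days(substr(ts, 1, 4) + 0, substr(ts, 6, 2) + 0, substr(ts, 9, 2) + 0)
    }
    NR == 1 || NF < 5 { next }               # header line and blank lines
    {
      life = day_of($4) - day_of($3)         # lifetime the cert was issued with
      left = day_of($4) - day_of(today)      # days until expiry, negative if expired
      ago = 0 - left
      flags = ""
      if (life > max)  flags = flags "LONG-LIVED(" life "d) "
      if (left < 0)    flags = flags "EXPIRED(" ago "d ago) "
      else if (left <= warn) flags = flags "EXPIRES-SOON(" left "d) "
      if (flags != "") print $1, $2, flags
    }'
}

# Constructed sample in the step-badger layout (serials shortened for readability).
SAMPLE_LIST='Serial number  Subject              Start                 Finish                Validity
1001           CN=grafana.internal  2026-03-08T04:05:50Z  2026-03-09T04:06:50Z  Valid
1002           CN=idrac.internal    2026-03-08T04:24:13Z  2036-03-05T04:25:13Z  Valid
1003           CN=old.internal      2025-01-01T00:00:00Z  2025-04-01T00:00:00Z  Expired'

# Flag anything issued for longer than a year, or expiring within a week of 2026-03-08.
printf '%s\n' "$SAMPLE_LIST" | audit_cert_list 365 7 2026-03-08
```

    The date arithmetic is done in awk rather than with date(1) because the GNU and BSD flags differ and this is exactly the kind of thing that gets run on both a Linux CA host and a Mac.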
    
  • Gitea admin tips and tricks…

    I recently started having issues with the Yubikey / security key that I use for Gitea, and was unable to log in.

    This explains how I fixed it.

    Connect to the database (stop Gitea and take a copy of gitea.db first, since this edits it by hand). I only have a single user, so I use the sqlite3 backend.

    $ sqlite3 gitea.db
    
    sqlite> select id from user where name='wkumari';
    sqlite> delete from u2f_registration where user_id=1;
    

    This still didn’t work, and then I noticed that the URL ended in ‘webauthn’ (u2f_registration is the table older Gitea versions used; current versions keep the keys in webauthn_credential), so I also did the following, using the id the select shows for my user:

    $ sqlite3 gitea.db
    
    sqlite> select * from webauthn_credential;
    sqlite> delete from webauthn_credential where id=2;
    

    Done! Note that this strips the second factor from the account entirely: until a new key is enrolled, logging in only needs the password, so enroll a replacement straight away.

  • Fixing fish shell reporting ‘fatal: not a git repository (or any of the parent directories): .git’

    For a long time I ran the fish shell, with the Oh My Fish framework and the Agnoster theme.

    I did this purely because I like the magic autocompletion, but never really liked the shell itself; fish has some very strong views on things like scripting, gratuitously different syntax, etc.

    E.g:

    echo $(PATH)
    fish: $(...) is not supported. In fish, please use '(PATH)'
    

    After a friend showed me the combination of zsh, Oh My Zsh and zsh-autosuggestions I moved to that, and am much, much happier.

    However, every now and then I still pick up and use a machine which I haven’t yet migrated. I recently did this and ran into the annoying error:

    
    ~ $
    fatal: not a git repository (or any of the parent directories): .git
     ~ $
    fatal: not a git repository (or any of the parent directories): .git
    

    This happens on every command, even just pressing enter, because the git call is part of building the prompt. I knew I’d run into this before, and that the root cause had filled me with rage, but it once again took some digging to find and fix.

    My fish prompt included:

    command git rev-parse --is-inside-work-tree ^/dev/null >/dev/null
    

    fish deprecated ^ as a redirection for stderr in 3.0, and later versions reject it, so I had to change this everywhere to 2>, like so:

    command git rev-parse --is-inside-work-tree 2>/dev/null >/dev/null
    

    So, next time I run into this, run the following (Oh My Fish keeps its themes under ~/.local/share/omf/, so check there too if the prompt code is not under ~/.config/fish/):

    grep -r '\^[/&]' ~/.config/fish/
    

    Or, better yet, get around to removing fish and adding zsh instead… 

  • Removing an IP address from fail2ban

    I use fail2ban to stop annoying things like ssh brute-force attacks, etc. This isn’t really to stop the attack, but rather to stop the attack traffic from filling up my logs.

    Sometimes I accidentally manage to get my own address blocked, or need to unblock a specific address.

    Step 1: Confirm that fail2ban really is what is blocking the address. If it is not in the jail’s banned list, the block is coming from somewhere else (another jail, or a firewall rule) and unbanning it here will not help:

    user> sudo fail2ban-client status sshd
    Status for the jail: sshd
    |- Filter
    | |- Currently failed: 0
    | |- Total failed: 3
    | `- File list: /var/log/auth.log
    `- Actions
    |- Currently banned: 1
    |- Total banned: 1
    `- Banned IP list: 192.0.2.1
    

    To remove the IP:

    user> sudo fail2ban-client set sshd unbanip 192.0.2.1

    To avoid banning yourself in the first place, list your own addresses in the ignoreip setting of the jail configuration (jail.local): fail2ban neither counts failures from, nor bans, addresses on that list.
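    As an added example (not from the page or from fail2ban itself), the check-then-unban steps above wrapped in shell functions, so that a script never runs unbanip for an address the jail does not actually hold. fail2ban-client is reached through a FAIL2BAN_CLIENT variable (my assumption; it defaults to "sudo fail2ban-client"), and the block ends by pointing it at a constructed stand-in that replays status output like the one above, so it can be exercised without fail2ban installed:

```sh
# Added example, not from the page or from fail2ban: confirm an address really is
# banned in a jail before unbanning it, and refuse to run the unban otherwise.
# FAIL2BAN_CLIENT lets you point at a stub for testing (assumption: the real command
# is "sudo fail2ban-client").

f2b() { ${FAIL2BAN_CLIENT:-sudo fail2ban-client} "$@"; }

# stdin: "fail2ban-client status <jail>" output; stdout: one banned IP per line
banned_ips() {
  sed -n 's/.*Banned IP list:[[:space:]]*//p' | tr ' ' '\n' | sed '/^$/d'
}

ip_is_banned() {   # $1 jail, $2 ip; exit 0 if the IP is in the jail's ban list
  f2b status "$1" | banned_ips | grep -qxF -- "$2"
}

unban_if_banned() {   # $1 jail, $2 ip
  if ip_is_banned "$1" "$2"; then
    f2b set "$1" unbanip "$2"
  else
    echo "$2 is not banned by jail $1; look elsewhere (other jails, firewall rules)" >&2
    return 1
  fi
}

# Constructed stand-in for fail2ban-client so the functions can be exercised offline.
fake_fail2ban_client() {
  case "$1 $2" in
    "status sshd")
      printf '%s\n' 'Status for the jail: sshd' '|- Filter' '| `- File list: /var/log/auth.log' \
        '`- Actions' '   |- Currently banned: 2' '   `- Banned IP list: 192.0.2.1 198.51.100.7' ;;
    "set sshd")
      echo "would run: fail2ban-client $*" ;;
    *)
      echo "unexpected call: $*" >&2; return 1 ;;
  esac
}

# Demo against the stub; leave FAIL2BAN_CLIENT unset to talk to the real fail2ban.
FAIL2BAN_CLIENT=fake_fail2ban_client
unban_if_banned sshd 192.0.2.1             # would run: fail2ban-client set sshd unbanip 192.0.2.1
unban_if_banned sshd 203.0.113.9 || true   # not banned: message on stderr, exit status 1
```

    For real use, drop the last three lines (or leave FAIL2BAN_CLIENT unset) and call `unban_if_banned sshd 192.0.2.1`.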
    
  • Performing remote Wireshark and tcpdump over SSH

    tcpdump can write its capture to standard output, and Wireshark can read a capture from standard input. SSH lets you run a command on a remote host and stream its output back.

    This allows one to perform a remote Wireshark capture quickly and easily; one of the nice uses for this is to perform captures from a Ubiquiti router. For example:

    ssh 192.168.0.1 'sudo tcpdump -f -i eth1 -w - port 53' | /Applications/Local/Wireshark.app/Contents/MacOS/Wireshark  -k -i -

    This ssh’s to my home router and starts tcpdump listening on interface eth1. It writes the output to STDOUT (‘-w -‘) and only captures port 53. This then streams to Wireshark on my local machine (-k is “start capturing immediately” and -i is the interface, in this case STDIN (-)). Two things to watch: tcpdump buffers its output when writing to a pipe, so add -U if you want packets to show up in Wireshark as they arrive rather than in bursts; and if the capture filter would match your own SSH session (it doesn’t here, since only port 53 is captured), exclude that port, or the capture traffic captures itself.
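    As an added example (not the page’s command, and not from tcpdump or Wireshark), a small wrapper around that pipeline that bakes in -U and the self-capture exclusion, and optionally keeps a copy of the pcap on disk with tee. It assumes the remote user can run sudo tcpdump without a password prompt and that a wireshark binary is on PATH (set WIRESHARK to the .app path above on macOS):

```sh
# Added example, not from the page: wrap the ssh | tcpdump | Wireshark pipeline with
# the options that make it behave when streamed over a pipe. Assumptions: the remote
# user can "sudo tcpdump" without a password prompt, and wireshark is on PATH
# (override with WIRESHARK=/path/to/wireshark).

# Build the remote command.
#   -U   flush each packet to stdout instead of buffering, so Wireshark updates live
#   -n   no reverse DNS lookups on the router
#   "not tcp port 22" keeps our own SSH session (which carries the capture) out of the
#   capture; otherwise every captured byte generates more SSH traffic to capture.
remote_tcpdump_cmd() {   # $1 interface, $2 capture filter (may be empty)
  filter="not tcp port 22"
  if [ -n "$2" ]; then filter="($2) and $filter"; fi
  printf "sudo tcpdump -U -n -i %s -w - '%s'" "$1" "$filter"
}

remote_capture() {   # $1 host, $2 interface, $3 filter, $4 optional file to keep a copy in
  cmd=$(remote_tcpdump_cmd "$2" "$3")
  if [ -n "$4" ]; then
    # tee keeps a pcap on disk; the stream starts with the pcap file header, so the copy is complete
    ssh "$1" "$cmd" | tee "$4" | "${WIRESHARK:-wireshark}" -k -i -
  else
    ssh "$1" "$cmd" | "${WIRESHARK:-wireshark}" -k -i -
  fi
}

# e.g.  remote_capture 192.168.0.1 eth1 'port 53' dns.pcap
remote_tcpdump_cmd eth1 'port 53'; echo
```

    The exclusion is on the TCP port the SSH session uses; change it if sshd listens elsewhere.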

  • Sync’ing a git / GitHub fork.

    I need to do this fairly frequently, and for some reason I can never remember the steps, so I’m writing it down!

    This isn’t news; it is lifted from the GitHub Configuring a remote for a fork and Syncing a fork pages.

    $ git remote add upstream https://github.com/ORIGINAL_OWNER/ORIGINAL_REPOSITORY.git

    $ git fetch upstream
    $ git checkout master
    $ git merge upstream/master

    Make your edits, etc. Push (this will push to your fork) and make a pull request. Next time you need to sync the fork, start at the ‘git fetch upstream‘ step; the upstream remote only needs adding once.
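    As an added example, not from the page or from GitHub’s documentation, the same steps as shell functions with one change: git merge --ff-only, so that if your fork’s master has commits of its own the sync fails instead of quietly creating a merge commit that later shows up in your pull request. It assumes you run it inside the clone of your fork and that the upstream URL is whatever GitHub shows for the original repository; the demo at the end builds two throwaway local repositories (constructed, nothing is fetched from GitHub) to show both the fast-forward and the refused case:

```sh
# Added example, not from the page or from GitHub's documentation: the fork-sync steps
# as shell functions, using --ff-only so that a diverged branch fails loudly instead of
# quietly creating a merge commit.
# Assumptions: you are inside the clone of your fork, and "upstream" names the original
# repository (the URL is whatever GitHub shows for it).

add_upstream() {   # $1 upstream URL; safe to call repeatedly
  git remote get-url upstream >/dev/null 2>&1 || git remote add upstream "$1"
}

sync_fork() {   # $1 branch (default master); non-zero exit if it cannot fast-forward
  br=${1:-master}
  git fetch upstream &&
  git checkout -q "$br" &&
  git merge --ff-only "upstream/$br"
}

# Constructed demo on throwaway repositories so nothing talks to GitHub: $1/original
# gets two commits, $1/fork is cloned in between and so lags by one.
make_repos() {
  g="git -c user.name=demo -c user.email=demo@example.com"
  $g init -q "$1/original" &&
  git -C "$1/original" symbolic-ref HEAD refs/heads/master &&
  echo one >"$1/original/file" && git -C "$1/original" add file &&
  $g -C "$1/original" commit -qm one &&
  git clone -q "$1/original" "$1/fork" 2>/dev/null &&
  echo two >>"$1/original/file" && $g -C "$1/original" commit -qam two
}

demo_sync() (   # the normal case: fork is behind, fast-forward succeeds
  tmp=$(mktemp -d) && make_repos "$tmp" && cd "$tmp/fork" &&
  add_upstream "$tmp/original" && sync_fork master >/dev/null 2>&1 &&
  [ "$(git rev-parse HEAD)" = "$(git -C "$tmp/original" rev-parse HEAD)" ]
)

demo_diverged() (   # a local commit on the fork: --ff-only refuses, nothing is merged
  tmp=$(mktemp -d) && make_repos "$tmp" && cd "$tmp/fork" &&
  echo mine >other && git add other &&
  git -c user.name=demo -c user.email=demo@example.com commit -qm mine &&
  add_upstream "$tmp/original" && ! sync_fork master >/dev/null 2>&1 &&
  [ "$(git rev-parse HEAD)" != "$(git -C "$tmp/original" rev-parse HEAD)" ]
)

demo_sync && demo_diverged && echo "sync_fork behaves as expected"
```

    When --ff-only refuses, rebase your local commits onto upstream/master (or merge deliberately) rather than letting the sync create a merge commit for you.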

  • Making Avocent KVM work under OS X.

    The promise of Java was “Write once, run anywhere” (WORA), or more aptly, “Write once, run everywhere” (WORE).

    Unfortunately, because Oracle, it is more “Write once, spend days beating head against the latest random platform changes, curse, poke at random things, eventually get it to kinda work.”

    There is a definite parallel with things made by the Sirius Cybernetics Corporation:

    “It is very easy to be blinded to the essential uselessness of them by the sense of achievement you get from getting them to work at all.

    In other words – and this is the rock solid principle on which the whole of the Corporation’s Galaxy-wide success is founded – their fundamental design flaws are completely hidden by their superficial design flaws.” — Douglas Adams

    Anyway, if you are still reading and determined to get your Avocent DSR1030 / DSR2030 / DSR4030 / DSR 8030 working under OS X, this worked for me (under the specific build of Java on the specific version of OS X, etc. YMMV):

    Edit: “/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/lib/security/java.security”

    Comment out:

    jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
    RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
    jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \
     EC keySize < 224, DES40_CBC, RC4_40, 3DES_EDE_CBC

    and insert:

    jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024, DSA keySize < 768, EC keySize < 224
    jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768, EC keySize < 224, DES40_CBC, RC4_40, 3DES_EDE_CBC

    Note that this does more than relax the DSA keySize parameter from 1024 bits to 768: the new lines also drop MD5 and SHA1 from jdk.certpath.disabledAlgorithms (so certificates signed with those hashes are accepted again), drop MD5withRSA from jdk.tls.disabledAlgorithms, and lower the minimum DH group from 1024 to 768 bits. None of that is good security practice, and it applies to everything this JRE runs, not just the KVM applet; I only use Java for this app, so I’ve decided it is a tradeoff I’m willing to make. In theory this could be scoped with a wrapper script (or possibly by handing in -D options on the CLI), but Java (and Avocent) have made me sufficiently annoyed that I’m not willing to spend more time on this.

  • Using AWK to generate a sum / add up all the numbers in a column

    This is another of those things I can never remember, so I’ve finally made myself a note!

    awk '{sum += $1} END {print sum}' authors.txt

    This will add up and print all of the numbers in the first column of authors.txt.

    sum starts out as 0 (awk treats an unset variable as 0 in arithmetic). For each row, the value of $1 is added to sum. At the end of the input (file / STDIN) we print the value of sum. Note that awk silently treats anything that does not look like a number as 0, so a header line or a stray ‘n/a’ in the column does not produce an error, it just contributes nothing to the total.
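    As an added example (not from the page), a version of that one-liner that deals with the failure mode awk hides: non-numeric values in the column are silently counted as 0. This one skips them and reports each on stderr with its line number, takes the column number as an argument, and exits non-zero when anything was skipped so a script can notice. The sample input is constructed:

```sh
# Added example, not from the page: sum a column the way the one-liner above does,
# but refuse silently-wrong answers. awk treats "n/a", "12abc" or an empty field as 0,
# so this version reports the rows it had to skip (with line numbers) on stderr and
# exits 2 if there were any.
# Usage: sum_column [N] < file    (N = column number, default 1)

sum_column() {
  awk -v col="${1:-1}" '
    # Accept optional sign, integers, decimals and exponents; anything else is skipped.
    NF < col || $col !~ /^[-+]?([0-9]+\.?[0-9]*|\.[0-9]+)([eE][-+]?[0-9]+)?$/ {
      printf "skipped line %d: %s\n", NR, $0 > "/dev/stderr"; skipped++; next
    }
    { sum += $col }
    END { printf "%s\n", sum + 0; if (skipped) exit 2 }'
}

# Constructed sample: commit counts per author, with a header line and a junk row.
SAMPLE='commits author
  17 alice
   4 bob
 n/a carol
  21 dave'

# Prints 42; the header and the n/a row are reported on stderr and the exit status is 2.
printf '%s\n' "$SAMPLE" | sum_column 1 || echo "exit $?: some rows were skipped" >&2
```

    The `sum + 0` in END makes empty input print 0 rather than an empty line, which is friendlier to whatever consumes the number next.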

  • Removing bullets from slides.com / reveal.js

    I often use reveal.js (or slides.com) to make presentations.

    I like to use bullets (unordered lists) to organize information, but often don’t want the circles. This can be accomplished using the CSS editor to style the bullets with the following:

    ul {
    list-style-type: none;
    }

    In order to apply this only to certain elements/text blocks, create a new target and set its Class Name to ‘nobullets’, then scope the rule to that class:

    .nobullets ul {
    list-style-type: none;
    }

  • Backing up a whole machine using Rsync, without root-login

    For easy cut-n-paste:

    rsync --stats -av --exclude={"/dev/*","/proc/*","/sys/*","/tmp/*","/run/*","/mnt/*","/media/*","/lost+found","*/.cache/*"} -e "ssh" --rsync-path="sudo rsync" wkumari@vimes.kumari.net:/ vimes_rsync

    The cute trick here is to call rsync as ‘sudo rsync’, which lets an unprivileged login read the whole filesystem. It needs a sudoers entry allowing that user to run rsync without a password, and that is effectively root for anyone holding the SSH key: rsync running as root can read or write any file. So restrict the sudoers line to the rsync binary (still root-equivalent, but at least it is only rsync), and lock the key down in authorized_keys with a command= restriction so it cannot be used for an interactive login. Also note that -a does not preserve hard links, ACLs or extended attributes; add -H, -A and -X if a restore has to bring those back.