Cfssl Cheatsheet


Generate new Server Certificates

  • Generate CSR, certificate and private key for fqdn:

    fqdn=host.domain.tld
    cfssl gencert -ca intermediate/intermediate_ca.pem \
      -ca-key intermediate/intermediate_ca-key.pem \
      -config config.json \
      -profile server certificates/${fqdn}.json | cfssljson -bare certificates/${fqdn}

  • Generate chain (leaf certificate first, then the issuing intermediate)

    cat certificates/${fqdn}.pem intermediate/intermediate_ca.pem > certificates/${fqdn}-full.pem

  • Generate PKCS#12

    # -chain builds the full chain from -CAfile, so that file must contain the
    # intermediate and root certificates; openssl prompts for the export password
    openssl pkcs12 -export \
      -in certificates/${fqdn}.pem \
      -inkey certificates/${fqdn}-key.pem \
      -out certificates/${fqdn}.p12 \
      -name ${fqdn} \
      -CAfile brank.pem \
      -chain

  • Convert to Java Keystore

    # -srcstorepass is the export password chosen above; the alias must match
    # the -name given to openssl pkcs12
    keytool -importkeystore \
      -deststorepass changeit \
      -destkeypass changeit \
      -destkeystore foo.keystore \
      -srckeystore certificates/${fqdn}.p12 \
      -srcstoretype PKCS12 \
      -srcstorepass password \
      -alias ${fqdn}

  • Cleaning up

    unset fqdn

Renew expired intermediate CA certificate

  • New CSR (reuses the existing intermediate key, so server certificates it already signed stay valid as long as the subject in intermediate-ca.json is unchanged)

    cfssl gencsr -key intermediate/intermediate_ca-key.pem \
      intermediate/intermediate-ca.json |\
      cfssljson -bare intermediate/intermediate_ca

  • Sign CSR

    cfssl sign -ca root/ca.pem \
      -ca-key root/ca-key.pem \
      -config config.json \
      -profile intermediate_ca \
      intermediate/intermediate_ca.csr |\
      cfssljson -bare /tmp/intermediate_ca
    # the new certificate is written to /tmp/intermediate_ca.pem; move it over
    # intermediate/intermediate_ca.pem before recreating the chains

  • Recreate chain (repeat for every server certificate issued by this intermediate)

    fqdn=relayd.rand.clacks.xyz
    cat certificates/${fqdn}.pem intermediate/intermediate_ca.pem > certificates/${fqdn}-full.pem

  • Cleanup environment

    unset fqdn
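The renewal above works because cfssl gencsr -key reuses the intermediate's key: server certificates it already signed stay valid and only the chain files need rebuilding. The following is an added example, not part of the cheatsheet, that reproduces this with Go's crypto/x509 (the library cfssl is built on): a constructed Ed25519 hierarchy is built in memory, and one server certificate is verified first with the expired intermediate in the chain, then with the certificate re-issued for the same key. The function names, the 3-year NotBefore and the key usages are this example's own choices, not cfssl's.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// tmpl builds a constructed template valid from now-3y to now+lifetime; ku with certSign makes it a CA.
func tmpl(cn string, ku x509.KeyUsage, lifetime time.Duration) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-3 * 365 * 24 * time.Hour), NotAfter: time.Now().Add(lifetime), KeyUsage: ku,
		IsCA: ku&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true, DNSNames: []string{cn},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
}

// issue signs t with the parent's key, the equivalent of `cfssl sign -ca ... -ca-key ...`.
func issue(t, parent *x509.Certificate, pub ed25519.PublicKey, signer ed25519.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // DER just produced by CreateCertificate always parses
	return c
}

// verify checks leaf as a TLS client would: the chain file's intermediate plus a trusted root.
func verify(leaf, inter, root *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: leaf.DNSNames[0]})
	return err
}

// RenewalDemo verifies one unchanged server cert with the expired intermediate (oldChain), then with the same key's re-issued cert (newChain).
func RenewalDemo() (oldChain, newChain error) {
	rootPub, rootKey, _ := ed25519.GenerateKey(rand.Reader)
	interPub, interKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	rootT := tmpl("Root CA", x509.KeyUsageCertSign, 10*365*24*time.Hour)
	root := issue(rootT, rootT, rootPub, rootKey) // self-signed trust anchor
	expired := issue(tmpl("Intermediate CA", x509.KeyUsageCertSign, -24*time.Hour), root, interPub, rootKey)
	leaf := issue(tmpl("host.domain.tld", x509.KeyUsageDigitalSignature, 365*24*time.Hour), expired, leafPub, interKey)
	renewed := issue(tmpl("Intermediate CA", x509.KeyUsageCertSign, 365*24*time.Hour), root, interPub, rootKey)
	return verify(leaf, expired, root), verify(leaf, renewed, root)
}
```

oldChain is a verification error (the intermediate has expired) while newChain is nil, which is why the steps above only rebuild the chain files instead of re-issuing every server certificate.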

Renew expired server certificate

  • Set variable to make our life easier

    fqdn=host.domain.tld

  • New CSR

    cfssl gencsr -key certificates/${fqdn}-key.pem \
      certificates/${fqdn}.json |\
      cfssljson -bare certificates/${fqdn}

  • Sign CSR

    cfssl sign -ca intermediate/intermediate_ca.pem \
      -ca-key intermediate/intermediate_ca-key.pem \
      -config config.json \
      -profile server \
      certificates/${fqdn}.csr |\
      cfssljson -bare certificates/${fqdn}

  • Recreate chain

    cat certificates/${fqdn}.pem intermediate/intermediate_ca.pem > certificates/${ …

Remote Work and Meeting Culture


I am really glad about the paradigm shift the pandemic brought into my workplace with regard to remote work. Being able to stay at home 80% of my time is something I grew to be fond of, and it helped a lot in overcoming some personally challenging situations during the pandemic. I really enjoy the benefits and having the possibility to adjust my space to my needs, which really helps to bring me into the flow more often, which is beneficial for both me and my employer.

Sure, there are distractions you will never have at the office. But it’s also easier to structure your work around your personal life and still deliver, as it gives you greater flexibility. There’s also no denying that remote working fuels my self-exploitation more than being on prem, as it’s easier to just spin up the machine and start to work on stuff e.g. later in the evening, but overall, for me personally, the benefits for both me and my employer outweigh the problems. With one notable exception that I absolutely dislike about remote working, and that’s meetings. Not necessarily the meetings themselves but how people in online meetings attend them in a fashion that seems to be more and more common: inattentive to a point where said attendees are almost phased out of the meeting. I have witnessed more than one meeting in which everybody was leaving but one who apparently did not realize that the meeting had concluded.

Signs of this are attendees who do not really attend the meeting but instead go on and work on different things, accept a phone call, read their e-mails or the newest messages in the chat. Obviously they feel like the meeting is a waste of their time, but it’s definitely wasted time for others who are e.g. waiting for a response from someone who’s just not paying attention. And most likely it really is wasted time for both of them. This is not something that’s novel or unique to online meetings. You can observe it in presence meetings, …

Migrated blog to Hugo


A while ago I decided to ditch my Windows machine at home as I never really felt at home with the way Windows made me handle the system and the overall 'ergonomics' of the OS. Sure, things got better with the introduction of PowerShell, winget and the Microsoft Terminal, but still I always felt like working against the OS and not with it, and most of the time I was using my Huawei Matebook running OpenBSD. But more and more often I needed a commercial OS, especially due to the pandemic going on.

Having had fond enough memories of macOS from my time at one of my last employers, I decided to treat myself to a new M1 based MacBook, and it’s now been months and frankly, I loved almost every moment of it. Especially running macOS alongside nixpkgs is something that I really enjoy.

But with the move I lost the tools I used to generate the static pages for my blog, as they are not readily available as a nixpkg, and as my whole blog thingy was very makeshifty I finally decided to jump boat and convert my blog over to hugo. The conversion has been pretty straightforward, easy and enjoyable so far. Despite a steep learning curve, at least for me it was. But after getting more and more into the flow of how stuff works with hugo, things started to become easier and the pieces of the puzzle fell more and more into their place.

Funnily enough, the structure I created for running my old blog with sblg and a bunch of shell scripts really helped me make the switch and really eased my way into converting the blog into hugo’s go templating, and no kidding, hugo really is blazing fast: having hugo -D server running in a shell and manipulating files or working on a new blog post is instantaneous. The amazing speed makes the whole process easy and provides a fantastically low bar for getting back into blogging!

So if you are on the lookout for a static site generator give hugo a chance 😀.

Introducing lladdr.info


At my day job I often have to resolve a MAC address to a vendor. For a while I had been using https://hwaddr.com but always had 2 gripes with the service they provide:

  1. too many advertisements
  2. can’t use it from the CLI

so I decided to embark on a journey to create my own site to give me a clutter-free service that I can also facilitate from the CLI, and thus lladdr.info was born. As I am not too much of a fan of python and gunicorn I decided to try something new and used the project as a vessel to learn some go. Killing two birds with one stone.

So now I can check my MAC addresses quickly via CLI and my browser:

Source can be found here

CAVEAT

OUI will only be fetched at service start and not refreshed during the lifetime of the process. Not really mobile friendly at the moment.

Labelling cables


There was a discussion lately at my workplace about how to label cables. Currently our cables at the datacenter sadly haven’t been labelled by the previous staff which makes tracing them a nightmare as cables tend to span multiple racks.

So I went ahead and proposed some types of labels I came across in my career so far, one of which I’d like to write about here: label each cable at both ends with a word that’s unique across all our sites. Why a word and not a number like e.g. ANSI/TIA 606-C promotes? We deal a lot with 3rd party and non-IT remote hands, and I found words to be more robust than numbers against spelling errors.

Imagine e.g. that you need to find cable 123080. There’s the risk that an introduced spelling error might lead to the wrong cable being decommissioned. Just imagine a snafu and you misspelled the number in any of the following places:

  • while writing the ticket for the remote hands
  • while printing the actual label
  • while documenting the cable’s current connection
  • you grabbed the wrong cable with a similar number back then after a long and exhausting day at work not spotting the error

There is literally no chance for anybody to recognize if 123080 really is the cable number we are searching or if it really should be e.g. 132080. Using words really helps in that regard as it addresses the following points:

  • typos can be easily recognized and fixed by humans, sometimes even silently
  • grabbing the wrong label can be easily recognized (wait, this is bert but I was supposed to install hugo!)

Cables will be connected to the chosen word for the rest of their lifetime, no matter where the cable will be repurposed. This reduces the amount of labels you actually need to print, and moving a cable does not require issuing new labels, which comes in especially handy on our remote sites where we can’t expect a 3rd party to have a label printer ready to issue new labels which are unique to our company. This leaves us with one …