Category: Mini How-Tos


How to Encrypt SSL Certificate Private Keys from the Command Line With OpenSSL

In this mini how-to, I show you how to encrypt SSL certificate private keys from the command line using OpenSSL.

Why would you want to encrypt an SSL certificate private key? If you found this how-to through a Google search, chances are you already know why and just want the command syntax. Nevertheless, I’ll briefly explain why you should encrypt your private keys, and then I’ll provide the command.
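As an added example that is not part of the original post, here is a small POSIX shell script that encrypts an existing unencrypted PEM private key with AES-256 and checks the result. The file names and the passphrase are placeholders; it uses openssl pkey, which handles RSA and EC keys alike, and hands the passphrase to OpenSSL through an environment variable instead of putting it on the command line.

```shell
#!/bin/sh
# Added example (not from the original post): encrypt an unencrypted PEM private
# key with AES-256 using OpenSSL, then verify the result.
# Assumptions: openssl is on PATH; paths and passphrases below are placeholders.
set -eu

# encrypt_key IN OUT PASSPHRASE
# Writes an AES-256-encrypted copy of IN to OUT. The passphrase reaches openssl
# via -passout env:KEYPASS rather than "pass:<secret>", so it does not appear in
# `ps` output or in the shell history. Omit -passout entirely to be prompted.
encrypt_key() {
  in=$1; out=$2; pass=$3
  KEYPASS=$pass openssl pkey -in "$in" -aes256 -passout env:KEYPASS -out "$out"
  chmod 600 "$out"   # the encrypted copy is still sensitive: owner-only access
}

# key_is_encrypted FILE -> exit 0 if FILE is an encrypted PEM, 1 otherwise.
# Traditional PEM marks this with "Proc-Type: 4,ENCRYPTED"; PKCS#8 PEM uses the
# "BEGIN ENCRYPTED PRIVATE KEY" header. Both contain the word ENCRYPTED.
key_is_encrypted() {
  grep -q 'ENCRYPTED' "$1"
}

# key_unlocks FILE PASSPHRASE -> exit 0 only if PASSPHRASE decrypts FILE.
# Useful as a post-check that the key was written with the passphrase you think.
key_unlocks() {
  KEYPASS=$2 openssl pkey -in "$1" -passin env:KEYPASS -noout >/dev/null 2>&1
}
```

Typical use is encrypt_key server.key server.key.enc "$PASSPHRASE" followed by key_unlocks server.key.enc "$PASSPHRASE" before the plaintext key is shredded. Keep in mind that a server using the encrypted key will need the passphrase at startup, so plan how it is supplied.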





How to Clear the ARP Cache

In this story, I show you how to clear a stale entry from an upstream router’s Address Resolution Protocol cache (ARP cache). This story is based largely on a post I made to the pfSense forums back in December 2010.

Recently I swapped out an internet router that was in production and replaced it with a router of the same make and model, with the exact same configuration. Both routers were running pfSense 2. The only difference was that the WAN network interface adapter had a different MAC address.

In addition to one physical IP address, the WAN interface also had multiple virtual IP addresses (e.g. CARP and Proxy ARP addresses) bound to it. After the swap, the replacement router did not receive any packets whose destination IP was a virtual IP. For example, pings from the internet to any virtual IP address went unanswered, while pings to the physical IP address were answered.

I was pulling my hair out, thinking that I misconfigured something on the replacement router because we’ve done similar router swaps in the past and never had problems with virtual IP addresses.

After several hours, the ISP’s ARP cache entries finally expired and the replacement router was again receiving packets destined for its virtual IP addresses.

After searching the pfSense forums, I found the post Virtual IP Proxy Arp Not Working, which was very helpful. In the post, Jimp suggested using the command arping -S. The original poster said that arping -S did not work for him. However, it did work for me.

In my case, I had to add the -i switch to specify which interface the ARP packets should be sent out of. Specifically, here is the syntax that worked for me and forced my ISP’s ARP cache to be updated immediately:

arping -i <interface name> -S <virtual IP address that I want cleared from arp cache> <IP address of ISP’s gateway>

For example:

arping -i sis2 -S 192.168.1.50 192.168.1.1

I’m not sure if the -S switch causes a “gratuitous” ARP packet to be sent out or if something else is happening under the hood. There is a good discussion of this here (scroll down to the “ARP Cache” section). If you’re curious, version 2.09 of the arping package in pfSense version 2.0-BETA4 appears to be Thomas Habets’ arping and not Alexey Kuznetsov’s arping. If you were using Alexey Kuznetsov’s arping, I think the magic switch for gratuitous ARP is -U.

In my case, my virtual IPs were CARP VIPs. However, I would imagine arping -S would probably also work with Proxy ARP VIPs.

Physical IPs (i.e. real interface IPs, not virtual IPs) seem to get refreshed in the ISP’s ARP cache immediately without using arping -S. You might have to reboot, or it might be enough just to bring the interface up; I can’t remember what I did in my case.
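The post shows the command for a single virtual IP. As an added example that is not part of the original post, the POSIX shell script below does the same for every alias address on an interface: it pulls the IPv4 addresses out of BSD-style ifconfig output, treats all but the first as virtual IPs, and runs Thomas Habets’ arping against the gateway for each one. The interface name, gateway and the sample ifconfig text are constructed placeholders, and a DRY_RUN switch prints the commands instead of sending anything.

```shell
#!/bin/sh
# Added example (not from the original post): re-announce every virtual IP on a
# WAN interface to the upstream gateway with Thomas Habets' arping.
# Assumptions: arping (Habets) is installed; ifconfig output is BSD-style, with
# the primary address listed first; interface and gateway names are placeholders.
set -eu

# Constructed sample of `ifconfig sis2` output (not captured from a real box).
SAMPLE_IFCONFIG='sis2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    ether 00:11:22:33:44:55
    inet 192.168.1.10 netmask 0xffffff00 broadcast 192.168.1.255
    inet 192.168.1.50 netmask 0xffffffff broadcast 192.168.1.50
    inet 192.168.1.51 netmask 0xffffffff broadcast 192.168.1.51
    inet6 fe80::211:22ff:fe33:4455%sis2 prefixlen 64 scopeid 0x3
    status: active'

# list_inet_addrs < ifconfig-output
# Prints every IPv4 address ("inet" lines only, so inet6 is skipped), one per line.
list_inet_addrs() {
  awk '$1 == "inet" { print $2 }'
}

# list_vips < ifconfig-output
# Drops the first inet line (the physical IP, which the post notes refreshes on
# its own) and prints the remaining alias/VIP addresses.
list_vips() {
  list_inet_addrs | sed 1d
}

# announce_vips IFACE GATEWAY VIP...
# For each VIP, send a few ARP requests out of IFACE to GATEWAY with -S VIP,
# i.e. with VIP as the sender protocol address. A router that already holds an
# entry for that address overwrites its MAC with the one in the request (the
# RFC 826 merge rule), which is what moves traffic to the replacement box.
# Set DRY_RUN=1 to print the commands instead of executing them.
announce_vips() {
  iface=$1; gw=$2; shift 2
  for vip in "$@"; do
    if [ "${DRY_RUN:-0}" = 1 ]; then
      printf '%s\n' "arping -i $iface -S $vip -c 3 $gw"
    else
      arping -i "$iface" -S "$vip" -c 3 "$gw"
    fi
  done
}

# Demo on the constructed sample (dry run, so nothing is sent):
DRY_RUN=1 announce_vips sis2 192.168.1.1 $(printf '%s\n' "$SAMPLE_IFCONFIG" | list_vips)
```

On a live router you would feed it real output, e.g. announce_vips sis2 192.168.1.1 $(ifconfig sis2 | list_vips), and run it right after the swap rather than waiting for the gateway’s cache to time out.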

Repeated STATE_MAIN_I1 EVENT_RETRANSMIT Messages in OpenSwan Status Log

A couple of years ago I wrote a story about how to set up an IPsec VPN between a Linksys RV082 (or RV042) and a Linksys WRT54GL (or WRT54G, WRT54GS, etc.) running OpenWrt and OpenSwan. Over the years, that solution has worked reasonably well for connecting a few small satellite offices with low data throughput demands to a head office. Recently, however, our requirements have outgrown that solution. In particular, the WRT54GL side of the VPN is just too slow for our needs.

MySQL ERROR 1045, silly HOW-TOs and RTFM moment …

OK, so I was installing a new piece of server software today. It’s great that many of these packages now have detailed HOW-TOs (usually in the form of a wiki) for the lazy admin who just wants to get it up and running. Not that I’m usually lazy, but hey, it’s a slow day between Christmas and New Year’s and I just want to get this installed, so I’m doing the “copy and paste from the HOW-TO” thing.

I came across this line:

“Next we have to create a database which <software> needs to store information:”

$ sudo mysql -u root

No problem, I’ve done that before. I dutifully type it into my shell without thinking much. This is what I get:

$ sudo mysql -u root
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)

Hrmm. What the heck is “ERROR 1045”?! Googling it returns a whole bunch of strange answers.

Turns out this is partly an RTFM (“read the fine manual”) problem and partly a “depends how you have MySQL configured” problem. The error itself says it: “using password: NO”. The client connected without offering a password, and the root account has one set. If that is your situation, here is the solution:

You need to add -p to tell the mysql client to prompt you for the password. Leave -p bare; writing the password inline as -pSECRET puts it in the process list where other users on the box can read it.

Thus,

$ sudo mysql -u root -p
Enter password:

Hope this helps the next lazy admin googling it. :-)
