Chrome, certificates and missing subjectAltNames

Google has been working hard on certificate security, especially in recent months.

At times this created quite some buzz in the IT world, e.g. when Symantec's CA practices came under scrutiny.

The current version 58 of Google Chrome has again tightened its certificate policy.

Certificates provide two places to store hostnames: the CommonName (CN) in the subject and the SubjectAltName (SAN) extension. RFC 2818, published in 2000, already deprecated the CommonName for hostname matching in favour of the dNSName entries in the SAN. Chrome 58 now enforces this: it ignores the CN entirely and only matches the requested hostname against the SAN.

Other browsers currently still accept the CommonName, which is often all that self-signed or internal-CA certificates carry, as in our case :/

Users who wanted to access our internal sites ran into NET::ERR_CERT_COMMON_NAME_INVALID errors and were forced to use quick and dirty workarounds, such as a Windows registry "hack":

Open a cmd shell as Administrator and enter:

reg add HKLM\SOFTWARE\Policies\Google\Chrome /v EnableCommonNameFallbackForLocalAnchors /t REG_DWORD /d 1 /f

which re-enables the fallback to the CommonName. Mind the restrictions hidden in the policy name: it only applies to certificates that chain to a locally installed trust anchor (an internal CA or a self-signed certificate imported into the trust store), never to publicly trusted certificates, and Google shipped it as a transition aid for Chrome 58 to 65 only, so it stops working as soon as those users update.

As this is just a temporary "solution", you should issue an RFC 2818 compliant certificate. That requires a complete and compliant certificate signing request (CSR), i.e. one that carries every hostname, including the one used as CN, in the subjectAltName extension.

You can either use a dedicated *.conf file for this or simply adapt the following shell command (the -addext option needs OpenSSL 1.1.1 or later; older versions need the config file route, because -subj only sets the subject DN and cannot carry extensions):

openssl req -new -key endpoint.com.key -sha256 \
         -subj '/C=US/ST=New York/L=New York/O=End Point/OU=Hosting Team/CN=www.endpoint.com/emailAddress=administrative-not-existent-address@our-awesome-domain.com' \
         -addext 'subjectAltName=DNS:www.endpoint.com,DNS:endpoint.com,DNS:usually-not-covered-domain.endpoint.com,DNS:multiple-domains-crt.endpoint.com' \
         -out www.endpoint.com.csr
The resulting CSR can be fed e.g. into your local CA to issue new certificates, which can then be rolled out in your environment. Do inspect the issued certificate before rolling it out: most CA tools only copy requested extensions into the certificate when configured to do so, and a certificate that lost its SANs on the way fails in Chrome exactly like the old one.
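The whole round trip as an added example (this is not the post's own command and not NETWAYS code): a req config file that puts every hostname into the SAN extension, a key plus CSR generated from it, and the CSR signed twice with a throw-away self-signed issuer, once correctly and once in the way that silently drops the SANs. The san_lists check at the end is what you would run against a certificate your internal CA hands back. The DN values and hostnames are placeholders (assumption); only openssl, grep, sed and tr are needed.

```shell
#!/bin/sh
# Added example, not code from the original post: build a CSR whose hostnames are
# carried in subjectAltName (the only place Chrome 58+ looks), sign it twice with
# a throw-away self-signed issuer, once correctly and once in the way that silently
# drops the SANs, and check both results. DN values and hostnames are placeholders
# (assumption), replace them with your own.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
HOST="www.endpoint.com"                                  # assumption: the CN
ALT="endpoint.com multiple-domains-crt.endpoint.com"     # assumption: extra SANs

# Write an openssl req config. req_extensions makes openssl put the SANs into the
# CSR; the CN is listed again as DNS.1 because SAN-only clients ignore the CN.
write_req_conf() {                                       # write_req_conf <file> <cn> [alt...]
    conf="$1"; cn="$2"; shift 2
    {
        printf '[req]\ndistinguished_name = dn\nreq_extensions = v3_req\nprompt = no\n\n'
        printf '[dn]\nC = US\nST = New York\nL = New York\nO = End Point\nOU = Hosting Team\nCN = %s\n\n' "$cn"
        printf '[v3_req]\nsubjectAltName = @alt_names\n\n[alt_names]\n'
        i=1
        for name in "$cn" "$@"; do
            printf 'DNS.%d = %s\n' "$i" "$name"
            i=$((i + 1))
        done
    } > "$conf"
}

# Key and CSR in one go. -nodes leaves the key unencrypted, acceptable for a
# service that must start unattended, not for a key you carry around.
make_csr() {
    # $ALT is intentionally left unquoted so it word-splits into arguments
    write_req_conf "$WORKDIR/req.conf" "$HOST" $ALT
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORKDIR/$HOST.key" -out "$WORKDIR/$HOST.csr" \
        -config "$WORKDIR/req.conf" 2>/dev/null
}

# Correct issuance: the issuer is told which extensions to put into the cert.
sign_csr() {
    openssl x509 -req -days 30 -sha256 -in "$WORKDIR/$HOST.csr" \
        -signkey "$WORKDIR/$HOST.key" -out "$WORKDIR/$HOST.crt" \
        -extfile "$WORKDIR/req.conf" -extensions v3_req 2>/dev/null
}

# The classic mistake: a correct CSR, but the issuer ignores the requested
# extensions. The result has a CN and no SAN, exactly what Chrome 58 rejects.
sign_csr_naive() {
    openssl x509 -req -days 30 -sha256 -in "$WORKDIR/$HOST.csr" \
        -signkey "$WORKDIR/$HOST.key" -out "$WORKDIR/naive.crt" 2>/dev/null
}

# san_lists <req|x509> <file> <dnsname>: exit 0 when the CSR (req) or the
# certificate (x509) carries exactly DNS:<dnsname> in subjectAltName.
san_lists() {
    openssl "$1" -noout -text -in "$2" 2>/dev/null \
        | grep -A1 'Subject Alternative Name' \
        | tr ',' '\n' | sed 's/^ *//' \
        | grep -qxF "DNS:$3"
}

make_csr
sign_csr
sign_csr_naive
for f in "$HOST.csr:req" "$HOST.crt:x509" "naive.crt:x509"; do
    file="${f%%:*}"; kind="${f##*:}"
    if san_lists "$kind" "$WORKDIR/$file" "$HOST"; then
        echo "$file: SAN contains DNS:$HOST"
    else
        echo "$file: NO SAN for $HOST, Chrome 58+ will reject it"
    fi
done
```

The naive.crt case is the one to watch for with a real CA: with OpenSSL's ca command the requested extensions are only honoured when copy_extensions is set in its configuration, and other CA products have an equivalent switch. To check a certificate that is already deployed, pipe the output of openssl s_client (with -servername set to the hostname) into openssl x509 -noout -text and look for the same Subject Alternative Name block that san_lists inspects.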
Live long and prosper, and be RFC compliant 🙂

Author: Tim Albert

Tim comes from a small village between Nuremberg and Ansbach, on the scenic B14. He studied teaching in Erlangen and information management in Koblenz; his job as a working student at IDS Scheer strongly influenced his switch from teaching to IT. Alongside his studies Tim also worked in user support for a factory customer service company. Blerim and Sebastian brought him into our Managed Services team at the beginning of 2016, where he now mainly looks after infrastructure topics. In his free time Tim volunteers with the fire brigade, as a pump operator and breathing apparatus wearer, acts in rustic farces with an amateur theatre group and is an all-round handyman: from building walls to KNX wiring, he is always ready. Apart from that he loves cooking, anything except rabbit!

OSDC 2017 – What a great week full of open source!

Over the weekend we caught up on missed sleep, and we are really happy about the successful Open Source Data Center Conference last week in Berlin.

The OSDC 2017 began with our workshop day on Tuesday with "Graylog – Centralized Log Management", "Mesos Marathon – Orchestrating Docker Containers" and "Terraform – Infrastructure as Code".

On Wednesday and Thursday attendees could join 23 interesting talks on case studies, the latest developments and best practices. CONTAINERS AND MICROSERVICES | CONFIGURATION MANAGEMENT | TESTING, METRICS AND ANALYSIS and TOOLS & INFRASTRUCTURE formed the core of the conference! Details about the talks can be found in Michi's and Dirk's blog posts.

On Wednesday evening we went to the Umspannwerk Ost. There was plenty of sun, so we could all sit outside and discuss the exciting days. There was also enough time for networking, making contacts and getting to know the open source community better!

After the conference ended on Thursday, we were happy to have met you all in Berlin and also a little bit sad, because three exciting conference days had come to an end.

At this point, it is time to say a cordial THANK YOU!

Thanks to our speakers who made us laugh and who gave us so much knowledge!
Thanks to our sponsors for the wonderful support and your confidence!
Thanks to our attendees for making the OSDC unique!

We hope to see you all next year! The date for 2018 is already fixed.

The pictures, slides and videos of the OSDC will be available soon!

OSDC 2018 | June 14 – 16, 2018 | Berlin


Author: Julia Hackbarth

Julia has been with NETWAYS since 2015. In September she started her apprenticeship as an office management clerk. She enjoys organising things and looks forward to varied challenges. Handball plays a big role in her free time: Julia is active on the court herself, but also likes to take on the role of referee.

OSDC 2017 – How it went on!

After the talks on Wednesday had finished, two OSDC VIP buses were waiting in front of the MOA Hotel. Once all attendees had found their seats, we drove through the whole city and finally reached the Umspannwerk Ost.

Bright sunshine, perfect. As last year, there was a huge variety of culinary delights. Thanks to the bright sunshine lasting into the evening hours, most of us sat outside the listed building, which is the oldest substation in Berlin. With some soft drinks and yummy food (look at the pictures), the evening ran its course.

As a little surprise for the attendees, we organised a kicker (table football). Not a standard kicker, but one for more than four players. It was really fun!
And so the hours passed until the third VIP shuttle bus brought all of us back to the conference hotel. After a very short night, today's talks started on time. What the talks are about you can find out in Michi's blog post after the conference has finished.

For our events team it's now the final spurt before the post-processing can start tomorrow. We hope all attendees have an interesting second conference day and a safe journey home!

SAVE THE DATE FOR 2018 | June 12-14



Author: Julia Hackbarth


Like meeting the family – OSDC 2017: Day 1

I was happy to join our conference crew for OSDC 2017 again, because it is like meeting the family, as one of our attendees said. The conference started for me already yesterday, because I could join Gabriel's workshop on Mesos Marathon. It was a quite interesting introduction into this topic, with examples and know-how from building our Software-as-a-Service platform "Netways Web Services". It was also very nice to meet many customers and long-time attendees again, as I already knew more than half of the people joining the workshops. So day zero ended with some nice conversation at the hotel's restaurant.

As always the conference started with a warm welcome from Bernd before the actual talks (and the hard decision which talk to join) started. For the first session I joined Daniel Korn from Red Hat's Container Management Team on "Automating your data-center with Ansible and ManageIQ". He gave us a good look behind a "one management solution to rule them all" like ManageIQ (the upstream version of Red Hat CloudForms), which is designed as an open source management platform for hybrid IT. It integrates many different solutions like OpenShift, Foreman or Ansible Tower in one interface. And as no one wants to configure such things manually today, there are some Ansible modules to help with automating the setup. Another topic covered was Hawkular, a time series database including triggers and alarming, which could be used to get alerts from OpenShift into ManageIQ.

The second talk was Seth Vargo with "Taming the Modern Data Center" on how to handle the complexity of data centers today. He also covered the issues of life cycles shrinking from timeframes measured in days, weeks and months to seconds and minutes, and of budgets moving from CapEx to OpEx by using cloud or service platforms. With Terraform he introduced one of HashiCorp's solutions to help with solving these challenges by providing one abstraction layer to manage multiple solutions. Packer was another tool introduced, to help with image creation for immutable infrastructure. The third tool shown was Consul, providing service discovery (via DNS or an HTTP API), health checking (with automatic removal of failed instances from discovered services), a key/value store (as configuration backend for these services) and multi-datacenter support (for delegating service requests to the nearest available system). In addition Seth gave some good insight into workflows and concepts inside HashiCorp, like using their own software and testing betas in production before releasing, or trusting the developers of the integrated software to maintain the providers required for that integration.

Next was Mandi Walls on "Building Security Into Your Workflow with InSpec". The problem she mentioned, and which InSpec tries to solve, is that security reviews can slow down development, but moving security reviews to scanning a production environment is too late. So InSpec gives the administrator a spec dialect to write human-readable compliance tests for Linux and Windows. By doing so it stays understandable for non-technical compliance officers, and profiles give them a catalog to satisfy all their needs at once. If you want an example, have a look at the Chef cookbook os-hardening and the InSpec profile dev-sec/linux-baseline, which work nicely together by checking compliance and running remediation.

James Shubin giving a big live demo of mgmt was entertaining and informative as always. I have already seen some of the demos at other events, but it is still exciting to see configuration management with parallelization (no unnecessary waiting for resources), event-driven behaviour (instant recreation of resources), distributed topology (no single point of failure), automatic grouping of resources (no more running the package manager for every package), virtual machines as resources (including managing them from Cockpit and hot-plugging CPUs) and remote execution (allowing configuration management to spread through SSH from one laptop over your data center). mgmt is not production ready for now, but it's very promising. Future work includes a descriptive language, more resource types and more improvements. I can recommend watching the recording when it goes online in the next days.

"Do you trust your containers?" was the question asked by Erez Freiberger in his talk, before he gave the audience some tools to increase that trust. After a short introduction into SCAP and OpenSCAP, Erez spoke about image-inspector, which is built on top of them and is used by OpenShift and ManageIQ to inspect container images. It is very good to see security getting nicely integrated into such tools, and with the mentioned future work it will be even nicer to use.

For the last talk of today I joined Colin Charles from Percona, who let us take part in "Lessons learned from database failures". On his agenda were backups, replication and security. Without blaming and shaming, Colin took many examples that failed and explained how it could be done better with current software and architecture. This reminds me to catch up on MySQL and MariaDB features before they hit enterprise distributions.

So this is it for today; after so many interesting talks I will have some food, drinks and conversation at the evening event at Umspannwerk Ost. Tomorrow I will hand over the blog to Michael, because I will give a talk about Foreman myself.


Author: Dirk Götz

Dirk is a Red Hat specialist and works at NETWAYS in consulting for Icinga, Nagios, Puppet and other systems management solutions. Previously he was employed as a senior administrator at a statutory pension insurance provider, where he was also responsible for training the apprentices.

OSDC 2017 – How it all began

On Monday evening, a group of some very excited NETWAYS guys arrived in Berlin to prepare the OSDC. After the rooms were ready for the workshops on Tuesday, the pizza for our busy bees was definitely well deserved. By then it was already very late, and so they all fell into a deep, deep sleep before the bewitched bell was ringing again.

At 10 o'clock our workshops started: "Graylog – Centralized Log Management" by Jan Doberstein and Bernd Ahlers, "Terraform – Infrastructure as Code" by Seth Vargo and "Mesos Marathon – Orchestrating Docker Containers" by Gabriel Hartmann. The attendees learned a lot, and we hope there's a little space left for the talks on Wednesday and Thursday! Then the NETWAYS crew started with the last preparations for Wednesday, and the first conference day was already over.

After a joyful night with our beloved Tele-Inder (a classic Berlin Späti), the conference started with Bernd's opening and the talks. What the talks are about, you can read in Dirk's blog post! We'll only say this much: it was equally interesting, new and fun! 😊 The pictures will follow!



Author: Julia Hackbarth


OSDC 2017 Countdown – 1 day until Berlin


OSDC Countdown 2017: rkt and Kubernetes – What's new with Container Runtimes and Orchestration by Jonathan Boulle

OSDC 2017 | Simplifying Complex IT Infrastructures with Open Source | May 16 – 18, 2017

Join us in Berlin and take part in the Open Source Data Center Conference 2017, where internationally recognized open source specialists report on the latest developments in data center solutions and share their experiences and best practices with experienced administrators and architects. This is also a great opportunity for you to deepen and expand your own know-how in a relaxed atmosphere, as well as to make contacts and to get to know the open source community.

In addition to the talks, you have the opportunity to take part in one of three interesting hands-on workshops on May 16.

More information and your tickets can be found on: www.osdc.de

See you in Berlin!


Author: Julia Hackbarth
