Skip to main content
  1. Notes/

OpenBSD

·

These are random notes – more or less about OpenBSD. Some may not fit here well, but they could relate to OpenBSD or similar operating systems in some way…

Apache with wildcard certificates #

I often got errors when I clicked a link on my main website for example to the weather page. It was complaining about different SNI because both hosts used different certificates and I wasn’t sure how I could fix that easily. I thought wildcard certs could fix that because I’d only have one cert for all the domains.

$ doas pkg_add certbot

Run and follow instructions:

$ doas certbot certonly --manual --preferred-challenges dns \
  --server https://acme-v02.api.letsencrypt.org/directory \
  --manual-public-ip-logging-ok -d '*.oe7drt.com' -d oe7drt.com

[...]
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/oe7drt.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/oe7drt.com/privkey.pem
This certificate expires on 2024-04-25.
These files will be updated when the certificate renews.

NEXT STEPS:
- This certificate will not be renewed automatically. Autorenewal of --manual
  certificates requires the use of an authentication hook script (--manual-auth-hook)
  but one was not provided. To renew this certificate, repeat this same certbot
  command before the certificate's expiry date.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Also adding my .net domain to the certs:

$ doas certbot certonly --manual --manual-public-ip-logging-ok \
  --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory \
  -d "*.oe7drt.com" -d "*.oe7drt.net" -d oe7drt.com -d oe7drt.net

Some changes to the apache2 configuration were made:

<MDomain oe7drt.com oe7drt.net>
    MDMember *.oe7drt.com
    MDMember *.oe7drt.net
    MDCertificateFile /etc/letsencrypt/live/oe7drt.com/fullchain.pem
    MDCertificateKeyFile /etc/letsencrypt/live/oe7drt.com/privkey.pem
</MDomain>

MDChallengeDns01 /etc/apache2/dns/dns-challenge.phar --
MDCertificateAgreement accepted
MDContactEmail {email_redacted}
MDCAChallenges dns-01

It seems Apache likes this:

cropped output of apaches status website /md-status

This is currently testing because I have no idea if mod_md will update these certs itself or if I should run certbot again when it’s needed. In the meantime I monitor my website with UptimeKuma which alerts me on expiring certificates.

The binary (dns-challenge.phar) that actually does the DNS Challenge is taken from kategray/dns-challenge-cloudflare.

An easier way to obtain wildcard certificates would be the use of Cloudflares proxy. They would also create a second wildcard cert of another issuer in case the first one would get compromised so they would actually replace your main cert with a backup cert just with a whoooop.

Certbot commands have been taken from this article by nabbisen at dev.to.

Update on April 25 2024
I’ve now seen that no certificate gets renewed automatically.

The actual certificate got renewed with the command from above (including the .net domain). The output of that command clearly states:

NEXT STEPS:
- This certificate will not be renewed automatically. Autorenewal of
--manual certificates requires the use of an authentication hook script
(--manual-auth-hook) but one was not provided. To renew this certificate,
repeat this same certbot command before the certificate's expiry date.

I will execute the same certbot command before the certificate’s expiry date the next time to enhance my experience 😉

Update: Another interesting article can be found there on mzonline.com

Get some filesystem information #

$ dumpfs /dev/rsd1a
magic	19540119 (FFS2)	time	Thu Nov 16 21:14:34 2023
[...] (snip; lots of output...)

This can be helpful if you want to know, which filesystem you actually use on your OpenBSD box.

Create a Win95 FAT32 USB stick #

When you fdisk -iy sd2 (for example) a USB stick, you usually create one single OpenBSD partition at the 4th position. When you then try to newfs_msdos -F 32 -L Label sd2i the layout is gone – happened to me several times until I got fed up and investigated.

I don’t know why that happened, but I got my way to create USB sticks, that actually work with other devices like my amateur radios that need those fancy microSD cards.

Delete the first bytes on the stick:

$ doas dd if=/dev/zero bs=1m count=1 of=/dev/rsd2c

Create the needed partition:

$ echo -n 'edit 0\n0c\n\n2048\n*\nq\n' | doas fdisk -e sd2

A short explanation (\n is basically a newline; the Enter key):

  • edit 0\n: edit the first entry (fdisk -iy sd2 would edit the 4th entry)
  • 0c\n: selects Win95 FAT32L as file system format
  • \n: only hit enter and use the default [n]
  • 2048\n: Start of the partition
  • *\n: Special size value – means the remainder of the disk (like -1 on many other tools)
  • q\n: write MBR and quits the program

This results in a partition table like this:

$ fdisk sd2
Disk: sd2	geometry: 966/255/63 [15523840 Sectors]
Offset: 0	Signature: 0xAA55
            Starting         Ending         LBA Info:
 #: id      C   H   S -      C   H   S [       start:        size ]
-------------------------------------------------------------------------------
 0: 0C      0  32  33 -    966  80  10 [        2048:    15521792 ] Win95 FAT32L
 1: 00      0   0   0 -      0   0   0 [           0:           0 ] Unused
 2: 00      0   0   0 -      0   0   0 [           0:           0 ] Unused
 3: 00      0   0   0 -      0   0   0 [           0:           0 ] Unused

whereas a fdisk -iy sd2 creates a table like this:

$ fdisk sd2
Disk: sd2	geometry: 966/255/63 [15523840 Sectors]
Offset: 0	Signature: 0xAA55
            Starting         Ending         LBA Info:
 #: id      C   H   S -      C   H   S [       start:        size ]
-------------------------------------------------------------------------------
 0: 00      0   0   0 -      0   0   0 [           0:           0 ] Unused
 1: 00      0   0   0 -      0   0   0 [           0:           0 ] Unused
 2: 00      0   0   0 -      0   0   0 [           0:           0 ] Unused
*3: A6      0   1   2 -    966  80  10 [          64:    15523776 ] OpenBSD

Don’t forget to create the file system:

$ doas newfs_msdos -F 32 -L 8GB_Stick sd2i

Mounting disk images #

$ doas vnconfig /dev/vnd0c /path/to/imagefile.img
$ doas mount_msdos /dev/vnd0i ~/mnt/disk

Packages / Ports #

…because of libraries #

Updating dependencies before installing (switch -U) does help sometimes…

Can’t install [package] because of libraries

$ doas pkg_add -uiU

Should fix that.

Python #

ModuleNotFoundError #

Install python modules with pip.

$ python3 -m pip install --user --upgrade ${example_module}

Rust #

starship prompt #

This is usually blocked via the rust-battery crate, as there is still no progress made on issue #19, which probably leads to no progress on issue #2267.

Though, there is a comment that disables the optional features (battery).

So the final installation of Starship looks like:

$ cargo install starship --locked --no-default-features

The compilation took about 9½ minutes.

Git #

Cloudlog (server) #

Cloudlog is a webapplication written in PHP that allows ham radio amateurs to log contacts online. I host my own instance on my server and I finally looked into why I never got satellites shown in SAT Timers.

I use php-fpm and it is running as the user www. It is kind of jailed and it cannot read /etc/ssl/cert.pem – so the https connections cannot be verified and it failes at downloading the satellites infos from other websites.

I solved this by copying /etc/ssl to /var/www/etc/ssl via rsync, keeping file permissions intact. I may setup a cronjob for this maybe.

$ cd /var/www
$ doas rsync -avhzrp /etc/ssl/ etc/ssl
sending incremental file list
created directory etc/ssl
./
cert.pem
ikeca.cnf
openssl.cnf
x509v3.cnf
private/

sent 155.82K bytes  received 133 bytes  311.90K bytes/sec
total size is 344.08K  speedup is 2.21
$ doas rcctl restart php80_fpm
php80_fpm(ok)
php80_fpm(ok)

Cloudlog (client) #

Use of the online logging tool Cloudlog on my OpenBSD machine.

First off, connect the TX-500 with the computer (CAT cable) and start rigctld:

$ rigctld -m 2014 -r /dev/cuaU0 -s 9600 -v

I use 2014 which is actually a Kenwood TS-2000 – but on OpenBSD hamlib is currently at version 4.4 and the TX-500 is only available on version ≥4.5.

For newer hamlib versions (≥4.5) use the rig 2050 like:

$ rigctld -m 2050 -r /dev/cuaU0 -s 9600 -v

In combination with Digirig I would probably use something like this, because otherwise Digirig would instantly key the transceiver:

$ rigctld -m 2014 -r /dev/cuaU0 -s 9600 --set-conf=rts_state=OFF -v

Well, I tested this on my desk at home but never used my Laptop for doing digital modes with my TX-500 though – but I want this to be noted here just in case I should need it someday.

On another terminal start cloudlogbashcat.sh:

$ cloudlogbashcat.sh

Now, if you open the website of your Cloudlog installation (and if you have setup your rigs) and select the radio that uses cloudlogbashcat.

cloudlog radio selection dialog
You can select your pre-defined radio in the Live QSO tab

Z-Shell #

Where is this alias defined? #

I defined an alias ls but I forgot where it was.

$ PS4='+%x:%I>' zsh -i -x -c '' |& grep ls

There will be a lot of screen output probably.

Renaming multiple directories #

$ count=1; zmv -n '*' '$f[1,4]/$((count++))-$f[12,-1]'
mv -- 2023-08-05-problems-with-apt-keys-on-my-hotspots 2023/51-problems-with-apt-keys-on-my-hotspots
mv -- 2023-08-26-dmrhost-on-a-raspberrypi4-with-openbsd-or-freebsd 2023/52-dmrhost-on-a-raspberrypi4-with-openbsd-or-freebsd
mv -- 2023-09-16-openbsd-current-built-from-source 2023/53-openbsd-current-built-from-source

Moves subdirectories into other folder structure with a counting variable.

$ count=16; zmv -Q '*(/)' '$((count++))-$f[12,-1]'
mv -- 2021-08-08-win10-grub2-and-uefi 16-win10-grub2-and-uefi
mv -- 2021-08-12-running-n1mm-logger-on-linux 17-running-n1mm-logger-on-linux
mv -- 2021-10-03-winlink-and-vara-on-linux 18-winlink-and-vara-on-linux
mv -- 2021-10-03-wordlist-generation 19-wordlist-generation
mv -- 2021-10-26-processes-accessing-mountpoints 20-processes-accessing-mountpoints

That was the second part, counting from where we stopped from the previous directory.

There was a draft post left in 2022 which I deleted, now I had to renumber the folders from 28-* to 34- to a number lower by 1.

$ for i in {29..34}; do zmv -n -W $i'*' $((--i))'*'; done
mv -- 29-using-nfs-on-a-raspberry-pi 28-using-nfs-on-a-raspberry-pi
mv -- 30-vpn-tunnel-into-hamnet-on-fedora-36 29-vpn-tunnel-into-hamnet-on-fedora-36
mv -- 31-winlink-on-linux-fix-invalid-handle-on-logfiles 30-winlink-on-linux-fix-invalid-handle-on-logfiles
mv -- 32-hamnet-on-the-pfsense 31-hamnet-on-the-pfsense
mv -- 33-changing-network-metrics-on-linux 32-changing-network-metrics-on-linux
mv -- 34-change-git-submodule-url 33-change-git-submodule-url

So, there is still one post left that is actually a draft post and I’d like to remove the leading number from that directory.

$ zmv -n -W '59-*' '*'
mv -- 59-pat-winlink-on-openbsd pat-winlink-on-openbsd

Neovim #

Update plugins that use make #

GNU make and BSD make are not compatible, and it is kind of annoying if people think everybody has installed the same tools to compile software on their boxes.

In this example I often get some errors when I try to update plugins from withing AstroNvim, a plugin-packaged neovim confgiuration framework.

  • Open Neovim and initiate the update procedure (space, p, a)
  • Remember what folder the errors occur
  • Visit those folders and update the file Makefile (usually)
  • in Makefile replace make with gmake
    (you need that installed, pkg_add gmake)
  • run the update procedure again

If that does not work, it is mostly a submodule. You can try to update and compile by hand. Switch to the folder, update make with gmake and finally run gmake in that folder. That will produce a compiled output (a library) and the updated procedure will pick that up at the next run and the submodule will usually be ignored unless the main repo has new commits in its tree. You may then stash the local changes and re-run the update procedure again.

Concatenate sound files (.wav) #

$ sox *.wav one-big-soundfile.wav

cat *.wav > bigfile.wav works too, but different. That would put all audio files into separate streams at the output file whereas sox appends one file after another in the big output file.

Manual page sections #

SectionDescription
1General Commands
2System Calls
3Library Functions
3pPerl Library
4Device Drivers
5File Formats
6Games
7Miscallaneous Information
8System Manager’s Manual
9Kernel Developer’s Manual
Dominic Reich
Author
Dominic Reich
late-30s, construction worker since 2016, electrician before, likes tech stuff and nature. Amateur radio operator since 2019. Uses this website as a digital notebook. Read more about me →

Related Posts

  • FLEcli on OpenBSD // 2023, September 24
    Quickly create ADIF or CSV files to import into any logging program later. Also creates logfiles for the SOTA program.
  • Neovim, Telescope, FreeBSD: problems? // 2023, June 23
    I dropped my old configuration that I practically copied from other people for Neovim. I’m now using AstroNvim…
  • Publishing dotfiles // 2023, November 2
    Another quick'n'dirty post about how I published my dotfiles.
  • Converting big videos // 2023, October 1
    I am subscribed to a few mailing lists and I stumbled across a big video file in one of them recently. Here is a small command-line command using ffmpeg that cut its filesize in half.
  • Following OpenBSD-current snapshots // 2023, September 30
    I guesss this is now a working scenario in which I can update to a working current snapshots but without the need of building OpenBSD from source.