OpenBSD
These are random notes – more or less about OpenBSD. Some may not fit here well, but they could relate to OpenBSD or similar operating systems in some way…
Apache with wildcard certificates #
I often got errors when I clicked a link on my main website, for example to the weather page. It was complaining about a different SNI because both hosts used different certificates, and I wasn’t sure how I could fix that easily. I thought wildcard certs could fix that because I’d only have one cert for all the domains.
$ doas pkg_add certbot
Run and follow instructions:
$ doas certbot certonly --manual --preferred-challenges dns \
--server https://acme-v02.api.letsencrypt.org/directory \
--manual-public-ip-logging-ok -d '*.oe7drt.com' -d oe7drt.com
[...]
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/oe7drt.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/oe7drt.com/privkey.pem
This certificate expires on 2024-04-25.
These files will be updated when the certificate renews.
NEXT STEPS:
- This certificate will not be renewed automatically. Autorenewal of --manual
certificates requires the use of an authentication hook script (--manual-auth-hook)
but one was not provided. To renew this certificate, repeat this same certbot
command before the certificate's expiry date.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Also adding my .net domain to the certs:
$ doas certbot certonly --manual --manual-public-ip-logging-ok \
--preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory \
-d "*.oe7drt.com" -d "*.oe7drt.net" -d oe7drt.com -d oe7drt.net
Some changes to the apache2 configuration were made:
<MDomain oe7drt.com oe7drt.net>
MDMember *.oe7drt.com
MDMember *.oe7drt.net
MDCertificateFile /etc/letsencrypt/live/oe7drt.com/fullchain.pem
MDCertificateKeyFile /etc/letsencrypt/live/oe7drt.com/privkey.pem
</MDomain>
MDChallengeDns01 /etc/apache2/dns/dns-challenge.phar --
MDCertificateAgreement accepted
MDContactEmail {email_redacted}
MDCAChallenges dns-01
It seems Apache likes this:
This is currently being tested because I have no idea if mod_md will update these certs itself or if I should run certbot again when it’s needed. In the meantime I monitor my website with UptimeKuma, which alerts me on expiring certificates.
The binary (`dns-challenge.phar`) that actually does the DNS challenge is taken from kategray/dns-challenge-cloudflare.
An easier way to obtain wildcard certificates would be the use of Cloudflare’s proxy. They would also create a second wildcard cert from another issuer in case the first one got compromised, so they could actually replace your main cert with a backup cert just with a whoooop.
Certbot commands have been taken from this article by nabbisen at dev.to.
I’ve now seen that no certificate gets renewed automatically.
The actual certificate got renewed with the command from above (including the .net domain). The output of that command clearly states:
NEXT STEPS:
- This certificate will not be renewed automatically. Autorenewal of
--manual certificates requires the use of an authentication hook script
(--manual-auth-hook) but one was not provided. To renew this certificate,
repeat this same certbot command before the certificate's expiry date.
I will execute the same certbot command before the certificate’s expiry date the next time to enhance my experience 😉
Update: Another interesting article can be found on mzonline.com.
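Since certbot states that `--manual` certificates are never renewed on their own, the following added script (not part of the original notes) checks the cert from above before it silently expires, and also verifies that every name Apache serves is actually covered. Paths and domains are the ones from the notes; `WARN_DAYS`, the `NAMES` list and the `CHECK_NOW` switch are assumptions. It also shows why the certbot command lists both `*.oe7drt.com` and `oe7drt.com`: a wildcard matches exactly one label, so it never covers the bare domain.

```shell
#!/bin/sh
# Added example, not from the original notes: warn when the manually
# renewed wildcard cert is close to expiry or does not cover a served name.
CERT=${CERT:-/etc/letsencrypt/live/oe7drt.com/fullchain.pem}
WARN_DAYS=${WARN_DAYS:-14}                       # assumption
NAMES=${NAMES:-"oe7drt.com www.oe7drt.com oe7drt.net www.oe7drt.net"}

# still_valid FILE DAYS -> 0 if the cert is still valid DAYS days from now
still_valid() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null 2>&1
}

# san_list FILE -> the DNS names of the Subject Alternative Name extension
san_list() {
    openssl x509 -noout -text -in "$1" \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}

# covers FILE NAME -> 0 if an exact SAN equals NAME, or a wildcard SAN
# matches it with exactly one label in place of the '*' (RFC 6125 rule)
covers() {
    name=$2
    san_list "$1" | while IFS= read -r san; do
        case $san in
            \*.*) [ "${name#*.}" = "${san#\*.}" ] && echo match ;;
            *)    [ "$san" = "$name" ] && echo match ;;
        esac
    done | grep -q match
}

# check_cert -> 0 when everything is fine, 1 with the reasons on stderr
check_cert() {
    rc=0
    still_valid "$CERT" "$WARN_DAYS" \
        || { echo "$CERT expires within $WARN_DAYS days: rerun certbot" >&2; rc=1; }
    for n in $NAMES; do
        covers "$CERT" "$n" || { echo "$CERT does not cover $n" >&2; rc=1; }
    done
    return $rc
}

# run the checks from cron or by hand with CHECK_NOW=1; sourcing does nothing
if [ -n "${CHECK_NOW:-}" ]; then check_cert; fi
```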
Get some filesystem information #
$ dumpfs /dev/rsd1a
magic 19540119 (FFS2) time Thu Nov 16 21:14:34 2023
[...] (snip; lots of output...)
This can be helpful if you want to know which filesystem you actually use on your OpenBSD box.
Create a Win95 FAT32 USB stick #
When you `fdisk -iy sd2` (for example) a USB stick, you usually create one single OpenBSD partition at the 4th position. When you then try to `newfs_msdos -F 32 -L Label sd2i`, the layout is gone – this happened to me several times until I got fed up and investigated.
I don’t know why that happened, but I found my way to create USB sticks that actually work with other devices like my amateur radios that need those fancy microSD cards.
Delete the first bytes on the stick:
$ doas dd if=/dev/zero bs=1m count=1 of=/dev/rsd2c
Create the needed partition:
$ echo -n 'edit 0\n0c\n\n2048\n*\nq\n' | doas fdisk -e sd2
A short explanation (`\n` is basically a newline; the Enter key):
- `edit 0\n`: edit the first entry (`fdisk -iy sd2` would edit the 4th entry)
- `0c\n`: selects Win95 FAT32L as file system format
- `\n`: only hit enter and use the default [n]
- `2048\n`: start of the partition
- `*\n`: special size value – means the remainder of the disk (like `-1` on many other tools)
- `q\n`: write MBR and quit the program
This results in a partition table like this:
$ fdisk sd2
Disk: sd2 geometry: 966/255/63 [15523840 Sectors]
Offset: 0 Signature: 0xAA55
Starting Ending LBA Info:
#: id C H S - C H S [ start: size ]
-------------------------------------------------------------------------------
0: 0C 0 32 33 - 966 80 10 [ 2048: 15521792 ] Win95 FAT32L
1: 00 0 0 0 - 0 0 0 [ 0: 0 ] Unused
2: 00 0 0 0 - 0 0 0 [ 0: 0 ] Unused
3: 00 0 0 0 - 0 0 0 [ 0: 0 ] Unused
whereas a fdisk -iy sd2
creates a table like this:
$ fdisk sd2
Disk: sd2 geometry: 966/255/63 [15523840 Sectors]
Offset: 0 Signature: 0xAA55
Starting Ending LBA Info:
#: id C H S - C H S [ start: size ]
-------------------------------------------------------------------------------
0: 00 0 0 0 - 0 0 0 [ 0: 0 ] Unused
1: 00 0 0 0 - 0 0 0 [ 0: 0 ] Unused
2: 00 0 0 0 - 0 0 0 [ 0: 0 ] Unused
*3: A6 0 1 2 - 966 80 10 [ 64: 15523776 ] OpenBSD
Don’t forget to create the file system:
$ doas newfs_msdos -F 32 -L 8GB_Stick sd2i
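The three steps above (dd, fdisk -e, newfs_msdos) as one script, added here and not part of the original notes. It adds the two guards a practitioner wants before zeroing a raw device: the argument must be a plain `sdN` name and nothing on that device may be mounted, and it uses `printf` instead of `echo -n` so the `\n` escapes behave the same in every shell. The script name, the guard functions and the `LABEL` argument are assumptions.

```shell
#!/bin/sh
# Added example, not from the original notes: mkfat32stick.sh sd2 [LABEL]
# LABEL defaults to 8GB_Stick, as in the newfs_msdos command from the notes.

# valid_devname NAME -> 0 only for a plain sdN device name, never a path
valid_devname() {
    case $1 in
        sd[0-9]|sd[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# device_in_use MOUNT_OUTPUT NAME -> 0 if any /dev/NAME<partition> is listed
# in the output of mount(8); the output is passed in so it can be tested offline
device_in_use() {
    printf '%s\n' "$1" | grep -q "^/dev/$2[a-p] on "
}

# fdisk_commands -> the fdisk -e dialogue from the notes: edit entry 0, type
# 0c (Win95 FAT32L), accept the default, start at sector 2048, size * (rest
# of the disk), q to write the MBR and quit
fdisk_commands() {
    printf 'edit 0\n0c\n\n2048\n*\nq\n'
}

# make_stick NAME [LABEL] -> wipes the MBR, writes the partition table and
# creates the FAT32 file system on partition i of the stick
make_stick() {
    dev=$1; label=${2:-8GB_Stick}
    valid_devname "$dev" || { echo "refusing: '$dev' is not an sdN name" >&2; return 1; }
    if device_in_use "$(mount)" "$dev"; then
        echo "refusing: $dev has mounted partitions, umount them first" >&2; return 1
    fi
    doas dd if=/dev/zero bs=1m count=1 of="/dev/r${dev}c" &&
    fdisk_commands | doas fdisk -e "$dev" &&
    doas newfs_msdos -F 32 -L "$label" "${dev}i"
}

# only act when a device name is given on the command line
if [ -n "${1:-}" ]; then make_stick "$@"; fi
```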
Mounting disk images #
$ doas vnconfig /dev/vnd0c /path/to/imagefile.img
$ doas mount_msdos /dev/vnd0i ~/mnt/disk
Packages / Ports #
…because of libraries #
Updating dependencies before installing (switch `-U`) does help sometimes…
Can’t install [package] because of libraries
$ doas pkg_add -uiU
Should fix that.
Python #
ModuleNotFoundError #
Install python modules with pip.
$ python3 -m pip install --user --upgrade ${example_module}
Rust #
starship prompt #
This is usually blocked via the rust-battery crate, as there is still no progress made on issue #19, which probably leads to no progress on issue #2267.
There is, however, a comment on that issue describing how to disable the optional features (battery).
So the final installation of Starship looks like:
$ cargo install starship --locked --no-default-features
The compilation took about 9½ minutes.
Git #
Cloudlog (server) #
Cloudlog is a web application written in PHP that allows ham radio amateurs to log contacts online. I host my own instance on my server and I finally looked into why I never got satellites shown in SAT Timers.
I use php-fpm and it is running as the user `www`. It is kind of jailed and cannot read `/etc/ssl/cert.pem` – so the https connections cannot be verified and it fails at downloading the satellite info from other websites.
I solved this by copying `/etc/ssl` to `/var/www/etc/ssl` via rsync, keeping file permissions intact. I may set up a cronjob for this.
$ cd /var/www
$ doas rsync -avhzrp /etc/ssl/ etc/ssl
sending incremental file list
created directory etc/ssl
./
cert.pem
ikeca.cnf
openssl.cnf
x509v3.cnf
private/
sent 155.82K bytes received 133 bytes 311.90K bytes/sec
total size is 344.08K speedup is 2.21
$ doas rcctl restart php80_fpm
php80_fpm(ok)
php80_fpm(ok)
Cloudlog (client) #
Use of the online logging tool Cloudlog on my OpenBSD machine.
First off, connect the TX-500 with the computer (CAT cable) and start `rigctld`:
$ rigctld -m 2014 -r /dev/cuaU0 -s 9600 -v
I use `2014`, which is actually a Kenwood TS-2000 – but on OpenBSD hamlib is currently at version 4.4 and the TX-500 is only available on version ≥4.5.
For newer hamlib versions (≥4.5) use the rig 2050 like:
$ rigctld -m 2050 -r /dev/cuaU0 -s 9600 -v
In combination with Digirig I would probably use something like this, because otherwise Digirig would instantly key the transceiver:
$ rigctld -m 2014 -r /dev/cuaU0 -s 9600 --set-conf=rts_state=OFF -v
Well, I tested this on my desk at home but never used my Laptop for doing digital modes with my TX-500 though – but I want this to be noted here just in case I should need it someday.
On another terminal start `cloudlogbashcat.sh`:
$ cloudlogbashcat.sh
Now, if you open the website of your Cloudlog installation (and if you have set up your rigs) and select the radio that uses cloudlogbashcat.
Z-Shell #
Where is this alias defined? #
I defined an alias `ls` but I forgot where it was.
$ PS4='+%x:%I>' zsh -i -x -c '' |& grep ls
There will be a lot of screen output probably.
Renaming multiple directories #
$ count=1; zmv -n '*' '$f[1,4]/$((count++))-$f[12,-1]'
mv -- 2023-08-05-problems-with-apt-keys-on-my-hotspots 2023/51-problems-with-apt-keys-on-my-hotspots
mv -- 2023-08-26-dmrhost-on-a-raspberrypi4-with-openbsd-or-freebsd 2023/52-dmrhost-on-a-raspberrypi4-with-openbsd-or-freebsd
mv -- 2023-09-16-openbsd-current-built-from-source 2023/53-openbsd-current-built-from-source
This moves subdirectories into another folder structure with a counting variable.
$ count=16; zmv -Q '*(/)' '$((count++))-$f[12,-1]'
mv -- 2021-08-08-win10-grub2-and-uefi 16-win10-grub2-and-uefi
mv -- 2021-08-12-running-n1mm-logger-on-linux 17-running-n1mm-logger-on-linux
mv -- 2021-10-03-winlink-and-vara-on-linux 18-winlink-and-vara-on-linux
mv -- 2021-10-03-wordlist-generation 19-wordlist-generation
mv -- 2021-10-26-processes-accessing-mountpoints 20-processes-accessing-mountpoints
That was the second part, counting from where we stopped from the previous directory.
There was a draft post left in 2022 which I deleted, now I had to renumber the folders from `28-*` to `34-*` to a number lower by 1.
$ for i in {29..34}; do zmv -n -W $i'*' $((--i))'*'; done
mv -- 29-using-nfs-on-a-raspberry-pi 28-using-nfs-on-a-raspberry-pi
mv -- 30-vpn-tunnel-into-hamnet-on-fedora-36 29-vpn-tunnel-into-hamnet-on-fedora-36
mv -- 31-winlink-on-linux-fix-invalid-handle-on-logfiles 30-winlink-on-linux-fix-invalid-handle-on-logfiles
mv -- 32-hamnet-on-the-pfsense 31-hamnet-on-the-pfsense
mv -- 33-changing-network-metrics-on-linux 32-changing-network-metrics-on-linux
mv -- 34-change-git-submodule-url 33-change-git-submodule-url
So, there is still one post left that is actually a draft post and I’d like to remove the leading number from that directory.
$ zmv -n -W '59-*' '*'
mv -- 59-pat-winlink-on-openbsd pat-winlink-on-openbsd
Neovim #
Update plugins that use make #
GNU make and BSD make are not compatible, and it is kind of annoying if people think everybody has installed the same tools to compile software on their boxes.
In this example I often get some errors when I try to update plugins from within AstroNvim, a plugin-packaged neovim configuration framework.
- Open Neovim and initiate the update procedure (space, p, a)
- Remember in which folders the errors occur
- Visit those folders and update the file `Makefile` (usually)
- In `Makefile` replace `make` with `gmake` (you need that installed: `pkg_add gmake`)
- Run the update procedure again
If that does not work, it is mostly a submodule. You can try to update and compile by hand.
Switch to the folder, update `make` with `gmake` and finally run `gmake` in that folder.
That will produce a compiled output (a library) and the update procedure will pick that up at the next run, and the submodule will usually be ignored unless the main repo has new commits in its tree. You may then stash the local changes and re-run the update procedure again.
Concatenate sound files (.wav) #
$ sox *.wav one-big-soundfile.wav
`cat *.wav > bigfile.wav` works too, but differently. That would put all audio files into separate streams in the output file, whereas `sox` appends one file after another in the big output file.
Manual page sections #
| Section | Description |
|---|---|
| 1 | General Commands |
| 2 | System Calls |
| 3 | Library Functions |
| 3p | Perl Library |
| 4 | Device Drivers |
| 5 | File Formats |
| 6 | Games |
| 7 | Miscellaneous Information |
| 8 | System Manager’s Manual |
| 9 | Kernel Developer’s Manual |