---
title: OpenBSD
date: 2023-11-29T20:33:48+0100
lastmod: 2024-09-28T23:48:06+0000
tags:
  - openbsd
  - python
  - cloudlog
  - zsh-shell
  - git
  - rust
  - neovim
  - apache2
  - mod_md
  - certbot
#showDate: false
showReadingTime: false
showWordCount: false
showPagination: false
#showAuthor: false
showBreadcrumbs: true
feed_exclude: true
# site_exclude: true
---

These are random notes -- more or less about OpenBSD. Some may not fit here well, but they relate to OpenBSD or similar operating systems in some way...

## Apache with wildcard certificates

I often got errors when I clicked a link on my main website, for example to the weather page. The browser complained about a certificate/SNI mismatch because both hosts used different certificates, and I wasn't sure how to fix that easily. I thought a wildcard certificate could fix it because I'd only have one certificate for all the (sub)domains.

```console
$ doas pkg_add certbot
```

Run and follow the instructions:

```console
$ doas certbot certonly --manual --preferred-challenges dns \
    --server https://acme-v02.api.letsencrypt.org/directory \
    --manual-public-ip-logging-ok -d '*.oe7drt.com' -d oe7drt.com
[...]
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/oe7drt.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/oe7drt.com/privkey.pem
This certificate expires on 2024-04-25.
These files will be updated when the certificate renews.

NEXT STEPS:
- This certificate will not be renewed automatically. Autorenewal of --manual certificates requires the use of an authentication hook script (--manual-auth-hook) but one was not provided. To renew this certificate, repeat this same certbot command before the certificate's expiry date.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
```

Also adding my .net domain to the certificate:

```console
$ doas certbot certonly --manual --manual-public-ip-logging-ok \
    --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory \
    -d "*.oe7drt.com" -d "*.oe7drt.net" -d oe7drt.com -d oe7drt.net
```

Note that the wildcard `*.oe7drt.com` only matches names with exactly one label in front of the domain; it does not cover the bare `oe7drt.com` (nor `a.b.oe7drt.com`), which is why the apex names are listed separately with their own `-d`.

Some changes to the apache2 configuration were made:

```apache
MDMember *.oe7drt.com
MDMember *.oe7drt.net
MDCertificateFile /etc/letsencrypt/live/oe7drt.com/fullchain.pem
MDCertificateKeyFile /etc/letsencrypt/live/oe7drt.com/privkey.pem
MDChallengeDns01 /etc/apache2/dns/dns-challenge.phar --
MDCertificateAgreement accepted
MDContactEmail {email_redacted}
MDCAChallenges dns-01
```

It seems Apache likes this:

![cropped output of apache's status website /md-status](./mod-status-certs.png)

This is **currently testing** because I have no idea if mod_md will update these certs itself or if I should run certbot again when it's needed. One caveat from the mod_md documentation: a domain that gets its certificate via `MDCertificateFile`/`MDCertificateKeyFile` is treated as having a static certificate, and mod_md does not renew static certificates itself, so with this setup the renewal stays with certbot. In the meantime I monitor my website with [UptimeKuma](https://github.com/louislam/uptime-kuma), which alerts me on expiring certificates.

The binary (`dns-challenge.phar`) that actually does the DNS challenge is taken from [kategray/dns-challenge-cloudflare](https://github.com/kategray/dns-challenge-cloudflare). Whatever performs the DNS-01 challenge holds credentials that can change your DNS records, so give it a Cloudflare API token scoped to DNS edit permission on just the zones involved rather than the account-wide API key.

An **easier way** to obtain wildcard certificates would be to use **Cloudflare's proxy**. They also issue a second wildcard certificate from another issuer as a backup, so if the first one were compromised they could swap your main cert for the backup cert just with a whoooop.

The certbot commands have been taken from [this article by nabbisen](https://dev.to/nabbisen/let-s-encrypt-wildcard-certificate-with-certbot-plo) at dev.to.
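As an added example (not code from the original post, certbot or mod_md), here is a small POSIX sh checker for the two things this section turns on: whether the names in a certificate actually cover the hostnames you serve (a wildcard matches exactly one label and never the bare apex, hence both `*.oe7drt.com` and `oe7drt.com` in the `-d` list), and whether the certificate file on disk is about to expire, since `--manual` certificates are not renewed by certbot. The SAN lists in the demo are constructed; the expiry check assumes `openssl` is installed and uses the `/etc/letsencrypt/live/oe7drt.com/fullchain.pem` path from the certbot output above.

```sh
#!/bin/sh
# cert_covers NAME HOST: exit 0 if the certificate name NAME (one SAN entry)
# covers HOST the way TLS clients match names: a leading "*." matches exactly
# one label, a wildcard never matches the bare apex, anything else is compared
# literally. Comparison is case-insensitive.
cert_covers() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case $name in
        '*.'*)
            suffix=${name#\*.}
            case $suffix in
                *.*) ;;                 # "*.com"-style wildcards are never valid
                *) return 1 ;;
            esac
            case $host in
                *.*)
                    first=${host%%.*}   # the label the "*" has to stand for
                    rest=${host#*.}     # everything after that first label
                    [ -n "$first" ] && [ "$rest" = "$suffix" ]
                    ;;
                *) return 1 ;;          # no dot in host: cannot match "*.suffix"
            esac
            ;;
        *)
            [ "$name" = "$host" ]
            ;;
    esac
}

# san_covers "NAME NAME ..." HOST: exit 0 if any SAN entry covers HOST.
san_covers() {
    for n in $1; do
        cert_covers "$n" "$2" && return 0
    done
    return 1
}

# uncovered "NAME NAME ..." HOST...: print every HOST that is not covered,
# exit 1 if there was at least one.
uncovered() {
    sans=$1; shift
    rc=0
    for h in "$@"; do
        san_covers "$sans" "$h" || { echo "not covered: $h"; rc=1; }
    done
    return $rc
}

# expiring_within DAYS FILE: exit 0 if the PEM certificate in FILE expires
# within DAYS days. openssl's -checkend takes seconds and exits 0 only when
# the certificate is still valid at that point, so the result is negated.
expiring_within() {
    command -v openssl >/dev/null || { echo "openssl not found" >&2; return 2; }
    ! openssl x509 -in "$2" -noout -checkend $(( $1 * 86400 ))
}

# Demo with constructed SAN lists (not read from a real certificate).
wildcard_only='*.oe7drt.com'
wildcard_and_apex='*.oe7drt.com oe7drt.com *.oe7drt.net oe7drt.net'
uncovered "$wildcard_only" www.oe7drt.com oe7drt.com a.b.oe7drt.com
#   not covered: oe7drt.com
#   not covered: a.b.oe7drt.com
uncovered "$wildcard_and_apex" www.oe7drt.com oe7drt.com weather.oe7drt.net
#   (prints nothing, exit 0)

# Expiry check for the file certbot wrote above (assumed path), 30 days warning.
cert=/etc/letsencrypt/live/oe7drt.com/fullchain.pem
if [ -r "$cert" ] && expiring_within 30 "$cert"; then
    echo "renew $cert: it expires within 30 days"
fi
```

Run the last part from daily cron (or feed it to your monitoring) to get the warning before the `--manual` certificate expires.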
{{< alert >}}
**Update on April 25 2024** I've now seen that no certificate gets renewed automatically.
{{< /alert >}}

The actual certificate got renewed with the command from above (including the .net domain). The output of that command clearly states:

```console
NEXT STEPS:
- This certificate will not be renewed automatically. Autorenewal of --manual certificates requires the use of an authentication hook script (--manual-auth-hook) but one was not provided. To renew this certificate, repeat this same certbot command before the certificate's expiry date.
```

I will execute the same certbot command before the certificate's expiry date the next time to enhance my experience :wink:

**Update**: Another interesting article can be found [there on mzonline.com](https://mzonline.com/blog/2020-11/certbot-manual-mode-script-hooks)

## Get some filesystem information

```console
$ dumpfs /dev/rsd1a
magic   19540119 (FFS2) time    Thu Nov 16 21:14:34 2023
[...] (snip; lots of output...)
```

This can be helpful if you want to know which filesystem you actually use on your OpenBSD box. `mount` shows the type (e.g. `ffs`) of every mounted partition; `dumpfs` additionally tells you whether it is FFS or FFS2 and prints the superblock parameters.

## Create a Win95 FAT32 USB stick

When you `fdisk -iy sd2` (for example) a USB stick, you usually create one single OpenBSD partition at the 4th position. When you then try to `newfs_msdos -F 32 -L Label sd2i` the layout is gone -- happened to me several times until I got fed up and investigated. I don't know why that happened, but I found my way to create USB sticks that actually work with other devices, like my amateur radios that need those fancy microSD cards.
Before you start, make sure `sd2` really is the stick: `sysctl hw.disknames` lists the attached disks and `mount` shows which of them are in use. Everything on the device is gone after the next step.

Delete the first bytes on the stick:

```console
$ doas dd if=/dev/zero bs=1m count=1 of=/dev/rsd2c
```

Create the needed partition:

```console
$ echo -n 'edit 0\n0c\n\n2048\n*\nq\n' | doas fdisk -e sd2
```

(If your shell's `echo` does not interpret `\n`, use `printf` instead.) A short explanation (`\n` is basically a newline; the Enter key):

- `edit 0\n`: edit the first entry (`fdisk -iy sd2` would edit the 4th entry)
- `0c\n`: selects **Win95 FAT32L** (FAT32 with LBA addressing) as the partition type
- `\n`: only hit Enter and use the default _[n]_ when fdisk asks whether to edit in CHS mode
- `2048\n`: start of the partition, in sectors
- `*\n`: special size value meaning the remainder of the disk (like `-1` in many other tools)
- `q\n`: write the MBR and quit the program

This results in a partition table like this:

```console
$ fdisk sd2
Disk: sd2       geometry: 966/255/63 [15523840 Sectors]
Offset: 0       Signature: 0xAA55
            Starting         Ending         LBA Info:
 #: id      C   H   S -      C   H   S [       start:        size ]
-------------------------------------------------------------------------------
 0: 0C      0  32  33 -    966  80  10 [        2048:    15521792 ] Win95 FAT32L
 1: 00      0   0   0 -      0   0   0 [           0:           0 ] Unused
 2: 00      0   0   0 -      0   0   0 [           0:           0 ] Unused
 3: 00      0   0   0 -      0   0   0 [           0:           0 ] Unused
```

whereas `fdisk -iy sd2` creates a table like this:

```console
$ fdisk sd2
Disk: sd2       geometry: 966/255/63 [15523840 Sectors]
Offset: 0       Signature: 0xAA55
            Starting         Ending         LBA Info:
 #: id      C   H   S -      C   H   S [       start:        size ]
-------------------------------------------------------------------------------
 0: 00      0   0   0 -      0   0   0 [           0:           0 ] Unused
 1: 00      0   0   0 -      0   0   0 [           0:           0 ] Unused
 2: 00      0   0   0 -      0   0   0 [           0:           0 ] Unused
*3: A6      0   1   2 -    966  80  10 [          64:    15523776 ] OpenBSD
```

Don't forget to create the file system (the FAT partition shows up as partition `i` in the disklabel):

```console
$ doas newfs_msdos -F 32 -L 8GB_Stick sd2i
```

## Mounting disk images

```console
$ doas vnconfig /dev/vnd0c /path/to/imagefile.img
$ doas mount_msdos /dev/vnd0i ~/mnt/disk
```

## Packages / Ports

### ...because of libraries

> Can't install [package] because of libraries

Updating the installed packages and their dependencies before installing (switch `-U`) does help sometimes:

```console
$ doas pkg_add -uiU
```

That should fix it.
## Python

### ModuleNotFoundError

Install Python modules with pip into your user's site-packages (rather than system-wide):

```console
$ python3 -m pip install --user --upgrade ${example_module}
```

## Rust

### starship prompt

Building this is usually blocked by the rust-battery crate, as there is still no progress on issue [#19](https://github.com/svartalf/rust-battery/issues/19), which probably leads to no progress on issue [#2276](https://github.com/starship/starship/issues/2276). Though, there is a [comment](https://github.com/starship/starship/issues/2276#issuecomment-782818302) that disables the optional features (battery). So the final installation of Starship looks like:

```console
$ cargo install starship --locked --no-default-features
```

The compilation took about 9½ minutes.

## Git

## Cloudlog (server)

Cloudlog is a web application written in PHP that allows radio amateurs to log contacts online. I host my own instance on my server and I finally looked into why I never got satellites shown in SAT Timers.

I use php-fpm and it is running as the user `www`. It is chrooted into `/var/www` and cannot read `/etc/ssl/cert.pem` -- so HTTPS connections cannot be verified and it fails at downloading the satellite info from other websites.

I solved this by copying `/etc/ssl` to `/var/www/etc/ssl` via rsync, keeping file permissions intact. I may set up a cronjob for this.

```console
$ cd /var/www
$ doas rsync -avhzrp /etc/ssl/ etc/ssl
sending incremental file list
created directory etc/ssl
./
cert.pem
ikeca.cnf
openssl.cnf
x509v3.cnf
private/

sent 155.82K bytes  received 133 bytes  311.90K bytes/sec
total size is 344.08K  speedup is 2.21
$ doas rcctl restart php80_fpm
php80_fpm(ok)
php80_fpm(ok)
```

Two things to keep in mind: only the CA bundle `cert.pem` is needed inside the chroot, so there is no reason to mirror `/etc/ssl/private/` (which holds the host's private keys) into `/var/www`, even though rsync preserves its root-only permissions. And the copy goes stale whenever `/etc/ssl/cert.pem` is updated on the host, which is what the cronjob would be for.

## Cloudlog (client)

Use of the online logging tool Cloudlog on my OpenBSD machine.
First off, connect the TX-500 to the computer (CAT cable) and start `rigctld`:

```console
$ rigctld -m 2014 -r /dev/cuaU0 -s 9600 -v
```

I use rig model `2014`, which is actually a Kenwood TS-2000 -- on OpenBSD hamlib is currently at version 4.4 and the TX-500 is only supported from [version 4.5](https://github.com/Hamlib/Hamlib/blob/master/NEWS#L199) on. For newer hamlib versions (≥4.5) use rig model 2050:

```console
$ rigctld -m 2050 -r /dev/cuaU0 -s 9600 -v
```

In combination with a Digirig I would probably use something like this, because otherwise the Digirig would instantly key the transceiver:

```console
$ rigctld -m 2014 -r /dev/cuaU0 -s 9600 --set-conf=rts_state=OFF -v
```

Well, I tested this on my desk at home but never used my laptop for doing digital modes with my TX-500 -- I want this noted here just in case I should need it someday.

On another terminal start [`cloudlogbashcat.sh`](https://github.com/g0wfv/CloudlogBashCat):

```console
$ cloudlogbashcat.sh
```

Now open the website of your Cloudlog installation (assuming you have set up your rigs) and select the radio that uses cloudlogbashcat.

![cloudlog radio selection dialog](radio-settings-cloudlog.png "You can select your pre-defined radio in the Live QSO tab")

## Z-Shell

### Where is this alias defined?

I defined an alias `ls` but I forgot where. Starting an interactive zsh with tracing on and a `PS4` that prints the source file (`%x`) and line number (`%I`) shows it:

```console
$ PS4='+%x:%I>' zsh -i -x -c '' |& grep ls
```

There will probably be a lot of screen output.

### Renaming multiple directories

```console
$ count=1; zmv -n '*' '$f[1,4]/$((count++))-$f[12,-1]'
mv -- 2023-08-05-problems-with-apt-keys-on-my-hotspots 2023/51-problems-with-apt-keys-on-my-hotspots
mv -- 2023-08-26-dmrhost-on-a-raspberrypi4-with-openbsd-or-freebsd 2023/52-dmrhost-on-a-raspberrypi4-with-openbsd-or-freebsd
mv -- 2023-09-16-openbsd-current-built-from-source 2023/53-openbsd-current-built-from-source
```

This moves the subdirectories into another folder structure with a counting variable: `$f[1,4]` is the year taken from the old name and `$f[12,-1]` is the name without the leading `YYYY-MM-DD-`. `-n` only prints what would be done; drop it to actually rename.
```console
$ count=16; zmv -Q '*(/)' '$((count++))-$f[12,-1]'
mv -- 2021-08-08-win10-grub2-and-uefi 16-win10-grub2-and-uefi
mv -- 2021-08-12-running-n1mm-logger-on-linux 17-running-n1mm-logger-on-linux
mv -- 2021-10-03-winlink-and-vara-on-linux 18-winlink-and-vara-on-linux
mv -- 2021-10-03-wordlist-generation 19-wordlist-generation
mv -- 2021-10-26-processes-accessing-mountpoints 20-processes-accessing-mountpoints
```

That was the second part, counting on from where we stopped in the previous directory. `-Q` enables glob qualifiers, so `*(/)` matches directories only.

There was a draft post left in `2022` which I deleted, so I had to renumber the folders `29-*` to `34-*` to a number lower by 1:

```console
$ for i in {29..34}; do zmv -n -W $i'*' $((--i))'*'; done
mv -- 29-using-nfs-on-a-raspberry-pi 28-using-nfs-on-a-raspberry-pi
mv -- 30-vpn-tunnel-into-hamnet-on-fedora-36 29-vpn-tunnel-into-hamnet-on-fedora-36
mv -- 31-winlink-on-linux-fix-invalid-handle-on-logfiles 30-winlink-on-linux-fix-invalid-handle-on-logfiles
mv -- 32-hamnet-on-the-pfsense 31-hamnet-on-the-pfsense
mv -- 33-changing-network-metrics-on-linux 32-changing-network-metrics-on-linux
mv -- 34-change-git-submodule-url 33-change-git-submodule-url
```

So, there is still one post left that is actually a draft post, and I'd like to remove the leading number from that directory:

```console
$ zmv -n -W '59-*' '*'
mv -- 59-pat-winlink-on-openbsd pat-winlink-on-openbsd
```

## Neovim

### Update plugins that use `make`

GNU make and BSD make are not compatible, and it is kind of annoying when people assume everybody has the same tools installed to compile software on their boxes. In this example I often get errors when I try to update plugins from within AstroNvim, a plugin-packaged Neovim configuration framework.
- Open Neovim and initiate the update procedure (space, p, a)
- Remember in which folders the errors occur
- Visit those folders and edit the file `Makefile` (usually)
- In `Makefile` replace `make` with `gmake` (you need that installed: `pkg_add gmake`)
- Run the update procedure again

If that does not work, it is mostly a submodule. You can try to update and compile by hand: switch to the folder, replace `make` with `gmake` and finally run `gmake` in that folder. That produces a compiled output (a library) which the update procedure picks up at the next run; the submodule is usually ignored unless the main repo has new commits in its tree. You may then stash the local changes and re-run the update procedure.

## Concatenate sound files (.wav)

```console
$ sox *.wav one-big-soundfile.wav
```

`cat *.wav > bigfile.wav` "works" too, but differently: `cat` just appends the raw bytes, so every file's WAV header ends up inside the data of the output and the first header's length no longer matches the file. `sox` decodes each input and writes a single file with one correct header, with the audio of one file following the other.

## Manual page sections

| Section | Description               |
| :------ | :------------------------ |
| 1       | General Commands          |
| 2       | System Calls              |
| 3       | Library Functions         |
| 3p      | Perl Library              |
| 4       | Device Drivers            |
| 5       | File Formats              |
| 6       | Games                     |
| 7       | Miscellaneous Information |
| 8       | System Manager's Manual   |
| 9       | Kernel Developer's Manual |