October 2021 - Page 2 of 2

keytools add new alias to keystor (jceks) and delete old

Posted on October 13, 2021February 25, 2023 by soban

Java Keytool is a command-line tool that is used for managing cryptographic keys, certificates, and keystores in Java-based applications. In Linux, Java Keytool is often used for managing SSL/TLS certificates and securing web applications that run on Java-based servers like Tomcat, GlassFish, and JBoss.

Some of the key features of Java Keytool in Linux include:

Generating key pairs: Java Keytool can be used to generate key pairs, which are used for encryption, decryption, and digital signatures.
Importing and exporting certificates: Java Keytool can import and export certificates, which are used for verifying the authenticity of digital signatures and ensuring secure communications.
Managing keystores: Java Keytool can create, modify, and delete keystores, which are containers for cryptographic keys and certificates.
Configuring SSL/TLS: Java Keytool can be used to configure SSL/TLS connections for Java-based web applications, which are essential for securing data communications.

Some of the most commonly used Java Keytool commands in Linux include:

keytool -genkeypair: This command is used to generate a new key pair.
keytool -import: This command is used to import a certificate into a keystore.
keytool -list: This command is used to list the contents of a keystore.
keytool -delete: This command is used to delete a key or certificate from a keystore.

Overall, Java Keytool is an important tool for managing cryptographic keys and certificates in Java-based applications in Linux, and it is essential for securing web applications and ensuring the privacy and integrity of sensitive information.

Before we begin make copy of old keystor like this:

$ cp /path/to/keystore.jceks cp /path/to/keystore.jceks.backup.$(date +%F)

1	$ cp /path/to/keystore.jceks cp /path/to/keystore.jceks.backup.$(date +%F)

and then we can remove alias:

$ /opt/java/bin/keytool -delete -alias name_alias  -keystore /path/to/keystore.jceks -storetype JCEKS

1	$ /opt/java/bin/keytool -delete -alias name_alias -keystore /path/to/keystore.jceks -storetype JCEKS

when you gonna add new alias by keytool:

$ /opt/java/bin/keytool -import -file /path/to/cert.pem  -alias mc -keystore /path/to/keystore.jceks

1	$ /opt/java/bin/keytool -import -file /path/to/cert.pem -alias mc -keystore /path/to/keystore.jceks

To be sure, you can check it and see more information like date or fingerprint:

$ /opt/java/bin/keytool -list -keystore /path/to/keystore.jceks -storetype JCEKS -v | less

1	$ /opt/java/bin/keytool -list -keystore /path/to/keystore.jceks -storetype JCEKS -v \| less

When sometings go wrong, you can also copy backup file.

Good luck!

Checking the disk for errors and bad sectors

Posted on October 12, 2021October 12, 2021 by soban

This script helps to notify me by e-mail about the condition of the disk. Remember to indicate the disk accordingly – in this case it is “/dev/sda” and change the e-mail address from “soban@soban.pl” to your own. Save the script in “/root/checkbadsector.sh“:

#!/bin/bash
date > /root/badsectortest.txt
badblocks /dev/sda -v &>> /root/badsectortest.txt
hoursworkhdd=`smartctl --all /dev/sda | grep Power_On_Hours | awk '{print $10}'`
dayworkhdd=`expr $hoursworkhdd / 24`
yesworkhdd=`expr $dayworkhdd / 366`
echo -e "Hours working hdd:" >> /root/badsectortest.txt
echo -e $hoursworkhdd >> /root/badsectortest.txt
echo -e "Days working hdd:" >> /root/badsectortest.txt
echo -e $dayworkhdd >> /root/badsectortest.txt
echo -e "Years working hdd:" >> /root/badsectortest.txt
echo -e $yesworkhdd >> /root/badsectortest.txt
date >> /root/badsectortest.txt
cat /root/badsectortest.txt | /usr/bin/mail -s "badsector - `date`" soban@soban.pl

#!/bin/bash

date > /root/badsectortest.txt

badblocks /dev/sda -v &>> /root/badsectortest.txt

hoursworkhdd=`smartctl --all /dev/sda | grep Power_On_Hours | awk '{print $10}'`

dayworkhdd=`expr $hoursworkhdd / 24`

yesworkhdd=`expr $dayworkhdd / 366`

echo -e "Hours working hdd:" >> /root/badsectortest.txt

echo -e $hoursworkhdd >> /root/badsectortest.txt

echo -e "Days working hdd:" >> /root/badsectortest.txt

echo -e $dayworkhdd >> /root/badsectortest.txt

echo -e "Years working hdd:" >> /root/badsectortest.txt

echo -e $yesworkhdd >> /root/badsectortest.txt

date >> /root/badsectortest.txt

cat /root/badsectortest.txt | /usr/bin/mail -s "badsector - `date`" soban@soban.pl

You can also download it from https://soban.pl/bash/checkbadsector.sh:

# cd
# wget https://soban.pl/bash/checkbadsector.sh

1 2	# cd # wget https://soban.pl/bash/checkbadsector.sh

Remember to grant permission to perform it:

# chmod +x /root/checkbadsector.sh

1	# chmod +x /root/checkbadsector.sh

On my server I added it once a month so that it would be performed periodically in the crontab:

# crontab -l | grep checkbadsector
30 17 20 * * /root/checkbadsector.sh > /dev/null 2>&1

1 2	# crontab -l \| grep checkbadsector 30 17 20 * * /root/checkbadsector.sh > /dev/null 2>&1

You should receive an email similar to the one below:

Good luck and I wish you no errors!

Error on Oracle Linux 7 rpmdb: BDB0113

Posted on October 12, 2021October 12, 2021 by soban

Sometimes on Oracle Linux there is problem, when you try use “yum” and get error like this:

# yum update

error: rpmdb: BDB0113 Thread/process 16934/140571185240320 failed: BDB1507 Thread died in Berkeley DB library

error: db5 error(-30973) from dbenv->failchk: BDB0087 DB_RUNRECOVERY: Fatal error, run database recovery

error: cannot open Packages index using db5 -  (-30973)

error: cannot open Packages database in /var/lib/rpm

CRITICAL:yum.main:

 

Error: rpmdb open failed

# yum update

error: rpmdb: BDB0113 Thread/process 16934/140571185240320 failed: BDB1507 Thread died in Berkeley DB library

error: db5 error(-30973) from dbenv->failchk: BDB0087 DB_RUNRECOVERY: Fatal error, run database recovery

error: cannot open Packages index using db5 - (-30973)

error: cannot open Packages database in /var/lib/rpm

CRITICAL:yum.main:

Error: rpmdb open failed

The fixing of this problem, you can try rebuild db:

# rpm --rebuilddb

1	# rpm --rebuilddb

And then should work:

# yum update

1	# yum update

That’s all!

Check DNS and more information about domain

Posted on October 12, 2021October 12, 2021 by soban

The best way to check information about domain and DNS configuration is “whois” and “dig”. This tools can provide a lot of informations. Lets try use it. First we must check that package is installed.
I have already installed “dig”:

# which dig
/usr/bin/dig

1 2	# which dig /usr/bin/dig

In debian, you can use “dpkg -S”

# dpkg -S /usr/bin/dig
dnsutils: /usr/bin/dig

1 2	# dpkg -S /usr/bin/dig dnsutils: /usr/bin/dig

if you don’t have it then you should install:

# apt install dnsutils

1	# apt install dnsutils

Now we can check “dig” in “soban.pl” domain:

The same case in “whois”:

# which dig
/usr/bin/dig

1 2	# which dig /usr/bin/dig

Check what package provide:

# dpkg -S /usr/bin/whois
whois: /usr/bin/whois

1 2	# dpkg -S /usr/bin/whois whois: /usr/bin/whois

And if you don’t have it, then install:

# which dig
/usr/bin/dig

1 2	# which dig /usr/bin/dig

In debian, you can use “dpkg -S”

# dpkg -S /usr/bin/dig
dnsutils: /usr/bin/dig

1 2	# dpkg -S /usr/bin/dig dnsutils: /usr/bin/dig

if you don’t have it then you should install:

# apt install dnsutils

1	# apt install dnsutils

Now we can check “dig” on “soban.pl” domain:

The same case in “whois”:

# which dig
/usr/bin/dig

1 2	# which dig /usr/bin/dig

Check what package provide:

# dpkg -S /usr/bin/whois
whois: /usr/bin/whois

1 2	# dpkg -S /usr/bin/whois whois: /usr/bin/whois

And if you don’t have it, then install:

# apt install whois

1	# apt install whois

As you can see, the domain “soban.pl” is currently using cloudflare DNS – which I highly recommend.

Pointing DNS to a different IP address

Posted on October 11, 2021October 11, 2021 by soban

Sometimes it is necessary to change the DNS name indication to a different IP address. As you can see in the example below, google.com currently points to:

To change google.com indication to, for example – 37.187.101.239, edit the file: “/etc/resolv.conf” as root:

# cat /etc/resolv.conf
google.com 37.187.101.239

1 2	# cat /etc/resolv.conf google.com 37.187.101.239

After making this change, the effect is as follows:

Windows as you see there is similar situation:

File must be edited as administrator “C:\Windows\System32\drivers\etc\hosts”:

After saving the file, the effect is as follows:

Automatic update of the Debian Linux test environment

Posted on October 8, 2021October 8, 2021 by soban

A convenient way to maintain the test environment is automatic updating.
However, remember to set the backup, e.g. the day before – I always set it like that in proxmoxe.
The script that updates the Debian system looks like this:

# cat /root/update.sh
#!/bin/bash
apt-get update
apt-get upgrade -q -y
apt-get autoremove -y -q
rm -rf /var/cache/apt/archives/*.deb

# cat /root/update.sh

#!/bin/bash

apt-get update

apt-get upgrade -q -y

apt-get autoremove -y -q

rm -rf /var/cache/apt/archives/*.deb

You can download the script from:

$ cd /root/
$ wget https://soban.pl/bash/update.sh

1 2	$ cd /root/ $ wget https://soban.pl/bash/update.sh

The script cleans unnecessary deb files after the update.
Keep in mind the permissions and capabilities of the script:

# chmod +x /root/update.sh

1	# chmod +x /root/update.sh

In crontab, I set the day after automatic backup in proxmoxe:

10 4 * * 3 /root/update.sh > /dev/null 2>&1

1	10 4 * * 3 /root/update.sh > /dev/null 2>&1

Of course, the script can be added in the production environment, but it should not be added to the crontab.

E-mail notification about new updates Proxmox

Posted on October 8, 2021October 8, 2021 by soban

This script send you e-mail notification about new updates:

# cat /root/check_update.sh
#!/bin/bash
email=soban@soban.pl
hostnam=`hostname`
apt-get update
# sometimes change number of lines (for example proxmox 4.4 - 4; proxmox 5 - 5)
if [ `apt-get --just-print upgrade | wc -l` != 5 ]
then
        apt-get --just-print upgrade |  mail -s "Update checker $hostnam" $email
fi

# cat /root/check_update.sh

#!/bin/bash

email=soban@soban.pl

hostnam=`hostname`

apt-get update

# sometimes change number of lines (for example proxmox 4.4 - 4; proxmox 5 - 5)

if [ `apt-get --just-print upgrade | wc -l` != 5 ]

then

apt-get --just-print upgrade | mail -s "Update checker $hostnam" $email

You can download the script from:

$ cd /root/
$ wget https://soban.pl/bash/check_update.sh

1 2	$ cd /root/ $ wget https://soban.pl/bash/check_update.sh

You should set the correct e-mail address in the script, for now it is soban@soban.pl
Notification it’s looks something like that:

Should the script be executed:

# chmod +x /root/check_update.sh

1	# chmod +x /root/check_update.sh

Also added to the crontab, every day to extend a new update:

00 06 * * * /root/check_update.sh > /dev/null 2>&1

1	00 06 * * * /root/check_update.sh > /dev/null 2>&1

Remember don’t to upgrade your system on Friday! Good luck!

Upgrade Debian GNU/Linux 10 (buster) to 11 (bullseye)

Posted on October 1, 2021October 12, 2021 by soban

Before we start upgrading the Debian system version, please make a snapshot or a possible backup of the system. Such a change entails significant changes that can damage the system. Of course, before you upgrade the system in production, it is best to upgrade to the testing environment first. The upgrade process affects the entire system. Services may not be available at this time. If the system is doing the hosting for your website then it may not be available!

Always bear in mind that the production environment is different from test environment, so I recommend that you do it carefully. A good practice is to keep a time interval between the upgrade of test and production environment, in my case it is a week. Remember not to make changes to production on Friday!

This is how we check the version of the system:

And now, we going to update OS, but before we do that – we will make copy of:

cp /etc/apt/sources.list /root/sources.list_buster

1	cp /etc/apt/sources.list /root/sources.list_buster

There is sorces setup for buster:

# cat /etc/apt/sources.list
deb http://ftp.debian.org/debian buster main contrib
deb http://ftp.debian.org/debian buster-updates main contrib
deb http://security.debian.org buster/updates main contrib
deb http://nginx.org/packages/debian/ buster nginx
deb-src http://nginx.org/packages/debian/ buster nginx

# cat /etc/apt/sources.list

deb http://ftp.debian.org/debian buster main contrib

deb http://ftp.debian.org/debian buster-updates main contrib

deb http://security.debian.org buster/updates main contrib

deb http://nginx.org/packages/debian/ buster nginx

deb-src http://nginx.org/packages/debian/ buster nginx

Before we upgrade the debian system version to 11, we need to do a full upgrade:

# apt update && apt upgrade -q -y && apt dist-upgrade -q -y && apt autoremove -y -q

1	# apt update && apt upgrade -q -y && apt dist-upgrade -q -y && apt autoremove -y -q

Then we use sed to replace “buster” on “bullseye”:

# sed -i 's/buster/bullseye/g' /etc/apt/sources.list

1	# sed -i 's/buster/bullseye/g' /etc/apt/sources.list

There here’s the effect:

# cat /etc/apt/sources.list

1	# cat /etc/apt/sources.list

To be sure, we will do a comparison of the backed up file:

And then we can do update:

# apt update && apt upgrade -q -y && apt dist-upgrade -q -y && apt autoremove -y -q

1	# apt update && apt upgrade -q -y && apt dist-upgrade -q -y && apt autoremove -y -q

So that it is not too easy, to start the task in the form of:

Specifically about this error:

Err:5 http://security.debian.org bullseye/updates Release
  404  Not Found [IP: 199.232.150.132 80]
Reading package lists... Done
E: The repository 'http://security.debian.org bullseye/updates Release' does not have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

Err:5 http://security.debian.org bullseye/updates Release

404 Not Found [IP: 199.232.150.132 80]

Reading package lists... Done

E: The repository 'http://security.debian.org bullseye/updates Release' does not have a Release file.

N: Updating from such a repository can't be done securely, and is therefore disabled by default.

N: See apt-secure(8) manpage for repository creation and user configuration details.

To fix it, use any editor on the file (vi in my case):

# vi /etc/apt/sources.list

1	# vi /etc/apt/sources.list

We remove line 4 – “deb http://security.debian.org buster/updates main contrib” as you can see, we go out and save :

Of course, any other editor like nano is also good for this case.
The contents of the /etc/apt/sources.list file now looks like this:

# cat /etc/apt/sources.list
deb http://ftp.debian.org/debian bullseye main contrib
deb http://ftp.debian.org/debian bullseye-updates main contrib
deb http://nginx.org/packages/debian/ bullseye nginx
deb-src http://nginx.org/packages/debian/ bullseye nginx

# cat /etc/apt/sources.list

deb http://ftp.debian.org/debian bullseye main contrib

deb http://ftp.debian.org/debian bullseye-updates main contrib

deb http://nginx.org/packages/debian/ bullseye nginx

deb-src http://nginx.org/packages/debian/ bullseye nginx

We can try to update the system again:

# apt update && apt upgrade -q -y && apt dist-upgrade -q -y && apt autoremove -y -q

1	# apt update && apt upgrade -q -y && apt dist-upgrade -q -y && apt autoremove -y -q

Now you need get some the system upgrade process has started. You can go for a coffee, or not 😉
There will be questions.
And more information, albout apt listchanges:

Just press ‘q’ and enter.

In this case we press enter.

Services to restart:

Enter agien.

This is question, about ssh deamon configuration:

In my case, I press enter because I don’t want to make changes to its configuration.

If all went well, we can reboot the system:

# reboot

# reboot

Now check the system:

Congratulations, we are on the new version of the system!
At this point, we can verify all services, for example whether the website is working properly. If it is OK, upgrade the production environment.

In my cases, I have problem PHP new version.
PHP have no persmision on nginx to user – when I try enter to page:

# tail -f /var/log/nginx/error-*.log 
unix:/var/run/php/php-fpm.sock failed (13: Permission denied)

1 2	# tail -f /var/log/nginx/error-*.log unix:/var/run/php/php-fpm.sock failed (13: Permission denied)

So we need to fix that in this way:

# service php7.4-fpm status
* php7.4-fpm.service - The PHP 7.4 FastCGI Process Manager
     Loaded: loaded (/lib/systemd/system/php7.4-fpm.service; enabled; vendor preset: enabled)
     Active: active (running) since Fri 2021-10-01 14:59:14 CEST; 3min 28s ago
       Docs: man:php-fpm7.4(8)
    Process: 289 ExecStartPost=/usr/lib/php/php-fpm-socket-helper install /run/php/php-fpm.sock /etc/php/7.4/fpm/pool.d/www.conf 74 (code=exited, status=0/S>
   Main PID: 116 (php-fpm7.4)
     Status: "Processes active: 0, idle: 2, Requests: 0, slow: 0, Traffic: 0req/sec"
        CPU: 364ms
     CGroup: /system.slice/php7.4-fpm.service
             |-116 php-fpm: master process (/etc/php/7.4/fpm/php-fpm.conf)
             |-287 php-fpm: pool www
             `-288 php-fpm: pool www

Oct 01 14:59:11 soban-pl systemd[1]: Starting The PHP 7.4 FastCGI Process Manager...
Oct 01 14:59:14 soban-pl systemd[1]: Started The PHP 7.4 FastCGI Process Manager.

# service php7.4-fpm status

* php7.4-fpm.service - The PHP 7.4 FastCGI Process Manager

Loaded: loaded (/lib/systemd/system/php7.4-fpm.service; enabled; vendor preset: enabled)

Active: active (running) since Fri 2021-10-01 14:59:14 CEST; 3min 28s ago

Docs: man:php-fpm7.4(8)

Process: 289 ExecStartPost=/usr/lib/php/php-fpm-socket-helper install /run/php/php-fpm.sock /etc/php/7.4/fpm/pool.d/www.conf 74 (code=exited, status=0/S>

Main PID: 116 (php-fpm7.4)

Status: "Processes active: 0, idle: 2, Requests: 0, slow: 0, Traffic: 0req/sec"

CPU: 364ms

CGroup: /system.slice/php7.4-fpm.service

|-116 php-fpm: master process (/etc/php/7.4/fpm/php-fpm.conf)

|-287 php-fpm: pool www

`-288 php-fpm: pool www

Oct 01 14:59:11 soban-pl systemd[1]: Starting The PHP 7.4 FastCGI Process Manager...

Oct 01 14:59:14 soban-pl systemd[1]: Started The PHP 7.4 FastCGI Process Manager.

There is something wrong with the permissions:

# grep www-data /etc/php/7.4/fpm/pool.d/www.conf
user = www-data
group = www-data
listen.owner = www-data
listen.group = www-data

# grep www-data /etc/php/7.4/fpm/pool.d/www.conf

user = www-data

group = www-data

listen.owner = www-data

listen.group = www-data

Let’s make some backup:

# cp /etc/php/7.4/fpm/pool.d/www.conf /etc/php/7.4/fpm/pool.d/www.conf.backup.$(date +%F)

1	# cp /etc/php/7.4/fpm/pool.d/www.conf /etc/php/7.4/fpm/pool.d/www.conf.backup.$(date +%F)

I will replace www-data to nginx:

# sed -i 's/www-data/nginx/g' /etc/php/7.4/fpm/pool.d/www.conf

1	# sed -i 's/www-data/nginx/g' /etc/php/7.4/fpm/pool.d/www.conf

Now it’s looks better:

# grep nginx /etc/php/7.4/fpm/pool.d/www.conf
user = nginx
group = nginx
listen.owner = nginx
listen.group = nginx

# grep nginx /etc/php/7.4/fpm/pool.d/www.conf

user = nginx

group = nginx

listen.owner = nginx

listen.group = nginx

And restart services:

# service php7.4-fpm restart

1	# service php7.4-fpm restart

Also checking status:

Another problem is that, mariadb was removed, so I install it agien:

# apt-get install mariadb-server mariadb-client -y

1	# apt-get install mariadb-server mariadb-client -y

and that resolved all my problems.

To be 100% sure, I reloaded the entire machine.