Hetzner is a very popular provider for so-called root servers and VPS (Virtual Private Servers) located in Germany with data centers in Germany and Finland. They are quite affordable and have good services as well. The default installation image, sorry Hetzner, is crap (i.e. no logical volumes). The rescue system is not only a nice tool to recover from botched system configurations, but it also comes with an image installer which allows users to install a custom system. The default …
Category: Infrastructure
Renew Letsencrypt certificates for Red Hat Satellite 6 and Capsule
Letsencrypt certificates are valid for only three months. The procedure to renew x509 certificates in Red Hat Satellite 6 is not so straightforward, and it's even more complex for Capsule servers. In an earlier post I wrote about how to set up a Satellite 6 and a capsule using Letsencrypt certificates. This post is a follow-up on that. Be aware: You must follow this procedure before the certificate expires or the Satellite simply stops working, all …
OpenID and SAML authentication with Keycloak and FreeIPA
Not every web application can handle Kerberos SSO, but some provide OpenID and/or SAML. This is where Keycloak comes into the game. You can use Keycloak to federate users from different sources. This guide shows how to integrate Keycloak and FreeIPA to authenticate users in WordPress. On clients that are enrolled in IPA, this even works without a password; a Kerberos ticket is good enough to log in. What is Keycloak Keycloak is the upstream project for Red Hat SSO. …
Installing Red Hat Satellite 6 with Letsencrypt certificates
Red Hat Satellite 6 is a nice tool for system life cycle management. It can get complex and even installation is sometimes tricky. This article is about how to install Satellite; it does not explain the principles and concepts behind it. Requirements A valid subscription for the Satellite (and optionally for the capsule). The system requirements are listed here. There is one important thing the install guide is missing: Satellite 6.4 will not work in IPv6-only environments. There must …
Using MTA-STS to enhance email transport security and privacy
Overview SMTP is broken by design. It comes from a time when communication partners trusted each other and the NSA was intercepting facsimiles and phone calls instead of internet traffic. To enhance privacy, in 2002 RFC 3208 was added to the SMTP protocol. Unfortunately STARTTLS is only optional; it is not allowed to only accept encrypted connections. The RFC states: A publicly-referenced SMTP server MUST NOT require the use of the STARTTLS extension in order to deliver mail locally. That …
Centrally manage SELinux user mapping with (Free)IPA
SELinux allows confining users with SELinux user mappings. This article covers some basics about the confinement of users and shows how to manage them in a central way with the help of (Free)IPA. It will greatly enhance your system's security. SELinux is available and enabled on all Red Hat based distributions such as RHEL, CentOS and Fedora. For the basics please have a look at article. Before proceeding with the examples in this article: ensure your system is running in …
Using modern Protocols like HTTP/2 and QUIC
First there was HTTP, then HTTP/2 and now HTTP/2 over the QUIC protocol. Let's have a look at the available HTTP clients and servers that support HTTP/2 and the experimental QUIC protocol. Introduction The Hypertext Transfer Protocol (HTTP) was invented in 1991. Until 2015 there was little to no evolution. In 2015 the HTTP/2 protocol was defined as a standard. HTTP/2 is much more efficient than its ancestors. It features multiplexing, stream prioritization, binary transmission and much …
Upgrading Redhat Satellite 5.7 to 5.8
A couple of days ago, Redhat released its latest and last major upgrade for Satellite 5.x. It's a rather important upgrade; you are advised to upgrade soon. This upgrade contains some major improvements, as stated in an earlier article. Disclaimer I’m not responsible for any damage caused by the procedure provided here. Always create a backup before even thinking about upgrading a Satellite server. Preparation As always when you plan to upgrade your Satellite server to the latest version, you need …