Simple File sharing...

Scarpozzi

Lifer
Jun 13, 2000
26,392
1,780
126
I am trying to configure some Linux clients that are locked images. I hit a snag because the kiosks are requiring Firefox to import root certificates to view the sites I'm using. The certificate authority is only sharing root certificates through Salesforce so I need a simple http server to host them.

Just about every solution my organization uses won't work because the links resolve a downloader app. Our primary web server is using a CMS application that won't accept anything other than HTML code.

I thought about using SharePoint or Google Drive, but I think they have similar issues as above. Anyone know of a good file host that's free and indefinite? I probably have a few base64s and PEMs that need to be parked.
 

ultimatebob

Lifer
Jul 1, 2001
25,134
2,450
126
Can't you just upload the .pem files to the http server and pull them using a script with wget commands on the kiosks to put them in whatever directory they need to go to? I mean, Firefox must store them somewhere.
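The pull-and-install step ultimatebob describes, written out as an added example (not from the thread): fetch the PEM from the temporary HTTP host, refuse anything that is not a certificate or whose SHA-256 does not match a value pinned from the CA's portal, then drop it into the system store and tell Firefox about it through an enterprise policy. The CA directory, `update-ca-certificates` and the Firefox `policies.json` location are assumptions for a Debian-family kiosk.

```shell
#!/bin/sh
# Added example: install a CA root pulled over plain HTTP onto a Linux kiosk.
# Plain HTTP gives no integrity, so the expected SHA-256 is pinned out of band.
set -eu

CA_DIR=/usr/local/share/ca-certificates   # assumed: Debian-family CA store
FF_POLICY_DIR=/etc/firefox/policies       # assumed: Firefox policies.json dir

# A PEM certificate carries both markers; an HTML error page or a
# downloader stub served by the CMS does not, and is rejected up front.
looks_like_pem() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
    grep -q -- '-----END CERTIFICATE-----' "$1"
}

# verify_sha256 FILE EXPECTED_HEX: byte-for-byte match against the pinned hash.
verify_sha256() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# Firefox's Certificates.Install policy takes absolute paths to PEM/DER
# files and imports them as trusted roots for every profile on the box.
write_firefox_policy() {
    mkdir -p "$FF_POLICY_DIR"
    printf '{\n  "policies": {\n    "Certificates": {\n      "ImportEnterpriseRoots": true,\n      "Install": ["%s"]\n    }\n  }\n}\n' "$1" \
        > "$FF_POLICY_DIR/policies.json"
}

# install_root_cert URL EXPECTED_SHA256 [NAME]
install_root_cert() {
    url=$1; expected=$2; name=${3:-corp-root}
    tmp=$(mktemp)
    wget -q -O "$tmp" "$url"
    looks_like_pem "$tmp" || { echo "not a PEM certificate: $url" >&2; rm -f "$tmp"; return 1; }
    verify_sha256 "$tmp" "$expected" || { echo "hash mismatch for $url" >&2; rm -f "$tmp"; return 1; }
    install -m 0644 "$tmp" "$CA_DIR/$name.crt"
    rm -f "$tmp"
    update-ca-certificates                # assumed: Debian-family tool
    write_firefox_policy "$CA_DIR/$name.crt"
}

# Usage: sh install-root.sh http://host/corp-root.pem <sha256 from the CA portal>
if [ "$#" -ge 2 ]; then
    install_root_cert "$1" "$2" "${3:-corp-root}"
fi
```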
 

[DHT]Osiris

Lifer
Dec 15, 2015
17,410
16,709
146
You should have some kind of configuration management system (chef, puppet, etc) to deliver the certs to the system's store, doing this through web garbage is just going to lead to a headache.

Quit using a screwdriver as a hammer.
 

Scarpozzi

Lifer
Jun 13, 2000
26,392
1,780
126
I'm going to flip these systems to Windows probably....then hand them off to our IT Dept. Just trying to fix a problem for now. I realized I have access to a remote server I can use...just not working.
 

ultimatebob

Lifer
Jul 1, 2001
25,134
2,450
126
> You should have some kind of configuration management system (chef, puppet, etc) to deliver the certs to the system's store, doing this through web garbage is just going to lead to a headache.
>
> Quit using a screwdriver as a hammer.

Depending on how hard he locked them down, installing something like the Chef client might not be an option. But, yeah, that would be ideal.
 

[DHT]Osiris

Lifer
Dec 15, 2015
17,410
16,709
146
> Depending on how hard he locked them down, installing something like the Chef client might not be an option. But, yeah, that would be ideal.
In that case, and assuming this is as temporary as he claims, I'd just do it manually. It sucks but hand jamming 50 computers might be faster.
 

Red Squirrel

No Lifer
May 24, 2003
70,712
13,850
126
www.anyf.ca
So if you host a local HTTP server and try to go to it, it does not work? I wonder if they are using some kind of proxy or doing some stuff with DNS so computer hostnames don't actually resolve to the computer. At my work they do this weird thing where computer host names do not resolve to the computer's IP, so if you need to access a computer directly you need to type the IP, but the proxy does not allow direct IP access, so you need to make an exception in the browser for IP ranges to not use the proxy. I just put 10.1.1.1/8 as an exception, since as long as it does not need to leave the corporate network it won't need to go through the proxy anyway. If it has to leave the corporate network then yeah it will be blocked because you have to go through proxy.

My workplace is a shit show when it comes to certificates, some apps have expired certs, some apps for whatever reason keep changing the cert etc... so you constantly need to deal with browser warnings. There is this one app that for half of us does not even work at all because if you accept the certificate then it's invalid and the browser just refuses to load it. And once you click yes it's too late, you can't go back. I've brought that up many times where they should just set up a local CA and put the root cert in the browser, but it falls on deaf ears. At the very least, they should just make self-signed certs that have a 100 year expiry or something.
 

ultimatebob

Lifer
Jul 1, 2001
25,134
2,450
126
> So if you host a local HTTP server and try to go to it, it does not work? I wonder if they are using some kind of proxy or doing some stuff with DNS so computer hostnames don't actually resolve to the computer. At my work they do this weird thing where computer host names do not resolve to the computer's IP, so if you need to access a computer directly you need to type the IP, but the proxy does not allow direct IP access, so you need to make an exception in the browser for IP ranges to not use the proxy. I just put 10.1.1.1/8 as an exception, since as long as it does not need to leave the corporate network it won't need to go through the proxy anyway. If it has to leave the corporate network then yeah it will be blocked because you have to go through proxy.
>
> My workplace is a shit show when it comes to certificates, some apps have expired certs, some apps for whatever reason keep changing the cert etc... so you constantly need to deal with browser warnings. There is this one app that for half of us does not even work at all because if you accept the certificate then it's invalid and the browser just refuses to load it. And once you click yes it's too late, you can't go back. I've brought that up many times where they should just set up a local CA and put the root cert in the browser, but it falls on deaf ears. At the very least, they should just make self-signed certs that have a 100 year expiry or something.

I don't know about where you work, but my office has a bunch of compliance policies that require us to renew our certs annually.
 

Scarpozzi

Lifer
Jun 13, 2000
26,392
1,780
126
I used to serve as a VP for Info Tech for a nonprofit. I still had access to the hosted site we used and was able to shuffle a cert chain pem up to the site. That solved the problem I was having so I could continue troubleshooting. That allowed me to find a bad rule in my config files that was keeping the SSL from working to start with on the client. I was able to fix the problem and then abandon the http site.

Red...my issue was just time investment. I didn't want to get into apache or other simple web server app because it would need to be persistent and I don't want to support more crap. My new office only has one active network jack, so while I was testing this client I was swapping my network cable back and forth from my workstation. I just switched jobs and inherited a bunch of stuff that the last guy did. I'm having to learn all the solutions he picked. If I had more server access, I would streamline a lot of things, but I'm not going to go down that road. I'm going to try to navigate things within the confines of my limited access and be less of an innovator....just so I don't get stuck supporting infrastructure I could build. My current workload is going to start evolving more next year because we're going to begin changing database software and try to integrate all these side systems into one big solution...the less I can do before that, the better.

One good thing came out of this. Our web cms system doesn't allow regular file uploads. They only allow a few extensions and insert all kinds of tags on files. I was able to get the configuration files for these clients loaded on the web in a css file extension. I'm able to boot to the USB stick, point the installer at my config file, burn the image on the local drive and walk away. If I need to make modifications, I just have to update the config and reboot the client. I think the last guy was compiling the USB stick to include configurations and a bunch of other nonsense that requires more time. From here on, I can just use dd to copy the iso on a USB stick for upgrades and my whole time investment will be 10 minutes + installation (5 minutes).
 

Scarpozzi

Lifer
Jun 13, 2000
26,392
1,780
126
> Nobody at my company seems to know how to manage certificates, it's a shit show lol.
It's easy to manage them in a way. Most of the CAs will send you a list of the certs that you purchase and ask for renewals. You can jump out to the management website and download new certs/intermediates/roots as needed. Then it's the bother of going around to all the systems BEFORE they expire and updating them.

What I used to do as much as possible was create some moderately secure self-signed certificates for all of my servers and give them a 5-10 year expiration. Then I'd firewall the servers with iptables and throw them on a private class B that's NAT'd and only allow access to that Network through a Load Balancer/Reverse proxy that had the shorter-lived certificates and the self-signed root cert in the trusted roots.

That meant that 90% of my servers were managed from one location. At that time, 2 year certificates were the norm. I chose a moderately secure cert (like 128bit encryption) just for speed. Encryption used to really dog slower clients and servers.
 

Red Squirrel

No Lifer
May 24, 2003
70,712
13,850
126
www.anyf.ca
Oh I get it but I have no say in it, and there's too many cooks in the kitchen, every app is managed by a different department, so the whole thing is a mess really.
 

Scarpozzi

Lifer
Jun 13, 2000
26,392
1,780
126
> Oh I get it but I have no say in it, and there's too many cooks in the kitchen, every app is managed by a different department, so the whole thing is a mess really.
That crap is ruining a lot of organizations. The company buys product A and then some jerk gets a sales call and believes everything the salesperson says. Most of the 3rd party crap we have bought could have been provided on existing contracts/vendors, but the managers and departments pushed hard and got whatever shiny new system they were sold...even if it is more expensive or less functional.

I'm hoping we have better software sourcing policies going forward to keep that stuff from happening.
 

Red Squirrel

No Lifer
May 24, 2003
70,712
13,850
126
www.anyf.ca
> That crap is ruining a lot of organizations. The company buys product A and then some jerk gets a sales call and believes everything the salesperson says. Most of the 3rd party crap we have bought could have been provided on existing contracts/vendors, but the managers and departments pushed hard and got whatever shiny new system they were sold...even if it is more expensive or less functional.
>
> I'm hoping we have better software sourcing policies going forward to keep that stuff from happening.

Pretty much, and once they get it working a year later they get a call from another vendor with an even better deal, so they migrate some stuff over to THAT system, but leave some stuff in the old one, so now you need both.
 

Scarpozzi

Lifer
Jun 13, 2000
26,392
1,780
126
> Pretty much, and once they get it working a year later they get a call from another vendor with an even better deal, so they migrate some stuff over to THAT system, but leave some stuff in the old one, so now you need both.
Yes. That or even worse...the person who wanted it and made sure it was procured left before it was ever implemented and no one else knew what it was supposed to fix. I can't wait to see the slate wiped clean again.