Monthly Archives: August 2016

about time, ssl and other things …

To see the certificate information from the Linux CLI (-k is optional: it skips certificate verification)

curl -vvIk https://<FQDN or IP>

To print a certificate file in human-readable form (the -inform parameter selects the input encoding, PEM or DER, when the file is not PEM)

openssl x509 -in <your_certificate_file_name_maybe_txt_pem_whatever> -text -noout

Sometimes a PEM or certificate file can be broken or corrupted: a bad copy-paste, a Windows-to-Linux copy, FTP transfer issues. In that case debugging with "curl" alone may not help; please try another tool, for example "wget", to double-check.

I faced Socket error: [X509] PEM lib (_ssl.c:2751) and couldn't find any solution; wget helped me: it showed that some of the certificate files were not readable.
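As an added example that is not part of the original post: a small Python checker for the kind of copy damage described above (CRLF line endings, a truncated or non-base64 body, mismatched BEGIN/END markers), so a file can be ruled out before blaming the TLS client. The sample PEMs are constructed and are not real certificates.

```python
import base64
import binascii
import re
BEGIN_RE = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
END_RE = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")
B64_LINE_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def _check_body(label, body_lines):
    # Decode one block's base64 body and check that it looks like DER.
    try:
        der = base64.b64decode("".join(body_lines), validate=True)
    except binascii.Error as exc:  # damaged or truncated copy, e.g. missing padding
        return [f"{label}: base64 body does not decode ({exc})"]
    # Certificates, CSRs and keys are DER SEQUENCEs, so the first byte must be 0x30.
    if ("CERTIFICATE" in label or label.endswith("KEY")) and (not der or der[0] != 0x30):
        return [f"{label}: decoded body is not a DER SEQUENCE"]
    return []

def check_pem(text):
    """Return the problems found in a PEM file's text; [] means it looks sane."""
    problems = ["CRLF line endings (Windows-to-Linux copy?)"] if "\r" in text else []
    label, body, blocks = None, [], 0
    for n, raw in enumerate(text.replace("\r\n", "\n").replace("\r", "\n").split("\n"), 1):
        line = raw.strip("\ufeff \t")  # tolerate a UTF-8 BOM and trailing blanks
        if not line:
            continue
        if m := BEGIN_RE.match(line):
            label, body = m.group(1), []
        elif m := END_RE.match(line):
            if m.group(1) != label:
                problems.append(f"line {n}: END {m.group(1)} has no matching BEGIN (open block: {label})")
            else:
                problems.extend(_check_body(label, body))
                blocks += 1
            label = None
        elif label is not None:  # text outside blocks is ignored, as openssl does
            if not B64_LINE_RE.match(line):
                problems.append(f"line {n}: non-base64 characters inside {label} block")
            body.append(line)
    if label:
        problems.append(f"unterminated {label} block (END line missing)")
    if blocks == 0:
        problems.append("no complete PEM block found")
    return problems

# Constructed samples (not real certs): a minimal DER SEQUENCE { INTEGER 1 }, then the
# same file after a bad copy (CRLF line endings and a truncated base64 body).
GOOD_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(bytes.fromhex("3003020101")).decode()
            + "\n-----END CERTIFICATE-----\n")
BAD_PEM = "-----BEGIN CERTIFICATE-----\r\nMAMCAQ\r\n-----END CERTIFICATE-----\r\n"
```

To check a real file, read it in binary mode (so the line endings survive) and pass the decoded text to check_pem.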

Another option is openssl with the s_client parameter:

openssl s_client -host FQDN -port 443 -quiet

tzdata = time zone database

Sometimes people mix up UTC and GMT: GMT is a time zone and UTC is a time standard, but in practice both share the same current time. No country or territory uses UTC as its local time.

Debian: change the time zone

dpkg-reconfigure tzdata

or

sudo cp /usr/share/zoneinfo/xxx/xxx /etc/localtime

For how NTP works, what a stratum is and what a reference clock is, please check the links below. Generally the reference clock is stratum 0 (an atomic clock, i.e. a caesium clock); below it there are more levels, stratum 1, 2 and so on up to 16, and it looks like we mostly query time from stratum 2 servers.

https://ntpserver.wordpress.com/2008/09/10/ntp-server-stratum-levels-explained/

http://www.ntp.org/ntpfaq/NTP-s-algo.htm

To set the time with the date command, a perfect article from nixCraft: http://www.cyberciti.biz/faq/howto-set-date-time-from-linux-command-prompt/

The one I mostly needed:

date +%T -s "10:13:13"

Passwordless sudo privileges (appending directly bypasses the syntax check of visudo; run visudo -c afterwards, because a malformed line breaks sudo)

sudo su

echo "noroot ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers

Can sslvpnd cause HA sync / web interface unresponsive issues? -another Fortinet story-

Today we faced a Fortinet web interface becoming unresponsive. We found some articles and expected that killing/restarting httpd would be enough, but we then hit policy loading issues: for example, trying to list the rules gave an empty response, and after some time the web UI was gone again and we needed to restart httpd to access it.

After some investigation we saw that the cluster checksum was not consistent (command: diagnose sys ha cluster-csum).

We tried to sync the HA config, but it did not succeed (command: exec ha synchronize start) (for more, please check).

Then, although we maybe did not prioritise it, on the cluster member whose web interface was still working the SNMP service stopped responding first, and then SSL VPN connections started to fail! At that time, as far as I remember, we changed the password of an SSL VPN user, but I don't think that helped us; however, when we killed sslvpnd the non-responsive Fortinet box magically started to run again. After that we checked the HA checksum, it was consistent, and SNMP also started to work!

Actually, if we had not tried this (the vendor also said the related firmware has a bug), we would have had to restart the nodes, and that would have caused some downtime. The version is 5.2.6.

A good link for debugging HA: http://kb.fortinet.com/kb/documentLink.do?externalID=FD36494

diag debug enable
diagnose debug console timestamp enable
diag debug application hasync -1
diag debug application hatalk -1
execute ha synchronize start

When you cannot kill a process gently -another Fortinet story-

I assume that you know the PID; if not, there are two ways to find it.

Option 1

Walter (global) # diag test app snmpd 1

snmpd pid = 161

Option 2 (sometimes the related commands do not return the PIDs of some processes; then start using fnsysctl)

List the pid files, then get the PID from the related file

Walter (global) # fnsysctl ls /var/run/

Walter (global) # fnsysctl cat /var/run/snmpd.pid

161

Then execute (sometimes diag sys kill 11 <pid_id> does not kill the related process)

Walter (global) # fnsysctl kill -9 161

That's it!