Maximum Allowed HTTPS Certificate Validity

When creating self-signed certificates I ran into the issue that Safari in particular did not accept the certificate, giving only the rather unspecific message “Certificate not standards compliant”. It turns out that the maximum allowed validity period has been reduced over time by the various browser vendors, and the shortest limits are apparently enforced by Apple’s Safari.

Current (mid 2021) limits are the following:

For any certificate signed by a certification authority whose root certificate is supplied with the operating system, the maximum allowed validity is 398 days (for all certificates issued after Sept. 1, 2020).

For self-signed certificates, i.e. if you create your own CA certificate and assign the trust yourself (or your organization does), the maximum allowed validity is 825 days.

Background

Certification authorities need to provide a way to revoke certificates before the end of their validity, e.g. when a certificate was issued by mistake or when the private key was exposed to the public. Often these revocations are still handled by certificate revocation lists (CRLs), although mechanisms like OCSP and OCSP stapling provide more elegant solutions.

If those lists become long, downloading the referenced list may take a long time, which becomes a problem for the user experience, because the requested web page cannot be displayed before the certificate validity has been checked.

This becomes a problem especially when mass revocations become necessary. Such mass revocations have occurred in the past, e.g. when a widely used library potentially exposed the private key, or when a commonly used random number generator did not produce sufficient randomness, which allowed private keys to be guessed.

ipmitool stopped working on Dell iDRAC over LAN

Modern servers come with a baseboard management controller (BMC), a small extra computer that allows remote console access, provides all kinds of hardware status information and even allows power control (i.e. turning the server on and off). Dell’s implementation is called iDRAC.

IPMI is a commonly used protocol for accessing this functionality, also over the network.

I remembered using ipmitool over the network to access the iDRAC in the past. So I was all the more surprised when it suddenly only gave me an error message:

$ ipmitool -H server-mgmt -U root mc info
Password:
Get Session Challenge command failed
Error: Unable to establish LAN session
Get Device ID command failed

I found the solution in .pQd’s log:

Apparently recent firmware versions (as of 2016) stopped supporting the default protocol and only continue to support the lanplus protocol (IPMI 2.0), which can be selected with the -I lanplus option. I’m not sure if I saw this documented somewhere, but it seems that this is what Dell always intended to be used. So the proper command is:

ipmitool -H server-mgmt -I lanplus -U root mc info

If you are using OpenIPMI (FreeIPMI tools), the proper option is --driver-type=LAN_2_0, so e.g. for reading sensor values you can use:

ipmi-sensors -h server-mgmt -u root -P --driver-type=LAN_2_0

MiKTeX being slow

A colleague recently complained that MiKTeX (a LaTeX distribution for Windows) runs much slower on his full-featured workstation than on his less powerful laptop.

It was not just a minor difference: compilation took several minutes on the workstation, but only a few seconds on the laptop.

The only difference that we found was the way that MiKTeX was installed. When he ran the installer on the workstation, he thought that there would be enough space to make a full install with all included packages. On the laptop the space was rather limited, so he chose a standard install.

Apparently the full package database is processed every time the compilation process is started. So installing a smaller number of packages not only reduced the required disk space, but also massively improved the runtime.

Enabling XFS quota

I recently needed to enable quotas on a larger XFS file system. This is quite easy, because all you have to do is set the proper mount options and then mount the file system again. XFS will automatically index all files and update all quota associations while mounting:

Type            enforced   not enforced
User quota      uquota     uqnoenforce
Group quota     gquota     gqnoenforce
Project quota   pquota     pqnoenforce

Quota parameters

But: depending on how full the file system is, this update process may take a long time. This means you should not try this while booting, because modern Linux distributions (like RHEL7) have a timeout detection for mounts and may thus interrupt the process.

So when enabling quota on an existing file system:

  1. edit fstab
  2. unmount the file system
  3. mount it again
  4. wait for the quota log update to finish
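As an added example (not from the original post), a small POSIX shell helper that maps the quota type and enforcement mode from the table above to the corresponding XFS mount option and inserts it into an fstab line, leaving non-XFS and comment lines untouched and not duplicating an option that is already present. The fstab lines used below are constructed sample input.

```shell
#!/bin/sh
# add_xfs_quota_option LINE TYPE MODE
#   LINE: one fstab line; TYPE: user|group|project; MODE: enforce|noenforce
# Prints the line with the proper quota mount option added (fields joined by tabs).
add_xfs_quota_option() {
  line=$1; type=$2; mode=$3
  # Map quota type to the enforced / not-enforced option names from the table.
  case "$type" in
    user)    enf=uquota; noenf=uqnoenforce ;;
    group)   enf=gquota; noenf=gqnoenforce ;;
    project) enf=pquota; noenf=pqnoenforce ;;
    *) echo "unknown quota type: $type" >&2; return 1 ;;
  esac
  case "$mode" in
    enforce)   opt=$enf ;;
    noenforce) opt=$noenf ;;
    *) echo "unknown mode: $mode" >&2; return 1 ;;
  esac
  printf '%s\n' "$line" | awk -v opt="$opt" '
    /^[[:space:]]*#/ || $3 != "xfs" { print; next }   # comments and non-XFS entries pass through
    {
      n = split($4, a, ",")
      for (i = 1; i <= n; i++)
        if (a[i] == opt) { print; next }               # option already present: idempotent
      $4 = $4 "," opt                                  # append to the mount options field
      print
    }' OFS='\t'
}

# Usage with a constructed fstab line:
add_xfs_quota_option "/dev/sdb1 /data xfs defaults 0 0" user enforce
```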