Thursday, October 10, 2013

TLS Authentication for Munin with easy-rsa

Munin is cool. By default, though, it sends everything in plaintext and relies on silly schemes like subnet whitelisting for authentication. However, it can use TLS.

Most of the info is here: Read that first.

The munin wiki assumes you know how to make openssl certs, though, which I don't. Here's the cheat-sheet for that (this all assumes you are using tls paranoid):

First, set up the 'vars' file the way you want. This should be in any fairly standard easy-rsa tutorial. I set mine up to use a non-standard 'keys' directory, because I already had OpenVPN keys in the default one. I have my munin-specific easy-rsa vars file in 'vars-munin':

$ . vars-munin
$ ./clean-all # this creates index.txt
# default answers to everything:
$ ./build-ca
# default answers, then sign=yes, commit=yes
$ ./build-key $munin_master
$ ./build-key-server $munin_node

The key is that you use build-key (a "client" certificate) for the master, and build-key-server (a "server" certificate) for the node.

You can check which one a given cert is with:

$ openssl x509 -in some-cert-name.crt -text -noout | grep -A 1 "Netscape Cert Type:"

(The difference is the value of nsCertType, I believe. I know very, very little about this. There is some explanation here.)
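
An added example (not from the original post): a shell helper that reads the output of the openssl x509 -text -noout command above, reports whether the certificate is marked for server or client use, and checks that against the roles described here (master = client certificate, node = server certificate). It also reads the Extended Key Usage extension, which goes beyond the nsCertType check in the post; the function names and the sample text are constructed for illustration.

```shell
#!/bin/sh
# Usage with a real certificate (file name as in the post):
#   openssl x509 -in some-cert-name.crt -text -noout | check_munin_cert node

# cert_role: read `openssl x509 -text -noout` output on stdin and print
# server, client, both or unmarked. The value of each extension is on the
# line after its name, which is why the post uses `grep -A 1`.
cert_role() {
    awk '
        /Netscape Cert Type:|X509v3 Extended Key Usage:/ { getline v; vals = vals " " v }
        END {
            srv = (vals ~ /SSL Server|TLS Web Server Authentication/)
            cli = (vals ~ /SSL Client|TLS Web Client Authentication/)
            if (srv && cli) print "both"
            else if (srv)   print "server"
            else if (cli)   print "client"
            else            print "unmarked"   # no usage extension found
        }'
}

# check_munin_cert master|node: compare the certificate on stdin with the
# role the post assigns to that side.
check_munin_cert() {
    case "$1" in
        master) want=client ;;   # made with build-key
        node)   want=server ;;   # made with build-key-server
        *) echo "usage: check_munin_cert master|node" >&2; return 2 ;;
    esac
    got=$(cert_role)
    if [ "$got" = "$want" ] || [ "$got" = both ]; then
        echo "ok: $1 certificate is marked $got"
    else
        echo "MISMATCH: $1 needs a $want certificate, this one is $got" >&2
        return 1
    fi
}

# Constructed sample input (hand-written excerpts, not real certificates).
SAMPLE_NODE='            Netscape Cert Type:
                SSL Server
            X509v3 Extended Key Usage:
                TLS Web Server Authentication'
SAMPLE_MASTER='            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Client Authentication'

printf '%s\n' "$SAMPLE_NODE"   | check_munin_cert node
printf '%s\n' "$SAMPLE_MASTER" | check_munin_cert master
```

A certificate that carries neither extension is reported as unmarked, which is the case where the grep above prints nothing.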

If things aren't working, see the instructions for debugging a single plugin on a single host -- that will let you test the TLS authentication in a simpler, faster way.

[Addendum: I see, according to these debconf13 slides, munin 2.0 introduces ssh as a transport. That would have been way better. D'oh! Well, munin 2.0 isn't in ubuntu 12.04 anyway, so I learned something.]

Wednesday, October 9, 2013

Online translator for phonetic (NATO/FAA) alphabet

I couldn't find any simple, quick translators for the NATO Phonetic Alphabet (you know, "Alpha! Bravo! Charlie!"), so I wrote last night. (Yes, I tried, but it was taken.)

You can use the form, or you can use nice short URLs like

It's not fancy, but it appears to mostly work. It's as much an excuse to learn Go on AppEngine and use a little Bootstrap 3 as it is an actual webapp. Code is on GitHub.