OS X / Mountain Lion hides a number of files from you, to help keep things tidier, and help make sure you don't accidentally delete anything too important. Most of the time this is useful, but sometimes it would be more convenient to be able to see all files.
The Finder's view-all-files option can be changed by setting the com.apple.finder option called, unsurprisingly, AppleShowAllFiles.
I have a short shell script:
#!/bin/bash
defaults write com.apple.finder AppleShowAllFiles TRUE
killall Finder
and to turn it off:
#!/bin/bash
defaults write com.apple.finder AppleShowAllFiles FALSE
killall Finder
Apple changed the behavior of DNS search list processing in Lion (OS X Lion: About search domains and name lookups).
This makes it differ from the behavior listed in RFC1536. If you need / prefer the RFC-compliant search path processing, add the -AlwaysAppendSearchDomains argument to the /usr/sbin/mDNSResponder process in /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist
So:
<key>ProgramArguments</key>
<array>
    <string>/usr/sbin/mDNSResponder</string>
    <string>-launchd</string>
    <string>-AlwaysAppendSearchDomains</string>
    <string>-NoMulticastAdvertisements</string>
</array>
Quick reminder for myself on how to generate / update TLSA records.
~/local/src/swede/swede/swede create --output rfc --usage 1 -s 0 -m 1 www.kumari.net
No certificate specified on the commandline, attempting to retrieve it from the server www.kumari.net.
Attempting to get certificate from 198.186.192.250
M2Crypto does not support SNI: services using virtual-hosting will show the wrong certificate!
Got a certificate with Subject: /serialNumber=l/YjABq5T5eemHk7J4kqJviHIR11OOkx/OU=GT03082892/OU=See www.rapidssl.com/resources/cps (c)13/OU=Domain Control Validated - RapidSSL(R)/CN=*.kumari.net
_443._tcp.www.kumari.net. IN TLSA 1 0 1 8d930a464843e08660e3fd1ddce8ed4269cc0cd9cd53a8a306bce8abcf47aef5
For the IETF one (tied to a CA)
~/local/src/swede/swede/swede create --output rfc --usage 0 -s 0 -m 1 -c ~/tmp/certs/starfield.crt www.ietf.org
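An added example (not part of the original notes, and not swede's own code): a Python sketch that reproduces the `-s 0 -m 1` record format shown above and checks whether a published TLSA line still matches a certificate, which is the check to run after rotating a key and certificate. The function names, www.example.net and the stand-in certificate bytes are assumptions made for illustration.

```python
import hashlib
import ssl

# Matching types from RFC 6698: 0 = exact bytes, 1 = SHA-256, 2 = SHA-512.
_MATCHERS = {
    0: lambda data: data.hex(),
    1: lambda data: hashlib.sha256(data).hexdigest(),
    2: lambda data: hashlib.sha512(data).hexdigest(),
}


def tlsa_rdata(pem_cert, usage, selector, mtype):
    """Return 'usage selector mtype hex' for a PEM certificate (selector 0 only)."""
    if usage not in (0, 1, 2, 3):
        raise ValueError("certificate usage must be 0-3")
    if selector != 0:
        # Selector 1 (SubjectPublicKeyInfo) needs an X.509 parser; not handled here.
        raise ValueError("only selector 0 (full certificate) is handled")
    if mtype not in _MATCHERS:
        raise ValueError("matching type must be 0, 1 or 2")
    der = ssl.PEM_cert_to_DER_cert(pem_cert)
    return f"{usage} {selector} {mtype} {_MATCHERS[mtype](der)}"


def tlsa_record(host, port, pem_cert, usage=1, selector=0, mtype=1, proto="tcp"):
    """Format a zone-file line in the same shape as the --output rfc line above."""
    owner = f"_{port}._{proto}.{host.rstrip('.')}."
    return f"{owner} IN TLSA {tlsa_rdata(pem_cert, usage, selector, mtype)}"


def record_matches_cert(record_line, pem_cert):
    """True if a published TLSA line still matches the certificate being served."""
    fields = record_line.split()
    idx = fields.index("TLSA")  # tolerates an optional TTL before the class
    usage, selector, mtype = (int(x) for x in fields[idx + 1:idx + 4])
    published = "".join(fields[idx + 4:]).lower()  # hex may be split by spaces
    expected = tlsa_rdata(pem_cert, usage, selector, mtype).split()[3]
    return published == expected


# Constructed stand-ins for certificates: PEM_cert_to_DER_cert only base64-decodes,
# so arbitrary bytes are enough to exercise the hashing and formatting.
OLD_PEM = ssl.DER_cert_to_PEM_cert(b"constructed-old-certificate-bytes")
NEW_PEM = ssl.DER_cert_to_PEM_cert(b"constructed-new-certificate-bytes")

if __name__ == "__main__":
    line = tlsa_record("www.example.net", 443, OLD_PEM)
    print(line, record_matches_cert(line, OLD_PEM), record_matches_cert(line, NEW_PEM))
```

With selector 0 the digest covers the whole certificate, so a record published for the old certificate stops matching as soon as the replacement is installed.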
In order to get around
bash: /bin/rm: Argument list too long.
Find can take a -delete action. This goes really fast :-)
find . -type f -delete
Generate the new key
root@vimes:/etc/ssl# openssl genrsa -aes256 -out ./private/star.kumari.net-20110723.key 2048
Generating RSA private key, 2048 bit long modulus
......................................................................................................+++
.................................................................................................+++
e is 65537 (0x10001)
Enter pass phrase for ./private/star.kumari.net-20110723.key:
Verifying - Enter pass phrase for ./private/star.kumari.net-20110723.key:
Get the info from the old CSR
root@vimes:/etc/ssl# openssl req -in star.kumari.net.csr -noout -text
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=US, ST=Virginia, L=Sterling, O=Warren Kumari, OU=Warren Kumari, CN=*.kumari.net/emailAddress=warrenkumari.net
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:a1:a1:f4:8a:50:e3:71:ee:4e:d2:3d:51:97:2c:
                    [SNIP]
                    94:e9:1f:e7:07:e1:90:1e:ab
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha1WithRSAEncryption
        71:b5:82:16:4f:7e:c9:f8:e9:3e:55:fe:86:d9:b9:e9:13:a2:
        [SNIP]
        23:7d:1f:68:38:5d:ca:12:f9:1e:44:3c:e4:47:a5:be:09:ac:
        0b:6b
Now generate a new CSR
root@vimes:/etc/ssl# openssl req -new -key ./private/star.kumari.net-20110723.key -out star.kumari.net-20110723.csr
Enter pass phrase for ./private/star.kumari.net-20110723.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [Virginia]:
Locality Name (eg, city) [Sterling]:
Organization Name (eg, company) [Warren Kumari]:
Organizational Unit Name (eg, section) [Warren Kumari]:
Common Name (eg, YOUR name) [Warren Kumari]:*.kumari.net
Email Address [warren.at.kumari.net]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
root@vimes:/etc/ssl# ls
certs openssl.cnf private star.kumari.net-20110723.csr star.kumari.net.csr wildcard.kumari.net.csr www.kumari.net_godaddy.csr
And provide the CSR to the CA
root@vimes:/etc/ssl# more star.kumari.net-20110723.csr
-----BEGIN CERTIFICATE REQUEST-----
MIIC4jCCAcoCAQAwgZwxCzAJBgNVBAYTAlVTMREwDwYDVQQIEwhWaXJnaW5pYTER
MA8GA1UEBxMIU3RlcmxpbmcxFjAUBgNVBAoTDVdhcnJlbiBLdW1hcmkxFjAUBgNV
[SNIP]
e+WZXl16+MwNDk0tBQsOn2Z0ppC60O42wouMOIMJD904WS/72/NbDsxVmkmfig/Y
UqrjcdnOXYfkzOfitv2TWlMwW7WtGQ==
-----END CERTIFICATE REQUEST-----
Installing / using the new certificate
If you end up with a certificate that needs an intermediate certificate, there are a few options.
Apache knows how to deal with these using the SSLCACertificateFile option.
# We want SSL for this site.
SSLEngine On
# Cert and key locations
SSLCertificateFile /etc/ssl/certs/star.kumari.net-20110723.crt
# Intermediate cert.
SSLCACertificateFile /etc/ssl/certs/RapidSSL_CA_bundle.pem
# And the key...
SSLCertificateKeyFile /etc/ssl/private/star.kumari.net-20110723.key
Postfix (and others)
Some software doesn't understand handing out intermediate CA certificates, but this can sometimes be worked around by putting both the certificate and the intermediate cert in one file.
Create the combined pem file:
$ cat star.kumari.net-20110723.pem RapidSSL_CA_bundle.pem > star.kumari.net-20110723-bundle.pem
Now tell Postfix about it:
# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/star.kumari.net-20110723-bundle.pem
smtpd_tls_key_file=/etc/ssl/private/star.kumari.net-20110723.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache