SSL with multiple hostnames

I noticed today that my SNI setup in apache is not working reliably. Apparently it takes the localhost certificate no matter how I am connecting. This seems to related to the content of /etc/hosts on the server, which I don't want to mess around with just to get SNI working.

Fortunately both IE and FF support an extension allowing multiple hostnames to be specified in the certificate in addition to the CN (reportedly Java does not support this extension, will need to check). The extension (Subject Alternate Names) is described in RFC 5280.

I've done the following to generate such certificates with openssl:

First, we need to add the extension support in openssl.cnf:

(not sure this is required, supposedly there's a security risk) in the [CA_default] section add:

copy_extensions = copy

in the [req] section add:

req_extensions = v3_req

in the [v3_req] section:

subjectAltName = IP:1.2.3.4,IP:127.0.0.1,DNS:myhost.acme.com,DNS:myhost,DNS:localhost.localdomain,DNS:localhost

Now we can generate a request, careful to include the config file so the extensions are included:

openssl req -config /etc/ssl/openssl.cnf -new -out multi.csr -key server.key

And sign it, again careful to include the config file

openssl x509 -extfile /etc/ssl/openssl.cnf -extensions v3_req -req -days 365 -in /tmp/multi.csr -CA ca.crt -CAkey ca.key -set_serial x -out multi.crt

And that's about it!

Archive portage logs

Just dump the following script in /etc/cron.daily to compress old portage logs and delete ancient ones, without using logrotate or tmpwatch/tmpreaper. After a year of running lappy, my /var/log/portage dir got to almost 1GB.

#!/bin/sh

## remove really old logs (180 days)
find /var/log/portage -name '*.log*' -mtime +180 -print0 | xargs --null --no-run-if-empty rm

## compress big logs (over 10 KB)
find /var/log/portage -name '*.log' -mtime +3 -size +10k -print0 | xargs --null --no-run-if-empty gzip