We Keep Coding

Filtering powershell output with search pattern beginning with some-pattern and ending with other-pattern

I was inspired by the bash command line in which sed outputs the search pattern beginning with "-BEGIN CERTIFICATE-" and ending with "-END CERTIFICATE-"
openssl s_client -connect www.domain.com:443 -showcerts | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
just how do I get the filter so that it works in powershell, probably with Select-String?
Here is the output of the bash command:
$ openssl s_client -connect google.com:443 -showcerts | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
-----BEGIN CERTIFICATE-----
MIIJVzCCCD+gAwIBAgIRANFJW61SRurECAAAAABTHOIwDQYJKoZIhvcNAQELBQAw
...cut...
jPCWTiAulvBLJJQ9nmggAgaEg7/9bs6da47V5awlyEAKzzmHGAmcNpX71Q==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIESjCCAzKgAwIBAgINAeO0mqGNiqmBJWlQuDANBgkqhkiG9w0BAQsFADBMMSAw
...cut...
USpxu6x6td0V7SvJCCosirSmIatj/9dSSVDQibet8q/7UK4v4ZUN80atnZz1yg==
-----END CERTIFICATE-----
a total of 77 lines

There's nothing builtin quite as concise as sed, but I often find the switch statement useful for parsing multi-line output with regex line-by-line:
# flag to keep track of whether we're between BEGIN/END
$inCert = $false
# suppress stderr output from openssl, assign all output from switch to `$certs`
$certs = switch -Regex ("`n`n"|openssl s_client -connect google.com:443 -showcerts 2>$null){
'-BEGIN CERTIFICATE-' {
# alright, we encountered a BEGIN line, prepare to consume following lines as a cert
$partialCert = #()
$inCert = $true
}
'-END CERTIFICATE-' {
# reach END, output the current certificate
$inCert = $false
$partialCert -join [System.Environment]::NewLine
}
default {
# ignore anything as long as we're not in between BEGIN/END
if($inCert){
$partialCert += $_
}
}
}
# $certs now contain the base64-encoded certificates

It's a pitty you didn't show us an example of the output you received from the showcerts command, but I suppose it will look something like this:
CONNECTED(00000002)
--snip--
---
Certificate chain
0 s:CN = www.openssl.org
i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
MIIFVTCCBD2gAwIBAgISAwk9QUiwVmoQAtcCLKybaK7yMA0GCSqGSIb3DQEBCwUA
...
mQBom1EISBOiNyu5koR6iRZcXsn6x/4kwA==
-----END CERTIFICATE-----
1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
i:O = Digital Signature Trust Co., CN = DST Root CA X3
-----BEGIN CERTIFICATE-----
MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
...
KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
-----END CERTIFICATE-----
---
...
If you capture that in a variable, say $rawCerts you can make use of -split, -match and -replace to get an array of the actual base64 encoded certificates like below:
$certs = $rawCerts -split '(?sm)-BEGIN CERTIFICATE[-\r\n]+' | # split into textblocks
Where-Object {$_ -match '-END CERTIFICATE-'} | # take only the blocks that contain '-END CERTIFICATE-'
ForEach-Object { $_ -replace '(?sm)[\r\n-]+END CERTIFICATE.*' } # remove everything after and including '-END CERTIFICATE-'
P.S> (?sm) in the regex means Dot matches newline (s) and Characters ^ and $ match at line breaks (m)

this is the raw output without sed
CONNECTED(00000178)
---
Certificate chain
0 s:C = US, ST = California, L = Mountain View, O = Google LLC, CN = *.google.com
i:C = US, O = Google Trust Services, CN = GTS CA 1O1
-----BEGIN CERTIFICATE-----
MIIJVzCCCD+gAwIBAgIRANFJW61SRurECAAAAABTHOIwDQYJKoZIhvcNAQELBQAw
...<cut>...
jPCWTiAulvBLJJQ9nmggAgaEg7/9bs6da47V5awlyEAKzzmHGAmcNpX71Q==
-----END CERTIFICATE-----
1 s:C = US, O = Google Trust Services, CN = GTS CA 1O1
i:OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
-----BEGIN CERTIFICATE-----
MIIESjCCAzKgAwIBAgINAeO0mqGNiqmBJWlQuDANBgkqhkiG9w0BAQsFADBMMSAw
...<cut>...
USpxu6x6td0V7SvJCCosirSmIatj/9dSSVDQibet8q/7UK4v4ZUN80atnZz1yg==
-----END CERTIFICATE-----
---
Server certificate
subject=C = US, ST = California, L = Mountain View, O = Google LLC, CN = *.google.com
issuer=C = US, O = Google Trust Services, CN = GTS CA 1O1
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3807 bytes and written 392 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = US, O = Google Trust Services, CN = GTS CA 1O1
verify return:1

Kubernetes create 5 year certificate for kubeapi

While creating the kubernetes cluster using kubeadm in Centos 7, its creating one year kubeapi certificate. For me this is short time for the cluster. How can I create 5 year certificate during cluster setup?
* SSL connection using TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
* Server certificate:
* subject: CN=kube-apiserver
* start date: Dec 20 14:32:00 2017 GMT
* expire date: Dec 20 14:32:00 2018 GMT
* common name: kube-apiserver
* issuer: CN=kubernetes
I tried this didn't work:
openssl genrsa -out ca.key 2048
export MASTER_IP=192.168.16.171
openssl req -x509 -new -nodes -key ca.key -subj "/CN=${MASTER_IP}" -days 10000 -out ca.crt
kubeadm reset
rm -rf /etc/kubernetes
mkdir -p /etc/kubernetes/ca/pki
cp ca.key ca.crt /etc/kubernetes/ca/pki/
kubeadm init
curl -k -v https://localhost:6443
Server certificate:
* subject: CN=kube-apiserver
* start date: Apr 15 21:07:24 2018 GMT
* expire date: Apr 15 21:07:25 2019 GMT
* common name: kube-apiserver
* issuer: CN=kubernetes
Thanks
SR

Follow the Kubernetes documentation on certificates to the CA certificate.
If you choose openssl or easyrsa use --days=1825, if you are going with cfssl then in ca-config.json specify 5y for .signing.default.expiry.
Put the resulting ca.crt and ca.key in /etc/kubernetes/ca/pki. When you run kubeadm init it will detect those files and will not overwrite them; it will use that CA key & certificate to sign the other certificates needed.

After looking at the code, there is no option to change the API certificate expire date. It set to 1 year in the code.
https://github.com/kubernetes/client-go/blob/master/util/cert/cert.go
// NewSelfSignedCACert creates a CA certificate
func NewSelfSignedCACert(cfg Config, key *rsa.PrivateKey) (*x509.Certificate, error) {
now := time.Now()
tmpl := x509.Certificate{
SerialNumber: new(big.Int).SetInt64(0),
Subject: pkix.Name{
CommonName: cfg.CommonName,
Organization: cfg.Organization,
},
NotBefore: now.UTC(),
NotAfter: now.Add(duration365d * 10).UTC(),
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
BasicConstraintsValid: true,
IsCA: true,
}
certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &tmpl, &tmpl, key.Public(), key)
if err != nil {
return nil, err
}
return x509.ParseCertificate(certDERBytes)
}

Plesk send Email TLS not available

Mail from Plesk.
But i recieve this answer
Out: 220 **DOMAIN** ESMTP Postfix (Debian/GNU)
In:  EHLO [10.33.205.183]
Out: 250-**DOMAIN**
Out: 250-PIPELINING
Out: 250-SIZE 31457280
Out: 250-ETRN
Out: 250-STARTTLS
Out: 250-AUTH DIGEST-MD5 CRAM-MD5 PLAIN LOGIN
Out: 250-ENHANCEDSTATUSCODES
Out: 250-8BITMIME
Out: 250 DSN
In:  STARTTLS
Out: 454 4.7.0 TLS not available due to local problem
In:  ???
Out: 502 5.5.2 Error: command not recognized
In:  ?????(?'??????
Out: 502 5.5.2 Error: command not recognized
In:  ????
Out: 502 5.5.2 Error: command not recognized
Out: 421 4.4.2 **DOMAIN** Error: timeout exceeded
Session aborted, reason: timeout
For other details, see the local mail logfile
Here is my main.cf:
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# TLS parameters
smtpd_tls_cert_file = /etc/postfix/tls/httpsd.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
myhostname = ***DOMAIN***
alias_maps = hash:/etc/aliases, hash:/var/spool/postfix/plesk/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = localhost.startdedicated.de, localhost, localhost.localdomain
relayhost =
mynetworks = 127.0.0.0/8 [::1]/128 **IP**/32
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
virtual_mailbox_domains = $virtual_mailbox_maps, hash:/var/spool/postfix/plesk/virtual_domains
virtual_alias_maps = $virtual_maps, hash:/var/spool/postfix/plesk/virtual
virtual_mailbox_maps = , hash:/var/spool/postfix/plesk/vmailbox
transport_maps = , hash:/var/spool/postfix/plesk/transport
smtpd_tls_security_level = may
smtp_tls_security_level = may
smtp_use_tls = no
smtpd_timeout = 3600s
smtpd_proxy_timeout = 3600s
disable_vrfy_command = yes
smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated
smtp_send_xforward_command = yes
smtpd_authorized_xforward_hosts = 127.0.0.0/8 [::1]/128
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
virtual_mailbox_base = /var/qmail/mailnames
virtual_uid_maps = static:30
virtual_gid_maps = static:31
smtpd_milters = , inet:127.0.0.1:12768
non_smtpd_milters =
sender_dependent_default_transport_maps = hash:/var/spool/postfix/plesk/sdd_transport_maps
virtual_transport = plesk_virtual
plesk_virtual_destination_recipient_limit = 1
mailman_destination_recipient_limit = 1
virtual_mailbox_limit = 0
message_size_limit = 31457280
I should say, that i not be an expert on linux and mailing!
The config file is located: /etc/postfix/main.cf
The cert /etc/postfix/tls/httpsd.pem is the servers default cert.
Thank you!

TL;TR: both bad client and bad server.
The mail server you use is configured wrong in that it believes it can to TLS (as seen in EHLO containing STARTTLS) but then fails to actually use TLS (error when client tries to use TLS). Additionally the client simply ignores the error message to the STARTTLS command and continues with the TLS handshake. This causes error messages from the server which expects proper SMTP commands but instead gets what looks like garbage (the TLS ClientHello).

Iscsi Chap for discovery, mutual for targets will not connect.

OK I have a lab setup, I have a Freenas server iscsi setup with Chap setup for discovery and mutual chap for targets.
Here are the requirements:
Implement CHAP security
One-way CHAP for discovery
Two-way (Mutual) CHAP for targets
I can connect and discover sucessfully with two esxi servers, windows 7, windows 2003, 2008, and 2012
Centos can see the discovery list, but when trying to connect with :
iscsiadm --mode node --targetname iqn.2015.lab.com:centos --portal 192.168.1.60:3260 --login
the terminal outputs:
no records found
Here is my iscsid.conf, I left the comments in on the Chap section, but removed it for the rest as it is just so large:
iscsid.startup = /etc/rc.d/init.d/iscsid force-start
node.startup = automatic
node.leading_login = No
# *************
# CHAP Settings
# *************
# To enable CHAP authentication set node.session.auth.authmethod
# to CHAP. The default is None.
node.session.auth.authmethod = CHAP
# To set a CHAP username and password for initiator
# authentication by the target(s), uncomment the following lines:
#node.session.auth.username = group7
#node.session.auth.password = passwordpassword
# To set a CHAP username and password for target(s)
# authentication by the initiator, uncomment the following lines:
node.session.auth.username_in = group7
node.session.auth.password_in = passwordpassword
# To enable CHAP authentication for a discovery session to the target
# set discovery.sendtargets.auth.authmethod to CHAP. The default is None.
discovery.sendtargets.auth.authmethod = CHAP
# To set a discovery session CHAP username and password for the initiator
# authentication by the target(s), uncomment the following lines:
discovery.sendtargets.auth.username = group7
discovery.sendtargets.auth.password = passwordpassword
# To set a discovery session CHAP username and password for target(s)
# authentication by the initiator, uncomment the following lines:
#discovery.sendtargets.auth.username_in = group7
#discovery.sendtargets.auth.password_in = passwordpassword
node.session.timeo.replacement_timeout = 120
node.conn[0].timeo.login_timeout = 15
node.conn[0].timeo.logout_timeout = 15
node.conn[0].timeo.noop_out_interval = 5
node.conn[0].timeo.noop_out_timeout = 5
node.session.err_timeo.abort_timeout = 15
node.session.err_timeo.lu_reset_timeout = 30
node.session.err_timeo.tgt_reset_timeout = 30
node.session.initial_login_retry_max = 8
node.session.cmds_max = 128
node.session.queue_depth = 32
node.session.xmit_thread_priority = -20
node.session.iscsi.InitialR2T = No
node.session.iscsi.ImmediateData = Yes
node.session.iscsi.FirstBurstLength = 262144
node.session.iscsi.MaxBurstLength = 16776192
node.conn[0].iscsi.MaxRecvDataSegmentLength = 262144
node.conn[0].iscsi.MaxXmitDataSegmentLength = 0
node.conn[0].iscsi.HeaderDigest = None
node.session.nr_sessions = 1
node.session.iscsi.FastAbort = Yes
Any help is appreciated. Thank you.

You want mutual CHAP for session setup, but in your configuration file you have commented-out the lines that define the login from initiator to target:
# To set a CHAP username and password for initiator
# authentication by the target(s), uncomment the following lines:
#node.session.auth.username = group7
#node.session.auth.password = passwordpassword

How to locate new certification using Certutil?

I need to create a new cert and then locate it to obtain the serial number (to use it later to get the public and private keys).
If I make a new certificate with makecert utility from Microsoft SDK's like this:
makecert -r -pe -a sha1 -n "CN=ElektroSoft" -b 01/01/2013 -e 01/01/2050 -ss my -$ individual
Then I suppose that cert will be stored in "my"...
..But when I try to list the "my" certificates I only get one entry, and is not my new certificate:
C:\>CERTUTIL -store my
my
================ Certificado 0 ================
Número de serie: 586a7358ebdce8854def26875f0f38ab
Emisor: CN=localhost
NotBefore: 22/02/2013 4:43
NotAfter: 22/02/2018 2:00
Sujeto: CN=localhost
La firma coincide con la clave pública
Certificado raíz: el sujeto coincide con el emisor
Plantilla:
Hash de cert(sha1): 1b 92 19 ef 19 ce d1 09 ad 87 13 73 56 0c cf 0a 57 29 cf 81
Contenedor de claves = IIS Express Development Certificate Container
Nombre de contenedor exclusivo: fad662b360941f26a1193357aab3c12d_a61f2a11-eaf9
-4c14-9a63-d3613bf3bd2c
Proveedor = Microsoft RSA SChannel Cryptographic Provider
Prueba de cifrado correcta
CertUtil: -store comando completado correctamente.
Then where is stored my new certificate?

Finally I did my code:
#Echo OFF
Setlocal enabledelayedexpansion
Set "Name=ElektroSoft"
Set "Password=Elektro"
Set "InitialDate=01/01/2013"
Set "ExpireDate=01/01/2050"
Set "SerialNumber=%Random%%Random%%Random%%Random%%Random%"
:: Make certificate
makecert -r -pe -a sha1 -n "CN=%Name%" -b "%InitialDate%" -e "%ExpireDate%" -$ individual -sr LocalMachine -ss my -cy authority -# "%SerialNumber%" "%Name%.cer"
:: Export certificate
For /F "Tokens=2 delims=:" %%# in ('certutil -store my') DO (
if "%%#" NEQ " CN=%Name%" (Set "SerialNumberHash=%%#") ELSE (
certutil -exportPFX -p "%Password%" my "!SerialNumberHash: =!" "%Name%.pfx"
Pause&Exit))
:: Check certificate
REM certutil -store my
:: Delete certificate
REM certutil -delstore MY "%Name%"