Bring up network interface with an IP address using “ip” command

Lately many Linux distributions do not ship ifconfig by default; it is now considered the old style of configuring the network manually.
The “ip” command is simple and self-explanatory, but there is a catch! Just adding the IP won’t bring up the network interface of your server. In fact we need two commands to bring the network interface up with an IP, and then a third command to add a default gateway.
So here are the steps and commands to bring up an interface and set its IP and gateway:

STEP 1) Add the IP to the network interface with

ip addr add 192.168.0.100/24 dev eth0

Replace the IP with your own IP address.

STEP 2) Bring up the interface link

ip link set eth0 up

If you omit this step, a network interface that is down won’t start and the next command (in step 3) will output an error! If your interface is already up and you are just adding an additional IP to it, you can skip this step (and probably the one below with the default gateway, but we do not describe this case here).

STEP 3) Add the default gateway

ip route add default via 192.168.0.1

* All three in one place, the right way of bringing up a network interface under Linux with the “ip” command:

ip addr add 192.168.0.100/24 dev eth0
ip link set eth0 up
ip route add default via 192.168.0.1

* Troubleshooting

As was said above: just adding an IP to a network interface that is in the down state does not make the IP usable. Nothing tells you so, and when you try to add the default route you see a not very informative error:

srv@local ~# ip addr add 192.168.0.100/24 dev eth0
srv@local ~# ip route add default via 192.168.0.1
ip: RTNETLINK answers: Network is unreachable

Network unreachable, but why? I just added an IP. It is not enough just to add the IP; the link must also be set up, just like with ifconfig eth0 up.

Check a certificate and a private key for a match

Ever wondered how to verify your private key with a certificate or CSR certificate?


All three (the server certificate, the private key and the CSR) contain a specific value, which must be the same in each of them to be sure that the private key was used for the CSR and that this CSR was used to issue the server certificate. The public exponent of the private key and the modulus must have the same value.
If the values differ you can be sure this private key cannot be used as a pair with the server certificate you have in mind! Because the modulus is a really big number, we can pipe it to an md5 function to make it easier for a human to verify.

Here are the three simple commands to check if your private key matches the certificate or the CSR certificate:

STEP 1) check the private key

[root@srv@local ]# openssl rsa -noout -modulus -in server.key | openssl md5
(stdin)= f1fdd77a19d21999264a1267253c6acd

STEP 2) check modulus value of the certificate

[root@srv@local ]# openssl x509 -noout -modulus -in server.crt | openssl md5
(stdin)= f1fdd77a19d21999264a1267253c6acd

STEP 3) check modulus value of the CSR

[root@srv@local ]# openssl req -noout -modulus -in server.csr | openssl md5
(stdin)= f1fdd77a19d21999264a1267253c6acd

If the three values are the same, you can use this pair of private key and certificate in your web (or whatever) server. It also means you can use this CSR to issue a server certificate and then use this private key together with the new server certificate!

* The nginx web server reports an error when the private key and certificate do not match:

[root@srv@local ]# nginx -t
nginx: [emerg] SSL_CTX_use_PrivateKey_file("/etc/ssl/nginx/server.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
nginx: configuration file /etc/nginx/nginx.conf test failed

And if you issue a restart command you’ll end up without a working web server.

* Apache also reports an error in the error log (probably your ssl error log) and does not start:

[Tue Mar 06 03:37:39.378436 2014] [ssl:emerg] [pid 8182] AH02565: Certificate and private key localhost:443:0 from /etc/ssl/apache2/server.crt and /etc/ssl/apache2/server.key do not match

The default error log reports only a configuration error:

AH00016: Configuration Failed

And, strangely, apache2ctl reports no error!

 apache2ctl configtest
 * Checking apache2 configuration ...                                                                                          [ ok ]

So always verify the private key and server certificate before issuing a restart of the service that depends on them!
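
A script version of this pre-restart check, added here as an example (it is not from the original post). It goes beyond the modulus commands above: it compares the whole public key, so it also covers non-RSA keys such as ECDSA, and it hashes with SHA-256 instead of md5. The function names are hypothetical and the private key is assumed to be unencrypted.

```shell
#!/usr/bin/env bash
# Added example: function names are hypothetical, not from the original post.

# Print the SHA-256 digest of the public key found in a PEM file.
# $1 = kind (key|crt|csr), $2 = path. Assumes an unencrypted private key.
pubkey_digest() {
    local kind="$1" file="$2" pem
    case "$kind" in
        key) pem=$(openssl pkey -in "$file" -pubout 2>/dev/null) ;;
        crt) pem=$(openssl x509 -in "$file" -noout -pubkey 2>/dev/null) ;;
        csr) pem=$(openssl req -in "$file" -noout -pubkey 2>/dev/null) ;;
        *)   return 2 ;;
    esac || return 2
    [ -n "$pem" ] || return 2
    printf '%s\n' "$pem" | openssl sha256 | awk '{print $NF}'
}

# Return 0 when all files carry the same public key, 1 on a mismatch,
# 2 when a file is missing or cannot be parsed.
# Usage: check_tls_pair server.key server.crt [server.csr]
check_tls_pair() {
    local key="$1" crt="$2" csr="${3:-}" want got
    want=$(pubkey_digest key "$key") || { echo "cannot read key: $key" >&2; return 2; }
    got=$(pubkey_digest crt "$crt") || { echo "cannot read certificate: $crt" >&2; return 2; }
    [ "$got" = "$want" ] || { echo "MISMATCH: $crt does not belong to $key" >&2; return 1; }
    if [ -n "$csr" ]; then
        got=$(pubkey_digest csr "$csr") || { echo "cannot read CSR: $csr" >&2; return 2; }
        [ "$got" = "$want" ] || { echo "MISMATCH: $csr was not made with $key" >&2; return 1; }
    fi
    echo "OK: public key digest $want"
}

# When run directly: ./script server.key server.crt [server.csr]
if [ "$#" -ge 2 ]; then
    check_tls_pair "$@"
fi
```

Run it with the key and certificate paths from your server configuration before the restart; any non-zero exit status means the service should not be restarted with those files.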

Replace default program to open text files in Linux console

Ever wondered how to change your text editor when editing text files in Linux? Here is a newbie tip!
For example, when you want to edit cron jobs you execute

[srv@local ~]# crontab -e

And you end up in a text editor. Perhaps you prefer vim, nano, pico or some other text editor, and you want to use it whenever the system needs a text editor?
There is an environment variable, EDITOR, which can be set to one of the text editors mentioned above.
Temporarily, you can set it from the command line for the current session, for example to open text files with “nano”:

[srv@local ~]# export EDITOR="nano"

And when you edit cron jobs, edit a text file in “mc”, or whenever the system needs a text editor, it will use “nano”. If you replace “nano” with another editor, that one will be used.
To make it permanent you must put it in your current .bashrc file – “/home//.bashrc” (or more accurately “~/.bashrc”). Just add the same line as above at the end of your .bashrc file:

export EDITOR="nano"

And if you check your current environment you’ll see there is a variable named EDITOR:

[srv@local ~]# env|grep EDITOR
EDITOR=nano