OpenBSD

Gitolite

OpenBSD, System

You wanna host your own Git Repositories ? Have a look at Gitolite. It does all for you :)

Install GitoLite

pkg_add gitolite

Add git user

root@gitserver ~# adduser -silent
Enter username []: git
Enter full name []: git repo user
Enter shell bash csh git-shell ksh nologin sh [ksh]:
Uid [1001]:
Login group git [git]:
Login group is ``git''. Invite git into other groups: guest no
[no]:
Login class authpf bgpd daemon default pbuild staff unbound
[default]:
Enter password []:
Disable password logins for the user? (y/n) [n]: y

Name:        git
Password:    ****
Fullname:    git repo user
Uid:         1001
Gid:         1001 (git)
Groups:      git
Login Class: default
HOME:        /home/git
Shell:       /bin/ksh
OK? (y/n) [y]: y
Added user ``git''
Add another user? (y/n) [y]: n

Basic Setup

Setup Repo, add your key

OpenBSD 6.7

OpenBSD

OpenBSD 6.7 appeared today

OpenBSD has two new releases every year. historically, on 1. Mai and 1. November. With a few small execptions in the past Check Wikipedia

so, then latest OS appeared today: OpenBSD 6.7

Perform a Full Upgrade (incl. X Stuff)

sysupgrade -r

Run the Script (on your own risk !)

doas su -
mkdir /root/bin
ftp -o /root/bin/upgrade_to_67.sh https://blog.stoege.net/scripts/upgrade_to_67.sh
chmod 740 /root/bin/upgrade_to_67.sh
# /root/bin/upgrade_to_67.sh

or use some custom Script (just Xbase and not other X Stuff)

doas su -
mkdir /root/bin

cat <<'EOF' > /root/bin/upgrade_to_67.sh
#!/bin/sh

prepare () {

  echo "let's upgrade to 6.7 ..."

  userdel named
  groupdel named
  rm -rf /var/named  # backup the data if still needed

  rm -rf /usr/libdata/perl5/*/Storable \
    /usr/libdata/perl5/*/arybase.pm \
    /usr/libdata/perl5/*/auto/arybase \
    /usr/libdata/perl5/B/Debug.pm \
    /usr/libdata/perl5/Locale/{Codes,Country,Currency,Language,Script}* \
    /usr/libdata/perl5/Math/BigInt/CalcEmu.pm \
    /usr/libdata/perl5/unicore/To/_PerlWB.pl \
    /usr/libdata/perl5/unicore/lib/GCB/EB.pl \
    /usr/libdata/perl5/unicore/lib/GCB/GAZ.pl \
    /usr/share/man/man3p/B::Debug.3p \
    /usr/share/man/man3p/Locale::{Codes*,Country,Currency,Language,Script}.3p \
    /usr/share/man/man3p/Math::BigInt::CalcEmu.3p \
    /usr/share/man/man3p/arybase.3p

  rm -f /usr/sbin/{dig,host,nslookup}

}

download() {

  local _response=$(sysupgrade -n)

  if [[ $_response == *reboot ]]; then
    echo "\nInstalled! Let's reboot ...\n"
    rm /home/_sysupgrade/{comp,xf,xs}*
  else
    echo "Nothing todo ..."
  fi

}

install() {
  reboot
}

postwork() {

  echo "let's do some postwork after upgrade to 6.7 ..."

  cd /dev
  ./MAKEDEV all

  _boot=$(mount |awk -F'[/ ]' '/ on \/ / {print $3}')
  installboot ${_boot%?}

  sysmerge

  fw_update

  syspatch

  pkg_add -Vu

}

# Main
local _ver=$(uname -r)

if [ "$_ver" == "6.6" ]; then

  prepare
  download
  install

elif [ "$_ver" == "6.7" ]; then

  postwork

fi

exit 0
EOF

chmod 740 /root/bin/upgrade_to_67.sh
# /root/bin/upgrade_to_67.sh

Checks

you should do a few checks afterwards:

OpenBSD Add Storage

OpenBSD

you’ve got a maschine and you’re running out of disk space. attach a new disk like this:

# fdisk -i sd1  Note: Substitue sd1 for your disk. ...
# disklabel -E sd1
> p m
> a a
> quit
# newfs sd1a
# mkdir /data
# mount /dev/sd1a /data/

and make permament in /etc/fstab
Any Comments ?

sha256: 56abce0047522e2a79b987cb878a8ef2a8e27ae9aa9e6e2266d58d8afd254793

Sqlite

OpenBSD

Do you like SQLite ?

just started using it a bit more often … https://www.sqlitetutorial.net/

Query

sqlite3 /path/to/db “select date,time,ip from table where ip=‘1.2.3.4’ limit 100;

.schema

show the database schema and indexes

sqlite> .schema
CREATE TABLE attack(
  "date" TEXT,
  "time" TEXT,
  "ip" TEXT,
  "asnr" TEXT,
  "ascountry" TEXT,
  "asdesc" TEXT,
  "port" TEXT,
  "proto" TEXT,
  "server" TEXT,
  "type" TEXT,
  "method" TEXT,
  "pass" TEXT,
  "user" TEXT,
  "ver" TEXT
);
CREATE UNIQUE INDEX id on attack(date,time,ip,user,pass);

Insert

INSERT INTO table (column1,column2 ,..)
VALUES( value1, value2 ,...);

Update

 update attack set asnr='$asnr', ascountry='$ascountry', asdesc='$asdesc' where ip='$ip';

Delete

delete from attack where ip='$ip';

Transfer one Table from one host to another

ssh remotehost "sqlite3 /var/db/egal.sqlite '.dump table'" |sqlite3 mydb.sqlite

HamsterDB Cleanup

sqlite3 /var/db/runden.db
delete from runden where datum like '%2020-%';
vacuum;
Any Comments ?

sha256: f9dddde1c1140ca0a8fecf1baf3a673ecfadc7d29b2c7a9ee6e33f3c52c6fd1b

Cron & Environment

OpenBSD

Sometimes you run into problem because you’re not aware of the environment of cron.

So, let’s dump and check the environment.

Add Cronjob

*       *       *       *       *       env > /tmp/env.log

Dump Content

puffy200# cat /tmp/env.log
LOGNAME=root
HOME=/var/log
PWD=/var/log
PATH=/bin:/sbin:/usr/bin:/usr/sbin
SHELL=/bin/sh
USER=root
Any Comments ?

sha256: 6e5d4767a577cc5673505edd19b29f931ce23de7f97a9088c3137945206730a3

OpenBSD Current

OpenBSD

OpenBSD Current

Active OpenBSD development is known as the -current branch. These sources are frequently compiled into releases known as snapshots FAQ

Assuming, you can’t wait for the next release, or you wanna test features, find bugs and so participate on the community, this little script will help you:

Upgrade to Current

and remove game*,comp*,xf* and xs* Packages before reboot

cat << 'EOF' > upgrade_to_current.sh
#!/bin/sh

echo "let's check for news ..."

local _response=$(sysupgrade -n -s)

if [[ $_response == *reboot ]]; then
  echo "\nInstalled! Let's reboot ...\n"
  rm /home/_sysupgrade/{game,comp,xf,xs}*
  reboot
else
  echo "Nothing todo ..."
fi

exit 0
EOF

chmod 755 upgrade_to_current.sh
Any Comments ?

sha256: c6eb0b5142102775f26c373f1d16c378ade7683af62ca77bb3d088fdbb52c603

Doas

Linux, OpenBSD

doas, an alternative to sudo

Everybody knows sudo … right ? but the openbsd guys hacked a small and secure replacement called doas …

simple, secure and clever

here a good and quick tutorial

An introduction on Vultr, the Source Code on Github and the Man Page

Installation OpenBSD

On OpenBSD, it’s already in the Base System and no need to install anything.

Installation Linux

On Linux, for Example, you have to add the Package

OpenBSD with IPSEC -> GIF -> OSFP

OpenBSD

Intro

Stage two Machines, puffy206 and puffy207 Both Maschines needs static IP Adresses

puffy206

Loopback & Gif

doas su -
cat << 'EOF' > /etc/hostname.lo1
inet 10.0.0.6/32
up
EOF

cat << 'EOF' > /etc/hostname.gif0
description "Point2Point Interface for OSPF"
mtu 1420
10.10.10.6 10.10.10.7 netmask 255.255.255.255
tunnel 192.168.108.206 192.168.108.207
EOF

Enable IPSEC & IP Forwarding

cat << 'EOF' >> /etc/sysctl.conf
net.inet.ip.forwarding=1
net.inet.gre.allow=1
EOF

rcctl enable ipsec isakmpd
rcctl set isakmpd flags -K

Create Tunnel Endpoint

cat << 'EOF' > /etc/ipsec.conf
ike active esp transport from 192.168.108.206 to 192.168.108.207 peer 192.168.108.207 \
main auth "hmac-sha2-256" enc "aes-128" group modp3072 \
quick enc "aes-128-gcm" group modp3072 \
srcid 192.168.108.206 \
psk "my-tunnel-is-private"
EOF

chmod 600 /etc/ipsec.conf

Create ospfd.conf

cat << 'EOF' > /etc/ospfd.conf
# macros
id="192.168.108.206"

# global configuration
router-id id
fib-update yes
stub router yes
spf-delay 1
spf-holdtime 5

# areas
area 0.0.0.0 {
  interface gif0
  interface lo1 {}
}
EOF

chmod 600 /etc/ospfd.conf
rcctl enable ospfd

Reboot and Check

reboot
gnuwatch "ipsecctl -s all"

puffy207

Loopback & Gif

doas su -
cat << 'EOF' > /etc/hostname.lo1
inet 10.0.0.7/32
up
EOF

cat << 'EOF' > /etc/hostname.gif0
description "Point2Point Interface for OSPF"
mtu 1420
10.10.10.7 10.10.10.6 netmask 255.255.255.255
tunnel 192.168.108.207 192.168.108.206
EOF

Enable IPSEC & IP Forwarding

cat << 'EOF' >> /etc/sysctl.conf
net.inet.ip.forwarding=1
net.inet.gre.allow=1
EOF

rcctl enable ipsec isakmpd
rcctl set isakmpd flags -K

Create Tunnel Endpoint

cat << 'EOF' > /etc/ipsec.conf
ike active esp transport from 192.168.108.207 to 192.168.108.206 peer 192.168.108.206 \
main auth "hmac-sha2-256" enc "aes-128" group modp3072 \
quick enc "aes-128-gcm" group modp3072 \
srcid 192.168.108.207 \
psk "my-tunnel-is-private"
EOF

chmod 600 /etc/ipsec.conf

Create ospfd.conf

cat << 'EOF' > /etc/ospfd.conf
# macros
id="192.168.108.207"

# global configuration
router-id $id
fib-update yes
stub router yes
spf-delay 1
spf-holdtime 5

# areas
area 0.0.0.0 {
  interface gif0
  interface lo1 {}
}
EOF

chmod 600 /etc/ospfd.conf
rcctl enable ospfd

Reboot and Check

reboot
gnuwatch "ipsecctl -s all"

Test

ifconfig gif
ipsecctl -s all
route -n show -inet
ospfctl show nei

Throughput Test

root@client2 ~# tcpbench 10.0.0.7
  elapsed_ms          bytes         mbps   bwidth
        1000        2801664       22.413  100.00%
Conn:   1 Mbps:       22.413 Peak Mbps:       22.413 Avg Mbps:       22.413
        2009        2775672       22.007  100.00%
Conn:   1 Mbps:       22.007 Peak Mbps:       22.413 Avg Mbps:       22.007
        3014        3173760       25.264  100.00%
Conn:   1 Mbps:       25.264 Peak Mbps:       25.264 Avg Mbps:       25.264
        4021        3192912       25.391  100.00%
Conn:   1 Mbps:       25.391 Peak Mbps:       25.391 Avg Mbps:       25.391
Any Comments ?

sha256: d27ad9e5808a63352b5e5070af2abd82a9924129b713f98d1d10d4f8a8085df4

IPSEC with OpenBSD

OpenBSD

Intro

Stage a few Machines, puffy206 - 209 puffy206 has got a static ip, while puffy207 - 209 got dynamic ip addresses

Master, puffy206

Loopback

doas su -
cat << 'EOF' > /etc/hostname.lo1
inet 10.0.0.6/32
up
EOF

Enable IPSEC & IP Forwarding

cat << 'EOF' >> /etc/sysctl.conf
net.inet.ip.forwarding=1
net.inet.gre.allow=1
EOF

rcctl enable ipsec isakmpd
rcctl set isakmpd flags -K

Create Tunnel Endpoint

cat << 'EOF' > /etc/ipsec.conf
ike dynamic esp tunnel from 10.0.0.6/32 to 10.0.0.7/32 peer any \
    main group "modp1024" quick group "modp1024" \
    psk "my-tunnel-is-private"

ike dynamic esp tunnel from 10.0.0.6/32 to 10.0.0.8/32 peer any \
    main group "modp1024" quick group "modp1024" \
    psk "my-tunnel-is-private"

ike dynamic esp tunnel from 10.0.0.6/32 to 10.0.0.8/32 peer any \
    main group "modp1024" quick group "modp1024" \
    psk "my-tunnel-is-private"
EOF
chmod 600 /etc/ipsec.conf

Reboot and Check

reboot
gnuwatch "ipsecctl -s all"

Slave, puffy207

Loopback

doas su -
cat << 'EOF' > /etc/hostname.lo1
inet 10.0.0.7/32
up
EOF

Enable IPSEC & IP Forwarding

cat << 'EOF' >> /etc/sysctl.conf
net.inet.ip.forwarding=1
net.inet.gre.allow=1
EOF

rcctl enable ipsec isakmpd
rcctl set isakmpd flags -K

IPSEC

cat << 'EOF' > /etc/ipsec.conf
ike esp tunnel from 10.0.0.7/32 to 10.0.0.6/32 peer 192.168.108.206 \
    main group "modp1024" quick group "modp1024" \
    psk "my-tunnel-is-private"
EOF
chmod 600 /etc/ipsec.conf

Slave, puffy208

Loopback

doas su -
cat << 'EOF' > /etc/hostname.lo1
inet 10.0.0.8/32
up
EOF

Enable IPSEC & IP Forwarding

cat << 'EOF' >> /etc/sysctl.conf
net.inet.ip.forwarding=1
net.inet.gre.allow=1
EOF

rcctl enable ipsec isakmpd
rcctl set isakmpd flags -K

IPSEC

cat << 'EOF' > /etc/ipsec.conf
ike esp tunnel from 10.0.0.8/32 to 10.0.0.6/32 peer 192.168.108.206 \
    main group "modp1024" quick group "modp1024" \
    psk "my-tunnel-is-private"
EOF
chmod 600 /etc/ipsec.conf

Slave, puffy209

Loopback

doas su -
cat << 'EOF' > /etc/hostname.lo1
inet 10.0.0.9/32
up
EOF

Enable IPSEC & IP Forwarding

cat << 'EOF' >> /etc/sysctl.conf
net.inet.ip.forwarding=1
net.inet.gre.allow=1
EOF

rcctl enable ipsec isakmpd
rcctl set isakmpd flags -K

IPSEC

cat << 'EOF' > /etc/ipsec.conf
ike esp tunnel from 10.0.0.9/32 to 10.0.0.6/32 peer 192.168.108.206 \
    main group "modp1024" quick group "modp1024" \
    psk "my-tunnel-is-private"
EOF
chmod 600 /etc/ipsec.conf

Full IPSEC Example

cat /etc/ipsec.conf

#
# https://man.openbsd.org/ipsec.conf.5
# http://www.kernel-panic.it/openbsd/vpn/vpn3.html
# https://www.packetmischief.ca/openbsd-ipsec-tunnel-guide/
#
# ike [mode] [encap] [tmode] [proto protocol] \
    # from src [port sport] [(srcnat)] to dst [port dport] \
    # [local localip] [peer remote] \
    # [mode auth algorithm enc algorithm group group] \
    # [quick auth algorithm enc algorithm group group] \
    # [srcid string] [dstid string] \
    # [psk string] [tag string]

# mode:   active (default), passive, dynamic
# encap:  esp (default), ah
# tmode:  tunnel (default), transport
# mode:   main (default), aggressive -> this is phase 1
# quick:  -> this is phase 2


# Var

local_gw    = "MEINE-PUBLIC-IP"
local_net   = "MEIN-NETZWERK/MASK"

auth1       = "hmac-sha1"       # hmac-sha1, hmac-sha2-256, hmac-sha2-384, hmac-sha2-512
enc1        = "aes-128"         # aes-128 (=aes), aes-192, aes-256, blowfish
group1      = "modp3072"        # modp768 (g1), modp1024 (g2), modp1536 (g5), modp2048 (g14), modp3072 (g15), modp4096 (g16), modp6144 (g17), modp8192 (g18), ... (g30)
time1       = "3600"            # in Seconds, or 10m, resp 12h

auth2       = "hmac-sha2-256"   # siehe oben
enc2        = "aes-128"         # siehe oben
group2      = "modp3072"        # siehe oben
time2       = "1200"            # siehe oben


# Tunnel to Remote

remote_gw   = "DEINE-PUBLIC-IP"
remote_net  = "DEIN-NETZWERK/MASK"
key         = "super-huper-secret-key""

ike dynamic esp tunnel from $local_net to $remote_net peer $remote_gw \
main    auth $auth1   enc $enc1   group $group1   lifetime $time1 \
quick   auth $auth2   enc $enc2   group $group2   lifetime $time2 \
srcid $local_gw \
psk $key

ike dynamic esp tunnel from $remote_net to $local_net peer $remote_gw \
main    auth $auth1   enc $enc1   group $group1   lifetime $time1 \
quick   auth $auth2   enc $enc2   group $group2   lifetime $time2 \
srcid $local_gw \
psk $key

Packetmischief

Tweak Nginx Webserver with limited Client Certificate

OpenBSD

Install NGINX & PHP

pkg_add nginx php--%7.3
rcctl enable nginx php73_fpm

Edit php.ini

sed -i s'/date.timezone = UTC.*/date.timezone = Europe\/Zurich/'  /etc/php-7.3.ini
sed -i s'/short_open_tag = Off.*/short_open_tag = On/'  /etc/php-7.3.ini

nginx.conf

mkdir /var/log/nginx

cat << 'EOF' > /etc/nginx/nginx.conf
worker_processes  1;

worker_rlimit_nofile 1024;

events {
    worker_connections  800;
}

http {
    include       mime.types;
    default_type  application/octet-stream;
    index         index.php index.html index.htm;

    keepalive_timeout  65;

    server_tokens off;

    proxy_cache_valid any 0s;

    log_format  main  '$remote_addr - $ssl_client_serial - [$time_local] - "$request" - $status - $body_bytes_sent';

    map $ssl_client_serial $ssl_access {
      default 0;
      WFuDgzQBZXV740D3 1;   # Hans Muster
      EDugUslEX1Et90WX 0;   # Beat Breu
      2DF3C663741296F5 1;   # Ruedi Ruessel
    }
    #
    # HTTP -> Redirect to HTTPS
    #
    server {
        listen        80;
        server_name   localhost;
        access_log    logs/host.access.log  main;
        return 301    https://$host$request_uri;
    }
    #
    # HTTPS server
    #
    server {
        listen        443 ssl;
        server_name   localhost;
        access_log    /var/log/nginx/puffy205.log main;
        error_log     /var/log/nginx/puffy205-error.log;

        ssl_certificate             /etc/ssl/combo/host.crt;
        ssl_certificate_key         /etc/ssl/combo/host.crt;
        ssl_session_timeout         5m;
        ssl_session_cache           shared:SSL:1m;
        ssl_ciphers                 HIGH:!aNULL:!MD5:!RC4;
        ssl_prefer_server_ciphers   on;

        ssl_client_certificate      /etc/ssl/combo/root.crt;
        ssl_verify_client           optional;

        root                        /var/www/htdocs;

        location / {
          # Block if no Cert
          if ($ssl_client_verify != SUCCESS) {
            return 403;
          }
          # Block if not whitelisted
          if ($ssl_access = 0) {
            return 403;
          }
        }

        location ~ \.php$ {
          try_files      $uri $uri/ =404;
          fastcgi_pass   unix:run/php-fpm.sock;
          fastcgi_index  index.php;
          fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
          fastcgi_param  SSL_CLIENT_SERIAL $ssl_client_serial;
          include        fastcgi_params;
        }
    }
}
EOF

Root Cert, Server Cert

mkdir -p /etc/ssl/combo/
cat << 'EOF' > /etc/ssl/combo/host.crt
-----BEGIN CERTIFICATE-----
MIID6jCCAtKgAwIBAgIIaGXwEvomrIYwDQYJKoZIhvcNAQELBQAwWjELMAkGA1UE
BhMCQ0gxFDASBgNVBAgTC1N3aXR6ZXJsYW5kMQ8wDQYDVQQHEwZadXJpY2gxEjAQ
BgNVBAoTCVN0b2VnZSBBRzEQMA4GA1UEAxMHcm9vdCBDQTAeFw0yMDA0MDIxNTE1
MDBaFw0yMjA2MTExNTE1MDBaMGIxCzAJBgNVBAYTAkNIMRQwEgYDVQQIEwtTd2l0
emVybGFuZDEPMA0GA1UEBxMGWnVyaWNoMRIwEAYDVQQKEwlTdG9lZ2UgQUcxGDAW
BgNVBAMTD3B1ZmZ5MjA1LnBsYW5ldDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBAKiWF3qZvvXDPxuwhMHE3WDIQIJvRPKmBQQsEnnn598tD+W7aeSgvnZ3
Oel3n4WRl6syNF3CLPo3EbMy8VgZrCOul8Uvjro9WLZeL7tG5CndRFZu9Erzq2Ic
KodQGxEc3jC3UxFypr4OuUAigrlWi5dRp3dhzP4/xqQ42c1axPoI/YDzIdw5O6WZ
QWZf0YfsAIbbkw3YymLBoZQxyBmhasaU6xBnIAMLuYA6IVqz3QoGHxDr8bij34y5
TRb0575TzTdAtmWhN3GE+xGOJ/KPQ6MZjaA9oz15bMVuVg1uZgUXE5K22kx6eZLk
ejhV4nxnokftPJBZfaC9LbX661B9GTUCAwEAAaOBqzCBqDAMBgNVHRMBAf8EAjAA
MB0GA1UdDgQWBBT9D1+1pNUT3SuAfeptzaeszgUivTALBgNVHQ8EBAMCBeAwEwYD
VR0lBAwwCgYIKwYBBQUHAwEwJAYDVR0RBB0wG4IPcHVmZnkyMDUucGxhbmV0gghw
dWZmeTIwNTARBglghkgBhvhCAQEEBAMCBkAwHgYJYIZIAYb4QgENBBEWD3hjYSBj
ZXJ0aWZpY2F0ZTANBgkqhkiG9w0BAQsFAAOCAQEAKfRir/cZkKdeoDWV5qN3NNw/
AWNJZjkA6KvFwuXjvMR00/vlaqTuOOBKEU5CtxnHDKhfpkjSnX7ynoJXoAQYkNag
3reSKkFZ1TX1yz/Pf/f8YLbiA3e1hx9E0E5gAENtYB6vkZh5quhRnqsHSJpJP6H6
IYaZLh7w4+RL5qvQmN1tlyKwInrJmY6jsLPhALUDFQewDPJDla/iJ6ivlHsvCtMC
MA/slsJ2iWaHbAIzCXZyBeJHR949zJvja0jJPJHVDknsKypO9WEeMclaSoY1AfVI
dGg5W8ahwxuwX2e3ygbORoG0R1Qoeqdp8+VRvOpxM4R97NPtkEq/XPgrtWnoyQ==
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEAqJYXepm+9cM/G7CEwcTdYMhAgm9E8qYFBCwSeefn3y0P5btp
...
AsoXCZvnbPzWsP8M2JokEngD0201NZN8/aBuDi0+aF1b3xA1vtKumdM=
-----END RSA PRIVATE KEY-----
EOF
chmod 440 /etc/ssl/combo/host.crt

cat << 'EOF' > /etc/ssl/combo/root.crt
-----BEGIN CERTIFICATE-----
MIIDqDCCApCgAwIBAgIIe1F3tBzaragwDQYJKoZIhvcNAQEMBQAwWjELMAkGA1UE
BhMCQ0gxFDASBgNVBAgTC1N3aXR6ZXJsYW5kMQ8wDQYDVQQHEwZadXJpY2gxEjAQ
BgNVBAoTCVN0b2VnZSBBRzEQMA4GA1UEAxMHcm9vdCBDQTAeFw0xOTA2MDUyMDA0
MDBaFw0yOTA2MDUyMDA0MDBaMFoxCzAJBgNVBAYTAkNIMRQwEgYDVQQIEwtTd2l0
emVybGFuZDEPMA0GA1UEBxMGWnVyaWNoMRIwEAYDVQQKEwlTdG9lZ2UgQUcxEDAO
BgNVBAMTB3Jvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC8
kBixlR0b3tE7Db6CuFTYeKdSGbnLx2Df8zir0ueFlv6JX5rLgbWbb5rMnWOH1O1N
AmCbuh0CrXD1evl1Glyf3hmumIvW4GVfWcQNvBsq1iUfoJn24qGnTu502xX1Gv5F
TCOxq2HqdLEwsktl2Pn76/49quj1PlBSSpYLWBsvqj1NkNIXgMzUjBURF+fEtRby
SE5RLbw+fubAw1e9K3Xu5VLgItno3g9t2B4MKTApsCZsOR288kedrAUxFhyB2pD/
6L9sbyM1h5r+EMjAzyeTeUKtXXqC+AyLthkw3eB58UY/QxpoNiggQY+5yd57yzxK
Ox1QHh+kj2+8eK5b3+pFAgMBAAGjcjBwMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0O
BBYEFG8FFqfTRx/lTT0qfF/tEknHS7LSMAsGA1UdDwQEAwIBBjARBglghkgBhvhC
AQEEBAMCAAcwHgYJYIZIAYb4QgENBBEWD3hjYSBjZXJ0aWZpY2F0ZTANBgkqhkiG
9w0BAQwFAAOCAQEATzFY8H0EX+yFWEgRtGNciIp0WsQ53cjRnNxdkDsW+W2gB+cs
QdS2LBoWts5jLHXrZstJAoy1qyEhqyYvXFMf4SsfKsrXfli7fgod5figyVjhmz41
6v/Ss668kyjWOYkY3CYqPTJolxDuIpMIq/AMGurlcf6oTDdP/FPs4nvdGed16Qjp
849n7r+ugQKrbDC4VpDXcZECXlQjI3QgUeXKqly0LXcwqFXqC3+m1O6YTwyIFrLy
8ZyWjAKN4NdKd88eiczvEj3uQVXhqkbmiEyp3q5jsXcQLzblJ0aCABqppvGLgASq
Z9QeBLjqhJ3DIcgKcHqJsox+xKrDLtIvgYmaOg==
-----END CERTIFICATE-----
EOF
chmod 440 /etc/ssl/combo/root.crt

index.php

cat << 'EOF' > /var/www/htdocs/index.php
Hi <?
  $array = [
    "WFuDgzQBZXV740D3" => "Hans Muster",
    "EDugUslEX1Et90WX" => "Beat Breu",
    "2DF3C663741296F5" => "Ruedi Ruessel"
  ];
  echo $array[$_SERVER['SSL_CLIENT_SERIAL']];
?>, your Certificat Serial Number is
<?
  echo $_SERVER['SSL_CLIENT_SERIAL'];
?>
EOF

Start all stuff

rcctl restart nginx php73_fpm

Open Webpage:

puffy205