Networking

OpenSSL

Verify a certificate using openssl

$ kubectl get secret my-cert -n istio-system \
    -o 'go-template={{index .data "tls.crt"}}' \
    | base64 -d | openssl x509 -text -noout

Review TLS certificate chain given a hostname.

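# </dev/null ends the s_client session after the handshake; x509 decodes the first (leaf) certificate.
openssl x509 -text -noout -in <(openssl s_client -connect google.com:443 -servername google.com </dev/null 2>/dev/null)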

Curl

Force domain name resolution

DOMAIN=example.com
LB_IP=10.139.0.123
curl -H "Host: ${DOMAIN}" "https://${DOMAIN}" --resolve "${DOMAIN}:443:${LB_IP}"

This is useful in blue-green upgrades before cutting over DNS. For example, we can use this command to talk to the load balancer upstream backends without DNS.
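Before cutting over, it also helps to check the certificate the new load balancer presents rather than only printing it. The following is an added example, not part of the original page: the function names are hypothetical, `fetch_cert` takes the same DOMAIN and LB_IP pair used with --resolve above, and the sample certificate is a constructed, self-signed one generated locally.

```shell
# Added example; fetch_cert, check_cert and make_sample_cert are hypothetical names.

# fetch_cert HOST IP
# Save-able PEM of the leaf certificate served at IP:443 when HOST is sent as SNI.
fetch_cert() {
    openssl s_client -connect "$2:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM
}

# check_cert PEM_FILE HOST MIN_DAYS
# Returns 0 only if the certificate covers HOST and stays valid for MIN_DAYS.
# Returns 1 on upcoming expiry, 2 on hostname mismatch.
check_cert() {
    # -checkend exits non-zero if the cert expires within the given seconds.
    if ! openssl x509 -in "$1" -noout -checkend $(($3 * 86400)) >/dev/null; then
        echo "FAIL: certificate expires within $3 days" >&2
        return 1
    fi
    # -checkhost reports its result as text, so match on the output.
    if ! openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'; then
        echo "FAIL: certificate does not cover $2" >&2
        return 2
    fi
    return 0
}

# make_sample_cert PEM_FILE
# Constructed sample input: throwaway self-signed cert for example.com, 30 days.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=example.com" -addext "subjectAltName=DNS:example.com" \
        -keyout "$1.key" -out "$1" 2>/dev/null
}
```

Against a real backend, `fetch_cert "$DOMAIN" "$LB_IP" > lb.pem && check_cert lb.pem "$DOMAIN" 14` fails the cutover step if the new load balancer serves the wrong or a soon-to-expire certificate. This checks expiry and name coverage only, not the trust chain.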

Robust Curl

  • Use -L to follow 301/302 redirects
  • Use --fail to exit with a non-zero code on 4xx and 5xx HTTP responses.
    • By default, curl does not treat 4xx and 5xx responses as failures, since the HTTP request completed, but for application use cases they should almost certainly be handled as errors.
  • Use --retry <count> to retry the request on transient errors. Combined with --fail, --retry will also retry HTTP 4xx. A transient error means:
    • timeout
    • FTP 4xx response code
    • HTTP 5xx response code
  • Optional: use --retry-delay 3 to turn off exponential backoff and always wait 3 seconds before retrying.
  • Use --show-error to print any error message even in silent mode.
  • Use -v to turn on verbose logging.

Example

CURL_OPTS=(
    -L
    -v          # verbose output can include request headers such as Authorization; drop it where logs are shared
    --retry 5
    --retry-delay 5
    --fail
    --show-error
)
curl "${CURL_OPTS[@]}" \
    -H "Authorization: token ${MY_TOKEN}" \
    https://api.github.com/user/repos

Silence the progress bar

curl -s https://example.com/big.file -o output.file