Yep, you could easily achieve that (and much more) using zkCli.sh (Zookeeper client):
Connecting to localhost:2181
Welcome to ZooKeeper!
JLine support is enabled
WatchedEvent state:SyncConnected type:None path:null
[zk: localhost:2181(CONNECTED) 0] help
ZooKeeper -server host:port cmd args
get path [watch]
ls path [watch]
set path data [version]
delquota [-n|-b] path
create [-s] [-e] path data acl
stat path [watch]
ls2 path [watch]
setAcl path acl
addauth scheme auth
delete path [version]
setquota -n|-b val path
Issue “rmr” (to remove recursively) or “delete” to remove a znode.
Otherwise (quoting RFC6797):
If an HTTP response is received over insecure transport, the UA MUST ignore any present STS header field(s).
That means SSL certificate on your server must be valid, i.e. no errors or warnings when you open a page from a browser over https.
It wasn’t obvious to me until I tried to run netcat utility (aka nc) on Ubuntu 10.04 (lucid) release to check Zookeeper’s status:
echo "stat" | nc zookeer_server_name 2181
zookeer_server_name: forward host lookup failed: No address associated with name
It wouldn’t have been a problem had Zookeeper server used IPv4 address but it was configured with IPv6. So tools that used gethostbyname2(), e.g. getent, were still ok, and only those with gethostbyname() were failing me. Luckily, netcat and other important libraries had newer versions I could use. Once again, if you are on an old and rusty Linux distro be aware that gethostbyname*() and gethostbyaddr*() functions are obsolete
As Anton mentioned in his comment below, getaddrinfo() had its own gotchas, which, if I got it right, were caused by AI_ADDRCONFIG flag. There is a good summary page which goes in more details regarding AI_ADDRCONFIG and the peculiarities pertaining to its current implementation in glibc.
Seems I’ve been living under a rock for far too log. From RFC2818:
Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to use the dNSName instead.
So in today’s world CN is only evaluated when subjectAltName is not present and if it’s set all host names, IPs, emails, etc. must be specified in subjectAltName.
As a bonus, below is a one-liner to generate CSR with subjectAltName:
openssl req -new -newkey rsa:2048 -keyout example.com.key -sha256 -nodes -days 36500 -out example.com.csr -subj "/C=US/ST=IL/L=Chicago/O=Fortune500/OU=IT/CN=example.com" -reqexts v3_req -config <(cat /etc/pki/tls/openssl.cnf <(printf "[ v3_req ]\nsubjectAltName = DNS:example.com,DNS:www.example.com"))
If you need to find the percentile in Python do that correctly. Which means is by following one of the following receipts: