In general, passphrase-less ssh keys are a security nightmare. It is similar to leaving the key to your front door in the lock. Anyone stumbling across it has access to your house. Similarly, if someone gets your ssh key, and there is no passphrase on it, they can use that key for anything which grants access to that key. Side note: How can you tell if a given ssh key has a passphrase? […]
subversion via ssh passphrase-less key Read More »
I started replacing 3TB drives with 5TB drives in a 10 drive raidz3 array on a FreeBSD 10.3 box. I was not sure which drive tray to pull, so I powered off the server, and, one by one, pulled the drive tray, photographed it, and reinserted the drive tray. No changes were made. The first reboot Upon powering up, I was greeted by this (I have typed out the text for search purposes):
After replacing 3TB drive with 5TB drive, FreeBSD 10.3 system did not reboot Read More »
This morning, I was reviewing the logs and noticed these notices in /var/log/messages: I guessed that this was directly related to the zfs replace command I had issued the day before, but I wanted to confirm that. I like to use sudo instead of becoming root. One of the many benefits to this approach is logging. Everything is logged to /var/log/auth.log for later review. However, by the time I went to look, /var/log/auth.log
Logging, backups, and newsyslog.conf on FreeBSD Read More »
In this power, the server is running FreeBSD 10.3. I am completely and unreasonably biased: ZFS is the best filesystem out there. Do not take my word for it. Ask around. Today, I started a process I’ve been waiting to do for a while. I am replacing the 3TB drives in a 10-drive raidz2 array with 5TB drives. These new drives are faster, I think perhaps cooler, and, more to the point, bigger.
Swapping 5TB in, 3TB out Read More »
These steps were carried out on FreeBSD 11.0 with PostgreSQL 9.6 (two of my favorite tools). I like logging. I like logging PostgreSQL. With logs, you can see what happened. Without, you can only guess. Setting up logging for PostgreSQL involves several parts, each of which must be completed or else I don’t get what I want. This is not a criticism of PostgreSQL. It’s a feature. I am documenting this because each
PostgreSQL – logging to a file Read More »
This is mostly a note to myself. #### Edit: 2018.09.08 : If you see messages like this: $ sudo gmirror insert swap /dev/da5p2 gmirror: Class not found $ gmirror list -a gmirror: Command ‘list’ not available. You probably need to do this: sudo kldload geom_mirror #### I had these drives: They are involved in this zpool: I decided to create a 6-way mirror for swap: sudo gmirror label -v -b round-robin swap diskid/DISK-653DK7WBFS9Ap2
Creating a gmirror swap Read More »
This post has been replaced by a newer one. For reference, the previous post on this server is still available. The most recent change was from 3TB to 5TB drives. For future reference, this is the slocum server, which I use for various jails and services. It is mounted in the 4U chassis mentioned in this post The filesystems, well, some of them: And dmesg:
Now that I have configured my webserver to pull down any new certificates, now it’s time to configure my clients to pull certificates from the webserver. In my quest for a centralized Let’s Encrypt solution, I’ve created the FreeBSD port for acme.sh (an ACME client for Let’s Encrypt) and anvil, a tool for distributing and installing those certificates. In previous blog posts, I’ve described various steps leading up to this: Creating a TXT
cert-puller: using anvil to pull down & install new certificates, then restart services Read More »
In my Let’s Encrypt implementation, I am using a centralized acme.sh solution which generates all the certificates I use and authenticates via dns-01 challenges. I use anvil to distribute those certificates. In this post, I will describe how the website pulls the certificates down from the rsync-jail. I will assume you have read my previous post where I describe the cert-shifter process. Configuring the jail host This solution assumes that the acme.sh jail
anvil – copying the certificates to the website Read More »
I have already described how I use acme.sh to obtain SSL certificates from Let’s Encrypt. Today, I’m going to show you how I use anvil to copy those certificates from the original location to another directory, which is then used for rsync by another jail. Throughout this blog post, it is assumed that the cert-shifter will be run as the anvil user. Please adjust to suit your choices. Why shift certificates? As part
cert-shifter: copying certificates from acme.sh to a fresh directory Read More »