Today I faced the first implications of deciding to tightly restrict the use of nsupdate keys for modifying TXT records for dns-01 challenges with Let’s Encrypt. Context This section should be on news.freshports.org and you can skip it to get to the real stuff. Today I’m working on a mostly automated FreshPorts node deployment. A …
Today I faced the first consequences of my TXT & Let’s Encrypt strict policy Read More »
In the interests of maintaining Michael W Lucas in the lifestyle to which he has become accustomed, I am creating this blog post. Although Mr Lucas was the first to post, he is not solely to blame for my burdensome workload. Jan-Piet Mens and Evan Hunt also have much to answer for. Their misdeeds include …
Creating a very specific TXT only nsupdate connection for Let’s Encrypt Read More »
2FA has its critics: It’s so unreliable! Phones are so easily hijacked It’s not a lot of added security etc Some of these make assumptions not necessarily in evidence. In this post: FreeBSD 12.1 pam_google_authenticator-1.08 Most of the 2FA I use is time-based one-off passwords (TOTP), as opposed to text messages. These are often 6-digit …
Today I found out about a vuln in net/py-urllib3. Nagios told me: Checking for security vulnerabilities in base (userland & kernel): Host system: Database fetched: Tue Nov 26 18:23:32 UTC 2019 py36-urllib3-1.22,1 I logged into that host and ran a pkg upgrade py36-urllib3. What other hosts have that installed? There. That’s the hosts I have …
Which hosts have this vuln package installed? SamDrucker knows. Read More »
I have scripts for monitoring vulns in FreeBSD jails. They use third-party scripts. All I wrote was the Nagios part of the solution. I was preparing slides for my Why I prefer thick jails over thin jails talk at EuroBSDCon 2019. There is still time to register and attend. I was explaining my scripts and …
I recently became aware that ACME DNS validation can be accomplished via proxy. By proxy, I mean you can update the DNS records of another domain, not the domain for which the certificate is being issued. Why would you do this (as taken from acme.sh DNS Alias Mode): Your DNS provider does not provide API …
As you read this post, keep in mind that my particular use case of notification on ssh login is not for everyone. It may not appeal to you. In fact, you might find this to be an absolutely ridiculous thing to do. I respect that. I suggest that somewhere within your network there is at …
Using mtqq to create a notification network: mosquitto, mqttwarn, hare, and hared Read More »
Today I gave up on my attempt to allow relay via SSL certificate fingerprints. Instead, I will use sasl auth. Yesterday I wrote about my SMTP deliver test which broke when an SSL certificate was updated. Later that day, I finished writing scripts which delivered that fingerprint file to all hosts which needed it. Today, …
No more certificate fingerprints – only sasl auth instead Read More »
Let’s Encrypt is an easy way to get free SSL certificates in an automated manner. You may never have to manually do another cert renewal again. Last night, I received this email: From: Cron Daemon To: dan@langille.org Subject: Cron /usr/local/bin/cert-puller Date: Fri, 23 Feb 2018 23:57:00 +0000 (UTC) /etc/rc.conf: 3: not found /etc/rc.conf: yr: not …
Postfix suddenly starts rejecting email it had been accepting Read More »
In the past, I’ve written about using acme.sh to automatically generate SSL certificates and distribute them to the required locations. I do this in a single central location, and the websites and mail servers grab their new certs from a webserver. At the time of writing, I was using FreeBSD 11.1 and acme.sh 2.7.4, supplied …
Getting acme.sh to renew certs via cronjob on FreeBSD Read More »