Let’s Encrypt

Let’s Encrypt: Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 6

Today, nearly two weeks after making some config changes for some Let’s Encrypt certs, I saw new-to-me messages:

In this post:
FreeBSD 15.0
acme.sh-3.1.3_1

Looking up that URL, I found: Let’s see:

root@certs:/var/db/acme/certs # host acme-v02.api.acmeencrypt.org
Host acme-v02.api.acmeencrypt.org not found: 3(NXDOMAIN)
root@certs:/var/db/acme/certs #

Oh. I posted on Mastodon before proceeding. First things first. Priority matters. Then I went into /var/db/acme/certs/r720-02-pg01.example.org/r720-02-pg01.example.org.conf and made this change: In short, acmeencrypt became letsencrypt. I […]

acme.sh – Let’s Encrypt: Renewing using Le_API=https://acme.zerossl.com/v2/DV90

For a few days now, the cronjob which runs acme.sh to renew my Let’s Encrypt certificates was tossing out errors for the same two certs. Today, I went looking in the logs.

In this post:
FreeBSD 15.0
acme.sh-3.1.3_1
hostnames have been altered to obscure those actually in use – the real reason I do this is to trigger the security by obscurity zealots

The cronjob
My cronjob looks like this:

The logs
The

acm.esh key ’/var/db/acme/certs.int.unixathome.org.key’ is unreadable

Today, while mucking about with a new cronjob and log file for acme.sh, I stumbled across these error messages: Why was I stumbling around? This email arrived after the daily cert renewal: Three skips. Three error messages. Let’s look at that file:

[18:37 certs dan ~] % sudo ls -l /var/db/acme/certs.int.unixathome.org.key
-rw-r----- 1 root acme 116 Oct 6 20:21 /var/db/acme/certs.int.unixathome.org.key

That should be readable. I checked some ZFS snapshots from earlier this week.

Use of K* file pairs for HMAC is deprecated – acme.sh

On Wednesday Oct 6th, I was greeted by these log messages: This is the output from the cronjob run by the acme user in my jail called certs. This is the daily run to renew any certificates which are soon to expire. This is the job in question:

[19:36 certs dan ~] % sudo crontab -l -u acme
44 16 * * * /usr/local/sbin/acme.sh --cron --home /var/db/acme/.acme.sh > /dev/null
[19:44 certs dan ~]

Today I faced the first consequences of my TXT & Let’s Encrypt strict policy

Today I faced the first implications of deciding to tightly restrict the use of nsupdate keys for modifying TXT records for dns-01 challenges with Let’s Encrypt.

Context
This section should be on news.freshports.org and you can skip it to get to the real stuff. Today I’m working on a mostly automated FreshPorts node deployment. A FreshPorts node consists of:

host server – A FreeBSD host which contains the other nodes
database – holds

Creating a very specific TXT only nsupdate connection for Let’s Encrypt

In the interests of maintaining Michael W Lucas in the lifestyle to which he has become accustomed, I am creating this blog post. Although Mr Lucas was the first to post, he is not solely to blame for my burdensome workload. Jan-Piet Mens and Evan Hunt also have much to answer for. Their misdeeds include mentioning newer BIND tools which necessitated an update to an older blog post. The worst of them all,

ACME domain alias mode

I recently became aware that ACME DNS validation can be accomplished via proxy. By proxy, I mean you can update the DNS records of another domain, not the domain for which the certificate is being issued. Why would you do this (as taken from acme.sh DNS Alias Mode):

Your DNS provider does not provide API access; you can’t update the domain easily.
You are concerned about the security implications. That is, a third-party

No more certificate fingerprints – only sasl auth instead

Today I gave up on my attempt to allow relay via SSL certificate fingerprints. Instead, I will use sasl auth. Yesterday I wrote about my SMTP deliver test which broke when an SSL certificate was updated. Later that day, I finished writing scripts which delivered that fingerprint file to all hosts which needed it. Today, I abandoned that approach in favor of sasl. From the time I decided to use sasl to my

Postfix suddenly starts rejecting email it had been accepting

Let’s Encrypt is an easy way to get free SSL certificates in an automated manner. You may never have to manually do another cert renewal again. Last night, I received this email:

From: Cron Daemon
To: dan@langille.org
Subject: Cron /usr/local/bin/cert-puller
Date: Fri, 23 Feb 2018 23:57:00 +0000 (UTC)

/etc/rc.conf: 3: not found
/etc/rc.conf: yr: not found
/etc/rc.conf: 3: not found
/etc/rc.conf: yr: not found

Little did I know when I tweeted about it,

Getting acme.sh to renew certs via cronjob on FreeBSD

In the past, I’ve written about using acme.sh to automatically generate SSL certificates and distribute them to the required locations. I do this in a single central location, and the websites and mail servers grab their new certs from a webserver. At the time of writing, I was using FreeBSD 11.1 and acme.sh 2.7.4, supplied by the FreeBSD port, in a jail. Nagios warned me that one of my Let’s Encrypt certificates was
