Let’s Encrypt

acm.esh key ’/var/db/acme/certs.int.unixathome.org.key’ is unreadable

Leave a Comment / Let's Encrypt, Security / By /

Today, while mucking about with a new cronjob and log file for acme.sh, I stumbled across these error messages: Why was I stumbling around? This email arrived after the daily cert renewal: Three skips. Three error messages. Let’s look at that file: [18:37 certs dan ~] % sudo ls -l /var/db/acme/certs.int.unixathome.org.key -rw-r—– 1 root acme 116 Oct 6 20:21 /var/db/acme/certs.int.unixathome.org.key That should be readable. I checked some ZFS snapshots from earlier this week. […]

acm.esh key ’/var/db/acme/certs.int.unixathome.org.key’ is unreadable Read More »

Use of K* file pairs for HMAC is deprecated – acme.sh

Leave a Comment / DNS, Let's Encrypt, named, nsupdate, Security / By /

On Wednesday Oct 6th, I was greeted by these log messages: This is the output from the cronjob run by the acme user in my jail called certs. This is the daily run to renew any certificates which are soon to expire. This is the job in question: [19:36 certs dan ~] % sudo crontab -l -u acme 44 16 * * * /usr/local/sbin/acme.sh –cron –home /var/db/acme/.acme.sh > /dev/null [19:44 certs dan ~]

Use of K* file pairs for HMAC is deprecated – acme.sh Read More »

Today I faced the first consequences of my TXT & Let’s Encrypt strict policy

Leave a Comment / DNS, Let's Encrypt, named, Open Source, Security / By /

Today I faced the first implications of deciding to tightly restrict the use of nsupdate keys for modifying TXT records for dns-01 challenges with Let’s Encrypt. Context This section should be on news.freshports.org and you can skip it to get to the real stuff. Today I’m working on a mostly automated FreshPorts node deployment. A FreshPorts node consists of: host server – A FreeBSD host which contains the other nodes database – holds

Today I faced the first consequences of my TXT & Let’s Encrypt strict policy Read More »

Creating a very specific TXT only nsupdate connection for Let’s Encrypt

Leave a Comment / DNS, Let's Encrypt, named, Security / By /

In the interests of maintaining Michael W Lucas in the lifestyle to which he has become accustomed, I am creating this blog post. Although Mr Lucas was the first to post, he is not solely to blame for my burdensome workload. Jan-Piet Mens and Evan Hunt also have much to answer for. Their misdeeds include mentioning newer BIND tools which necessitated an update to an older blog post. The worst of them all,

Creating a very specific TXT only nsupdate connection for Let’s Encrypt Read More »

ACME domain alias mode

Leave a Comment / Let's Encrypt / By /

I recently became aware that ACME DNS validation can be accomplished via proxy. By proxy, I mean you can update the DNS records of another domain, not the domain for which the certificate is being issued. Why would you do this (as taken from acme.sh DNS Alias Mode): Your DNS provider does not provide API access; you can’t update the domain easily. You are concerned about the security implications. That is, a third-party

ACME domain alias mode Read More »

No more certificate fingerprints – only sasl auth instead

Leave a Comment / Let's Encrypt, Postfix / By /

Today I gave up on my attempt to allow relay via SSL certificate fingerprints. Instead, I will use sasl auth. Yesterday I wrote about my SMTP deliver test which broke when an SSL certificate was updated. Later that day, I finished writing scripts which delivered that fingerprint file to all hosts which needed it. Today, I abandoned that approach in favor of sasl. From the time I decided to use sasl to my

No more certificate fingerprints – only sasl auth instead Read More »

Postfix suddenly starts rejecting email it had been accepting

Leave a Comment / Let's Encrypt, Mail, Postfix / By /

Let’s Encrypt is an easy way to get free SSL certificates in an automated manner. You may never have to manually do another cert renewal again. Last night, I received this email: From: Cron Daemon To: dan@langille.org Subject: Cron /usr/local/bin/cert-puller Date: Fri, 23 Feb 2018 23:57:00 +0000 (UTC) /etc/rc.conf: 3: not found /etc/rc.conf: yr: not found /etc/rc.conf: 3: not found /etc/rc.conf: yr: not found Little did I know when I tweeted about it,

Postfix suddenly starts rejecting email it had been accepting Read More »

Getting acme.sh to renew certs via cronjob on FreeBSD

Leave a Comment / DNS, Let's Encrypt, Security / By /

In the past, I’ve written about using acme.sh to automatically generate SSL certificates and distribute them to the required locations. I do this in a single central location, and the websites and mail servers grab their new certs from a webserver. At the time of writing, I was using FreeBSD 11.1 and acme.sh 2.7.4, supplied by the FreeBSD port, in a jail. Nagios warned me that one of my Let’s Encrypt certificates was

Getting acme.sh to renew certs via cronjob on FreeBSD Read More »

cert-puller: using anvil to pull down & install new certificates, then restart services

Leave a Comment / anvil, Let's Encrypt / By /

Now that I have configured my webserver to pull down any new certificates, now it’s time to configure my clients to pull certificates from the webserver. In my quest for a centralized Let’s Encrypt solution, I’ve created the FreeBSD port for acme.sh (an ACME client for Let’s Encrypt) and anvil, a tool for distributing and installing those certificates. In previous blog posts, I’ve described various steps leading up to this: Creating a TXT

cert-puller: using anvil to pull down & install new certificates, then restart services Read More »

anvil – copying the certificates to the website

Leave a Comment / anvil, Let's Encrypt / By /

In my Let’s Encrypt implementation, I am using a centralized acme.sh solution which generates all the certificates I use and authenticates via dns-01 challenges. I use anvil to distribute those certificates. In this post, I will describe how the website pulls the certificates down from the rsync-jail. I will assume you have read my previous post where I describe the cert-shifter process. Configuring the jail host This solution assumes that the acme.sh jail

anvil – copying the certificates to the website Read More »

Scroll to Top