Security

No more certificate fingerprints – only sasl auth instead

Today I gave up on my attempt to allow relay via SSL certificate fingerprints. Instead, I will use sasl auth. Yesterday I wrote about my SMTP deliver test which broke when an SSL certificate was updated. Later that day, I finished writing scripts which delivered that fingerprint file to all hosts which needed it. Today, […]

No more certificate fingerprints – only sasl auth instead Read More »

Postfix suddenly starts rejecting email it had been accepting

Let’s Encrypt is an easy way to get free SSL certificates in an automated manner. You may never have to manually do another cert renewal again. Last night, I received this email: From: Cron Daemon To: dan@langille.org Subject: Cron /usr/local/bin/cert-puller Date: Fri, 23 Feb 2018 23:57:00 +0000 (UTC) /etc/rc.conf: 3: not found /etc/rc.conf: yr: not

Postfix suddenly starts rejecting email it had been accepting Read More »

Getting acme.sh to renew certs via cronjob on FreeBSD

In the past, I’ve written about using acme.sh to automatically generate SSL certificates and distribute them to the required locations. I do this in a single central location, and the websites and mail servers grab their new certs from a webserver. At the time of writing, I was using FreeBSD 11.1 and acme.sh 2.7.4, supplied

Getting acme.sh to renew certs via cronjob on FreeBSD Read More »

cert-puller: using anvil to pull down & install new certificates, then restart services

Now that I have configured my webserver to pull down any new certificates, now it’s time to configure my clients to pull certificates from the webserver. In my quest for a centralized Let’s Encrypt solution, I’ve created the FreeBSD port for acme.sh (an ACME client for Let’s Encrypt) and anvil, a tool for distributing and

cert-puller: using anvil to pull down & install new certificates, then restart services Read More »

anvil – copying the certificates to the website

In my Let’s Encrypt implementation, I am using a centralized acme.sh solution which generates all the certificates I use and authenticates via dns-01 challenges. I use anvil to distribute those certificates. In this post, I will describe how the website pulls the certificates down from the rsync-jail. I will assume you have read my previous

anvil – copying the certificates to the website Read More »

cert-shifter: copying certificates from acme.sh to a fresh directory

I have already described how I use acme.sh to obtain SSL certificates from Let’s Encrypt. Today, I’m going to show you how I use anvil to copy those certificates from the original location to another directory, which is then used for rsync by another jail. Throughout this blog post, it is assumed that the cert-shifter

cert-shifter: copying certificates from acme.sh to a fresh directory Read More »

Introducing anvil – Tools for distributing ssl certificates

I’m in the end-stages of finishing off my centralized Let’s Encrypt solution and I’ve released my code as an open source project named anvil. I’ve also created a FreeBSD port. In this post, I outline the anvil tools and how I use them. In future posts, I will detail the individual components, some of which

Introducing anvil – Tools for distributing ssl certificates Read More »

acme.sh: getting free SSL certificates – installation configuration on FreeBSD

This blog post describes my Let’s Encrypt solution which uses acme.sh and dns-01 challenges to obtain SSL certificates. If you are using HTTP challenges, this post might still be useful, but your configuration will differ slightly. Let’s Encrypt is a certificate authority which has become wildly popular since it was launched in April 2016 (just

acme.sh: getting free SSL certificates – installation configuration on FreeBSD Read More »

Scroll to Top