Security

Using mtqq to create a notification network: mosquitto, mqttwarn, hare, and hared

Leave a Comment / MQTT, Open Source, Security / By /

As you read this post, keep in mind that my particular use case of notification on ssh login is not for everyone. It may not appeal to you. In fact, you might find this to be an absolutely ridiculous thing to do. I respect that. I suggest that somewhere within your network there is at least one type of error condition, one urgent situation, one thing that you would like pushed to your […]

Using mtqq to create a notification network: mosquitto, mqttwarn, hare, and hared Read More »

No more certificate fingerprints – only sasl auth instead

Leave a Comment / Let's Encrypt, Postfix / By /

Today I gave up on my attempt to allow relay via SSL certificate fingerprints. Instead, I will use sasl auth. Yesterday I wrote about my SMTP deliver test which broke when an SSL certificate was updated. Later that day, I finished writing scripts which delivered that fingerprint file to all hosts which needed it. Today, I abandoned that approach in favor of sasl. From the time I decided to use sasl to my

No more certificate fingerprints – only sasl auth instead Read More »

Postfix suddenly starts rejecting email it had been accepting

Leave a Comment / Let's Encrypt, Mail, Postfix / By /

Let’s Encrypt is an easy way to get free SSL certificates in an automated manner. You may never have to manually do another cert renewal again. Last night, I received this email: From: Cron Daemon To: dan@langille.org Subject: Cron /usr/local/bin/cert-puller Date: Fri, 23 Feb 2018 23:57:00 +0000 (UTC) /etc/rc.conf: 3: not found /etc/rc.conf: yr: not found /etc/rc.conf: 3: not found /etc/rc.conf: yr: not found Little did I know when I tweeted about it,

Postfix suddenly starts rejecting email it had been accepting Read More »

Getting acme.sh to renew certs via cronjob on FreeBSD

Leave a Comment / DNS, Let's Encrypt, Security / By /

In the past, I’ve written about using acme.sh to automatically generate SSL certificates and distribute them to the required locations. I do this in a single central location, and the websites and mail servers grab their new certs from a webserver. At the time of writing, I was using FreeBSD 11.1 and acme.sh 2.7.4, supplied by the FreeBSD port, in a jail. Nagios warned me that one of my Let’s Encrypt certificates was

Getting acme.sh to renew certs via cronjob on FreeBSD Read More »

subversion via ssh passphrase-less key

Leave a Comment / Security, ssh, subversion / By /

In general, passphrase-less ssh keys are a security nightmare. It is similar to leaving the key to your front door in the lock. Anyone stumbling across it has access to your house. Similarly, if someone gets your ssh key, and there is no passphrase on it, they can use that key for anything which grants access to that key. Side note: How can you tell if a given ssh key has a passphrase?

subversion via ssh passphrase-less key Read More »

cert-puller: using anvil to pull down & install new certificates, then restart services

Leave a Comment / anvil, Let's Encrypt / By /

Now that I have configured my webserver to pull down any new certificates, now it’s time to configure my clients to pull certificates from the webserver. In my quest for a centralized Let’s Encrypt solution, I’ve created the FreeBSD port for acme.sh (an ACME client for Let’s Encrypt) and anvil, a tool for distributing and installing those certificates. In previous blog posts, I’ve described various steps leading up to this: Creating a TXT

cert-puller: using anvil to pull down & install new certificates, then restart services Read More »

anvil – copying the certificates to the website

Leave a Comment / anvil, Let's Encrypt / By /

In my Let’s Encrypt implementation, I am using a centralized acme.sh solution which generates all the certificates I use and authenticates via dns-01 challenges. I use anvil to distribute those certificates. In this post, I will describe how the website pulls the certificates down from the rsync-jail. I will assume you have read my previous post where I describe the cert-shifter process. Configuring the jail host This solution assumes that the acme.sh jail

anvil – copying the certificates to the website Read More »

cert-shifter: copying certificates from acme.sh to a fresh directory

Leave a Comment / anvil, Let's Encrypt / By /

I have already described how I use acme.sh to obtain SSL certificates from Let’s Encrypt. Today, I’m going to show you how I use anvil to copy those certificates from the original location to another directory, which is then used for rsync by another jail. Throughout this blog post, it is assumed that the cert-shifter will be run as the anvil user. Please adjust to suit your choices. Why shift certificates? As part

cert-shifter: copying certificates from acme.sh to a fresh directory Read More »

Introducing anvil – Tools for distributing ssl certificates

Leave a Comment / anvil, Let's Encrypt / By /

I’m in the end-stages of finishing off my centralized Let’s Encrypt solution and I’ve released my code as an open source project named anvil. I’ve also created a FreeBSD port. In this post, I outline the anvil tools and how I use them. In future posts, I will detail the individual components, some of which have already appeared in my blog. Why centralized After reading about the FreeBSD cluster’s use of Let’s Encrypt,

Introducing anvil – Tools for distributing ssl certificates Read More »

When mv can’t mv – Let’s Encrypt

Leave a Comment / Let's Encrypt / By /

Last night I uploaded my collect-certs code to Gitub. Today, I discovered a problem with invoking mv on multiple files. The code in question is around lines 40-42 and I’m including some of my debugging code here: When I run this script, I see this output: Of note, that’s two errors: one from mv and the second from rmdir. Now, if I manually run that command: /bin/mv -f /var/db/certs-for-rsync/tmp/example.com/* /var/db/certs-for-rsync/certs/example.com … it works.

When mv can’t mv – Let’s Encrypt Read More »

Scroll to Top