Creating a gmirror swap

This is mostly a note to myself.

Edit 2018.09.08: If you see messages like this:

    $ sudo gmirror insert swap /dev/da5p2
    gmirror: Class not found
    $ gmirror list -a
    gmirror: Command ‘list’ not available.

You probably need to do this:

    sudo kldload geom_mirror

I had these drives: They are involved in this zpool: I decided to create a 6-way mirror for swap:

    sudo gmirror label -v -b round-robin swap diskid/DISK-653DK7WBFS9Ap2 […]

slocum

This post has been replaced by a newer one. For reference, the previous post on this server is still available. The most recent change was from 3TB to 5TB drives. For future reference, this is the slocum server, which I use for various jails and services. It is mounted in the 4U chassis mentioned in this post. The filesystems, well, some of them: And dmesg:

cert-puller: using anvil to pull down & install new certificates, then restart services

Now that I have configured my webserver to pull down any new certificates, it’s time to configure my clients to pull certificates from the webserver. In my quest for a centralized Let’s Encrypt solution, I’ve created the FreeBSD port for acme.sh (an ACME client for Let’s Encrypt) and anvil, a tool for distributing and installing those certificates. In previous blog posts, I’ve described various steps leading up to this: Creating a TXT

anvil – copying the certificates to the website

In my Let’s Encrypt implementation, I am using a centralized acme.sh solution which generates all the certificates I use and authenticates via dns-01 challenges. I use anvil to distribute those certificates. In this post, I will describe how the website pulls the certificates down from the rsync-jail. I will assume you have read my previous post where I describe the cert-shifter process.

Configuring the jail host

This solution assumes that the acme.sh jail

cert-shifter: copying certificates from acme.sh to a fresh directory

I have already described how I use acme.sh to obtain SSL certificates from Let’s Encrypt. Today, I’m going to show you how I use anvil to copy those certificates from the original location to another directory, which is then used for rsync by another jail. Throughout this blog post, it is assumed that the cert-shifter will be run as the anvil user. Please adjust to suit your choices.

Why shift certificates?

As part

Introducing anvil – Tools for distributing ssl certificates

I’m in the end-stages of finishing off my centralized Let’s Encrypt solution and I’ve released my code as an open source project named anvil. I’ve also created a FreeBSD port. In this post, I outline the anvil tools and how I use them. In future posts, I will detail the individual components, some of which have already appeared in my blog.

Why centralized

After reading about the FreeBSD cluster’s use of Let’s Encrypt,

When mv can’t mv – Let’s Encrypt

Last night I uploaded my collect-certs code to GitHub. Today, I discovered a problem with invoking mv on multiple files. The code in question is around lines 40-42 and I’m including some of my debugging code here: When I run this script, I see this output: Of note, that’s two errors: one from mv and the second from rmdir. Now, if I manually run that command:

    /bin/mv -f /var/db/certs-for-rsync/tmp/example.com/* /var/db/certs-for-rsync/certs/example.com

… it works.

acme.sh: getting free SSL certificates – installation configuration on FreeBSD

This blog post describes my Let’s Encrypt solution which uses acme.sh and dns-01 challenges to obtain SSL certificates. If you are using HTTP challenges, this post might still be useful, but your configuration will differ slightly. Let’s Encrypt is a certificate authority which has become wildly popular since it was launched in April 2016 (just a short 14 months ago). Why so popular? It provides a secure way to offer free SSL certificates.

Configuring my BIND/named DNS servers to operate from a hidden master via VPN for Let’s Encrypt

What is a hidden DNS master? If you need to ask that, this is not the blog post for you. This post assumes you already know how to configure DNS and just want ideas for your own hidden master. It also assumes the networking, VPN, and firewall are pre-configured for this. This blog post is mostly about named/BIND. For the record, I am using bind99-9.9.10P1. In my previous blog post, you’ll see how

Creating a TXT only nsupdate connection for Let’s Encrypt

I’m in the process of designing my own centralized Let’s Encrypt solution. It was Peter Wemm’s blog post about Let’s Encrypt in the FreeBSD cluster which got me started down this road. My rough notes are in this gist. This blog post assumes you are already familiar with Let’s Encrypt and especially with the dns-01 challenge. This previous post might also be useful. In this post, I’ll show you how to generate a
