News archive July 2018 - Koos van den Hout

Archive by year: 1999 | 2000 | 2001 | 2002 | 2003 | 2004 | 2005 | 2006 | 2007 | 2008 | 2009 | 2010 | 2011 | 2012 | 2013 | 2014 | 2015 | 2016 | 2017 | 2018 | 2019 | 2020

2018-07-27 Automating Let's Encrypt certificates with DNS-01 protocol 1 year ago
Encrypt all the things meme After thoroughly automating Let's Encrypt certificate renewal and installation I wanted to get the same level of automation for systems that do not expose an http service to the outside world. So that means the DNS-01 challenge within the ACME protocol has to be used.

I found out dehydrated Let's Encrypt certificate management supports DNS-01 and I found a sample on how to do this with bind9 at Example hook script using Dynamic DNS update utility for dns-01 challenge which looks like it can do the job.

It took me a few failed tries to find out that if I want a certificate for the name turing.idefix.net that it will request the TXT record for _acme-challenge.turing.idefix.net to make me prove that I have control over the right bit of DNS. I first assumed something in _acme-challenge.idefix.net which turned out wrong. So the bind9 config in /etc/bind/named.conf.local has: 
zone "_acme-challenge.turing.idefix.net" {
        type master;
        file "/var/cache/bind/_acme-challenge.turing.idefix.net-zone";
        masterfile-format text;
        allow-update { key "acmekey-turing"; };
        allow-query { any; };
        allow-transfer {
                localnetwork;
        };
};
And in the idefix.net zone there is just one delegation: 
_acme-challenge.turing  IN      NS      ns2
I created and used a dnskey with something like: 
# dnssec-keygen -r /dev/random -a hmac-sha512 -b 128 -n HOST acmekey-turing
Kacmekey-turing.+157+53887
This gives 2 files, both with the right secret: 
# ls Kacmekey-turing.+157+53887.*
Kacmekey-turing.+157+53887.key  Kacmekey-turing.+157+53887.private
# cat Kacmekey-turing.+157+53887.key
acmekey-turing. IN KEY 512 3 157 c2V0ZWMgYXN0cm9ub215
and configured it in /etc/bind/named.conf.options: 
key "acmekey-turing" {
        algorithm hmac-md5;
        secret "c2V0ZWMgYXN0cm9ub215";
};
And now I can request a key for turing.idefix.net and use it to generate sendmail certificates. And the net result: 
        (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256          
        verify=OK)
SMTP between systems with TLS working and good certificates.
Tags: , , ,
2018-07-19 Configuring sendmail authentication like imaps access to allow secondary passwords 1 year ago
I needed to configure sendmail authenticated access because I want a strict SPF record for idefix.net which means I always have to make outgoing mail originate from the right server.

For the sendmail authenticated smtp bit I used How to setup and test SMTP AUTH within Sendmail with some configuration details from Setting up SMTP AUTH with sendmail and Cyrus-SASL. To get this running saslauthd is needed to get authentication at all and I decided to let it use the pam authentication mechanism. The relevant part of sendmail.mc: 
include(`/etc/mail/sasl/sasl.m4')dnl
define(`confAUTH_OPTIONS', `A p')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
And now I can login to sendmail only in an encrypted session. And due to sendmail and other services now having valid certificates I can set up all devices to fully check the certificate so I make it difficult to intercept this password.

And after I got that working I decided I wanted 'secondary passwords' just like I configured extra passwords for IMAPS access so I set up /etc/pam.d/smtp to allow other passwords than the unix password and restrict access to the right class of users. 
auth    required    pam_succeed_if.so quiet user ingroup users
auth    [success=1 default=ignore]      pam_unix.so nullok_secure
auth    sufficient  pam_userdb.so db=/etc/courier/extrausers crypt=crypt use_first_pass
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so
Now I can set up my devices that insist on saving the password for outgoing smtp and if it ever gets compromised I just have to change that password without it biting me too hard.
Read the rest of Configuring sendmail authentication like imaps access to allow secondary passwords
Tags: , , ,
2018-07-19 (Wat is een radiozendamateur? Waar houdt een radiozendamateur zich mee bezig? Lees daarover in het Electron...) 1 year ago
Google+Koos van den Hout : Goed initiatief van binnen de Veron: twee keer per jaar het blad online gratis beschikbaar. Daarmee kunnen we de radiohobby zichtbaarder en toegankelijker maken
2018-07-10 Found the original article about Steven K. Roberts and his recumbent bicycle Behemoth 1 year ago
Steven K. Roberts on Behemoth II I noticed the Nomadic Research Labs site was cleaned up a bit more, so I searched again for the article that I read in August 1995 about Steven K. Roberts and his recumbent bicycle Behemoth: "Big Electronic Human-Energised Machine ... Only Too Heavy".

The scans are at BEHEMOTH in Kijk – Dutch Magazine. Interesting detail is that the top left text refers to a picture of a Challenge recumbent. I recently ordered a new Challenge recumbent! Maybe I should find out whether I can find that page of that magazine.

Several things can be related to seeing this article: buying the book Computing Across America, selecting a recumbent bicycle later in life and this idea in the back of my head of future recumbent cycling trips.
Tags: , , , ,
2018-07-08 Automating Let's Encrypt certificates further 1 year ago
Encrypt all the things meme Over two years ago I started using Let's Encrypt certificates. Recently I wanted to automate this a step further and found dehydrated automated certificate renewal which helps a lot in automating certificate renewal with minimal hassle.

First thing I fixed was http-based verification. The webserver has been set up to make all .well-known/acme-challenge directories end up in one place on the filesystem and it turns out this works great with dehydrated.

I created a separate user for dehydrated, gave that user write permissions for the /home/httpd/html/.well-known/acme-challenge directory. It also needs write access to /etc/dehydrated for its own state. I changed /etc/dehydrated/config with: 
CHALLENGETYPE="http-01"
WELLKNOWN="/home/httpd/html/.well-known/acme-challenge"
Now it was possible to request certificates based on a .csr file. I used this to get a new certificate for the home webserver, and it turned out to be easier than the previous setup based on letsencrypt-nosudo.
Read the rest of Automating Let's Encrypt certificates further
Tags: , , , ,
2018-07-05 Future cycling goals... 1 year ago
I had a serious case of 'ooooh shiny' today. I browsed a bit of Northern Canada news from CBC and found the article Dempster Highway drivers flock to new destination — the Arctic coast about the new Inuvik Tuktoyaktuk Highway which connects the Dempster Highway all the way to Tuktoyaktuk on the northern arctic coast.

So I started wondering whether people are cycling the Dempster Highway. Yes, they are. I found several travel stories, Cycling the Dempster Highway to Inuvik, Cycling the Dempster Highway Part 1: Hungrier than the bears - Tasting Travels and Dempster Highway to the Arctic about one cyclist who cycled from Vancouver to Inuvik on a recumbent.

I may have found some future cycling ideas there. Those ideas aren't really new, from time to time I get back to thinking about Computing Across America and Steven K. Roberts.
Tags: , , ,
, reachable as koos+website@idefix.net. PGP encrypted e-mail preferred.

PGP key 5BA9 368B E6F3 34E4 local copy PGP key 5BA9 368B E6F3 34E4 via keyservers pgp key statistics for 0x5BA9368BE6F334E4 Koos van den Hout
RSS
Other webprojects: Camp Wireless, wireless Internet access at campsites, The Virtual Bookcase, book reviews
This page generated by $Id: morenews.cgi,v 1.46 2019/10/20 15:42:02 koos Exp $ in 0.012935 seconds.