2018-07-27 Automating Let's Encrypt certificates with DNS-01 protocol
After thoroughly automating Let's Encrypt certificate renewal and installation I wanted the same level of automation for systems that do not expose an http service to the outside world. That means the DNS-01 challenge within the ACME protocol has to be used. I found out that dehydrated Let's Encrypt certificate management supports DNS-01, and I found a sample on how to do this with bind9 at Example hook script using Dynamic DNS update utility for dns-01 challenge, which looks like it can do the job. It took me a few failed tries to find out that if I want a certificate for the name turing.idefix.net, the validator requests the TXT record _acme-challenge.turing.idefix.net to make me prove that I have control over the right bit of DNS. I first assumed it would be something in _acme-challenge.idefix.net, which turned out wrong. So the bind9 config in /etc/bind/named.conf.local has:
zone "_acme-challenge.turing.idefix.net" {
    type master;
    file "/var/cache/bind/_acme-challenge.turing.idefix.net-zone";
    masterfile-format text;
    allow-update { key "acmekey-turing"; };
    allow-query { any; };
    allow-transfer { localnetwork; };
};

And in the idefix.net zone there is just one delegation:

_acme-challenge.turing IN NS ns2

I created and used a dnskey with something like:

# dnssec-keygen -r /dev/random -a hmac-sha512 -b 128 -n HOST acmekey-turing
Kacmekey-turing.+157+53887

This gives 2 files, both with the right secret:

# ls Kacmekey-turing.+157+53887.*
Kacmekey-turing.+157+53887.key  Kacmekey-turing.+157+53887.private
# cat Kacmekey-turing.+157+53887.key
acmekey-turing. IN KEY 512 3 157 c2V0ZWMgYXN0cm9ub215

and configured it in /etc/bind/named.conf.options:

key "acmekey-turing" {
    algorithm hmac-md5;
    secret "c2V0ZWMgYXN0cm9ub215";
};

And now I can request a certificate for turing.idefix.net and use it as the sendmail certificate. And the net result:

(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK)

SMTP between systems with TLS working and good certificates.
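As an added example (not the hook script linked above and not part of the original post), a minimal dehydrated hook for this delegated-zone setup: it sends the TXT record for _acme-challenge.<domain> into that name's own zone via nsupdate and waits until the authoritative server actually serves it before letting validation proceed. The TSIG key file path, the name server address and the 60 second TTL are assumptions.

```shell
#!/bin/sh
# Added example, not the hook from the original post: a minimal dehydrated
# hook for the delegated _acme-challenge zones described above.
# Assumed (not in the post): the TSIG key file path, the name server to send
# updates to and a 60 second TTL.
KEYFILE="/etc/dehydrated/Kacmekey-turing.+157+53887.private"   # assumed path
NSSERVER="ns2.idefix.net"                                     # assumed NS host
TTL=60

# Emit an nsupdate batch. The record lives in its own delegated zone,
# _acme-challenge.<domain>, not under _acme-challenge.<parent domain>.
nsupdate_script() {
    action="$1" domain="$2" token="$3"
    printf 'server %s\n' "$NSSERVER"
    printf 'zone _acme-challenge.%s.\n' "$domain"
    case "$action" in
        add)    printf 'update add _acme-challenge.%s. %s IN TXT "%s"\n' "$domain" "$TTL" "$token" ;;
        delete) printf 'update delete _acme-challenge.%s. IN TXT "%s"\n' "$domain" "$token" ;;
    esac
    printf 'send\n'
}

# Poll the authoritative server until the TXT record is visible, so the
# validation request does not race the dynamic update (give up after 60 s).
wait_for_txt() {
    domain="$1" token="$2" tries=0
    while [ "$tries" -lt 30 ]; do
        dig +short @"$NSSERVER" TXT "_acme-challenge.$domain" | grep -qF "\"$token\"" && return 0
        tries=$((tries + 1))
        sleep 2
    done
    echo "TXT record for _acme-challenge.$domain not visible after 60 s" >&2
    return 1
}

# dehydrated calls the hook as: <action> <domain> <token_filename> <token_value>
deploy_challenge() {
    nsupdate_script add "$1" "$3" | nsupdate -k "$KEYFILE" && wait_for_txt "$1" "$3"
}
clean_challenge() {
    nsupdate_script delete "$1" "$3" | nsupdate -k "$KEYFILE"
}

case "${1:-}" in
    deploy_challenge|clean_challenge) "$1" "$2" "$3" "$4" ;;
esac
```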
2018-07-19 Configuring sendmail authentication like imaps access to allow secondary passwords
I needed to configure sendmail authenticated access because I want a strict SPF record for idefix.net, which means I always have to make outgoing mail originate from the right server. For the sendmail authenticated SMTP bit I used How to setup and test SMTP AUTH within Sendmail with some configuration details from Setting up SMTP AUTH with sendmail and Cyrus-SASL. To get this running saslauthd is needed to get authentication at all, and I decided to let it use the pam authentication mechanism. The relevant part of sendmail.mc:

include(`/etc/mail/sasl/sasl.m4')dnl
define(`confAUTH_OPTIONS', `A p')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl

And now I can log in to sendmail only in an encrypted session. And because sendmail and other services now have valid certificates I can set up all devices to fully check the certificate, so I make it difficult to intercept this password. After I got that working I decided I wanted 'secondary passwords', just like I configured extra passwords for IMAPS access, so I set up /etc/pam.d/smtp to allow other passwords than the unix password and restrict access to the right class of users.

auth required pam_succeed_if.so quiet user ingroup users
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth sufficient pam_userdb.so db=/etc/courier/extrausers crypt=crypt use_first_pass
# here's the fallback if no module succeeds
auth requisite pam_deny.so

Now I can set up my devices that insist on saving the password for outgoing smtp, and if it ever gets compromised I just have to change that password without it biting me too hard.
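An added check script (not from the original post) for the `A p' option above: it verifies that the server hides AUTH on a cleartext EHLO and only offers LOGIN PLAIN after STARTTLS, and builds the SASL PLAIN token for a manual login test with a secondary password. It assumes an OpenBSD-style nc and openssl on the testing machine; the host name is given on the command line.

```shell
#!/bin/sh
# Added example, not from the original post: confirm that sendmail built with
# confAUTH_OPTIONS `A p' advertises AUTH only inside TLS.
# Assumes OpenBSD-style nc (waits for the server to close) and openssl s_client.

# SASL PLAIN (RFC 4616): NUL user NUL password, base64 on a single line.
# Paste the result after "AUTH PLAIN " in a STARTTLS session to test a password.
sasl_plain() {
    printf '\0%s\0%s' "$1" "$2" | base64 | tr -d '\n'
}

# Return 0 if an EHLO reply on stdin advertises AUTH ("250-AUTH LOGIN PLAIN").
ehlo_offers_auth() {
    grep -qi '^250[- ]AUTH'
}

# Cleartext probe: with the `p' option sendmail must NOT list AUTH here.
cleartext_offers_auth() {
    printf 'EHLO probe.example\r\nQUIT\r\n' | nc -w 5 "$1" 25 | ehlo_offers_auth
}

# TLS probe: after STARTTLS the same EHLO should list the mechanisms.
# -verify_return_error aborts on a bad certificate, like a strict client would.
tls_offers_auth() {
    printf 'EHLO probe.example\r\nQUIT\r\n' \
        | openssl s_client -connect "$1:25" -starttls smtp -ign_eof -verify_return_error 2>/dev/null \
        | ehlo_offers_auth
}

check_host() {
    host="$1"
    if cleartext_offers_auth "$host"; then
        echo "FAIL: $host advertises AUTH without TLS" >&2; return 1
    fi
    if ! tls_offers_auth "$host"; then
        echo "FAIL: $host does not advertise AUTH after STARTTLS" >&2; return 1
    fi
    echo "OK: $host offers AUTH only inside TLS"
}

if [ -n "${1:-}" ]; then
    check_host "$1"
fi
```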
2018-07-19 (What is an amateur radio operator? What does an amateur radio operator do? Read about it in the Electron...)
Koos van den Hout: Good initiative from within the Veron: twice a year the magazine is available online for free. That way we can make the radio hobby more visible and accessible.
2018-07-10 Found the original article about Steven K. Roberts and his recumbent bicycle Behemoth
I noticed the Nomadic Research Labs site was cleaned up a bit more, so I searched again for the article that I read in August 1995 about Steven K. Roberts and his recumbent bicycle Behemoth: "Big Electronic Human-Energised Machine ... Only Too Heavy". The scans are at BEHEMOTH in Kijk – Dutch Magazine. An interesting detail is that the top-left text refers to a picture of a Challenge recumbent. I recently ordered a new Challenge recumbent! Maybe I should find out whether I can find that page of that magazine. Several things can be related to seeing this article: buying the book Computing Across America, selecting a recumbent bicycle later in life and this idea in the back of my head of future recumbent cycling trips.
2018-07-08 Automating Let's Encrypt certificates further
Over two years ago I started using Let's Encrypt certificates. Recently I wanted to automate this a step further and found dehydrated automated certificate renewal, which helps a lot in automating certificate renewal with minimal hassle. The first thing I fixed was http-based verification. The webserver has been set up to make all .well-known/acme-challenge directories end up in one place on the filesystem, and it turns out this works great with dehydrated. I created a separate user for dehydrated and gave that user write permissions for the /home/httpd/html/.well-known/acme-challenge directory. It also needs write access to /etc/dehydrated for its own state. I changed /etc/dehydrated/config with:

CHALLENGETYPE="http-01"
WELLKNOWN="/home/httpd/html/.well-known/acme-challenge"

Now it was possible to request certificates based on a .csr file. I used this to get a new certificate for the home webserver, and it turned out to be easier than the previous setup based on letsencrypt-nosudo.
2018-07-05 Future cycling goals...
I had a serious case of 'ooooh shiny' today. I browsed a bit of Northern Canada news from CBC and found the article Dempster Highway drivers flock to new destination — the Arctic coast about the new Inuvik Tuktoyaktuk Highway, which connects the Dempster Highway all the way to Tuktoyaktuk on the northern arctic coast. So I started wondering whether people are cycling the Dempster Highway. Yes, they are. I found several travel stories: Cycling the Dempster Highway to Inuvik, Cycling the Dempster Highway Part 1: Hungrier than the bears - Tasting Travels and Dempster Highway to the Arctic about one cyclist who cycled from Vancouver to Inuvik on a recumbent. I may have found some future cycling ideas there. Those ideas aren't really new; from time to time I get back to thinking about Computing Across America and Steven K. Roberts.