2021-08-30 Going all the way with zerossl: requesting a certificate with multiple names
I assumed the free tier of zerossl doesn't allow for certificates with multiple names, but I guess I assumed wrong, because I just got issued a certificate with multiple names. After debugging my earlier issues with zerossl and finding out I forgot the CAA record, this time I tried a certificate with the subjectAltName extension in use with more than one name.
    $ openssl req -in httprenewable/webserver-devvirtualbookcase.csr -noout -text
    [..]
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:developer.virtualbookcase.com, DNS:perl.virtualbookcase.com

And the certificate dance went fine with dehydrated:

    $ ./dehydrated/dehydrated --config /etc/dehydrated/config.zerossl -s httprenewable/webserver-devvirtualbookcase.csr > tmp/certificate.crt
     + Requesting new certificate order from CA...
     + Received 2 authorizations URLs from the CA
     + Handling authorization for developer.virtualbookcase.com
     + Handling authorization for perl.virtualbookcase.com
     + 2 pending challenge(s)
     + Deploying challenge tokens...
     + Responding to challenge for developer.virtualbookcase.com authorization...
     + Challenge is valid!
     + Responding to challenge for perl.virtualbookcase.com authorization...
     + Challenge is valid!
     + Cleaning challenge tokens...
     + Requesting certificate...
     + Order is processing...
     + Checking certificate...
     + Done!
    $ openssl x509 -in tmp/certificate.crt -noout -text | less
    [..]
            X509v3 Subject Alternative Name:
                DNS:developer.virtualbookcase.com, DNS:perl.virtualbookcase.com

The /etc/dehydrated/config.zerossl has the EAB_KID and EAB_HMAC_KEY values set to the ones associated with my account. This means zerossl works as a complete secondary certificate issuer and I could switch over completely in case LetsEncrypt isn't available. Choice is good!
2021-08-19 Trying zerossl as backup certificate provider
Based on the recent article "Here's another free CA as an alternative to Let's Encrypt!" I decided to check my options for having an alternative to LetsEncrypt. Not because I have or had any problems with LetsEncrypt, but I like having a backup option. So I started with zerossl as an option. So far I did the whole registration and certificate request dance purely with the dehydrated client, but that gives an error on a certificate request:
     + Requesting new certificate order from CA...
     + Received 2 authorizations URLs from the CA
     + Handling authorization for developer.virtualbookcase.com
     + Handling authorization for perl.virtualbookcase.com
     + 2 pending challenge(s)
     + Deploying challenge tokens...
     + Responding to challenge for developer.virtualbookcase.com authorization...
     + Challenge is valid!
     + Responding to challenge for perl.virtualbookcase.com authorization...
     + Challenge is valid!
     + Cleaning challenge tokens...
     + Requesting certificate...
     + Order is processing...
    ERROR: Order in status invalid

Creating a zerossl account with a web browser and setting the EAB_KID and EAB_HMAC_KEY to the values from my zerossl account also doesn't help, that also ends with

    $ ./dehydrated/dehydrated --ca zerossl --config /etc/dehydrated/config.zerossl -s httprenewable/webserver-devvirtualbookcase.csr > tmp/certificate.crt
     + Requesting new certificate order from CA...
     + Received 2 authorizations URLs from the CA
     + Handling authorization for developer.virtualbookcase.com
     + Handling authorization for perl.virtualbookcase.com
     + 2 pending challenge(s)
     + Deploying challenge tokens...
     + Responding to challenge for developer.virtualbookcase.com authorization...
     + Challenge is valid!
     + Responding to challenge for perl.virtualbookcase.com authorization...
     + Challenge is valid!
     + Cleaning challenge tokens...
     + Requesting certificate...
     + Order is processing...
    ERROR: Order in status invalid

I realized a certificate for multiple names isn't supported by the free tier of zerossl. Removing one of the names from the certificate still made it end up in status 'invalid'. Also re-creating the account in dehydrated after creating the zerossl account and setting the EAB_KID and EAB_HMAC_KEY variables correctly didn't solve things yet. The same request works fine with LetsEncrypt so the issue is something with dehydrated / zerossl.
Update: Sharing my woes gave a suggestion: Stephen Harris on Twitter: "@khoos You have a CAA record for virtualbookcase.com that might be blocking it." and Stephen is absolutely right: I set up CAA records ages ago for all my domains. And the zerossl CAA document I can find absolutely agrees I need to add a CAA record allowing certificates by sectigo.com.

Updated: And after waiting for DNS propagation and trying again I now have a zerossl.com certificate:

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                4e:7b:c8:e9:ad:fd:14:ad:5c:ae:a2:57:fe:45:d9:41
            Signature Algorithm: ecdsa-with-SHA384
            Issuer: C = AT, O = ZeroSSL, CN = ZeroSSL ECC Domain Secure Site CA
            Validity
                Not Before: Aug 19 00:00:00 2021 GMT
                Not After : Nov 17 23:59:59 2021 GMT
            Subject: CN = perl.virtualbookcase.com
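An added example, not part of the original post or of dehydrated: the CAA decision a CA makes before issuing (RFC 8659), run offline over constructed zone data for the two names in the CSR above. The content of the original CAA record is not shown in the post, so a Let's Encrypt-only record is assumed; CNAME handling and wildcard (issuewild) issuance are left out.

```python
# Added example: RFC 8659 CAA evaluation over constructed zone data (no DNS queries).
# Each record is (flags, tag, value), as in: 0 issue "letsencrypt.org"

def relevant_rrset(name, zone):
    """Climb from `name` towards the root; return (owner, records) of the
    first non-empty CAA RRset, or (None, []) if there is none."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if zone.get(owner):
            return owner, zone[owner]
    return None, []

def issuer_domain(value):
    """Issuer domain of an issue property: the part before any ';' parameters."""
    return value.split(";", 1)[0].strip().lower()

def ca_may_issue(name, ca_domain, zone):
    """True if `ca_domain` may issue a non-wildcard certificate for `name`."""
    _, rrset = relevant_rrset(name, zone)
    known = {"issue", "issuewild", "iodef"}
    # A critical (flag bit 128) property the CA does not understand blocks issuance.
    if any(flags & 128 and tag.lower() not in known for flags, tag, _ in rrset):
        return False
    issuers = [issuer_domain(v) for _, tag, v in rrset if tag.lower() == "issue"]
    if not issuers:  # no CAA RRset at all, or none with an issue property
        return True
    return ca_domain.lower() in issuers  # 'issue ";"' yields "" and matches no CA

def blocked_names(names, ca_domain, zone):
    """Names from a CSR's subjectAltName that `ca_domain` may not issue for."""
    return [n for n in names if not ca_may_issue(n, ca_domain, zone)]

SAN = ["developer.virtualbookcase.com", "perl.virtualbookcase.com"]
# Constructed: assumed state before the fix (Let's Encrypt only).
BEFORE = {"virtualbookcase.com": [(0, "issue", "letsencrypt.org")]}
# Constructed: state after adding the sectigo.com record the post describes.
AFTER = {"virtualbookcase.com": [(0, "issue", "letsencrypt.org"),
                                 (0, "issue", "sectigo.com")]}

if __name__ == "__main__":
    for label, zone in (("before", BEFORE), ("after", AFTER)):
        print(label, "blocked for sectigo.com:",
              blocked_names(SAN, "sectigo.com", zone))
```

Because the lookup climbs the tree, a single record at virtualbookcase.com governs both subdomains, which is why removing one name from the CSR did not change the outcome.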
2021-08-17 Specific categories in contests can help win
I received the results of the Canada winter contest I participated in last December and my remark "In total I got 3 different Canadian stations in the log and I entered my log. It won't be the winner in the DX category, but I appreciate the fact that the Radio Amateurs of/du Canada organize this so I do my part in making the scoring possible." works out differently: I am "First Place for The Netherlands in the category Single Op Single Band 20 meter".
2021-08-13 Next bitcoin extortion scam
Yet another bitcoin extortion scammer, this time using address 1Gkg3g7GGbsKktkkbgKNfL6MMGZ1xCoGJC. The reports read like she/he has tried it in multiple languages. Until this moment no bitcoins have ended up with the scammer. Earlier items about bitcoin extortion scams: Earlier, earlier, earlier, earlier, earlier, earlier (although I think bitcoin is generally a really bad idea and a huge scam)
2021-08-05 Phishing for accounts which expire shortly is extra funny!
Yesterday I switched to a different Internet provider and now the phishing trying to convince me I need to give my account details for the old account to avoid the account being closed is extra funny! And although they all state they are the kzdoos.xs4all.nl webmail there is no such thing for the abusers to try any login credentials at.
2021-08-04 My own "Freedom Day"
The switch to Freedom Internet succeeded. The connection with xs4all dropped at 04:56:30 and at 04:56:46 the connection was up again with Freedom Internet, with the new IPv6 and IPv4 addresses. After that, the switchover was a matter of activating all the configurations I had prepared and renumbering the static IPv6 addresses at home. After that there were a few small things I had forgotten, but nothing disruptive.