News items for tag computersarebetterat - Koos van den Hout

2022-10-09 LetsEncrypt found a certificate signing request with a sha1 hash and rejected it
One of my oldest certificate signing request files was still using a sha1 hash and LetsEncrypt started rejecting it. As soon as I realized it used the old hash I redid it, and wondered why it was still being accepted in 2022.

This also means the private key of this service is showing its age. Maybe it is time to regenerate it.

The announcement is at Rejecting SHA-1 CSRs and validation using TLS 1.0 / 1.1 URLs - API Announcements - Let's Encrypt Community Support.
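As an added example (not something from this post), here is a small audit for the two "showing age" signs mentioned above: a CSR still signed with SHA-1 (or MD5) and a short RSA key. It only uses openssl and sed; the directory layout and the 2048-bit threshold are my assumptions.

```shell
#!/bin/sh
# Added example, not from the post: audit CSR files for a SHA-1/MD5 signature
# and for a short RSA key. Directory layout and the 2048-bit floor are assumed.

# Signature algorithm as openssl prints it, e.g. sha256WithRSAEncryption.
csr_sig_alg() {
    openssl req -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

# Public key size in bits, e.g. 2048 (OpenSSL 1.1 prints "RSA Public-Key:",
# OpenSSL 3 prints "Public-Key:", so match on the tail of the line).
csr_key_bits() {
    openssl req -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/^.*Public-Key: (\([0-9]*\) bit.*/\1/p' | head -n 1
}

# Exit 0 when the CSR is fit for submission: no SHA-1/MD5 signature and,
# for RSA keys, at least 2048 bits. Unreadable files fail the check.
csr_is_modern() {
    alg=$(csr_sig_alg "$1" | tr 'A-Z' 'a-z')
    bits=$(csr_key_bits "$1")
    [ -n "$alg" ] && [ -n "$bits" ] || return 1
    case "$alg" in
        *sha1*|*md5*) return 1 ;;
    esac
    case "$alg" in
        *rsa*) [ "$bits" -ge 2048 ] || return 1 ;;
    esac
    return 0
}

# Report every CSR in a directory that should be regenerated
# (with -sha256 and a fresh key), one line per offending file.
audit_csrs() {
    for f in "$1"/*.csr; do
        [ -e "$f" ] || continue
        csr_is_modern "$f" || echo "$f: $(csr_sig_alg "$f"), $(csr_key_bits "$f") bits"
    done
}
```

Run audit_csrs against the directory holding the .csr files; an empty report means nothing needs regenerating.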

2021-02-08 Checking certificates for expiry time left to determine renewal
I recently almost had an expired certificate for a public service because I did some fiddling with the file and ended up with a file modification time that had no relationship to the certificate request time.

Time to use the -checkend option I noticed in openssl x509 to test the actual certificates for upcoming expiry. So I redid the cronjob around dehydrated to do just that, and had a cleanup. A candidate list of certificates to renew is created from certificates that are about to expire, certificates whose certificate signing request has changed, and certificates for which there is only a signing request. That list is sorted and deduplicated and fed to calls to dehydrated.

It's now one script for both certificates renewed via the http-01 method and certificates renewed via dns-01. By now both methods work fine for me; which one I use depends on what fits the name.
Read the rest of Checking certificates for expiry time left to determine renewal
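Here is an added example of the candidate-list logic described above; it is my reconstruction, not the cron script from this post. The directory layout (name.csr next to name.crt), the 30-day window, and the dehydrated call are assumptions, and "changed signing request" is interpreted as a CSR whose public key no longer matches the certificate, since the post does not say how it detects that. Corrupt or empty certificate files also end up on the list because openssl x509 -checkend fails to load them.

```shell
#!/bin/sh
# Added example, not the author's cron script: build the renewal candidate list
# the post describes. Assumed layout: $CERTDIR/<name>.csr next to $CERTDIR/<name>.crt.

CERTDIR="${CERTDIR:-/etc/ssl/local}"      # assumed directory, override via environment
RENEW_WITHIN=$((30 * 24 * 3600))         # renew when less than 30 days (in seconds) remain

# sha256 of the public key in a CSR (kind=csr) or certificate (kind=crt).
# A parse failure hashes a marker word instead, so two unreadable files
# (for example two empty ones after a full disk) never compare equal.
pubkey_hash() {
    kind="$1" file="$2"
    if [ "$kind" = csr ]; then
        (openssl req -in "$file" -noout -pubkey 2>/dev/null || echo "unreadable-$kind") | sha256sum | cut -d' ' -f1
    else
        (openssl x509 -in "$file" -noout -pubkey 2>/dev/null || echo "unreadable-$kind") | sha256sum | cut -d' ' -f1
    fi
}

# Exit 0 when the certificate is unreadable or expires within RENEW_WITHIN.
# openssl x509 -checkend exits 0 only when the certificate is still valid then.
expiring_soon() {
    if openssl x509 -in "$1" -noout -checkend "$RENEW_WITHIN" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Print the names needing a dehydrated run, sorted and deduplicated.
renewal_candidates() {
    dir="$1"
    for csr in "$dir"/*.csr; do
        [ -e "$csr" ] || continue
        name=$(basename "$csr" .csr)
        crt="$dir/$name.crt"
        if [ ! -e "$crt" ]; then
            echo "$name"      # signing request without a certificate yet
        elif expiring_soon "$crt"; then
            echo "$name"      # about to expire, or corrupt/empty
        elif [ "$(pubkey_hash csr "$csr")" != "$(pubkey_hash crt "$crt")" ]; then
            echo "$name"      # request was regenerated with a new key
        fi
    done | sort -u
}

# Feed each candidate to dehydrated, whose --signcsr option signs a CSR and
# prints the certificate on stdout. The http-01 / dns-01 choice is made by
# dehydrated's config and hook, so one loop serves both kinds of name.
main() {
    renewal_candidates "$1" | while read -r name; do
        dehydrated --signcsr "$1/$name.csr" > "$1/$name.crt.new" \
            && mv "$1/$name.crt.new" "$1/$name.crt"
    done
}

# Only run when a directory is given, e.g. from cron: renew-certs.sh /etc/ssl/local
if [ $# -gt 0 ]; then
    main "$1"
fi
```

Writing the new certificate to a temporary name and renaming it only after dehydrated succeeded keeps a failed run from leaving an empty .crt behind, which is exactly the corrupt-file case the next post is about.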

2019-05-06 Making checking SSL certificates before installing them a bit more robust
With all the automated updates of certificates as described in Enabling Server Name Indication (SNI) on my webserver and Automating Let's Encrypt certificates further I wondered what would happen when some things got corrupt, most likely as a result of a full disk. And a simple test showed that the checkcert utility would happily say two empty files are a match, because the sha256sum of two empty public keys is the same.

Solution: use the exit status of openssl. New version of checkcert:
#!/bin/sh

# check ssl private key 1 with ssl pem encoded x509 certificate 2 public key
# Both public keys are hashed. When openssl fails to parse a file, a distinct
# marker word is hashed instead, so two unreadable (e.g. empty) files never
# compare equal.

SUMPRIVPUBKEY=`(openssl pkey -in "$1" -pubout -outform pem || echo privkey) | sha256sum`
SUMCERTPUBKEY=`(openssl x509 -in "$2" -noout -pubkey -outform pem || echo pubkey) | sha256sum`

if [ "${SUMPRIVPUBKEY}" = "${SUMCERTPUBKEY}" ]; then
        exit 0
else
        exit 1
fi
And now:
koos@gosper:~$ /usr/local/bin/checkcert /dev/null /dev/null
unable to load key
139636148224064:error:0906D06C:PEM routines:PEM_read_bio:no start line:../crypto/pem/pem_lib.c:686:Expecting: ANY PRIVATE KEY
unable to load certificate
139678825668672:error:0906D06C:PEM routines:PEM_read_bio:no start line:../crypto/pem/pem_lib.c:686:Expecting: TRUSTED CERTIFICATE
koos@gosper:~$ echo $?
1

2018-07-27 Automating Let's Encrypt certificates with DNS-01 protocol
After thoroughly automating Let's Encrypt certificate renewal and installation I wanted the same level of automation for systems that do not expose an http service to the outside world. So the DNS-01 challenge within the ACME protocol has to be used.

I found out dehydrated Let's Encrypt certificate management supports DNS-01, and I found a sample of how to do this with bind9 at Example hook script using Dynamic DNS update utility for dns-01 challenge, which looks like it can do the job.

It took me a few failed tries to find out that when I want a certificate for the name turing.idefix.net, the validation will query the TXT record for _acme-challenge.turing.idefix.net to make me prove that I have control over the right bit of DNS. I first assumed something in _acme-challenge.idefix.net, which turned out wrong. So the bind9 config in /etc/bind/named.conf.local has:
zone "_acme-challenge.turing.idefix.net" {
        type master;
        file "/var/cache/bind/_acme-challenge.turing.idefix.net-zone";
        masterfile-format text;
        allow-update { key "acmekey-turing"; };
        allow-query { any; };
        allow-transfer {
                localnetwork;
        };
};
And in the idefix.net zone there is just one delegation:
_acme-challenge.turing  IN      NS      ns2
I created and used a dnskey with something like:
# dnssec-keygen -r /dev/random -a hmac-sha512 -b 128 -n HOST acmekey-turing
Kacmekey-turing.+157+53887
This gives 2 files, both with the right secret:
# ls Kacmekey-turing.+157+53887.*
Kacmekey-turing.+157+53887.key  Kacmekey-turing.+157+53887.private
# cat Kacmekey-turing.+157+53887.key
acmekey-turing. IN KEY 512 3 157 c2V0ZWMgYXN0cm9ub215
and configured it in /etc/bind/named.conf.options:
key "acmekey-turing" {
        algorithm hmac-md5;
        secret "c2V0ZWMgYXN0cm9ub215";
};
And now I can request a certificate for turing.idefix.net and use it for the sendmail certificates. The net result:
        (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256
        verify=OK)
SMTP between systems with TLS working and good certificates.
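To show how the pieces above fit together, here is an added example of a dehydrated hook for the dns-01 challenge; it is my own sketch, not the hook script linked above. It writes the TXT record into the per-host _acme-challenge zone with a TSIG-signed dynamic update (nsupdate -k with the key file from the dnssec-keygen step) and removes it again afterwards. The key file path, the server name ns2.idefix.net, the 60 second TTL and the short visibility poll are assumptions. One thing to check when copying this setup: the key statement in named.conf must name the algorithm the key was actually generated with (the 157 in the key file name is the number BIND uses for HMAC-MD5; an hmac-sha512 key gets 165), and HMAC-MD5 is best avoided for new keys.

```shell
#!/bin/sh
# Added example, not the hook script the post links to: a dehydrated hook for
# the dns-01 challenge that pushes the TXT record into BIND with a TSIG-signed
# dynamic update. Key path, server name and TTL are assumptions.

TSIG_KEYFILE="${TSIG_KEYFILE:-/etc/dehydrated/Kacmekey-turing.+157+53887.private}"  # assumed path
DNS_SERVER="${DNS_SERVER:-ns2.idefix.net}"   # assumed: the server the _acme-challenge zone is delegated to
TTL=60

# Print the nsupdate batch for one challenge. dehydrated calls the hook as
#   hook.sh deploy_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE
# and later clean_challenge with the same arguments. The record is the apex
# of the per-host _acme-challenge zone from the post, hence the "zone" line.
build_update() {
    action="$1" domain="$2" token="$3"
    case "$action" in
        deploy_challenge) verb=add ;;
        clean_challenge)  verb=delete ;;
        *) return 1 ;;
    esac
    printf 'server %s\n' "$DNS_SERVER"
    printf 'zone _acme-challenge.%s.\n' "$domain"
    printf 'update %s _acme-challenge.%s. %s IN TXT "%s"\n' "$verb" "$domain" "$TTL" "$token"
    printf 'send\n'
}

# Ask the authoritative server whether the record is visible before handing
# control back to dehydrated, so the ACME validation does not race the update.
challenge_visible() {
    dig +short @"$DNS_SERVER" TXT "_acme-challenge.$1." 2>/dev/null | grep -q "\"$2\""
}

case "${1:-}" in
    deploy_challenge)
        build_update "$1" "$2" "$4" | nsupdate -k "$TSIG_KEYFILE" || exit 1
        for _ in 1 2 3 4 5; do
            challenge_visible "$2" "$4" && exit 0
            sleep 2
        done
        echo "challenge record for $2 not visible on $DNS_SERVER" >&2
        exit 1 ;;
    clean_challenge)
        build_update "$1" "$2" "$4" | nsupdate -k "$TSIG_KEYFILE" ;;
    *) : ;;   # deploy_cert, unchanged_cert, exit_hook, ...: nothing to do here
esac
```

Point dehydrated at this script with HOOK in /etc/dehydrated/config and CHALLENGETYPE="dns-01"; because the key in named.conf is only allowed to update the _acme-challenge.turing.idefix.net zone, a leaked hook key cannot touch the rest of idefix.net.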

2018-07-08 Automating Let's Encrypt certificates further
Over two years ago I started using Let's Encrypt certificates. Recently I wanted to automate this a step further and found dehydrated automated certificate renewal, which helps a lot in automating certificate renewal with minimal hassle.

First thing I fixed was http-based verification. The webserver has been set up to make all .well-known/acme-challenge directories end up in one place on the filesystem, and it turns out this works great with dehydrated.

I created a separate user for dehydrated and gave that user write permission for the /home/httpd/html/.well-known/acme-challenge directory. It also needs write access to /etc/dehydrated for its own state. I changed /etc/dehydrated/config with:
CHALLENGETYPE="http-01"
WELLKNOWN="/home/httpd/html/.well-known/acme-challenge"
Now it was possible to request certificates based on a .csr file. I used this to get a new certificate for the home webserver, and it turned out to be easier than the previous setup based on letsencrypt-nosudo.
Read the rest of Automating Let's Encrypt certificates further

2016-12-23 Getting video to play just right with vlc
I wanted to project a video file with a black screen before and after, with no visible controls on the screen where the video plays, with manual control of when the video starts, and with the video starting on the second monitor.

The 'why' is simple: I want to use a video projector which has no option to turn the screen black itself, and I want the smoothest video playback possible with no visible controls.

The 'how' was a bit more work, but vlc has enough command line options. I could not find a count online, so I made an estimate myself:
$ vlc -H --advanced | grep -ce '--'
VLC media player 2.2.2 Weatherwax (revision 2.2.2-0-g6259d80)
1525
This shows 1525 command line options. So I had to find the right ones, which was not too much of a problem either:
vlc --image-duration -1 --no-qt-fs-controller --qt-fullscreen-screennumber 1 --no-video-title-show --qt-notification 0 -f --disable-screensaver Downloads/black.png Downloads/VID_20161210_104822.mp4 Downloads/black.png
This lets me use the vlc controls in the systray, starts playing fullscreen on the right screen, plays the static black image until I select 'next', leaves out all the indicators, and ends with the other static black image.

The only thing left is that the audio has to go to the right audio device too. It turns out vlc plays audio via the alsa emulation in pulseaudio, and I need to change that preference via the pavucontrol program.

2014-04-27
I had a look at creating a simpler QSL card which I could print with my own printer. I still want 4 cards per page. The earlier QSL card designs are nice and an inspiration for when I get around to having cards printed. But I want a few things different, like a mention of my amateur radio website http://pd4kh.idefix.net/ on the card, and space for notes about contacts. And when I use my own printer and heavy enough paper I want to print 4 cards per A4 page. Having 4 identical cards on one page meant using \LaTeX and a \newcommand, so I define the card once and use it four times on the same printer page. I found A QSL card backside made in LaTeX - DJ1YFK's Ham Radio Stuff which has a nice QSL card design in \LaTeX that I could use with some adjustments. This \LaTeX file defines the page size as 14cm*9cm landscape, the official size of a QSL card. I first tried changing this to an A4 page with 4 14cm*9cm \fbox'es in it, but this didn't give me the right result. I now create 4 pages of 14cm*9cm and build an A4 page from them with:
$ pstops -pa4 "4:0L@1.0(30cm,0)+1L@1.0(30cm,14.85cm)+2L@1.0(40cm,0)+3L@1.0(40cm,14.85cm)" qsl.ps qsl-4.ps
This gives about the right result: 4 cards on one page. No frames around the cards yet.

I use the coloured Veron logo, but it prints fine in grayscale on my black and white printer.

2014-04-14
When documenting something I have to look up the full path of some file and have it ready for cut-and-paste. I found out the easy way to canonicalize a filename:
koos@greenblatt:~$ readlink -f ../../etc/radvd.conf
/etc/radvd.conf

2014-04-06
The fact that I can't get status information from the fritz.box, such as linespeed, in a way I can use in scripts annoys me, especially since the linespeed changed tonight (to 22381 down 1402 up). I'd like to at least have access to those statistics for my pretty graphs again. I did find Universal Plug and Play How to get Status-Information from the FRITZ!Box which uses the Perl Net::UPnP::ControlPoint module. The downside is that this module wants to discover upnp devices by itself via multicast, so I need to set up a specific route for 224.0.0.0/4 from the server. It does discover the Fritz!Box, but thinks it has no further information:
$ ./get_upnp_info.mcast .
Device = FRITZ!Box Fon WLAN 7360
No possible actions
Digging a bit into the code reveals the problem is probably in the XML parsing bit. Changing the XML parser to search in the namespace urn:dslforum-org:service-1-0 gives a tiny bit more:
$ ./get_upnp_info.mcast .
Device = FRITZ!Box Fon WLAN 7360
URL = http://192.168.178.1:49000/l2tpv3SCPD.xml
urn:any-com:serviceId:l2tpv31::GetInfo:ServerInstanceId = 0000001F8BF6F4502F99CFB2F71DC374ECD623A957E08803247CDC9AD3856FF4DDA943C535C22E937DE07643AB2A6BBFEC45DED2FBF0E95AC5C2B3B28699F07
urn:any-com:serviceId:l2tpv31::GetInfo:ServerIP = 192.168.178.1
urn:any-com:serviceId:l2tpv31::GetInfo:RemoteEndIds = fritz.box:guest
But no DSL upstream and downstream yet.

2013-12-30 The wonderful world of week number standards
The wonderful thing about standards:
$ date "+%u %w %U %V %W"
1 1 52 01 52
And the explanations:

%u day of week (1..7); 1 is Monday

%w day of week (0..6); 0 is Sunday

%U week number of year, with Sunday as first day of week (00..53)

%V ISO week number, with Monday as first day of week (01..53)

%W week number of year, with Monday as first day of week (00..53)

And it's easy to find days with 3 different week numbers:
31 dec 1990 is 52 01 53
03 jan 1993 is 01 53 00
02 jan 1994 is 01 52 00
01 jan 1995 is 01 52 00
30 dec 1996 is 52 01 53
31 dec 1996 is 52 01 53
03 jan 1999 is 01 53 00
02 jan 2000 is 01 52 00
02 jan 2005 is 01 53 00
01 jan 2006 is 01 52 00
31 dec 2007 is 52 01 53
03 jan 2010 is 01 53 00
02 jan 2011 is 01 52 00
01 jan 2012 is 01 52 00
03 jan 2016 is 01 53 00
01 jan 2017 is 01 52 00
31 dec 2018 is 52 01 53
03 jan 2021 is 01 53 00
02 jan 2022 is 01 52 00
01 jan 2023 is 01 52 00
30 dec 2024 is 52 01 53
31 dec 2024 is 52 01 53
03 jan 2027 is 01 53 00
02 jan 2028 is 01 52 00
31 dec 2029 is 52 01 53
Calendaring software, including the one from a software developer quite well known for not following standards, has converged on the ISO week number.


Koos van den Hout, reachable as koos+website@idefix.net. PGP encrypted e-mail preferred. PGP key 5BA9 368B E6F3 34E4 (local copy, or via keyservers).

My opinions are my own; what I write is protected by copyright. Some publications contain an explicit license statement which allows sharing without asking permission.
This page generated by $Id: newstag.cgi,v 1.40 2022/12/12 15:34:31 koos Exp $ in 0.034864 seconds.