      Banish OEM self-signed certs forever and roll your own private LetsEncrypt

      news.movim.eu / ArsTechnica · Friday, 15 March - 10:45 · 1 minute

    (Image credit: Aurich Lawson | Getty Images)

    Previously, on "Weekend Projects for Homelab Admins With Control Issues," we created our own dynamically updating DNS and DHCP setup with bind and dhcpd. We laughed. We cried. We hurled. Bonds were forged, never to be broken. And I hope we all took a little something special away from the journey—namely, a dynamically updating DNS and DHCP setup. Which we're now going to put to use!

    If you're joining us fresh, without having gone through the previous part and wanting to follow this tutorial, howdy! There might be some parts that are more difficult to complete without a local instance of bind (or another authoritative resolver compatible with nsupdate). We'll talk more about this when we get there, but just know that if you want to pause and go do part one first, you may have an easier time following along.

    The quick version: A LetsEncrypt of our own

    This article will walk through the process of installing step-ca, a standalone certificate-authority-in-a-box. We'll then configure step-ca with an ACME provisioner. ACME is the Automatic Certificate Management Environment, the protocol that underpins LetsEncrypt and automates the issuance, renewal, and revocation of TLS certificates, so that the same clients you already use against LetsEncrypt (certbot, acme.sh and friends) can pull certificates from your private CA instead.
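    The sequence the article is about to walk through, as an added example rather than the article's or smallstep's own code: bring up step-ca with an ACME provisioner, pin its root on a client, and issue a certificate with certbot or acme.sh. The flags are those of the step CLI and the two ACME clients as documented; the names (CA host `ca.home.internal`, provisioner `acme`, JWK provisioner `admin`, target `nas.home.internal`, the `RUN_DEMO` and `ROOT_FINGERPRINT` variables) are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the Ars article or from smallstep): step-ca bootstrap
# and ACME issuance as shell functions. Host and provisioner names are assumed.
set -eu

# step-ca publishes one ACME directory per provisioner:
#   https://<ca-host>/acme/<provisioner-name>/directory
acme_directory_url() {                 # acme_directory_url <ca-host> <provisioner>
  printf 'https://%s/acme/%s/directory\n' "$1" "$2"
}

# --- on the CA host -----------------------------------------------------------

# Initialise a standalone CA with an ACME provisioner enabled from the start.
# The CA key is encrypted; step-ca needs the same password file to start.
init_private_ca() {                    # init_private_ca <ca-name> <ca-dns> <password-file>
  step ca init --deployment-type standalone \
    --name "$1" --dns "$2" --address ':443' \
    --provisioner admin --acme --password-file "$3"
  # Hand this fingerprint to every client out of band; it is what they pin.
  step certificate fingerprint "$(step path)/certs/root_ca.crt"
}

# Add an ACME provisioner to a CA that was initialised without --acme.
# This edits ca.json, so restart step-ca afterwards.
add_acme_provisioner() {               # add_acme_provisioner <provisioner-name>
  step ca provisioner add "$1" --type ACME
}

run_ca() {                             # run_ca <password-file>
  step-ca "$(step path)/config/ca.json" --password-file "$1"
}

# --- on each client -----------------------------------------------------------

# Fetch the private root and verify it against the pinned fingerprint. Every
# ACME client rejects the CA's own TLS certificate until it trusts this root.
fetch_root() {                         # fetch_root <ca-host> <root-fingerprint> <out-file>
  step ca root "$3" --ca-url "https://$1" --fingerprint "$2"
}

# certbot reads the trust bundle from REQUESTS_CA_BUNDLE; --standalone answers
# the http-01 challenge on port 80, so the CA must resolve and reach this host.
issue_with_certbot() {                 # issue_with_certbot <ca-host> <provisioner> <host> <root-file>
  REQUESTS_CA_BUNDLE="$4" certbot certonly --standalone --non-interactive \
    --agree-tos --register-unsafely-without-email \
    --server "$(acme_directory_url "$1" "$2")" -d "$3"
}

# acme.sh takes the trust bundle on the command line instead.
issue_with_acme_sh() {                 # issue_with_acme_sh <ca-host> <provisioner> <host> <root-file>
  acme.sh --issue --standalone -d "$3" \
    --server "$(acme_directory_url "$1" "$2")" --ca-bundle "$4"
}

# Demo wiring (assumed names); only runs when RUN_DEMO=1 so the definitions
# above can be sourced and tested without a CA on the network.
if [ "${RUN_DEMO:-0}" = 1 ]; then
  fetch_root ca.home.internal "${ROOT_FINGERPRINT:?pin the root fingerprint}" /etc/ssl/private-root.crt
  issue_with_certbot ca.home.internal acme nas.home.internal /etc/ssl/private-root.crt
fi
```

Two caveats worth knowing before the first renewal: step-ca's ACME provisioner issues certificates with a 24-hour lifetime by default (the `defaultTLSCertDuration` claim in `ca.json`), so a renewal timer tuned for LetsEncrypt's 90-day certificates is far too slow; and the http-01 challenge only succeeds if the CA can resolve the requested name to the host that is answering, which is exactly what the dynamic DNS from part one provides.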

      Windows feature that resets system clocks based on random data is wreaking havoc

      news.movim.eu / ArsTechnica · Wednesday, 16 August, 2023 - 17:23 · 1 minute

    A few months ago, an engineer in a data center in Norway encountered some perplexing errors that caused a Windows server to suddenly reset its system clock to 55 days in the future. The engineer relied on the server to maintain a routing table that tracked cell phone numbers in real time as they were being moved from one carrier to the other. A jump of eight weeks had dire consequences because it caused numbers that had yet to be transferred to be listed as having already been moved and numbers that had already been transferred to be reported as pending.

    “With these updated routing tables, a lot of people were unable to make calls, as we didn't have a correct state!” the engineer, who asked to be identified only by his first name, Simen, wrote in an email. “We would route incoming and outgoing calls to the wrong operators! This meant, e.g., children could not reach their parents and vice versa.”

    A show-stopping issue

    Simen had experienced a similar error last August when a machine running Windows Server 2019 reset its clock to January 2023 and then changed it back a short time later. Troubleshooting the cause of that mysterious reset was hampered because the engineers didn’t discover it until after event logs had been purged. The newer jump of 55 days, on a machine running Windows Server 2016, prompted him to once again search for a cause, and this time, he found it.

      Authenticating Icinga 2 API Users with TLS Client Certificates

      pubsub.slavino.sk / icinga · Wednesday, 16 November, 2022 - 10:34

    When interacting with the Icinga 2 API, the client is commonly authenticated using a password provided via HTTP basic auth. Icinga 2 also supports a second authentication mechanism: TLS client certificates. This is a feature of TLS that also allows the client to send a certificate, just like the server does, allowing the server to […]

    The post Authenticating Icinga 2 API Users with TLS Client Certificates appeared first on Icinga .

    Tags: #certificates, #Network, #TLS, #API, #How-tos, #icinga2

      acme.sh

      pubsub.slavino.sk / warlord0blog · Wednesday, 14 April, 2021 - 21:24

    We’ve been using certbot and Let’s Encrypt for years. But we have some legacy systems hidden in the bowels and darkest corners of our data centre that are no longer supported by certbot. Certbot uses Python, and on some creaky old systems we just can’t upgrade them to continue using certbot. This is where acme.sh comes …

    Tags: #Linux, #certificates

      step-ca and ACME

      pubsub.slavino.sk / warlord0blog · Friday, 15 January, 2021 - 12:18

    We have a couple of hundred certs with Let’s Encrypt and it is a great service. Right now though we need to issue certs to internal systems and thought it would be great to use the same ACME method to do so. Add to that we’d like to issue some user certificates to use for …

    Tags: #nginx, #Web, #Linux, #certificates

      Auto Select Client Certificate

      pubsub.slavino.sk / warlord0blog · Friday, 23 October, 2020 - 07:00

    When you visit a site requiring a client certificate you’ll be presented with a dialog to select a certificate to use. This is awkward in a kiosk scenario where a user may not be present to select the certificate or can’t select the certificate because it is on a second screen. To make it happen …

    Tags: #Linux, #Web, #certificates

      Nginx SSL Certificate Error

      pubsub.slavino.sk / warlord0blog · Wednesday, 14 October, 2020 - 20:00

    We’re using client-side certificates on an Nginx host to ensure the credentials of the connecting users and haven’t used the site for a while. I tried to log on with a known good client certificate and know that nothing in the site config has changed, and all I get in return is a 400 error …

    Tags: #certificates, #nginx, #Linux, #Web

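    Client-certificate authentication, as described in the Icinga 2 entry above and behind the Nginx 400 error above, comes down to one check: does the presented certificate chain to the CA the server has been told to trust, and what name does it carry? The following is an added example, not code from the Icinga project or from warlord0blog: it builds a throwaway private CA with openssl, issues a client certificate from it, and runs the same verification a server performs, showing that a certificate from any other CA (even with the identical CN) is rejected. The CA names `homelab-root` and `rogue-root`, the user name `api-user`, and the `RUN_DEMO` variable are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from Icinga or warlord0blog): a throwaway private CA, one
# client certificate, and the chain check a server applies to it.
set -eu

# Create a self-signed root CA in <dir>/<name>.{key,crt}. The extfile marks it
# as a CA, which openssl verify (and every TLS server) insists on.
make_ca() {                            # make_ca <dir> <ca-name>
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1/$2.ext"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1/$2.key" -out "$1/$2.csr" \
    -subj "/CN=$2" 2>/dev/null
  openssl x509 -req -in "$1/$2.csr" -signkey "$1/$2.key" -days 1 \
    -extfile "$1/$2.ext" -out "$1/$2.crt" 2>/dev/null
}

# Issue a client certificate for <user> signed by <ca-name>, written to
# <dir>/<ca-name>-<user>.crt. The CN is the identity the server will see.
issue_client_cert() {                  # issue_client_cert <dir> <ca-name> <user>
  out="$1/$2-$3"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$out.ext"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$out.key" -out "$out.csr" \
    -subj "/CN=$3" 2>/dev/null
  openssl x509 -req -in "$out.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" -CAcreateserial \
    -days 1 -extfile "$out.ext" -out "$out.crt" 2>/dev/null
}

# The server-side check: succeeds (exit 0) only if the client cert chains to
# the trusted CA and is within its validity period. This is what nginx does
# against ssl_client_certificate when ssl_verify_client is on, and what Icinga 2
# does before it looks up the CN.
verify_client_cert() {                 # verify_client_cert <trusted-ca.crt> <client.crt>
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# The identity a server extracts after verification: the subject CN. Icinga 2
# matches it against the client_cn attribute of an ApiUser object.
client_cn() {                          # client_cn <client.crt>
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=CN=//'
}

# End-to-end demo with assumed names; guarded so the functions above can be
# sourced without side effects.
if [ "${RUN_DEMO:-0}" = 1 ]; then
  d=$(mktemp -d)
  make_ca "$d" homelab-root
  issue_client_cert "$d" homelab-root api-user
  verify_client_cert "$d/homelab-root.crt" "$d/homelab-root-api-user.crt" \
    && echo "accepted: $(client_cn "$d/homelab-root-api-user.crt")"
  make_ca "$d" rogue-root
  issue_client_cert "$d" rogue-root api-user
  verify_client_cert "$d/homelab-root.crt" "$d/rogue-root-api-user.crt" \
    || echo "rejected: same CN, wrong CA"
fi
```

When a previously working client certificate starts drawing a 400 from nginx, run `verify_client_cert` with the exact file named in `ssl_client_certificate` and the certificate the browser presents; the one-day `-days 1` here is deliberately short so that the expiry case is easy to reproduce the next morning.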
      SMTP Ciphers

      Warlord · pubsub.slavino.sk / warlord0blog · Thursday, 16 July, 2020 - 15:30

    What ciphers are used by your SMTP server? Well, that’s a question I got asked today. Take a look at testssl.sh: it spawned a whole report about my SMTP server that included ciphers and a whole lot more: https://github.com/drwetter/testssl.sh (Not output from one of our servers, just a random SMTP server.)

    Tags: #Linux, #certificates, #security, #ssl