tls renewal time from the last time i did them

It was tls renewal time once again in the past so i decided to switch suppliers (my third) and go for sslmate after all i you find horrible holes in systemd then you need to be rewarded.  I had no idea what i was letting myself in for but in fact it is way better than letsencrypt (my blog) as it uses email contacts instead of some shit http server to validate.

This is paid for rather than ‘free’ and the sslmate does work nicely as a cli although dont ask it to make a postfix tls instance.  If you use microsoft windows then your not intelligent enough imho.

Once you have an account (a website job) and the software you just ask for mail10.zoo1 and it creates the csr and once validated by the carbon based unit it takes the money and deposits four files on your computer.

Being weird i use mail10.zoo1 for email tls and generally know what i am supposed to be doing but it should work as a www thing if your average.

babymemeComodo issue the certificates and most of my changes worked on the first attempt. Comodo’s new owner is an issue.

That’s basic usage for one host.  You can also specify a spending limit per day so if you have issues like that then a low amount means your get an email saying so.

I need multi host ssl for .zoo and they offer it at a most reasonable price so .zoo and mail10.zoo will all be covered with tls.  Doing this with other resellers would mean an expensive wildcard cert that would unused or two standard ssl certs and while it is not that hard i want something better.

Multi host as an experiment did not work the way i expected and the firm did not respond to my email.  However i have enough brains to work around the issue.

Generally i can do dane (my blog) and so website ssl but only on http://www.zoo not .zoo. it was not worth the extra money to add it but config wise with the extra hosts in the certificate it makes hashing of tlsa easy.

Next year i do not see much point in long term certs as things change say sha1 replaced with 256 so at some point your going to replace the cert with a new one but new hash.   Its still work.

I was able to get a cert and the chain files and adjust configs rather than be inflicted with apache configs and unknown postfix something that other things insist on fixing despite me knowing what i am doing.

Would i do it again – individual is cheaper and perhaps worth setting up say www. and *.zoo so this is not a total waste of time one i will put down to experience despite wasting http://www.mail10.zoo as an unused address.

The more complex the cli command the less intuitive it becomes and the documentation on the website is lacking but kind of guessable.

Maybe i go for a wildcard ssl next time.

Both times i got a pdf invoice.

 

Symantec leaves the ssl market

mafia run the british red cross

Symantec i read have sold there ssl interests after fucking up ssl (tls) certs with the green bars.  Quite how these security geniuses ended upon such a state is noteworthy but probably leaves many of you with bad unverified certificates rom them and there brands that will stop working.

This has happened before (my blog) so size is no guarantee of administration.  Oddly these are the same people complain bitterly about others and not there own behaviour in the past.

I do not have any Symantec brands of tls but i do not want any of there products in the zoo.

It feels like money trumps integrity.   Most of us do tls once and never have to worry about it it for a year or so but Symantec have other plans for you.

CS Academics who can’t run an email server

nugura.cs.usyd.edu.au tried to send the zoo something alas there a bit shit a mail servers.  Lets take a look….

smtpd[*]: NOQUEUE: reject: RCPT from nugura.cs.usyd.edu.au[129.78.110.124]: 504 5.5.2 : Helo command rejected: need fully-qualified hostname; from=<caa_verification@nugura.cs.usyd.edu.au> to=<abuse@zoo> proto=SMTP helo=<nugura>

Oh well it would have been interesting to see (my blog) that.but i am not that bothered.

the amusing antics of the ssl mafia

mafia run the british red cross

Bananas was reading this (not here) when the whole concept of paid tls seems like a make work scheme.

For the record the zoo has ssl, dnssec and other things but our cents for tls are the cheap ones (dv), – we also have one lets-encrypt doing something boring.

For ov and ev certs even the cert providers fail the validation test Symantec has been issuing then without these checks.  No i am not making that up these are supposed to be trust worthy oh well as long as money is handed over the mafia do not really care.

I have no problem with tls except the way it is procured and set up – for instance how many sites with ssl/tls have caa records, or tlsa.

If you have tls certs and have no fucking clue what a caa is (not regulation of aircraft) then your a problem here too.

So the ssl mafia has been complaining and while i am ok with tls1.3 i do wonder if i will still need my zoo email to handle tls1.0 because some retard at our energy company has not even heard of tls 1.2.

Other shit things the ssl mafia have come up with include hkpk and the ideas continue with httpev: because https is er could mean anything apparently.

The link is an informative read about the perception of things and the desperation of the ssl mafia to differentiate and not follow there own rules while whining about things.

As the browser makers seem not inclined to do the extended bidding of the ssl mafia and people think what they think i am certainly not inclined to buy ev certs, for instance who would the average smart phone user know that the ev certified site they visited is genuine ?

These are valid concerns but the reaction of the ssl mafia is as usual screwed up.  These goodfellas are great are they not?

caa records the hardish way

Sisyphus is still a role model

Sisyphus is still a role model

Caa* records are a bit rare and unless you run a very new dns server version many of these records will be tossed out as too new since it is either not supported either by the name server or dnssec wrapper.

To do caa records in an ‘older’ server i had to use rfc 3597 syntax which does look like voodoo compared to normal dns records its not the kind of thing the bbc think is not worth reporting on (my blog).  It is some kind of machine readable format of which i have not delved in to but looks a bit like atps.

mafia run the british red cross

the ssl mafia

Not all ca’s (not a typo) support caa for since when i write this gandi don’t, but letsencrypt do so if your shopping for tls its another limiter.

So two zoo domains do have caa records from two suppliers. But two do not. As many dns things like tlsa (my blog) are not checked by browsers i doubt they will be doing caa checks anytime soon.

So I will keep the two records i have and see how maintainable they are. Stay tuned for updates!

It will be doubtful the zoo will purchase gandi ssl (tls) again

*nothing to do with aircraft

the unscheduled lets encrypt renewal by 21 days

are-you-serious-wtf-meme-baby-faceLets encrypt is a free tls thing and a bit of a game for me to do email in tls i had to make a web site just to get the bloody tls that assumedly lasts three months and then i have to redo my tlsa records for dane.

I wrote down the date but 21 days early it got renewed all on its own, i only know this since i got an email about this fucked up renewal as the tlsa recrds where wrong.  How the fuck did 90 days become 69.  That’s with the zoo doing some pruning of lets encrypt cron jobs and me not knowing precisely what calls the update in debian (not me).

I renewed my tlsa records (my blog) but its process to call for updates and inform you is something i have to figure out and that’s even looking at the logs in /var/log/letsencrypt which is a joy to read due to stack traces.

Grr

 

Letsencrypt finally figured out (meh)

leOne afternoon i was bored on a bank holiday and decided to go figure out letsencrypt of which my previous attempt left much to be desired (my blog).

The domain was using self signed certs for email and i had no www, and being slightly drunk certainly made it a game of it after all this has got to work somehow.

This is from debian backports, i guess i might end compiling everything if compiled from source. Since i use debian lets try and keep it the debian way.

I had to do some www config work, listening on 80 and 443 in apache, i also did some dns redirect diversions a day earlier

gets worse

gets worse

Nit pick – the man page for certbot really sucks in formatting you have to be in FULL SCREEN mode or other the formatting is shit. I smell a gnome developer.

With my config i then experimented until i hit the right command to use with apache since i have a host that does more than just one website which is where crappy website hosting will assume that you only have only one.

I used

certbot certonly –webroot -w /var/www/<host>/ -d <host>

Which picked up the config rather than assume i have only one ip address.

Anyhow i eventually got a working certificate (nice not to get a useless www. is a plus point) after some apache config work and restarts but guessing where the certs where was the next issue – a google discovered the /etc/letsencrypt/live/<host>/*.pem was the ticket.  Never trusted or knew about the automatic apache config mode of which i have no idea if that is for the 2.2 or 2.4 release.

Reconfiguring apache could be big job for me if it fucks up as we host more than one website here in the zoo on one computer.   I really do not trust certbot to configure things and i like to know how it works rather than some stuff i did not set up.

For dane (my blog)  i had to hash the cert.pem – i only really want it for that not apache, why i cant use email to approve this shit like paid certs do is beyond me, if they want a apache config i am willing to oblige it but this is me pushing the average user envelope.

Most people probably reading this probably cannot use tls in email – say gandi clients, or have dkim signed mail unless you buy a high end xen instance and configure it yourself.  tls encryption was a no in the cheapest gandi* offering when i looked.

Letsencrypt works in postfix too once you set cert,ca chain,and private key,  tlsa hashing was successful too a benefit of doing the apache ssl config.

These certs only last three months and so expect a lot of crap in /var./log/lersencrypt from python dumps which is easier said to trackdown what generates them even with cron jobs turned off although the renewal directory files appears to be adjusted by what i have no idea on.

I have now got to write a index html page and a404 explaining the reason for this bizarre oddity.  It’s a make work scheme although it will work the default index.html we all know and love..

Then your renewal – you have to setup a cron entry, in three months time i then have to hash cert.pem once again and change to dns records.

The cron scheduling may or may not be available with basic or average hosting.

I suppose it is better than self signed.

babymemeThis i suppose it not how your average website would usually get an tls cert but the monkey house is not constrained like you lot with one ip address, a virgin domain name and a strange version of dns,email and hosting.

Works here though setting hsts (my blog)  to three months is deemed ‘bad’ by some.

*gandi is a hosting firm not an indian

giving up on the mysteries of hpkp

Sisyphus is still a role model

Sisyphus is still a role model

I have written about hpkp (my blog) before but find it lacking in useable documentation, quite how you specify a backup cert in say apache i leave as a question to guru’s, buying a cert to not use it seems strange, and how that would affect caa records if say from another supplier is a  mystery it seems i will not bother to figure out for it is bollocks to common sense.  Could one be deemed a fake cert issue that gets the ca removed from say firefox is a problem i foresee if hpkp takes off.

I suppose it could be done but then if the hostname does not match your still going to get grief from firefox about host mismatch problems, forget self signing ssl.  Add the cost of ev certs in too, or the problem a cert with multiple addresses then you still have no backup hpkp.

I think hpkp is a retarded mans dnssec (which the zoo has) but hpkp  still has a cost with the backup certificate which i guess makes the ssl mafia happy financially and who cares if it gets used or not.  they do not.

As i am no hpkp guru, or feel the need to become one and ask the question why is it only for webservers say but not email too,other ports can be utilised too but you get my gripe.

So  i have commented it out of the apache config for if i cannot figure it out then i doubt many others can use it either.

Anyhow not my problem.

 

fun with postfix tls and user certs

hipsterSo you have a dane (my blog) compatible dnssec setup (my blog) running on all the mx’s in the domain list which entails at least two certificate authorities so what else can you do ?

Well being a bored ape one day i decide to test user certificates in postfix not simply three extra lines to enable tls support in postfix which requires more steps with some hairy eyeballs on the postfix tls support document.

danehttpsresultIt does work although its just mentioned in the headers. Reports can be semi informative

8 Anonymous: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
1 Untrusted: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)

mafia run the british red crossThat is a self certified tls with ‘Untrusted’. Signed tls (eg bought) it seems impossible to issue client certificates like you can with self signed ssl. so it seems unlikely that i will ever get ‘Trusted’.   The setiing ‘Anonymous’ is dane tls in default.

Bloody mafia (my blog).

Self certified user certs are nice if a little extra mile and something that does need a mammal at a keyboard.  So it sort of explains why it is not popular although our friends at the nsa (my blog) probably helped.

No wonder user certificates (opposed to server instances) are missing from most postfix setups and even Google get untrusted status.

Received: from mail-*.google.com (unknown [ip])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits))
(Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (not verified))
by mail2.zoo (Postfix) with ESMTPS id x

So dane will only get you so far.The mafia wont help either.

DSN’s are a handled oddly too. example

postfix/smtp[x]: xyz: to=<553@zoo>, relay=zoo[ip.addr]:25, delay=x, delays=1018/0.01/0.09/0, dsn=4.7.5, status=deferred (Server certificate not verified)

which in postfix is classed as

4.7.5: Transient failure: Security/policy status: Cryptographic failure