caa records the hardish way

Sisyphus is still a role model

Sisyphus is still a role model

Caa* records are a bit rare and unless you run a very new dns server version many of these records will be tossed out as too new since it is either not supported either by the name server or dnssec wrapper.

To do caa records in an ‘older’ server i had to use rfc 3597 syntax which does look like voodoo compared to normal dns records its not the kind of thing the bbc think is not worth reporting on (my blog).  It is some kind of machine readable format of which i have not delved in to but looks a bit like atps.

mafia run the british red cross

the ssl mafia

Not all ca’s (not a typo) support caa for since when i write this gandi don’t, but letsencrypt do so if your shopping for tls its another limiter.

So two zoo domains do have caa records from two suppliers. But two do not. As many dns things like tlsa (my blog) are not checked by browsers i doubt they will be doing caa checks anytime soon.

So I will keep the two records i have and see how maintainable they are. Stay tuned for updates!

It will be doubtful the zoo will purchase gandi ssl (tls) again

*nothing to do with aircraft

the unscheduled lets encrypt renewal by 21 days

are-you-serious-wtf-meme-baby-faceLets encrypt is a free tls thing and a bit of a game for me to do email in tls i had to make a web site just to get the bloody tls that assumedly lasts three months and then i have to redo my tlsa records for dane.

I wrote down the date but 21 days early it got renewed all on its own, i only know this since i got an email about this fucked up renewal as the tlsa recrds where wrong.  How the fuck did 90 days become 69.  That’s with the zoo doing some pruning of lets encrypt cron jobs and me not knowing precisely what calls the update in debian (not me).

I renewed my tlsa records (my blog) but its process to call for updates and inform you is something i have to figure out and that’s even looking at the logs in /var/log/letsencrypt which is a joy to read due to stack traces.

Grr

 

Letsencrypt finally figured out (meh)

leOne afternoon i was bored on a bank holiday and decided to go figure out letsencrypt of which my previous attempt left much to be desired (my blog).

The domain was using self signed certs for email and i had no www, and being slightly drunk certainly made it a game of it after all this has got to work somehow.

This is from debian backports, i guess i might end compiling everything if compiled from source. Since i use debian lets try and keep it the debian way.

I had to do some www config work, listening on 80 and 443 in apache, i also did some dns redirect diversions a day earlier

gets worse

gets worse

Nit pick – the man page for certbot really sucks in formatting you have to be in FULL SCREEN mode or other the formatting is shit. I smell a gnome developer.

With my config i then experimented until i hit the right command to use with apache since i have a host that does more than just one website which is where crappy website hosting will assume that you only have only one.

I used

certbot certonly –webroot -w /var/www/<host>/ -d <host>

Which picked up the config rather than assume i have only one ip address.

Anyhow i eventually got a working certificate (nice not to get a useless www. is a plus point) after some apache config work and restarts but guessing where the certs where was the next issue – a google discovered the /etc/letsencrypt/live/<host>/*.pem was the ticket.  Never trusted or knew about the automatic apache config mode of which i have no idea if that is for the 2.2 or 2.4 release.

Reconfiguring apache could be big job for me if it fucks up as we host more than one website here in the zoo on one computer.   I really do not trust certbot to configure things and i like to know how it works rather than some stuff i did not set up.

For dane (my blog)  i had to hash the cert.pem – i only really want it for that not apache, why i cant use email to approve this shit like paid certs do is beyond me, if they want a apache config i am willing to oblige it but this is me pushing the average user envelope.

Most people probably reading this probably cannot use tls in email – say gandi clients, or have dkim signed mail unless you buy a high end xen instance and configure it yourself.  tls encryption was a no in the cheapest gandi* offering when i looked.

Letsencrypt works in postfix too once you set cert,ca chain,and private key,  tlsa hashing was successful too a benefit of doing the apache ssl config.

These certs only last three months and so expect a lot of crap in /var./log/lersencrypt from python dumps which is easier said to trackdown what generates them even with cron jobs turned off although the renewal directory files appears to be adjusted by what i have no idea on.

I have now got to write a index html page and a404 explaining the reason for this bizarre oddity.  It’s a make work scheme although it will work the default index.html we all know and love..

Then your renewal – you have to setup a cron entry, in three months time i then have to hash cert.pem once again and change to dns records.

The cron scheduling may or may not be available with basic or average hosting.

I suppose it is better than self signed.

babymemeThis i suppose it not how your average website would usually get an tls cert but the monkey house is not constrained like you lot with one ip address, a virgin domain name and a strange version of dns,email and hosting.

Works here though setting hsts (my blog)  to three months is deemed ‘bad’ by some.

*gandi is a hosting firm not an indian

giving up on the mysteries of hpkp

Sisyphus is still a role model

Sisyphus is still a role model

I have written about hpkp (my blog) before but find it lacking in useable documentation, quite how you specify a backup cert in say apache i leave as a question to guru’s, buying a cert to not use it seems strange, and how that would affect caa records if say from another supplier is a  mystery it seems i will not bother to figure out for it is bollocks to common sense.  Could one be deemed a fake cert issue that gets the ca removed from say firefox is a problem i foresee if hpkp takes off.

I suppose it could be done but then if the hostname does not match your still going to get grief from firefox about host mismatch problems, forget self signing ssl.  Add the cost of ev certs in too, or the problem a cert with multiple addresses then you still have no backup hpkp.

I think hpkp is a retarded mans dnssec (which the zoo has) but hpkp  still has a cost with the backup certificate which i guess makes the ssl mafia happy financially and who cares if it gets used or not.  they do not.

As i am no hpkp guru, or feel the need to become one and ask the question why is it only for webservers say but not email too,other ports can be utilised too but you get my gripe.

So  i have commented it out of the apache config for if i cannot figure it out then i doubt many others can use it either.

Anyhow not my problem.

 

fun with postfix tls and user certs

hipsterSo you have a dane (my blog) compatible dnssec setup (my blog) running on all the mx’s in the domain list which entails at least two certificate authorities so what else can you do ?

Well being a bored ape one day i decide to test user certificates in postfix not simply three extra lines to enable tls support in postfix which requires more steps with some hairy eyeballs on the postfix tls support document.

danehttpsresultIt does work although its just mentioned in the headers. Reports can be semi informative

8 Anonymous: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
1 Untrusted: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)

mafia run the british red crossThat is a self certified tls with ‘Untrusted’. Signed tls (eg bought) it seems impossible to issue client certificates like you can with self signed ssl. so it seems unlikely that i will ever get ‘Trusted’.   The setiing ‘Anonymous’ is dane tls in default.

Bloody mafia (my blog).

Self certified user certs are nice if a little extra mile and something that does need a mammal at a keyboard.  So it sort of explains why it is not popular although our friends at the nsa (my blog) probably helped.

No wonder user certificates (opposed to server instances) are missing from most postfix setups and even Google get untrusted status.

Received: from mail-*.google.com (unknown [ip])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits))
(Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (not verified))
by mail2.zoo (Postfix) with ESMTPS id x

So dane will only get you so far.The mafia wont help either.

DSN’s are a handled oddly too. example

postfix/smtp[x]: xyz: to=<553@zoo>, relay=zoo[ip.addr]:25, delay=x, delays=1018/0.01/0.09/0, dsn=4.7.5, status=deferred (Server certificate not verified)

which in postfix is classed as

4.7.5: Transient failure: Security/policy status: Cryptographic failure

letsencrypt fail

The zoo runs several websites off one piece of hardware and some of you lot probably will be amazed that it is possible (my blog) and it works.

However lets encrypt is a wreck behind the scenes even run as root i failed to get past this web hoster’s botched implementation certbot

Carol Beer little britain says computer said no

Carol Beer little britain says computer said no

Problems encountered — one registration per /etc monkey.com and banana.com need two accounts

I delete one , i get further than before then i need to create directories and when i run those commands (printf) the client still says no and when dealing muiltple ip addresses then some editing of the python syntax is needed

This

:/tmp/certbot/public_html# $(command -v python2 || command -v python2.7 || command -v python2.6) -c “import BaseHTTPServer, SimpleHTTPServer; \
s = BaseHTTPServer.HTTPServer((”, 80), SimpleHTTPServer.SimpleHTTPRequestHandler); \
s.serve_forever()”

Needs to become

:/tmp/certbot/public_html# $(command -v python2 || command -v python2.7 || command -v python2.6) -c “import BaseHTTPServer, SimpleHTTPServer; \
s = BaseHTTPServer.HTTPServer((‘<ip address>’, 80), SimpleHTTPServer.SimpleHTTPRequestHandler); \
s.serve_forever()”

However a dns redirect trumps this feature so its a real pain in the arse – all i wanted was tls website for an expired tls domain – no joy and for a postfix instance a certificate which seems to demand a website which i dont want.

I also deleted my 443 config (i did make a backup) but it strikes me as very much not ready for the real world. I decided to buy ssl instead.

Perhaps my tlsa records (my blog) upset the process but when certbot does computer says no when i wanted was something along the lines of a crt, pem chain which i could figure out the rest instead i get a boiler plate 443<monkey>.com apache template somewhere in /etc.

rocketletsencrypt is too restrictive and its configuration leaves much to be desired.  OK I was working this as an in place upgrade rather than a ‘virgin’ domain which never had ssl cert before which i could test* but its not rocket science tls but the process involved is horrid.

Peace.

*to do this i would create dns zones,change dns glue records,switch on an ipv4 address and add a www thing,delete the bad account data,and then a day later try again.  No thanks.

what contact will the tls provider use game.

guessI had to do an emergency ssl renewal recently* and while approving the first contact, the second is somewhat of a guess being the admin or tech contact.  I always seem to get to assume the wrong one, but some use one but not the other.

There pretty painless mostly if you have done it before and you get a guess who game as well.

*nobody informed me

letsencrypt in debian backports

headacheIs now there (my blog kind of) but it only looks at web servers. It also appears to configure the ssl and get you a certificate. However it is a start, if a bit scary for those with working ssl sites.  Backups are probably in order until you know what it actually does and i do not need tls yet.

Pushing the envelope as ever i wanted it for email servers and that s when the plug-in got mysterious and i left it although i actually have a victim lined up.

I will continue to run self certified tls (my blog) on the mail server and look at this in the future.

What is dispiriting is that most people only bother with tls over http rather than everything else. Sigh

tlsv1.0 in the wild.

girlfriendIn 2015 and i have a dane compatible servers (my blog) running the latest and greatest in tls support which is version 1.2 and not version 1.0.  I thought i did not need the old version, they still use ssl v3 as well

I run a script and see a certain address with thousands of connects but no mail, and one day i guess they use the thing i do not have.  Grudgingly i enable tlsv1 on one mail server.

That should fix it.

Better postfix tls

Yep we all be muppets

Bananas had tls setup badly* once on a postfix mail server and decided to fix it better, it worked inbound, but i had not bothered to do outbound.

I fiddle about and set

smtp_tls_note_starttls_offer = yes smtp_tls_security_level = may
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_received_header = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA

Cipher.lst is helpfull here – As while i may have it, you cannot say 100% that everybody else can do it so enforce was out of the question due to a name mismatch on the certificate.

A Postfix upgrade (my blog) helped more.

Now you start with dnssec and dane.  No excuses now

* my blog it works but was not that usable.