home - Dave's Blog


Let's Encrypt NearlyFreeSpeech.net Update

2016 Nov 5, 8:59

Since I last posted about using Let's Encrypt with NearlyFreeSpeech, NFS has changed its process for setting TLS info. Instead of putting the various files in /home/protected/ssl and submitting an assistance request, there is now a command and a webpage for submitting the certificate info.

The webpage is https://members.nearlyfreespeech.net/{username}/sites/{sitename}/add_tls and has a textbox into which you paste all the cert info in PEM form: the domain key, the domain certificate, and the Let's Encrypt intermediate cert must all be pasted into the textbox and submitted.

Alternatively, that same info may be provided on standard input to nfsn -i set-tls.

To renew my certificate with the updated NFS process I followed the commands from Andrei Damian-Fekete's script which depends on acme_tiny.py:

python acme_tiny.py --account-key account.key --csr domain.csr --acme-dir /home/public/.well-known/acme-challenge/ > signed.crt
wget -O - https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > intermediate.pem
cat domain.key signed.crt intermediate.pem > chained.pem
nfsn -i set-tls < chained.pem
Because my certificate had already expired I needed to comment out the section in acme_tiny.py that validates the challenge file. The filenames in the above map to the following:
  • signed.crt is the Let's Encrypt provided certificate
  • account.key is the user private key registered with LE
  • domain.csr is the cert request
  • domain.key is the key for the domain cert
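As an added example (not code from the post, from acme_tiny or from NFSN), a structural check to run on chained.pem before feeding it to nfsn -i set-tls: it parses the PEM blocks and flags a missing intermediate, which is the incomplete chain that cost a grade on SSL Labs in the earlier setup post. The sample bundle is constructed with dummy base64 bodies, and the expected order (key, leaf cert, intermediate) is the one the cat command above produces.

```python
import base64
import binascii
import re

def _pem_block(label, body):
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)

# Constructed sample bundle in the order the post's cat command produces
# (domain.key, signed.crt, intermediate.pem); the base64 bodies are dummy
# data, not real key or certificate material.
SAMPLE_CHAINED_PEM = (
    _pem_block("RSA PRIVATE KEY", base64.b64encode(b"dummy key").decode())
    + _pem_block("CERTIFICATE", base64.b64encode(b"dummy leaf cert").decode())
    + _pem_block("CERTIFICATE", base64.b64encode(b"dummy intermediate").decode())
)

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)\n-----END ([A-Z ]+)-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}

def parse_pem(text):
    """Return (label, decoded bytes) for each PEM block; raise on a malformed one."""
    blocks = []
    for begin, body, end in PEM_RE.findall(text):
        if begin != end:
            raise ValueError("mismatched BEGIN/END labels: %s / %s" % (begin, end))
        try:
            raw = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error as exc:
            raise ValueError("bad base64 in %s block: %s" % (begin, exc))
        blocks.append((begin, raw))
    return blocks

def check_chained_pem(text):
    """Return a list of problems with a bundle meant for set-tls; empty means OK."""
    labels = [label for label, _ in parse_pem(text)]
    problems = []
    keys = [l for l in labels if l in KEY_LABELS]
    certs = [l for l in labels if l == "CERTIFICATE"]
    if len(keys) != 1:
        problems.append("expected exactly one private key block, found %d" % len(keys))
    if len(certs) < 2:
        # A lone certificate means the intermediate was left out: the incomplete
        # chain that SSL Labs reports and that the earlier setup post ran into.
        problems.append("expected leaf plus intermediate, found %d certificate(s)" % len(certs))
    if labels and labels[0] not in KEY_LABELS:
        problems.append("private key should come first, then signed.crt, then intermediate.pem")
    return problems
```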
Tags: certificate lets-encrypt nearlyfreespeech.net

Let's Encrypt NearlyFreeSpeech.net Setup

2016 Feb 4, 2:48

2016-Nov-5: Updated post on using Let's Encrypt with NearlyFreeSpeech.net

I use NearlyFreeSpeech.net to host my personal website and I've just finished setting up TLS via Let's Encrypt. The process was slightly more complicated than what you'd expect from Let's Encrypt, so for those interested in doing the same on NearlyFreeSpeech.net, I've taken the following notes.

The standard Let's Encrypt client requires su/sudo access, which is not available on NearlyFreeSpeech.net's servers. Additionally, NFSN's webserver doesn't have any Let's Encrypt plugins installed. So I used the Let's Encrypt Without Sudo client. I followed the instructions listed on the tool's page, with the addition of providing the "--file-based" parameter to sign_csr.py.

One thing the script doesn't produce is the chain file. But this topic "Let's Encrypt - Quick HOWTO for NSFN" covers how to obtain that:

curl -o domain.chn https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem

Now that you have all the required files, on your NFSN server make the directory /home/protected/ssl and copy your files into it. This is described in the NFSN topic "provide certificates to NFSN". After copying the files and setting their permissions as described in the previous link, you submit an assistance request. For me it was only 15 minutes later that everything was set up.

After enabling HTTPS I wanted to have all HTTP requests redirect to HTTPS. The normal Apache documentation on how to do this doesn't work on NFSN servers. Instead the NFSN FAQ describes it in "redirect http to https and HSTS". You test the X-Forwarded-Proto header rather than the HTTPS variable because of how NFSN's virtual hosting is set up.

RewriteEngine on
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R=301]

Turning on HSTS is as simple as adding the HSTS HTTP header. However, the description in the above link didn't work because my site's NFSN realm isn't on the latest Apache yet. Instead I added the following to my .htaccess. After I'm comfortable with everything working well for a few days I'll start turning up the max-age to the recommended minimum value of 180 days.

Header set Strict-Transport-Security "max-age=3600;"

Finally, to turn on CSP I started up Fiddler with my CSP Fiddler extension. It allows me to determine the most restrictive CSP rules I could apply and still have all resources on my page load. From there I found and removed inline script and some content loaded via http and otherwise continued tweaking my site and CSP rules.

After I was done I checked out my site on SSL Labs' SSL Test to see what I might have done wrong or needed improving. The first time I went through these steps I hadn't included the chain file, which the SSL Test told me about. I was able to add that file to the files I had already generated from the Let's Encrypt client and do another NFSN assistance request, and 15 minutes later the SSL Test had upgraded me from 'B' to 'A'.

Tags: certificate csp hsts https lets-encrypt nearlyfreespeech.net

Tweet from David_Risney

2015 Oct 23, 2:15
Considering replacing my very aged home WAPs & router. Recommendations? This looks enticing: http://arstechnica.com/gadgets/2015/10/review-ubiquiti-unifi-made-me-realize-how-terrible-consumer-wi-fi-gear-is/ …

Image Manipulation in PowerShell - Windows PowerShell Blog - Site Home - MSDN Blogs

2015 Jan 5, 1:20

Great blog post and set of powershell scripts for manipulating images.

Tags: programming coding powershell


Debugging LoadLibrary Failures - Junfeng Zhang's Windows Programming Notes - Site Home - MSDN Blogs

2014 Feb 25, 2:22

How to turn on debug logging for LoadLibrary to diagnose failures. For example, see where in the dependency graph of a DLL LoadLibrary ran into issues.

Tags: technical win32 windows debugging loadlibrary

Windows Remote Desktop via Internet

2012 Dec 7, 2:04
To set up my home Windows dev box to be accessible from outside I followed two main steps:
Last time I had to do this there was a service named dynamicdns.org which seems to still exist but no longer appears to be free. Instead I used dnsdynamic.org which is free and has a web API as well as links to and instructions for setting up native tools to dynamically update my IP address.

The frequent fliers who flew too much - latimes.com

2012 May 6, 10:24

“Both men bought tickets that gave them unlimited first-class travel for life on American Airlines.”

“He was airborne almost every other day. If a friend mentioned a new exhibit at the Louvre, Rothstein thought nothing of jetting from his Chicago home to San Francisco to pick her up and then fly to Paris together.”

“She pulled years of flight records for Rothstein and Vroom and calculated that each was costing American more than $1 million a year.”

Tags: humor airline american-airlines travel

Privacy through Obscurity

2012 Mar 9, 3:30

With Facebook changing its privacy policy and settings so frequently and just generally the huge amount of social sites out there, for many of us it is far too late to ensure our name doesn't show up with unfortunate results in web searches. Information is too easily copyable and archive-able to make removing these results a viable option, so clearly the solution is to create more data.

Create fake profiles on Facebook using your name but with a different photo, different date of birth, and different hometown. Create enough doppelgangers to add noise to the search results for your name. And have them share embarrassing stories on their blogs. The goal is to ensure that the din of your alternates drowns out anything embarrassing showing up for you.

Although it will look suspicious if you're the only name on Google with such chaff. So clearly you must also do this for your friends and family. Really you'll be doing them a favor.

Tags: technical facebook stupid internet privacy

Coding in Marble - Rico Mariani's Performance Tidbits - Site Home - MSDN Blogs

2012 Feb 6, 8:47

In short: excessive use of promises leads to a ton of short-lived objects and resulting poorer perf.

Tags: perf technical javascript promise async

(via Celebrity Sleepovers, Comedian Crashes at Celebrity Homes)

2012 Jan 26, 4:57

Tags: humor la celebrity video

My Hometown Is Better Than Yours « Rottin' in Denmark

2012 Jan 6, 6:20

FTA: “Three mountain ranges, four lakes and a fucking Sound. That’s a geographical feature your hometown hasn’t even heard of.”

Tags: humor via-ericlaw seattle

Patterns for using the InitOnce functions - The Old New Thing - Site Home - MSDN Blogs

2011 Apr 8, 2:32

"Since writing lock-free code is such a headache-inducer, you're probably best off making some other people suffer the headaches for you. And those other people are the kernel folks, who have developed quite a few lock-free building blocks so you don't have to. For example, there's a collection of functions for manipulating interlocked lists. But today we're going to look at the one-time initialization functions."

Tags: technical windows programming raymond-chen lock thread-safety

1996 HULU

2011 Apr 3, 11:32

Hulu's would-be homepage from 1996 April 1st. Includes X-Files slow-loading 256-color gifs!

Tags: aprilfools humor hulu video technology history web

IE9 on Windows Phone - IEBlog - Site Home - MSDN Blogs

2011 Feb 14, 6:57

Tags: windows ie mobile ie9 technical

IE9 RC Minor Changes List - EricLaw's IEInternals - Site Home - MSDN Blogs

2011 Feb 11, 5:37

Tags: ie9 development technical ie browser web eric-lawrence

Managing the browser viewport in Windows Phone 7 - IE for Windows Phone Team Weblog - Site Home - MSDN Blogs

2011 Jan 23, 4:44

Tags: mobile windows ie wp7 windows-phone-7 blog technical browser html viewport

Meme-ify Your Home With These 10 Internet Wall Hangings Currently for Sale on Etsy

2010 Oct 22, 1:30

Tags: crafting DIY Etsy haters gonna hate home decor keyboard cat lolcats memes needlepoint pedobear Xzibit technical

MSDN content is also available as a Web service - The Old New Thing - Site Home - MSDN Blogs

2010 Jul 26, 6:56

"But in addition to all the views, you can go directly to the back-end that drives all the data: The MSDN/TechNet Publish System (MTPS) Content Service. With that interface, you can request the back-end data and format it any way you like."

Tags: msdn web microsoft reference webservice technical

Millions of routers vulnerable to new version of old attack

2010 Jul 20, 6:45

Hack based on DNS rebinding plus the home router's web front end.

Tags: security technical web router dns dns-rebinding hack

Creative Commons License: Some rights reserved.