Krausmueller.de

Dynamc DNS client for IPv6

Dynamic DNS is used to automatically update the DNS record of a host which IP changes often. This allows you to provide web services from a host at home behind your personal (V)DSL connection with a non-changing name. There are several providers for DDNS. I use SPDyn. The update of the DNS record is handled by a client like ddclient or directly by your router (e.g. Fritzbox). For IPv4 this is easy. The IP is always the external IP of the router which forwards ports to hosts on your local network. Since my ISP uses Dual-Stack and also provides me IPv6 I created an AAAA-record in the past pointing to the IPv6 address of my local host. When doing so I didn’t realise my ISP changes the IPv6 prefix with every reconnect. Because of this the IPv6 address of my local host changes quite regularly and the AAAA-record created got invalid. I noticed this due to an error when renewing a Let’s Encrypt certificate (post about acme-tiny).

If an AAAA-record is available Let’s Encrypt prefers it for validation of the domain (API Announcements). Because my AAAA-record was not valid anymore the renewal of the certificate threw an error:

Parsing account key...
Parsing CSR...
Registering account...
Already registered!
Verifying domain.com...
Traceback (most recent call last):
  File "acme_tiny.py", line 199, in 
    main(sys.argv[1:])
  File "acme_tiny.py", line 195, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca)
  File "acme_tiny.py", line 150, in get_crt
    domain, challenge_status))
ValueError: domain.com challenge did not pass: {u'status': u'invalid', u'validationRecord': [{u'addressesResolved': [u'217.251.47.207', u'2003:86:2455:9c00:d1:3ff:fe81:bd3f'], u'url': u'http://domain.com/.well-known/acme-challenge/PDUNtwiHq5dncDrvs4V2NE9nSR9vLF2WhnAbX1jQ7f0', u'hostname': u'domain.com', u'addressesTried': [], u'addressUsed': u'2003:86:2455:9c00:d1:3ff:fe81:b46f', u'port': u'80'}], u'keyAuthorization': u'PDUNtwiHq5dncDrvs4V2NE9nSR9vLF2WhnAbX1jQ7f0.YW7Ac9LxjjuWvWzD542ZzSKxcFKDIdehVVzAuYA0vHI', u'uri': u'https://acme-v01.api.letsencrypt.org/acme/challenge/-yjij3RP1r4YC_TkQrUemgjhfWI17pQZSjMZ8kr-Lps/1441804350', u'token': u'PDUNtwiHq5dncDrvs4V2NE9nSR9vLF2WhnAbX1jQ7f0', u'error': {u'status': 400, u'type': u'urn:acme:error:connection', u'detail': u'Fetching http://domain.com/.well-known/acme-challenge/PDUNtwiHq5dncDrvs4V2NE9nSR9vLF2WhnAbX1jQ7f0: Timeout'}, u'type': u'http-01'}

You can see the IPv6 address is used when looking at addressUsed. Because the address is invalid a timeout is reached.

To correct this and be able to access my local host via IPv6 in addition to the A-record for IPv4 the AAAA-record for IPv6 also has to be updated.

Read more →

Intermediate certificate for acme-tiny

As mentioned in the article regarding acme-tiny you need to create a script to renew your Let’s Encrypt certificate regularly. In this script you download the intermediate certificate of Let’s Encrypt which was used to generate the certificate for your domain. Only if you include the intermediate certificate in your web server configuration the browser can get the complete chain. If you do not offer the intermediate certificate your rating at SSL Labs drops to “B”.

Read more →

Alternative client for Let’s Encrypt

As mentioned in the first blog post you have to trust the installation process which installs a whole envrionment in ~/.local/ nicht ganz durchsichtig. As an alterntive I tried acme-tiny. The only requierements are Python and OpenSSL and the source code is under 200 lines. So if you know Python you are able do see what the clietn actually does more easily.

Another advantage is the possibility to use Subject Alternative Names which helps yout o get a certificate valid for more than just one domain (as long the domains point to the same server and webspace). So you can get a certificate valid e.g. for krausmueller.de and www.krausmueller.de. The README describes all steps necessary. So I am only adding some notes to the most important ones.

Read more →

Secure Nginx with SSL and Let’s Encrypt

Hint: If you do not want to install the client and all software needed by it on your web server you can also try getting a certificate with the help of this website which leeds you through the steps to manually request a certificate.

On December 3rd, 2015 Let’s Encrypt entered Public Beta. So now you can get a SSL certificate for free without waiting period. At home I use a Cubietruck (device similar to the Raspberry Pi) as ny own personal cloud. Here I want to show how I configured Nginx with a SSL certificate from Let’s Encrypt.

At first you have to install the Let’s Encrypt client installiert. The installer downloads and installs debian packages needed and sets up an environment for the client in ~/.local/share:

hostname:~# git clone https://github.com/letsencrypt/letsencrypt
hostname:~# cd letsencrypt
hostname:~/letsencrypt# ./letsencrypt-auto

Read more →