mod_md is still by far the simplest way to add LetsEncrypt signed certificates to your Apache httpd server. Just add one line of configuration and you're done!

A memory safe alternative to the OpenSSL based Apache module providing https capability.

By default, Windows Server will generate a self-signed certificate for the Remote Desktop Service. Using a different certificate is not trivial, but is doable as this post shows.

Everything you need to connect to an SSH server is available in Windows!

Wanted to have a personal, self-hosted git service (ssh-only) that I can use without worrying about keys stored in the repo. Add some (not so fancy) separation using chroot so we can determine the repo paths.

Part 1 of a series demonstrating building a templated Apache httpd configuration to host multiple websites: the basics. The template uses a Define/Include structure to achieve the goal.

Objective is to create a disposable, minimal Alpine Linux install in FreeBSD bhyve that allows you to run docker containers. The storage for docker is on your FreeBSD host mounted using NFS. You should be able to rebuild the bhyve VM at any time and replace it with the latest version.

Update on how I get the telemetry from my Goodwe Photovolaic inverter to PVOutput

Many things don't have proper installation docs any longer and are only provided as Docker (or podman) images. I set out to run Docker on FreeBSD with a minimal Linux using bhyve.

Secure usage of sudo without passwords

The only IoT device in my LAN is the inverter (ca. 400V DC to 230V@50Hz AC) for my solar panels. I don't like devices that do not/can not update in my network. Now that the website I used to pull the measurement data from is changed (and thus broken) I decided to reverse what the device does and build my own service.

After switching from SpamAssassin to rspamd for spam classification I wasn't completely happy yet with the separation I had achieved. More and more I find myself splitting off functions on my server into jails and I wanted to achieve more separation of unauthenticated content processing with storage of data.

mod_md is by far the simplest way to add LetsEncrypt signed certificates to your Apache httpd server. Just add one line of configuration and you're done!

Gandi.net doesn't support DynDNS but does have a DNS API. Surely there must be a way to create a dyndns-like capability to my Gandi.net domain using the API?!? This also inluded an opportunity to learn a bit more about Python.

This should be the final and my definitive guide on using Let's Encrypt and acme-client on FreeBSD. I've written multiple posts about this but things have changed again. I believe that the LetsEncrypt service is now stable and the acme-client seems to be stable as well.

Recently on Twitter I said I was using jx to run programs in my FreeBSD jails and there were requests to create a port for them. As I think these are so basic, I decided to just create a short blogpost and host the scripts myself. Whilst doing so I discovered that over the years my scripts grew stale even though they still worked!

During the last EuroBSDCon in Belgrade I took maintainership of the OpenSSL port in FreeBSD. At the same time there were OpenSSL releases fixing vulnerabilities and emergency fixes for regressions introduced. The port had not been updated to recent ports framework and I wanted to get it in line with latest porting techniques.

Today I realized that I had actually fixed all outstanding tasks I had for "LibreBSD". It is likely be the default SSL library provider for HardenedBSD and TrueOS in the very near future.

This page describes a setup to renew LetsEncrypt certificates with the LetskEncrypt client which has LibreSSL/libtls as its only dependency, uses chroots and drops privileges.

I've used PasswordSafe for many, many years to keep my passwords safe and make it easy to use unique passwords whereever I can. Last year I adapted the Linux version (0.96) to run on FreeBSD. As I was reinstalling my laptop to run the experimental PC-BSD I thought it was about time I checked my earlier work.

HardenedBSD ran an exp-run with LibreSSL in base. This was expected to uncover a lot of issues where ports check the OPENSSL_VERSION_NUMBER to determine if a feature is available. To my surprise, it only uncovered 12 ports that failed due to these version checks.

One of the features I've been asked for repeatedly to add to MariaDB is Galera Clustering support. As of MariaDB 10.1 there's no separate Galera version, clustering support must now be added with the software from Galera. I'm just a casual user of MariaDB so I'm not running any of these advanced features myself.

Wasted a whole weekend creating an additional script to download data from Goodwe's portal and uploading it to PVOutput. This I think is the only IoT device I currently own, a solar power inverter. I already had a "Live" script and this adds a "Historic" script.

Today's update to LibreBSD is an update tested on FreeBSD 10.3-RC2 and adds libtls and the TLS capable netcat implementation from the LibreSSL distribution.

(How-to Guide) How to replace OpenSSL with LibreSSL in FreeBSD 10.3. Since replacing OpenSSL in HardenedBSD (FreeBSD 11 based) wasn't all too difficult I decided to see if I could port that back to FreeBSD 10.3-RC1. Lo, and behold! the result in this blog post. Don't worry, 'LibreBSD' is only a quip.

Part 2 of a multi/many part series on building FreeBSD base with LibreSSL as libcrypto/libssl provider, buildworld phase.

With last week's OpenSSL vulnerabilities questions came up when LibreSSL would replace OpenSSL in FreeBSD base. This was picked up by the HardenedBSD developers and they asked me if I'd be interested in adding LibreSSL as alternative libcrypto/ssl in HardenedBSD. Well SURE I do! This post describes the early stages of this project.

Something good happened for IT security, OpenSSL disabled SSLv2 by default in the latest release 1.0.2g. And then, projects started switching it back on... WHY!?!

As announdes about a week ago, today a new load of OpenSSL vulnerabilities is disclosed. Latest impact analysis: No need to scramble.

Just for fun I decided to port OpenSSL 1.1.0 pre3 (alpha) for FreeBSD. The process starts out with copying the existing OpenSSL port but I found a lot of room for simplification. The picture is just a quip...

OpenSSL 1.1.0 adds configuration options and uses saner defaults

Coming Tuesday (1 March 2016) OpenSSL will release new versions that fix multiple vulnerabilities, at least one of them rated "High". Being curious to see if I need to scramble to patch things up, I dug into the information I could find on these vulnerabilities.

I'll be speaking at BSDCan 2016 on the topic of OpenSSL and LibreSSL in FreeBSD. The talk will address SSL in base and in ports, support timelines, security issues, remoaved features and more.

MariaDB released an update for 10.0 a couple of days ago. This should be made available to all users. Time to backport the improvements made for 10.1 to the 10.0 port as well!

Last week I committed MariaDB 10.1 to ports, but it was obviously not tested well enough. Issues were detected when building on i386 and 9.3 and the OQGraph storage engine doesn't build. Time to fix all the errors!

Busy volunteering weekend ahead. Saturday Wifi info for HSLnet in Leende, Sunday Bits-of-Freedom PrivacyCafe in Helmond