Apache mod_md revisited, now with dns-01 19 jul 2024
mod_md is still by far the simplest way to add LetsEncrypt signed certificates to your Apache httpd server. Just add one line of configuration and you're done!
Memory safe TLS with Apache on FreeBSD 06 jul 2024
A memory safe alternative to the OpenSSL based Apache module providing https capability.
Changing Remote Desktop service certificate 12 jan 2024 | Last updated: 05 apr 2024 00:00
By default, Windows Server will generate a self-signed certificate for the Remote Desktop Service. Using a different certificate is not trivial, but is doable as this post shows.
Using SSH on Windows 29 dec 2023 | Last updated: 29 dec 2023 00:00
Everything you need to connect to an SSH server is available in Windows!
Your private git server in a chroot 06 aug 2023 | Last updated: 06 aug 2023 00:00
Wanted to have a personal, self-hosted git service (ssh-only) that I can use without worrying about keys stored in the repo. Add some (not so fancy) separation using chroot so we can determine the repo paths.
Templated Apache httpd config 03 jun 2023
Part 1 of a series demonstrating building a templated Apache httpd configuration to host multiple websites: the basics. The template uses a Define/Include structure to achieve the goal.
Automating bootstrap of Alpine Linux in a bhyve VM 08 mar 2023
Objective is to create a disposable, minimal Alpine Linux install in FreeBSD bhyve that allows you to run docker containers. The storage for docker is on your FreeBSD host mounted using NFS. You should be able to rebuild the bhyve VM at any time and replace it with the latest version.
Recent issues with Goodwe's SEMSportal 18 feb 2023
Update on how I get the telemetry from my Goodwe Photovoltaic inverter to PVOutput
Immutable Alpine Linux in bhyve 11 feb 2023 | Last updated: 11 feb 2023 16:18
Many things don't have proper installation docs any longer and are only provided as Docker (or podman) images. I set out to run Docker on FreeBSD with a minimal Linux using bhyve.
Secure sudo without password 19 sep 2021 | Last updated: 29 dec 2023 00:00
Secure usage of sudo without passwords
Killing the "Internet of shiT" 23 mar 2019
The only IoT device in my LAN is the inverter (ca. 400V DC to 230V@50Hz AC) for my solar panels. I don't like devices that do not/can not update in my network. Now that the website I used to pull the measurement data from is changed (and thus broken) I decided to reverse what the device does and build my own service.
Improving my mail server setup 27 may 2018 | Last updated: 27 may 2018 00:00
After switching from SpamAssassin to rspamd for spam classification I wasn't completely happy yet with the separation I had achieved. More and more I find myself splitting off functions on my server into jails and I wanted to achieve more separation of unauthenticated content processing with storage of data.
The simplest LetsEncrypt for Apache 10 sep 2017
mod_md is by far the simplest way to add LetsEncrypt signed certificates to your Apache httpd server. Just add one line of configuration and you're done!
Adding DynDNS to Gandi.net 17 feb 2017
Gandi.net doesn't support DynDNS but does have a DNS API. Surely there must be a way to create a dyndns-like capability to my Gandi.net domain using the API?!? This also included an opportunity to learn a bit more about Python.
acme-client 30 dec 2016 | Last updated: 15 dec 2017 00:00
This should be the final and my definitive guide on using Let's Encrypt and acme-client on FreeBSD. I've written multiple posts about this but things have changed again. I believe that the LetsEncrypt service is now stable and the acme-client seems to be stable as well.
Using your jails easier 11 dec 2016 | Last updated: 11 dec 2016 00:00
Recently on Twitter I said I was using jx to run programs in my FreeBSD jails and there were requests to create a port for them. As I think these are so basic, I decided to just create a short blogpost and host the scripts myself. Whilst doing so I discovered that over the years my scripts grew stale even though they still worked!
Modernizing the OpenSSL port 02 oct 2016 | Last updated: 02 oct 2016 00:00
During the last EuroBSDCon in Belgrade I took maintainership of the OpenSSL port in FreeBSD. At the same time there were OpenSSL releases fixing vulnerabilities and emergency fixes for regressions introduced. The port had not been updated to recent ports framework and I wanted to get it in line with latest porting techniques.
LibreBSD project "done" 17 aug 2016
Today I realized that I had actually fixed all outstanding tasks I had for "LibreBSD". It is likely to be the default SSL library provider for HardenedBSD and TrueOS in the very near future.
LetsKencrypt 18 jun 2016 | Last updated: 08 aug 2016 00:00
This page describes a setup to renew LetsEncrypt certificates with the LetskEncrypt client which has LibreSSL/libtls as its only dependency, uses chroots and drops privileges.
PasswordSafe on FreeBSD 29 apr 2016
I've used PasswordSafe for many, many years to keep my passwords safe and make it easy to use unique passwords wherever I can. Last year I adapted the Linux version (0.96) to run on FreeBSD. As I was reinstalling my laptop to run the experimental PC-BSD I thought it was about time I checked my earlier work.
Fixing failing ports for Hardened/LibreBSD 17 apr 2016
HardenedBSD ran an exp-run with LibreSSL in base. This was expected to uncover a lot of issues where ports check the OPENSSL_VERSION_NUMBER to determine if a feature is available. To my surprise, it only uncovered 12 ports that failed due to these version checks.
Enabling Galera clustering for MariaDB 10.1 27 mar 2016
One of the features I've been asked for repeatedly to add to MariaDB is Galera Clustering support. As of MariaDB 10.1 there's no separate Galera version, clustering support must now be added with the software from Galera. I'm just a casual user of MariaDB so I'm not running any of these advanced features myself.
Goodwe logging to PVoutput 13 mar 2016
Wasted a whole weekend creating an additional script to download data from Goodwe's portal and uploading it to PVOutput. This I think is the only IoT device I currently own, a solar power inverter. I already had a "Live" script and this adds a "Historic" script.
LibreBSD 10.3-RC2 adds libtls and netcat 11 mar 2016
Today's update to LibreBSD is an update tested on FreeBSD 10.3-RC2 and adds libtls and the TLS capable netcat implementation from the LibreSSL distribution.
Replace OpenSSL with LibreSSL in FreeBSD 10.3 (guide) 08 mar 2016 | Last updated: 10 mar 2016 21:55
(How-to Guide) How to replace OpenSSL with LibreSSL in FreeBSD 10.3. Since replacing OpenSSL in HardenedBSD (FreeBSD 11 based) wasn't all too difficult I decided to see if I could port that back to FreeBSD 10.3-RC1. Lo, and behold! the result in this blog post. Don't worry, 'LibreBSD' is only a quip.
LibreSSL in HardenedBSD base Part II 06 mar 2016 | Last updated: 06 mar 2016 00:00
Part 2 of a multi/many part series on building FreeBSD base with LibreSSL as libcrypto/libssl provider, buildworld phase.
LibreSSL in HardenedBSD base Part I 05 mar 2016 | Last updated: 05 mar 2016 19:51
With last week's OpenSSL vulnerabilities questions came up when LibreSSL would replace OpenSSL in FreeBSD base. This was picked up by the HardenedBSD developers and they asked me if I'd be interested in adding LibreSSL as alternative libcrypto/ssl in HardenedBSD. Well SURE I do! This post describes the early stages of this project.
The sorry state of IT security and operations 04 mar 2016 | Last updated: 28 feb 2016 14:04
Something good happened for IT security, OpenSSL disabled SSLv2 by default in the latest release 1.0.2g. And then, projects started switching it back on... WHY!?!
Impact of new OpenSSL vulnerabilities on LibreSSL 01 mar 2016 | Last updated: 01 mar 2016 16:17
As announced about a week ago, today a new load of OpenSSL vulnerabilities is disclosed. Latest impact analysis: No need to scramble.
Porting OpenSSL 1.1.0 28 feb 2016 | Last updated: 28 feb 2016 14:04
Just for fun I decided to port OpenSSL 1.1.0 pre3 (alpha) for FreeBSD. The process starts out with copying the existing OpenSSL port but I found a lot of room for simplification. The picture is just a quip...
OpenSSL 1.1.0 improvements 27 feb 2016 | Last updated: 27 feb 2016 00:01
OpenSSL 1.1.0 adds configuration options and uses saner defaults
Upcoming OpenSSL vulnerabilities 27 feb 2016 | Last updated: 27 feb 2016 12:44
Coming Tuesday (1 March 2016) OpenSSL will release new versions that fix multiple vulnerabilities, at least one of them rated "High". Being curious to see if I need to scramble to patch things up, I dug into the information I could find on these vulnerabilities.
Going to Canada 26 feb 2016
I'll be speaking at BSDCan 2016 on the topic of OpenSSL and LibreSSL in FreeBSD. The talk will address SSL in base and in ports, support timelines, security issues, removed features and more.
Update MariaDB 10.0 port to 10.0.24 21 feb 2016
MariaDB released an update for 10.0 a couple of days ago. This should be made available to all users. Time to backport the improvements made for 10.1 to the 10.0 port as well!
Fixing the MariaDB 10.1 port 20 feb 2016
Last week I committed MariaDB 10.1 to ports, but it was obviously not tested well enough. Issues were detected when building on i386 and 9.3 and the OQGraph storage engine doesn't build. Time to fix all the errors!
Volunteering February 2016 20 feb 2016
Busy volunteering weekend ahead. Saturday Wifi info for HSLnet in Leende, Sunday Bits-of-Freedom PrivacyCafe in Helmond