paulgorman.org

< ^ txt

Thu Oct 13 06:35:25 EDT 2016

Slept from ten-something to five-something. Probably could have used another hour.

Decreasing clouds through the day. High of fifty-five.

Goals:

Work:

- Reply to Lynn about hosting costs

Done.

- Set up backup for door access vm

Not much. Got tangled up on some HR nuttiness.

Looks like modern security microphones use the same power as modern security cameras (12V DC... although some are 24V AC, and some equipment supports both). A Y-cable can be used to split power for the mic from the camera's power. Security microphones are very inexpensive, like $10. Most of the cheap mics I see are 12VDC.

Fifteen minute walk at lunch. Nice out.

Looked at SMS for SIP phones a little.

Home:

- Check out acme-client on OpenBSD

It looks like the letsencrypt port has vanished in OpenBSD 6.0. I understand that `acme-client` is being pulled into core, but it's not there yet!

https://kristaps.bsd.lv/acme-client/
http://man.openbsd.org/acme-client.1

OK. With the old `letsencrypt` client:

--- 2024 ---

    clyde ~ $ cat bin/renew_ssl.sh
    #!/bin/sh
    # The certs are saved under `/etc/letsencrypt/live/paulgorman.org/`.
    letsencrypt certonly --webroot \
        -w /var/www/devilghost.com/ -d devilghost.com -d www.devilghost.com \
        -w /var/www/paulgorman.org/ -d paulgorman.org -d www.paulgorman.org
    # Pound needs the private key and the full chain in a single PEM file:
    cat /etc/letsencrypt/live/paulgorman.org/privkey.pem \
        /etc/letsencrypt/live/paulgorman.org/fullchain.pem > \
        /etc/letsencrypt/live/paulgorman.org/privkey_fullchain.pem
    rcctl restart pound

(It's a little scary that pound seems to need the private key in the pem file.)

Wait, what am I doing here? I remember choosing pound for its SNI support, but it looks like I'm just doing alt names/SAN in a single certificate. Why am I using pound?
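The `cat privkey.pem fullchain.pem > privkey_fullchain.pem` step in the script above is where a private key most easily ends up with the wrong permissions, since the output file gets whatever the shell's umask gives it. The following is an added example, not code from the journal: a POSIX sh helper that builds the combined PEM pound wants with mode 0600, refuses a key that is already group/world readable, writes through a temp file and rename so pound never reads a half-written PEM, and reports whether the output changed so the `rcctl restart pound` can be skipped. The `demo` function uses constructed placeholder PEM text in a temporary directory, not real key material; the function names and the return-code convention (0 written, 2 unchanged, 1 error) are my own choices.

```shell
#!/bin/sh
# Added example (not from the journal): build the single key+chain PEM that
# pound wants, without ever leaving the private key readable by others.

# build_combined_pem KEY CHAIN OUT
#   Writes KEY followed by CHAIN to OUT, mode 0600, via a temp file and a
#   rename so a partially written OUT is never visible to pound.
#   Returns 0 if OUT was (re)written, 2 if OUT already matched (nothing
#   to reload), 1 on error.  Return codes are this example's convention.
build_combined_pem() {
    key=$1
    chain=$2
    out=$3
    if [ ! -r "$key" ] || [ ! -r "$chain" ]; then
        echo "build_combined_pem: cannot read $key or $chain" >&2
        return 1
    fi
    # The key must not be group/world readable to begin with; columns 5-10
    # of `ls -l` are the group and other permission bits.
    case $(ls -ld "$key" | cut -c5-10) in
        ------) ;;
        *)
            echo "build_combined_pem: $key is readable by group/other" >&2
            return 1
            ;;
    esac
    # Key first, then the chain, matching the journal's cat order. umask 077
    # in the subshell means the temp file is created 0600 from the start.
    tmp="$out.tmp.$$"
    if ! ( umask 077 && cat "$key" "$chain" > "$tmp" ); then
        rm -f "$tmp"
        return 1
    fi
    if [ -f "$out" ] && cmp -s "$tmp" "$out"; then
        rm -f "$tmp"
        return 2
    fi
    chmod 600 "$tmp" && mv -f "$tmp" "$out"
}

# file_mode FILE: the ten-character permission string, e.g. -rw-------
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# demo: exercise build_combined_pem on constructed placeholder PEM text in
# a temporary directory (no real key material). Returns 0 if every check
# passed.
demo() {
    d=$(mktemp -d) || return 1
    # Constructed stand-ins for privkey.pem and fullchain.pem.
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'constructed' \
        '-----END PRIVATE KEY-----' > "$d/privkey.pem"
    chmod 600 "$d/privkey.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed' \
        '-----END CERTIFICATE-----' > "$d/fullchain.pem"

    build_combined_pem "$d/privkey.pem" "$d/fullchain.pem" "$d/privkey_fullchain.pem"
    rc=$?
    echo "first build: rc=$rc mode=$(file_mode "$d/privkey_fullchain.pem")"
    [ "$rc" -eq 0 ] || return 1
    [ "$(file_mode "$d/privkey_fullchain.pem")" = "-rw-------" ] || return 1

    build_combined_pem "$d/privkey.pem" "$d/fullchain.pem" "$d/privkey_fullchain.pem"
    rc=$?
    echo "second build: rc=$rc (2 means unchanged, skip the pound restart)"
    [ "$rc" -eq 2 ] || return 1

    # A key that is readable by others must be refused.
    chmod 644 "$d/privkey.pem"
    build_combined_pem "$d/privkey.pem" "$d/fullchain.pem" "$d/other.pem" 2>/dev/null
    rc=$?
    echo "world-readable key: rc=$rc (1 means refused)"
    [ "$rc" -eq 1 ] || return 1

    rm -rf "$d"
    return 0
}
```

Source the file and run `demo` to see it against the constructed files. In a real renew script, call `build_combined_pem` with the `/etc/letsencrypt/live/...` paths and only run `rcctl restart pound` when it returns 0; a 2 means the certificate did not change and pound can keep serving.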
I also need to set /var/www/letsencrypt as the location .well-known/acme-challenge within both servers in httpd.conf:

    location "/.well-known/acme-challenge/*" {
        root { "/letsencrypt" strip 2 }
    }

With the new `acme-client`, something like:

    #!/bin/sh
    # Renew Let's Encrypt SSL certificate
    # /etc/ssl/letsencrypt/fullchain.pem
    # /etc/ssl/letsencrypt/private/privkey.pem
    mkdir -p /etc/letsencrypt
    mkdir -p /etc/ssl/letsencrypt/private
    mkdir -p /var/www/letsencrypt
    acme-client -nNv paulgorman.org www.paulgorman.org devilghost.com www.devilghost.com

Let's see if we can get rid of pound, and just have httpd do the ssl termination. Added to the "server" sections in `/etc/httpd.conf`:

    listen on $ext_addr tls port 443
    tls {
        certificate "/etc/ssl/letsencrypt/fullchain.pem"
        key "/etc/ssl/letsencrypt/private/privkey.pem"
    }

Note that the SSL key should be _outside_ httpd's chroot.

Yes, that works well. Cool. This was annoying to fix, but the end result is simpler and more elegant.

- Grocery

Done.

- Go to bed early?

Eh. Before eleven, anyhow.

Lovely. Now my toilet won't stop running. I emailed Huntley.

Breakfast: carrots, spinach, coffee with half-and-half
Lunch: chicken burrito, caffe latte
Dinner: coffee cake
