Let’s Encrypt Wildcards and IIS

Introduction

Late last year, Let’s Encrypt, that wonderful semi-automated free SSL certificate service, announced that they would be adding support for wildcard certificates. A standard SSL certificate only covers the specific domains and sub-domains it was issued for, and needs to be modified or adjusted to allow more sub-domains. While it’s not a big deal to make these changes, a wildcard SSL certificate is a really simple way of covering yourself for all the different sub-domains you might have, and might want down the track.

Getting the wildcard certificate (or even a “normal” certificate) from Let’s Encrypt can seem daunting at first, but with the right information, it goes smoothly most of the time.

This post is going to cover how to get a hold of a wildcard SSL certificate from Let’s Encrypt, and then how to get that SSL certificate into your Windows box to use with IIS. I’m going to gloss over the parts where the pfx file is being copied from Linux to Windows, assuming that you know how to use ssh/scp/pscp to move files about.

Ready? Right. Onwards.

Requirements

You’ll need to have access to:

  • A Linux machine, where you are a sudoer (or root) (I did this with an Ubuntu 16.04 LTS box).
  • Your public DNS zone for the domain you’re trying to get the certificate for.
  • Your IIS box.

Assumptions

I’m going to assume you have SSH access to your Linux machine, and that you know how to use it. Also that you know how to add a TXT record to your public DNS zone.

You’ll need to move your freshly minted pfx file from the Linux machine to the Windows machine. I use PuTTY and pscp to move files to and from Linux boxes from Windows. I think you should too.

I’m also assuming you know how to change which SSL certificate a binding is using in IIS.

Let’s do this:

Most of this will be done on the Linux machine, so connect to it with PuTTY.

Download certbot-auto by running the command

wget https://dl.eff.org/certbot-auto

Then make it executable by running

chmod u+x certbot-auto

Certbot-auto is a glorious script that makes everything happen pretty much automatically. It will grab all the required dependencies, it’ll request the certificate for you, tell you what to put in your TXT record, then put the certificate in a sensible spot for you.

Let’s request that certificate for your favourite domain, *.example.com. Keep in mind that a wildcard only matches one level of sub-domain and does not cover the bare example.com itself, so add a second -d example.com if you want one certificate to serve both.

sudo ./certbot-auto certonly -d '*.example.com' --manual --preferred-challenges dns-01

The quotes stop the shell from trying to expand the * as a filename glob. Wildcard certificates are only issued over ACME v2, so if your certbot-auto is old enough to still default to the v1 endpoint, add --server https://acme-v02.api.letsencrypt.org/directory to the command.

As it’s your first time running certbot-auto, it will probably download and install a bunch of apt packages. Once it’s done, it will request the certificate, and assuming everything has gone well, prompt you to create the TXT record for your domain.

TXT Record

Now is the time to create the TXT record with the string provided by certbot for _acme-challenge.example.com. If you’re unsure how to do this, ask your hosting provider to help. Or a friendly friend.

Once you’ve set it up, it’s time to hit Enter to finish certbot’s job. Wait for that to happen, then it’s time to move on to exporting the keys into a format Windows can handle.
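Let’s Encrypt checks the TXT record at your zone’s authoritative servers, so a record that has not propagated yet (or was saved with a typo) makes the challenge fail and you have to start over. The following is an added example, not part of the original post: a small shell check you can run before pressing Enter in certbot’s prompt. The function names and the placeholder token are mine; it assumes dig or nslookup is installed. If you requested both *.example.com and example.com, certbot asks for two TXT records under the same name, and the exact-line match below copes with several records being published at once.

```shell
#!/bin/sh
# Added example: confirm the _acme-challenge TXT record is visible before
# telling certbot to continue with the dns-01 challenge.

# lookup_txt <name>: print the TXT strings published for <name>. Uses dig
# when available, otherwise nslookup. This is a real network query; the
# third argument of txt_ready lets you substitute another lookup function.
lookup_txt() {
  if command -v dig >/dev/null 2>&1; then
    dig +short TXT "$1"
  else
    nslookup -type=TXT "$1" 2>/dev/null | sed -n 's/.*text = //p'
  fi
}

# txt_ready <name> <token> [lookup-fn]: succeeds only if one of the TXT
# strings for <name> is exactly <token>. Quotes around the strings are
# stripped, and the comparison is a whole-line match, so a partial or
# truncated value is reported as "not ready".
txt_ready() {
  name="$1"; token="$2"; lookup="${3:-lookup_txt}"
  "$lookup" "$name" | tr -d '"' | grep -Fxq -- "$token"
}

# Usage, with the name and value certbot printed (TOKEN_FROM_CERTBOT is a
# placeholder): poll every 30 seconds until the record is visible.
#   until txt_ready _acme-challenge.example.com 'TOKEN_FROM_CERTBOT'; do sleep 30; done
```

Once txt_ready succeeds, go back to the certbot prompt and press Enter.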

Exporting

Your newly minted SSL certificate will be found in the following directory:

/etc/letsencrypt/live/example.com/

together with a README file, and three other files. That live folder is locked down, so you can only get to it as root. You can either switch to root, or you can sudo the following command from your home folder (I recommend the latter, but do the former).

So, from your home directory, run the following command:

sudo openssl pkcs12 -export -out example.com.pfx -inkey /etc/letsencrypt/live/example.com/privkey.pem -in /etc/letsencrypt/live/example.com/fullchain.pem

Enter a password when prompted, and you will have generated a PKCS #12 archive of the SSL certificate. This format is very easy to import into IIS in the next step.
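Two things regularly go wrong at this step: exporting cert.pem instead of fullchain.pem (IIS then serves the certificate without its intermediate), and, on newer OpenSSL 3 installs, producing a pfx that Windows Server 2008 R2 or 2012 refuses with a “password is incorrect” error because of the stronger default encoding. The script below is an added example, not from the original post or from certbot: it wraps the export above in a function, keeps the output file owner-readable only, and adds inspection helpers so you can confirm what you are about to copy to Windows. The directory layout is certbot’s; the function names and the optional “compat” switch are my own.

```shell
#!/bin/sh
# Added example: export the Let's Encrypt key + full chain to PKCS #12 and
# inspect the result before moving it to the IIS box.

# export_pfx <live-dir> <out.pfx> [password] [compat]
#   live-dir : certbot's /etc/letsencrypt/live/<domain> directory
#   password : pfx password; leave empty to have openssl prompt for it
#              (keeps the password out of the process list)
#   compat   : the literal word "compat" to use the SHA1/3DES encoding that
#              Windows Server 2008 R2 / 2012 can import (OpenSSL 3 defaults
#              to AES-256 + PBKDF2, which those versions cannot read)
export_pfx() {
  live="$1"; out="$2"; pass="$3"; compat="${4:-}"
  [ -r "$live/privkey.pem" ] && [ -r "$live/fullchain.pem" ] || {
    echo "export_pfx: cannot read privkey.pem/fullchain.pem in $live (run with sudo?)" >&2
    return 1
  }
  # fullchain.pem is leaf + intermediate; cert.pem alone would leave IIS
  # unable to send the intermediate to clients.
  set -- -export -inkey "$live/privkey.pem" -in "$live/fullchain.pem" -out "$out"
  [ -n "$pass" ] && set -- "$@" -passout "pass:$pass"
  [ "$compat" = compat ] && set -- "$@" -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1
  openssl pkcs12 "$@" || return 1
  # The file contains the private key: owner-only permissions.
  chmod 600 "$out"
}

# pfx_cert_count <pfx> <password>: number of certificates in the bundle.
# A Let's Encrypt export should show 2 or more (leaf + intermediates).
pfx_cert_count() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# pfx_leaf_subject <pfx> <password>: subject of the end-entity certificate,
# so you can see the wildcard name you expect.
pfx_leaf_subject() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -subject
}

# pfx_leaf_expiry <pfx> <password>: notAfter of the leaf, useful after a
# renewal to be sure you exported the new certificate and not the old one.
pfx_leaf_expiry() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -enddate
}
```

Usage on the Linux box, with the file in your home directory: source the script, then run export_pfx /etc/letsencrypt/live/example.com "$HOME/example.com.pfx" under sudo (pass "compat" as the fourth argument for Server 2008 R2), and check pfx_cert_count and pfx_leaf_expiry before copying the file over. Remember that Let’s Encrypt certificates are short-lived, so this export and the IIS import below have to be repeated after every renewal.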

Importing the key into IIS

The final two steps are to import the key into IIS, then change the binding to the newly imported certificate. I’m doing this in IIS7 on Server 2008R2, but shouldn’t be too different in newer versions.

Copy the file from your Linux box to the Windows server (most likely with PSCP), then start up the IIS manager.

Open the Server Certificates feature, then click on “Import…” under actions in the top right hand corner. Find the file, enter the password you picked, and you’re done. Change the bindings for the sites you would like to use this new SSL certificate, and you’re done.

Bonus – Installing Certificate into UniFi

sudo keytool -importkeystore -deststorepass aircontrolenterprise -destkeypass aircontrolenterprise -destkeystore /var/lib/unifi/keystore -srckeystore path-to-your-exported-pfx -srcstoretype PKCS12

Two things to watch: back up /var/lib/unifi/keystore before you touch it, and make sure the entry ends up under the alias unifi, which is the one the controller reads. A pfx exported by openssl without a -name shows up as alias 1, so either export with -name unifi in the first place or add -srcalias 1 -destalias unifi to the command above, then restart the UniFi service.

Pi Hole Update

A while ago I wrote a guide on how to configure a Pi Hole on an Orange Pi tiny computer.  See here: Filtering Ads and Stuff

This was a bit of a mistake. The Orange Pi wasn’t reliable, and failed on Friday, just about two months since it went in.

I’ve since rebuilt it on a Raspberry Pi and I imagine that it will be significantly more reliable if the other ones I have around the house are anything to go by.

Pictured is the Pi 3 in a Lego (inspired) case, currently running Pi Hole and Squeezelite.

Squeezelite is a distributed music playing system, which I will post about soon.

Riding + Technology

I love information. Or maybe it’s that I, more specifically, love data. For an information/data-phile like me, having a device in your pocket (and on your wrist) that can collect, collate, and visualise the information for you is pretty amazing. With that information I can track improvement, decline, progress, and stagnation.

I like it.

I have been using Strava for a long time to collect information about my running and cycling. You get a cool summary for the month, comparing you against the previous month. You can track your heart-rate, average and top speeds, amongst many other things. Recently I’ve linked Strava to a service called Relive, which gives you cool little videos of your logged activities.

Those things are all very cool.

Add, now, to this a video camera, and I can get a really good visual representation of the whole ride, too. And if something interesting happens along the way, I have that information.

Below is my first video, which is the descent from around Cleland along Long Ride and Winter Track to Waterfall Gully Road. I got rid of all the sound because the thrum of my knobbly tires is exhausting. You can add your own soundtrack by playing your favourite song while watching the video. ¯\_(ツ)_/¯

Organising my life with an app

It feels a bit hypocritical to post about an app so soon after I posted about managing a screen addiction. But not very. I guess the point of my other post wasn’t that I didn’t want to use my phone. I wanted the interaction with my phone to be meaningful, and valuable.

In the last few years I’ve found myself to be very easily distracted, and I forget what I need to get done. Not big picture stuff, so much, but with smaller things. I’ve tried paper lists. I really, really wanted to be able to do paper lists with neat handwriting and big flourishes when I got to cross things off as done. Unfortunately it’s become clear that it just doesn’t work for me in the long term. On my phone, I’d tried Trello, and Evernote. Both seemed like they would do the job, but neither of them did.

I needed to try something else.

The next thing I found was Todoist. So far it is really working. I’ve been using the premium version for a couple of months now, and it is really excellent. I’m going to avoid sounding too much like an ad here, but with Todoist, you can add items to your list using natural language for categories, priorities, due dates, and recurring items. For example: “Take Out Bins every tuesday at 1900 #chores p1” will set a repeating item called “Take Out Bins” every Tuesday at 7pm, categorised as “chores” with a high priority. The desktop app is good too, for setting up your recurring events and doing all the things that are tedious to take care of on your phone.

I’ve added my standard house chores to it, spread out a bit over the week as repeating items. Basic stuff – vacuuming, dusting, laundry, mopping, cleaning bathrooms. A lot of chores are in there. Then I have some one-offs in there that come and go.

“If it’s your job to eat a frog, it’s best to do it first thing in the morning. And if it’s your job to eat two frogs, it’s best to eat the biggest one first.” – Mark Twain (allegedly)

I still put things off. I still have things that are long overdue on my list. Those frogs don’t always get eaten first thing, but there are gentle reminders that I still need to do them. So, in the end, they do get done rather than fall off the todo list and finally be forgotten.

The developers at Todoist have also gamified your todo list. It’s not important to me. Or not very important, at least. But having a few graphs showing a rough approximation of my productivity over the last week is nice. The app would be just as good without it, but it’s a bit of a bonus feel-good.

So, in essence, since getting Todoist, I have a cleaner house and less frustration because of forgotten tasks, and I like it.

I also have points. Nearly 5,000.


How I’m dealing with screen addiction.

I resisted calling this title something like “Man, nearly 39, installed a Morse Code keyboard on his phone. You won’t believe what happened next…”. Only just.

Because I did install a Morse Code keyboard on my phone. But a bit more on that later.

I love technology. I love controlling technology might be an even better way to put it. There are so many cool things you can do with a few cheap bits of tech. What I don’t love is being controlled by technology, and that’s what I was finding was happening to me more and more.

Some people refer to it as FOMO – Fear Of Missing Out. I don’t know what I would call it, but the desire to check my phone for Twitter, Instagram, Facebook, messages, updates, emails (everything BUT a dreaded actual phone call) was there all the time. All the time. Can’t sleep? Phone. Waiting for someone? Phone. Toilet? Phone. (Ew, but we all do it). Eating alone? Phone. Watching TV? Phone.

I saw an ad for the Light Phone 2 recently. A phone that doesn’t do much. It has a monochrome e-ink display. It makes phone calls, sends text messages, gives you directions, handles contacts and a calendar and that’s about it. It’s a phone that’s designed to be used as infrequently as possible. It got me thinking about what I could do to reduce the amount I use my phone. My phone is a bit like food – I can’t cold turkey to deal with an addiction like you can with a lot of things. I need my phone for work and to be in touch with friends and family.

What’s the second best thing? Make my phone as unpleasant to use as possible.

In Android (and probably iPhones, too) you can, with a few screen-presses, change the screen to be grey scale. No more colourful eyecandy dopamine hits when I unlock my phone.

The second thing is to make it hard to idly punch in messages all the time. Along comes a new keyboard, called DotDash. And yes. It’s a Morse Code based keyboard, with 5 buttons. One for dots. One for dashes. A shift key. A space bar. And a frequently used backspace key. If you need a hint, you can swipe up from the bottom of the screen to get a Cheat Sheet. I still need it, but much less. It’s actually surprisingly fun to use, and is really easy to use without looking at the screen.

The last thing that I need is to somehow measure what sort of improvement (or change) I’m seeing in my behaviour. I could probably load another app that shows me how many hours of the day my phone is active, but that doesn’t take into consideration mindless scrolling time vs. thoughtful, unavoidable use. So I’ve decided to use battery life as a metric.

I usually need to charge my phone in the evening when I plonk down on the couch. Battery is usually at around 10-15%. Last night it was on 47%. Now, on day 2 of this experiment, at 1615, it’s at 66%.

The other thing, which is slightly related, that I’ve stopped doing, is to have headphones in wherever I go. I have used headphones as a way of dealing with two years of on-and-off very stressful situations, but it’s become a crutch. One that I’ve decided I need to be free of. Fewer vices is better.

There is one annoyance with having your phone set to greyscale, and that is that you don’t quite know what your photos look like. It feels like I get a greyscale thumbnail (or a contact print, even) of the photo, that I can later see in full glorious colour when I sit down with my computer.

And colour never looks so good!

I realise I’m only two days into this experiment, but it feels like it’s the right thing to do. I’ll try to remember to post an update soon.

Thank you to @fernandogros on the Twitters for the chats about this subject, and his blog post on the same subject.

Filtering Ads and Other Things with Pi-hole

UPDATE, 2018/04/15: It turns out the Orange Pi wasn’t reliable. I will re-write this for Raspberry Pi instructions shortly. It won’t be very different, but a couple of things change.

Downloads

Required

Optional (but helpful)

Background

Right. I was googling about ideas for how to do a system-wide ad-block, and realised that it could probably be used to filter other things from the net as well. As is nearly always the case with these things, someone has already done all of the hard work, and all we need to do is assemble the right pieces of the jigsaw. I’m basing this on an Orange Pi computer, but it should be easily adaptable if you want to use a Raspberry Pi instead.

To get how all of this works, you need to have a basic understanding how your network works at home. Fortunately it isn’t that complicated, and if you use some familiar concepts as analogies (phone numbers and phone books) it’s easy to grasp. I’m going to write this from a perspective of getting the filtering up and running on a simple home network that has a modem/router and a few devices connected to it, via Ethernet and Wifi.

Oh, and for now I will assume a Windows based environment for setting all of this up. The only thing that is different, though, is that on Mac or Linux you don’t need Win32DiskImager or Putty – there are commands available natively (dd and ssh) that do the same thing.

IP Addresses

Think of an IP address as your device’s phone number. Your device can either have its IP address assigned automatically (usually by your router) by something called DHCP, or you can assign an IP address manually. When you assign an IP address manually you have to specify at least four things for your internet to work. The address, the netmask (let’s not get into this right now!), the gateway address (the IP of your router), and the IP address of your DNS server (this is where the magic is going to happen a bit later!).

DHCP

I don’t think there’s any benefit in going in to detail about DHCP beyond the fact that it’s what hands out your IP addresses with all of the correct details automatically. The DHCP server keeps track of all the devices that have been given an IP address, when that happened, and the name of the device. It does all this based on MAC addresses. You don’t really need to know anything about MAC addresses other than that they’re supposed to be unique for every networking device that has ever been made and will be made. MAC addressing is a 48-bit space, so there are 281,474,976,710,656 possible MAC addresses. Should last a while.

DNS

Right. This is where the magic that ties together the whole Internet happens. Without DNS, we probably wouldn’t have the modern Internet. Think of DNS like a big, dynamic phone book. Every site on the Internet that you can get to has an IP address. But remembering IP addresses is difficult. It’s way easier to have a phone book where you can look up the IP address of karloskar.org and get the answer 103.9.170.230. And because of some smart people in 1984, DNS happens automatically and quietly in the background for you.

I probably need some sort of tangent warning. Maybe italics to signify things you can skip. There aren’t many IPv4 addresses left – there were only 4,294,967,296 in the first place, give or take. Thanks to DNS, we can have multiple websites sharing the same IP address. So while this website points to 103.9.170.230, so do many others. There are some smarts in the server that look at the domain name that’s been entered, and then shunt the user to the right web page on the server.

Hardware Required

To do this, you need a computer with an Ethernet port. I like Raspberry Pi computers, but they’re not as cheap as they seem (thanks to exchange rates and freight). Don’t get me wrong – they’re amazing at around $50 for the board, but we can go cheaper.

I installed Pi-hole on a small system called the Orange Pi Zero. Shipping is a bit of a killer on this one, too, but at US$17.79 with shipping and a case, we’re at around half the price of the Raspberry Pi (exchange rates are variable, so this might not always be true).

I’m not suggesting that the Orange Pi Zero is an equivalent machine to a Raspberry Pi 3. They are very different beasts, but in this situation, we don’t need the more expensive, more feature-filled Raspberry Pi.

You also need a decent quality micro USB power cable and transformer, and a micro SD card – these are around the $10-15 mark each, depending what you get. So we’re at around the $45-55 mark now. You also need a network cable, but these are easy to get very cheap – $3-4 for a short Cat6 cable. You probably have one around the place.

Right. You’re ready to go now. You’ve downloaded the Orange Pi image and used 7-zip to decompress it until you have a .img file somewhere sensible. You’ve installed Fing and Win32DiskImager. Downloaded Putty and put the program on your desktop (you don’t need to install Putty – it just runs). Let’s do it.

Pop your SD card into your computer and pay close attention to the drive letter it gets assigned.

Open Win32DiskImager and click the folder to the right of Image File. Make sure the Device is set to your SD card (in my PC it’s the F drive) and click on Write. While it’s writing to the card, it’s a good time to get a feel for your network. This is where Fing comes in.

Fing

We can use Fing to scan for all the devices currently connected to your network.

Open a command prompt. In Windows 10, right click the start icon in the bottom right, and click either Command Prompt or PowerShell in the menu that appears. In Windows 7, the easiest thing to do is to click the start menu and type cmd. Command Prompt will appear in the list. Click on it.

Assuming you installed Fing in the default location, type:

cd "\Program Files (x86)\Overlook Fing 3.0\bin\"

Then type fing and press enter.

After a short while you’ll be greeted with a summary list that looks like this.

Keep note of all of the Hosts in that list. Once you boot up your Orange Pi there’ll be a new one in the list, and you’ll need the IP address.

Press Ctrl-C to stop Fing from scanning repeatedly.

Keep in mind that my IP range will be different from yours. Yours might start with 192, 172, or 10. It doesn’t matter for this situation, but you need to keep track of it.

While you’ve got the command prompt open, run the command "ipconfig /all". You’ll get a list of all the network adapters in your computer, and their addresses. The information you’re looking for is the Subnet mask (probably 255.255.255.0, but maybe something else), and the gateway address. Usually it ends in a 1 or a 254.

It looks something like this. Make a note of the information.


Time to fire up the device

The SD card should now have the image written to it, and Win32DiskImager should have greeted you with a “Write Successful” notice.

Pop the SD card in the Orange Pi, connect the Orange Pi to your router via the network cable, and lastly connect the power to it. It can take up to a minute to boot, but usually it takes about 30 seconds.

Go back and run Fing again. If everything has gone according to plan, you should now have a new device in your Fing summary list. Make note of the IP address.

Start Putty and put the newly found IP address into the Host Name field and press enter. You should be greeted with a black screen that says login as:

Still assuming we’re using the Orange Pi, type orangepi for the username and press enter. The password is 1234. When it logs in, you’ll be asked to enter the old password again, then a new one. Then follow the steps to create your new username and a new password for that account too. It’s all reasonably straightforward, just read the instructions, and remember that you don’t need to fill in all the bits about phone numbers or room numbers.

Close the Putty window when you’ve created your new user.

Open a new Putty instance, and log in with your new username instead of the orangepi one.

Once you’ve logged in, you’re ready to install Pi-hole.


Installing Pi-hole

Installing Pi-hole is very simple. Once you’ve logged in as your newly created user, type

curl -sSL https://install.pi-hole.net | bash

And press Enter. (If you would rather see what you are about to run as your user with sudo rights, save the script to a file first, read through it, and then run it with bash.)

You’ll be asked for your password, and then it’s a few minutes of waiting for it to install. The installer is very well written, and will take you through all the required steps. The main one to look out for, however, is the IP configuration. You want to change from a dynamically assigned IP to a static one. I normally pick one next to my router’s IP. In my case that’s 192.168.254.254, so the closest available IP is 192.168.254.253. My Subnet is 255.255.255.0, and my gateway is 192.168.254.254.

The DNS server to use doesn’t really matter when it asks. Using Google’s DNS servers is probably sensible. Select it from the list.

When you’ve finished the installation Wizard, you will be given a password. Write this password down. It’s important.

Because you’ve changed IP address, you need to reboot. You can do that from the command prompt by typing

sudo reboot

While it’s rebooting, log in to your router. This is where you’re on your own a bit. You need to change the DHCP server settings in your router to distribute the IP of your Orange Pi as the DNS server.

In the Command Prompt on your PC, type:

ipconfig /renew

And you should get a new IP address (or probably the same one) but with updated DNS server details.

You should now be able to go to http://pi.hole

If that takes you to a web-page, everything is configured correctly, and you should not be getting any ads when you browse. It should also block ads in apps, YouTube, and everywhere else.

We just need to add a porn blocking list, too.


Adding a list

In the web interface, log in using the password that was generated for you.

Go to Settings, then Block Lists.

Add this one and save and update.

https://raw.githubusercontent.com/chadmayfield/my-pihole-blocklists/master/lists/pi_blocklist_porn_all.list

You’re now good to go. Check if the blocking works by visiting your favourite adult site.
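A blocklist you pull from someone else’s repository is content you are feeding straight into the resolver every device in the house uses, so it is worth looking at what is in it before you add it, and worth being able to predict what Pi-hole will do with a given name. The script below is an added example, not part of the original post and not Pi-hole’s own code: it cleans a list in the one-domain-per-line format the linked list uses (hosts-file style “0.0.0.0 domain” lines are accepted too), and answers “would this name be blocked?” with the exact-match rule that plain domain lists follow, so a listed ads.example.net does not by itself block sub.ads.example.net. The sample list in the usage and test is constructed; the function names are mine.

```shell
#!/bin/sh
# Added example: sanity-check a domain blocklist and test names against it.

# clean_list <file>: print the usable entries of a blocklist, one per line,
# lower-cased and de-duplicated. Drops comments, blank lines, a leading
# 0.0.0.0 / 127.0.0.1 / :: sinkhole address (hosts-file style), and any
# line that is not shaped like a hostname with at least one dot, so junk
# such as "localhost" or "not a domain!" never reaches the resolver.
clean_list() {
  sed -E -e 's/#.*//' \
         -e 's/^[[:space:]]*(0\.0\.0\.0|127\.0\.0\.1|::1?)[[:space:]]+//' \
         -e 's/^[[:space:]]+//' -e 's/[[:space:]]+$//' "$1" \
    | tr 'A-Z' 'a-z' \
    | grep -E '^([a-z0-9_-]+\.)+[a-z0-9-]+$' \
    | sort -u
}

# list_stats <file>: "kept dropped" line counts, so a list that suddenly
# loses or gains thousands of entries between updates stands out.
list_stats() {
  total=$(grep -c -v '^[[:space:]]*\(#\|$\)' "$1")
  kept=$(clean_list "$1" | wc -l | tr -d ' ')
  echo "$kept $((total - kept))"
}

# is_blocked <domain> <cleaned-list>: exact, case-insensitive match against
# the cleaned list. Plain domain lists in Pi-hole match this way; blocking a
# whole sub-tree needs Pi-hole's regex/wildcard blacklist instead.
is_blocked() {
  printf '%s\n' "$1" | tr 'A-Z' 'a-z' | grep -Fxq -f "$2"
}

# Usage (constructed sample list):
#   curl -sSL -o raw.list https://raw.githubusercontent.com/chadmayfield/my-pihole-blocklists/master/lists/pi_blocklist_porn_all.list
#   clean_list raw.list > clean.list
#   list_stats raw.list
#   is_blocked www.example.com clean.list && echo blocked || echo allowed
```

If a list turns out to drop a surprising number of lines, open it and look at what was rejected before trusting it; and once it is in Pi-hole, the Query Log in the web interface shows the same allowed/blocked decision for real traffic.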

I’m happy to field questions from friends about this tutorial – I can come over and help you out, or we can do a Teamviewer session to figure out what’s going on.

It was written up a day after I finished the install. One day I will tidy it up and firm up some of the details. If you feel like emailing me information about your router model and how to change the DHCP settings in your model, I will include it in the tutorial.

I’d also like feedback on how you went if you used it.