Letsencrypt Wildcard certificate on Debian 9

Point a wildcard DNS record (*.cluebat.eu) at your server, then install apache2 and virtualenv (certbot-auto builds its own Python environment with virtualenv when it is run with --no-bootstrap):

root@cluebat:~# apt-get install virtualenv apache2

and download certbot-auto. EFF publishes a detached signature, certbot-auto.asc, next to it; verify it before running a downloaded script as root. (certbot-auto has since been deprecated in favour of the distribution package or the snap, but the rest of this flow is unchanged.)

root@cluebat:~# wget https://dl.eff.org/certbot-auto
--2018-10-05 23:07:52--  https://dl.eff.org/certbot-auto
Resolving dl.eff.org (dl.eff.org)... 151.101.16.201, 2a04:4e42:4::201
Connecting to dl.eff.org (dl.eff.org)|151.101.16.201|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 62299 (61K) [application/octet-stream]
Saving to: ‘certbot-auto’

certbot-auto                    100%[======================================================>]  60.84K  --.-KB/s    in 0.002s  

2018-10-05 23:07:52 (34.5 MB/s) - ‘certbot-auto’ saved [62299/62299]

root@cluebat:~# chmod 755 certbot-auto 
root@cluebat:~#

Run certbot. With --manual and dns-01 it prints a TXT record for you to create at your DNS provider; the ACME v2 endpoint given with --server is what makes wildcards possible. Check that the record is actually being served (for example with dig against the authoritative name servers) before pressing Enter, since failed validations count against Let's Encrypt's rate limits:

root@cluebat:~# ./certbot-auto certonly --manual -d *.cluebat.eu --agree-tos --no-bootstrap --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for cluebat.eu

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.cluebat.eu with the following value:

etwS4yidYTkFhl441f7wul5GZEv8kdmNfQCSDqiXrU0

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/cluebat.eu/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/cluebat.eu/privkey.pem
   Your cert will expire on 2019-01-03. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Now enable mod_ssl in Apache:

root@cluebat:~# a2enmod ssl 
Considering dependency setenvif for ssl:
Enabling module ssl.
See /usr/share/doc/apache2/README.Debian.gz on how to configure SSL and create self-signed certificates.
To activate the new configuration, you need to run:
  systemctl restart apache2
root@cluebat:~# 

and set up the virtual host in /etc/apache2/sites-available/wildcard.conf:

<VirtualHost *:443>
        SSLEngine on
        # SSLv2/SSLv3 are off, but TLS 1.0 and 1.1 are still accepted here
        SSLProtocol All -SSLv2 -SSLv3
        SSLHonorCipherOrder On
        # Everything after !ECDSA (CAMELLIA256-SHA, AES256-SHA, ...) is plain RSA
        # key exchange without forward secrecy, kept only as a last resort for old clients
        SSLCipherSuite 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'

        # certbot's live/ paths are symlinks that follow the newest issued files
        SSLCertificateFile /etc/letsencrypt/live/cluebat.eu/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/cluebat.eu/privkey.pem

        ServerAdmin webmaster@localhost
        ServerName wildcard.cluebat.eu
        # Apache's * also matches a.b.cluebat.eu; the certificate wildcard covers one label only
        ServerAlias *.cluebat.eu

        DocumentRoot /var/www/html
</VirtualHost>

Enable the new site, restart Apache and browse to https://wildcard.cluebat.eu:

root@cluebat:~# a2ensite wildcard.conf 
Enabling site wildcard.
To activate the new configuration, you need to run:
  systemctl reload apache2
root@cluebat:~# systemctl restart apache2

The bare name cluebat.eu is not covered: a wildcard matches exactly one label, so *.cluebat.eu covers www.cluebat.eu but neither cluebat.eu nor a.b.cluebat.eu. The apex has to be requested as a separate name, and certbot then offers to expand the existing certificate. Both names are validated under the same record name, _acme-challenge.cluebat.eu, each with its own value, and both TXT records must exist at the same time, so add the second record next to the first instead of replacing it:

root@cluebat:~# ./certbot-auto certonly --manual -d *.cluebat.eu -d cluebat.eu  --agree-tos --no-bootstrap --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/cluebat.eu.conf)

It contains these names: *.cluebat.eu

You requested these names for the new certificate: *.cluebat.eu, cluebat.eu.

Do you want to expand and replace this existing certificate with the new
certificate?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(E)xpand/(C)ancel: e
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for cluebat.eu
dns-01 challenge for cluebat.eu

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.cluebat.eu with the following value:

etwS4yidYTkFhl441f7wul5GZEv8kdmNfQCSDqiXrU0

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.cluebat.eu with the following value:

xD428EnO8OIXpH3LdBGs6ObwoR8hOeN6obnyEvBZids

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/cluebat.eu/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/cluebat.eu/privkey.pem
   Your cert will expire on 2019-01-03. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
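
As an added example, not part of the original post: a small POSIX sh script to run in a second terminal before answering certbot's "verify the record is deployed" prompt. It asks every authoritative name server of the zone directly (not the local resolver cache) and only reports success once all expected tokens are served, which is exactly the situation the expand run above needs, two values under the same name. It assumes dig from the dnsutils package; the script name and the tokens in the usage line are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Polls the zone's authoritative
# name servers until every expected _acme-challenge TXT value is visible.
# Assumes `dig` (package dnsutils on Debian) is installed.
# Usage: ./wait-acme-txt.sh cluebat.eu TOKEN [TOKEN ...]

# Exit 0 if $2 (raw `dig +short TXT` output, one "quoted" string per line)
# contains token $1. Fixed-string, whole-line match, so no regex surprises.
txt_has_value() {
    printf '%s\n' "$2" | grep -qxF "\"$1\""
}

# Exit 0 if every token in $1 (space-separated) is present in the answers $2.
# A wildcard and its base name are validated under the SAME record name
# (_acme-challenge.cluebat.eu), each with its own token, so both records must
# exist at once: the second is added next to the first, not in its place.
all_tokens_present() {
    for tok in $1; do
        txt_has_value "$tok" "$2" || return 1
    done
    return 0
}

# Poll each authoritative NS of $1 for _acme-challenge.$1 until every token in
# $2 is served by all of them, giving up after $3 seconds (default 120).
wait_for_acme_txt() {
    domain=$1; tokens=$2; timeout=${3:-120}; waited=0
    name="_acme-challenge.$domain"
    nslist=$(dig +short NS "$domain")
    [ -n "$nslist" ] || { echo "no NS records found for $domain" >&2; return 1; }
    while [ "$waited" -lt "$timeout" ]; do
        ok=1
        for ns in $nslist; do
            answers=$(dig +short @"$ns" TXT "$name")
            all_tokens_present "$tokens" "$answers" || {
                ok=0; echo "$ns: not all tokens visible yet" >&2; break
            }
        done
        [ "$ok" -eq 1 ] && { echo "$name: all tokens visible on every NS"; return 0; }
        sleep 5; waited=$((waited + 5))
    done
    echo "timed out after ${timeout}s waiting for $name" >&2
    return 1
}

if [ "$#" -ge 2 ]; then
    domain=$1; shift
    wait_for_acme_txt "$domain" "$*"
fi
```

Only the authoritative servers matter to Let's Encrypt; a record that your own resolver already shows can still be missing on one secondary, which is the usual cause of a validation that fails right after "Press Enter".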

Adding another domain and its wildcard to the same certificate goes just as easily; every name gets its own challenge, so this time there are four TXT records to create:

root@cluebat:~# ./certbot-auto certonly --manual -d *.cluebat.eu -d cluebat.eu -d housebot.dk -d *.housebot.dk --agree-tos --no-bootstrap --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/cluebat.eu.conf)

It contains these names: *.cluebat.eu, cluebat.eu

You requested these names for the new certificate: *.cluebat.eu, cluebat.eu,
housebot.dk, *.housebot.dk.

Do you want to expand and replace this existing certificate with the new
certificate?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(E)xpand/(C)ancel: e
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for cluebat.eu
dns-01 challenge for cluebat.eu
dns-01 challenge for housebot.dk
dns-01 challenge for housebot.dk

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.cluebat.eu with the following value:

etwS4yidYTkFhl441f7wul5GZEv8kdmNfQCSDqiXrU0

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.cluebat.eu with the following value:

xD428EnO8OIXpH3LdBGs6ObwoR8hOeN6obnyEvBZids

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.housebot.dk with the following value:

5_IQHWzUVroRwk_AH8Qe2ztg3rMYuWHIiHX9TvH3t1Y

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.housebot.dk with the following value:

5CSRERvy-uXp9gO33gaCzJdM4UBb84sspJDJ1UO9AII

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/cluebat.eu/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/cluebat.eu/privkey.pem
   Your cert will expire on 2019-01-03. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Restart Apache and test. Two renewal caveats: the manual plugin cannot renew on its own, so "certbot-auto renew" will fail for this certificate unless a --manual-auth-hook script that creates the TXT records is supplied (otherwise repeat the interactive run before the expiry date printed above); and Apache only picks up renewed files on a reload, so reload or restart it after every renewal:

root@cluebat:~# systemctl restart apache2
root@cluebat:~# 
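
An added check, not part of the original post, that is worth running before the restart: it parses the SAN list out of fullchain.pem, confirms that every hostname the vhost will serve is covered under the rule browsers apply (a wildcard covers exactly one label, which is why the apex had to be added above), and confirms that privkey.pem belongs to that certificate. It assumes openssl is installed; the live directory and hostnames are the ones from this post, the script name is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post. Verifies that the certificate
# certbot wrote covers the names Apache will serve and matches the private key.
# Usage: ./check-cert.sh /etc/letsencrypt/live/cluebat.eu cluebat.eu www.cluebat.eu housebot.dk

# Print one DNS SAN per line from `openssl x509 -text` output read on stdin.
# The SAN line follows the "Subject Alternative Name" header, comma-separated.
san_names() {
    grep -A1 'Subject Alternative Name' | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# Exit 0 if host $1 is covered by SAN entry $2 under the browser rule:
# exact match, or a "*.suffix" wildcard matching exactly one leading label.
san_matches() {
    host=$1; san=$2
    [ "$host" = "$san" ] && return 0
    case "$san" in
        \*.*)
            suffix=${san#\*.}
            rest=${host%".$suffix"}
            [ "$rest" != "$host" ] || return 1      # host does not end in ".suffix"
            case "$rest" in *.*) return 1 ;; esac   # more than one label left over
            return 0 ;;
    esac
    return 1
}

# Exit 0 if every hostname in $2.. is covered by some SAN in $1 (newline-separated).
cert_covers() {
    sans=$1; shift
    for host in "$@"; do
        found=0
        while IFS= read -r san; do
            if san_matches "$host" "$san"; then found=1; break; fi
        done <<EOF
$sans
EOF
        [ "$found" -eq 1 ] || { echo "no SAN in the certificate covers $host" >&2; return 1; }
    done
    return 0
}

# Exit 0 if the public key in certificate $1 equals the one derived from private key $2.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# $1 = certbot live directory, $2.. = hostnames the vhost serves.
# `openssl x509` reads only the first certificate in fullchain.pem, i.e. the leaf.
check_live_dir() {
    dir=$1; shift
    sans=$(openssl x509 -in "$dir/fullchain.pem" -noout -text | san_names)
    cert_covers "$sans" "$@" || return 1
    key_matches_cert "$dir/fullchain.pem" "$dir/privkey.pem" \
        || { echo "privkey.pem does not match fullchain.pem" >&2; return 1; }
    echo "ok: $dir covers $*"
}

if [ "$#" -ge 2 ]; then check_live_dir "$@"; fi
```

Matching is case-sensitive here, which is fine for names as certbot writes them; a mismatch on the key check is what you get after a half-finished "expand" where the certificate was reissued but the vhost still points at an old copy of the key.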

 

Published in Apache, Encryption, Letsencrypt

Manually deleting movies and pictures from OnePlus 5

When you delete the contents of the DCIM folder on the phone the space, for some reason, does not get released. This is because the phone moves the files to /Android/data/com.oneplus.gallery/files/recyclebin instead of just deleting them .. *sigh*

Published in Android

Adding SSH Keys to CloneZilla disk-image

Create a working directory in root's home directory:

root@Voyager:~# mkdir my-clonezilla
root@Voyager:~# cd my-clonezilla/
root@Voyager:~/my-clonezilla# 

Generate an SSH key pair (the passphrase is left empty so the live system can use the key unattended; that makes the USB stick itself the secret, so give this key no more access than the image server needs):

root@Voyager:~/my-clonezilla# ssh-keygen -t rsa -f ./id_rsa
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in ./id_rsa.
Your public key has been saved in ./id_rsa.pub.
The key fingerprint is:
SHA256:YcOXhcGKgm8MPQWPqdY7FzgLvn1/B+CaFn9Az+WOTgU root@Voyager
The key's randomart image is:
+---[RSA 2048]----+
|    ..   ..o.    |
|     +..  oo     |
|   oo...=.E      |
|  oo+...++ ..    |
|  +++o.oS+ o.    |
| o .++..o +..    |
|  ..+ .= ..+     |
|   o o= ..+ o    |
|  . .o ..+..     |
+----[SHA256]-----+
root@Voyager:~/my-clonezilla#

Mount the USB stick, copy the image and unsquash it:

root@Voyager:~/my-clonezilla# mount /dev/sdc1 /mnt/usb/
root@Voyager:~/my-clonezilla# cp /mnt/usb/live/filesystem.squashfs .
root@Voyager:~/my-clonezilla# unsquashfs filesystem.squashfs 
Parallel unsquashfs: Using 4 processors
29605 inodes (29764 blocks) to write

[=================================================================\] 29764/29764 100%

created 25458 files
created 4104 directories
created 4115 symlinks
created 9 devices
created 0 fifos

Add the keys to the image's home-directory skeleton; every account the live system creates from /etc/skel gets a copy. cp keeps the 600 mode ssh-keygen gave id_rsa, and it needs to stay that way: ssh ignores a private key that others can read. Remember the key is stored unencrypted on the stick:

root@Voyager:~/my-clonezilla# mkdir squashfs-root/etc/skel/.ssh
root@Voyager:~/my-clonezilla# cp id_rsa* squashfs-root/etc/skel/.ssh/

Repack the squashfs:

root@Voyager:~/my-clonezilla# mksquashfs squashfs-root filesystem-new.squashfs -b 1024k -comp xz -Xbcj x86 -e boot 
Parallel mksquashfs: Using 4 processors
Creating 4.0 filesystem on filesystem-new.squashfs, block size 1048576.
[=========================================================================================/] 25641/25641 100%

Exportable Squashfs 4.0 filesystem, xz compressed, data block size 1048576
  compressed data, compressed metadata, compressed fragments, compressed xattrs
  duplicates are removed
Filesystem size 205942.03 Kbytes (201.12 Mbytes)
  23.13% of uncompressed filesystem size (890527.03 Kbytes)
Inode table size 262474 bytes (256.32 Kbytes)
  23.50% of uncompressed inode table size (1117024 bytes)
Directory table size 293876 bytes (286.99 Kbytes)
  41.90% of uncompressed directory table size (701431 bytes)
Xattr table size 78 bytes (0.08 Kbytes)
  97.50% of uncompressed xattr table size (80 bytes)
Number of duplicate files found 1938
Number of inodes 33688
Number of files 25459
Number of fragments 609
Number of symbolic links  4115
Number of device nodes 9
Number of fifo nodes 0
Number of socket nodes 0
Number of directories 4105
Number of ids (unique uids + gids) 16
Number of uids 4
  root (0)
  syslog (104)
  www-data (33)
  messagebus (106)
Number of gids 14
  root (0)
  dip (30)
  adm (4)
  shadow (42)
  nogroup (65534)
  utmp (43)
  tty (5)
  crontab (107)
  messagebus (110)
  syslog (108)
  staff (50)
  uuidd (111)
  www-data (33)
  mail (8)

Copy the new image into place, and unmount the USB stick:

root@Voyager:~/my-clonezilla# cp filesystem-new.squashfs /mnt/usb/live/filesystem.squashfs 
root@Voyager:~/my-clonezilla# umount /mnt/usb 
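
As an added example, not part of the original post, the key-installation step as a script: it sets the file modes OpenSSH requires instead of relying on what cp and umask happened to produce, pins the image server's host key into known_hosts so the live system rejects an impostor rather than showing a first-connection prompt, and verifies the tree before repacking with the same mksquashfs options as above. It assumes the tree was unpacked to squashfs-root as above; the host-key line in the usage comment is a placeholder for what ssh-keyscan prints on a machine that already trusts the server.

```shell
#!/bin/sh
# Added example, not from the original post. Installs an SSH key pair into the
# unpacked Clonezilla tree, pins a host key, checks the result and repacks.
# Usage: ./add-ssh-keys.sh squashfs-root ./id_rsa ./id_rsa.pub "imageserver ssh-ed25519 AAAA..."

# $1 = unpacked squashfs root, $2 = private key, $3 = public key.
install_skel_keys() {
    sshdir="$1/etc/skel/.ssh"
    mkdir -p "$sshdir"
    cp "$2" "$sshdir/id_rsa"
    cp "$3" "$sshdir/id_rsa.pub"
    # ssh refuses a private key that is group- or world-readable
    # ("UNPROTECTED PRIVATE KEY FILE"), so set the modes explicitly.
    chmod 700 "$sshdir"
    chmod 600 "$sshdir/id_rsa"
    chmod 644 "$sshdir/id_rsa.pub"
}

# $1 = unpacked root, $2 = one known_hosts line ("host keytype base64key").
# With the server's key pre-seeded the live system never has to answer a
# host-key prompt, and a spoofed image server is rejected instead of accepted.
add_known_host() {
    printf '%s\n' "$2" >> "$1/etc/skel/.ssh/known_hosts"
    chmod 644 "$1/etc/skel/.ssh/known_hosts"
}

# Octal mode of a path (GNU stat, with a BSD fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Exit 0 only if the skeleton .ssh tree has the expected modes and a pinned host key.
check_skel_keys() {
    sshdir="$1/etc/skel/.ssh"
    [ "$(mode_of "$sshdir")" = 700 ] || { echo ".ssh is not mode 700" >&2; return 1; }
    [ "$(mode_of "$sshdir/id_rsa")" = 600 ] || { echo "id_rsa is not mode 600" >&2; return 1; }
    [ -s "$sshdir/known_hosts" ] || { echo "no host key pinned in known_hosts" >&2; return 1; }
    return 0
}

# Repack with the same options as above; $1 = unpacked root, $2 = output file.
repack_squashfs() {
    mksquashfs "$1" "$2" -b 1024k -comp xz -Xbcj x86 -e boot
}

if [ "$#" -eq 4 ]; then
    install_skel_keys "$1" "$2" "$3"
    add_known_host "$1" "$4"
    check_skel_keys "$1" && repack_squashfs "$1" filesystem-new.squashfs
fi
```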

 

Published in Linux

Writing a simple bash filter

To write a simple bash filter, start by declaring it as a bash script with #!/usr/bin/env bash.
This tells the kernel which interpreter to run the script with.

The trick to writing a filter is to read lines from a filename if one is supplied (${1}),
or from /dev/stdin if no filename is supplied.

An example script, lowercase:

#!/usr/bin/env bash
# Read from the file given as $1, or from stdin when no argument is given.
# IFS= keeps leading/trailing whitespace, -r keeps backslashes, and the
# || [ -n "$line" ] clause still processes a final line that has no newline.
while IFS= read -r line || [ -n "$line" ]; do
    printf '%s\n' "${line,,}"   # ${var,,} lower-cases (bash 4 and later)
done < "${1:-/dev/stdin}"

This script can then be used in a pipeline, e.g. cat file | lowercase,
or by giving it a filename: lowercase file.


Published in Programming, Shellscript

Screenshot script for Ubuntu 18.04

This script takes a screenshot, uploads it to a server, copies the URL into your clipboard and finally plays a sound to tell you it's done. First install xclip:

apt-get install xclip

Create screenshot.sh

#!/bin/bash
set -e   # stop at the first failure instead of uploading or announcing a missing file
filename="Screenshot_from_$(date +%Y-%m-%d_%H-%M-%S).png"
echo "$filename"
gnome-screenshot --area --file="$HOME/Pictures/$filename"
# cancelling the area selection leaves no file behind
[ -s "$HOME/Pictures/$filename" ] || exit 1
scp "$HOME/Pictures/$filename" "user@website.dk:/var/www/website.dk/htdocs-ssl/screenshots/$filename"
# plain xclip fills the PRIMARY selection; Ctrl+V pastes from CLIPBOARD
printf '%s' "https://website.dk/screenshots/$filename" | xclip -selection clipboard
aplay ~/screenshot.wav

You must set up SSH keys so the scp transfer goes through without a password.

Now open Ubuntu Settings (the gear-and-wrench icon), select "Devices" and "Keyboard", scroll to the bottom, click the plus sign (+) and fill it in as follows:

And finally you need to find a wave file you want to play afterwards. I use one of a camera shutter I found on a Creative Commons website, which I unfortunately lost the link to ... if you have a good link, please submit it and I will post it.

Published in Linux, Workstation

WM-independent shortcuts with xbindkeys

First install:

apt-get install xbindkeys

And create a config file, /home/user/.xbindkeysrc, binding Control+Alt+P to the script (which must be executable):

"/home/user/scripts.sh"
    Control + Alt + P 

And run xbindkeys -p

Published in Linux, Workstation

Installing Vagrant and host-manager with LXC on Ubuntu 18.04

This took me quite a while and a number of failed tries to figure out:

apt-get update
apt-get install lxc
wget https://releases.hashicorp.com/vagrant/2.1.2/vagrant_2.1.2_x86_64.deb
dpkg -i vagrant_2.1.2_x86_64.deb
vagrant plugin install vagrant-lxc
vagrant plugin install vagrant-hostmanager

You should probably check whether a newer version has been released; if you are missing any dependencies, try installing the vagrant-lxc packages from Ubuntu before the .deb package.

Create a project folder containing the following Vagrantfile:

Vagrant.configure("2") do |config|
   config.vm.box = "debian/stretch64"
   config.hostmanager.enabled = true
   config.hostmanager.manage_host = true
   config.hostmanager.manage_guest = true

   config.vm.define "ns1" do |ns1|
     ns1.vm.hostname = "ns1.local"
   end

   config.vm.define "ns2" do |ns2|
     ns2.vm.hostname = "ns2.local"
   end

end

Now run

vagrant up

to bring the environment online (hostmanager edits the host's /etc/hosts when manage_host is true, so expect a sudo prompt), then verify name resolution and connectivity:

# ping ns1.local -c 4
PING ns1.local (10.0.3.14) 56(84) bytes of data.
64 bytes from ns1.local (10.0.3.14): icmp_seq=1 ttl=64 time=0.052 ms
64 bytes from ns1.local (10.0.3.14): icmp_seq=2 ttl=64 time=0.065 ms
64 bytes from ns1.local (10.0.3.14): icmp_seq=3 ttl=64 time=0.066 ms
64 bytes from ns1.local (10.0.3.14): icmp_seq=4 ttl=64 time=0.081 ms

--- ns1.leandns.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2999ms
rtt min/avg/max/mdev = 0.052/0.066/0.081/0.010 ms

Connect to one of the machines with:

# vagrant ssh ns1

Enjoy 😉

Published in Development, Linux, Vagrant, Workstation

Installing Vagrant with KVM on Ubuntu 18.04

Start by installing necessary packages:

apt-get install nfs-kernel-server qemu-kvm libvirt-daemon libvirt-daemon-system virtinst bridge-utils vagrant-libvirt

Create an ordinary user and add it to the sudo and libvirt groups (-a appends; without it usermod -G replaces the user's existing supplementary groups):

adduser mike
usermod -aG libvirt,sudo mike

Now you should be able to switch to this user and give Vagrant a spin (add --provider=libvirt to vagrant up if another provider gets picked by default):

su - mike
mkdir testmachine
cd testmachine
vagrant init debian/stretch64
vagrant up

Published in KVM, Links, Programming, Vagrant

Inotify, Run (Python) script once it changes

This is Linux-only, sadly. Start by installing inotify-tools:

# apt-get install inotify-tools

and create the following script:

#!/bin/sh
clear
echo Waiting for filechange ...
# -m: keep watching; -q: no startup chatter; close_write catches in-place saves,
# moved_to catches editors that write a temp file and rename it over the old one
inotifywait -q -m -e close_write,moved_to --format %e/%f . |
while IFS=/ read -r events file; do
    if [ "$file" = "script.py" ]; then
        clear
        python ./script.py
    fi
done

This watches the directory rather than the file, because Vim saves by writing your changes to a temporary file and moving it into place of the old one (so a watch on the file itself would be lost with the old inode); the approach also works for editors that write in place, which is what close_write catches.

Published in Linux, Vim

Ubuntu 18.04 LTS default video player Totem won't play mp4 files

It took me a while to figure out, but for some reason gstreamer1.0-vaapi needs to be uninstalled.

Published in Workstation