Archive Page 2

Using Let's Encrypt for non-web servers

Let's Encrypt itself needs no introduction anymore. What many people struggle with is using Let's Encrypt certificates for services other than HTTPS, such as SMTP, IMAP, IRC and so on. The certificates are ordinary X.509 server certificates, so the only real differences are how the domain gets validated and how the non-web daemon is given access to the files.

With certbot this is quite easy (see https://certbot.eff.org for installation instructions).

Once certbot is installed you can use it in standalone mode. This means certbot starts a built-in web server that answers the ACME validation challenge and stops it again a few seconds later, so no existing web server is needed on the host; the validation port must, however, be free while certbot runs.

In short, here is an example command to create a new certificate for your mail server:

./certbot-auto certonly --standalone -d smtp.yourdomain.com -d imap.yourdomain.com

Of course the standalone web server must be reachable from the internet, so make sure no firewall is blocking the validation port. (When this was written the standalone plugin validated over port 443 via the TLS-SNI-01 challenge; that challenge was retired in 2019 and current certbot uses HTTP-01 on port 80, so adapt the port in the rules below to what your certbot version actually needs.) In my case a firewall is running, so I have to open the port temporarily while certbot runs. Certbot supports this with the --pre-hook and --post-hook options, which run a command before and after the actual certificate request:

./certbot-auto certonly --standalone --pre-hook /root/enable_https --post-hook /root/disable_https -d smtp.yourdomain.com -d imap.yourdomain.com

The example hook scripts insert a firewall rule for the validation port and remove it again afterwards. They are only examples that you need to adapt to your own rule set; in particular the insert position (8 here) must put the rule in front of whatever rule in your INPUT chain would otherwise drop the traffic.

enable_https:

#!/bin/bash
IPTABLES=/sbin/iptables
# Insert at position 8 of INPUT so the rule precedes the chain's drop/reject
# rule; adjust the position (and interface) to your own chain.
$IPTABLES -I INPUT 8 -i eth0 -p tcp -m conntrack --ctstate NEW -m tcp --dport 443 -j ACCEPT

disable_https:

#!/bin/bash
IPTABLES=/sbin/iptables
# Delete by rule specification (-D with the same match), so the position
# the rule was inserted at does not matter here.
$IPTABLES -D INPUT -i eth0 -p tcp -m conntrack --ctstate NEW -m tcp --dport 443 -j ACCEPT

See iptables(8) for more information on this.

Renewing is also easy. By default the "certbot-auto renew" command renews all certificates with the options they were originally issued with; with the certbot version used here only the hooks had to be given again on the command line (newer versions also save the hooks in /etc/letsencrypt/renewal/<your domain>.conf).

./certbot-auto renew --pre-hook /root/enable_https --post-hook /root/disable_https

It is recommended to run this twice a day. Certbot only actually renews a certificate when it is close to expiry (within 30 days by default), so the frequent runs are cheap and leave several chances to recover from a transient failure. To automate this you can create a cron job.

I used the template that is installed together with the certbot package on Debian Jessie.

/etc/cron.d/certbot:

# /etc/cron.d/certbot: crontab entries for the certbot package
#
# Upstream recommends attempting renewal twice a day
#
# Eventually, this will be an opportunity to validate certificates
# haven't been revoked, etc.  Renewal will only occur if expiration
# is within 30 days.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# twice a day
0 */12 * * * root test -x /root/certbot-auto && perl -e 'sleep int(rand(3600))' && /root/certbot-auto -q renew --pre-hook /root/enable_https --post-hook /root/disable_https

Finally you need to point your mail server configuration at the new certificates. certbot keeps the currently active certificate in /etc/letsencrypt/live/<your domain>/. This directory contains only symlinks into /etc/letsencrypt/archive/<your domain>/, where the real certificate files, keys and chains are stored with a number appended for every renewal. Always configure the paths under live/, so a renewal needs no configuration change; the daemons still have to be reloaded to pick up the new files, which is what certbot's --deploy-hook (--renew-hook in older versions) is for.

In my case I simply edited /etc/postfix/main.cf and /etc/imapd.conf to use these new files.
Cyrus was not able to access the files by default, because the default permissions of the Let's Encrypt directories (mode 0700, owned by root) prevented it from traversing them.
I fixed this by giving Cyrus read-only access via the ssl-cert group. Note that chmod on the directories leaves the modes of the key files inside unchanged, so check those afterwards, and that files written by later renewals may again be root:root depending on the certbot version.

chgrp -R ssl-cert /etc/letsencrypt/live /etc/letsencrypt/archive
chmod 750 /etc/letsencrypt/live /etc/letsencrypt/archive
usermod -a -G ssl-cert cyrus
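The following deploy hook is an added example, not a script from the post. It assumes the ssl-cert group and the two hostnames used above, Debian-style service commands for Postfix and Cyrus, and certbot's deploy-hook environment (RENEWED_LINEAGE and RENEWED_DOMAINS, which certbot exports to --deploy-hook / --renew-hook scripts). It fixes the group and mode of the freshly written archive files, so the one-off chgrp above stays effective after a renewal, and then reloads the mail daemons, which would otherwise keep serving the old certificate until their next restart.

```shell
#!/bin/sh
# Added example deploy hook, not part of the original post. Run it as
#   certbot renew --deploy-hook /root/deploy_mail_certs
# certbot exports RENEWED_LINEAGE (the live/<name> directory of the renewed
# certificate) and RENEWED_DOMAINS (its names, space separated) to deploy hooks.
set -eu

# Assumptions (adapt): the group from the post, the two mail hostnames from
# the post, and the commands that make Postfix and Cyrus load the new files.
CERT_GROUP="${CERT_GROUP:-ssl-cert}"
MAIL_HOSTS="${MAIL_HOSTS:-smtp.yourdomain.com imap.yourdomain.com}"
DRY_RUN="${DRY_RUN:-0}"   # 1: print the service commands instead of running them

log() { printf 'deploy_mail_certs: %s\n' "$*" >&2; }

# Execute a service command, or only print it in dry-run mode.
run() {
    if [ "$DRY_RUN" = 1 ]; then log "would run: $*"; else "$@"; fi
}

# Succeed if the renewed names ($1) include at least one of our mail hostnames.
lineage_covers_mail() {
    for host in $MAIL_HOSTS; do
        for renewed in $1; do
            [ "$host" = "$renewed" ] && return 0
        done
    done
    return 1
}

# Follow one level of symlink, e.g.
# live/<name>/privkey.pem -> ../../archive/<name>/privkeyN.pem
resolve_link() {
    target=$(readlink "$1" 2>/dev/null) || { printf '%s\n' "$1"; return 0; }
    case $target in
        /*) printf '%s\n' "$target" ;;
        *)  printf '%s/%s\n' "$(dirname "$1")" "$target" ;;
    esac
}

# Every renewal writes a new privkeyN.pem/fullchainN.pem into archive/ as
# root:root, so the one-off chgrp on the directories is not enough: hand the
# new key to the group (group-readable only) and make the chain world-readable.
fix_perms() {
    key=$(resolve_link "$1/privkey.pem")
    chain=$(resolve_link "$1/fullchain.pem")
    chgrp "$CERT_GROUP" "$key" "$chain"
    chmod 640 "$key"
    chmod 644 "$chain"
}

deploy_mail_certs() {
    lineage=$1
    domains=$2
    if ! lineage_covers_mail "$domains"; then
        log "$lineage does not cover $MAIL_HOSTS, nothing to do"
        return 0
    fi
    fix_perms "$lineage"
    # Postfix restarts its daemons on reload and so re-reads the TLS files;
    # Cyrus processes load them at start, so restarting is the safe choice
    # (service names are assumptions for a Debian system).
    run postfix reload
    run service cyrus-imapd restart
}

# certbot sets RENEWED_LINEAGE only when calling this script as a deploy hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_mail_certs "$RENEWED_LINEAGE" "${RENEWED_DOMAINS:-}"
fi
```

Add --deploy-hook /root/deploy_mail_certs to the renew command (and the cron line), then verify what the daemons actually serve with openssl s_client -connect smtp.yourdomain.com:25 -starttls smtp -servername smtp.yourdomain.com and compare the notAfter date with the certificate under live/; a matching file on disk but an old date on the wire means the reload did not happen.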

Building MinGW Cross-Compilation Toolchain using CrossDev

This is mainly a note to myself. Maybe it’s useful for you too.

Building cross-compiler toolchains with crossdev is actually easy, but there are some pitfalls:

  • Remove any compiler-related environment variables (CC, CXX, CFLAGS, CXXFLAGS, LDFLAGS) before building, or the build will fail
  • For MinGW toolchains the openmp USE flag must not be set
  • If you have already partially built a toolchain with wrong settings, remove it completely (crossdev -C) before trying again

Simple build instructions for mingw32 and gdb:

# become root
su
# clear env (clearing CXX should not be necessary, but it doesn't hurt)
export CC=
export CXX=
export CFLAGS=
export CXXFLAGS=
export LDFLAGS=
# build using crossdev
crossdev --ex-gdb -t i686-pc-mingw32

For 64bit toolchain use x86_64-w64-mingw32 instead of i686-pc-mingw32.

Uninstall: crossdev -C i686-pc-mingw32

See https://wiki.gentoo.org/wiki/Mingw for more information.

Another Update of my #Vim wombat256 colorscheme

Just updated my #Vim config and wombat256 colorscheme to show a nice color column area with a decent, non-distracting background color.

This is how it looks (screenshot: wombat256).

Wombat256 for #Vim now has its own Git repo

I just moved my wombat256 colorscheme for console #Vim to a separate Git repository.
This makes it easier for you to use it with pathogen & Co.
I also updated my Vim repo to make use of this separate repo.

Check it out at https://github.com/gergap/wombat256

Vim Section Navigation

Normally #Vim uses easy-to-remember mnemonics like d2w (delete two words).
But when it comes to section navigation with '[[', ']]', '[]' and '][' it looks weird,
at least if you expect the opening and closing brackets to somehow match opening
and closing braces.

(In C-like languages these commands jump to a '{' or '}' in the first column, which is
exactly where function bodies begin and end, so you can easily jump to the next or previous function.)

I tried to figure out the system behind it so that it is easy for me to remember.
Most of the time you want to jump to the start of a function, that is to a '{'.
Vim tries to make typing easy, and because pressing a key twice is easier than pressing two different keys,
Vim uses '[[' to jump to the previous '{' and ']]' to jump to the next '{'.
The first bracket gives the direction. By repeating the key you say "jump to an opening brace".

If you want to jump to a closing '}' instead, use the other key for the second press. The direction key stays the same.
So '[]' jumps to the previous '}' and '][' goes to the next '}'.

Summary:

  • The direction is given by the first key and is easy to remember
  • Jump to an opening brace: repeat the key
  • Jump to a closing brace: use the other key

If you are new to Vim, also check out '{', '}', '(', ')', '%', w and b for navigation.
Every Vim user should know these keys.
Use ":help <key>" to get help for any of them.

Updated Wombat256 Colorscheme

After working for a while with the Solarized colorscheme I came back to my wombat256 colorscheme, which is based on the original wombat for gvim by Lars H. Nielsen.
Yesterday I improved it a little to fix some things I didn't like:

  • Fix background color of NonText
  • Add new highlight groups for the ShowMarks plugin to make the signs column look nice and consistent with the rest of the theme.

You find it here:
https://github.com/gergap/vim/blob/master/colors/wombat256.vim

This is how it looks (screenshot: wombat256).

CMake uninstall

CMake is a great tool for building cross-platform software. It also offers an install target, so you can build and install software this way:


# create an out-of-source build directory
mkdir bld
cd bld
# run CMake (interactive curses frontend) to generate a Makefile
ccmake ..
# build with 4 parallel jobs
make -j 4
# install into CMAKE_INSTALL_PREFIX (default is /usr/local)
sudo make install

However, there is no uninstall target.
This is no problem as long as you have a shell and the xargs command (part of GNU findutils).

CMake writes a file called install_manifest.txt into the build directory when the install target runs. It lists every file that was installed (only files, so directories created by the install remain behind). To remove them, run this from the same build directory with the privileges you used for installing:


# uninstall; NUL-separating the paths keeps entries with spaces intact
tr '\n' '\0' < install_manifest.txt | sudo xargs -0 rm -f
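As an added example (not the blog's own code), here is the same removal with the checks a bare xargs rm lacks: it reads CMAKE_INSTALL_PREFIX from the build directory's CMakeCache.txt and refuses any manifest line outside that prefix, so a stale or foreign manifest cannot drive a root rm across the system; it survives paths with spaces, skips files that are already gone, and prunes the directories the install created once they are empty. It assumes a plain Makefile build directory containing CMakeCache.txt and install_manifest.txt.

```shell
#!/bin/sh
# Added example, not from the original post: uninstall what "make install"
# of a CMake build put in place, driven by its install_manifest.txt.
# Usage: . ./cmake_uninstall.sh; cmake_uninstall <build dir> "$(install_prefix <build dir>)"
set -eu

# Read CMAKE_INSTALL_PREFIX from the CMakeCache.txt in build directory $1.
install_prefix() {
    sed -n 's/^CMAKE_INSTALL_PREFIX:PATH=//p' "$1/CMakeCache.txt" | head -n 1
}

# Remove directories left empty by the uninstall, walking up from $1 to
# (but not including) the prefix $2.
prune_empty_dirs() {
    dir=$1
    prefix=$2
    while [ "$dir" != "$prefix" ] && [ "${dir#"$prefix"/}" != "$dir" ]; do
        rmdir -- "$dir" 2>/dev/null || break   # stop at the first non-empty dir
        dir=$(dirname "$dir")
    done
}

# Remove every file listed in $1/install_manifest.txt that lies under the
# prefix $2. Lines are read whole, so spaces survive; a line outside the
# prefix is refused and makes the function fail instead of deleting it.
cmake_uninstall() {
    bld=$1
    prefix=$2
    manifest="$bld/install_manifest.txt"
    [ -n "$prefix" ] || { echo 'empty install prefix, refusing to run' >&2; return 1; }
    removed=0
    refused=0
    path=
    while IFS= read -r path || [ -n "$path" ]; do
        [ -n "$path" ] || continue
        case $path in
            "$prefix"/*) ;;
            *) printf 'refusing to remove %s (outside %s)\n' "$path" "$prefix" >&2
               refused=$((refused + 1))
               continue ;;
        esac
        if [ -e "$path" ] || [ -L "$path" ]; then
            rm -f -- "$path"
            removed=$((removed + 1))
            prune_empty_dirs "$(dirname "$path")" "$prefix"
        fi
    done < "$manifest"
    printf '%d file(s) removed, %d line(s) refused\n' "$removed" "$refused"
    [ "$refused" -eq 0 ]
}
```

Run it with the same privileges as the install (sudo when the prefix is /usr/local) and from the same build directory, since the manifest describes exactly that build; a manifest from another build of the same project will list paths that may not match what is actually installed.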