Profile Details

Recent updates
  • Nuke
    Nuke replied to a discussion, let's encrypt client upgrade request.

    Nick Howitt wrote:

    A renewal check takes place every night. Have a look in /var/log/letsencrypt/. Actual renewals are attempted nightly from 30 days to expiry. If you have set up any test/dummy certificates then deleted them, I believe you will still get renewal e-mails from Let's Encrypt and you have to ignore them. You can see the expiry dates of any current manager in the Webconfig let's Encrypt landing page.


    The log says no renewal necessary.

    2019-03-14 04:15:09,863:DEBUG:certbot.main:certbot version: 0.31.0
    2019-03-14 04:15:09,863:DEBUG:certbot.main:Arguments: ['--standalone', '--preferred-challenges', 'http-01']
    2019-03-14 04:15:09,863:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
    2019-03-14 04:15:12,621:DEBUG:certbot.log:Root logging level set at 20
    2019-03-14 04:15:12,621:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
    2019-03-14 04:15:12,667:DEBUG:certbot.plugins.selection:Requested authenticator standalone and installer <certbot.cli._Default object at 0x7f30652e1310>
    2019-03-14 04:15:12,667:DEBUG:certbot.cli:Var pref_challs=http-01 (set by user).
    2019-03-14 04:15:12,668:DEBUG:certbot.cli:Var authenticator=standalone (set by user).
    2019-03-14 04:15:12,679:INFO:certbot.renewal:Cert not yet due for renewal
    2019-03-14 04:15:12,679:DEBUG:certbot.plugins.selection:Requested authenticator standalone and installer None
    2019-03-14 04:15:12,683:DEBUG:certbot.cli:Var pref_challs=http-01 (set by user).
    2019-03-14 04:15:12,683:DEBUG:certbot.cli:Var authenticator=standalone (set by user).
    2019-03-14 04:15:12,702:INFO:certbot.renewal:Cert not yet due for renewal
    2019-03-14 04:15:12,703:DEBUG:certbot.plugins.selection:Requested authenticator standalone and installer None
    2019-03-14 04:15:12,703:DEBUG:certbot.renewal:no renewal failures

    Strange that I got an email for a renewal but the log says no renewal necessary. I went back 3 days (covers off when the renewal email came in) but no notice of actual renewal happening. <confused>

  • Nuke
    Nuke replied to a discussion, let's encrypt client upgrade request.

    Nick Howitt wrote:

    It looks like the community version went to certbot 0.31 in the last few days anyway. I don't know when the Business version will follow.

    I noticed that too.

    BTW, today I got the reminder from Let's Encrypt.

    Your certificate (or certificates) for the names listed below will expire in 19 days (on 02 Apr 19 16:00 +0000). Please make sure to renew your certificate before then, or visitors to your website will encounter errors.

    We recommend renewing certificates automatically when they have a third of their
    total lifetime left. For Let's Encrypt's current 90-day certificates, that means
    renewing 30 days before expiration. See for details.

    Do you have an idea when the renewal is to take place? I can't find an option in the GUI and haven't looked at the config files yet. But now it's on my list of things to check.

  • Nuke
    Nuke replied to a discussion, let's encrypt client upgrade request.

    Nick Howitt wrote:

    One of my certificates renewed successfully last night. Have yours renewed OK yet?

    Hi Nick,

    sorry for the long delay in answering. I did a full reinstall and created new certificates and they haven't gotten around to renewing so far. I think it will be OK. I'll let you know when it updates.

  • Nuke
    Nuke replied to a discussion, let's encrypt client upgrade request.

    Hi Nick.

    I added the HTTP-01 line.

    Since I'm now using the Let's Encrypt application, how do you restart it to take into account the new config file?

    I can't find a service that is enabled for Let's Encrypt ... but that could be due to a PEBCAK. :-)

  • Nuke
    Nuke replied to a discussion, let's encrypt client upgrade request.

    Nick Howitt wrote:

    This is weird as my logs "seem" to0.29 indicate that although tls-sni-01 is allowed, http-01 is being used. Do you even have a pref_challs line in your conf file?

    When I got the email I followed the instructions on link How to stop using tls-sni-01

    and ran

    I believe this completely removed the line "pref_challs" from the conf file. That is likely why I don't have one anymore.

    In any case, I still got the warning after doing these changes and the notice that Feb 13 all code prior to 0.28 is end of life and won't work. :(

  • Nuke
    Nuke replied to a discussion, let's encrypt client upgrade request.

    Nick Howitt wrote:

    Hi Nuke,
    Can I ask where you are seeing the message?

    Hi Nick,

    I am receiving an email to the email I set up for the account. It is very similar to what @Alonso wrote about.

    Here it is in its entirety.


    Action may be required to prevent your Let's Encrypt certificate renewals
    from breaking.

    If you already received a similar e-mail, this one contains updated

    Your Let's Encrypt client used ACME TLS-SNI-01 domain validation to issue
    a certificate in the past 60 days. Below is a list of names and IP
    addresses validated (max of one per account):

    mydomain.tld (IP Address) on 2019-01-02
    mydomain.tld (IP Address) on 2019-01-02

    TLS-SNI-01 validation is reaching end-of-life. It will stop working
    temporarily on February 13th, 2019, and permanently on March 13th, 2019.
    Any certificates issued before then will continue to work for 90 days
    after their issuance date.

    You need to update your ACME client to use an alternative validation
    method (HTTP-01, DNS-01 or TLS-ALPN-01) before this date or your
    certificate renewals will break and existing certificates will start to

    Our staging environment already has TLS-SNI-01 disabled, so if you'd like
    to test whether your system will work after February 13, you can run
    against staging:

    If you're a Certbot user, you can find more information here:

    Our forum has many threads on this topic. Please search to see if your
    question has been answered, then open a new thread if it has not:

    For more information about the TLS-SNI-01 end-of-life please see our API

    Thank you,
    Let's Encrypt Staff

    If you follow the link, you will see that everything prior to version 0.27 has an issue.

    Have you checked your conf files in /etc/letsencrypt/renewal to make sure they do not have:
    If you do have "tls-sni-01", you can run the script from the post you linked to or just manually change the lines to:
    I'd appreciate it if you could post back and I will escalate to the devs accordingly. It could be that certbot-0.27 is fine and just a change to the .conf files is needed. That could be done through app-lets-encrypt.

    Neither site has . I have run the script from the let's encrypt site to remove all those in the past days. But I received the notice above again overnight.

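    A check a defender could run for the two things this thread circles around: whether a renewal conf under /etc/letsencrypt/renewal still names tls-sni-01 (and what the http-01 rewrite looks like), and reading the nightly certbot.renewal log lines together with the 30-day window Nick describes. This is an added example, not code from the thread or from certbot; the conf and log samples are constructed, and the exact `pref_challs = ...` line format is an assumption.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of /etc/letsencrypt/renewal/<domain>.conf;
# pref_challs is the key the cleanup script in the thread is said to remove.
SAMPLE_CONF = """[renewalparams]
authenticator = standalone
pref_challs = tls-sni-01, http-01
"""

# Constructed excerpt in the shape of the certbot.renewal lines quoted above.
SAMPLE_LOG = """2019-03-14 04:15:12,679:INFO:certbot.renewal:Cert not yet due for renewal
2019-03-14 04:15:12,702:INFO:certbot.renewal:Cert not yet due for renewal
2019-03-14 04:15:12,703:DEBUG:certbot.renewal:no renewal failures
"""

PREF_RE = re.compile(r"^([ \t]*pref_challs[ \t]*=[ \t]*)(.*?)[ \t]*$", re.MULTILINE)

def uses_tls_sni(conf_text):
    """True if the renewal conf still lists the retired tls-sni-01 challenge."""
    m = PREF_RE.search(conf_text)
    return m is not None and "tls-sni-01" in m.group(2)

def rewrite_pref_challs(conf_text, fallback="http-01"):
    """Drop tls-sni-01 from pref_challs; fall back to http-01 if nothing remains."""
    def fix(m):
        kept = [c.strip() for c in m.group(2).split(",")
                if c.strip() and c.strip() != "tls-sni-01"]
        return m.group(1) + ", ".join(kept or [fallback])
    return PREF_RE.sub(fix, conf_text)

def summarize_renewal_log(log_text):
    """Count 'not yet due' entries and note whether the run reported no failures."""
    not_due, no_failures = 0, False
    for line in log_text.splitlines():
        if ":certbot.renewal:" not in line:
            continue
        msg = line.split(":certbot.renewal:", 1)[1]
        if msg == "Cert not yet due for renewal":
            not_due += 1
        elif msg == "no renewal failures":
            no_failures = True
    return {"not_due": not_due, "no_failures": no_failures}

def renewal_due(expiry, now, window_days=30):
    """The nightly run only attempts renewal once expiry is within the window."""
    return expiry - now <= timedelta(days=window_days)
```

With the expiry from the reminder e-mail (02 Apr 19 16:00 +0000) and the log's date of 14 March, `renewal_due` returns True, which is why a "not yet due" line on that date is worth a second look at which certificate the log entry refers to.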

  • Nuke
    Nuke replied to a discussion, let's encrypt client upgrade request.

    Hi Nick,

    I finally got around to migrating to the COS7 version of certbot & let's encrypt. Your help was appreciated very much! The transition was easy!

    I finally was forced to do the migration because I got the same message as @Alonso.

    It appears from the forum that this is an issue with certbot < 0.28.

    So I think the version of certbot in COS7 needs an update. Let's Encrypt Update Notice

    You mention that we are a few versions back. Is there a chance this can be updated by the Feb 13 expiry?

    Thanks again for all your help!

  • Nick Howitt wrote:

    What Blocked Incoming Connections are you talking about? I am not sure where you are in the webconfig.

    For your rules, I suggest you use /etc/clearos/firewall.d/local but use the "if" structure from /etc/clearos/firewall.d/custom.

    Nick, thanks for responding so quickly.

    Here is a screenshot showing the Blocked Incoming Connections in webconfig.

    I have about 100 blocks in this list and another 100 or so to add. I can't find where these blocked IPs are stored.

  • Dirk Albring wrote:

    Hmm, my custom rules are in the custom file.

    Ooophs. I think I call the list the wrong thing.

    I have been manually adding IPs to the Incoming Firewall "Blocked Incoming Connections" list at the bottom of the Firewall:Incoming Firewall list.

    I've been manually adding the IP addresses of the a-holes who try 10s of thousands of times to get through to the network via the VPN. I put those IP addresses in the "Blocked Incoming Connections" list and hoped I'd find where those were added so I could just add the 100 additional IPs manually.

    Where is the manually entered "Blocked Incoming Connections" file in /etc?

    Sorry for the confusion.

  • Nuke
    Nuke replied to a discussion, fail2ban logs stopped rotating - Help

    Nick Howitt wrote:

    Can I ask which Attack Detector jails do you have enabled and which ports do you have open in your incoming firewall? Currently the cyrus-imap jail does nothing and will not detect intrusion attempts.

    Note that unlike the IDS/IPS, Attack Detector only works on exposed ports.


    I have cyrus, postfix, sshd & sshd-ddos enabled. I will try the cyrus update you indicated this evening when I get home from work.

    Ports open are: 25; 80; 81; 123; 443; 465; 587; 993; 995; 1194; & 1875. All are standard use ports used for standard processes.