This is what I have run to create two certs for two subdomains.
VPNHOST="vpn-i.example.com"
APIHOST="api-i.example.com"
certbot certonly --non-interactive --agree-tos --email $EMAIL --webroot -w /var/www/letsencrypt/api -d $APIHOST -w /var/www/letsencrypt/vpn -d $VPNHOST
According to the logs it has accepted both entries and has sent and received the challenge, but it has written the certificate only for the api entry.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Running pre-hook command: /sbin/iptables -I INPUT -p tcp --dport 80 -j ACCEPT
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for api-i.example.com
http-01 challenge for vpn-i.example.com
Using the webroot path /var/www/letsencrypt/vpn for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Running post-hook command: /sbin/iptables -D INPUT -p tcp --dport 80 -j ACCEPT
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/api-i.example.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/api-i.example.com/privkey.pem
Your cert will expire on 2018-05-19. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
Looking into the folder, I only see the api certificate:
ls /etc/letsencrypt/live/
api-i.example.com
I am trying to use rsync to upload files to my server alongside Travis and GitHub. I have this line in a deploy.sh script:
rsync -avhP $f deploy@multicrew.co.uk:/var/www/test/
and whenever I try to upload the $f files I get this error:
ssh: connect to host multicrew.co.uk port 22: Cannot assign requested address
Within my .travis.yml file I have this code:
addons:
  ssh_known_hosts: multicrew.co.uk
before_install:
  - openssl aes-256-cbc -K $encrypted_8c9513462553_key -iv $encrypted_8c9513462553_iv -in deploy/deploy_rsa.enc -out /tmp/deploy_rsa -d
  - eval "$(ssh-agent -s)"
  - chmod 600 /tmp/deploy_rsa
  - ssh-add /tmp/deploy_rsa
  - chmod +x deploy/deploy.sh
after_success: "deploy/deploy.sh"
I do not know why rsync cannot assign the requested address; I have an A record set up within CloudFlare that forwards multicrew.co.uk to my server's IP.
The error you are getting looks like it is caused by an outstanding issue with IPv6 on Travis CI.
However because, at the time of writing, your multicrew.co.uk domain is proxied by Cloudflare and Cloudflare only proxies HTTP traffic, the suggested fix of disabling IPv6 will not work.
You'll need to either create a separate non-proxied (grey cloud) hostname to use with SSH/rsync, change the rsync command to connect directly to the server IP address, or disable Cloudflare proxying for the multicrew.co.uk hostname.
Note that adding a non-proxied hostname in DNS will expose your server's IP address. You might want to restrict access on your server to just the Travis CI and Cloudflare IP ranges (e.g. with firewall rules or in the web server configuration).
I get the error below while trying to connect to the IBM Watson Internet of Things Platform using client certs and the mosquitto client. The same certs work fine with the node.js client, hence I know the certs are fine; it is just some config in the mosquitto client that is erroneous.
mosquitto_sub -h dumorg.messaging.internetofthings.ibmcloud.com -p 8883 --capath ./certs/ -t "iot-2/type/dumtype/id/dumid/cmd/+/fmt/json" -v -i g:dumorg:dumtype:dummid --cert ./client.crt --key ./client.key
Connection Refused: not authorised.
When I try to perform the same connection using an auth token it goes through fine:
$ mosquitto_sub -h dumorg.messaging.internetofthings.ibmcloud.com -p 8883 --capath ./certs/ -t "iot-2/type/dumtype/id/dumid/cmd/+/fmt/json" -v -i g:dumorg:dumtype:dumid -P dumpassword -u use-token-auth
I am also able to successfully connect using certs through another client. I know the certs are fine, and the mosquitto command works with the auth token, hence the issue is some missing/incorrect config in mosquitto due to which the IoT platform doesn't like the certs used to connect with mosquitto?
It seems mosquitto does not support SNI, which is required to connect to the MQTT broker on IBM Cloud. Manually applying this patch https://github.com/eclipse/mosquitto/pull/626 and building mosquitto resolved the issue. Hope this is merged into the main branch in the near future.
I have read several tutorials and topics and I did everything as described, but still I am not able to register the device.
I have been trying to use MQTTlens and mosquitto, but same problem: not authorised.
Below is the command for mosquitto:
mosquitto_pub -h xwc8vm.messaging.internetofthings.ibmcloud.com -u use-token-auth -P 'YpSP?P98Wwe0pYGXPj' -i 'd:xwc8vm:devicetype:mydevice' -t /iot/x -m '{"d":"heloo"}'
These are the device's data:
Organization ID: xwc8vm
Device Type: devicetype
Device ID: mydevice
Authentication Method: token
Authentication Token: XXXXXXXXXX
I have used the host
xwc8vm.messaging.internetofthings.ibmcloud.com
and the client ID
d:xwc8vm:devicetype:mydevice
I even tried using http://mqtt-helper.mybluemix.net/?cm_sp=dw-bluemix--nospace--answers, but got this error:
(23:42:45.044)Failed to connect to xwc8vm.messaging.internetofthings.ibmcloud.com:1883. Code: 1, Message: AMQJSC0001E Connect timed out.
Everything is configured as described here: http://heidloff.net/article/useful-mqtt-tools-ibm-watson-iot-bluemix?cm_mc_uid=27677244132415055778021&cm_mc_sid_50200000=1505944109
You can check your TLS security setting in your dashboard under the security tab. New IoT services by default require TLS. If you are not using TLS then try setting it to optional to see if that resolves the problem.
The mosquitto command is not complete: you need to specify the port 8883, and since the connection is secure by default you need to specify the server certificate, which can be downloaded from:
https://github.com/ibm-watson-iot/iot-python/blob/master/src/ibmiotf/messaging.pem
So the command should look like:
mosquitto_pub -h xwc8vm.messaging.internetofthings.ibmcloud.com -p 8883 -u "use-token-auth" -P "xxxxxxxxx" -i "d:xwc8vm:device-type:my-device" -t "iot-2/evt/x/fmt/json" -m '{"d":"hello"}' --cafile messaging.pem -d
The messaging.pem file needs to be in the same location as the mosquitto_pub file, or you can pass the path to it.
Note: please mind the topic format:
"iot-2/evt/x/fmt/json" >>>>> iot-2/evt/event/fmt/event_format
Very important: please edit your post and remove or mask the authentication token.
Sorry for the vague title, but my issue is a bit complicated to explain.
I have written a "captive portal" for a WLAN access point in cherrypy, which is just a server that blocks MAC addresses from accessing the internet before they have registered at a certain page. For this purpose, I wrote some iptables rules that redirect all HTTP traffic to me:
sudo iptables -t mangle -N internet
sudo iptables -t mangle -A PREROUTING -i $DEV_IN -p tcp -m tcp --dport 80 -j internet
sudo iptables -t mangle -A internet -j MARK --set-mark 99
sudo iptables -t nat -A PREROUTING -i wlan0 -p tcp -m mark --mark 99 -m tcp --dport 80 -j DNAT --to-destination 10.0.0.1
(the specifics of this setup are not really important for my question, just note that an "internet" chain is created which redirects HTTP to port 80 on the access point)
At port 80 on the AP, a cherrypy server serves a static landing page with a "register" button that issues a POST request to http://10.0.0.1/agree. To process this request, I have created a method like this:
import os
import cherrypy

    @cherrypy.expose
    def agree(self, **kwargs):
        # retrieve MAC address of client by checking ARP table
        ip = cherrypy.request.remote.ip
        mac = str(os.popen("arp -a " + str(ip) + " | awk '{ print $4 }' ").read())
        mac = mac.rstrip('\r\n')
        # add an iptables rule to whitelist the client, rmtrack to remove previous connection information
        os.popen("sudo iptables -I internet 1 -t mangle -m mac --mac-source %s -j RETURN" % mac)
        os.popen("sudo rmtrack %s" % ip)
        return open('welcome.html')
So this method retrieves the client's MAC address from the arp table, then adds an iptables exception to remove that specific MAC from the "internet" chain that redirects traffic to the portal.
Now when I test this setup, something interesting happens. Adding the exception in iptables works, i.e. the client can now access web pages without getting redirected to me. The problem is that the initial request doesn't come through to my server, i.e. the page welcome.html is never opened; instead, right after the iptables and rmtrack calls are executed, the client tries to open the "agree" path on the page they requested before the redirect to my portal.
For example, if they hit "google.com" in the address bar, then got sent to my portal and agreed, they would now try to open http://google.com/agree. As a result, they get an error after a while. It appears that the iptables or the rmtrack call changes the request to go for the original destination while it is still being processed at my server, which doesn't make any sense to me. Consequently, it doesn't matter which static page I return or which redirects I make after those terminal commands have been issued: the return value of my function isn't used by the client.
How could I fix this problem? Every piece of useful information is appreciated.
Today I managed to solve my problem, so I'm gonna put the solution here although I kinda doubt that there's a lot of people running into the same problem.
Basically, all that was needed was an absolute-path redirect somewhere during the request processing on the captive portal server. For example, in my case, the form on the index page where you agreed to my T&C was calling action /agree. This meant that the client was left believing he was accessing those paths on his original destination server (e.g. google.com/agree).
Using the absolute form 10.0.0.1/agree instead, the client will follow the correct redirect after the iptables call.
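The same handler, rewritten here as an added example (not the poster's code) in the shape the thread's solution implies: the MAC is parsed out of `arp -a` and validated before it reaches iptables, the privileged commands are argv lists instead of shell strings, and the response is an absolute redirect to the portal's own address so the browser cannot resolve it against the host it originally asked for. The `Portal` class, `welcome.html` path and the ARP output format are assumptions.

```python
import ipaddress
import re
import subprocess
from urllib.parse import urljoin

try:
    import cherrypy  # only the handler needs it; the helpers are framework-free
except ImportError:  # assumption: helpers stay importable where cherrypy is absent
    cherrypy = None

PORTAL_BASE = "http://10.0.0.1/"  # the portal's own address, as in the thread
MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")

def mac_from_arp(arp_output, ip):
    """Pick the MAC for `ip` out of `arp -a` output ('? (10.0.0.23) at aa:bb:... [ether] on wlan0').
    Only a well-formed MAC is returned; '<incomplete>' or unexpected output yields None."""
    for line in arp_output.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == "(%s)" % ip and MAC_RE.match(fields[3].lower()):
            return fields[3].lower()
    return None

def whitelist_commands(ip, mac):
    """Build the two privileged commands as argv lists, so no shell ever interprets the values."""
    ipaddress.ip_address(ip)  # ValueError unless `ip` is a bare address
    if not MAC_RE.match(mac):
        raise ValueError("malformed MAC address: %r" % mac)
    return [
        ["sudo", "iptables", "-t", "mangle", "-I", "internet", "1",
         "-m", "mac", "--mac-source", mac, "-j", "RETURN"],
        ["sudo", "rmtrack", ip],
    ]

def portal_redirect(path):
    """Absolute Location on the portal; a relative one is resolved against the original host."""
    return urljoin(PORTAL_BASE, path)

if cherrypy is not None:
    class Portal:
        @cherrypy.expose
        def agree(self, **kwargs):
            ip = cherrypy.request.remote.ip
            arp = subprocess.run(["arp", "-a", ip], capture_output=True, text=True).stdout
            mac = mac_from_arp(arp, ip)
            if mac is None:
                raise cherrypy.HTTPError(400, "client not found in ARP table")
            for argv in whitelist_commands(ip, mac):
                subprocess.run(argv, check=True)
            raise cherrypy.HTTPRedirect(portal_redirect("/welcome.html"))
```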
I am using curl.exe in an application to send emails. I need to support most major email servers. Gmail exposes the following ports and authentication methods:
TLS/STARTTLS (sometimes called Explicit TLS): uses port 587
SSL (sometimes called Implicit TLS): uses port 465
I have gotten Explicit TLS to work using the following command line:
C:\>curl smtp://smtp.gmail.com:587 -v --mail-from "my.mail@gmail.com" --mail-rcpt "your.mail@x.com" --ssl -u my.mail@gmail.com:password -T "c:\test.txt" -k --anyauth
I have tried the following to get Implicit TLS to work, but it does not:
C:\>curl smtp://smtp.gmail.com:465 -v --mail-from "my.mail@gmail.com" --mail-rcpt "your.mail@x.com" --ssl -u my.mail@gmail.com:password -T "c:\test.txt" -k --anyauth
What are the proper command line parameters to get SSL/Implicit TLS to work?
Use smtps:// for SMTPS (i.e. SMTP on top of an existing SSL/TLS connection).
This works:
curl smtps://smtp.gmail.com:465 -v
I would also use --ssl-reqd for the explicit STARTTLS connection to make sure SSL/TLS is used when you expect it to be (downgrade attacks would be possible otherwise).
Don't use -k either, check the server certificate: see http://curl.haxx.se/docs/sslcerts.html
Well, I just tried the following and it works fine:
curl smtps://smtp.gmail.com:465 -v --mail-from "xxx@gmail.com" --mail-rcpt "yyy@gmail.com" --ssl -u xxx@gmail.com:password -T "test.txt" -k --anyauth
Hope it helps!
You can try this:
curl --url "smtps://smtp.gmail.com:465" --ssl-reqd --mail-from "sender@gmail.com" --mail-rcpt "recipient@gmail.com" --upload-file /var/scripts/mail.txt --user "sender@gmail.com:senderGmailPassword"
You can test using this command:
curl -v --url "smtps://smtp.gmail.com:465" --ssl-reqd --mail-from "sender@gmail.com" --user "sender@gmail.com" --mail-rcpt "sender@gmail.com"
You will have to create a new 16-digit password specific to this application and simply change the account password to this new secure app password. Now you can create one password for each app. It will keep your account password safe and manage app passwords separately.
Log in to your account to create it:
https://myaccount.google.com/apppasswords
You must enable 2-Step Verification (https://myaccount.google.com/signinoptions/two-step-verification) to access this feature.
To help keep your account secure, from May 30, 2022, Google no longer supports the use of third-party apps or devices which ask you to sign in to your Google Account using only your username and password.
https://support.google.com/accounts/answer/6010255
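The distinction the answers above draw between smtps:// (implicit TLS on 465), smtp:// with --ssl-reqd (mandatory STARTTLS) and -k (no certificate check), carried into Python's smtplib as an added example that is not from any of the posters: the URL decides the mode, STARTTLS is refused rather than silently skipped when the server does not offer it, and the default SSL context verifies the server certificate in both modes. `tls_mode`, `require_starttls` and `connect` are names chosen here.

```python
import smtplib
import ssl
from urllib.parse import urlsplit

# Verifies the server certificate against the system trust store (curl without -k).
CONTEXT = ssl.create_default_context()

def tls_mode(url):
    """Map a curl-style SMTP URL to (host, port, mode).
    smtps:// is implicit TLS (TLS first, then SMTP); smtp:// is clear SMTP upgraded with STARTTLS."""
    u = urlsplit(url)
    if u.scheme == "smtps":
        return u.hostname, u.port or 465, "implicit"
    if u.scheme == "smtp":
        return u.hostname, u.port or 25, "starttls"
    raise ValueError("unsupported scheme: %r" % u.scheme)

def require_starttls(ehlo_features):
    """The --ssl-reqd check: refuse to continue in clear text when STARTTLS is not advertised.
    `ehlo_features` is the dict smtplib fills after EHLO (lower-case keyword -> parameters)."""
    if "starttls" not in ehlo_features:
        raise smtplib.SMTPException(
            "server did not advertise STARTTLS; refusing to go on in clear text (possible downgrade)")
    return True

def connect(url, timeout=10):
    """Open the connection the URL asks for, with certificate verification in either mode."""
    host, port, mode = tls_mode(url)
    if mode == "implicit":
        return smtplib.SMTP_SSL(host, port, timeout=timeout, context=CONTEXT)
    s = smtplib.SMTP(host, port, timeout=timeout)
    s.ehlo()
    require_starttls(s.esmtp_features)
    s.starttls(context=CONTEXT)
    s.ehlo()  # the feature list must be re-read on the now encrypted channel
    return s
```

With a Gmail account, `connect("smtps://smtp.gmail.com:465")` followed by `.login(user, app_password)` corresponds to the smtps:// commands in the answers above.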