I’ve just written a quick and dirty guide on how to use Certbot on Debian 9 with Route 53. This is useful if you are trying to manage wildcard certificates and don’t want to, or can’t, screw around with managing the current state of the Route 53 plugin on Debian 9.
Without further ado: quay:wiki – Let’s Encrypt Usage Notes
I’ve started learning Go, so I decided I’d try to get a good IDE. It seems like there is some sort of consensus that Microsoft Visual Studio Code is the current hot thing in the Go developer world, so I figured I’d check it out.
I must say that I’m mildly impressed. It’s available for OS X, Windows, and Linux and it’s pretty simple and extensible for most small projects.
Not only this, but it turns out that the source is all available under an MIT license as well! Here I am going on about Microsoft’s latest cross-platform, open source development tool. I never thought this day would come…
I was searching for a walkthrough of a bit of a screwy merge I have to do in a Git repo tonight, when I came across these videos by David Mahler. It wasn’t what I needed, but this is one of the best explanations of the core Git (and revision control) concepts for a beginner.
If you’re just learning Git, or looking for a refresher, check these out.
If you’re looking for a bit of light reading before bed, this might be just the answer: An Advanced Introduction to GnuPG.
On a mostly related note, I’m going to move all of my (admittedly trivial) secure e-mail to my ProtonMail account. If you have any reason to contact me securely, I advise you e-mail with GPG at gmobrien at protonmail dot com as of December 2018.
I’m midway through a small project to migrate some old utilities I originally wrote many, many years ago for FreeBSD and that I’ve migrated from system to system over the years with small tweaks and various cross-platform improvements. It’s been a while since I’ve done any real programming, so I’ve been reading some refreshers on things like documentation best practices, and I stumbled across a good article that’s aged quite well and that I thought was worth sharing.
It appears to be an IBM document from back in the day when they were making a big effort to enterprise-ify Linux and improve the level of documentation and tools for developers, but somebody at Harvard saw fit to host a mirror.
Peter Seebach: The art of writing Linux utilities
No big editorial, just a note for folks who have reason to use any of my GitHub projects and read the blog…
From here on, I’ll be maintaining any public software over here: https://gitlab.com/gmobrien
I’m getting back into the Debian world after years of being pretty much a RHEL guy and I’ve been dealing with an annoying “feature” which I was at a loss to resolve. Every time I log into the EC2 instance that this server runs on, I get a “No mail.” message which clutters up my login scripts and shouldn’t be there since I’m not receiving mail on this instance in the first place.
Today I finally decided I’d get to the bottom of it since it clearly wasn’t coming from a login script and even though it’s a minor thing it bugs me and I find it somewhat distracting!
It turns out that Debian and its derivatives have what is a rather elegant, if initially opaque, way of setting up the login info: it’s managed in a PAM module for the SSHD which can be found at /etc/pam.d/sshd.
Not only does PAM load a module that checks mail by default, it also does a couple of cool things with the MOTD info (this is where the kernel version info comes from when you login).
Here’s the relevant section:
# Print the message of the day upon successful login.
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session optional pam_motd.so motd=/run/motd.dynamic noupdate
session optional pam_motd.so # 
# Print the status of the user's mailbox upon successful login.
#session optional pam_mail.so standard noenv # 
As you can see, I’ve commented out the mail check. I’ve decided to leave the MOTD piece; I think I’m going to play around with it. It’s the first time I’ve ever encountered the pam_motd module and I’m curious what I can do with it.
Hopefully somebody else finds this helpful; there seemed to be little information about this available when I did a quick Google search.
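The same change as a repeatable script, added here as an example and not part of the original post: it lists the active pam_motd/pam_mail session lines in a PAM service file and comments out pam_mail, keeping a backup. The function names are hypothetical and the demo runs on a constructed copy of the section quoted above, so nothing under /etc is touched unless you pass that path yourself.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.
# Pattern for an active (uncommented) session line loading the named module(s).
active_re() { printf '^[[:space:]]*session[[:space:]]+[^#]*pam_(%s)\\.so' "$1"; }

# Print active session lines that produce login-time output (MOTD, mail status).
active_login_messages() {
    # $1: PAM service file, e.g. a copy of /etc/pam.d/sshd
    grep -E "$(active_re 'motd|mail')" "$1" || true
}

# Comment out active pam_mail.so session lines, leaving FILE.bak behind.
# Idempotent: lines that are already commented do not match and stay as they are.
disable_pam_mail() {
    file=$1
    if ! grep -Eq "$(active_re mail)" "$file"; then
        return 0                      # nothing active, nothing to change
    fi
    cp -p "$file" "$file.bak" || return 1
    tmp=$(mktemp) || return 1
    if sed -E "/$(active_re mail)/ s/^/#/" "$file" > "$tmp"; then
        # Write back in place so the file keeps its owner and mode.
        cat "$tmp" > "$file"
    fi
    rm -f "$tmp"
}

# Demo on a constructed copy of the section quoted in the post.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/sshd" <<'EOF'
# Print the message of the day upon successful login.
session optional pam_motd.so motd=/run/motd.dynamic noupdate
session optional pam_motd.so
# Print the status of the user's mailbox upon successful login.
session optional pam_mail.so standard noenv
EOF
    disable_pam_mail "$dir/sshd" && active_login_messages "$dir/sshd"
    rm -rf "$dir"
}
```

Calling `demo` prints the two pam_motd lines that remain active; keep an existing SSH session open when editing the live file so a typo cannot lock you out.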
I started to write a draft of an article about Let’s Encrypt back in November, but never quite finished it to my satisfaction. In any case I would like to draw attention to the project as it gets closer to becoming live. They just posted the draft of their certificate management policy so things are starting to heat up a bit which is kind of exciting!
If you’re not familiar with the project, here’s an overview of how it works. But basically it’s an automated tool that web server administrators can install and use to generate, sign, manage, and revoke TLS certificates for sites they host. It takes most of the human factor out of things and also helps implement some of the more esoteric features of modern TLS for HTTP.
In light of the news over the past couple of years and the complete ubiquity of the Internet and WWW at this point it’s fairly obvious that proper encryption of All The Things is long overdue. There are a number of steps in that direction taking place right now (HTTP/2 standard is more or less final, 1024-bit roots have been widely superseded, OCSP stapling and HSTS are becoming much more widely deployed), but the biggest challenge I see is that, particularly for small website owners and businesses, properly implementing X.509 certificates for TLS is still enough of a pain that it’s largely avoided unless you’re somewhat savvy or paranoid.
I’ve read a few good blog posts and articles on the Let’s Encrypt project but for some reason it doesn’t seem to be getting that much mainstream coverage. At first I was a bit leery of the idea that I hand certificate management over to a 3rd party system, but the more I’ve looked at it the more the idea seems solid. Basically their assumption is that their tooling can handle certificate management better than the average web administrator can. Combined with the fact that the project has major backing from folks like Cisco, Akamai, the EFF, and Mozilla I’m hoping that it gets major traction. I know that I’m planning on adopting it early even though I have a couple of years left on the RapidSSL certs I’m currently using.
Oh and did I mention that it will be entirely free?