acme.sh is the ultimate DNS/SSL toolset! i have wasted my life!

I’ve been automating SSL renewals for almost as long as i’ve been deploying them.  for the most part, it is very smooth and easy to do.  (thanks mostly to certbot and the hard work over at let’s encrypt)  The trouble comes up with non publicly addressable servers and other custom setups. cough cough. . . Unifi. . . cough cough.

I recently discovered a tool that makes all those complicated setups as easy as the original certbot installs. acme.sh is that tool.  two lines!  not since screen have i regret any time i spent not using such a tool.

./acme.sh –renew -d “unifi.domain.com”

./acme.sh –deploy -d “unifi.domain.com” –deploy-hook unifi

Status update:

I’m back in Vegas for Defcon and it’s going swimmingly. so much so that i might get some actual swimming in.

Patrick Wardle Speaking at Defcon 27Thanks to the late night help of Professor Franklin i have improved and redeployed the Defcam!be3n at defcon 27 with defcam streaming hat?

New security updates overtake jailbreak advantages.

There are just so many privilege escalation fixes in the latest iOS 12.2 update. I finally removed the jailbreak from my primary device and updated.  Privilege escalation is when an unprivileged or user process (like an app from the app store or even a web page*) gets root or even kernel authority.  This is when bad turns to worse because it can do and see anything with any of the device’s data or sensors.   Since even the big trusted apps have been caught tracking or stealing data, I simply couldn’t leave myself unprotected any longer.

I’ll still of course keep a development device jailbroken on 12.1.2 for all of the reasons. It was a wonderful experience, only slightly beta. I appreciate all the hard work by everyone in the scene. I think i am going hate seeing the home bar again the most.

* web pages are often sandboxed separately from the app itself. Some might argue that a webpage would first have to escape the sandbox before it could escalate privileges. this is true, but i would respond that sandbox escape is just another form of privilege escalation, only one level down. There are also over a dozen webkit fixes in this update.

Pilgrimage to the Internet Archive

Internet Archive

The offering I brought was nearly 100 lbs of technology from my childhood.  I met some amazing staff and volunteers (they even archive their employees). Even visited the blinking lights of their servers.  They archive even more then I knew.  More then web, old software and films, they even archive music and have an impressive collection (i found several rare or out of print artists and albums in their archive).

Amiga Offering to Internet Archive


Continue reading “Pilgrimage to the Internet Archive”

Hosted Unifi controller with Let’s Encrypt SSL take 2!

Unifi Dashboard with SSL

UPDATE 11-09-21:  Discovered the amazing acme.sh toolcheck it out!

I visited this idea months ago, but for anyone who implemented it, it has been a nightmare.  Each subsequent Unifi controller update broke the https in new and exciting ways.  After remaining a very squeaky wheel with Ubiquity support, they’ve pushed out a version that should permanently resolve the problems. They even made promises of native Let’s Encrypt support.  All this will prove true of false with time, but for now i wanted to share my working procedure for Unifi controller version 5.9.32.

This solution required me to become more familiar with Java’s keytool then i would have otherwise.  Unifi has a hardcoded keytool path and password, don’t change that (thanks Corey F @ubnt). i don’t think alias matter, but they must be consistent.  I used mykey.  We start by generating a key and a code signing request for our domain.  For permissions reasons, we will want to do this as root. . .
cd /var/lib/unifi
keytool -genkeypair -alias mykey -keyalg RSA -keysize 2048 -keystore keystore -dname "CN=custom.domain.name" -storepass aircontrolenterprise

Now we export the csr file we will give to Let’s Encrypt.
keytool -certreq -alias mykey -keystore keystore -file custom.domain.name.csr -ext san=dns:custom.domain.name -storepass aircontrolenterprise

Now we run the interactive certbot script to prove the domain is actually yours before they hand out a cert.  Follow the instructions you can use DNS or hosting a file to verify.
certbot certonly --manual --csr custom.domain.name.csr

Continue reading “Hosted Unifi controller with Let’s Encrypt SSL take 2!”