SSL for everybody

April 28th, 2016


SSL certificates are a great way to ensure that the website you’re connected to is really the one you think you’re connected to, and they also keep the traffic between your client and the server secure. The HTTPS protocol uses SSL certificates. The main problem with the SSL infrastructure was that you needed one signed by one of the central trusted authorities, and generally if you wanted one of these you had to pay for it. There were a few places that would give you a free certificate for personal use; the other alternative was a self-signed certificate, but that has usability issues because it isn’t signed by a trusted authority.

This all changed recently with Let’s Encrypt – you can now get a free certificate with very little effort. If you maintain a website or host an app, you should check letsencrypt.org out. The remainder of this post is a cleaned up set of notes on what I did.

I started out here https://letsencrypt.org/getting-started/ – which seemed to be a good starting point. Then I figured I’d make sure my server met the criteria they had for support; the documentation had some details covering this. I was happy to see Ubuntu 12.04+ and Apache 2.x support, so this made me fairly confident my server was supported.

But... my Ubuntu doesn’t seem to have a letsencrypt package.

No problem, we’ll just follow along with https://letsencrypt.org/getting-started/.

The last command, while only asking for help, also bootstraps Let’s Encrypt, so don’t skip it. The scripts include calls to sudo, so you don’t have to be root to run them, but they will ask for root access.

[Security note – it is always a little bit scary running random scripts, so it is always worth reading them first. There is a growing trend of treating “wget -O - http://randomscript.com | bash” as normal, but you should be afraid of it.]

Just running the bootstrap produced some exciting updates to my server: my /etc/ca-certificates got updated (it was probably way overdue), and it also brought libssl up to date. It took a while to finish, but we finally got the help screen.

At this point I have the Let’s Encrypt tools installed on my server, so it’s time to try them out.

Hopefully the following command is going to register us and get a new certificate to replace my old expired one.

Well, that didn’t work: it picked up some ‘other’ domains I host, but not my main lowtek.ca one. Weird, but probably due to my non-standard Apache configuration after years of hacking on it. It was easy to bail out, so no harm done. Let’s try this then:

OK, much better: email sign-up and an agreement (which, yes, I took the time to read; it was only 6 pages). It seems that since I don’t have a virtual host set up for lowtek.ca, I needed to manually pick the Apache config file (not a big deal); this was why the first try didn’t work.

Visiting https://lowtek.ca/ shows no more certificate error (woot!) and all looks good. It was really this easy.

The end of the script even suggests you visit https://www.ssllabs.com/ssltest/analyze.html?d=lowtek.ca to check for issues. The SSL Labs tests show that my certificate from letsencrypt will expire in just under 3 months, so I’ll want to add a cron job to renew it. They also gave me a B rating, with lots of gorpy details on why.

To renew, I just need to run this command from time to time:

That’s really easy to do with cron, so I added an entry to my root user’s crontab to run this once a month.
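As an added example that is not part of the original post or of the Let’s Encrypt client: a small Python check a renewal cron job can run first, measuring how many days of validity the certificate has left and exiting non-zero once fewer than 30 remain (the 30-day threshold, the default host and the sample dates are assumptions).

```python
"""Check whether a Let's Encrypt certificate is due for renewal.

Added example, not code from the original post or from Let's Encrypt.
Let's Encrypt certificates are valid for 90 days; this mirrors the cron-
driven renewal the post describes by measuring the remaining lifetime and
signalling renewal once fewer than RENEW_AT_DAYS remain. The threshold,
the default host name and the sample dates below are assumptions.
"""
import socket
import ssl
import sys
import time

RENEW_AT_DAYS = 30  # assumed policy: renew with a month of validity left

# Constructed sample: the post is dated 2016-04-28, so a 90-day certificate
# issued that day runs out on 2016-07-27.
POST_DATE = 1461801600  # 2016-04-28 00:00:00 UTC, seconds since the epoch
SAMPLE_NOT_AFTER = "Jul 27 00:00:00 2016 GMT"


def days_remaining(not_after, now=None):
    """Days until expiry. `not_after` is in the format ssl.getpeercert()
    returns, e.g. 'Jul 27 00:00:00 2016 GMT'; `now` is epoch seconds."""
    expiry = ssl.cert_time_to_seconds(not_after)
    if now is None:
        now = time.time()
    return (expiry - now) / 86400


def renewal_due(not_after, now=None, threshold=RENEW_AT_DAYS):
    """True once the certificate has fewer than `threshold` days left."""
    return days_remaining(not_after, now) < threshold


def fetch_not_after(host, port=443, timeout=5):
    """Read notAfter from the certificate a live server presents.
    Verification stays on, so an already-expired or mis-issued certificate
    raises instead of being silently measured."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


if __name__ == "__main__":
    # Exit 1 when renewal is due, so a cron wrapper can run the client's
    # renew command only on that exit status.
    host = sys.argv[1] if len(sys.argv) > 1 else "lowtek.ca"
    left = days_remaining(fetch_not_after(host))
    print(f"{host}: {left:.1f} days of validity left")
    sys.exit(1 if left < RENEW_AT_DAYS else 0)
```

Because verification stays on, the check itself fails loudly once the certificate has actually expired, which is a second signal that the cron renewal stopped working.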

Arduboy Developer Kit

October 14th, 2015


When I saw Arduboy on KickStarter I knew I had to get a couple. Micro-controllers & retro-gaming in a teeny-tiny package. The KickStarter rewards haven’t shipped yet, but when I saw that there were going to be Dev kits available on tindie I leapt at the chance to get my hands on some hardware. I’m really glad they decided to make more Dev kits than were needed to fulfil the Kickstarter.

While the device can be run on a CR 2016 battery, it will also power up via micro-USB cable. The device ships with a breakout game (ArduBreakout) installed, so you just have to power it on to have some black & white retro gaming fun.

So now what? Well, of course we want to get set up to write some code and run it on this thing. Luckily there is a community site with instructions.

My desktop is Ubuntu, so here’s what I needed to do:

Then you’ll want to go to GitHub to grab the Arduboy library and some examples.

Launch the Arduino IDE and load up one of the examples (FloatyBall, a Flappy Bird game).

Before this code will compile, there are 3 things you’ll need to do:

  1. Add the Arduboy library files to the Arduino IDE
    Sketch -> Import Library -> Add Library
    If you don’t do this, you’ll get an error saying Arduboy.h can’t be found.
  2. Set Leonardo as the target
    Tools->Board->Arduino Leonardo
    Using the wrong board will result in errors like: “error: ‘OCIE3A’ was not declared in this scope TIMSK3 &= ~(1 << OCIE3A);”
  3. Select the correct serial port
    Tools->Serial Port->/dev/ttyACM0
    When I hadn’t done this, the LED on the board would flash like it was uploading, but then I’d get an error saying it couldn’t upload.

At this point I just wanted to stay up all night hacking code.

More games can be found on the community site.


Bluemix Virtual Machines

July 17th, 2015


The Bluemix platform is expanding from being a simple Cloud Foundry (CF) based PaaS to one with a range of runtime platforms. Today you can pick one of: app, container or virtual machine (VM). I like to think of this as a continuum: sometimes you want the simplicity of an application, and sometimes the control of a virtual machine. The decision is really based on a number of factors, but as you gain more control over the environment you also take on more responsibility for securing and maintaining it.

If you don’t have a Bluemix account, then you’ll need one (there is a free 30 day trial).


From your Bluemix dashboard you should see the Virtual Machine (beta) button. Click on the Run Virtual Machines tile.

This in turn will take you to a sign up page which will allow you to submit a request to be enabled for VM access. Within a few minutes you should receive an email thanking you for your interest in virtual machines on Bluemix.

Now you must be patient while the elves that run the service get things ready and then send you another email indicating “You are now ready to start creating virtual machines on Bluemix!” — once you get this you’ll be ready to go. It’s probably worth emphasizing that this is a service in BETA, so getting access might take some time; patience is a virtue.

Now let’s look at what it takes to create a VM on Bluemix. Log in to Bluemix and click on the Run Virtual Machines tile (the same path we took to sign up for access to the service). You should arrive at this screen:



As this will be your first time, you’ll need to add a security key. This screen capture shows my key named “BluemixVM”. To add a key, click on +Add Key, which appears under the Security Key box. You can choose to import or create a key. The easy path is to create a key, which will trigger the download of a key in your browser. I used BluemixVM as the key name and the file that was downloaded was BluemixVM.pem.

You can also upload an existing image, but to keep things simple let’s pick Ubuntu 14.04 from the set of images that are available.

The last thing you need is to “Name your VM group”; for this post I’ll pick RooVM. Then it’s simply a matter of pressing the Create button. There are other options for size etc., but you can play with those another time.

[Insert Jeopardy ‘think’ music here... it’ll take a couple of minutes]

So now we have a VM running in the cloud! You can see a public IP address has been assigned and it is using our BluemixVM security key.

Now let’s log in. I’ll show examples from a Linux machine and leave other OSes as an exercise for the reader.

So now you’ve got an ssh session into the cloud-based VM.

There are a couple of things you might want to do:

Let’s run a quick update to make sure that we’ve got all the latest patches.

Set the default shell for your ibmcloud user,

and change the last line to look like this:

Let’s also install my favourite shell, mosh.

Mosh
(mobile shell)
Remote terminal application that allows roaming, supports intermittent connectivity, and provides intelligent local echo and line editing of user keystrokes.

The VM image we’re using has an iptables firewall. However, ufw is also installed and is being used to manage the firewall; the nice thing about ufw is that by default it will persist our changes. Mosh uses the same port as ssh for the initial connection, but it additionally uses some UDP ports.

Note: the mosh installation appears to add some rules to /etc/ufw/applications.d, but I don’t understand why ufw isn’t picking those up. Manually adding them as above works fine.

Now you can use mosh to connect (assuming you have mosh installed on your local laptop).

You still might want to combine mosh with tmux or screen, as mosh doesn’t provide a scrollback buffer.

Last tweak: you might have noticed that sudo is printing a warning every time you use it.

This is because the /etc/hosts file is badly formed: the VM’s hostname doesn’t appear in it, so sudo can’t resolve it. Edit the file so that your hostname appears on the second line (we could probably replace ubuntu, but this is easy and won’t break anything). Below is my modified file:

Now sudo executes without warning.
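The /etc/hosts fix above, as an added Python example that is not from the original post: it makes the same edit idempotently on the file text, keeps any trailing comment intact, and also covers an image whose /etc/hosts has no 127.0.1.1 line at all (the sample file and the hostname are constructed).

```python
"""Make sudo stop warning 'unable to resolve host' by fixing /etc/hosts.

Added example, not code from the original post. The post's fix is to put
the machine's hostname on the 127.0.1.1 line of /etc/hosts (the second
line on a stock Ubuntu image). This does the same edit on the file's
text, idempotently, and adds the line if an image lacks it. The sample
file and the hostname used in the tests are constructed.
"""
import socket
import sys

SELF_ALIAS = "127.0.1.1"  # Debian/Ubuntu convention for the host's own name


def _fields(line):
    """Whitespace-separated fields of a hosts line, comment stripped."""
    return line.partition("#")[0].split()


def ensure_hostname(hosts_text, hostname):
    """Return hosts_text with `hostname` resolvable via SELF_ALIAS."""
    lines = hosts_text.splitlines()
    for i, line in enumerate(lines):
        fields = _fields(line)
        if fields and fields[0] == SELF_ALIAS:
            if hostname in fields[1:]:
                return hosts_text  # already there: nothing to change
            # Append before any trailing comment so it stays a real alias.
            head, sep, comment = line.partition("#")
            tail = f"  {sep}{comment}" if sep else ""
            lines[i] = f"{head.rstrip()} {hostname}{tail}"
            return "\n".join(lines) + "\n"
    # No 127.0.1.1 line at all: insert one right after 127.0.0.1 localhost.
    for i, line in enumerate(lines):
        fields = _fields(line)
        if fields and fields[0] == "127.0.0.1":
            lines.insert(i + 1, f"{SELF_ALIAS} {hostname}")
            break
    else:
        lines.insert(0, f"{SELF_ALIAS} {hostname}")
    return "\n".join(lines) + "\n"


# Constructed: a fresh image's /etc/hosts, with the image's generic name
# and no entry for the VM's actual hostname.
SAMPLE_HOSTS = "127.0.0.1 localhost\n127.0.1.1 ubuntu\n::1 localhost ip6-localhost ip6-loopback\n"

if __name__ == "__main__":
    # Print the fixed file; redirect it over /etc/hosts as root once reviewed.
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/hosts"
    with open(path) as f:
        sys.stdout.write(ensure_hostname(f.read(), socket.gethostname()))
```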

Footnote: this is a BETA service, don’t be surprised if some of what I show above does change. Please provide feedback via comments to this post and I’ll update accordingly.