timmc: (Default)
2017-04-16 08:11 pm
Entry tags:

Setting up a Jabber/XMPP IM server with Let's Encrypt SSL? [public]

I have a server I use to host Jabber instant messenger for brainonfire.net. I currently use an SSL cert from StartSSL, but they're known to be sketchy and I don't know how long various IM clients will continue to trust them. I'd like to set up the server to use certs from Let's Encrypt, but it's not clear to me what the least worst way of doing this is, given that the website for that domain is hosted elsewhere.

I host www.brainonfire.net on nearlyfreespeech.net, which has a nice little utility to automatically get and install certs from Let's Encrypt. The cert files end up in a place I can SSH to. The home server I host Jabber on (named kibble) just has Jabber-related ports open, and in particular ports 80 and 443 on that IP go to a different server, named toster. Here are the options I can picture:

  • Manually copy the certs over every 30 days. (I could start with this.)
  • Have kibble automatically SSH into my web host and grab the certs periodically, then install them into Prosody. (I would be *really* leery of doing this -- that SSH environment in my web host has a ton of access, and this would require passwordless SSH keys.)
  • Point the A record for brainonfire.net to toster, which would use haproxy or nginx to forward brainonfire.net requests to kibble, which would just intercept ACME challenges and otherwise send redirects to www.brainonfire.net just like nearlyfreespeech.net would normally do. (This is awful in several ways.)
  • ETA: Have a cron job on the web host copy the keys directly to kibble, into a limited user directory, and then have a cron job on kibble pick up the keys and install them. (This... might work?)

I don't think I can manipulate brainonfire.net's DNS from any of my servers (this is a good thing) and I don't think my web site can see the cert files in order to serve them up to kibble via an authenticated request (this is probably *also* a good thing). I don't want to host my website on kibble, and I can't host Jabber at nearlyfreespeech.net. Are there any other options I've missed?

Edit 2: A coworker suggested what sounds like the right way: Generate the key on kibble, sign a CSR with it, transfer the CSR to the web host. Then periodically use the CSR for cert generation, copying the results back to kibble, as in the last idea above. Much safer!

Edit 3: Success! Here's what I did:

  1. Generate a private key and a CSR on the Jabber server:
    mkdir -p /opt/keys/prosody/brainonfire.net/
    (umask 077; openssl genrsa -out /opt/keys/prosody/brainonfire.net/privkey.pem 4096)
    openssl req -out /opt/keys/prosody/brainonfire.net/csr.pem -key /opt/keys/prosody/brainonfire.net/privkey.pem -new -sha256 -subj "/CN=brainonfire.net"
    cp /opt/keys/prosody/brainonfire.net/privkey.pem /etc/prosody/certs/brainonfire_net.NFSN-LE.key
  2. Copy the CSR to the web host.
  3. Set up the dehydrated ACME client config with an appropriate BASEDIR -- certs will go in here, as will registration.
  4. Register with Let's Encrypt: /usr/local/bin/dehydrated --register --accept-terms --config path/to/dehydrated.config
  5. Create a script (create cron job to run once a month) that will ship the certs off to the Jabber server:
    . "$CO/dehydrated.config"
    mkdir -p -- "$BASEDIR"
    /usr/local/bin/dehydrated --signcsr "$CO/brainonfire.net-csr.pem" \
                              --config "$CO/dehydrated.config" \
                              --domain brainonfire.net \
                              --full-chain \
                              > "$BASEDIR/latest-chain.pem"
    /usr/bin/scp -i /home/private/sync/cert-oracle/ID_certs-to-kibble \
      -P 8443  \
      "$BASEDIR/latest-chain.pem" \
  6. On Jabber server, create a script (set to run daily) that will install the cert and restart Prosody if it has changed:
    function install {
      hash_src=`sha256sum < "$1"`
      hash_dest=`sha256sum < "$2"`
      if [[ "$hash_src" = "$hash_dest" ]]; then
        echo "Not installing file, hasn't changed: $1 -> $2"
        return 2
      echo "Installing file: $1 -> $2"
      touch -- "$2"
      chown prosody:prosody -- "$2"
      chmod o= -- "$2"
      cat < "$1" > "$2"
      return 0
    if install "$src_dir/latest-chain.pem" "$dest_dir/brainonfire_net.NFSN-LE.chain.pem"; then
      echo "Restarting prosody"
      service prosody stop
      service prosody start
      echo "Nothing to do"
timmc: (Default)
2017-03-15 09:12 pm

What should I name my sandstorm server?

For a few months now I've been running a Sandstorm server, which effectively produces a website with an app store. Invited users can install apps and create instances of them ("grains") in a couple clicks, including dropboxes, chatrooms, concurrently-editable documents (Etherpad), and photo galleries. There are some pretty cool sharing features, with granular permissions.

I'd like to offer this as a service to my community -- friends, housemates, neighbors, maybe a couple degrees out. I still have some work to do in making the service "safe to use" (automated backups, own TLS cert, etc. -- there's a checklist.) Beyond backups, I don't think I'll be able to promise any particular level of Availability, running it on a residential internet connection, but I do want to put some work into the other two main infosec categories: Confidentiality and Integrity.

But there's also one big step remaining: Picking a domain name! Right now I'm using the free sandcats.io service because it offers wildcard DNS and TLS certs (Let's Encrypt won't work, here). I don't want to change the domain *after* offering the service around, because Sandstorm doesn't have a way to automatically redirect if called with the wrong domain name, and I don't want to set up the necessary nginx or haproxy redirect, with the concomitant cert wrangling. Gotta do it now.

I'm thinking something like https://apps.timmc.org. Sandstorm is an unusual product, so I want to communicate "this is a lot like phone apps". (Actually, a lot more secure than phone apps, since all the apps are sandboxed away from each other.) Or maybe https://community.timmc.org since it's a community offering. AT suggested https://sandstorm.timmc.org -- make it really specific. Anything else I should be thinking of?

timmc: (Default)
2014-02-09 12:03 pm

Gauging interest: Repair & Crafts Night?

I'm thinking of hosting an afternoon or evening event where people bring crafts they've been meaning to work on or items they've been meaning to repair. For instance, I have some pants to patch, a wooden tortilla press to build, and a chair whose seat needs re-caning. By holding an event, I'd like to arrange for three things:

  • If I bring together people who like building/repairing things, they will be able to pool knowledge and tools to mutually support each other's projects.
  • There would be social pressure to actually get shit done instead of getting distracted by YouTube and the like. (There's no TV in our living room, and I would ask people not to use their pocket TVs either.)
  • An excuse to have relaxed social time with friends.

So, this post is to gauge interest and work out scheduling. Here are some prompts; answer as many or as few as make sense to you.

  1. Would this be of interest to you? (What about some variation that you think would be better?)
  2. What are your scheduling preferences? (Weeknight, weekend morning/afternoon/evening.)
  3. What sorts of projects would you like to bring? What sorts would you like to help with?
  4. Are there any tools you would need that you don't have? Are there any tools you could bring that someone else might need?

This would be in the 2nd floor living room at our house in lower Allston. We also have a basement work area, complete with bandsaw of unknown usefulness and a random assortment of hand tools.

I'm also sending this out as an email, but I actually don't know either the LJ/DW names or the email addresses of many of my friends and acquaintances! So I've almost certainly left out some folks by accident -- if you know a friend who didn't get this and really should, feel free to pass it along!