Using Let’s Encrypt with getssl and minimal root usage #letsencrypt

Let's Encrypt is an amazing initiative to have X.509 certificates for your website, or even your email servers, but most instructions just tell you to run (some more some less) complicated programs as root in order to run the periodic certificate renewal workflows, and that is sub-optimal as it substantially increases the number of attack vectors your already exposed system is susceptible to.

This article is just a way to enjoy the benefits of Let’s Encrypt while minimizing the need for root privileges in your system,and thus keeping it reasonably secure, and this example is doing it with getssl (don’t be scared it hasn’t changed much for some time, they’re working on the new APIv2 support).

It’s taking in account a typical CentOS/Red Hat 7 server, your mileage might vary with other systems but it should mostly be the same.

You can start setting up your environment by adding a non privileged user, let’s say… acme… who will run the renewal workflow:

# useradd acme

Then you can proceed to installing getssl and setting up directories for your files:

# curl https://raw.githubusercontent.com/srvrco/getssl/master/getssl > /usr/local/bin/getssl
# chmod 0755 /usr/local/bin/getssl
# mkdir -p /etc/letsencrypt/acme/ssl.{crt,key,pem}
# chown -R acme:acme /etc/letsencrypt/acme
# chmod -R 0755 /etc/letsencrypt
# chmod 0750 /etc/letsencrypt/acme/ssl.{key,pem}
# mkdir -p /var/www/html/letsencrypt/.well-known/acme-challenge
# chown letsencrypt:letsencrypt /var/www/html/letsencrypt/.well-known/acme-challenge
# echo 'letsencrypt yourhostname=NOPASSWD: /usr/bin/systemctl restart httpd' >> /etc/sudoers.d/letsencrypt

That last line adding a sudo rule is part of the magic and the single root command that is executed.  You can also make it restart Postfix, Dovecot, or any other service you use a certificate and that needs restarting in order to take the new certificate.

In order to let you read it all from this article, I’ll borrow the example’s from getssl’s github page and then add in my own suggestions.

Now you want to prepare the environment (as the user acme) for your domain:

getssl -c yourdomain.com

This will create a ~/.getssl/yourdomain.com directory, the main files you want are called getssl.cfg, there’s a global file on ~/.getssl/getssl.cfg and then more specific files per domain, ~/.getssl/yourdomain.com/getssl.cfg

In the main file, ~/.getssl/getssl.cfg, you’ll need to set up the values accordingly to your needs (I won’t dive into how to get an account), but  for this setup you’ll want to change the following:

RELOAD_CMD="/usr/bin/sudo systemctl restart httpd"
ACL=('/var/www/html/letsencrypt/.well-known/acme-challenge')
CA_CERT_LOCATION="/etc/letsencrypt/acme/ssl.crt/lets-encrypt-x3-cross-signed.pem
RENEW_ALLOW="30"

And that RELOAD_CMD right there is part of the magic…

Now edit  ~/.getssl/yourdomain.com/getssl.cfg and change the following:

DOMAIN_CERT_LOCATION="/etc/letsencrypt/acme/ssl.crt/yourdomain.com.crt"
DOMAIN_KEY_LOCATION="/etc/letsencrypt/acme/ssl.key/yourdomain.com.key"

Now all you need is to set up a cron job:

45 6 * * * /home/letsencrypt/getssl -u -a -q

And finally you configure Apache httpd to use the files paths for the CERTificate and its KEY:

(...)
SSLCertificateFile /etc/letsencrypt/acme/ssl.crt/blog.1407.org.crt
SSLCertificateKeyFile /etc/letsencrypt/acme/ssl.key/blog.1407.org.key
SSLCertificateChainFile /etc/letsencrypt/acme/ssl.crt/lets-encrypt-x3-cross-signed.pem
Alias /.well-known/acme-challenge /var/www/html/letsencrypt/.well-known/acme-challenge
(...)

And you’re done: the cron job will run every day, and when you reach the 30 days to renew threshold your certificate will be renewed with minimal root usage.

 

Stallman’s great talk on surveillance

When did the great Richard Stallman start using slides?

Well, I don’t mind, they’re cute and funny!

image

“Should we have more surveillance than the USSR?” is a highly recommendable talk!

I’ll update this post later with more photos.

#ilovefs – I 💕 Free Software

#ilovefs

Hey, it’s that time of the year when some megafuck dudes drop the strongest advertisement campaigns for selling chocolates, perfumes and flowers to your sweetheart!

But never fear! As usual in the world of Free Software, we like to turn things around 180º to turn around the evil powers into good powers and give a much better meaning to things.

As the GNU GPL and the copyleft movement have used copyright’s powers to bestow upon us the wonders of software freedom, let’s now turn this horrid day into a day of celebration of our love for Free Software.

Thank you all Free Software developers out there! I love your work and hope to be able to stand on your giant shoulders.

Love ya! 🙂

pam_ipahbac (and why not pam_hbac)

ipahbacThose implementing FreeIPA (possibly in the enterprise ready version called Red Hat Identity Management) in a hybrid environment (meaning… not just recent GNU/Linux operating systems but particularly including AIX and Solaris) may have noticed the lack of support of an essential component in AIX and Solaris: Host Based Access Control (HBAC).

Without HBAC support, when you join a server to a real every single enabled user will be able to login into that server, which just might not be what you want, specially in more “”””enterprise“””” (please do notice the several quotes) environments with different servers having different access roles (developers can go into development servers but not into application life-cycle, operations people not having to logon to developement servers, system administration teams, security officers, etc…).

Some applications sort of implement HBAC by letting you restrict the users that can log into them, but that is definitely not elegant as it defeats the purpose of HBAC: a centralized place where one can define such access rules.

Being a PAM module it needed to have a few features:

  1. KISS: it doesn’t have to do much more than get the rules, give success on the first match or just deny for any other reason
  2. be secure: be not fancy, worry not about UNICODE, do not worry about supporting the kitchen sink, etc. This means:
    1. most AIX and Solaris environments do not have special characters like ç or ó or µ, and actually user logins are short in length, so a design strategy was to make this module extremely restrictive about the character set it allows, UNICODE is awesome but it’s also a sea of unexpected security issues;
    2. do not over-engineer in libraries and sub-files, just implement the PAM groups it needs, do a simple ldap query, navigate through the results, reply to PAM with allowed or denied
    3. I definitely do not mean to imply pam_hbac is not secure, only that it’s a critical focus on pam_ipahbac

If in the future such fancy use cases that need these things come up, then it can be re-evaluated. It’s not set in stone. Just not the focus. Priorities and such.

And this is why pam_ipahbac was born rather than working with pam_hbac.

I believe jhrozek’s module to be much more advanced, but I also believe in the above principles, and the primary focus of this module is to work in AIX and Solaris so those plagued with those systems can at least use the awesome Free Software that FreeIPA is.

Also, because it’s fun to father some code.

Happy hacking!

Giving up on pump.io

For years I’ve been bravely maintaining a pump.io instance residing at https://p.1407.org/ even though the project has some unhealthy red flags, the most important of which are no development community and definitely not even great involvement from its own father.

I think Evan is an awesome guy, but sadly pump did not gain traction. I’m afraid of running web software that is so unmaintained.

I don’t believe it is secure, no software is, specially secure enough to go on for almost an year without patches (and let’s not dwelve on how few there had been previously):

Screenshot from 2015-05-03 14:59:27

It’s not lightly that I do this, and it’s actually with a lot of sorrow that I’m retiring it.

It’s html5 web interface means it’s very hard to make a static version, and I’ve never shared anything so significant in it that I’ll be sad to let it go.

I’ll keep a backup but, I’m sad to say, I simply can’t take it anymore and it’s time for much due housekeeping. 🙁

Mind your webserver’s timeout! #owncloud

When Owncloud 7.0.0 came out I tried to upgrade my 6.0.4 instance and failed miserably and silently.

When 7.0.1 came out, the same thing happened, but this time I happened to notice the HTTP Result Code 502, timout… that was happenning in the frontend and not in the instance, for some reason I didn’t think of looking there first (maybe because I only did it very late both times).

So I increased Apache’s TimeOut directive to a safe 900 seconds and now everything went fine.

Meanwhile, Björn Schießle from Owncloud gave me a very nice tip, for those who control the server and can ssh into it, one can do the upgrade with:

./occ upgrade

So there you go, nice and useful tips, two in one post. 🙂

#ASUS tries to fool me about #windowsrefund #microsoft #tax strong in Portugal…

Remember when I though it was fishy that I should start the computer in order to get my wife’s laptop reimbursed on the Windows we unwillingly were forced to pay?

So ASUS insists on this unbelievable process of activating the Windows license, and when I ask for a policy document or confirmation you know what happened? The same guy confirmed his own words to me… feels like a trust me on a movie, and we always know where those famous last words lead, ie, the other party being sorry they gave trust.

Since I’m not willing to go around in a back and forth for much longer, I just demanded proof of the policy, pulling a screen shot from the Windows license where it’s explicitly said that if I don’t agree I can’t use the computer, it’s in Portuguese in the screen shot below, but it roughly translates to…

If The Customer doesn’t accept and doesn’t fulfill these terms, he won’t be able to use the software nor it’s features

IMG_20140712_155238I gave them until July 15th at 00:00 to comply, under penalty of, for all due effects, ASUS agreeing that I don’t use nor plan to use Microsoft Windows and that it will process my due reimbursement.

Finding out how to get a #windowsrefund for an #Asus laptop in #Portugal

So I’m finding out how to get a Windows refund (also known as the Microsoft Tax) for an Asus laptop in Portugal, not because it’s fun, but because we don’t want no Microsoft in our home.

We’re a Free Software home! We want our hardware Microsoft free, here, see?

I already got my Windows refund for my Samsung NP900X3C, but a couple of weeks ago my significant other’s laptop broke and we’ve been keeping an eye out for one that would be good enough, cheap enough, and so we found this Asus NoteBook F200. It’s not a power horse, but she has significantly lower spec needs, nor demands hardly as much as I do from these wee beasties.

These laptop in particular cost exactly 349 €. I got 46.03 € out of Windows 7 Home Professional on the Samsung so I expect to get quite a bit more than that for Windows 8.1. It’s only been about 6 months so it’s reasonable to expect a decent refund.

But consider this: if I got exactly the same value back, it would mean the Microsoft Tax costs 11% of the laptop. Yes, you heard me well, it would be almost exactly as expensive as a netbook while being much more powerful. Interesting… felling robbed yet?

Fortunately she’s not as geek as I am so although she’s anxious to start using it, she’s patient enough to get the Windows refund. She knows it’s possible, she witnessed it first hand in her own household, so of course she wants it too 🙂 and that gives me some leeway in the time it could take following all the cautiousness of the first steps:

  1. Buy laptop but don’t open it
  2. Call support, they’ll send me their requirements
  3. Find out that even though they spelled out my email perfectly, they misspelled it when they pressed send. hmms….
  4. Call support again, next morning, complain about 3, got fishy instructions by voice, demanded the email and finally got it.

So the email goes like this:

Dear customer.

Case number: #########

Please, reply to this email attaching a copy of the purchase receipt, copy of the first page of the warranty certificate, where there is the serial number and, as explained on the phone, after activating Windows, a screenshot of the system properties where one can verify its license number.

As soon as we receive it, we’ll begin the refund process for the value of Windows.

We’ll be waiting.

Attentiously,

ASUS Iberia.

Erms… activating it??? I did ask for clarification on the phone, because that used to be a big no-no previously, but he reassured me it’s different with Windows 8.

Well, now I have it in writing… so I’ll be letting you know.

#Infarmed tem oportunidade rara com #SoftwareLivre

Boa tarde

Chamo-me Rui Seabra e presido a direção da Associação Nacional para o Software Livre, pelo que gostaria de chamar à atenção do Infarmed este tema.

Li no Tugaleaks que o Infarmed pagou para criar um software que deve funcionar em  iPhones e iPads e em devices Android (telefones e tablets), mas é acusado lá de ter alguns problemas sérios e talvez até fora da lei.

É importante salientar que no que li no caderno de requisitos que consta a obrigação legal de cumprir a Lei das Normas Abertas e que «todo o código produzido no âmbito do presente projeto é propriedade do Infarmed». Um pequeno à parte: isto não é lei da propriedade industrial não há aqui nenhuma invenção, o que se aplica é, sim, a lei do direito de autor e direitos conexos.

O Infarmed tem aqui uma oportunidade rara de sanar os problemas de que é acusado no Tugaleaks transferindo todo este código sob a licença, por exemplo, GNU GPL v3 ou superior para o SVN.GOV.PT, um projeto da Agência para a Modernização Administrativa, e assumindo o dinheiro pago como um investimento na criação de um programa livre que ainda não existia.

Estes dez mil euros poderiam ter sido investidos com o intuito de publicar os códigos fonte desta suite de aplicações e permitir que a sociedade civil participasse em desenvolvimentos futuros, melhorando a aplicação em futuras versões, talvez até sem muito mais investimento do Infarmed (naturalmente alguém deveria fazer algum Q&A das versões futuras que o Infarmed opte por utilizar).

A primeira versão pode não ser suficientemente adequada, mas pode perfeitamente ser melhorada, especialmente se todos pudéssemos ajudar.

Aceitará o Infarmed tal desfio?  Quer a nossa ajuda?

Os melhores cumprimentos,
Rui Seabra

Musings on #Heartbleed

Several thoughts have been on my mind about #heartbleed. You may have heard similar thoughts about it, but I’d like to add my own.

Ah… nothing like checking the news in the morning, feels like… ah… a bug in OpenSSL, let’s check it out… OMFG… By 10:00 I was already applying patches to vulnerable (and exposed) servers all around, processes be damned!

Is Free Software security tarnished?

Absolutely not!

Let me start by the first thing you should take in mind: you’re better off than with proprietary software and this bug proves it, few could have said as well as Sam Tuke of FSF Europe did, there are also a few words from Simon Phipps and Eric Raymond.

In a gist, there are several instances of just as serious bugs, and many much more serious, on proprietary software. Even in the field of network security. And those are just the tip of the iceberg, those that were guessed and not found.

This bug had patches available within few hours of being published available to those affected.

Several documented flaw finding studies have been made, guess who turned out better in every single one of them in average? Yes, Free Software. Proprietary software has constantly been found to have, in average, more bugs, more security bugs, more delayed patch releases, etc..

Update (2014/04/13): Also, an even such as this one prompted an independent audit review from the OpenBSD people, here’s another bug in OpenSSL that has been fixed there, proving once again how Free Software works to make software more secure:

  1. you can do independent and public audit reviews
  2. you can push fixes for what you found publicly on the Internet
  3. anyone can take advantage of those changes thus maximizing the effect

Now imagine such a bug happened in Microsoft’s crypto…

  1. you can’t do independent audit reviews
  2. you can’t push fixes for what you found publicly on the Internet
  3. nobody but Microsoft can make a fixes Microsoft crypto library

Replace Microsoft by whomever you prefer above, they’re just an easy target. 😉

Exposure

Here’s the most detailed timeline of public information on the bug that I found.

Yes, the code was there for about two years, but the exposure was not that big. It was big, about a fifth of the “secure” web. Unfortunately, lots of very popular websites were exposed, so the general recommendation is: don’t assume they’re safe, change your passwords everywhere.

Why wasn’t it bigger? Because not everyone runs the latest releases, lots of GNU/Linux distributions have more conservative approaches to running recent software. Take in point Red Hat Enterprise Linux and it’s derivate distributions.

Only since the 6.5 release, released in late November last year, did updated Red Hat (and derivatives) installations become exposed. CentOS followed a about a couple of weeks later.

Ironically, this bug affected the most efficient system administrators who had kept their systems updated 🙂

But many run their services in, for instance, Red Hat Enterprise Linux 5 (and derivatives) which is completely unaffected by this bug. Same for other software.

Even those who run the major 6.5 release could be totally unaffected, if they used NSS instead of OpenSSL with Apache, for instance.

In short: it was big, but not catastrophically big.

Also affects proprietary software!

What? How could this be? Isn’t OpenSSL Free Software? Well, yes, yes it is, but it is licensed in such a way that permits proprietary derivative versions.

They should be safer, right? Hi Cisco and Juniper… I’m sure there are others. I wonder if they’ll be at least honest enough with us… I urge people to check their ultra-expensive and highly proprietary  Web Application Firewalls, Load Balancers, Proxies… etc…

All your keys are belong to US!

9 out of 10 SSL certificates are under indirect control of the US Government. Think Patriot, NDAA, National Security Letters, Secret Courts with Secret Interpretations, people and companies coerced under threat of being formally accused of treason if they don’t cooperate or if they talk about it.

Even if #heartbleed can really lead vulnerable  software to leak the private keys, you should renew your certificates under a non-american CA.

Really, don’t make it easy for them, they don’t deserve that, your customers don’t deserve that, your friends and family don’t deserve that.

Change management be damned!

If you ever have an axe to grind about ISO 20000, ITIL or similar brain dead efficiency killers, specially when implemented by complete and utter idiots, now you can have some revenge.

It is a bug of such seriousness that I recommend to screw the change management processes. Update now if you are affected or change your career because you either are managed by complete and utter idiots or you don’t take it seriously enough.

Places that have enough good sense will allow you to run the Emergency Change process by your ECAB after the fact for such serious situations.

Take advantage of that, this is such a case.

Conspiracy theories

Unlike some suggested, it appears to be an honest mistake that neither the developer nor his reviewers did spot, and they felt quite embarrassed:

The author of the bug, Robin Seggelmann,[78] stated that he “missed validating a variable containing a length” and denied any intention to submit a flawed implementation.[79]

Theo de Raadt, OpenBSD’s founder, said «OpenSSL is not developed by a responsible team», but I doubt they’ll bother implementing a new SSL library. I wonder what they’ll do though… but are likely making an independent review.

Prophecy come true!

Poul Henning-Kamp’s hilarious ending keynote of FOSDEM 2014 pretending to be an NSA agent speaking of Operation Orchestra, calling it a crown jewel:

  • Crown jewel: OpenSSL
  • Go-to library for crypto services
  • API is a nightmare
  • Documentation is deficient and misleading
  • Defaults are deceptive

We need to ask him where he has found spice… he certainly seemed like he had blue eyes and #Heartbleed was truly a Crow Jewel for…

…The NSA

No such agency had such a duty to find a serious bug like this one and responsibly proceed to get it fixed ASAP as it was affecting its nation like the National Security Agency had.

There are innuendos that the NSA knew about heartbleed for a long time. They certainly have the expertise and the budget to have found it, but they did deny any knowledge or exploit for years, in fact that they didn’t know about it before April.

Of course, no one can trust the NSA anymore because they have been proven invested into breaking security for everyone, so they could be lying in order to cover their asses after such a monumental fail in protecting their own country’s security.

Or they could have just been doing it for less than two years, like one year and 364 days, not yet years (plural), right?

One never can tell, and that’s symptomatic of a very botched organization.

Is Microsoft involved?

I don’t know. It’s certainly fishy that:

  • The publication date coincides with the death of Windows XP. It could be called a distraction manouver, so that people get scared of moving away from Windows XP into a GNU/Linux… it certainly has been effective at crying wolf in big media outlets
  • Codenomicon is run by a Microsoftie, well, ex Chief Security Officer of Microsoft, but those kinds of people tend to leave the companies with strong lobbying and partnership relations in their next ventures with the big mothership
  • It is documented that Microsoft has been a faithful collaborator of the NSA for many years, even to the point of maybe having a dedicated backdoor

Maybe it’s just coincidence. Maybe

OpenSSL is grossly unappreciated

They few OpenSSL developers are highly dedicated people that don’t exactly live well off of it. In fact, the importance of OpenSSL is disproportionately unappreciated, specially in a financially rewarding form.

Fortunately, the devlopers do it more out of other rewarding factors, like responsibility and pride.

Conclusions

  • It’s one of the most serious security bugs in the history of the Internet
  • Use any of the available mitigations if you’re affected (upgrade, recompile disabling the feature, downgrade, change software)
  • More people (specially corporate companies making money with OpenSSL) should donate mone to the OpenSSL Software Foundation
  • I don’t remember writing such a long post, it’s probably very flawed, I accept patches, comment below 😉