

Letsencrypt kung-fu

Let’s Encrypt’s CLI client is by far the shittiest software ever invented, there is probably no doubt about it, but sadly it’s the only interface that is supported, and unless you want to pay money for an SSL certificate you need to live with that.

First of all – yes, their client (without asking or telling you) WILL run sudo, WILL use root and most likely WILL install garbage on your server that you don’t want there. If you have never used the letsencrypt client before, run it on a testing VM first, before it desecrates your favorite web server with random garbage you don’t want there.

The letsencrypt client is written for dumb people, and it is based on undocumented black magic that I will try to uncover here a bit. The client basically works with a component called “certbot”, which is software that runs on your server and does something to prove that you really own the domains for which you want to generate your SSL certificate. Because the letsencrypt staff don’t want to bother you with technicalities, they created this crap of a software to deal with them for you, in their own way, like it or not. It uses the so-called ACME (Automatic Certificate Management Environment) protocol to verify that you are the owner.

This thing is not rocket science. In a nutshell, all it does is publish some data used to prove your ownership through your web server, usually located in webroot/.well-known; their counter-party server then tries to fetch it by accessing your.domain/.well-known. In order to make it possible to verify your domain without modifications to your web server, all you need to do is create a central webroot and then symlink every domain webroot to this one (just ln -s /var/www/letsencryptshite/.well-known /var/www/your.uber.tld/.well-known).

Once you do that, always pass these 2 parameters to their “software”:

I also strongly recommend that you maintain a comma-separated list of all domains for which you want to get your certificate and store it somewhere like /etc/letsencrypt/domains, because you will need to provide this list very often.
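One way to script the central-webroot setup described above, as an added example (not the post’s own commands, which are missing from this page): it reads the domain list, symlinks each docroot’s .well-known at the central one, and builds the certbot call. The paths /var/www/letsencryptshite and /etc/letsencrypt/domains are the post’s; the /var/www/<domain> docroot layout and the certbot flags used (certonly, --webroot/-w, --expand, -d) are my assumptions about how the client is invoked, and note that the HTTP-01 challenge path is /.well-known/acme-challenge/ (with a hyphen).

```python
"""Central ACME webroot + per-domain symlinks + certbot call (added example)."""
import os
import subprocess

CENTRAL = "/var/www/letsencryptshite"      # central webroot from the post
DOMAIN_LIST = "/etc/letsencrypt/domains"   # comma-separated list from the post
WELL_KNOWN = ".well-known"                 # HTTP-01 files live under .well-known/acme-challenge/


def read_domains(path):
    """Parse the comma-separated list; tolerate newlines, spaces and trailing commas."""
    with open(path) as fh:
        raw = fh.read().replace("\n", ",")
    return [d.strip() for d in raw.split(",") if d.strip()]


def domain_args(domains):
    """['a.tld', 'b.tld'] becomes ['-d', 'a.tld', '-d', 'b.tld'] for certbot."""
    return [arg for d in domains for arg in ("-d", d)]


def ensure_wellknown_link(central, docroot):
    """Point <docroot>/.well-known at <central>/.well-known, like the post's ln -s.
    Repairs a stale link but refuses to clobber a real directory. Returns the link path."""
    os.makedirs(os.path.join(central, WELL_KNOWN, "acme-challenge"), exist_ok=True)
    link = os.path.join(docroot, WELL_KNOWN)
    target = os.path.join(central, WELL_KNOWN)
    if os.path.islink(link):
        if os.readlink(link) != target:
            os.unlink(link)
            os.symlink(target, link)
    elif os.path.exists(link):
        raise FileExistsError(f"{link} is a real directory; not replacing it")
    else:
        os.symlink(target, link)
    return link


def certbot_command(domains, central=CENTRAL):
    """certonly via the webroot plugin; --expand lets an existing cert pick up added names."""
    return ["certbot", "certonly", "--webroot", "-w", central, "--expand"] + domain_args(domains)


if __name__ == "__main__":
    names = read_domains(DOMAIN_LIST)
    for name in names:
        ensure_wellknown_link(CENTRAL, f"/var/www/{name}")  # assumed docroot layout
    subprocess.run(certbot_command(names), check=True)
    subprocess.run(["systemctl", "reload", "apache2"], check=True)  # new cert is read on reload
```

Apache only follows the symlink if the vhost’s docroot has Options FollowSymLinks (or SymLinksIfOwnerMatch), and certbot must be allowed to write into the central webroot.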

Now a little cheat sheet:

Renewing all domains

This can even be in your cron

You may need to restart or reload your web server after doing this, since the certificate will be overwritten and Apache seems to keep using the old one until it is reloaded.

Adding or removing a domain and regenerating the certificate

Modify your /etc/letsencrypt/domains list and run

Common locations:

/etc/letsencrypt – root of this thing’s config

/etc/letsencrypt/live – symlinks to the current certificates; that’s where you find the chains for your domains

Example apache config that uses letsencrypt cert

Is internet ready for IPv6?

No, it’s not. Why?

I did an experiment, as I was curious how ready various internet sites and service providers are for IPv6, by setting up a computer that supports IPv6 only. That means all sites which were not available over IPv6 simply didn’t work.

Pretty much every site didn’t work, with a few exceptions. Google, Facebook and most Linux web pages (like debian.org) work just fine. Apart from these, even most major websites, such as Twitter, don’t support IPv6 yet and are completely inaccessible without IPv4.

Here is a short list of examples:

Major websites that support IPv6:

  • wikipedia.org
  • google.com
  • facebook.com

Major websites that can’t be accessed without IPv4:

  • github.com
  • twitter.com
  • bbc.co.uk
  • microsoft.com
  • ubuntu.com

What is IPv6 and why should servers support it? From Wikipedia:

Internet Protocol version 6 (IPv6) is the most recent version of the Internet Protocol (IP), the communications protocol that provides an identification and location system for computers on networks and routes traffic across the Internet. IPv6 was developed by the Internet Engineering Task Force (IETF) to deal with the long-anticipated problem of IPv4 address exhaustion. IPv6 is intended to replace IPv4.

In a nutshell: it’s a new version of the internet protocol that will replace IPv4 someday. The main reason for it is the low number of IPv4 addresses, because the protocol was invented in 1980 by engineers who never expected the internet to grow to this size. IPv4 supports less than 4,294,967,296 network addresses, which may look like enough to some, but is actually a very small number given the number of network-enabled devices out there (every modern TV, mobile phone or PC).

It’s totally possible to connect many more devices to the IPv4-based internet, but only as long as they are grouped behind NAT with shared IP addresses. This works for regular users who don’t need much from the internet, but definitely not for advanced users who want to use the internet to provide services to others, or for those who want their devices to be easily reachable from anywhere.

Right now a public IPv4 address is something that actually has some value: you have to pay for it if you want one. IPv6 addresses are so cheap that most ISPs will give you a whole range of public IPv6 addresses for free.

That means that sooner or later various people will start up services (web servers, game servers and so on) that are available only over IPv6, because they need public addresses but don’t want to pay for them, and with IPv6 they don’t have to.

These IPv6-only servers would not just be available only to people with IPv6; they would also only be able to connect to machines (and other servers) that support IPv6. And that is the reason why your system should be IPv6 ready.

How do I check if my website works on IPv6?

It’s easy, just run this ipv6 test

If it doesn’t, don’t worry. Anything like a “switchover” to IPv6 isn’t going to happen any time soon, so there is still plenty of time. Regular users will (have to) keep using IPv4 for a very long time…
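To repeat the post’s experiment from any machine, here is an added example (my code, not the linked ipv6 test): it checks what address families DNS offers for a host and then attempts a TCP connect over IPv6 only, which is what the IPv6-only computer in the post effectively did. The sample host list is constructed from the names in the post and needs network access; the classification function itself runs offline.

```python
"""IPv6-only reachability probe, written for this post (not the linked ipv6 test)."""
import socket

# Constructed sample: hostnames the post sorts into its two lists.
SAMPLE_HOSTS = ["wikipedia.org", "google.com", "github.com", "twitter.com", "bbc.co.uk"]


def address_families(host, port=443):
    """Return the set of address families DNS offers for host, e.g. {'inet6', 'inet'};
    an empty set if it resolves to neither, or None if the name does not resolve at all."""
    try:
        infos = socket.getaddrinfo(host, port, socket.AF_UNSPEC, socket.SOCK_STREAM)
    except socket.gaierror:
        return None
    names = {socket.AF_INET6: "inet6", socket.AF_INET: "inet"}
    return {names[fam] for fam, *_ in infos if fam in names}


def classify(families):
    """Label a host the way the post's lists do, from its address families."""
    if families is None:
        return "unresolvable"
    if "inet6" in families:
        return "ipv6-ready"
    if "inet" in families:
        return "ipv4-only"
    return "no-address"


def connect_ipv6_only(host, port=443, timeout=5.0):
    """Mimic the IPv6-only machine: TCP connect using AF_INET6 addresses only.
    An AAAA record alone is not proof; the service also has to answer on it."""
    try:
        infos = socket.getaddrinfo(host, port, socket.AF_INET6, socket.SOCK_STREAM)
    except socket.gaierror:
        return False
    for family, socktype, proto, _canon, sockaddr in infos:
        sock = socket.socket(family, socktype, proto)
        sock.settimeout(timeout)
        try:
            sock.connect(sockaddr)
            return True
        except OSError:
            continue  # try the next AAAA address, if any
        finally:
            sock.close()
    return False


if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        verdict = classify(address_families(h))
        if verdict == "ipv6-ready" and not connect_ipv6_only(h):
            verdict = "AAAA record, but no answer over IPv6"
        print(f"{h:16} {verdict}")
```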