Raspberry Pi and SSL certificate using Let’s Encrypt

Source: https://pimylifeup.com/raspberry-pi-ssl-lets-encrypt/

Installing and Running Lets Encrypt

1. If you are running Raspbian Stretch or later you can skip down to step 5 of this tutorial, as the package we will be using to set up SSL on our Raspberry Pi is available in the Raspbian Stretch repository.

However, if you are running Raspbian Jessie you will have to follow the next four steps to install the SSL client Certbot on your Raspbian Jessie installation. Alternatively, you can upgrade from Raspbian Jessie to Stretch by following our easy guide and then skip to step 5.

Before we get to installing the Let’s Encrypt Certbot software on Raspbian Jessie, we first have to adjust our sources.list so that we can access the jessie-backports branch.

We need to add this because Certbot is not available on Raspbian Jessie by default. Be warned, though, that the backports repository contains software that isn’t as thoroughly tested.

Begin editing the sources.list file by using the following command in the terminal:

sudo nano /etc/apt/sources.list

2. At the bottom of this file, add the following line. It tells Raspbian where to go looking for packages.

deb http://ftp.debian.org/debian jessie-backports main

Once done, save and exit by pressing CTRL + X, then Y, then Enter.

3. Since the public keys for the new packages are not available by default, we have to fetch them and add them to the package manager. We can grab both public keys we need with the following four commands:

gpg --keyserver pgpkeys.mit.edu --recv-key 8B48AD6246925553
gpg -a --export 8B48AD6246925553 | sudo apt-key add -
gpg --keyserver pgpkeys.mit.edu --recv-key 7638D0442B90D010
gpg -a --export 7638D0442B90D010 | sudo apt-key add -

4. With the repository now added to our sources list, we need to run an update to grab the latest package list. We can do that with the following command:

sudo apt-get update

5. Now that you are ready to install the Let’s Encrypt software onto your Raspberry Pi, follow the instructions for either Raspbian Jessie or Raspbian Stretch.

Raspbian Stretch and Later

Apache

sudo apt-get install python-certbot-apache

Everything Else

sudo apt-get install certbot

Raspbian Jessie

Apache

sudo apt-get install python-certbot-apache -t jessie-backports

Everything Else

sudo apt-get install certbot -t jessie-backports

6. With Certbot finally installed we can proceed with grabbing an SSL certificate for our Raspberry Pi from Let’s Encrypt. There are a couple of ways of handling this.

If you are not using Apache you can skip this step. If you are using Apache, the easiest way of grabbing a certificate is by running the command shown below; this will automatically obtain the certificate and install it into Apache’s configuration.

Before you do that, you will first have to make sure ports 80 and 443 are forwarded to the Raspberry Pi. Also, if you are using Cloudflare as your DNS provider you will need to temporarily bypass it, as it hides your real IP address.

certbot --apache

7. If you are not running Apache there are two different ways we can go about grabbing a certificate from Let’s Encrypt. Thanks to the Certbot software, we can grab the certificate using its standalone Python web server.

Alternatively, if you are running another web server such as NGINX, we can use its web root to grab the certificate. You will, however, have to set up the certificate manually once it has been obtained.

Go to step 8a if you are not running another web server, otherwise go to step 8b.

8a. Using the standalone built-in web server is incredibly easy, though first you have to make sure port 80 is unblocked and forwarded. Make sure you replace example.com with the domain name you intend to use.

certbot certonly --standalone -d example.com -d www.example.com

8b. Using the web root requires a bit more knowledge than using the built-in web server. Make sure /var/www/example points to a working website directory that can be reached from the internet. Also make sure to replace example.com with the domain name you are using for your website.

certbot certonly --webroot -w /var/www/example -d example.com -d www.example.com

9. After running these commands, you will be prompted to enter some details, such as your email address. Let’s Encrypt requires this to keep track of the certificates it issues and to contact you if any issues arise with the certificate.

Once you have filled out the required information it will proceed to grab the certificate from Let’s Encrypt.

If you run into any issues, make sure you have a valid domain name pointing at your IP, make sure ports 80 and 443 are unblocked, and finally, if you are using Cloudflare as your DNS provider, make sure it is currently set to bypass its servers.

The certificates that Certbot obtains are stored in the following folder (swap example.com for your own domain name):

/etc/letsencrypt/live/example.com/

You will find both the full chain file (fullchain.pem) and the certificate’s private key file (privkey.pem) within this folder. Make sure you don’t allow others to access these files, as they are what keep your SSL connection secure and identify it as a legitimate connection.

With the files now successfully grabbed, you can proceed to set up any piece of software you need to use them. For instance, if you want to set up NGINX to use the SSL certificates, follow our Raspberry Pi SSL NGINX guide below.

Using your new SSL Certificate with NGINX

1. Begin by opening your NGINX configuration file. These are typically stored in /etc/nginx/ or /etc/nginx/sites-available/.

Once you have found your configuration file, open it using your favourite text editor (mine is nano). Within the file, search for a text block like the one displayed below. Make sure you swap our example.com for the domain name that you are using.

server {
        listen 80 default_server;
        listen [::]:80 default_server;

        root /usr/share/nginx/html;
        index index.html index.htm;

        server_name example.com;

        location / {
                try_files $uri $uri/ =404;
        }
}

2. We need to make some changes to this block. Follow our steps and read our explanations of why we are making each change below.

Find

listen [::]:80 default_server;

Add Below

listen 443 ssl;

This change tells NGINX to start listening on port 443. Port 443 is the port that handles HTTPS/SSL traffic, and it is the port web browsers connect to when you use https://.

Find

server_name example.com;

Add Below

ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

This change tells NGINX where to find our certificate files. It will use these to set up the SSL/HTTPS connection.

The private key is what secures the actual connection. Only your server should be able to read this file, and it must be kept secure; otherwise people could potentially intercept and decrypt your traffic.

The full chain contains all the information needed to talk to the server over the HTTPS connection, as well as the information needed to verify that it is a legitimately signed certificate.

3. With all those changes done, you should end up with something similar to what is displayed below. Of course, make sure you replaced example.com with your own domain name.

Once you are satisfied that you have entered the new data correctly, save and quit the file and then restart NGINX so it loads the new configuration.

server {
        listen 80 default_server;
        listen [::]:80 default_server;

        listen 443 ssl;

        root /usr/share/nginx/html;
        index index.html index.htm;

        server_name example.com;

        ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

        location / {
                try_files $uri $uri/ =404;
        }
}
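The block above makes NGINX listen on 443, but it keeps serving the site over plain HTTP on port 80 as well and accepts whatever TLS versions the NGINX build defaults to. The configuration below is an added example, not part of the original guide: it splits the site into a port 80 block that only serves the Let’s Encrypt challenge path (so certbot certonly --webroot renewals from step 8b keep working) and redirects everything else to HTTPS, and a port 443 block that restricts protocol versions and adds an HSTS header. The domain and the web root /var/www/example are the guide’s placeholders; replace both.

```nginx
# Added example (not from the guide): HTTP block that only answers ACME challenges
# and redirects, plus an HTTPS block with restricted protocol versions.
server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name example.com www.example.com;

        # Keep the HTTP-01 challenge path reachable for "certbot certonly --webroot" renewals
        location /.well-known/acme-challenge/ {
                root /var/www/example;
        }

        # Everything else is sent to the HTTPS site
        location / {
                return 301 https://$host$request_uri;
        }
}

server {
        listen 443 ssl;
        listen [::]:443 ssl;
        server_name example.com www.example.com;

        root /usr/share/nginx/html;
        index index.html index.htm;

        ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

        # TLS 1.2 only; add TLSv1.3 once NGINX is built against OpenSSL 1.1.1 or later
        ssl_protocols TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 1d;

        # Ask browsers to use HTTPS for this host for one year
        add_header Strict-Transport-Security "max-age=31536000" always;

        location / {
                try_files $uri $uri/ =404;
        }
}
```

Run sudo nginx -t before reloading so a typo cannot take the site down. Add the Strict-Transport-Security line only once HTTPS is confirmed working, because browsers will refuse plain HTTP for the host for the whole max-age afterwards.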

4. You should now have a fully operational HTTPS connection for your NGINX web server utilizing the certificate we generated with Let’s Encrypt.

You should now hopefully have a fully validated SSL certificate that is provided to you from Let’s Encrypt! You will find this tutorial pretty handy across a wide range of projects, especially the server based Raspberry Pi projects.

Now, you will need to renew the certificates periodically. The best way I have found for this is to make a cron job like so:

00 0 * * 1 /opt/letsencrypt/letsencrypt-auto renew >> /var/log/letsencrypt-renew.log

followed by a line to reload whatever is using the certificate. If that’s nginx, then you could do:

05 0 * * 1 /etc/init.d/nginx reload
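Step 9 said the private key must not be readable by others, and a renewal job has to be paired with a reload of whatever serves the certificate. The script below is an added example, not from the guide or from the Certbot project, written for the certbot package installed in step 5: it logs a warning if privkey.pem is readable by group or others, runs certbot renew with a deploy hook that reloads NGINX only when a certificate was actually renewed, and then checks that the live certificate has more than 30 days left. The paths and the script name renew-certs.sh are assumptions; --deploy-hook needs Certbot 0.17 or later (older releases only have --renew-hook).

```sh
#!/bin/sh
# Added example, not from the guide or from Certbot: weekly renewal wrapper.
# Paths and the script name renew-certs.sh are assumptions; adjust to your setup.

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/example.com}"   # folder from step 9

# 0 when $1 exists and has no group/other permission bits, 1 otherwise.
# Columns 5-10 of "ls -l" are the group and other rwx flags; -L follows the
# symlinks certbot keeps in live/ so the real key file in archive/ is checked.
key_is_private() {
    [ -f "$1" ] || return 1
    perms=$(ls -lL "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# 0 when the certificate in $1 is still valid for at least $2 more days.
cert_ok_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# certbot renew only touches certificates within 30 days of expiry, so running
# this weekly is fine; the deploy hook runs once per certificate actually renewed.
renew_and_reload() {
    certbot renew --quiet --deploy-hook "systemctl reload nginx"
}

main() {
    status=0
    if ! key_is_private "$LIVE_DIR/privkey.pem"; then
        echo "$(date) WARNING: $LIVE_DIR/privkey.pem is readable by other users"
        status=1
    fi
    renew_and_reload || { echo "$(date) certbot renew failed"; return 1; }
    if ! cert_ok_for_days "$LIVE_DIR/fullchain.pem" 30; then
        echo "$(date) WARNING: certificate still expires within 30 days after renewal"
        status=1
    fi
    echo "$(date) renewal run finished"
    return "$status"
}

# Cron entry (Mondays at 00:00, like the job above):
#   00 0 * * 1 /usr/local/sbin/renew-certs.sh >> /var/log/letsencrypt-renew.log 2>&1
case "${0##*/}" in
    renew-certs.sh) main ;;
esac
```

The script only runs main when invoked under its own name, so the functions can also be sourced and used on their own; the cron line in the comment replaces both entries above, since the deploy hook takes care of the reload.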

Trick: Create elevated shortcut to skip UAC prompt in Windows 10

source: https://winaero.com/blog/create-elevated-shortcut-to-skip-uac-prompt-in-windows-10/

Create elevated shortcut to skip UAC prompt in Windows 10

User Account Control, or just UAC, is a part of the Windows security system which prevents apps from making unwanted changes on your PC. When some software tries to change system-related parts of the Registry or the file system, Windows 10 shows a UAC confirmation dialog, where the user has to confirm that they really want to make those changes. Usually, the apps that require elevation are related to the management of Windows or your computer in general. A good example would be the Registry Editor app. If an application you use frequently requires a UAC request every time you start it, confirming the prompt on every launch can get a bit annoying. In this article, we will see how to create a shortcut to run apps elevated without a UAC prompt in Windows 10.

To skip the UAC prompt and start an app elevated, you need to create a special task in the Windows Task Scheduler which allows executing apps with admin privileges. The Task Scheduler has a graphical MMC version (taskschd.msc) which we will use.

In the tutorial below, I will show you how to make Regedit run elevated without a UAC prompt showing up. You can use these steps for any app you want to launch elevated.

Creating a shortcut to run apps elevated without a UAC prompt in Windows 10

  1. Open Control Panel. (Note from Johan: you can do this in AutoHotkey by running, without quotes, “Run ::{21ec2020-3aea-1069-a2dd-08002b30309d}”.)
  2. Go to Control Panel \ System and Security \ Administrative Tools.
  3. In the newly opened window, double-click the shortcut “Task Scheduler”.
  4. In the left pane, click the item “Task Scheduler Library”.
  5. In the right pane, click on the link “Create task”.
  6. A new window titled “Create Task” will be opened. On the “General” tab, specify the name of the task. Pick an easily recognizable name like “App name – elevated”. In my case, I will use “Regedit – elevated”.
    You can also fill in the description if you want.
  7. Now tick the checkbox named “Run with highest privileges”.
  8. Switch to the “Actions” tab. There, click the “New…” button.
  9. The “New Action” window will be opened. There, you can specify the path to the executable (.exe file) of the app you are trying to run elevated without a UAC prompt. In my case, I will enter
    c:\windows\regedit.exe

    Note: by default, apps started by tasks like the one we just created will start with no focus. Their windows might appear in the background.
    If you are not happy with this issue, then use the following trick:
    – In “Program/Script”, enter the following:

    C:\windows\system32\cmd.exe

    In “Add arguments”, type the following:

    /c start "" program.exe [program arguments if required]

    In my example with Regedit the arguments become:

    /c start "" c:\windows\regedit.exe

  10. Click “OK” in the “New Action” dialog to apply your settings and close it.
  11. Switch to the “Conditions” tab and untick the options
    – Stop if the computer switches to battery power
    – Start the task only if the computer is on AC power
  12. Now, click “OK” to close the “Create Task” window. Now that you’ve created the task, it’s a good time to test it. Right-click it and select “Run” from the context menu. It should open the app you specified.
  13. Now, create a new shortcut to launch the app from your Desktop. Right-click the empty space on your Desktop and select New -> Shortcut.
  14. In the location of the item, enter the following:
    schtasks /run /tn "your task name"

    In my case, it should be the following command:

    schtasks /run /tn "Regedit - elevated"

  15. Name your shortcut however you like.
  16. Finally, pick an appropriate icon for the shortcut you have created and you are done.


That’s it. As you can see, creating elevated shortcuts involves a lot of actions and a notable amount of time.

Autohotkey: Global Media Keys

Requirements

Installation

  1. copy/paste the code from the script below into a new file
  2. save that new file in a new folder (you can name it whatever you want)
  3. run the script
  4. done

Usage

  1. manually run the script once; it stays active unless you manually close it (if you use it frequently, you might want to consider adding it to your computer’s startup)
  2. done

Script

app_name = GlobalMediaKeys
app_ver = 0.01
app_author = Johan Klos

/*
Not every keyboard has media-keys. With this plugin you have default global media keys (CTRL-WIN-ALT up/left/right). 
If the script is Run as Admin (line 16: "runasadmin = 1") the hotkeys will work even if a program has focus that is running as admin.
If the script is not Run as Admin (line 16: "runasadmin = 0"), the hotkeys will not work when a program has focus that is running as admin.
*/

#NoEnv  ; Recommended for performance and compatibility with future AutoHotkey releases.
; #Warn  ; Enable warnings to assist with detecting common errors.
SendMode Input  ; Recommended for new scripts due to its superior speed and reliability.
SetWorkingDir %A_ScriptDir%  ; Ensures a consistent starting directory.

runasadmin = 0

if runasadmin = 1 
{
	full_command_line := DllCall("GetCommandLine", "str")

	if not (A_IsAdmin or RegExMatch(full_command_line, " /restart(?!\S)"))
	{
		try
		{
			if A_IsCompiled
				Run *RunAs "%A_ScriptFullPath%" /restart
			else
				Run *RunAs "%A_AhkPath%" /restart "%A_ScriptFullPath%"
		}
		ExitApp
	}
}

^#!UP::Media_Play_Pause
^#!RIGHT::Media_Next
^#!LEFT::Media_Prev

return

Autohotkey: updating portable software

Requirements

Installation

  1. copy/paste the code from the script below into a new file
  2. save that new file in a new folder (you can name it whatever you want)
  3. edit line 1 of the script to list the programs you want to use (by default: “ccleaner,speccy,defraggler,recuva”)
  4. run update_piriform.ahk (it will download unzip.exe if it doesn’t already exist in the same folder and start downloading/unzipping the files that are listed in the programs line)
  5. done

Usage

  1. manually run the script when you want to update the files listed on line 1
  2. done

Script

programs = ccleaner,speccy,defraggler,recuva

app_name = Piriform downloader
app_ver = 0.04
app_author = Johan Klos

/*
I use piriforms free tools to do some maintenance. 
Every so often I run this script to update the portable versions of those programs.
https://www.piriform.com/%program%/download/portable

it keeps the user informed using tooltips
*/

#NoEnv  ; Recommended for performance and compatibility with future AutoHotkey releases.
; #Warn  ; Enable warnings to assist with detecting common errors.
SendMode Input  ; Recommended for new scripts due to its superior speed and reliability.
SetWorkingDir %A_ScriptDir%  ; Ensures a consistent starting directory.
#SingleInstance force ; skips the dialog box and replaces the old instance automatically, which is similar in effect to the Reload command.

tooltip %app_name% v%app_ver%`nStarting program

; check if commandline unzip.exe program is present, if not, download it	
ifnotexist unzip.exe
{
	tooltip %app_name% v%app_ver%`nunzip.exe missing: downloading it now
	UrlDownloadToFile, http://www.kloscomputing.co.uk/public/unzip.exe, unzip.exe
}
	
loop, parse, programs, `,
{
	if ( A_LoopField <> "" )
	{
		download(A_LoopField)
	}
}
count = 3
loop, 3
{
	tooltip %app_name% v%app_ver%`nAll done: terminating program in %count% seconds.
	count--
	sleep 1000
}
exitapp

download(program)
{
	global app_name, app_ver
	
	; create an URL to download the program in question
	url := "https://www.piriform.com/" . program . "/download/portable/downloadfile"
	
	tooltip %app_name% v%app_ver%`n%program% downloading
	; download the zip file
	UrlDownloadToFile, %URL%, %A_Temp%\%program%.zip
	
	tooltip %app_name% v%app_ver%`n%program% unzipping
	runwait, unzip.exe -u "%A_Temp%\%program%.zip" -d "%A_ScriptDir%\%program%",, hide	

	tooltip %app_name% v%app_ver%`n%program% clean up files we won't need any more
	; do some cleanup work: remove the downloaded zip file
	FileDelete, %A_Temp%\%program%.zip
	return
}

Autohotkey: What is it?

From autohotkey.com:

AutoHotkey is a free, open-source scripting language for Windows that allows users to easily create small to complex scripts for all kinds of tasks such as: form fillers, auto-clicking, macros, etc.

Basically, it is a way to do a lot of different things a lot quicker.

Personally, I use it to make my life easier, for instance:

  • by updating portable software,
  • making hotkeys to do certain things such as media play/pause/next,
  • typing passwords in games that don’t allow pasting.

Each script is basically a text file with a .ahk extension. The .ahk file is then run (or executed) by Autohotkey.exe, which you can download from here.

If you run into issues or have questions, the Autohotkey community is very active on forums and IRC.

A good editor that I use is Notepad++.

Site Security: Check website for vulnerabilities

Site Security: install a DANE TLSA DNS Record

Source: https://joscor.com/blog/dane-tlsa-tutorial/

How to configure DANE TLSA

If you have a DNS host that supports DNS-based Authentication of Named Entities (DANE) TLSA records, you might as well upgrade your DNSSEC (you are using DNSSEC, right?). Generating a TLSA hash and adding the DNS TLSA RR is pretty easy, so let’s get started. Note: if you DON’T have a DNS host that supports TLSA (as of this writing, GoDaddy and Dyn DNS Standard do not), I’d suggest either Dyn DNS Managed Express or DNS4.PRO (which is free, by the way).

1. Browse to your HTTPS-secured website and click the security icon to see the security information, then click the Certificate Information link.

Find the secure icon (green lock to the left of the URL in Chrome)

View Certificate Information

2. You now need to begin the process of exporting your certificate to file. Click the Copy To File… button.

Export your SSL certificate

3. Make sure you export the certificate with Base-64 encoding (as that’s what the TLSA RR generator expects later).

Select Base-64 encoding when exporting your SSL certificate to file

4. Right-click on the file you just exported and open it with Notepad (or any text editor). Copy the contents (it should start with -----BEGIN CERTIFICATE-----).

5. Open a web browser and head over to https://www.huque.com/bin/gen_tlsa. This site has a handy TLSA RR generator that we’ll be using. Paste the contents you copied in step 4 into the section “Enter/paste PEM format X.509 certificate here”.

Enter the certificate text in the DANE TLSA Generator

6. The defaults for the generator are sane, so we can leave them be (SHA-256 hash, SPKI, DANE-EE). Enter your domain details at the bottom. For HTTPS TLSA, enter 443 for the port (assuming your site’s HTTPS is on 443), TCP as the transport protocol, and your domain name. Click Generate.

7. The generator should have provided a TLSA RR for your use. The important sections are the first part (_443._tcp.yourdomain.com.) and the last part (<usage> <selector> <matching type> <hash>). We’ll use these two parts for actually inserting the DNS record. The last part of the tutorial covers placing the DNS record into the DNS4.PRO hosting service, but if your DNS host provides TLSA support, the instructions should be roughly equivalent.

8. Now we need to take the generated record and add it to our DNS zone. Go to your DNS host’s interface, click to add a new entry, and select “TLSA” as the record type. Take the part of the record location before the domain name and use that as the zone location: for example, if the generator gave you _443._tcp.mydomain.com, you’ll use just _443._tcp. Then put the actual hash (and metadata) into the data portion of the DNS entry. See below for an example.

Adding a TLSA record to DNS4.PRO DNS host
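Steps 4 to 8 paste the certificate into a web form to obtain the hash. The same SHA-256 over the certificate’s SubjectPublicKeyInfo can be computed locally with the openssl command line, which also makes it possible to verify the record you published against the certificate file you actually serve. The script below is an added example, not from the tutorial; it assumes openssl is installed and takes the tutorial’s defaults (usage 3 DANE-EE, selector 1 SPKI, matching type 1 SHA-256) as arguments, so the other selector and matching-type values can be produced as well.

```sh
#!/bin/sh
# Added example, not from the tutorial: compute DANE TLSA hashes with openssl and
# check a published record against a certificate file. Requires openssl.
#
#   selector       0 = whole DER certificate, 1 = SubjectPublicKeyInfo (tutorial default)
#   matching type  1 = SHA-256 (tutorial default), 2 = SHA-512
#   usage          3 = DANE-EE (tutorial default); the record text just carries it

# Emit the DER bytes that selector $2 covers for the PEM certificate in $1.
tlsa_input() {
    case "$2" in
        0) openssl x509 -in "$1" -outform DER ;;
        1) openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER ;;
        *) echo "unsupported selector: $2" >&2; return 1 ;;
    esac
}

# Print the lowercase hex hash for certificate $1, selector $2, matching type $3.
tlsa_hash() {
    case "$2" in 0|1) ;; *) echo "unsupported selector: $2" >&2; return 1 ;; esac
    case "$3" in
        1) algo=sha256 ;;
        2) algo=sha512 ;;
        *) echo "unsupported matching type: $3" >&2; return 1 ;;
    esac
    # openssl dgst prints "(stdin)= <hex>" (or "SHA256(stdin)= <hex>" on older builds)
    tlsa_input "$1" "$2" | openssl dgst "-$algo" | sed 's/^.*= *//' | tr 'A-F' 'a-f'
}

# Print a zone-file TLSA RR: $1 host, $2 port, $3 cert.pem, $4 usage, $5 selector, $6 matching type.
tlsa_record() {
    hash=$(tlsa_hash "$3" "$5" "$6") || return 1
    [ -n "$hash" ] || return 1
    printf '_%s._tcp.%s. IN TLSA %s %s %s %s\n' "$2" "$1" "$4" "$5" "$6" "$hash"
}

# 0 when the hash published in DNS ($4) matches certificate $1 under selector $2 and
# matching type $3, 1 otherwise. Case-insensitive, since DNS tools print either case.
tlsa_matches() {
    want=$(printf '%s' "$4" | tr 'A-F' 'a-f')
    have=$(tlsa_hash "$1" "$2" "$3") || return 1
    [ -n "$have" ] && [ "$have" = "$want" ]
}
```

tlsa_record example.com 443 cert.pem 3 1 1 prints the zone-file line for step 8. To compare a live record, fetch the published hash with dig +short TLSA _443._tcp.example.com (take the fourth field onward and drop any spaces) and pass it to tlsa_matches. A renewal that generates a new key changes the selector 1 hash, and any renewal changes the selector 0 hash, so this comparison belongs in the renewal routine: a stale record makes DANE-validating clients reject the site.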

 

Checking TLSA

There aren’t a lot of pretty web tools to validate TLSA, but there are a couple that do a good job. My favorite is https://www.had-pilot.com/dane/danelaw.html. Just enter your domain name, switch the select box to TLSA Record Only and see what happens. It either works or it doesn’t.

Another tool I’ve had good success with requires you to install a browser extension and some software, but it’s painless, really. https://www.dnssec-validator.cz/ not only checks for TLSA but also DNSSEC in general, and it’s a passive scan, so you can just leave it in the upper right of your browser and see how insecure the DNS of the domains you visit is.

Note #1: TTL 30 is equal to 5 minutes (in case your DNS host interface is per minute/hour, as mine is).

Services

The services I provide are aimed mainly at private individuals, but can add value for professionals and small businesses.

  • Website: domain and hosting registration, website building, including 1 hour of on-site instruction for the editor on using the website;
  • General computer knowledge;
  • Software-based computer repair (think viruses, malware);
  • A periodic check-up (“APK”) for computers;
  • Workshops at a location of your choice, on your own computer:
    • Microsoft Excel;
    • Microsoft Word;
    • Microsoft Powerpoint;
    • Google Sheets (including Google Script)

The workshops are by appointment, 1 hour each, and the content of the workshop is entirely based on your wishes.

I charge a fixed hourly rate of € 30.

For a complete website (building, hosting, domain name registration, 1 hour of instruction) you pay a one-off amount of € 200 per year.

You only incur extra costs once we have explicitly agreed on them together. So you know exactly where you stand!

Interested? Please get in touch; you can fill in the form below: