Welcome to my blog


This is my personal blog. Don't expect frequent updates so consider subscribing to any of the feeds (there is a general one and each tag has its own feed as well).

2016-11-28 Using LetsEncrypt

So far I had used StartCom for free website certificates. But they have apparently messed up their security so badly that browsers will stop accepting their certificates soon. So it's time to find a new certificate provider.

LetsEncrypt is the cool new kid on the block for this. I had a look at it a while ago and chose not to jump on the bandwagon back then — you had to run their script on your server and certificates were only valid for a few months. But with the impending loss of my StartCom certificates it was time to have another look.

It turns out that in the meantime there is a plethora of options to get certificates from them. Many of these don't need to run on the remote server and don't even require root privileges. After some cursory look at the available options I semi-randomly picked getssl.

cd Private/Certs/
mkdir LetsEncrypt

# Generate the LetsEncrypt user (account) key and export its public half:
openssl genrsa 4096 > LetsEncrypt/user.key
openssl rsa -in LetsEncrypt/user.key -pubout > LetsEncrypt/user.pub
# The private key must stay readable only by you:
chmod 400 LetsEncrypt/*

getssl -c hdurer.net
# Edit ~/.getssl/getssl.cfg for common options and ~/.getssl/hdurer.net/getssl.cfg for the ones specific to the hdurer.net certificate

# If you have more domains you can just say
getssl -c some.other-domain.com
# and change the relevant bits in the getssl.cfg in the new subdirectory.

The tool allows you to use DNS as a verification mechanism which is useful as it allows me to verify the domain(s) without having to place files onto a webserver running under that domain (and in fact, issue separate certificates for domains that don't have a webserver serving content). My DNS hoster has an API to manage DNS entries and there is a Python library to access that API, so all I needed was a little helper script (see below). The only issue I found is that I need to use almost excessive waiting delays to ensure that LetsEncrypt will reliably see the changed DNS entries.

The relevant section from my getssl.cfg file reads:

# Use the following 3 variables if you want to validate via DNS
VALIDATE_VIA_DNS="true"
DNS_ADD_COMMAND="/path/to/DNSHelper add"
DNS_DEL_COMMAND="/path/to/DNSHelper remove"
DNS_WAIT=15
DNS_EXTRA_WAIT=500

And the helper script itself is: (excuse the hacky Python, I couldn't even be bothered to properly parse the arguments)

import sys

import pynfsn

# API credentials for the DNS hoster; replace with your own
nfsn = pynfsn.NFSN('...username...', '...api key...')

# getssl invokes this as: DNSHelper add|remove <fulldomain> <token>
op, fulldomain, token = sys.argv[1:4]

domain_parts = fulldomain.split('.')
# Figure out the root domain (always the last two components for my domains):
domain = '.'.join(domain_parts[-2:])

if len(domain_parts) > 2:
    # for subdomain foo.hdurer.net, the record is _acme-challenge.foo
    record_name = '_acme-challenge.' + '.'.join(domain_parts[:-2])
else:
    record_name = '_acme-challenge'

dns = nfsn.dns(domain)
if op == 'add':
    # publish the challenge token as a TXT record with a 200 second TTL
    dns.addRR(record_name, 'TXT', token, '200')
elif op == 'remove':
    # remove exactly the record we added, so stale tokens don't pile up
    dns.removeRR(record_name, 'TXT', token)
else:
    print("Don't know how to", op)
    sys.exit(1)
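The long DNS_EXTRA_WAIT above is a fixed sleep; a more robust approach is to compute the challenge name and then poll every authoritative nameserver until all of them actually serve the token. This is an added example, not the helper from the post, and it keeps the post's assumption that the zone is always the last two labels; the lookup callable is injected so the logic runs offline, and dnspython_lookup is an assumed real-world adapter built on the dnspython library.

```python
import time

ROOT_LABELS = 2  # the post's assumption: the DNS zone is always the last two labels


def challenge_record(fulldomain):
    """Return (zone, record_name) for the _acme-challenge TXT record of fulldomain."""
    parts = fulldomain.strip('.').lower().split('.')
    if len(parts) < ROOT_LABELS or '' in parts:
        raise ValueError('not a usable domain: %r' % fulldomain)
    zone = '.'.join(parts[-ROOT_LABELS:])
    sub = parts[:-ROOT_LABELS]
    record = '_acme-challenge' + ('.' + '.'.join(sub) if sub else '')
    return zone, record


def wait_for_txt(fqdn, token, nameservers, lookup, timeout=600, interval=15,
                 sleep=time.sleep, clock=time.monotonic):
    """Poll until every nameserver in `nameservers` returns `token` as a TXT
    string for `fqdn`.  lookup(ns, fqdn) must return the list of TXT strings
    that nameserver currently serves (empty if none).  Returns the number of
    polls needed, or raises TimeoutError after `timeout` seconds."""
    deadline = clock() + timeout
    polls = 0
    while True:
        polls += 1
        missing = [ns for ns in nameservers if token not in lookup(ns, fqdn)]
        if not missing:
            return polls
        if clock() >= deadline:
            raise TimeoutError('TXT %s not visible on %s' % (fqdn, ', '.join(missing)))
        sleep(interval)


def dnspython_lookup(ns, fqdn):
    """Assumed adapter for real use: query one nameserver IP via dnspython
    (pip install dnspython); not exercised in the offline example."""
    import dns.resolver
    resolver = dns.resolver.Resolver(configure=False)
    resolver.nameservers = [ns]
    try:
        answer = resolver.resolve(fqdn, 'TXT')
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
        return []
    return [b''.join(rdata.strings).decode() for rdata in answer]
```

In the helper's add branch you would call wait_for_txt(record + '.' + zone, token, <your zone's NS IPs>, dnspython_lookup) after addRR and only then return, so DNS_EXTRA_WAIT can be reduced to a small safety margin.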

You can try different config settings and fiddle with the script as much as you want while the getssl config points to the staging server (the default value). Once you get it to work well, change the config to use the real server and just getssl -a to have all configured certificates issued. Don't switch too early as the production server has a (not very severe) rate limit and you could lock yourself out of certificate generating for a week.

The tool places the certificates in the relevant subdirectories but you can also configure it to place copies elsewhere (e.g. via scp to the remote server itself). But once you have the certificates, the rest is easy. Just remember to regenerate them (just run getssl -a again) before they expire. If you have everything set up properly you could make that a cronjob…

2016-06-15 A new server

Our old family server was getting a bit long in the tooth, had a few random reboots and was running out of disk space anyway (plus it had an old 32-bit Atom CPU so that we could not even run Docker etc.). So in the end I broke down and ordered a new one. After a bit of searching around on the web I went with QuietPC.com and picked a much beefier machine this time than what we had before (back then I was going for size and very low energy consumption but in the end we paid for it with no upgradability and very slow speed). The machine arrived recently and looks fine. So far I am happy but it's too early to say much yet; I'll write up my experiences in a while.

2015-12-06 Perfect forward secrecy for your website

For a while now I have had SSL and SPDY on this site. Having SSL isn't very hard. StartCom will give you a free certificate for your server (and also S/MIME email certificates for your email accounts) if you are willing to navigate and endure their terrible UI. There is an easy option of letting them create the key and certificate, but I encourage you to do the proper thing of creating your own key pair so that you know that only you have the private key. I found these instructions quite useful.

But setting things up so you don't just have SSL but have good and secure SSL settings is trickier. I found a good article which walks you through the steps to set options and ciphers so that the SSL checker will give you an A rating.

2015-07-03 Ads and analytics are gone again

Just a quick note that after a bit more than a year I have again removed the ads and Google Analytics from this site. I no longer need to learn about these things and they are not really useful for a low-traffic site like this anyway, so why bother?

2015-01-09 The first few weeks with a Google Wear Watch

For quite some time I have had a Pebble smart watch now and was quite happy with it. Certainly, had it died some unexpected death I would have happily bought a new one. But for this Christmas I was given a new shiny toy — an LG G Watch (the original, not the new, round R model):

(photo: the LG G Watch, 2015-01-05--LG-watch.jpg)

It looks just as unstylish and nerdy as the Pebble but the wristband at least is slightly nicer (and also a standard size so you can replace it easily with something less offensive should you be bothered). I got the white model (the only other option is the black model) but that only refers to the wrist band and the back side of the watch which you don't see; basically it's a black watch with a white wrist band.

Battery life is better than expected, thanks mainly to having had very low expectations. After a full day (~16h of use) it still has around 50% of power, so you get more than 24h of usage but still have to charge it every day. This is still better than my phone but sadly that is a very low hurdle to take.

The display is good enough and I find it easier to read than the Pebble's display where my ageing eyes frequently struggled to read more than the headline of any message displayed. When you are not using it the display dims and turns grey scale only (all to save energy I assume). This works surprisingly well for me. At night or in the cinema you can also activate a cinema mode where the screen is completely off when not used.

The interface takes some getting used to — there is a very short tutorial but usually searching the internet tends to tell you quickly what you want to know. It all works ok for me. Sometimes I wish there were buttons for some common actions as the swipe actions don't always work for me when done casually but this is not a big problem for me so far.

Initial setup felt more like using a Windows system — the Android Wear app on my phone crashed right after pairing and the watch spent the first few minutes downloading updates and rebooting various times. I walked away during this but it felt like around 10 minutes between powering up and actually being able to do anything with the thing.

The watch faces that come built-in are a bit boring for my taste but there are nice ones you can install. (Installing watch faces and apps means installing them on your phone and then they'll just automagically show up on the watch.) I am currently using InstaWeather for Android Wear and am quite happy with that. (Over Christmas I managed to amuse the family by showing the Santa watch face that came with Google Santa tracker app).

Besides that I only use the Google Keep app which allows me to tick off items from my shopping list without taking out and unlocking my phone and very occasionally the UK Trains for Wear app to check on train times. To start these apps, the Wear Mini Launcher seems to be the tool of choice and works reasonably well for me.

The real advantage of the Android Wear over the Pebble is that you can not only read notifications but also dismiss them on the phone. Initially I found this irritating but now appreciate it as it actually reduces the urge to idly click on the notifications once you take out your phone. One does have to make sure however to not dismiss things that should be handled soon lest one forgets all about it.

The whole voice thing has not proven useful for me so far. The voice commands don't work for me in German (my phone is set to German and the watch copies these settings) and while searches do work mostly I find little occasion where actually talking to my watch is not socially awkward or even annoying to those around me. My one attempt to impress my friends was a total failure so I left it at that.

In conclusion I am quite happy with my new watch although the delta to the Pebble isn't big enough that I'd spend any money to replace an existing Pebble. So, if you are happy to buy into the Android world (and risk turning your smart watch into a door stop should you choose to change phone platform) this might well be a watch for you (and of course there are prettier Wear devices).
