Quick & Easy Let’s Encrypt Setup on pfSense using ACME

There is a wonderful new capability in pfSense: it can use Let’s Encrypt to automatically and securely obtain publicly trusted TLS certificates.

This is a great thing, because security matters and self-signed certs are annoying at best. When you use ACME with a service such as Let’s Encrypt you still completely control your private key (it is generated and stays on your own device; the CA only ever sees a signing request), so there is no security downside to using it.

How-to use Let’s Encrypt on pfSense

Under System / Package Manager / Available Packages you should find a package called acme. Click the install button and allow it to complete.

Once installed you should find Acme Certificates under the Services menu.

The first step is to create your account keys. Enter a name, select the production server if you want this to be live.
Click “Create new account key” to generate a key and insert it into the Account key box.
Finally click the Register button and Save.

The next step is to create your certificate. Under Certificates click the Add button.
Enter the details such as the name.

In the table you will see I selected “standalone HTTP server” and, in its options, set the listen port to 8082. This matters because the ACME server validates ownership by connecting to that standalone HTTP server on port 80 from the outside. We will accomplish this with a port forward rule in the next step.

Under Firewall / NAT / Port Forward create a new rule that forwards port 80 (HTTP) to your pfSense IP address, which is 192.168.1.1 by default, on the listen port you chose above.
This allows the ACME server to reach your device to verify ownership.

Of course you can use other methods; I just found this to be the simplest option, assuming that you have something already running on port 80 like I do.

Now let’s go back to Acme Certificates, and click the Issue/Renew button. If the domain name you used has correctly configured DNS, you should have a freshly minted certificate available for use under System / Cert. Manager.

To use this new certificate for the pfSense webConfigurator like I am, go to System / Advanced / Admin Access and select your new certificate in the SSL Certificate drop-down menu.
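Once the package is issuing certificates on its own, the thing you actually want to know is whether renewal keeps happening. Here is a small check script for that. It is an added example, not part of the original post or of the pfSense ACME package: it connects to the host names you pass it (the default example.com is only a placeholder), verifies the chain and host name the way a browser would, reports the issuer, and warns when fewer than MIN_DAYS days of validity remain (14 is an assumption; pick what suits your renewal schedule).

```python
"""Added example (not from the original post or the pfSense ACME package):
report the issuer and remaining validity of the certificate a host serves,
so you can tell whether automatic renewal is actually happening."""
import socket
import ssl
import sys
import time

MIN_DAYS = 14  # assumption: warn when fewer than two weeks of validity remain


def cert_expiry(cert):
    """Epoch seconds at which a getpeercert()-style dict expires."""
    return ssl.cert_time_to_seconds(cert["notAfter"])


def check_cert(cert, now=None, min_days=MIN_DAYS):
    """Evaluate a certificate dict as returned by SSLSocket.getpeercert().
    Returns (ok, issuer_organization, whole_days_left)."""
    now = time.time() if now is None else now
    # 'issuer' is a tuple of RDNs, each a tuple of (attribute, value) pairs
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    days_left = int((cert_expiry(cert) - now) // 86400)
    return days_left >= min_days, issuer.get("organizationName", ""), days_left


def fetch_cert(host, port=443, timeout=5.0):
    """Fetch the peer certificate. The default context verifies the chain
    against the system trust store and checks the host name, so an untrusted
    or mismatched certificate raises instead of being reported as fine."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def report(host, port=443):
    """One status line per host, suitable for a cron job that mails on WARN/FAIL."""
    try:
        cert = fetch_cert(host, port)
    except ssl.SSLCertVerificationError as exc:
        return f"{host}:{port} FAIL certificate not trusted ({exc.reason})"
    except OSError as exc:
        return f"{host}:{port} FAIL cannot connect ({exc})"
    ok, org, days = check_cert(cert)
    return f"{host}:{port} {'OK' if ok else 'WARN'} issuer={org!r} expires in {days} days"


if __name__ == "__main__":
    # usage: python3 certcheck.py firewall.example.net [more hosts...]
    for target in sys.argv[1:] or ["example.com"]:
        print(report(target))
```

Run it from a machine outside your network as well as inside: that confirms the port 80 forward did not accidentally expose anything else, and that the public name resolves to the address the certificate was issued for.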

Onward to TLS everywhere!

Connect to FPM Socket Permission Denied after upgrade to PHP 5.5.12

If you’ve just upgraded PHP-FPM to 5.5.12 (or later) you probably noticed that your web sites went down, and that the logs of Nginx (or whatever web server you are using) contain an error message like the following:

connect() to unix:/var/run/www.sock failed (13: Permission denied) while connecting to upstream

To provide some context for this problem see http://www.openwall.com/lists/oss-security/2014/04/29/5

Before this version the sockets were created with a mode (permissions) of 0666, which in theory lets any web site on the same host connect to them. On shared hosting, for example, that could be a security issue.
The security fix therefore has PHP-FPM create the sockets with a permission mode of 0660 instead.

The problem with most default web server configurations is that the socket is created as the root user, while nginx or apache run as an unprivileged user such as www-data. With mode 0660 and no owner or group match, that user can no longer open the PHP socket.

The Solution

The solution is very simple; it comes from this stackoverflow answer: http://stackoverflow.com/a/23596317/1195553

Simply add the following two lines to the PHP-FPM configuration for your web site, before or after the line that sets the path to the socket itself.

listen.owner = www-data
listen.group = www-data

This causes the socket to be created with owner and group www-data, which lets the web front end access the socket without any permission issues.
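What the 0660 change does to the kernel’s permission check, as an added example (not part of the original post or of PHP-FPM): a small Python script that mirrors the rule applied on connect() to a Unix socket, namely that the connecting process needs write permission on the socket inode, evaluated as owner, group or other. Pointed at a real socket path and user name it explains why the web server gets error 13; its demo() reproduces the failure with a throw-away socket. The uid 33000 used in the demo is a constructed stand-in for an unprivileged web server account, not a real user.

```python
"""Added example, not part of the original post: show why an unprivileged web
server cannot reach a root-owned PHP-FPM socket created with mode 0660, and
check a proposed fix. connect() on a Unix socket requires write permission on
the socket inode, so the check below mirrors the owner/group/other rule the
kernel applies (see unix(7))."""
import grp
import os
import pwd
import socket
import stat
import sys
import tempfile


def can_connect(mode, sock_uid, sock_gid, client_uid, client_gids):
    """True if a process running as client_uid (member of client_gids) may
    connect() to a socket inode with this mode/owner/group. Root bypasses
    the check, which is why the problem is invisible when you test as root."""
    if client_uid == 0:
        return True
    if client_uid == sock_uid:
        needed = stat.S_IWUSR      # owner class
    elif sock_gid in client_gids:
        needed = stat.S_IWGRP      # group class
    else:
        needed = stat.S_IWOTH      # everyone else
    return bool(mode & needed)


def socket_facts(path):
    """Return (mode, uid, gid) of a socket file, or raise if it is not one."""
    st = os.stat(path)
    if not stat.S_ISSOCK(st.st_mode):
        raise ValueError(f"{path} is not a Unix socket")
    return stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid


def diagnose(path, client_uid, client_gids):
    """Verdict string for a given client identity, e.g. the nginx worker's."""
    mode, uid, gid = socket_facts(path)
    ok = can_connect(mode, uid, gid, client_uid, client_gids)
    verdict = "can connect" if ok else "Permission denied (13)"
    hint = ""
    if not ok:
        hint = ("; set listen.owner/listen.group in the pool config to the web "
                "server's user and group rather than loosening listen.mode")
    return f"{path}: mode {mode:04o} owner {uid}:{gid} -> uid {client_uid} {verdict}{hint}"


def resolve_user(name):
    """Map a user name to (uid, {gids}), the identity the web server runs as."""
    pw = pwd.getpwnam(name)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if name in g.gr_mem}
    return pw.pw_uid, gids


def demo():
    """Reproduce the failure with a throw-away socket owned by the current
    user. Returns (reachable_at_0660, reachable_at_0666) for a constructed
    non-owner, non-root client uid standing in for www-data."""
    other_uid, other_gids = 33000, {33000}   # constructed, not a real account
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "www.sock")
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        try:
            srv.bind(path)
            os.chmod(path, 0o660)     # what PHP-FPM >= 5.5.12 does by default
            mode, uid, gid = socket_facts(path)
            strict = can_connect(mode, uid, gid, other_uid, other_gids)
            os.chmod(path, 0o666)     # the pre-5.5.12 behaviour the fix removed
            mode, uid, gid = socket_facts(path)
            loose = can_connect(mode, uid, gid, other_uid, other_gids)
        finally:
            srv.close()
    return strict, loose


if __name__ == "__main__":
    if len(sys.argv) == 3:            # e.g. /var/run/www.sock www-data
        print(diagnose(sys.argv[1], *resolve_user(sys.argv[2])))
    else:
        print("0660 reachable by non-owner: %s, 0666 reachable by anyone: %s" % demo())
```

The point of keeping 0660 and fixing the owner, rather than setting listen.mode back to 0666, is visible in can_connect: with owner and group www-data the web server passes the group or owner check, while a process running as a different site’s user still falls into the “other” class and is refused.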

Happy administration!

SSH Server And “Permission denied (publickey).”

This drove me up a wall, yet it’s so simple, and so easy to overlook.

If you ever set up a server with SSH public key authentication and get the following error:

Permission denied (publickey).

Make sure you do the following:

  • Make sure the permissions of the .ssh folder are 0700
  • Make sure the permissions of the authorized_keys file are 0600
  • Make sure the user owns the .ssh folder and its contents (normally that’s the case, but check anyway)

For example, for the user you are trying to set up, run these commands from their home folder:

sudo chown -R username:username /home/username/.ssh
sudo chmod 0700 /home/username/.ssh
sudo chmod 0600 /home/username/.ssh/authorized_keys

This is especially important when setting up new users on Amazon EC2, which uses public key authentication by default. On modern Linux distros like Ubuntu it is very easy to get right.
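The three checks above as a script, an added example that is not from the original post: it audits the ownership and modes of .ssh and authorized_keys against the values given above, calls out the group/world-writable case that sshd’s StrictModes rejects outright, and with --fix applies the same chown and chmod as the commands above. The paths and modes come from the post; demo() builds a throw-away home directory to show the audit before and after the repair, and the user name argument in the usage line is whatever account you are setting up.

```python
"""Added example (not from the original post): audit, and optionally repair,
the ownership and permissions sshd expects on a user's .ssh directory and
authorized_keys file."""
import os
import pwd
import stat
import sys
import tempfile

# Modes the post recommends for each path.
RECOMMENDED = {".ssh": 0o700, "authorized_keys": 0o600}
GROUP_OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH   # what sshd StrictModes rejects


def audit_ssh_dir(home, uid=None, fix=False):
    """Return a list of problems under home/.ssh. uid is the owner the files
    must have (default: the owner of home). With fix=True, chown and chmod
    each path the way the post's commands do, and still report what was wrong."""
    if uid is None:
        uid = os.stat(home).st_uid
    ssh_dir = os.path.join(home, ".ssh")
    targets = [
        (ssh_dir, RECOMMENDED[".ssh"]),
        (os.path.join(ssh_dir, "authorized_keys"), RECOMMENDED["authorized_keys"]),
    ]
    problems = []
    for path, want in targets:
        try:
            st = os.lstat(path)
        except FileNotFoundError:
            problems.append(f"{path}: missing")
            continue
        mode = stat.S_IMODE(st.st_mode)
        if st.st_uid != uid:
            problems.append(f"{path}: owned by uid {st.st_uid}, expected {uid}")
            if fix:
                os.chown(path, uid, -1)   # needs root, like the sudo chown in the post
        if mode != want:
            why = ("group/world writable, sshd rejects it" if mode & GROUP_OTHER_WRITE
                   else "differs from recommended")
            problems.append(f"{path}: mode {mode:04o} ({why}), want {want:04o}")
            if fix:
                os.chmod(path, want)
    return problems


def demo():
    """Build a throw-away home directory with the usual mistakes, audit it,
    repair it, and audit again. Returns (problems_before, problems_after)."""
    with tempfile.TemporaryDirectory() as home:
        ssh_dir = os.path.join(home, ".ssh")
        os.mkdir(ssh_dir)
        keys = os.path.join(ssh_dir, "authorized_keys")
        with open(keys, "w") as fh:
            fh.write("# constructed placeholder, not a real key\n")
        os.chmod(ssh_dir, 0o755)   # typical mistake: world-readable directory
        os.chmod(keys, 0o644)      # typical mistake: world-readable key file
        before = audit_ssh_dir(home)
        audit_ssh_dir(home, fix=True)
        after = audit_ssh_dir(home)
    return before, after


if __name__ == "__main__":
    # usage: sudo python3 ssh_perms.py username [--fix]
    if len(sys.argv) >= 2:
        pw = pwd.getpwnam(sys.argv[1])
        found = audit_ssh_dir(pw.pw_dir, pw.pw_uid, fix="--fix" in sys.argv)
        print("\n".join(found) if found else "ok")
    else:
        before, after = demo()
        print("before:", *before, sep="\n  ")
        print("after:", after or "clean")
```

Run it as root for another user so the chown can succeed; for your own account it works unprivileged. When the audit comes back clean and you still see “Permission denied (publickey)”, the next place to look is the sshd log on the server, which names the exact file it refused.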

Happy secure terminalling!

Dasient and Nerds On Site Partner to Offer Web Site Malware Protection

Nerds On Site and Dasient have partnered up to provide web site malware protection:

“Every day, thousands of legitimate websites are infected with malicious code, and the speed, scale, and complexity of these attacks makes it difficult for website owners to identify and address the resulting infections,” said Dr. Neil Daswani, one of Dasient’s three co-founders. “Now more than ever it’s important for site owners to deploy defenses that can operate at the scale and speed required to deal with the problem.”

Coming Soon, somanypasswords.com!

Coming soon to an internet connection near you: somanypasswords.com. Every person on the internet is plagued with the same problem: we have too many passwords.
Our other problem is how to keep them securely in a central location.

There are many software applications that try to help with this problem, but most of them run on your computer, do not provide a high level of security, and require only one-factor authentication, which makes them easy to crack by brute force.

SoManyPasswords.com is an attempt to solve this problem. All data is encrypted using 256-bit AES. To access your data you need three factors of authentication: a username, a password, and a physical key. We are using the YubiKey for this. The YubiKey is a USB key that you plug into a computer or internet device; each time you log in it creates a one-time password that is validated against a validation server. Without this key it is not possible to log in.

As part of the service, when it goes live we will provide the physical keys to clients who sign up. We have not yet determined exact pricing, so if you know how much you’d pay for such a service, leave a comment below.