Continuing my security certificate mission, I’ve set my SSL sites on Security Onion. The certs are stored here: /etc/pki/ adding, renaming, and symlinking a few files here was most of the work. then update url_base.
I made that and some other changes to:
/opt/so/saltstack/local/pillar/global.sls
I’ve been automating SSL renewals for almost as long as i’ve been deploying them. for the most part, it is very smooth and easy to do. (thanks mostly to certbot and the hard work over at let’s encrypt) The trouble comes up with non publicly addressable servers and other custom setups. cough cough. . . Unifi. . . cough cough.
I recently discovered a tool that makes all those complicated setups as easy as the original certbot installs. acme.sh is that tool. two lines! not since screen have i regret any time i spent not using such a tool.
./acme.sh –renew -d “unifi.domain.com”
./acme.sh –deploy -d “unifi.domain.com” –deploy-hook unifi
all the ssl blacklists are updates. we can return to thinking we are safe. Apple included the patches in a Security Update, Firefox updated to 6.0.2. Jailbroken iOS users can update or install “sslfix” in Cydia to get the protections that apple has yet to release.
After watching Moxie’s BlackHat talk, we seriously need to fix SSL. It is holding up too many technologies to be this insecure.
here is a link (i hope): be3n.com/1
After hours of trying to make my zen cart work again with google checkout. I finally threw it away for a simple wordpress plugin. Now i take credit cards again! Super easy solution for anyone thinking of building a simple web store.
plugin site: http://www.jasoncapshaw.com/blog/simple-google-checkout-cart-wordpress-plugin/
(although, somehow his blog has shifted from the geeky)
We bedded down in Tucson where they have “A” Mountain. Wow, i’m so glad we came. After a bit of blogging and email, we’re off to Nogales to cross over in to Mexicaña.