| systemdlete | I'm not too good at ssl and encryption at large (but I'm trying to learn these as I go). I would like to create a certificate for a website so I can use https, but from what I've read, I may need to drop a few bucks--isn't there a self-signed certificate option I can use? | 01:00 |
|---|---|---|
| systemdlete | Keep in mind that this "web server" will only be used here at home; I'm not opening it up to the world. | 01:01 |
| systemdlete | And this is not served by apache, nginx, etc. It is a built-in web server. | 01:01 |
| gnarface | systemdlete: yes, you can make a perfectly secure local certificate authority with the stock openssl package in the repos | 01:02 |
| systemdlete | What I need to know is whether a self-signed certificate will work for me | 01:02 |
| gnarface | finding instructions on how is increasingly difficult, but it's doable | 01:02 |
| rrq | you get free certs from letsencrypt | 01:02 |
| gnarface | you don't need to trust a 3rd party | 01:02 |
| gnarface | if it's for personal use, there's no reason not to use a local CA except for lack of expertise | 01:02 |
| systemdlete | ok, thanks, that's what I thought. Years ago, one very unusual fellow in the centos channel helped me create a self-signed cert, but I think that was 15 years ago. | 01:03 |
| onefang | Um, doesn't OpenSSL automatically create a self signed cert on installation, or was that Courier I'm recalling? | 01:03 |
| gnarface | i think several things use openssl to create a self-signed cert | 01:03 |
| gnarface | but you can do it by hand manually | 01:03 |
| gnarface | you can make the whole certificate authority in fact | 01:04 |
| systemdlete | I vaguely recall having to go through many iterations, gyrations, and mutations to create one. | 01:04 |
| gnarface | it's a few steps, but it's not rocket science | 01:04 |
| systemdlete | oh good | 01:04 |
| systemdlete | my head is already hurting just contemplating doing this | 01:04 |
| gnarface | not much about the process has changed either, other than the location of good data, and the location on the filesystem you copy your public key to | 01:05 |
| systemdlete | does devuan (or maybe debian) have a SHORT 1-2-3 do list | 01:05 |
| systemdlete | how to list | 01:05 |
| gnarface | i don't know of any devuan or debian specific howtos, but there seem to be a lot of 3rd party ones if you just search for: openssl local CA | 01:06 |
| systemdlete | I promise to write it down this time. | 01:06 |
| gnarface | a long time ago i had a real good one but i can't find it anymore | 01:06 |
| systemdlete | hmm. I suppose openssl project might | 01:06 |
| rrq | ad-free afaict: https://www.ibm.com/docs/en/api-connect/10.0.x?topic=profile-generating-self-signed-certificate-using-openssl | 01:06 |
| gnarface | well, to be clear there's two actual paths | 01:07 |
| gnarface | you can create a self-signed certificate and just use it, or you can create a self-signed certificate then use that to create your own certificate authority, then you can tell your whole install to trust that certificate authority, then you can use said certificate authority to sign as many keys as you want | 01:08 |
| gnarface | the latter path is more work but will raise fewer red flags in different contexts | 01:08 |
| gnarface | it kinda depends on how much you plan on doing this | 01:09 |
| systemdlete | probably not often. | 01:09 |
| gnarface | either way i recommend keeping notes | 01:09 |
| systemdlete | Yep. | 01:09 |
| systemdlete | I use elog for my notes. | 01:10 |
| systemdlete | But I only started doing this in earnest a few years ago. | 01:10 |
| gnarface | i've forgotten and re-learned the same task several times now just because so much time passes between when i need it | 01:10 |
| systemdlete | (and that's "elog" not elogd or elogind) | 01:10 |
| systemdlete | gnarface, yeah, that's how it goes for me all the time also. And why I have become much more diligent about writing stuff down. It has bailed me out a few times already. | 01:11 |
| systemdlete | well, thanks guys. | 01:12 |
| systemdlete | Why is it that distros don't provide a self-signed certificate for general use by the admin, and maybe a CA? It could be generated automatically at install time, right? | 01:13 |
| * | systemdlete hopes that was not an imbecilic question, but we shall see... | 01:14 |
| gnarface | i'm not sure they don't | 01:14 |
| gnarface | /usr/lib/ssl/misc/CA.pl | 01:14 |
| gnarface | you're looking for tutorials on how to use this script | 01:14 |
| systemdlete | I wasn't but maybe I should be... | 01:15 |
| gnarface | that script and the openssl binary itself | 01:15 |
| systemdlete | openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365 | 01:15 |
| gnarface | sometimes on certain distros CA is a shell script not a perl script, but they seem to work the same | 01:15 |
| systemdlete | from a SO page | 01:15 |
| gnarface | yea, that looks like a quick&dirty self-signed cert, with no CA setup to sign it | 01:16 |
| gnarface | might still work depending on what you're doing, but some stuff will complain just about it being self-signed | 01:16 |
| systemdlete | "no... you have to PAY for it..." | 01:16 |
| gnarface | most software has a way to silence such complaints anyway, but i've seen bugs in thunderbird... | 01:17 |
| systemdlete | (bugs in Tbird? What? Naaaah. gnarface must be imagining things) | 01:17 |
| gnarface | heh | 01:17 |
| onefang | Just don't ask which end of the bird the thunder comes out of. | 01:18 |
| systemdlete | I hate what they have done to the UI in the past 2 or 3 years. All of it unnecessary and not helpful. | 01:18 |
| systemdlete | onefang, lol | 01:18 |
| gnarface | i have it on good authority that the most annoying changes to thunderbird over the past couple years have been specifically to spite me personally. they don't think the rest of you matter because they think you are all NPCs. | 01:19 |
| onefang | lol | 01:19 |
| systemdlete | and here I thought it was me... | 01:19 |
| gnarface | i'm not joking, and there's at least one other person here who knows i'm telling the truth, though i doubt he'll confess | 01:20 |
| systemdlete | There ought to be a rule. Pull requests for security get highest priority, then bugs, then new features and window dressing. | 01:20 |
| systemdlete | I mean, is it REALLY necessary to display the calendar upon startup? Especially if you last had the mail tab open last? | 01:21 |
| gnarface | i found a way to turn that off... though i was annoyed at it having gotten enabled by default in the first place | 01:21 |
| systemdlete | do share! | 01:22 |
| systemdlete | I looked high and low | 01:22 |
| systemdlete | something in about:config? | 01:22 |
| gnarface | oh, i did, but i think part of it was just not having put any entries | 01:22 |
| gnarface | if you don't have any actual entries, it'll just stay closed if you close it | 01:22 |
| gnarface | i think that's what i remember finding out anyway | 01:23 |
| systemdlete | Idk. Here every instance of tbird ALWAYS opens in calendar tab, even if I have no entries | 01:23 |
| gnarface | do you see an X in the top right corner of that pane? | 01:23 |
| systemdlete | you mean the calendar tab? | 01:23 |
| gnarface | it's like the whole right side of the window when it's open, it's not exactly a tab | 01:24 |
| systemdlete | I can shut it, but the next time I open tbird, the calendar is opened again. | 01:24 |
| gnarface | hmm | 01:24 |
| gnarface | i swear i just deleted all the entries then it stayed closed | 01:25 |
| gnarface | i don't remember having to do anything in about:config | 01:25 |
| systemdlete | most of the tbird configs I use do not have entries in calendar | 01:25 |
| systemdlete | I only use calendar in, like, 3 of them. | 01:25 |
| gnarface | do you have any separate calendar extensions installed? | 01:25 |
| systemdlete | but I'm talking about an entirely different system where I do not use calendar entries at all! | 01:26 |
| systemdlete | no | 01:26 |
| gnarface | hmm, weird | 01:26 |
| systemdlete | maybe there is a randomizer in the algorithm. If user name matches "suchandsuch*" then pull this nasty trick on them, otherwise, do these annoying things... | 01:27 |
| systemdlete | The changes these guys are making are pointless, so I am guessing they just don't have anything else to do | 01:27 |
| gnarface | it wouldn't really surprise me | 01:27 |
| systemdlete | Maybe inject some malware while they're at it | 01:27 |
| gnarface | well, i know (from the same source as the other hint) that they are in fact actually sandbagging performance on purpose, supposedly "to make it easier present users with artificial performance gains in conjunction to some future as-yet-undetermined release" | 01:29 |
| gnarface | (and they're doing that in firefox as well_ | 01:29 |
| gnarface | ) | 01:29 |
| gnarface | the whole mozilla org is well overdue for a complete fork, not just of software but of maintenance staff | 01:30 |
| gnarface | this is starting to get more editorial than actually about support though, so we should take it to offtopic | 01:30 |
| systemdlete | maybe later. Thanks for the help again. | 01:31 |
| systemdlete | as always | 01:31 |
| gnarface | no problem, good luck with it | 01:31 |
| temp64 | mission failed, IT told me to cut the shit and encrypt everything with LUKS instead of putting on the BIOS HDD password | 20:25 |
| temp64 | now I have to figure out how to install Devuan with LUKS AND F2FS on top of it | 20:26 |
| mason | temp64: LUKS should be pretty easy. Don't forget to allow discards to pass through or F2FS will probably be less happy. | 20:30 |
| mason | temp64: Might make sense to set up your disk(s) and then debootstrap(1) into them. | 20:31 |
| temp64 | oh, didn't know it doesn't forward discards to SSD by default | 20:32 |
| temp64 | if Devuan packages a recent enough version of cryptsetup, I'll probably go for Opal-only encryption | 20:34 |
| temp64 | not sure how much overhead there is to LUKS volumes, considering x86 CPUs have dedicated AES instructions nowadays, but it should be a bit easier on the CPU if I defer all encryption to the drive itself | 20:35 |
| mason | temp64: I tend to think the overhead disappears against actual accesses, but this is my own observation and not backed by data. | 20:36 |
| mason | Reading about OPAL is kind of interesting. Thanks for mentioning it. I expect I'll stick with LUKS here, but OPAL does seem neat. | 20:39 |
| fsmithred | I used luks on a 1200MHz Athlon many years ago. I didn't notice any slowness because of it. | 20:52 |
| fsmithred | temp64, you could pre-format and manually install or you could pre-format and use the cli version of the live installer with some manual intervention. | 20:54 |
| fsmithred | Instructions here: https://dev1galaxy.org/viewtopic.php?id=2323 | 20:55 |
| fsmithred | Two changes: you can give your mapper names a number at the end and you can use luks type 2 for the root partition. | 20:55 |
| dongle | i appear to have two inet addresses on eth0. isn't that not normal? https://paste.debian.net/1324880/ | 21:02 |
| mason | temp64: Random other note: you might want --pbkdf argon2id if you go with LUKS. Background: https://mjg59.dreamwidth.org/66429.html | 21:14 |
| mason | temp64: I've upgraded all my local systems and I deploy with that out of the box now. | 21:15 |
| dongle | ok. i had installed network-manager for the reason that i could have 'nmtui'. i removed it and rebooted and the 2nd inet is gone now. | 21:18 |
| Xenguy | dongle, Has anyone mentioned ifupdown ? | 21:22 |
| Xenguy | I mean as an alternative to NM | 21:24 |
| dongle | Xenguy i think ifupdown is default installed no? | 21:24 |
| dongle | i only wanted nmtui for wifi if i need which i dont really need | 21:25 |
| Xenguy | dongle, I've been mentioning to people about being able to avoid NM for public wifi by using these instructions: https://www.devuan.org/os/documentation/install-guides/daedalus/network-configuration.html | 21:26 |
| Xenguy | Once it is set up (i.e. 2 files configured and 'wpa_gui' installed), it does the same job for me that 'wicd' used to do. | 21:27 |
| dongle | thanks i'll have a look | 21:27 |
| Xenguy | dongle, np, I'm really happy I don't have to deal with NM or connman, now that wicd is no longer available... | 21:28 |
| Xenguy | Let me know if a sample of my config files would help at any point. | 21:29 |
| dongle | sure thx | 21:29 |
| dongle | Xenguy: if i use allow-hotplug wlan0 what command starts wlan0? | 21:39 |
| dongle | oh wpa_gui | 21:46 |
| temp64 | I'm still not sure what the difference is between allow-hotplug and auto | 21:49 |
| gnarface | allow-hotplug is supposed to be friendlier with USB devices, so like it won't throw an error if the device isn't present | 21:50 |
| gnarface | but it's also supposed to be fine to use with devices that aren't USB, and that hasn't always been the case in my experience, so after they changed the default from auto to allow-hotplug, many times i've had to change it back | 21:51 |
| fsmithred | allow-hotplug uses udev, auto uses ifupdown | 22:00 |
| Xenguy | Yes, 'auto' starts the interface automatically, and 'allow-hotplug' is event-driven. I tend to just use 'auto', but when I'm switching from eth0 or wlan0 for example, I make sure I ifdown the former before bringing up the latter. I also typically preserve my laptop sessions so that I don't have to reboot every time. | 22:01 |
| Xenguy | I'm not sure if there are some use cases where 'auto' would cause issues switching from ethernet cable to wifi and vice versa | 22:02 |
| fsmithred | should have said /etc/init.d/networking for auto | 22:03 |
| fsmithred | I have sometimes been able to use wired and wireless interfaces at the same time | 22:04 |
| Xenguy | I think maybe I tried 'allow-hotplug' in there one time, but wasn't convinced it was working well (as gnarface mentioned earlier) | 22:04 |
| Xenguy | "in there" = /etc/network/interfaces | 22:05 |
| fsmithred | here's a better explanation (from Ralph) https://dev1galaxy.org/viewtopic.php?id=1688 | 22:05 |
| dongle | with wpa_gui i have a wifi connection but i cant browse | 22:06 |
| Xenguy | fsmithred, BTW as an aside, I seem to recall noting that /etc/init.d/networking was deprecated these days (use ifupdown instead?), which I found a bit bizarre | 22:06 |
| Xenguy | dongle, When I first started using this method, I found it a bit finicky until I became more familiar with using it, FWIW | 22:07 |
| dongle | Xenguy: thanks yeah i will need to practice at it | 22:07 |
| Xenguy | I don't know if it matters, but I always 'ifdown eth0' before I initiate wpa_gui to bring up the wlan0 wireless interface | 22:08 |
| Xenguy | dongle, You have the user in the 'netdev' group, yes? | 22:09 |
| dongle | yes | 22:09 |
| Xenguy | Well rest assured it should work fine once you get the hang of it. | 22:10 |
| gnarface | usually the issue is just that the network stack leaves your default route on the first device that was upped | 22:11 |
| gnarface | unless you down it first, of course | 22:12 |
| Xenguy | That seems consistent with my current ifdown eth0/ifup wlan0 sequence then, IIUC | 22:13 |
| dongle | it now works. | 22:16 |
| Xenguy | Yay! | 22:17 |
| dongle | yes! | 22:17 |
| dongle | heh | 22:18 |
| Xenguy | Group membership in 'netdev' is needed for wpa_gui to be able to modify /etc/wpa_supplicant/wpa_supplicant.conf ... | 22:19 |
| Xenguy | But I *think* it will leave the file with '644' permissions? If you have any passwords in there that you want to be private, it's best to chmod 600 the file (as root) I expect | 22:20 |
| dongle | cool | 22:21 |
| fsmithred | Xenguy, /etc/init.d/networking has been claiming that it's deprecated for a long time. Maybe since squeeze or wheezy. | 22:25 |
| fsmithred | I think it's more a warning that not all interfaces might be configured to use it. | 22:25 |
| Xenguy | That was my impression, that it will work the majority of the time | 22:26 |
| rrq | afaik /etc/init.d/networking comes from the ifupdown package, and all claims that it's deprecated are merely by devs wanting to plug other methods of configuring interfaces. | 23:33 |
| rrq | it doesn't come with a gui of course but has rich and detailed man pages | 23:36 |
| rrq | it also implements a highly modularized network management system, which means that it does not provide all-in-one but rather offers easy ways to plug in subfunction implementations, such as dhcp, wifi, bridge and whatnot (e.g. rrqnet) | 23:42 |
| * | rrq obviously is an ifupdown fanboi :) | 23:44 |
| fsmithred | almost a gui -> Ceni - Curses /etc/network/interfaces | 23:58 |