What I’m working on now: Poor man’s version of Speedtest.net

Intro
Now that I have a dual-band router I wanted to run some tests to see if 5 GHz is really faster and more stable than 2.4 GHz, as my intuition was telling me. But my only 5 GHz device where I had a chance to measure was my amazon Fired HD tablet, and wouldn’t you know that it’s incapable of running speedtest (speedtest.net). The web site forced it to a mobile app version, but amazon’s app store, being limited in its offerings, doesn’t have a speedtest app!

Anyway speedtest.net runs ads pretty aggressively, which I don’t like.

So I decided to try to write my own.

This turned out to be very hard to do. It turns out I suck at Javascript.

Some details
Normally I show all my false starts in the hopes that others can learn frmo my mistakes, but my Javascript blunders are just too painful and I never did sort them out. When I use javascript methods to set page timers I got completely inconsistent and hence unreliable results. So I settled on this simplistic PHP approach to gauge download speed:

<html>
<head>
</head>
<body>
<?php
// - DrJ 3/2017
// the weakness of this method is that it is a single stream
echo "Date: " . date('h:i:s') . "<br>\n";
$starttime = microtime(true);
for ($x = 0; $x < 750000; $x++) {
  $string .= mt_rand(1000000,9999999);
}
 
echo "<!-- $string -->\n";
//start again
//echo date('h:i:s');
echo "<div id='bottomtest'></div>\n";
$endtime = microtime(true);
$timediff = $endtime - $starttime;
$timediff = $timediff;
//echo "php timer: starttime: " . $starttime . " endtime: " . $endtime . " diff: " . $timediff . "<br>\n";
echo "Page load time: " . $timediff . " s<br>\n";
// 1.04 is observed overhead of IP + tcp. try ip -s link show eth0 before and after running curl
$dataset = 1.04*(strlen($string) + 200)/1000000.0;
$mbps = $dataset*8.0/$timediff;
echo "Mbytes downloaded in test: " . $dataset . " Mbytes<br>\n";
echo "Bandwidth: " . $mbps ." mbps<br>\n";
?>
<br><br>
<form>
<input type="submit" value="Test Again">
</form>
</html>

I called the file index.php and put it on my server in a directory of my choosing, let’s say, downloadtimer, and run it. The results look like this:

Date: 07:30:33
Page load time: 6.9666068553925 s
Mbytes downloaded in test: 5.460208 Mbytes
Bandwidth: 6.270149142432 mbps
 
Test again

To be continued…
References and related
Meanwhile a friend pointed out a couple superior speed test web sites. At&t’s Speedtest is a good choice. There are few if any ads, and it runs on my Fire HD tablet and it’s fun to watch. speedtest.att.com

This one seems only slightly less aggressive than speedtest.net: Internet Frog. Internet Frog works on my tablet but with limited functionality and a non-flashy interface.

Posted in Web Site Technologies | Tagged | Leave a comment

White web page: maximizes your backlight with no invasion of privacy

Intro
Maybe it’s just me, but I’ve always had some issues getting my flashlight app to work on my phones. First there’s the issue of finding one from a trusted source (many contain spyware: access to my contacts?? for a flashlight?? I don’t think so…). So I trusted Swiss Army Knife, but then I had to launch that, then drill down to the flashlight, blah, blah. And the flashlight app on the Windows phone also looks a little seedy. And anyway sometimes you don’t want to overwhelm with your camera’s LED. Maybe just a simple glow from the backlight of your screen is enough to guide you down the hallway int he dark… I know I found myself using both my Fire HD tablet and my Windows phone in exactly that way.

Then I decided to scan a slide, using the backlight of my tablet to permit the scanner to see the colors, etc. That did not work out, by the way. It sounds like a good idea, though, doesn’t it? i guess the backlight is not sufficiently bright. maybe if I play with screen brightness…

Anyway, for all the above reasons I realized I could use a white backlight app. Rather than pay $0.99 for another dodgy app, I decided to write a web page that displays an all-white background. Then i could bookmark it and use it on both my Windows phone and my tablet!

White backlight web page
This is really complicated – don’t try this for yourself. Ha, ha just kidding. This is about as simple as it gets. Falls into the catgeory of “wish I had thought of it sooner,” or “Duh.”

White backlight web page

The HTML code
Want to put this on your own web server? Here is the code.

<html><head><body bgcolor="white"></htnml>

Conclusion
No banners, no ads, no intrusive permissions: this is a web page that maximizes the soft glow of your device’s backlight. You could play with your screen brightness to possibly make it still brighter, adjust the length it glows for, etc. For convenience to pull it up in a jiffy I’ve bookmarked my White backlight web page.


References and related

White backlight web page.

Posted in Consumer Tech, Web Site Technologies | Leave a comment

Bluecoat ProxySG and DNS using edns seem incompatible

Intro
Imagine your DNS server had this behaviour when queried using dig:

$ dig drjohnstechtalk.com @146.201.145.30

; <<>> DiG 9.9.2-P2 <<>> drjohnstechtalk.com @10.201.145.30
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 48905
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
 
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;drjohnstechtalk.com.           IN      A
 
;; Query time: 1 msec
;; SERVER: 10.201.145.30#53(146.201.145.30)
;; WHEN: Fri Feb 24 12:16:42 2017
;; MSG SIZE  rcvd: 48

That would be pretty disturbing, right? The only way to get dig to behave is to turn off edns like this:

$ dig +noedns drjohnstechtalk.com @146.201.145.30

; <<>> DiG 9.9.2-P2 <<>> +noedns drjohnstechtalk.com @10.201.145.30
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31299
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
 
;; QUESTION SECTION:
;drjohnstechtalk.com.           IN      A
 
;; ANSWER SECTION:
drjohnstechtalk.com.    3277    IN      A       50.17.188.196
 
;; Query time: 3 msec
;; SERVER: 10.201.145.30#53(146.201.145.30)
;; WHEN: Fri Feb 24 12:17:00 2017
;; MSG SIZE  rcvd: 53

Nslookup works. But who uses nslookup anyway?

Furthermore, imagine that DNS client and server are on the same subnet, so there is no firewall intermediating their traffic. so we know we can’t blame firewall cutting off large DNS packets, unlike the suggestions made in the references section.

Well, this is exactly the situation in a large company where I consult. The DNS server is unusual: a Bluecoat ProxySG, which can conveniently combine replies from nameservers from two different namespaces.

There does not seem to be an option to handle edns queries correctly on a Bluecoat device.

The client is running SLES version 11. The real question is how will applications behave? Which type of query will they make?

Bluecoat Response
Bluecoat does not support eDNS and gives a response permitted by RFC2671. RFC2671 also encourages clients to account for error responses and drop the use of eDNS in a retry.

References and related
EDNS: What is it all about? is a really good explanation of edns and how it came about, how it’s supposed to work, etc.
This post suggests some scenarios where edns may not work, though it does not address the Bluecoat issue: http://blog.fpweb.net/strange-dns-issues-better-check-out-edns/#.WLBmw3dvDkk
RFC 2671

Posted in Admin, DNS, Network Technologies | Tagged , , | Leave a comment

The latest on handling of SHA-1 certificates by the major browsers

Intro
A certain organization is still using SHA-1 certificates internally, in spite of years of warnings, as I write this in February, 2017. But in the security world lack of action = eventual weakness. Ignorance is not bliss and putting your head in the sand is not a viable security strategy. So cracks in their approach are starting to appear, especially with the Chrome browser, the latest version of which is showing their internal SSL sites as not secure.

I found these security blog links in the references section below very helpful in getting a feel for what the major browsers take on all this is. A colleague brought them to my attention.

Solutions
The obvious solution is for them to switch to a PKI based on SHA-256 (also known as SHA-2 for short). But apparently it is like turning an aircraft carrier, or maybe pushing a planet into a different orbit, as bureaucratic inertia keeps progress on this front at the level of barely perceptible.

Here’s an image of that part of Chrome that shows the result of an https Intranet site access:

References and related
These are all from the October – November 2016 time frame.
Google security blog: SHA-1 certificates in Chrome
Mozilla security blog: Phasing Out SHA-1 on the Public Web
Microsoft Edge Developer: SHA-1 deprecation countdown

Posted in Security | Tagged , , , , | Leave a comment

Use Raspberry Pi to explore mDNS

Intro
I am confounded by the Bonjour field on my d-Link DCS-931L IP webcam. I should be able to use it to se my desired hostname, but it doesn’t take. Why?

The details
Having a Raspberry Pi on the same network I realized I could at least learn definitively whether or not my new name was being taken, or what the old name was.

You install avahi-discover to do that:

$ sudo apt-get update avahi-discover

Those who follow my blog will realize I am big on Linux command-line, not so much on GUIs. I mention it because unfortunately avahi-discover only works in the GUI. Not having a console I actually had to fire up vncserver and use my vncviewer on my PC! Then I could launch avahi-discover from a terminal window running on the GUI.

The extra fuss was just a few steps anyway, and well worth it.

avahi-discover broke down my home network and all the discovered devices in a very orderly fashion, e.g., the webcam appeared under web servers.

And what did I learn? Indeed, my name had not “taken” for some reason. So the system-supplied name was there instead. For the record that is

dcs931le1a6.local

And testing it:

$ ping dcs931le1a6.local

did indeed show me that it was rsolvable by that name form my local network. My PC could reach it by that name as well. I tied to name it DCS-931L-BALL, and I know someone else who did this successfully, and I had even done it in the past, but it was just not taking it this time.

References and related
mDNS is multicast DNS. It’s designed for home networks. It’s pretty common from wjhat I see, yet largely unknown since It people do not encounter it in enterprise environments. As usual Wikipedia has a good article on it.
Superimposing crosshairs on a webcam image.

Posted in Admin, Network Technologies, Raspberry Pi | Tagged , | Leave a comment

A few thoughts on Universal Basic Income

Intro
I think the time has come to do some large-scale experimentation with this idea for guaranteeing a basic income for all. We’ll need something as our jobs begin to get eliminated by robots, automation and AI!

Some experiments both government-funded and private are ongoing now. Out of Silican Valley’s idealism emerged givedirectly.org, which is providing a modest UBI to all residents of some undisclosed villages in Kenya for 12 years. They are then going to apply metrics to see what difference the UBI has made for these very poor residents.

References and related
Out of this year’s World Economic Forum came this paper which gives a good and cogent argument in favor of Universal Basic Income (UBI).

This ConsenSys paper combines two favorite topics: universal basic income and Blockchain. It also introduced me to Ethereum, an alternative blockchain to bitcoin. My only insight here is based on pragmatic observation. If the ideas proposed are so compelling, why aren’t they already in adoption in failed states with no effective currency, namely Venezuela? I think the idea is that each and everyone should generate their own currency units, say 1000 units per month, and arrange an equivalent exchange rate so that my unit has the same value as yours, and circles of trust so that my village’s exchange rate is equal to your village’s, etc. But I would love to see a long-form critical review from a subject matter expert.

I looked a tiny bit at ethereum, but it looks pretty Windows-based and I’m not too keen on anything I can’t run on my AWS CentOS server so I gave up for the time being. Ethereum is interesting because it’s open source and it’s specifically mentioned as the basis for the ideas in the ConsenSys paper. I would like to know its capabilities better. ethereum.org

To contribute to one of these efforts which are in the experimentation phase, you can go to givedirectly.org, which was recently featured in a New York Times Magazine article. They are applying some science to these efforts in attempting to measure their effects.

Posted in Uncategorized | Tagged , , | Leave a comment

Tips for creating a PayPal Donate button for not-not-for-profits

Intro
I am treating my blog as a public service, so I thought it would be appropriate to have a Donation link even though I have not incorporated as a 501c3 non-profit. Is it even possible? Can I keep my anonymity? These were concerns I raised in my head and ones for which there is no good guidance. Short answer: Yes and Yes.

The details
The link to PayPal’s Donate button creation page is pretty well documented. That’s here. Needless to say, you need a PayPal account first!

The PayPal site walks you through a few options. Since Donate is so often associated with not-for-profits I wanted a different word on the button, like Contribute. But customizing the wording was not one of their offered options.

And this is important: you don’t seem to be able to get out of revealing your PayPal email address. It will appear on your Donation page. So what to do?

Well your PayPal account can have up to eight email addresses associated with it. So in my case where the DNS for drjohnstechtalk.com is hosted by GoDaddy (not the web site, mind you, just the DNS), I simply need to set up an arbitrary address like drjohn At drjohnstechtalk DOT com and have it forward to my personal Gmail account. That’s simple enough with GoDaddy’s service, and they don’t even charge extra! Then back to PayPal where you add that address to your account, receive a confirmatory email that they generate, and confirm using their emailed link.

That’s about it. Now you can go back to the button creation page, call it a Donate button, put in your anonymous email address, and let it generate the HTML code. The HTML code is pretty simple and it can be pasted right into a WordPress page if you use or switch to HTML editing.

Here’s a screen shot of my donate page with its PayPal donate button.

OK, I lied. You probably also want a Thank you page in case someone actually does contribute! So build a Thank you page on your blog and record the URL. In WordPress I see you can create this as a hidden page – not appearing in any menu yet still using your theme. Here is my hidden thank you page as an example. Now you really have everything you need to build your Paypal button – one of the requested fields is the URL for your thank you page which we now have.

But is it appropriate?

Well, if like me you only expect the occasional, rare contribution, it’s probably akin to finding yourself in public short of money and asking for a few bucks to take the subway, or whatever… If you’re expecting to get thousands a year you’d better incorporate as a 501c3! As a courtesy I remind people that their contribution is not tax deductible. I guess for low volume stuff it can be treated the way gifts are treated for tax purposes.

Conclusion
drjohnstechtalk.com I hope serves as an example of “paying it forward.” I have benefitted from some good advice on the Internet (and suffered from some terrible advice as well), so I hope to benefit others by providing some clear guidance on topics where I can contribute. But I don’t see that as a barrier to asking for a modest contribution to help defray operational and research costs. In this post I show how I did it. It turns out to be simple, but not well documented on balance.

References and related
PayPal’s Donate Button creation web page with step-by-step instructions.
Care to donate to drjohnstechtalk.com? Here’s my donate page.
My thank you page.

Posted in Admin, Web Site Technologies | Tagged , | Leave a comment

Switch home router to DD-WRT: FAIL

Intro
I am having problems with my home router, a Cisco E1200, especially with the wireless connections. I thought it might be interesting to try to run it using the open source routing code DD-WRT. Since I am a Linux geek DD-WRT had some attraction for me and I figured it really couldn’t make matters worse. Boy was I wrong.

The details
Dropped connections, slow response, degradation over time – that is all par for the course for my E-1200. Again, mostly affecting WiFi.

Starting from this bare-bones installation write-up, http://www.dd-wrt.com/wiki/index.php/Linksys_E1200v2, I did indeed manage to upgrade the firmware to DD-WRT.

Things they don’t tell you that you probably want to know

Initial login password is blank, and the username is root, not admin.

I wanted to have the SSID I had been using preserved with the same password as well, so that, ideally, I would not have to revisit my devices to get them to learn about a new SSID setup. This was especially important to me due to a wireless Canon 3600 series printer which is particularly difficult to set up. You do it once, fumbling around until it works, and hope to never have to do it again.

And…yes, it auto-created that SSID and I saw client logged into it, so I guess it preserved the password as well. I don’t really know the characteristics that a client uses to decide this is the same SSID as before. The MAC address may be part of that decision. But since this was the same hardware the MAC address was preserved as well.

The results
My hard-wired connection worked pretty well. But WiFi, if you can believe it, was even worse than before! My Office Dell PC just would not pick up an IP address although it did connect to it. When you run ipconfig and only see an address beginning with 169.254. you are in trouble, and that’s what I had. My Dell 2-in-1 laptop could connect OK. But sometimes it worked, sometimes not, over WiFi, and worse than before.

And although some of the Linuxy type things looked somewhat familiar, like bridging with a br0 interface, I didn’t want to invest a lot of time debugging my issues. And the web GUI was a little slow.

ssh was disabled by default. No idea how to turn it on. Do I didn’t have the usual comfort of a Linux command line in working with it.

Issuing commands via the web GUI was just too painfully slow.

Also, come to think of it, it did not grab an IP over its WAN connection. Now I have an unusual ISP that permits me two valid Internet addresses. My Cisco Meraki takes the other address. But rebooting cable modem, Cisco router, etc in any combination just did not permit me to get that 2nd IP address I had been using. Eventually I knocked my Meraki offline. I wasn’t expecting that as it normally runs flawlessly and I hadn’t touched it.

So needless to say I was pretty disgusted and gave up. Question is, could I go back to the Cisco firmware??

Back to Cisco’s embrace
Well it turns out you can go back. Cisco meanwhile had released a newer version of firmware for it and made it available for download over the Internet.

I got the initial Cisco-looking page but had a really tough time logging in! None of the default of previous username/password combinations worked!! root/(blank), admin/admin, (blank)/root, admin/1234, admin/previous_password, none of it let me in! I tried a reset. No go. I read different directions on how to reset. Someone mentioned a 30/30/30 rule. No go. (I guess that was 30 seconds reset, 30 seconds wait, 30 seconds without power). The more official recommendation seemed to be 10 seconds reset. Eventually one of those resets did work – I think the 10 second one, and the default admin/admin got me in. That was a relief!

I figured if my SSID carried over to DD-WRT, surely it would carry over going back to Cisco. But, strangely, it did not. The name was similar, but not the same. Old name: Cisco76538. New: Linksys76538. No way to change it. Thanks Cisco, that was really helpful. CORRECTION. You know how you get used to certain settings? I had WPS enabled. For some reason you enable it in two places. Well, the one place, if you turn it off, allows you to change the SSID! But I need WPS (WiFi protected setup) for some basic Canon printers I have. So I don’t think this is an out.

So I had to visit all my clients one-by-one to re-enter the WiFi info, I still haven’t gotten to that one printer though! And my Wink Hub was no fun to re-configure either.

And performance is inconsistent once again, but much better than under DD-WRT. It’s too early to tell if it is an improvement over the older firmware.

And I gave up on using a 2nd IP address at home. I just channel everything through the Meraki.

Some more thoughts on why the office computer did not get an IP address though it was connected to the DD-WRT network
I’ve seen this problem just this week with a different DHCP server. I think you may only get a 169.254… address if your DHCP server already has your MAC address in its table, so it decides you don’t need another IP, or something like that. But things didn’t seem to get any better after a reboot of the router. So I don’t know.

Some more thoughts on why WiFi performs better through Meraki
The Cisco E1200 is a cheap, 2.4 GHz-band router. It can be set to auto-hop if one of the channels gets interference – that’s one of the WPS buttons. I’m beginning to suspect that is what is happening as I do see the neighbor’s SSIDs. Meraki is dual band, 5 GHz + 2.4 gHz and has the intelligence to use both as needed. I think it has MIMO as well. So it’s almost always going to do better than a cheap home router.

What I ended up doing
In the end I bought a dual-band router: Linksys AC1200 for $91 from Amazon. Turns out my Dell computers do not support 5 gHz. who knew?

Conclusion
Upgrade firmware to DD-WRT? Maybe with enough effort I could have gotten DD-WRT to work. It allows more control than Cisco’s firmware. But with the minimal configuration I was willing to do it was basically useless – very inconsistent and just not working with some devices.

References and related
Very brief DD-WRT install instructions for an E1200: http://www.dd-wrt.com/wiki/index.php/Linksys_E1200v2
Official E1200 download site: http://www.linksys.com/us/support-article?articleNum=148523

Posted in Linux, Network Technologies | Tagged , , | Leave a comment

Free DNS services

Intro
I stumbled upon freenom.com, which offers free DNS domain names. So I tested it and successfully registered drjohnstechtalk.ml. .ml is Mali’s top level domain. I’ve heard it’s the only African country to open up its domains for free registration. There are a few other choices like .tk and .gq which are even more obscure.

As far as I can see this is a no strings service. It’s possible that they will share your registration data with third parties, but I don’t think this is the case since freenom is from the Netherlands where privacy tends to be stricter than in the US.

Limitations
Creating an address record is easy enough, but no other kind of resource record seems available to free users. That can be pretty limiting.

References and related
www.freenom.com. In the search field just put the domain name without the extension, e.g., drjohnstechalk. It will tell you which extensions are available for free.
How about putting a free certificate on your free domain? Let’s Encrypt makes it possible.

Posted in DNS, Hosting Service | Leave a comment

What I’m working on now: saving $69 a year on my certificate costs

Intro
I recently turned off my GoDaddy web site certificate and implemented one that cost me nothing. This will save me $69 per year.

I wrote up my experience in this article: Idea for free web server certificates: Let’s Encrypt

When I originally wrote that article it was a theoretical concept, but since then I’ve encountered web sites using those certificates so I realized that their CA must be widely accepted now and I decided to try for myself. The ACME (automated certificate management environment) environment was something completely new to me and the terminology a little confusing (as a user I don’t “issue” certificates, so whose perspective does the description take anyway?), but I got it to work in the end with the help of a command-line-based utility called acme.sh. I am actually more comfortable with command-line than with GUI programs. You get greater control and greater understanding.

Example of issuing a certificate using the manual DNS method
If you have full control over DNS but not the web server this approach is a good one.

$ sudo acme.sh ‐‐issue ‐‐dns ‐d www2.drjohnstechtalk.com

[Thu Feb 23 11:55:52 EST 2017] Single domain='www2.drjohnstechtalk.com'
[Thu Feb 23 11:55:52 EST 2017] Getting domain auth token for each domain
[Thu Feb 23 11:55:52 EST 2017] Getting webroot for domain='www2.drjohnstechtalk.com'
[Thu Feb 23 11:55:52 EST 2017] _w='dns'
[Thu Feb 23 11:55:52 EST 2017] Getting new-authz for domain='www2.drjohnstechtalk.com'                                     [Thu Feb 23 11:55:54 EST 2017] The new-authz request is ok.
[Thu Feb 23 11:55:54 EST 2017] Add the following TXT record:
[Thu Feb 23 11:55:54 EST 2017] Domain: '_acme-challenge.www2.drjohnstechtalk.com'
[Thu Feb 23 11:55:54 EST 2017] TXT value: '7kU6pGgcNRtrPKuN2Wu1TIGS7YZDBhuiumLb9aEJwqc'
[Thu Feb 23 11:55:54 EST 2017] Please be aware that you prepend _acme-challenge. before your domain
[Thu Feb 23 11:55:54 EST 2017] so the resulting subdomain will be: _acme-challenge.www2.drjohnstechtalk.com
[Thu Feb 23 11:55:54 EST 2017] Please add the TXT records to the domains, and retry again.
[Thu Feb 23 11:55:54 EST 2017] Please add '--debug' or '--log' to check more details.
[Thu Feb 23 11:55:54 EST 2017] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.s/drjohnstechtalk.com/drjohnstechtalk.com/g

Make the requested DNS entry in the zone file (do not include the quotes around the TXT value). Verify your entry with a command like this:

$ dig txt www2.drjohnstechtalk.com

Then run acme.sh again like this
$ sudo acme.sh ‐‐renew ‐d www2.drjohnstechtalk.com

[Thu Feb 23 12:02:18 EST 2017] Renew: 'www2.drjohnstechtalk.com'
[Thu Feb 23 12:02:18 EST 2017] Single domain='www2.drjohnstechtalk.com'
[Thu Feb 23 12:02:18 EST 2017] Getting domain auth token for each domain
[Thu Feb 23 12:02:19 EST 2017] Verifying:www2.drjohnstechtalk.com
[Thu Feb 23 12:02:22 EST 2017] Success
[Thu Feb 23 12:02:22 EST 2017] Verify finished, start to sign.
[Thu Feb 23 12:02:23 EST 2017] Cert success.
-----BEGIN CERTIFICATE-----
MIIFDjCCA/agAwIBAgISAzFs92uVHvnQCId6qFoaui9gMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNzAyMjMxNjAyMDBaFw0x
NzA1MjQxNjAyMDBaMCAxHjAcBgNVBAMTFXd3dzIucmVmaW5pc2guYmFzZi51czCC
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALa9QjcqPSZxXrJmt7kxV9ii
AAI7W0fQdWIk6aDHLfkhsSt55eASOAe05oxnZNqEmcJgXd+2+xUUmm8T5F92l4co
TFiIcMIQ5Jr7Gwg61RnDUe87vI4gctechhhnGcE//4iaJ8Va19exg8HD19dfpdGg
9J2DVnUBqKh4pvItUVe3h8KZOmftQZlLy1QXnEfwEyTj4kGo3phBgOIqh2x15/8Q
tKtM9yr4TKO8clgKLeyXV90ftg4t7kjCdtPx6oRIIq27CO3nwzFq/vFqg6HprE4b
RziUv1yajjw7aHkyhsjWmxdXBlIrokxK3EBrNUo3FUzlLHGGFT2RM1rkbhdaHB0C
AwEAAaOCAhYwggISMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcD
AQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUCvxAhkhpo5Elmge/
3fz5asbprXEwHwYDVR0jBBgwFoAUqEpqYwR93brm0Tm3pkVl7/Oo7KEwcAYIKwYB
BQUHAQEEZDBiMC8GCCsGAQUFBzABhiNodHRwOi8vb2NzcC5pbnQteDMubGV0c2Vu
Y3J5cHQub3JnLzAvBggrBgEFBQcwAoYjaHR0cdrjo2NlcnQuaW50LXgzLmxldHNl
bmNyeXB0Lm9yZy8wIAYDVR0RBBkwF4IVd3d3Mi5yZWZpbmlzaC5iYXNmLnVzMIH+
BgNVHSAEgfYwgfMwCAYGZ4EMAQIBMIHmBgsrBgEEAYLfEwEBATCB1jAmBggrBgEF
BQcCARYaaHR0cDovL2Nwcy5sZXRzZW5jcnlwdC5vcmcwgasGCCsGAQUFBwICMIGe
DIGbVGhpcyBDZXJ0aWZpY2F0ZSBtYXkgb25seSBiZSByZWxpZWQgdXBvbiBieSBS
ZWx5aW5nIFBhcnRpZXMgYW5kIG9ubHkgaW4gYWNjb3JkYW5jZSB3aXRoIHRoZSBD
ZXJ0aWZpY2F0ZSBQb2xpY3kgZm91bmQgYXQgaHR0cHM6Ly9sZXRzZW5jcnlwdC5v
cmcvcmVwb3NpdG9yeS8wDQYJKoZIhvcNAQELBQADggEBADHFgJ3O8v/0zdG48Y1D
ci4wSQqZQSRtalknubVLRC12cr8ct1m0nZ7bxxQnZ/bSFShhcjepFowOfjfdY2ar
GzKP9IRgWavwm259WX5gM5FKUeN/Pjcz++vwUB8ci2+DpZu1tBf0eZcZ6JKsehij
A3lSPb4Ttq/GqDodumeJmvH4/FjCsjIqCJfQQYlz42QdZsLcA2l3oQ8smX0ZK8gh
sIm0SX4RggfiNGuNjw/tkfeC4xfjVNUSjKepUqgsVe63F6gRNjjm+/zsIlPLTdw3
AXGxE71Ww68avev7vRCvp+zPa43DQfVfV98v5M4i0M1/bT0Qh/4hLECma9wBBXb8
jXM=
-----END CERTIFICATE-----
[Thu Feb 23 12:02:23 EST 2017] Your cert is in  /root/.acme.sh/www2.drjohnstechtalk.com/www2.drjohnstechtalk.com.cer
[Thu Feb 23 12:02:23 EST 2017] Your cert key is in  /root/.acme.sh/www2.drjohnstechtalk.com/www2.drjohnstechtalk.com.key
[Thu Feb 23 12:02:23 EST 2017] The intermediate CA cert is in  /root/.acme.sh/www2.drjohnstechtalk.com/ca.cer
[Thu Feb 23 12:02:23 EST 2017] And the full chain certs is there:  /root/.acme.sh/www2.drjohnstechtalk.com/fullchain.cer

More complex example of issuing a SAN certificate using the manual DNS approach

$ ./acme.sh ‐‐issue ‐d johnstechtalk.mobi ‐‐dns ‐d www.johnstechtalk.mobi ‐d drjohnstechtalk.mobi ‐d www.drjohnstechtalk.mobi

[Mon Jan 23 09:21:55 EST 2017] Multi domain='DNS:www.johnstechtalk.mobi,DNS:drjohnstechtalk.mobi,DNS:www.drjohnstechtalk.mobi'
[Mon Jan 23 09:21:55 EST 2017] Getting domain auth token for each domain
[Mon Jan 23 09:21:55 EST 2017] Getting webroot for domain='johnstechtalk.mobi'
[Mon Jan 23 09:21:55 EST 2017] _w='dns'
[Mon Jan 23 09:21:55 EST 2017] Getting new-authz for domain='johnstechtalk.mobi'
[Mon Jan 23 09:21:57 EST 2017] The new-authz request is ok.
[Mon Jan 23 09:21:57 EST 2017] Getting webroot for domain='www.johnstechtalk.mobi'
[Mon Jan 23 09:21:57 EST 2017] _w='dns'
[Mon Jan 23 09:21:57 EST 2017] Getting new-authz for domain='www.johnstechtalk.mobi'
[Mon Jan 23 09:21:57 EST 2017] The new-authz request is ok.
[Mon Jan 23 09:21:57 EST 2017] Getting webroot for domain='drjohnstechtalk.mobi'
[Mon Jan 23 09:21:57 EST 2017] _w='dns'
[Mon Jan 23 09:21:57 EST 2017] Getting new-authz for domain='drjohnstechtalk.mobi'
[Mon Jan 23 09:21:58 EST 2017] The new-authz request is ok.
[Mon Jan 23 09:21:58 EST 2017] Getting webroot for domain='www.drjohnstechtalk.mobi'
[Mon Jan 23 09:21:58 EST 2017] _w='dns'
[Mon Jan 23 09:21:58 EST 2017] Getting new-authz for domain='www.drjohnstechtalk.mobi'
[Mon Jan 23 09:21:58 EST 2017] The new-authz request is ok.
[Mon Jan 23 09:21:58 EST 2017] Add the following TXT record:
[Mon Jan 23 09:21:58 EST 2017] Domain: '_acme-challenge.johnstechtalk.mobi'
[Mon Jan 23 09:21:58 EST 2017] TXT value: 'CDK_dACa_29apV30lc68Vo-mAx3e923ZOh6u-kyhXLo'
[Mon Jan 23 09:21:58 EST 2017] Please be aware that you prepend _acme-challenge. before your domain
[Mon Jan 23 09:21:58 EST 2017] so the resulting subdomain will be: _acme-challenge.johnstechtalk.mobi
[Mon Jan 23 09:21:58 EST 2017] Add the following TXT record:
[Mon Jan 23 09:21:58 EST 2017] Domain: '_acme-challenge.www.johnstechtalk.mobi'
[Mon Jan 23 09:21:58 EST 2017] TXT value: 'UC6JLg1hbXo0oRlYwSyrSRMD5nZgEKgdcIDZfhlqCrU'
[Mon Jan 23 09:21:58 EST 2017] Please be aware that you prepend _acme-challenge. before your domain
[Mon Jan 23 09:21:58 EST 2017] so the resulting subdomain will be: _acme-challenge.www.johnstechtalk.mobi
[Mon Jan 23 09:21:58 EST 2017] Add the following TXT record:
[Mon Jan 23 09:21:58 EST 2017] Domain: '_acme-challenge.drjohnstechtalk.mobi'
[Mon Jan 23 09:21:58 EST 2017] TXT value: 'y8ZCkJ-PXxGbeQFxh7RULCLGKyHH3G7FMFhKpMNF7ow'
[Mon Jan 23 09:21:58 EST 2017] Please be aware that you prepend _acme-challenge. before your domain
[Mon Jan 23 09:21:58 EST 2017] so the resulting subdomain will be: _acme-challenge.drjohnstechtalk.mobi
[Mon Jan 23 09:21:58 EST 2017] Add the following TXT record:
[Mon Jan 23 09:21:58 EST 2017] Domain: '_acme-challenge.www.drjohnstechtalk.mobi'
[Mon Jan 23 09:21:58 EST 2017] TXT value: '8nyb_V7AKaxy0U5pGTKmUejKEXgPv66VKne8yZYZMDg'
[Mon Jan 23 09:21:58 EST 2017] Please be aware that you prepend _acme-challenge. before your domain
[Mon Jan 23 09:21:58 EST 2017] so the resulting subdomain will be: _acme-challenge.www.drjohnstechtalk.mobi
[Mon Jan 23 09:21:59 EST 2017] Please add the TXT records to the domains, and retry again.
[Mon Jan 23 09:21:59 EST 2017] Please add '--debug' or '--log' to check more details.
[Mon Jan 23 09:21:59 EST 2017] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh

Then you add the DNS records they requested in the zone file, for instance,

_acme-challenge.johnstechtalk.mobi IN TXT CDK_dACa_29apV30lc68Vo-mAx3e923ZOh6u-kyhXLo

Then you rerun acme.sh, but with the renew argument:
$ ./acme.sh ‐‐renew ‐d johnstechtalk.mobi
and you should get your SAN certificate issued to you! All the files – private key, intermediate CERT, newly-issued SAN certificate – in ~/.acme.sh/johnstechtalk.mobi/

Of course just put in your own domain names in place of mine. I don’t know how quickly you have to act to put in your TXT records for the DNS authentication challenge. I edited zone files by hand and got them in within a few minutes.

And note the order of the arguments in the original acme.sh command. Often the switch order is immaterial in Linux, but for this command it matters a bit. You have your first mentioned domain, then the dns switch, then your other domain names.


References and related

Idea for free web server certificates: Let’s Encrypt
Info about acme.sh

Posted in Admin, Web Site Technologies | Tagged | Leave a comment