If you want to create certificates for OpenVPN you have to set two additional options in the usr_cert section of the /etc/pki/tls/openssl.cnf file:

nsCertType = server | client
keyUsage = digitalSignature

Of course nsCertType has to be server when you generate a certificate for the OpenVPN server, and client for client certificates.

These options are required when you use the OpenVPN options ns-cert-type and remote-cert-tls.

Sources:

I had a case:

  • Have a service in home local network.
  • I would like to access this service from outside.
  • I don't have routed IP in home.
  • I have VPS with public IP, but I can't run OpenVPN on it.

As a workaround you can use an SSH tunnel with remote port forwarding.

In my example the service is running on the machine 192.168.3.28:8080 and I want to have access to it on port 8090.

First of all you have to add to the /etc/ssh/sshd_config file on the server (the VPS):

GatewayPorts yes

On my router (it doesn't matter which host in the home network you use; mine has address 192.168.3.3) I ran the command:

ssh -R 8090:192.168.3.28:8080 me@jaqb.gda.pl

This command creates a tunnel from the server (jaqb.gda.pl) on port 8090, through my router (192.168.3.3), to port 8080 on host 192.168.3.28 in the home network.

Now I can access it from anywhere.

In fact, my (great!) VPS provider allowed me to run OpenVPN in less than 10 minutes, so it wasn't necessary.
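As an added example (not code from the original post), the script below keeps the remote port forward from above alive. A plain "ssh -R ..." session ends with the first network drop, and if port 8090 is already taken on the VPS it keeps running without the forward; ExitOnForwardFailure and the keepalive options make ssh fail instead, and the loop reconnects. It assumes key-based login to the VPS (BatchMode disables password prompts). The addresses are the post's; the options and the loop are this example's.

```shell
#!/bin/sh
# Added example, not code from the original post: keep the post's remote port
# forward (VPS port 8090 -> 192.168.3.28:8080) alive across connection drops.
# Assumes key-based authentication to the VPS; addresses are the post's.
set -eu

tunnel_args() {
    # $1 = port to open on the VPS, $2 = home host, $3 = home port, $4 = user@vps
    # prints the ssh arguments one per line so they can be checked or executed
    printf '%s\n' \
        -N \
        -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=30 \
        -o ServerAliveCountMax=3 \
        -o BatchMode=yes \
        -R "$1:$2:$3" \
        "$4"
}

run_tunnel() {
    # reconnect forever; wait a little so a refused connection does not spin
    while :; do
        # word-split the printed arguments; none of them contain spaces
        # shellcheck disable=SC2046
        ssh $(tunnel_args "$@") || printf 'tunnel down, retrying\n' >&2
        sleep 10
    done
}

# the post's tunnel; run with "sh tunnel.sh run"
if [ "${1:-}" = run ]; then
    run_tunnel 8090 192.168.3.28 8080 me@jaqb.gda.pl
fi
```

The forward is still bound according to GatewayPorts on the VPS: with "GatewayPorts yes" port 8090 is reachable from the whole Internet, so whatever listens on 192.168.3.28:8080 must be able to stand that exposure.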

Edit the /etc/pki/tls/openssl.cnf file and change the following (dir, certificate and private_key in the CA_default section; the *_default values in the req_distinguished_name section). Of course you have to adapt it, i.e. change the names to yours ;-):

dir            = /etc/pki/CA2017
certificate    = $dir/newCAcert.pem
private_key    = $dir/private/newCAkey.pem
countryName_default            = PL
stateOrProvinceName_default    = pomorskie
localityName_default   = Gdynia
0.organizationName_default     = Jakub Walczak

Because I've changed the default directory, I have to create some files and directories (the directory has to be the same as the dir setting above):

mkdir /etc/pki/CA2017
cd /etc/pki/CA2017
mkdir {certs,crl,newcerts,private}
touch index.txt
echo 00 > serial

Generate a self-signed CA certificate for 5 years (5*365=1825 days):

openssl req -x509 -newkey rsa:2048 -keyout private/newCAkey.pem \
-out newCAcert.pem -days 1825

It's very important to remember the password! You will need it for 5 years, every time you generate a certificate.

Generate the first key and certificate signing request:

openssl req -newkey rsa:2048 -nodes -keyout private/vpn.key \
-out vpn.csr

In most cases you have to provide only the Common Name. Now you have a new vpn.csr (certificate signing request) file.

Sign it:

openssl ca -in vpn.csr -out certs/vpn.pem

Of course you have to enter the CA password.

You have to revoke the old certificate if you want to generate a new certificate with the same Common Name. To revoke a certificate use the command:

openssl ca -revoke certs/vpn.pem

That's all.

To display these files in human-readable form:

  • Certificate Signing Request (CSR)
openssl req -text -noout -verify -in vpn.csr
  • Private key
openssl rsa -in private/vpn.key -check
  • Certificate
openssl x509 -in certs/vpn.pem -text -noout
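As an added example (not code from the original post), the following script runs the same req/ca workflow as above in a throwaway directory, puts the nsCertType and keyUsage options from the OpenVPN note at the top of the page into the usr_cert section, issues one server and one client certificate, and checks the result with openssl x509 and openssl verify. It also sets extendedKeyUsage, because OpenVPN's remote-cert-tls checks extendedKeyUsage and keyUsage rather than nsCertType (the ns-cert-type option was removed in OpenVPN 2.5). The temp directory layout, the section names v3_ca, client_cert and policy_cn_only, the common names, the starting serial 1000 and the unencrypted CA key (so it runs unattended) are this example's assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: build a throwaway CA the way
# the post does (openssl req -x509, then openssl ca), issue a server and a
# client certificate with the extensions the post asks for, and verify them.
# Section names, CNs, serial and directory layout are constructed for this example.
set -eu

write_ca_config() {
    # $1 = absolute CA directory; writes a minimal openssl.cnf into it
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca      = CA_default

[ CA_default ]
dir             = $1
certs           = \$dir/certs
new_certs_dir   = \$dir/newcerts
database        = \$dir/index.txt
serial          = \$dir/serial
certificate     = \$dir/newCAcert.pem
private_key     = \$dir/private/newCAkey.pem
default_md      = sha256
default_days    = 365
policy          = policy_cn_only
x509_extensions = usr_cert

[ policy_cn_only ]
commonName      = supplied

[ req ]
distinguished_name = req_dn

[ req_dn ]
commonName      = Common Name

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

# what the post sets in usr_cert for an OpenVPN server certificate
[ usr_cert ]
basicConstraints = CA:FALSE
nsCertType       = server
keyUsage         = digitalSignature
extendedKeyUsage = serverAuth

# the same for a client certificate
[ client_cert ]
basicConstraints = CA:FALSE
nsCertType       = client
keyUsage         = digitalSignature
extendedKeyUsage = clientAuth
EOF
}

setup_ca() {
    # $1 = CA directory; mirrors the mkdir/touch/echo steps of the post
    mkdir -p "$1/certs" "$1/crl" "$1/newcerts" "$1/private"
    : > "$1/index.txt"
    echo 1000 > "$1/serial"
    write_ca_config "$1"
    # self-signed CA certificate for 5 years (key unencrypted only for this demo)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1825 \
        -config "$1/openssl.cnf" -extensions v3_ca -subj "/CN=Home CA" \
        -keyout "$1/private/newCAkey.pem" -out "$1/newCAcert.pem" 2>/dev/null
}

issue_cert() {
    # $1 = CA directory, $2 = common name, $3 = extension section (usr_cert|client_cert)
    openssl req -newkey rsa:2048 -nodes -config "$1/openssl.cnf" -subj "/CN=$2" \
        -keyout "$1/private/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl ca -config "$1/openssl.cnf" -batch -notext -extensions "$3" \
        -in "$1/$2.csr" -out "$1/certs/$2.pem" 2>/dev/null
}

cert_type() {
    # prints server, client or none, from the nsCertType extension of certificate $1
    text=$(openssl x509 -in "$1" -noout -text)
    case "$text" in
        *"SSL Server"*) echo server ;;
        *"SSL Client"*) echo client ;;
        *) echo none ;;
    esac
}

has_digital_signature() {
    # succeeds when the keyUsage of certificate $1 contains digitalSignature
    openssl x509 -in "$1" -noout -text | grep -q 'Digital Signature'
}

chain_ok() {
    # succeeds when certificate $2 verifies against the CA in directory $1
    openssl verify -CAfile "$1/newCAcert.pem" "$2" >/dev/null 2>&1
}

# stand-alone run: build the CA, issue both kinds of certificate, report, clean up
ca_dir=$(mktemp -d)
setup_ca "$ca_dir"
issue_cert "$ca_dir" vpn-server usr_cert
issue_cert "$ca_dir" laptop client_cert
for name in vpn-server laptop; do
    printf '%s: nsCertType=%s verify=%s\n' "$name" "$(cert_type "$ca_dir/certs/$name.pem")" \
        "$(chain_ok "$ca_dir" "$ca_dir/certs/$name.pem" && echo ok || echo FAIL)"
done
rm -rf "$ca_dir"
```

For a real CA keep the CA key encrypted as the post does (drop -nodes from the first openssl req), and hand the server the cert with nsCertType=server and clients the ones with nsCertType=client; remote-cert-tls on either side then rejects a certificate issued for the other role.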

You can use Let's Encrypt certificates to secure communication with your e-mail server.

After you generate a certificate for your mail server:

certbot-auto certonly --apache --non-interactive --agree-tos \
--email me@mydomain.com -d mail.jaqb.gda.pl

the files have to be copied to a new location, because Postfix/Cyrus IMAP cannot read them: the /etc/letsencrypt/live directory is readable only by root.

The solution is simple. I've copied them into the /etc/postfix directory and changed their group to mail:

cp /etc/letsencrypt/live/mail.jaqb.gda.pl/cert.pem \
                                      /etc/postfix/cert.pem
cp /etc/letsencrypt/live/mail.jaqb.gda.pl/privkey.pem \
                                      /etc/postfix/privkey.pem
cp /etc/letsencrypt/live/mail.jaqb.gda.pl/fullchain.pem \
                                      /etc/postfix/fullchain.pem

chgrp mail /etc/postfix/cert.pem /etc/postfix/privkey.pem \
/etc/postfix/fullchain.pem 

I've added these commands to the /etc/cron.monthly/letsencrypt-auto.bash file (from my last post).

Of course you have to set the appropriate options, at least in /etc/postfix/main.cf:

smtpd_tls_cert_file = /etc/postfix/cert.pem
smtpd_tls_key_file = /etc/postfix/privkey.pem
smtpd_tls_CAfile = /etc/postfix/fullchain.pem

and in /etc/imapd.conf:

tls_cert_file: /etc/postfix/cert.pem
tls_key_file: /etc/postfix/privkey.pem
tls_ca_file: /etc/postfix/fullchain.pem

After a restart:

/etc/init.d/postfix restart
/etc/init.d/cyrus-imapd restart

everything should work. Good luck!
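As an added example (not code from the original post), the script below does the copy and chgrp step as a certbot deploy hook instead of a monthly cron entry, so it runs exactly when a certificate was renewed. deploy_certs copies the three files only when their content changed, makes them readable by root and the given group only (mode 640, so the private key is not world-readable), replaces them atomically and reports whether anything changed, so Postfix and Cyrus are restarted only then. RENEWED_LINEAGE is the variable certbot exports to --deploy-hook scripts; the destination directory, the group and the restart commands are the post's.

```shell
#!/bin/sh
# Added example, not code from the original post: copy renewed Let's Encrypt
# files into /etc/postfix with safe permissions and restart the mail services
# only when something changed. Meant to run as a certbot --deploy-hook.
set -eu

deploy_certs() {
    # $1 = source directory (certbot lineage, e.g. /etc/letsencrypt/live/mail.jaqb.gda.pl)
    # $2 = destination directory, $3 = group that may read the files
    # prints "changed" when at least one file was replaced, otherwise "unchanged"
    changed=unchanged
    for f in cert.pem privkey.pem fullchain.pem; do
        # cp and cmp follow the symlinks in live/, so the current files are used
        if ! cmp -s "$1/$f" "$2/$f" 2>/dev/null; then
            cp "$1/$f" "$2/$f.new"
            chgrp "$3" "$2/$f.new"
            chmod 640 "$2/$f.new"     # owner and group only; never world-readable
            mv "$2/$f.new" "$2/$f"    # atomic replace, no half-written key on disk
            changed=changed
        fi
    done
    echo "$changed"
}

# When run by certbot (certbot-auto renew --deploy-hook /path/to/this/script)
# RENEWED_LINEAGE is set; otherwise nothing happens, so the function can be
# sourced and tested on its own.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    if [ "$(deploy_certs "$RENEWED_LINEAGE" /etc/postfix mail)" = changed ]; then
        /etc/init.d/postfix restart
        /etc/init.d/cyrus-imapd restart
    fi
fi
```

Because the hook only fires on an actual renewal, the monthly "certbot-auto renew" entry can stay as it is; the copy no longer depends on the cron job running after the renewal.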

If you want to create a certificate you should download certbot-auto and install it in your system:

wget "https://dl.eff.org/certbot-auto"
mv certbot-auto /usr/local/sbin/
chmod u+x /usr/local/sbin/certbot-auto

Then you can request your first (test) certificate:

certbot-auto certonly --test-cert --apache \
--non-interactive --agree-tos --email me@mydomain.com \
-d www.jaqb.gda.pl

If you want to recreate the certificate after testing, you have to delete it and then create it again (without the --test-cert option):

certbot-auto delete -d www.jaqb.gda.pl
certbot-auto certonly --apache --non-interactive  --agree-tos \
--email me@mydomain.com -d www.jaqb.gda.pl

Of course you can obtain more than one certificate:

certbot-auto certonly --apache --non-interactive  --agree-tos \
--email me@mydomain.com -d dev.jaqb.gda.pl

All certificates are stored in the /etc/letsencrypt/live directory.

The certificates are valid only for 3 months, but don't worry, everything can be automated. I've added this to cron (/etc/cron.monthly/letsencrypt-auto.bash):

#!/bin/bash

certbot-auto renew --apache --non-interactive --agree-tos \
--email me@mydomain.com

I hope it will work... ;-)

I had a problem with Domoticz and switches.

I have an ESP8266 module (with ESP Easy v.120) and a relay (SSR); it's very simple to get it working using the web interface.

I would like to have some kind of physical switch, so I don't have to use my phone to turn on the light. My solution is not so simple; I think it can be done better.

My ESPEasy module has address 192.168.1.7, the SSR is connected to GPIO12 and the touch sensor is connected to GPIO14. It has "Protocol" configured as "Domoticz HTTP". The "touch" switch is defined in ESPEasy as:

  • Device: "Switch input"
  • IDX / Var: 10 (Idx from Domoticz)
  • 1st GPIO: GPIO14
  • Type: "Switch"
  • Switch Button Type: "Normal switch"
  • Send Data: On

I didn't define the relay connected to GPIO12; it is set directly from Domoticz as described below.

My Domoticz has address 192.168.1.8. I defined "dummy" hardware with two "switches":

  1. "light" - it has "On action" defined as http://192.168.1.7/tools?cmd=GPIO%2C12%2C0 and "Off action" as http://192.168.1.7/tools?cmd=GPIO%2C12%2C1
  2. "touch" - without any settings

Next I defined a new "Event" ("Lua", "Device"):

commandArray = {}

-- each time the "touch" device changes to Off, toggle the "light" switch,
-- whose On/Off actions drive GPIO12 on the ESPEasy module
if (devicechanged['touch']=='Off') then
    if (otherdevices['light']=='Off') then
--        print ("switching on");
        commandArray['light']='On'
    else
--        print ("switching off");
        commandArray['light']='Off'
    end
end

return commandArray

Remember to tick the "Event active" checkbox.

Now I can use both the web interface and the physical switch to turn the light on/off.
