105 sats \ 13 replies \ @optimism 12 Dec \ parent \ on: OpenSats canary is out of date bitcoin
Everything below is observations, not accusations.
We should not automate SSL renewal anyway because automating means exposing credentials somewhere. Even if you use an HSM. Please also consider not having the key that is authorized to renew your cert on the server that contains the SSL key.
A process execution failure is something that should be prevented in every org. As an individual, whatever, it's plausible and forgivable. For an org, we generally call this negligence, which is not in any way forgivable.
> Please also consider not having the key that is authorized to renew your cert on the server that contains the key.

Mhh, I use certbot with HTTP challenges, and I have not considered this, thank you! But I wonder how important it is, because only root on my server can access them. How important are SSL certificates, if the server the website is running on is fully compromised?
https://pastebin.com/nSDL7qxb is a quick hack to serve you a prometheus endpoint for cert expiry. Ingest with prom, then grafana or something on top and then have it send you alerts at 7 days, 3 days, 1 day, 12 hours, 6 hours, 5 hours, 4,3,2,1, 30 mins, 10 mins, and a dead letter at 0 lol
Use env.
HOSTS=www.domaina.com,domainb.com,yourotherdomain.org
This is how I alert myself, lol:

```bash
function ntfy() {
    curl -H "Title: $1" -d "$2" ntfy.sh/ekzyis-id-you-would-like-to-know-was-here
}
some_command || ntfy "some_command failed" "exit code $? :("
```
This has served me well for a year or more! Very simple, and it's all I need, at least so far.
I used to run Grafana and Prometheus to track CPU, memory, disk I/O, network I/O of my machines, but I realized it's more cool to look at than actually useful for my needs.
Instead, I now have alerts with ntfy.sh for most things I need to respond to.
For example, this is the function I use to keep track of expiring SSL certificates:
```bash
# ntfy, printf_color and printf_timeout are helpers defined elsewhere in the same script.
check_ssl_expiry () {
    DOMAIN="$1"
    WARNING_THRESHOLD=30   # days
    TIMEOUT=10             # seconds
    printf 'checking ssl expiry of %s ... ' "$DOMAIN"
    # -servername sends SNI, so a virtual host returns the certificate for this domain
    CERT=$(echo "QUIT" | timeout $TIMEOUT openssl s_client -servername "$DOMAIN" -connect "$DOMAIN":443 2>/dev/null)
    RET=$?
    if [ $RET -eq 124 ]; then
        # exit code 124 is timeout(1) killing openssl
        printf_timeout $TIMEOUT
        ntfy "ssl connect timeout" "$DOMAIN
timeout after $TIMEOUT seconds"
        return 124
    fi
    if [ $RET -ne 0 ]; then
        printf_color "openssl returned exit code $RET\n" "red"
        ntfy "ssl connect failed" "$DOMAIN: openssl returned exit code $RET"
        return 1
    fi
    # notAfter of the leaf certificate, e.g. "Dec 31 23:59:59 2025 GMT"
    EXPIRY=$(echo "$CERT" | openssl x509 -noout -enddate | cut -d'=' -f2)
    EXPIRY_EPOCH=$(date -d "$EXPIRY" +%s)   # GNU date
    NOW_EPOCH=$(date +%s)
    DAYS_LEFT=$(( (EXPIRY_EPOCH - NOW_EPOCH) / 86400 ))
    if [ $DAYS_LEFT -lt $WARNING_THRESHOLD ]; then
        printf_color "$DAYS_LEFT days left\n" "red"
        ntfy "ssl expiry" "$DOMAIN: $DAYS_LEFT day(s) left"
        return 1
    fi
    printf_color "$DAYS_LEFT days left\n" "green"
}
```
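As an added example (my own code, not from this thread or the linked pastebin), here is a Python counterpart to the cert-expiry exporter and alert ladder described a few posts up and to the check_ssl_expiry function above: it parses openssl-style notAfter values (the same format ssl getpeercert() returns), emits Prometheus text-exposition lines, and fires each rung of the 7 days to 0 ladder once. The metric name ssl_cert_expiry_seconds and the HOSTS parsing are my assumptions.

```python
import os, socket, ssl
from datetime import datetime, timezone

# Alert ladder from the thread (7d, 3d, 1d, 12h, 6h, 5h, 4h, 3h, 2h, 1h, 30m, 10m,
# dead letter at 0), in seconds, smallest rung first so the first match is the tightest.
ALERT_LADDER = sorted([7 * 86400, 3 * 86400, 86400, 12 * 3600, 6 * 3600, 5 * 3600,
                       4 * 3600, 3 * 3600, 2 * 3600, 3600, 1800, 600, 0])

def hosts_from_env(value=None):
    """HOSTS=www.domaina.com,domainb.com -> ['www.domaina.com', 'domainb.com'] (assumed format)."""
    raw = os.environ.get("HOSTS", "") if value is None else value
    return [h.strip() for h in raw.split(",") if h.strip()]

def parse_not_after(text):
    """Parse 'notAfter=Dec  1 23:59:59 2025 GMT' (openssl x509 -enddate output) or the
    bare value from ssl getpeercert()['notAfter']; returns an aware UTC datetime."""
    value = " ".join(text.split("=", 1)[-1].split())
    return datetime.strptime(value, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)

def fetch_not_after(host, port=443, timeout=10):
    """Live check: TLS handshake with SNI and chain verification, then read notAfter."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return parse_not_after(tls.getpeercert()["notAfter"])

def seconds_left(not_after, now):
    return int((not_after - now).total_seconds())

def prometheus_lines(expiries, now):
    """expiries: {host: notAfter datetime} -> Prometheus text-exposition lines."""
    out = ["# HELP ssl_cert_expiry_seconds Seconds until the certificate expires.",
           "# TYPE ssl_cert_expiry_seconds gauge"]
    for host in sorted(expiries):
        out.append('ssl_cert_expiry_seconds{host="%s"} %d' % (host, seconds_left(expiries[host], now)))
    return out

def alert_tier(secs):
    """Tightest ladder rung (seconds) that secs has crossed, or None when > 7 days remain."""
    for rung in ALERT_LADDER:
        if secs <= rung:
            return rung
    return None

def should_notify(secs, last_tier):
    """Fire once per rung: return the rung only when it is lower than the last one notified."""
    tier = alert_tier(secs)
    if tier is None or (last_tier is not None and tier >= last_tier):
        return None
    return tier
```

Persist the last notified rung per host between runs (a file is enough) so a cron job sends one message per rung instead of one per run.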
Funny how we have functionally the same solution.
> I used to run Grafana and Prometheus to track CPU, memory, disk I/O, network I/O of my machines, but I realized it's more cool to look at than actually useful for my needs.

I've gone off it in the past, and had some times of vacuum between solutions before it was a thing. However, all my software uses prometheus for monitoring and I don't write anything without fine-grained telemetry anymore, so I just have a stable environment for this now.
Ah, haha. You even also print ASCII art, I also do that if figlet is installed:

```bash
#!/usr/bin/env bash
...
command -v figlet > /dev/null
if [ $? -eq 0 ]; then
    figlet -f graffiti bark 2> /dev/null && echo -e " your network watchdog\n"
fi
...
```
lol, leaked my ntfy channel id for a second, but wouldn't be a problem, since I could just create a new one
For a DNS challenge, doesn’t my DNS provider need to provide the correct API?
But I just looked into it again, and seems like Namecheap actually does provide the API I need. All I need is a way to set TXT records, right? For some reason, the last time I looked into it, I came to the conclusion I can't use DNS challenges with Namecheap 🤔
DNS for https://ekzy.is/ is from ISNIC though, but I think their EPP API might also be what I need for DNS challenges.
Since, as mentioned, this is stuff that is only important every few months, it's hard for me to have the discipline or motivation to properly look into it haha
> All I need is a way to set TXT records, right?

Yes.

> EPP API

I think this is for setting the NS records with the registrar though? I could be mistaken - never have dealt with .is domains.

> Since, as mentioned, this is stuff that is only important every few months, it's hard for me to have the discipline or motivation to properly look into it.

I get that. I currently manage 20+ domains with certbot so it would be like a weekly exercise, as somehow I manage to have them diverge on expiry over time, even when sometimes I try to re-cluster them to expire on the same date.