Hans de Rooij

Happy Easter in advance 🐔🍳

Didn't become champion on Saturday yet (still very much in the race though), but a nice action photo nonetheless

Pi3 (Part XVII)

Install SSL client certificate in Chrome browser

Chrome indicates that the self-signed certificate is not secure.

https://www.dropbox.com/s/rzpyxsoyv4de00f/ScreenShot%202017-01-30%20204456.png?dl=0

Chose 'continue to site'; the web page is now available

https://www.dropbox.com/s/j1ew3joqrrs9k6m/ScreenShot%202017-01-30%20204727.png?dl=0

Verified that the client location is not available without the client certificate

https://www.dropbox.com/s/ixzyg88r80z2l44/ScreenShot%202017-01-30%20205023.png?dl=0

Add the CA certificate

https://www.dropbox.com/s/3z0lpzf3eyism3h/ScreenShot%202017-01-30%20205514.png?dl=0

https://www.dropbox.com/s/09l0ztyzw59ev7v/ScreenShot%202017-01-30%20205907.png?dl=0

https://www.dropbox.com/s/zb0czl0l7s0td2g/ScreenShot%202017-01-30%20205941.png?dl=0

https://www.dropbox.com/s/qyhiifl5ufx2qws/ScreenShot%202017-01-30%20205955.png?dl=0

https://www.dropbox.com/s/cwr5s08rcd8uzcf/ScreenShot%202017-01-30%20210031.png?dl=0

https://www.dropbox.com/s/f29rvvkvs0evz2l/ScreenShot%202017-01-30%20210053.png?dl=0

https://www.dropbox.com/s/fehm656bcx42src/ScreenShot%202017-01-30%20210106.png?dl=0

Add the client certificate

https://www.dropbox.com/s/vx8e6yyvle4by5u/ScreenShot%202017-01-30%20210217.png?dl=0

https://www.dropbox.com/s/lip7jg6vx54d0gg/ScreenShot%202017-01-30%20210224.png?dl=0

https://www.dropbox.com/s/tjet3mdix4fw5n1/ScreenShot%202017-01-30%20210239.png?dl=0

https://www.dropbox.com/s/wy4g7oxs2o6s3tm/ScreenShot%202017-01-30%20210258.png?dl=0

https://www.dropbox.com/s/kaj6h07je8rsa04/ScreenShot%202017-01-30%20210304.png?dl=0

https://www.dropbox.com/s/7aeuf02wi880wv2/ScreenShot%202017-01-30%20210309.png?dl=0

https://www.dropbox.com/s/gs67a5kk1ute7cx/ScreenShot%202017-01-30%20210317.png?dl=0

https://www.dropbox.com/s/xmf11jz0gm61un3/ScreenShot%202017-01-30%20210400.png?dl=0

Pi3 (Part XV)

I had been experimenting before with SSL on the Pi (https://goo.gl/9b8jft & https://goo.gl/9xW8y6). Now I wanted to work with client certificates as well. I found this article http://theheat.dk/blog/?p=1023 on the Internet and thought I'd give it a go.

For starters I did some ground work in the OpenSSL directory which I had created before;

$ cd ~
$ cd OpenSSL
$ mkdir Pi3Certs && cd $_
$ mkdir certs csr newcerts private
$ cp /etc/ssl/openssl.cnf ./
$ echo 00 > serial
$ echo 00 > crlnumber
$ touch index.txt

Made only one minor alteration to the OpenSSL configuration file;

$ vim openssl.cnf

dir = ./


I then created the key and the certificate needed to be my own certification authority;

Please note formatting by Google+

$ openssl genrsa -des3 -passout pass:qwerty -out private/HdrPi3CertAuth.key 2048
$ openssl rsa -passin pass:qwerty -in private/HdrPi3CertAuth.key -out private/HdrPi3CertAuth.key
$ openssl req -config openssl.cnf -new -x509 -subj '/C=NL/L=Delft/O=HdrPi3CertAuth/CN=hdr.is-a-geek.com' -days 999 -key private/HdrPi3CertAuth.key -out certs/HdrPi3CertAuth.crt


Next step was to generate the Pi3 Apache server key and certificate and self sign it (why not use the authority you have);

$ openssl genrsa -des3 -passout pass:qwerty -out private/HdrPi3Server.key 2048
$ openssl rsa -passin pass:qwerty -in private/HdrPi3Server.key -out private/HdrPi3Server.key
$ openssl req -config openssl.cnf -new -subj '/C=NL/L=Delft/O=HdrPi3Server/CN=hdr.is-a-geek.com' -key private/HdrPi3Server.key -out csr/HdrPi3Server.csr
$ openssl ca -batch -config openssl.cnf -days 999 -in csr/HdrPi3Server.csr -out certs/HdrPi3Server.crt -keyfile private/HdrPi3CertAuth.key -cert certs/HdrPi3CertAuth.crt -policy policy_anything


As a last step I created a client certificate. This was my initial motivation to embark on this journey;

$ openssl genrsa -des3 -passout pass:qwerty -out private/HdrPi3Client.key 2048
$ openssl rsa -passin pass:qwerty -in private/HdrPi3Client.key -out private/HdrPi3Client.key
$ openssl req -config openssl.cnf -new -subj '/C=NL/L=Delft/O=HdrPi3Client/CN=hdr.is-a-geek.com' -key private/HdrPi3Client.key -out csr/HdrPi3Client.csr
$ openssl ca -batch -config openssl.cnf -days 999 -in csr/HdrPi3Client.csr -out certs/HdrPi3Client.crt -keyfile private/HdrPi3CertAuth.key -cert certs/HdrPi3CertAuth.crt -policy policy_anything
$ openssl pkcs12 -export -passout pass:qwerty -in certs/HdrPi3Client.crt -inkey private/HdrPi3Client.key -certfile certs/HdrPi3CertAuth.crt -out certs/HdrPi3Client.p12


I copied the server keys and certificates to the appropriate directories on the Pi;

$ sudo cp certs/HdrPi3Server.crt /etc/ssl/certs
$ sudo cp private/HdrPi3Server.key /etc/ssl/private
$ sudo cp certs/HdrPi3CertAuth.crt /etc/ssl/certs
$ sudo cp private/HdrPi3CertAuth.key /etc/ssl/private

...and implemented the necessary changes in the SSL configuration file;

$ sudo vim /etc/apache2/sites-enabled/default-ssl.conf

SSLCertificateFile /etc/ssl/certs/HdrPi3Server.crt
SSLCertificateKeyFile /etc/ssl/private/HdrPi3Server.key

SSLCertificateChainFile /etc/ssl/certs/HdrPi3CertAuth.crt

SSLCACertificateFile /etc/ssl/certs/HdrPi3CertAuth.crt

<Location "/vc">
SSLVerifyClient require
SSLVerifyDepth 10
</Location>

With these changes the HTTPS root will be available publicly but the subdirectory vc will only be accessible to users in possession of the client certificate.


Before restarting the server I created content for the location vc;

$ mkdir /var/www/ssl/html/vc
$ vim /var/www/ssl/html/vc/index.html


I restarted the server to put the changes into effect;

$ sudo apache2ctl restart


Needed to import the client certificate in my browser but, upon completion of that step, everything worked exactly as expected.

$10 donation to the favorite charity of the first person to tell me the content of the index file in directory vc! Please be gentle on my Pi though :-)
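The CA, server and client certificates from this post, rebuilt as an added shell example (this is not code from the post) in a throwaway directory, followed by the check that the <Location "/vc"> block depends on: a certificate is only accepted if it chains to HdrPi3CertAuth. It assumes openssl on PATH; the minimal config file, the "RogueCertAuth" CA used for the negative check, and the extendedKeyUsage values on the leaf certificates are additions of this example (the post's certificates carry whatever /etc/ssl/openssl.cnf assigns). "openssl x509 -req -CA" replaces the post's "openssl ca" so that no index.txt or serial file is needed.

```sh
#!/bin/sh
# Added example, not code from the post: rebuild the CA / server /
# client chain of Pi3 (Part XV) and check that only a client
# certificate issued by HdrPi3CertAuth is accepted. File names mirror
# the post; RogueCertAuth and the config are constructed for this example.
set -eu

# Minimal OpenSSL config (the post copies /etc/ssl/openssl.cnf instead).
# Leaf sections add EKUs so a server cert cannot double as a client cert.
write_config() {  # $1 = work dir
    cat > "$1/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt             = no
x509_extensions    = v3_ca
[dn]
commonName = hdr.is-a-geek.com
[v3_ca]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[server_ext]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:hdr.is-a-geek.com
[client_ext]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# Self-signed CA key and certificate (the post's genrsa -des3 followed by
# the passphrase strip ends with the same unencrypted key).
make_ca() {  # $1 = work dir, $2 = CA name
    openssl genrsa -out "$1/private/$2.key" 2048 2>/dev/null
    openssl req -config "$1/openssl.cnf" -new -x509 -days 999 \
        -subj "/C=NL/L=Delft/O=$2/CN=hdr.is-a-geek.com" \
        -key "$1/private/$2.key" -out "$1/certs/$2.crt"
}

# CSR plus CA-signed leaf certificate with the given extension section.
issue_cert() {  # $1 = work dir, $2 = CA name, $3 = leaf name, $4 = ext section
    openssl genrsa -out "$1/private/$3.key" 2048 2>/dev/null
    openssl req -config "$1/openssl.cnf" -new \
        -subj "/C=NL/L=Delft/O=$3/CN=hdr.is-a-geek.com" \
        -key "$1/private/$3.key" -out "$1/csr/$3.csr"
    openssl x509 -req -days 999 -in "$1/csr/$3.csr" \
        -CA "$1/certs/$2.crt" -CAkey "$1/private/$2.key" -CAcreateserial \
        -extfile "$1/openssl.cnf" -extensions "$4" \
        -out "$1/certs/$3.crt" 2>/dev/null
}

# Build the whole PKI in a temp dir and print its path.
build_pki() {
    dir=$(mktemp -d)
    mkdir -p "$dir/certs" "$dir/csr" "$dir/private"
    write_config "$dir"
    make_ca "$dir" HdrPi3CertAuth
    issue_cert "$dir" HdrPi3CertAuth HdrPi3Server server_ext
    issue_cert "$dir" HdrPi3CertAuth HdrPi3Client client_ext
    # Browser import bundle, as in the post (export password qwerty).
    openssl pkcs12 -export -passout pass:qwerty \
        -in "$dir/certs/HdrPi3Client.crt" -inkey "$dir/private/HdrPi3Client.key" \
        -certfile "$dir/certs/HdrPi3CertAuth.crt" -out "$dir/certs/HdrPi3Client.p12"
    # Unrelated CA and client certificate (constructed) for the negative check.
    make_ca "$dir" RogueCertAuth
    issue_cert "$dir" RogueCertAuth RogueClient client_ext
    printf '%s\n' "$dir"
}

# The check mod_ssl makes against SSLCACertificateFile: does the presented
# certificate chain to our CA, and is it usable as a TLS client cert?
verify_client() {  # $1 = CA cert, $2 = presented cert; prints ok/rejected
    if openssl verify -purpose sslclient -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo rejected
    fi
}

pki=$(build_pki)
echo "HdrPi3Client: $(verify_client "$pki/certs/HdrPi3CertAuth.crt" "$pki/certs/HdrPi3Client.crt")"
echo "HdrPi3Server: $(verify_client "$pki/certs/HdrPi3CertAuth.crt" "$pki/certs/HdrPi3Server.crt")"
echo "RogueClient:  $(verify_client "$pki/certs/HdrPi3CertAuth.crt" "$pki/certs/RogueClient.crt")"
```

Running it prints ok for HdrPi3Client and rejected for the other two: the server certificate fails because its EKU is serverAuth only, the rogue one because it does not chain to HdrPi3CertAuth, which is the same decision Apache takes for the /vc location.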


Pi3 (Part XIV)

Using https://goaccess.io/ an open source real-time web log analyzer

The code depends on ncurses, so;

$ sudo apt-get install libncurses5-dev libncursesw5-dev

Then download and install the application;

$ cd ~
$ mkdir goaccess
$ cd goaccess
$ wget http://tar.goaccess.io/goaccess-1.1.1.tar.gz
$ tar -xzvf goaccess-1.1.1.tar.gz
$ cd goaccess-1.1.1/
$ ./configure --enable-utf8
$ make
$ sudo make install

Edit the application configuration file;

$ sudo vim /usr/local/etc/goaccess.conf

Uncomment (remove the leading #);
#time-format %H:%M:%S
#date-format %d/%b/%Y
#log-format %h %^[%d:%t %^] "%r" %s %b

You can now execute;

To see the content of the most recent log file
$ goaccess -f /var/log/apache2/access.log -a

and the archived log files including the most recent one
$ zcat -f /var/log/apache2/access.log* | goaccess

For Ubuntu use the official GoAccess repository (instructions https://goaccess.io/download). Please note, (1) no need to install ncurses, (2) I was able to compile with geo support and (3) the configuration file is /etc/goaccess.conf.
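As an added example (not from the post), a small awk pass over Apache access log lines in the same layout GoAccess is configured with above (%h %^[%d:%t %^] "%r" %s %b): per-status counts, plus a list of clients that were repeatedly refused on the client-certificate-protected /vc location of the earlier post. The log lines are constructed for this example, and the check assumes mod_ssl answers 403 when SSLVerifyClient require is not satisfied.

```sh
#!/bin/sh
# Added example, not code from the post: status counts and repeated
# refusals on /vc from Apache access log lines (constructed below).
set -eu

SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.7 - - [30/Jan/2017:20:44:56 +0100] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [30/Jan/2017:20:47:27 +0100] "GET /vc/ HTTP/1.1" 403 199
203.0.113.7 - - [30/Jan/2017:20:47:31 +0100] "GET /vc/index.html HTTP/1.1" 403 199
198.51.100.9 - - [30/Jan/2017:20:50:23 +0100] "GET /vc/ HTTP/1.1" 200 87
192.0.2.44 - - [30/Jan/2017:20:55:14 +0100] "GET /vc/ HTTP/1.1" 403 199
EOF

# Requests per HTTP status, one "status count" pair per line.
# Field 9 is %s (status) once the request line "GET /path HTTP/1.1"
# has been split into fields 6, 7 and 8.
status_counts() {  # $1 = log file
    awk '{ n[$9]++ } END { for (s in n) print s, n[s] }' "$1" | sort
}

# Clients refused (403) on /vc more than $2 times: hosts that keep
# hitting the protected location without a valid client certificate
# (assumption: mod_ssl returns 403 when SSLVerifyClient require fails).
vc_refusals() {  # $1 = log file, $2 = threshold
    awk -v limit="$2" '
        $7 ~ /^\/vc(\/|$)/ && $9 == 403 { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] > limit) print ip, hits[ip] }
    ' "$1" | sort
}

status_counts "$SAMPLE_LOG"
vc_refusals "$SAMPLE_LOG" 1
```

With the sample lines this prints "200 2", "403 3" and then "203.0.113.7 2"; on a real Pi, point it at /var/log/apache2/access.log (or the zcat pipeline above) instead of SAMPLE_LOG.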


Pi3 (Part XIII)

Using a non-standard port for HTTPS on my Pi

The URL for my HTTPS default page is https://hdr.is-a-geek.com:4430/ . The standard port for SSL is 443. Unfortunately this port was not available. To make the SSL encrypted information available over the Internet I had to change the Apache2 ports configuration file;

$ sudo vim /etc/apache2/ports.conf

<IfModule ssl_module>
Listen 4430
</IfModule>

and in the mod_ssl configuration file;

$ sudo vim /etc/apache2/sites-enabled/default-ssl.conf

<VirtualHost _default_:4430>

Then restart the server to let the changes take effect;

$ sudo apache2ctl graceful

Furthermore I had to implement a couple of settings on my routers to get the request to my Pi. How this is done is highly dependent on the hardware used.

Again, no guarantees my Pi is up-n-running.


Pi3 (Part XII)

Enable HTTPS (i.e. SSL) on the Pi. A bit of background https://www.digicert.com/ssl-cryptography.htm

First create a dedicated directory for serving encrypted content;

$ sudo mkdir /var/www/ssl
$ sudo mkdir /var/www/ssl/html

Make sure the directory/file rights are properly set;

$ sudo chown www-data:www-data /var/www/ssl/ -R
$ sudo chmod -R g+rw /var/www/ssl

Add user pi to group www-data (Apache);

$ sudo adduser pi www-data

Check the openssl version (OpenSSL 1.0.1t);

$ openssl version

Check if the mod_ssl module is enabled;

$ sudo apache2ctl -M

If not, execute;

$ sudo a2enmod ssl
$ sudo a2ensite default-ssl

Configure the SSL settings;

$ sudo vim /etc/apache2/sites-enabled/default-ssl.conf

Change the following directives in the file default-ssl.conf;

ServerAdmin xyz@mail.com
DocumentRoot /var/www/ssl/html
SSLCertificateFile /etc/ssl/certs/ssl-cert-hdr-pi.crt
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-hdr-pi.key

Create the RSA keys and the associated SSL certificate

$ cd ~
$ mkdir OpenSSL
$ cd OpenSSL
$ openssl genrsa -out ssl-cert-hdr-pi.key 2048
$ openssl rsa -in ssl-cert-hdr-pi.key -pubout -out ssl-cert-hdr-pi.pub.key
$ openssl req -new -key ssl-cert-hdr-pi.key -out ssl-cert-hdr-pi.csr

Fill out the requested details (a dot "." leaves a field empty). Now self-sign;

$ openssl x509 -req -days 365 -in ssl-cert-hdr-pi.csr -signkey ssl-cert-hdr-pi.key -out ssl-cert-hdr-pi.crt

Self-signing is not ideal but will do for most Pi applications. As a last step copy over the private key and the certificate;

$ sudo cp ssl-cert-hdr-pi.crt /etc/ssl/certs
$ sudo cp ssl-cert-hdr-pi.key /etc/ssl/private

Of course you need some content;

$ vim /var/www/ssl/html/index.html

So much has changed at this point I usually just reboot to make sure all settings are properly updated;

$ sudo shutdown -r now

Upon reboot you should be able to access the page. The browser will probably warn you about the fact that the certificate used is self-signed. My page is hosted at https://hdr.is-a-geek.com:4430/ . More on the port used in my next post. BTW I consider my Pi server in no way either mission critical or 24*7, it might therefore be offline.
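The self-signed certificate flow from this post, as an added shell example (not code from the post) run non-interactively in a work directory, followed by the checks that explain the browser warning: the certificate is its own issuer, and it only verifies when you trust it explicitly. It assumes openssl on PATH; the -subj values and the inline config (which stands in for the prompts you answer by hand in the post) are constructed for this example.

```sh
#!/bin/sh
# Added example, not code from the post: the self-signed server
# certificate of Pi3 (Part XII) and the properties behind the warning.
set -eu

# Key, CSR and self-signed certificate, as in the post but with -subj
# instead of the interactive prompts. Prints the certificate path.
make_self_signed() {  # $1 = work dir, $2 = validity in days
    mkdir -p "$1"
    # Minimal config so "openssl req" does not depend on /etc/ssl/openssl.cnf.
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\ncommonName = hdr.is-a-geek.com\n' \
        > "$1/req.cnf"
    openssl genrsa -out "$1/ssl-cert-hdr-pi.key" 2048 2>/dev/null
    openssl req -config "$1/req.cnf" -new -key "$1/ssl-cert-hdr-pi.key" \
        -subj "/C=NL/L=Delft/O=HdrPi3/CN=hdr.is-a-geek.com" \
        -out "$1/ssl-cert-hdr-pi.csr"
    openssl x509 -req -days "$2" -in "$1/ssl-cert-hdr-pi.csr" \
        -signkey "$1/ssl-cert-hdr-pi.key" -out "$1/ssl-cert-hdr-pi.crt" 2>/dev/null
    printf '%s\n' "$1/ssl-cert-hdr-pi.crt"
}

# "self-signed" when issuer and subject are the same DN, else "ca-signed".
signer_kind() {  # $1 = certificate
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    if [ "${subj#subject=}" = "${iss#issuer=}" ]; then echo self-signed; else echo ca-signed; fi
}

# "trusted" if the system trust store accepts it, "untrusted" if it only
# verifies when passed as its own CA file (what the browser warns about),
# "invalid" otherwise.
trust_status() {  # $1 = certificate
    if openssl verify "$1" >/dev/null 2>&1; then echo trusted
    elif openssl verify -CAfile "$1" "$1" >/dev/null 2>&1; then echo untrusted
    else echo invalid; fi
}

# "yes" if the certificate expires within $2 days, otherwise "no".
# Worth scheduling on the Pi: a -days 365 certificate expires silently.
expires_within() {  # $1 = certificate, $2 = days
    if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; then
        echo no
    else
        echo yes
    fi
}

cert=$(make_self_signed "$(mktemp -d)" 365)
echo "signer: $(signer_kind "$cert")"
echo "trust:  $(trust_status "$cert")"
echo "expires within 366 days: $(expires_within "$cert" 366)"
```

For a certificate made with -days 365 this prints self-signed, untrusted and yes; importing the certificate into the browser (as done for the client certificate in Part XVII) is what moves it from untrusted to trusted on that one machine.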


Pi3 (Part XI)

Boot to command line interface. Use the command startx to get back to the GUI.

http://raspi.tv/wp-content/uploads/2016/10/boot-to-CLI.png
