Using acme.sh for Let's Encrypt certificates on pkgsrc.org servers


September 17, 2018 posted by S.P.Zeidler

Peter Wemm's writeup about using acme.sh for FreeBSD.org served as inspiration, but I chose to do a few things differently:
  • using DNS alias mode with sub-domains dedicated to ACME verification
  • delegating the sub-domains to the servers where the certificate will be needed
  • using bind on the servers where the certificate will be needed (where it was running as resolver already anyway)
  • using dns_nsupdate (i.e. dynamic DNS) to add the challenge to the ACME subzone.
Appropriately restricted, that gives the following addition to named.conf on the target server (with an update key named acme-ddns):
options {
        ....
        allow-update { localhost; };
        ....
};

zone "acme-www.pkgsrc.org" {
        type master;
        file "acme/acme-www.pkgsrc.org";
        update-policy {
                grant acme-ddns name _acme-challenge.acme-www.pkgsrc.org. TXT;
        };
};
And last but not least, deployment of certificates via make, i.e. completely independent of acme.sh.

Due to all of the above, acme.sh does not need to tentacle about in the filesystem and can run as a plain user in a chroot. It's not a tiny chroot, though (20M), since acme.sh needs a bunch of common shell tools:

  • awk basename cat chmod cp curl cut date egrep/grep head mkdir mktemp mv nsupdate od openssl printf readlink rm sed sh sleep stat tail touch tr uname, and their shared libs, /libexec/ld.elf_so and /usr/libexec/ld.elf_so;
  • under the chroot's /etc: a resolv.conf, the CA cert for Let's Encrypt (mozilla-rootcert-60.pem) and, to make openssl complain less, an empty openssl.cnf;
  • and in the chroot /dev: null, random and urandom.

I call both the acme.sh --cron job and the certificate deployment make from daily.local, which adds the output to the daily mail and makes it easy to keep an eye on things.

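The client side of the setup above, as an added shell example that is not part of the original post or of acme.sh: it emits the nsupdate batch that the dns_nsupdate hook sends for the alias zone, and a pre-flight lint that checks every update line against the same grant that named.conf enforces, so a wrong name or type is noticed before the key is ever used. It assumes the alias zone acme-www.pkgsrc.org and the key name acme-ddns from the post; the token is constructed.

```shell
#!/bin/sh
# Added example, not code from the original post or from acme.sh.
# Client side of the alias-zone setup: emit the nsupdate batch the
# dns_nsupdate hook sends, and lint such a batch against the same grant
# that named.conf enforces for the acme-ddns key.
# Assumed from the post: alias zone acme-www.pkgsrc.org, key name acme-ddns,
# updates sent to the local bind (allow-update { localhost; }).

ACME_ALIAS_ZONE="acme-www.pkgsrc.org"
ACME_KEY_NAME="acme-ddns"
# Exactly what the update-policy line grants: one name, one RR type.
GRANT_NAME="_acme-challenge.${ACME_ALIAS_ZONE}."
GRANT_TYPE="TXT"

# grant_allows NAME TYPE: succeed only for updates the server policy accepts.
grant_allows() {
    [ "$1" = "$GRANT_NAME" ] && [ "$2" = "$GRANT_TYPE" ]
}

# acme_nsupdate_script ADD|DEL TOKEN: print the batch, to be piped into
#   nsupdate -k /path/to/acme-ddns.key   (key path is a placeholder)
acme_nsupdate_script() {
    printf 'server localhost\n'
    printf 'zone %s\n' "$ACME_ALIAS_ZONE"
    case $1 in
    ADD) printf 'update add %s 60 TXT "%s"\n' "$GRANT_NAME" "$2" ;;
    DEL) printf 'update delete %s TXT "%s"\n' "$GRANT_NAME" "$2" ;;
    *)   echo "acme_nsupdate_script: unknown action '$1'" >&2; return 1 ;;
    esac
    printf 'send\n'
}

# lint_nsupdate_script: read a batch on stdin, report each update line and
# fail if any touches a name or type outside the grant. bind would refuse
# such an update anyway; the point is to catch it before the key is used.
lint_nsupdate_script() {
    rc=0
    while read -r verb op name rest; do
        [ "$verb" = "update" ] || continue
        case $op in
        add)    rtype=$(printf '%s\n' "$rest" | awk '{print $2}') ;;  # TTL TYPE RDATA
        delete) rtype=$(printf '%s\n' "$rest" | awk '{print $1}') ;;  # [TYPE [RDATA]]
        *)      echo "denied: unknown op '$op'" >&2; rc=1; continue ;;
        esac
        if grant_allows "$name" "$rtype"; then
            echo "ok:     $op $name $rtype"
        else
            echo "denied: $op $name ${rtype:-<all types>} (outside grant for $ACME_KEY_NAME)" >&2
            rc=1
        fi
    done
    return $rc
}
```

A bare "update delete NAME" (all RR types) is reported as denied, because the grant covers only TXT at that name.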

Finishing leftover tasks from Google Summer of Code


September 03, 2018 posted by Kamil Rytarowski

Over the past month, I was coordinating and coding the remaining post-GSoC tasks. This mostly covers work around honggfuzz and sanitizers.

NetBSD on Allwinner SoCs Update


November 08, 2017 posted by Jared McNeill

Since the last update, we've made a number of improvements to the NetBSD Allwinner port. The SUNXI kernel has grown support for 8 new SoCs, and we added many new device drivers to the source repository.


Porting NetBSD to Allwinner H3 SoCs


July 09, 2017 posted by Jared McNeill

A new SUNXI evbarm kernel has appeared recently in NetBSD -current with support for boards based on the Allwinner H3 system on a chip (SoC). The H3 SoC is a quad-core Cortex-A7 SoC designed primarily for set-top boxes, but has managed to find its way into many single-board computers (SBC). This is one of the first evbarm ports built from the ground up with device tree support, which helps us to use a single kernel config to support many different boards.


LLDB: Sanitizing the debugger's runtime


June 06, 2017 posted by Kamil Rytarowski

This month I started work on correcting the ptrace(2) layer, as test suites used to trigger failures on the kernel side. This finally ended up sanitizing the LLDB runtime as well, addressing LLDB and NetBSD userland bugs.

NetBSD 7.1_RC2 available


February 24, 2017 posted by Soren Jacobsen

NetBSD 7.1_RC2 is now available, bringing numerous security fixes.

pkgsrc 50th release interviews - Ryo ONODERA


June 08, 2016 posted by Kamil Rytarowski

The pkgsrc team has prepared the 50th release of their package management system, with the 2016Q1 version. It's an infrequent event, as the 100th release will be held after another 50 quarters.

The NetBSD team has prepared a series of interviews with the authors. The next one is with Ryo ONODERA, a Japanese developer maintaining large C++ packages.

pkgsrc 50th release interviews - Jonathan Perkin


June 07, 2016 posted by Kamil Rytarowski

The pkgsrc team has prepared the 50th release of their package management system, with the 2016Q1 version. It's an infrequent event, as the 100th release will be held after another 50 quarters.

The NetBSD team has prepared a series of interviews with the authors. The next one is with Jonathan Perkin, a developer in the Joyent team.

pkgsrc 50th release interviews - Benny Siegert


June 06, 2016 posted by Kamil Rytarowski

The pkgsrc team has prepared the 50th release of their package management system, with the 2016Q1 version. It's an infrequent event, as the 100th release will be held after another 50 quarters.

The NetBSD team has prepared a series of interviews with the authors. The next one is with Benny Siegert, a developer active in the release engineering team.

pkgsrc 50th release interviews - Thomas Klausner


June 02, 2016 posted by Kamil Rytarowski

The pkgsrc team has prepared the 50th release of their package management system, with the 2016Q1 version. It's an infrequent event, as the 100th release will be held after another 50 quarters.

The NetBSD team has prepared a series of interviews with the authors. The 3rd one is with Thomas Klausner, a developer well known for his maintainership of the pkgsrc-wip project.

pkgsrc 50th release interviews - Sevan Janiyan


June 01, 2016 posted by Kamil Rytarowski

The pkgsrc team has prepared the 50th release of their package management system, with the 2016Q1 version. It's an infrequent event, as the 100th release will be held after another 50 quarters.

The NetBSD team has prepared a series of interviews with the authors. The 2nd one is with Sevan Janiyan, a developer well known for his bulk builds for several platforms.

64-bit ARM boards received from Rikomagic


September 30, 2015 posted by Martin Husemann

Rikomagic was kind enough to provide engineering samples of their RKM MK68 systems and documentation to a few NetBSD developers to assist in improving the aarch64 port.
