WriteFreely Reader

How to issue 7 days certificate with Lets Encrypt and Certbot

LinuxPizza — Tue, 03 Feb 2026 07:30:55 +0000

It is actually pretty simple, for example with NGINX:

certbot --nginx --required-profile shortlived

As you can see, use the option --required-profile shortlived. It can also be used with DNS-validation, the Apache plugin and so on. Example, wildcard cert with the Bunny.Net plugin with ECC-certificates:

certbot certonly --key-type ecdsa --required-profile shortlived --authenticator dns-bunny --dns-bunny-credentials /var/lib/private/bunny.ini -d *.linux.pizza -d linux.pizza

Have fun!

#linux #certbot #letsencrypt

Secure your API with Client-certificate authenatication in NGINX

LinuxPizza — Sat, 15 Nov 2025 20:32:09 +0000

After a few hours trying to make it work with my current CA, where the Root is stored offline, AIA, OCSP, CRL and all that stuff is done by the book – I gave up. Somehow, the Open Source variant of Nginx does not really like my OCSP setup, no idea why and I have no idea how to troubleshoot that.

Solution? KISS-principle!

I'll write this down, quick and dirty. But hopefully it helps someone.

Lets start with create the private key for the CA that we will create:

openssl genpkey -algorithm RSA -out CA_ROOT.key -aes256

With this command, we have created a private key with AES256. You will be prompted to give a password – write that down. And the following command will create a certificate from the private key, valid for 10 years.

openssl req -x509 -new -nodes -key CA_ROOT.key -sha256 -days 3650 -out CA_ROOT.crt

Fill in the information that the above command wants of you, like country-code, and so on. After that, your CA is done. The crude, ugly and honestly boring CA. But it'll work for this usecase.

Let's create the client-certificate!

First, will start by creating the private.key, and the .csr:

openssl genpkey -algorithm RSA -out client-cert.key
openssl req -new -key client.key -out client-cert.csr

And again, fill out the information wanted by openssl that will populate the .csr. Make it looks pretty. Ideally, the commands shall be run on the client only, so the private-key never leaves the client. The .csr is what the CA will need to sign and create a valid certificate.

Bring the .csr to the CA, and sign it:

openssl x509 -req -in client-cert.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client-cert.crt -days 365 -sha256

This will give you a signed certificate for your client named “client-cert.crt” – you may bring that to the client-machine and install it.

Firefox wants a .pfx:

In order to import the certificate into Firefox, you'll need to convert it to p12/pfx format:

openssl pkcs12 -export -out client-cert.pfx -inkey client-cert.key -in client-cert.crt -certfile CA_ROOT.crt

Please note, that you'll need the CA_ROOT.crt file too that you created.

Configure NGINX to do client-certificate authentication

Navigate to the virtualhost you want to enable client-certificate authentication on, and add the following:

    ssl_client_certificate /etc/ssl/private/CA_ROOT.crt;
    ssl_verify_client on;
    ssl_verify_depth 2;

Please note, that you have to place the CA_ROOT.crt file in /etc/ssl/private/

Restart NGINX and try to visit the site. You'll probably be asked for permission to use client-certificate authentication.

#linux #openssl #nginx #pki

Linux.Pizza Matrix-server is (re)launching

LinuxPizza — Sat, 04 Jan 2025 23:17:35 +0000

After 5 years, the Linux.Pizza Matrix-server is relauching. Last time, we housed over 3k active accounts.

We achieve this by just enabling social.linux.pizza as a OIDC-provider on the matrix-server – the same functionality that already is being used when you authenticate your mobile application.

In order to login with your social.linux.pizza account. Just used the Matrix-client you prefer (Element(X), SchlidiChat/SchlidiChat Next, Cinny or even Thunderbird) – set “synapse.linux.pizza” as your “Homeserver”, and the option to login with social.linux.pizza should appear.

Worth noting, is that this service will launch as a Beta-service, so every tester is welcome :)

Enable SNMP on Cisco SG350XG-2F10

LinuxPizza — Tue, 09 Apr 2024 07:27:38 +0000

Writing this down, so people and myself can easily find this solution

The Cisco docs is incomplete, this is the correct way of enabling SNMP on the SG350 series:

configure term
snmp-server community public RO
snmp-server community private RW
snmp-server server
snmp-server location hackerspace

Thanks to @fedops@fosstodon.org for telling me about the “snmp-server server” step.

#cisco #networking #switching #snmp #observium

Replace the default certificate on a Unifi Dream Router with your own

LinuxPizza — Sun, 24 Mar 2024 15:51:35 +0000

I dont claim responsibility for anything being done on your router. This short TODO is written for myself – dont follow if you are not familiar with certificates and PKI.

1 SSH into your machine 2. Navigate to /data/unifi-core/config 3. Replace unifi-core.key with your private key 4. Replace unifi-core.crt with your TLS-certificate 5. Restart Unifi Core:

systemctl restart unifi-core

Done!

#linux #pki #certificates #unifi

Backing up my AST Advantage! 611s BIOS with a T48 Universal programmer

yeold — Mon, 05 Dec 2022 19:52:33 +0000

The AST Advantage 611s, the first computer my family got. With a whopping 8MB of RAM and an IBM 5x86 CPU clocked at 100MHz.

We recently managed to get it working again, and came to the conclusion that it would be a good idea to make a backup of the BIOS on the motherboard, since there may not exist too many backups out there.

I ordered a XGecu T48 Universal Programmer with the appropriate adapters for the flash chip for 59$ If you want to check it out you can find it here: https://xgecu.myshopify.com/products/xgecu-new-t48-tl866-3g-programmer-support-28000-ics-for-spi-nor-nand-flash-emmc-bga-tsop-sop-plcc-9-parts

The T48 is also called TL866-3G and is of course the successor to the popular TL866 universal programmer.

Removing the chip and identifying the model number

Taking a look in the computer, the BIOS flash is located in the PLCC44 socket, but it's a bit hard to reach so the ISA riser card needs to be removed.

A closer look at the chip shows a sticker and a serial number that points back to 94.

Removing the chip was easy because of the included chip removal tool. Just place the hooks in the slots in the corners and press until it pops out.

Now I needed to find out what type of flash chip it really was. But I'd rather not ruin the sticker. So I used a scalpel blade to carefully remove the sticker so I could read the model number. (Pardon for the out of focus photo)

A quick google search told me that it was an Intel N28F001BX-T150 1Mbit (128KB) Boot block flash memory.

Reading the flash using Xgpro

The program used for the T48 is the Xgpro. The first thing I did was to make sure the right IC was selected by clicking “Select IC” in the upper left corner.

After marking the correct IC and clicking “Select” I clicked on “READ” in the upper toolbar. Now a new window appeared with a picture on how to seat the chip in the adapter and the ZIF socket. After connecting it according to the picture I clicked “Read” and the “BACK”

Now I could see the data from the chip. Scrolling down a bit, I could find some readable text like a Copyright from 1984 and an AST Research Copyright from 1995. Cool!

After confirming that I got some data from the chip I saved it to a .bin file using the “SAVE” button on the top left.

My plan is to upload the bin file to a site like The Retro Web, this page in particular: https://theretroweb.com/motherboards/s/ast-advantage!-610-611-486-202728-101 So people can find a copy of the BIOS and easily flash a new one if they ever need to do that.