Crossed-signed chain

cat GandiStandardSSLCA2.pem USERTrustRSAAddTrustCA.crt >

Let’s Encrypt

$ sudo apt-get install certbot -t jessie-backports
$ certbot certonly -w /var/www/ -d --config-dir ~/letsencrypt/etc --work-dir ~/letsencrypt/lib --logs-dir ~/letsencrypt/log
$ cat /etc/nginx/sites-available/ | grep ssl         ssl_certificate ~/letsencrypt/etc/live/;         ssl_certificate_key ~/letsencrypt/etc/live/;
$ certbot renew --dry-run --config-dir ~/letsencrypt/etc --work-dir ~/letsencrypt/lib --logs-dir ~/letsencrypt/log


fail2ban on freebsd with pf

% sudo pkg install py27-fail2ban

% sudo vim /usr/local/etc/fail2ban/jail.local

enabled = true
filter = sshd
action = pf
logpath = /var/log/auth.log

% sudo vim /usr/local/etc/fail2ban/action.d/pf.conf

actionstart =
actionstop =
actioncheck =
actionban = /sbin/pfctl -t <tablename> -T add /32
actionunban = /sbin/pfctl -t <tablename> -T delete /32

tablename = fail2ban

% sudo vim /etc/pf.conf

table <fail2ban> persist
block in on $ext_if from <fail2ban>

% sudo vim /etc/rc.conf


% sudo service pf reload
% sudo service fail2ban restart

% sudo pfctl -t fail2ban -T show

Windows Server 2008 self-signed certificate expires

A self-signed certificate is issued for web services (IIS) and it has a default validity period of 2 years. After that time, users of web services will be prompted with a dialog box asking if they still want to access a service that uses an outdated certificate. Outlook users could also be prompted with this dialog box. This box will appear every time a new connection is made.

To prevent this, we need to reissue another certificate to replace the old one. Self-signed certificates cannot be renewed.

We can easily do this using the “Fix my network” wizard. On SBS 2008, it can be accessed under Network => Connectivity in the SBS console. I think we can use this same wizard to reissue a certificate up to a month before the old one expires.


login to unix remote with rsa key pair from windows

On Windows client, we need:

  • PuTTY
  • PuTTYgen
  • Pageant

Use PuTTYgen to make key pair, save private key to file and copy public key to clipboard. Add key to Pageant.

On Unix remote, edit ~/.ssh/authorized_keys and add public key from Windows clipboard (one-line).

Use PuTTY to login to remote. WinSCP also uses Pageant when possible.