Displaying 20 results from an estimated 68 matches for "dehydrate".
2019 Jan 11
5
samba-tool auth in scripts
On 10.01.19 at 14:09, Rowland Penny via samba wrote:
> You don't ;-)
> You do what the script should have done (I feel version 0.8.10 will
> soon make an appearance), export the cache to use <export
> KRB5CCNAME="/tmp/dhcp-dyndns.cc"> and then use '$KRB5CCNAME' wherever
> '/tmp/dhcp-dyndns.cc' appears, except for:
> [...]
Yes, that worked.
2019 Jan 14
0
dehydrated hook for LetsEncrypt certs and samba dns (was: samba-tool auth in scripts)
Hai,
Thank you for sharing this, very appreciated.
If I may, a few small suggestions, to make it a little bit better to read/understand.
In this line:
samba-tool domain exportkeytab --principal=dehydrated-service@YOUR.DOMAIN /home/dehydrated/etc/dehydrated-service.keytab
@YOUR.DOMAIN could you change this to : @YOUR.REALM
Because of this. ( per example )
DNS domain = primary.dnsdomain.tld and for REALM = YOUR.REALM. ( 2 different things here, don't mix them. )
YOUR.REALM is not the same as p...
2019 Jan 14
2
dehydrated hook for LetsEncrypt certs and samba dns (was: samba-tool auth in scripts)
...samba" <samba at lists.samba.org> wrote:
> Hai,
>
> Thank you for sharing this, very appreciated.
>
> If I may, a few small suggestions, to make it a little bit better to
> read/understand.
>
> In this line:
> samba-tool domain exportkeytab
> --principal=dehydrated-service@YOUR.DOMAIN /home/dehydrated/etc/dehydrated-service.keytab
> @YOUR.DOMAIN could you change this to : @YOUR.REALM
>
> Because of this. ( per example )
> DNS domain = primary.dnsdomain.tld and for REALM = YOUR.REALM. ( 2
> different things here, don't mix them. )
>
>...
2019 Jan 14
4
dehydrated hook for LetsEncrypt certs and samba dns (was: samba-tool auth in scripts)
(@Rowland)
> Whilst it is quite correct to say that the REALM isn't the same as a
> DNS domain, there is a correlation between them. The REALM must be the
> DNS domain in uppercase, so this:
>
> SAMBA_PRINCIPAL=dehydrated-service@YOUR.DOMAIN
No, you can have your.primayDNSdomain.tld and have REALM = SOMEREALM.TLD
It's not obligated to have REALM the same as the DnsDomain.
It's also not obligated to have the realm uppercased, but in my opinion, that should be obligated because programs expect often REALM not real...
2019 Jan 14
0
dehydrated hook for LetsEncrypt certs and samba dns (was: samba-tool auth in scripts)
Hai Rowland,
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland Penny via samba
> Sent: Monday 14 January 2019 12:48
> To: samba at lists.samba.org
> Subject: Re: [Samba] dehydrated hook for LetsEncrypt certs
> and samba dns (was: samba-tool auth in scripts)
>
> On Mon, 14 Jan 2019 12:13:19 +0100
> "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
>
> > (@Rowland)
> >
> > > Whilst it is quite correct to say...
2019 Jan 15
1
dehydrated hook for LetsEncrypt certs and samba dns (was: samba-tool auth in scripts)
Just to clarify, your hook allows dehydrated to lookup DNS to an internal
Samba (or Bind_DLZ) server for DNS-01 verification in certificate
generation?
Kris Lou
klou at themusiclink.net
On Tue, Jan 15, 2019 at 2:13 AM Jakob Lenfers via samba <
samba at lists.samba.org> wrote:
> On 14.01.19 at 11:29, Rowland Penny via samb...
2017 Sep 08
5
Dovecot and Letsencrypt certs
...iced that dovecot had been running since before the renewal, so I did a quick service dovecot restart which fixed everything.
Should dovecot check for certs being refreshed? Or is this an artifact of my using symbolic links everywhere to point to the newest LE certs (which are themselves links the dehydrate script creates to point to the newest cert-1502534746.csr etc files?
Should I just create a monthly cron to restart dovecot or is there something else?
--
Apple broke AppleScripting signatures in Mail.app, so no random signatures.
2017 Feb 20
2
Problem with Let's Encrypt Certificate
...eed
the certificate to be publicly readable. Keeping it in separate
files would add slightly more security (defense in depth), that would
protect from, for example, an admin fumble or bug in the SSL library.
"Michael A. Peters" <mpeters at domblogger.net> writes:
>> I use dehydrated (with Cloudflare DNS challenges) and as far as I know,
>> it seems to generate a new private key every time.
>
> Yeah that would be a problem for me because I implement DANE.
It's on my to-do list, but I think you can use dehydrated in signing
mode.
--signcsr (-s) path/to/csr.p...
2017 Sep 09
1
Dovecot and Letsencrypt certs
...nce before the renewal, so I did a quick service
>> dovecot restart which fixed everything.
>>
>> Should dovecot check for certs being refreshed? Or is this an artifact of my using symbolic links everywhere to point to the
>> newest LE certs (which are themselves links the dehydrate script creates to point to the newest cert-1502534746.csr etc files?
>
> As you're using dehydrated, I can share what I do. My hook script basically calls "run-parts /etc/dehydrated/hooks.d/" so I
> can just drop hook scripts into that directory. Then in the hooks.d director...
2019 Jan 15
0
dehydrated hook for LetsEncrypt certs and samba dns (was: samba-tool auth in scripts)
...conf
> and move into the main script.
At least the username of the service should be configurable. And Samba
could be DNS Master for additional domains. (So actually I should make
it in an array. But I don't have time, I'll wait for the first to need
this ;))
I would like to move it to dehydrated.conf as pdns_api does
(https://github.com/silkeh/pdns_api.sh/), but I'm honestly unable to
find it in the script even though I use it and it works just fine for me.
> I take it this is for Windows clients securely updating their records
> in AD ?
I use it to create letsencrypt signed c...
2019 Jan 10
4
samba-tool auth in scripts
...ual kinit works fine. If I want to use a special
ticket cache as in your example, I cannot find an option in man
samba-tool to supply that filename and the following command therefore
fails (asking for password):
| # init ticket if necessary
| klist -c ~/tmp/ticket-cache -s || kinit -F -k -t ~/etc/dehydrated-service.keytab -c ~/tmp/ticket-cache dehydrated-service@MY.DOMAIN
| # change records
| samba-tool dns add barva.my.domain my.domain jakob-test TXT "TEEEST" -k yes
Thanks again,
Jakob
2019 Jan 14
1
dehydrated hook for LetsEncrypt certs and samba dns (was: samba-tool auth in scripts)
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland Penny via samba
> Sent: Monday 14 January 2019 13:21
> To: samba at lists.samba.org
> Subject: Re: [Samba] dehydrated hook for LetsEncrypt certs
> and samba dns (was: samba-tool auth in scripts)
>
> On Mon, 14 Jan 2019 13:03:42 +0100
> "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
>
> > Hai Rowland,
> > >
> > > We are talking a Samba AD D...
2019 Jan 09
3
samba-tool auth in scripts
Hi,
I created a script to add DNS entries with samba-tool (for LetsEncrypt,
as a dehydrated hook.) Works fine, but I have the password for the
dedicated user to do that in the script in the clear. I think I read
somewhere something about doing it with kerberos, but I never used
kerberos and don't know where to start. Is there any good way to be
doing this?
Thanks,
Jakob
2017 Sep 08
0
Dovecot and Letsencrypt certs
...t dovecot had been running since before the renewal, so I did a quick service dovecot restart which fixed everything.
>
>Should dovecot check for certs being refreshed? Or is this an artifact of my using symbolic links everywhere to point to the newest LE certs (which are themselves links the dehydrate script creates to point to the newest cert-1502534746.csr etc files?
As you're using dehydrated, I can share what I do. My hook script
basically calls "run-parts /etc/dehydrated/hooks.d/" so I can just drop
hook scripts into that directory. Then in the hooks.d directory, I have
th...
2019 Jul 05
1
Dovecot local_name TLS SNI regex
Hello,
does local_name in TLS SNI context support regex?
for example:
local_name example-(foo|bar).com {
ssl_cert = </var/lib/dehydrated/certs/example.com/fullchain.pem
ssl_key = </var/lib/dehydrated/certs/example.com/privkey.pem
}
Best regards
2017 Feb 17
1
Problem with Let's Encrypt Certificate
Hey.
Thanks again for your help. I took the "dovecot -n" while the StartSSL
Certificate was active, so the chain.pem was correct.
Finally I found the issue! :-) But I still have no idea why the problem
happens with Thunderbird.
I used dehydrated to fetch the certificates from Let's Encrypt and as I
said, it works for most clients pretty well. (Tried: Mulberry, Claws
Mail, Outlook 2010, Android (HTC), iPhone, ...) Also it works perfectly
with all my HTTPS-Services
Whatever, Thunderbird didn't like that cert saying "bad certif...
2017 Feb 19
4
Problem with Let's Encrypt Certificate
On 02/18/2017 10:24 PM, Robert L Mathews wrote:
> On 2/17/17 1:38 PM, chaouche yacine wrote:
>
>> Seems wrong to me too, Robert. If you put your private key inside
>> your certificate, won't it be sent to the client along with it ?
>
> No; any SSL software that uses the file will extract the parts it needs
> from it and convert them to its internal format for future
2017 Feb 23
0
Problem with Let's Encrypt Certificate
...lically readable. Keeping it in separate
> files would add slightly more security (defense in depth), that would
> protect from, for example, an admin fumble or bug in the SSL library.
>
> "Michael A. Peters" <mpeters at domblogger.net> writes:
>
>>> I use dehydrated (with Cloudflare DNS challenges) and as far as I know,
>>> it seems to generate a new private key every time.
>>
>> Yeah that would be a problem for me because I implement DANE.
>
> It's on my to-do list, but I think you can use dehydrated in signing
> mode.
>...
2019 Jan 10
0
samba-tool auth in scripts
...e as in your example, I cannot find an
> > option in man samba-tool to supply that filename and the following
> > command therefore fails (asking for password):
> >
> > | # init ticket if necessary
> > | klist -c ~/tmp/ticket-cache -s || kinit -F -k -t ~/etc/dehydrated-service.keytab -c ~/tmp/ticket-cache dehydrated-service@MY.DOMAIN
> > | # change records
> > | samba-tool dns add barva.my.domain my.domain jakob-test TXT "TEEEST" -k yes
> >
>
> You don't ;-)
> You do what the script should h...
2017 Feb 19
0
Problem with Let's Encrypt Certificate
> That's one of the reasons I don't like Let's Encrypt, with one year certs it is easier to look at the certs and see what is going to expire in the coming month needing a new private key.
I use dehydrated (with Cloudflare DNS challenges) and as far as I know, it seems to generate a new private key every time. All newly generated certs are generated with the timestamp in the filenames and the soft links updated to point to the latest timestamped files. I have 4 domains each with an average of 70 alt...