Other articles

  1. Getting a free SSL certificate from Letsencrypt and configuring it on Nginx with automatic renewal

    Finally Letsencrypt went to public beta and I really couldn't wait to use it on my VPS (where this blog is hosted). Until a few days ago I was using a free SSL certificate from StartSSL. The service is nice and I'm grateful to them for this important resource they are providing for free, but it must be said that their renewal procedure isn't one of the most user-friendly.

    For people who don't know the service yet, Letsencrypt not only gives free SSL certificates, they also provide a command line tool that people can use to request a new certificate or to renew an existing one. This means you no longer have to worry about your certificate expiring: you can set a crontab command and have the certificate renewed automatically.

    Client installation

    To request an SSL certificate you need to install their command line utility. Unless it has already been packaged for your distribution, for the moment it's much easier to get it from git as they explain in their installation instructions:

    ``` {.lang:sh .decode:true}
    git clone https://github.com/letsencrypt/letsencrypt
    cd letsencrypt
    ./letsencrypt-auto
    ```

    Getting the SSL certificate
    ---------------------------
    
    There are a few different options available to request a certificate,
    but the easiest one is to use the **--webroot** option, specifying the
    document root of your website so that the client can put a temporary
    verification file there, which will be served to the remote service
    and used as the verification method. In my case I only needed this
    command:

    ``` {.lang:sh .decode:true}
    ./letsencrypt-auto certonly --webroot -w /var/www/andreagrandi.it/ -d www.andreagrandi.it -d andreagrandi.it --email [email protected] --renew-by-default --agree-tos
    ```

    Please note that I had to specify both www.andreagrandi.it and andreagrandi.it as domains, otherwise it would have been invalid when requesting just andreagrandi.it resources.

    Configuration files and certificates installation

    The command above will save all the configuration under /etc/letsencrypt/ and all the generated certificates under /etc/letsencrypt/live/www.andreagrandi.it/*.pem (all the *.pem files here are symbolic links to the current certificate). If you are using Nginx the only files you need are fullchain.pem and privkey.pem and you can set them in your Nginx configuration using these two parameters:

    ``` {.lang:default .decode:true}
    ssl_certificate /etc/letsencrypt/live/www.andreagrandi.it/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.andreagrandi.it/privkey.pem;
    ```

    In case you want to have a look at my full Nginx configuration file, as
    reference, you can find it
    here <https://gist.github.com/andreagrandi/8b194c99cd3e77fdb5a8>
    
    Automatic renewal
    -----------------
    
    The last thing to be configured is a crontab rule to call the script
    every... 2 months. Why 2 months? Letsencrypt SSL **certificates expire
    in 3 months**. Usually SSL certificates are valid for at least 1 year,
    but Letsencrypt decided to make it 3 months to encourage the
    automation of the renewal. I set it to 2 months, so if anything goes
    wrong I still have plenty of time to do it manually. To edit the crontab
    for the root user, execute **crontab -e** and add this line:

    ``` {.lang:default .decode:true}
    0 3 1 */2 * /root/letsencrypt/letsencrypt-auto certonly --webroot -w /var/www/andreagrandi.it/ -d www.andreagrandi.it -d andreagrandi.it --email [email protected] --renew-by-default --agree-tos && service nginx reload
    ```

    Just a final note. You may have noticed that this website presents an SSL certificate issued by COMODO. That's because I have CloudFlare in front of my website and that's how their SSL strict option works (at least for free plans).
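
The two-month crontab rule above only leaves time for a manual fix if a failed run is noticed. As an added example (not part of the original post), this script uses `openssl x509 -checkend` to report when the live certificate is close to expiry; the 20-day default, the `check` argument and the function name are assumptions made here.

```shell
#!/bin/sh
# Added example: warn when the live certificate is close to expiry, so a
# failed bi-monthly renewal is noticed while there is still time to fix it.
# CERT is the path used in the article; WARN_DAYS is an assumed threshold.

CERT="${CERT:-/etc/letsencrypt/live/www.andreagrandi.it/fullchain.pem}"
WARN_DAYS="${WARN_DAYS:-20}"

# cert_status FILE DAYS
# Prints "ok", "expiring" or "unreadable" and returns 0, 1 or 2.
cert_status() {
    file=$1
    days=$2
    # A missing file or one that does not parse as an X.509 certificate
    # usually means the renewal left the live directory in a bad state.
    if [ ! -r "$file" ] || ! openssl x509 -in "$file" -noout >/dev/null 2>&1; then
        echo unreadable
        return 2
    fi
    # -checkend N exits 0 only if the certificate is still valid N seconds
    # from now. For fullchain.pem this checks the first (leaf) certificate.
    if openssl x509 -in "$file" -noout -checkend "$((days * 86400))" >/dev/null 2>&1; then
        echo ok
        return 0
    fi
    echo expiring
    return 1
}

# Run the check only when called with "check", e.g. from a daily cron entry.
if [ "${1:-}" = "check" ]; then
    status=$(cert_status "$CERT" "$WARN_DAYS")
    rc=$?
    # Stay silent on success so cron only produces output when action is needed.
    [ "$rc" -eq 0 ] || echo "certificate $CERT: $status" >&2
    exit "$rc"
fi
```

Saved under a name of your choice and run daily from root's crontab with the `check` argument, it stays silent while the certificate is healthy and produces output for cron to mail otherwise.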


  2. How to configure EncFS on OSX 10.10 (Yosemite)

    With EncFS it's possible to keep our data in almost any cloud (Dropbox, OneDrive, etc.), having a good level of privacy and security. In fact, EncFS encrypts and decrypts our data automatically. It is also available for Linux and, through a commercial solution (currently unsupported), even on Windows.

    Installing EncFS

    EncFS can be installed from brew. If you don't have brew package manager installed on OSX you can install it using this command:

    ``` {.lang:sh .decode:true}
    ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
    ```

    After brew, you need to install **OSXFuse** from this
    website <http://osxfuse.github.io>
    
    Finally you can install **encfs** using this command:
    
    ``` {.lang:sh .decode:true}
    brew install homebrew/fuse/encfs
    ```

    Configuring the encrypted folder

    Now that EncFS is installed, you can either mount an existing EncFS volume or create a new one. In both cases the command is the same:

    ``` {.lang:sh .decode:true}
    encfs ~/Dropbox/Private ~/Private
    ```

    If you are mounting an existing encrypted volume, you will be prompted
    for the password. If you are creating a new encrypted volume you will be
    asked some questions about EncFS parameters.
    
    **Note:** if it's important for you to keep compatibility with
    **[BoxCryptor Classic](https://www.boxcryptor.com/en/classic)** (in case
    you want to use the same volume under Windows), please refer to this
    other article I
    wrote: <https://www.andreagrandi.it/2014/09/12/create-an-encfs-volume-compatible-with-boxcryptor-classic/>
    
    Mount the encrypted volume on startup
    -------------------------------------
    
    First of all you need to save the volume's password inside the OSX
    keychain. Open the app **Keychain Access** and create a new entry with
    name **encfs** and account value **encfs**, then write your **password**
    and click **Add**:
    
    [![encfs\_keychain\_access](https://www.andreagrandi.it/wp-content/uploads/2015/10/encfs_keychain_access.png){.aligncenter
    .size-full .wp-image-1052 width="428"
    height="397"}](https://www.andreagrandi.it/wp-content/uploads/2015/10/encfs_keychain_access.png)
    
    Once the password is saved, **open a text editor** and paste this script
    and save it as **encfs\_mount.sh** inside your **\$HOME** folder:
    
    ``` {.lang:sh .decode:true}
    #!/bin/bash
    # Secure EncFS Dropbox mounter by Daniel Widerin <[email protected]>

    SOURCE=~/Dropbox/Private
    TARGET=~/Private
    VOLUME_TITLE=Private
    KEYCHAIN_PASSWORD='encfs'   # name of the Keychain entry that holds the volume password
    ENCFS=/usr/local/bin/encfs

    # Unmount the target first if it is already mounted
    if mount | grep -q -- "$TARGET"; then
        /usr/sbin/diskutil unmount "$TARGET"
    fi

    # Create the mountpoint, accessible only to the current user
    if [ ! -d "$TARGET" ]; then
        echo "Create new mountpoint $TARGET"
        mkdir "$TARGET"
        chmod 0700 "$TARGET"
    fi

    # Mount the volume; encfs runs the --extpass command to read the password from the Keychain
    "$ENCFS" "$SOURCE" "$TARGET" --extpass="security 2>&1 >/dev/null find-generic-password -gl '$KEYCHAIN_PASSWORD' |grep password|cut -d \\\" -f 2" -ovolname="$VOLUME_TITLE"
    ```

    Make it executable:

    ``` {.lang:sh .decode:true}
    chmod +x ~/encfs_mount.sh
    ```

    Open **AppleScript** editor and paste this text inside and save as an
    app in the \$HOME folder:
    
    [![Screenshot 2015-10-11
    19.27.14](https://www.andreagrandi.it/wp-content/uploads/2015/10/Screenshot-2015-10-11-19.27.14.png){.aligncenter
    .size-full .wp-image-1055 width="484"
    height="392"}](https://www.andreagrandi.it/wp-content/uploads/2015/10/Screenshot-2015-10-11-19.27.14.png)
    
    ``` {.lang:sh .decode:true}
    do shell script "$HOME/encfs_mount.sh"
    ```

    Finally, open "System Preferences" -> "Users & Groups" and add the previously saved application.


    Final notes

    At this point encfs is configured to be mounted at startup and to save the encrypted files inside Dropbox. Please note: do not save anything directly in ~/Dropbox/Private; only read and save your files from ~/Private.


  3. How to fix encfs installation on OSX 10.9 (Mavericks) and brew

    After upgrading from OSX 10.8.x to 10.9 (Mavericks), the encfs recipe is broken. First of all you have to fix a problem with a library header:

    ``` {.lang:sh .decode:true}
    sudo ln -s /usr/include/sys/_endian.h /usr/include/sys/endian.h
    ```

    then you can install encfs using this remote brew recipe:

    ``` {.lang:sh .decode:true}
    brew reinstall https://gist.github.com/ghibble/7297078/raw/cae1ff000a5e1cfc670f5b7a611279ed494b63af/encfs.rb
    ```

    It's also possible that you have to fix fuse4x installation before being able to use encfs (I had to do it):

    ``` {.lang:sh .decode:true}
    sudo /bin/cp -rfX /usr/local/Cellar/fuse4x-kext/0.9.2/Library/Extensions/fuse4x.kext /Library/Extensions
    sudo chmod +s /Library/Extensions/fuse4x.kext/Support/load_fuse4x
    ```

    That's it! Please note that this is just a workaround (thanks to Giovanni Bajo for suggesting the symlink fix to me). Please also note that this recipe uses the fuse4x library and not the more up-to-date osxfuse (but it works, anyway). Some other users reported to me that there is a fix for the original brew recipe, and this one uses osxfuse. You can find it here https://gist.github.com/defunctzombie/7324625 but I haven't tested it yet.

    Update: to fully integrate encfs with OSX, I also suggest following this nice guide http://www.maketecheasier.com/install-encfs-mac/

