@aral@mastodon.ar.al avatar aral , to random

🥳 Auto-Encrypt Localhost version 9.0.0 released

Bye bye, Windows.

• Windows is no longer supported as Microsoft is complicit in Israel’s genocide of the Palestinian people¹ and Small Technology Foundation² stands in solidarity with the Boycott, Divestment, and Sanctions (BDS) movement³. Windows is an ad-infested and surveillance-ridden dumpster fire of an operating system and, alongside supporting genocide, you are putting both yourself and others at risk by using it.

Enjoy!

💕

About Auto-Encrypt Localhost:

https://codeberg.org/small-tech/auto-encrypt-localhost#readme

Auto Encrypt Localhost is similar to the Go utility mkcert but with the following important differences:

  1. It’s written in pure JavaScript for Node.js.

  2. It does not require certutil to be installed.

  3. It uses a different technique to install its certificate authority in the system trust store of macOS.

  4. It uses enterprise policies on all platforms to get Firefox to include its certificate authority from the system trust store.

  5. In addition to its Command-Line Interface, it can be used programmatically to automatically handle local development certificate provisioning while creating your server.

Auto-Encrypt Localhost is licensed under AGPL version 3.0.

¹ https://www.bdsmovement.net/microsoft
² https://small-tech.org/
³ https://www.bdsmovement.net/

mhzawadi , to Selfhosted in reverse proxy over vpn without docker?
@mhzawadi@lemmy.horwood.cloud avatar

apt/yum/dnf install nginx, listen on public IP of VPS, use proxy_pass to forward to your internal IP

server {
    listen [::]:443 ssl;
    http2 on;
    server_name service.example.com;
    root /var/data/websites/holding;
    index index.php index.html index.htm;

    #SSL setting
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    add_header X-Clacks-Overhead "GNU Terry Pratchett";
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

    # access_log /var/log/nginx/service-access.log main;
    access_log off;

    location / {
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "Upgrade";
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $remote_addr;
      proxy_set_header X-Forwarded-Proto "https";
      proxy_set_header X-SECURE-REQUEST "true";
      proxy_set_header Host $http_host;
      proxy_pass http://192.168.1.2/; #IP of the service over the VPN
    }

}
@aral@mastodon.ar.al avatar aral , to Testing

Just updated Node Pebble to support latest release version of Let’s Encrypt’s Pebble testing server.

https://codeberg.org/small-tech/node-pebble

Enjoy!

💕

@h4ckernews@mastodon.social avatar h4ckernews Bot , to random
mhzawadi , to Jellyfin: The Free Software Media System in Judge my shitty vibe code please
@mhzawadi@lemmy.horwood.cloud avatar

Not sure how well that will fly, does it pass a config test?

Also here is a working server block that I use and works fine everywhere

server {
    listen server IP:80;
    listen server IP:443 ssl; ## listen for ipv4; this line is default and implied
    http2 on;
    server_name jellyfin.example.com;
    root /srv/www/holding;
    index index.php index.html index.htm;
    #SSL setting
    ssl_certificate /etc/letsencrypt/live/wildcard_cert/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/wildcard_cert/privkey.pem;
    add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload";

    # Note that Diaspora has a client side check set at 4M
    client_max_body_size 512M;
    client_body_buffer_size 256K;

    access_log /var/log/nginx/jellyfin-access.log main;

    location = / {
        return 302 https://$host/web/;
    }

    location / {
      proxy_pass http://jellyfin/; # assumes an "upstream jellyfin { ... }" block defined elsewhere in the nginx config
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
      proxy_set_header Host $http_host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header X-Forwarded-Protocol $scheme;
      proxy_set_header X-Forwarded-Host $http_host;
      proxy_redirect http:// https://;
      proxy_buffering off;
    }

    # location block for /web - This is purely for aesthetics so /web/#!/ works instead of having to go to /web/index.html/#!/
    location = /web/ {
        # Proxy main Jellyfin traffic
        proxy_pass http://jellyfin/web/index.html;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Forwarded-Host $http_host;
    }

    location /socket {
        # Proxy Jellyfin Websockets traffic
        proxy_pass http://jellyfin/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Forwarded-Host $http_host;
    }
}
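The two server blocks above differ in how they fill X-Forwarded-For ($remote_addr in the first, $proxy_add_x_forwarded_for in the second) and X-Forwarded-Proto (a literal "https" versus $scheme). Whatever the upstream service is, it should only believe those headers when the connection really came from the proxy, and with $proxy_add_x_forwarded_for it must read the right-most address, since nginx appends to whatever the client already sent. The following is an added example (not code from either post, and not part of nginx or Jellyfin) of how a Node.js upstream can do that; the VPN address 10.8.0.1 and the request objects are constructed for illustration.

```javascript
// Added example: resolving client IP and scheme behind the nginx proxies shown
// above. Assumption: the proxy reaches the upstream over the VPN from 10.8.0.1
// (constructed value); the loopback entries cover a proxy on the same host.
const TRUSTED_PROXIES = new Set(['10.8.0.1', '127.0.0.1', '::1']);

// req mimics the shape of http.IncomingMessage: req.socket.remoteAddress and
// req.headers with lower-cased header names (as Node.js delivers them).
function clientInfo(req) {
  const peer = req.socket.remoteAddress;
  if (!TRUSTED_PROXIES.has(peer)) {
    // Direct connection or unknown host: forwarded headers are untrusted input,
    // so ignore them entirely and report the TCP peer itself.
    return { ip: peer, proto: 'http', viaProxy: false };
  }
  // With "X-Forwarded-For $remote_addr" the header holds exactly one address.
  // With "$proxy_add_x_forwarded_for" nginx appends the peer address to any
  // value the client supplied, e.g. "1.1.1.1, 203.0.113.5": only the hop that
  // a trusted proxy added is reliable, everything further left is attacker text.
  const hops = (req.headers['x-forwarded-for'] || '')
    .split(',').map(s => s.trim()).filter(Boolean);
  let ip = peer;
  for (let i = hops.length - 1; i >= 0; i--) {
    ip = hops[i];
    if (!TRUSTED_PROXIES.has(ip)) break; // first untrusted hop from the right
  }
  // X-Forwarded-Proto: the first config hard-codes "https", the second passes
  // $scheme. Either way only accept it from the proxy (we are past that check).
  const proto = req.headers['x-forwarded-proto'] === 'https' ? 'https' : 'http';
  return { ip, proto, viaProxy: true };
}

// Constructed sample requests, as the second config would produce them.
const viaProxy = {
  socket: { remoteAddress: '10.8.0.1' },
  headers: { 'x-forwarded-for': '1.1.1.1, 203.0.113.5', 'x-forwarded-proto': 'https' },
};
// Someone bypassing nginx and sending spoofed headers straight to the service.
const direct = {
  socket: { remoteAddress: '198.51.100.9' },
  headers: { 'x-forwarded-for': '1.1.1.1', 'x-forwarded-proto': 'https' },
};
console.log(clientInfo(viaProxy)); // ip 203.0.113.5, proto https, viaProxy true
console.log(clientInfo(direct));   // ip 198.51.100.9, proto http, viaProxy false
```

Keep the service bound to the VPN interface as well, so the direct case cannot happen from the public internet at all.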
@piwo@fosstodon.org avatar piwo , to random Polish

🎬 SSL/TLS and certificate validation, what could possibly go wrong?

Błażej Orzechowski talks about the importance of encryption on the internet and explains the role of HTTPS, SSL/TLS and certificates in protecting data.

👉 PeerTube: https://tube.pol.social/w/uqcqPCEEq8dU2odbb4dA7J
👉 YouTube: https://youtu.be/DB_boLriKwA?feature=shared

@mirabilos@toot.mirbsd.org avatar mirabilos , to random

What the actual fuck,

Let’s Encrypt will no longer include the “TLS Client Authentication” Extended Key Usage (EKU) in our certificates beginning in 2026.

That makes them unusable for SMTP servers. Gah!

Anyone got a usable alternative that doesn’t ruin financially?

Update: I’m in communication with them, let’s hope they recognise the usefulness.

Update 2: turns out it’s Google forcing this down the throat of all CAs that want to be recognised by Chrome as valid. I’m sure Google only accidentally decided on a new policy that breaks some SMTP and probably all XMPP use cases… 🤬

mirabilos OP ,
@mirabilos@toot.mirbsd.org avatar

@rl_dane @ShinjiLE if you or someone else wants to help argue, the thread is at https://community.letsencrypt.org/t/do-not-remove-tls-client-auth-eku/237427 (Discourse, so JS webbrowser), I’m exhausted.

@LaF0rge@chaos.social avatar LaF0rge , to random

In case you haven't seen it yet, check out the analysis of the devastating state of [mostly] modern by members of haproxy at https://www.haproxy.com/blog/state-of-ssl-stacks - hard to imagine such massive performance regressions getting into mainline linux distributions unnoticed by the distributors.

@heisec@social.heise.de avatar heisec , to random German

OpenSSL 3.5.0 now includes post-quantum algorithms

With the new LTS version 3.5.0 of its library, OpenSSL adds the post-quantum algorithms ML-KEM, ML-DSA and SLH-DSA.

https://www.heise.de/news/OpenSSL-3-5-0-enthaelt-nun-Post-Quanten-Verfahren-10345122.html?wt_mc=sm.red.ho.mastodon.mastodon.md_beitraege.md_beitraege&utm_source=mastodon

@aral@mastodon.ar.al avatar aral , to random

🚨 Let’s Encrypt at risk from Trump cuts to OTF: “Let’s Encrypt received around $800,000 in funding from the OTF”

Dear @EUCommission , get your heads out of your arses and let’s find @letsencrypt €1M/year (a rounding error in EU finances) and have them move to the EU.

If Let’s Encrypt is fucked, the web is fucked, and the Small Web is fucked too. So how about we don’t let that happen, yeah?

(In the meanwhile, if the Let’s Encrypt folks want to make a point about how essential they are, it might be an idea to refuse certificates to republican politicians. See how they like their donation systems breaking in real time…)

CC @nlnet @NGIZero

https://mastodon.social/@publictorsten/114223873439053263

kkarhan ,
@kkarhan@infosec.space avatar

@aral @EUCommission @nlnet call me weird but the developments of @letsencrypt vs. @cacert shows everything wrong with the way works.

We would've had a superior alternative to if weren't able or even allowed to cockblock by refusing to import its ROOT-CA, whilst every commercial gets their keys imported, no matter how shit they are or that they are essentially a hostile state actor!

@aral@mastodon.ar.al avatar aral , to random

New releases

• Kitten (rolling release)
@small-tech/https version 5.3.2
• Auto Encrypt version 4.1.3

OCSP support has been reinstated in the server so existing sites with Let’s Encrypt certificates provisioned prior to the removal of the OCSP stapling requirement will not fail to load in Firefox.

Kitten servers in production will automatically update to this version in a few hours. You can also sign in to the Kitten settings page on your server and do a manual update to update Kitten immediately.

Thanks to @stefan and @s1r83r for bringing this to my attention. (https://mastodon.ar.al/@aral/113969540950647873)

@aral@mastodon.ar.al avatar aral , to random

New Kitten¹ release

• Fixes : Strips superfluous <p> tags added by Markdown parser around Kitten components used in Markdown pages³

Enjoy!

:kitten:💕

¹ https://kitten.small-web.org
² https://codeberg.org/kitten/app/issues/227
³ https://kitten.small-web.org/reference/#markdown-pages-page-md-files

aral OP , (edited )
@aral@mastodon.ar.al avatar

@s1r83r @stefan Thanks for the heads up, folks.

So, here’s what’s happened:

  1. Let’s Encrypt removed OCSP support and started rejecting certificate requests that require OCSP stapling (a privacy feature that Kitten inherited from my Auto Encrypt module) for new server requests and will reject certificate renewal requests starting in May.

  2. So I went ahead and removed the OCSP stapling requirement from the certificate requests Auto Encrypt makes to Let’s Encrypt.

  3. I also removed OCSP support from the server.

Makes sense, right?

Sure does, until you consider what happens to servers with already-provisioned Let’s Encrypt certificates that have certificates that require OCSP stapling. (kitten.small-web.org’s certificate got renewed four days ago, before I’d released the updates.)

Doh! 🤦‍♂️

Seems Safari and Chrom(ium) are fine with letting it pass. However, Firefox, (and correctly too, I might add), refuses to load the site.

So I’m off to update Auto Encrypt to re-enable OCSP support with a note to disable it in May (by which time all certificates will have renewed anyway without the stapling requirement) and then issue new builds of @small-web/https and Kitten.

Kitten servers should automatically upgrade and start working in Firefox in several hours. And you can also manually update them if you want to before then after I’ve announced the releases.

Thanks again for letting me know.

:kitten:💕

@aral@mastodon.ar.al avatar aral , to random

Auto Encrypt version 4.1.0 released

• Removes OCSP stapling, as Let’s Encrypt is removing OCSP support.

If you’re already using Auto Encrypt upgrade before May or your certificate renewals will start to fail. Upgrade now if you want to get certificates for new domains as new certificate requests are already failing.

https://codeberg.org/small-tech/auto-encrypt#readme

Auto Encrypt automatically provisions and renews Let’s Encrypt TLS certificates on Node.js https servers (including Kitten¹, Polka, Express.js, etc.)

Regular Node.js HTTPS server (without Let’s Encrypt certificates):

import https from 'node:https'
const server = https.createServer(…)

Auto Encrypt https server with automatic Let’s Encrypt certificates:

import AutoEncrypt from '@small-tech/auto-encrypt'
const server = AutoEncrypt.https.createServer(…)

(Certificates are provisioned on first hit and automatically renewed 30 days before expiry.)

¹ https://kitten.small-web.org

aral OP ,
@aral@mastodon.ar.al avatar

Auto Encrypt version 4.1.1 released

Fixed:

• User agent string now includes the correct Auto Encrypt version (and the name fragment “auto-encrypt” instead of “acme”).

• Tests now send Connection: close header so they’re not tripped up by the default keep-alive introduced in Node 19.

https://www.npmjs.com/package/@small-tech/auto-encrypt

aral OP , (edited )
@aral@mastodon.ar.al avatar

@small-tech/https version 5.3.0 released

• Uses Auto Encrypt 4.1.1 (removes OCSP stapling support because Let’s Encrypt has removed OCSP support).

https://www.npmjs.com/package/@small-tech/https

This module is a drop in replacement for Node HTTPS module that automatically handles TLS certificate provisioning and renewal both at localhost (via Auto Encrypt Localhost¹) and at hostname (via Auto Encrypt with Let’s Encrypt certificates²).

So, this is how you create a HTTPS server in Node.js that uses this module and automatically handles TLS certificate provisioning and renewal for you both at localhost (during development) and at hostname (during production):

import https from '@small-tech/https'

const server = https.createServer((request, response) => {
  response.end('Hello, world!')
})

server.listen(443, () => {
  console.log(' 🎉 Server running at https://localhost.')
})

(Yes, that’s it! I wrote a metric shit-tonne of meticulously-tested code so you don’t have to.) :)

💡 Note that the localhost certificate support via Auto Encrypt Localhost is 100% JavaScript and does NOT rely on an external binary like mkcert or certutil.

Needless to say, Kitten³ uses this module under the hood and it’s a big part of why Domain⁴ can deploy servers so easily that don’t require any day-to-day maintenance.

In case you’re wondering why I’m spending so much time releasing all these modules, it’s because I believe in sharing every brick of the house I’m building so others can easily build different houses if they want to. I’m not saying that what I’m building with Kitten, Domain, and Place⁵ will be the end all be all of the Small Web⁶ (the peer-to-peer web). And I want others to be able to experiment by building their own tools without having to go through the grueling development process I’ve had to in the past six years to build basic infrastructure.

Enjoy!

💕

¹ https://codeberg.org/small-tech/auto-encrypt-localhost
² https://codeberg.org/small-tech/auto-encrypt
³ https://kitten.small-web.org
⁴ https://codeberg.org/domain/app
⁵ https://codeberg.org/place/app
⁶ https://ar.al/2024/06/24/small-web-computer-science-colloquium-at-university-of-groningen/

@aral@mastodon.ar.al avatar aral , to random

Just released Node Pebble version 5.1.1

• Updated to Pebble version 2.7.0.

• Now also supports macOS and arm64 (because Pebble itself does).

https://codeberg.org/small-tech/node-pebble

Node Pebble is a Node.js wrapper for Let’s Encrypt’s¹ Pebble² that:

• Downloads the correct Pebble binary for your platform.

• Launches and manages a single Pebble process.

• Returns a reference to the same process on future calls (safe to include in multiple unit tests where order of tests is undetermined)

• Automatically patches Node.js’s TLS module to accept Pebble server’s test certificate as well as its dynamically-generated root and intermediary CA certificates.

¹ https://letsencrypt.org

² “A miniature version of Boulder, Pebble is a small RFC 8555 ACME test server not suited for a production certificate authority.” https://github.com/letsencrypt/pebble

@aral@mastodon.ar.al avatar aral , to random

So I guess Let’s Encrypt has decided what I’ll be working on today then…

https://letsencrypt.org/2024/12/05/ending-ocsp/

(They’re ending OCSP stapling support. I’ll be updating Auto Encrypt¹ to remove OCSP support and then update @small-tech/https, which uses it, along with Auto Encrypt Localhost² to provide seamless TLS support regardless of whether you’re working in development or in production, and then update Site.js³ – deprecated but still used to serve some of our own sites at Small Technology Foundation⁴ – and Kitten⁵, with the latest @small-tech/https.)

¹ https://codeberg.org/small-tech/auto-encrypt
² https://codeberg.org/small-tech/auto-encrypt-localhost
³ https://codeberg.org/small-tech/https
⁴ https://small-tech.org
⁵ https://kitten.small-web.org