Geekzone: technology news, blogs, forums
752 posts

Ultimate Geek


#250959 3-Jun-2019 01:37

I've just purchased a .nz domain name from 1st Domains, and found out they don't support CAA (Certificate Authorization Authority) DNS records.

 

They also don't have an API to allow certbot or acme.sh to automagically issue and renew Let's Encrypt wildcard certificates, which is another slight annoyance, as it necessitates a manual DNS TXT challenge every 3 months.

 

So - are there any NZ registrars who support CAA records and Let's Encrypt wildcard automation?

 

If not, I'm thinking I'll have to transfer my .nz domain name to my other US-based provider who does offer these tools.
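To make concrete what a CAA record actually controls (the feature the thread opens with), here is an added example, not code from the thread, from any registrar or from Let's Encrypt. It evaluates a constructed zone the way a CA does before issuing under RFC 8659, including the issuewild rule that governs wildcard certificates and the validationmethods parameter from RFC 8657. All names in the zone are hypothetical and the records are made up for the example.

```python
"""
CAA evaluation as a CA performs it before issuing (RFC 8659, plus the
validationmethods parameter of RFC 8657).  Added example, not code from the
thread; the zone below is constructed and every name in it is hypothetical.
"""
from dataclasses import dataclass

ISSUER_CRITICAL = 128            # flags bit 7: an unknown tag with this set must block issuance
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str


# Constructed zone data: {owner name: [CAA records]}.  Names are hypothetical.
ZONE = {
    # Only Let's Encrypt may issue, and nobody may issue wildcards.
    "example.org.nz.": [
        CAA(0, "issue", "letsencrypt.org"),
        CAA(0, "issuewild", ";"),
        CAA(0, "iodef", "mailto:security@example.org.nz"),
    ],
    # Wildcards only, and only from Let's Encrypt; no ordinary certs at all.
    "wild.org.nz.": [
        CAA(0, "issue", ";"),
        CAA(0, "issuewild", "letsencrypt.org"),
    ],
    # Let's Encrypt may issue, but only after a DNS-01 challenge.
    "dnsonly.org.nz.": [
        CAA(0, "issue", "letsencrypt.org; validationmethods=dns-01"),
    ],
    # A critical record with a tag the CA does not understand: refuse.
    "other.org.nz.": [CAA(ISSUER_CRITICAL, "future-tag", "x")],
}


def relevant_caa(name, zone):
    """Return the RRset that governs `name`: its own CAA records, else the closest ancestor's."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]) + ".", [])
        if rrset:
            return rrset
    return []


def parse_issuer(value):
    """'letsencrypt.org; validationmethods=dns-01' -> ('letsencrypt.org', {...}); ';' -> (None, {})."""
    parts = [p.strip() for p in value.split(";")]
    domain = parts[0].lower() or None
    params = {}
    for p in parts[1:]:
        if "=" in p:
            k, v = p.split("=", 1)
            params[k.strip().lower()] = v.strip()
    return domain, params


def may_issue(name, ca_domain, zone, method=None):
    """Decide whether `ca_domain` may issue for `name` (a wildcard if it starts with '*.'),
    having validated control of the name with `method` (e.g. 'dns-01' or 'http-01')."""
    wildcard = name.startswith("*.")
    if wildcard:
        name = name[2:]             # the relevant RRset for *.x is looked up starting at x
    rrset = relevant_caa(name, zone)
    if not rrset:
        return True                 # no CAA anywhere up the tree: any CA may issue

    if any(rr.flags & ISSUER_CRITICAL and rr.tag.lower() not in KNOWN_TAGS for rr in rrset):
        return False

    issue = [rr for rr in rrset if rr.tag.lower() == "issue"]
    issuewild = [rr for rr in rrset if rr.tag.lower() == "issuewild"]
    governing = issuewild if (wildcard and issuewild) else issue
    if not governing:
        return True                 # e.g. only iodef present: no restriction on issuers

    for rr in governing:
        domain, params = parse_issuer(rr.value)
        if domain != ca_domain.lower():
            continue                # ';' (domain None) matches nobody, so it denies every CA
        if "validationmethods" in params:
            allowed = {m.strip().lower() for m in params["validationmethods"].split(",")}
            if method is None or method.lower() not in allowed:
                continue
        return True
    return False


if __name__ == "__main__":
    for q in ["www.example.org.nz", "*.example.org.nz", "www.wild.org.nz", "*.wild.org.nz"]:
        print(q, "letsencrypt.org via dns-01 ->", may_issue(q, "letsencrypt.org", ZONE, "dns-01"))
```

Two things worth noticing in the result: with no CAA record anywhere up the tree, every CA is permitted to issue, so publishing one is what stops mis-issuance at a CA you never use; and a wildcard request is governed by issuewild whenever that tag is present, so a zone that only lists the CA under issue and sets issuewild to ";" will have its wildcard request refused. The registrar's only role is to let you publish the record; the lookup happens at the CA at issuance time.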
3107 posts

Uber Geek

Trusted
Lifetime subscriber

  #2250174 3-Jun-2019 06:55

Have you had a look at Metaname? They offer an API.
710 posts

Ultimate Geek

Subscriber

  #2250207 3-Jun-2019 10:00

Could you just use Cloudflare name servers instead?
/dev/null
9333 posts

Uber Geek

Moderator
Trusted
Lifetime subscriber

  #2250228 3-Jun-2019 10:20

Use Metaname - they're great. Then just use Cloudflare for your DNS records. Metaname will handle DNSSEC with Cloudflare and there is a Certbot plugin to use Letsencrypt: https://bjornjohansen.no/wildcard-certificate-letsencrypt-cloudflare

 

Another way you can then do this is to use Cloudflare, set your server up to use the Origin certificates provided by Cloudflare and set your SSL settings in Cloudflare to Strict. This means Cloudflare will talk to your server via HTTPS and proxy everything, and there is no need to worry about Letsencrypt. You can safely firewall off your server from this point to anything except Cloudflare (assuming you're using a modern Debian-based Linux):

 

#!/bin/sh
# Refresh Cloudflare's published IP ranges and allow only them to reach port 443.
# Assumes ufw's default incoming policy is already "deny"; this only adds allow
# rules and does not remove ranges Cloudflare has since retired.
set -eu
DIR="$(dirname "$(readlink -f "$0")")"
cd "$DIR"
# Download to a temp file first so a failed fetch never leaves an empty list behind
wget -q https://www.cloudflare.com/ips-v4 -O ips-v4.tmp
wget -q https://www.cloudflare.com/ips-v6 -O ips-v6.tmp
mv ips-v4.tmp ips-v4
mv ips-v6.tmp ips-v6
# One rule per CIDR; read line by line rather than word-splitting `cat` output
cat ips-v4 ips-v6 | while read -r cfip; do
    [ -z "$cfip" ] && continue
    ufw allow from "$cfip" to any port https
done
ufw reload > /dev/null
3107 posts

Uber Geek

Trusted
Lifetime subscriber

  #2250254 3-Jun-2019 11:27

But don't forget by using Cloudflare you're supporting the terrorists and revenge p.rn sites across the internet.

 

While they provide a useful service, they also provide a useful service for ALL of the most vile sites on the internet.

 

Their one-paragraph AUP and long history of not caring whatsoever about any of the harm they cause speaks volumes about their business.

305 posts

Ultimate Geek


  #2250382 3-Jun-2019 14:43

BarTender:

 

While they provide a useful service, they also provide a useful service for ALL of the most vile sites on the internet.

 

That's why you can be sure your site isn't going to just drop off the internet because some system sent an automated notice.
752 posts

Ultimate Geek


  #2250735 3-Jun-2019 22:06

*Grumble* it turns out my current provider (dynu.com) can't transfer ".org.nz" TLDs, so I've gone the Cloudflare route.

 

As I type this, I'm just waiting for the transfer to Cloudflare's name servers to kick in. Cloudflare looks to have all the nice tools (APIs, DNS records etc.) I could ever want.

 

Thanks for the heads up!
3107 posts

Uber Geek

Trusted
Lifetime subscriber

  #2250792 4-Jun-2019 08:23

Tracer:
BarTender:

 

While they provide a useful service, they also provide a useful service for ALL of the most vile sites on the internet.

 

That's why you can be sure your site isn't going to just drop off the internet because some system sent an automated notice.

 

Yet somehow every other DDoS provider doesn't have the problem of protecting vile sites including revenge porn or doxing folks. Somehow having an Acceptable Use Policy means they don't tolerate it.

 

And if you are ever the victim of an attack you can be sure you know which provider is protecting the content.

 

Just raising awareness that they are an utterly vile company with no morals to speak of. If you are happy with that then you share Cloudflare's lack of morals.
752 posts

Ultimate Geek


  #2250900 4-Jun-2019 09:55

I don't wish to moderate my own thread to keep it OT....

As an update, as I wish to use my own Let's Encrypt certs, I had to disable Cloudflare's built in cert. My site then wouldn't load, but I think that's because it takes several minutes for the changes to propagate as after about ten minutes all was working again.

In my excitement to reissue Let's Encrypt certs, I then ended up exceeding the number of reissues, so now have to wait a week.

Good times, good learning.

Anyway, thanks again for the direction to Cloudflare. I'm quite happy to maintain the DNS registration with 1st Domains on this shared basis.

/dev/null
9333 posts

Uber Geek

Moderator
Trusted
Lifetime subscriber

  #2250924 4-Jun-2019 10:37

@sultanoswing If this is just standard HTTPS then use Cloudflare's cert and then load an Origin certificate on your webserver (which is generated from the Cloudflare UI). I find this great as Cloudflare then adds a layer of security on your app and you never have to worry about LetsEncrypt. Just ensure that your SSL setting is set to Strict:

[screenshot of the Cloudflare SSL setting]

On that same page create an Origin Certificate and load this on your webserver.

 

Then ensure that you've "Orange Clouded" your app to ensure it works via Cloudflare. There are other options on that page also but really, unless you're using something that requires LetsEncrypt you now have the power to avoid LetsEncrypt and just use a Cloudflare cert.

 

If you do not select Full (strict) as your SSL option then Cloudflare will attempt to communicate via Port 80 (HTTP). It is something I keep forgetting, and then sites time out in the process.

752 posts

Ultimate Geek


  #2250945 4-Jun-2019 10:54

Thanks mm - I also use this as a tinkering / learning project, so that's part of the desire to use Let's Encrypt. It's also fun checking out the Cloudflare tools.

 

I do also use Let's Encrypt to sign my intranet https pages (a UniFi controller & pfSense), as I hate the "Not Secure" red icon in my browsers' address bars :)

 

So, I do "need" my own properly signed certificates, and it's hard to beat the price of the LE certs.
752 posts

Ultimate Geek


  #2254945 9-Jun-2019 19:53

As a final update:

 

After the 5-day grace period, I transferred my domain name to Metaname due to their DNSSEC integration with Cloudflare (which worked seamlessly once I'd figured out how/where to input the DS record credentials into Metaname's site).

 

Today, once my Let's Encrypt rate limit ban was over (that'll teach me to forget about the --test parameter!), I've now got everything up and running perfectly and securely with LE certs on my Raspberry Pi, with an attached HD as the NAS. Good times.
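The last step above hinges on entering the right DS record at the registrar, and a DS that does not match the DNSKEY the DNS host publishes makes the zone bogus for every validating resolver, which is an outage rather than a warning. As an added example (not code from the thread, from Metaname or from Cloudflare), the following derives a DS from a DNSKEY the way RFC 4034 specifies and checks a DS string as you would type it at the registrar against that DNSKEY. The DNSKEY below is a constructed dummy with a hypothetical owner name; in practice you would paste the flags, algorithm and public key shown on your DNS host's DNSSEC page.

```python
"""
Derive and verify a DNSSEC DS record from a DNSKEY (RFC 4034 section 5 and
Appendix B).  Added example, not code from the thread, Metaname or Cloudflare;
the DNSKEY used at the bottom is a constructed dummy, not a real key.
"""
import base64
import hashlib

# DS digest types from the IANA registry: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase labels, each length-prefixed, root = 0x00."""
    name = name.lower().rstrip(".")
    out = b""
    for label in (name.split(".") if name else []):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol (always 3), 1-byte algorithm, raw public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (valid for every algorithm except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Return (key_tag, algorithm, digest_type, hex digest): the DS RDATA for this DNSKEY.
    The digest covers the canonical owner name followed by the DNSKEY RDATA."""
    rdata = dnskey_rdata(flags, protocol, algorithm, base64.b64decode(pubkey_b64))
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest


def ds_matches(ds_text, owner, flags, protocol, algorithm, pubkey_b64):
    """True if a DS as typed at the registrar ("tag alg dtype hexdigest") matches this DNSKEY."""
    tag, alg, dtype, digest = ds_text.split(maxsplit=3)
    expected = make_ds(owner, flags, protocol, algorithm, pubkey_b64, int(dtype))
    return expected == (int(tag), int(alg), int(dtype), digest.replace(" ", "").upper())


if __name__ == "__main__":
    # Constructed dummy KSK: flags 257 (SEP bit set), protocol 3, algorithm 13, 4-byte fake key.
    owner, flags, proto, alg, key = "example.org.nz", 257, 3, 13, "AQIDBA=="
    tag, a, d, digest = make_ds(owner, flags, proto, alg, key)
    print(f"{owner}. IN DS {tag} {a} {d} {digest}")
```

If the string you saved at the registrar does not satisfy ds_matches against the DNSKEY your DNS host actually publishes (wrong owner name, a stray character in the digest, or a digest type the registrar silently changed), the delegation will fail validation as soon as the DS appears in the parent zone.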