Geekzone: technology news, blogs, forums
740 posts

Ultimate Geek
+1 received by user: 130


# 250959 3-Jun-2019 01:37

I've just purchased a .nz domain name from 1st Domains, and found out they don't support CAA (Certificate Authorization Authority) DNS records.

 

They also don't have an API to allow cert-bot or acme.sh to automagically issue and renew Let's Encrypt wildcard certificates, which is another slight annoyance, as it necessitates manual dns / TXT challenge every 3 months.

 

So - are there any NZ registrars who support CAA records and Let's Encrypt wildcard automation?

 

If not, I'm thinking I'll have to transfer my .nz domain name to my other US-based provider who does offer these tools.
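The CAA records the question is about are what a CA consults before it issues a certificate for a name. The Python below is an added example, not code from this thread or from any registrar or CA: it decodes CAA rdata and walks through the issuance decision the way RFC 8659 describes it (closest label with CAA records wins; a wildcard request is governed by issuewild records, falling back to issue records when none are present; an empty issuer forbids every CA; a critical flag on a property the CA does not understand blocks issuance). The ZONE dictionary, the function names and the sample names are all constructed for the example and stand in for real DNS lookups.

```python
"""Evaluate CAA records (RFC 8659) for a certificate request.

Constructed example: ZONE stands in for DNS lookups (name -> CAA records;
an absent name means that label has no CAA RRset). Not real DNS data.
"""
from dataclasses import dataclass

CRITICAL = 0x80                      # issuer-critical bit in the flags octet
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str


def decode_caa(rdata: bytes) -> CAA:
    """Decode wire-format rdata: flags (1 octet) | tag length (1) | tag | value."""
    if len(rdata) < 2:
        raise ValueError("CAA rdata too short")
    flags, tag_len = rdata[0], rdata[1]
    if tag_len == 0 or len(rdata) < 2 + tag_len:
        raise ValueError("bad CAA tag length")
    tag = rdata[2:2 + tag_len].decode("ascii").lower()
    return CAA(flags, tag, rdata[2 + tag_len:].decode("utf-8"))


def encode_caa(rec: CAA) -> bytes:
    """Inverse of decode_caa (handy for building fixtures from captured records)."""
    tag = rec.tag.encode("ascii")
    return bytes([rec.flags & 0xFF, len(tag)]) + tag + rec.value.encode("utf-8")


def relevant_rrset(zone: dict, name: str) -> list:
    """Walk from `name` towards the root; the closest label with CAA records wins."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def issuer_of(value: str) -> str:
    """'ca.example; key=val' -> 'ca.example'. An empty issuer means 'nobody'."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(zone: dict, fqdn: str, ca: str) -> tuple:
    """Return (allowed, reason) for CA `ca` issuing a certificate for `fqdn`.

    A wildcard name ('*.example.org') is checked at its parent and is governed
    by issuewild records when any exist, otherwise by issue records.
    """
    wildcard = fqdn.startswith("*.")
    name = fqdn[2:] if wildcard else fqdn
    rrset = relevant_rrset(zone, name)
    if not rrset:
        return True, "no CAA records: issuance unrestricted"
    for rec in rrset:
        if rec.flags & CRITICAL and rec.tag not in KNOWN_TAGS:
            return False, f"unknown critical property '{rec.tag}'"
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in rrset):
        tag = "issuewild"
    governing = [r for r in rrset if r.tag == tag]
    if not governing:
        return True, f"no {tag} records: issuance unrestricted"
    allowed = {issuer_of(r.value) for r in governing}
    if ca.lower() in allowed:
        return True, f"{ca} is listed in {tag}"
    return False, f"{ca} is not among the {tag} issuers {sorted(allowed)}"


# Constructed zone data for the example, not real DNS.
ZONE = {
    "example.org": [CAA(0, "issue", "letsencrypt.org"),
                    CAA(0, "issuewild", "letsencrypt.org"),
                    CAA(0, "iodef", "mailto:hostmaster@example.org")],
    # Wildcards forbidden for this subtree, ordinary names still allowed.
    "api.example.org": [CAA(0, "issue", "letsencrypt.org"),
                        CAA(0, "issuewild", ";")],
    # An empty issuer list forbids every CA.
    "locked.example.org": [CAA(0, "issue", ";")],
    # A critical flag on a property the CA does not understand blocks issuance.
    "crit.example.org": [CAA(0, "issue", "letsencrypt.org"),
                         CAA(CRITICAL, "policy-2030", "x")],
}

if __name__ == "__main__":
    for req in ("www.example.org", "*.example.org", "*.api.example.org",
                "locked.example.org", "crit.example.org", "plain.example.nz"):
        print(f"{req:22} {may_issue(ZONE, req, 'letsencrypt.org')}")
```

Running it prints the decision for each sample name. The branch worth noticing is the first one: a registrar or DNS host that cannot publish CAA at all leaves every name in the "no CAA records" case, so any publicly trusted CA may issue for it; publishing even a single issue record is what narrows that.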
2738 posts

Uber Geek
+1 received by user: 1245

Trusted
Lifetime subscriber

  # 2250174 3-Jun-2019 06:55

Had a look at Metaname? They offer an API.





630 posts

Ultimate Geek
+1 received by user: 234

Subscriber

  # 2250207 3-Jun-2019 10:00

Could you just use Cloudflare name servers instead?
Mr Snotty
8726 posts

Uber Geek
+1 received by user: 4632

Moderator
Trusted
Lifetime subscriber

  # 2250228 3-Jun-2019 10:20
2 people support this post

Use Metaname - they're great. Then just use Cloudflare for your DNS records. Metaname will handle DNSSEC with Cloudflare and there is a Certbot plugin to use Letsencrypt: https://bjornjohansen.no/wildcard-certificate-letsencrypt-cloudflare

 

Another way you can then do this is use Cloudflare, set your server up to use the Origin certificates provided by Cloudflare and set your SSL settings in Cloudflare to Strict. This means Cloudflare will talk to your server via HTTPS and proxy everything and there is no need to worry about Letsencrypt. You can safely firewall off your server from this point to anything except Cloudflare (assuming you're using a modern debian based Linux):

 

#!/bin/sh
# Allow HTTPS only from Cloudflare's published address ranges (ufw).
set -e

DIR="$(dirname "$(readlink -f "$0")")"
cd "$DIR"

# Fetch into temp files first so a failed download never overwrites a good list.
wget -q https://www.cloudflare.com/ips-v4 -O ips-v4.tmp
wget -q https://www.cloudflare.com/ips-v6 -O ips-v6.tmp
mv ips-v4.tmp ips-v4
mv ips-v6.tmp ips-v6

# One allow rule per range; ufw skips rules that already exist.
# Note: ranges Cloudflare retires are not removed by this script.
while read -r cfip; do ufw allow from "$cfip" to any port https; done < ips-v4
while read -r cfip; do ufw allow from "$cfip" to any port https; done < ips-v6

ufw reload > /dev/null

2738 posts

Uber Geek
+1 received by user: 1245

Trusted
Lifetime subscriber

  # 2250254 3-Jun-2019 11:27
One person supports this post

But don't forget by using Cloudflare you're supporting the terrorists and revenge p.rn sites across the internet.

 

While they provide a useful service, they also provide a useful service for ALL of the most vile sites on the internet.

 

Their one paragraph AUP and long history of not caring whatsoever about any of the harm they cause speaks volumes about their business.
191 posts

Master Geek
+1 received by user: 78


  # 2250382 3-Jun-2019 14:43
One person supports this post

BarTender:

 

While they provide a useful service, they also provide a useful service for ALL of the most vile sites on the internet.

 

That's why you can be sure your site isn't going to just drop off the internet because some system sent an automated notice.



740 posts

Ultimate Geek
+1 received by user: 130


  # 2250735 3-Jun-2019 22:06

*Grumble* it turns out my current provider (dynu.com) can't transfer ".org.nz" TLDs, so I've gone the Cloudflare route.

 

As I type this, I'm just waiting for the transfer to Cloudflare's name servers to kick in. Cloudflare looks to have all the nice tools (APIs, DNS records etc.) I could ever want.

 

Thanks for the heads up!


2738 posts

Uber Geek
+1 received by user: 1245

Trusted
Lifetime subscriber

  # 2250792 4-Jun-2019 08:23
One person supports this post

Tracer:
BarTender:

 

While they provide a useful service, they also provide a useful service for ALL of the most vile sites on the internet.

 

That's why you can be sure your site isn't going to just drop off the internet because some system sent an automated notice.

 

Yet somehow every other DDoS provider doesn't have the problem of protecting vile sites including revenge porn or doxing folks. Somehow having an Acceptable Use Policy means they don't tolerate it.

 

And if you are ever the victim of an attack you can be sure you know which provider is protecting the content.

 

Just raising awareness that they are an utterly vile company with no morals to speak of. If you are happy with that then you share Cloudflare's lack of morals.

740 posts

Ultimate Geek
+1 received by user: 130


  # 2250900 4-Jun-2019 09:55

I don't wish to moderate my own thread to keep it OT....

As an update, as I wish to use my own Let's Encrypt certs, I had to disable Cloudflare's built in cert. My site then wouldn't load, but I think that's because it takes several minutes for the changes to propagate as after about ten minutes all was working again.

In my excitement to reissue Let's Encrypt certs, I then ended up exceeding the number of reissues, so now have to wait a week.

Good times, good learning.

Anyway, thanks again for the direction to Cloudflare. I'm quite happy to maintain the DNS registration with 1st Domains on this shared basis.

Mr Snotty
8726 posts

Uber Geek
+1 received by user: 4632

Moderator
Trusted
Lifetime subscriber

  # 2250924 4-Jun-2019 10:37

@sultanoswing If this is just standard HTTPS then use Cloudflare's cert and then load an Origin certificate on your webserver (which is generated from the Cloudflare UI). I find this great as Cloudflare then adds a layer of security on your app and you never have to worry about LetsEncrypt. Just ensure that your SSL setting is set to Strict:

 

[Screenshot: Cloudflare SSL settings page]

 

On that same page create an Origin Certificate and load this on your webserver.

 

Then ensure that you've "Orange Clouded" your app to ensure it works via Cloudflare. There are other options on that page also but really, unless you're using something that requires LetsEncrypt you now have the power to avoid LetsEncrypt and just use a Cloudflare cert.

 

If you do not select Full (strict) as your SSL option then Cloudflare will attempt to communicate via Port 80 (HTTP). It is something I keep forgetting, then sites time out in the process.

740 posts

Ultimate Geek
+1 received by user: 130


  # 2250945 4-Jun-2019 10:54

Thanks mm - I also use this as a tinkering / learning project, so that's part of the desire to use Let's Encrypt. It's also fun checking out the Cloudflare tools.

 

I do also use Let's Encrypt to sign my intranet https pages (a UniFi controller & pfSense), as I hate the "Not Secure" red icon in my browsers' address bars :)

 

So, I do "need" my own properly signed certificates, and it's hard to beat the price of the LE certs.
740 posts

Ultimate Geek
+1 received by user: 130


  # 2254945 9-Jun-2019 19:53

As a final update:

 

After the 5 day grace period, I transferred my domain name to Metaname due to their DNSSEC integration with Cloudflare (which worked seamlessly once I'd figured out how/where to input the DS Record credentials into Metaname's site).

 

Today, once my Let's Encrypt rate limit ban was over (that'll teach me to forget about the --test parameter!), I've now got everything up and running perfectly and securely with LE certs on my Raspberry Pi, with an attached HD as the NAS. Good times.