Category Archives: SysAdmin

Automating Let’s Encrypt Wildcard Certificates with the Namecheap API

1 Reply

I’m a big fan of Let’s Encrypt but when I recently found out about TLS Certificate Transparency Logs and how easy they made searching for otherwise unpublished subdomains, I decided that it might be a good idea to look into using wildcard TLS certificates.

A minor complication was that to validate a wildcard certificate Let’s Encrypt needs to create a TXT DNS record for your domain with a validation code. This is known as the DNS-01 challenge. I happen to use Namecheap as the registrar for most of my domains and luckily there is a Python library to access their API and automatically create this DNS record.

I’ve written a quick Python script which works as a manual authentication hook for Let’s Encrypt’s certbot and helps to automate the process of issuing / renewing a certificate using the DNS-01 challenge.

Usage:

  1. Obtain API credentials for Namecheap as detailed here
  2. Download the script and edit to add the API credentials to the appropriate variables
    N.B. Bad Things could happen if these credentials become public, please take appropriate precautions to keep them secure.
  3. To issue / renew a wildcard certificate for your domain run certbot something like this: 
    sudo certbot certonly \
     --non-interactive \
     --manual \
     --manual-public-ip-logging-ok \
     -d <*.domain> \
     --email <email@address> \
     --manual-auth-hook <path/to/the/script>
A USB cable lies unplugged next to a laptop

Virtually unplug USB devices under Linux

2 Replies

My laptop has a built-in webcam which I don’t normally want enabled. The immediately obvious solution to this would be to blacklist the usb webcam kernel module (uvcvideo). However, I sometimes want to plug in an external USB webcam and use that. So how do you unplug/disable a built-in USB device under Linux?

After a bit of poking about it turns out to be possible to do via sysfs, but it’s a bit fiddly. So I wrote a script that I can run from rc.local to disable (or enable) a device with a specific vendor and product id.

Example usage:

$ lsusb
[...]
Bus 003 Device 005: ID 04ca:7034 Lite-On Technology Corp. 
[...]
usbEnableDisable.sh 04ca 7034 disable

Removing a disk from a RAID 1 array

Leave a Reply

I’m in the process of building a new NAS server to replace our existing one which is getting a bit long in the tooth. As usual I’ve opted to install Ubuntu Server LTS as the OS. In my current NAS I’ve got the system partition RAID 1’d across all the drives, this means that should one fail I’ve still got 4 copies.

Setting up the new NAS I’ve put the system partition on a separate SSD from the main data drives. I’ve currently only got the one SSD but I wanted the option of RAID 1’ing the system drive for redundancy should I decide to get another SSD in future.

The Ubuntu installer will quite happily let you create a RAID 1 MD device with 2 disks but only select a single drive to belong to it. This would be the equivalent of the following mdadm command:

mdadm --create /dev/md2 --level=1 --raid-devices=2 /dev/loop1 missing

However, when you boot the OS will consider that array degraded:

mdadm -D /dev/md2
/dev/md2:
Version : 1.2
Creation Time : Fri Jan 16 21:24:44 2015
Raid Level : raid1
Array Size : 32704 (31.94 MiB 33.49 MB)
Used Dev Size : 32704 (31.94 MiB 33.49 MB)
Raid Devices : 2
Total Devices : 1
Persistence : Superblock is persistent

Update Time : Fri Jan 16 21:26:58 2015
State : clean, degraded
Active Devices : 1
Working Devices : 1
Failed Devices : 0
Spare Devices : 0

Name : lupin:2 (local to host lupin)
UUID : eccabf13:879f4196:1c47de11:3059e0b8
Events : 6

Number Major Minor RaidDevice State
0 7 1 0 active sync /dev/loop1
1 0 0 1 removed

It seems that you can’t remove the “missing” disk from the array even with

mdadm /dev/md2 -r detached

I eventually found the solution to this problem. It seems (counter-intuitively) that to remove a device from the array you have to “grow” that array as follows:

mdadm /dev/md2 --grow --force --raid-devices=1

This resulted in the missing / removed / non-existent device being removed from the array and it being considered clean:

mdadm -D /dev/md2
/dev/md2:
Version : 1.2
Creation Time : Fri Jan 16 21:24:44 2015
Raid Level : raid1
Array Size : 32704 (31.94 MiB 33.49 MB)
Used Dev Size : 32704 (31.94 MiB 33.49 MB)
Raid Devices : 1
Total Devices : 1
Persistence : Superblock is persistent

Update Time : Fri Jan 16 21:32:17 2015
State : clean
Active Devices : 1
Working Devices : 1
Failed Devices : 0
Spare Devices : 0

Name : lupin:2 (local to host lupin)
UUID : eccabf13:879f4196:1c47de11:3059e0b8
Events : 11

Number Major Minor RaidDevice State
0 7 1 0 active sync /dev/loop1

This took me a while to figure out so I hope this might help someone else out there who’s trying to achieve the same thing.

Dropbox on Ubuntu Server

Leave a Reply

I’ve been using the Dropbox Linux client on my server for a while now, it’s very handy for sync’ing files to & from my various systems.

I recently installed a new server and hit the problem that following the usual instructions:


cd ~ && wget -O - "https://www.dropbox.com/download?plat=lnx.x86_64" | tar xzf -
~/.dropbox-dist/dropboxd

resulted in Dropbox not starting.

The problem (according to its crash log) was that it was trying to link against libgtk which I didn’t have installed on my (headless) Ubuntu Server 14.04 installation.

After a bit of messing around I realized that the problem was that I had enabled ForwardX11 on my PuTTY sessions and so dropboxd thought that I had an X11 session available. When I disabled X11 forwarding the problem went away & dropboxd ran as normal.