How to correctly set up Google Domains and Google Cloud DNS to get certbot (Let’s Encrypt) running

I have a small server at home running TrueNas with a couple of jails. I created a jail to host the reverse proxy, nginx, to reach one of my jails, git, from the outside. I am trying to follow this tutorial and I do want to implement https. However, certbot doesn’t work with Google Domain directly but with the Google Cloud DNS API. After trying different things, I am missing the correct setup on both Google Domain and Google Cloud DNS to make certbot work and deliver the https certificates.

I own the domain name scheltienne.net through google domain. I am trying to make my jail git running gitea accessible to the address git.scheltienne.net.

On Google Cloud, I created a project, a service account with the correct permissions for certbot, and a DNS zone. Under Google Cloud DNS the created zone is:

[image: the zone as shown in the Google Cloud DNS console]

On Google Domain, I have disabled DNSSEC and set the name servers to custom name servers, matching the name servers of the zone in Google Cloud DNS.

ns-cloud-c1.googledomains.com
ns-cloud-c2.googledomains.com
ns-cloud-c3.googledomains.com
ns-cloud-c4.googledomains.com

I believe that up to this point, I did not make a mistake. Show me how wrong I am 😉

Now, I am very confused as to which step I should take from here. I thought I have to create a record of some type under the zone to map the address git.scheltienne.net to my nginx jail, but I can’t figure out the type of record and the IP address to provide.

Moreover, the second confusing point for me is the Dynamic DNS. My home network has a dynamic IP address. On Google Domain, I have a Synthetic record created with a subdomain (e.g. test.scheltienne.net) which gave me credentials to plug into the client service on TrueNas to communicate my IP address to Google. 1. Is this DynamicDNS Synthetic record still working despite having the name server changed to the custom name servers; 2. How can I set records pointing to the dynamic address instead of a static IPv4 address (record A)?

Thank you for the guidance; I am very lost.
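An added example, not from the original post, of the two steps that follow once the zone is served by Cloud DNS: publish an A record for the host from the current (dynamic) home address and keep it current, then let certbot's dns-google plugin solve the DNS-01 challenge through the same zone. Because the domain's name servers were switched to the Cloud DNS ones, records kept in the Google Domains panel (the synthetic dynamic-DNS one included) are no longer what resolvers see for this zone, so the refresh is done against Cloud DNS with gcloud. The zone name `scheltienne-net`, the service-account key path, the e-mail address and the IP-echo resolver are assumptions; gcloud and certbot must be installed and authenticated on the host that runs it.

```shell
#!/bin/sh
# Added example (not from the original post). Keeps an A record in a Google
# Cloud DNS zone pointed at the current public IPv4 address and requests a
# certificate through certbot's dns-google plugin. Run from cron on the box
# whose address changes. ZONE, RECORD, CREDS and EMAIL are assumed values.
set -eu

ZONE="${ZONE:-scheltienne-net}"                  # Cloud DNS zone *name*, not the domain
RECORD="${RECORD:-git.scheltienne.net.}"         # trailing dot: Cloud DNS wants an FQDN
CREDS="${CREDS:-/root/.secrets/google-dns.json}" # service-account key with DNS admin on the project
EMAIL="${EMAIL:-hostmaster@example.net}"         # placeholder contact for the ACME account
TTL=300                                          # short TTL so a new address propagates quickly

# Accept only a dotted-quad IPv4 address. An IP-echo service can return an
# error page or nothing at all; this keeps such output out of the zone.
is_ipv4() {
  case $1 in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Address the rest of the internet sees for this network.
current_public_ip() {
  dig +short myip.opendns.com @resolver1.opendns.com
}

# Address currently published by the authoritative zone (empty if no record yet).
published_ip() {
  gcloud dns record-sets describe "$RECORD" --zone="$ZONE" --type=A \
    --format='value(rrdatas)' 2>/dev/null || true
}

# Create or update the A record only when the address really changed.
sync_a_record() {
  want=$(current_public_ip)
  is_ipv4 "$want" || { echo "refusing to publish '$want'" >&2; return 1; }
  have=$(published_ip)
  if [ "$have" = "$want" ]; then
    echo "$RECORD already points at $want"
  elif [ -z "$have" ]; then
    gcloud dns record-sets create "$RECORD" --zone="$ZONE" --type=A --ttl="$TTL" --rrdatas="$want"
  else
    gcloud dns record-sets update "$RECORD" --zone="$ZONE" --type=A --ttl="$TTL" --rrdatas="$want"
  fi
}

# DNS-01 via the Cloud DNS API: certbot writes the _acme-challenge TXT record
# with the service-account key, so that key must stay root-only (chmod 600).
issue_cert() {
  certbot certonly --dns-google --dns-google-credentials "$CREDS" \
    -d "${RECORD%.}" --non-interactive --agree-tos -m "$EMAIL"
}

if [ "${1:-}" = "--apply" ]; then
  sync_a_record
  issue_cert
fi
```

Run it as `./dns-sync.sh --apply` once by hand, then from cron without certbot (certbot's own timer renews); before the first run, `dig +short NS scheltienne.net` should already return the ns-cloud-c*.googledomains.com servers, otherwise the TXT record certbot creates is never seen by Let's Encrypt. The A record must carry the public address of the home router, with port 443 (and 80, if HTTP is kept) forwarded to the nginx jail.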

How to encrypt an existing BIP-39 mnemonic with a password without changing the seed?

I know that you can create a Mnemonic + PW to encode a seed to derive keys. What I want is to encrypt an existing mnemonic with a password that generates the same seed as the unencrypted mnemonic.

The background is that I have an existing seed sentence that I want to encrypt into a new mnemonic without changing the underlying entropy, so I can replace my existing paper copy with an encrypted one.

Is this possible already? Or any reasons why it does not make sense at all?
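For reference, the BIP-39 seed derivation the question is about, added here from the BIP-39 specification (it is not part of the post):

$$\mathrm{seed} = \mathrm{PBKDF2}_{\mathrm{HMAC\text{-}SHA512}}\!\left(\mathrm{pw} = \mathrm{NFKD}(\mathrm{mnemonic}),\ \mathrm{salt} = \text{``mnemonic''} \,\|\, \mathrm{NFKD}(\mathrm{passphrase}),\ c = 2048,\ \mathrm{dkLen} = 64\ \mathrm{bytes}\right)$$

The words are the KDF password and the optional passphrase only extends the salt, so a pair $(\mathrm{mnemonic}', \mathrm{passphrase}') \neq (\mathrm{mnemonic}, \mathrm{passphrase})$ that yields the same seed would be a collision in PBKDF2-HMAC-SHA512; the standard has no operation that re-encodes a mnemonic under a password while preserving the seed. A password-protected paper copy therefore has to be decrypted back to the original words (outside BIP-39) before they are fed to the KDF.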

debian – Website does not load after SSL (Let’s encrypt + Nginx)

I just set up an SSL certificate with Let’s Encrypt and changed the port from 80 to 443 in nginx.conf, but after the nginx restart the website does not load and the browser gives me the ERR_TIMED_OUT error.

Nginx logs do not say anything and the config is correct. If I revert the config with port 80, the website works again.

My config:

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    root /var/www/html;
    index index.php index.html index.htm;
    server_name domain.com;

    ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem; # managed by Certbot
    ssl_verify_client off;

    ssl_protocols TLSv1.2 TLSv1.3;

    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 TLS-CHACHA20-POLY1305-SHA256 TLS-AES-256-GCM-SHA384 TLS-AES-128-GCM-SHA256 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";

    client_max_body_size 100M;

    error_log /var/log/nginx/nginx_error.log;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    # the dot must be escaped: an unescaped "." matches any character
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    location ^~ /data {
        deny all;
    }
}

I use a Debian 10 VPS and I’m setting up a mail server with postfix and dovecot.
How can I solve it? Thanks :]

linux – TDE error when attempting to encrypt a datafile

I’m encountering error

ORA-28374: typed master key not found in wallet

when attempting to run

alter database datafile '+DATA/testdb/datafile/users.2514.1233355332' encrypt;

against an 11g database on Linux. Basically it’s not possible to encrypt any datafile.
The sqlnet.ora file is correct and pointing to the vault.
If anyone could please direct me to a check list of what could be wrong it would be greatly appreciated.

Also (just guessing) if the original primary was encrypted but not the standby and then the standby became the primary and the old primary dropped. Could that lead to the error above? How could such a situation be rectified? Is it just a case of deleting the old endpoints in the key vault? Thank you.
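An added example, not from the post, of a checklist for ORA-28374 on an 11g TDE setup, as a sh script run as the oracle OS user: it first reads the wallet directory out of sqlnet.ora (the same parser can be tested on a constructed sample), then lists the wallet files and master-key entries, then asks the instance what it thinks. The ORACLE_HOME default, the wallet paths and the database name are placeholders. The only statement that would change anything is commented out, because a new master key does not bring back data encrypted under a key that lived only in another wallet (for instance the dropped primary's); that wallet file has to be restored.

```shell
#!/bin/sh
# Added example, not from the post: ORA-28374 checklist for 11g TDE, run as the
# oracle OS user. ORACLE_HOME default and paths are placeholders.
set -eu

ORACLE_HOME="${ORACLE_HOME:-/u01/app/oracle/product/11.2.0/dbhome_1}"
SQLNET="${SQLNET:-$ORACLE_HOME/network/admin/sqlnet.ora}"

# 1. Where does sqlnet.ora say the wallet lives? Reads the file on stdin and
#    prints the DIRECTORY inside ENCRYPTION_WALLET_LOCATION, whatever the line
#    breaks; index() is used so a later WALLET_LOCATION entry is not picked up.
wallet_dir_from_sqlnet() {
  tr -d ' \t\n' | awk '{
    i = index($0, "ENCRYPTION_WALLET_LOCATION="); if (!i) next
    s = substr($0, i)
    j = index(s, "DIRECTORY="); if (!j) next
    s = substr(s, j + 10); sub(/\).*/, "", s); print s }'
}

# 2. Is the wallet there, readable, and which master-key entries does it hold?
#    Entries are named ORACLE.SECURITY.DB.ENCRYPTION.<key id>; the database
#    looks for the id it expects, which is why a wallet copied from another
#    database, or never updated on a standby, produces ORA-28374.
wallet_checks() {
  dir=$(wallet_dir_from_sqlnet < "$SQLNET")
  echo "wallet directory per sqlnet.ora: $dir  (expand \$ORACLE_UNQNAME by hand if it appears)"
  ls -l "$dir/ewallet.p12" "$dir/cwallet.sso" 2>&1 || true
  orapki wallet display -wallet "$dir" 2>&1 | grep -i 'ORACLE.SECURITY' || echo "(no master key entries listed)"
}

# 3. What the instance itself thinks.
db_checks() {
  sqlplus -s / as sysdba <<'SQL'
set lines 200 pages 100
-- wallet file in use and its state: OPEN, CLOSED or (11.2) OPEN_NO_MASTER_KEY
select wrl_type, wrl_parameter, status from v$encryption_wallet;
-- sqlnet.ora paths that use $ORACLE_UNQNAME must match this name
select name, db_unique_name, database_role from v$database;
-- what is already encrypted, and therefore tied to the existing master key
select ts#, encryptionalg, encryptedts from v$encrypted_tablespaces;
select owner, table_name, column_name, encryption_alg from dba_encrypted_columns;
-- Only when the wallet has never held a master key for this database and
-- nothing is encrypted yet: create one. It does NOT recover data encrypted
-- under a key that exists only in another wallet; restore that wallet instead.
-- alter system set encryption key identified by "wallet-password";
SQL
}

if [ "${1:-}" = "--run" ]; then
  wallet_checks
  db_checks
fi
```

If `v$encryption_wallet` reports the wallet as open but `orapki` shows no `ORACLE.SECURITY.DB.ENCRYPTION.*` entry, or only an id that was created on a different database, that mismatch is the error: the wallet the instance opened is not the one holding this database's master key.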

Added Let’s Encrypt SSL and pages with Views stopped loading

I added a Let’s Encrypt certificate to my Drupal 8 site and now pages that display Views won’t load. All other pages work with HTTPS, but not views. I think there may be a separate setting that needs to be configured for Views? I can’t find any mention of this on StackExchange.

I have allowed time for DNS to update. I have cleared site cache and the Views cache several times. I have tried different browsers, incognito mode and different machines.

Has anyone run into this problem or have ideas as to how to fix it?

bash – How to supply both passphrase and string to encrypt to GnuPG using command line?

Considering using echo -n "passphrase" | gpg --batch --passphrase-fd 0 ... inside a Bash script (which should mitigate leaking the passphrase to the process list, given that echo is a built-in command, right?).

I need to know the passphrase to create shares of it using Shamir Secret Sharing later in the script.

How can I supply the string to encrypt to GnuPG? I usually use stdin for that.

Edit: following script appears to achieve what I want, but is it secure*?

*Passphrase and string are not leaked to other users nor written to file system and passphrase is cleared from memory once script exits.

All feedback is welcomed as I might be naively considering an insecure approach.

#!/bin/bash

printf "%s\n" "Please type passphrase and press enter "

# -s: do not echo; -r: keep backslashes literal
read -rs passphrase

# plaintext on stdin, passphrase on fd 3 (a here-string), armoured output on stdout
echo -n "bar" | gpg --batch --passphrase-fd 3 --s2k-mode 3 --s2k-count 65011712 \
    --s2k-digest-algo sha512 --cipher-algo AES256 --symmetric --armor 3<<<"$passphrase"

According to ps ax, the above script doesn’t leak the passphrase to other users.
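An added example, not the poster's script, of the same idea with two changes a reviewer would ask for. First, the passphrase is handed to fd 3 through process substitution, which is a pipe; a bash here-string (`3<<<"$passphrase"`) is expanded into a temporary file on bash releases before 5.1, so the secret can briefly touch the filesystem. Second, GnuPG 2.1 and later only honour `--passphrase-fd` together with `--pinentry-mode loopback`; without it the agent's pinentry is used and a non-interactive run fails. The functions take no secret arguments at all, so nothing appears in `ps`; the variable is never exported, so it is not in `/proc/<pid>/environ` either. The script assumes bash 4 or newer and GnuPG 2.1 or newer.

```bash
#!/usr/bin/env bash
# Added example, not the poster's script. Plaintext arrives on stdin, the
# passphrase on fd 3 fed by process substitution (a pipe: no argv entry, no
# environment variable, no temporary file), and GnuPG 2.1+ is told to read it
# from there with --pinentry-mode loopback.
set -euo pipefail

GPG_S2K=(--s2k-mode 3 --s2k-count 65011712 --s2k-digest-algo SHA512)

# stdin: plaintext   fd 3: passphrase   stdout: ASCII-armoured ciphertext
gpg_sym_encrypt() {
  gpg --batch --quiet --pinentry-mode loopback --passphrase-fd 3 \
      "${GPG_S2K[@]}" --cipher-algo AES256 --symmetric --armor
}

# stdin: armoured ciphertext   fd 3: passphrase   stdout: plaintext
gpg_sym_decrypt() {
  gpg --batch --quiet --pinentry-mode loopback --passphrase-fd 3 --decrypt
}

# Encrypt then decrypt one message with a given passphrase; prints the
# recovered text. The caller wires the descriptors; the functions see no secret.
roundtrip() {
  local pass=$1 msg=$2 ct
  ct=$(printf '%s' "$msg" | gpg_sym_encrypt 3< <(printf '%s' "$pass"))
  printf '%s' "$ct" | gpg_sym_decrypt 3< <(printf '%s' "$pass")
}

# Interactive use: passphrase from the terminal (not echoed, not exported),
# plaintext from stdin, ciphertext to stdout. The same variable can then be
# split with Shamir sharing; `unset` drops the shell's reference afterwards.
if [[ ${1:-} == --encrypt ]]; then
  IFS= read -rs -p 'Passphrase: ' pass </dev/tty
  printf '\n' >/dev/tty
  gpg_sym_encrypt 3< <(printf '%s' "$pass")
  unset pass
fi
```

`unset` only releases the shell's copy; bash does not zero freed memory, and gpg and gpg-agent hold their own copies for the duration of the call, so "cleared from memory once the script exits" is true in the sense that no process holding it survives, not in the sense of a wipe.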

linux – Configuring CouchDB with Lets Encrypt SSL certificate

I basically have exactly the same issue as configure CouchDB with Lets Encrypt SSL certificate, so have followed this answer. But it’s still not working.

I’ve started with the Bitnami CouchDB VM on Azure, so CouchDB 3.3.1 is already set up (on Debian 10) and working fine over HTTP on port 5984. I’m using certbot to obtain the certificates and have set up the post-renewal hook to copy them and change the owner to couchdb. I’ve updated CouchDB’s local.ini file to configure support for SSL:

[httpd]
bind_address = 0.0.0.0

[daemons]
httpsd = {couch_httpd, start_link, [https]}

[ssl]
enable = true
cert_file = /opt/bitnami/couchdb/etc/certs/cert.pem
key_file = /opt/bitnami/couchdb/etc/certs/privkey.pem
cacert_file = /opt/bitnami/couchdb/etc/certs/fullchain.pem

Once the CouchDB service is restarted, I can see

[info] 2021-03-25T21:25:38.726431Z couchdb@127.0.0.1 <0.239.0> -------- Apache CouchDB has started on https://0.0.0.0:6984/

in the logs, so it looks like CouchDB is happy with the setup.

Using netstat -tulnp, I see:

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:5984            0.0.0.0:*               LISTEN      990/beam.smp
tcp        0      0 0.0.0.0:6984            0.0.0.0:*               LISTEN      990/beam.smp
tcp        0      0 0.0.0.0:9100            0.0.0.0:*               LISTEN      990/beam.smp

so it looks like the port is open and being listened to (PID 990 is CouchDB). I’ve also made sure that the Azure network security group has an inbound rule set up for port 6984.

But it’s still not connecting – openssl s_client -connect <server_domain>:6984 -servername <server_domain> displays:

CONNECTED(00000004)
write:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 321 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

ufw doesn’t appear to be installed (so the other answer in that question isn’t relevant) and there are no errors in the CouchDB logs when I try to connect. I’ve even tried replacing the certificates temporarily with self-signed ones as per Bitnami’s docs, but get the same error.

So what else should I be checking?
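An added example, not from either post, covering this question and the nginx ERR_TIMED_OUT one above: a sh script that classifies `openssl s_client` output and runs the server-side checks in the order that separates a network problem from a TLS-stack problem. The two cases look different in output already quoted on this page. A browser timeout means no TCP answer at all, so the daemon never sees the request and its log stays empty, which matches the silent nginx error log; `CONNECTED` followed by `SSL handshake has read 0 bytes` means the TCP connection to the CouchDB process was made and was closed before a ServerHello came back, which points at the server's TLS configuration (key unreadable by the service user, key and certificate that do not belong together, a key format the TLS library cannot parse) rather than at a packet filter such as the Azure security group. Host names, ports, file paths and the service user in the script are placeholders; the `s_client` lines in the test are a constructed sample built from the output quoted above.

```shell
#!/bin/sh
# Added example, not from either post: triage for a TLS listener that "will
# not connect". Host names, ports, paths and the service user are placeholders.
set -eu

# Classify raw `openssl s_client` output read from stdin into one word.
# Order matters: a server that hangs up still prints "Verify return code: 0".
classify_s_client() {
  out=$(cat)
  case $out in
    *"Connection refused"*)                      echo refused ;;          # nothing listening
    *"Connection timed out"*|*"connect:errno="*) echo network ;;          # filtered / wrong address
    *"SSL handshake has read 0 bytes"*)          echo server-closed ;;    # TLS stack bailed out
    *"handshake failure"*|*"Cipher is (NONE)"*)  echo handshake-failed ;; # no common protocol/cipher
    *"Verify return code: 0 (ok)"*)              echo ok ;;
    *)                                           echo unknown ;;
  esac
}

# Probe HOST PORT from wherever this runs; SNI is set so name-based servers answer.
probe() {
  timeout 10 openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>&1 \
    | classify_s_client
}

# True when the certificate's public key is the one inside the private key.
cert_key_match() {
  c=$(openssl x509 -in "$1" -noout -pubkey)
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# Checks to run on the server itself, in this order: PORT CERT KEY SERVICE_USER
server_side_checks() {
  port=$1; cert=$2; key=$3; user=$4
  echo "# 1. is anything bound to :$port, and on which address?"
  ss -ltnp "sport = :$port" 2>/dev/null || netstat -tlnp 2>/dev/null | grep ":$port " || echo "(nothing on :$port)"
  echo "# 2. host firewall rules naming $port (a cloud security group is checked in its console)"
  { nft list ruleset 2>/dev/null; iptables -S 2>/dev/null; } | grep -w "$port" || echo "(none)"
  echo "# 3. can $user read and parse the key, and does it belong to the cert?"
  sudo -u "$user" openssl pkey -in "$key" -noout && echo "key readable by $user"
  cert_key_match "$cert" "$key" && echo "key matches cert" || echo "KEY/CERT MISMATCH"
  echo "# 4. handshake from the box itself, bypassing every network device:"
  probe 127.0.0.1 "$port"
}

# usage: ./tls-triage.sh probe git.example.net 443
#        ./tls-triage.sh server 6984 /opt/couchdb/certs/cert.pem /opt/couchdb/certs/privkey.pem couchdb
case "${1:-}" in
  probe)  probe "$2" "$3" ;;
  server) server_side_checks "$2" "$3" "$4" "$5" ;;
esac
```

Reading the results: `network` from outside together with `ok` from the box itself means something between the two (provider firewall, nftables, NAT) is the problem, which is the nginx case; `server-closed` from both sides means the daemon is reachable and step 3 is where to look, which is the CouchDB case.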

encryption – How much data can we encrypt using AES 256 before changing the key?

Although this question has been answered in this link (After How Much Data Encryption (AES-256) we should change key?), I am not satisfied with the answers because the Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC (https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf) has a different view on this. It says [image of the quoted passage]. Now 2^32 blocks means 2^32 * 16 bytes of data, which is approximately 68 GB. So do I need to change keys after 68 GB?
I am confused because I am very new to the field and I would be very thankful for any help or suggestion in this regard.
Thanking you all in advance!!
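Added for reference, taken from SP 800-38D itself (the passage the question quotes did not survive extraction): the document sets two separate limits, and its $2^{32}$ counts calls to the encryption function, not 16-byte blocks.

$$\text{per message (§5.2.1.1):}\quad \mathrm{len}(P) \le 2^{39} - 256\ \text{bits} = 2^{36} - 32\ \text{bytes} \approx 68.7\ \text{GB}\ (64\ \text{GiB})$$

$$\text{per key (§8.3):}\quad \#\{\text{invocations of the authenticated encryption function under } K\} \le 2^{32}$$

The second bound comes from IV uniqueness. With 96-bit IVs drawn at random, after $n$ messages the probability that some IV repeats is, by the birthday bound, at most

$$\frac{n(n-1)}{2^{97}} \approx 2^{-33} \quad \text{for } n = 2^{32},$$

and a repeated IV under one key exposes the XOR of the two plaintexts and allows recovery of the authentication subkey, so the standard stops at $2^{32}$ calls to keep that probability near $2^{-32}$. The $\approx 68$ GB figure is therefore the most a single GCM call may encrypt; the key itself is spent after $2^{32}$ calls whatever their size, which is anywhere from $2^{32}$ small packets to $2^{32} \times 64$ GiB. Counting messages, not bytes, is the rule to implement.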

How Do I Encrypt My Periodic Hard Drive Backup to One Drive with Veracrypt


anki – How do I encrypt a particular folder using Veracrypt?

I am using Fedora.

I want to encrypt a folder.

The path for that folder is /home/user/.local/share/Anki2.

Why doesn’t it encrypt the folder when I press Format, and instead shows:

“Is a directory: /home/user/.local/share/Anki2
Veracrypt::File::Open:232”?

Thanks.

This image shows what I am talking about.
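An added example, not from the post. VeraCrypt, the GUI's Format step included, works on volumes, meaning a container file or a block device, not on an existing directory; handing it /home/user/.local/share/Anki2 is what produces "Is a directory" from the file-open call. The usual pattern for one folder is a file container mounted on top of the folder's path, with the existing data copied in once. The container path and size, the user name and the `--list` lines in the test are placeholders; the commands need root (sudo), and the mounted filesystem is handed back to the desktop user so Anki can write to it.

```shell
#!/bin/sh
# Added example, not from the post: put one folder inside a VeraCrypt file
# container mounted at the folder's own path. Run with sudo. DIR, CONTAINER,
# SIZE and OWNER are placeholders.
set -eu

DIR="${DIR:-/home/user/.local/share/Anki2}"
CONTAINER="${CONTAINER:-/home/user/anki2.hc}"
SIZE="${SIZE:-2G}"        # must hold the folder plus growth; check with: du -sh "$DIR"
OWNER="${OWNER:-user}"    # desktop user that runs Anki

# Read `veracrypt --text --list` output on stdin and succeed when a volume is
# mounted at $1. Lines look like:
#   1: /home/user/anki2.hc /dev/mapper/veracrypt1 /home/user/.local/share/Anki2
is_mounted_at() {
  awk -v mp="$1" '$4 == mp { found = 1 } END { exit !found }'
}

# One-time: create the container. No -p/--password, so the password is asked
# on the terminal and never appears in argv or shell history.
create_container() {
  veracrypt --text --create "$CONTAINER" --size="$SIZE" --volume-type=normal \
    --encryption=AES --hash=SHA-512 --filesystem=ext4 --pim=0 --keyfiles="" \
    --random-source=/dev/urandom
  chmod 600 "$CONTAINER"
}

# Mount the container where the folder lives; on first use, move the plain
# folder aside and copy it in so nothing is lost if the mount fails.
mount_over_folder() {
  if [ -d "$DIR" ] && [ -n "$(ls -A "$DIR")" ] \
     && ! veracrypt --text --list 2>/dev/null | is_mounted_at "$DIR"; then
    mv "$DIR" "$DIR.plain"
  fi
  mkdir -p "$DIR"
  veracrypt --text --mount "$CONTAINER" "$DIR" --pim=0 --keyfiles="" --protect-hidden=no
  chown "$OWNER" "$DIR"
  if [ -d "$DIR.plain" ]; then
    cp -a "$DIR.plain/." "$DIR/"
    echo "data copied into the volume; remove $DIR.plain once verified" >&2
  fi
}

unmount_folder() {
  veracrypt --text --dismount "$CONTAINER"
}

case "${1:-}" in
  create) create_container ;;
  mount)  mount_over_folder ;;
  umount) unmount_folder ;;
esac
```

The plain copy left in `$DIR.plain` is the unencrypted data; deleting it with `rm` leaves it recoverable on most filesystems, so it should be overwritten (or the whole home directory should already sit on an encrypted partition, in which case a per-folder container adds little).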