Let's Encrypt has recently started supporting wildcard certificates through its new ACME v2 protocol. This means you can have a single wildcard certificate such as *.asknetsec.com and use it on all sub-domains, for example blog.asknetsec.com and email.asknetsec.com.
This makes it very easy to manage certificates for different sub-domains. Until now, each sub-domain needed its own certificate generated specifically for it.
Certbot is not available in the default Ubuntu repository. Run the command below to add the PPA repository.
sudo add-apt-repository ppa:certbot/certbot
This adds the repository from which certbot can be installed.
sudo add-apt-repository ppa:certbot/certbot
 This is the PPA for packages prepared by Debian Let's Encrypt Team and backported for Ubuntu(s).
 More info: https://launchpad.net/~certbot/+archive/ubuntu/certbot
Press [ENTER] to continue or ctrl-c to cancel adding it

gpg: keyring `/tmp/tmp1hyvak__/secring.gpg' created
gpg: keyring `/tmp/tmp1hyvak__/pubring.gpg' created
gpg: requesting key 75BCA694 from hkp server keyserver.ubuntu.com
gpg: /tmp/tmp1hyvak__/trustdb.gpg: trustdb created
gpg: key 75BCA694: public key "Launchpad PPA for certbot" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
OK
sudo apt update
Run the command below to install certbot.
sudo apt install certbot
Make sure that you are using Certbot version 0.22 or above. Certbot versions before 0.22 do not support wildcard certificates.
Replace *.asknetsec.com with your own domain name, for example *.yourdomainname.com. Once you run this command, certbot generates a DNS TXT value for the dns-01 challenge.
The command output will be similar to the one below
debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): firstname.lastname@example.org
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: N
Starting new HTTPS connection (1): supporters.eff.org
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for asknetsec.com

-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.asknetsec.com with the following value:

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue
Create a DNS TXT record for the sub-domain _acme-challenge.yourdomainname.com with the value certbot generated when the above command was run. In my case the value was AVOwxVcSTfASueHcoOosBFF4sxEFZuso5ip6w63GrMs.
You will have to wait some time for the new DNS record to propagate across the internet. I waited for 10 minutes and pressed Enter.
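Rather than guessing how long propagation takes, you can ask a public resolver directly. The following is an added example (not certbot's code and not from the original post) of a stdlib-only DNS TXT check: it builds a query for _acme-challenge.<domain>, parses the response including compression pointers, and reports whether the value certbot printed is already being served; the resolver 8.8.8.8 is an assumption, and because the name is sent as absolute labels (the trailing dot is stripped, never expanded), no search suffix can be appended, the same point the DNS query tip at the end of this page makes.

```python
import random, socket, struct
def encode_name(name):
    # A trailing dot marks an absolute name; strip it and emit length-prefixed labels.
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"

def build_query(name, qtype, txid=0x1234):
    # 12-byte header (RD flag set, QDCOUNT=1) followed by one question of class IN (1).
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)

def decode_name(msg, off):
    # Walks labels and 0xC0xx compression pointers; returns (name, offset just past the name).
    labels, end = [], None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                      # pointer: remember where we left off, then jump
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
        elif n == 0:                              # root label terminates the name
            return ".".join(labels) + ".", (off + 1 if end is None else end)
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
            off += 1 + n

def parse_txt(msg):
    # Returns [(owner, text), ...] for every TXT (type 16) answer in a DNS response.
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, out = 12, []
    for _ in range(qd):                           # skip the echoed question section
        off = decode_name(msg, off)[1] + 4
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == 16:                           # TXT rdata is a run of <len><chars> strings
            i, parts = 0, []
            while i < rdlen:
                parts.append(rdata[i + 1:i + 1 + rdata[i]].decode("ascii"))
                i += 1 + rdata[i]
            out.append((name, "".join(parts)))
    return out

def txt_record_present(domain, expected, server="8.8.8.8", timeout=3.0):
    # True once the resolver serves certbot's value; poll this before pressing Enter (8.8.8.8 assumed).
    owner = "_acme-challenge." + domain.rstrip(".") + "."
    q = build_query(owner, 16, random.randrange(65536))   # random ID so a stray reply is not accepted
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        resp = s.recv(4096)
    return resp[:2] == q[:2] and (owner, expected) in parse_txt(resp)
```

Call txt_record_present("yourdomainname.com", "<value certbot printed>") in a loop with a short sleep and only return to certbot once it reports True.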
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/asknetsec.com-0001/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/asknetsec.com-0001/privkey.pem
   Your cert will expire on 2018-06-21. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
Congratulations! The wildcard certificate has been generated. You can use it with any sub-domain you create under your domain name.
WPA2 is used to secure wireless communication between clients and the access point. It was considered unbreakable until this vulnerability was discovered. Here are the key things you should know about it.
This vulnerability cannot be exploited remotely. The attacker or their device must be close enough to connect to the targeted wireless network to run the attack, which limits its impact significantly.
There have been no reports of this vulnerability being exploited in the wild, yet.
This only enables the attacker to decrypt wireless frames and expose their payload. If the communication is over HTTPS/TLS, the attacker still cannot decrypt the payload, and your communication data remains safe.
The vulnerability was discovered many months ago and was communicated to the many vendors whose products are affected, so patches should be available soon.
This vulnerability affects every client device that uses wireless, because the flaw is in the WPA2 standard itself.
No patches are available to fix it at this moment, so until the device vendor releases one, wireless communication is prone to this attack.
It enables the attacker to obtain private information sent over wireless if the payload is transmitted in plain text (HTTP).
Although HTTPS communication is safe from this attack, it still exposes your DNS traffic, which is sent in clear text.
The attacker can modify that DNS traffic and redirect you to a malicious website.
Things you should do to keep yourself safe from this attack:
Keep an eye on any update released by your device vendor, and patch the device as soon as an update is available.
Do not send private information such as usernames/passwords, account logins, payment information or personal details over an unencrypted connection. Always check that the website you are submitting details to uses HTTPS to encrypt all communication involving private information.
Checking for the green lock icon in the browser is even more important now, because the attacker can modify DNS traffic and redirect you to a malicious website. If that happens, you will get a certificate error in the browser. Do not proceed if your browser warns you about any problem with the website's certificate.
If possible, always use a VPN when connected over wireless, so that all wireless communication is protected by the VPN's extra layer of encryption.
For the paranoid: avoid using wireless at all until this vulnerability is patched.
This command runs a DNS query and shows the resolved IP address. A DNS query for myip.opendns.com. sent to the resolver1.opendns.com resolver returns the public IP address from which the query originated.
Note the period (.) at the end of myip.opendns.com.; it makes the name absolute, so the resolver's DNS search suffix is not appended to the query.