OpnSense & ACME & NSUpdate (bind9 journal problem)

If you use the ACME plugin to obtain a certificate with the DNS challenge over nsupdate (RFC 2136) against a bind9 server, you may run into the problem below:

Nov  6 07:58:24 Sagitarius named[121]: client @0x7f68640c70d0 10.20.3.1#50544/key opnsense: signer "opnsense" approved
Nov  6 07:58:24 Sagitarius named[121]: client @0x7f68640c70d0 10.20.3.1#50544/key opnsense: updating zone 'clucas.fr/IN': adding an RR at '_acme-challenge.cloud-home.clucas.fr' TXT "-_UEEMEIYvUxwoHWhBbdxiSzil62dgNoHCBfZJCzIiE"
Nov  6 07:58:24 Sagitarius named[121]: /etc/bind/clucas.fr.zone.jnl: create: permission denied
Nov  6 07:58:24 Sagitarius named[121]: client @0x7f68640c70d0 10.20.3.1#50544/key opnsense: updating zone 'clucas.fr/IN': error: journal open failed: unexpected error

You can try to create the file with 'touch' (here clucas.fr.zone.jnl). Even if you change its owner and permissions (even 777), it will still not work; this time you will see:

Nov  6 11:55:25 Sagitarius named[121]: client @0x7f68640d5860 10.20.3.1#59062/key opnsense: signer "opnsense" approved
Nov  6 11:55:25 Sagitarius named[121]: client @0x7f68640d5860 10.20.3.1#59062/key opnsense: updating zone 'clucas.fr/IN': adding an RR at '_acme-challenge.cloud-home.clucas.fr' TXT "eOTvsiOSI0I0eenYb2hfiD0KAAf2kXSPZjDo_5IY1yQ"
Nov  6 11:55:25 Sagitarius named[121]: client @0x7f68640d5860 10.20.3.1#59062/key opnsense: updating zone 'clucas.fr/IN': error: journal open failed: no more

I read a lot of blog posts, Reddit threads and so on. The only solution I found is to move the journal to another directory with a 'journal' statement in the zone. On Debian and Ubuntu the reason chmod and chown do not help is the AppArmor profile shipped for named: it allows read-write access under /var/lib/bind and /var/cache/bind but only read access under /etc/bind, so a journal next to a zone file kept in /etc/bind can never be created, whatever its mode (and 777 on anything under /etc/bind is a bad idea anyway). The 'no more' error after the touch is just BIND hitting end-of-file while reading the header of the empty file you created. Pointing the journal at /var/lib/bind fixes it:

include "/etc/bind/keys/opnsense.key";
[...]
zone "clucas.fr" {
       type master;
       file "/etc/bind/clucas.fr.zone";
       journal "/var/lib/bind/clucas.fr.jnl";
       also-notify { 217.169.242.186 port 53; 51.222.24.32 port 53; };
       allow-transfer { 217.169.242.186; 51.222.24.32;};
       notify yes;
       allow-update {
              key "opnsense";
       };
};
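Added example, not part of the original post or of BIND/OPNsense: a small pre-flight check of where bind9 will put a zone's journal and whether named is allowed to write there, to run before letting the ACME plugin send its nsupdate requests. It parses the zone statement, applies BIND's default of the zone 'file' plus .jnl when no journal statement is present, and flags locations outside /var/lib/bind and /var/cache/bind, the directories the Debian/Ubuntu AppArmor profile lets named write to. The configuration embedded in it is constructed for the example (before.example / after.example are placeholder zones), and the Debian paths are an assumption.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post: pre-flight check of where
# bind9 will put a zone's journal before letting the OPNsense ACME plugin
# send nsupdate requests. Assumes the Debian/Ubuntu layout used in the post
# (zones under /etc/bind) and the stock AppArmor profile for named, which
# grants read-write access under /var/lib/bind and /var/cache/bind but
# read-only access under /etc/bind.
set -u

# Print the journal path BIND will use for zone $2 in config file $1:
# an explicit "journal" statement wins, otherwise it is the zone's
# "file" with ".jnl" appended (BIND's default).
journal_path_for_zone() {
  awk -v z="$2" '
    !inzone && $1 == "zone" && $2 == ("\"" z "\"") { inzone = 1; depth = 0; opened = 0 }
    inzone {
      if ($1 == "file")    { v = $2; gsub(/[";]/, "", v); file = v }
      if ($1 == "journal") { v = $2; gsub(/[";]/, "", v); jnl  = v }
      depth += gsub(/[{]/, "{")    # count braces so nested blocks such as
      depth -= gsub(/[}]/, "}")    # allow-update { ... }; do not end the zone early
      if (depth > 0) opened = 1
      if (opened && depth == 0) inzone = 0
    }
    END {
      if (jnl != "")       print jnl
      else if (file != "") print file ".jnl"
    }' "$1"
}

# Under the AppArmor profile a journal outside these two trees fails with
# "create: permission denied" no matter what chmod/chown say.
journal_dir_writable_by_named() {
  case "$1" in
    /var/lib/bind/*|/var/cache/bind/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Verdict for one zone: exit 0 when the journal location is fine,
# 1 when it must move, 2 when the zone is not in the file.
check_zone_journal() {
  local jnl
  jnl="$(journal_path_for_zone "$1" "$2")"
  if [ -z "$jnl" ]; then
    echo "zone $2: not found in $1"; return 2
  fi
  if journal_dir_writable_by_named "$jnl"; then
    echo "zone $2: journal $jnl is in a directory named can write to"; return 0
  fi
  echo "zone $2: journal $jnl is outside /var/lib/bind and /var/cache/bind"
  echo "  add:  journal \"/var/lib/bind/$2.jnl\";  to the zone statement"
  return 1
}

# Constructed sample config: one zone as it failed in the post (no journal
# statement, so the journal would land in /etc/bind) and one as fixed.
sample_named_conf_local() {
  cat <<'EOF'
include "/etc/bind/keys/opnsense.key";
zone "before.example" {
       type master;
       file "/etc/bind/before.example.zone";
       allow-update { key "opnsense"; };
};
zone "after.example" {
       type master;
       file "/etc/bind/after.example.zone";
       journal "/var/lib/bind/after.example.jnl";
       allow-update { key "opnsense"; };
};
EOF
}

# Usage on a real master: sh journal_check.sh /etc/bind/named.conf.local clucas.fr
if [ "$#" -ge 2 ]; then
  check_zone_journal "$1" "$2"
fi
```

Run it on the master with the config file and zone name as arguments (the script name journal_check.sh is just a suggestion); an exit status of 1 means the journal still points under /etc/bind. After moving the journal, run named-checkconf and rndc reload as usual.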

Once the zone accepts dynamic updates, run 'rndc freeze clucas.fr' before editing the zone file by hand and 'rndc thaw clucas.fr' afterwards, otherwise the file and the journal get out of sync. On the OpnSense side you will have something like this:

  1. A Let's Encrypt account (in my case);
  2. A challenge type configured to use NSUPDATE;
  3. A certificate generated using the two above.
In my case, even though (as you may have noticed) I have a bind9 master that notifies two bind9 slaves, I configured a 5-minute (300 seconds) sleep time so that DNS propagation has completed before the challenge is checked.
When you (re)issue the certificate you should normally see the signer approved and the TXT record added, without the journal error this time.

xrv9k-full, qemu, AMD Ryzen

If, like me, you run EVE-NG (2.0.3) and lab Cisco XRv9k-Full images on a virtualized box with an AMD Ryzen processor, you have probably had trouble starting the image. After reading a lot of websites, the answer seems to be to change the QEMU command line.

My original command line was:

-enable-kvm -smbios type=1,manufacturer="cisco",product=\"Cisco IOS XRv 9000\",uuid=[...] -cpu host

I changed it to this (the quoting aside, the real change is the -cpu option: a generic qemu64 model with the SSSE3/SSE4.1/SSE4.2 flags instead of exposing the host CPU model):

-enable-kvm -smbios type=1,manufacturer="cisco",product="Cisco IOS XRv 9000",uuid=[...] -cpu qemu64,+ssse3,+sse4.1,+sse4.2

Bind9 as master DNS server, NSD as backup with TSIG.

It may look easy to you, but it was not for me at the beginning, even though I already run a bind9 master with bind9 slaves.

We begin with the TSIG key, on the master DNS server:

root@Sagitarius:~# tsig-keygen mykey > /etc/bind/keys/mykey.key
root@Sagitarius:~# cat /etc/bind/keys/mykey.key
key "mykey" {
        algorithm hmac-sha256;
        secret "+OyXk+FYgsnE6Lei59Qi2LPsctRHPaqcYRpftG4YXKk=";
};
root@Sagitarius:~# 

Now reference the key in named.conf.local. The key file holds the shared secret, so keep it readable only by root and the bind group (mode 640 or tighter); the secret shown above is an example and must not be reused.

root@Sagitarius:/etc/bind# cat named.conf.local 
[...]
//Specify the key to use and its algorithm
include "/etc/bind/keys/mykey.key";

//IP address of the secondary ("slave") server: messages sent to it (NOTIFY) are signed with this key
server 192.168.1.81
{
        keys { mykey; };
};
[...]
zone "my-blah-zone.fr" {
       type master;
       file "/etc/bind/my-blah-zone.fr.zone";
       allow-transfer { 192.168.1.81; key mykey; };
       notify yes;
};
[...]

One remark on the allow-transfer list: an address match list matches on the first element that fits, so '{ 192.168.1.81; key mykey; }' allows an unsigned transfer from 192.168.1.81 as well as a signed transfer from any address. If the point is to make TSIG mandatory, keep only 'key mykey;' in the list. Check the syntax with named-checkconf, then the last command:

root@Sagitarius:~# rndc reload
root@Sagitarius:~#

Good. Now let's see how it is configured on the NSD host.
It is really easy:

clucas@slave:/etc/nsd$ cat /etc/nsd/nsd.conf.d/secondaries/my-blah-zone.fr.conf 
key:
  name: "mykey"
  algorithm: hmac-sha256
  secret: "+OyXk+FYgsnE6Lei59Qi2LPsctRHPaqcYRpftG4YXKk="


zone:
        # this server is the secondary; the master is the address given below.
        name: my-blah-zone.fr
        allow-notify: 192.168.1.43 mykey
        request-xfr:  192.168.1.43 mykey

Now check the syntax, reload and verify:

nsd-checkconf /etc/nsd/nsd.conf
nsd-control reload
nsd-control status

It looks easy, but it took me a long time to see that all of the items below must be identical on both sides:

  • name of the key
  • algorithm
  • secret

Easy as hell !
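Added example, not part of the original post or of BIND/NSD: a script that reads the bind9 key file and the NSD key: block and reports which of the three fields (name, algorithm, secret) differs, since a mismatch only shows up as a refused NOTIFY or transfer. The two sample files embedded in it mirror the ones shown above with a dummy secret constructed for the example; the file names in the usage comment and the indented NSD layout it relies on are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post: check that the TSIG key
# defined on the bind9 master (tsig-keygen output) and the key: block on
# the NSD secondary agree on name, algorithm and secret. Pure text
# parsing, so it runs on either host once both files sit side by side.
# The sample secret below is a dummy value constructed for the example.
set -u

# bind9 key file -> "name algorithm secret" on one line.
bind_tsig_key() {
  awk '
    $1 == "key"       { k = $2; gsub(/["{;]/, "", k); name = k }
    $1 == "algorithm" { a = $2; gsub(/;/, "", a); alg = tolower(a) }
    $1 == "secret"    { s = $2; gsub(/[";]/, "", s); sec = s }
    END { if (name != "") print name, alg, sec }
  ' "$1"
}

# NSD config -> same triple from the last key: block. Assumes the usual
# layout where sub-options are indented and top-level blocks
# (zone:, server:, ...) start at column 0, which ends the key: block.
nsd_tsig_key() {
  awk '
    $1 == "key:"                { inkey = 1; next }
    /^[a-z]/                    { inkey = 0 }
    inkey && $1 == "name:"      { n = $2; gsub(/"/, "", n); name = n }
    inkey && $1 == "algorithm:" { alg = tolower($2) }
    inkey && $1 == "secret:"    { s = $2; gsub(/"/, "", s); sec = s }
    END { if (name != "") print name, alg, sec }
  ' "$1"
}

# Exit 0 when both sides agree; otherwise say which field differs
# (the secret itself is never printed) and exit 1.
tsig_keys_match() {
  local bind_file="$1" nsd_file="$2" b n bn ba bs rc
  b="$(bind_tsig_key "$bind_file")"
  n="$(nsd_tsig_key "$nsd_file")"
  # shellcheck disable=SC2086  # deliberate word splitting into 3 fields
  set -- $b
  [ "$#" -eq 3 ] || { echo "no complete key statement in $bind_file"; return 1; }
  bn=$1 ba=$2 bs=$3
  set -- $n
  [ "$#" -eq 3 ] || { echo "no complete key: block in $nsd_file"; return 1; }
  rc=0
  [ "$bn" = "$1" ] || { echo "key name differs: bind9=$bn nsd=$1"; rc=1; }
  [ "$ba" = "$2" ] || { echo "algorithm differs: bind9=$ba nsd=$2"; rc=1; }
  [ "$bs" = "$3" ] || { echo "secret differs"; rc=1; }
  [ "$rc" -eq 0 ] && echo "TSIG key \"$bn\" ($ba) is identical on both servers"
  return "$rc"
}

# Constructed samples mirroring the two files shown in the post.
sample_bind_key() {
  cat <<'EOF'
key "mykey" {
        algorithm hmac-sha256;
        secret "Y29uc3RydWN0ZWQtZXhhbXBsZS1zZWNyZXQ=";
};
EOF
}

sample_nsd_conf() {
  cat <<'EOF'
key:
  name: "mykey"
  algorithm: hmac-sha256
  secret: "Y29uc3RydWN0ZWQtZXhhbXBsZS1zZWNyZXQ="

zone:
        name: my-blah-zone.fr
        allow-notify: 192.168.1.43 mykey
        request-xfr:  192.168.1.43 mykey
EOF
}

# Same secondary, but with the algorithm mistyped on one side.
sample_nsd_conf_mismatch() {
  sample_nsd_conf | sed 's/hmac-sha256/hmac-sha512/'
}

# Usage on real hosts:
#   sh tsig_check.sh /etc/bind/keys/mykey.key /etc/nsd/nsd.conf.d/secondaries/my-blah-zone.fr.conf
if [ "$#" -ge 2 ]; then
  tsig_keys_match "$1" "$2"
fi
```

Both files contain the shared secret, so keep them root-owned and group-readable only by the daemon's group (bind, nsd). If you want the master to accept transfers only from 192.168.1.81 and only when signed, BIND needs the nested address-match form 'allow-transfer { !{ !192.168.1.81; any; }; key mykey; };' rather than the address and the key listed side by side, which accepts either.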

PS: All of this can be managed with Ansible, but that is another story.

Some bashblog tests.

For now I will not move away from this blog engine, but I tested bashblog because I was searching for a really old blog post of mine and it made me think of nanoblogger, which is no longer maintained. So, out of curiosity, I looked for whether this kind of project still exists. Bashblog is that kind of thing: only some bash and a quick result.

It is simple: just set the EDITOR variable and go:

clucas@eris:~/public_html/blog-test$ ./bb.sh list
1 Bashblog tests November 13, 2021
2 First post to test bashlog November 13, 2021
clucas@eris:~/public_html/blog-test$

To create a new blog post :

clucas@eris:~/public_html/blog-test$ ./bb.sh post

Really simple 🙂

You could check it here : http://eris.clucas.fr/~clucas/blog-test/

It reminds me of my original posts, when my blog entries were written in static HTML with only 'vi'. That was in 2005:

http://eris.clucas.fr/~clucas/blog_old/blog.html

FRR Routing v8.0 is out and happy to see SR

Hey,

For a (perhaps) future project I am reading various documentation around Bird, FRR Routing, ... and I am really happy to see the new 'pathd' daemon in FRR Routing v8.0, which implements SR (Segment Routing). It is really cool to see this.

There are other new features implemented in this release that are major, IMHO:

  • TI-LFA for OSPF and IS-IS (great for SR too);
  • VRF for OSPFv3;
  • full EVPN implementation.

It is really great work !!!

More information there : https://frrouting.org/release/8.0/

See you soon 🙂

NextCloud and Memcached-APCu

For those of you who updated your personal cloud to the latest stable Nextcloud because of the CVE advisory (https://www.cert.ssi.gouv.fr/avis/CERTFR-2021-AVI-543/), you may hit this error when running occ from the command line:

An unhandled exception has been thrown:
OC\HintException: [0]: Memcache \OC\Memcache\APCu not available for local cache (Is the matching PHP module installed and enabled?)

You can fix it by enabling APCu for the PHP CLI, which is off by default (replace 7.x with your PHP version):

echo 'apc.enable_cli=1' >> /etc/php/7.x/mods-available/apcu.ini

Have fun.

Alix.1C and its ugly VGA hack

For a good while I have been trying to find time to extend my home Wi-Fi a bit. The walls are a little too thick for a single access point to cover the whole house.
To fix that, and to have a machine reachable from my ordinary consumer ADSL line, I want to set up a Linux AP/box that I can reach from the public Internet.
This will be done with an ALIX.1C board (yes, 1C; the link opposite is for the 1D version) and an SR2 radio card.

For those banging their heads against why their favourite OS will not boot without a VGA cable and keyboard attached: the cause is the VGA port.
To make the machine boot properly, you have to short pin 6 to pin 12, like this:

Which gives a patch of this kind:

The magic tool: a paperclip.