blip zip blog

so I stand a chance of remembering things

  • Porkbun have an archived [GitHub repo](https://github.com/porkbundomains/certbun) with a few examples. I've forked it and I'll look around.
  • I've downloaded the cert/key, and pfsense is now using it. I've got static DNS entries for now.
  • First few attempts were rejected – pfsense has a detection for DNS rebinding attacks. I hadn't configured pfsense's hostname (forgot exactly where it's done) to be pfsense.blip.zip. I'm guessing that the Host header in the request was checked, didn't match, and it spat out the DNS rebinding warning.
  • TODO – Go and read up on DNS rebinding. Not an attack vector I know much about.
  • Took the cert/key, stored it on the Raspberry Pi that's my monitoring server, and configured Prometheus to use it. It's now alive and listening on the WireGuard WG110 network.
  • Others to do: deluge/nginx, alertmanager, the blog this eventually ends up using.
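An added illustration of the kind of Host header check that stops DNS rebinding (example code, not pfSense's implementation and not from this post). A rebinding attack has the victim's browser resolve an attacker-controlled name to the device's private IP, so the request reaches the web UI with the attacker's name in the Host header; accepting only the configured hostname shuts that down. Treating bare IP literals as allowed, and the sample request records, are this example's own choices.

```python
"""Host header check of the sort a LAN web UI uses to block DNS rebinding.

Added example, not pfSense's code. The configured hostname used below,
pfsense.blip.zip, is the one from the post; everything else is constructed.
"""
import ipaddress
from urllib.parse import urlsplit


def host_header_matches(host_header, configured_hostname, extra_allowed=()):
    """True if Host names this device, after stripping a port and IPv6 brackets."""
    if not host_header:
        return False
    # A Host header never legitimately carries userinfo or a path; reject early
    # so urlsplit cannot be steered by "evil@good" or "evil/good" tricks.
    if any(c in host_header for c in "@/?#\\"):
        return False
    try:
        # Parsing as a URL authority handles "name:8443" and "[fd00::1]:443".
        host = urlsplit("//" + host_header.strip()).hostname
    except ValueError:
        return False
    if not host:
        return False
    host = host.rstrip(".")  # urlsplit already lower-cases the hostname
    allowed = {configured_hostname.lower().rstrip(".")}
    allowed.update(a.lower().rstrip(".") for a in extra_allowed)
    if host in allowed:
        return True
    try:
        # This example permits direct-by-IP access: rebinding needs a hostname.
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


# Constructed request records (client IP, Host header); not real log lines.
SAMPLE_REQUESTS = [
    ("192.168.1.50", "pfsense.blip.zip"),
    ("192.168.1.50", "PFSENSE.BLIP.ZIP:443"),
    ("192.168.1.50", "192.168.1.1"),
    ("192.168.1.51", "[fd00::1]:443"),
    ("192.168.1.52", "rebind.attacker.example"),
    ("192.168.1.52", "pfsense.blip.zip.attacker.example"),
]


def rejected_hosts(requests, configured_hostname):
    """Return the Host values that would trip the rebinding warning."""
    return [h for _, h in requests if not host_header_matches(h, configured_hostname)]


if __name__ == "__main__":
    for h in rejected_hosts(SAMPLE_REQUESTS, "pfsense.blip.zip"):
        print("rejected Host:", h)
```

Until the device knows its own hostname, every request that arrives by name fails this comparison, which is consistent with the rejections described above: the fix is to configure the hostname, not to disable the check.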

  • It turns out that Porkbun have an API that can be used to issue a wildcard cert from Let's Encrypt for root domains that are registered with them.
  • The API is really straightforward. Key and secret for auth, and a single endpoint that returns the cert chain and key.
  • I'll script something to run monthly to pull a new cert and deploy it where it's needed. Not sure how that'll work in reality; even if I can dump the files into the right directories, there will probably be some services that need restarting. That'll need root access, so might need to be root/docker/some other privileged user.
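An added example of the monthly pull-and-stage script described above (not the post's own script, and not code from the certbun repo). The endpoint path, the JSON auth field names and the response keys (`certificatechain`, `privatekey`) are taken from the public Porkbun API v3 documentation rather than from the post, so treat them as assumptions to check; the sample response is constructed. It writes the key with mode 0600 and reports whether anything changed, so the privileged restart step only has to run on a real renewal.

```python
"""Monthly cert pull from the Porkbun SSL bundle API, staged onto disk.

Added example, not code from the post or from the certbun repo. Endpoint,
auth body and response field names are assumptions from Porkbun's public
API v3 docs; the SAMPLE_RESPONSE below is constructed for the offline dry run.
"""
import json
import os
import tempfile
import urllib.request

# Assumed v3 endpoint: POST with {"apikey", "secretapikey"} as the JSON body.
API_URL = "https://api.porkbun.com/api/json/v3/ssl/retrieve/{domain}"

# Constructed stand-in for an API response (not real certificate material).
SAMPLE_RESPONSE = {
    "status": "SUCCESS",
    "certificatechain": "-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----\n",
    "privatekey": "-----BEGIN PRIVATE KEY-----\nMIIE...constructed...\n-----END PRIVATE KEY-----\n",
}


def fetch_bundle(domain, apikey, secretapikey, url_template=API_URL):
    """POST the credentials and return the decoded JSON response (network call)."""
    body = json.dumps({"apikey": apikey, "secretapikey": secretapikey}).encode()
    req = urllib.request.Request(
        url_template.format(domain=domain),
        data=body,
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())


def extract_pem(bundle):
    """Check the response shape and return (chain_pem, key_pem); raise otherwise."""
    if bundle.get("status") != "SUCCESS":
        raise RuntimeError("API returned %r" % bundle.get("message", bundle.get("status")))
    chain = bundle.get("certificatechain", "")
    key = bundle.get("privatekey", "")
    if "BEGIN CERTIFICATE" not in chain or "PRIVATE KEY" not in key:
        raise ValueError("response is missing PEM material")
    return chain, key


def write_private(path, data):
    """Create with mode 0600 and rename into place, so the key is never world-readable."""
    tmp = path + ".tmp"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    os.replace(tmp, path)


def deploy(bundle, out_dir):
    """Write fullchain.pem and privkey.pem into out_dir.

    Returns True only when a file actually changed, so the caller can restart
    services on real renewals instead of on every monthly run.
    """
    chain, key = extract_pem(bundle)
    os.makedirs(out_dir, mode=0o700, exist_ok=True)
    changed = False
    for name, data in (("fullchain.pem", chain), ("privkey.pem", key)):
        path = os.path.join(out_dir, name)
        if os.path.isfile(path):
            with open(path) as fh:
                if fh.read() == data:
                    continue
        write_private(path, data)
        changed = True
    return changed


if __name__ == "__main__":
    domain = os.environ.get("PORKBUN_DOMAIN")
    apikey = os.environ.get("PORKBUN_API_KEY")
    secret = os.environ.get("PORKBUN_SECRET_KEY")
    if domain and apikey and secret:
        bundle = fetch_bundle(domain, apikey, secret)
        out = os.environ.get("CERT_DIR", os.path.join("/etc/ssl", domain))
    else:
        bundle = SAMPLE_RESPONSE  # offline dry run with the constructed response
        out = tempfile.mkdtemp()
    print("changed" if deploy(bundle, out) else "unchanged", out)
```

The environment variable names and the default output directory are this example's own. Splitting the work this way keeps the API credentials in an unprivileged fetch step; the restart step, which does need root (or whichever user owns the service), can be a separate hook that only fires when the script reports "changed".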

I've found that I've forgotten loads of the learning that I've done over the past x months, so I've decided to keep this as a journal/microblog.

As much as anything, being able to keep track of progress feels like a good move.