captn3m0

I own a Brother printer and was curious how the upload worked. Apparently, it is just screen-scraping the CSRF token[0] and submitting the cert upload form[1] in the printer's admin web interface. It needs the printer's admin credentials for the upload to work.

[0]: https://github.com/gregtwallace/brother-cert/blob/main/pkg/p...

[1]: https://github.com/gregtwallace/brother-cert/blob/main/pkg/p...
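
The scrape-then-submit flow described above, as an added example (not brother-cert's own code): pull the anti-CSRF token out of the upload form, then POST the certificate bundle as multipart/form-data with that token. The page path, the form field names (`CSRFToken`, `certfile`, `certpass`), the cookie-based session and the sample HTML are all assumptions constructed for illustration; a real printer's admin UI uses its own names. Only the parsing and encoding helpers run offline; `upload_cert` shows how they fit together on the wire.

```python
"""Scrape the CSRF token from a device's admin page, then POST the cert
upload form. Added example; paths, field names and SAMPLE_PAGE are assumed."""
import ssl
import urllib.request
from html.parser import HTMLParser

# Constructed stand-in for the admin page; not a capture from a real device.
SAMPLE_PAGE = """
<html><body>
<form action="/general/status.html"><input type="hidden" name="unrelated" value="1"></form>
<form method="post" action="/net/security/certificate/import.html" enctype="multipart/form-data">
  <input type="hidden" name="CSRFToken" value="abc123">
  <input type="file" name="certfile">
  <input type="password" name="certpass">
  <input type="submit" value="Submit">
</form>
</body></html>
"""


class FormFieldCollector(HTMLParser):
    """Collect named <input> fields of the first <form> whose action contains
    `action_hint`; the hidden inputs are where the anti-CSRF token lives."""

    def __init__(self, action_hint):
        super().__init__()
        self.action_hint = action_hint
        self.in_target = False
        self.done = False
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and not self.done:
            self.in_target = self.action_hint in (a.get("action") or "")
        elif tag == "input" and self.in_target and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "form" and self.in_target:
            self.in_target, self.done = False, True


def extract_form_fields(html, action_hint):
    p = FormFieldCollector(action_hint)
    p.feed(html)
    if not p.fields:
        # Typical causes: not logged in (redirected to the login page) or firmware
        # that moved the form. Fail loudly rather than POSTing without a token.
        raise ValueError("upload form not found: wrong page, or not logged in")
    return p.fields


def build_multipart(fields, file_field, filename, content, boundary="----acmeUploadBoundary"):
    """Encode text fields plus one binary file as multipart/form-data."""
    lines = []
    for name, value in fields.items():
        lines += [f"--{boundary}", f'Content-Disposition: form-data; name="{name}"', "", value]
    lines += [f"--{boundary}",
              f'Content-Disposition: form-data; name="{file_field}"; filename="{filename}"',
              "Content-Type: application/octet-stream", ""]
    body = "\r\n".join(lines).encode() + b"\r\n" + content + f"\r\n--{boundary}--\r\n".encode()
    return body, f"multipart/form-data; boundary={boundary}"


def upload_cert(base_url, session_cookie, bundle, bundle_password, cafile):
    """GET the page, scrape the token, POST the bundle with that token.
    `cafile` pins the printer's current (often self-signed) cert so the admin
    session cookie is not handed to whatever else answers on the LAN.
    The page path and field names are assumptions."""
    ctx = ssl.create_default_context(cafile=cafile)
    opener = urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))
    page_url = base_url + "/net/security/certificate/import.html"
    headers = {"Cookie": session_cookie}
    with opener.open(urllib.request.Request(page_url, headers=headers)) as resp:
        fields = extract_form_fields(resp.read().decode("utf-8", "replace"), "certificate/import")
    fields = {k: v for k, v in fields.items() if k != "certfile"}  # file goes in separately
    fields["certpass"] = bundle_password
    body, ctype = build_multipart(fields, "certfile", "cert.p12", bundle)
    headers["Content-Type"] = ctype
    req = urllib.request.Request(page_url, data=body, headers=headers, method="POST")
    with opener.open(req) as resp:
        return resp.status
```

The token is re-fetched on every run rather than cached, since these UIs usually rotate it per session; and the collector deliberately ignores forms whose action does not match, so a login page returned instead of the upload page is treated as a failure rather than scraped by accident.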

yegle

You should have used the `--deploy-hook` on certbot. I use this to copy the cert to a Synology NAS and trigger a reload of the cert on the NAS.

BTW: The easiest way to run certbot in a container is to mount a renew script (some shell script as simple as `certbot renew`) to /etc/periodic/daily/renew, then change the container's entrypoint to `crond -d6 -f`.
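
A deploy hook of the kind described above, as an added example (not yegle's script and not part of certbot): certbot really does export `RENEWED_LINEAGE` and `RENEWED_DOMAINS` to `--deploy-hook` programs, and the hook below uses them. The destination directory and the reload command are placeholders you would replace with whatever the NAS or printer needs; the copy is done atomically and the private key lands with mode 0600, so a crash or a concurrent reader never sees a half-written or world-readable key.

```python
#!/usr/bin/env python3
"""certbot --deploy-hook that copies a renewed lineage to a device-specific
directory and runs a reload command. Added example; the destination path
and reload command are placeholders."""
import os
import shutil
import subprocess
import sys
import tempfile

CERT_FILES = ("fullchain.pem", "privkey.pem")


def deploy(lineage_dir, dest_dir, reload_cmd=None):
    """Copy cert + key into dest_dir (temp file + rename), key mode 0600,
    then run reload_cmd. Returns the destination paths written.

    Raises before touching dest_dir if the lineage is incomplete or not PEM,
    so a broken renewal never clobbers a working deployment."""
    for name in CERT_FILES:
        src = os.path.join(lineage_dir, name)
        if not os.path.isfile(src):
            raise FileNotFoundError(f"lineage missing {src}")
        with open(src, "rb") as fh:
            if b"-----BEGIN" not in fh.read(64):
                raise ValueError(f"{src} does not look like PEM")

    os.makedirs(dest_dir, mode=0o700, exist_ok=True)
    written = []
    for name in CERT_FILES:
        src = os.path.join(lineage_dir, name)
        dst = os.path.join(dest_dir, name)
        # mkstemp creates the temp file 0600 in the same directory; os.replace
        # is then an atomic rename, so readers see the old file or the new one.
        fd, tmp = tempfile.mkstemp(dir=dest_dir, prefix=f".{name}.")
        with os.fdopen(fd, "wb") as out, open(src, "rb") as inp:
            shutil.copyfileobj(inp, out)
        os.chmod(tmp, 0o600 if name == "privkey.pem" else 0o644)
        os.replace(tmp, dst)
        written.append(dst)

    if reload_cmd:
        # Placeholder: whatever makes the device re-read its cert, e.g.
        # ["ssh", "nas", "sudo", "systemctl", "reload", "nginx"].
        subprocess.run(reload_cmd, check=True)
    return written


if __name__ == "__main__":
    lineage = os.environ.get("RENEWED_LINEAGE")
    if not lineage:
        sys.exit("RENEWED_LINEAGE not set: run this as a certbot --deploy-hook")
    print("renewed:", os.environ.get("RENEWED_DOMAINS", "?"))
    for path in deploy(lineage, "/etc/device-certs/nas", reload_cmd=None):  # placeholder dir
        print("wrote", path)
```

Because certbot only runs a deploy hook after a successful renewal, a failed ACME exchange leaves the previously deployed files untouched; the PEM sanity check guards the remaining case where the lineage directory exists but is not what you expect.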

sigio

This got me to finally put effort into upgrading the firmware on my Brother printer, which was still running stock firmware. There was only a password entry, and that didn't let me access anything. After running Brother's updater in a VM and sharing the USB device, I managed to upgrade the printer. However, still no login, and now I need to get it reconnected to my wifi, ugh.

Try entering a long wifi password via the 1-line LCD and 2 buttons on the printer, what a nightmare. (No way to configure via USB.) Oh well, I still have a couple of days before I need to print a bunch of documents, so there goes the weekend ;)

justin_oaks

I read a lot about people running things like Caddy, which will automatically retrieve Let's Encrypt certificates. And I think it makes sense for publicly accessible websites, since you can use an HTTP challenge with Let's Encrypt.

For internal-use certificates, you'll have to make use of a DNS challenge with Let's Encrypt. I've been hesitant to set that up because I'm concerned about the potential compromise of a token that has permissions to edit my DNS zone. I see that the author creates exactly that kind of token and has it permanently accessible to his script. For a home lab where he's the only person accessing his hardware, that's less of a concern. But what about at a company where multiple people may have access to a system?

Am I being too paranoid here? Or is there a better way to allow DNS challenges without a token that allows too much power in editing a DNS zone?

intsunny

Even before I clicked on the article, I had a strong feeling this person was using Cloudflare DNS and the related API. (They are.)

Given the immense popularity of Cloudflare DNS + API + ACME DNS-01 challenge, why are other DNS providers not stepping into this foray?

sgt

For some reason I read "Brothel Printer". Would have been funny.

yawniek

Did a similar thing for Reolink cameras and MikroTik devices. Since I run a small k8s cluster, I made it a k8s controller that picks up the certs. Works really nicely.

bob1029

ACME+LE is definitely the future.

I've built some custom AspNetCore middleware that completely owns the entire thing. I tried win-acme and other clients but they aren't in the same room of convenience. All I need to provide is the desired hostname to the middleware and ensure traffic destined for that FQDN winds up at the server. HTTP-01 is used to verify, so I don't have to screw with anything other than an A record. If the hostname is null, it issues an IP address certificate instead using Amazon's public IP lookup service to derive the appropriate SAN. Certs are automatically refreshed when they are within 48 hours of expiration, and the actual swap is an X509Certificate2 reference being updated. It's about as trivial as it gets.

None of the libraries/CLI tools I attempted support anything like this experience. This is what originally put me off the ecosystem and the idea of short lived certificates. The automation can't just be "sufficient". It needs to be "fucking incredible". $12.95/yr is not that expensive to me if the alternative is getting sucked into hours and hours of someone else's idea of a good time.
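
The two validation methods this thread keeps returning to, DNS-01 in the token-scope question from justin_oaks and intsunny's Cloudflare remark, and HTTP-01 in the middleware described just above, both derive their answer from the same value: the ACME account key's JWK thumbprint (RFC 7638) joined to the CA-issued challenge token (RFC 8555). The block below is an added example, not code from the post, certbot, Caddy or bob1029's middleware, and `SAMPLE_JWK` is a constructed placeholder rather than a real key. It shows what gets served at `/.well-known/acme-challenge/<token>` for HTTP-01 and what goes into the `_acme-challenge` TXT record for DNS-01, which is exactly the write the DNS API token has to be allowed to make.

```python
"""ACME challenge responses (RFC 8555) for HTTP-01 and DNS-01, both built on
the account key's JWK thumbprint (RFC 7638). Added example; SAMPLE_JWK is a
constructed placeholder, not a real key."""
import base64
import hashlib
import json

SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-not-a-real-modulus",
              "alg": "RS256", "kid": "acct-1"}   # alg/kid must be ignored below


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE/ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def canonical_jwk(jwk: dict) -> str:
    """RFC 7638 thumbprint input: only the required members of the key type,
    lexicographically ordered, no whitespace. Optional members (alg, kid, use)
    are excluded, so the same key always yields the same thumbprint."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode()).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """token '.' thumbprint. The token is not a secret (the CA issued it over
    the ACME channel); control is proven by *where* this string shows up."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_path(token: str) -> str:
    """HTTP-01: the CA fetches this path over plain HTTP on port 80 of the
    name under validation and expects the key authorization as the body."""
    return f"/.well-known/acme-challenge/{token}"


def dns01_name(domain: str) -> str:
    return f"_acme-challenge.{domain}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """DNS-01: TXT record at _acme-challenge.<domain> holding
    base64url(SHA-256(key authorization)). Publishing it is the one zone
    write a DNS-01 client needs; nothing else in the zone has to be touched."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode()).digest()
    return b64url(digest)


if __name__ == "__main__":
    token = "constructed-challenge-token"   # constructed, not from a real order
    print("HTTP-01:", http01_path(token), "->", key_authorization(token, SAMPLE_JWK))
    print("DNS-01: ", dns01_name("printer.example.com"), "TXT", dns01_txt_value(token, SAMPLE_JWK))
```

Note that the thumbprint depends only on the public half of the account key, and the challenge token is handed out by the CA, so neither the HTTP body nor the TXT value leaks anything sensitive; the sensitive credential in a DNS-01 setup is solely the API token used to publish the record.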

lousken

Why bother with TLS? Stick it on a separate VLAN and lock down all the traffic.

jijji

You could probably get away with just running nginx with certbot on the front end of that domain name and then have it proxy back to a script that talks to the Brother printer on the back end to do printing, although I'm not sure why you'd want to print via the public internet.