How to setup certificate renewal using FreeBSD, crontab, uacme and mini_httpd with Let’s Encrypt CA

If you are hosting your own services (like smtpd, httpd or any other) – there is a high chance you’ll need TLS certificate 🙂

If this post, we’ll setup very simple flow, to acquire and renew certificate for your server – using FreeBSD.

  1. I assume you have basic knowledge about FreeBSD and your domain has IN A record setup already 🙂
  2. Those commands needs to be run as root user 🙂
  3. Update packages – pkg update
  4. Install needed software – pkg install uacme mini_httpd
  5. Setup mini_httpd
    1. mkdir -p /usr/local/www/.well-known/acme-challenge – directory for our www root
    2. chown -R www:www /usr/local/www/ – make it owned by www user/group only
    3. sysrc mini_httpd_enable=”YES” – enable mini_httpd on system boot
    4. sysrc mini_httpd_flags=”-d /usr/local/www -u www -r” – serve files from our www root, chroot and run as www user
    5. service mini_httpd start – after this you should be able to access your machine using non-secure http://
  6. Now uacme:
    1. mkdir /usr/local/etc/uacme – here we will store our secrets
    2. uacme -v -c /usr/local/etc/uacme new – setup new account
    3. cp /usr/local/share/examples/uacme/uacme.sh /usr/local/etc/uacme/ – copy web challenge hook script that we will use
    4. edit this file and change one of the first lines to be like CHALLENGE_PATH=”/usr/local/www/.well-known/acme-challenge” – this need to match path from where mini_httpd is serving content
    5. crontab -e – lets add entry to crontab, that will issue/renew our certificate to keep it valid, change hour/minute to something else not to stress CA servers 🙂
    6. 3 42 * * * /usr/local/bin/uacme -c /usr/local/etc/uacme -h /usr/local/etc/uacme/uacme.sh issue your.domain
    7. save it and either wait one day or run the command directly (you can add -v to have more verbose output)
    8. your PEM file should be it /usr/local/etc/uacme/your.domain/cert.pem

More to read:

That’s it, now you can setup secure httpd/smtpd/other services that require valid TLS certificate.

Recover “lost” CRM encryption key

Have you ever had “Data encryption can’t be activated because the encryption key doesn’t match the source encryption key used to encrypt the data” error when trying to activate/change encryption key on organization that was imported or upgraded from previous CRM version?
If you’re on on-prem and you have MSCRM_CONFIG database of source organization, you can recover your key – that told if you don’t have backed it up 🙂

First, let’s retrieve it from database:

SELECT ColumnName, VarBinaryColumn FROM OrganizationProperties
WHERE Id IN (SELECT Id FROM Organization WHERE UniqueName = '<OrgUniqName>')
AND (ColumnName = 'SymmetricKeySource')

It will look like “0xABCDEF”, looks like hexstring, let’s decode:

var sb = new StringBuilder();
var str = "0x37323A303A3130313A303A3130383A303A3130383A303A3131313A303A33323A303A38343A303A3130343A303A3130353A303A3131353A303A33323A303A37333A303A3131353A303A33323A303A3131323A303A39373A303A3131353A303A3131353A303A36343A303A3131393A303A3131313A303A3131343A303A3130303A303A34393A303A33323A303A3130323A303A3131343A303A3131313A303A3130393A303A33323A303A36373A303A38323A303A37373A30";
for (int i = 2; i < str.Length; i += 2)
{
var b1 = byte.Parse(str.Substring(i, 2), NumberStyles.HexNumber);

var part = ASCIIEncoding.ASCII.GetString(new byte[] { b1 });

sb.Append(part);
}
Console.WriteLine(sb);

Now it should look like this:

72:0:101:0:108:0:108:0:111:0:32:0:84:0:104:0:105:0:115:0:32:0:73:0:115:0:32:0:112:0:97:0:115:0:115:0:64:0:119:0:111:0:114:0:100:0:49:0:32:0:102:0:114:0:111:0:109:0:32:0:67:0:82:0:77:0

As you know, password can be Unicode, so here we go again:

var parts = sb.ToString().Split(':');
sb.Clear();
for (int i = 0; i < parts.Length; i += 2)
{
var b1 = byte.Parse(parts[i]);
var b2 = byte.Parse(parts[i + 1]);
var part = UnicodeEncoding.Unicode.GetString(new byte[] { b1, b2 });
sb.Append(part);
}
Console.WriteLine(sb);

And we have our password: Hello This Is pass@word1 from CRM.

Compare this with CRM to be sure:
CRM Encryption Key

Hope this will help someone.

Installing Microsoft Dynamics CRM 2016 on Windows Server 2016

Running Out-of-the-box Windows 2016 Technical Preview 4, when trying to install Microsoft Dynamics 2016, I’ve run into this error (Action Microsoft.Crm.Setup.Common.InstallWindowsSearchAction failed):

CRM 2016 Installation Error

Checking for Windows Search Service, it looks like it’s installed:

Windows Search

Checking under “services.msc” – it was disabled. Simple changeing to “Manual”,  hitting “Retry” and installation continued without any further problems.