Category: SSL

  • Building the VMware Workstation Modules on Ubuntu 24.04 with Secure Boot Enabled

    Hello everyone! I hope you have all been well and staying safe. Today’s blog is one that I hope you find helpful.

So while I use KVM primarily for VMs on my laptop and even on my servers, I still use VMware Workstation on my laptop for quick testing. However, with the latest release (25H2 as of today), I was still running into issues where the vmmon and vmnet modules would build but would not load properly. After looking through my logs, I found that the reason they were not loading is that they were not signed. I use Secure Boot on my laptop, and because of that the kernel will not load unsigned modules into memory, since it cannot verify where they came from. However, I have found a way to install the modules and maintain the security of the system. This blog will detail how to create a key, enroll the key, and sign the kernel modules after they have been compiled so that they load properly.

I downloaded and installed VMware Workstation from Broadcom's support site; it is free now for personal use. Once downloaded, I had to change the permissions so that the bundle was executable, and then ran the installer from the terminal:

    chmod +x VMware-Workstation-Full-25H2-24995812.x86_64.bundle
    
    sudo ./VMware-Workstation-Full-25H2-24995812.x86_64.bundle

After the installation, the kernel modules will be built, but they will not load. When you try to run a VM, it will fail, saying it couldn't load the vmmon module. When I tried to load the modules from the CLI, I was presented with the following error:

    sudo modprobe vmmon
    
    modprobe: ERROR: could not insert 'vmmon': Key was rejected by service

After a little searching, I found this was because I am using Secure Boot and the kernel modules are not signed. So I had to do the following to sign the modules.

First, I had to create a private key and a certificate to sign the modules; together these are a Machine Owner Key (MOK). The certificate also has to be enrolled in the MOK database in Secure Boot so that the kernel trusts modules signed with it. I did the following to create the keys:

    openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=My Kernel Module Signing/"

Now I had two files in my home directory: MOK.priv, the private key, and MOK.der, the DER-formatted certificate.

I now had to use the mokutil command to enroll the certificate in the database:

    sudo mokutil --import MOK.der

I had to create a password to enroll the certificate. Remember this password, because when you reboot the machine it will ask for this password to enroll the certificate. Do that and then log back in to the machine.

    Once logged in, open a terminal and find the path for the modules:

    modinfo -n vmmon
    modinfo -n vmnet

They will be in the /lib/modules/$(uname -r)/misc directory; however, we will use the modinfo output as a variable in the next commands, which are what we use to sign the modules:

    sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 MOK.priv MOK.der $(modinfo -n vmmon)
    
    sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 MOK.priv MOK.der $(modinfo -n vmnet)

You can then use the modprobe command to load the modules, but I normally just reboot my laptop to have everything start correctly, and then I can open VMware Workstation normally.
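To make the signing step repeatable (for example after a kernel upgrade rebuilds vmmon and vmnet unsigned), here is an added script that is not from the original post: it checks each module for the kernel's appended-signature marker, runs the same sign-file invocation only when the module is unsigned, and warns if MOK.der does not appear to be enrolled. It assumes the key pair from the openssl step is in $MOK_DIR (default $HOME) and that sign-file exists in the running kernel's headers.

```shell
#!/bin/sh
# Added example (not from the original post): sign the VMware modules only when
# they are not already signed, then confirm the kernel's signature trailer is
# present. Assumes MOK.priv and MOK.der live in $MOK_DIR (default: $HOME).
set -eu

MOK_DIR="${MOK_DIR:-${HOME:-.}}"
SIGN_FILE="/usr/src/linux-headers-$(uname -r)/scripts/sign-file"

# sign-file appends this 27-character marker (plus a newline) after the
# PKCS#7 signature; the kernel looks for it when it verifies a module.
SIG_MAGIC='~Module signature appended~'

# Return 0 if the module file $1 already carries an appended signature.
module_is_signed() {
    [ "$(tail -c 28 "$1")" = "$SIG_MAGIC" ]
}

# Sign one module file in place (same sign-file call as in the post),
# skipping it when a signature is already present.
sign_module() {
    mod=$1
    if module_is_signed "$mod"; then
        echo "already signed: $mod"
        return 0
    fi
    [ -x "$SIGN_FILE" ] || { echo "sign-file not found at $SIGN_FILE" >&2; return 1; }
    "$SIGN_FILE" sha256 "$MOK_DIR/MOK.priv" "$MOK_DIR/MOK.der" "$mod"
    module_is_signed "$mod" || { echo "signing failed: $mod" >&2; return 1; }
    echo "signed: $mod"
}

# Sign vmmon and vmnet wherever modinfo says they were installed. A signature
# from a certificate that is not in the MOK database is still rejected by the
# kernel, so ask mokutil about the enrollment state first (warning only).
sign_vmware_modules() {
    if command -v mokutil >/dev/null; then
        mokutil --test-key "$MOK_DIR/MOK.der" || \
            echo "warning: MOK.der may not be enrolled; run 'mokutil --import MOK.der' and reboot" >&2
    fi
    for m in vmmon vmnet; do
        sign_module "$(modinfo -n "$m")"
    done
}

# Run as: sudo MOK_DIR=/path/to/keys sh sign-vmware.sh --run
if [ "${1:-}" = "--run" ]; then
    sign_vmware_modules
fi
```

After the next reboot, `modinfo -F signer vmmon` should print the CN from the certificate (My Kernel Module Signing), which confirms the kernel is seeing your signature rather than an unsigned build.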

    I hope this helps you, and this process can be used to sign any module that you may need to.

  • LetsEncrypt it!

Hello! Quite a quick turnaround for blog posts and me. This one is going to be helpful for those of us that use wildcard certificates in our environment and found out that our SSL provider changed their policies based on industry standards, but now their certificates cost 200x more than they used to, so we are moving to an open-source and free solution.

For those of you that don't know what the previous paragraph means, Google and other major web site providers mandated that all communications on the Internet be secured. To do this, we use SSL (Secure Sockets Layer) certificates. These certificates verify and validate that the site you are on is the real one, and that any information you provide on it will be encrypted and secure. SSL certificates do this encrypting and signing to make sure everything is good. In the past, we used to have to spend $100s, if not $1000s (like I did), to have this capability. LetsEncrypt came about to make this free and accessible to everyone. The downside is that the certificates are only valid for 90 days instead of a year, but you get what you pay for.

I am moving to this model because my SSL vendor, Digicert, changed their model and now I can't renew certificates without spending another $600 on top of the $5k I've already spent. So I am moving to LetsEncrypt.

LetsEncrypt is a free SSL certificate provider whose certificates are obtained with a software package called certbot, which can automatically create and install certificates that systems trust.

My DNS host provider, however, is not one of their partners. They do allow me to edit records on the fly, which is important, since that is how LetsEncrypt verifies that you own the domain; it won't generate a certificate if you don't. This means that I can't automate the deployment or the generation, and I have to run the following command to update my certificates every 90 days. Some of my systems, like the one that runs my web server, can be automated. However, I do have some systems, like my Virtual Center server or my email server, that use a wildcard or a single certificate to cover multiple servers. This blog will discuss how to do this, mainly so that in 90 days I can remember how to do it.

    So, on to how to do this.

First, install certbot on a machine. Since I'm a Linux person and I use Ubuntu, I installed this on my local machine:

    sudo apt update
    sudo apt install letsencrypt

This installs the base LetsEncrypt software with no plugins. Since my DNS provider does not have a plugin, I have to do the DNS validation manually.

I also had to add the wildcard, or "*", to my domain to prove I owned the domain, so I logged in to my DNS provider and created an "A" record with the *.lucaswilliams.net name that pointed to my web server. This will allow me to use this certificate on any of my servers inside my lucaswilliams.net domain. Very useful for the VMware virtual server, email, and other servers that need HTTPS and SSL certificates.

Once I created the wildcard domain entry in my DNS records, I went to the terminal on my Linux machine and typed the following:

    sudo certbot certonly --manual \
    --preferred-challenges=dns \
    --email user@domain.com \
    --server https://acme-v02.api.letsencrypt.org/directory \
    --agree-tos \
    -d *.domain.com

For the --server https://acme-v02.api.letsencrypt.org/directory line: you have to use this server to create the certificate, as this is the only endpoint that LetsEncrypt uses for this (wildcard) requirement.

After hitting Enter to start the process, I was presented with a prompt asking if I wanted to share my information and details about the certificate, to which I replied "N", but you can if you want.

    The next prompt is the important one. It looks like the following:

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Please deploy a DNS TXT record under the name:
    
    _acme-challenge.domain.com.
    
    with the following value:
    
    q12yr1dyFyrh143HHRTe42HH_hf#1d7&ewftgs8H
    
    Before continuing, verify the TXT record has been deployed. Depending on the DNS
    provider, this may take some time, from a few seconds to multiple minutes. You can
    check if it has finished deploying with aid of online tools, such as the Google
    Admin Toolbox: https://toolbox.googleapps.com/apps/dig/#TXT/_acme-challenge.domain.com.
    Look for one or more bolded line(s) below the line ';ANSWER'. It should show the
    value(s) you've just added.
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Press Enter to Continue

I then logged into my DNS provider, created this TXT record, and then hit Enter in the terminal to complete the key generation. LetsEncrypt verified the record and created my certificates in /etc/letsencrypt/live/domain.com. You will need root access for the live directory, so I ran sudo -i to change to the root user and access the certificates.

I then copied the privkey.pem and fullchain.pem files to my servers and renamed them to whatever each system expects for the private key file and the certificate file.
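An added helper, not from the original post, for two points in the procedure above: checking from the shell that the _acme-challenge TXT record is actually visible in public DNS before pressing Enter at certbot's prompt, and checking how close a 90-day certificate is to expiry so a renewal is not missed. It assumes dig (dnsutils) and openssl are installed; the resolver address 1.1.1.1 is an assumption and any public resolver will do.

```shell
#!/bin/sh
# Added example (not from the original post): confirm the ACME TXT record is
# live before telling certbot to continue, and report whether an issued
# certificate still has enough validity left.
set -eu

# Parse `dig +short TXT` output on stdin (one quoted string per line) and
# return 0 if any record equals the expected ACME token exactly.
txt_values_contain() {
    expected=$1
    # strip the surrounding quotes dig prints; -x requires a whole-line match
    sed 's/^"//; s/"$//' | grep -qxF -- "$expected"
}

# Poll a public resolver until the token appears (or give up after $3 tries,
# 15 seconds apart). Assumption: 1.1.1.1 is reachable from this machine.
wait_for_acme_txt() {
    name=$1; expected=$2; tries=${3:-20}
    i=0
    while [ "$i" -lt "$tries" ]; do
        if dig +short TXT "$name" @1.1.1.1 | txt_values_contain "$expected"; then
            echo "TXT record for $name is live"
            return 0
        fi
        i=$((i + 1)); sleep 15
    done
    echo "TXT record for $name not visible after $tries checks" >&2
    return 1
}

# Exit 0 if the certificate in $1 is still valid for at least $2 more days
# (default 30, a sensible renewal point for a 90-day LetsEncrypt cert).
cert_valid_for_days() {
    openssl x509 -noout -in "$1" -checkend $(( ${2:-30} * 86400 ))
}

# Usage (the token is the value certbot shows in its prompt; the one below is
# the constructed value from the prompt reproduced above):
#   wait_for_acme_txt _acme-challenge.domain.com 'q12yr1dyFyrh143HHRTe42HH_hf#1d7&ewftgs8H'
#   cert_valid_for_days /etc/letsencrypt/live/domain.com/fullchain.pem 30 || echo "renew now"
```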

The biggest takeaway from this is that LetsEncrypt will let us create certificates for our systems for free; however, they are only valid for 90 days, which means that we have to do this every 3 months. Some systems can be fully automated if their names don't change or the certificate is used only for validation and verification of the site and name, but for more complex certificates, like those used for email verification and signing, this is the way to go.

If any of you know of a better way of doing this, please let me know and I'll share it and give you credit for the improvement!
