We use cookies on this page to better serve you. You can find more information about cookies here.

Latest posts

Nginx Proxy Manager Setup
by

Nginx Proxy Manager (NPM) is an open-source Docker image that lets you run a reverse proxy and can even handle SSL certificates for you using Let’s Encrypt. It’s great when you can’t use a Cloudflare Tunnel or an Entra App Proxy. I’ve been using Nginx Proxy Manager for a while now, and it’s been perfect for what I need.

In this post, I will show you step-by-step how to setup Nginx Proxy Manager with Docker and configure a Proxy Host, Redirection Host, 404 Host, add a custom SSL certificate, and enable SSL.

Prerequisites

  • Access to the DNS for the domains you want to use.
  • Access to create port forwards for port 80 and 443.
  • Docker host.

Initial Setup

  • Make a folder to store your configurations for Nginx Proxy Manager.
  • Make a new docker-compose.yml file.

Your docker-compose.yml file should look something like this.

services:
  app:
    image: 'jc21/nginx-proxy-manager:latest'
    restart: unless-stopped
    ports:
      # These ports are in format <host-port>:<container-port>
      - '80:80' # Public HTTP Port
      - '443:443' # Public HTTPS Port
      - '81:81' # Admin Web Port
    volumes:
      - ./data:/data
      - ./letsencrypt:/etc/letsencryptCode language: YAML (yaml)

The docker compose file will create a folder named data in the location where the docker-compose.yml file is. The data folder holds the SQLite database for NPM, log files and other configuration files. A folder named letsencrypt will also be created, where your Let’s Encrypt data is stored.

  • Run the following command to start the Nginx Proxy Manager docker container docker compose up -d
  • Go to the address of your Docker host on port 81 to access the NPM admin interface.
  • Login with the default admin user.
Email: [email protected]
Password: changemeCode language: plaintext (plaintext)

You will be forced to change it on the first login.

  • Change the user details as needed.
  • Change the password.
Read more
IT
CertificatesDockerHow ToLet's Encryptopen-sourceProxySelf-hostedSSLWeb App

Install Debian 12 Bookworm
by

Debian is a solid Linux distribution I’ve been using for a while. It is my default Linux OS of choice. Many popular Linux distros are actually based on Debian, such as Ubuntu, Proxmox, Kali Linux, TrueNAS SCALE, SONiC, Raspberry Pi OS, SteamOS and many more.

In this post, I will show you step-by-step how to install Debian 12, aka Bookworm.

The Process

  • Download the Debian ISO from Debian.org (I tend to use the small installation image, aka netinst, as it has everything I need out of the box, and anything else I can download as needed)

When you boot up the Debian installation media, you are presented with the option of a graphical version of the installation or a text-only version. It doesn’t matter which option you select. The end result is the same.

  • Select if you want to use the graphical (aka GTK) or text-based install (aka newt).

I tend to use the text-based installation more as I can complete it slightly faster.

  • Select your language.

The language you select will be used for the installation process and will be the default language for the Debian install.

I will select English.

  • Select your location.

I will select Canada.

  • Select the keyboard layout you use.

I will select American English.

  • Enter the hostname for the Debian system.

I will use the hostnames DXT-DEB01 and DXT-DEB02

  • Enter the domain name if the Debian system is on a domain network. If not, just leave it blank.
Read more
IT
DebianHow ToInstallLinux

Palo Alto Certificate Chain Fix
by

An issue I’ve run into on Palo Alto Networks firewalls is that everything seems to work when importing a certificate (usually a PFX). Until you start using the certificate, then after a validation or a commit, there’s a warning that the certificate chain is not correctly formed.

Warning: certificate chain not correctly formed in certificate wild_thedxt_ca
(Module: device)

Certificate chain issues are commonly caused when the certificate chain is out of order. You can read more about certificate chains in my blog post, Certificate Chain. If you want to read more about what can cause broken certificate chains, my blog post, Broken Certificate Chain, goes into more detail.

An incorrect certificate chain can cause issues with a few items on a Palo Alto firewall. One of them can be GlobalProtect when the option FULLCHAINCERTVERIFY="yes" is used during the GlobalProtect install or when the registry value named full-chain-cert-verify is set to yes in the registry path HKLM:\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings

GlobalProtect malformed certificate error

In this post, I will show you step-by-step how to fix a certificate chain on a Palo Alto Networks firewall.

The Process

  • Click on the Device tab.
  • Click on Certificate Management > Certificates.
  • Select the certificate that is not correctly formed and click on Export Certificate.

In my example, the certificate named wild_thedxt_ca is the one I need to fix.

Read more
IT
CertificatesFirewallFixGlobalProtectHow ToNetworkingPalo Alto NetworksPAN-OSSSL

Convert PEM to PFX Certificate
by

Sometimes, you have a certificate in PEM format as a CRT file (also called a CER file) with a key file (also called a PEM file), and you need to combine and convert them into a PFX certificate.

In this post, I will show you step-by-step how to convert a PEM certificate into a PFX file.

Prerequisites

  • OpenSSL binary installed. You can find the OpenSSL binaries on the OpenSSL wiki.
  • Private key file
  • SSL Certificate

The Process

  • Place everything in a working directory.

I will be using C:\SSL as my working directory.

  • Open the command line. You can use Linux or Windows. The commands are all the same regardless of which OS you are using.

I will be using Microsoft Windows with Windows Terminal and PowerShell.

To convert the certificate using OpenSSL, we will need to use a few options to create our command.

  • The options we will use are
    • pkcs12 to tell OpenSSL that we will be working with a PKCS#12 file. PKCS#12 is another name for a PFX file.
    • inkey to tell OpenSSL which private key to use.
    • in to tell OpenSSL which certificate file to use.
    • export to tell OpenSSL we want to export a PKCS#12 file.
    • out to tell OpenSSL where to save the converted certificate.
Read more
IT
CertificatesConvertHow ToLinuxOpenSSLSSLWindows

Generate CSR with OpenSSL
by

There are many ways to generate a CSR (Certificate Signing Request). In this post, I will show you step-by-step how to generate a CSR using OpenSSL.

Prerequisites

  • OpenSSL binary installed. You can find the OpenSSL binaries on the OpenSSL wiki.

The Process

  • Create a working directory.

I will be using C:\SSL as my working directory.

  • Open command line. You can use Linux or Windows. The commands are all the same regardless of which OS you are using.

I will be using Microsoft Windows with Windows Terminal and PowerShell.

  • We will use the following options to create our OpenSSL command.
    • req to let OpenSSL know that we want to make a CSR.
    • newkey to tell Open SSL that we want a new private key.
    • rsa:2048 to tell Open SSL we want the private key encoded with RSA and 2048 bits.
    • keyout to tell OpenSSL where to save the private key.
    • out to tell OpenSSL where to save the CSR.
  • Using those options, we can create the OpenSSL command to generate a new private key and create the CSR. Replace PATH_TO_KEY and PATH_TO_CSR with the location where you want the private key and CSR saved. openssl req -newkey rsa:2048 -keyout PATH_TO_KEY -out PATH_TO_CSR

In my example, I will name my private key private.key, and my CSR will be named csr. The command for me will look like openssl req -newkey rsa:2048 -keyout private.key -out csr

Read more
IT
CertificatesHow ToLinuxOpenSSLSSLWindows

Entra Application Proxy
by

There are a few ways to grant external access to an internal application without doing any port forwarding. The way to do this in Microsoft’s world is through an Entra Application Proxy.

The name is a bit of a mess, as Microsoft renamed the Microsoft Entra application proxy program to Microsoft Entra private network connector. The Microsoft Entra private network connector is part of Microsoft Entra Private Access, which is part of Microsoft Global Secure Access.

Basically, Microsoft Entra Enterprise Applications can be configured with an Application Proxy, which will use the Microsoft Entra private network connector to proxy the connection.

In this post, I will show you step-by-step how to set up a Microsoft Entra private network connector, configure an internal web application to use an Entra Enterprise application proxy, and add authentication before access is granted to the web application.

Prerequisites

  • Microsoft Entra ID P1 or higher license.
  • External domain added to Microsoft 365.
  • Windows Server for the Private Network Connector.
  • Internal DNS name for the application.
  • Access to the external DNS records.
  • SSL certificate in PFX format with a password.

The Process

The process will be broken up into the following sections.

Private Network Connector

We need to set up the Entra private network connector as the Entra application proxy will proxy its connections via the private network connector.

  • Log in to the Microsoft Entra Admin Center
  • Click on Global Secure Access

If needed, click on Activate to Activate Global Secure Access for your tenant.

  • Under Global Secure Access, click on Connect > Connectors.
Read more
IT
CertificatesEntra IDEntra Private AccessGlobal Secure AccessHow ToIdPMicrosoftMicrosoft 365ProxySelf-hostedSSLSSOWeb App

Reset Windows Password
by

Certain situations can arise where you no longer know a Windows user account password and need to reset it or make a new one. Third-party tools can assist, but in my experience, many of them have been hit-and-miss.

In this post, I will show you step-by-step how to reset a Windows password using Windows install media with the help of Utilman and cmd. I will also show you a way to prevent this.

Utilman is the executable name for the Utility Manager in Windows. Utility Manager allows for easy access to accessibility features in Windows. You can call Utility Manager right from Windows by pressing the Windows key and the letter U simultaneously.

On the Windows login screen, you can invoke Utilman by clicking on the Ease of access or the Accessibility icon in the bottom right beside the network icon.

Utility Manager running on the Windows login screen.

If we make Utilman launch CMD instead, we can get a command prompt window running with system-level permissions.

Prerequisites

  • Physical access to the system.
  • Bootable Windows install media.

The Process

  • Boot off of the Windows install media.

It doesn’t matter if the Windows install media matches the target OS.

  • Click on Repair your computer.
  • Select Troubleshoot.
  • Select Command Prompt.
Read more
IT
BitLockercommandsHardeningHow TopasswordsWindowsWindows 10Windows 11Windows Server

Net User and Net Group
by

The net user and group commands are very powerful tools for managing local and domain users and groups.

In this post, I will show you how to use the net user command locally and on a domain to create a user account, reset a user account password, and view general info about a user account. I will also show you how to use the net group and net localgroup commands to manage local groups and domain groups, and how to view group members.

Net User

Create User Account

  • Open CMD as admin or as an account that can create a domain user account.

New Local User

  • Enter the following command to create a new local user account and replace USERNAME_HERE and PASSWORD_HERE with the username and password you would like to use net user USERNAME_HERE PASSWORD_HERE /add

For example, if I want to make a new local account named NewUser with a password of NewP@ssword1, the command will be net user NewUser NewP@ssword1 /add

New Domain User

  • Enter the following command to create a new domain user account and replace USERNAME_HERE and PASSWORD_HERE with the username and password you would like to use net user USERNAME_HERE PASSWORD_HERE /add /domain

For example, if I want to make a new domain user account named NewUser1 with a password of NewP@ssword1, the command will be net user NewUser1 NewP@ssword1 /add /domain

Change User Password

  • Open CMD as admin or as an account that can change a domain user password.

Change Local User Password

  • Enter the following command to change a local user account’s password and replace USERNAME_HERE and PASSWORD_HERE with the username and password you would like to use net user USERNAME_HERE PASSWORD_HERE

For example, if I want to change the password of the local account named NewUser to the password of NewP@ssword2, the command will be net user NewUser NewP@ssword2

Change Domain User Password

  • Enter the following command to change a domain user account’s password and replace USERNAME_HERE and PASSWORD_HERE with the username and password you would like to use net user USERNAME_HERE PASSWORD_HERE /domain

For example, if I want to change the password of a domain account named NewUser1 to the password of NewP@ssword2, the command will be net user NewUser1 NewP@ssword2 /domain

Read more
IT
Active DirectorycommandsHow ToWindows

Shlink with Docker and Cloudflare Tunnel
by

I write a lot of PowerShell scripts for application installations, and many download the install files from a URL. Because the URL is hardcoded in the scripts, if the URL changes, I need to update all the scripts. This exact issue happened to me a few years ago, and my solution at the time was to write a Python script to update the PowerShell scripts. You can read about that solution in my blog post, Script to make Scripts.

However, if my scripts had used a URL shortener instead, I could’ve edited the short URL to resolve the issue. The problem with most URL shorteners is that you can make short URLs all day long, but you can’t edit them, and if they let you edit them, it’s a paid feature, and they also start limiting how many hits your short URL can get. I am not a fan of any of that.

Fortunately, a URL shortener named Shlink exists. Shlink is a self-hosted open-source URL shortener. With Shlink, you can do whatever you want with your short URL, including editing them.

Once I got Shlink set up, I re-wrote my PowerShell scripts to use my Shlink short URLs. Now, if an install URL changes, I can edit the Shlink short URL, and I don’t need to update my PowerShell scripts.

In this post, I will show you step-by-step how to set up Shlink with Docker and Cloudflare Tunnels.

The Shlink setup will use a Cloudflare tunnel for external access and a MariaDB database for the Shlink database. I selected MariaDB as I am more familiar with it. However, Shlink does support other databases. We will also use the Shlink web client as a UI to easily manage the short links.

Prerequisites

  • Domain for the short links.
  • DNS for the domain hosted in Cloudflare.
  • Docker host.

The Process

  • Make a folder to store your docker configurations for Shlink.

I’ll call mine shlink.

.env Setup

  • Copy the sample.env file as a new .env file.
  • You will need to define the variables in the .env file.
  • The variables are:
    • CONTAINER_NAME is the name of your Shlink stack. There will be 4 containers spawned.
      • The one with _app appended to it is the Shlink application image that runs all of Shlink.
      • The one with _db appended to it is the MariaDB image for Shlink to store all the configurations.
      • The one with _web_client append to it is the Shlink web client image that gives you a nice UI to manage your short URLs.
      • The one with _cf appended to it is the Cloudflare tunnel image for the Shlink application.
    • DB_NAME is the name of the MariaDB database that Shlink will use.
    • DB_ROOT_PWD is the MariaDB root password.
    • DB_USER is the database user that Shlink will use.
    • DB_USER_PWD is the password for the database user that Shlink will use.
    • SHORT_DOMAIN is the domain you will be using for your short URLs. (only include the FQDN (Fully Qualified Domain Name))
    • REDIRECT_DOMAIN is where invalid short links, direct visits to the short domain, or 404 pages will be sent. (this needs to start with https://)
    • APP_PORT is the port that the Shlink application will run on and the port you will use with the Cloudflare tunnel.
    • ADMIN_API is the initial API key that will be used to configure your Shlink and will be preloaded to the Shlink Web Client.
    • WEB_CLIENT_PORT is the port the Shlink web client will use.
    • CF_TUNNEL is the Base64 of your Cloudflare tunnel for Shlink.

For example, I will use the domain dxt.zip as the primary domain for Shlink. I will be redirecting all non-short URL traffic to my blog, thedxt.ca. I will use port 8788 for the Shlink application and port 8787 for the Shlink web client to manage Shlink.

Read more
IT
CloudflareCloudflare TunnelDockerHome LabHow Toopen-sourcePowerShellSelf-hostedShlinkWeb App

Windows Server 2025 Changes
by

Microsoft Windows Server 2025 has just reached general availability. I decided to install it and see what’s changed compared to Windows Server 2022.

Right off the bat, the installer loading screen is slightly different.

Windows Server installer loading

With Windows Server 2025, there are two setups the new setup UI, which is the default, and the previous setup UI, which I will call the old setup UI, as it is very much like the Windows setup UI we are all used to.

In this post, I will compare the install screens from Windows Server 2022 with the Windows Server 2025 new setup UI and the Windows Server 2025 old setup UI to see what’s different, along with the initial changes I noticed once Windows Server 2025 was installed.

With the Windows Server 2022 setup UI, the first screen is the language, time format, and keyboard selection. In the Windows Server 2025 new setup UI, the whole screen has been redesigned, and the language selection is its own screen, followed by the keyboard settings. Using Windows Server 2025 with the old setup UI is essentially the same as the Windows Server 2022 setup UI.

Windows Server initial settings screen

The next screen is the install or repair screen. With the new setup UI on Windows Server 2025, the repair option is much more prominently featured, along with a new required option to select I agree everything will be deleted including files, apps, and settings. This screen also allows you to switch back to the old setup UI.

Windows Server install screen.
Read more
IT
MicrosoftWindowsWindows Server
theDXT on GitHub
theDXT on X (Twitter)
theDXT on YouTube