Let's Encrypt on Ubuntu using Apache, Nginx, or Lighttpd Cheat Sheet

If you are using Let's Encrypt (www.letsencrypt.org) certificates on your Ubuntu servers, you may find the following notes useful if you work with Apache, Nginx, or Lighttpd.

Installing Let's Encrypt on Ubuntu 14.04 (or older)

Reference: https://www.vultr.com/docs/setup-lets-encrypt-with-apache-on-ubuntu-14-04

apt-get install git
git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
/opt/letsencrypt/letsencrypt-auto

The third line (letsencrypt-auto) bootstraps the client the first time it is run and installs any dependencies it needs, such as Python and its packages.

Ubuntu 16.04 install instructions

Reference: https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04

apt-get install letsencrypt

Note: The remaining portion of this document uses the /opt/letsencrypt/letsencrypt-auto and /opt/letsencrypt/certbot-auto command line tools as found when installing on Ubuntu 14.04 or older. If you are using Ubuntu 16.04 or newer, run the commands letsencrypt and certbot without the full path and without the -auto suffix.

Set up your server so you can create certificates without having to stop your web server

I will not explain aliases in detail, but essentially you need to create an alias URI for /.well-known/. It can be shared among all of your virtual hosts. The certbot webroot plugin writes a challenge file under .well-known/acme-challenge/ inside this folder, and the Let's Encrypt validation servers fetch that file over plain HTTP (port 80) to prove you control the host name, both when creating a new certificate and when renewing an existing one.

Create a working folder (the webroot) for Let's Encrypt:

mkdir -p /var/www/letsencrypt/.well-known/

Then set up your web server to serve this working folder at the /.well-known/ URI path.

Apache .well-known Example

Create a file called letsencrypt.conf with the following.

Alias "/.well-known/" "/var/www/letsencrypt/.well-known/"
<Directory "/var/www/letsencrypt/.well-known">
 AllowOverride None
 Options None
 Require all granted
</Directory>

On Ubuntu the conventional place for this file is /etc/apache2/conf-available/letsencrypt.conf, enabled with a2enconf letsencrypt, which creates the symbolic link in /etc/apache2/conf-enabled/ for you; then reload Apache. Placing the file directly in /etc/apache2/conf-enabled/letsencrypt.conf also works. Because this is a server-wide Alias rather than part of one VirtualHost, every virtual host shares it. If a VirtualHost redirects all HTTP traffic to HTTPS, exclude /.well-known/ from that redirect: the validation request arrives over HTTP, and on the very first issuance there is no certificate yet for the HTTPS side to answer with.

Do not forget, whenever making configuration changes to Apache, to run the following before reloading or restarting your web server.

apache2ctl configtest

Nginx .well-known Example

Create a file called letsencrypt.conf with the following.

location ~ ^/\.well-known/(.*)$ {
 alias /var/www/letsencrypt/.well-known/$1;
 # No need to log these requests
 access_log off;
 add_header "X-Zone" "letsencrypt";
}

Then include it inside the server { } block that listens on port 80 for each host, near the top before other location blocks:

 include /path/to/your/letsencrypt.conf;

The challenge request arrives over plain HTTP, so the include must be in the port 80 server block. If that block redirects everything to HTTPS with a server-level return 301, move the return into a location / { } block; a return at server level runs before any location is matched, so it would redirect the challenge request as well and the very first issuance (when there is no certificate yet) fails.

Do not forget, whenever making configuration changes to Nginx, to run the following before reloading or restarting your web server.

nginx -t

Lighttpd .well-known Example

Add the following to your lighttpd.conf file (mod_alias must be listed in server.modules). Note the += adds to an existing set of alias URLs; if you have no alias.url values yet, remove the + but keep the equals sign. See the Lighttpd mod_alias documentation for more on aliasing.

alias.url += ( "/.well-known/" => "/var/www/letsencrypt/.well-known/" )

Do not forget, whenever making configuration changes to Lighttpd, to run the following before restarting your web server.

lighttpd -t -f /etc/lighttpd/lighttpd.conf
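Whichever web server you use, it is worth confirming that the alias really serves files from the webroot over plain HTTP before asking for a certificate, because that is exactly what the Let's Encrypt validation servers will do and certbot's own error message when it fails is not very informative. The following script is an added example and not part of the original cheat sheet: it drops a probe file into the acme-challenge folder, fetches it through the web server and compares the two. The WEBROOT default, the use of curl and the probe file naming are assumptions of this example; FETCH can be overridden with any command that prints the body of a URL.

```shell
#!/bin/bash
# Added example (not from the original page): confirm that the web server
# serves files from the Let's Encrypt webroot at the /.well-known/ URI.
# Assumptions: the webroot from the cheat sheet; curl is installed; FETCH may
# be overridden with another command that prints the body of a URL.
set -u

WEBROOT="${WEBROOT:-/var/www/letsencrypt}"
CHALLENGE_DIR="$WEBROOT/.well-known/acme-challenge"

# Create a probe file with random, URL-safe content (the same shape as an
# ACME challenge token: 43 characters) in the given directory and print its name.
write_probe() {
    dir="$1"
    mkdir -p "$dir"
    name="probe-$(date +%s)-$$"
    head -c 32 /dev/urandom | base64 | tr '+/' '-_' | tr -d '=\n' > "$dir/$name"
    chmod 644 "$dir/$name"
    echo "$name"
}

# Fetch $1 and compare the body with the file at $2. Returns 0 on a match.
# A redirect to HTTPS, a 404 from a vhost without the alias, or a directory
# listing all show up here as a mismatch.
probe_matches() {
    fetched="$(${FETCH:-curl -fsS} "$1" 2>/dev/null)" || return 1
    expected="$(cat "$2")"
    [ -n "$fetched" ] && [ "$fetched" = "$expected" ]
}

# End-to-end check for one host name; always removes the probe afterwards.
check_webroot() {
    host="$1"
    name="$(write_probe "$CHALLENGE_DIR")"
    path="$CHALLENGE_DIR/$name"
    url="http://$host/.well-known/acme-challenge/$name"
    if probe_matches "$url" "$path"; then
        echo "OK: $url is served from $path"
        rc=0
    else
        echo "FAIL: $url did not return the contents of $path" >&2
        rc=1
    fi
    rm -f "$path"
    return $rc
}

# Usage: ./check-webroot.sh example.com www.example.com
# Exit status is non-zero if any host failed.
failed=0
for h in "$@"; do
    check_webroot "$h" || failed=1
done
[ "$failed" -eq 0 ]
```

Run it as root (it writes into the webroot) with every name you intend to put on the certificate; each name must pass before certbot has any chance of succeeding.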

Creating New Let's Encrypt SSL Certificates

You can now create Let's Encrypt certificates without your web server having to be shut down temporarily.

/opt/letsencrypt/letsencrypt-auto certonly --webroot -d example.com -d www.example.com --agree-tos -m you@example.com --text -w /var/www/letsencrypt/

Replace example.com and you@example.com with your host name and your email address. A certificate is only valid for the names listed in it: a certificate for example.com does not cover www.example.com, so pass both with separate -d options (each name must resolve to this server and be reachable over HTTP). The first -d name becomes the folder name under /etc/letsencrypt/live/.

Renew certs

/opt/letsencrypt/certbot-auto renew

certbot-auto renew reads the renewal config saved when each certificate was created (see /etc/letsencrypt/renewal/ below) and renews it the same way, so no extra parameters are necessary. Note that it only replaces the files: the web server keeps serving the old certificate from memory until it is reloaded. Newer certbot versions accept --post-hook "service nginx reload" (and --deploy-hook, which runs only when something was actually renewed) for this.

Reference: http://letsencrypt.readthedocs.io/en/latest/using.html#renewing-certificates

You can create a file in the /etc/cron.weekly/ folder to attempt renewal weekly. Even though it runs weekly, certbot is smart enough not to renew a certificate until there are 30 days or fewer remaining on its 90 day lifetime, which leaves about four weekly attempts before expiry in case one of them fails. Let's Encrypt itself recommends running the renew command daily or twice daily; the extra runs cost nothing because nothing is renewed early.

Example bash file /etc/cron.weekly/letsencrypt (make it executable with chmod +x; run-parts ignores file names containing a dot)

#!/bin/bash
/opt/letsencrypt/certbot-auto renew

Redirecting output with > /dev/null at the end of the command line stops cron from emailing you the routine "not yet due for renewal" output. Do not also discard stderr with 2>&1, or a failed renewal will go unnoticed until the certificate expires; certbot's --quiet (-q) option silences everything except errors for the same purpose.

Deleting SSL Certificates

When we no longer wish to maintain SSL for a host name, we need to delete the renewal config file.

rm /etc/letsencrypt/renewal/example.com.conf

This file records where the SSL cert files are located and the options used when the cert was first created; without it, certbot-auto renew simply skips the host.

This is not the same as revoking a certificate. It only stops the certificate from being renewed (roughly every 60 days, since each certificate lives 90 days); the issued certificate stays valid until it expires, and the files, private key included, stay on disk under /etc/letsencrypt/live/ and /etc/letsencrypt/archive/ until you remove them. Newer certbot versions have certbot delete --cert-name example.com, which removes the renewal config, live and archive files together.

SSL cert files are saved in the following path, in a folder for each host:

/etc/letsencrypt/live/

The specific files are located within the host name folder:

/etc/letsencrypt/live/example.com/

The pem files referenced by the web server configurations below:

cert = /etc/letsencrypt/live/example.com/cert.pem
privkey = /etc/letsencrypt/live/example.com/privkey.pem
chain = /etc/letsencrypt/live/example.com/chain.pem
fullchain = /etc/letsencrypt/live/example.com/fullchain.pem

These are symbolic links to the current versions in /etc/letsencrypt/archive/example.com/, which is why the web server configuration never needs to change after a renewal.

Note: "chain" exists mainly for Apache's SSLCertificateChainFile setting, which is obsolete as of 2.4.8. This is a good thing, as Nginx and Apache now use the same fullchain and privkey files. (Nginx still uses chain.pem as ssl_trusted_certificate if you turn on OCSP stapling.) Lighttpd is not as simple; see the note below.

Though all files are saved in the pem format, other systems and platforms use different file extensions rather than file names to identify the different files. Here is a quick cheat sheet in case you need to map previous files to the new files.

type (explanation) - letsencrypt - other examples
cert (the server certificate, which carries the public key) - cert.pem - example.com.crt, example.com.public.key
privkey (the private key; never share it) - privkey.pem - example.com.key, example.com.private.key
chain (the intermediate CA certificate(s) linking cert to a trusted root; not a key) - chain.pem - gd_bundle.crt, alphasslroot.crt, etc...
fullchain (concatenation of cert + chain) - fullchain.pem - fullchain.crt
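Because the four files look alike and the mapping above is easy to get backwards, it pays to check a live directory before pointing a web server at it. The following script is an added example, not part of the original page or of certbot: it verifies that privkey.pem belongs to cert.pem, that fullchain.pem is exactly cert.pem followed by chain.pem, that chain.pem links the certificate to a trusted root, and how close the certificate is to expiry. It assumes only the openssl command line tool; the function and file names are this example's own.

```shell
#!/bin/bash
# Added example (not from the original page): sanity checks on the files in a
# Let's Encrypt live directory before a web server is pointed at them. Catches
# the classic mistakes: key and certificate swapped, a truncated or hand-edited
# fullchain, a chain that does not lead to a trusted root, and a certificate
# about to expire. Assumes the openssl command line tool is installed.
set -u

# Does the private key belong to the certificate? Compares the public key
# extracted from each; works for RSA and ECDSA keys alike.
key_matches_cert() {   # $1 = privkey.pem  $2 = cert.pem
    key_pub="$(openssl pkey -in "$1" -pubout 2>/dev/null)" || return 1
    cert_pub="$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)" || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Is fullchain.pem exactly cert.pem followed by chain.pem?
fullchain_is_cert_plus_chain() {   # $1 = live directory
    [ "$(cat "$1/cert.pem" "$1/chain.pem")" = "$(cat "$1/fullchain.pem")" ]
}

# Does chain.pem (the intermediate) link cert.pem to a trusted root? By
# default the system trust store is used; pass a bundle as $2 to verify
# against a specific root instead (used by the self-signed test below).
chain_verifies_cert() {   # $1 = live directory  [$2 = trusted root bundle]
    if [ -n "${2:-}" ]; then
        openssl verify -CAfile "$2" -untrusted "$1/chain.pem" "$1/cert.pem" >/dev/null 2>&1
    else
        openssl verify -untrusted "$1/chain.pem" "$1/cert.pem" >/dev/null 2>&1
    fi
}

# True if the certificate expires within $2 days (certbot renews at 30).
cert_expires_within_days() {   # $1 = cert.pem  $2 = days
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Run every check for one host and report each failure on stderr.
check_live_dir() {   # $1 = host name (folder under /etc/letsencrypt/live)
    d="/etc/letsencrypt/live/$1"
    failed=0
    key_matches_cert "$d/privkey.pem" "$d/cert.pem" || { echo "$1: privkey.pem does not match cert.pem" >&2; failed=1; }
    fullchain_is_cert_plus_chain "$d"                || { echo "$1: fullchain.pem is not cert.pem + chain.pem" >&2; failed=1; }
    chain_verifies_cert "$d"                         || { echo "$1: cert.pem does not verify via chain.pem" >&2; failed=1; }
    cert_expires_within_days "$d/cert.pem" 30        && { echo "$1: cert.pem expires within 30 days" >&2; failed=1; }
    [ "$failed" -eq 0 ] && echo "$1: all checks passed"
    return $failed
}

# Usage: ./check-live.sh example.com
for h in "$@"; do
    check_live_dir "$h"
done
```

Run it after every issuance and again after a renewal; a "does not match" result means the configuration below would either refuse to start or, for Lighttpd's combined file, serve a key that does not belong to the certificate.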

Pem files and their use on Apache, Nginx, and Lighttpd

Apache 2.4.8 and newer

SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

Note that there is no SSLCertificateChainFile option; SSLCertificateFile now takes fullchain.pem, which combines cert.pem with chain.pem. Do not swap the two directives: SSLCertificateFile is the certificate and SSLCertificateKeyFile is the private key, and with them the other way round Apache refuses to start.

Apache 2.4.7 and older

SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem

Note that we are not using fullchain.pem; instead we point at cert.pem and chain.pem on two separate configuration lines.

Nginx

ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

Lighttpd

Lighttpd Note: The privkey and cert need to be combined into one file for Lighttpd. Because that file contains the private key, make it readable by root only.

cd /etc/letsencrypt/live/example.com/
cat privkey.pem cert.pem > ssl.pem
chmod 600 ssl.pem

Then link to the certificates in your lighttpd config settings (Lighttpd requires the quotes around string values).

ssl.pemfile = "/etc/letsencrypt/live/example.com/ssl.pem"
ssl.ca-file = "/etc/letsencrypt/live/example.com/chain.pem"

If you are automating Lighttpd renewals, you will need an extra step that concatenates privkey.pem with cert.pem again after every renewal, before restarting/reloading Lighttpd: the live/ symbolic links now point at the new files, but ssl.pem is a plain file you created and certbot does not update it.

While searching the Internet for examples of setting up Lighttpd, I found some showing ssl.ca-file pointing at fullchain.pem. Though this also works, it is not technically correct, as ssl.pem already houses cert.pem.
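The cron example in the renewal section runs certbot-auto renew but never reloads the web server, and the Lighttpd note above says the key and certificate have to be concatenated again after each renewal. The following wrapper is an added example, not part of the original page or of certbot, covering both: it snapshots the live certificates, runs the renewal, rebuilds ssl.pem only for hosts whose certificate actually changed (with mode 600, since it holds the private key) and reloads the installed web servers only in that case. Errors stay on stderr so cron still mails them. The Ubuntu service names, the LIVE_DIR and RENEW_CMD variables and the "run" argument are this example's own assumptions.

```shell
#!/bin/bash
# Added example (not from the original page): a renewal wrapper for cron that
# reloads the web server only when a certificate actually changed and rebuilds
# the combined key+cert file Lighttpd needs. Assumptions: Ubuntu service names
# (apache2, nginx, lighttpd); LIVE_DIR and RENEW_CMD may be overridden from
# the environment; the script acts only when called with the argument "run".
set -u

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"
RENEW_CMD="${RENEW_CMD:-/opt/letsencrypt/certbot-auto renew}"

# Print "<sha256>  <path>" for every fullchain.pem below $1 (the live dir).
# The live files are symlinks into archive/, so the hash changes on renewal.
snapshot_certs() {
    for f in "$1"/*/fullchain.pem; do
        [ -e "$f" ] && sha256sum "$f"
    done
    return 0
}

# Given two snapshots, print the live directory of every host whose
# fullchain.pem changed or appeared (hosts absent from "before" count too).
changed_hosts() {   # $1 = before  $2 = after
    printf '%s\n' "$2" | while read -r sum path; do
        [ -z "$path" ] && continue
        if ! printf '%s\n' "$1" | grep -qxF "$sum  $path"; then
            dirname "$path"
        fi
    done
}

# Lighttpd needs key + cert in one file. Build it under umask 077 and rename
# into place, so it is never world readable and never half written.
build_lighttpd_pem() {   # $1 = live directory of one host
    ( umask 077; cat "$1/privkey.pem" "$1/cert.pem" > "$1/ssl.pem.tmp" ) &&
        mv "$1/ssl.pem.tmp" "$1/ssl.pem"
}

# Reload every installed web server so it picks up the new files.
reload_web_servers() {
    for svc in apache2 nginx lighttpd; do
        command -v "$svc" >/dev/null 2>&1 && service "$svc" reload
    done
    return 0
}

renew_and_reload() {
    before="$(snapshot_certs "$LIVE_DIR")"
    $RENEW_CMD || { echo "certificate renewal failed" >&2; return 1; }
    after="$(snapshot_certs "$LIVE_DIR")"
    changed="$(changed_hosts "$before" "$after")"
    [ -z "$changed" ] && return 0          # nothing renewed, nothing to do
    if command -v lighttpd >/dev/null 2>&1; then
        printf '%s\n' "$changed" | while read -r dir; do
            build_lighttpd_pem "$dir"
        done
    fi
    reload_web_servers
}

# Usage from /etc/cron.weekly/letsencrypt:  /usr/local/sbin/letsencrypt-renew run
if [ "${1:-}" = "run" ]; then
    renew_and_reload
fi
```

Install it as /usr/local/sbin/letsencrypt-renew and have the cron file call it with the run argument. Set RENEW_CMD to include --quiet if you only want cron mail on errors; a failed renewal still returns non-zero and is reported.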
Please feel free to leave a comment if you find an error and/or have additional notes which may be helpful for others.

True meaning of meta robots content equals = noodp

I see a lot of misunderstandings of the “noodp” found in meta tags with name “robots”.

<meta name="robots" content="noodp" />

Not all content values for a meta robots HTML tag are bad. Most robots content values do not block search engines from indexing pages. The noodp is one of those examples.

The equivalent to the above meta tag would be…

<meta name="robots" content="index, follow, noodp"/>

It is implied that by not stating “noindex, nofollow” that the page in question is to be indexed and followed.

What does noodp mean in a robots meta tag?

You are telling search engines to NEVER use the description for your webpage from the Open Directory Project, www.dmoz.org.

When you do not have “noodp” set it is up to the search engine to decide to use your meta description, snippets from your page, or the description from the Open Directory Project.

If your webpage is not listed in the Open Directory Project, then this tag does not matter.

If your webpage is listed on the Open Directory Project, including this tag guarantees that search engines will not use the directory’s description over your meta description or content from your webpage.

More than likely the search engine will use your meta description or snippets from your page over the Open Directory Project’s description, but search engines have in the past, and more than likely will in the future, arbitrarily decided which description is better and used it.

By including the “noodp” value in your meta robots tag, you rule out the directory description entirely; the search engine will then use your meta description tag or content from within the page itself, though which of those two it picks is still up to the search engine.

More Details on noodp and the Open Directory Project

Please continue reading if the above triggered more questions.

What is the Open Directory Project

The Open Directory Project is a website that manages a directory of websites open to the public. Anyone can submit a website to the open directory and anyone can use the open directory, including individuals, businesses and search engines. Directory volunteers maintain the directory.

Why you may not want Open Directory Project website descriptions

You may not have written the description! It is possible that an editor wrote a description for your webpage, and that description may not be correct, flattering, or carry the message you are trying to convey for your webpage.

Who uses the Open Directory Project webpage descriptions?

Search engines like Google and Microsoft’s Bing can! If your page is in the Open Directory Project’s database, a search engine like Google may use the description from the directory rather than yours if it thinks it is a better description for the search at hand.

Don’t believe me? Take a look at the post Review your page titles and snippets from Google on the subject, they clearly state they can use the description from the Open Directory Project.

Why does Google use descriptions from the Open Directory Project?

The descriptions are written by a 3rd party to describe the page in question. This is useful for a search engine if it is looking to provide a description to the search user that is the most relevant.

I would personally call the Open Directory Project descriptions a good alternative to guessing a page description. Maybe the description is better than the one on your website, or at least the search algorithm thinks so. Whatever the reason, maybe it’s a good thing, but for those of us who spend a lot of time writing our descriptions, in general this is not desirable.

Is this a widespread problem?

Not really, for the most part it’s an exception. For a blogger, more than likely this may only be an issue once or twice for older blog posts that were submitted to the Open Directory Project over the years. Static pages and homepages however are more susceptible to being listed on the Open Directory Project, thus opening the possibility of these descriptions being used in search results rather than your descriptions.

Why don’t search engines always use my meta descriptions?

Good question, I do not have a good answer for that one. Moz.com has a good write up on why Google will not use meta descriptions as well as Yoast’s details on My meta descriptions aren’t showing up in the search result pages which may be helpful.

My theory, though, is that it comes down to what’s best for the search. If the search someone made is very specific, perhaps a snippet from the meat of my page is a better description than my page’s description. I will leave it up to Google to decide that.

Why do I always use noodp robots tag

Insurance! This eliminates the possibility of a description from the Open Directory Project being used as my description in search results. Referring to Google’s post linked above, this means that Google will now either use my meta description or create rich snippets based on markup in the page itself.

Podcast Movement 2016 – Hosting Session on Podcasting with WordPress and IAB Metrics Panel

I will be hosting a Question and Answer session at Podcast Movement 2016 on Podcasting with WordPress. If you are attending Podcast Movement this July and have questions about podcasting with WordPress, please come to the Solutions Stage room on Friday, July 10th, from 2:30-3:15pm.

I will be part of a panel discussion on IAB podcast metrics. I am a member of the IAB subcommittee tasked at defining technical guidelines for podcast measurement representing the Blubrry Podcast Community and parent company RawVoice. The panel discussion will take place on Friday, July 10th from 10:30-11:15am.

WordPress GlotPress translation management is confusing and unscalable

Plugins and themes have translators we trust 100%, we’ve forged relationships with these translators over the years. I’m now finding myself telling my friends and colleagues “I trust you, but for some reason WordPress doesn’t trust me with my plugin”. This all stems from the confusing process that is in place now which can be easily fixed giving the plugin and theme owner direct control of their translators.

UPDATE: After speaking with team members on slack about the process, I’ve now learned that the terms used for translation have changed. These new terms are used by the polyglots team but have not been updated on the documentation, hence the confusion. First some terms to clear up…

Translator Editors != Translators – The plan is to let anyone be translators, but only editors could moderate and approve translations.

Translators != Validators – Same as above, translators can make translation recommendations, only validators can also make translations and approve translations.

The latest process WordPress.org has in place to manage translations for themes and plugins is twofold. First there are “Translation Recommendations”, then there are “Translation Recommendations with Validations”.

Translation Recommendations

If a plugin or theme owner would like users to “recommend translations”, all the user has to do is create an account on wordpress.org. Anyone with an account on WordPress.org has permission to “recommend” translations for WordPress core, as well as any theme or plugin. I am sure this will not last long; once malicious users get their hands on this the WP.org team will be forced to change this policy. I like the spirit of this, but they do not make it clear in the documentation. The way it is written currently, the terms used, “translator” and “translator editor”, implied to me that once the user created an account they still had to be added as a “translator editor”, which is why they’ve changed the terms.

Translation Recommendations are placed in a queue to be confirmed or marked fuzzy by translation moderators (Translation Editors or Validators). Plugin and theme developers can request specific users to be validators for specific locales.

Translation Recommendations with Validations

If a theme or plugin owner wants specific users to “translate and validate” translations in particular locales, a request must be made in this comment thread (must include the word “request” in the tag field otherwise your requests go into a black hole) and request users to be “validators” for specific locales for your plugin/theme. Specifically you need to include the following in your posting:

Your @WP.org-user-name
locale code (en or en_US) – @WP.org-User-Name – slug name of your plugin

Currently, plugin/theme owners can only request validator users and must wait for the users to be approved. There is no simple add option like the one for adding committers to your project. It appears they are approving all requests, but the process is taking a very long time. As I understand it, they are not rejecting requests, so plugin and theme owners can rest assured they have control of their translations if they request it.

How Translation should be for themes and plugins

Plugin and theme owners should have control who can translate their plugin/theme, which languages can be translated, and be able to add remove translators. Plugin and theme owners should be able to add themselves as validators for any or all locales as well.

Plugin and theme owners should have the ability to decide if a translator has “full translation control” (translator and validator) or if their translations should be moderated by someone else (other validators). I like the idea of anyone making translation recommendations, but there should be a management screen with settings in a grid view where we as plugin/theme owners can decide if a locale can or cannot be translated, as well as enable/disable whether translation recommendations are accepted from anyone or only from specific users. A grid where the columns are “locale”, “enable/disable (enabled by default)”, “Allow anyone to recommend translations”, “recommend translators”, and “translation validators”. Each row would be a locale. The cells within “recommend translators” and “translation validators” would have a textbox with an add button to add users, as well as list the current users with a button to remove them.

These proposed options above would allow a theme or plugin owner to add someone as a translator exclusively, they will not have to be distracted by anyone on WordPress.org making recommendations. The plugin author can also decide if a particular locale should be available or not for their plugin. Defaults though should follow what WordPress.org has in place now which encourages anyone to contribute.

The idea that plugin and theme developers cannot control the process, and that translations happen without the involvement of the theme/plugin developer, in my mind violates the GPL and certainly creates issues for copyrights. Luckily, this is not the case. Currently the polyglots team is changing the “terms” used for translation management, which is where the confusion lies.

Why do Theme and Plugin Developers need to be moderators of their translations?

As creators of a product, albeit free and open source, there are situations where words or phrases cannot or should not be translated. For example, a website name (not the URL): the plugin author should be able to decide if it remains as-is in some languages but can be translated in others. Many of these terms are copyrighted, and in other cases they are technology terms that, if translated, may cause more confusion. It should be up to the plugin/theme owner to have the final say.

There is a way in the code to prevent parts of strings from being translated, but it does not control this down to specific locales.

Another problem comes with companies who have translators on staff and can do translations. Our company has to add our employees (which can change over time) to have access to translate. What was a simple “here’s the po file, go to work” operation has now turned into “I have to wait for WordPress.org to approve our employee fluent in French to be a validator for our plugin”.

Plugin and theme authors should be able to decide which languages are translated. Though I wouldn’t use such a feature, I could see a company like Facebook prevent translations for certain languages/locales until they have the language locale added to their service.

Current process does not scale

The current process at translate.wordpress.org is not going to scale to 40,000 plugins with 50+ possible translations each. I don’t care how many volunteers there may be helping with translations; adding a comment to a blog post is not going to work. We’ll see some plugins receive priority moderation (validating) over others, which will more than likely be influenced politically.

At some point a page for plugin owners will need to be created that lets them pick a locale, enter a wp.org user and click ‘Add’. The faster and smoother they can make this process, the less confusing it will be for all involved, and the faster new translators will start contributing.

I’ve already wasted a few weeks trying to figure out how the process works, which it appears is still being figured out; it also bothers me that these problems were not even discussed or thought about.

I want centralized translation to work

Do not read above and believe that I am anti WordPress or anti translation. I want this to work. To not trust the plugin / theme authors with the responsibility of controlling their translations is not only wrong, it poses the problems I describe above. This process needs to be fixed ASAP.

I would ask that you do not post comments here. Instead, I’ve opened a trac ticket requesting that this process be changed. Please comment there so WordPress translate team can read your concerns about how theme and plugin translations are currently managed. Update: My Trac ticket has been closed, feel free to comment below.

Where to find your user contributed images you’ve submitted to Amazon.com over the years

If you’re not aware, last summer (August 15th, I believe) Amazon.com removed the “User Contributed Images” feature. If you’re like me and uploaded additional product images and wanted to find them for reference, you’re going to be searching for a very long time.

To find your uploaded images, go to amazon.com, sign in, then navigate to your profile (or try this link: https://www.amazon.com/gp/pdp/profile/). Once you are viewing your profile, click the “images” tab just below the “Contributions” heading. When viewing with Google Chrome the larger size images do not load; Firefox seems not to have this issue.

What is available:

  • Tiny thumbnail image
  • Title / Caption
  • In-image notes

I think this is a real bummer as many of my product reviews reference the images. I’m now in the process of writing blog posts of these product reviews with the images.

Project Trans Am – Month 35, Interior Coming Together

I’ve moved the monthly updates on Project Trans Am to my Mods and Rods.tv blog and podcast.

My latest post covering everything I’ve done last August with photos is available here: http://www.modsandrods.tv/2013/04/04/project-trans-am-for-march-2013-insulation-completed-focusing-on-the-interior-and-wiring/

Outline of Accomplishments LAST MONTH

  • Insulation Completed
  • Carpet Installed
  • Kick Panels, 1/4 Panels and Sill Plates installed
  • Oil Pressure and Water Temperature Lines Installed
  • Added a 4 Blade Fuse Block in Glove Box
  • T-top Headliner Cut and Glued


Car is finally coming together! I should have the interior back together this April. If I can stay on schedule hopefully Fathers day weekend the Trans Am will be back on the road!

Fall 2012 Home Improvements

Somehow I’ve had some time to do some home improvements over the past couple of months, mostly the past few weeks.

Pressure Washed and Painted the Fence

With the neighbors help, I got the fence painted! Nothing special, we used the same Cabot Cedar stain as before. The first coat lasted 4 years, though it could have used a coat a year ago. Pressure washing showed a lot of black staining over the years, and I repaired one broken picket, otherwise the fence looked great.

Lamp Post Replaced with Solar LED Post Light

I’ve been thinking about repairing the leaning post and replacing the natural gas lamp light with a solar powered one. Last weekend the weather was finally warm enough for me to investigate. After digging around the post about 3-4″ deep, the post fell over. On quick examination I found the post completely rusted through. Fixing the lamp post turned into a lamp post replacement project. I proceeded to dig out the hole beyond the frost line, about 34 inches deep.

I thought I could find a simple replacement lamp post at Lowes/Home Depot, but guess again: they sell more complicated posts that are way overpriced. Since I don’t need a fancy post with an extra electrical socket built in, I found a simple and affordable post at Menards, though it required a trip across town. When I got back, I had just enough time to pick up 2 bags of concrete, mix, and then set the post before nightfall.

While I was disconnecting the gas line to the lamp post I went ahead and removed the line to the gas meter and capped it with a 1/4″ NPT cap.

The following Wednesday the solar powered lamp I ordered arrived. It only took 5 minutes to install. Compare that to the entire day it took to replace the post! We had to wait another day to see if it would charge and light up. Thursday night it came on when the sun fell. As expected, it put out a comparable amount of light to that of a gas lamp. Three hours later the battery died. Luckily you can add a 2nd battery pack to extend the battery life. I knew the light from an LED solar powered lamp would not be as bright as an electric light bulb, but it is as effective as the gas lamp it replaced. If it could just last a little longer into the night then we’ll be all set. Most important though, the yard looks good again!

Solar Powered LED Post Lamp

Front Door Sealed

In October I decided it was time to do something about the draft under the front door. I first replaced the bottom gasket with a one-size-fits-all 4 blade model from Home Depot. I quickly discovered the bottom seal of the door was not designed for the gasket I had purchased. After a few days of the family struggling to open/close the door, I decided to modify the gasket by removing the first 2 blades with a utility knife. It did the trick, but it also allowed a slight draft at the corners of the door. The draft was due to the door sill plate having a slight pitch running to the outside (rather than flat or to the inside). This pitch is also why the newer gasket made the door so hard to open/close.

This past weekend I decided to fix the entire problem by replacing the bottom sill plate. It was not as easy a task as I thought it would be, since the original door sill plate was attached to the door frame rather than to the bottom house framing. Once it was removed, it was just a slow process fitting the replacement sill plate in place. I put a small bead of silicone between the sill plate and the house framing to insulate between the two joints. I also had to add about 1/4″ of spacers to the assembly of the sill plate so the top of the sill was tight against a new 4 blade door gasket. It did the job: the door is now easy to open and close and it’s airtight!

Future Home Projects

There are a lot of things we’d like to do with the house, such as finish part of the basement, redo the master bathroom, upgrade the bathroom fixtures throughout the house, and install wood laminate flooring on the first floor. Perhaps in 2013 I’ll have something more exciting to blog about as far as home improvements are concerned.

Project Trans Am – Month 30, Focus on Interior

I’ve moved the monthly updates on Project Trans Am to my Mods and Rods.tv blog and podcast.

My latest post covering everything I’ve done last August with photos is available here: http://www.modsandrods.tv/2012/11/05/project-trans-am-month-30-interior-and-wiring/

Outline of Accomplishments

  • New Windshield Installed
  • Interior hard plastics and metal restored (except headliner, seats and carpet)
  • Carpet and headliner material ordered
  • Inner fenders painted
  • Wiring problems assessed and added 4 relays to power windows with my own changes

Window Interior

Plans for November

  • Remove rust from floors, paint, and seal seams
  • Install sound deadener and insulation in passenger compartment
  • Install carpet, dashboard steering column and center console
  • Slowly install remaining interior while working on the motor

Hopefully I can get the interior far enough along that all the necessary gauges and wiring are hooked up, so I can focus on finishing and installing the new motor.

Project Trans Am – Up to October 2012

My Trans Am resto-mod project is finally coming together!

October is ending up as the interior and wiring month for the project, something I’m more comfortable working on frankly. The interior parts have been refurbished with fresh coats of interior paint applied. The electrical wiring is being evaluated currently, the plan is to reuse the existing harnesses as much as possible and only repair as necessary. Check out some pics of the freshly restored interior.

Hopefully over the next 2 weekends I will have all the wiring fixed, dash installed and sound deadener/insulation with carpet installed, which will allow me to think about installing the engine this November!

Check out the work I did last month on the ModsAndRods.tv blog: http://www.modsandrods.tv/2012/10/02/project-trans-am-month-29-brakes-and-ac-delete