Let's Encrypt on Ubuntu using Apache, Nginx, or Lighttpd Cheat Sheet

If you are using Let's Encrypt (www.letsencrypt.org) certificates on your Ubuntu servers, you may find the following notes useful if you work with Apache, Nginx, or Lighttpd.

Installing Let's Encrypt on Ubuntu 14.04 (or older)

Reference: https://www.vultr.com/docs/setup-lets-encrypt-with-apache-on-ubuntu-14-04

apt-get install git
git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
/opt/letsencrypt/letsencrypt-auto

The third command (letsencrypt-auto) bootstraps the Let's Encrypt client and installs any dependencies it needs, such as Python packages.

Ubuntu 16.04 install instructions

Reference: https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04

apt-get install letsencrypt

Note: The remaining portion of this document uses the /opt/letsencrypt/letsencrypt-auto and /opt/letsencrypt/certbot-auto command line tools as found when installing on Ubuntu 14.04 or older. If you are using Ubuntu 16.04 or newer, simply run the commands letsencrypt and certbot without the full path and without the -auto suffix.

Set up your server so you can create certificates without having to stop your web server

I will not explain aliases in detail, but essentially you need to create an alias URI for /.well-known/. It can be shared among all of your virtual hosts. The Let's Encrypt client writes the files used to validate the HTTP-01 challenge into /.well-known/acme-challenge/ under this folder, both when creating new certificates and when renewing existing ones. The validation request arrives over plain HTTP on port 80, so this path must be reachable from the Internet without authentication; if you redirect all HTTP traffic to HTTPS, exempt this path, because a brand-new host has no working certificate yet.

Create a working folder for Lets Encrypt:

mkdir -p /var/www/letsencrypt/.well-known/

Then set up your web server to serve this working folder at the /.well-known/ URI path.

Apache .well-known Example

Create a file called letsencrypt.conf with the following.

# Serve ACME challenge files for every virtual host from the shared webroot.
Alias "/.well-known/" "/var/www/letsencrypt/.well-known/"
<Directory "/var/www/letsencrypt/.well-known">
 AllowOverride None
 Options None
 Require all granted
</Directory>

On Ubuntu, save it as /etc/apache2/conf-available/letsencrypt.conf, enable it with a2enconf letsencrypt (which creates the symbolic link in conf-enabled for you) and reload Apache. If you save it elsewhere, you will need to create that symbolic link in /etc/apache2/conf-enabled/ yourself. An Alias in the main server configuration is inherited by every virtual host, including the plain-HTTP ones on port 80 that the validation requests arrive on.

Do not forget, whenever you make configuration changes to Apache, to run the following before restarting your web server.

apache2ctl configtest

Nginx .well-known Example

Create a file called letsencrypt.conf with the following.

# Serve ACME challenge files for every virtual host from the shared webroot.
# Include this in the server { } block that listens on port 80.
location ~ ^/\.well-known/(.*)$ {
 alias /var/www/letsencrypt/.well-known/$1;
 # No need to log these requests
 access_log off;
 add_header "X-Zone" "letsencrypt";
}

Then in your nginx.conf file, near the top of the server { } block that listens on port 80 (and before any catch-all redirect to HTTPS, so the challenge path is not redirected away), add the following line:

 include /path/to/your/letsencrypt.conf;

Do not forget, whenever you make configuration changes to Nginx, to run the following before restarting your web server.

nginx -t

Lighttpd .well-known Example

Add the following to your lighttpd.conf file. alias.url is provided by mod_alias, so make sure "mod_alias" is listed in server.modules (add it if it is not). Note the += is for adding to an existing set of alias URLs; if you have no alias.url values yet, simply remove the + but leave the equal sign. See the Lighttpd mod_alias documentation for details.

alias.url += ( "/.well-known/" => "/var/www/letsencrypt/.well-known/" )

Do not forget, whenever you make configuration changes to Lighttpd, to run the following before restarting your web server.

lighttpd -t -f /etc/lighttpd/lighttpd.conf
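Before requesting a certificate it is worth proving that the alias works, because a 404 (or a redirect page) on the challenge path is the most common reason an issuance fails. The following script is an added example, not part of the original cheat sheet: it drops a random token into the acme-challenge folder, fetches it over plain HTTP the same way the Let's Encrypt validation server would, and compares the two. It assumes the /var/www/letsencrypt webroot used above and that curl is installed; the host name is a parameter.

```shell
#!/bin/bash
# Added example (not part of the original cheat sheet): prove that
# http://HOST/.well-known/acme-challenge/ really serves files from the
# Let's Encrypt webroot before asking for a certificate.
# Assumes the layout used on this page (webroot /var/www/letsencrypt,
# aliased at /.well-known/ on every virtual host) and that curl is installed.

# fetch_url URL -> prints the response body; non-zero exit on HTTP errors.
# Kept as its own function so it can be swapped for something else in tests.
fetch_url() {
    curl -fsS --max-time 10 "$1"
}

# make_token -> 32 random hex characters, in the style of ACME challenge tokens.
make_token() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# wellknown_check HOST WEBROOT
# Writes a throwaway token file under WEBROOT/.well-known/acme-challenge/,
# fetches it over plain HTTP (port 80, exactly as the validation server does),
# removes it again and returns 0 only if the body matched byte for byte.
# A redirect page, a 404 or an index page all count as failure.
wellknown_check() {
    local host="$1" webroot="$2"
    local dir="$webroot/.well-known/acme-challenge"
    local token expected body
    token=$(make_token)
    expected="probe-$token"
    mkdir -p "$dir" || return 1
    printf '%s' "$expected" > "$dir/$token" || return 1
    body=$(fetch_url "http://$host/.well-known/acme-challenge/$token" 2>/dev/null) || body=""
    rm -f "$dir/$token"
    if [ "$body" = "$expected" ]; then
        echo "OK: $host serves /.well-known/acme-challenge/ from $webroot"
        return 0
    fi
    echo "FAIL: $host did not return the token (got: '${body:-<nothing>}')" >&2
    return 1
}

# Run directly as: ./wellknown_check.sh example.com [/var/www/letsencrypt]
if [ $# -ge 1 ]; then
    wellknown_check "$1" "${2:-/var/www/letsencrypt}"
fi
```

Run it as root on the web server so it can write into the webroot, once per host name you intend to put on the certificate (www.example.com included). A FAIL whose body is an HTML page usually means a catch-all redirect to HTTPS or a virtual host that does not pick up the alias; a FAIL with nothing at all means the port-80 server block is not answering for that name.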

Creating New Let's Encrypt SSL Certificates

You can now create Let's Encrypt certificates without your web server having to be shut down temporarily.

/opt/letsencrypt/letsencrypt-auto certonly --webroot -w /var/www/letsencrypt/ -d example.com -d www.example.com --agree-tos -m you@example.com --text

Replace example.com and you@example.com with your host name and your email address. A certificate is only valid for the names it lists: a certificate for example.com does not cover www.example.com, so pass every name the server answers to with its own -d (the command above requests both; the first name becomes the certificate's common name and all of them are included as subject alternative names). The -w path is the folder that contains .well-known/, not the .well-known/ folder itself.

Renew certs

/opt/letsencrypt/certbot-auto renew

certbot-auto reads the settings saved in /etc/letsencrypt/renewal/ and renews each certificate the same way it was created, so no extra parameters are necessary.

Reference: http://letsencrypt.readthedocs.io/en/latest/using.html#renewing-certificates

You can create a file in the /etc/cron.weekly/ folder to renew Let's Encrypt certificates weekly. Even though it runs weekly, certbot is smart enough not to renew a certificate until 30 days or less remain; since Let's Encrypt certificates are valid for 90 days, this gives you several chances in case one week's run fails.

Example bash file /etc/cron.weekly/letsencrypt

#!/bin/bash
# Renews only the certificates that have 30 days or less remaining.
/opt/letsencrypt/certbot-auto renew

You may want to add > /dev/null 2>&1 to the end of the command line to suppress the email cron sends, but that also hides renewal failures. A better option is certbot's --quiet flag, which is silent on success and still prints errors, so cron mails you only when something actually went wrong. Also note that Apache and Nginx read the certificate files when they start, so after a renewal the web server must be reloaded before it serves the new certificate; certbot-auto renew accepts a --post-hook command for exactly this.

Deleting SSL Certificates

When we no longer wish to maintain SSL for a host name, we need to delete the renewal config file:
rm /etc/letsencrypt/renewal/example.com.conf
This file records where the certificate files are located and the options used when the certificate was first created, so removing it stops certbot-auto renew from touching that host.
This is not the same as revoking a certificate. It simply stops the renewal that would otherwise happen roughly every 60 days (Let's Encrypt certificates are valid for 90 days). The existing certificate and private key stay on disk under /etc/letsencrypt/archive/ (the live/ folder only holds symbolic links into it); remove them too once the host is gone for good, and if there is any chance the private key was exposed, revoke the certificate with the client's revoke subcommand (certbot-auto revoke, with --cert-path pointing at the certificate) rather than just letting it expire. Newer certbot versions also offer certbot delete --cert-name example.com, which removes the renewal config and the live/ and archive/ entries in one go.
Certificate files are saved in the following path, one folder per host:
/etc/letsencrypt/live/
Specific files are located within the host name folder:
/etc/letsencrypt/live/example.com/
Important reference to the pem files (the same names are used in the renewal config):
cert = /etc/letsencrypt/live/example.com/cert.pem
privkey = /etc/letsencrypt/live/example.com/privkey.pem
chain = /etc/letsencrypt/live/example.com/chain.pem
fullchain = /etc/letsencrypt/live/example.com/fullchain.pem

Note: "chain" exists specifically for Apache's SSLCertificateChainFile setting, which is deprecated as of 2.4.8. This is a good thing, as Nginx and Apache now use the same fullchain.pem and privkey.pem files. Lighttpd is still not as simple; see the note below.

Though all files are saved in the PEM format, other systems and platforms use different file extensions rather than file names to identify the different files. Here is a quick cheat sheet in case you need to map previous files to new files.

type (explanation) - letsencrypt - other examples
cert (the server certificate, which carries the public key) - cert.pem - example.com.crt, example.com.public.key
privkey (private key; keep it readable by root only) - privkey.pem - example.com.key, example.com.private.key
chain (the intermediate CA certificate(s), not a key) - chain.pem - gd_bundle.crt, alphasslroot.crt, etc...
fullchain (concatenation of cert + chain) - fullchain.pem - fullchain.crt

Pem files and their use on Apache, Nginx, and Lighttpd

Apache 2.4.8 and newer

SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

Note that there is no SSLCertificateChainFile option; SSLCertificateFile now takes fullchain.pem, which is cert.pem followed by chain.pem. SSLCertificateFile must point at the certificate and SSLCertificateKeyFile at the private key; if the two are swapped, Apache refuses to start.

Apache 2.4.7 and older

SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem

Note that we are not using fullchain.pem here; instead cert.pem and chain.pem are given on two separate configuration lines.

Nginx

ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

Lighttpd

Lighttpd Note: The private key and the certificate need to be combined into a single file for Lighttpd.

cd /etc/letsencrypt/live/example.com/
cat privkey.pem cert.pem > ssl.pem
chmod 600 ssl.pem

The combined file contains your private key, so it must be readable by root only; cat creates it with your default umask, which usually makes it world-readable, hence the chmod.

Then link to the certificates in your lighttpd config settings.

ssl.pemfile = /etc/letsencrypt/live/example.com/ssl.pem
ssl.ca-file = /etc/letsencrypt/live/example.com/chain.pem

If you are automating Lighttpd renewals, you will need to add an extra step that concatenates privkey.pem with cert.pem again (and restores the 0600 permissions) after each renewal and before restarting/reloading Lighttpd; otherwise Lighttpd keeps serving the old certificate until it expires.

While searching the Internet for examples of setting up Lighttpd, I found some examples using fullchain.pem for ssl.ca-file. Though this also works, it is not technically correct, because ssl.pem already contains cert.pem; ssl.ca-file only needs the intermediate chain.pem.
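The two loose ends above, the weekly cron job under "Renew certs" and the extra concatenation step Lighttpd needs, fit naturally into one script. The following is an added example, not code from the original post: it is meant to be called from /etc/cron.weekly/letsencrypt, runs certbot-auto renew with a --post-hook that rebuilds ssl.pem for every host (with the private key kept at mode 0600) and then reloads the web server. It assumes certbot-auto at /opt/letsencrypt/certbot-auto, the standard /etc/letsencrypt/live layout, that the web server can be reloaded with service <name> reload, and an install path of /usr/local/sbin/le-renew.sh; all of these are assumptions and can be changed through the variables at the top.

```shell
#!/bin/bash
# Added example (not code from the original post): weekly renewal with the
# two follow-up steps a renewal needs, rebuilding Lighttpd's combined
# ssl.pem and reloading the web server.
# Assumptions: certbot-auto at /opt/letsencrypt/certbot-auto, certificates
# under /etc/letsencrypt/live/<host>/, "service <name> reload" works, and
# this file is installed as /usr/local/sbin/le-renew.sh (all adjustable).

CERTBOT=${CERTBOT:-/opt/letsencrypt/certbot-auto}
LIVE_DIR=${LIVE_DIR:-/etc/letsencrypt/live}
WEB_SERVER=${WEB_SERVER:-lighttpd}   # apache2, nginx or lighttpd

# build_lighttpd_pem LIVE_HOST_DIR
# Writes privkey.pem + cert.pem to ssl.pem in that folder. The result holds
# the private key, so it is created under umask 077 (mode 0600) and built
# in a temporary file first: a plain "cat > ssl.pem" would inherit the
# normal umask and usually end up world-readable.
build_lighttpd_pem() {
    local dir="$1" tmp="$1/ssl.pem.tmp"
    if [ ! -r "$dir/privkey.pem" ] || [ ! -r "$dir/cert.pem" ]; then
        echo "build_lighttpd_pem: privkey.pem or cert.pem missing in $dir" >&2
        return 1
    fi
    ( umask 077 && cat "$dir/privkey.pem" "$dir/cert.pem" > "$tmp" ) || return 1
    # Sanity check before replacing the live file: exactly one key, one cert.
    if [ "$(grep -c 'BEGIN .*PRIVATE KEY' "$tmp")" -ne 1 ] ||
       [ "$(grep -c 'BEGIN CERTIFICATE' "$tmp")" -ne 1 ]; then
        rm -f "$tmp"
        echo "build_lighttpd_pem: unexpected content in $dir" >&2
        return 1
    fi
    mv "$tmp" "$dir/ssl.pem"
}

# post_hook: invoked by certbot-auto through --post-hook. With the renew
# subcommand that hook only runs when at least one certificate was actually
# due, so on the weeks where nothing changed nothing is rebuilt or reloaded.
post_hook() {
    local host
    if [ "$WEB_SERVER" = lighttpd ]; then
        for host in "$LIVE_DIR"/*/; do
            [ -f "$host/privkey.pem" ] && build_lighttpd_pem "${host%/}"
        done
    fi
    service "$WEB_SERVER" reload
}

case "${1:-}" in
    --hook) post_hook ;;
    renew)  "$CERTBOT" renew --quiet --post-hook "$0 --hook" ;;
    *)      : ;;   # no argument: only define the functions (useful for sourcing)
esac
```

Install it as /usr/local/sbin/le-renew.sh owned by root with mode 0700, and make /etc/cron.weekly/letsencrypt a one-line wrapper that calls it with the renew argument. Because --quiet silences everything but errors, cron only sends mail when a renewal actually failed. Once a renewal has gone through, openssl s_client -connect example.com:443 -servername example.com shows the certificate dates and the chain the server really sends, which is the quickest way to confirm the reload picked up the new files.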
Please feel free to leave a comment if you find an error and/or have additional notes which may be helpful for others.

The Web is getting Sloppy, Why is it a Problem and Whose Fault is it?

Lately I’ve observed a few web sites that have been “re-launched”. Web sites vary from a small time blogger, a popular car forum, a very large automotive vendor and even Google!

First, let me define what I mean by “The web is getting sloppy”. Essentially the Internet is organized by domain names, for example www.google.com. Each domain name or web site is then organized by paths and files. Between the latest additions of domain name combinations (e.g. example.cc) and the past couple years of sloppy organized paths and files on these web sites, the web is becoming a really big mess.

Google.com

So how does this affect you? Well, let's start from the top down and discuss Google's latest sloppy web site changes. The new iGoogle start pages are now available; they have a fresh new look to make them easier to use. The problem is, they did not copy or replicate the past behavior. For example, with the old iGoogle pages, you could middle-click on the Inbox link of the iGoogle Gmail widget and it would open your Gmail account in a new tab in your web browser. The new iGoogle Gmail widget doesn't do this. Why is this sloppy, you ask? Because when I do middle-click, it opens a new window with a JavaScript error. Google should know better; they could even add JavaScript logic to capture the middle click and cancel it. The one line of code looks like this: event.preventDefault(); Sloppy!

For Google to make such a simple mistake, it really shows that anyone is susceptible to web sloppiness.

YearOne.com

Let's look at a popular automotive parts vendor, YearOne.com. They recently launched a new web site, which is great! Unfortunately, no attempt was made to route the old paths and pages to the new paths and pages. This means that years of loyal YearOne customers posting links to their favorite products on YearOne.com are now wasted. Bloggers call these links "gold" for a reason: they bring new visitors to your site on a continual basis, usually in situations where traditional means of attracting those visitors (such as advertising) are not effective. When the guy down the street recommended a steering wheel 3 years ago on your favorite Chevy forum, you take the recommendation seriously. Well, now that YearOne.com failed to correctly redirect the old pages to the new ones, that coveted potential customer traffic is lost.

In the case of YearOne's problem, this is something that could be solved in 1-2 days with some basic script writing and access to the old and new databases. Two days of a programmer's labor is definitely worth keeping these potential customers coming and buying your products!

Unnamed Car Enthusiast Forum

I absolutely love this site, but it recently violated a number of cardinal rules, such as moving forums to different folder paths on the server and using capital letters in URLs. The forum was moved from www.example.com/smf/ to www.example.com/SOMETHING-ELSE/ and a not-so-friendly message is now present on the old forum with a link to the new forum. To add insult to injury, the link is just text on a page; it's not even surrounded with the necessary HTML to make it clickable. The owner of this site missed an opportunity when I offered to help him fix the problem for free. A simple PHP script that automatically redirects traffic from the old forum to the new one would let him keep the old traffic coming to his site, while also sending the old links to the right topics on the new forum. The CAPITAL LETTER folder name is no big deal really, but if search engine optimization techniques were ever applied, the folder really should be called "forum".

Capital letters are frowned upon in web development. When URLs are typed in manually, the possibility of error increases when someone has to remember to hold down Shift. Furthermore, on Linux and Unix based servers you can have separate folders with the same name, since a folder name with a capital letter is treated as different from the lower-case one.

In this case, I fixed the problem for myself by writing my own GreaseMonkey script which automatically redirects links to the old forum to the new one. My script also rewrites links that may appear on Google pointing at print-page versions of the forum to their normal readable versions.

Every Day Bloggers

So this is where I will definitely feel bad calling someone out specifically, and luckily the problem is so common I don't have to anyway. The biggest thing I see is bloggers trying too hard with their sites, injecting every little widget and gadget into their pages until you can't even tell what was written by the blogger and what is an advertisement. If you take yourself seriously as a blogger, keep your sidebar clean, limit the number of images you put in your blog posts and don't overdo your site navigation. And whatever you do, don't move sites around like checkers. If you don't have the technical knowledge to move a database, reconfigure settings and perform 301 permanent redirects, you have no business moving sites. Hire someone who knows what they're doing or leave it as is.

The latest generation of bloggers are unaware of the importance of their blog's feed URL. Whatever you do, treat this as the keys to the castle! If you change this URL in any way, there will be consequences; even if properly redirected it can lead to lost readership and subscribers. Think of your feed as your postal mailbox. You don't put the mailbox in the back yard and you certainly don't move it around your front yard either. Once you have a place for your feed, keep it there and never move it!

Whose fault is it?

I don't think it's any one person's fault. We're now seeing a new generation of web sites led by a new generation of web developers who are green, learning the mistakes that my generation had to learn. Unfortunately, in an advertising-revenue and sales-commerce driven web world, even one lost web visitor could mean the difference between gaining and losing a great customer.

I’ve been developing web sites professionally since June of 2000. If you need a web developer who takes details like these seriously, contact me at www.mandato.com.

Updating XP and Vista to support WebDAV Web Folders from Apache – Patch KB907306

If you are familiar with WebDAV or even Subversion and use Windows XP/Vista, you will appreciate this tidbit of information.

You can browse a WebDAV server in Windows XP and Vista using Windows Explorer. There is a problem though: Windows XP and Vista will try to use NTLM authentication (Active Directory) to authenticate with the server. If you configure your Apache WebDAV server with either no, basic or digest authentication, then you will hit a roadblock. Luckily Microsoft created the KB907306 patch. Unluckily for me, other websites refer to the patch number missing the last digit '6'. This will drive you crazy when you know you should be able to copy/paste the KB number into Google and quickly find the download page on microsoft.com. Other documents will say to search for KB90730. You should be searching for KB907306. You can search for "Software Update for Web Folders", but you will also get a lot of other search results that are not nearly as helpful. Hopefully this blog post will save some folks the aggravation.

Now that you’re here, there is no need to search! The patch is available from the following link: http://www.microsoft.com/downloads/details.aspx?FamilyID=17c36612-632e-4c04-9382-987622ed1d64&DisplayLang=en

Columbus PHP Meetup tonight – The Art of SQL Tuning for MySQL

If you've been following my Twitter (@AngeloMandato) lately, you may have heard me mention previous Columbus PHP Meetups. These meetups are great for meeting fellow PHP programmers in the Columbus area and a great way to learn about the different libraries, techniques and frameworks that are available.

Columbus PHP Meetup web site: http://php.meetup.com/93/

Tonight's meetup topic is "The Art of SQL Tuning for MySQL" presented by Jay Pipes from MySQL. I can't wait to attend this meetup and gain some insight into how to tune MySQL. Ever since I started my career, I've encountered many issues with server load and/or response time due to poorly written queries. I think I've done a decent job deploying indexes, grouping like queries together, etc., but I know there is more to learn.

The past two Columbus PHP Meetups covered the Zend Framework and CakePHP. Both were great presentations.

The Zend Framework presentation from February was very informative. The Zend Framework was written in a way that the developer can decide how much he/she wants to use from the framework. This makes it possible to easily add the Zend Framework to an existing project. I think the word framework may not be the best word to describe it though, perhaps it should be called library and framework. Many parts of the Zend Framework are really just libraries to help with things like email, XML-RPC, OpenID, Flickr, Amazon, etc… I now plan on using parts of the Zend Framework in some of my projects.

I learned a lot from the CakePHP presentation in March as well. CakePHP is definitely a "framework", with all of the university-taught thinking of object oriented programming and separating presentation from logic built in. What I found interesting is that CakePHP took somewhat of a Ruby on Rails like approach to managing your SQL queries. I think this type of development is fine for small to medium size projects, but anywhere you need full control of the queries or presentation you may find yourself feeling restricted. The presentation side of things reminds me of the Smarty Template Engine; my past experience with Smarty started out great but ended in frustration that I couldn't add the logic I wanted at the presentation level.

I would like to learn more about CodeIgniter. CodeIgniter is the application framework that Joe used for developing the registration system for PodCamp Ohio.

In related news, I purchased a copy of the Zend PHP 5 Certification Study Guide. I own a copy of the Zend PHP 4 Certification Study Guide and loved the book until the pages started falling out. It is not just for those who want to be certified in PHP; the content is perfect for a developer who already knows how to program but just wants something to reference for the language. You should already have some background in C/C++/Java/PHP before you read this book though. I'm very pleased with this edition as well as the first one. I think I may order the Guide to Programming with Zend Framework next.

So are you attending PHP meetups in your area? If so, what sorts of things are you learning?

Line-bar graphs and Pie charts for your web application

If you ever needed to display reports of information in a visual way in your web application, then you'll appreciate Open Flash Chart.

This flash based charting library has everything. From line graphs, bar graphs, pie charts, mixed line/bar graphs and more with the ability to add hovers, custom colors, sizes and web links. The quality of these charts is remarkable. If you have ever used Google Analytics, these charts and graphs match, if not surpass, in quality.

Source for Lighttpd mod_redirect rewrite module to use status code 302

Lighttpd web server, also known as Lighty, is an excellent web server and has the potential to replace Apache completely. I am slowly migrating web sites that use feature-specific settings in Apache to use Lighty. A few months ago I ran into a problem with Lighty's ModRewrite alternative for rewriting URLs. Lighty uses two separate modules to handle internal rewrites and Location: redirects. The redirect module uses the common HTTP 301 Moved Permanently status code. For most circumstances this works well, but in some cases the application may require that the redirect only be temporary and return the HTTP 302 Found status code. Instead of modifying the mod_redirect.c source and changing the http_status code value from 301 to 302, I added new code to support a new url.redirect parameter, url.redirect-found.

I’ve posted the source to the Lighttpd bug tracking system in hopes it will be added to a future version of Lighty.  http://trac.lighttpd.net/trac/ticket/1446

This addition should help the Lighty web server to be capable of handling the appropriate HTTP status codes for all situations that may arise for the web site in question.

Reinstall Dreamweaver 8 with different Product Key/Serial

We got upgrade copies of Dreamweaver 8 at work recently, which meant I could free up my personal copy of DW8 I installed at work. After trying to uninstall and reinstall, I quickly found there was no easy way to change the product key.

After many many attempts, I came up with a procedure in order to switch the product key in the installation.

  1. Uninstall Dreamweaver 8
  2. Delete/Rename this folder: C:\Documents and Settings\All Users\Application Data\Macromedia\Licensing\Products\Dreamweaver 8.0
  3. Reinstall Dreamweaver 8

There may be an easier and quicker way to do this but I was unable to find a solution with my web searches.