A Letsencrypt example

An example based on an apache server running ubuntu 18.04.

For Name-based virtual hosting

With name-based virtual hosting, the server relies on the client to report the hostname as part of the HTTP headers. Using this technique, many different hosts can share the same IP address.

Configure your DNS server to map each hostname to the correct IP address and then configure the Apache HTTP Server to recognize the different hostnames.

One way to implement SSL (TLS) certificates for name-based virtual hosting is to use what is sometimes called a multi-domain SAN (subject alternative name) certificate.

example SAN site
https://www.digicert.com/subject-alternative-name.htm

You request multiple domains for the same certificate, for example:

certbot -d site1 -d site2.com -d site3.com -d site4.com -d site5.com -d site6.com …..

The following example shows a way to request one certificate per domain ‘set’, which should make revoking and tracking certificates easier.

An example of name-based virtual hosting domains

Our example is based on DNS entries where there are 2 DNS records for each “domain”: the www version and the non-www version.

Example of a ‘set’ of www and non-www domains

pbacloudb2019.com
www.pbacloudb2019.com

An example of domain ‘sets’ pointing to the same IP address

a)
pbacloudb2019.com
www.pbacloudb2019.com

b)
pbacloudb2019-doctortest.com
www.pbacloudb2019-doctortest.com

c)
pbaclouda2019.com
www.pbaclouda2019.com

d)
pbaclouda2019-doctortest.com
www.pbaclouda2019-doctortest.com

Question: how many domains have you created SSL certificates for and pointed towards the same IP address?

Planning for the potential of up to 600 sites pointing to the same IP.
The current setup also supports A records pointing to the same IP for both the www version and the non-www version.

The following examples are for folks with shell access and root or sudo access, and are for Apache 2.4 on Ubuntu 18.04.

Letsencrypt

Install certbot on your server and then:

1) create an account

Example

certbot register -m youj@protonmail.com,another@domain.org --agree-tos

Notes on creating an account

manage your account with Let’s Encrypt:
register        Create a Let’s Encrypt ACME account
unregister      Deactivate a Let’s Encrypt ACME account
update_account  Update a Let’s Encrypt ACME account
--agree-tos     Agree to the ACME server’s Subscriber Agreement
-m EMAIL        Email address for important account notifications

Letsencrypt id

Our CPS and Subscriber Agreement indicate that the Subscriber is whoever holds the private key for a certificate. For hosting providers, that’s the provider, not the provider’s customer. If you’re writing software that people deploy themselves, that’s whoever is deploying the software.

- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- We were unable to subscribe you the EFF mailing list because your
e-mail address appears to be invalid. You can try again later by
visiting https://act.eff.org.

2) Backup letsencrypt

Once you create an account, set something up that makes a secure backup of everything under /etc/letsencrypt every time you run certbot or another certificate-managing command. That directory holds the account key, the private keys and the certificates, so treat the backup with the same care as the originals.

3) Create one Virtual Host config file per certificate (port 80).

Create a Virtual Hosts file for a ‘set’ of www and non-www domains.

A) In the directory /etc/apache2/sites-enabled/

Create a ‘vhost’ file for each ‘set’.

(Take the default file in the directory and rename it for whatever naming convention you want for your certificates. I am using the non-www version of the domain for the name of the conf file; when I request the certificate, the first domain I pass in will be the non-www version. The certificate file and the virtual hosts file should then share something in common.)

Virtual Host file

/etc/apache2/sites-enabled/pbacloudb2019.com.conf

Certificate file
Certificate Path: /etc/letsencrypt/live/pbacloudb2019.com/fullchain.pem

Example file names

/etc/apache2/sites-enabled/pbaclouda2019.com.conf
/etc/apache2/sites-enabled/pbaclouda2019-doctortest.com.conf
/etc/apache2/sites-enabled/pbacloudb2019.com.conf
/etc/apache2/sites-enabled/pbacloudb2019-doctortest.com.conf

Important entries that differ from the default

Add:
ServerName pbaclouda2019.com
ServerAlias www.pbaclouda2019.com

I shut down the Apache server when I place the Virtual Hosts file in the /etc/apache2/sites-enabled directory. Then I start Apache again so that it recognizes the new virtual hosts. You keep the Apache server running while you are requesting certificates.

4) Request certificates, one per virtual host file

a) certbot will edit the Apache configuration, so back it up first

I just back up the *.conf files from /etc/apache/

b) stop the apache (or other web) server

c) try a --dry-run

This checks that everything is in order before requesting the certificate.

certbot certonly --apache --dry-run -d pbaclouda2019.com -d www.pbaclouda2019.com

d) request the certificate

certbot --apache -d pbaclouda2019.com -d www.pbaclouda2019.com

5) First-time considerations

It will ask you:

: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you’re confident your site works on HTTPS. You can undo this
change by editing your web server’s configuration.

6) Example files after requesting a certificate

You should see the following in your Apache virtual host file.

A) Virtual Host file like /etc/apache2/sites-enabled/pbacloudb2019.com.conf

In our example it should have the following entries:

ServerName pbaclouda2019.com
Include /etc/letsencrypt/options-ssl-apache.conf
ServerAlias pbaclouda2019.com
ServerAlias www.pbaclouda2019.com

SSLCertificateFile /etc/letsencrypt/live/pbaclouda2019.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/pbaclouda2019.com/privkey.pem

b) Issue the command: certbot certificates

For the certificate pbaclouda2019.com you should see the same paths that the virtual host file references:

Certificate Path: /etc/letsencrypt/live/pbaclouda2019.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/pbaclouda2019.com/privkey.pem
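Steps 3 and 4 above, put together as one script: one port-80 vhost file per ‘set’, then one certificate request per file, dry-run first. This is an added example, not code from the original post; the /var/www document root, the /root backup path and the --apply flag are my assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: one vhost file and one certificate
# per www/non-www 'set'. Document root and backup path are assumptions; run the
# apply mode as root or with sudo on the Apache 2.4 / Ubuntu 18.04 host.
set -eu

SITES_DIR=/etc/apache2/sites-enabled

# Render the port-80 VirtualHost for one set. The non-www domain is ServerName,
# so the .conf file and /etc/letsencrypt/live/<domain>/ end up sharing a name.
vhost_conf() {
  domain="$1"
  cat <<EOF
<VirtualHost *:80>
    ServerName ${domain}
    ServerAlias www.${domain}
    DocumentRoot /var/www/${domain}/public_html
    ErrorLog \${APACHE_LOG_DIR}/${domain}-error.log
    CustomLog \${APACHE_LOG_DIR}/${domain}-access.log combined
</VirtualHost>
EOF
}

# Build the certbot command for one set. The non-www name goes first, and an
# optional second argument such as --dry-run is inserted before the domains.
certbot_cmd() {
  domain="$1" extra="${2:-}"
  printf 'certbot --apache %s-d %s -d www.%s\n' "${extra:+$extra }" "$domain" "$domain"
}

# Apply mode: ./sets.sh --apply pbacloudb2019.com pbacloudb2019-doctortest.com
if [ "${1:-}" = "--apply" ]; then
  shift
  # certbot rewrites the Apache config, so keep a copy of the *.conf files first.
  tar czf "/root/apache2-conf-$(date +%Y%m%d%H%M).tgz" /etc/apache2
  for d in "$@"; do
    vhost_conf "$d" > "${SITES_DIR}/${d}.conf"
  done
  apachectl configtest            # catch a bad vhost before touching Apache
  systemctl reload apache2        # Apache must know the names before certbot runs
  for d in "$@"; do
    eval "$(certbot_cmd "$d" --dry-run)"   # staging first, so a mistake costs nothing
    eval "$(certbot_cmd "$d")"             # then the real certificate for this set
  done
fi
```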

7) Getting help in the forums

https://community.letsencrypt.org/

Notes

SNI (Server Name Indication) is a TLS extension supported by the web server that lets the client name the host it wants; this is what allows multiple certificates per IP address.

http-01 Challenge is an easy file-based way certbot uses to identify and authenticate your server for the domain you are requesting.

If the system can write files to the server you are managing for the domain you are requesting, things are good to go. Note there is a thing called ‘rate limiting’: you can only request 100 certificates per day.

Helpful Links and Commands

dig is a Linux command line utility that shows DNS information

dig --help

Show the A records for a domain:
dig www.pbacloudb2019-doctortest.com +short
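A pre-flight check built on dig +short, added here and not part of the original post: it confirms that both records of a ‘set’ point at the server’s IP before certbot is run, since the http-01 challenge has to reach this host. The IP addresses in the sample are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight DNS check for a 'set'.
# The http-01 challenge only works if both the non-www and www names resolve to
# this server, so check that before running certbot. Uses dig +short as above;
# the addresses in sample_records are constructed, not real DNS answers.
set -eu

# Print "name ip" lines for a set, one per A record; "NONE" when dig returns
# nothing (the grep keeps only IPv4 answers, dropping CNAME targets).
resolve_set() {
  domain="$1"
  for name in "$domain" "www.$domain"; do
    ips=$(dig "$name" A +short | grep -E '^[0-9.]+$' || true)
    for ip in ${ips:-NONE}; do
      echo "$name $ip"
    done
  done
}

# Read "name ip" lines on stdin and fail unless every address equals $1.
# Offending names are listed on stderr so the set can be fixed before certbot.
check_set_ips() {
  expected="$1" bad=0
  while read -r name ip; do
    if [ "$ip" != "$expected" ]; then
      echo "MISMATCH: $name -> $ip (expected $expected)" >&2
      bad=1
    fi
  done
  return "$bad"
}

# Constructed sample, shaped like resolve_set output: the last set's www record
# points at a different host, which would make its http-01 challenge fail.
sample_records() {
  printf '%s\n' \
    'pbacloudb2019.com 203.0.113.10' \
    'www.pbacloudb2019.com 203.0.113.10' \
    'pbacloudb2019-doctortest.com 203.0.113.10' \
    'www.pbacloudb2019-doctortest.com 198.51.100.7'
}

# Live usage (needs dig and DNS): resolve_set pbacloudb2019.com | check_set_ips 203.0.113.10
```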

A site with a lot of options for checking SSL and DNS information

https://check-your-website.server-daten.de

Show my certificates: certbot certificates

The maximum sites per cert is 100 (less is better).

The number of URLs has to be less than the maximum - urls_per_cert (100 max, can be as low as 25)

Is there a maximum number of certs per IP address?

Do you know of any SNI constraints and requirements?

Theoretical max:
certs_per_ip X urls_per_cert

Upgrading a Webserver and application

First, we updated the application to better support accessibility. https://www.w3.org/WAI/fundamentals/accessibility-intro/

Upgrading the stack from

Ubuntu 12.04.5 LTS
PHP 5.3.10
mysql Ver 14.14 Distrib 5.5.54
Codeigniter CI_VERSION’, ‘2.1.2’
jQuery 1.8 + UI + Datatables + tinymce

To

Ubuntu 18.04 LTS
Apache/2.4.29 (Ubuntu)
mysql Ver 15.1 Distrib 10.1.38-MariaDB,
Php 7.2
Codeigniter CI_VERSION = ‘3.1.10’;
jQuery 3.4.0 +UI + Datatables + ?

With name-based virtual hosting

With name-based virtual hosting, the server relies on the client to report the hostname as part of the HTTP headers. Using this technique, many different hosts can share the same IP address.

Name-based virtual hosting is usually simpler, since you need only configure your DNS server to map each hostname to the correct IP address and then configure the Apache HTTP Server to recognize the different hostnames. Name-based virtual hosting also eases the demand for scarce IP addresses. Therefore you should use name-based virtual hosting unless there is a specific reason to choose IP-based virtual hosting. Some reasons why you might consider using IP-based virtual hosting:

Next thing to do is enable SSL for a ‘LOT’ of clients.

Things I scream about.

1) I was unable to upgrade the existing Ubuntu 12 stack.
2) Under 12, I got rewrites of form urls. Not so in the new stack. Took me a while to figure that one out.
3) Our Hosting vendor does not automatically install phpMyAdmin or a server management tool like Control Panel or Webmin
4) The CI based applications I inherited do some really funky stuff to serve css, js, and image files from a non accessible location
5) .htaccess and Apache
6) There are a lot of bots scanning sites looking for vulnerabilities.

Q. What is the most used language in programming? A. Profanity


Free Health Care

Single Payer, Universal Healthcare, Medicare for all, the Canadian Model, whatever you want to call it. I am for it.

Canada’s universal, publicly funded healthcare system—known as Medicare—is a source of national pride, and a model of universal health coverage. It provides relatively equitable access to physician and hospital services through 13 provincial and territorial tax-funded public insurance plans.

I think it would also be appropriate to give anyone who works in health care free parking and no tickets, ever. Going to the front of the line is under consideration.

British sarcasm ‘lost on Americans’

https://www.bbc.com/news/world-us-canada-46846467

What the British say | What the British mean | What others understand
I hear what you say | I disagree and do not want to discuss it further | He accepts my point of view
With the greatest respect… | I think you are an idiot | He is listening to me
That’s not bad | That’s good | That’s poor
That is a very brave proposal | You are insane | He thinks I have courage
Quite good | A bit disappointing | Quite good
I would suggest… | Do it or be prepared to justify yourself | Think about the idea, but do what you like
Oh, incidentally/by the way | The primary purpose of our discussion is… | That is not very important
I was a bit disappointed that | I am annoyed that | It doesn’t really matter
Very interesting | That is clearly nonsense | They are impressed
I’ll bear it in mind | I’ve forgotten it already | They will probably do it
I’m sure it’s my fault | It’s your fault | Why do they think it was their fault?
You must come for dinner | It’s not an invitation, I’m just being polite | I will get an invitation soon
I almost agree | I don’t agree at all | He’s not far from agreement
I only have a few minor comments | Please re-write completely | He has found a few typos
Could we consider some other options? | I don’t like your idea | They have not yet decided

Beware the Trolls

They will try to make:
  • Nonsense into something
  • Something into nothing
  • Nothing into something

A troll is someone who deliberately tries to disrupt, attack, offend or generally cause trouble by posting certain comments, photos, videos, GIFs or some other form of online content.

I block trolls for the same reason I scrape dog shit off my shoes: not because I’m “afraid” of dog shit, but because dog shit has no inherent value, creates a huge mess, and makes everything smell like dog shit.

Trolls: to clarify, in this analogy, you are dog shit.


For your consideration: Trolls are posting that the song: “Baby, It’s Cold Outside” is about rape. https://www.rollingstone.com/culture/culture-news/baby-its-cold-outside-controversy-holiday-song-history-768183/

What will be next?

There is no antidote for idiocy or extremism.  

Man’s most valuable trait is a judicious sense of what not to believe. -Euripides

Patience has its limits. Take it too far, and it’s cowardice. -George Jackson

Love all, trust a few, do wrong to none. -Shakespeare

Political language–and with variations this is true of all political parties, from Conservatives to Anarchists–is designed to make lies sound truthful and murder respectable, and to give an appearance of solidity to pure wind. -George Orwell

If words are to enter men’s minds and bear fruit, they must be the right words shaped cunningly to pass men’s defenses and explode silently and effectually within their minds. -J.B. Phillips

The illiterate of the 21st century will not be those who cannot read and write, but those who cannot learn, unlearn, and relearn. -Alvin Toffler

An education isn’t how much you have committed to memory, or even how much you know. It’s being able to differentiate between what you know and what you don’t. -Anatole France

It is difficult to get a man to understand something when his salary depends upon his not understanding it. -Upton Sinclair


Propaganda

What occurs to me in reading their book is that the new American approach to social control is so much more sophisticated and pervasive that it really deserves a new name. It isn’t just propaganda any more, it’s ‘prop-agenda’. It’s not so much the control of what we think, but the control of what we think about. When our governments want to sell us a course of action, they do it by making sure it’s the only thing on the agenda, the only thing everyone’s talking about. And they pre-load the ensuing discussion with highly selected images, devious and prejudicial language, dubious linkages, weak or false ‘intelligence’ and selected ‘leaks’.
Brian Eno on Sheldon Rampton and John Stauber’s “Weapons of Mass Deception”