A Letsencrypt example

An example based on an apache server running ubuntu 18.04.

For Name-based virtual hosting

With name-based virtual hosting, the server relies on the client to report the hostname as part of the HTTP headers. Using this technique, many different hosts can share the same IP address.

Configure your DNS server to map each hostname to the correct IP address and then configure the Apache HTTP Server to recognize the different hostnames.

One way to implement SSL (TLS) certificates for name-based virtual hosting is to use what is sometimes called a multi-domain or SAN (Subject Alternative Name) certificate.

example SAN site
https://www.digicert.com/subject-alternative-name.htm

You request multiple domains for the same certificate. Example:

certbot -d site1 -d site2.com -d site3.com -d site4.com -d site5.com -d site6.com ...

The following example shows a way to request one certificate per domain ‘set’, which should make revoking and tracking certificates easier.

An example of name-based virtual hosting domains

Our example is based on DNS entries where there are 2 DNS records for each “domain”: the www version and the non-www version.

Example of a ‘set’ of www and non-www domains

pbacloudb2019.com
www.pbacloudb2019.com

An example of domain ‘sets’ pointing to the same IP address

a)
pbacloudb2019.com
www.pbacloudb2019.com

b)
pbacloudb2019-doctortest.com
www.pbacloudb2019-doctortest.com

c)
pbaclouda2019.com
www.pbaclouda2019.com

d)
pbaclouda2019-doctortest.com
www.pbaclouda2019-doctortest.com

Question: how many domains have you created SSL certificates for and pointed to the same IP address?

Planning for the potential of up to 600 sites pointing to the same IP.
The current setup also supports A records pointing to the same IP for both the www version and the non-www version.

The following examples are for folks with shell access and root or sudo access, and are for Apache 2.4 on Ubuntu 18.04

 

Letsencrypt

Install certbot on your server and then

1) create an account

Example

certbot register -m youj@protonmail.com,another@domain.org --agree-tos

Notes on creating an account

manage your account with Let’s Encrypt:
register        Create a Let’s Encrypt ACME account
unregister      Deactivate a Let’s Encrypt ACME account
update_account  Update a Let’s Encrypt ACME account
--agree-tos      Agree to the ACME server’s Subscriber Agreement
-m EMAIL         Email address for important account notifications

Letsencrypt id

Our CPS and Subscriber Agreement indicate that the Subscriber is whoever holds the private key for a certificate. For hosting providers, that’s the provider, not the provider’s customer. If you’re writing software that people deploy themselves, that’s whoever is deploying the software.

- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- We were unable to subscribe you the EFF mailing list because your
e-mail address appears to be invalid. You can try again later by
visiting https://act.eff.org.

2) Back up letsencrypt

Once you create an account, set something up that makes a secure backup of everything under /etc/letsencrypt every time you issue certbot or another certificate-managing command. That directory holds the account key and every private key certbot obtains, so the backup itself must be readable only by root.
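One way to do that, added here as an example and not part of the original post: a small wrapper that snapshots a directory into a timestamped, owner-only tarball and only then runs the command you give it. The function names (backup_dir, with_backup) and the backup destination are this example's assumptions; the post names only /etc/letsencrypt as the directory to protect.

```shell
#!/bin/sh
# Snapshot a directory before running a command that may change it.
# Added example for the step above; backup_dir / with_backup and the
# destination directory are this example's own choices.

# backup_dir SRC DEST
#   Writes DEST/<basename of SRC>-<UTC timestamp>.tar.gz with mode 0600
#   (the archive contains private keys) and prints the archive path.
backup_dir() {
    src="$1"
    dest="$2"
    [ -d "$src" ] || { printf 'backup_dir: %s is not a directory\n' "$src" >&2; return 1; }
    mkdir -p "$dest"
    chmod 700 "$dest"
    stamp="$(date -u +%Y%m%dT%H%M%SZ)"
    archive="${dest}/$(basename "$src")-${stamp}.tar.gz"
    # umask 077 inside a subshell: the archive is never world-readable,
    # not even for the instant between creation and a later chmod.
    ( umask 077 && tar -czf "$archive" -C "$(dirname "$src")" "$(basename "$src")" ) || return 1
    printf '%s\n' "$archive"
}

# with_backup SRC DEST CMD [ARGS...]
#   Back up SRC into DEST, then run CMD. If the backup fails, CMD does not run.
with_backup() {
    src="$1"
    dest="$2"
    shift 2
    archive="$(backup_dir "$src" "$dest")" || return 1
    printf 'backup written to %s\n' "$archive" >&2
    "$@"
}

# On the server this would be run as root, for example (not executed here):
#   with_backup /etc/letsencrypt /root/letsencrypt-backups \
#       certbot --apache -d pbaclouda2019.com -d www.pbaclouda2019.com
```

The archive lands on the same host, so copy it somewhere else (another machine or an encrypted store) for it to count as a real backup; the point of the wrapper is that a certbot run can no longer happen without a snapshot of the keys it is about to touch.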

3) Create one virtual host config file per certificate (port 80).

Create a virtual hosts file for a ‘set’ of www and non-www domains

a) In the directory /etc/apache2/sites-enabled/, create a ‘vhost’ file for each ‘set’.

(Take the default file in the directory and rename it for whatever naming convention for your certificates you want. I am using the non-www version of the domain for the name of the conf file; when I request the certificate, the first domain I pass in will be the non-www version. The certificate file and the virtual hosts file then share something in common.)

Virtual host file

/etc/apache2/sites-enabled/pbacloudb2019.com.conf

Certificate file
Certificate Path: /etc/letsencrypt/live/pbacloudb2019.com/fullchain.pem

Example file names

/etc/apache2/sites-enabled/pbaclouda2019.com.conf
/etc/apache2/sites-enabled/pbaclouda2019-doctortest.com.conf
/etc/apache2/sites-enabled/pbacloudb2019.com.conf
/etc/apache2/sites-enabled/pbacloudb2019-doctortest.com.conf

Important entries that differ from the default

add
ServerName pbaclouda2019.com
ServerAlias www.pbaclouda2019.com

I shut down the Apache server when I place the virtual hosts file in the /etc/apache2/sites-enabled directory. Then I start up Apache so that it will recognize the new virtual hosts. You keep the Apache server running while you are requesting certificates.

4) Request certificates, one per virtual host file

a) certbot will edit the Apache configuration, so back it up

I just back up the *.conf files from /etc/apache2/

b) stop apache (or your web server)

c) try a --dry-run

This checks that everything is in order before requesting the certificate. A dry run talks to the Let’s Encrypt staging server, so it does not count against the production rate limits.

certbot certonly --apache --dry-run -d pbaclouda2019.com -d www.pbaclouda2019.com

d) request the certificate

certbot --apache -d pbaclouda2019.com -d www.pbaclouda2019.com
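Steps 3 and 4 above as one script, added here as an example and not part of the original post: for each domain ‘set’ it writes one port-80 virtual host file (non-www name as ServerName, www name as ServerAlias, both as bare hostnames) and prints the matching dry-run and real certbot commands, one certificate per set with the non-www name first so the lineage under /etc/letsencrypt/live/ is named after it. The four domains are the sets from this post; the function names, the VHOST_DIR scratch directory (the post uses /etc/apache2/sites-enabled/) and the per-domain DocumentRoot are this example's assumptions. The certbot commands are printed rather than executed so the output can be reviewed before anything touches a live server.

```shell
#!/bin/sh
# One vhost file and one certbot command per domain "set" (non-www + www).
# Added example; domain names are from the post, everything else is assumed.

# Output directory for the generated .conf files. The post places them in
# /etc/apache2/sites-enabled/; a scratch directory lets this run without root.
VHOST_DIR="${VHOST_DIR:-./vhosts-example}"

# vhost_conf DOMAIN
#   Prints a port-80 virtual host for DOMAIN and www.DOMAIN. ServerName and
#   ServerAlias take hostnames only, never a URL with http://.
#   The DocumentRoot/log layout is this example's assumption.
vhost_conf() {
    domain="$1"
    cat <<EOF
<VirtualHost *:80>
    ServerName ${domain}
    ServerAlias www.${domain}
    ServerAdmin webmaster@${domain}
    DocumentRoot /var/www/${domain}
    ErrorLog \${APACHE_LOG_DIR}/${domain}-error.log
    CustomLog \${APACHE_LOG_DIR}/${domain}-access.log combined
</VirtualHost>
EOF
}

# write_vhost DOMAIN
#   Writes VHOST_DIR/DOMAIN.conf (same naming rule as the post) and prints the path.
write_vhost() {
    domain="$1"
    mkdir -p "$VHOST_DIR"
    out="${VHOST_DIR}/${domain}.conf"
    vhost_conf "$domain" > "$out"
    printf '%s\n' "$out"
}

# certbot_cmd DOMAIN [dry]
#   Prints the certbot command for one set. With "dry" it prints the
#   --dry-run form, which uses the staging server and does not count
#   against production rate limits.
certbot_cmd() {
    domain="$1"
    if [ "${2:-}" = "dry" ]; then
        printf 'certbot certonly --apache --dry-run -d %s -d www.%s\n' "$domain" "$domain"
    else
        printf 'certbot --apache -d %s -d www.%s\n' "$domain" "$domain"
    fi
}

# The four domain sets listed in the post.
DOMAIN_SETS="pbacloudb2019.com pbacloudb2019-doctortest.com pbaclouda2019.com pbaclouda2019-doctortest.com"

main() {
    for d in $DOMAIN_SETS; do
        write_vhost "$d"
        certbot_cmd "$d" dry
        certbot_cmd "$d"
    done
}

main
```

Because the .conf file, the first -d name and the certbot lineage directory all carry the same non-www name, the check in step 6 (that the SSLCertificateFile path and the ServerName line agree) becomes a simple eyeball comparison.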

5) First-time considerations

It will ask you:

: Redirect – Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you’re confident your site works on HTTPS. You can undo this
change by editing your web server’s configuration.

6) Example files after requesting a certificate

You should see the following in your Apache virtual host file

a) Virtual host file like /etc/apache2/sites-enabled/pbacloudb2019.com.conf

In our example it should have the following entries

ServerName pbaclouda2019.com
Include /etc/letsencrypt/options-ssl-apache.conf
ServerAlias pbaclouda2019.com
ServerAlias www.pbaclouda2019.com

SSLCertificateFile /etc/letsencrypt/live/pbaclouda2019.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/pbaclouda2019.com/privkey.pem

b) Issue the command: certbot certificates

For the certificate named pbaclouda2019.com it lists the domains the certificate covers (pbaclouda2019.com and www.pbaclouda2019.com), its expiry date, and the same two paths the virtual host file points at: /etc/letsencrypt/live/pbaclouda2019.com/fullchain.pem and /etc/letsencrypt/live/pbaclouda2019.com/privkey.pem. If the names or paths do not match the ServerName, ServerAlias and SSLCertificate* lines in the .conf file, fix the virtual host file before moving on.

7) Getting help in the forums

https://community.letsencrypt.org/

Notes

SNI (Server Name Indication) is a TLS extension: the client sends the hostname it wants at the start of the handshake, so a web server can present a different certificate for each virtual host on the same IP address.

The http-01 challenge is an easy, file-based way certbot uses to prove to Let’s Encrypt that you control the server for the domain you are requesting.

If the system can write files to the server you are managing for the domain you are requesting, things are good to go. Note, there is a thing called ‘rate limiting’. You can only request 100 certificates per day

Helpful Links and Commands

dig is a Linux command-line utility that shows DNS information

dig -h

Show the A records for a domain:
dig www.pbacloudb2019-doctortest.com +short

A site with a lot of options for checking SSL and DNS information

https://check-your-website.server-daten.de

Show my certificates: certbot certificates

The maximum number of sites (names) per certificate is 100 (fewer is better).

The number of URLs has to be less than the maximum: urls_per_cert (100 max, can be as low as 25)

Is there a maximum number of certs per IP address?

Do you know of any SNI constraints and requirements?

Theoretical max
certs_per_ip × urls_per_cert

Upgrading a Webserver and application

First, we updated the application to better support accessibility. https://www.w3.org/WAI/fundamentals/accessibility-intro/

Upgrading the stack from

Ubuntu 12.04.5 LTS
PHP 5.3.10
mysql Ver 14.14 Distrib 5.5.54
CodeIgniter CI_VERSION ‘2.1.2’
jQuery 1.8 + UI + Datatables + tinymce

To

Ubuntu 18.04 LTS
Apache/2.4.29 (Ubuntu)
mysql Ver 15.1 Distrib 10.1.38-MariaDB
PHP 7.2
CodeIgniter CI_VERSION = ‘3.1.10’;
jQuery 3.4.0 + UI + Datatables + ?

With name-based virtual hosting

Name-based virtual hosting is usually simpler, since you need only configure your DNS server to map each hostname to the correct IP address and then configure the Apache HTTP Server to recognize the different hostnames. Name-based virtual hosting also eases the demand for scarce IP addresses. Therefore you should use name-based virtual hosting unless there is a specific reason to choose IP-based virtual hosting. Some reasons why you might consider using IP-based virtual hosting:

Next thing to do is enable SSL for a ‘LOT’ of clients.

Things I scream about.

1) I was unable to upgrade the existing Ubuntu 12 stack.
2) Under 12, I got rewrites of form URLs. Not so in the new stack. Took me a while to figure that one out.
3) Our hosting vendor does not automatically install phpMyAdmin or a server management tool like Control Panel or Webmin.
4) The CI-based applications I inherited do some really funky stuff to serve css, js, and image files from a non-accessible location.
5) .htaccess and Apache
6) There are a lot of bots scanning sites looking for vulnerabilities.

Q. What is the most used language in programming? A. Profanity


Beware the Trolls

They will try to make:
  • Nonsense into something
  • Something into nothing
  • Nothing into something

A troll is someone who deliberately tries to disrupt, attack, offend or generally cause trouble by posting certain comments, photos, videos, GIFs or some other form of online content.

I block trolls for the same reason I scrape dog shit off my shoes: not because I’m “afraid” of dog shit, but because dog shit has no inherent value, creates a huge mess, and makes everything smell like dog shit.

Trolls: to clarify, in this analogy, you are dog shit.

 

For your consideration: Trolls are posting that the song: “Baby, It’s Cold Outside” is about rape. https://www.rollingstone.com/culture/culture-news/baby-its-cold-outside-controversy-holiday-song-history-768183/

What will be next?

There is no antidote for idiocy or extremism.  

Man’s most valuable trait is a judicious sense of what not to believe. -Euripides

Patience has its limits. Take it too far, and it’s cowardice. -George Jackson

Love all, trust a few, do wrong to none. -Shakespeare

Political language–and with variations this is true of all political parties, from Conservatives to Anarchists–is designed to make lies sound truthful and murder respectable, and to give an appearance of solidity to pure wind. -George Orwell

If words are to enter men’s minds and bear fruit, they must be the right words shaped cunningly to pass men’s defenses and explode silently and effectually within their minds. -J.B. Phillips

The illiterate of the 21st century will not be those who cannot read and write, but those who cannot learn, unlearn, and relearn. -Alvin Toffler

An education isn’t how much you have committed to memory, or even how much you know. It’s being able to differentiate between what you know and what you don’t. -Anatole France

It is difficult to get a man to understand something when his salary depends upon his not understanding it. -Upton Sinclair


Propaganda

What occurs to me in reading their book is that the new American approach to social control is so much more sophisticated and pervasive that it really deserves a new name. It isn’t just propaganda any more, it’s ‘prop-agenda’. It’s not so much the control of what we think, but the control of what we think about. When our governments want to sell us a course of action, they do it by making sure it’s the only thing on the agenda, the only thing everyone’s talking about. And they pre-load the ensuing discussion with highly selected images, devious and prejudicial language, dubious linkages, weak or false ‘intelligence’ and selected ‘leaks’.
Brian Eno on Sheldon Rampton and John Stauber’s “Weapons of Mass Deception”

Getting Started with WordPress

If you can use a word processor, know what styles are and have put images and charts and tables and such in a document, you can probably set up a passable WordPress site.

Go here https://wordpress.com/free, sign up for a free site and create one.

There are thousands of themes and widgets.  To start, pick a free theme, then create a page, then create a post.  Add some graphics to your pages and posts, and add some widgets to sidebars.  Don’t go crazy searching for a theme.  You can change your theme for a simple site without much trouble.  Look at the footer, get used to the Visual Editor and the Dashboard.  Fiddle with some settings and Bob’s your uncle.   Of course, that is for getting started.  It is the equivalent of creating a vinegar and baking soda rocket as the first step to NASA, but we all have to start somewhere.  You will have a WordPress site, and you will know something about what it takes to create, maintain and add content to a site.  Go for it.

Some Beginner Tips:

https://www.wpexplorer.com/easy-tips-wordpress-beginners
https://www.copyblogger.com/new-to-wordpress

Some things are not applicable to free WordPress Sites.  You can’t upload video or audio files to a free wordpress site or add small bits of Code to Add Features.  Read on to the “One thing you can’t do...” section below for how to link to a video or audio file.

WordPress is due for a major new release in 2018, WordPress 5.0.  The tentative release date is set for November 19. One of the big changes will be “Gutenberg”,  the new editor.  It is a major overhaul of the current visual editor.  For more see:


Before venturing into the world of publishing on the web, I would read this.  Multiple email accounts can be useful.  https://garyjohnson53.wordpress.com/2017/01/26/a-smart-thing-to-do-for-with-your-email


One thing you can’t do with a free WordPress site is create an embedded video.  You can use a picture as a link to a YouTube video, which in some cases works better and is free as well.  Example, click on the picture below (View a video …) to go to a Youtube video.

View a video about the BEST SMARTPHONE GIMBAL of 2017.

Watch the Video

It does not hurt to show another link to your content (see Watch the Video above).  As of September 28, 2018, to create a picture as link:

  1. Insert the picture onto the page.
  2. Click on the image, then click on the “create link” or “insert or edit” icon in the editor toolbar.
  3. Put the url you want to link in the popup.

Another issue with free WordPress sites is that you cannot install plugins. Plugins are extensions to WordPress. For simple sites this is not an issue, except for setting up contact forms. You can set up a simple contact form with the: “add” button “add” contact form: https://en.support.wordpress.com/forms/contact-form/, however, it does not offer advanced features like the google “Are You Human” options etc that are available with some plugins.  The alternative to setting up contact forms with anti spam features is to provide an email address on the site.  Be prepared to get hit with some spam. See https://codex.wordpress.org/Protection_From_Harvesters

This example will defeat most harvesting software. It is a simple image, I write the text and format it in word. I used the snipping tool to then make an image of it.
Another possibility: take a picture of your business card.

You can have a perfectly respectable website — and for free.    Unless your name / business is a digitally distinct name, picking a website url can be a tedious process.  I don’t mind saying my website is https://garyjohnson53.wordpress.com.  When you sign up for a free plan, your user id is used as the first part of your default website, with wordpress.com as the second part.  If in the future, you want a custom domain name, it is not difficult to set up, but it does cost money.

Are you ready to get started?  Go here https://wordpress.com/free, sign up for a free site and create one today!


Gutenberg on WordPress.com

From https://en.forums.wordpress.com/topic/information-on-gutenberg-implementation:

We are currently testing the implementation of Gutenberg on WordPress.com and working out how and when it will be enabled. Once we start rolling it out for use, there will be posts and support pages explaining how everything is going to work.

But for now I can tell you no one is going be stumbling into Gutenberg by accident, and there’s not going to be an instant switch the moment it launches in Core.

Initially Gutenberg on WordPress.com will be opt-in only, and the opt-in option will not be available for someone until we’ve added support for blocks to the theme they are using.

The classic editor should also still be available, and it should be possible to edit a Gutenberg post in the classic editor, just like it currently is in Core, and will be via the Classic Editor plugin once Gutenberg becomes the default there.

Eventually Gutenberg on WordPress.com will become opt-out rather than opt-in, but details around that are still being discussed internally.

If you’ve been keeping up with Gutenberg, as it sounds you have, you’ll know Automattic is heavily invested in it, and it’s also very important for us that it’s a success on WordPress.com, so we’re not rushing things and will make very sure the transition for WordPress.com users are as smooth as possible.

As for your questions above regarding how Gutenberg will work in WordPress 5.0, you can ask the Core team directly at https://wordpress.org/support/plugin/gutenberg.

You can also see the detailed documentation, which includes a FAQ,  at https://wordpress.org/gutenberg


About the Gary GMGJ Johnson, the author of this post:

https://cookdotcom.com/about-me/
https://www.garyjohnsoninfo.info/GJPortfolio.html

You’re reading this on my free WordPress site.  Here is a link that I use to demonstrate what I do when I develop a more advanced site: https://cookdotcom.com.

The Subtle Art of Not Giving a F….

Summaries

https://jamesclear.com/book-summaries/the-subtle-art-of-not-giving-a-fck

https://medium.com/@WilliamStefan/book-summary-1h-the-subtle-art-of-not-giving-a-fuck-17202048e120

Some important takeaways from the book are:

  • Recognize the “Feedback Loop from Hell”
  • The desire for a more positive experience is itself a negative experience. And, paradoxically, the acceptance of one’s negative experience is itself a positive experience.
  • It’s okay for things to suck some of the time.
  • You are responsible for everything in your life: you may not be at fault, but you have to take control

If you’re interested in improving your life, go here:

https://www.garyjohnsoninfo.info/musings/cognitivebt.html

Click on the Link for Rational Emotive Therapy.  If you don’t understand it , read the book.

Click on the link for Definitions of Cognitive Distortions.  Read the book under any circumstances.

 

 

Gary on Privacy

I am going to write up some of my experiences with privacy and other practices for the modern world here. Here is a basic list of topics that you should have some sort of knowledge of: https://ist.mit.edu/security/tips  Some of this is specific to MIT students, like Sophos for protective software. I use the free software for virus and malware protection by Microsoft: Windows Defender for Windows 10 and Security Essentials for Windows 7.

I will be updating this:

A smart thing to do with your email and passwords

I signed up for https://plusprivacy.com/ in April of 2018. It is the European Union’s free app to help you manage your privacy. I am going to see how this works with the Ghostery https://www.ghostery.com/ extension that I use.

For all of these items there are exceptions and overrides that people need to make. You will probably have to trust, that is, override and exempt, your financial and other institutions in the privacy software that you use.

There are many more knowledgeable people and organizations than me.  I will try and give a quick overview of what I take away from some of these more knowledgeable resources.

Number 1 https://www.aarp.org/money/scams-fraud/fraud-watch-network/

Federal Trade Commission Consumer Protection Agency https://www.consumer.ftc.gov/

FBI Internet Crime Complaint Center https://www.ic3.gov/default.aspx

For Computer Professionals
One of my goto resources for over 20 years https://www.sei.cmu.edu/about/divisions/cert/index.cfm

https://epic.org/


+Privacy Whitelisting

a1) Go to Dashboard; on the Ad blocking tab click the “filter settings” button
or
a2) click on the +P icon

If it says ads blocked by this site, click it so that it says

x Ads not blocked by this site.

Ghostery whitelisting

Browse to the site you want to whitelist, click the Ghostery icon, then click “Trust Site”.


+Privacy My Settings

Go to Dashboard, then Ad blocking and Anti Tracking.

I turned off Block Ads; some sites need advertising money.
I turned off Protect against Tracking; that’s what I use Ghostery for.

At this time, I am using +Privacy to help me manage my social media settings.

Child Theme and Plugin Development Cycle

I hope someone who has a better process than this shares some of their secrets.  I am a software engineer who has been developing for WordPress for a few years. I have mostly done projects that were outside of normal WordPress development. For example, I ported a custom CMS into WordPress. I did custom landing pages with a WordPress backend.  For a while I have been editing my plugin code in place, under wp-content.  I make some changes.  I reload the page. Where the F*(&*^ are my changes?  Oh, I forgot to clear the browser cache.  I test my changes on another site.  I clear the browser cache.  Where are my changes? Oh, I forgot to clear the WordPress cache in use.  Still, after clearing both caches, I had some issues with seeing my updates once in a while.  If I only changed a css file or a js file, it sometimes did not update.  Mostly on odd days of the week, even when you change what day of the week it starts on.  You really have to watch this stuff.  Sometimes it’s date related.  Phase of the moon. Rain and inclement weather play a part; sometimes the bit bucket needs emptying.  It is always something.  See https://garyjohnson53.wordpress.com/2016/03/21/computer-problems/  for more suggestions.

So the first thing I do is move the source, to source control. Git is the flavor of the year (previously popular flavors are Mercurial, SVN, CVS, Source Safe ..). Then I document what I think should work. Here is the cycle I use:

– code
I make changes in the hope that one of my mistakes will prove useful, and to move towards my desired effect.  gmgj is the name of my plugin (also its folder etc.)

– touch gmgj.php in the plugin, functions.php in the child theme
Just to be clear, in this case “touch” is a programming term, where you use a utility to update the modified time of a file, even if you have not changed it. #MeToo has a very different use for the term.

– deactivate plugin; sometimes I have had to change the theme, but not so much
– move in new code

I use a bat file, sort of like this:
@echo off

cd "C:\path to source"
rem this is the touch
copy /b gmgj.php +,,
rem this is the move
xcopy "C:\path to source\*.*" "C:\path to WordPress\wp-content\plugins\gmgj\*.*" /s /r /y /q /d /EXCLUDE:excludeus.dat

rem delete the old zip and recreate the new zip; the zip file is what you upload to new WordPress installations to install your plugin
del /Q "C:\path to source\gmgj.zip"
cd "C:\up a level\"
rem this includes some file extensions and excludes others; there are better ways
rem to do this.
rem Why? I keep the project html file and other utility files in the same
rem directory as the project
"C:\Program Files\7-Zip\7z.exe" a "gmgj.zip" -x!gmgj\*.html -x!gmgj\*.dat -i!gmgj\*.php -i!gmgj\*.css -i!gmgj\*.js -i!gmgj\*.JPG

excludeus.dat is:
*.html
*.dat

– hit the WordPress plugin “Clear Cache for Me” on the admin dashboard
– I use the FANTASTIC utility Web Developer clear cache to clear the browser cache

– activate the plugin and cross all fingers and toes.  If that does not help:

– check the php error log, start the browser developer tools and check for other errors
– use php error_log() and javascript console.log()
– if problems like code not updating persist:
– admin logout, close browser

– delete plugin and upload via zip file
– start and stop apache and mysql, restart computer, get a coffee …
– roll version numbers
– ? swing a rubber chicken

I would be remiss if I did not point out that when I call things like wp_enqueue_style and wp_enqueue_script, I use the version parameter like this.  Please note, I did not originally come up with this idea.  When I looked at the source for a number of projects, the following appeared to be standard practice.

// URL of the script (for the browser) and its path on disk (for filemtime()).
$gmgj_js_url  = plugins_url( 'gmgj_test.js', __FILE__ );
// plugin_dir_path() returns the directory of the file passed to it, so build
// the path from this plugin file's directory. Passing 'gmgj_test.js' to it
// directly returns './', and filemtime() would then read the wrong entry.
$gmgj_js_path = plugin_dir_path( __FILE__ ) . 'gmgj_test.js';

wp_enqueue_script(
    'gmgj-test-js',
    $gmgj_js_url,
    array( 'jquery', 'jquery-effects-core', 'jquery-effects-explode' ),
    gmgjversion_id( $gmgj_js_path ),
    true
);

This is the magic that makes the version stuff work: the file’s modification time becomes the ?ver= query string on the script URL, so the browser fetches a fresh copy whenever the file changes.

// Use the file's modification time as the version string for cache busting.
function gmgjversion_id( $pluginpath ) {
    return filemtime( $pluginpath );
    // return '012';
}

Updating the child theme is similar.