Vultr

Deploying WordPress to a Vultr VM via command line

August 20, 2017 by Simon

Here is my guide on setting up WordPress on an Ubuntu server via the command line. Here is my recent guide on the wp-cli tool.

Read my guide on setting up a Vultr VM and installing NGINX web server and MySQL database. Use this link to create a Vultr account. This guide assumes you have a working Ubuntu VM with NGINX web server, MySQL, and SSL.

Consider setting up an SSL certificate (read my guide here on setting up a free SL certificate with Let’s Encrypt). Once again read my guide on Setting up a Vultr server. Also moving WordPress from CPanel to a self-managed server and securing Ubuntu in the cloud. Ensure you are backing up your server (read my guide on How to backup an Ubuntu VM in the cloud via crontab entries that trigger Bash Scripts, SSH, Rsync and email backup alerts).

Ensure MySQL is setup.

mysql --version
mysql  Ver 14.14 Distrib 5.7.19, for Linux (x86_64) using  EditLine wrapper

Ensure your server is setup, firewall enabled (port 80 and 443 enabled), NGINX is installed and working.

Check NGINX version

sudo nginx -v
nginx version: nginx/1.13.3

Check NGINX Status

service nginx status
● nginx.service - A high performance web server and a reverse proxy server
   Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2017-08-18 00:35:13 AEST; 3 days ago
 Main PID: 1276 (nginx)
    Tasks: 3
   Memory: 6.4M
      CPU: 3.218s
   CGroup: /system.slice/nginx.service
           ├─1276 nginx: master process /usr/sbin/nginx -g daemon on; master_process on
           ├─1277 nginx: worker process
           └─1278 nginx: cache manager process

Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.

Check your PHP install status to confirm your setup, put this in a new PHP file (e.g /p.php) and load it to view PHP configuration and to verify PHP setup.

<?php
phpinfo()
?>

First I edited NGINX configuration to allow WordPress to work.

location / {
        try_files $uri $uri/ /index.php?q=$uri&$args;
        index index.php index.html index.htm;
        proxy_set_header Proxy "";
}

Mostly I added this line.

try_files $uri $uri/ /index.php?q=$uri&$args;

I restated NGINX and PHP

nginx -t
nginx -s reload
sudo /etc/init.d/nginx restart
sudo service php7.0-fpm restart

If this config change is not made WordPress will not install or run.

Database

In order to setup WordPress, we need to create a MySQL database/database user before downloading WordPress from the command line.

From an ssh terminal type (and log in with your MySQL root password)

mysql -p
password:

Create a database (choose a database name, add random text).

mysql> create database databasemena123;
Query OK, 1 row affected (0.00 sec)

Create a user and assign them to the blog (choose a username, add random text)

grant all privileges on databasname123.* to 'blogusername123'@'localhost' identified by "siple-password";
ERROR 1819 (HY000): Your password does not satisfy the current policy requirements

If your password is simple you will get this warning.

ERROR 1819 (HY000): Your password does not satisfy the current policy requirements

A 50+ char password with 10 digits and 10 numbers should be ok

mysql> grant all privileges on databasname123.* to 'blogusername123'@'localhost' identified by "xxxxxxxxxxxxxxxxxxxxxxxxremovedxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
Query OK, 0 rows affected, 1 warning (0.00 sec)

You can now apply the permissions and clear the permissions cache.

mysql> flush privileges;
Query OK, 0 rows affected (0.01 sec)
exit;
Bye

Go to your /www folder on your server and run this command to download WordPress.

sudo curl -o wordpress.zip https://wordpress.org/latest.zip

% Total % Received % Xferd Average Speed Time Time Time Current
 Dload Upload Total Spent Left Speed
100 8701k 100 8701k 0 0 6710k 0 0:00:01 0:00:01 --:--:-- 6709k

You can now move any existing temporary index files in your /www folder

mv index.html oldindex.html
mv index.php oldindex.php
p.php oldp.php

ls -al
total 8724
drwxr-xr-x  2 root root    4096 Aug 21 11:17 .
drwxr-xr-x 27 root root    4096 Aug 13 22:27 ..
-rw-r--r--  1 root root      37 Jul 31 11:51 oldindex.html
-rw-r--r--  1 root root      37 Jul 31 11:51 oldindex.php
-rw-r--r--  1 root root      19 Aug 21 11:04 oldp.php
-rw-r--r--  1 root root 8910664 Aug 21 11:16 wordpress.zip

Now I can extract wordpress.zip

First, you need to install unzip

sudo apt-get install unzip

Now Unzip wordpress.zip

unzip wordpress.zip

At this point, I decided to remove all old index files on my website

rm -R /www/old*.*

The unzipped contents are in a sub folder called “wordpress”, we need to move the WordPress contents up a folder.

ls /www/ -al
total 8716
drwxr-xr-x  3 root root    4096 Aug 21 13:22 .
drwxr-xr-x 27 root root    4096 Aug 13 22:27 ..
drwxr-xr-x  5 root root    4096 Aug  2 21:02 wordpress
-rw-r--r--  1 root root 8911367 Aug 21 11:22 wordpress.zip

“wordpress” folder contents.

ls /www/wordpress -al
total 196
drwxr-xr-x  5 root root  4096 Aug  2 21:02 .
drwxr-xr-x  3 root root  4096 Aug 21 13:22 ..
-rw-r--r--  1 root root   418 Sep 25  2013 index.php
-rw-r--r--  1 root root 19935 Jan  2  2017 license.txt
-rw-r--r--  1 root root  7413 Dec 12  2016 readme.html
-rw-r--r--  1 root root  5447 Sep 27  2016 wp-activate.php
drwxr-xr-x  9 root root  4096 Aug  2 21:02 wp-admin
-rw-r--r--  1 root root   364 Dec 19  2015 wp-blog-header.php
-rw-r--r--  1 root root  1627 Aug 29  2016 wp-comments-post.php
-rw-r--r--  1 root root  2853 Dec 16  2015 wp-config-sample.php
drwxr-xr-x  4 root root  4096 Aug  2 21:02 wp-content
-rw-r--r--  1 root root  3286 May 24  2015 wp-cron.php
drwxr-xr-x 18 root root 12288 Aug  2 21:02 wp-includes
-rw-r--r--  1 root root  2422 Nov 21  2016 wp-links-opml.php
-rw-r--r--  1 root root  3301 Oct 25  2016 wp-load.php
-rw-r--r--  1 root root 34327 May 12 17:12 wp-login.php
-rw-r--r--  1 root root  8048 Jan 11  2017 wp-mail.php
-rw-r--r--  1 root root 16200 Apr  6 18:01 wp-settings.php
-rw-r--r--  1 root root 29924 Jan 24  2017 wp-signup.php
-rw-r--r--  1 root root  4513 Oct 14  2016 wp-trackback.php
-rw-r--r--  1 root root  3065 Aug 31  2016 xmlrpc.php

Remove the wordpress.zip in /www/

rm -R /www/wordpress.zip

Move all files from the /www/wordpress/ up a folder to /www/.

sudo mv /www/wordpress/* /www/

Now we can create and upload folder

mkdir /www/wp-content/content/

Apply permissions (or you can never upload to WordPress).

chmod 755 /www/wp-content/uploads/

I think I need to apply permissions here (to allow plugins to upload/update)

chmod 755 /www/wp-content/

Edit the wp-config-sample.php

sudo nano /www/wp-config-sample.php

Add your database name to the WordPress config.

Before:

define('DB_NAME', 'database_name_here');

After:

define('DB_NAME', 'databasemena123');

Add your database username and password to the WordPress config.

Before:

/** MySQL database username */
define('DB_USER', 'username_here');

/** MySQL database password */
define('DB_PASSWORD', 'password_here');

After:

/** MySQL database username */
define('DB_USER', 'blogusername123');

/** MySQL database password */
define('DB_PASSWORD', 'xxxxxxxxxxxxxxxxxxxxxxxxremovedxxxxxxxxxxxxxxxxxxxxxxxxxxxxx');

Go to https://api.wordpress.org/secret-key/1.1/salt/ and copy the salts to your clipboard and replace this in your wp-config-sample.php

define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');

..with paste over whatever you generated (e.g)

define('AUTH_KEY',         '/[email protected];#Tr#6Tz6z^[LUdOvpNREUYT[|SmAN%%V% cyWk]-I%}E+t$#4c5n6vvp');
define('SECURE_AUTH_KEY',  'q_z-F-V#[[Lf<%_4,w#L_nyG|[email protected], YK0GR)R<Lk!.zqH< [email protected],vXmMzG');
define('LOGGED_IN_KEY',    'o}c^Vb$ fyh,J6v9PyF)mdt4(Q_J}`FNOJ9.ag^i+UAUS?lmzwGzp<tV7W(wbb#:');
define('NONCE_KEY',        '<y3&QvdAz;48ZFJBAdsRmC~ejXWiOw{dTWF_)p?^E%D&GdtK2LHGZ|.^rvRF-l$m');
define('AUTH_SALT',        ',e{|+H`i6}[email protected]`kvkF??^?IC&?6W~9SHkqSxvX~z,fR Xn:[email protected]_X^');
define('SECURE_AUTH_SALT', '|g2(y}8olAv_b]>|^jR|-.VU_E[P~PoWprwTKu-mM9-:NEc#2HikST~84ad-Ksyx');
define('LOGGED_IN_SALT',   'sd1:-|ai{<Ferj,|$2+ <ietEFT9 xEe89$[8%{[email protected]{FC(?[pF$oJ[[email protected]]');
define('NONCE_SALT',       '0D]kv-x.?_o^pwKtZI:g}~64vDb.Gdy1cBPQA{?;g(AE|0D)g:=1BrUbKF>T1oIv');

Now save changes to wp-config-sample.php

Rename the sample config file (to make it live)

sudo mv wp-config-sample.php wp-config.php

You can now load your website ( https://www.yourserver.com ) and finish the setup in the WordPress GUI.

WordPress should now be installed and you can log in.

Don’t forget to update your options – /wp-admin/options-general.php

I would recommend you review the options to prevent comment spam – /wp-admin/options-discussion.php

Also if you are using the twentyseventeen theme consider updating your header image (remove the pot plant) 0 /wp-admin/customize.php?theme=twentyseventeen&return=%2Fwp-admin%2Fthemes.php

Signup for a Vulr server here for as low as $2.5 a month or a Digital Ocean server ($10 free credit/2 months, signup for G Suite email on google here and read my guide here.

Read this guide on using the wp-cli tool to automate post-install.

I hope this helps.

Donate and make this blog better

Ask a question or recommend an article
[contact-form-7 id=”30″ title=”Ask a Question”]

v1.1 added wp-cli tool

Securing Ubuntu in the cloud

August 9, 2017 by Simon

It is easy to deploy servers to the cloud within a few minutes, you can have a cloud-based server that you (or others can use). ubuntu has a great guide on setting up basic security issues but what do you need to do.

If you do not secure your server expects it to be hacked into. Below are tips on securing your cloud server.

First, read more on scanning your server with Lynis security scan.

Always use up to date software

Always use update software, malicious users can detect what software you use with sites like shodan.io (or use port scan tools) and then look for weaknesses from well-published lists (e.g WordPress, Windows, MySQL, node, LifeRay, Oracle etc). People can even use Google to search for login pages or sites with passwords in HTML (yes that simple). Once a system is identified by a malicious user they can send automated bots to break into your site (trying millions of passwords a day) or use tools to bypass existing defences (Security researcher Troy Hunt found out it’s child’s play).

Portscan sites like https://mxtoolbox.com/SuperTool.aspx?action=scan are good for knowing what you have exposed.

You can also use local programs like nmap to view open ports

Instal nmap

sudo apt-get install nmap

Find open ports

nmap -v -sT localhost

Starting Nmap 7.01 ( https://nmap.org ) at 2017-08-08 23:57 AEST
Initiating Connect Scan at 23:57
Scanning localhost (127.0.0.1) [1000 ports]
Discovered open port 80/tcp on 127.0.0.1
Discovered open port 3306/tcp on 127.0.0.1
Discovered open port 22/tcp on 127.0.0.1
Discovered open port 9101/tcp on 127.0.0.1
Discovered open port 9102/tcp on 127.0.0.1
Discovered open port 9103/tcp on 127.0.0.1
Completed Connect Scan at 23:57, 0.05s elapsed (1000 total ports)
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00020s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3306/tcp open  mysql
9101/tcp open  jetdirect
9102/tcp open  jetdirect
9103/tcp open  jetdirect

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.17 seconds
           Raw packets sent: 0 (0B) | Rcvd: 0 (0B)

Limit ssh connections

Moving a CPanel domain with email to a self managed VPS and Gmail

August 3, 2017 by Simon

Below is my guide for moving away from NetRegistry CPanel domain to a self-managed server and GSuite email.

I have had www.fearby.com since 1999 on three CPanel hosts (superwerbhost in the US, Jumba in Australia, Uber in Australia (NetRegistry have acquired Uber and performance at the time of writing is terrible)). I was never informed by Uber of the sale but my admin portal was moved from one host to another and each time performance degraded. I tried to speed up WordPress by optimizing images, installing cache plugins but nothing worked, pages were loading in around 24 seconds on https://www.webpagetest.org.

Buy a domain name from Namecheap here.

I had issues with a CPanel domain on the hosts (Uber/Netregistry) as they were migrating domains and the NetRegstry chat rep said I needed to phone Uber for support. No thanks, I’m going self-managed and saving a dollar.

I decided to take ownership of my slow domain and setup my own VM and direct web traffic to it and redirect email to GMail (I have done this before). I have setup Digital Ocean VM’s (Ubuntu and Centos), Vultr VM’s and AWS VM’s.

I have also had enough of Resource Limit Reached messages with CPanel and I can’t wait to…

not have a slow WordPress.
setup my own server (not a slow hosts server).
spend $5 less (we currently pay $25 for a CPanel website with 20GB storage total)
get a faster website (sub 24 seconds load time).
larger email mailboxes (30GB each).
Generate my own “SSL Labs A+ rated” certificate for $10 a year instead of $150 a year for an “SSL Labs C rated” SSL certificate from my existing hosts.

Backup

I have about 10 email accounts on my CPanel domain (using 14GB) and 2x WordPress sites. I want to backup my emails with (Outlook Export and Thunderbird Profile backup) and backup my domain file(s) a few times before I do anything. Once DNS is set in motion no server waits.

The Plan

Once everything is backed up I intend to setup a $5 a month Vulr VM and redirect all mail to Google G Suite (I have redirected mail before).

I will setup a Vultr web server in Sydney (following my guide here), buy an SSL certificate from Namecheap and move my WordPress sites.

Rough Plan

Reduce email accounts from 10x to 3x
Backup emails (twice with ThunderBird and Outlook).
Setup A Ubuntu V on Vultr.
Signup for Google G Suite Trial.
Transfer my domain to Namecheap.
Link to domain DNS to Vultr
Link to domain MX records to Google Email.
Transfer website.
Setup emails on google.
Restore WordPress.
Go live.
Downgrade to personal G Suite before the trial expires
Close down the old server.

Signing up for Google G Suite

I visited https://gsuite.google.com/ and started creating an account.

Get 20% off your first year by signing up for Google G Suite using this link: https://goo.gl/6vpuMm

I created a link between G Suite and an existing GMail account.

Now I can create the admin account.

Tip: Don’t use any emails that are linked as secondary emails with any Google services (this won’t be allowed). It’s s a well-known issue that you cannot add users emails who are linked to Google services (even as backup emails for Gmail, detach the email before adding it). Read more here.

Final setup steps.

Now I can add email accounts to G Suite.

Adding email users to G Suite.

The next thing I had to do was upload a file to my domain to verify I own the domain (DNS verification is also an option).

I must say the setup and verify steps are quite easy to follow on G Suite.

Time to backup our existing CPanel site.

Backup Step 1 (hopefully I won’t need this)

I decided to grab a complete copy of my CPanel domain with domains, databases and email accounts. This took 24 hours.

Backup Step 2 (hopefully I won’t need this)

I download all mail via IMAP in Outlook and Mozilla Thunderbird and export it (Outlook Export and Thunderbird Profile backup). Google have IMAP instructions here.

DNS Changes at Namecheap

I obtained my domain EPP code from my CPanel hosts and transferred the domain name to Namecheap.

Namecheap was even nice enough to set my DNS point to my existing domain so I did not have to rush a move before DNS propagation.

P.S The Namecheap Chat Staff and Namecheap Mobile App is awesome.

Having backed up everything I logged into Namecheap and set my DNS to “NameCheap BasicDNS” and then went “Advanced DNS” and set appropriate DNS records for my domain. This assumes you have setup a VM with IPV4 and IPV6 (follow my guide here).

A Record @ IPV4_OF_MY_VULTR_SERVER
A Record www IPV4_OF_MY_VULTR_SERVER
A Record ftp IPV4_OF_MY_VULTR_SERVER
AAAA Record @ IPV6_OF_MY_VULTR_SERVER
AAAA Record www IPV6_OF_MY_VULTR_SERVER
AAAA Record ftp IPV6_OF_MY_VULTR_SERVER
C Name www fearby.com

The Google G Suite also asked me to add these following MX records to the DNS records.

MX Record @ ASPMX.L.GOOGLE.COM. 1
MX Record @ ASPMX1.L.GOOGLE.COM. 5
MX Record @ ASPMX2.L.GOOGLE.COM. 5
MX Record @ ASPMX3.L.GOOGLE.COM. 10
MX Record @ ASPMX4.L.GOOGLE.COM. 10

Then it was a matter of telling Google DNS changes were made (once DNS has replicated across the US).

My advice is to set DNS changes before bed as it can take 12 hours.

Sites like https://www.whatsmydns.net/ are great for keeping track of DNS replication.

Transferring WordPress

I logged into the CPanel and exported my WordPress Database (34MB SQL file).

I had to make the following PHP.ini changes to allow the larger file size restore uploads with the Adminer utility (default is 2mb). I could not get the server side adminer.sls.gz option to restore the database?

post_max_size = 50M
upload_max_filesize = 50M

# do change back to 2MB after you restore the files to prevent DOS attacks.

I had to make the following changes to nginx.conf (to prevent 404 errors on the database upload)

client_max_body_size 50M;
# client_max_body_size 2M; Reset when done

I also had to make these changes to NGINX (sites-available/default) to allow WordPress to work

# Add index.php to the list if you are using PHP
	index index.php index.html index.htm;

location / {
        # try_files $uri $uri/ =404;
        try_files $uri $uri/ /index.php?q=$uri&$args;
        index index.php index.html index.htm;
        proxy
}

I had a working MySQL (I followed my guide here).

Adminer is the best PHP MySQL management utility (beats PhpMyAdmin hands down).

Restart NGINX and PHP

nginx -t
nginx -s reload
sudo /etc/init.d/nginx restart
sudo service php7.0-fpm restart

I had an error on database import, a non-descript error in script line 1 (error hint here).

A simple search and replace in the SQL fixed it.

Once I had increased PHP uploads to 50M and Nginx I was able to upload my database backup with Adminer (just remember to import to the created database that matches. the wp-config.php. Also, ensure your WordPress content is in place too.

The only other problem I had was WordPress gave an “Error 500” so moved few plugins an all was good.

Importing Old Email

I was able to use the Google G Suite tools to import my old Mail (CPanel IMAP to Google IMAP).

I love root access on my own server now, goodbye CPanel “Usage Limit Exceeded” errors (I only had light traffic on my site).

My self-hosted WordPress is a lot snappier now, my server has plenty of space (and only costs $0.007c and hour for 1x CPU, 1GB ram, 25GB SSD storage and 1000GB data transfer quota). I use the htop command to view system processor and disk space usage.

I can now have more space for content and not be restricted by tight hosts disk quotas or slow shared servers. I use the pydf command to view dis space.

pydf
Filesystem Size  Used

Avail

 Use%                                                    Mounted on
/dev/vda1   25G 3289M

20G

 13.1 [######..........................................] /
/www/wp-content#

I use ncdu to view folder usage.

Installing ncdu

sudo apt-get install ncdu
Reading package lists... Done
Building dependency tree
Reading state information... Done
ncdu is already the newest version (1.11-1build1).
0 upgraded, 0 newly installed, 0 to remove and 58 not upgraded.

Type ncdu in the folder you want to browse under.

ncdu

You can arrow up and down folder structures and view folder/file usage.

SSL Certificate

I am setting up a new multi year SS cert now, I will update this guide later. I had to read my SSL guide with Digital Ocean here.

I generated some certificate on my server

cd ~/
kdir sslcsrmaster4096
cd sslcsrmaster4096/
openssl req -new -newkey rsa:4096 -nodes -keyout domain.key -out domain.csr

Sample output for a new certificate

openssl req -new -newkey rsa:4096 -nodes -keyout dummy.key -out dummy.csr
Generating a 4096 bit RSA private key
.................................................................................................++
......++
writing new private key to 'dummy.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: AU
State or Province Name (full name) [Some-State]: NSW
Locality Name (eg, city) []:Tamworth
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Dummy Org
Organizational Unit Name (eg, section) []: Dummy Org Dept
Common Name (e.g. server FQDN or YOUR name) []: DummyOrg
Email Address []: [email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: password
An optional company name []: DummyCO
[email protected]:~/sslcsrmaster4096# cat dummy.csr
-----BEGIN CERTIFICATE REQUEST-----
MIIFAjCCAuoCAQAwgYsxCzAJBgNVBAYTAkFVMQwwCgYDVQQIDANOU1cxETAPBgNV
BAcMCFRhbXdvcnRoMRIwEAYDVQQKDAlEdW1teSBPcmcxFzAVBgNVBAsMDkR1bW15
IE9yZyBEZXB0MREwDwYDVQQDDAhEdW1teU9yZzEbMBkGCSqGSIb3DQEJARYMbWVA
ZHVtbXkub3JnMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA6PUtWkRl
+gL0Hx354YuJ5Sul2Xh+ljILSlFoHAxktKlE+OJDJAtUtVQpo3/F2rGTJWmmtef+
shortenedoutput
swrUzpBv8hjGziPoVdd8qdAA2Gh/Y5LsehQgyXV1zGgjsi2GN4A=
-----END CERTIFICATE REQUEST-----

I then uploaded the certificate to Namecheap for an SSL cert registration.

I selected DNS C Name record as a way to verify I own my domain.

I am now waiting for Namecheap to verify my domain

End of the Google G Suite Business Trial

Before the end of the 14-day trial, you will need to add billing details to keep the email working.

At this stage, you can downgrade from a $10/m business account per user to a $5/m per user account if you wish. The only loss would be storage and google app access.

Get 20% off your first year by signing up for Google G Suite using this link: https://goo.gl/6vpuMm

Before your trial ends, add your payment details and downgrade from $10/user a month business prices to $5/iser a month individual if needed.

G Suite Troubleshooting

I was able to access new G Suite email account via gmail.com but not via Outlook 2015? I reset the password, followed the google troubleshooting guide and used the official incoming and outgoing settings but nothing worked.

Google phone support suggested I enable less secure connection settings as Google firewall may be blocking Outlook. I know the IMAP RFC is many years old but I doubt Microsoft are talking to G Suite in a lazy manner.

Now I can view my messages and I can see one email that said I was blocked by the firewall. Google phone support and faqs don’t say why Outlook 2015 SSL based IMAP was blocked?

Conclusion

Thanks to my wife who put up with my continual updates over the entire domain move. Voicing the progress helped me a lot.

Donate and make this blog better

Ask a question or recommend an article
[contact-form-7 id=”30″ title=”Ask a Question”]

V1.8 added ad link

Securing an Ubuntu VM with a free LetsEncrypt SSL certificate in 1 Minute

July 29, 2017 by Simon

I visited https://letsencrypt.org/ where it said Let’s Encrypt is a free, automated, and open SSL Certificate Authority. That sounds great, time to check them out. This may not take 1 minute on your server but it did on mine (a self-managed Ubuntu 16.04/NGINX server). If you are not sure why you need an SSL cert read Life Is About to Get a Whole Lot Harder for Websites Without Https from Troy hunt.

FYI you can set up an Ubuntu Vutur VM here (my guide here) for as low as $2.5 a month or a Digital Ocean VM server here (my guide here) for $5 a month, billing is charged to the hour and is cheap as chips.

Buy a domain name from Namecheap here.

But for the best performing server read my guide on the awesome UpCloud VM hosts (get $25 free credit by signing up here). Also read my recent post on setting up Lets Encrypt on sub domains.

I clicked Get Started and read the Getting started guide. I was redirected to https://certbot.eff.org/ where it said: “Automatically enable HTTPS on your website with EFF’s Certbot, deploying Let’s Encrypt certificates.“. I was asked what web server and OS I use..

I confirmed my Linux version

lsb_release -a

Ensure your NGINX is setup (read my Vultr guide here) and you have a”server_name” specified in the “/etc/nginx/sites-available/default” file.

e.g

server_name yourdomain.com www.yourdomain.com;

I also like to set “root” to “/www” in the NGINX configuration.

e.g

root /www;

Tip: Ensure the www folder is set up first and has ownership.

mkdir /www
sudo chown -R www-data:www-data /www

Also, make and verify the contents of a /www /index.html file.

echo "Hello World..." > /www/index.html && cat /www/index.html

I then selected my environment on the site (NGINX and Ubuntu 16.04) and was redirected to the setup instructions.

FYI: I will remove mention of my real domain and substitute with thesubdomain.thedomain.com for security in the output below.

I was asked to run these commands

sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-nginx

Detailed instructions here.

Obtaining an SSL Certificate

I then ran the following command to automatically obtain and install (configure NGINX) an SSL certificate.

sudo certbot --nginx

Output

sudo certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):Invalid email address: .
Enter email address (used for urgent renewal and security notices)  If you
really want to skip this, you can run the client with
--register-unsafely-without-email but make sure you then backup your account key
from /etc/letsencrypt/accounts   (Enter 'c' to cancel): [email protected]

-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree
in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A

-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: Y

Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: thesubdomain.thedomain.com
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):1
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for thesubdomain.thedomain.com
Waiting for verification...
Cleaning up challenges
Deployed Certificate to VirtualHost /etc/nginx/sites-enabled/default for set(['thesubdomain.thedomain.com', 'localhost'])
Please choose whether HTTPS access is required or optional.
-------------------------------------------------------------------------------
1: Easy - Allow both HTTP and HTTPS access to these sites
2: Secure - Make all requests redirect to secure HTTPS access
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/default

-------------------------------------------------------------------------------
Congratulations! You have successfully enabled https://thesubdomain.thedomain.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=thesubdomain.thedomain.com
-------------------------------------------------------------------------------

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/thesubdomain.thedomain.com/fullchain.pem. Your cert will expire on 2017-10-27. To obtain a new or tweaked version
   of this certificate in the future, simply run certbot again with
   the "certonly" option. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

That was the easiest SSL cert generation in history.

SSL Certificate Renewal (dry run)

sudo certbot renew --dry-run

Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/thesubdomain.thedomain.com.conf
-------------------------------------------------------------------------------
Cert not due for renewal, but simulating renewal for dry run
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for thesubdomain.thedomain.com
Waiting for verification...
Cleaning up challenges

-------------------------------------------------------------------------------
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/thesubdomain.thedomain.com/fullchain.pem
-------------------------------------------------------------------------------
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/thesubdomain.thedomain.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)

IMPORTANT NOTES:
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.

SSL Certificate Renewal (Live)

certbot renew

The Lets Encrypt SSL certificate is only a 90-day certificate.

Again: The Lets Encrypt SSL certificate is only a 90-day certificate.

I’ll run “certbot renew” again 2 months time to manually renew the certificate (and configure my higher security configuration (see below)).

Certbot NGINX Config renew (what did it do)

It’s nice to see forces HTTPS added to the configuration

if ($scheme != "https") {
   return 301 https://$host$request_uri;
} # managed by Certbot

Cert stuff added

    listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/thesubdomain.thedomain.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/thesubdomain.thedomain.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot

Contents of /etc/letsencrypt/options-ssl-nginx.conf

ssl_session_cache shared:le_nginx_SSL:1m;
ssl_session_timeout 1440m;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;

ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";

This contains too many legacy cyphers for my liking.

I changed /etc/letsencrypt/options-ssl-nginx.conf to tighten ciphers and add TLS 1.3 (as my NGINX Supports it).

ssl_session_cache shared:le_nginx_SSL:1m;
ssl_session_timeout 1440m;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;

ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";

Enabling OCSP Stapling and Strict Transport Security in NGINX

I add the following to /etc/nginx/sites/available/default

# OCSP (Online Certificate Status Protocol) is a protocol for checking if a SSL certificate has been revoked
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx => 1.3.7
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";

Restart NGINX.

sudo nginx -t
sudo nginx -s reload
sudo /etc/init.d/nginx restart

SSL Labs SSL Score

I am happy with this.

Read my guide on Beyond SSL with Content Security Policy, Public Key Pinning etc

Automatic SSL Certificate Renewal

There are ways to auto renew the SSL certs floating around YouTube but I’ll stick to manual issue and renewals of SSL certificates.

SSL Checker Reports

‘I checked the certificate with other SSL checking sites.

NameCheap SSL Checker – https://decoder.link/sslchecker/ (Passed). I did notice that the certificate will expire in 89 days (I was not aware of that). I guess a free 90-day certificate for a noncritical server is OK (as long as I renew it in time).

CertLogik – https://certlogik.com/ssl-checker/ (OK)

Comodo – https://sslanalyzer.comodoca.com (OK)

Lets Encrypt SSL Certificate Pros

Free.
Secure.
Easy to install.
Easy to renew.
Good for local, test or development environments.
It auto-detected my domain name (even a subdomain)

Lets Encrypt SSL Certificate Cons

The auto install process does not setup OCSP Stapling (I configured NGINX but the certificate does not support it may be to limit the Certificate Authority resources handing the certificate revocation checks).
The auto install process does not setup HSTS. (I enabled it in NGINX manually).
The auto install process does not setup HPKP. More on enabling Public Key Pinning in NGINX here.
Too many cyphers installed by default.
No TLS 1.3 installed by default by the install process in my NGINX config in the default certbot secure auto install (even though my NGINX supports it). More on enabling TLS 1.3 in NGINX here.

Read my guide on Beyond SSL with Content Security Policy, Public Key Pinning etc

I’d recommend you follow these Twitter security users

http://twitter.com/GibsonResearch

https://twitter.com/troyhunt

https://twitter.com/0xDUDE

Troubleshooting

I had one server were certbot failed to verify the SSL and said I needed a public routable IP (it was) and that the firewall needed to be disabled (it was). I checked the contents of “/etc/nginx/sites-available/default” and it appeared no additional SSL values were added (not even listening on port 443?????).

I am viewing: /var/log/letsencrypt/letsencrypt.log

Forcing Certificate Renewal

Run the following command to force a certificate to renew outside the crontab renewal window.

certbot renew --force-renew

Conclusion

Free is free but I’d still use paid certs from Namecheap for important stuff/sites, not having OCSP stapling on the CA and 90-day certs is a deal breaker for me. The Lets Encrypt certificate is only a 90-day certificate (I’d prefer a 3-year certificate).

A big thank you to Electronic Frontier Foundation for making this possible and providing a free service (please donate to them)..

Lets Encrypt does recommend you renew certs every 60 days or use auto-renew tools but rate limits are in force and Lets Encrypt admit their service is young (will they stick around)? Even Symantec SSL certs are at risk.

Happy SSL’ing.

Check out the extensive Hardening a Linux Server guide at thecloud.org.uk: https://thecloud.org.uk/wiki/index.php?title=Hardening_a_Linux_Server

fyi, I followed this guide setting up Let’s Encrypt on Ubuntu 18.04.

Read my guide on the awesome UpCloud VM hosts (get $25 free credit by signing up here).

Donate and make this blog better

Ask a question or recommend an article
[contact-form-7 id=”30″ title=”Ask a Question”]

v1.8 Force Renew Command

v1.7 Ubuntu 18.94 info

V1.62 added hardening Linux server link

Type	Protocol	Port Range	Source	Comment
HTTP	TCP	80	0.0.0.0/0	Opens a web server port for later
All ICMP	ALL	N/A	0.0.0.0/0	Allows you to ping
All traffic	ALL	All	0.0.0.0/0	Not advisable long term but OK for testing today.
SSH	TCP	22	0.0.0.0/0	Not advisable, try and limit this to known IP’s only.
HTTPS	TCP	443	0.0.0.0/0	Opens a secure web server port for later

Personal Development Blog...

Coding for fun since 1996, Learn by doing and sharing.

Buy a domain name, then create your own server (get $25 free credit)

View all of my posts.

Vultr

Deploying WordPress to a Vultr VM via command line

Moving a CPanel domain with email to a self managed VPS and Gmail

Securing an Ubuntu VM with a free LetsEncrypt SSL certificate in 1 Minute

Popular

Security

Code

Tech

Wordpress

General

Vultr

Footer

Popular

Security

Code

Tech

Wordpress

General