Code, Security and Server Stuff
Views are my own and not my employer's
This is how I setup Certification Authority Authorization (CAA) DNS record(s) to prevent https cert issue/misuse on my domain and 1 sub domain.
Read the full article here: https://fearby.com/article/setup-a-certification-authority-authorization-caa-dns-records-to-prevent-https-cert-issue-misuse/
On February 22nd 2017 CAA’s that issue https certificates are required to check what CAA’s are allowed to issue HTTP’s certificates for a website. To limit who can create HTTP’s certificates for your site all you need to do is specify a number of DNS records.
Advertisement:
Before adding DNS CAA records ensure you have enabled DNSSEC for extra security, this is not needed to setup CAA records but it’s a good idea.
DNSSEC Explained
Read my post here on setting up DNSSEC with Cloudflare here.
Namecheap allows you do set DNSSEC with 1 click (making the above guide not required unless you use Cloudflare).
First, test DNSSEC on your website here: https://dnssec-analyzer.verisignlabs.com/ (I already have DNSSEC enabled)
I use Namecheap for buying domains and HTTP’s certs (you can buy a new domain here). Namecheap allow you to easily enable DNSSEC and CAA DNS records.
Read Namecheap’s CAA guide here.
Scott Helme tagged a great write up on CAA here.
CAA is probably the best bang for buck you’re going to get! https://t.co/pvThaQ8qFl
— Scott Helme (@Scott_Helme) March 14, 2019
Advertisement:
Go to https://dev.ssllabs.com/ssltest/ and scan your website
You will see if CAA is enabled after the https test is complete (scroll past the rating)
In my case CAA records were not detected.
I logged into Namecheap, clicked Manage domain and clicked the Advanced DNS tab
Advertisement:
Here are records for my main domain (allowing Comodo/Sectigo HTTP’s certificates only)
1 2 3 4 5 6 7 | Type, Host, Value, TTL CAA Record @ 0 issue "comodoca.com" Automatic CAA Record @ 0 issue "comodo.com" Automatic CAA Record @ 0 issue "usertrust.com" Automatic CAA Record @ 0 issue "trust-provider.com" Automatic CAA Record @ 0 issue "sectigo.com" Automatic |
Here is my record allowing a sub domain (allowing Lets Encrypt HTTP’s certificates only)
1 2 3 | Type, Host, Value, TTL CAA Record audit.fearby.com 0 issue "letsencrypt.org" Automatic |
It is also possible to setup email alerts of CAA violations where CAA’s support it. I setup a caa@fearby.com email alias.
1 2 3 4 | Type, Host, Value, TTL CAA Record audit.fearby.com 0 iodef "mailto:caa@fearby.com" Automatic CAA Record@ 0 iodef "mailto:caa@fearby.com" Automatic |
Image of my final Namecheap DNS config.
Advertisement:
I visited https://dev.ssllabs.com/ssltest/ and performed a final scan.
Pass 🙂
I do have real time remote server monitoring reporting on https presence and uptime, read the post here.
Plug(s)
I had an issue where I failed to update my DNS (and define a CAA record) for the sub domain used for Nixstat reporting. I was receiving this error.
dev.ssllabs.com was reporting the cert expired?
The awesome chat support (Vincent) over at Nixstats found out it was because I did not have CAA record for the sub domain allowing “letsencrypt.org” to generate certs.
If you manually renew a Lets Encrypt cert with the following command without a CAA record you will see an error
> certbot -q renew
Error Output
Attempting to renew cert (subdomain.fearby.com) from /etc/letsencrypt/renewal/
subdomain.fearby.com.conf produced an unexpected error: Failed authorization procedure.
subdomain.fearby.com (http-01): urn:acme:error:caa :: CAA record for
subdomain.fearby.com prevents issuance. Skipping.
All renewal attempts failed.
DNS additions and changes take a while to propagate so monitor Whats My DNS for change status
Thanks for reading.
For simplicity I have removed all sub domain CAA settings for records and only set global ones
Revision History
v1.2 Troubleshooting
v1.1 Plugs
v1.0 initial Post
This is how I set up a dedicated Debian subdomain (VM), Installed MySQL 14 and connected to it from a WordPress installation on a different VM
Read the full article here: https://fearby.com/article/setup-a-dedicated-debian-subdomain-vm-install-mysql-14-and-connect-to-it-from-a-wordpress-on-a-different-vm
This is how I setup DNSSEC on a Namecheap domain hosted on UpCloud using CloudFlare to setup DNS security extensions.
Read the full article here: https://fearby.com/article/setting-up-dnssec-on-a-namecheap-domain-hosted-on-upcloud-using-cloudflare/
This is how I setup DNSSEC on a Namecheap domain hosted on UpCloud using CloudFlare to setup DNS security extensions
Advertisement:
If you have not read my previous posts I have now moved my blog to the awesome UpCloud host (signup using this link to get $25 free UpCloud VM credit). I compared Digital Ocean, Vultr and UpCloud Disk IO here and UpCloud came out on top by a long way (read the blog post here). Here is my blog post on moving from Vultr to UpCloud.
About DNSSEC
Wikipedia has a great write-up on DNSSEC also read the ICANN page on DNSSEC.
Snip “DNSSEC is a set of extensions to DNS which provide to DNS clients (resolvers) origin authentication of DNS data, authenticated denial of existence, and data integrity, but not availability or confidentiality.”
https://daniellbenway.net has a great video explaining DNSSEC
Handy DNSSEC Links
Let’s view my DNSSEC status now
https://dnssec-analyzer.verisignlabs.com/ can help you check your sites DNSSEC status.
Prerequisites
This guide assumes you have already purchased a domain and set it up with say UpCloud hosting (read my setup guide here).
Buy a domain name from Namecheap here.
Read my old guide here that I created while setting up Cloudflare on the Vultr host to see how to setup Cloudflare.
Setting up DNSSEC
First I logged into My Namecheap account, selected my domain, selected Advanced DNS and enabled DNSSEC.
I can see a number of values for DNSSEC KeyType/Algorithm/Digest Type and Digest. Below are the options in the dropdowns for Algorithm and Digest Type.
DNSSEC Algorithms
DNSSEC Digest Types
I contacted NameCheap support and they said I needed to contact my UpCloud hosts to get relevant DNSSEC values.
My domain was purchased at NameCheap but by domain routers by Cloudflare DNS.
Advertisement:
By chance, I logged into my Cloudflare account and noticed they have a DNSSEC section under DNS. Nice.
I enabled DNSSEC
Cloudflare offers all the relevant DNSSEC values.
I entered these values into Namecheap under Advanced DNS on my domain.
After 5 mins re-ran the DNSSEC Analyzr tool.
Hmmm, Cloudflare seem to think something is wrong 🙁
I ran a DNS DS Lookup on my site. Everything appears ok.
I re-added the record in Namecheap and waited for 15 mins and this time Cloudflare was happy. Maybe I just needed to wait for DNS replication a little longer?
I tested my DNS serves with DNS Root Canary
I tested my site’s DNSSEC with https://zonemaster.iis.se/
Done
Skipping Cloudflare
I found that I can simply skip cloudflare by enabling Premium DNS at Namecheap
Then enabling DNSSEC
Easy (totally independant of Cloudflare)
I hope this guide helps someone.
Advertisement:
Please consider using my referral code and get $25 UpCloud VM credit for free.
https://www.upcloud.com/register/?promo=D84793
Ask a question or recommend an article
Revision History
V1.3 Namecheap DNSSEC
V1.2 ICANN DNSSEC link
V1.1 https://daniellbenway.net explainer video.
v1.0 Initial Post
Below is how I setup my OSX to use Cloudflare’s new DNS servers to speed up internet browsing and add privacy on OSX
Advertisement:
Cloudflare has launched a DNS service: https://blog.cloudflare.com/announcing-1111/
DNS Performance
You can view worldwide DNS performance by viewing https://www.dnsperf.com/#!dns-providers
I check the DNS at my router, I am using ISP provided DNS servers.
Cloudflare DNS
On April Fools 2018 Cloudflare Released a DNS server service.
Snip from here: “DNS: Internet’s Directory Nearly everything on the Internet starts with a DNS request. DNS is the Internet’s directory. Click on a link, open an app, send an email and the first thing your device does is ask the directory: Where can I find this? Unfortunately, by default, DNS is usually slow and insecure. Your ISP, and anyone else listening in on the Internet, can see every site you visit and every app you use — even if their content is encrypted. Creepily, some DNS providers sell data about your Internet activity or use it target you with ads.”
Set Cloudflare Nameservers using OSX
Open the Apple System Preferences, click Network, click on your Network (Wifi or ethernet), Click Advanced then DNS and add 1.1.1.1 and 1.0.0.1
Alternatively, you can manually set your DNS servers in OSX by editing the /etc/resolv.conf, by default SX will inherit DNS settings from our router.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 | cat /etc/resolv.conf # # macOS Notice # # This file is not consulted for DNS hostname resolution, address # resolution, or the DNS query routing mechanism used by most # processes on this system. # # To view the DNS configuration used by this system, use: # scutil --dns # # SEE ALSO # dns-sd(1), scutil(8) # # This file is automatically generated. # domain home nameserver 1.1.1.1 nameserver 1.0.0.1 |
Troubleshooting: Clear DNS Cache
1 | sudo killall -HUP mDNSResponder |
Debug DNS Data
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 | scutil --dns DNS configuration resolver #1 search domain[0] : home nameserver[0] : 1.1.1.1 nameserver[1] : 1.0.0.1 flags : Request A records reach : 0x00000002 (Reachable) resolver #2 domain : local options : mdns timeout : 5 flags : Request A records reach : 0x00000000 (Not Reachable) order : 300000 resolver #3 domain : 254.169.in-addr.arpa options : mdns timeout : 5 flags : Request A records reach : 0x00000000 (Not Reachable) order : 300200 resolver #4 domain : 8.e.f.ip6.arpa options : mdns timeout : 5 flags : Request A records reach : 0x00000000 (Not Reachable) order : 300400 resolver #5 domain : 9.e.f.ip6.arpa options : mdns timeout : 5 flags : Request A records reach : 0x00000000 (Not Reachable) order : 300600 resolver #6 domain : a.e.f.ip6.arpa options : mdns timeout : 5 flags : Request A records reach : 0x00000000 (Not Reachable) order : 300800 resolver #7 domain : b.e.f.ip6.arpa options : mdns timeout : 5 flags : Request A records reach : 0x00000000 (Not Reachable) order : 301000 DNS configuration (for scoped queries) resolver #1 search domain[0] : home nameserver[0] : 1.1.1.1 nameserver[1] : 1.0.0.1 if_index : 7 (en0) flags : Scoped, Request A records reach : 0x00000002 (Reachable) |
Confirm Cloudflare DNS from the OSX Comand line
1 2 3 4 5 6 7 8 9 | nslookup www.fearby.com Server: 1.1.1.1 Address: 1.1.1.1#53 Non-authoritative answer: Name: www.fearby.com Address: 104.27.154.69 Name: www.fearby.com Address: 104.27.155.69 |
Privacy
I am not sure if Cloudflare is any more private than using ISP DNS but I’ll happily use it.
Several people have asked me about Cloudflare’s new 1.1.1.1 privacy DNS service. To be clear: it DOES NOT stop your ISPs from collecting your browsing history. ISPs can still see the sites you’re connecting to — even if the site is over HTTPS. You will still send a hostname.
— Zack Whittaker (@zackwhittaker) April 2, 2018
Speed
I can’t tell if DNS is faster, I did ping my ISP DNS before switching and it was about the same (sub 25ms), time will tell.
Conclusion
I have used https://www.opendns.com/ before and loved the dashboards, I hope Cloudflare add dashboard options too.
I hope this guide helps someone.
Ask a question or recommend an article
Revision History
v1.0 Initial post
Below is my guide for moving away from NetRegistry CPanel domain to a self-managed server and GSuite email.
Advertisement:
I have had www.fearby.com since 1999 on three CPanel hosts (superwerbhost in the US, Jumba in Australia, Uber in Australia (NetRegistry have acquired Uber and performance at the time of writing is terrible)). I was never informed by Uber of the sale but my admin portal was moved from one host to another and each time performance degraded. I tried to speed up WordPress by optimizing images, installing cache plugins but nothing worked, pages were loading in around 24 seconds on https://www.webpagetest.org.
Buy a domain name from Namecheap here.
I had issues with a CPanel domain on the hosts (Uber/Netregistry) as they were migrating domains and the NetRegstry chat rep said I needed to phone Uber for support. No thanks, I’m going self-managed and saving a dollar.
Advertisement:
I decided to take ownership of my slow domain and setup my own VM and direct web traffic to it and redirect email to GMail (I have done this before). I have setup Digital Ocean VM’s (Ubuntu and Centos), Vultr VM’s and AWS VM’s.
I have also had enough of Resource Limit Reached messages with CPanel and I can’t wait to…
Backup
I have about 10 email accounts on my CPanel domain (using 14GB) and 2x WordPress sites. I want to backup my emails with (Outlook Export and Thunderbird Profile backup) and backup my domain file(s) a few times before I do anything. Once DNS is set in motion no server waits.
The Plan
Once everything is backed up I intend to setup a $5 a month Vulr VM and redirect all mail to Google G Suite (I have redirected mail before).
I will setup a Vultr web server in Sydney (following my guide here), buy an SSL certificate from Namecheap and move my WordPress sites.
Rough Plan
Signing up for Google G Suite
I visited https://gsuite.google.com/ and started creating an account.
Get 20% off your first year by signing up for Google G Suite using this link: https://goo.gl/6vpuMm
I created a link between G Suite and an existing GMail account.
Now I can create the admin account.
Tip: Don’t use any emails that are linked as secondary emails with any Google services (this won’t be allowed). It’s s a well-known issue that you cannot add users emails who are linked to Google services (even as backup emails for Gmail, detach the email before adding it). Read more here.
Final setup steps.
Now I can add email accounts to G Suite.
Adding email users to G Suite.
The next thing I had to do was upload a file to my domain to verify I own the domain (DNS verification is also an option).
I must say the setup and verify steps are quite easy to follow on G Suite.
Time to backup our existing CPanel site.
Backup Step 1 (hopefully I won’t need this)
I decided to grab a complete copy of my CPanel domain with domains, databases and email accounts. This took 24 hours.
Backup Step 2 (hopefully I won’t need this)
I download all mail via IMAP in Outlook and Mozilla Thunderbird and export it (Outlook Export and Thunderbird Profile backup). Google have IMAP instructions here.
DNS Changes at Namecheap
I obtained my domain EPP code from my CPanel hosts and transferred the domain name to Namecheap.
Namecheap was even nice enough to set my DNS point to my existing domain so I did not have to rush a move before DNS propagation.
P.S The Namecheap Chat Staff and Namecheap Mobile App is awesome.
Having backed up everything I logged into Namecheap and set my DNS to “NameCheap BasicDNS” and then went “Advanced DNS” and set appropriate DNS records for my domain. This assumes you have setup a VM with IPV4 and IPV6 (follow my guide here).
The Google G Suite also asked me to add these following MX records to the DNS records.
Then it was a matter of telling Google DNS changes were made (once DNS has replicated across the US).
My advice is to set DNS changes before bed as it can take 12 hours.
Sites like https://www.whatsmydns.net/ are great for keeping track of DNS replication.
Transferring WordPress
I logged into the CPanel and exported my WordPress Database (34MB SQL file).
I had to make the following PHP.ini changes to allow the larger file size restore uploads with the Adminer utility (default is 2mb). I could not get the server side adminer.sls.gz option to restore the database?
1 2 3 4 | post_max_size = 50M upload_max_filesize = 50M # do change back to 2MB after you restore the files to prevent DOS attacks. |
I had to make the following changes to nginx.conf (to prevent 404 errors on the database upload)
1 2 | client_max_body_size 50M; # client_max_body_size 2M; Reset when done |
I also had to make these changes to NGINX (sites-available/default) to allow WordPress to work
1 2 3 4 5 6 7 8 9 | # Add index.php to the list if you are using PHP index index.php index.html index.htm; location / { # try_files $uri $uri/ =404; try_files $uri $uri/ /index.php?q=$uri&$args; index index.php index.html index.htm; proxy } |
I had a working MySQL (I followed my guide here).
Adminer is the best PHP MySQL management utility (beats PhpMyAdmin hands down).
Restart NGINX and PHP
1 2 3 4 | nginx -t nginx -s reload sudo /etc/init.d/nginx restart sudo service php7.0-fpm restart |
I had an error on database import, a non-descript error in script line 1 (error hint here).
A simple search and replace in the SQL fixed it.
Once I had increased PHP uploads to 50M and Nginx I was able to upload my database backup with Adminer (just remember to import to the created database that matches. the wp-config.php. Also, ensure your WordPress content is in place too.
The only other problem I had was WordPress gave an “Error 500” so moved few plugins an all was good.
Importing Old Email
I was able to use the Google G Suite tools to import my old Mail (CPanel IMAP to Google IMAP).
I love root access on my own server now, goodbye CPanel “Usage Limit Exceeded” errors (I only had light traffic on my site).
My self-hosted WordPress is a lot snappier now, my server has plenty of space (and only costs $0.007c and hour for 1x CPU, 1GB ram, 25GB SSD storage and 1000GB data transfer quota). I use the htop command to view system processor and disk space usage.
I can now have more space for content and not be restricted by tight hosts disk quotas or slow shared servers. I use the pydf command to view dis space.
1 2 3 4 | pydf Filesystem Size Used <strong>Avail</strong> Use% Mounted on /dev/vda1 25G 3289M <strong>20G</strong> 13.1 [######..........................................] / /www/wp-content# |
I use ncdu to view folder usage.
Installing ncdu
1 2 3 4 5 6 | sudo apt-get install ncdu Reading package lists... Done Building dependency tree Reading state information... Done ncdu is already the newest version (1.11-1build1). 0 upgraded, 0 newly installed, 0 to remove and 58 not upgraded. |
Type ncdu in the folder you want to browse under.
1 | ncdu |
You can arrow up and down folder structures and view folder/file usage.
SSL Certificate
I am setting up a new multi year SS cert now, I will update this guide later. I had to read my SSL guide with Digital Ocean here.
I generated some certificate on my server
1 2 3 4 | cd ~/ kdir sslcsrmaster4096 cd sslcsrmaster4096/ openssl req -new -newkey rsa:4096 -nodes -keyout domain.key -out domain.csr |
Sample output for a new certificate
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 | openssl req -new -newkey rsa:4096 -nodes -keyout dummy.key -out dummy.csr Generating a 4096 bit RSA private key .................................................................................................++ ......++ writing new private key to 'dummy.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]: AU State or Province Name (full name) [Some-State]: NSW Locality Name (eg, city) []:Tamworth Organization Name (eg, company) [Internet Widgits Pty Ltd]: Dummy Org Organizational Unit Name (eg, section) []: Dummy Org Dept Common Name (e.g. server FQDN or YOUR name) []: DummyOrg Email Address []: me@dummy.org Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: password An optional company name []: DummyCO root@servernamehere:~/sslcsrmaster4096# cat dummy.csr -----BEGIN CERTIFICATE REQUEST----- MIIFAjCCAuoCAQAwgYsxCzAJBgNVBAYTAkFVMQwwCgYDVQQIDANOU1cxETAPBgNV BAcMCFRhbXdvcnRoMRIwEAYDVQQKDAlEdW1teSBPcmcxFzAVBgNVBAsMDkR1bW15 IE9yZyBEZXB0MREwDwYDVQQDDAhEdW1teU9yZzEbMBkGCSqGSIb3DQEJARYMbWVA ZHVtbXkub3JnMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA6PUtWkRl +gL0Hx354YuJ5Sul2Xh+ljILSlFoHAxktKlE+OJDJAtUtVQpo3/F2rGTJWmmtef+ shortenedoutput swrUzpBv8hjGziPoVdd8qdAA2Gh/Y5LsehQgyXV1zGgjsi2GN4A= -----END CERTIFICATE REQUEST----- |
I then uploaded the certificate to Namecheap for an SSL cert registration.
I selected DNS C Name record as a way to verify I own my domain.
I am now waiting for Namecheap to verify my domain
End of the Google G Suite Business Trial
Before the end of the 14-day trial, you will need to add billing details to keep the email working.
At this stage, you can downgrade from a $10/m business account per user to a $5/m per user account if you wish. The only loss would be storage and google app access.
Get 20% off your first year by signing up for Google G Suite using this link: https://goo.gl/6vpuMm
Before your trial ends, add your payment details and downgrade from $10/user a month business prices to $5/iser a month individual if needed.
G Suite Troubleshooting
I was able to access new G Suite email account via gmail.com but not via Outlook 2015? I reset the password, followed the google troubleshooting guide and used the official incoming and outgoing settings but nothing worked.
Google phone support suggested I enable less secure connection settings as Google firewall may be blocking Outlook. I know the IMAP RFC is many years old but I doubt Microsoft are talking to G Suite in a lazy manner.
Now I can view my messages and I can see one email that said I was blocked by the firewall. Google phone support and faqs don’t say why Outlook 2015 SSL based IMAP was blocked?
Conclusion
Thanks to my wife who put up with my continual updates over the entire domain move. Voicing the progress helped me a lot.
Donate and make this blog better
Ask a question or recommend an article
V1.8 added ad link
This guide hopes to show you how to setup a Digital Ocean Droplet (server) as a Sub Domain on an existing AWS domain. I am setting up a Digital Ocean Domain as a sub domain (both existing) and using the sub domain (Digital Ocean server) as a self-service status page. I have setup both domains with SSL certificates and strong Content Security Policies and Public Key Pinning.
Advertisement:
Read this newer post on setting up Subdomains.
DO: Obtain the IP addresses for your Digital Ocean Droplet (that will be the sub domain). If you don’t already have a Digital Ocean Droplet click here (and get 2 months free).
Login to your AWS Console for the parent domain. I have a guide on setting up an AWS domain here and Digital Ocean Domain here.
This AWS guide was a handy start Creating a Subdomain That Uses Amazon Route 53 as the DNS Service without Migrating the Parent Domain.
From the AWS Route 53 screen, I clicked Get started now.
From here you can Create a Hosted Zone.
Create a Hosted Zone.
A sub domain can be created on AWS Route 53.
I created a route 53 A Name record and pointed it to a known Digital Ocean droplet IP address.
I created an A Name record on Digital Ocean for the droplet (e.g status.______.com).
I created an IPV6 (AAAA) record on Digital Ocean for the droplet?
I could not ping the server so I added the digital ocean name servers to the route 53 record set out of desperation.
Final Route information on AWS.
Hmm, nothing works as of yet.
https://www.whatsmydns.net is not showing movement yet.
Time to contact AWS for advice.
I tried to post an help post on the AWS forums but apparently, a user who has been paying AWS for 6 months does not have the right to post a new forum thread.
I posted a few help questions on twitter and I’ll try these out tonight.
Replies
And…
Thanks, guys, I’ll try these tonight and update this post.
I created a record set for the parent domain on AWS and A record for the Digital Ocean subdomain with no luck.
This post will be updated soon.
Read my guide on Securing an Ubuntu VM with a free LetsEncrypt SSL certificate in 1 Minute.
v1.9 added info on let’s encrypt (10:38pm 29th July 2017 AEST)
Donate and make this blog better
Ask a question or recommend an article
