Buy a new domain and SSL cert from NameCheap and configure it

Hello, This guide will help you buying a new domain and SSL certificate from NameCheap, a self-managed Ubuntu 16.04 Server from Digital Ocean and configuring it with NGINX Web server, SSL etc. I have older guides ( The quickest way to setup a scalable development ide and web server, Adding a commercial SSL certificate to a Digital Ocean VM etc ) but this one is updated (November 2016).

You can use this link to create a digital ocean account and get $10 free credit (enough to have a free ubuntu server for 2 months).

How to Purchasing a domain from NameCheap.

Namecheap is an awesome domain reseller, go to the registration page, search for your desired domain, add it to a cart ( tip: look for coupons ) and go to the checkout.

You will want to purchase the Whois Guard as this protects your private details from the domains public listing whois database. Also it is recommended you secure your site with PositiveSSL Certificate. If you have a good coupon you can pick up a new domain name, SSL certificate, Whois Guard for under $5 for your first year.

When you have purchased your domain you are ready to order your server from digital ocean.

Ordering a server from Digital Ocean

Use this link to create a digital ocean account and get $10 free credit (enough to have a free server for 2 months).

Digital Ocean offer very fast and flexible servers that you are in full control of. Managing your server is a #geeky way to host a web server. You will not be stuck on a slow shared CPanel server with hundreds of others users wiht poor quality web hosts. Digital Ocean do not restrict you and you can do anything you want when you want with your server (as long as it is legal).

Buying a Server Steps

Create a Digital Ocean account and login (use this referral link to get $10 free credit: https://m.do.co/c/99a5082b6de5 ).
You will need to create a SSH key to use with your account. Read this guide and learn about how to create an SSH key (required to connect to your domain’ server). Creating and adding your SSH key to your droplet is the hardest part of the whole guide but the SSH key can be used for future servers. I have more tips on creating a SSH key in my old guide.
Go here and add your SSH key to your Digital Ocean Account. Info here: Initial Server setup guide, How to setup and use SSH Keys
Click Create new Droplet ($5, Ubuntu 16.4, San Francisco region, SSH Key, Private networking (VLAN), Backups and IPV6).
Give the server a name and click create.
You get billed by the month or by the hour if you delete the server if you only need a server for a few weeks.

After a few minutes, your new server will be ready to use. The only issue is the server has no web server installed (we need to install it) so don’t try and connect to the servers IP in a web browser.

Login to Digital Ocean and click on Droplets, then Click on Access then Launch Console. This is the backup/default way into your domain.

Note we don’t have a username or password yet. Close the console and then go back to the access screen for your droplet and click Reset Root Password and this will shut down the server and setup a root password. The new root password will be emailed to you.

Note: Root passwords are generally not a good idea but we can disable this after we setup the server.

You can choose the Digital Ocean web console or a third party SSH terminal app like vSSH for iOS/Windows/OSX etc . I prefer vSSH as the Digital Ocean web console can be a tad slow.

Once you login to your server you will be forced to change your root password (remember it).

Setting the Timezone (housekeeping)

dpkg-reconfigure tzdata

I don’t like interacting with the server via command line so time to connect our server to the awesome Cloud9 IDE from www.cloud9.io)

Installing NodeJS

The first thing we need to do is install NodeJS on to our new server (as this is required by Cloud 9). The good thing about Digital Ocean is they have a guide for everything ( How To Install Node.js on Ubuntu 16.04 ). I am going to install the latest (non-stable development build of NodeJS).

sudo apt-get update
sudo apt-get upgrade
cd ~
curl -sL https://deb.nodesource.com/setup_6.x -o nodesource_setup.sh
sudo bash nodesource_setup.sh
sudo apt-get install nodejs
sudo apt-get install build-essential
sudo apt-get install python

Now run the following command to see where nodeJS is installed

which nodejs
> /usr/bin/nodejs

Signing up to Cloud 9 IDE

Ok, Cloud 9 is highly recommended because you can connect to your site, open multiple files and terminal windows in a nice IDE and close the browser tab go to a new PC and login and everything will follow you (right where you left off). I am locked into a grandfathered $9 a month Cloud 9 plan but $19 a month is well worth it as you can have connections to multiple websites making it an invaluable tool for the developer or website owner.

Signup for Cloud9 Individual plan at http://www.c9.io Getting started guide here: https://docs.c9.io/docs/

Connecting to your server with Cloud9 IDE (c9.io)

Go to the Cloud 9 settings and add your SSH key. This will allow you to connect to any Digital Ocean droplet without the root password (as long as you have added you SSH key to the digital ocean account and any new servers).

Now you can go back to your Cloud 9 dashboard and Create a New Workspace. Click Remote SSH workspace.

Use the following settings (but use your Digital Ocean droplet IP).

That’s it, you should now have a link to your Digital Ocean server saved in Cloud 9. Let’s connect to it.

The Cloud 9 IDE is very powerful. I love it for the files system tree view, drag and drop files and multiple tabs and panes.

Cloud 9 also has collaborative features so you can allow multiple team members or developer in and even share the same terminal.

At this point, you can change the root password or disable the root login.

Read this article on adding alternative non-root users and disabling the root user here (scroll down to step 5).

sudo nano /etc/ssh/sshd_config
PasswordAuthentication no

Then..

sudo systemctl reload sshd

Configuring NGINX Web Server

Now we need to install a web server following this guide. You can run these commands in the C9 IDE instead of the console or SSH application.

sudo apt-get install nginx

You can then check your web server by loading your digital ocean IP (e.g http://123.123.123.123 ).

I won’t lock down the firewall but will install curl.

sudo apt-get install curl

I can check my public IP.

curl -4 icanhazip.com
> 123.123.123.123

In the Cloud 9 files system tree view, I located the “/var/www/html” folder and then right clicked on it and set it as a Favourite. This will move the folder to the top of the tree view. I edited the “/var/www/html/index.nginx-debian.html” while I was there.

fyi: The NGINX config file is located at “/etc/nginx/nginx.conf” and the sites file is located at “/etc/nginx/sites-available/default”.

Tip: Add the Nginx folder your Cloud 9 favorites.

Now we can link the Domain name to the digital ocean server IP.

Linking the new domain name to the digital ocean server.

First, we need to login to Namecheap and sent any DNS requests for yournewdomain.com (this is not my domain (just a random name)) to go to Digital Ocean DNS servers. Login to your NameCheap account and open your domain list. Add the following custom DNS entries and save.

Next to your domain Droplet click More then Add a Domain.

Type your domain name then select the droplet then click Create. Then click the domain in the list below.

Make the following A and CNAME record changes. The IPV4 and IPV6 details can be obtained from the Digital Ocean Droplet settings.

Depending on where you are in the world the changes we made at Digital Ocean and Namecheap may take 48 hours but for me, I can see the domain on my mobile phones network but not my ADSL2 network. Here is a good site for tracking DNS replication around the world: https://www.whatsmydns.net/#A/fearby.com

Also, this handy tool can be installed to add whois query abilities to your VM.

sudo apt-get install whois
whois yournewdomainname.com
> ... the whois record for your web server will be displayed here.

Also flushing your DNS records of your laptop can help. As soon as I flushed my DNS I was abe to see my domain.

Flush DNS on macOS Sierra:

sudo killall -HUP mDNSResponder

Flush DNS on other systems.

Adding SSL

I do have an older guide here on setting up SSL on a digital ocean VM.

Namecheap’s domain and SSL order confirmation mentions this about SSL certificates.

SSL Certificates: 

If you've purchased an SSL certificate, you'll want to visit your Account Panel soon to enter your CSR and activate the certificate. 

Our Knowledgebase( https://www.namecheap.com/support/knowledgebase/category.aspx/14/ ) contains instructions on how to create a CSR 
and install the certificate on your server.

This namecheap guide will tell you how to activate a new certificate and how to generate a CSR file. Note: The guide to the left will generate a 2048 bit key and this will cap you SSL certificates security to a B at http://www.sslabs.com/ssltest so I recommend you generate an 4096 bit csr key and 4096 bit Diffie Hellmann key.

Confession: I was an idiot and created a 2048 bit key (below) and re-edited this guide for 4096 bit. If you do this you just reissue the certificate at Namecheap and follow the steps again. Reissuing only takes 15 minutes. There are sites where you can download freshly generated DH primes that can save you time generating stronger DH keys.

This is what a SSLLabs SSL report looks like if you don’t generate a fresh 2048or 4096 DH key.

To generate a stronger 4096 bit DH key login into a terminal on the Digital Ocean server and run these commands.

cd /etc/nginx/
mkdir ssl4096
cd ssl4096
openssl dhparam -out dhparams4096.pem 4096

Note: This may take a few hours to generate but it essential to have an A+ rated SSLLabs certificate. If you stick with a weak DH key it is only a matter of time before hackers can exploit it and get into your site. You could generate a 2048 DH key but 4096 is better in the long run.

Creating the SSL Certificate

Log into the Namecheap dashboard (click on the SSL Product lists page ).
Click Activate next to Positive SSL (Comodo SSL Certificate).

I created the CSR files on the Droplet terminal. (IMPORTANT: The Common name is the name of the server, don’t add your name).

cd ~/
mkdir sslcsrmaster4096
cd sslcsrmaster4096/
openssl req -new -newkey rsa:4096 -nodes -keyout server.key -out server.csr

Generating a 4096 bit RSA private key
.............................................................+++
......
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:AU
State or Province Name (full name) [Some-State]:New South Wales
Locality Name (eg, city) []:Tamworth
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Fearby.com Software
Organizational Unit Name (eg, section) []:Development
Common Name (e.g. server FQDN or YOUR name) []:www.yournewdomain.com
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:*********************************
An optional company name []:
// Completed the wizard questions

This outputted two files.

drwxr-xr-x 2 root root 4096 Nov  5 10:54 .
drwx------ 8 root root 4096 Nov  5 10:53 ..
-rw-r--r-- 1 root root 1106 Nov  5 10:54 server.csr
-rw-r--r-- 1 root root 1704 Nov  5 10:54 server.key

Output the server.csr file to the terminal

cat server.csr

Paste the contents of the CSR into the Namecheap wizard and click Next

Click Next if the data from the CSR is displayed.
To verify you own the domain choose HTTP for the “DCV Method” and click Next
Enter your contacts details then click next and submit to end the activation.
In the yellow box click the “go to certificate Details page” next to HTTP validation.
Click the Edit Methods button and click download file and follow (take note of the filename and location to upload the file to). Simply save the file and drag and drop it into the favorited /var/www/html/ folder in Cloud 9 IDE.
Go back to the Namecheap, click Domain Lists, Click your domain then Click Products then next to the SSL click Manage. The status should say In Progress. This guide says the verification will take some time and when verified the appropriate files will be emailed to you.
After 15 minutes the status changed to Issued and I received two emails from Comodo.
I extracted and uploaded the two files in the zip file to ~/sslcsrmaster4096/ folder on my server.
Made the following directory /etc/nginx/ssl4096/

Now we need to combine the certificates. Goto https://certificatechain.io/ and paste in the contents of the crt file that were emailed to your from Comodo. The site will get all public intermediate certificates and combine them. The combined certificate will look like this.

Save the combined certificate to /etc/nginx/ssl4096/yournewdomain.com.chained.crt
Copy all files from ~/sslcsrmaster4096/*.* to /etc/nginx/ssl4096/

Now we can configure the NGINX configuration: /etc/nginx/sites-available/default

server {
    listen 80;
    server_name yournewdomain.com;
    rewrite ^/(.*) https://yournewdomain.com/$1 permanent;
}

server {
	
	listen 443 ssl default_server;
	listen [::]:443 ssl default_server;

	root /var/www/html;

	index index.php index.html index.htm index.nginx-debian.html;

	server_name yournewdomain.com www.yournewdomain.com localhost;
    
        ssl on;
		
	ssl_certificate /etc/nginx/ssl4096/yournewdomain.com.chained.crt;
        ssl_certificate_key /etc/nginx/ssl4096/server.key;
    
        ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
	ssl_prefer_server_ciphers on;
	ssl_dhparam /etc/nginx/ssl4096/dhparams4096.pem;
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	server_tokens off;
	ssl_session_cache shared:SSL:20m;
	keepalive_timeout 5;
	ssl_session_timeout 60m;
	ssl_session_tickets off; # Requires nginx >= 1.5.9
	
	ssl_stapling on;
	ssl_stapling_verify on;

	gzip off;

	add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
	add_header X-Frame-Options DENY;
	add_header X-Content-Type-Options nosniff;


	# Use Google DNS
	resolver 8.8.8.8 8.8.4.4 valid=60s;
	resolver_timeout 1m;

	location / {
		# First attempt to serve request as file, then as directory, then fall back to displaying a 404.
		try_files $uri $uri/ =404;
	}

	location ~ /\.ht {
		deny all;
	}
}

Restart NGINX
```
sudo service nginx restart
```
Use this page to test your SSL Certificate: https://decoder.link/sslchecker/
Test the SSL certificate for security at SSLLabs.com
If you want more security, try disabling TLS 1 in your NGINX Configuration.

I’d like to thank Vadim Kovshar on the Namecheap live chat for speeding up the reissue of the SSL cert as it stalled with Comodo because I blocked the HTTP port 80 in NGINX after I got the weaker cert working. Thanks

Installing and configuring MySQL

I will follow this guide to install phpMyAdmin

sudo apt-get install mysql-server
> Password (superstrong): ********************************************

Now time to configure MySQL

sudo mysql_secure_installation
VALIDATE PASSWORD PLUGIN: Y
PASSWORD STRENGTH = 2 (STRONG)
Remove anonymous users: Y
Disallow root login remotely: Y
Remove test database and access to it: Y
Reload privilege tables now: Y

Installing PHP and Phpfpm

Follow this guide at step 4.

sudo apt-get install php-fpm php-mysql
sudo nano /etc/php/7.0/fpm/php.ini

//Change the following line from ..
#cgi.fix_pathinfo=1

// ..to the following
cgi.fix_pathinfo=0

Restart PHP

sudo systemctl restart php7.0-fpm

If you have issues installing PHP with this method please try these methods:

purge http://serverfault.com/questions/777010/uninstall-mysql-5-7-from-ubuntu-16-04

http://www.cyberciti.biz/faq/howto-install-mysql-on-ubuntu-linux-16-04/

Installing and configuring a database management GUI

phpMyAdmin has been giving me a few issues installing this time so I decided to go with an alternative. Here is a good list of MySQL management interfaces. Also check your OS App store for native clients.

Installing and configuring MongoDB

todo

Use this link to create a digital ocean account and get $10 free credit (enough to have a free server for 2 months).

Donate and make this blog better

Ask a question or recommend an article
[contact-form-7 404 "Not Found"]

Personal Development Blog...

Coding for fun since 1996, Learn by doing and sharing.

Buy a domain name, then create your own server (get $25 free credit)

View all of my posts.

How to buy a new domain and SSL cert from NameCheap, a Server from Digital Ocean and configure it.

Popular

Security

Code

Tech

Wordpress

General

Footer