the itjerk

my adventures with technology

Tag Archives: apache

let’s encrypt – free ssl

Let’s Encrypt is “a free, automated, and open certificate authority” from the ISRG (and now apparently the EFF) and a growing list of technology big names. And in the sounds-too-good-to-be-true department, they offer not only free SSL certificates but also an easy-to-use tool, built around ACME (Automated Certificate Management Environment), that configures your web server in just a few easy steps. Encryption should be used not only on sites running e-commerce or email, but wherever passwords are involved.

First step is to install the client via git:

sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt

Then run the config:

cd /opt/letsencrypt
./letsencrypt-auto --apache -d yoursite.com

The client will ask a few questions about the certificate you want to install. Most importantly, remember that you probably need to apply it to your default-ssl.conf. To test your new certificate, use the SSL Labs website:

https://www.ssllabs.com/ssltest/analyze.html?d=yoursite.com&latest

The tutorial below even shows you how to add renewal options to cron for set-and-forget ease. Remember to git pull and stash to keep everything up to date. And most of all, it’s a free service!

On the web:

Let’s Encrypt – Free SSL/TLS Certificates

How To Secure Apache with Let’s Encrypt on Ubuntu 14.04
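
As an added example (not from the original post or the Let's Encrypt project), here is one way to wire up the cron renewal mentioned above: a wrapper that reads the certificate's expiry date and only calls the client inside a renewal window. The live certificate path, the availability of the `renew` subcommand in your client version, the 30-day threshold and the script path in the crontab comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: renew only when the certificate
# is close to expiry. Needs GNU date (standard on Ubuntu) and openssl.
DOMAIN="yoursite.com"                          # placeholder used in the post
CERT="/etc/letsencrypt/live/$DOMAIN/cert.pem"  # client's default location (assumed unchanged)
LE="/opt/letsencrypt/letsencrypt-auto"         # clone path used in the post
THRESHOLD_DAYS=30                              # assumed renewal window

# days_left "notAfter=Mar 31 00:00:00 2016 GMT" NOW_EPOCH
# Prints whole days between NOW_EPOCH and the expiry; returns 2 on a bad date.
days_left() {
    end=$(date -u -d "${1#notAfter=}" +%s 2>/dev/null) || return 2
    echo $(( (end - $2) / 86400 ))
}

# needs_renewal ENDDATE_LINE NOW_EPOCH
# Succeeds when the cert is inside the window. An unparsable date also counts
# as "renew", so a broken check fails towards a fresh certificate.
needs_renewal() {
    left=$(days_left "$1" "$2") || return 0
    [ "$left" -lt "$THRESHOLD_DAYS" ]
}

# renew_if_due: the function cron ends up calling.
renew_if_due() {
    if [ ! -r "$CERT" ]; then
        echo "cannot read $CERT (run as root?)" >&2
        return 1
    fi
    enddate=$(openssl x509 -enddate -noout -in "$CERT") || return 1
    now=$(date -u +%s)
    if needs_renewal "$enddate" "$now"; then
        "$LE" renew
    else
        echo "$DOMAIN: $(days_left "$enddate" "$now") days left, nothing to do"
    fi
}

# Run only when asked, e.g. from root's crontab (hypothetical script path):
#   30 2 * * 1 /usr/local/sbin/le-renew.sh run >> /var/log/le-renew.log 2>&1
if [ "${1:-}" = "run" ]; then renew_if_due; fi
```

Logging the "nothing to do" line each week gives you a record that the job is still running, which is the failure a set-and-forget cron entry usually hides.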

Ubuntu LTS the only way to go

When I first configured my cloud server, I was under the impression that I would just be trying it out, a test environment. It didn’t occur to me that I’d actually put it in production. Flippantly, I chose 12.10 instead of opting for 12.04 LTS, which is supported through May 2017. Well, 13.04 was already out of service by the time I got my notice that 12.10 was end-of-life, so the upgrade path was 12.10 -> 13.10 -> 14.04 LTS. Good news is that was easy enough to do. Bad news was 13.10 broke Apache’s Auth_MYSQL, which is used with AWSTATS in iRedMail. 

Like a good itjerk, I didn’t panic, went straight from 13.10 to 14.04 LTS, and would worry about the mess from there. Ends up that Auth_MYSQL isn’t supported in Apache 2.4.x, which is what 14.04 LTS ships with. So I had to switch to Auth_DBD instead. Zhang at iRedMail was very helpful, and I got everything back up and working. BTW, DenyHosts is no longer supported in 14.04 LTS; that package had to be purged.

Apache2.conf needs this:

DBDriver mysql
DBDParams "host=127.0.0.1 port=3306 dbname=mail user=mail pass=xxxx"

While awstats.conf needs:

AuthType Basic
AuthName "Authentication required"
AuthBasicProvider dbd
AuthDBDUserPWQuery "SELECT password FROM mailbox WHERE username=%s"
Require valid-user

Then, do this:

a2enmod authn_dbd
apt-get install libaprutil1-dbd-mysql
service apache2 restart

Moral of the story: Use LTS. Always.