Enable HTTPS on your Website with Let’s Encrypt

There’s no question that secure communications is critical. On the web, this is done using HTTPS. HTTPS is secure extension of the HTTP. In HTTPS, communications is encrypted using Transport Layer Security (TLS), or its deprecated predecessor, Secure Sockets Layer (SSL).

TLS uses a public key encryption scheme where you have a public and private key pair. The web server provides they public key which the web browser can use to encrypt communications with. The public key is signed to certify the identity of the web server owning the key. This gives you the public key certificate or just simply certificate.

You can self-sign (or self-certify) just so you can encrypt communications and that’s fine if your dealing with yourself or parties who trust you and your self-signed certificate (e.g. your own systems or employees). But if you deal with other parties (e.g. other systems or customers) you need a certificate from a certificate authority (CA), a trusted entity that signs keys and issues certificates. 

Let’s Encrypt is a free, automated, and open certificate authority brought to you by the non-profit Internet Security Research Group (ISRG). They provide certificates absolutely free. The certificates expire in 90 days, but they can be automatically renewed using Certbot. There’s simply no excuse not to have a secure site. And it’s so easy to boot. There are step-by-step instructions for almost every web server and operating system combination at the Certbot page.

Here are the steps for getting certificates using Ubuntu and Apache:

  1. Add the Certbot apt repository
    • sudo add-apt-repository ppa:certbot/certbot
  2. Update the repository
    • sudo apt-get update
  3. Install Certbot from the new repository with apt-get:
    • sudo apt-get install python-certbot-apache
  4. Obtain a certificate for your domain

This give your certificates for your new files and configures Apache automatically. But you should be able to find the certificate files for other purposes (see below) at /etc/letsencrypt/live/example.com

The certificate only last for 90 days. However, Certbot takes care of this problem by running certbot renew twice a day via a systemd timer or cron. We can also manually test renewal:

  • sudo certbot renew –dry-run

BONUS: If you’re using Dovecot https://www.dovecot.org/, you can also use the certificate:

  1. Edit /etc/dovecot/conf.d/10-ssl.conf:
    • ssl_cert =
    • ssl_key =
  2. Restart dovecot:
    • sudo service dovecot restart

That’s it! You now have a secure website and email server.

Setting Up Subversion

Every developer should have version control. It can be a simple process or a process supported by tools. One of the best version  control tools is Subversion or SVN. Here’s how to set up your own SVN server on a Linux box.

Install or update Subversion: If you’re using Red Hat-type Linux: yum install subversion or yum update subversion. If you’re using Debian-type Linux: apt-get install subversion or apt-get update subversion. Others Linux flavors should have something similar.

Create your repository: svnadmin create /svnroot

Configure access: vi /svnroot/conf/svnserve.conf. In the [general] section, add:

anon-access = none
auth-access = write
password-db = passwd

Add users: vi /svnroot/conf/passwd and add:

=

Start Subversion as a daemon: svnserve -d.

Open up TCP port 3690 on your Linux box’s firewall.

Connect to your SVN server with the URL svn://>/svnroot

Start using your SVN server. Here are some useful tips:

  1. How to structure your repository
  2. How to fix bugs properly
  3. How to release software properly

That’s it!

Skype on Linux

My sister needed a computer for reviewing for her medical exams so I lent her my old (ancient?) IBM Thinkpad X22 which is running Kubuntu. She needed Skype to be able to talk to her hubby who is in the US so we downloaded and installed Skype. Well, what do you know? It actually installed and ran without a hitch. Linux definitely has come a long way. If it we’re not for my games, I would have it on my Asus EEE PC 1000H. I wonder if it’s time to check out Wine, the Linux Windows Emulator, again. Hmmm.

Why Linux Sucks

There are many reasons to love Linux. But there are also many reasons to hate it. And this is one of those reasons.

I’ve been trying to refresh Selene, my Thinkpad X22, since I returned my office-issue Thinkpad T60. I figured Linux would be a good idea as it had Kubuntu before and I was reasonably fine with it. Unfortunately, the only Linux installer I have on hand is Fedora Core 4 (circa 2005). It installed without a hitch BUT I was stuck with Firefox 1.0 which doesn’t support a lot of those Web 2.0 stuff out there.

I tried automatically updating Firefox but apparently the FC4 repository is no longer being maintained. It only contained a point release. My next recourse was to manually download and install Firefox 3.0. But it flat out doesn’t work. Missing library or something. I tried updating the library but, you guessed it, the repository is no longer being maintained.

I turns out that once a new version of the distro is released, the old version’s repository is available for only about a year and then that’s that. This means you need to reinstall your OS once a year! I could probably get things manually updated and working one way or the other but it would just be too much hassle.

Now contrast this with the much older Windows 2000 Professional which installs fine, gets updates fine, and runs Firefox 3.0 just fine, thank you. Now if only I can get rid of the damn spyware that keeps infecting it.

LDAP Authentication For Squid

One of the things you want to do as you integrate your systems would be to have them authenticate from a common user base. That user base is usually an LDAP source, in my case Microsoft Active Directory (don’t say anything!!!). One of the systems you would want to use the common user base is your web proxy, Squid in my case. Here is how to integrate the two. It’s quite simple actually though, as usual, LDAP gave me a bit of a hard time.

First you need to configure Squid to use LDAP. Just add the following in your squid.conf:

auth_param basic program /usr/lib/squid/squid_ldap_auth -P -R -b “dc=your,dc=domain” -D “cn=user,cn=Users,dc=your,dc=domain” -w “password” -f “(&(objectClass=person)(sAMAccountName=%s))” yourldapserver

If you’re encountering problems add the -d parameter at the end and do a tail -f on /var/log/squid/cache.log Now that Squid can authenticate using LDAP, just add your ACLs in squid.conf:

acl youracl1 proxy_auth “/path/to/userlist”
http_access allow youracl1

That’s it!