[SSL] Let’s encrypt How to

https://letsencrypt.org/

I only record the command steps here.

Install prerequisite packages


$ sudo yum install gcc libffi-devel python-devel openssl-devel git

Get letsencrypt-auto script from GitHub repo


$ sudo git clone https://github.com/letsencrypt/letsencrypt /usr/share/letsencrypt
Cloning into 'letsencrypt'...
remote: Counting objects: 48173, done.
remote: Compressing objects: 100% (14/14), done.
remote: Total 48173 (delta 3), reused 5 (delta 1), pack-reused 48158
Receiving objects: 100% (48173/48173), 14.80 MiB | 5.65 MiB/s, done.
Resolving deltas: 100% (34468/34468), done.

Install letsencrypt certificate for your domain


$ sudo /usr/share/letsencrypt/letsencrypt-auto --apache -d chenlego.me

This command installs the required rpm packages first and then asks you a few questions.

After you answer the questions, it puts your certificate in the /etc/letsencrypt/live/ folder and configures your Apache config files for you:

<VirtualHost *:80>
    ServerName chenlego.me
    Redirect / https://chenlego.me/
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =chenlego.me
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<VirtualHost *:443>
    ServerName chenlego.me
    DocumentRoot /web/chenlego.me
    <Directory /web/chenlego.me>
        AllowOverride All
    </Directory>
    CustomLog /web/log/chenlego.me-access.log combined
    ErrorLog /web/log/chenlego.me-error.log
    SSLEngine On
    SSLCertificateFile /etc/letsencrypt/live/chenlego.me/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/chenlego.me/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/chenlego.me/chain.pem
</VirtualHost>

Finally, the only remaining step is to restart Apache so the changes take effect.

Auto-renew the certificate

SSL certificates issued by letsencrypt are valid for 90 days.

So we can add a daily cron job to renew the certificate automatically and reduce the maintenance effort.


echo '#!/bin/bash' | sudo tee /etc/cron.daily/letsencrypt.renew

echo '/usr/share/letsencrypt/letsencrypt-auto renew > /var/log/letsencrypt-renew.log' | sudo tee -a /etc/cron.daily/letsencrypt.renew

# The cron script itself must be executable, otherwise cron.daily skips it
sudo chmod 755 /etc/cron.daily/letsencrypt.renew
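
An added example, not part of the original post: a small check that the daily renew job is really keeping the certificate fresh. By default `renew` only replaces certificates that are within 30 days of expiry, so a certificate with fewer than 20 days left (the threshold assumed here) means the cron job has been failing. The function name `cert_status` and its return codes are made up for this example.

```bash
#!/bin/bash
# Added example: report whether a certificate is being kept fresh by the
# daily renew job. cert_status and its return codes are hypothetical names.
#
# Usage: cert_status CERT_FILE [MIN_DAYS]
#   prints OK          and returns 0 if more than MIN_DAYS of validity remain
#   prints RENEW_DUE   and returns 1 if the cert expires within MIN_DAYS
#   prints EXPIRED     and returns 2 if the cert has already expired
#   prints UNREADABLE  and returns 3 if the file is missing or not a certificate
cert_status() {
    cs_cert="$1"
    cs_min_days="${2:-20}"   # assumed alert threshold, below renew's 30-day window

    # Parse check first, so a missing file is not mistaken for an expired cert.
    if ! openssl x509 -noout -in "$cs_cert" >/dev/null 2>&1; then
        echo "UNREADABLE"; return 3
    fi
    # -checkend N exits non-zero when the cert expires within N seconds.
    if ! openssl x509 -noout -checkend 0 -in "$cs_cert" >/dev/null 2>&1; then
        echo "EXPIRED"; return 2
    fi
    if ! openssl x509 -noout -checkend $((cs_min_days * 86400)) \
            -in "$cs_cert" >/dev/null 2>&1; then
        echo "RENEW_DUE"; return 1
    fi
    echo "OK"; return 0
}

# When run with arguments, check that file, e.g.:
#   ./cert-check.sh /etc/letsencrypt/live/chenlego.me/cert.pem 20
if [ "$#" -gt 0 ]; then
    cert_status "$@"
fi
```

Called from the same cron script after the renew line, a non-zero return can feed whatever alerting the server already has.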
