An SSL (Secure Sockets Layer) certificate is a crucial security feature for websites, ensuring encrypted communication between the browser and the server. SSL protects sensitive information like passwords, payment details, and personal data from being intercepted. Additionally, it boosts user trust by displaying a padlock icon in the browser and improves search engine rankings as search engines prioritize HTTPS-enabled websites.
Installing an SSL certificate is essential to secure your website and provide a safe experience for your users. Below are the high-level steps for installing an SSL certificate on your server.
Steps to Install an SSL Certificate
Step 1: Generate a Certificate Signing Request (CSR)
To get an SSL certificate, you first need to generate a Certificate Signing Request (CSR), which includes your website’s details:
Generate a Private Key:
Use a tool like OpenSSL to create a private key:
openssl genrsa -out private.key 2048
Store the private key securely, as it is required during SSL installation.
Important: Never share the private key.
Generate the CSR:
Use the private key to generate a CSR:
openssl req -new -key private.key -out csr.pem
Provide the requested details, including:
Common Name (the domain name to be secured)
Organization Name (for business validation)
Country, State, and City
Step 2: Purchase or Obtain an SSL Certificate
Choose a Certificate Authority (CA) or hosting provider for your SSL certificate.
Submit the CSR to the CA for verification.
Validate your domain ownership through one of the following methods:
Email Validation: Respond to an email sent to your domain’s administrative address.
DNS Validation: Add a specific DNS record to your domain.
HTTP Validation: Upload a verification file to your website.
For Extended Validation (EV) or Organization Validation (OV) certificates, additional steps like verifying your business details with the CA may be required.
Once validated, download the issued SSL certificate and intermediate certificate bundle (CA bundle).
Step 3: Install the SSL Certificate on the Server
If Using a Control Panel:
Log in to the hosting control panel (e.g., cPanel, Plesk).
Navigate to the SSL/TLS or security settings.
Upload the SSL certificate, CA bundle, and private key.
Follow the instructions to install the certificate.
If No Control Panel:
Log in to the server via SSH.
Configure the web server (e.g., Apache, Nginx) to include the certificate details:
Confirm that the certificate is valid and properly installed.
Ensure no SSL errors or warnings are displayed.
Step 5: Update Website Links
Update all internal links and references from http:// to https:// to avoid mixed content errors. Update your CMS settings (e.g., WordPress URL settings) to use HTTPS.
Step 6: Set Up HTTPS Redirects
Redirect all HTTP traffic to HTTPS by default to ensure all users access the secure version of your site.
Step 7: Monitor and Renew the SSL Certificate
Keep track of the certificate’s expiration date and renew it on time.
For free SSL certificates like Let’s Encrypt, automate the renewal process using tools like Certbot.
Periodically test your website’s SSL configuration for potential issues or updates.
WordPress is one of the most popular content management systems (CMS) in the world, powering over 40% of websites globally. Its flexibility, ease of use, and vast ecosystem of plugins and themes make it a favorite among bloggers, businesses, and developers alike.
At its core, WordPress has a simple structure:
Files: These include the WordPress core, themes, plugins, and the wp-content folder where your media files are stored.
Database: This stores all the critical information such as posts, pages, user data, and site configurations.
When migrating a WordPress site, it is essential to back up both the files and the database, as they work together to run your WordPress site seamlessly. Missing either part can cause errors or data loss. In this guide, we’ll walk you through the high-level steps of migrating your WordPress site to a new hosting provider.
Step 1: Backup Your Website Files
Backing up your WordPress files ensures that your themes, plugins, and media are safe. You can do this using the following methods:
Using an FTP Client:
Connect to your existing hosting account using an FTP client like FileZilla. Download all the WordPress files, especially the wp-content folder, which contains your themes, plugins, and uploads.
Using SCP for Secure Transfers:
If you have SSH access, use the scp command to securely copy files from your server to your local machine or another server:
Before importing the database, create a new database and user on the new hosting account:
Log in to your new hosting control panel or use SSH to access the server.
Create a new database and database user, assigning the necessary privileges.
Take note of the database name, username, and password for the next steps.
Step 4: Upload Website Files to the New Host
Use an FTP client, SCP, or File Manager to upload your WordPress files to the new hosting environment. Double-check that all files, particularly those in the wp-content folder, are uploaded correctly.
Step 5: Import the WordPress Database
Using phpMyAdmin:
Open phpMyAdmin on the new host, select the newly created database, and import the .sql file you exported earlier.
Using mysql via SSH:
If you have SSH access, import the database using the following command:
mysql -u username -p database_name < backup.sql
Step 6: Update the wp-config.php File
Open the wp-config.php file in the root directory of your WordPress site on the new host. Update the database details to match the new database:
define('DB_NAME', 'your_new_database_name');
define('DB_USER', 'your_new_database_user');
define('DB_PASSWORD', 'your_new_database_password');
define('DB_HOST', 'localhost'); // Or the database host provided by your new host
Step 7: Test the Website
Update your local hosts file or use a temporary URL provided by your new host to test the site. Verify that all pages, posts, media, plugins, and themes are working correctly.
Step 8: Update DNS Records
Log in to your domain registrar and update the DNS settings to point to your new hosting server.
Typically, you will update the A record (IP address) or nameservers.
Allow up to 48 hours for DNS propagation.
Step 9: Monitor the Website Post-Migration
After the DNS propagation, thoroughly test your website again to ensure everything is functioning as expected.
Monitor for broken links, missing media, or issues with plugins or themes.
Bonus Tips for a Smooth Migration
Use plugins like All-in-One WP Migration or UpdraftPlus if you're not comfortable with manual methods.
Always check for PHP and MySQL compatibility between the old and new hosts.
Keep backups until you're certain the migration is successful.
By following these steps, you can confidently migrate your WordPress site to a new hosting provider. With proper planning and attention to detail, the transition can be smooth and hassle-free.
Managing RPM-based systems with tools like YUM (Yellowdog Updater Modified) is an integral part of provisioning and maintaining Linux servers. While YUM simplifies the process of managing package dependencies, it can sometimes lead to unintended consequences, especially when developers remove a package that has critical dependencies. In this blog, we’ll explore a common use case and demonstrate how to safeguard important packages using YUM’s package protection features.
The Problem: Accidental Removal of Critical Packages Let’s consider a scenario: You have a custom package called dep-web that automates server provisioning by installing essential components like httpd, mod_ssl, and ingest, along with scripts and cron jobs critical to your environment. When a developer installs dep-web, everything works seamlessly. However, issues arise when they attempt to test a specific version of ingest.
A typical action might be:
yum remove ingest This operation not only removes ingest but also uninstalls dep-web, since dep-web depends on ingest. Consequently, all the additional configurations, scripts, and cron jobs set up by dep-web are also removed. Even if the developer reinstalls ingest, dep-web and its functionality are not restored, leading to potential operational disruptions.
Developers may not always notice these cascading effects, causing long-term inconsistencies and errors in the environment. Clearly, there is a need to prevent the accidental removal of critical packages like dep-web.
The Solution: Protecting Packages in YUM YUM includes functionality to prevent the removal of certain packages using the /etc/yum/protected.d directory and the yum-plugin-protect-packages. By default, YUM protects itself and its dependencies (e.g., rpm, python, glibc) from being uninstalled. However, administrators can extend this protection to other packages.
Steps to Protect Critical Packages Install the YUM Plugin Ensure the yum-plugin-protect-packages is installed on your system:
yum install yum-plugin-protect-packages Create a Configuration File Add your critical package to the protected list by creating a .conf file under /etc/yum/protected.d/. For example, to protect the dep-web package:
vi /etc/yum/protected.d/dep-web.conf Add the following content:
dep-web Save and close the file.
Verify the Protection Attempt to remove the protected package to test the configuration:
yum remove dep-web YUM will block the operation and display an error message, ensuring the package remains intact:
Error: Trying to remove "dep-web", which is protected Add Additional Packages (Optional) If there are other critical packages that need protection, create or edit their respective .conf files under the same directory.
Benefits of Package Protection By implementing package protection, you can:
Prevent the accidental removal of critical packages and their dependencies. Ensure that operational scripts, configurations, and cron jobs tied to these packages are preserved. Enhance the reliability of your environment, especially in shared development and production systems.
Conclusion Managing dependencies with YUM requires careful oversight, particularly in environments where multiple developers and administrators interact with the system. Protecting critical packages using YUM’s protected.d directory and plugins like yum-plugin-protect-packages provides a robust safeguard against unintended package removal.
In the example of dep-web, protecting the package ensures that its functionality, including the custom scripts and cron jobs, remains intact. This small configuration step can save countless hours of troubleshooting and recovery in large-scale deployments.
Proactively implementing such measures demonstrates a commitment to best practices in system administration, reducing downtime and fostering a more stable infrastructure.
Managing email storage is a crucial part of maintaining efficient mail servers, especially for administrators using Dovecot. Over time, mailboxes can accumulate a massive number of emails, leading to performance issues and potential storage costs. One effective way to manage this is by automatically deleting emails older than a specific period. In this blog, we’ll discuss how to use doveadm expunge to delete old emails.
Understanding the Basics Dovecot’s doveadm expunge command is a powerful utility for deleting emails based on specified criteria. Here’s a quick overview of the command syntax:
doveadm expunge -u mailbox '' -u: Specifies the user mailbox. mailbox '': Specifies the folder, such as INBOX, INBOX.Spam, etc. : Defines the filter for emails to be deleted, e.g., before 1w (one week) or before 2w (two weeks).
Use Cases 1. List Existing Mailboxes Before deleting emails, identify the folders within a specific mailbox. Use the following command:
doveadm mailbox list -u user@example.com Sample output:
INBOX INBOX.Spam INBOX.Drafts INBOX.Trash INBOX.Sent 2. Delete Emails Older Than 2 Weeks in All Folders To remove all emails older than two weeks in all folders for a specific mailbox:
doveadm expunge -u user@example.com mailbox '*' before 2w 3. Exclude INBOX Folder While Deleting If you want to delete old emails from all folders except INBOX, use:
doveadm expunge -u user@example.com mailbox INBOX.'*' before 2w 4. Delete All Emails in a Mailbox To delete all emails from all folders within a specific mailbox:
doveadm expunge -u user@example.com mailbox '*' all Bulk Removal of Old Emails When managing multiple accounts, you may need to automate the process for all mailboxes on a server. Here’s how to approach this on Plesk and cPanel.
Step 1: Generate a List of Mailboxes For Plesk: Run the following command to get a list of all active mailboxes:
plesk db -Ne "select concat(m.mail_name,'@',d.name) as mailbox, m.postbox from domains d, mail m, accounts a where m.dom_id=d.id and m.account_id=a.id and m.postbox='true'" | awk '{print $1}' >mbox.txt For cPanel: Generate a list of all mailboxes with:
for i in $(awk '{print $2}' /etc/trueuserdomains); do uapi --user=$i Email list_pops | egrep "\s+email:" ; done | awk '{print $2}' >mbox.txt Step 2: Automate Deletion with a Script Create a shell script (mailbox-doveadm-expunge.sh) to process the mailboxes:
#!/bin/bash# Script to delete emails older than 2 weeks from all mailboxesMAILBOX_FILE="mbox.txt"if[ ! -f "$MAILBOX_FILE"]; thenecho"Mailbox list file $MAILBOX_FILE not found!"exit 1
fifor mailbox in $(cat $MAILBOX_FILE); doecho"Processing mailbox: $mailbox"
doveadm expunge -u $mailbox mailbox 'INBOX' before 2w
doveadm expunge -u $mailbox mailbox 'INBOX.*' before 2w
doveadm expunge -u $mailbox mailbox 'Sent' before 2w
doveadm expunge -u $mailbox mailbox 'Trash' before 2w
doveadm expunge -u $mailbox mailbox 'Drafts' before 2w
doveadm expunge -u $mailbox mailbox 'Spam' before 2w
done
Save the script and ensure it has executable permissions:
chmod +x mailbox-doveadm-expunge.sh Run the script:
./mailbox-doveadm-expunge.sh
Best Practices 1. Backup Emails: Before performing a mass deletion, create a backup of your mail directories. 2. Test on a Single Mailbox: Verify your deletion criteria by testing on a single mailbox before applying changes in bulk. 3. Monitor Logs: After running doveadm expunge, check Dovecot logs for errors or warnings.
Conclusion Using doveadm expunge simplifies email management and helps prevent mail server overload by automatically removing old emails. Whether you’re working with individual accounts or hundreds of mailboxes, this approach can save significant time and effort. Integrate this cleanup process into your routine server maintenance to keep your mail system optimized.
Managing Network Configurations in Ubuntu with Netplan
Managing Network Configurations in Ubuntu with Netplan
Netplan has simplified network configuration management in Ubuntu. This tutorial will guide you through setting up multiple IP addresses on a single network interface using Netplan.
Prerequisites
An Ubuntu 24.04 system with Netplan installed (default in Ubuntu installations).
Administrative (root) privileges or sudo access.
A network interface name (e.g., ens192).
Step-by-Step Configuration
1. Edit the Netplan Configuration File
Create or modify a Netplan configuration file, typically located in `/etc/netplan/`. Here, we’ll use `00-Public_network.yaml`.
These are the DNS servers provided by your hosting provider.
If the provider does not specify DNS servers, you can use public options such as:
Google: 8.8.8.8, 8.8.4.4
Cloudflare: 1.1.1.1, 1.0.0.1
OpenDNS: 208.67.222.222, 208.67.220.220
Default Gateway
The default gateway routes traffic from your system to other networks, such as the internet.
In the configuration:
routes:
- to: default
via: 10.255.255.1
on-link: true
`via 10.255.255.1`: The gateway IP provided by the server/hosting provider.
`on-link: true`: Indicates the gateway is directly reachable on the local link.
Always use the gateway provided by your hosting provider.
Troubleshooting
If changes are not applied, check the configuration syntax:
sudo netplan generate
Look for error messages in `/var/log/syslog` for additional details.
Conclusion
Using Netplan, you can easily assign multiple IP addresses to a single network interface in Ubuntu 24.04. This setup is ideal for scenarios like hosting multiple websites or services requiring distinct public IPs. Ensure you use the nameservers and default gateway provided by your hosting provider for proper network connectivity. Public DNS servers can be used as an alternative if needed.
SSH (Secure Shell) relies on public-key cryptography for secure logins. But how can you be sure your public and private key pair are actually linked? This blog post will guide you through a simple method to verify their authenticity in Linux and macOS.
Understanding the Key Pair:
Imagine a lock and key. Your public key acts like the widely distributed lock – anyone can see it. The private key is the unique counterpart, kept secret, that unlocks the metaphorical door (your server) for SSH access.
Using ssh-keygen
This method leverages the ssh-keygen tool, already available on most Linux and macOS systems.
1. Locate the keys :Open a terminal and use cd to navigate to the directory where your private key resides (e.g., cd ~/.ssh). 2. Use the command ‘ls -al’ to list all files in the directory, and locate your private/public keypair you wish to check.
Example:
ababwaha@ababwaha-mac.ssh % ls -al
total 32
drwx------6 ababwaha staff 192 Jun 2416:04 .
drwxr-x---+68 ababwaha staff 2176 Jun 2416:04 ..
-rw-------1 ababwaha staff 411 Jun 2416:04 id_ed25519
-rw-r--r--1 ababwaha staff 103 Jun 2416:04 id_ed25519.pub
-rw-------1 ababwaha staff 3389 Jun 2416:04 id_rsa
-rw-r--r--1 ababwaha staff 747 Jun 2416:04 id_rsa.pub
3. Verify the Key Pair: Run the following command, replacing with the actual path to your private key file (e.g., ssh-keygen -lf ~/.ssh/id_rsa):
ssh-keygen -lf ssh-keygen -lf
This command displays fingerprint information about your key pair.
4. Match the Fingerprints: Compare the fingerprint displayed by ssh-keygen with the beginning of the text in your public key file. If they match, congratulations! Your public and private keys are a verified pair.
Remember:
Security: Always keep your private key secure. Avoid storing it on publicly accessible locations.
Permissions: Ensure your private key file has appropriate permissions (usually 600) to prevent unauthorized access.
By following this method, you can easily verify the authenticity of your public and private SSH key pair, ensuring a secure connection to your server.
Maintaining a secure system involves monitoring file system activity, especially tracking file deletions, creations, and other modifications. This blog post explores how to leverage two powerful tools, auditd and process accounting with /usr/sbin/accton (provided by the psacct package), to gain a more comprehensive understanding of these events in Linux.
Introduction
Tracking file deletions in a Linux environment can be challenging. Traditional file monitoring tools often lack the capability to provide detailed information about who performed the deletion, when it occurred, and which process was responsible. This gap in visibility can be problematic for system administrators and security professionals who need to maintain a secure and compliant system.
To address this challenge, we can combine auditd, which provides detailed auditing capabilities, with process accounting (psacct), which tracks process activity. By integrating these tools, we can gain a more comprehensive view of file deletions and the processes that cause them.
What We’ll Cover:
1. Understanding auditd and Process Accounting 2. Installing and Configuring psacct 3. Enabling Audit Tracking and Process Accounting 4. Setting Up Audit Rules with auditctl 5. Simulating File Deletion 6. Analyzing Audit Logs with ausearch 7. Linking Process ID to Process Name using psacct 8. Understanding Limitations and Best Practices
Prerequisites:
1. Basic understanding of Linux commands 2. Root or sudo privileges 3. Auditd package installed (installed by default on most of the distros)
1. Understanding the Tools
auditd: The Linux audit daemon logs security-relevant events, including file system modifications. It allows you to track who is accessing the system, what they are doing, and the outcome of their actions.
Process Accounting: Linux keeps track of resource usage for processes. By analyzing process IDs (PIDs) obtained from auditd logs and utilizing tools like /usr/sbin/accton and dump-acct (provided by psacct), we can potentially identify the process responsible for file system activity. However, it’s important to understand that process accounting data itself doesn’t directly track file deletions.
2. Installing and Configuring psacct
First, install the psacct package using your distribution’s package manager if it’s not already present:
# For Debian/Ubuntu based systems sudo apt install acct
# For Red Hat/CentOS based systems sudo yum install psacct
3. Enabling Audit Tracking and Process Accounting
Ensure auditd is running by checking its service status:
This will start saving the process information in the log file /var/log/account/pacct.
4. Setting Up Audit Rules with auditctl
To ensure audit rules persist across reboots, add the rule to the audit configuration file. The location of this file may vary based on the distribution:
For Debian/Ubuntu, use /etc/audit/rules.d/audit.rules For Red Hat/CentOS, use /etc/audit/audit.rules Open the appropriate file in a text editor with root privileges and add the following line to monitor deletions within a sample directory:
-w /var/tmp -p wa -k sample_file_deletion Explanation:
-w: Specifies the directory to watch (/path/to/your/sample_directory: /var/tmp) -p wa: Monitors both write (w) and attribute (a) changes (deletion modifies attributes) -k sample_file_deletion: Assigns a unique key for easy identification in logs
After adding the rule, restart the auditd service to apply the changes:
sudo systemctl restart auditd
5. Simulating File Deletion
Create a test file in the sample directory and delete it:
touch /var/tmp/test_file rm /var/tmp/test_file
6. Analyzing Audit Logs with ausearch
Use ausearch to search audit logs for the deletion event:
sudo ausearch -k sample_file_deletion This command will display audit records related to the deletion you simulated. Look for entries indicating a “delete” operation within your sample directory and not down the the process id for the action.
As you can see in the above log, the user root(uid=0) deleted(exe=”/usr/bin/rm”) the file /var/tmp/test_file. Note down the the ppid=2358 pid=2606 as well. If the file is deleted by a script or cron, you would need these to track the script or cron.
7. Linking Process ID to Process Name using psacct
The audit logs will contain a process ID (PID) associated with the deletion. Utilize this PID to identify the potentially responsible process:
Process Information from dump-acct
After stopping process accounting recording with sudo /usr/sbin/accton off, analyze the captured data:
sudo dump-acct /var/log/account/pacct This output shows various process details, including PIDs, command names, and timestamps. However, due to the nature of process accounting, it might not directly pinpoint the culprit. Processes might have terminated after the deletion, making it challenging to definitively identify the responsible one. You can grep the ppid or pid we received from audit log against the output of the dump-acct command.
In some cases, you can try lastcomm to potentially retrieve the command associated with the PID, even if the process has ended. However, its effectiveness depends on system configuration and might not always be reliable.
Important Note
While combining auditd with process accounting can provide insights, it’s crucial to understand the limitations. Process accounting data offers a broader picture of resource usage but doesn’t directly correlate to specific file deletions. Additionally, processes might terminate quickly, making it difficult to trace back to a specific action.
Best Practices
1. Regular Monitoring: Regularly monitor and analyze audit logs to stay ahead of potential security breaches. 2. Comprehensive Logging: Ensure comprehensive logging by setting appropriate audit rules and keeping process accounting enabled. 3. Timely Responses: Respond quickly to any suspicious activity by investigating audit logs and process accounting data promptly.
By combining the capabilities of auditd and process accounting, you can enhance your ability to track and understand file system activity, thereby strengthening your system’s security posture.
SSH (Secure Shell) is a fundamental tool for securely connecting to remote servers. While traditional password authentication works, it can be vulnerable to brute-force attacks. SSH keys offer a more robust and convenient solution for secure access.
This blog post will guide you through the world of SSH keys, explaining their types, generation process, and how to manage them for secure remote connections and how to configure SSH key authentication.
Understanding SSH Keys: An Analogy Imagine your home has two locks:
Combination Lock (Password): Anyone can access your home if they guess the correct combination.
High-Security Lock (SSH Key): Only someone with a specific physical key (your private key) can unlock the door.
Similarly, SSH keys work in pairs:
Private Key: A securely stored key on your local machine. You never share this.
Public Key: A unique identifier you share with the server you want to access. The server verifies the public key against your private key when you attempt to connect. This verification ensures only authorized users with the matching private key can access the server.
Types of SSH Keys There are many types of SSH keys, we are discussing the two main ones:
RSA (Rivest–Shamir–Adleman): The traditional and widely supported option. It offers a good balance of security and performance. Ed25519 (Edwards-curve Digital Signature Algorithm): A newer, faster, and potentially more secure option gaining popularity.
RSA vs. Ed25519 Keys:
Security: Both are considered secure, but Ed25519 might offer slightly better theoretical resistance against certain attacks.
Performance: Ed25519 is generally faster for both key generation and signing/verification compared to RSA. This can be beneficial for slower connections or resource-constrained devices.
Key Size: RSA keys are typically 2048 or 4096 bits, while Ed25519 keys are 256 bits. Despite the smaller size, Ed25519 offers comparable security due to the underlying mathematical concepts.
Compatibility: RSA is widely supported by all SSH servers. Ed25519 is gaining popularity but might not be universally supported on older servers.
Choosing Between RSA and Ed25519:
For most users, Ed25519 is a great choice due to its speed and security. However, if compatibility with older servers is a critical concern, RSA remains a reliable option.
Generating SSH Keys with ssh-keygen Here’s how to generate your SSH key pair using the ssh-keygen command:
Open your terminal.
Run the following command, replacing with your desired name for the key pair:
-b 4096: Specifies the key size (4096 bits is recommended for strong security).
-C “<your_email@example.com”>: Adds a comment to your key (optional).
You’ll be prompted to enter a secure passphrase for your private key. Choose a strong passphrase and remember it well (it’s not mandatory, but highly recommended for added security).
The command will generate two files:
<key_name>>.pub: The public key file (you’ll add this to the server). <key_name>>: The private key file (keep this secure on your local machine).
Important Note: Never share your private key with anyone!
Adding Your Public Key to the Server’s authorized_keys File
Access the remote server you want to connect to (through a different method if you haven’t set up key-based authentication yet).
Locate the ~/.ssh/authorized_keys file on the server (the ~ represents your home directory). You might need to create the .ssh directory if it doesn’t exist.
Open the authorized_keys file with a text editor.
Paste the contents of your public key file (.pub) into the authorized_keys file on the server.
Save the authorized_keys file on the server.
Permissions:
Ensure the authorized_keys file has permissions set to 600 (read and write access only for the owner).
Connecting with SSH Keys Once you’ve added your public key to the server, you can connect using your private key:
ssh <username>@<server_address>
You’ll be prompted for your private key passphrase (if you set one) during the connection. That’s it! You’re now securely connected to the server without needing a password.
Benefits of SSH Keys:
Enhanced Security: More secure than password authentication, making brute-force attacks ineffective.
Convenience: No need to remember complex passwords for multiple servers.
Faster Logins: SSH key-based authentication is often faster than password authentication.
By implementing SSH keys, you can significantly improve the security and convenience of your remote server connections. Remember to choose strong passwords and keep your private key secure for optimal protection.
cPanel and WHM (WebHost Manager) is a popular web hosting control panels that allow server administrators to manage web hosting services efficiently. Among their many features, cPanel offers a handy tool called AutoSSL, which provides free SSL certificates for added security. In this guide, I will show you how to use AutoSSL to secure your server’s hostname.
Step 1: The checkallsslcerts Script
The checkallsslcerts Script is used by cPanel to issue SSL certificates for server hostname. It’s important to note that checkallsslcerts runs as part of the nightly update checks performed on your system. These updates include cPanel’s own update script, upcp (cPanel update script).
Step 2: When to Manually Run AutoSSL
In most cases, checkallsslcerts will take care of securing your server’s hostname during the nightly updates. However, there may be instances when you want to update the SSL certificate manually. This is especially useful if you’ve recently changed your server’s hostname and want to ensure the SSL certificate is updated immediately.
Step 3: Understanding the checkallsslcerts Script
The `/usr/local/cpanel/bin/checkallsslcerts` script is responsible for checking and installing SSL certificates for your server’s hostname. Here’s what the script does:
– It creates a Domain Control Validation (DCV) file. – It performs a DNS lookup for your hostname’s IP address. – It checks the DCV file using HTTP validation (for cPanel & WHM servers). – If needed, it sends a request to Sectigo to issue a new SSL certificate. – It logs the Sectigo requests for validation.
You can learn more about the checkallsslcerts script and it’s usage in this article from cPanel:
Step 4: How to Manually Execute the Script
To manually run the script, use the following command:
/usr/local/cpanel/bin/checkallsslcerts [options]
You can use options like `–allow-retry` and `–verbose` as needed.
Step 5: Troubleshooting and Tips
If you encounter issues with the SSL certificate installation, the script will provide helpful output to troubleshoot the problem. Ensure that your server’s firewall allows access from Sectigo’s IP addresses mentioned in the guide.
Common Issue: Unable to obtain a free hostname certificate due to 404 when DCV check runs in /usr/local/cpanel/bin/checkallsslcerts
After running the /usr/local/cpanel/bin/checkallsslcerts script via SSH, you may see errors similar to the following:
FAILED: Cpanel::Exception/(XID bj6m2k) The system queried for a temporary file at “http://hostname.domain.tld/.well-known/pki-validation/B65E7F11E8FBB1F598817B68746BCDDC.txt”, but the web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist.
[WARN] The system failed to acquire a signed certificate from the cPanel Store because of the following error: Neither HTTP nor DNS DCV preflight checks succeeded!
Description: Encountering errors like “404 Not Found” during the DCV check when running /usr/local/cpanel/bin/checkallsslcerts via SSH? This issue typically arises when the shared IP address doesn’t match the main IP. To resolve it, ensure both IPs match and that the A record for the server’s hostname points to the main/shared IP. Here’s a workaround:
Workaround:
1. Confirm that the main IP and shared IP are identical. 2. Make sure the A record for the server’s hostname points to the main/shared IP. 3. To change the shared IP: Log in to WHM as the ‘root’ user.
Navigate to “Home » Server Configuration » Basic WebHost Manager® Setup.”
Update “The IPv4 address (only one address) to use to set up shared IPv4 virtual hosts” to match the main IP.
Click “Save Changes” and then execute the following via SSH or Terminal in WHM:
This will help resolve issues with obtaining a free hostname certificate in cPanel/WHM.
Conclusion
Securing your cPanel/WHM server’s hostname with a free SSL certificate from AutoSSL is essential for a secure web hosting environment. By following these steps, you can ensure that your server’s hostname is protected with a valid SSL certificate.
Remember to regularly check your SSL certificates to ensure they remain up-to-date and secure.
nopCommerce is an open-source e-commerce platform that allows users to create and manage their online stores. It is built on the ASP.NET Core framework and supports multiple database systems, including MySQL, Microsoft SQL Server, and PostgreSQL as it’s backend. The platform is highly customizable and offers a wide range of features, including product management, order processing, shipping, payment integration, and customer management. nopCommerce is a popular choice for businesses of all sizes because of its flexibility, scalability, and user-friendly interface. In this tutorial, we will guide you through the process of installing nopCommerce on Ubuntu Linux with Nginx reverse proxy and SSL.
Register Microsoft key and feed To register the Microsoft key and feed, launch the terminal and execute these commands:
1. Download the packages-microsoft-prod.deb file by running the command:
To determine the appropriate version of the .NET runtime to install, you should refer to the documentation provided by nopCommerce, which takes into account both the version of nopCommerce you are using and the Ubuntu OS version. Refer to the link below:
3. Verify the installed .Net Core runtimes by running the command:
dotnet --list-runtimes
4. Install the libgdiplus library:
sudo apt-get install libgdiplus
libgdiplus is an open-source implementation of the GDI+ API that provides access to graphic-related functions in nopCommerce and is required for running nopCommerce on Linux.
Install MySql Server Latest nopCommerce support latest MySQL and MariaDB versions. We will install the latest MariaDB 10.6.
1. To install mariadb-server for nopCommerce, execute the following command in the terminal:
sudo apt-get install mariadb-server
2. After installing MariaDB Server, you need to set the root password. Execute the following command in the terminal to set the root password:
sudo /usr/bin/mysql_secure_installation
This will start a prompt to guide you through the process of securing your MySQL installation and setting the root password.
3. Create a database and User. We will use these details while installing nopCommerce. Replace the names of the database and the database user accordingly.
mysql -u root -p
create database nopCommerceDB;
grant all on nopCommerceDB.* to nopCommerceuser@localhost identified by 'P@ssW0rD';
Please replace the database name, username and password accordingly.
4. Reload privilege tables and exit the database.
flush privileges;
quit;
Install nginx
1. To install Nginx, run the following command:
sudo apt-get install nginx
2. After installing Nginx, start the service by running:
sudo systemctl start nginx
3. You can verify the status of the service using the following command:
sudo systemctl status nginx
4. Nginx Reverse proxy configuration To configure Nginx as a reverse proxy for your nopCommerce application, you’ll need to modify the default Nginx configuration file located at /etc/nginx/sites-available/nopcommerce.linuxwebhostingsupport.in. Open the file in a text editor and replace its contents with the following:
You need to replace nopcommerce.linuxwebhostingsupport.in with your domain name 5. Enable the virtual host configuration file: Enable the server block by creating a symbolic link in the /etc/nginx/sites-enabled directory: sudo ln -s /etc/nginx/sites-available/nopcommerce.linuxwebhostingsupport.in /etc/nginx/sites-enabled/
6. Reload Nginx for the changes to take effect:
sudo systemctl reload Nginx
Install NopCommerce
In this example, we’ll use /var/www/nopCommerce for storing the files.
1. Create a directory:
sudo mkdir /var/www/nopCommerce
2. Navigate to the directory where you want to store the nopCommerce files, Download and unpack nopCommerce:
1. Create a file named nopCommerce.service in the /etc/systemd/system directory with the following content:
[Unit]
Description=Example nopCommerce app running on Xubuntu
[Service]
WorkingDirectory=/var/www/nopCommerce
ExecStart=/usr/bin/dotnet /var/www/nopCommerce/Nop.Web.dll
Restart=always
# Restart service after 10 seconds if the dotnet service crashes:
RestartSec=10
KillSignal=SIGINT
SyslogIdentifier=nopCommerce-example
User=www-data
Environment=ASPNETCORE_ENVIRONMENT=Production
Environment=DOTNET_PRINT_TELEMETRY_MESSAGE=false
[Install]
WantedBy=multi-user.target
2. Start the nopCommerce service by running:
sudo systemctl start nopCommerce.service
3. To check the status of the nopCommerce service, use the following command:
sudo systemctl status nopCommerce.service
Also, check if the service is running on port 5000
sudo lsof -i:5000
4. After that, restart the nginx server:
sudo systemctl restart nginx
Now that the prerequisites are installed and configured, you can proceed to install and set up your nopCommerce store.
Install nopCommerce After completing the previous steps, you can access the website through the following URL: http://nopcommerce.linuxwebhostingsupport.in. Upon visiting the site for the first time, you will be automatically redirected to the installation page as shown below:
Provide the following information in the Store Information panel:
Admin user email: This is the email address of the first administrator for the website.
Admin user password: You must create a password for the administrator account.
Confirm password: Confirm the admin user password.
Country: Choose your country from the dropdown list. By selecting a country, you can configure your store with preinstalled language packs, preconfigured settings, shipping details, VAT settings, currencies, measures, and more.
Create sample data: Check this box if you want sample products to be created. It is recommended so that you can start working with your website before adding your own products. You can always delete or unpublish these items later.
In the Database Information panel, you will need to provide the following details:
Database: Select either Microsoft SQL Server, MySQL, or PostgreSQL. Since, we are installing nopCommerce on Linux and MariaDB, choose the MySQL.
Create database if it doesn’t exist: We recommend creating your database and database user ahead of time to ensure a successful installation. Simply create a database instance and add the database user to it. The installation process will create all the tables, stored procedures, and more. Uncheck this option since we can use the database and database user we created earlier.
Enter raw connection string (advanced): Select this option if you prefer to enter a Connection string instead of filling the connection fields. For now, leave this unchecked
Server name: This is the IP, URL, or server name of your database. Use “localhost”.
Database name: This is the name of the database used by nopCommerce. Use the database we created earlier.
Use integrated Windows authentication: Leave it unchecked
SQL Username: Enter your database user name we created earlier.
SQL Password: Use your database user password we used earlier.
Specify custom collation: Leave this advanced setting empty.
Click on the Install button to initiate the installation process. Once the installation is complete, the home page of your new site will be displayed. Access your site from the following URL: http://nopcommerce.linuxwebhostingsupport.in.
Note: You can reset a nopCommerce website to its default settings by deleting the appsettings.json file located in the App_Data folder.
Adding and Securing the nopCommerce We will be using Let’s Encrypt to add free and secure SSL certificate. Let’s Encrypt is a free, automated, and open certificate authority that allows you to obtain SSL/TLS certificates for your website. Certbot is a command-line tool that automates the process of obtaining and renewing these certificates, making it easier to secure your website with HTTPS.
Here are the steps to install SSL with Certbot Nginx plugins:
1.Install Certbot: First, make sure you have Certbot installed on your server. You can do this by running the following command:
2. Obtain SSL Certificate: Next, you need to obtain an SSL certificate for your domain. You can do this by running the following command: sudo certbot –nginx -d yourdomain.com
Replace yourdomain.com with your own domain name. This command will automatically configure Nginx to use SSL, obtain a Let’s Encrypt SSL certificate and set an automatic redirect from http to https.
3.Verify SSL Certificate: Once the certificate is installed, you can verify it by visiting your website using the https protocol. If the SSL certificate is valid, you should see a padlock icon in your browser’s address bar.
4. Automatic Renewal: Certbot SSL certificates are valid for 90 days. To automatically renew your SSL certificate before it expires, you can set up a cron job to run the following command:
sudo certbot renew --quiet
This will check if your SSL certificate is due for renewal and automatically renew it if necessary.
5. nopCommerce also recommend turning “UseProxy setting to true in the appsettings.json file located in the App_Data folder if we are using SSL. So change this value too.
nopCommerce is a popular open-source e-commerce platform that offers users a flexible and scalable solution for creating and managing online stores. In this tutorial, we provided a step-by-step guide for installing and configuring nopCommerce on Ubuntu Linux with Nginx reverse proxy and SSL. We covered the installation of Microsoft key and feed, .NET Core Runtime, MySQL server, and Nginx reverse proxy. We also discussed how to configure Nginx as a reverse proxy for the nopCommerce application. By following this tutorial, you can set up a secure and reliable nopCommerce e-commerce store on Ubuntu Linux.
