Free SSL Certificates that Automatically Renew with CertBot and LetsEncrypt


It’s been a while since I wrote a blog post (over 5 years!) and in republishing my blog, I wanted to ensure a few best practices were in place.  One of those is ensuring that all content is served over HTTPS.

Thankfully, we’ve come a long way in the past 5 years when it comes to providing a simple and cost-free way to serve content using HTTPS – thanks to the CA LetsEncrypt, you can now generate free SSL certificates with ease:

  1. Head over to CertBot from the EFF
  2. Select your OS and web server
  3. Follow the step-by-step guide to install CertBot
  4. Bam!  You’re running under HTTPS

Because certificates from LetsEncrypt are only valid for 90 days, you need to set up a cron job to renew the certificate.  I do this on a weekly basis as follows:

letsencrypt renew --post-hook "service apache2 reload"
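A wrapper script for that weekly cron job, added here as an example and not part of the original post. It assumes the client binary is called `certbot` (the `letsencrypt` name above is the older alias) and that Apache is reloaded with `service apache2 reload` as in the post; the log path is an assumption too. The one behavioural difference from the command above is that it uses `--deploy-hook`, which only fires when a certificate was actually replaced, whereas `--post-hook` runs after every invocation, including the no-op runs that make up most of the year.

```shell
#!/bin/sh
# Renewal wrapper for a weekly cron job (added example, not from the post).
# Assumes the binary is "certbot" and a SysV-style "service" command.
set -u

CERTBOT=${CERTBOT:-certbot}
RELOAD_CMD=${RELOAD_CMD:-"service apache2 reload"}
LOG=${RENEW_LOG:-/var/log/letsencrypt-renew.log}   # assumed log location

# Renew anything within certbot's renewal window (30 days of expiry by
# default). The deploy hook runs only when a certificate was actually
# replaced, so the web server is not reloaded on the no-op runs.
renew_certs() {
    "$CERTBOT" renew --quiet --deploy-hook "$RELOAD_CMD"
}

# Exercise the renewal configuration against the staging environment
# without touching the real certificates. Run this after editing the
# renewal config or hooks, before trusting cron with it.
check_renewal() {
    "$CERTBOT" renew --dry-run
}

# Entry point for cron: timestamp every run and exit with certbot's
# status so a failure is visible (and mailed by cron if MAILTO is set).
main() {
    {
        printf '%s starting renewal\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        renew_certs
        status=$?
        printf '%s finished with status %s\n' \
            "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$status"
        exit "$status"
    } >>"$LOG" 2>&1
}

# Suggested crontab line (Monday 03:00), assuming the script is installed
# at /usr/local/sbin/renew-certs.sh:
#   0 3 * * 1 /usr/local/sbin/renew-certs.sh
# Run main only when executed under that name, not when sourced.
case "${0##*/}" in
    renew-certs.sh) main ;;
esac
```

Running `check_renewal` once after installing the script catches a broken hook or a changed web root before the first real renewal attempt fails silently.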

How-To: Check root DNS settings for domain

Using “dig” you can determine what IP address or CNAME your domain is pointing to quite easily. However, what I didn’t know was that you can follow the delegation from the root servers down to your domain’s authoritative servers, bypassing your resolver’s cache, so you can check whether the record is set correctly when you are migrating to a new IP address.

To do this, simply type:

dig domaintolookup.com +trace

How-To: Recursively remove .svn folders

Okay, so you’ve accidentally added a bunch of files to SVN.  Or, you need to copy a bunch of files but you don’t want to take the .svn folders with you.  How do you get rid of these?  On any *nix machine (Mac included) you can run the following command:

rm -rf `find . -type d -name .svn`
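The backtick form above works until a directory name contains a space: the shell splits find’s output on whitespace, so `My Project/.svn` becomes two arguments and the wrong paths get passed to `rm -rf`. The functions below are an added example (not the post’s own command) that do the same job with `-exec ... {} +`, which hands each path to `rm` as a single argument, plus a copy helper that assumes `rsync` is installed.

```shell
#!/bin/sh
# Safer equivalents of: rm -rf `find . -type d -name .svn`
# (added example, not from the post).
set -u

# Print the .svn directories below $1 without descending into them
# (-prune: there is nothing to find inside one, and it saves the walk).
list_svn_dirs() {
    find "${1:-.}" -type d -name .svn -prune -print
}

# Remove them. "-exec ... {} +" passes each path as its own argument,
# so spaces and other odd characters in directory names are safe.
remove_svn_dirs() {
    find "${1:-.}" -type d -name .svn -prune -exec rm -rf -- {} +
}

# Number of .svn directories left, to confirm the tree is clean.
count_svn_dirs() {
    list_svn_dirs "${1:-.}" | wc -l | tr -d ' '
}

# Copy a tree while leaving the .svn folders behind, which is the
# second case in the post. Assumes rsync is available; the trailing
# slash on the source copies its contents rather than the directory.
copy_without_svn() {
    rsync -a --exclude=.svn -- "${1%/}/" "$2"
}
```

`list_svn_dirs` is worth running first: it shows exactly what `remove_svn_dirs` is about to delete, which is the check most people wish they had made before the original one-liner ran in the wrong directory.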

yum fails: Fixing Fedora Core 5 yum repositories

Fedora Core 5 is currently EOL – it’s not supported any more.  As a result, you might find you can’t use yum to install packages any more – you get an error message about this file not existing:

http://download.fedora.redhat.com/pub/fedora/linux/core/5/i386/os/repodata/repomd.xml

This is because the repositories that yum uses aren’t there anymore.  However you can modify the repositories in /etc/yum/repos.d/ and add these to fix the problem:

http://archive.fedoraproject.org/pub/archive/fedora/linux/core/6/i386/os/
http://archive.fedoraproject.org/pub/archive/fedora/linux/core/6/i386/debug/
http://archive.fedoraproject.org/pub/archive/fedora/linux/core/6/source/SRPMS/

http://archive.fedoraproject.org/pub/archive/fedora/linux/core/updates/6/i386/
http://archive.fedoraproject.org/pub/archive/fedora/linux/core/updates/6/i386/debug/
http://archive.fedoraproject.org/pub/archive/fedora/linux/core/updates/6/SRPMS/

http://archive.fedoraproject.org/pub/archive/fedora/linux/extras/6/i386/

An example change would be to the /etc/yum/repos.d/fedora-core.repo file:

[core]
name=Fedora Core $releasever - $basearch
#baseurl=http://download.fedora.redhat.com/pub/fedora/linux/core/$releasever/$basearch/os/
baseurl=http://archive.fedoraproject.org/pub/archive/fedora/linux/core/5/i386/os/

How-To: Remotely monitor your server with monit

monit is a fantastic utility that can be installed on Linux or Mac OS X and provides the ability to monitor services running on your server.  These could be apache, mysql, bind or any other service you need to be up and running.  After installing monit, you create a config file containing information about the services you want to monitor.  Monit will then dutifully monitor the services, and email you if they go down.  You can even configure it to restart a service if it fails.

Running on top of monit is m/monit, a web-based service which pulls information from all your servers running monit and presents it in an easily accessible format on a web page.  You can use this as your monitoring station for your website, for instance, as it also includes information such as load average, disk usage and uptime – in addition to the services you are monitoring.

Highly recommended.

How-To: Check a Reverse DNS Record Lookup (PTR Record) and Solve Email Delivery Issues

More and more mail servers are starting to reject email if your outgoing mail server doesn’t have a reverse DNS record or PTR record. You can check if you have one by issuing the following command:

dig -x 127.0.0.1

Obviously, replace the 127.0.0.1 address with the relevant IP address of your mail server. You should receive a response like this:

; <<>> DiG 9.4.1-P1 <<>> -x 67.192.127.21
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17269
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;21.127.192.67.in-addr.arpa.	IN	PTR

;; ANSWER SECTION:
21.127.192.67.in-addr.arpa. 3600 IN	PTR	myserver.mydomain.com.

;; Query time: 217 msec
;; SERVER: 203.50.2.71#53(203.50.2.71)
;; WHEN: Thu Jul 10 11:09:58 2008
;; MSG SIZE  rcvd: 79

If you don't have one set up, you won't get a response in the ANSWER SECTION - so contact your host and ask them to set one up for you. It can help save a lot of headaches when you get bounce-back messages such as:

Could not deliver the message in the time limit specified.  Please
retry or contact your administrator.
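Receiving mail servers usually go one step further than checking that a PTR exists: they also resolve the name the PTR returns and require it to come back to the same address (forward-confirmed reverse DNS). The script below, an added example rather than part of the post, performs both halves of that check with `dig`. The address and host name are the constructed ones from the sample output above, not real hosts.

```shell
#!/bin/sh
# Forward-confirmed reverse DNS check (added example, not from the post).
# Assumes "dig" is on the PATH.
set -u

# Build the in-addr.arpa name for a dotted-quad IPv4 address, e.g.
# 67.192.127.21 -> 21.127.192.67.in-addr.arpa (what dig -x queries).
ptr_name() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || { echo "ptr_name: not an IPv4 address" >&2; return 1; }
    for octet in "$@"; do
        case $octet in
            ''|*[!0-9]*) echo "ptr_name: bad octet '$octet'" >&2; return 1 ;;
        esac
    done
    printf '%s.%s.%s.%s.in-addr.arpa\n' "$4" "$3" "$2" "$1"
}

# PTR name for an address (trailing dot stripped), empty if there is none.
lookup_ptr() {
    dig +short -x "$1" | sed 's/\.$//' | head -n 1
}

# A records for a host name, one per line.
lookup_a() {
    dig +short "$1" A
}

# Exit 0 and print the confirmed name when the PTR exists and resolves
# back to the address; 1 when the PTR is missing; 2 when it exists but
# does not point back (the case that still gets mail rejected).
fcrdns_check() {
    ip=$1
    name=$(lookup_ptr "$ip")
    if [ -z "$name" ]; then
        echo "no PTR record for $ip" >&2
        return 1
    fi
    if lookup_a "$name" | grep -qx "$ip"; then
        printf '%s\n' "$name"
        return 0
    fi
    echo "PTR $name for $ip does not resolve back to $ip" >&2
    return 2
}
```

Run it as `fcrdns_check <your mail server IP>`; a return code of 2 is the one to raise with your host, since the PTR they set up points at a name whose A record was never updated to match.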

How-To Fix: make: yacc: Command not found

I have been getting the following error when trying to compile monit for my CentOS server:

make: *** [y.tab.c] Error 127

To resolve it, I simply installed bison:

yum install bison

Then run configure again:

./configure
make && make install

And that fixed the problem!  Hope that helps someone.

Handy RPM Search Utility – rpm.pbone.net

If you are looking for an easy way to find RPMs for your favourite Linux distribution, there are many options out there.  However, none seem to have the ease of use and search capabilities of rpm.pbone.net.  The service is easy to use and covers all the major distributions and versions.  Very handy.

How-To: Configure Postfix to Relay based on Domain

We use Postfix as a drop-in replacement for Sendmail on our servers.  We wanted to configure Postfix to relay email via our internal mail server for internal email addresses, and send directly if the email address was external.

To do this, follow these steps:

  1. Edit the /etc/postfix/transport file and add the following line:

     myinternaldomain.com   smtp:[ipaddress]:25

  2. Edit the /etc/postfix/main.cf file and add the following line to the end:

     transport_maps = hash:/etc/postfix/transport

  3. Run the following commands at the prompt (postmap compiles the transport file into the hash database that Postfix reads):

     [root@triton postfix]# postmap /etc/postfix/transport
     [root@triton postfix]# service postfix restart


And you should be done!
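The three steps above as a script, added here as an example and not taken from the post or from Postfix’s own tooling. It assumes a standard Postfix install with `postmap`, `postconf` and `postfix` on the PATH; the domain, relay address and file path in the test data are placeholders. The point it adds to the manual steps is idempotence: re-running it replaces an existing route for the domain instead of appending a duplicate line, which matters because Postfix uses whichever entry `postmap` stored last.

```shell
#!/bin/sh
# Per-domain relay routes in the Postfix transport map (added example,
# not from the post). Assumes a standard Postfix installation.
set -u

TRANSPORT=${TRANSPORT:-/etc/postfix/transport}

# Append or replace the route for one domain. A line looks like:
#   myinternaldomain.com   smtp:[10.0.0.25]:25
# The brackets tell Postfix to connect straight to that host instead of
# doing an MX lookup for it. Matching is on the whole first field, so a
# domain is only ever present once after this runs.
add_transport_route() {
    domain=$1; relay=$2; port=${3:-25}; file=${4:-$TRANSPORT}
    [ -n "$domain" ] && [ -n "$relay" ] || {
        echo "usage: add_transport_route domain relay [port] [file]" >&2
        return 1
    }
    tmp=$(mktemp "$file.XXXXXX") || return 1
    if [ -f "$file" ]; then
        awk -v d="$domain" '$1 != d' "$file" > "$tmp"   # drop old entry
    else
        : > "$tmp"
    fi
    printf '%s\tsmtp:[%s]:%s\n' "$domain" "$relay" "$port" >> "$tmp"
    mv "$tmp" "$file"   # atomic replace of the text map
}

# Print the transport for a domain, empty if it is not routed. This
# reads the text file; "postmap -q domain hash:/etc/postfix/transport"
# asks the compiled .db the same question.
transport_for() {
    [ -f "${2:-$TRANSPORT}" ] || return 0
    awk -v d="$1" '$1 == d { print $2 }' "${2:-$TRANSPORT}"
}

# Compile the map, point main.cf at it and reload. postmap is the step
# that builds transport.db; editing the text file alone changes nothing.
apply_transport() {
    postmap "hash:$TRANSPORT" &&
    postconf -e "transport_maps = hash:$TRANSPORT" &&
    postfix reload
}
```

Typical use on the server is `add_transport_route myinternaldomain.com 10.0.0.25 && apply_transport`, and `transport_for myinternaldomain.com` afterwards to confirm what got written before mail starts flowing through it.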

Centralized storage of prototype.js with Google AJAX Libraries API

Google has just announced that it now provides a free, hosted copy of many common AJAX Javascript libraries through the Google AJAX Libraries API.  This has huge implications for speed and caching for users hitting sites which utilise these libraries:

  • Google automatically serves them up in Gzip format (if your browser supports this)
  • Caching is done by Google – you only have to load a copy once, and it can be used at many sites!
  • The servers are really quick
  • The servers are physically “close” to users (utilising the Google network)
  • They are minified

This is a very exciting development, as I use many of these libraries in my applications – and the speed at which they load directly impacts all users of the software I develop.