Free SSL Certificates that Automatically Renew with CertBot and LetsEncrypt


It’s been a while since I wrote a blog post (over 5 years!) and in republishing my blog, I wanted to ensure a few best-practices were in place.  One of those is ensuring that all content is served up over HTTPS.

Thankfully, we’ve come a long way in the past 5 years when it comes to providing a simple and cost-free way to serve content using HTTPS – with thanks to the CA LetsEncrypt, you can now generate free SSL certificates with ease:

  1. Head over to CertBot from the EFF
  2. Select your OS and web server
  3. Follow the step-by-step guide to install CertBot
  4. Bam!  You’re running under HTTPS

Because certificates from LetsEncrypt are only valid for 90 days, you need to set up a cron job to renew the certificate.  I do this on a weekly basis as follows:

letsencrypt renew --post-hook "service apache2 reload"
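
A renewal job that fails silently only shows up when the certificate expires, so it is worth checking the expiry date independently. The following is an added example, not part of the original post: a Python check that classifies a certificate against the weekly schedule above. It assumes the client renews once fewer than 30 days remain (RENEW_WINDOW_DAYS); the function and status names are illustrative.

```python
import socket
import ssl
import time

RENEW_WINDOW_DAYS = 30   # assumption: client renews once fewer than 30 days remain
CRON_INTERVAL_DAYS = 7   # the weekly cron job described in the post

def days_remaining(not_after, now=None):
    """Days until expiry for a notAfter string like 'Jun 30 00:00:00 2025 GMT'."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(not_after) - now) / 86400

def renewal_status(not_after, now=None):
    """Classify a certificate against the weekly renewal schedule."""
    left = days_remaining(not_after, now)
    if left <= 0:
        return "expired"
    # A working weekly job renews at most 7 days after the window opens,
    # so a healthy certificate never drops below 30 - 7 = 23 days.
    if left < RENEW_WINDOW_DAYS - CRON_INTERVAL_DAYS:
        return "renewal-overdue"
    if left < RENEW_WINDOW_DAYS:
        return "renewal-due"
    return "ok"

def fetch_not_after(host, port=443, timeout=10):
    """Read notAfter from the certificate a live server presents (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]

if __name__ == "__main__":
    import sys
    try:
        status = renewal_status(fetch_not_after(sys.argv[1]))
    except ssl.SSLCertVerificationError:
        # The verified handshake itself rejects an expired or untrusted certificate.
        status = "expired-or-untrusted"
    print(status)
    sys.exit(0 if status in ("ok", "renewal-due") else 1)
```

Run it with the site's hostname as the only argument; a non-zero exit code means the renewal job needs attention.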

How-To: Redirect all requests to maintenance page with mod_rewrite

A common requirement when performing maintenance on your website is to redirect all requests to a downtime message. This can be very easily achieved using mod_rewrite and a .htaccess file. Simply create an .htaccess file with the following directives:

RewriteEngine On
RewriteRule !^site-down\.html$ /site-down.html [L]

This will redirect all requests to the site-down.html file. Once your maintenance period is over, remove the commands above (or comment them out with a # character) and you are back up and running.

How-To: Fix “command not in docroot” suexec apache error

If you’re in the process of setting up a new server, and you want users to have the ability to execute scripts in their home directory:

http://myserver.com/~myname

You will often run into problems with suexec. suexec is an Apache security construct to stop users from executing scripts outside of a known path.

I was receiving the following error in my suexec.log file:

[2008-05-02 15:45:40]: command not in docroot (/path/to/my/script/here/)

If your server isn’t connected to the internet, or you have strict control over who has accounts on it, it’s quite safe (in my opinion) to remove the suexec restriction and subsequently resolve the errors caused by it. To do this, remove the suexec options in the conf file(s): httpd.conf and/or extra/httpd-vhosts.conf.

For example, in Apache 2 – in all sections, comment out or remove the “SuexecUserGroup xxx yyy” line.

This will remove the suexec controls, which will prompt Apache to drop the security checks associated with it and allow your script to execute.

Alternatively you can re-configure Apache at compilation time without the “--enable-suexec” option.

How-To: Redirect one domain to another with mod_rewrite

Recently I needed to change the end of one of our domains from .com to .org. However we wanted to maintain any old links that pointed at the .com domain.

Using mod_rewrite you can achieve this move seamlessly for users, and keep all the parameters intact. Simply add the following lines to your .htaccess file:

RewriteEngine On
RewriteCond %{HTTP_HOST} ^www\.example\.com$
RewriteRule (.*) http://www.example.org/$1 [R=Permanent]

All requests for www.example.com will be rewritten to www.example.org. It’s that easy!

How-To: htaccess – Require a password for some IPs, not others

The following is a really useful .htaccess configuration that allows certain IP addresses to access a site without a password, while requiring everyone else to enter a password:

AuthName "My Secret Page Here"
AuthUserFile /sites/apache-passwords
AuthType Basic
Require valid-user
Order deny,allow
Deny from all
Allow from 171.231.12.8
Satisfy Any

Some really handy examples are available here too.

Best Free Mac OS X Applications

Recently I upgraded to a new Mac. I like to install applications from scratch when I upgrade, as it allows me to clean out all the garbage that I didn’t need in the first place. So I’ve compiled a list of all the best free applications I like to have installed on my Mac.

Must-haves:

  • Adium – ICQ/MSN/GTalk client
  • Growl – universal notification
  • Quicksilver – excellent replacement for Spotlight
  • Cyberduck – SFTP/FTP Client
  • Google Notifier – GMail notifier
  • HandBrake – DVD to MPEG converter (iPhone, Apple TV etc!)
  • DivX for Mac – Video player
  • MAMP – Apache/Mysql/PHP wrapped up in a single download!
  • NeoOffice – Sun’s Star Office for the Mac
  • RDC – Beta version of Remote Desktop from Microsoft.  Access Windows Machines remotely.
  • Skype
  • Firefox

Nice to have: