Update An SSL Certificate

Once every year, I need to update the SSL certificate for one my domains. Somehow, I’ve never written down the instructions until now:

Step 1: Initiate the Certificate Renewal

Start by purchasing a certificate renewal from the vendor. (I use Thawte.) They’ll send an email asking for purchase approval.

Step 2: Generate a Certificate Signing Request (CSR)

At the command line, navigate to the folder where certs and keys are stored. Mine is /etc/pki/tls/, and contains folders certs, misc, and private. In my setup, it also contains the .conf file for openssl.

Type the following command:

sudo openssl genrsa -des3 -out private/your-keyname-here.key 2048

This creates a private key owned by root and stores it in the file, /etc/pki/tls/private/your-keyname-here.key.

Next, working from within the same folder as before, use this private key to create a CSR. Type:

sudo openssl req -new -key private/your-keyname-here.key -out your-keyname-here.csr

The openssl process will now ask for certain details to be included in the CSR. When requested, do not enter an email address, challenge password or an optional company name. The process creates a CSR file owned by root and stores it in, /etc/pki/tls/your-keyname-here.csr.

Now validate the CLR on this testing site. For more details about generating the CSR, check here.

Step 3: Submit the CSR

Navigate to the certificate provider’s website, sign in, then submit the CSR for approval. On success, the provider will send download and installation instructions via email.

Step 4: Install the certificate

Follow the instructions in the email to download the certificate, unzip it, and move the contained files into the appropriate target directory or directories for your setup. My latest certificate included two files, namely, ssl_certificate.crt and IntermediateCA.crt. In my setup, both files went into the /etc/pki/tls/certs/ folder. Make sure to be logged as root when creating these files, and set file permissions to 644.

For more details, visit this page.

Step 5: Update the SSL config file

Back at the command line, navigate to /etc/httpd/conf.d/ and open ssl.conf. Find the lines for the following settings:

SSLCertificateFile
SSLCertificateKeyFile
SSLCertificateChainFile

… and make sure they point to correct files and locations for each of these settings. My setup looks like this:

SSLCertificateFile /etc/pki/tls/certs/ssl_certificate.crt
SSLCertificateKeyFile /etc/pki/tls/private/mydomain.com.key
SSLCertificateChainFile /etc/pki/tls/certs/IntermediateCA.crt

Step 6: Reboot the server

Follow the instructions in the earlier article, Rebooting the MSA Server on Digital Ocean, to restart the server.

Step 7: Verify success

Once the server is back up, verify the certificate is working properly using this testing tool.


@Note on passphrases for SSL certs: if you opt for a passphrase when creating a CSR, you’ll need to provide this passphrase each time the server is rebooted. This is okay for a stable environment but becomes a pain when server restarts are frequent.

I opted to remove the passphrase on my dev server using the instructions outlined here. However, my production server still requires the passphrase.

 

Accessing the Boot Screen in Windows 10

I recently needed to install Linux alongside Windows 10, and discovered that accessing the boot screen has become a bit more involved that just punching the F1 key on startup. There are two ways to get there as described by Microsoft.

From the settings screen:

  1. Select the Start button, then choose Settings .
  2. Select Update & security > Recovery.
  3. Under Advanced startup select Restart now.
  4. After your PC restarts to the Choose an option screen, select Troubleshoot > Advanced options > Startup Settings > Restart.
  5. After your PC restarts, select a startup setting by pressing the corresponding number.

From the sign-in screen:

  1. On the sign-in screen, hold the Shift key down while you select Power > Restart (in the lower-right corner of the screen).
  2. After your PC restarts to the Choose an option screen, select Troubleshoot > Advanced options > Startup Settings > Restart.
  3. After your PC restarts, select a startup setting from the list of options by pressing the corresponding number on your keyboard.

Creating a SubDomain in Apache

I recently needed to create a subDomain for one of my websites. This subdomain points to a separate WordPress installation that is linked to from the parent domain. Here’s a quick overview of how to do this.

The directory structure on my server is similar to the following:

var/www/html/example
var/www/html/blog

Start by navigating to the /etc/apache2/sites-available directory, then create a configuration file for the new subDomain using a command structured as follows – just switch ‘example’ and ‘blog’ with your target domain and subDomain names:

$ sudo cp 000-default blog.example.com.conf

Now open blog.example.com.conf in an editor and make the following changes:

ServerName blog.example.com
ServerAdmin <your admin's email address goes here>
DocumentRoot /var/www/html/blog

If it’s been set, remove or comment out ServerAlias.

Next, enable the new subDomain as follows:

sudo a2ensite blog.example.com.conf

Now reload and restart the server:

$ sudo service reload apache2
$ sudo service restart apache2

And finally, set up a CNAME record for the subdomain in the parent domain’s DNS zone file.

That’s all! Go to blog.example.html to view the contents of the subdirectory.

Installing WordPress

Here’s a simple guide to getting a manual installation of WordPress up and running on a personal server.

1) Create a MySQL database for the installation

2) Download the latest version of WordPress at http://wordpress.org/download

3) Create a new folder on your desktop and unzip WordPress in it

4) Look for wp-config-sample.php and copy it to wp-config.php

5) Open wp-config.php and set the database access credentials as follows:

 	define(‘DB_HOST’, ‘127.0.0,1’)
 	define(‘DB_NAME’, ‘database_name’)
 	define(‘DB_USER’, ‘username’)
 	define(‘DB_PASSWORD’, ‘password’)

6) Next, scroll down and set the keys and salts to something unique, as shown here, then save the file:

define('AUTH_KEY', 'Put something unique here');
define('SECURE_AUTH_KEY', 'Put something unique here');
define('LOGGED_IN_KEY', 'Put something unique here');
define('NONCE_KEY', 'Put something unique here');
define('AUTH_SALT', 'Put something unique here');
define('SECURE_AUTH_SALT', 'Put something unique here');
define('LOGGED_IN_SALT', 'Put something unique here');
define('NONCE_SALT', 'Put something unique here');

7) Upload the entire contents of the folder to the hosting server

8) Make sure the host’s server is set to recognize the target domain, and that the domain points to the server

9) Go to yourdomain.com/wp-admin/install.php to customize and start using WordPress

Because this is being installed manually on a personal server (and not by a proprietary install script) the installation directory and files will be owned by the logged user. WordPress doesn’t like this when it comes to adding content or uploading images, or when installing plugins. To fix this permissions problem, make sure the logged user is included in the www-data group.

Monitoring Server Uptime

I operate a personal server from my office that’s gone down twice in the past month due to a power-out. Each time, it took a while before I realized there was a problem. There is a battery backup, but somehow this just doesn’t cut in quickly enough.

The quick fix was an external uptime monitoring service that notifies me immediately when something goes wrong, namely UptimeRobot.

UptimeRobot’s free plan provides up to 50 monitors and checks server status every 5 minutes. Set up is practically instant, and the dashboard is easy to use. The app’s monitors send an alert by email if a problem arises connecting with a targeted server. The paid plan includes SMS alerts and checks at 1 minute intervals.