Let’s Encrypt on EC2

You can get a free, browser-trusted TLS certificate from Let's Encrypt. In this article, I will go through the steps to install a Let's Encrypt certificate for Apache running on Amazon Linux.

Things you should know about Let's Encrypt:
1. Let's Encrypt certificates are valid for 90 days, so renewal has to be automated (see step 7).
2. Wildcard certificates cannot be obtained with the HTTP-01 (webroot) validation used in this article. When this was written Let's Encrypt did not issue them at all; they are now available, but only through DNS-01 validation.

Requirements:
1. An email address (used for expiry notices and account recovery).
2. The domain's DNS must point at this server, and the server must be reachable from the Internet on port 80. Let's Encrypt validates that you control the domain by fetching a challenge file from http://yourdomain.com/.well-known/acme-challenge/<token>, so that path has to be served from the webroot you hand to the client and must not be blocked by a firewall rule, rewrite or authentication.

Installation steps:

1. Install some requirements for the following steps.

yum install python27-devel git

2. Clone the letsencrypt repository and run the installer. The letsencrypt-auto wrapper bootstraps its own Python dependencies; --debug is required because Amazon Linux is not one of its officially supported platforms.

git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
/opt/letsencrypt/letsencrypt-auto --debug

3. Create a config file that will be reused for new certificates and for renewals. It holds the private key size and your contact email address; the option names are the command-line flags without the leading dashes. Run these commands once, since >> appends and repeating them duplicates the lines.

echo "rsa-key-size = 4096" >> /etc/letsencrypt/config.ini
echo "email = email@example.com" >> /etc/letsencrypt/config.ini

4. Request a certificate for your domain and its www subdomain. -w is the document root from which the domain is served over HTTP; the client writes the challenge files under <webroot>/.well-known/acme-challenge/ and Let's Encrypt fetches them from there. Pass bare host names to -d, not URLs, and make sure both names resolve to this server, because each name is validated separately.

/opt/letsencrypt/letsencrypt-auto certonly --webroot -w /var/www/yourdomainroot -d yourdomain.com -d www.yourdomain.com --config /etc/letsencrypt/config.ini --agree-tos

5. Remove the directory that was used for validation. This step is optional: the client deletes the challenge files itself and recreates the directory at each renewal. rmdir would fail here because .well-known is not empty (it still contains acme-challenge), so remove it recursively:

rm -r /var/www/yourdomainroot/.well-known

6. The certificates are written to /etc/letsencrypt/live/yourdomain.com/. The files there are symlinks that always point at the newest issued version, so the paths below keep working after renewals. The last thing is to update your web server's configuration. For Apache it will look like this:

Listen 443
<VirtualHost *:443>
ServerName yourdomain.com
DocumentRoot "/var/www/yourdomainroot"
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/yourdomain.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/yourdomain.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/yourdomain.com/chain.pem
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
</VirtualHost>

Do not skip the chain file: without the intermediate certificate, clients that do not already have it cached fail validation even though your own certificate is valid. On Apache 2.4.8 or later SSLCertificateChainFile is deprecated; point SSLCertificateFile at fullchain.pem instead and drop the chain line. If none of your clients need TLS 1.0 or 1.1, tighten SSLProtocol further (for example all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1).

7. Add the renew command to a crontab, for example once a day at 03:00 as below. renew only replaces certificates that are within 30 days of expiry, so it is cheap to run often, but the web server must be reloaded afterwards or Apache keeps serving the old certificate until its next restart. --agree-tos is harmless here but is not needed for renewals.

0 3 * * * /opt/letsencrypt/letsencrypt-auto renew --config /etc/letsencrypt/config.ini --agree-tos && apachectl graceful

A cleaner variant is renew --deploy-hook "apachectl graceful", which reloads Apache only when a certificate was actually replaced. Renewal reuses the webroot validation from step 4, so http://yourdomain.com/.well-known/acme-challenge/ has to stay reachable: redirecting all of port 80 to HTTPS is fine (the validator follows redirects), but a rewrite that returns 404 for that path breaks renewals.
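A renewal job that silently stops working is only noticed when the certificate has expired, so it pays to monitor expiry independently of cron. The script below is an added example, not part of the original article or of the Let's Encrypt client: it reads the notAfter date either from the certificate on disk (via the openssl CLI) or from the certificate the live server presents, and reports the days remaining. The 30-day threshold is the client's own renewal window, so fewer days than that on a host that runs renew daily means the job in step 7 is broken. Host names, paths and the script name are placeholders.

```python
"""Expiry monitor for a Let's Encrypt certificate (added example).

Reads the notAfter date from the certificate on disk (via the openssl CLI)
or from the certificate the live server presents, and reports how many
days remain. Run it from cron with a threshold below the renewal window
so that a stuck renewal is noticed before the certificate expires.
"""
import socket
import ssl
import subprocess
from datetime import datetime, timezone

# The client renews when fewer than 30 days remain; fewer than that on a
# server that runs "renew" daily means the renewal job is not working.
RENEW_WINDOW_DAYS = 30

# openssl prints "notAfter=Jun  1 12:00:00 2024 GMT"; ssl.getpeercert()
# returns the same value without the "notAfter=" prefix.
NOT_AFTER_FORMAT = "%b %d %H:%M:%S %Y %Z"


def parse_not_after(text):
    """Turn either notAfter representation into an aware UTC datetime."""
    value = text.strip()
    if value.startswith("notAfter="):
        value = value[len("notAfter="):]
    # strptime tolerates the double space before a single-digit day.
    naive = datetime.strptime(value, NOT_AFTER_FORMAT)
    return naive.replace(tzinfo=timezone.utc)


def days_remaining(not_after_text, now=None):
    """Whole days until expiry; negative once the certificate has expired."""
    now = now or datetime.now(timezone.utc)
    return (parse_not_after(not_after_text) - now).days


def needs_attention(not_after_text, now=None, window=RENEW_WINDOW_DAYS):
    """True when fewer than `window` days are left, i.e. renewal should have run."""
    return days_remaining(not_after_text, now) < window


def not_after_from_file(cert_path):
    """notAfter of a PEM file such as /etc/letsencrypt/live/<domain>/cert.pem."""
    result = subprocess.run(
        ["openssl", "x509", "-noout", "-enddate", "-in", cert_path],
        check=True, capture_output=True, text=True,
    )
    return result.stdout


def not_after_from_server(host, port=443):
    """notAfter of the certificate the server actually serves, as a browser sees it.

    create_default_context() verifies the chain as well, so a missing
    intermediate (wrong chain file in the Apache config) surfaces here as an
    SSL error instead of going unnoticed."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


if __name__ == "__main__":
    import sys
    # Usage: check_cert.py yourdomain.com   (hypothetical script name)
    host = sys.argv[1]
    text = not_after_from_server(host)
    print("%s: %d days remaining" % (host, days_remaining(text)))
    sys.exit(1 if needs_attention(text) else 0)
```

Checking the live endpoint rather than the file is deliberate: it catches the case where renewal succeeded but Apache was never reloaded, which the file on disk would not reveal.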

 

This article is taken and modified from:
https://ivopetkov.com/b/let-s-encrypt-on-ec2/


How do I assign a static hostname to a private Amazon EC2 instance running RHEL 7 or Centos 7?

Amazon EC2 instance hostnames are derived from the IP address that is assigned to the instance at launch. You can change the hostname of a private EC2 Linux instance with the hostname command, but cloud-init sets the hostname again at every boot, so after a reboot or a stop/start the instance reverts to the name derived from its IP address.

For a hostname to be static on RHEL 7 or CentOS 7, perform the steps below.

  1. Edit /etc/hostname and replace the value with the hostname that you want.
  2. Update /etc/hosts: extend the entry beginning with 127.0.0.1 so that it includes your hostname.
  3. Edit /etc/sysconfig/network and append HOSTNAME=xxxxxxx, where xxxxxxx is your hostname.
  4. Edit /etc/cloud/cloud.cfg and append the following line at the end of the file (without the quotes): "preserve_hostname: true". This is the setting that stops cloud-init from overwriting the hostname on the next boot; without it steps 1 to 3 are undone at reboot.
  5. Apply the change to the running system with hostnamectl set-hostname xxxxxxx.

Your hostname change will now persist across reboots.

For more information:
https://aws.amazon.com/premiumsupport/knowledge-center/linux-static-hostname-rhel7-centos7/

Apache Log Format for Web Servers Behind Load Balancer

If a load balancer distributes traffic over two or more web servers, the web logs usually record only the load balancer's IP address instead of the visitor's, because the balancer is the TCP peer that Apache sees.

The visitor's address travels in the X-Forwarded-For request header that the load balancer adds. To log it, create a custom log format with a new nickname, e.g. "lb_log", and use it in every virtual host configured in Apache. Always back up your original httpd.conf before you make any changes.

# The following directives define some format nicknames for use with
# a CustomLog directive (see below).
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" lb_log
#....
# START_HOST example.com
<VirtualHost *:80>
    ServerName example.com
    DocumentRoot "/var/www/example.com/html"
    <Directory "/var/www/example.com/html">
        Options Includes FollowSymLinks
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>
    CustomLog /var/www/logs/example.com/access_log lb_log
    ErrorLog /var/www/logs/example.com/error_log
</VirtualHost>
# END_HOST example.com

The nickname in LogFormat and the one in CustomLog must match exactly (the original post defined lg_log but referenced lb_log, so the CustomLog line never used the format it defined). Three things to keep in mind before you rely on these logs:

1. X-Forwarded-For is an ordinary request header, so a client can send one of its own. ELB appends the address it saw to whatever was already there, which makes the right-most entry the only trustworthy one; treat the entries to its left as untrusted input when you parse or display the log. Requests that reach Apache directly, bypassing the balancer, log "-" in that field, and because this format drops %h the real TCP peer is not recorded at all. Keep %h in the format as well if you need to tell the two cases apart.
2. On Apache 2.4 the cleaner fix is mod_remoteip (RemoteIPHeader X-Forwarded-For together with RemoteIPInternalProxy listing the balancer's addresses), which substitutes the client address that %a and access control see, not just what gets logged.
3. Options Includes enables server-side includes; leave it out unless the site uses them. Order/Allow are Apache 2.2 syntax; on 2.4 use Require all granted instead.

Before you make any changes to httpd.conf, read the mod_log_config documentation.
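To show how these lines should be read, here is an added example that is not part of the original post: a parser for the lb_log format defined above that extracts the visitor's address the safe way, by taking the right-most X-Forwarded-For entry and validating it as an IP address, while keeping the client-supplied entries separate so that spoofing attempts stand out. The log lines embedded in it are constructed, not taken from a real server.

```python
"""Parse Apache access-log lines written with the lb_log format above and
recover the visitor's address from the X-Forwarded-For field (added example).
"""
import ipaddress
import re

# Field layout of:
#   %{X-Forwarded-For}i %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
# The header value may contain commas and spaces, so it is matched lazily and
# anchored by the fixed fields that follow it.
LB_LOG = re.compile(
    r'^(?P<xff>.*?) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_line(line):
    """Split one lb_log line into its fields; raise ValueError on anything else."""
    match = LB_LOG.match(line.rstrip("\n"))
    if not match:
        raise ValueError("not an lb_log line: %r" % line)
    fields = match.groupdict()
    fields["status"] = int(fields["status"])
    return fields


def client_ip(xff):
    """Address the load balancer saw as its TCP peer, or None.

    ELB appends the connecting address to whatever X-Forwarded-For the client
    already sent, so only the right-most entry was observed by the balancer;
    everything to its left is client-supplied and may be forged. A '-' means
    the request carried no header at all, i.e. it did not come through the
    balancer, and this log format records no other address for it."""
    if xff == "-":
        return None
    last = xff.split(",")[-1].strip()
    try:
        return str(ipaddress.ip_address(last))
    except ValueError:
        return None


def client_supplied(xff):
    """Entries the client put in the header itself (left of the ELB's entry)."""
    if xff == "-":
        return []
    return [part.strip() for part in xff.split(",")[:-1]]


def summarize(lines):
    """(client_ip, request, status) per line, the shape a report or SIEM wants."""
    return [(client_ip(f["xff"]), f["request"], f["status"])
            for f in map(parse_line, lines)]


# Constructed sample lines (not from a real server). The second was sent by a
# client that pre-loaded X-Forwarded-For with 127.0.0.1, hoping a naive parser
# would treat the request as local; the third arrived without the header.
SAMPLE_LINES = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
    '127.0.0.1, 203.0.113.9 - - [10/Oct/2023:13:55:40 +0000] "GET /admin HTTP/1.1" 403 199 "-" "curl/8.0.1"',
    '- - - [10/Oct/2023:13:55:44 +0000] "GET / HTTP/1.1" 200 2326 "-" "curl/8.0.1"',
]

if __name__ == "__main__":
    for ip, request, status in summarize(SAMPLE_LINES):
        print("%-15s %3d %s" % (ip or "(no XFF)", status, request))
```

Taking the last entry is only correct because the balancer is known to append; if the server can also be reached directly, a request with a fabricated header and no balancer hop would still look plausible, which is why the note above recommends keeping %h in the format.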

 

Reference:
http://www.imthi.com/blog/linux/apache-log-format-for-amazon-ec2-with-elastic-load-balancer.php

Apache Redirection

There are times we need to do a redirect on the server side.
A 301 (permanent) redirect is the preferred kind for SEO, because search engines transfer the old URL's ranking to the new one. Browsers cache 301 responses aggressively, so test with a temporary redirect first (Redirect temp, or [R=302] in mod_rewrite) and switch to permanent once the target is right.
I will show you 2 ways of configuring Apache HTTP Server to redirect, by modifying httpd.conf or a .htaccess file:

1. Using mod_alias

Redirect permanent / http://www.your-new-website.com/

The trailing slash on the target matters: Redirect replaces the matched prefix ("/") with the target string and appends the rest of the requested path, so without the slash a request for /page would be sent to http://www.your-new-website.compage.

2. Using mod_rewrite

RewriteEngine on
RewriteCond %{HTTP_HOST} ^www\.your-old-website\.com$
RewriteRule ^(.*)$ http://www.your-new-website.com$1 [R=permanent,L,NE]

In httpd.conf the captured path in $1 starts with the leading slash. Inside a .htaccess file the per-directory prefix is stripped before the pattern is matched, so there the target must be http://www.your-new-website.com/$1.

Please remember to reload or restart Apache after that.

Reference:
http://www.yolinux.com/TUTORIALS/ApacheRedirect.html

Setting up vsftpd in passive mode

If the vsftpd server is behind a router or NAT and clients get errors such as "Server sent passive reply with unroutable address. Using server address instead." or "500 Illegal PORT command" on a directory listing (ls), this post might help. The trick is to configure passive mode correctly.

In passive mode the client opens the data connection to a port that the server announces in its reply, so that port must be reachable from outside. Forward port 21 and a small range of high ports, for example 4242-4252, to the server and set pasv_min_port and pasv_max_port to that range. Port 20 is only used as the source port of active-mode data connections, so forward it as well if active mode should keep working. pasv_address is the address the server announces; without it vsftpd announces the address of its own interface, which behind NAT is the private LAN address that causes the "unroutable address" error above. pasv_addr_resolve=YES lets pasv_address be a DNS name rather than an IP address. Add the following to /etc/vsftpd.conf (on some distributions the file is /etc/vsftpd/vsftpd.conf):

connect_from_port_20=YES
pasv_enable=YES
pasv_addr_resolve=YES
pasv_address=myaddress.dyndns.com
pasv_min_port=4242
pasv_max_port=4252

The same port range also has to be open in any host firewall (and, on EC2, in the security group). Keep in mind that plain FTP sends credentials and data in clear text; enable FTPS (ssl_enable=YES) or use SFTP for anything beyond anonymous downloads.
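A quick way to verify the configuration from the client side, as an added example that is not part of vsftpd or of the original post: it decodes the 227 reply a server sends to PASV and checks that the announced address is routable and matches the expected public address, and that the announced port falls inside pasv_min_port..pasv_max_port, which are exactly the two conditions behind the errors quoted above. The replies and the public address embedded in it are constructed placeholders; probe() runs the same check against a live server.

```python
"""Check what vsftpd advertises in its PASV reply (added example).

Diagnoses the two failures quoted above: a private ("unroutable") address in
the 227 reply, and a data port outside the range the router forwards.
"""
import ftplib
import ipaddress

# Address ranges a client on the Internet cannot reach. Listed explicitly
# because ipaddress.is_private also covers the documentation ranges
# (203.0.113.0/24 and friends), which the samples below use as "public".
UNROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
)]


def pasv_endpoint(reply):
    """'227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' -> (ip, port).

    ftplib.parse227 does the decoding, including port = p1 * 256 + p2."""
    return ftplib.parse227(reply)


def is_unroutable(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in UNROUTABLE)


def check_pasv_reply(reply, public_ip, pasv_min, pasv_max):
    """Problems a remote client would hit with this reply; an empty list means OK."""
    problems = []
    ip, port = pasv_endpoint(reply)
    if is_unroutable(ip):
        problems.append(
            "reply advertises %s, which clients outside the LAN cannot reach; "
            "set pasv_address (and pasv_addr_resolve=YES if it is a hostname)" % ip)
    elif ip != public_ip:
        problems.append("reply advertises %s but the public address is %s" % (ip, public_ip))
    if not pasv_min <= port <= pasv_max:
        problems.append(
            "data port %d is outside pasv_min_port..pasv_max_port %d-%d, "
            "so the router will not forward it" % (port, pasv_min, pasv_max))
    return problems


def probe(host, user="anonymous", password="", port=21):
    """Live check (not used offline): log in and return the raw PASV reply.

    Plain FTP sends the password in clear text; use this with anonymous
    access or over FTPS/SFTP, never with real credentials across the Internet."""
    ftp = ftplib.FTP()
    ftp.connect(host, port, timeout=10)
    ftp.login(user, password)
    return ftp.sendcmd("PASV")


# Constructed replies for the 4242-4252 range configured above; the public
# address is a placeholder, not a real server.
PUBLIC_IP = "203.0.113.10"
GOOD_REPLY = "227 Entering Passive Mode (203,0,113,10,16,146)"       # port 4242
LAN_REPLY = "227 Entering Passive Mode (192,168,1,10,16,146)"        # private address
BAD_PORT_REPLY = "227 Entering Passive Mode (203,0,113,10,16,157)"   # port 4253

if __name__ == "__main__":
    for name, reply in (("good", GOOD_REPLY), ("lan", LAN_REPLY), ("port", BAD_PORT_REPLY)):
        print(name, check_pasv_reply(reply, PUBLIC_IP, 4242, 4252) or "OK")
```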

 

Reference:

http://flukylogs.blogspot.sg/2012/01/vsftpd-behind-routerfirewall.html

How to Install Postfix on CentOS 6

Postfix Pre-Installation Steps

The first step before installing Postfix is to make sure that Sendmail is not already running on your system. You can check for this using the following command:

/sbin/service sendmail status

If sendmail is not installed, the tool will display a message similar to the following:

sendmail: unrecognized service

If sendmail is installed, but not running the following output will be displayed:

sendmail is stopped

If sendmail is running you will see the following:

sendmail (pid 2138) is running

If sendmail is running on your system, stop it before installing and configuring Postfix. To stop sendmail, run the following command as root:

/sbin/service sendmail stop

The next step is to ensure that sendmail does not get restarted automatically when the system is rebooted. First, find out which runlevels start sendmail automatically, using the chkconfig command-line tool as follows:

/sbin/chkconfig --list | grep sendmail

The above command will typically result in output similar to:

sendmail     0:off   1:off   2:on   3:on   4:on    5:on   6:off

This means that if the system boots into runlevels 2, 3, 4 or 5 then the sendmail service will automatically start. To turn off sendmail we can once again use the chkconfig command as follows:

/sbin/chkconfig sendmail off

The chkconfig tool defaults to changing the settings for runlevels 2, 3, 4 and 5. You can target specific runlevels with the --level command-line option if necessary.

To verify the settings run chkconfig one more time as follows:

/sbin/chkconfig --list | grep sendmail

And check that the output is as follows:

sendmail  0:off  1:off   2:off   3:off  4:off   5:off   6:off

Sendmail is now switched off and configured so that it does not auto start when the system is booted. We can now move on to installing Postfix.

Installing Postfix on CentOS 6

By default, the CentOS 6 installation process installs Postfix for most configurations. To verify whether Postfix is already installed, run the following rpm command in a terminal:

rpm -q postfix

If rpm reports that postfix is not installed, it may be installed as follows:

su -
yum install postfix

The yum tool will download and install postfix, and configure a special postfix user in the /etc/passwd file.

Configuring Postfix

The main configuration settings for Postfix are located in /etc/postfix/main.cf. There are many resources on the internet that cover Postfix in depth, so this section focuses on the basic options required to get email up and running.

The key options in the main.cf file are:

myhostname = mta1.domain.com
mydomain = domain.com
myorigin = $myhostname
inet_interfaces = $myhostname

Other settings will either have been set up for you by the installation process or are not needed unless you want to configure a more sophisticated email system.

The format of myhostname is host.domain.extension. For example, if your Linux system is called MyLinuxHost and your internet domain is MyDomain.com, you would set:

myhostname = mylinuxhost.mydomain.com

The mydomain setting is just the domain part of the above. For example:

mydomain = mydomain.com

The myorigin and inet_interfaces options refer to the values just set, so they do not need editing themselves. Two things to watch with inet_interfaces, though.

In the stock main.cf the line inet_interfaces = $myhostname is commented out, and an active inet_interfaces = localhost line sits below it. Postfix uses the last assignment of a parameter that it finds in the file, so if you only remove the # from the $myhostname line, the localhost line further down still wins. Comment that one out (or change it) and confirm the effective value with postconf inet_interfaces.

inet_interfaces = $myhostname makes Postfix accept SMTP connections on the host's network address, which on EC2 means from the Internet as soon as the security group allows port 25. If this server only needs to send mail from local programs (for example the PHP setup at the end of this article), leave inet_interfaces = localhost. If it must receive mail from outside, keep mynetworks restricted to hosts you trust, because hosts listed there are allowed to relay through the server.
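The last-wins rule is easy to get wrong by hand. The script below is an added example, not from the article or from the Postfix project: it reads a main.cf the way Postfix does (the last assignment wins, lines starting with whitespace continue the previous value), expands $name references, and flags a server that listens on its public address or trusts non-local networks in mynetworks. The main.cf embedded in it is constructed from this section's example names and mirrors the stock file's layout, where the active localhost line comes after the $myhostname one.

```python
"""Resolve the effective values in a Postfix main.cf and flag risky network
exposure (added example; not part of Postfix or of the original article).

Postfix keeps the *last* assignment of a parameter, so uncommenting a line
above an existing assignment changes nothing; this parser reproduces that.
"""
import ipaddress
import re

ASSIGNMENT = re.compile(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$")

# Ranges only the box itself or its LAN can reach. Anything else listed in
# mynetworks on a publicly listening server is a set of hosts allowed to relay.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7",
)]


def parse_main_cf(text):
    """{parameter: value} with last-wins semantics; a line that starts with
    whitespace continues the previous value, as in Postfix itself."""
    params = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] += " " + raw.strip()
            continue
        match = ASSIGNMENT.match(raw)
        if match:
            current = match.group(1)
            params[current] = match.group(2).strip()
    return params


def expand(params, value):
    """Expand $name / ${name} references one level deep (enough for these settings)."""
    return re.sub(r"\$\{?([A-Za-z0-9_]+)\}?",
                  lambda m: params.get(m.group(1), ""), value)


def _is_local(net):
    return any(net.version == loc.version and net.subnet_of(loc) for loc in LOCAL_NETS)


def audit(params):
    """Findings about who can talk to this Postfix and who may relay through it."""
    findings = []
    # 'all' is Postfix's built-in default when the parameter is absent.
    interfaces = expand(params, params.get("inet_interfaces", "all"))
    listens_publicly = interfaces not in ("localhost", "loopback-only", "127.0.0.1")
    if listens_publicly:
        findings.append(
            "inet_interfaces=%s accepts SMTP from the network; use 'localhost' "
            "if this host only sends mail from local programs" % interfaces)
    for entry in expand(params, params.get("mynetworks", "")).replace(",", " ").split():
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # hostname or table reference; not judged here
        if net.prefixlen == 0 or (listens_publicly and not _is_local(net)):
            findings.append(
                "mynetworks trusts %s: those hosts may relay mail through this server" % entry)
    return findings


# Constructed main.cf (not a real file): the page's edits applied on top of
# the stock layout, where "inet_interfaces = localhost" comes last and so wins.
SAMPLE_MAIN_CF = """\
myhostname = mylinuxhost.mydomain.com
mydomain = mydomain.com
myorigin = $myhostname
inet_interfaces = $myhostname
inet_interfaces = localhost
mynetworks = 127.0.0.0/8,
    203.0.113.0/24
"""

if __name__ == "__main__":
    params = parse_main_cf(SAMPLE_MAIN_CF)
    print("effective inet_interfaces:", expand(params, params["inet_interfaces"]))
    print("findings:", audit(params) or "none")
```

On a real host compare the result with postconf -n, which prints the effective values Postfix itself computed; any difference means the parser (or your reading of the file) missed something.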

Starting Postfix on a CentOS 6 System

Once /etc/postfix/main.cf is configured with the correct settings, it is time to start Postfix. This can be done from the command line as follows (on CentOS 6, service postfix start does the same through the init script):

/usr/sbin/postfix start

The postfix process should now start up. The best way to check that everything is working is to check your mail log. This is typically in /var/log/maillog and should now contain an entry that looks like:

Apr 29 12:57:36 mylinuxhost postfix/postfix-script[22793]: starting the Postfix mail system
Apr 29 12:57:36 mylinuxhost postfix/master[22794]: daemon started -- version 2.6.6, configuration /etc/postfix

As long as you don’t see any error messages you have successfully installed and started Postfix and you are ready to set up a mail client and start communicating with the outside world.

To configure Postfix to start automatically at system startup, run the following command in a Terminal window:

/sbin/chkconfig --level 345 postfix on

Editing PHP configuration file

Edit /etc/php.ini and change the line that contains sendmail_path to the following (-t takes the recipients from the message headers, and -i stops a line consisting of a single dot from being treated as the end of the message):

sendmail_path = /usr/sbin/sendmail.postfix -t -i

Reload Apache so that mod_php picks up the changed php.ini:

/sbin/service httpd reload

Reference:

http://www.techotopia.com/index.php/Configuring_a_CentOS_6_Postfix_Email_Server
http://drupal.org/node/321857#comment-1063535