How to renew a LetsEncrypt certificate

So, I received a message by email saying that my LetsEncrypt certificate for this blog is about to expire:

Your certificate (or certificates) for the names listed below will expire in xx days

Now, in order to renew it, I opened the terminal and used this command:

sudo certbot renew

But this one can be used as well:

sudo letsencrypt renew

The message I got was this:

Processing /etc/letsencrypt/renewal/nicolaemarinescu.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certs are not due for renewal yet:
/etc/letsencrypt/live/nicolaemarinescu.com/fullchain.pem expires on 2019-01-21 (skipped)
No renewals were attempted.

That means I need to try again in a couple of weeks using the same command.
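How long "a couple of weeks" is can be worked out from the expiry date in that output. The following is an added example, not part of the original post: it assumes GNU date (as on Ubuntu) and certbot's default of renewing once fewer than 30 days of validity remain, counted here in whole days; the function names and the "today" dates are made up for illustration.

```shell
# Added example: work out when a certificate enters certbot's renewal window.
# Assumes GNU date and the default 30-day renewal window.

RENEW_WINDOW_DAYS=30

# days_between FROM TO: whole days from FROM to TO (dates parsed as UTC).
days_between() {
    from=$(date -u -d "$1" +%s) || return 2
    to=$(date -u -d "$2" +%s) || return 2
    echo $(( (to - from) / 86400 ))
}

# renewal_due TODAY NOT_AFTER: succeed if fewer than 30 days are left,
# i.e. if "certbot renew" would no longer skip the certificate.
renewal_due() {
    left=$(days_between "$1" "$2") || return 2
    [ "$left" -lt "$RENEW_WINDOW_DAYS" ]
}

# first_renewal_day NOT_AFTER: first date on which renewal_due succeeds.
first_renewal_day() {
    date -u -d "$1 -$((RENEW_WINDOW_DAYS - 1)) days" +%F
}

# cert_not_after FILE: read the expiry date straight from a PEM certificate,
# e.g. /etc/letsencrypt/live/<domain>/fullchain.pem (needs openssl and sudo).
cert_not_after() {
    openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# Expiry date taken from the certbot output above; 2018-12-01 is a
# constructed "today".
days_between 2018-12-01 2019-01-21
first_renewal_day 2019-01-21
```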

Configure Static IP Addresses on Ubuntu 18.04 LTS Server

The way to configure a static IP in Ubuntu 18 is a bit different than the one in Ubuntu 16 and the previous versions. The file that needs to be modified is called 50-cloud-init.yaml and is located here: /etc/netplan. We will edit it.

sudo nano /etc/netplan/50-cloud-init.yaml

Originally, the file looks like this:

We need to add a couple of lines, but – very important – we should not change the indentation. I’ve struggled with some error messages when applying settings just because I’ve used TAB instead of SPACE, or because the indentation was off.

After modifications, the file should look like this:

We apply the new configuration using this command:

sudo netplan apply

NOTE: My netmask is 255.255.240.0, and that translates to 20 bits. If you have the more common netmask in your network, 255.255.255.0, then use 24 bits. Otherwise, use this table to find the number of bits required for your specific configuration:
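The number of bits can also be computed from the netmask. The following is an added example, not part of the original post; the function names and the sample address 192.0.2.10 are assumptions made for illustration.

```shell
# Added example: convert a dotted-quad netmask to the number of bits that
# follows the slash in a netplan "addresses" entry.

# mask_to_prefix MASK: print the number of bits, or return 1 if MASK is
# malformed or its 1-bits are not contiguous (e.g. 255.0.255.0).
mask_to_prefix() {
    bits=0
    partial=0                 # becomes 1 after the first octet below 255
    old_ifs=$IFS; IFS=.
    set -f                    # no filename expansion while splitting
    set -- $1
    set +f; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            255) n=8 ;; 254) n=7 ;; 252) n=6 ;; 248) n=5 ;; 240) n=4 ;;
            224) n=3 ;; 192) n=2 ;; 128) n=1 ;; 0) n=0 ;;
            *) return 1 ;;    # not a valid netmask octet
        esac
        # Once an octet is below 255, every later octet must be 0.
        if [ "$partial" -eq 1 ] && [ "$n" -ne 0 ]; then
            return 1
        fi
        if [ "$n" -lt 8 ]; then
            partial=1
        fi
        bits=$((bits + n))
    done
    echo "$bits"
}

# cidr_address IP MASK: print IP/bits, the form used in the netplan file.
cidr_address() {
    prefix=$(mask_to_prefix "$2") || return 1
    echo "$1/$prefix"
}

# 192.0.2.10 is a constructed sample address, not one from the post.
cidr_address 192.0.2.10 255.255.240.0
cidr_address 192.0.2.10 255.255.255.0
```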


Installing WordPress on Ubuntu 18.04 LTS

In this post, we will deploy a server with Ubuntu 18.04 LTS and install WordPress on it.

The installation of Ubuntu Server is straightforward. The only step we need to pay attention to is the static IP; it will make things easier later.

Once Ubuntu is installed, we need to run two simple, yet important commands:

sudo apt update
sudo apt upgrade

Once this is done, we will install the Apache web server:

sudo apt install apache2

If everything went well, we should see the Apache default configuration page on our browser:

Next, we will install the MySQL database engine, and secure the installation (we will choose a password for the MySQL root user during this step):

sudo apt install mysql-server
sudo mysql_secure_installation

Then, we will install PHP and some additional modules:

sudo apt install php libapache2-mod-php php-mysql

Once this is done, we will restart and enable Apache:

sudo systemctl restart apache2
sudo systemctl enable apache2

Next, we are going to create a MySQL database for WordPress:

sudo mysql -u root -p
create database wordpress;
GRANT ALL ON wordpress.* TO 'wordpressuser'@'localhost' IDENTIFIED BY 'password';
flush privileges;
exit

Next, edit the Apache configuration file:

sudo nano /etc/apache2/apache2.conf

Copy and paste the following block of text at the end of the file:

<Directory /var/www/html/>
AllowOverride All
</Directory>

Ctrl-O to save the changes, and Ctrl-X to close the file.
The next step is to enable the mod_rewrite module:

sudo a2enmod rewrite
sudo systemctl restart apache2

Now comes the beautiful part of installing WordPress:

wget -c https://wordpress.org/latest.tar.gz
tar -xzvf latest.tar.gz

After downloading and unzipping the files, we will copy everything into the web directory:

sudo rsync -av wordpress/* /var/www/html/

Give the right permissions for the web directory:

sudo chown -R www-data:www-data /var/www/html/
sudo chmod -R 755 /var/www/html/

We need to rename the sample configuration file and edit it:

cd /var/www/html
sudo mv wp-config-sample.php wp-config.php
sudo nano /var/www/html/wp-config.php

Put in the values that you chose earlier for your database_name, db_user and db-password. Leave everything else as it is.

Save and close the file.
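wp-config.php now holds the database password, and the chmod -R 755 used earlier leaves it readable by every local user and marks every file as executable. The following added example (not part of the original post) shows a tighter variant and a quick audit; the function names and the demo tree are assumptions. On the server it would be run with sudo against /var/www/html, with the www-data ownership set above left unchanged.

```shell
# Added example: tighter permissions than a blanket "chmod -R 755".
# Directories need the execute bit to be traversed; regular files do not,
# and wp-config.php (database password) should not be world-readable.

# tighten_wp_perms ROOT: directories 755, files 644, wp-config.php 640.
tighten_wp_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
    if [ -f "$1/wp-config.php" ]; then
        chmod 640 "$1/wp-config.php"
    fi
}

# list_loose_files ROOT: print regular files that are world-writable or
# carry the owner execute bit, i.e. files that still need attention.
list_loose_files() {
    find "$1" -type f \( -perm -0002 -o -perm -0100 \) -print
}

# mode_of PATH: print the octal permission bits (GNU stat, as on Ubuntu).
mode_of() {
    stat -c '%a' "$1"
}

# Constructed demo tree standing in for /var/www/html after "chmod -R 755".
demo_root=$(mktemp -d)
mkdir -p "$demo_root/wp-content/uploads"
echo '<?php // constructed sample' > "$demo_root/wp-config.php"
echo '<?php // constructed sample' > "$demo_root/index.php"
chmod -R 755 "$demo_root"

list_loose_files "$demo_root"        # lists both .php files
tighten_wp_perms "$demo_root"
list_loose_files "$demo_root"        # lists nothing
mode_of "$demo_root/wp-config.php"   # prints 640
```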

One more thing: remove the index.html file from the web directory, since WordPress uses an index.php to run.

sudo rm index.html

Reboot.

After reboot, open the IP address of your server in a browser, fill out the required fields, click on Install WordPress and start blogging!

Note: If we want this WordPress installation to be available on the internet, by forwarding port 80 to the IP address of the server and adding a domain to it, it is good practice to add an SSL certificate to our server. Check my post about adding a free SSL certificate in Ubuntu with Let's Encrypt.

Use Task Scheduler to reboot a PC every day at specific time

This task is very useful when you have a computer that does a job unattended, like running a machine in a warehouse. Windows needs to be rebooted from time to time, in order to free up memory, clean temporary files, run updates or whatever reason you may find.

Luckily, the tool to do a scheduled reboot is already available. Here’s how to use such a tool in Windows 10.

Press the WIN key, and start typing Task Scheduler until the program is displayed in the options:

Start it, and take a look at the main window:

Select Create Basic Task, on the right panel. You will be prompted to give it a name:

Then, select when the task is scheduled to run, and at what time of the day:

The next step is to specify what program will run when the task is executed:

Type shutdown, and add the /r argument in the second field. R stands for reboot.

Note: If, for whatever reason, a user is working on that computer, we need to inform him and add a delay, so he can cancel the reboot, if he wants to. We add /t and the time in seconds to delay the reboot. For example, if we want to reboot after 30 minutes, the arguments will be: /r /t 1800. In that case, the user will receive a warning and he will have half an hour to cancel the reboot. He can do that by running shutdown /a at the command prompt, or execute a batch file that contains this command. Argument /a stands for Abort. See the Addendum at the end of this post on how to create a batch file.

Select Finish to complete the task, and we’re done.

Addendum:

To create a batch file that will cancel the reboot, open Notepad, type the words shutdown /a in it, save it with the extension .bat instead of txt and place it somewhere easy to find. When the Scheduled Task triggers the reboot, the user will have 30 minutes to execute that batch file and cancel it.

Set a desktop wallpaper using Group Policy

So, we are in a Windows Active Directory environment and we want to deploy the same wallpaper for all the users in the domain.

First, we need to create a share, readable by all the users, and put the wallpaper image inside that share. The share can be on the DC itself or on another domain-joined server.

Next step, we go to the DC, open Group Policy Management, select the domain and create a new GPO:

We give a name to the GPO and save it. Next, we right click on the newly created GPO and select Edit:

In the editor, we navigate to User Configuration – Policies – Administrative Templates – Desktop – Desktop:


On the list of policies, we open the one called Desktop Wallpaper and do two things:

  1. indicate the path and the name of the image
  2. enable the policy

Click OK and we’re done.
Note that it will take a log off / log on cycle on the client PC to see the policy in action.
The policy can be further customized according to some specific needs, but the basics are here.

Have fun!

Adding free SSL certificate in Ubuntu with Let’s Encrypt

So, we have a Virtual Private Server (I prefer Digital Ocean) hosting a website or a WordPress blog, and we want to look serious by adding an SSL certificate, so the visitors could use https instead of http.

There are a couple of easy steps to do that. First, I will assume you only have one site on that VPS, so no virtual hosts are set up. The first two commands are for installing certbot:

sudo add-apt-repository ppa:certbot/certbot
sudo apt update
sudo apt-get install python-certbot-apache

Next, we will obtain an SSL certificate:

sudo certbot --apache -d example.com -d www.example.com

Of course, we need to replace example.com with the actual name of the domain.

Enter your email address, then agree with the Terms of Service.

When asked if we want to redirect all http traffic to https, answer yes by choosing number 2.


Also, when asked about the virtual host, choose the second one (since we don’t have virtual hosts configured), that is the one with our domain name next to it. In my case, the virtual host file was named 000-default-le-ssl.conf

Once the certificate is successfully installed, run this:

sudo certbot renew --dry-run

If we see no errors, then the auto-renewal is enabled.

Now, there is a glitch to this: The browser might show a yellow exclamation mark, like this:

If the website already has images or other internal links on it, the URLs that point to those images have to be changed to https://path_to_image. Yes, just by adding an s to the link, nothing else. So, it is a better practice to add the certificate before deploying the website or installing WordPress.

If all is done, the browser will give a green light. Like this:

Warning messages after installing Nextcloud server

In a previous post, we installed Nextcloud on Ubuntu Server 16.04 LTS. All good, but once we go to User – Settings – Basic Settings we see several messages written in red, telling us we need to perform additional tasks.

Now, Nextcloud will work without those corrections, but if we want maximum responsiveness from our server, it’s better to take care of them. Let’s start with the first one:

Your data directory and your files are probably accessible from the internet. Your .htaccess files is not working.

Log in to the server and make a small change in the apache2.conf file:

sudo nano /etc/apache2/apache2.conf

Look for those lines:

<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>

Replace None with All. Then save and close the file and restart the apache service:

sudo service apache2 restart

The first warning message is gone. We are going to ignore the second message (Accessing site insecurely via HTTP), since our server is not public and it doesn’t have a domain name, so it doesn’t need and can’t have an SSL certificate.

No memory cache has been configured. To enhance performance, please configure a memcache

We start by installing APCu and Redis to enable caching. That will make our server faster when displaying media files and generating thumbnails:

sudo apt-get install php-apcu redis-server php-redis
sudo nano /etc/redis/redis.conf

In the file, make the following changes:

  • port 6379 to port 0
  • uncomment the line:   unixsocket /var/run/redis/redis.sock
  • uncomment the line:   unixsocketperm 700
  • on the same line, change 700 to 770

Save and close the file, then add the apache user www-data to the redis group, then restart apache service and start the redis service:

sudo usermod -a -G redis www-data
sudo service apache2 restart
sudo service redis-server start
sudo systemctl enable redis-server
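The redis.conf edits listed above can be scripted and then verified, which is useful because a typo here either leaves the TCP port open or locks Apache out of the socket. This is an added example, not part of the original post; the function names are assumptions and the sample file is a constructed excerpt, not the packaged configuration.

```shell
# Added example: apply and verify the redis.conf edits from this post.
# With "port 0" Redis stops listening on TCP; clients reach it only via
# the Unix socket, whose mode 770 admits the redis user and the redis group
# (which is why www-data is added to that group).

# apply_redis_socket_edits FILE: make the edits, keeping the file's owner.
apply_redis_socket_edits() {
    sed -e 's|^port[[:space:]][[:space:]]*6379[[:space:]]*$|port 0|' \
        -e 's|^#[[:space:]]*\(unixsocket[[:space:]][[:space:]]*/var/run/redis/redis\.sock\)|\1|' \
        -e 's|^#*[[:space:]]*unixsocketperm[[:space:]][[:space:]]*700|unixsocketperm 770|' \
        "$1" > "$1.new" && cat "$1.new" > "$1" && rm -f "$1.new"
}

# check_redis_socket_conf FILE: succeed only if all three settings are active.
check_redis_socket_conf() {
    grep -Eq '^port[[:space:]]+0[[:space:]]*$' "$1" &&
    grep -Eq '^unixsocket[[:space:]]+/var/run/redis/redis\.sock[[:space:]]*$' "$1" &&
    grep -Eq '^unixsocketperm[[:space:]]+770[[:space:]]*$' "$1"
}

# Constructed excerpt standing in for /etc/redis/redis.conf.
sample_conf=$(mktemp)
cat > "$sample_conf" <<'EOF'
bind 127.0.0.1
port 6379
# unixsocket /var/run/redis/redis.sock
# unixsocketperm 700
timeout 0
EOF

check_redis_socket_conf "$sample_conf" || echo "before: TCP port still open"
apply_redis_socket_edits "$sample_conf"
check_redis_socket_conf "$sample_conf" && echo "after: socket only, mode 770"
```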

Next, we open the Nextcloud configuration file:

sudo nano /var/www/html/nextcloud/config/config.php

Add the following block of code at the end of the file, BEFORE the last closing bracket:

'memcache.local' => '\\OC\\Memcache\\Redis',
'memcache.locking' => '\\OC\\Memcache\\Redis',
'filelocking.enabled' => 'true',
'redis' =>
array (
  'host' => '/var/run/redis/redis.sock',
  'port' => 0,
  'timeout' => 0.0,
),

Reboot the server for the configuration to take effect.

The PHP OPcache is not properly configured

Open the php.ini configuration file:

sudo nano /etc/php/7.0/apache2/php.ini

Find each one of the following lines, un-comment them and change the settings according to the indications in the warning message. (The Ctrl-W combination in the nano editor will help with the search):

opcache.enable=1
opcache.enable_cli=1
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=10000
opcache.memory_consumption=128
opcache.save_comments=1
opcache.revalidate_freq=1

There is one more consideration. The maximum file size for uploads is set to 2 MB, which is way too small for a photo or a video. So let’s change that to something bigger, like 1 GB or more. In the same file, find and change those two lines:

upload_max_filesize = 1024M
post_max_size = 1050M

We put the second value a little bit bigger, to avoid errors when uploading a file that is EXACTLY 1 GB in size.

One more apache2 restart and we’re done.

How to set up a VPN client in Windows 10

In this short post, we will connect to the VPN server we configured in my other post from a remote computer running Windows 10.

First, we go to Network and Sharing Center, by right-clicking on the Network icon on the desktop and selecting Properties. Next, we select Set up a new connection or network:

Select Connect to a workplace:

Enter your public IP address (or the host name, if you have a dynamic IP and are using a service like NoIP)

Once the VPN connection has been created, we need to change one setting, so we go back to Network Connections and access the properties. Select Use Extensible Authentication Protocol, and click OK.

Double click on the VPN connection, enter your credentials and you’re done.

Now, remember: this connection will only work if you followed my tutorial about setting up VPN in Windows Server 2012 R2, and used the exact same settings. If you set up the VPN server with different security settings, then you will have to set the client accordingly.

Adding VPN role in Windows Server 2012 R2

In this post, we will enable and configure VPN role in Windows Server 2012 R2.

It is a good practice to do that in an Active Directory domain, preferably on a dedicated machine that is a member server, but not a domain controller.

The first step is to add the role in Server Manager:



Enable the Remote Access role:

Leave the Features as they are and click Next:

Follow the wizard using the default settings.
Once finished, go back to Server Manager – Tools – Routing and Remote Access. Right click on the name of the server, and select Configure and Enable Routing and Remote Access:

Select Custom configuration and enable the VPN Access service:

Follow the wizard until the end. Then, click on the server name and select Properties:

Navigate to Security tab, and click on Authentication Methods:

Make sure to select the EAP Protocol and MS-CHAP version 2:

Next, we need to enable the PPTP Passthrough (also known as GRE) in the router, and also forward the 1723 TCP port to the IP address of the VPN server.

The last thing to do is allow the two protocols through the server's firewall:

Every user that is allowed to connect to that VPN needs to have the Dial-In feature in Active Directory set to Allow access:

This is the simplest setup for a Windows VPN. You can play further with settings to increase security, but the basics are here. Have fun!

Check out my other post about setting up a VPN client in Windows 10.