Upgrade to Fedora 30 Complete!

For the last couple of days there has been some extended downtime on this site. That is because I’ve been working on migrating my blog from Ubuntu 16.04 to Fedora 30. I’m switching for lots of reasons. Some of the PHP packages I need for WordPress have been getting a bit out of date on Ubuntu 16.04, and I wanted to have the most up-to-date stable release of PHP without needing to add a third-party repository. Fedora 30 comes with PHP 7.3 by default, which is what is recommended by the good people at wordpress dot org (https://wordpress.org/about/requirements/).

Why make the switch from Ubuntu to Fedora? The biggest reason is that these days I’m more comfortable working in Red Hat space, and I like some of the features in Fedora 30 like the new module framework (https://docs.pagure.org/modularity/) that allows multiple versions of programming languages and databases to be installed on the same server without conflicting with each other. Also, I still live under the delusion that, someday, I will port all or some of this site into containers, and I want to try Podman (https://podman.io). It’s also because the database server behind this site has been running on Fedora since just a few months after the Fedora 29 release, and after a flawless upgrade from 29 to 30 I decided that I wanted to have a consistent OS layer between the web server and the database. This is not a rebuke of Ubuntu or Debian-based systems. I think they are great; they make great servers and they make great desktops. I’ve just grown more comfortable with some of the RPM-based distributions, and I like that Fedora seems to be able to walk the line between stability and keeping up with some of the newest packages available.

Lessons learned

SELinux – check the audit log

Moving the site was fairly easy. I just archived my web root directory and copied it over to the new server, unpacked in the same directory on the new server and that was pretty much it.

However, if you have SELinux enabled on your web server, and I recommend that you do, then you will need to flip a few SELinux booleans (sebools) to allow the web server to connect to the database and to install themes/updates:

sudo setsebool -P httpd_can_network_connect_db 1

That setting will allow you to connect to a remote database. If you are running WordPress with the database on your web server then you don’t have to worry about that one. The next one is important if you want to allow WordPress to install plugins/themes/updates:

sudo setsebool -P httpd_can_network_connect 1

I figured this out after spending way too much time trying to figure out why my site couldn’t talk to the database server. I knew I could hit the database port after running an nmap, which meant that I didn’t have any firewall issues, and I could connect to the database with WordPress credentials. I could’ve figured it out much faster had I checked the audit log:

sudo sealert -a /var/log/audit/audit.log

Checking the audit log would’ve saved me a bunch of time because it basically tells you what you need to do:

*****  Plugin catchall_boolean (47.5 confidence) suggests   ******************

If you want to allow httpd to can network connect
Then you must tell SELinux about this by enabling the 'httpd_can_network_connect' boolean.

Do
setsebool -P httpd_can_network_connect 1

I may end up doing a whole post on how to navigate the ins and outs of SELinux related to WordPress. These aren’t the only settings you will want to change. You also need to make sure that Apache can read and write to a few directories, which SELinux will block by default, at least on Fedora 30.

Lesson learned: read the logs first.
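Reading the log first can also be done against the raw audit records. The following is an added example, not part of the original post: a shell function that counts the outbound connections SELinux denied to the httpd_t domain by destination port and port type, which shows whether the narrower httpd_can_network_connect_db boolean covers a denial before the broader httpd_can_network_connect is enabled. The function names and log lines are constructed for illustration; on a real host, feed it /var/log/audit/audit.log.

```bash
#!/bin/bash
# Added example: list the outbound connections SELinux denied to httpd_t.

# sample_audit_log: constructed AVC records (not taken from a real host).
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1561000001.101:201): avc:  denied  { name_connect } for  pid=1412 comm="php-fpm" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1561000002.102:202): avc:  denied  { name_connect } for  pid=1412 comm="php-fpm" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1561000050.103:203): avc:  denied  { name_connect } for  pid=1413 comm="php-fpm" dest=443 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1561000070.105:205): avc:  denied  { write } for  pid=1412 comm="php-fpm" name="uploads" dev="vda1" ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=0
type=USER_AUTH msg=audit(1561000080.106:206): pid=2001 uid=0 msg='op=PAM:authentication acct="root" res=success'
EOF
}

# summarize_httpd_denials: reads audit records on stdin and prints
# "count dest_port target_type" for every denied name_connect whose source
# context is httpd_t. It filters on the SELinux domain rather than comm=,
# because php-fpm and httpd both run as httpd_t.
summarize_httpd_denials() {
    awk '
    /type=AVC/ && /denied/ && /name_connect/ && /scontext=[^ ]*:httpd_t:/ {
        port = ""; ttype = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^dest=/) port = substr($i, 6)
            if ($i ~ /^tcontext=/) {
                split(substr($i, 10), ctx, ":")   # user:role:type:level
                ttype = ctx[3]
            }
        }
        seen[port " " ttype]++
    }
    END { for (k in seen) print seen[k], k }
    ' | sort -k1,1nr -k2,2n
}

sample_audit_log | summarize_httpd_denials
# 2 3306 mysqld_port_t
# 1 443 http_port_t
```

On a live server the equivalent call is `sudo cat /var/log/audit/audit.log | summarize_httpd_denials`.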

Free SSL Certificate with Let’s Encrypt

If you have ever installed an SSL certificate you know that it can be a tedious process. Let’s Encrypt makes this easy. Just call the letsencrypt command from the terminal and point it at your domain.

Securing your website with a valid SSL certificate from a recognized and trusted vendor shows your website visitors that information transmitted between your site and their browser is encrypted. Now, thanks to “Let’s Encrypt” and the “Internet Security Research Group (ISRG)”, obtaining a certificate has never been easier or more affordable… can’t get cheaper than free.

Prerequisites

  • Ubuntu 16.04 (Previous versions may work as well but I haven’t tested it. If you try it on 14.04 and it works let me know.)
  • Apache – with a virtual host configured. See this post if you’re not sure how to set up Apache 2 with virtual hosts on Ubuntu.
  • A domain name
  • Root access to the web server

Install Let’s Encrypt Automated Tools

The best thing about Let’s Encrypt is that it provides fully automated tools that make setting up your secure site as easy as possible. No need to learn about openssl commands or obtaining CA certificates.

Install python-letsencrypt-apache

sudo apt update
sudo apt install python-letsencrypt-apache

This will ask to install quite a few Python libraries and tools. Accept the installation by pressing “y” when prompted.

Configure your site for SSL

If you have ever installed an SSL certificate you know that it can be a tedious process. Let’s Encrypt makes this easy: just call the letsencrypt command from the terminal and point it at your domain. (Replace example.com with your own domain.)

sudo letsencrypt --apache -d example.com -d www.example.com

The -d option specifies the domain or domains that you want to request an SSL certificate for.

At this point, you will be prompted to select the domain from the list of sites that are configured in the /etc/apache2/sites-enabled/ directory. If you already set up a virtual host you should see your site listed. Often letsencrypt will automatically detect your site based on the “ServerName” field in the virtual host configuration file.

Select your domain, then choose https only or both http and https. I always choose https only since I don’t have any real need for http, but you have the option to use both.

Your SSL Certificate will be valid for 90 days, and can be easily renewed as follows.

sudo letsencrypt renew

You can run that now and its output should tell you that you have no certificates that need to be renewed. Let’s Encrypt recommends that you renew every 60 days.

Automate SSL Renewal with Cron

Automatically renewing your SSL certificate can be done with a cron job. We will create a file in cron.weekly so that Let’s Encrypt will check once a week for sites that have a renewal available.

sudo vi /etc/cron.weekly/le-autorenew

Add the following to this file:

#!/bin/bash
#
# Renew Let's Encrypt certificates and append the output to a log.
# 2>&1 sends errors to the same log so failed renewals are recorded too.
/usr/bin/letsencrypt renew >> /var/log/ssl-renew.log 2>&1
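A check to pair with the weekly job, added here as an example and not part of the original post: because certificates last 90 days and are renewed at 60, one with 30 days or fewer remaining means renewal has been failing. The function names are hypothetical and the demo uses constructed self-signed certificates; on a real host, pass the certificate path, typically under /etc/letsencrypt/live/.

```bash
#!/bin/bash
# Added example: detect a silently failing weekly renewal job.

# cert_is_fresh CERT_PEM [MIN_DAYS]
# Returns 0 only if the certificate is readable and still valid MIN_DAYS
# (default 30) from now. Any other outcome returns 1, so an unreadable or
# missing certificate is treated as a problem instead of being ignored.
cert_is_fresh() {
    cert=$1
    min_days=${2:-30}
    [ -r "$cert" ] || { echo "cannot read $cert" >&2; return 1; }
    # -checkend N exits 0 when the certificate is still valid N seconds from now.
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null
}

# make_test_cert DAYS OUT_PEM
# Constructed self-signed certificate, used only to exercise the check offline.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$1" \
        -subj "/CN=example.com" -keyout /dev/null -out "$2" 2>/dev/null
}

# Demo: a freshly issued 90-day certificate passes; one with 10 days left
# is what a stalled renewal job would leave behind.
tmp=$(mktemp -d)
make_test_cert 90 "$tmp/fresh.pem"
make_test_cert 10 "$tmp/stale.pem"
for name in fresh stale; do
    if cert_is_fresh "$tmp/$name.pem"; then
        echo "$name: ok"
    else
        echo "$name: renewal overdue, check /var/log/ssl-renew.log"
    fi
done
rm -rf "$tmp"
```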

If you are interested in learning more about Let’s Encrypt or some of their sponsors (which include big names like Mozilla, Facebook, Cisco, and many more) you can visit them here: https://letsencrypt.org

Ubuntu 14.04 Web Server

If you are developing websites or web applications one of the first things you are going to want to do is set up a development environment. This post will serve as a howto for setting up an Apache web server on Ubuntu 14.04.

We will be setting up the web server to run several websites so that you can easily separate your projects, and run multiple sites on the same system. This is known as a virtual host