U18-Apache-CGI-M
Apache FastCGI with PHP-FPM is one of the best stacks to host PHP applications. This stack is not as easy as setting up a basic LAMP stack, but it is far better than the basic LAMP stack when it comes to performance. The key ingredient in this stack is FPM which stands for Fast Process Manager. In this stack, Apache will send all the PHP files for processing to FPM. It will then return the rendered output to the browser.
https://www.interserver.net/tips/kb/apache-php-fpm-ubuntu-18-04/
Ubuntu version
lsb_release -a
service --status-all
Host name:
sudo hostnamectl
hostname
hostname -f
vi /etc/hosts
# IPv4 and IPv6 localhost aliases
127.0.0.1 node2.mg.com node2 localhost
::1 node2.mg.com node2 localhost
Installing packages
Check if the package exists: https://packages.ubuntu.com/
apt install vim
apt update
Reinstall: apt-get install --reinstall systemctl
List the full path of the files inside this package: dpkg -L systemctl
Check if any output for systemctl: apt-cache search systemctl
Using Init scripts to manage services on Ubuntu:
To start a service: /etc/init.d/ufw start
To stop a service: /etc/init.d/ufw stop
To restart a service: /etc/init.d/ufw restart
To check the status of service: /etc/init.d/ufw status
Securing your Server *:
https://www.linode.com/docs/security/securing-your-server/
Update Your System–Frequently
sudo apt update && sudo apt upgrade -y
Add a Limited User Account
$useradd tommy -m -s /bin/bash -g users -c "my comments"
$passwd tommy (change password for the mentioned user)
(Grant sudo privileges: adduser example_user sudo)
Change passwd for the root user:
To change password: (reset password)
Version OS: $ cat /etc/issue
Change password: sudo passwd root
Create an Authentication Key-pair (client pc)
See: Generating a Key pair - in SSH instruction
Upload the public key to your Server.
Test that your keys work and make a note of the passphrases.
Inside the /etc/ssh/sshd_config file:
Disallow root logins over SSH
PermitRootLogin no
Disable Password authentication
PasswordAuthentication no
sudo service sshd restart
Test: with ssh mg@192.168.10.115, password login is now denied and only public-key authentication is accepted.
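A small audit script for the two sshd_config settings above, added here as an example (it is not part of the original notes). sshd uses the first uncommented occurrence of a keyword, so a stray "PermitRootLogin yes" near the top of the file silently wins over a "no" added at the bottom; the script mirrors that rule, stops at the first Match block, and assumes the plain "Keyword value" syntax. The constructed sample config and the file names are assumptions; on a real server, sshd -T prints the effective configuration and is the final word.

```shell
#!/bin/sh
# Added example: audit an sshd_config-style file for the hardening settings
# from the notes (PermitRootLogin no, PasswordAuthentication no).
# sshd takes the FIRST uncommented occurrence of a keyword, so the audit does too.

# sshd_effective FILE KEYWORD -> prints the effective value (first match, lower-cased),
# or "default" if the keyword is never set before the first Match block.
sshd_effective() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }                       # skip comment lines
        tolower($1) == "match" { exit }                 # conditional blocks: out of scope here
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print "default" }
    ' "$1"
}

# sshd_audit FILE -> 0 if both settings are explicitly hardened, 1 otherwise.
# "default" counts as a finding: upstream defaults are prohibit-password for
# PermitRootLogin and yes for PasswordAuthentication, neither of which is "no".
sshd_audit() {
    file="$1"
    rc=0
    for pair in "PermitRootLogin:no" "PasswordAuthentication:no"; do
        key="${pair%%:*}"
        want="${pair##*:}"
        got="$(sshd_effective "$file" "$key")"
        if [ "$got" = "$want" ]; then
            echo "OK   $key = $got"
        else
            echo "WARN $key = $got (expected $want)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample (not a real server's file): the early "yes" wins in real sshd,
# even though a "no" appears further down.
write_sample_sshd_config() {
    cat > "$1" <<'EOF'
# constructed sample sshd_config
Port 22
PermitRootLogin yes
#PasswordAuthentication yes
PasswordAuthentication no
PermitRootLogin no
EOF
}

# Usage: write_sample_sshd_config /tmp/sshd_config.sample && sshd_audit /tmp/sshd_config.sample
```

Run it against /etc/ssh/sshd_config after the edit above and before restarting sshd; a WARN on PermitRootLogin with a value of "yes" almost always means an earlier line or an included file still sets it.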
Installing Composer:
Installing Globally:
https://getcomposer.org/doc/00-intro.md
https://getcomposer.org/download/
Run as sudo user:
sudo php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
sudo php -r "if (hash_file('sha384', 'composer-setup.php') === 'e0012edf3e80b6978849f5eff0d4b4e4c79ff1609dd1e613307e16318854d24ae64f26d17af3ef0bf7cfb710ca74755a') { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); } echo PHP_EOL;"
sudo php composer-setup.php
sudo php -r "unlink('composer-setup.php');"
mg@node1:~$ sudo mv ~/composer.phar /usr/local/bin/composer
OR
curl -sS https://getcomposer.org/installer | php
sudo mv composer.phar /usr/local/bin/composer
Changing your PATH
Check the current path settings: mg@node1:~$ echo $PATH
Simply add /place/with/the/file to the $PATH variable with the following command:
export PATH=$PATH:/place/with/the/file
Check which shell is running: echo $0
Set your PATH permanently:
A file called ~/.bash_profile, ~/.bashrc, or ~/.profile; ~/.bashrc is a good choice. PATH entries are directories, so add the directory that contains the executable, not the file itself:
#path adding
PATH=$PATH:/home/mg
after that, run: composer --version
Optionally set these for Composer:
The COMPOSER_HOME var allows you to change the Composer home directory. This is a hidden, global (per-user on the machine) directory that is shared between all projects.
echo $COMPOSER_HOME
echo $COMPOSER_BIN_DIR
To update Composer itself
composer self-update
Uninstall composer?
https://askubuntu.com/questions/640899/how-do-i-uninstall-mysql-completely
Installing Elasticsearch
https://easybusyforyou.blogspot.com/2020/06/install-elasticsearch-inside-ubuntu-1804.html
MySQL 5.7 in Ubuntu server 19:
Uninstall MySQL completely?
https://askubuntu.com/questions/640899/how-do-i-uninstall-mysql-completely
sudo -i
service mysql stop
killall -KILL mysql mysqld_safe mysqld
apt-get --yes purge mysql-server mysql-client
apt-get --yes autoremove --purge
apt-get autoclean
deluser --remove-home mysql
delgroup mysql
rm -rf /etc/apparmor.d/abstractions/mysql /etc/apparmor.d/cache/usr.sbin.mysqld /etc/mysql /var/lib/mysql /var/log/mysql* /var/log/upstart/mysql.log* /var/run/mysqld
updatedb
exit
Install MySQL 5.7 or later:
sudo apt-get update && sudo apt-get upgrade -y
sudo apt update && sudo apt upgrade -y
sudo apt-get install curl nano git
It is important to specify the version of mysql, e.g. apt-get --yes purge mysql-server-5.7 mysql-client-5.7.
https://support.rackspace.com/how-to/installing-mysql-server-on-ubuntu/
sudo apt-cache search mysql | grep client
sudo apt-cache search php- | less
sudo apt-get install mysql-server-5.7 mysql-client-5.7 -y
[
/usr/bin/mysql -u root -p
***
mysql> quit;
]
Do not run mysql -u root; just run "sudo mysql". On Ubuntu systems running MySQL 5.7 (and later), the root user is authenticated by the auth_socket plugin by default.
(For version MySQL 5.7 and later, enter the following command in the mysql shell, replacing password with your new password:)
mysql restart
sudo mysql_secure_installation
Answer y to all of its prompts.
sudo systemctl start mysql
sudo systemctl enable mysql (Launch at reboot)
sudo systemctl restart mysql
Create a new database and user, and grant (or revoke) privileges on the database for that user.
https://linuxize.com/post/how-to-create-mysql-user-accounts-and-grant-privileges/
Start: create user and database;
sudo mysql
REVOKE ALL PRIVILEGES ON fres_onln_mage.* FROM 'fres_onln_mage'@'localhost';
DROP database fres_onln_mage;
DROP USER 'fres_onln_mage'@'localhost';
CREATE DATABASE fres_onln_mage;
CREATE USER 'fres_onln_mage'@'localhost' IDENTIFIED BY '%^gtT53grHR$%rTid*7W';
GRANT ALL PRIVILEGES ON fres_onln_mage.* TO 'fres_onln_mage'@'localhost' IDENTIFIED BY '%^gtT53grHR$%rTid*7W';
FLUSH PRIVILEGES;
\q
End:
Views:
mysql> SELECT User, Host, authentication_string FROM mysql.user;
mysql> show databases;
mysql> DROP database dumbschool;
Display MySQL User Account Privileges:
SHOW GRANTS FOR 'user1'@'localhost';
Revoke Privileges from a MySQL User Account
mysql> REVOKE ALL PRIVILEGES ON database_name.* FROM 'database_user'@'localhost';
Remove an Existing MySQL User Account
mysql> DROP USER 'user'@'localhost';
Import a Database
mysql -u username -p database_name < FILE.sql
sudo nano /etc/mysql/my.cnf
sudo systemctl restart mysql
Firewall Settings UFW
https://linuxize.com/post/how-to-setup-a-firewall-with-ufw-on-ubuntu-18-04
https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-18-04
Got connection refused? Check the firewall rules below.
apt-get install ufw
sudo ufw app list
sudo ufw status verbose
sudo ufw status
Let us look into the “Apache Full” profile. To do so, run:
sudo ufw app info 'Apache Full'
Run the following command to allow incoming HTTP and HTTPS traffic for this profile:
sudo ufw allow 'Apache Full'
sudo ufw allow 'OpenSSH'
sudo ufw allow 10000/tcp
Configure Your Firewall:
sudo ufw disable
sudo ufw enable
ufw reset (turns off UFW completely and deletes all the rules)
sudo ufw status numbered
ufw delete 2 (deletes rule number 2 from the numbered list)
ufw delete allow http123
Is anything actually listening on port 80?
netstat -lpn | grep :80
Shorewall
https://www.youtube.com/watch?v=ZbjKMJQq6Z0&t=2s
https://code.tutsplus.com/tutorials/how-to-set-up-a-dedicated-web-server-for-free--net-2043
iptables
https://github.com/ChrisTitusTech/firewallsetup/blob/master/firewall
https://www.youtube.com/watch?v=qPEA6J9pjG8
chkconfig iptables
iptables -L -v -n --line-number
sudo lsof -n -sTCP:LISTEN -i:80
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
Then to prevent it from losing the iptables configuration on restart, use:
sudo apt install iptables-persistent
sudo /etc/init.d/netfilter-persistent save
./firewall-reload
iptables-save > /etc/iptables/iptables.rules
reboot now
netplan (ubuntu 18*)
ip a
ip route
nslookup google.com
ifconfig
netplan generate
netplan apply
1. Install Apache2
https://code.tutsplus.com/tutorials/how-to-set-up-a-dedicated-web-server-for-free--net-2043
https://geekflare.com/apache-web-server-hardening-security/
sudo apt-get update && sudo apt-get upgrade -y
root@fd5f382eba05:/# apt update && apt upgrade -y
sudo apt-get install curl nano git wget vim -y
sudo apt-cache search apache2 | grep ver
sudo apt-get install apache2 -y
apache2 -version
Install FastCGI:
(Unlike plain CGI, FastCGI processes are persistent and can handle more than one request per process.)
sudo apt-cache search apache2 | grep libapache2-mod-fcgi
Note: sudo apt-get install libapache2-mod-fcgi (no longer available from the repositories as of 2019)
apt install wget
cd /tmp && wget https://mirrors.edge.kernel.org/ubuntu/pool/multiverse/liba/libapache-mod-fastcgi/libapache2-mod-fastcgi_2.4.7~0910052141-1.2_amd64.deb
sudo dpkg -i libapache2-mod-fastcgi_2.4.7~0910052141-1.2_amd64.deb
Start: sudo systemctl start apache2.service
sudo systemctl start apache2
service apache2 start
Status: sudo systemctl status apache2
service apache2 status
(press q to leave the status pager)
Restart: sudo systemctl restart apache2.service
sudo systemctl restart apache2
service apache2 restart
Reload: sudo systemctl reload apache2.service
service apache2 reload
Enable on Startup: sudo systemctl enable apache2 *
Stop: sudo systemctl stop apache2.service
Configuration files:
/etc/apache2/apache2.conf – This is the main Apache configuration file and controls everything Apache does on your system. Changes here affect all the websites hosted on this machine.
/etc/apache2/ports.conf – The port configuration file. You can customize the ports Apache monitors using this file. By default, Port 80 is configured for Http traffic.
/etc/apache2/sites-available – Storage for virtual host files. A virtual host is a record of one of the websites hosted on the server.
/etc/apache2/sites-enabled – This directory holds websites that are ready to serve clients. The a2ensite command is used on a virtual host file in the sites-available directory to add sites to this location.
default: /var/www/html/
*** Checking the inbound rules from the EC2 dashboard, from below we can see that only the “PORT 22” is open, which is only for “SSH“.
See the ufw firewall section.
PHP 7.2 (fpm, fast process manager.) *2*
Installation:
sudo apt update && sudo apt upgrade -y
sudo apt-cache search php7.2 | grep php
(- sudo apt-get install php7.2)
php -v
For General PHP-fpm install:
$ sudo apt-get install php7.2-fpm php7.2-mysql php7.2-mbstring php7.2-curl php7.2-dom -y
For Magento General PHP install with req modules: (replace the php7.2 with the phpfpm one)
$ sudo apt-get install php7.2 libapache2-mod-php7.2 php7.2-common php7.2-gd php7.2-mysql php7.2-curl php7.2-intl php7.2-xsl php7.2-mbstring php7.2-zip php7.2-bcmath php7.2-iconv php7.2-soap -y
For Magento with FPM only
$ sudo apt-get install php7.2-fpm libapache2-mod-php7.2 php7.2-common php7.2-gd php7.2-mysql php7.2-curl php7.2-intl php7.2-xsl php7.2-mbstring php7.2-zip php7.2-bcmath php7.2-iconv php7.2-soap -y
php -v
Verify that all required PHP extensions were installed: (https://devdocs.magento.com/guides/v2.3/install-gde/prereq/php-centos-ubuntu.html)
sudo php -me
Visit: http://ejamuna.com/index.php
and check the "Server API" value: if it reads "Apache 2.0 Handler", PHP-FPM is not configured yet.
Configure Apache with PHP-FPM on Ubuntu 18.04 - 19: (https://www.interserver.net/tips/kb/apache-php-fpm-ubuntu-18-04/)
Right now, our Apache web server and PHP-FPM are configured and can work individually. But we still have to tell Apache to pass PHP requests to the PHP fast process manager.
To enable PHP 7.2 FPM in Apache2 (after php7.2-fpm is installed): [If an older PHP version is enabled, disable it first: a2dismod [oldversion]]
(to enable /disable mod: https://askubuntu.com/questions/1148129/how-do-i-enable-php-7-3-in-apache2)
sudo cat /etc/apache2/conf-available/php7.2-fpm.conf
sudo cp /etc/apache2/conf-available/php7.2-fpm.conf /etc/apache2/conf-available/php7.2-fpm.conf.orginal
sudo vi /etc/apache2/conf-available/php7.2-fpm.conf
<IfModule mod_fastcgi.c>
AddHandler php7-fcgi .php
Action php7-fcgi /php7-fcgi
Alias /php7-fcgi /usr/lib/cgi-bin/php7-fcgi
FastCgiExternalServer /usr/lib/cgi-bin/php7-fcgi -socket /var/run/php/php7.2-fpm.sock -pass-header Authorization -idle-timeout 60
<Directory /usr/lib/cgi-bin>
Require all granted
</Directory>
</IfModule>
Test conf script for errors:
sudo apache2ctl configtest
Enable mod and conf:
sudo a2enmod proxy_fcgi setenvif
sudo a2enconf php7.2-fpm
sudo a2enmod actions
(OK, a2enmod is a script that enables the specified module within the apache2 configuration.
The module proxy_fcgi provides support for the FastCGI protocol. The associated setenvif sets the variables sent to the FastCGI backend.
The a2enconf script enables the specified configuration file within apache2, in this case php7.2-fpm.)
sudo service php7.2-fpm start
sudo service php7.2-fpm restart && service apache2 restart
sudo systemctl restart php7.2-fpm apache2
Making a site with a new domain:
sudo mkdir -p /var/www/dumbschool.com
Then assign the ownership of the directory to Apache2 through the following commands:
Is apache running as www-data? ps axu | grep -E 'apache|www-data|http'
sudo chown -R www-data:www-data /var/www/ejamuna.com
sudo chmod -R 755 /var/www/ejamuna.com *
Test if Apache is running our domain name:
echo "ejamuna!" > /var/www/ejamuna.com/index.php
or
sudo vi /var/www/ejamuna.com/j.php
<h1>eJamuna!</h1>
<?php
phpinfo();
?>
If you want to change Apache to serve php files rather than others, move index.php to first position in the dir.conf file as shown below:
sudo vi /etc/apache2/mods-enabled/dir.conf
Add the following to your virtual host config file, i.e. in:
[
sudo cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/000-default.conf.orginal
sudo vi /etc/apache2/sites-available/000-default.conf
sudo cp /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-available/default-ssl.conf.orginal
sudo vi /etc/apache2/sites-available/default-ssl.conf
(same to default-ssl.conf)
]
<FilesMatch \.php$>
SetHandler "proxy:unix:/var/run/php/php7.2-fpm.sock|fcgi://localhost/"
</FilesMatch>
- sudo cp /etc/apache2/mods-enabled/fastcgi.conf /etc/apache2/mods-enabled/fastcgi.conf.backup
Apache needs a virtual host file to serve the contents of your domain from the server.
sudo vi /etc/apache2/sites-available/ejamuna.com.conf
<VirtualHost *:80>
ServerAdmin admin@dumbschool.com
ServerName dumbschool.com
ServerAlias www.dumbschool.com
DocumentRoot /var/www/dumbschool.com
<FilesMatch \.php$>
SetHandler "proxy:unix:/var/run/php/php7.2-fpm.sock|fcgi://localhost/"
</FilesMatch>
ErrorLog ${APACHE_LOG_DIR}/dumbschool.com-error.log
CustomLog ${APACHE_LOG_DIR}/dumbschool.com-access.log combined
</VirtualHost>
Test for errors:
sudo apache2ctl configtest
Enable the domain configuration file:
sudo a2ensite ejamuna.com.conf
a2ensite 000-default.conf
a2ensite default-ssl.conf
To disable a website, disable its conf:
sudo a2dissite 000-default.conf
sudo systemctl reload apache2
sudo service apache2 reload
SSL
(Secure Apache with Let's Encrypt on Ubuntu 18.04) 19
How To Set Up Apache Virtual Hosts on Ubuntu 18.04
https://linuxize.com/post/how-to-set-up-apache-virtual-hosts-on-ubuntu-18-04/
https://community.letsencrypt.org/t/certbot-unable-to-pass-challenge-dns-a-aaaa-records-not-present-for-domain/34121/2
Add Certbot PPA:
sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
Install Certbot:
sudo apt install certbot python-certbot-apache
When installing it, make sure the version number matches the version of certbot. You can find this with the following command:
certbot --version
My version of certbot was 0.22.2.
-pip install certbot_dns_route53==0.22.2
NB: the next steps are done with root privileges:
[
Route 53 only
For: route53
Install correct DNS plugin
-sudo apt install python3-certbot-dns-<PLUGIN>
sudo apt install python3-certbot-dns-route53
Manual
Set up credentials: certbot-dns-route53
https://certbot-dns-route53.readthedocs.io/en/stable/
The access keys for an account with these permissions must be supplied in one of the following ways, which are discussed in more detail in the Boto3 library’s documentation about configuring credentials.
Install AWS CLI 2 in ubuntu 18: https://youtu.be/fwYkj5CUdvY
Configuring the credentials: Youtube: https://youtu.be/SvaTF6nN4n8
Examples:
certbot certonly \
--dns-route53 \
--dns-route53-propagation-seconds 30 \
-d example.com \
-d www.example.com
]
[
Without route53
https://linuxize.com/post/secure-apache-with-let-s-encrypt-on-ubuntu-18-04/
Generate a strong DH (Diffie-Hellman) group
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
sudo mkdir -p /var/lib/letsencrypt/
sudo chgrp www-data /var/lib/letsencrypt
sudo chmod g+s /var/lib/letsencrypt
sudo mkdir -p /var/lib/letsencrypt/.well-known/acme-challenge/
sudo chmod -R 775 /var/lib/letsencrypt
(Setting directories g+s makes all new files created in said directory have their group set to the directory's group.)
https://linuxconfig.org/how-to-use-special-permissions-the-setuid-setgid-and-sticky-bits
https://youtu.be/pBgWPaPWv6c
When used on a directory, instead, the setgid bit alters the standard behavior so that the group of the files created inside said directory, will not be that of the user who created them, but that of the parent directory itself. This is often used to ease the sharing of files (files will be modifiable by all the users that are part of said group).
This can actually be really handy for collaborative purposes if you have the umask set so that files have group write by default.
(add the mg user to the www-data group)
https://upcloud.com/community/tutorials/install-lets-encrypt-apache/
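The directory preparation above (group ownership, setgid, group-writable), written as two small functions so the result can be verified instead of eyeballed. This is an added example, not from the notes or from any of the linked guides. It assumes the group passed in exists and that the caller may chgrp to it (www-data on the server); the setgid check uses the POSIX test -g flag, and the group/permission checks read ls -ld, so no GNU-specific stat options are needed.

```shell
#!/bin/sh
# Added example: build and verify the shared ACME challenge directory
# (/var/lib/letsencrypt in the notes). GROUP is assumed to exist.

# setup_challenge_dir ROOT GROUP -> creates ROOT/.well-known/acme-challenge,
# gives the tree to GROUP and sets mode 2775 (setgid + rwxrwxr-x) on every directory,
# so files certbot drops in later inherit GROUP. Others keep read/execute because
# Apache must be able to serve the challenge files.
setup_challenge_dir() {
    root="$1"; group="$2"
    mkdir -p "$root/.well-known/acme-challenge"
    chgrp -R "$group" "$root"
    find "$root" -type d -exec chmod 2775 {} +
}

# verify_challenge_dir ROOT GROUP -> 0 if every directory in the tree exists,
# belongs to GROUP, is group-writable and carries the setgid bit; 1 otherwise.
verify_challenge_dir() {
    root="$1"; group="$2"; rc=0
    for d in "$root" "$root/.well-known" "$root/.well-known/acme-challenge"; do
        if [ ! -d "$d" ]; then echo "MISSING   $d"; rc=1; continue; fi
        # test -g is the POSIX way to ask for the set-group-ID bit
        [ -g "$d" ] || { echo "NO-SETGID $d"; rc=1; }
        perms=$(ls -ld "$d" | awk '{print $1}')
        dgroup=$(ls -ld "$d" | awk '{print $4}')
        [ "$dgroup" = "$group" ] || { echo "WRONG-GRP $d (is $dgroup)"; rc=1; }
        case "$perms" in
            ?????w*) ;;                              # 6th char of drwxrwsr-x = group write
            *) echo "NOT-GROUP-WRITABLE $d"; rc=1 ;;
        esac
    done
    return $rc
}

# challenge_file_group ROOT -> prints the group a freshly created challenge file
# receives; on a correctly set up tree this is the directory's group, not the
# creator's primary group.
challenge_file_group() {
    f="$1/.well-known/acme-challenge/.probe.$$"
    : > "$f"
    ls -l "$f" | awk '{print $4}'
    rm -f "$f"
}

# Usage on the server (as root):
#   setup_challenge_dir /var/lib/letsencrypt www-data
#   verify_challenge_dir /var/lib/letsencrypt www-data && echo "challenge dir OK"
```

If verify_challenge_dir reports NO-SETGID after a later chmod, that is the usual cause: a numeric chmod on regular files drops the bit, and some tools recreate directories without it.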
*
sudo vi /etc/apache2/conf-available/letsencrypt.conf
Alias /.well-known/acme-challenge/ "/var/lib/letsencrypt/.well-known/acme-challenge/"
<Directory "/var/lib/letsencrypt/">
AllowOverride None
Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
Require method GET POST OPTIONS
</Directory>
*
sudo vi /etc/apache2/conf-available/ssl-params.conf
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# Requires Apache >= 2.4.11
SSLSessionTickets Off
SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"
*
Test for errors:
sudo apache2ctl configtest
Enable these mods:
sudo a2enmod ssl headers
Enable these scripts:
sudo a2enconf letsencrypt ssl-params
Enable this mod:
sudo a2enmod http2
Reload Apache2:
sudo systemctl reload apache2
sudo service apache2 reload
Status:
sudo systemctl status apache2
( in short form
sudo a2enmod ssl headers
sudo a2enconf letsencrypt ssl-params
sudo a2enmod http2
sudo service apache2 reload
sudo systemctl status apache2
)
Testing:
echo -n "Testing acme-challenge" | sudo tee /var/lib/letsencrypt/.well-known/acme-challenge/test >/dev/null
sudo curl -ikL http://www.ejamuna.com/.well-known/acme-challenge/test
sudo curl -ikL http://www.haanz.online/.well-known/acme-challenge/test
It will show the text in the browser "Testing acme-challenge"
If the test passes, go on to obtain a certificate.
]
Obtain a certificate for a specific domain by running certbot:
# website ref. blogger example:
# https://medium.com/prog-code/lets-encrypt-wildcard-certificate-configuration-with-aws-route-53-9c15adb936a7
# https://certbot.eff.org/docs/using.html#getting-certificates-and-choosing-plugins
certbot certonly \
-d example.com \
-d *.example.com \
--dns-route53 \
--logs-dir /home/username/letsencrypt/log/ \
--config-dir /home/username/letsencrypt/config/ \
--work-dir /home/username/letsencrypt/work/ \
-m email@example.com \
--agree-tos \
--server https://acme-v02.api.letsencrypt.org/directory
# Website blogger: renew example:
certbot renew --dns-route53 \
--logs-dir /home/username/letsencrypt/log/ \
--config-dir /home/username/letsencrypt/config/ \
--work-dir /home/username/letsencrypt/work/ \
--server https://acme-v02.api.letsencrypt.org/directory \
--post-hook "sudo service nginx reload"
# dns-route53 plugin: certbot website
sudo certbot certonly \
-i apache \
--dns-route53 \
--dns-route53-propagation-seconds 30 \
-d dumbschool.com \
-d www.dumbschool.com \
--agree-tos \
--email bdjunayed@gmail.com
# Webroot: authenticator plugin (single domain)
sudo certbot certonly \
-i apache \
-a webroot \
-w /var/www/haanz.online/ \
-w /var/lib/letsencrypt/ \
-d haanz.online \
-d www.haanz.online \
--email bdjunayed@gmail.com \
--agree-tos \
--server https://acme-v02.api.letsencrypt.org/directory
# Webroot: authenticator plugin (to obtain a single certificate for multiple domains)
To use the webroot plugin, your server must be configured to serve files from /.well-known
sudo certbot certonly \
--webroot \
-w /var/www/d1.com \
-d d1.com \
-w /var/www/d2.com \
-d d2.com \
--agree-tos \
--email bdjunayed@gmail.com
# Manual: kind of web root plugin but manual.
sudo certbot certonly \
--preferred-challenges=dns \
--manual \
-d example.com \
-d www.example.com
# Manual: (CrazyDomain doesn't allow the TXT record)
sudo certbot certonly \
--preferred-challenges=http \
--manual \
-d saustralasia.online \
-d www.saustralasia.online \
--email bdjunayed@gmail.com \
--agree-tos \
--server https://acme-v02.api.letsencrypt.org/directory
root@node1:~# sudo certbot certonly --webroot -w /var/www/saustralasia.online/ -d saustralasia.online -d www.saustralasia.online --email bdjunayed@gmail.com --agree-tos --server https://acme-v02.api.letsencrypt.org/directory
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Cert not yet due for renewal
You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/saustralasia.online.conf)
What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/saustralasia.online/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/saustralasia.online/privkey.pem
Your cert will expire on 2020-03-30. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
root@node1:~#
Now that you have the certificate files, edit your domain virtual host configuration as follows:
sudo a2enmod ssl rewrite headers
sudo vi /etc/apache2/sites-available/000-default.conf
<VirtualHost *:80>
ServerName gcrecruitment.site
ServerAlias www.gcrecruitment.site
ServerAdmin admin@gcrecruitment.site
DocumentRoot /var/www/gcrecruitment.site
<FilesMatch \.php$>
SetHandler "proxy:unix:/var/run/php/php7.2-fpm.sock|fcgi://localhost/"
</FilesMatch>
ErrorLog ${APACHE_LOG_DIR}/gcrecruitment.site-error.log
CustomLog ${APACHE_LOG_DIR}/gcrecruitment.site-access.log combined
#Redirect permanent / https://gcrecruitment.site/
RewriteEngine on
RewriteCond %{SERVER_NAME} =www.gcrecruitment.site [OR]
RewriteCond %{SERVER_NAME} =gcrecruitment.site
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName gcrecruitment.site
ServerAlias www.gcrecruitment.site
ServerAdmin admin@gcrecruitment.site
Protocols h2 http/1.1
#<If "%{HTTP_HOST} == 'www.gcrecruitment.site'">
# Redirect permanent / https://gcrecruitment.site/
#</If>
DocumentRoot /var/www/gcrecruitment.site
# Apache 2.4: if you are not the administrator of the server, you depend
# on the AllowOverride level that the admins allow for you.
<Directory /var/www/gcrecruitment.site>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
Allow from all
</Directory>
<FilesMatch \.php$>
SetHandler "proxy:unix:/var/run/php/php7.2-fpm.sock|fcgi://localhost/"
</FilesMatch>
ErrorLog ${APACHE_LOG_DIR}/gcrecruitment.site-error.log
CustomLog ${APACHE_LOG_DIR}/gcrecruitment.site-access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
SSLEngine On
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/gcrecruitment.site/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/gcrecruitment.site/privkey.pem
# SSLCertificateFile /etc/letsencrypt/live/saustralasia.online/cert.pem
# SSLCertificateChainFile /etc/letsencrypt/live/saustralasia.online/chain.pem
Header always set Strict-Transport-Security "max-age=31536000"
Header always set Content-Security-Policy upgrade-insecure-requests
</VirtualHost>
</IfModule>
[
<VirtualHost *:80>
</VirtualHost>
<VirtualHost *:443>
Protocols h2 http/1.1
<If "%{HTTP_HOST} == 'www.ejamuna.com'">
Redirect permanent / https://ejamuna.com/
</If>
</VirtualHost>
]
With the configuration above we are forcing HTTPS and redirecting from the www to the non-www version. Feel free to adjust the configuration according to your needs.
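An audit script for the two Apache fragments above: the ssl-params.conf directives (SSLProtocol, HSTS header) and the vhost's Directory block (Options Indexes, 2.2-style Order/Allow). It is an added example, not part of the notes. Apache keeps the last occurrence of a directive within a scope, and the script treats each file as a single scope, which matches the one-vhost-per-file layout used here; it also models SSLProtocol's all/+/- token semantics so "All -SSLv2 -SSLv3" is correctly reported as still allowing TLSv1 and TLSv1.1. The two constructed config files in the usage comments are assumptions.

```shell
#!/bin/sh
# Added example: audit an Apache conf file for the settings discussed above.

# apache_enabled_protocols VALUE -> prints the protocols an SSLProtocol value
# leaves enabled, one per line. Tokens: all, +NAME, -NAME, NAME.
apache_enabled_protocols() {
    printf '%s\n' "$1" | awk '
    BEGIN { n = split("SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3", all, " ") }
    {
        for (i = 1; i <= NF; i++) {
            tok = $i; sign = substr(tok, 1, 1)
            if (sign == "+" || sign == "-") tok = substr(tok, 2); else sign = "+"
            if (tolower(tok) == "all") { for (j = 1; j <= n; j++) on[all[j]] = (sign == "+") }
            else on[tok] = (sign == "+")
        }
        for (j = 1; j <= n; j++) if (on[all[j]]) print all[j]
    }'
}

# apache_audit FILE -> 0 if no WARN finding, 1 otherwise. Prints one line per finding.
apache_audit() {
    file="$1"; rc=0
    # last uncommented SSLProtocol wins (Apache semantics within one scope)
    proto=$(awk '!/^[[:space:]]*#/ && tolower($1) == "sslprotocol" { $1 = ""; v = $0 } END { print v }' "$file")
    if [ -n "$proto" ]; then
        for p in $(apache_enabled_protocols "$proto"); do
            case "$p" in
                SSLv3|TLSv1|TLSv1.1) echo "WARN legacy protocol enabled: $p"; rc=1 ;;
            esac
        done
    fi
    # "Options Indexes" / "+Indexes" turns on directory listings for that tree
    if awk '!/^[[:space:]]*#/ && tolower($1) == "options" {
                for (i = 2; i <= NF; i++) if (tolower($i) == "indexes" || tolower($i) == "+indexes") found = 1
            } END { exit !found }' "$file"; then
        echo "WARN directory listing enabled (Options Indexes)"; rc=1
    fi
    # Order/Allow/Deny are 2.2 syntax; on 2.4 they need mod_access_compat, Require is native
    if grep -qiE '^[[:space:]]*(Order|Allow from|Deny from)' "$file"; then
        echo "INFO 2.2-style Order/Allow directives found; Apache 2.4 uses Require"
    fi
    if ! grep -qi 'Strict-Transport-Security' "$file"; then
        echo "WARN no Strict-Transport-Security header"; rc=1
    fi
    return $rc
}

# Usage (constructed files, assumed paths):
#   apache_audit /etc/apache2/conf-available/ssl-params.conf
#   apache_audit /etc/apache2/sites-available/000-default.conf
```

Run it over both the ssl-params fragment and the vhost file; the HSTS check will naturally WARN on a vhost file that relies on ssl-params.conf for the header, so read the findings per file rather than expecting a clean run from each one in isolation.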
Test for errors:
sudo apache2ctl configtest
Reload Apache2:
sudo service apache2 reload
Test your certificate:
https://www.ssllabs.com/ssltest/
whynopadlock.com
Auto-renewing Let’s Encrypt SSL certificate
Let’s Encrypt’s certificates are valid for 90 days. To automatically renew the certificates before they expire, the certbot package creates a cronjob which runs twice a day and will automatically renew any certificate 30 days before its expiration.
FYI, it will dry-run for all the domains already added.
Once the certificate is renewed we also have to reload the Apache service.
Append --renew-hook "systemctl reload apache2" to the /etc/cron.d/certbot file so that it looks like the following:
sudo vi /etc/cron.d/certbot
0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew --renew-hook "systemctl reload apache2"
--renew-hook "systemctl reload apache2"
Test automatic renewal
sudo certbot renew --dry-run
https://certbot.eff.org/docs/
Now go to Apache2 and step to domain folder setup.
Delete cert:
sudo certbot delete --cert-name dumbschool.com
List cert:
sudo certbot certificates
Troubleshoot:
grep -r 443 /etc/apache2
If there are no errors, it means that the renewal process was successful.
If not, test with: https://check-your-website.server-daten.de/
Dismantle a site:
sudo apache2ctl configtest
sudo certbot certificates
sudo certbot delete --cert-name saustralasia.online
sudo a2dissite saustralasia.online.conf
sudo service apache2 reload
sudo service apache2 status