Setting Up an SSL Certificate With Certbot

Vince Iarusci | DevOps, Learning

Certbot is an easy-to-use automatic client that fetches and deploys SSL/TLS certificates for your webserver. Certbot was developed by EFF and others as a client for Let’s Encrypt and was previously known as “the official Let’s Encrypt client” or “the Let’s Encrypt Python client.” Certbot will also work with any other CAs that support the ACME protocol.

Webserver

To enable HTTPS on your website, you’ll need to look up which webserver and OS you’re running on your server.

To look up the OS version, run the following command:

root@server:~# cat /etc/*release
PRETTY_NAME="Debian GNU/Linux 8 (jessie)"
NAME="Debian GNU/Linux"
VERSION_ID="8"
VERSION="8 (jessie)"
ID=debian
HOME_URL="http://www.debian.org/"
SUPPORT_URL="http://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

Install

To get the instructions on installing the HTTPS certificates, go to the Certbot site (https://certbot.eff.org/) and select the web server and OS for the required certificate.  In our case, we are using the Apache web server on the Debian OS.

Download Certbot

Run the following commands on your server to download an up-to-date copy of the Certbot software:

root@server:~# wget https://dl.eff.org/certbot-auto
root@server:~# chmod a+x certbot-auto

Auto Install of Certificate with Apache Configuration

Certbot has an Apache plugin and automates certificate installation. Running this command will get a certificate for you and have Certbot edit your Apache configuration automatically to serve it.  Use this approach if you are doing a fresh install on a new server with one domain.

root@server:~# sudo ./path/to/certbot-auto --apache

Follow the instructions on the screen.  Enter the domain names for your site as follows:

Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c' to cancel): 
www.yoursite.com, yoursite.com

Auto Install of Certificate Only (Manual Apache Configuration Needed)

Install the Certificate

Running this command will get a certificate for you but will not configure Apache. When using the certonly option, a manual configuration of Apache for each of the website domains is needed.   An example would be if you are installing new websites on a server that already has other websites with ssl certificates installed.

root@server:~# sudo ./path/to/certbot-auto --apache certonly

Follow the instructions on the screen.  Enter the info as follows when prompted for the domain names:

Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c' to cancel): 
www.yoursite.com, yoursite.com

Configure Apache

Download a copy of the yoursite-ssl.conf file here and open it with a text editor.  Replace all instances of <yousite> with the name of your site domain.

The conf file for yoursite then needs to be added to the following locations:

/etc/apache2/sites-available
/etc/apache2/sites-enabled

Use the scp command or an ftp client like Filezilla to upload the conf file to these locations.

Automating the Certificate Renewal

Certbot can be configured to renew your certificates automatically before they expire. Since Let’s Encrypt certificates last for 90 days, it’s highly advisable to take advantage of this feature.

Create a new folder for the cert renewal script.

root@server:~# cd /srv
root@server:~# mkdir cert_renewal

Add the following code to a new file and save it as cert_renewal.sh.  Save it into the /srv/cert_renewal folder on the server.

#!/bin/bash
# Runs the renewal check for the Certbot Let's Encrypt ssl certs
# (expects the certbot-auto script to be in /srv/cert_renewal)
cd /srv/cert_renewal || exit 1
./certbot-auto renew

Configure the Cron Task

root@server:~# crontab -e

Configure the file so that it looks like the following…

SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
# For details see man 4 crontabs
# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  *  command to be executed
# run Certbot Renewal (Run daily at 2:00am)
0  2  *  *  *  /srv/cert_renewal/cert_renewal.sh

The cron entry above schedules cert_renewal.sh to run each day at 2:00am.

Additional documentation – Configuring Cron Tasks

Let’s Encrypt Logs

You will find the log that shows the renewal events in the /var/log/letsencrypt location.
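
An added check, not part of the original post or of Certbot, that reports when a certificate is closer to expiry than a working renewal job would allow, so a silently failing cron task is noticed before the 90 days run out. The 20-day threshold and the function names are assumptions; /etc/letsencrypt/live is Certbot's default location for issued certificates.

```bash
#!/bin/bash
# Added example: warn when a certificate is closer to expiry than expected,
# which means the scheduled renewal is not working.

# Assumption: 20 days. Certbot renews once fewer than 30 days remain, so a
# certificate with less than 20 days left has missed several renewal runs.
WARN_DAYS=${WARN_DAYS:-20}

# cert_status FILE [DAYS]
# Prints one status line. Returns 0 = healthy, 1 = expiring or expired,
# 2 = file is not a readable certificate.
cert_status() {
    local cert="$1" days="${2:-$WARN_DAYS}" end
    if ! end=$(openssl x509 -in "$cert" -noout -enddate 2>/dev/null); then
        echo "ERROR $cert: not a readable certificate"
        return 2
    fi
    end=${end#notAfter=}
    # -checkend N exits non-zero if the certificate expires within N seconds.
    if openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null; then
        echo "OK $cert: valid until $end"
        return 0
    fi
    echo "WARN $cert: expires $end (within $days days)"
    return 1
}

# check_all LIVE_DIR [DAYS]
# Checks LIVE_DIR/<name>/cert.pem for every certificate and returns the
# worst status seen, so cron can mail the output on a non-zero exit.
check_all() {
    local live="$1" days="${2:-$WARN_DAYS}" worst=0 rc cert
    for cert in "$live"/*/cert.pem; do
        if [ ! -e "$cert" ]; then
            echo "ERROR no certificates under $live"
            return 2
        fi
        rc=0
        cert_status "$cert" "$days" || rc=$?
        if [ "$rc" -gt "$worst" ]; then
            worst=$rc
        fi
    done
    return "$worst"
}

# Usage: ./cert_check.sh /etc/letsencrypt/live   (script name is hypothetical)
if [ "$#" -gt 0 ]; then
    check_all "$@"
fi
```

With MAILTO=root set in the crontab, any line this prints is mailed to root, so a WARN line arrives well before visitors see an expired certificate.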

Backing Up and Restoring WordPress Sites – OVH

Vince Iarusci | DevOps, Learning

Backing Up the OVH Website Server(s)

In our company, we host multiple WordPress sites on the same OVH VPS host.  This has its advantages; however, if there are issues with our server, we could have 3 sites down at the same time.  To avoid any downtime for our websites, we came up with this 2-tiered approach to backing up our WordPress sites on an OVH VPS server host.

The strategy includes creating a snapshot to save the latest installation of the OS, Apache2, WordPress and the MySQL database software.  Any other configurations are also captured, e.g. SSL certificates.

System configuration changes are not as frequent as the changes made in the website domains.  Website content and the associated database changes are done daily and these changes include updates to content, plugins, themes, uploads, database and other files. These domain changes are backed up weekly using the schedule in the UpDraftPlus Wordpress plugin.

Using the 2 tiered strategy will shorten the time it takes to restore a website or the entire system when there are server problems or malicious attacks.

VPS Snapshots

Snapshots are enabled for the VPS environments.  Currently, snapshots on each vps server need to be done manually. Reminders should be set-up for the admin to manually run the snapshot when needed.

The current strategy will be to create the snapshots before and after a software update or migration. In the event of a failed update, the server will be rolled back to the last restoration point of the snapshot. When the software update is successful, an additional new snapshot will be taken of the os/code version so that there’s a backup until the next update. Using this strategy allows you to do a “redo” if something goes wrong between updates.

Create a Snapshot

Only one snapshot can exist at a time. To create a new snapshot, you need to select the “Delete The Snapshot” option and delete the existing snapshot. You will then have the option to create a new snapshot of the server to capture the latest changes.

Restore a Snapshot

To restore the server to the last saved snapshot, you will select the “Restore the Snapshot” option from the user console.  Note that restoring a snapshot will overwrite any changes made since the last snapshot was taken.

UpdraftPlus Backups

UpdraftPlus is a WordPress plugin used to back up each website’s database and content. It backs up directly to cloud storage: Dropbox, Google Drive, Amazon S3 (or compatible), UpdraftVault, Rackspace Cloud, FTP, DreamObjects, Openstack Swift, and email. The paid version also backs up to Microsoft OneDrive, Microsoft Azure, Google Cloud Storage, Backblaze B2, SFTP, SCP, and WebDAV.

The following steps must be done for each installed Wordpress website.

Setting up The Backup

Scheduling the Backup

Select the Settings tab and set the files and database frequency.  In our case, we set the files backup schedule to weekly with a retention of 2 backups (goes back 2 weeks).  Change your schedule to daily when content is updated more frequently.

 

Set the remote backup location

Saving to Google Drive

Note that the save location must have sufficient space to save the required backups.

Settings
Google Drive Folder: UpdraftPlus
Include in Files Backup: Select Plugins, Themes & Uploads.  Check - "Any other directories found inside wp-content"

Click Save Changes.  This will prompt you to select and sign into the Google Account.  Once you have authenticated to the Google account, the set-up is complete.


Restoring the Website Server(s)

Steps to restore are:

  1. Identify the issue for the failure.
  2. Restore the VPS Snapshot (If Needed)
  3. Restore the UpdraftPlus backup for the affected website domain(s).

Identify the Failure

It’s important to identify the root cause of the issue so that any failed software or hardware configurations are fixed properly or any malicious attacks are avoided by hardening the server to eliminate vulnerabilities.

If a migration or upgrade of the system has made the server unresponsive, it’s important to identify the components that have caused the failure so that the errors can be avoided on the reinstall.  If the server has been hacked, the hack method (SQL injection, security breach, password exploit, etc.) must be identified and fixed. Failing to do this will only invite the same hack.

Restore the VPS Snapshot (If Needed)

Snapshots are enabled for the OVH VPS environments.  The current strategy involves creating the snapshots before and after a software update or migration. In the event of a failed update, the server is rolled back to the last restoration point of the snapshot. If the software update is successful, an additional new snapshot will be taken of the os/code version so that there is a backup until the next update.  Using this strategy allows you to do a “redo” if something goes wrong between updates.

Restoration of the snapshot is not necessary when the restore is limited to the recovery of the website content only.

Restore a Snapshot

To restore the server to the last saved snapshot, you will select the “Restore the Snapshot” option from the user console.  Note that restoring a snapshot will overwrite any changes made since the last snapshot was taken.

UpdraftPlus Backup Restore

UpdraftPlus is a WordPress plugin used to back up each website’s database and content.

Follow these steps for each installed Wordpress website when restoring with the VPS Snapshot.  If you only need to restore the content for a specific domain, restore only the UpdraftPlus backup for that Wordpress domain.

Restoring The Website Backup

Select the Backup/Restore tab and select the Restore button for the backup that you want to restore.

Select the components that you want to restore.

Worst Case Scenario

If for some reason you’ve had a catastrophic failure on your server and you’re not able to restore from any of your backups, follow the instructions on how to Install Multiple WordPress Sites on a Single Host.

Install Multiple WordPress Sites on a Single Host

Vince Iarusci | DevOps, Learning

Overview

WordPress (WordPress.org) is a free and open-source content management system (CMS) based on PHP and MySQL.  This article will walk you through the steps to host two or more separate WordPress instances on one VPS.  Note that this is different from setting up multisite.

In our company, we’ve successfully installed 3 sites on one VPS host.  We’re using an OVH VPS server at a cost of about $5 bucks CAD a month.  That works out to about $1.70 per site.  Based on the size and traffic to your sites, you may need to upgrade the size and storage of the VPS.

In our examples below, websites The Force (www.theforce.com domain) and The Dark Side (www.thedarkside.com domain) are installed. If you need to add more sites on the same server, just repeat all these steps for each additional site.  The steps for the installation are done from the command line but many of the steps can be done using an ftp client like Filezilla. Feel free to use an ftp client if it simplifies your install.

*Note that these websites are for demo purposes only and any reference to any existing websites or users is coincidental.

Our Server Environment

These instructions will work for most Linux type operating systems.

Operating System: Debian GNU/Linux 
Version: 8 (jessie) 
Hostname: server.example.com 
IP: 158.99.999.99 
VPS: vps12345.vps.ovh.ca 
Web Server: Apache2 
Database Server: MySql 5.5

Installation Steps

Download Wordpress and Extract the Package

Our first step will be to download the latest version of WordPress and unzip the package after download.

root@server:~# wget https://wordpress.org/latest.tar.gz
root@server:~# tar xzvf latest.tar.gz

Create Site Database and User

We’ll need to create a database with an assigned user for each of our sites using mysql commands.  Replace “password” with a unique secure password for each user.

mysql -u root -p

-- The Force: database and a dedicated user
CREATE DATABASE theforce;
CREATE USER luke@localhost;
SET PASSWORD FOR luke@localhost = PASSWORD("password");
-- No IDENTIFIED BY here: it would replace the password set above
GRANT ALL PRIVILEGES ON theforce.* TO luke@localhost;
FLUSH PRIVILEGES;

-- The Dark Side: database and a dedicated user
CREATE DATABASE thedarkside;
CREATE USER vader@localhost;
SET PASSWORD FOR vader@localhost = PASSWORD("password");
GRANT ALL PRIVILEGES ON thedarkside.* TO vader@localhost;
FLUSH PRIVILEGES;
exit

Set-up Site Locations on server

The next steps create the server location in the www folder and copy the wordpress package to each of the server locations.

root@server:~# cd /var/www
root@server:~# mkdir theforce
root@server:~# mkdir thedarkside
root@server:~# cp ~/wordpress/wp-config-sample.php ~/wordpress/wp-config.php
root@server:~# rsync -avP ~/wordpress/ /var/www/theforce/
root@server:~# rsync -avP ~/wordpress/ /var/www/thedarkside/

Set Ownership and Permissions

Set permissions to allow the www-data user to write to the website directory.

root@server:~# chown -R www-data:www-data /var/www/theforce /var/www/thedarkside

Configure wp-config.php

Each website install needs to connect to its own database. This is done by changing the settings in the wp-config.php config file for each site.

Run these commands to configure The Force website:

root@server:~# cd /var/www/theforce
root@server:~# sudo nano wp-config.php

Change the connection settings for The Force website:

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'theforce');
/** MySQL database username */
define('DB_USER', 'luke');
/** MySQL database password */
define('DB_PASSWORD', '<password here>');

Set the table prefix for the theforce database (optional).  Here we use fo_, which stands for theforce.

/**
* WordPress Database Table prefix. 
*
* You can have multiple installations in one database if you give each
* a unique prefix. Only numbers, letters, and underscores please!
*/
$table_prefix  = 'fo_';

 

Run these commands to configure The Darkside website …

root@server:~# cd /var/www/thedarkside
root@server:~# sudo nano wp-config.php

Modify the connection settings for The Darkside website …

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'thedarkside');
/** MySQL database username */
define('DB_USER', 'vader');
/** MySQL database password */
define('DB_PASSWORD', '<password here>');

Set the table prefix for the thedarkside database (optional).  Here we use ds_, which stands for thedarkside.

/**
* WordPress Database Table prefix. 
*
* You can have multiple installations in one database if you give each
* a unique prefix. Only numbers, letters, and underscores please!
*/
$table_prefix  = 'ds_';
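
Once the database passwords are in wp-config.php, the file permissions under /var/www decide who else on the server can read them. The script below is an added example, not part of the original post: it audits a web root laid out as in this walkthrough (one directory per site, each with its own wp-config.php) and can apply the minimum fix. The function names, the script name and the 640 mode are choices made for this example.

```bash
#!/bin/bash
# Added example: permission audit for WordPress sites sharing one web root.
# Layout assumed from this walkthrough: ROOT/<site>/wp-config.php.

# audit_wp_root ROOT
# Prints one finding per line; returns 0 when clean, 1 when anything is found.
audit_wp_root() {
    local root="$1" out
    out=$(
        # wp-config.php holds DB_USER and DB_PASSWORD, so "other" needs no read bit.
        find "$root" -maxdepth 2 -type f -name wp-config.php -perm -0004 |
            sed 's/^/CONFIG-WORLD-READABLE /'
        # World-writable files and directories can be changed by any local account.
        # Symlinks are skipped because their mode bits are always 777.
        find "$root" \( -type f -o -type d \) -perm -0002 |
            sed 's/^/WORLD-WRITABLE /'
    )
    if [ -z "$out" ]; then
        return 0
    fi
    printf '%s\n' "$out"
    return 1
}

# harden_wp_root ROOT
# Applies the minimum fix for both findings without changing ownership.
harden_wp_root() {
    local root="$1"
    # 640: owner (www-data here) read/write, group read, others nothing.
    find "$root" -maxdepth 2 -type f -name wp-config.php -exec chmod 640 {} +
    find "$root" \( -type f -o -type d \) -perm -0002 -exec chmod o-w {} +
}

# Usage: ./wp_perm_audit.sh /var/www   (script name is hypothetical)
if [ "$#" -gt 0 ]; then
    audit_wp_root "$1"
fi
```

Because every site here is owned by www-data, these modes protect the credentials from other local accounts, not from one site's PHP code reading another site's files.
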

Configure Apache Virtualhost

Copy the conf file for each new site.  The existing sample 000-default.conf template file is used for the copy.  Note that the name for the sample conf file may be different depending on your install.

root@server:~# cd /etc/apache2/sites-available
root@server:~# cp 000-default.conf theforce.conf
root@server:~# cp 000-default.conf thedarkside.conf

Make Changes to the theforce.conf Virtual Host

root@server:~# sudo nano theforce.conf

<VirtualHost *:80>
  ServerAdmin webmaster@localhost
  DocumentRoot /var/www/theforce
  ServerName theforce.com
  ServerAlias www.theforce.com
  Redirect permanent /phpmyadmin https://vps12345.vps.ovh.ca/phpmyadmin
  <Directory />
    Options FollowSymLinks
    AllowOverride None
  </Directory>
  <Directory /var/www/theforce>
    Options FollowSymLinks
    AllowOverride All
  </Directory>
  ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
  <Directory "/usr/lib/cgi-bin">
    AllowOverride None
    Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
    Order allow,deny
    Allow from all
  </Directory>
 
  ErrorLog ${APACHE_LOG_DIR}/error.log
 
  # Possible values include: debug, info, notice, warn, error, crit,
  # alert, emerg.
  LogLevel warn
 
  CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost> 

Make Changes to the thedarkside.conf Virtual Host

root@server:~# sudo nano thedarkside.conf

<VirtualHost *:80>
  ServerAdmin webmaster@localhost
  DocumentRoot /var/www/thedarkside
  ServerName thedarkside.com
  ServerAlias www.thedarkside.com
  Redirect permanent /phpmyadmin https://vps12345.vps.ovh.ca/phpmyadmin
  <Directory />
    Options FollowSymLinks
    AllowOverride None
  </Directory>
  <Directory /var/www/thedarkside>
    Options FollowSymLinks
    AllowOverride All
  </Directory>
  ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
  <Directory "/usr/lib/cgi-bin">
    AllowOverride None
    Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
    Order allow,deny
    Allow from all
  </Directory>
 
  ErrorLog ${APACHE_LOG_DIR}/error.log
 
  # Possible values include: debug, info, notice, warn, error, crit,
  # alert, emerg.
  LogLevel warn
 
  CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost> 

Enable The Virtual Hosts Files

root@server:~# a2ensite theforce
root@server:~# a2ensite thedarkside

Configure the Hosts file

root@server:~# sudo nano /etc/hosts

Add the following lines to the bottom of the file:

158.99.999.99    www.theforce.com 
158.99.999.99    www.thedarkside.com

Reload Apache

root@server:~# service apache2 reload

Log into each new WordPress site to complete the website set-up

Open the url for each site in a browser.

www.theforce.com
www.thedarkside.com

You will be forwarded to the WordPress admin site for each domain and prompted to complete the WordPress set-up.

Set-Up HTTPS on Your Websites

Setting Up an SSL Certificate with Certbot

New Extrata Features for Oct 2018

Vince Iarusci | Extrata

It’s been a busy month!  Below are the new features added to Extrata.

New API service connectors added to Extrata

Google Analytics
Facebook

Export Projects to Packages

Projects can now be exported to a package that can be saved as a template and shared with others in your team.  These packages can be imported into other Extrata environments without affecting the existing content.

CLI – Command Line Interface

Tasks can now be automated and scheduled using the command line interface. The CLI has been added to a select number of services but we’re working on adding this feature to more services.

Backup & Restore

Backup all your work into one zip file. Move your content to another workstation.

 

Extracting Stripe Transactions for Accounting Entries

Vince Iarusci | Extrata

Stripe is used every day by businesses to process payments online for the goods and services sold.  We use Stripe in our business to sell software licences for our online products.

As the transactions rolled in, our team wondered how we would capture the information needed to record the monthly accounting transactions.

After looking at the Stripe reports, we learned that getting the data needed for our reports wasn’t so simple. The Stripe dashboards and reports didn’t break down the transactions with the associated refunds, charges and balances.

We needed a tool to extract the data from Stripe in a format we could use.

In the attached video, we show you practical methods on how to use the Extrata tool with Stripe’s API to get the data in the format needed to create reports for our month end financial reporting.

The best part is that anyone can use this method…you don’t have to be a programmer or know how to code.

Watch a video on how to use Extrata to download transactions using the Stripe API connector.

Download the Exclusive Free Extrata Stripe Package