
Servers 101: Setting up a Web Server part 3 - SSL by dimitrisp

https://neurobin.org/docs/web/cpanel/installing-tls-ssl-certificate-using-cpanel/thumb0.png

You can read the previous part of the series by [clicking here](https://steemit.com/tutorial/@dimitrisp/servers-101-setting-up-a-web-server-part-2-basic-configuration).

Other stuff in the series: 
* [Intro and getting into your server](https://steemit.com/tutorial/@dimitrisp/servers-101-intro-and-getting-into-your-server)
* [Basic Server Security](https://steemit.com/tutorial/@dimitrisp/servers-101-basic-server-security-part-1)

---

In the webserver series, we will configure a web server. We will install Apache, PHP 7.1 and MySQL, and set up a Let's Encrypt bot and a bandwidth monitor. We will also set up WordPress and phpMyAdmin, and open the needed ports on UFW.

What we WON'T do is install an FTP server. When the time comes, I will help you configure FileZilla to use your private key (the one we made in the 3rd part of the "Basic Server Security" series), and you will upload anything you want via this.

This series will be split into 3 or 4 parts, as it is a large one too. Writing everything in one post is counterproductive for me.

---

In the previous part we configured our server software (Apache, MySQL, PHP etc.). In this part we will only install a certificate and make it auto-renew with Let's Encrypt!

---

## Install Let's Encrypt's certbot:

```
sudo apt-get install python-certbot-apache
```

---

## Prepare Apache

Before we begin, we must configure a hostname in Apache's default config. Go ahead and do that:

```
sudo nano /etc/apache2/sites-available/000-default.conf
```

Just above `ServerAdmin webmaster@localhost` put these lines, but change them to read your domain name:

```
    ServerName exampledomain.com
    ServerAlias www.exampledomain.com
```

*If you are just hosting a subdomain, for example this.exampledomain.com, and you don't want to add the "www." in front, just skip ServerAlias and you are good to go.*

Save, exit and test your config changes:

```
sudo apache2ctl configtest
```

If you get `Syntax OK`, then you are good to go. Otherwise you've got an error. Recheck what you typed in!

---

## Generate and install a certificate!

Run this command to start Certbot:

```
sudo certbot --apache
```

You will get something like this:

![](https://steemitimages.com/DQma9cZofesrWhaKDrTfcpv526VFQxC14Bhxn9EHstRvSQp/image.png)

Press 1 (or the number corresponding to the domain name you want to install a certificate for) and then Enter. 

First, we need to give an email for expiry and renewal notifications.

We also need to read the terms and confirm we agree.

Then we will get asked if we only want HTTPS access, or if it is optional.

I strongly suggest that you choose "Secure" (everything goes over HTTPS) by typing 2 and then pressing Enter.

---

## Autorenewing Let's Encrypt

Let's Encrypt certificates are valid for 90 days. This is done so that all certificates, especially maliciously generated ones, expire quickly.

To have peace of mind and not have to renew your certificate manually every 90 days, we will set up certbot to check your certificates twice every week (on my servers, this runs every Monday and Thursday).

The renew command is this:

```
sudo certbot renew
```

If you run it, the check will run immediately and if any certificate is near its expiration date (that is, less than 30 days before expiration date), it will be renewed.

To make it automated, we will use `crontab`! `crontab` means "cron table". A table is a table (duh!), and cron is a job scheduler in Linux and other Unix-like operating systems. Certbot needs root privileges to renew and to write its log under /var/log, so we edit root's crontab. To start the editor, type:

```
sudo crontab -e
```

If it is the first time you run `crontab`, you will get this prompt:

>no crontab for root - using an empty one
>
>Select an editor.  To change later, run 'select-editor'.
>  1. /bin/ed
>  2. /bin/nano        <---- easiest
>  3. /usr/bin/vim.basic
>  4. /usr/bin/vim.tiny
>
>Choose 1-4 [2]:

Choose nano (input 2 and press enter), unless you prefer any of the other editors that exist in the list.

A cronjob syntax is this:

>Minute Hour DayOfMonth Month DayOfWeek Command To Execute

Filling something with an asterisk means that you want to run this on every instance of the field. For example, this:

>`* 1 * * * ls /var/www`

will list the contents of /var/www every minute during the hour that starts 1 hour after midnight (01:00 to 01:59), every day.
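To check a schedule before trusting it with certificate renewals, this added example (not part of the original post) evaluates a five-field cron line the way the syntax above describes, and counts how often it fires in a day. The function names are made up for illustration, and it goes a little beyond the text by also handling ranges, steps and cron's rule for lines that restrict both day fields.

```sh
# Added example: does a five-field crontab line fire at a given minute?
# Handles *, lists (1,4), ranges (1-5), steps (*/15); month/day names are not handled.

field_matches() {   # field_matches VALUE FIELD MIN MAX
    local value="$1" rest="$2" min="$3" max="$4" part step lo hi
    while [ -n "$rest" ]; do
        part=${rest%%,*}                       # next comma-separated item
        case $rest in *,*) rest=${rest#*,} ;; *) rest= ;; esac
        step=1
        case $part in */*) step=${part#*/}; part=${part%/*} ;; esac
        case $part in
            '*') lo=$min; hi=$max ;;
            *-*) lo=${part%-*}; hi=${part#*-} ;;
            *)   lo=$part; hi=$part ;;
        esac
        [ "$value" -ge "$lo" ] && [ "$value" -le "$hi" ] &&
            [ $(( (value - lo) % step )) -eq 0 ] && return 0
    done
    return 1
}

dow_matches() {     # DOW is 0-6 with 0 = Sunday; cron also accepts 7 for Sunday
    field_matches "$1" "$2" 0 7 && return 0
    [ "$1" -eq 0 ] && field_matches 7 "$2" 0 7
}

cron_matches() {    # cron_matches "CRON LINE" MINUTE HOUR DAY_OF_MONTH MONTH DOW
    local f_min f_hour f_dom f_mon f_dow _cmd
    read -r f_min f_hour f_dom f_mon f_dow _cmd <<EOF
$1
EOF
    field_matches "$2" "$f_min" 0 59 || return 1
    field_matches "$3" "$f_hour" 0 23 || return 1
    field_matches "$5" "$f_mon" 1 12 || return 1
    if [ "$f_dom" = "*" ] || [ "$f_dow" = "*" ]; then
        field_matches "$4" "$f_dom" 1 31 && dow_matches "$6" "$f_dow"
    else            # both day fields restricted: cron fires when EITHER matches
        field_matches "$4" "$f_dom" 1 31 || dow_matches "$6" "$f_dow"
    fi
}

runs_per_day() {    # runs_per_day "CRON LINE" DAY_OF_MONTH MONTH DOW -> prints a count
    local t=0 count=0                          # t = minute of the day, 0..1439
    while [ "$t" -lt 1440 ]; do
        if cron_matches "$1" $((t % 60)) $((t / 60)) "$2" "$3" "$4"; then
            count=$((count + 1))
        fi
        t=$((t + 1))
    done
    echo "$count"
}

# Constructed inputs: day 17, month 7, a Monday (1). No calendar lookup is done.
echo "35 3 * * 1,4 -> $(runs_per_day '35 3 * * 1,4 /usr/bin/certbot renew' 17 7 1) run(s)"
echo "* 1 * * *    -> $(runs_per_day '* 1 * * * ls /var/www' 17 7 1) run(s)"
```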

So, I want to run the renew command every Monday (day 1) and every Thursday (day 4) at 3:35:

```
# 2>&1 sends certbot's error messages to the same log as its normal output
35 3 * * 1,4 /usr/bin/certbot renew >> /var/log/le-renew.log 2>&1
```

Put this line in the crontab you opened in nano (change the minutes/hours/days if you want to) and save it. When the time comes, the check will happen. You can review the log file every now and then to make sure everything went fine by typing:

```
sudo nano /var/log/le-renew.log
```
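The log shows that the job ran; the certificate's own expiry date shows whether renewal actually worked. The check below is an added example (not part of the original post): it uses `openssl x509 -checkend` against the 30-day renewal threshold mentioned above, with an assumed 7-day grace period, and its function names and demo certificates are constructed for illustration.

```sh
# Added example: confirm that the twice-weekly "certbot renew" job really renews.
RENEW_WINDOW_DAYS=30   # certbot renews once fewer than 30 days remain (per the post)
GRACE_DAYS=7           # assumption: a week covers two missed Monday/Thursday runs

# cert_status PEM_FILE -> exit status
#   0 healthy          more than RENEW_WINDOW_DAYS left
#   1 renewal pending  inside the window; the next cron run should replace it
#   2 renewal overdue  the job had GRACE_DAYS to renew and did not, or the cert expired
#   3 unreadable       file missing or not a PEM certificate
cert_status() {
    local pem="$1" window overdue
    window=$(( RENEW_WINDOW_DAYS * 86400 ))
    overdue=$(( (RENEW_WINDOW_DAYS - GRACE_DAYS) * 86400 ))
    openssl x509 -in "$pem" -noout >/dev/null 2>&1 || return 3
    # -checkend N exits 0 only if the certificate is still valid N seconds from now
    openssl x509 -in "$pem" -noout -checkend "$window" >/dev/null && return 0
    openssl x509 -in "$pem" -noout -checkend "$overdue" >/dev/null && return 1
    return 2
}

# check_and_report PEM_FILE: print one status line, return cert_status's code
check_and_report() {
    local rc=0
    cert_status "$1" || rc=$?
    case $rc in
        0) echo "OK         $1" ;;
        1) echo "PENDING    $1 (inside the ${RENEW_WINDOW_DAYS}-day renewal window)" ;;
        2) echo "OVERDUE    $1 (renewal is failing, read /var/log/le-renew.log)" ;;
        *) echo "UNREADABLE $1" ;;
    esac
    return "$rc"
}

# make_demo_cert DAYS OUT_FILE: constructed sample input, a throwaway self-signed
# certificate for exampledomain.com that expires DAYS days from now.
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$1" \
        -subj "/CN=exampledomain.com" -keyout "$2.key" -out "$2" 2>/dev/null
    rm -f "$2.key"
}

# Demo on constructed certificates. On the server, point check_and_report at
# /etc/letsencrypt/live/exampledomain.com/cert.pem (certbot's layout; run as root).
demo_dir=$(mktemp -d)
for days in 60 25 10; do
    make_demo_cert "$days" "$demo_dir/cert-$days.pem"
    check_and_report "$demo_dir/cert-$days.pem" || true
done
rm -rf "$demo_dir"
```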

---

That's it for now! What we have left to do is make Apache use multiple virtual hosts and create a password-protected directory where we will make `vnstati` generate some graphs to monitor our bandwidth usage easily.

Thank you for reading. If you liked my small tutorial, or have any questions, feel free to leave a comment.

* Main image courtesy of Neurobin

---

[The next part, and finale of the Web server series, is now available. Click here](https://steemit.com/tutorial/@dimitrisp/servers-101-setting-up-a-web-server-part-4-virtual-hosts-and-vnstati-graphs)


Posted: 2017-07-16 07:34:21 · Last updated: 2017-07-17 07:35:06
@gk01 ·
some might find this website useful for installing certbot: https://certbot.eff.org/#ubuntuxenial-apache
Posted: 2017-08-14 22:20:57
@gk01 ·
apparently you need to setup the DNS A records for your domains, so that the sites obviously don't timeout upon request, before you can get certificates for them
Posted: 2017-08-14 22:24:51
@dimitrisp ·
This is done from your domain registrar. There are thousands of domain registrars and managers, so I can't help you there. If you tell me where you registered your domain, I could look it up.
Posted: 2017-08-15 05:55:12
@gk01 · (edited)
GoDaddy is the registrar of the domain I'm using to test this.

I've already set the A record on there to my public IP address. However, it doesn't seem to be directing queries to the test website I have on my server.

Notably, I set up a DHCP reservation for my PC's internal IP, and also set up dynamic DNS for my router via noip.com since my router is assigning internal IPs dynamically and my ISP is, I believe, assigning dynamic IPs externally. So one of my questions is: I should be using the dynamic DNS address (i.e. myhostname.ddns.net), right?

Don't I need to change the name server addresses on GoDaddy too?

I don't know why it's not redirecting to my website :/
Posted: 2017-08-15 07:32:27 · Last updated: 2017-08-15 07:33:12
@ironmanmatt ·
I honestly know little about servers. What would be some of the benefits of setting up your own encrypted server? How easy is it to monetize an encrypted server?
Posted: 2017-07-16 08:18:45
@dimitrisp ·
Setting up your own server (encrypted or not) helps your site or your application to be as far away as possible from "noisy neighbors" (sites that have a huge amount of traffic or using a huge amount of the server's CPU). Your site will have a great boost in speed (especially if you use a provider with great uplinks and a powerful server).

Also, if you are on a shared hosting account, the provider hasn't secured the server enough, and one of the other sites becomes a target, your site would go down as well in case of a nullroute (fancy term for "Suspending your server's internet connection forever or until the attack has passed").

Also, if you know what you are doing, and you manage yourself, you can actually bring costs down, by hosting all your apps and sites in one server (if the server can hold all of them of course!)

As for monetisation, that's an irrelevant question, unless you plan to start a web hosting service. If this is not something you would think to do, monetisation has to do with the content or apps you will host.

Thank you for your comment, and sorry for the long reply! Things got out of hand while writing this! :)
Posted: 2017-07-16 08:40:24
@gk01 ·
do you have any tutorial on setting up DNS, because executing certbot --apache obviously will not work otherwise
Posted: 2017-08-14 22:32:12
@orodrummer ·
Thanks for the great tutorial! I specifically needed the auto renew command for my Google hosted server setup. Do you recommend configuring HSTS for my SSL websites?
Posted: 2018-01-20 17:43:51
@dimitrisp ·
If you have data that you can't afford to leak, then yes. Make sure you sign up your website on HSTS Preload Lists in this case, for an extra layer of data security!
Posted: 2018-01-23 11:56:06
@orodrummer ·
Thanks for the input. Now I just need to figure out how to get alerts on Steemit so I can respond to people in a timely manner.
Posted: 2018-02-01 03:37:00