Computer Stuff

Let’s Encrypt certificates with WordPress MultiSite

by on Jan.27, 2020, under Computer Stuff, Linux

Lately, everyone seems to be moving to WordPress. It’s a rock-solid platform for publishing, with a low cost of administration. To securely allow a remote login to your WordPress site, you MUST use an SSL certificate to encrypt the login communications.
I’ve found that LetsEncrypt.org really solves that problem, and with minimal setup required. The biggest catch that I found to using LetsEncrypt.org certificates with my domains was this:
You need a DNS host that supports CAA records. SSLMate publishes a list of those hosts here.


So first, you MAY need to move your authoritative DNS zone to a host that supports CAA records. I’ll wait.

After that, you need a CAA record for the root of your domain name.
It should look something like this:
@ CAA 6h 0 issue "letsencrypt.org"

Once your record is in place, you can validate it using DNSSpy here.
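Why the CAA record matters, as an added example that is not from the original post: a CA checking a name walks it toward the root, uses the first CAA set it finds, and then looks for its own issuer domain in the issue (or, for wildcard names, issuewild) records. ZONE, parse_caa and may_issue below are constructed for this illustration; the apex record mirrors the one above.

```python
from dataclasses import dataclass

CRITICAL = 128  # issuer-critical flag bit in the CAA flags byte
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str


def parse_caa(text):
    """Parse presentation format, e.g. '0 issue "letsencrypt.org"'."""
    flags, tag, value = text.split(None, 2)
    return CAA(int(flags), tag.lower(), value.strip().strip('"'))


# Constructed zone, keyed by owner name; the apex record mirrors the post's.
ZONE = {
    "testdomain.com": [parse_caa('0 issue "letsencrypt.org"')],
    "partner.testdomain.com": [parse_caa('0 issue ";"')],  # ";" forbids everyone
    "shop.testdomain.com": [parse_caa('0 issue "letsencrypt.org"'),
                            parse_caa('0 issuewild ";"')],  # no wildcards here
}


def relevant_caa_set(name, zone):
    """Climb from name toward the root; the first non-empty CAA set wins."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]), [])
        if rrset:
            return rrset
    return []


def may_issue(ca, name, zone, wildcard=False):
    """True if the CA whose issuer domain is `ca` may issue for `name`."""
    rrset = relevant_caa_set(name, zone)
    if not rrset:
        return True  # no CAA anywhere up the tree: issuance is unrestricted
    if any(r.flags & CRITICAL and r.tag not in KNOWN_TAGS for r in rrset):
        return False  # unknown critical property: a CA must not issue
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in rrset):
        tag = "issuewild"  # issuewild takes precedence for wildcard names
    relevant = [r for r in rrset if r.tag == tag]
    if not relevant:
        return True  # CAA present but silent about this kind of issuance
    # The issuer domain is the part of the value before any ';' parameters.
    return any(r.value.split(";", 1)[0].strip().lower() == ca.lower()
               for r in relevant)
```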

Now that your DNS record is answering correctly, it’s time to address the WordPress installation. WordPress can be installed in any number of ways. I usually use Apache2, MySQL, PHP, etc.: a common Linux LAMP stack.

Traditionally, when installing multiple WordPress sites on the same web server, I’d create a separate virtual host and directory for each site. Things have changed, though, and now I can use WordPress Multisite, which allows (in fact, requires) all of your sites to share the same directory. (In most cases, that’s the main web root of your server; on most Linux OSs, that’s /var/www/html.)

For a basic WordPress installation, see this link.
For a deep-dive into the WordPress Network creation and enabling Multisite, see this link.

Since Apache2 comes with a default virtual directory and a default virtual host definition that covers the root of the web server, you don’t *need* to add a virtual host directive for each site you add using WordPress Multisite; WordPress Multisite handles requests for each site itself. However, if you want to take advantage of a free, auto-renewing 3-month SSL certificate from Let’s Encrypt, you need an Apache virtualhost entry for each site in WordPress Multisite.
So, we’ve just installed WordPress Multisite, and we’ve created our first site of testdomain.com.
In Apache2 on Ubuntu 18, you need to edit 2 files. They are:

/etc/apache2/sites-available/000-default.conf
/etc/apache2/sites-available/000-default-le-ssl.conf

##/etc/apache2/sites-available/000-default.conf##
(this is the default, leave it alone)
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    # same root for all sites; WordPress Multisite routes by host name
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

(you’re going to add this for each new site, changing the site name)
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    ServerName testdomain.com
    ServerAlias www.testdomain.com
    # same root for all sites
    DocumentRoot /var/www/html
    # AllowOverride All on / is wider than WordPress needs; its .htaccess
    # lives under /var/www/html, which the next block already covers
    <Directory />
        Options FollowSymLinks
        AllowOverride All
    </Directory>
    <Directory /var/www/html>
        # Indexes permits directory listings wherever no index file exists
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        # Apache 2.2-style access control; works on 2.4 through mod_access_compat
        # (the 2.4 form is "Require all granted")
        Order allow,deny
        allow from all
    </Directory>
    # send plain-HTTP requests for this site to HTTPS (needs mod_rewrite enabled)
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =testdomain.com [OR]
    RewriteCond %{SERVER_NAME} =www.testdomain.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

##/etc/apache2/sites-available/000-default-le-ssl.conf##
(one of these per site, before certbot has run)
<VirtualHost *:443>
    ServerAdmin webmaster@localhost
    ServerName testdomain.com
    # list the www alias here as well if the site should answer on https://www
    DocumentRoot /var/www/html
    <Directory /var/www/html>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        allow from all
    </Directory>
</VirtualHost>

After you install and run certbot, you’ll see these lines added to the end of each virtual host in the SSL config file above:
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/testdomain.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/testdomain.com/privkey.pem
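A small audit for the two files, added here and not part of the post: it parses the vhost stanzas and reports any site name on :80 that does not redirect to HTTPS or has no certificate-bearing :443 vhost, the usual gap when a site is added to one file but not the other. HTTP_CONF, SSL_CONF, parse_vhosts and audit are constructed for the example; the config text mirrors the post's files plus one extra site that never got its :443 entry.

```python
import re

# Constructed config text (not the real files): the post's site plus a second
# site that was added to the :80 file only.
HTTP_CONF = """
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
</VirtualHost>
<VirtualHost *:80>
    ServerName testdomain.com
    ServerAlias www.testdomain.com
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =testdomain.com [OR]
    RewriteCond %{SERVER_NAME} =www.testdomain.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<VirtualHost *:80>
    ServerName seconddomain.example
</VirtualHost>
"""
SSL_CONF = """
<VirtualHost *:443>
    ServerName testdomain.com
    SSLCertificateFile /etc/letsencrypt/live/testdomain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/testdomain.com/privkey.pem
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+[^:>]*:(\d+)\s*>(.*?)</VirtualHost>", re.S)
NAME_RE = re.compile(r"^\s*Server(?:Name|Alias)\s+(.+)$", re.M)
REDIRECT_RE = re.compile(r"^\s*RewriteRule\s+\S+\s+https://", re.M)
CERT_RE = re.compile(r"^\s*SSLCertificateFile\s+\S+", re.M)


def parse_vhosts(text):
    """Yield (port, hostnames, redirects_to_https, has_certificate) per vhost."""
    for port, body in VHOST_RE.findall(text):
        names = [n for line in NAME_RE.findall(body) for n in line.split()]
        yield int(port), names, bool(REDIRECT_RE.search(body)), bool(CERT_RE.search(body))


def audit(http_conf, ssl_conf):
    """Return findings; an empty list means every named site is TLS-covered."""
    tls_names = set()
    for port, names, _, has_cert in parse_vhosts(ssl_conf):
        if port == 443 and has_cert:
            tls_names.update(names)
    findings = []
    for port, names, redirects, _ in parse_vhosts(http_conf):
        if port != 80 or not names:
            continue  # the nameless default vhost is left alone, as in the post
        if not redirects:
            findings.append(f"{names[0]}: port 80 vhost does not redirect to HTTPS")
        findings += [f"{n}: no port 443 vhost with a certificate"
                     for n in names if n not in tls_names]
    return findings
```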


Building a linux terminal server with vncserver

by on Jun.09, 2017, under Computer Stuff, Linux

Sometimes you need to allow multiple people to login to a linux server, and run something that requires Xorg/X11/Xwhatever they’re calling it these days. (xenocara if you’re cool ;)
So, from the start: install your OS (I’m using Ubuntu), install gnome, xfce4, openssh-server and vncserver, and add your users.

  • Setting up your user accounts for VNCserver

Log in as your first user, and run the command: vncserver in a terminal. This will start an instance of the vncserver, and allocate an available port to you. It should look something like this:

username@laptop:/home/username$ vncserver

You will require a password to access your desktops.

Password: (enter password)
Verify: (verify password)
xauth: file /home/username/.Xauthority does not exist

New 'laptop:1 (username)' desktop is laptop:1

Creating default startup script /home/username/.vnc/xstartup
Starting applications specified in /home/username/.vnc/xstartup
Log file is /home/username/.vnc/laptop:1.log

Immediately after this, you’ll want to kill the server with:

username@laptop:/home/username$ vncserver -kill :1

You’ll want to do that for each user account, so that later we can use their passwd file to start vncserver as a system service that runs every time the server boots up. The next user you add and run vncserver for should get port :2 (or, 5902).

We can see that this was the first instance of vncserver to run on this server, because we were assigned port :1 (technically, port 5901).
This will also create the .vnc folder in your home dir. In my case, this is ‘/home/username/.vnc’. Inside this hidden folder, you’ll find the passwd file you created when setting your password for vncserver, and the xstartup file that is created by default.

It doesn’t tend to be extremely useful out of the box, so we’ll replace the contents of it with this for a Gnome desktop in your vnc session:

#!/bin/sh
[ -x /etc/vnc/xstartup ] && exec /etc/vnc/xstartup
[ -r $HOME/.Xresources ] && xrdb $HOME/.Xresources
xsetroot -solid grey
x-terminal-emulator -geometry 80x24+10+10 -ls -title "$VNCDESKTOP Desktop" &
x-window-manager &
gnome-session &
gnome-panel &
gnome-settings-daemon &
metacity &
nautilus &

Replace it with this for an xfce4 desktop in your vnc session:

#!/bin/sh
unset SESSION_MANAGER
unset DBUS_SESSION_BUS_ADDRESS
startxfce4 &
[ -x /etc/vnc/xstartup ] && exec /etc/vnc/xstartup
[ -r $HOME/.Xresources ] && xrdb $HOME/.Xresources
xsetroot -solid grey &

Once you’ve got your xstartup configured the way you want it, run vncserver once more, and make sure that you get the desktop you expect when connecting.

Immediately after this, you’ll want to kill the server with:

username@laptop:/home/username$ vncserver -kill :1

  • Configure vncserver as a system service for each user

As of right now, each user would need to first ssh to the server, and start their instance of vncserver manually to take over an X desktop. This is not what we want. We want their individual vncserver instances to run every time the server boots, and this way, we can restart the vncserver instance for each individual user, rather than having to kill the entire server to reset one connection.

For that, we need to install some init scripts in /etc/init.d/. You need to be root to do this, or able to use sudo.

(at this point I wonder if I should outline how to edit files.. I feel like if you’ve read this far, you already know, or are googling it as I speak.. )

username@laptop:/home/username# vi /etc/init.d/vncserver-username

Insert the following into the newly created file:

#!/bin/sh -e
### BEGIN INIT INFO
# Provides: vncserver:1
# Required-Start: networking
# Required-Stop:
# Default-Start: S
# Default-Stop: 0 6
### END INIT INFO

# When copying this script for another user, change every "username"
# and every ":1" below (Provides, DISPLAY, start and stop).

# The Username:Group that will run VNCserver
export USER="username"
#${RUNAS}

# The display that VNC will use
DISPLAY="1"

# Color depth (between 8 and 32)
DEPTH="16"

# The name that the VNC Desktop will have.
NAME="username on Laptop"

. /lib/lsb/init-functions

case "$1" in
start)
    log_action_begin_msg "Starting vncserver for user '$USER' on localhost:$DISPLAY"
    su username -c "/usr/bin/vncserver :1 -geometry 1920x1080 -geometry 1280x1024 -geometry 1024x768 -f ~/.vnc/passwd"
    log_action_end_msg $?
    ;;

stop)
    log_action_begin_msg "Stopping vncserver for user '$USER' on localhost:$DISPLAY"
    su username -c "/usr/bin/vncserver -kill :1"
    log_action_end_msg $?
    ;;

restart)
    $0 stop
    $0 start
    ;;
esac

exit 0

IMPORTANT: To add another service for another user, you’ll need to copy /etc/init.d/vncserver-username to /etc/init.d/vncserver-newuser, and then edit the file for the new username and port info. Especially important is the “Provides: vncserver:1” line, as this is the name that the system uses to identify the service, and it must be unique for each instance of the service that you want to run. Name each user’s service for the port that they were assigned when they first ran vncserver. So, assuming that newuser got port :2, you’d replace ALL of the “username” with “newuser” and all of the “:1” with “:2”. Read carefully. ;)

Save and exit this file, and then make it executable:
chmod +x /etc/init.d/vncserver-username

Anytime you make a change to the init scripts, you have to tell the system:
systemctl daemon-reload

Now, update the runlevels:
update-rc.d vncserver-username defaults 99

Last, start your system service:
/etc/init.d/vncserver-username start
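A checker for the copy-and-edit step above, added here and not part of the post: it scans each /etc/init.d/vncserver-<user> script for the display number in Provides, DISPLAY, the start line and the -kill line, and for the username, then flags anything inconsistent or duplicated across scripts. SCRIPTS, inspect and audit are constructed for the example, with one deliberate leftover ":1" in the second script.

```python
import re

# Constructed copies of the post's init script, keyed by filename (not real files).
# The second one is the classic copy-and-edit slip: one ":1" survived in the
# stop branch, so "stop" would aim at a display that belongs to another user.
SCRIPTS = {
    "vncserver-username": '''### BEGIN INIT INFO
# Provides: vncserver:1
### END INIT INFO
export USER="username"
DISPLAY="1"
start) su username -c "/usr/bin/vncserver :1 -f ~/.vnc/passwd" ;;
stop)  su username -c "/usr/bin/vncserver -kill :1" ;;
''',
    "vncserver-newuser": '''### BEGIN INIT INFO
# Provides: vncserver:2
### END INIT INFO
export USER="newuser"
DISPLAY="2"
start) su newuser -c "/usr/bin/vncserver :2 -f ~/.vnc/passwd" ;;
stop)  su newuser -c "/usr/bin/vncserver -kill :1" ;;
''',
}

DISPLAY_PATTERNS = (r"Provides:\s*vncserver:(\d+)", r'^DISPLAY="(\d+)"',
                    r"vncserver\s+:(\d+)", r"-kill\s+:(\d+)")
USER_PATTERNS = (r'USER="([^"]+)"', r"\bsu\s+(\S+)\s+-c")


def inspect(text):
    """Return (provides, display numbers, usernames) mentioned in one script."""
    provides = re.search(r"Provides:\s*(\S+)", text)
    displays = {d for p in DISPLAY_PATTERNS for d in re.findall(p, text, re.M)}
    users = {u for p in USER_PATTERNS for u in re.findall(p, text)}
    return (provides.group(1) if provides else None), displays, users


def audit(scripts):
    """Return findings for a set of /etc/init.d/vncserver-<user> scripts."""
    findings, provides_seen = [], {}
    for name, text in scripts.items():
        provides, displays, users = inspect(text)
        expected_user = name.split("-", 1)[-1]
        if len(displays) != 1:
            findings.append(f"{name}: mixed display numbers {sorted(displays)}")
        if users != {expected_user}:
            findings.append(f"{name}: users {sorted(users)} do not match filename")
        if provides in provides_seen:
            findings.append(f"{name}: Provides {provides} duplicates {provides_seen[provides]}")
        provides_seen[provides] = name
    return findings
```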


Recreating the Exchange 2013 Receive connectors

by on Feb.10, 2016, under Computer Stuff, Windows Info

Just in case you ever have to recreate the default receive connectors in Exchange 2013, here you go (authentication mechanisms, permission groups and listening port for each):

Default Client Front End Transport (FrontEnd Transport)
    Auth: TLS, Basic, Integrated
    Permission groups: Exchange Users
    Port: 587
Default Client Proxy (Hub Transport)
    Auth: TLS, Basic, Offer Basic after TLS, Integrated, Exchange Server Auth
    Permission groups: Exchange Servers, Exchange Users
    Port: 465
Default Front End Transport (FrontEnd Transport)
    Auth: TLS, Basic, Offer Basic after TLS, Integrated, Exchange Server Auth
    Permission groups: Exchange Servers, Legacy Exchange Servers, Anonymous Users
    Port: 25
Default Hub Transport (Hub Transport)
    Auth: TLS, Basic, Offer Basic after TLS, Integrated, Exchange Server Auth
    Permission groups: Exchange Servers, Legacy Exchange Servers, Exchange Users
    Port: 2525
Default Outbound Proxy Frontend Transport (FrontEnd Transport)
    Auth: TLS, Enable Domain Security, Basic, Offer Basic after TLS, Integrated, Exchange Server Auth
    Permission groups: Exchange Servers, Anonymous Users
    Port: 717


It’s finally here!! Defer Windows Updates using Group Policy!!

by on Nov.16, 2015, under Computer Stuff, Windows Info


Great post on User Certificate Autoenrollment

by on Oct.26, 2015, under Computer Stuff, Windows Info

If you’re setting up PKI, or 802.1x, go read this:

http://www.vkernel.ro/blog/set-up-automatic-certificate-enrollment-autoenroll


R.I.P., 2003

by on Jul.16, 2015, under Windows Info

Microsoft ended support for Windows Server 2003 on July 14th, 2015.


http://www.microsoft.com/en-us/server-cloud/products/windows-server-2003/


CA Root services cannot start after CA Root certificate expires

by on Dec.04, 2014, under Computer Stuff, Windows Info

Since, by design, you cannot recover from an expired CA root certificate, sometimes you need to limp along and continue to issue certs even though you cannot necessarily revoke them, because the CRL published in Active Directory is now incorrect or offline.
While we can argue all day about the benefits and drawbacks of this, here it is:
To bring the CA Root back online after the Root certificate expires, issue these commands in an elevated powershell:

certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE
net stop certsvc
net start certsvc

Now, go back to the drawing board, and PLAN your PKI implementation, and DON’T LET YOUR CA ROOT CERTIFICATE EXPIRE!!!

Incidentally, once you’ve fixed your certificate snafu, to stop ignoring offline CRLs, do this in an elevated command prompt:

certutil -setreg ca\CRLFlags -CRLF_REVCHECK_IGNORE_OFFLINE
net stop certsvc
net start certsvc


Cannot print to an HP Laserjet 1020 using Terminal Services

by on Jul.22, 2014, under Networking, Windows Info

Terminal Services can only print to your LPT printers (with the proper driver installed on the server). In order to print to a network or USB printer:

1. Install the printer normally (connecting via TCP port or USB port) and make it a shared printer (ie. \\COMPUTERNAME\PRINTER)
2. Install ANOTHER instance of the printer, using the LPT1: (or LPT2:) port
3. Launch an administrative command prompt, and map the LPT port to the shared printer instance:

net use lpt1: \\COMPUTERNAME\PRINTER /persistent:yes

Now, you have an LPT: printer. If you set it as your default printer you can print locally, and Terminal services should now allow you to print from your TS session, as well.


Setting a PTR record at Comcast

by on Jul.01, 2014, under Networking

To setup a reverse DNS record for a Comcast IP address, please contact the Enterprise Care Center (ECC) at 1-800-741-4141 (option 2, and then option 1).


Winmail.dat issues when using an SMTP Proxy

by on Mar.17, 2014, under Computer Stuff, Windows Info

I’ve run into this a couple times recently after clients have been migrated to Office 365. Office 365 by default sends messages in the Transport Neutral Encapsulation Format (TNEF). This is a rich text format and some email servers aren’t able to interpret it, and will therefore replace attachments with winmail.dat files (very common with clients on Macs). The fix is to use PowerShell to disable TNEF. There is a TechNet article that shows you how to disable TNEF when sending to specific domains or email addresses, but in my opinion that’s not acceptable for a client because they will need to contact us to have it changed every single time they encounter someone who cannot receive attachments from them. The fix is to connect to Office 365 via PowerShell and then do one of the following…

Option 1: Disable for Specific Domain (example uses wyldehare.com as the domain you are sending to)
1. New-RemoteDomain -DomainName wyldehare.com -Name WyldeHare
2. Set-RemoteDomain -Identity WyldeHare -TNEFEnabled $false
3. Get-RemoteDomain -Identity WyldeHare | Select TNEFEnabled (This step just confirms that the change was accepted – should show you “false” for the output.)

Option 2: Disable for Specific Email Address
1. No point in doing this since the email server is usually what causes this.

Option 3: Disable Globally (recommended)
1. Set-RemoteDomain Default -TNEFEnabled $false
2. Get-RemoteDomain -Identity Default | Select TNEFEnabled (This step just confirms that the change was accepted – should show you “false” for the output.)

The change does not take immediately. I have not seen it documented anywhere, but I do know it doesn’t take place immediately. I had a client test this right after I made the change and it didn’t work, so I had them try again in the morning and it worked. I would guess at somewhere between 15 minutes and a few hours.

We’ve also run into some issues recently where users have been receiving winmail.dat attachments.  This is usually caused in cases where the client has the SMTP proxy enabled on their WatchGuard.  By default, the SMTP proxy strips some of the headers out of the email that identify it as a Rich Text Formatted email. If the email client does not have the header information needed to interpret the winmail.dat attachment, the email client cannot display the proper formatting of the email, and incorrectly displays the attachment as a winmail.dat file.  To resolve, do the following…

  1. Start Policy Manager for your XTM device.
  2. Double-click the SMTP-Proxy used for inbound email.
    Or, right-click the SMTP-proxy and select Modify Policy.
    The New/Edit Policy dialog box appears with the Policy tab selected.
  3. Adjacent to the Proxy action drop-down list, click View/Edit Proxy.
    The SMTP Proxy Action Configuration dialog box appears.
  4. From the Categories tree, select Headers.
  5. In the Pattern text box, type each of these patterns and click Add to add them to the Rules list.
    • X-MS-Has-Attach:*
    • X-MS-TNEF-Correlator:*
    • X-MimeOLE:*
  6. From the If matched drop-down list, select Allow.
  7. From the Categories tree, select Content Types.
  8. In the Pattern text box, type application/ms-tnef and click Add.
    The pattern appears in the Rules list.
  9. From the If matched drop-down list, select Allow.
  10. From the Categories tree, select Filenames.
  11. In the Pattern text box, type winmail.dat and click Remove.
    The winmail.dat pattern is removed from the Rules list.
  12. From the None matched drop-down list, select Allow.

Now, having said that, we had a client *not* using the SMTP proxy have a similar issue.  This client has Securence for SPAM filtering and there is a feature you can enable within Securence that attempts to extract the contents of Winmail.dat when necessary.  To enable, go to Settings -> Filters -> Winmail.dat Extraction.

(shamelessly ripped from an email from ChrisV, who rules.. thanks, man!)

