Tips for Let’s Encrypt (certbot etc.)

Ubuntu 18.04 LTS (bionic), Install, Configure “certbot”

https://certbot.eff.org/lets-encrypt/ubuntubionic-apache

For other systems, use the following website to find the installation and configuration process

https://certbot.eff.org/

Let Certbot edit your Apache configuration automatically to serve it, turning on HTTPS access in a single step.

sudo certbot --apache

Just get a certificate, and make the changes to the Apache configuration manually

sudo certbot certonly --apache
sudo certbot certonly --apache -d contoso.com

With sub-domains

sudo certbot certonly --apache -d contoso.com -d www.contoso.com -d ftp.contoso.com

With multiple domains

sudo certbot certonly --apache -d contoso.com -d www.contoso.com -d ftp.contoso.com -d anotherfakedomain.com -d fakedomain2.com

Test with --dry-run (the “--dry-run” switch can be used to test “renew” or “certonly” without saving any certificates to disk)

sudo certbot certonly --apache -d contoso.com -d www.contoso.com -d ftp.contoso.com -d anotherfakedomain.com -d fakedomain2.com --dry-run

With multiple domains, multiple virtual hosts in different document folders

sudo certbot certonly -i apache --webroot -w /var/htdocs/contoso.com/ -d contoso.com -d www.contoso.com -d ftp.contoso.com -w /var/htdocs/anotherfakedomain.com/ -d anotherfakedomain.com -w /var/htdocs/fakedomain2.com/ -d fakedomain2.com --dry-run

Test with Staging server/Environment (higher Rate Limits) (without --dry-run)

Warning: Certificates from Staging server should not be used for production

sudo certbot certonly --server https://acme-staging-v02.api.letsencrypt.org/directory -i apache --webroot -w /var/htdocs/contoso.com/ -d contoso.com -d www.contoso.com

Test with Staging server and with --dry-run

sudo certbot certonly --server https://acme-staging-v02.api.letsencrypt.org/directory -i apache --webroot -w /var/htdocs/contoso.com/ -d contoso.com -d www.contoso.com --dry-run

Test with real server with --dry-run

sudo certbot certonly --server https://acme-v02.api.letsencrypt.org/directory -i apache --webroot -w /var/htdocs/contoso.com/ -d contoso.com -d www.contoso.com --dry-run

Download certificate from real server

sudo certbot certonly --server https://acme-v02.api.letsencrypt.org/directory -i apache --webroot -w /var/htdocs/contoso.com/ -d contoso.com -d www.contoso.com

Use DNS as the preferred challenge with a wildcard domain

sudo certbot certonly --server https://acme-v02.api.letsencrypt.org/directory --manual --preferred-challenges dns -d 'contoso.com' -d '*.contoso.com'

On Ubuntu, all certificates, certificate configuration files, renewal configuration files, archives, keys etc. are stored in the following folder

/etc/letsencrypt
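
The staging warning above and this folder layout can be checked together. The following shell audit is an added example, not part of the original post: it lists certificate lineages whose renewal configuration still points at the staging server, and private keys that group or others can read. The sample tree, the name test.contoso.com and the script name audit.sh are constructed for illustration; the "server =" line in renewal/*.conf and the archive/<name>/privkeyN.pem layout are what certbot writes by default.

```bash
#!/bin/sh
# Added example: audit a certbot configuration directory (default /etc/letsencrypt).

# Print lineages whose renewal config points at the Let's Encrypt staging ACME server.
staging_lineages() {
    for conf in "$1"/renewal/*.conf; do
        [ -f "$conf" ] || continue
        if grep -Eq '^[[:space:]]*server[[:space:]]*=.*acme-staging' "$conf"; then
            basename "$conf" .conf
        fi
    done
}

# Print private keys that are readable by group or by others.
loose_keys() {
    if [ -d "$1/archive" ]; then
        find "$1/archive" -type f -name 'privkey*.pem' \
            \( -perm -040 -o -perm -004 \) | sort
    fi
}

# Build a constructed sample tree so the audit can be tried without root.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/renewal" "$d/archive/contoso.com" "$d/archive/test.contoso.com"
    printf '[renewalparams]\nauthenticator = webroot\nserver = %s\n' \
        'https://acme-v02.api.letsencrypt.org/directory' \
        > "$d/renewal/contoso.com.conf"
    printf '[renewalparams]\nauthenticator = webroot\nserver = %s\n' \
        'https://acme-staging-v02.api.letsencrypt.org/directory' \
        > "$d/renewal/test.contoso.com.conf"
    : > "$d/archive/contoso.com/privkey1.pem"
    chmod 600 "$d/archive/contoso.com/privkey1.pem"
    : > "$d/archive/test.contoso.com/privkey1.pem"
    chmod 644 "$d/archive/test.contoso.com/privkey1.pem"
    echo "$d"
}

# Usage: sudo sh audit.sh /etc/letsencrypt
# With no argument the constructed sample tree is audited instead.
LE_DIR=${1:-$(make_sample)}
echo "Lineages renewing against the staging server:"
staging_lineages "$LE_DIR"
echo "Private keys readable by group or others:"
loose_keys "$LE_DIR"
```

A lineage reported in the first list will keep renewing from staging until it is reissued against the production server.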

Note

If certbot complains about a connection issue, the connection might be blocked by a firewall, e.g. the system firewall or a Web Application Firewall (WAF).

Extended Reading

  • Root Certificate for Staging Server/Environment ( https://acme-staging-v02.api.letsencrypt.org/directory )
    • The staging environment intermediate certificate (“Fake LE Intermediate X1”) is issued by a root certificate not present in browser/client trust stores. If you wish to modify a test-only client to trust the staging environment for testing purposes you can do so by adding the “Fake LE Root X1” certificate to your testing trust store. Important: Do not add the staging root or intermediate to a trust store that you use for ordinary browsing or other activities, since they are not audited or held to the same standards as our production roots, and so are not safe to use for anything other than testing.

Turn off display automatically on Ubuntu 18.04 server with text boot

Open /etc/default/grub in any text editor (e.g. sudo nano, sudo vi etc.)

Add consoleblank=0 to GRUB_CMDLINE_LINUX_DEFAULT= as parameter.

e.g.

If it is GRUB_CMDLINE_LINUX_DEFAULT="quiet splash" change to GRUB_CMDLINE_LINUX_DEFAULT="quiet splash consoleblank=0"

If it is GRUB_CMDLINE_LINUX_DEFAULT="text" change to GRUB_CMDLINE_LINUX_DEFAULT="text consoleblank=0"

Finally, do sudo update-grub then reboot.

Note: If you already boot in text mode, chances are you will have GRUB_CMDLINE_LINUX_DEFAULT="text"

What does this change do?

Without consoleblank=0, once the server has booted into text mode and the timeout expires, the screen goes blank but stays powered on (dimmed screen). Adding consoleblank=0 at the end of GRUB_CMDLINE_LINUX_DEFAULT= actually turns the display off after the timeout instead of dimming it.

Alternatively, if you are running the server on a laptop, the easiest way is to close the lid and still keep the server running; refer to this post: How to: Keep Ubuntu Server running on laptop with lid closed

How to: Ubuntu switch php-fpm version

Install newer php-fpm version e.g. 7.3

1. sudo apt install php7.3-fpm

2. sudo a2enconf php7.3-fpm

Notes:

a2enconf is a script that enables the specified configuration file within the apache2 configuration. It does this by creating symlinks within /etc/apache2/conf-enabled. Likewise, a2disconf disables a specific configuration part by removing those symlinks. It is not an error to enable a configuration which is already enabled, or to disable one which is already disabled.

– Ubuntu Manual

a2enmod is a script that enables the specified module within the apache2 configuration. It does this by creating symlinks within /etc/apache2/mods-enabled. Likewise, a2dismod disables a module by removing those symlinks. It is not an error to enable a module which is already enabled, or to disable one which is already disabled.    – Ubuntu Manual