Let’s Encrypt, Ubuntu, Certbot and the Unifi Controller
For the sake of this post, let's assume you're running a quite minimal install of Ubuntu 18.05 Bionic Beaver and have installed your Unifi Controller with the script from Glenn Rietveld.
Install certbot
Follow the official instructions. They're good. In short, it's just the following steps:
$ sudo apt install software-properties-common
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt update
$ sudo apt install python3-certbot-nginx
Create renew-hook for the Unifi Controller
Create the script /etc/letsencrypt/renewal-hooks/deploy/import-to-unifi and make it executable (chmod +x); certbot only runs executable files from that directory.
#!/bin/bash
# Deploy hook: certbot runs the executables in this directory after a
# certificate is issued or renewed, with RENEWED_LINEAGE pointing at the
# live directory of the cert that just changed.
# Make sure you only have one letsencrypt cert on this server. If you have
# more than one, uncomment the following line and adjust it to your unifi
# controller's domain name so the hook ignores the other certs.
#CERTBOT_DOMAIN=unifi.some.where
set -e
LE_LIVE=/etc/letsencrypt/live
UNIFI_KEYSTORE=/var/lib/unifi/keystore
LINEAGE=${RENEWED_LINEAGE:-${LE_LIVE}/${CERTBOT_DOMAIN}}
# Skip certs for other domains when CERTBOT_DOMAIN is pinned above
if [ -n "${CERTBOT_DOMAIN}" ] && [ "$(basename "${LINEAGE}")" != "${CERTBOT_DOMAIN}" ]; then
    exit 0
fi
if [ "${LINEAGE}/cert.pem" -nt "${UNIFI_KEYSTORE}" ]; then
    WORKDIR=$(mktemp -d)
    # The PKCS#12 bundle holds the private key: remove it however the script exits
    trap 'rm -rf "${WORKDIR}"' EXIT
    openssl pkcs12 -export -inkey "${LINEAGE}/privkey.pem" -in "${LINEAGE}/fullchain.pem" -out "${WORKDIR}/cert.p12" -name unifi -password pass:temppass
    # Keep a timestamped backup of the old keystore before overwriting the unifi alias
    cp "${UNIFI_KEYSTORE}" "${UNIFI_KEYSTORE}-$(date +%s)"
    # aircontrolenterprise is the UniFi controller's default keystore password
    keytool -importkeystore -deststorepass aircontrolenterprise -destkeypass aircontrolenterprise -destkeystore "${UNIFI_KEYSTORE}" -srckeystore "${WORKDIR}/cert.p12" -srcstoretype PKCS12 -srcstorepass temppass -alias unifi -noprompt
    systemctl restart unifi.service
fi
Run certbot the first time
$ certbot --nginx
# Answer the questions as needed
Verify everything worked
$ echo "" | openssl s_client -connect 127.0.0.1:8443
CONNECTED(00000005)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = unifi.some.where
verify return:1
---
[...]
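The s_client output above only shows that port 8443 presents a Let's Encrypt chain. A scripted version of the check, added here as an example and not part of the original post, goes one step further and compares SHA-256 fingerprints from three places: the cert.pem certbot wrote, the "unifi" entry in the keystore, and what the controller actually serves. Paths and the keystore password are the ones the hook uses; the alias "unifi" and port 8443 are assumed UniFi defaults.

```shell
#!/bin/bash
# Added example (not from the original post): confirm that the hook put the
# Let's Encrypt certificate into the UniFi keystore and that the controller
# serves it, by comparing SHA-256 fingerprints from three places.
LE_LIVE=/etc/letsencrypt/live
UNIFI_KEYSTORE=/var/lib/unifi/keystore
UNIFI_STOREPASS=aircontrolenterprise

# openssl prints "SHA256 Fingerprint=AB:CD:..." and keytool prints
# "SHA256: AB:CD:..."; reduce either to bare upper-case hex so they compare.
# Prints nothing if the input holds no 64-hex-digit fingerprint.
normalize_fp() {
  printf '%s\n' "$1" | tr -d ':' | grep -oE '[0-9A-Fa-f]{64}' | head -n 1 | tr 'a-f' 'A-F'
}

# Succeeds only when both inputs carry the same fingerprint.
fingerprints_match() {
  a=$(normalize_fp "$1")
  b=$(normalize_fp "$2")
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Fingerprint of the cert certbot wrote to disk for domain $1.
live_cert_fp() {
  openssl x509 -in "${LE_LIVE}/$1/cert.pem" -noout -fingerprint -sha256
}

# Fingerprint of the leaf cert stored under the "unifi" alias (first SHA256
# line of the verbose listing; later lines belong to the chain).
keystore_fp() {
  keytool -list -v -keystore "${UNIFI_KEYSTORE}" -storepass "${UNIFI_STOREPASS}" -alias unifi \
    | grep 'SHA256:' | head -n 1
}

# Fingerprint of the cert the controller actually presents on 8443.
served_fp() {
  echo "" | openssl s_client -connect 127.0.0.1:8443 -servername "$1" 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256
}

# Usage: check_unifi_cert unifi.some.where
check_unifi_cert() {
  disk=$(live_cert_fp "$1") || return 1
  ks=$(keystore_fp) || return 1
  srv=$(served_fp "$1") || return 1
  fingerprints_match "$disk" "$ks" || { echo "keystore does not hold the live cert; run the hook"; return 1; }
  fingerprints_match "$disk" "$srv" || { echo "controller still serves another cert; restart unifi.service"; return 1; }
  echo "ok: keystore and port 8443 both present $(normalize_fp "$disk")"
}

if [ $# -gt 0 ]; then check_unifi_cert "$1"; fi
```

Run it as root (the keystore is not world-readable) with the controller's domain as the only argument. A mismatch between disk and keystore means the hook never fired or failed; a mismatch between keystore and port 8443 means the controller was not restarted after the import.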
Closing notes
This is mostly written as a reminder for myself. Hopefully it’ll help someone.
I haven’t tested how resilient this is when, for example, upgrading the unifi controller. Possibly one needs to touch /etc/letsencrypt/live/${CERTBOT_DOMAIN}/cert.pem and run the hook manually after the upgrade for the cert to keep the keystore fresh. I’ve seen it happen in other places using keystores.
amavisd-new on Ubuntu 14.04 (trusty)
If you get anything like this in your syslog:
Dec 27 20:35:36 web2 amavis[4216]: (!!)TROUBLE in pre_loop_hook: config: no rules were found! Do you need to run 'sa-update'?
Dec 27 20:35:36 web2 amavis[4216]: (!)_DIE: Suicide () TROUBLE in pre_loop_hook: config: no rules were found! Do you need to run 'sa-update'?
Then add amavis to the clamav group and restart amavis to get it working again. Easy to see from the error log, right?
sudo adduser amavis clamav
sudo service amavis restart
Lubuntu 14.04 and nice to haves
While installing Lubuntu 14.04 on my laptop I found out the hard way about a bug in the installer regarding encrypted hard drives. To get around it you need to boot from the CD/USB, choose to try Lubuntu, open a terminal and run
# sudo swapoff -a
and then start the install. You need to do this before starting the install, since the installer remembers certain errors between runs unless you reboot in between.
PPAs and other repos I like to add on newly installed systems:
Additionally I like to install git, guake, vim-nox and a few other tidbits.
UniFi AP Pro and controller
I recently got myself two UniFi AP Pros. While getting them installed, which requires a Java-based controller software installed on a computer, I found a couple of problems. The foremost was that the controller didn't start. After having a look at the unifi logs (/var/log/unifi/server.log on Ubuntu 12.04) I found out that it tried to use an already allocated port (8081). I had to change that port number in both /usr/lib/unifi/data/system.properties and /usr/lib/unifi/etc/system.properties for the change to take effect. Sadly the server didn't honour a changed binding IP, even after changing it in those two files, and listens on 0.0.0.0 instead. Firewall away and debug more another day...
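Finding out what already holds the port, before editing system.properties, is the quicker route to the root cause than reading server.log. The script below is an added example and not part of the original post: it parses `ss -ltnp` output and names the process (and bound address) behind each port you ask about. The ports 8081 and 8443 are the ones mentioned on this page; the sample `ss` output embedded in the script is constructed so the parser can be exercised offline.

```shell
#!/bin/bash
# Added example (not from the original post): report which process already
# owns a port the UniFi controller wants, parsed from `ss -ltnp` output.

# Read `ss -ltnp` output on stdin and print "<cmd> pid=<n> on <addr>" for the
# listener on port $1. Returns 1 when nothing listens on that port.
owner_of_port() {
  awk -v port="$1" '
    NR > 1 {
      n = split($4, a, ":")                      # "[::]:8081": the port is the last piece
      if (a[n] != port) next
      addr = substr($4, 1, length($4) - length(port) - 1)
      if (match($NF, /\("[^"]*",pid=[0-9]+/)) {  # users:(("java",pid=1234,fd=42))
        s = substr($NF, RSTART + 2, RLENGTH - 2)  # java",pid=1234
        sub(/",pid=/, " pid=", s)                 # java pid=1234
        print s " on " addr
        found = 1
      }
    }
    END { if (!found) exit 1 }'
}

# Report every port in the argument list that is already taken.
# Run as root: ss only shows process names for your own processes otherwise.
check_ports() {
  rc=0
  for p in "$@"; do
    if owner=$(ss -ltnp | owner_of_port "$p"); then
      echo "port $p is already taken by $owner"
      rc=1
    fi
  done
  return $rc
}

# Constructed sample of `ss -ltnp` output, used to exercise the parser offline.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      50     [::]:8081          [::]:*            users:(("java",pid=1234,fd=42))'

# Usage: ./check-ports.sh 8081 8443
if [ $# -gt 0 ]; then check_ports "$@"; fi
```

A non-zero exit from check_ports tells you which of the controller's ports to move in system.properties, and the pid tells you whether the conflict is a stale controller instance or an unrelated service.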
Install Oracle Java 7 in Ubuntu
http://www.webupd8.org/2012/01/install-oracle-java-jdk-7-in-ubuntu-via.html
A Linux distribution for the elderly?
As part of the project to get my grandparents to use a computer and (preferably) the Internet, I am trying to find a Linux distribution that is easy to learn to use*. The alternatives I am looking at right now are EasyPeasy, which is an Ubuntu clone with a GUI adapted for netbooks; Linux Mint, also an Ubuntu clone and with even more focus on user-friendliness than standard Ubuntu; and finally a plain Ubuntu with either Unity or Gnome as the window manager.
Right now it leans mostly towards EasyPeasy since it has a very simple interface for launching programs (think iOS, but with categories instead of pages of apps). We'll see how it ends up!
Thanks to Digidel 2013 for finally getting me to tackle this...
* Using the computer is in this case as "simple" as using a web browser to read the news on DN's website, recipes at Arla and hopefully Gmail.
Dennis Ritchie, thank you for everything!
On October 12th Dennis Ritchie passed away after a long illness. He lives on, however, through C and UNIX, just as he has for the past 40 years. Thank you for everything!
See also my post on the .SE blog
6 Ways To Kill Your Servers – Learning How To Scale The Hard Way
Good article over at HighScalability.com about what happens when a coder, even an experienced one, has to scale out a web site under time pressure.
The most important lessons in my opinion are caching, tweaking configuration and stress testing.
daemontools and ucspi-tcp on Hardy Heron
I was about to install daemontools and ucspi-tcp on Hardy Heron (Ubuntu 8.04) when I found that the packages build-daemontools et al. were not in the archive anymore! Instead of digging into what happened, I found that Intrepid Ibex[1] has some packages.
So what I did was download the packages daemontools, daemontools-run and ucspi-tcp, and then install them. A bit of a problem with that too, but the following steps did the trick for me.
# touch /etc/inittab
# dpkg -i daemontools
# dpkg -i daemontools-run
# dpkg -i ucspi-tcp
# echo "start on runlevel-1
start on runlevel-2
start on runlevel-3
start on runlevel-4
start on runlevel-5
start on runlevel-6
stop on shutdown
respawn
exec /usr/bin/svscanboot" > /etc/event.d/svscan
# initctl start svscan
And that's it! Have fun folks!
[1] http://packages.ubuntu.com/search?keywords=daemontools&searc...
xen 3.02 on Debian Etch / AMD64
A quick walk-through of installation of Xen 3.02 on Debian Etch (AMD64):
KERNELS="linux-2.6-xen0 linux-2.6-xenU" make -j7 world
make install
make linux-2.6-xen0-config CONFIGMODE=menuconfig
make -j7 linux-2.6-xen0-build
make linux-2.6-xen0-install
make linux-2.6-xenU-config CONFIGMODE=menuconfig
make -j7 linux-2.6-xenU-build
make linux-2.6-xenU-install
vim /boot/grub/menu.lst
title Xen 3.0.2 / Debian GNU/Linux, kernel 2.6.16
root (hd0,0)
kernel /xen.gz dom0_mem=131072
module /vmlinuz-2.6-xen0 root=/dev/sda2 ro console=tty0
savedefault
Install xen-tools, xen-shell etc
update-rc.d xend defaults 20 21
update-rc.d xendomains defaults 21 20