SSL for everybody

letsencrypt

SSL certificates are a great way to ensure that the website you’re connected to is really the one you think you’re connected to, and they also keep the traffic between your client and the server secure. The HTTPS protocol uses SSL certificates. The main problem with the SSL infrastructure was that you needed a certificate signed by one of the central trusted authorities – and generally if you wanted one of these you had to pay for it. There were a few places that would give you a free certificate for personal use; the other alternative was a self-signed certificate, but that came with usability issues because it isn’t signed by a trusted authority.

This all changed recently with Let’s Encrypt – you can now get a free certificate with very little effort. If you maintain a website or host an app, you should check letsencrypt.org out. The remainder of this post is a cleaned up set of notes on what I did.

I started out here https://letsencrypt.org/getting-started/ – which seemed to be a good starting point. Then I figured I’d make sure my server met the criteria they had for support; the documentation had some details covering this. I was happy to see Ubuntu 12.04+ and Apache 2.x support, so this made me fairly confident my server was supported.

But... my Ubuntu doesn’t seem to have a letsencrypt package

No problem, we’ll just follow along with https://letsencrypt.org/getting-started/

The last command, while asking for help – will do some bootstrapping of let’s encrypt. So don’t skip it. The scripts include calls to sudo, so you don’t have to be root to run them but it will ask for root access.

[Security note – it is always a little bit scary running random scripts, always worth looking at them. There is a growing trend of having “wget -O - http://randomscript.com | bash” be normal, but you should be afraid]

Some exciting updates to my server from doing just the bootstrap. My /etc/ca-certificates got updated (it was probably way overdue), it also dragged me up to date for libssl. It took a while to finish, but we finally got the help screen.

At this point, I have the let’s encrypt tools installed on my server, so time to try them out.

Hopefully the following command is going to register us and get a new certificate for my old expired one.

Well that didn’t work, it picked up some ‘other’ domains I host — but not my main lowtek.ca one. Weird, but probably due to my non-standard configuration of Apache due to years of hacking it. It was easy to bail out so no harm done. Let’s try this then:

Ok – much better, email sign up and an agreement (which yes, I took the time to read – it was only 6 pages). It seems that since I don’t have a virtual host set up for lowtek.ca, I needed to manually pick the apache config file (not a big deal); this was why the first try didn’t work.

Visiting https://lowtek.ca/ shows no more certificate error (woot!) and all looks good. It was really this easy.

The end of the script even suggests you visit: https://www.ssllabs.com/ssltest/analyze.html?d=lowtek.ca to check for issues. These SSL Labs tests show that my certificate from letsencrypt will expire in just under 3 months, so I’ll want to add a cron job to do a renew. They also gave me a B rating, with lots of gorpy details on why.

To renew, I just need to run this command from time to time

That’s really easy to do with cron – so I added an entry to my root user crontab to run this once a month.
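Because the certificate only lasts about three months, the cron job that renews it is only half the story: something should also confirm that the certificate the server actually presents is fresh. The following is an added example (not from the original post or the letsencrypt client) that cron can run alongside the renewal; the host name and the 14-day warning threshold are assumptions.

```python
import socket
import ssl
import sys
import time

# Assumptions for this example: the site to check and the warning threshold.
HOST = "lowtek.ca"
WARN_DAYS = 14


def days_left(cert, now=None):
    """Days until notAfter, using the dict that getpeercert() returns."""
    now = time.time() if now is None else now
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return (expires - now) / 86400.0


def verdict(days, warn_days=WARN_DAYS):
    """Classify the remaining validity so cron (or a wrapper) can act on it."""
    if days <= 0:
        return "expired"
    if days < warn_days:
        return "renew-soon"
    return "ok"


def fetch_cert(host, port=443, timeout=10):
    """Handshake with chain and hostname verification; return the peer cert.

    A failed handshake (expired, self-signed or wrong-name certificate) raises
    ssl.SSLError, which is itself a result worth alerting on.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def main(host=HOST):
    cert = fetch_cert(host)
    days = days_left(cert)
    state = verdict(days)
    print(f"{host}: {days:.1f} days left, state={state}, notAfter={cert['notAfter']}")
    # A non-zero exit makes cron mail the output, so the warning is not lost.
    return 0 if state == "ok" else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else HOST))
```

Running it from the same root crontab as the renewal (a day or two later) catches the case where the renew command succeeded but Apache was never reloaded and still serves the old certificate.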

Adding a package to boot2docker

Docker is seeing rapid adoption among the software development world. So far it seems to me a very nice way to make software installation much less painful, but there is still plenty of room for improvement.

If you’re running Linux then you can stop reading now. Docker is an abstraction layer over Linux Containers (LXC); they’ve also created a repository where pre-defined containers can be found – you can even add your own. LXC is cool stuff, but it does mean Docker runs on Linux.

Windows and OSX users need to use boot2docker, a Tiny Core Linux virtual machine that has just enough stuff to run docker. This is a fine solution but often when people ask about missing tools inside of boot2docker, the answer is to install a container that has the tools you want and run inside of that container. Things quickly start to feel like Inception.

Boot2docker is based on Tiny Core Linux, so you can use the tce-load utility to install additional components if needed. So say we wanted to run Perl:

$ tce-load -wi perl5

You can sniff around the repository to figure out what packages are available.

There is documentation on adding a persistent partition to your boot2docker setup. This is useful if you want tce-load to run every time boot2docker starts, without having to type it in each time. Getting this set up is a little bit fiddly, and if we’re clever we can do something a bit cooler.

Let’s build a custom boot2docker.iso file! The build process is nicely documented. We can use a Dockerfile to create our own iso with the packages we want.

Before we start, you will want to make sure that your boot2docker is running with enough resources. The default should be 2048MB, which should work; you will also need enough disk space on /var/lib/docker/aufs inside boot2docker. If you have problems consider changing your configuration.

Create a Dockerfile with the following contents:

FROM boot2docker/boot2docker

# Append indicator this is modified image
RUN echo "\nMy modified boot2docker.iso\n" >> $ROOTFS/etc/motd

# Install perl5
RUN curl -L -o /tmp/perl5.tcz $TCL_REPO_BASE/tcz/perl5.tcz && \
    unsquashfs -f -d $ROOTFS /tmp/perl5.tcz && \
    rm -rf /tmp/perl5.tcz

# build the iso
RUN /make_iso.sh
CMD ["cat", "boot2docker.iso"]

Then follow the boot2docker.iso build process.

$ sudo docker build -t my-boot2docker-img .
$ sudo docker run --rm my-boot2docker-img > boot2docker.iso

The FROM is used to declare the base image we want to start from. We’re building our new container on this base.

The RUN directive is executed against the current image at build time. In this case we can’t use tce-load since we’re not actually running Tiny Core Linux at this point; we’re running against the docker image we are building. This is why we’re doing the installation of perl manually (fetching the .tcz package from the Tiny Core repository and unpacking it into the root filesystem with unsquashfs). I based the installation on the boot2docker Dockerfile.

The last two steps, “build the iso”, are lifted directly from the same boot2docker Dockerfile; these are the steps required to actually create the iso file.

Figuring out how to run the boot2docker.iso I’ll leave as an exercise for the reader.

Low cost APC UPS RBC33 replacement


A couple of weeks ago my APC Back-UPS 1200 XS started beeping at me, the battery light was flashing, a clear sign the battery has packed it in. I wasn’t overly surprised as the unit is quite old (I’m guessing 8 years? I can’t recall exactly when I got it) – you should only really count on a battery to last 3 to 5 years so it’s done well for me.

While I don’t remember exactly when I bought the UPS, I do remember price matching FutureShop against BestBuy; the price difference was only $20 but it still made me laugh to do it as they are both owned by the same parent company – that and the price match gave me an additional 10% off of the difference in savings (yup, a whole $2). The manual says I should buy an RBC33 battery pack; these are nearly the same price I paid for the entire UPS ($99 + tax).

I looked locally and on the web for a reasonably good deal for a replacement battery pack. The prices had quite a range and I could have opted to go for an RBC32, which is cheaper but still nearly the cost of the original UPS. In the end I opted to go for the DIY route and just buy compatible batteries and do a swap – ebay had the best prices, but amazon.ca had a vendor that was almost the same price and I thought I’d go that route as shipping would be quicker.

The batteries arrived fairly quickly (about a week), faster than I’d expect from any shipment from the US. The two batteries are an identical size match to the pair that form the APC battery pack. The original battery pack has a wiring harness and the two batteries are stacked with one inverted.


The procedure was very simple; it took me under 10 minutes and I was stopping to take pictures as I went along. Start by peeling away the sticker from the side with the cable sticking out – put it aside if it is still sticky enough to re-use. Fold the batteries so they are side by side. Remove the cables from one battery, then remove the sticker on the other side and separate the batteries. Last, remove the harness from the remaining battery.


Reassembly is a matter of working in reverse. I suggest taking pictures as you go as it is a great way to reference which wire went where, but my photos are a reasonable guide as well. You could also watch this youtube video which covers the battery swap.

My completed battery pack looks a lot like a stock RBC33. If the original stickers don’t have any stick left, a little duct tape should work well.


The batteries in the original pack were 9Ah and my replacements are only 8Ah; this will affect the runtime of my UPS. For my needs a few minutes of backup are enough to protect the system, and the new battery pack should give me nearly 30 minutes. Generally the power is good in my neighbourhood, and if it is an extended blackout we’re without power for hours.

I’ve seen a few battery packs from systems at work where the batteries have bulged and are clearly bad, mine actually looked fine so I may try to restore them later. I did also consider upgrading to sealed marine deep cycle batteries, but the cost was significant and I’m not convinced of the safety of the solution.

One footnote, I have the UPS plugged into my server and use apcupsd to monitor the status. When the old battery had failed and the UPS was beeping my logs filled with the following:

2013-04-07 23:20:49 -0400 Battery reattached.
2013-04-07 23:20:11 -0400 Battery disconnected.
2013-04-07 23:20:11 -0400 Battery reattached.
2013-04-07 23:19:07 -0400 Battery disconnected.

Occasionally the beeping would stop (and I assume the logging) but in a short while it would resume beeping (and logging).