Essays

2018/12/26

WordPress in Docker on ReadyNAS OS VM

Abstract

This blog post describes how to setup a virtualized ReadyNAS OS. Docker is then installed and configured to run Wordpress and MySQL in this environment.

Disclaimers

THIS HOWTO IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THIS HOWTO OR THE USE OR OTHER DEALINGS IN THIS HOWTO.

Netgear states: "Access by SSH is not discouraged, but is recommended for advanced users only. As such, using SSH is at the user's own risk."

This is how it worked in the situation of the baseline described below. Use it at your own risk.

Prerequisites

PC with Windows 7 SP1 with VirtualBox installed
Terminal emulation software

Prior Knowledge

Baseline

Even-though several combinations of items with other versions may be able to utilize this setup, this has only been tested on the baseline mentioned here:

Windows 7 SP1
VirtualBox 5.2.22 r126460 (Qt5.6.2)
VMDK disk image ReadyNASOS-6.6.0-x86_64.vmdk
WordPress 5.0.2
Putty 0.63

Please note that VirtualBox 6.0 is recently released.

References

This how-to builds on great work by others. Many thanks! See the links to their respective pages.

https://en.wikipedia.org/wiki/PuTTY
https://www.virtualbox.org/
https://www.virtualbox.org/wiki/Downloads
https://www.virtualbox.org/manual/ch03.html#installation_windows
https://gilsmethod.com/how-to-edit-the-default-virtual-machine-directories-in-virtualbox
https://github.com/ReadyNAS/sdk/wiki/Setup-ReadyNAS-OS-on-VirtualBox
https://www.docker.com/why-docker
https://hub.docker.com/_/wordpress/
https://docs.docker.com/compose/wordpress/
http://powareverb.github.io/Docker-on-ReadyNAS-OS6/

Background

After spending a lot of time of setting up 2 physical ReadyNAS machines to run this website, I'm reluctant to make changes to any settings, as it can potential break current functionality. Having a VM of the ReadyNAS OS is a great alternative to be able to experiment with new settings.

Since Koken CMS seems no longer being developed further, an alternative CMS is needed. Wordpress seems to be the obvious choice here.

With some hacking, Wordpress can be installed on the native ReadyNAS OS. While doing that, some issues popped up. E.g. getting the Wordpress .htaccess (mod_rewrite) to work proved difficult. And the versions of MySQL and PHP used in ReadyNAS OS are never the latest versions, since Netgear needs to deliver a stable OS for all it's customers, I guess. Latest versions of WordPress plugins may have requirements on MySQL that cannot be met.

WordPress runs on 3 main components:

Using Docker containers allows for a free choice of make and version for these 3 components without having to make changes to the ReadyNAS OS.

Below you can find the steps to come to a setup of Wordpress in Docker on ReadyNAS OS VM. Three product are used to enable this setup:

VMM: Virtual Box (to run ReadyNAS OS in a virtual machine on Windows)
Containerization: Docker (to run WordPress inside containers on the virtualized ReadyNAS OS)
CMS: WordPress (to create and manage your website)

VirtualBox

A Hypervisor (VMM) is needed to run the ReadyNAS OS Virtual Machine. First download VirtualBox. Then follow the installation instructions.

Set your default location to a disk with ample available space, so the VM for ReadyNAS OS that we are about to create can grow in size.

Now setup the ReadyNAS OS on VirtualBox.

There are several ways to setup the network connections for the virtual machine. Here we use NAT. Make sure to configure some NAT port translation to be able to connect to the VM from your Windows applications. In the VirtualBox Manager, select Network -> Adapter 1 -> Port forwarding.
Use the + button on the right to add rules for:

SSH 22 -> 22
HTTP 80 -> 80
HTTPS 433 -> 433
MySQL 3306 -> 3306
WordPress (on Docker) 8000 -> 8000

ReadyNAS OS configuration

http://localhost/

ReadyNAS Admin Page

Authenticate with default ReadyNAS Admin username and password:
admin
password

Follow the instructions on screen as if you were setting up a physical ReadyNAS. Note the provided Hostname nas-XX-XX-XX. You might need it later on. Part of the procedure is to change your default admin password.

Authenticate again with the admin username and (new) password.

A pop-up window will alert you of the availability of new firmware. Upgrade to the new firmware version. When the progress bar almost reaches the far right, normally it would auto-refresh once the installation is complete. I needed to refresh the browser to see the admin page again.

Go to "Settings" and enable "SSH".

Docker

Got to "Apps" -> "Available Apps".

Click the Install button below the Docker CLI logo. Wait for the installation to finish.The Docker CLI will show up in the "Installed Apps" with the switch set to on.

Now switch to your terminal emulator on Windows and login as root to localhost:22. In the terminal window, find the docker version and run the hello-world container to verify correct installation.You should see the text "Hello from Docker!" as part of the output.

# docker -v

Docker version 18.06.1-ce, build e68fc7a

# docker run hello-world

Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
d1725b59e92d: Pull complete
Digest: sha256:b3a26e22bf55e4a5232b391281fc1673f18462b75cdc76aa103e6d3a2bce5e77
Status: Downloaded newer image for hello-world:latest
Hello from Docker!
This message shows that your installation appears to be working correctly.
To generate this message, Docker took the following steps:
 1. The Docker client contacted the Docker daemon.
 2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
    (amd64)
 3. The Docker daemon created a new container from that image which runs the
    executable that produces the output you are currently reading.
 4. The Docker daemon streamed that output to the Docker client, which sent it
    to your terminal.
To try something more ambitious, you can run an Ubuntu container with:
 $ docker run -it ubuntu bash
Share images, automate workflows, and more with a free Docker ID:
 https://hub.docker.com/
For more examples and ideas, visit:
 https://docs.docker.com/get-started/

Wordpress

Docker

Wordpress

ReadyNAS Admin page

Click the "New share" button in the top right corner to create a new share called e.g. "Projects". In the terminal emulator, create the project.

# cd /data/Projects/
# mkdir my_wordpress_project

The latest version of Compose can be found on https://github.com/docker/compose/releases. E.g. 1.23.2. Use this version number in the URL of the curl command. Install and test the Docker Composer.

# curl -L "https://github.com/docker/compose/releases/download/1.23.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose

# chmod +x /usr/local/bin/docker-compose
# docker-compose --version

docker-compose version 1.23.1, build b02f1306

Next, go to the new project folder in the "Projects" share and follow the instructions below (based on the "Quickstart: Compose and WordPress" page) to create a YAML file that can be use by Docker Compose to retrieve and start the needed containers.

# cd my_wordpress_project/

# vi docker-compose.yml

version: '3.3'
services:
   db:
     image: mysql:5.7
     volumes:
       - db_data:/var/lib/mysql
     restart: always
     environment:
       MYSQL_ROOT_PASSWORD: somewordpress
       MYSQL_DATABASE: wordpress
       MYSQL_USER: wordpress
       MYSQL_PASSWORD: wordpress
   wordpress:
     depends_on:
       - db
     image: wordpress:latest
     ports:
       - "8000:80"
     restart: always
     environment:
       WORDPRESS_DB_HOST: db:3306
       WORDPRESS_DB_USER: wordpress
       WORDPRESS_DB_PASSWORD: wordpress
volumes:
    db_data: {}

# docker-compose up -d

Creating network "my_first_project_default" with the default driver
Creating volume "my_first_project_db_data" with default driver
Pulling db (mysql:5.7)...
5.7: Pulling from library/mysql
a5a6f2f73cd8: Pull complete
936836019e67: Pull complete
283fa4c95fb4: Pull complete
1f212fb371f9: Pull complete
e2ae0d063e89: Pull complete
5ed0ae805b65: Pull complete
0283dc49ef4e: Pull complete
a7905d9fbbea: Pull complete
cd2a65837235: Pull complete
5f906b8da5fe: Pull complete
e81e51815567: Pull complete
Pulling wordpress (wordpress:latest)...
latest: Pulling from library/wordpress
a5a6f2f73cd8: Already exists
633e0d1cd2a3: Pull complete
fcdfdf7118ba: Pull complete
4e7dc76b1769: Pull complete
c425447c8835: Pull complete
75780b7b9977: Pull complete
33ed51bc30e8: Pull complete
7c4215700bc4: Pull complete
d4f613c1e621: Pull complete
de5465a3fde0: Pull complete
6d373ffaf200: Pull complete
991bff14f001: Pull complete
d0a8c1ecf326: Pull complete
aa3627a535bb: Pull complete
a36be75bb622: Pull complete
98ebddb8e6ca: Pull complete
ed6e19b74de1: Pull complete
18b9cc4a2286: Pull complete
dfe625c958ac: Pull complete
Creating my_first_project_db_1_d278ded39132 ... done
Creating my_first_project_wordpress_1_e65d5f77183a ... done

# docker ps

CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                  NAMES
993c01433ea9        wordpress:latest    "docker-entrypoint.s…"   5 minutes ago       Up 5 minutes        0.0.0.0:8000->80/tcp   my_first_project_wordpress_1_2762b868a024
f9ba1041050d        mysql:5.7           "docker-entrypoint.s…"   5 minutes ago       Up 5 minutes        3306/tcp, 33060/tcp    my_first_project_db_1_923ac948ded6

Browse to http://localhost:8000 to see the WordPress setup pages. Follow the instructions on screen.

On the "Success!" page, select the "Log In" button. This will take you to the Wordpress Dashboard.

Browse to http://localhost:8000/ to see the "My First Project" pages.

Your setup is now ready and you are running WordPress in Docker on ReadyNAS OS VM!

Read more in Blog

2018/05/17

Digitaal Tijdperk

Analoog of digitaal?

Toen in het begin van deze eeuw de digitale camera's in opmars waren moest er een afweging gemaakt worden of ik verder wilde met fotorolletjes of zou overstappen naar een digitale camera. Mijn Nikon F-801s is een prima camera maar niet digitaal.

De ver doorontwikkelde kwaliteit van film leverde destijds nog betere resultaten dan digitale camera's. Daarnaast had ik in de loop der jaren al een behoorlijk archief met negatieven en dia's opgebouwd. Ook mijn ouders hadden nog een aardige stapel 120 (6 x 6 cm) en 135 (24 x 36 mm) negatieven liggen.

Scanner

Uiteindelijk maar besloten om een gulden middenweg te kiezen. Door de aanschaf van een high-end negatief scanner kon ik de F-801s langer blijven gebruiken en de beelden toch digitaal maken en op Internet gebruiken.

Na ontwikkeling van een fotorolletje via de fotospeciaalzaak werd onmiddelijk alles gescand op hoge resolutie. Toen begon ook de taak om alle oude negatieven te scannen. In de loop der jaren werd hieraan waar mogelijk tijd besteed.

Na meer dan 15 jaar, twee onderhouds beurten en een reparatie van de scanner is het dan eindelijk zover. Meer dan 15.000 negatieven en dia's gescand die bijna 600 GB aan data oplevert. Eindelijk volledig digitaal!

Analoog beeld materiaal in digitaal tijdperk

Hierdoor wordt het mogelijk om oude familie-foto's te delen.

Terug te kijken op foto opdrachten van de 1e fotocursus.

Oude portretten nogmaals gebruiken.

En recent analoog werk online te zetten.

Camera

Nu de kwaliteit van de huidige digitale camera's sterk is verbeterd en het nauwelijks meer mogelijk is om een fotorolletje ontwikkeld te krijgen, heeft de onvermijdelijke overstap naar een digitale camera enkele jaren geleden plaats gevonden. Ook omdat het publiceren van digitale foto's vele malen sneller is en je meteen resultaat kan controleren.

Read more in Blog

coolscan

2017/10/27

Problem with Tomcat, ImageIO and ServletOutputStream

During testing a Java Servlet on Tomcat that uses ImageIO and ServletOutputStream to display several guitar chord diagrams, I ran into a strange problem, that I can't explain or solve. The pattern used was found in several locations on the Internet. It creates a BufferedImage that is written to the ServletOutputStream:

// Set PNG content type
response.setContentType("image/png");
// Construct a diagram creator for the provided chord name
DiagramCreator diagramCreator = new DiagramCreator(chordName);
// Create the image of a chord diagram.
BufferedImage diagram = diagramCreator.createImage(width, height, notes);
// Write the image to the output stream
ServletOutputStream out = response.getOutputStream();
ImageIO.write(diagram, "PNG", out);
out.close();

As long as the servlet "diagram.png" is called only once per HTML page, there are no issues and the correct image is rendered on the page. The problem starts when multiple calls to the same servlet are made on the same page. Simplified HTML example:

<img src="diagram.png?n=Cmaj&notes=E4/1/0,G3/3/0,C3/5/3">
E4/1/0,G3/3/0,C3/5/3
<img src="diagram.png?n=Cmaj&notes=E4/1/0,C4/2/1,G3/3/0,C3/5/3">
E4/1/0,C4/2/1,G3/3/0,C3/5/3
<img src="diagram.png?n=Cmaj&notes=G4/1/3,E3/4/2,C3/5/3">
G4/1/3,E3/4/2,C3/5/3

The images are rendered in the HTML page, but repeatedly calling the same page will render different images each time. The text below the image should always match the text inside the image. The red circled ones don't. There the diagram image belongs to another chord pattern. So the wrong image is rendered, indicating to me that somewhere there is a buffering or thread-safety issue.

There is some debate if ImageIO is thread-safe. Also Tomcat is using a ServletOutputStream pool where a stream might be used simultaneously by multiple browser threads? Using .isReady() didn't provide a solution either. Whatever the root cause, it's blocking further development of the application :(

Reference material:

The dangers of Javas ImageIO
I'm using the Java ImageIO to dynamically serve images and get strange Exceptions from time to time. Is this a bug in Tomcat?
Java Code Examples for javax.servlet.ServletOutputStream
ServletOutputStream.isReady() returns true while it is not yet ready
Should I close the servlet outputstream?
temp imageio files in Tomcat gnerated by botBinFormat ?
Broken Pipe when writing bytes in ServletOutputStream
Problem with multiple images in a JSP (Connection reset by peer)

Read more in Blog

2017/01/15

Nikon Coolscan & Nikon Scan 4.0 on Windows 7/8

We now live in a digital age where every smart-phone has a camera and images can be posted on-line almost immediately. The older generation of photographers can still remember a time when photography involved loading film into a camera and having it developed. It usually toke several days before the photographs were ready.

Even if one has switched to digital photography since, large archives of images on film still exist. To allow these old images on film to become usable in the digital age, you need a way to scan them. Investing in a high-end film scanner (e.g Nikon Coolscan LS-8000 ED) made sense in the early days of digital cameras with low resolution. It allowed for extended use of investments in analog camera equipment and produced better results than the digital cameras at that time. A lot has changed since then and high-end cameras now offer resolution that rivals film.

On the downside, computer hardware and operating systems have become obsolete making it harder to use this scanning equipment. E.g. the Nikon Scan driver and software were not updated to work after Windows XP. Even parts are getting scares and it might not be very long before Nikon stops servicing Nikon Coolscans.

A while ago I found an article "Nikon Coolscan and Nikon Scan 4.0: Driver for Windows Vista 64 bit, Windows 7 64 bit and Windows 8 64 bit" online, that describes how get the Nikon Scan 4.0 driver working on Windows 7/8. After applying the steps I can now use the Nikon Coolscan and Nikon Scan 4.0 on Windows 7, giving it a new lease on live.

Reference material:

Nikon Coolscan and Nikon Scan 4.0: Driver for Windows Vista 64 bit, Windows 7 64 bit and Windows 8 64 bit
http://imaging.nikon.com/lineup/scanner/scoolscan_8000_ed/
https://en.wikipedia.org/wiki/Nikon#Film_scanners
http://www.didero.nl/index.php/nikon-coolscans
https://petapixel.com/2015/04/24/12-reasons-photographers-still-choose-to-shoot-film-over-digital/
https://petapixel.com/2016/08/19/film-photography-making-stunning-comeback/
http://blog.controlspace.org/2010/05/nikon-scan-on-windows-7-and-vista-64.html

Read more in Blog

coolscan

2016/06/19

Koken CMS on HTTPS

Abstract

This blog post describes how to use Let's Encrypt and enable HTTPS for Koken CMS on ReadyNAS OS 6.

Disclaimers

Netgear states: "Access by SSH is not discouraged, but is recommended for advanced users only. As such, using SSH is at the user's own risk."

This is how it worked in the situation of the baseline described below. Use it at your own risk.

Improvements

Please post concerns, comments and improvements for this blog on related Netgear Community "How to run Koken on https?" post to help improve it.

Background

The Koken Content Management System that is available as a ReadyNAS App from the RN Admin Pages' Apps section, will be installed to run on HTTP by default. It features a password protected Koken Admin Page.

Koken also boasts an optional plugin to allow for password protected private albums and a Cart plugin that can be used to sell photos.

It is never a good idea to send password or purchase information as cleartext (unencrypted) over HTTP. It has long since become common practice on the Internet to use HTTPS for such sites. Therefore you want to use HTTPS for a Koken driven website. Self-signed certificates cause browsers to issue warnings or disallow access to the site, so they cannot be used. You need certificates from a Certificate Authority (CA). Letsencrypt is a CA that offers a free, automated and open way to get certificates that you need to enable HTTPS.

Baseline

RN312 or RN516
ReadyNAS OS 6.5.0, 6.5.1 or 6.5.2 (Debian GNU/Linux 7 (wheezy))
Still works after upgrade to 6.6.0, 6.6.1, 6.7.1, 6.7.4, 6.7.5, 6.8.0, 6.8.1, 6.9.0, 6.9.1, 6.9.2, 6.9.3, 6.9.4 and 6.9.5 (Debian GNU/Linux 8 (jessie))

(Note: this how-to might also work on other RN models or OS versions, but that has not been tested.)

Prerequisites

MySQL and Koken installed on ReadyNas OS 6.5.0, 6.5.1, 6.5.2, 6.6.0, 6.6.1, 6.7.1, 6.7.4, 6.7.5, 6.8.0, 6.8.1, 6.9.0, 6.9.1, 6.9.2, 6.9.3, 6.9.4, 6.9.5.
Koken driven website accessible via a domain name from the Internet.
ReadyNAS needs outgoing Internet access to connect to Letsencrypt, retrieve downloads for the installation and periodically renew the certificate.

Preparation

You need to have a domain name connected to your Koken public web pages as the certificate process needs these names as input. If you don't have that yet, work on that first.

In this howto "yourdomain.com" and "www.yourdomain.com" need to be replaced by your own domain name. Koken (installed from RN Admin Page) runs on port 7100 by default. Make sure you have port forwarding in place on your router that point the outside port 80 to 7100 internally and outside port 443 to 7443 internally. (7443 will be added to the Apache configuration later.)

Next find your Linux and Apache version, as it influences which script and what plugins you can use from Letsencrypt and CertBot. And also which certificate files you need to add in the Apache configuration later.

Apache version

apachectl -V

Server version: Apache/2.2.31 (Debian)

These are the certificate files you will add later to your Apache config.

cert.pem
Server certificate only. This is what Apache < 2.4.8 needs for SSLCertificateFile.
chain.pem
All certificates that need to be served by the browser excluding server certificate, i.e. root and intermediate certificates only. This is what Apache < 2.4.8 needs for SSLCertificateChainFile, and what nginx >= 1.3.7 needs for ssl_trusted_certificate.

Linux version

cat /etc/*-release

PRETTY_NAME="ReadyNASOS 6.5.0"
NAME="Debian GNU/Linux"
VERSION_ID="7"
VERSION="7 (wheezy)"
ID=debian
ANSI_COLOR="1;31"
HOME_URL="http://www.debian.org/"
SUPPORT_URL="http://www.debian.org/support/"
BUG_REPORT_URL="http://bugs.debian.org/"

The OS is Debian GNU/Linux 7 (wheezy). Therefore you cannot use the "certbot" command, but have to use certbot-auto instead.

Since OS 6.5.0 features Apache 2.2, you cannot use the CertBot Apache plugin. This howto uses the webroot plugin instead.

(Note: OS 6.6.0 and upwards features Debian GNU/Linux 8 (jessie). You may now be able to use the "certbot" command, but that has not been tested.)

Create letsencrypt dir

Create a letsencrypt dir where we can store the cerbot script. In this howto we use /home/letsencrypt.

mdkir /home/letsencrypt

Install certbot-auto

cd /home/letsencrypt
wget https://dl.eff.org/certbot-auto

--2016-06-18 10:02:12--  https://dl.eff.org/certbot-auto
Resolving dl.eff.org (dl.eff.org)... 173.239.79.196
Connecting to dl.eff.org (dl.eff.org)|173.239.79.196|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 44115 (43K) [text/plain]
Saving to: ‘certbot-auto’
certbot-auto                         100%[=====================================================================>]  43.08K   286KB/s   in 0.2s
2016-06-18 10:02:14 (286 KB/s) - ‘certbot-auto’ saved [44115/44115]

Allow the downloaded script to be executable.

chmod a+x certbot-auto

Run the script to install all the needed components (e.g. python).

/home/letsencrypt/certbot-auto

Bootstrapping dependencies for Debian-based OSes...
Hit http://security.debian.org wheezy/updates InRelease
Hit http://security.debian.org wheezy/updates/main amd64 Packages
Ign http://apt.readynas.com 6.5.0 InRelease
Hit http://egnyte-cdn.egnyte.com 6.5 InRelease
Hit http://egnyte-cdn.egnyte.com 6.5/egnyte amd64 Packages
Ign http://mirrors.kernel.org wheezy InRelease 
... (lots of other lines) ...
Setting up python-pkg-resources (0.6.24-1) ...
Setting up python-setuptools (0.6.24-1) ...
Setting up python-virtualenv (1.7.1.2-2) ...
Processing triggers for libc-bin ...
Creating virtual environment...
Installing Python packages...
Installation succeeded.

During this process you might be asked to input an email address and agree to the license in a full terminal screen with blue background. Fill in your certificate administrator email address and select OK. Select Agree, if you want to accept the license.

After seeing the messages "Installation succeeded", you should be able to create the certificate.

Create certificate

/home/letsencrypt/certbot-auto certonly --webroot -w /data/koken/web -d yourdomain.com -d www.yourdomain.com

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/yourdomain.com/fullchain.pem. Your cert
   will expire on 2016-09-15. To obtain a new or tweaked version of
   this certificate in the future, simply run certbot-auto again. To
   non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you lose your account credentials, you can recover through
   e-mails sent to someone@yourdomain.com.
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
Donating to EFF:                    https://eff.org/donate-le

The created certificates can be found in: /etc/letsencrypt/live/yourdomain.com. Note the symoblic links pointing to the latest version in ../../archive.

cd /etc/letsencrypt/live/yourdomain.com
ls -al

total 16
drwxr-xr-x 1 root root 82 Jun 17 17:24 .
drwx------ 1 root root 28 Jun 17 17:24 ..
lrwxrwxrwx 1 root root 38 Jun 17 17:24 cert.pem -> ../../archive/yourdomain.com/cert1.pem
lrwxrwxrwx 1 root root 39 Jun 17 17:24 chain.pem -> ../../archive/yourdomain.com/chain1.pem
lrwxrwxrwx 1 root root 43 Jun 17 17:24 fullchain.pem -> ../../archive/yourdomain.com/fullchain1.pem
lrwxrwxrwx 1 root root 41 Jun 17 17:24 privkey.pem -> ../../archive/yourdomain.com/privkey1.pem

You are now ready to start using the certificate in your Apache web server.

Apache configuration

The Apache config for koken can be found in /apps/koken/http.conf. First create a backup so you have a working configuration to fall back on.

cp /apps/koken/http.conf /apps/koken/http.conf.ORIGINAL

Now add an HTTPS listener to http.conf. Copy the VirtualHost block for *:7100 to *:7443. Add a Rewrite rule to the *:7100 VirtualHost that will redirect all requests on HTTP to HTTPS. Add the SSL options, SSL Engine and SSL certificates to the *:7443 block.

vi /apps/koken/http.conf

Listen 7100
Listen 7443 https
<VirtualHost *:7100>
        ServerAdmin admin@localhost
DocumentRoot /apps/koken/web
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /apps/koken/web/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>
        RewriteEngine on
        ReWriteCond %{SERVER_PORT} !^443$
        RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R,L]
        ErrorLog /apps/koken/error.log
        LogLevel warn
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:7443>
        ServerAdmin admin@localhost
        DocumentRoot /apps/koken/web
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /apps/koken/web/>
                Options Indexes FollowSymLinks MultiViews
                SSLOptions +StdEnvVars
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>
        ErrorLog /apps/koken/error.log
        LogLevel warn
        SSLEngine on
        SSLCertificateFile "/etc/letsencrypt/live/yourdomain.com/cert.pem"
        SSLCertificateKeyFile "/etc/letsencrypt/live/yourdomain.com/privkey.pem"
        SSLCertificateChainFile "/etc/letsencrypt/live/yourdomain.com/chain.pem"
</VirtualHost>
</IfModule>

Restart your Apache server

service apache2 restart

Connect your browser to your domain on HTTP. It should now redirect to HTTPS and the browser should not complain about missing or misconfigured certificates any more.

Renewal

The certificates are valid for 90 days. You may want to automate renewal. Manual renewal can be achieved with

/home/letsencrypt/certbot-auto renew

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/yourdomain.com.conf
-------------------------------------------------------------------------------
The following certs are not due for renewal yet:
  /etc/letsencrypt/live/yourdomain.com/fullchain.pem (skipped)
No renewals were attempted.

Add the following to your crontab to run renewal once each day. (Letsencrypts recommends 2 a day). In the example, the renewal runs each day at 01:47 AM (local time) and appends the output to a log file. Letsencrypt recommends using a random value for the minute parameter. Probally to spread load for renewal requests on Letsencrypt servers.

crontab -e

47 01 * * * /home/letsencrypt/certbot-auto renew >> /home/letsencrypt/certbot.log

Reference material

https://letsencrypt.org/getting-started/
https://certbot.eff.org/docs/
http://stackoverflow.com/questions/21415181/can-i-stop-the-this-website-does-not-supply-identity-information-message
http://help.koken.me/customer/portal/questions/16177649-change-entire-site-to-https

Read more in Blog