2018/12/26

WordPress in Docker on ReadyNAS OS VM

Abstract

This blog post describes how to set up a virtualized ReadyNAS OS. Docker is then installed and configured to run WordPress and MySQL in this environment.

Disclaimers

THIS HOWTO IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THIS HOWTO OR THE USE OR OTHER DEALINGS IN THIS HOWTO.

Netgear states: "Access by SSH is not discouraged, but is recommended for advanced users only. As such, using SSH is at the user's own risk."

This is how it worked in the situation of the baseline described below. Use it at your own risk.

Prerequisites

  • PC with Windows 7 SP1 with VirtualBox installed
  • Terminal emulation software

Prior Knowledge

  • ReadyNAS OS 6
  • WordPress installation procedure
  • Debian Linux command line syntax

Baseline

Even though other combinations of component versions may work with this setup, it has only been tested on the baseline listed here:

  • Windows 7 SP1
  • VirtualBox 5.2.22 r126460 (Qt5.6.2)
  • VMDK disk image ReadyNASOS-6.6.0-x86_64.vmdk
  • WordPress 5.0.2
  • Putty 0.63

Please note that VirtualBox 6.0 was recently released.

References

This how-to builds on great work by others. Many thanks! See the links to their respective pages.

https://en.wikipedia.org/wiki/PuTTY
https://www.virtualbox.org/
https://www.virtualbox.org/wiki/Downloads
https://www.virtualbox.org/manual/ch03.html#installation_windows
https://gilsmethod.com/how-to-edit-the-default-virtual-machine-directories-in-virtualbox
https://github.com/ReadyNAS/sdk/wiki/Setup-ReadyNAS-OS-on-VirtualBox
https://www.docker.com/why-docker
https://hub.docker.com/_/wordpress/
https://docs.docker.com/compose/wordpress/
http://powareverb.github.io/Docker-on-ReadyNAS-OS6/

Background

After spending a lot of time setting up 2 physical ReadyNAS machines to run this website, I'm reluctant to make changes to any settings, as it can potentially break current functionality. Having a VM of the ReadyNAS OS is a great alternative for experimenting with new settings.

Since Koken CMS no longer seems to be under development, an alternative CMS is needed. WordPress seems to be the obvious choice here.

With some hacking, WordPress can be installed on the native ReadyNAS OS. While doing that, some issues popped up, e.g. getting the WordPress .htaccess (mod_rewrite) to work proved difficult. And the versions of MySQL and PHP used in ReadyNAS OS are never the latest versions, since Netgear needs to deliver a stable OS for all its customers, I guess. The latest versions of WordPress plugins may have requirements on MySQL that cannot be met.

WordPress runs on 3 main components:

  • Server-side scripting language: PHP
  • Web server: Apache (NGINX)
  • Database: MySQL (MariaDB)

Using Docker containers allows for a free choice of make and version for these 3 components without having to make changes to the ReadyNAS OS.

Below you can find the steps to arrive at a setup of WordPress in Docker on a ReadyNAS OS VM. Three products are used to enable this setup:

  • VMM: VirtualBox (to run ReadyNAS OS in a virtual machine on Windows)
  • Containerization: Docker (to run WordPress inside containers on the virtualized ReadyNAS OS)
  • CMS: WordPress (to create and manage your website)

VirtualBox

A hypervisor (VMM) is needed to run the ReadyNAS OS virtual machine. First download VirtualBox. Then follow the installation instructions.

Set your default location to a disk with ample available space, so the VM for ReadyNAS OS that we are about to create can grow in size.

Now set up the ReadyNAS OS on VirtualBox.

There are several ways to set up the network connections for the virtual machine. Here we use NAT. Make sure to configure some NAT port translation to be able to connect to the VM from your Windows applications. In the VirtualBox Manager, select Network -> Adapter 1 -> Port forwarding. Use the + button on the right to add rules for:

  • SSH 22 -> 22
  • HTTP 80 -> 80
  • HTTPS 433 -> 433
  • MySQL 3306 -> 3306
  • WordPress (on Docker) 8000 -> 8000

ReadyNAS OS configuration

Browse to http://localhost/ to access the ReadyNAS Admin Page.

Authenticate with the default ReadyNAS admin username and password:
admin
password

Follow the instructions on screen as if you were setting up a physical ReadyNAS. Note the provided Hostname nas-XX-XX-XX. You might need it later on. Part of the procedure is to change your default admin password.

Authenticate again with the admin username and (new) password.

A pop-up window will alert you of the availability of new firmware. Upgrade to the new firmware version. When the progress bar almost reaches the far right, normally it would auto-refresh once the installation is complete. I needed to refresh the browser to see the admin page again.

Go to "Settings" and enable "SSH".

Docker

Go to "Apps" -> "Available Apps".

Click the Install button below the Docker CLI logo. Wait for the installation to finish. The Docker CLI will show up in the "Installed Apps" with the switch set to on.

Now switch to your terminal emulator on Windows and log in as root to localhost:22. In the terminal window, find the Docker version and run the hello-world container to verify a correct installation. You should see the text "Hello from Docker!" as part of the output.

# docker -v
Docker version 18.06.1-ce, build e68fc7a
# docker run hello-world
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
d1725b59e92d: Pull complete
Digest: sha256:b3a26e22bf55e4a5232b391281fc1673f18462b75cdc76aa103e6d3a2bce5e77
Status: Downloaded newer image for hello-world:latest
Hello from Docker!
This message shows that your installation appears to be working correctly.
To generate this message, Docker took the following steps:
 1. The Docker client contacted the Docker daemon.
 2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
    (amd64)
 3. The Docker daemon created a new container from that image which runs the
    executable that produces the output you are currently reading.
 4. The Docker daemon streamed that output to the Docker client, which sent it
    to your terminal.
To try something more ambitious, you can run an Ubuntu container with:
 $ docker run -it ubuntu bash
Share images, automate workflows, and more with a free Docker ID:
 https://hub.docker.com/
For more examples and ideas, visit:
 https://docs.docker.com/get-started/

WordPress

First create a location where your Docker project for WordPress can live. In the ReadyNAS Admin page, go to the Shares tab.

Click the "New share" button in the top right corner to create a new share called e.g. "Projects". In the terminal emulator, create the project.

# cd /data/Projects/
# mkdir my_wordpress_project

The latest version of Compose can be found on https://github.com/docker/compose/releases. E.g. 1.23.2. Use this version number in the URL of the curl command. Install and test Docker Compose.

# curl -L "https://github.com/docker/compose/releases/download/1.23.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
# chmod +x /usr/local/bin/docker-compose
# docker-compose --version
docker-compose version 1.23.1, build b02f1306

Next, go to the new project folder in the "Projects" share and follow the instructions below (based on the "Quickstart: Compose and WordPress" page) to create a YAML file that can be used by Docker Compose to retrieve and start the needed containers.

# cd my_wordpress_project/
# vi docker-compose.yml
version: '3.3'
services:
   db:
     image: mysql:5.7
     volumes:
       - db_data:/var/lib/mysql
     restart: always
     environment:
       MYSQL_ROOT_PASSWORD: somewordpress
       MYSQL_DATABASE: wordpress
       MYSQL_USER: wordpress
       MYSQL_PASSWORD: wordpress
   wordpress:
     depends_on:
       - db
     image: wordpress:latest
     ports:
       - "8000:80"
     restart: always
     environment:
       WORDPRESS_DB_HOST: db:3306
       WORDPRESS_DB_USER: wordpress
       WORDPRESS_DB_PASSWORD: wordpress
volumes:
    db_data: {}
# docker-compose up -d
Creating network "my_first_project_default" with the default driver
Creating volume "my_first_project_db_data" with default driver
Pulling db (mysql:5.7)...
5.7: Pulling from library/mysql
a5a6f2f73cd8: Pull complete
936836019e67: Pull complete
283fa4c95fb4: Pull complete
1f212fb371f9: Pull complete
e2ae0d063e89: Pull complete
5ed0ae805b65: Pull complete
0283dc49ef4e: Pull complete
a7905d9fbbea: Pull complete
cd2a65837235: Pull complete
5f906b8da5fe: Pull complete
e81e51815567: Pull complete
Pulling wordpress (wordpress:latest)...
latest: Pulling from library/wordpress
a5a6f2f73cd8: Already exists
633e0d1cd2a3: Pull complete
fcdfdf7118ba: Pull complete
4e7dc76b1769: Pull complete
c425447c8835: Pull complete
75780b7b9977: Pull complete
33ed51bc30e8: Pull complete
7c4215700bc4: Pull complete
d4f613c1e621: Pull complete
de5465a3fde0: Pull complete
6d373ffaf200: Pull complete
991bff14f001: Pull complete
d0a8c1ecf326: Pull complete
aa3627a535bb: Pull complete
a36be75bb622: Pull complete
98ebddb8e6ca: Pull complete
ed6e19b74de1: Pull complete
18b9cc4a2286: Pull complete
dfe625c958ac: Pull complete
Creating my_first_project_db_1_d278ded39132 ... done
Creating my_first_project_wordpress_1_e65d5f77183a ... done

# docker ps
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                  NAMES
993c01433ea9        wordpress:latest    "docker-entrypoint.s…"   5 minutes ago       Up 5 minutes        0.0.0.0:8000->80/tcp   my_first_project_wordpress_1_2762b868a024
f9ba1041050d        mysql:5.7           "docker-entrypoint.s…"   5 minutes ago       Up 5 minutes        3306/tcp, 33060/tcp    my_first_project_db_1_923ac948ded6



Browse to http://localhost:8000 to see the WordPress setup pages. Follow the instructions on screen.

On the "Success!" page, select the "Log In" button. This will take you to the WordPress Dashboard.

Browse to http://localhost:8000/ to see the "My First Project" pages.

Your setup is now ready and you are running WordPress in Docker on a ReadyNAS OS VM!
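The compose file above still carries the sample credentials from the Compose quickstart and pulls wordpress:latest, which is fine inside a throwaway VM but not on a NAS that faces the network. As an added example (not part of the post, nor code from Docker Compose), here is a small Python 3 audit that parses a compose file without PyYAML and flags those settings; it is exercised on a trimmed copy of the post's file and on a constructed hardened variant whose image tags are illustrative values.

```python
"""Lint a docker-compose.yml like the one above for settings to change before exposing
the stack: unpinned images, weak or hard-coded passwords, a published MySQL port.
Parses only the YAML subset compose files use (nested mappings, lists of scalars)."""

WEAK_SECRETS = {"", "wordpress", "somewordpress", "password", "root", "example", "changeme"}

def _scalar(text):
    t = text.strip()                                     # drop surrounding quotes, if any
    return t[1:-1] if len(t) >= 2 and t[0] == t[-1] and t[0] in "'\"" else t

def _lines(text):
    """(indent, content) for every non-blank line, with comments removed."""
    kept = [raw.split("#", 1)[0].rstrip() for raw in text.splitlines()]
    return [(len(l) - len(l.lstrip(" ")), l.strip()) for l in kept if l.strip()]

def _block(lines, i, indent):
    """Parse the mapping or list whose items sit at `indent`; return (node, next index)."""
    if lines[i][1].startswith("- "):
        items = []
        while i < len(lines) and lines[i][0] == indent and lines[i][1].startswith("- "):
            items.append(_scalar(lines[i][1][2:]))
            i += 1
        return items, i
    node = {}
    while i < len(lines) and lines[i][0] == indent:
        key, _, value = lines[i][1].partition(":")
        i += 1
        if value.strip():
            node[key.strip()] = _scalar(value)
        elif i < len(lines) and lines[i][0] > indent:       # nested block follows
            node[key.strip()], i = _block(lines, i, lines[i][0])
        else:
            node[key.strip()] = None
    return node, i

def parse_compose(text):
    lines = _lines(text)
    return _block(lines, 0, lines[0][0])[0] if lines else {}

def audit_compose(text):
    """Return (service, finding) pairs; an empty list means nothing was flagged."""
    findings = []
    for name, svc in (parse_compose(text).get("services") or {}).items():
        image = str(svc.get("image") or "")
        if ":" not in image or image.endswith(":latest"):
            findings.append((name, "image '%s' is not pinned to a version" % image))
        for key, value in (svc.get("environment") or {}).items():   # mapping form only
            if "PASSWORD" not in key or key.endswith("_FILE"):
                continue                                     # *_FILE names a Docker secret file
            value = "" if value is None else str(value)
            if value.startswith("${"):
                continue                                     # injected from .env, not stored here
            what = "weak or default" if value.lower() in WEAK_SECRETS else "hard-coded"
            findings.append((name, "%s is a %s password" % (key, what)))
        for mapping in svc.get("ports") or []:
            if str(mapping).rpartition(":")[2] == "3306":
                findings.append((name, "MySQL port 3306 is published to the host"))
    return findings

# Constructed sample: the post's compose file, trimmed to the settings the audit reads.
PAGE_COMPOSE = """\
version: '3.3'
services:
  db:
    image: mysql:5.7
    environment:
      MYSQL_ROOT_PASSWORD: somewordpress
      MYSQL_PASSWORD: wordpress
  wordpress:
    image: wordpress:latest
    ports:
      - "8000:80"
    environment:
      WORDPRESS_DB_HOST: db:3306
      WORDPRESS_DB_PASSWORD: wordpress
"""

# Constructed hardened variant: pinned tags (illustrative values) and passwords read
# from Docker secret files through the *_FILE variables the official images support.
HARDENED_COMPOSE = """\
version: '3.3'
services:
  db:
    image: mysql:5.7.44
    environment:
      MYSQL_ROOT_PASSWORD_FILE: /run/secrets/db_root_password
      MYSQL_PASSWORD_FILE: /run/secrets/db_password
    secrets: [db_root_password, db_password]
  wordpress:
    image: wordpress:5.0.2-apache
    ports:
      - "8000:80"
    environment:
      WORDPRESS_DB_HOST: db:3306
      WORDPRESS_DB_PASSWORD_FILE: /run/secrets/db_password
    secrets: [db_password]
secrets:
  db_root_password: {file: ./secrets/db_root_password.txt}
  db_password: {file: ./secrets/db_password.txt}
"""
```

Run `audit_compose(open("docker-compose.yml").read())` in the project folder; the NAT rule "MySQL 3306 -> 3306" from the port-forwarding list only matters once a service actually publishes 3306, which the audit reports.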

2018/05/17

Digital Age

Analogue or digital?

When digital cameras were on the rise at the beginning of this century, I had to decide whether to carry on with rolls of film or switch to a digital camera. My Nikon F-801s is a fine camera, but not a digital one.

Nikon F-801S

The highly refined quality of film at that time still delivered better results than digital cameras. On top of that, over the years I had already built up a sizeable archive of negatives and slides. My parents also still had a fair stack of 120 (6 x 6 cm) and 135 (24 x 36 mm) negatives lying around.

Scanner

In the end I decided on a middle road. By purchasing a high-end negative scanner I could keep using the F-801s for longer and still digitize the images and use them on the Internet.

Nikon Super Coolscan 8000 ED

After a roll of film had been developed at the photo shop, everything was immediately scanned at high resolution. That is also when the task of scanning all the old negatives began. Over the years, time was spent on this whenever possible.

After more than 15 years, two services and one repair of the scanner, it is finally done. More than 15,000 negatives and slides scanned, yielding almost 600 GB of data. Finally fully digital!

Analogue images in the digital age

This makes it possible to share old family photos.

To look back on the photo assignments from the first photography course.

To reuse old portraits.

And to put recent analogue work online.

Canton Tower

Camera

Now that the quality of today's digital cameras has improved greatly and it is hardly possible to get a roll of film developed any more, the inevitable switch to a digital camera took place a few years ago. Also because publishing digital photos is many times faster and you can check the result right away.

2017/10/27

Problem with Tomcat, ImageIO and ServletOutputStream

While testing a Java servlet on Tomcat that uses ImageIO and ServletOutputStream to display several guitar chord diagrams, I ran into a strange problem that I can't explain or solve. The pattern used was found in several locations on the Internet. It creates a BufferedImage that is written to the ServletOutputStream:

// Set PNG content type
response.setContentType("image/png");
// Construct a diagram creator for the provided chord name
DiagramCreator diagramCreator = new DiagramCreator(chordName);
// Create the image of a chord diagram.
BufferedImage diagram = diagramCreator.createImage(width, height, notes);
// Write the image to the output stream
ServletOutputStream out = response.getOutputStream();
ImageIO.write(diagram, "PNG", out);
out.close();

As long as the servlet "diagram.png" is called only once per HTML page, there are no issues and the correct image is rendered on the page. The problem starts when multiple calls to the same servlet are made on the same page. Simplified HTML example:

<img src="diagram.png?n=Cmaj&notes=E4/1/0,G3/3/0,C3/5/3">
E4/1/0,G3/3/0,C3/5/3
<img src="diagram.png?n=Cmaj&notes=E4/1/0,C4/2/1,G3/3/0,C3/5/3">
E4/1/0,C4/2/1,G3/3/0,C3/5/3
<img src="diagram.png?n=Cmaj&notes=G4/1/3,E3/4/2,C3/5/3">
G4/1/3,E3/4/2,C3/5/3 

The images are rendered in the HTML page, but repeatedly calling the same page will render different images each time. The text below the image should always match the text inside the image. The red circled ones don't. There the diagram image belongs to another chord pattern. So the wrong image is rendered, indicating to me that somewhere there is a buffering or thread-safety issue.

There is some debate about whether ImageIO is thread-safe. Also, is Tomcat using a ServletOutputStream pool where a stream might be used simultaneously by multiple browser threads? Using .isReady() didn't provide a solution either. Whatever the root cause, it's blocking further development of the application :(

Reference material:

The dangers of Javas ImageIO
I'm using the Java ImageIO to dynamically serve images and get strange Exceptions from time to time. Is this a bug in Tomcat?
Java Code Examples for javax.servlet.ServletOutputStream
ServletOutputStream.isReady() returns true while it is not yet ready
Should I close the servlet outputstream?
temp imageio files in Tomcat gnerated by botBinFormat ?
Broken Pipe when writing bytes in ServletOutputStream
Problem with multiple images in a JSP (Connection reset by peer)

2017/01/15

Nikon Coolscan & Nikon Scan 4.0 on Windows 7/8/10

We now live in a digital age where every smartphone has a camera and images can be posted online almost immediately. The older generation of photographers can still remember a time when photography involved loading film into a camera and having it developed. It usually took several days before the photographs were ready.

Even if one has switched to digital photography since, large archives of images on film still exist. To allow these old images on film to become usable in the digital age, you need a way to scan them. Investing in a high-end film scanner (e.g. Nikon Coolscan LS-8000 ED) made sense in the early days of digital cameras with low resolution. It allowed for extended use of investments in analog camera equipment and produced better results than the digital cameras of that time. A lot has changed since then and high-end cameras now offer resolution that rivals and exceeds film.

On the downside, computer hardware and operating systems have become obsolete, making it harder to use this scanning equipment. E.g. the Nikon Scan driver and software were not updated to work after Windows XP. Even parts are getting scarce and it might not be very long before Nikon stops servicing Nikon Coolscans.

A while ago I found an article "Nikon Coolscan and Nikon Scan 4.0: Driver for Windows Vista 64 bit, Windows 7 64 bit and Windows 8 64 bit" online that describes how to get the Nikon Scan 4.0 driver working on Windows 7/8. After applying the steps I can now use the Nikon Coolscan and Nikon Scan 4.0 on Windows 7, giving it a new lease of life. And after upgrading to Windows 10, this still works.

Update 2021-05-09

When trying to scan after a few years (and several Windows 10 updates), I ran into an issue with the Nikon Scan 4.0.3 driver. The Nikon Scan 4.0 software showed a message "Nikon Scan was unable to find any active devices".

When I checked the Device Manager, the Nikon SUPER COOLSCAN 8000 ED was listed under Other Devices, while it should be under Imaging Devices (cameras and scanners). The driver is not digitally signed and was therefore no longer accepted by Windows. So my problem was related to the "third-party INF does not contain digital signature information" issue that old drivers sometimes pose in Windows 10. To install the driver anyway I needed to temporarily circumvent the digital signature enforcement. I found instructions online and executed the following:

1) Select the Start button in the lower left corner of your screen.
2) Select Settings -> Update & security
3) Select System Recovery
4) Below Advanced Startup Options, select Restart
5) After restart, the Choose an option screen is displayed
6) Select Troubleshoot -> Advanced options -> Startup Settings -> Restart
7) After restart, in the Startup Settings menu, select 7 (or F7). This triggers the "7) Disable driver signature enforcement" option
8) Your computer will restart once more and (temporarily) disable the digital signature enforcement.
9) Start the Device Manager
10) Find the Nikon SUPER COOLSCAN 8000 ED entry below Other Devices
11) Right-click Nikon SUPER COOLSCAN 8000 ED and select Update Driver Software
12) Select Browse my computer for driver software
Note: I have an already updated Nks1394.INF file (see instructions above) in C:\Program Files (x86)\Common Files\Nikon\Driver\Scan1394 and will use that
13) Select the correct location of your driver via the Browse button
14) Select OK
15) Back in the Update Driver Software window, select Next to install the driver
16) When all goes well, your scanner should now be listed below Imaging Devices (cameras and scanners).
17) Don't forget to restart again to re-enable the digital signature enforcement.
18) Then start the Nikon Scan software and your scanner will be recognized again. The normal scan options should appear and scanning can resume.

Reference material:

Nikon Coolscan and Nikon Scan 4.0: Driver for Windows Vista 64 bit, Windows 7 64 bit and Windows 8 64 bit
Unoffical Vista X64 driver of LS-8000ED/9000ED for Nikon Scan 4.03
http://imaging.nikon.com/lineup/scanner/scoolscan_8000_ed/
https://en.wikipedia.org/wiki/Nikon#Film_scanners
http://blog.controlspace.org/2010/05/nikon-scan-on-windows-7-and-vista-64.html
Hoe kan ik stuurprogramma's installeren die niet digitaal ondertekend zijn?
Find safe mode and other startup settings in Windows 10
https://petapixel.com/2015/04/24/12-reasons-photographers-still-choose-to-shoot-film-over-digital/
https://petapixel.com/2016/08/19/film-photography-making-stunning-comeback/

2016/06/19

Koken CMS on HTTPS

Abstract

This blog post describes how to use Let's Encrypt and enable HTTPS for Koken CMS on ReadyNAS OS 6.

Disclaimers

THIS HOWTO IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THIS HOWTO OR THE USE OR OTHER DEALINGS IN THIS HOWTO.

Netgear states: "Access by SSH is not discouraged, but is recommended for advanced users only. As such, using SSH is at the user's own risk."

This is how it worked in the situation of the baseline described below. Use it at your own risk.

Improvements

Please post concerns, comments and improvements for this blog on the related Netgear Community post "How to run Koken on https?" to help improve it.

Background

The Koken Content Management System, available as a ReadyNAS App from the Apps section of the RN Admin Pages, is installed to run on HTTP by default. It features a password-protected Koken Admin Page.

Koken also boasts an optional plugin to allow for password protected private albums and a Cart plugin that can be used to sell photos.

It is never a good idea to send passwords or purchase information in cleartext (unencrypted) over HTTP. It has long since become common practice on the Internet to use HTTPS for such sites. Therefore you want to use HTTPS for a Koken driven website. Self-signed certificates cause browsers to issue warnings or disallow access to the site, so they cannot be used. You need certificates from a Certificate Authority (CA). Let's Encrypt is a CA that offers a free, automated and open way to get the certificates you need to enable HTTPS.

Baseline

  • RN312 or RN516
  • ReadyNAS OS 6.5.0, 6.5.1 or 6.5.2 (Debian GNU/Linux 7 (wheezy))
  • Still works after upgrade to 6.6.0, 6.6.1, 6.7.1, 6.7.4, 6.7.5, 6.8.0, 6.8.1, 6.9.0, 6.9.1, 6.9.2, 6.9.3, 6.9.4, 6.9.5, 6.10.0, 6.10.1, 6.10.2, 6.10.3, 6.10.4 (Debian GNU/Linux 8 (jessie))

(Note: this how-to might also work on other RN models or OS versions, but that has not been tested.)

Prerequisites

  • MySQL and Koken installed on ReadyNAS OS 6.5.0, 6.5.1, 6.5.2, 6.6.0, 6.6.1, 6.7.1, 6.7.4, 6.7.5, 6.8.0, 6.8.1, 6.9.0, 6.9.1, 6.9.2, 6.9.3, 6.9.4, 6.9.5, 6.10.0, 6.10.1, 6.10.2, 6.10.3, 6.10.4.
  • Koken driven website accessible via a domain name from the Internet.
  • ReadyNAS needs outgoing Internet access to connect to Let's Encrypt, retrieve downloads for the installation and periodically renew the certificate.

Preparation

You need to have a domain name connected to your Koken public web pages as the certificate process needs these names as input. If you don't have that yet, work on that first.

In this howto "yourdomain.com" and "www.yourdomain.com" need to be replaced by your own domain name. Koken (installed from the RN Admin Page) runs on port 7100 by default. Make sure you have port forwarding in place on your router that points outside port 80 to 7100 internally and outside port 443 to 7443 internally. (7443 will be added to the Apache configuration later.)

Next, find your Linux and Apache versions, as they determine which script and which plugins you can use from Let's Encrypt and Certbot, and also which certificate files you need to add to the Apache configuration later.

Apache version

apachectl -V
Server version: Apache/2.2.31 (Debian)

These are the certificate files you will add later to your Apache config.

cert.pem

Server certificate only. This is what Apache < 2.4.8 needs for SSLCertificateFile.

chain.pem

All certificates that need to be served to the browser excluding the server certificate, i.e. root and intermediate certificates only. This is what Apache < 2.4.8 needs for SSLCertificateChainFile, and what nginx >= 1.3.7 needs for ssl_trusted_certificate.

Linux version

cat /etc/*-release
PRETTY_NAME="ReadyNASOS 6.5.0"
NAME="Debian GNU/Linux"
VERSION_ID="7"
VERSION="7 (wheezy)"
ID=debian
ANSI_COLOR="1;31"
HOME_URL="http://www.debian.org/"
SUPPORT_URL="http://www.debian.org/support/"
BUG_REPORT_URL="http://bugs.debian.org/"

The OS is Debian GNU/Linux 7 (wheezy). Therefore you cannot use the "certbot" command, but have to use certbot-auto instead.

Since OS 6.5.0 features Apache 2.2, you cannot use the CertBot Apache plugin. This howto uses the webroot plugin instead.

(Note: OS 6.6.0 and upwards features Debian GNU/Linux 8 (jessie). You may now be able to use the "certbot" command, but that has not been tested.)

Create letsencrypt dir

Create a letsencrypt dir where we can store the certbot script. In this howto we use /home/letsencrypt.

mkdir /home/letsencrypt

Install certbot-auto

cd /home/letsencrypt
wget https://dl.eff.org/certbot-auto
--2016-06-18 10:02:12--  https://dl.eff.org/certbot-auto
Resolving dl.eff.org (dl.eff.org)... 173.239.79.196
Connecting to dl.eff.org (dl.eff.org)|173.239.79.196|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 44115 (43K) [text/plain]
Saving to: ‘certbot-auto’
certbot-auto                         100%[=====================================================================>]  43.08K   286KB/s   in 0.2s
2016-06-18 10:02:14 (286 KB/s) - ‘certbot-auto’ saved [44115/44115]

Allow the downloaded script to be executable.

chmod a+x certbot-auto

Run the script to install all the needed components (e.g. python).

/home/letsencrypt/certbot-auto
Bootstrapping dependencies for Debian-based OSes...
Hit http://security.debian.org wheezy/updates InRelease
Hit http://security.debian.org wheezy/updates/main amd64 Packages
Ign http://apt.readynas.com 6.5.0 InRelease
Hit http://egnyte-cdn.egnyte.com 6.5 InRelease
Hit http://egnyte-cdn.egnyte.com 6.5/egnyte amd64 Packages
Ign http://mirrors.kernel.org wheezy InRelease 
... (lots of other lines) ...
Setting up python-pkg-resources (0.6.24-1) ...
Setting up python-setuptools (0.6.24-1) ...
Setting up python-virtualenv (1.7.1.2-2) ...
Processing triggers for libc-bin ...
Creating virtual environment...
Installing Python packages...
Installation succeeded.

During this process you might be asked to input an email address and agree to the license in a full terminal screen with blue background. Fill in your certificate administrator email address and select OK. Select Agree, if you want to accept the license.

After seeing the message "Installation succeeded", you should be able to create the certificate.

Create certificate

/home/letsencrypt/certbot-auto certonly --webroot -w /data/koken/web -d yourdomain.com -d www.yourdomain.com
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/yourdomain.com/fullchain.pem. Your cert
   will expire on 2016-09-15. To obtain a new or tweaked version of
   this certificate in the future, simply run certbot-auto again. To
   non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you lose your account credentials, you can recover through
   e-mails sent to someone@yourdomain.com.
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
Donating to EFF:                    https://eff.org/donate-le

The created certificates can be found in /etc/letsencrypt/live/yourdomain.com. Note the symbolic links pointing to the latest version in ../../archive.

cd /etc/letsencrypt/live/yourdomain.com
ls -al
total 16
drwxr-xr-x 1 root root 82 Jun 17 17:24 .
drwx------ 1 root root 28 Jun 17 17:24 ..
lrwxrwxrwx 1 root root 38 Jun 17 17:24 cert.pem -> ../../archive/yourdomain.com/cert1.pem
lrwxrwxrwx 1 root root 39 Jun 17 17:24 chain.pem -> ../../archive/yourdomain.com/chain1.pem
lrwxrwxrwx 1 root root 43 Jun 17 17:24 fullchain.pem -> ../../archive/yourdomain.com/fullchain1.pem
lrwxrwxrwx 1 root root 41 Jun 17 17:24 privkey.pem -> ../../archive/yourdomain.com/privkey1.pem

You are now ready to start using the certificate in your Apache web server.

Apache configuration

The Apache config for koken can be found in /apps/koken/http.conf. First create a backup so you have a working configuration to fall back on.

cp /apps/koken/http.conf /apps/koken/http.conf.ORIGINAL

Now add an HTTPS listener to http.conf. Copy the VirtualHost block for *:7100 to *:7443. Add a Rewrite rule to the *:7100 VirtualHost that will redirect all requests on HTTP to HTTPS. Add the SSL options, SSL Engine and SSL certificates to the *:7443 block.

vi /apps/koken/http.conf
Listen 7100
Listen 7443 https
<VirtualHost *:7100>
        ServerAdmin admin@localhost
        DocumentRoot /apps/koken/web
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /apps/koken/web/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>
        RewriteEngine on
        ReWriteCond %{SERVER_PORT} !^443$
        RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R,L]
        ErrorLog /apps/koken/error.log
        LogLevel warn
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:7443>
        ServerAdmin admin@localhost
        DocumentRoot /apps/koken/web
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /apps/koken/web/>
                Options Indexes FollowSymLinks MultiViews
                SSLOptions +StdEnvVars
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>
        ErrorLog /apps/koken/error.log
        LogLevel warn
        SSLEngine on
        SSLCertificateFile "/etc/letsencrypt/live/yourdomain.com/cert.pem"
        SSLCertificateKeyFile "/etc/letsencrypt/live/yourdomain.com/privkey.pem"
        SSLCertificateChainFile "/etc/letsencrypt/live/yourdomain.com/chain.pem"
</VirtualHost>
</IfModule>

Restart your Apache server

service apache2 restart

Connect your browser to your domain on HTTP. It should now redirect to HTTPS and the browser should not complain about missing or misconfigured certificates any more.

Renewal

The certificates are valid for 90 days. You may want to automate renewal. Manual renewal can be achieved with

/home/letsencrypt/certbot-auto renew
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/yourdomain.com.conf
-------------------------------------------------------------------------------
The following certs are not due for renewal yet:
  /etc/letsencrypt/live/yourdomain.com/fullchain.pem (skipped)
No renewals were attempted.

Add the following to your crontab to run renewal once each day (Let's Encrypt recommends twice a day). In the example, the renewal runs each day at 01:47 AM (local time) and appends the output to a log file. Let's Encrypt recommends using a random value for the minute parameter, probably to spread the load of renewal requests on the Let's Encrypt servers.

crontab -e
47 01 * * * /home/letsencrypt/certbot-auto renew >> /home/letsencrypt/certbot.log
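The cron job above appends certbot's output to a log that nobody reads, so the failure mode to watch for is a renewal that silently stops working and a certificate that quietly runs out after 90 days. This is an added example, not code from the post or from certbot: a standard-library Python 3 check that reads the certificate under /etc/letsencrypt/live/yourdomain.com/, reports the days left and whether certbot's default 30-day renewal window has been reached. The certificate it is exercised with is a constructed placeholder, not a real Let's Encrypt certificate.

```python
"""Check the certificate certbot keeps under /etc/letsencrypt/live/<domain>/ and say
whether renewal is due. Standard library only: the DER walk stops at the X.509
validity field, so no cryptography package is needed on the NAS."""
import base64
import datetime as dt

RENEW_WITHIN_DAYS = 30       # certbot's default: renew when fewer than 30 days remain

def pem_blocks(pem_text):
    """DER bytes of each CERTIFICATE block (1 in cert.pem, more in chain/fullchain.pem)."""
    blocks, current = [], None
    for line in pem_text.splitlines():
        line = line.strip()
        if line == "-----BEGIN CERTIFICATE-----":
            current = []
        elif line == "-----END CERTIFICATE-----":
            blocks.append(base64.b64decode("".join(current)))
            current = None
        elif current is not None and line:
            current.append(line)
    return blocks

def der_tlv(data, pos):
    """Decode one DER tag-length-value at pos -> (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                  # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def der_children(data):
    """(tag, value) for each element directly inside a constructed DER value."""
    children, pos = [], 0
    while pos < len(data):
        tag, value, pos = der_tlv(data, pos)
        children.append((tag, value))
    return children

def x509_time(tag, raw):
    """UTCTime (0x17, YYMMDD...) or GeneralizedTime (0x18, YYYYMMDD...) -> datetime."""
    text = raw.decode("ascii")
    if tag == 0x17:                                    # RFC 5280: 50-99 -> 19xx, 00-49 -> 20xx
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return dt.datetime.strptime(text, "%Y%m%d%H%M%SZ")

def certificate_validity(der):
    """(notBefore, notAfter) of a DER-encoded X.509 certificate."""
    _, certificate, _ = der_tlv(der, 0)                # Certificate ::= SEQUENCE
    fields = der_children(der_children(certificate)[0][1])   # tbsCertificate fields
    if fields[0][0] == 0xA0:                           # optional explicit [0] version
        fields = fields[1:]
    not_before, not_after = der_children(fields[3][1]) # serial, signature, issuer, validity
    return x509_time(*not_before), x509_time(*not_after)

def renewal_status(pem_text, today_iso):
    """Describe the first certificate in the file (the server certificate in cert.pem
    and fullchain.pem) relative to today_iso ('YYYY-MM-DD')."""
    blocks = pem_blocks(pem_text)
    if not blocks:
        raise ValueError("no CERTIFICATE blocks found")
    _, not_after = certificate_validity(blocks[0])
    days_left = (not_after - dt.datetime.strptime(today_iso, "%Y-%m-%d")).days
    return {"certificates_in_file": len(blocks), "not_after": not_after.date().isoformat(),
            "days_left": days_left, "expired": days_left < 0,
            "renewal_due": days_left < RENEW_WITHIN_DAYS}

def der_encode(tag, content):
    """Encode one DER TLV (used only to build the constructed sample below)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content

def constructed_sample_pem(not_before_iso, not_after_iso):
    """A structurally valid but unsigned placeholder certificate (constructed sample,
    not a real Let's Encrypt certificate) so the checks above can run offline."""
    def utc(iso):
        stamp = dt.datetime.strptime(iso, "%Y-%m-%d").strftime("%y%m%d%H%M%SZ")
        return der_encode(0x17, stamp.encode("ascii"))
    empty = der_encode(0x30, b"")                      # stands in for algorithm/name SEQUENCEs
    tbs = der_encode(0x30, b"".join([
        der_encode(0xA0, der_encode(0x02, b"\x02")),   # [0] version v3
        der_encode(0x02, b"\x01"),                     # serialNumber
        empty, empty,                                  # signature algorithm, issuer
        der_encode(0x30, utc(not_before_iso) + utc(not_after_iso)),   # validity
        empty,                                         # subject
    ]))
    cert = der_encode(0x30, tbs + empty + der_encode(0x03, b"\x00"))
    body = base64.b64encode(cert).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % "\n".join(lines)
```

Run it from the same crontab against /etc/letsencrypt/live/yourdomain.com/cert.pem (fullchain.pem works too, as its first certificate is the server certificate) and alert when renewal_due stays true after the next nightly run.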

Reference material

https://letsencrypt.org/getting-started/
https://certbot.eff.org/docs/
http://stackoverflow.com/questions/21415181/can-i-stop-the-this-website-does-not-supply-identity-information-message

© 1979-2022 Peter van Loon - fotografeer.nl | Built with Koken