Let’s Encrypt with DDNS on CentOS 7

My new A+ rating for my personal web server, with certificates from Let’s Encrypt!

A while back, I started using CentOS, with Apache, to host my own website. As I talked about here on this blog, the website is for my Piwigo server, which is a Google Photos alternative. My pictures from my phone are backed up to my home server automatically, and the Piwigo server acts as an interface where people with the appropriate passwords can log in and see the photos. Typically, that is just me and my wife.

One problem that I had, however, was difficulty getting a certificate from a CA (Certificate Authority), so I had to use a self-signed certificate. This worked great, to be honest, except that some browsers show a pesky “this is not secure” message that you have to accept a lot. It got old when I was showing someone, either a client or a friend, the setup but had to acknowledge a big security warning first.

So, I set out once again to get that fixed. I had heard a lot of good things about Let’s Encrypt, the free, open source certificate authority, and that they now support DDNS hostnames, so I thought I’d give it a try. Logging into the terminal, I followed the instructions and got this:

[root@localhost alaskalinuxuser]# certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: alaskalinuxuser.ddns.net
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for alaskalinuxuser.ddns.net
Cleaning up challenges
Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.

This was a bit confusing to me, since I could browse to my own website on port 80. The catch is that Certbot’s Apache plugin does not just look for something listening on port 80; it looks for a <VirtualHost> on port 80 whose ServerName matches the requested domain, and the stock CentOS httpd.conf serves port 80 without defining any named virtual host. Fortunately, I found the answer here: http://tomaskalabis.com/wordpress/letsencrypt-unable-to-find-a-virtual-host-listening-on-port-80/

So, I made a new file at /etc/httpd/conf.d/alaskalinuxuser.conf and filled it in with this:

<VirtualHost *:80>
    ServerAdmin alaskalinuxuser@fastmail.com
    ServerName alaskalinuxuser.ddns.net
    ServerAlias alaskalinuxuser.ddns.net
    DocumentRoot /var/www/html
</VirtualHost>

After that, I exited nano, restarted the httpd daemon, and was able to re-run certbot:

[root@localhost conf.d]# certbot --apache -d alaskalinuxuser.ddns.net
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for alaskalinuxuser.ddns.net
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/httpd/conf.d/ssl.conf
Redirecting vhost in /etc/httpd/conf.d/alaskalinuxuser.conf to ssl vhost in /etc/httpd/conf.d/ssl.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://alaskalinuxuser.ddns.net

And now I have a CA vouching for my web server!
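The two things that bit me above, the DDNS name having to resolve and the Apache plugin needing a port-80 virtual host for that exact name, can be checked before certbot is run. The script below is an added example, not code from the post or from Certbot; it takes the hostname, the apache plugin and the /etc/httpd/conf.d layout from the post, and the sample "httpd -S" text, the 30-day expiry threshold and the script name are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for
# "certbot --apache" on a DDNS hostname, then a post-issue check.
# From the post: the hostname, the apache plugin, /etc/httpd/conf.d.
# Constructed here: the sample "httpd -S" text and the 30-day threshold.

# Succeed if the "httpd -S" text on stdin shows a port-80 vhost answering
# to NAME. httpd prints one of two layouts: a single
#   "*:80   name (file:line)" line, or, with several vhosts,
#   "port 80 namevhost name (file:line)" lines under "*:80 is a NameVirtualHost".
port80_vhost_present() {
    esc=$(printf '%s' "$1" | sed 's/\./\\./g')   # literal dots in the name
    grep -E "^([*]:80[[:space:]]+${esc}([[:space:]]|$)|[[:space:]]+port 80 namevhost ${esc}([[:space:]]|$))" >/dev/null
}

# Succeed if the certificate in PEM file $2 expires within $1 days
# (openssl -checkend returns non-zero once the cert will have expired).
cert_expires_within() {
    days="$1"; pem="$2"
    ! openssl x509 -checkend $((days * 86400)) -noout -in "$pem" >/dev/null
}

# Constructed "httpd -S" output matching the post's final setup.
SAMPLE_HTTPD_S='VirtualHost configuration:
*:80                   alaskalinuxuser.ddns.net (/etc/httpd/conf.d/alaskalinuxuser.conf:1)
*:443                  alaskalinuxuser.ddns.net (/etc/httpd/conf.d/ssl.conf:56)
ServerRoot: "/etc/httpd"'

# Run the parser against the constructed sample; succeed if it behaves.
selftest() {
    printf '%s\n' "$SAMPLE_HTTPD_S" | port80_vhost_present alaskalinuxuser.ddns.net || return 1
    printf '%s\n' "$SAMPLE_HTTPD_S" | port80_vhost_present other.ddns.net && return 1
    return 0
}

main() {
    name="$1"
    # 1. The DDNS record must resolve, or the CA cannot reach us for http-01.
    getent hosts "$name" >/dev/null || { echo "no DNS record for $name"; return 1; }
    # 2. The apache plugin needs a port-80 vhost whose ServerName is $name.
    if ! httpd -S 2>&1 | port80_vhost_present "$name"; then
        echo "no port-80 vhost for $name: add one under /etc/httpd/conf.d/ and restart httpd"
        return 1
    fi
    # 3. Issue and install the certificate (interactive, as in the post).
    certbot --apache -d "$name" || return 1
    # 4. Inspect what was deployed (certbot keeps the leaf cert at this
    #    path) and prove that unattended renewal will work later.
    pem="/etc/letsencrypt/live/$name/cert.pem"
    openssl x509 -noout -subject -enddate -in "$pem"
    if cert_expires_within 30 "$pem"; then echo "warning: $pem expires within 30 days"; fi
    certbot renew --dry-run
}

# Usage, as root on the server: ./le-preflight.sh alaskalinuxuser.ddns.net
if [ $# -gt 0 ]; then main "$@"; fi
```

Let's Encrypt certificates are valid for 90 days, so the `certbot renew --dry-run` at the end is the part worth keeping an eye on: it fails in exactly the same way as the first attempt in the post if the port-80 vhost is ever removed, and a green dry run means the renewal timer or cron job (check `systemctl list-timers` for one) will keep the A+ rating without manual work.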

Linux – keep it simple.

Home photo server, part 1: Server Setup, SCP and FTP

While there are many, many options out there for photo storage, if you are looking for a home storage solution that does NOT involve just plugging in your phone and dumping the pictures to your hard drive, you have to get a little technical. (By the way, if that is what you have to do, there is no shame in it. It is probably a lot safer doing that than letting Google hold all of your photos.)

The first thing I needed was a server. Granted, you could use just about anything these days, and there are a lot of open source/open hardware type solutions, but I was gifted an older, generation 1 Dell PowerEdge 1950 by a friend. It was made in 2006, but it is still 64-bit, has two quad-core Xeon 2 GHz processors, and I loaded it with 24 GB of RAM. You can get them on eBay now for about $60. A little overkill for this sort of thing, but the price was right! As a bonus, it supports hardware RAID, and I put two 2 TB drives in a mirror array, so I had 2 TB of space that was already backed up.

From there I loaded CentOS 7 on it per the usual installation method, and updated the system. I also purchased an APC battery backup unit, a Back-UPS 1350. This would only hold the power on for about 15 minutes, but it would help for brownouts, and the frequent “blips” where the power goes out for only a second or so, which is common where I live. Later I’ll have to do a post on setting up the auto-shutdown and controls, because that was rather interesting.

So the next thing I needed, if I wanted this to work, was a domain name. I needed a way to contact my home computer from my cell phone, especially while not at home. Granted, you could set all of this up so that your phone backs up your photos automatically when you come home, but I wanted to be able to do this from abroad. Enter No-ip.com. I’ve used them before, and it is great if you are looking for a cheap solution, because it is free.

Granted, with a free account your hostname will need to be manually renewed every 30 days, but they send you an email, and all you have to do is click the link to keep it active, so it is pretty easy. After creating an account, logging in, and setting up a hostname for my dynamic IP address, all I had to do was install the DUC software. DUC is the Dynamic Update Client, software that allows you to:

“Remote access your computer, DVR, webcam, security camera or any internet connected device easily. Dynamic DNS points an easy to remember hostname to your dynamic IP address.” (noip.com)

All you have to do is download the source code and compile it. It went like this:

$ cd noip-2.1.9-1/
$ make
$ sudo make install

After entering my password, it ran through an installation script and asked me for my account name, the password for the account, and which DDNS hostname I wanted to associate with this computer. Interestingly, you can have several.

From here, it became a matter of preference how to continue. I toyed with several options on my Android phone for getting the photos from the phone to the computer over the internet. One of the first methods I tried was scp, or secure copy over SSH. So, I installed the SSH server on my server:

# yum install openssh-server

# cd /etc
# cd ssh/
# ls
# nano sshd_config

I then edited sshd_config to my liking; there are a lot of guides on this on the internet, so I won’t belabor the point here. I will note that I use a non-standard port as a form of extra security, however slight that may be, so you may consider doing the same, but essentially it works as is once installed. Then I opened the port in the firewall – I list the standard port here, for ease of following along:

# firewall-cmd
# firewall-cmd --help
# firewall-cmd --add-port=22/tcp
# firewall-cmd --add-port=22/tcp --permanent
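Moving sshd to a non-standard port on CentOS 7 involves more than the sshd_config edit mentioned above: SELinux only allows sshd to bind ports labelled ssh_port_t, and a typo in the config can lock you out of a headless box in the closet. The script below is an added example, not code from the post or from OpenSSH; the port 2222, the sample config fragment and the script name are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): put sshd on a non-standard
# port on CentOS 7, including the steps a plain edit of sshd_config misses
# (SELinux port label, config check before restart, keeping port 22 open
# until the new port is proven). Port 2222 and the sample are constructed.

# Set (or add) the Port directive in the sshd_config at $1 to $2. The first
# Port line, commented out or not, becomes the live directive, any later
# Port lines are dropped, and one is appended if the file had none.
set_sshd_port() {
    conf="$1"; port="$2"
    awk -v p="$port" '
        /^[ \t]*#?[ \t]*[Pp]ort[ \t]+[0-9]+/ { if (!done) { print "Port " p; done = 1 }; next }
        { print }
        END { if (!done) print "Port " p }
    ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Print the effective Port (22 when no live directive is present).
get_sshd_port() {
    awk 'tolower($1) == "port" { p = $2 } END { print (p == "" ? "22" : p) }' "$1"
}

# Constructed fragment of a stock CentOS 7 sshd_config.
SAMPLE_SSHD_CONFIG='#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
PermitRootLogin no
PasswordAuthentication yes'

# Exercise the edit on the constructed sample; succeed if it behaves.
selftest() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_SSHD_CONFIG" > "$tmp"
    [ "$(get_sshd_port "$tmp")" = "22" ] || return 1
    set_sshd_port "$tmp" 2222
    [ "$(get_sshd_port "$tmp")" = "2222" ] || return 1
    [ "$(grep -c '^Port ' "$tmp")" = "1" ] || return 1
    rm -f "$tmp"
}

main() {
    port="$1"
    cp -p /etc/ssh/sshd_config "/etc/ssh/sshd_config.bak.$(date +%Y%m%d%H%M%S)"
    set_sshd_port /etc/ssh/sshd_config "$port"
    # SELinux: without the ssh_port_t label sshd refuses to bind the new
    # port (semanage comes from policycoreutils-python on CentOS 7).
    semanage port -a -t ssh_port_t -p tcp "$port" 2>/dev/null \
        || semanage port -m -t ssh_port_t -p tcp "$port"
    # Open the new port in firewalld, runtime and permanent, as in the post.
    firewall-cmd --add-port="${port}/tcp"
    firewall-cmd --permanent --add-port="${port}/tcp"
    # Validate the config before restarting so a typo cannot lock you out.
    sshd -t || { echo "sshd_config is invalid; fix it before restarting sshd"; return 1; }
    systemctl restart sshd
    # Leave port 22 open until a login on the new port works from a second
    # terminal; only then: firewall-cmd --permanent --remove-service=ssh && firewall-cmd --reload
}

# Usage, as root: ./sshd-port.sh 2222
if [ $# -gt 0 ]; then main "$@"; fi
```

The `sshd -t` check and the "leave the old port open" rule are the two habits worth keeping: a non-standard port buys very little against scanners, but a restart on a bad config or a firewall rule that was never made permanent is how people end up driving home to plug in a keyboard.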

And that worked great. Unfortunately, scp is slow and can be cumbersome from an Android phone, especially since I didn’t find any apps that would sync my directories automatically (and were open source, so I knew what was really being synced). However, I found several open source options that would sync automatically via FTP. So I decided to install “Very Secure FTP daemon”, or vsftpd, like so:

# yum install vsftpd

# cd /etc/vsftpd/

# ls

# nano vsftpd.conf

Again, I set it up to my needs, but you can check out this guide for ideas. I also needed to punch some holes in the firewall for the service and for both active and passive mode, since several Android apps would use either.

# firewall-cmd --add-port=21/tcp
# firewall-cmd --add-port=21/tcp --permanent
# firewall-cmd --add-port=20/tcp
# firewall-cmd --add-port=20/tcp --permanent

# firewall-cmd --permanent --add-port=40000-50000/tcp

And voilà! All that was left was a quick restart of the processes:

# firewall-cmd --reload

# systemctl restart vsftpd
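The passive-mode range opened in the firewall above only works if vsftpd is told to use the same range, and a home server behind NAT also has to advertise its public name in PASV replies rather than its LAN address. The script below is an added example, not code from the post or from the vsftpd project: it writes a vsftpd.conf that matches the firewall rules above, turns on explicit TLS (FTPS) so the account password and the photos do not cross the internet in the clear, and checks that the passive range in the file lies inside the range the firewall opens. It assumes the Let's Encrypt certificate from the first post exists under /etc/letsencrypt/live/alaskalinuxuser.ddns.net/ and that the Android client supports explicit FTPS; the script name and the allowlist choice are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): a vsftpd.conf matching the
# firewall rules above (port 21, passive 40000-50000), with explicit TLS.
# Assumed: the Let's Encrypt cert from the first post is at
# /etc/letsencrypt/live/alaskalinuxuser.ddns.net/ and the phone's FTP
# client speaks explicit FTPS. Everything else here is constructed.

PASV_MIN=40000
PASV_MAX=50000
HOST=alaskalinuxuser.ddns.net

# Write the configuration to the path given as $1.
write_vsftpd_conf() {
    cat > "$1" <<EOF
# No anonymous access; only local Unix users listed in user_list (one
# username per line), each locked into its own home directory.
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
chroot_local_user=YES
allow_writeable_chroot=YES
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd/user_list
pam_service_name=vsftpd
listen=YES
listen_ipv6=NO

# Passive mode: advertise the DDNS name (resolved at connect time) and a
# fixed port range, which must be the range opened in firewalld and
# forwarded by the home router.
pasv_enable=YES
pasv_min_port=${PASV_MIN}
pasv_max_port=${PASV_MAX}
pasv_addr_resolve=YES
pasv_address=${HOST}

# Explicit TLS on control and data channels with the Let's Encrypt cert
# from the first post; plaintext logins are refused.
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=NO
rsa_cert_file=/etc/letsencrypt/live/${HOST}/fullchain.pem
rsa_private_key_file=/etc/letsencrypt/live/${HOST}/privkey.pem
EOF
}

# Succeed if the passive range in config file $1 lies inside the range
# $2-$3 that the firewall opens. A mismatch shows up as a client that logs
# in fine and then hangs on the first directory listing.
pasv_range_inside() {
    conf="$1"; lo="$2"; hi="$3"
    min=$(sed -n 's/^pasv_min_port=//p' "$conf")
    max=$(sed -n 's/^pasv_max_port=//p' "$conf")
    [ -n "$min" ] && [ -n "$max" ] && [ "$min" -le "$max" ] \
        && [ "$min" -ge "$lo" ] && [ "$max" -le "$hi" ]
}

main() {
    write_vsftpd_conf /etc/vsftpd/vsftpd.conf
    pasv_range_inside /etc/vsftpd/vsftpd.conf "$PASV_MIN" "$PASV_MAX" || return 1
    firewall-cmd --permanent --add-port=21/tcp
    firewall-cmd --permanent --add-port="${PASV_MIN}-${PASV_MAX}/tcp"
    firewall-cmd --reload
    systemctl restart vsftpd
}

# Usage, as root: ./vsftpd-setup.sh apply
if [ "${1:-}" = "apply" ]; then main; fi
```

Two points about the design. The fixed passive range is not optional once TLS is on: firewalld's `ftp` service normally relies on the nf_conntrack_ftp helper to open data ports by reading PASV replies on the control channel, and with the control channel encrypted the helper sees nothing, so only an explicitly opened range works. And with `force_local_logins_ssl=YES` a client that only speaks plain FTP is refused at login, which is the point, so test the phone app against it before deleting the old plain-FTP rule.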

And now I could use FTP apps on my Android phone to sync my pictures from my phone automatically to the home server! In case you are wondering, a great app for this is on F-Droid, the repository of open source apps. It is called SyncTool, and it is very handy. It supports FTP sync one way or both ways, with automatic scheduling or running jobs manually.

Wheeow, that was a long post, but now my photos were being automatically backed up. However, that’s only part of the story, because if I was going to convince my wife to ditch Google Photos, I also needed a way to browse the photos online, share them, organize them, etc. It was time for a web server. Guess we’ll cover that next.

Linux – keep it simple.