Operating Systems

Nginx and Let’s Encrypt

by WK Wallace | Jun 13, 2019 | CentOS, Security, Web Applications

For those using a virtual server service like Vultr (this guide), Linode, DigitalOcean etc…

Let’s Encrypt is a new Certificate Authority (CA) that provides an easy way to obtain and install free TLS/SSL certificates, thereby enabling encrypted HTTPS on web servers. It simplifies the process by providing a software client, Certbot, that attempts to automate most (if not all) of the required steps. Currently, the entire process of obtaining and installing a certificate is fully automated on both Apache and Nginx web servers.

In this tutorial, we will show you how to use the certbot Let’s Encrypt client to obtain a free SSL certificate and use it with Nginx on CentOS 7. We will also show you how to automatically renew your SSL certificate.

Prerequisites

Before following this tutorial, you’ll need a few things.

A CentOS 7 server with a non-root user who has sudo privileges. You can learn how to set up such a user account by following steps 1-3 in our initial server setup for CentOS 7 tutorial.
You must own or control the registered domain name that you wish to use the certificate with. If you do not already have a registered domain name, you may register one with one of the many domain name registrars out there (e.g. Namecheap, GoDaddy, etc.).
A DNS A Record that points your domain to the public IP address of your server. This is required because of how Let’s Encrypt validates that you own the domain it is issuing a certificate for. For example, if you want to obtain a certificate for example.com, that domain must resolve to your server for the validation process to work. Our setup will use example.com and www.example.com as the domain names, so both DNS records are required.

Once you have all of the prerequisites out of the way, let’s move on to installing the Let’s Encrypt client software.

Step 1 — Installing the Certbot Let’s Encrypt Client

The first step to using Let’s Encrypt to obtain an SSL certificate is to install the certbot software on your server. Currently, the best way to install this is through the EPEL repository.

Enable access to the EPEL repository on your server by typing:

sudo yum install epel-release

Once the repository has been enabled, you can obtain the certbot-nginx package by typing:

sudo yum install certbot-nginx

The certbot Let’s Encrypt client is now installed and ready to use.

Step 2 — Setting up Nginx

If you haven’t installed Nginx yet, you can do so now. The EPEL repository should already be enabled from the previous section, so you can install Nginx by typing:

sudo yum install nginx

Then, start Nginx using systemctl:

sudo systemctl start nginx

Certbot can automatically configure SSL for Nginx, but it needs to be able to find the correct server block in your config. It does this by looking for a server_name directive that matches the domain you’re requesting a certificate for. If you’re starting out with a fresh Nginx install, you can update the default config file:

sudo vi /etc/nginx/nginx.conf

Find the existing server_name line:

/etc/nginx/sites-available/default

server_name _;

Replace the _ underscore with your domain name:

/etc/nginx/nginx.conf

server_name example.com www.example.com;

Save the file and quit your editor. Verify the syntax of your configuration edits with:

sudo nginx -t

If that runs with no errors, reload Nginx to load the new configuration:

sudo systemctl reload nginx

Certbot will now be able to find the correct server block and update it. Now we’ll update our firewall to allow HTTPS traffic.

Step 3 — Updating the Firewall

If you have a firewall enabled, make sure port 80 and 443 are open to incoming traffic. If you are not running a firewall, you can skip ahead.

If you have a firewalld firewall running, you can open these ports by typing:

sudo firewall-cmd –add-service=http
sudo firewall-cmd –add-service=https
sudo firewall-cmd –runtime-to-permanent

If have an iptables firewall running, the commands you need to run are highly dependent on your current rule set. For a basic rule set, you can add HTTP and HTTPS access by typing:

sudo iptables -I INPUT -p tcp -m tcp –dport 80 -j ACCEPT
sudo iptables -I INPUT -p tcp -m tcp –dport 443 -j ACCEPT

We’re now ready to run Certbot and fetch our certificates.

Step 4 — Obtaining a Certificate

Certbot provides a variety of ways to obtain SSL certificates, through various plugins. The Nginx plugin will take care of reconfiguring Nginx and reloading the config whenever necessary:

sudo certbot –nginx -d example.com -d www.example.com

This runs certbot with the --nginx plugin, using -d to specify the names we’d like the certificate to be valid for.

If this is your first time running certbot, you will be prompted to enter an email address and agree to the terms of service. After doing so, certbot will communicate with the Let’s Encrypt server, then run a challenge to verify that you control the domain you’re requesting a certificate for.

If that’s successful, certbot will ask how you’d like to configure your HTTPS settings:

Output

Please choose whether HTTPS access is required or optional.
-------------------------------------------------------------------------------
1: Easy - Allow both HTTP and HTTPS access to these sites
2: Secure - Make all requests redirect to secure HTTPS access
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

Select your choice then hit ENTER. The configuration will be updated, and Nginx will reload to pick up the new settings. certbot will wrap up with a message telling you the process was successful and where your certificates are stored:

Output

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/example.com/fullchain.pem. Your cert will
   expire on 2017-10-23. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot again with the
   "certonly" option. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Your certificates are downloaded, installed, and loaded. Try reloading your website using https:// and notice your browser’s security indicator. It should represent that the site is properly secured, usually with a green lock icon.

Step 5 — Updating Diffie-Hellman Parameters

If you test your server using the SSL Labs Server Test now, it will only get a B grade due to weak Diffie-Hellman parameters. This effects the security of the initial key exchange between our server and its users. We can fix this by creating a new dhparam.pem file and adding it to our server block.

Create the file using openssl:

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

This will take a while, up to a few minutes. When it’s done, open up the Nginx config file that contains your server block. In our example, it’s the default config file:

sudo vi /etc/nginx/nginx.conf

Paste the following line anywhere within the server block:

/etc/nginx/nginx.conf

. . .
ssl_dhparam /etc/ssl/certs/dhparam.pem;

Save the file and quit your editor, then verify the configuration:

sudo nginx -t

If you have no errors, reload Nginx:

sudo systemctl reload nginx

Your site is now more secure, and should receive an A rating.

Step 6 — Setting Up Auto Renewal

Let’s Encrypt’s certificates are only valid for ninety days. This is to encourage users to automate their certificate renewal process. We’ll need to set up a regularly run command to check for expiring certificates and renew them automatically.

To run the renewal check daily, we will use cron, a standard system service for running periodic jobs. We tell cron what to do by opening and editing a file called a crontab.

sudo crontab -e

Your text editor will open the default crontab which is an empty text file at this point. Paste in the following line, then save and close it:

crontab

. . .
15 3 * * * /usr/bin/certbot renew --quiet

The 15 3 * * * part of this line means “run the following command at 3:15 am, every day”. You may choose any time.

The renew command for Certbot will check all certificates installed on the system and update any that are set to expire in less than thirty days. --quiet tells Certbot not to output information or wait for user input.

cron will now run this command daily. All installed certificates will be automatically renewed and reloaded when they have thirty days or less before they expire.

Proofpoint Essentials and Azure AD registration

by WK Wallace | Jun 13, 2019 | Azure Server, Email, Security, Services

The instructions found on their website for setting up Proofpoint Essentials and connecting to Azure needs updating. Microsoft no longer allows users to access the “App Registration (legacy)” in order to get a KEY without a special character that isn’t supported by Proofpoint. You may have to generate dozens of keys to get one that Proofpoint will accept. Microsoft has also changed the name from Azure Active Directory to Microsoft Graph for setting domain read permissions.

The user profile service failed the logon. User profile cannot be loaded.

by WK Wallace | Aug 20, 2015 | Windows 10, Windows 7, Windows 8

When logging on to a Windows machine the user may get the error message like “The user profile service failed the logon. User profile cannot be loaded” in Windows 7 or Vista. Once enter the user name and password it will give this error message and the user can’t login but other user can login to the system without any problem.

How to Fix the “The user profile service failed the logon” error?

Click Start, type regedit in the Run box. Press Enter key.
In Registry Editor, navigate to the location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
In the navigation pane, locate the folder that begins with S-1-5 (SID key) followed by a long number.
Click each S-1-5 folder, locate the ProfileImagePath entry in the details pane, and then double-click to make sure that this is the user account profile that has the error.
Option 1: If you have only one folder starting with S-1-5 that is followed by long numbers and ends with .bak. Right-click the folder, and then click Rename. Remove .bak at the end of the folder name, and then press Enter.Option 2: If you have two folders starting with S-1-5 followed by some long numbers and one of them ended with .bak, you have to rename the .bak folder. To do this, follow these steps:

1) Right-click the folder without .bak, and then click Rename. Type .ba, and then press Enter.
2) Right-click the folder that is named .bak, and then click Rename. Remove .bak at the end of the folder name, and then press Enter.
3) Right-click the folder that is named .ba, and then click Rename. Change the .ba to .bak at the end of the folder name, and then press Enter.
Double-click the folder without .bak in the details pane, double-click RefCount, type 0, and then click OK.
Click the folder without .bak, in the details pane, double-click State, type 0, and then click OK.
Close Registry Editor.

Restart the computer and try to log on again with your account to see if the problem still exists. If everything goes as planned, you will be able to login to your account without any issue.

can’t add printer due to NT4 policy in effect

by WK Wallace | Jul 21, 2010 | 2003/2008 Server, Windows 7, Windows Vista, Windows XP

For some printer models, the manufacturer does not package the drivers so that they can be installed as Additional Drivers on a print server. This is the case for many of the less expensive bubble jet, inkjet and multi-function (e.g. scanner/fax/printer) models. The manufacturers deem these to be “personal” printers for use only on the computer to which they are physically connected (parallel, USB or serial port). The manufacturer often says that printing over the network is “not supported” for these models.

If you attempt to install the drivers for these models as Additional Drivers (see for example Install Additional Driver on older OS), you will get some kind of an error or a request for the driver that can not be satisfied no matter what you do. You may also get an error message stating that there is a policy in effect that doesn’t allow NT4 drivers to be installed.

Unfortunately, there are some models that can not be used over the network because the print device and printer driver have to be in bi-directional communication throughout the printing process. The manufacturer’s documentation does not always make this requirement apparent, although there may be FAQs or other documents on the manufacturer’s web site that state this.

Except for those models discussed in the previous paragraph, you can bypass this problem by adding the printer as a local printer on the client computer and associating the printer with a network printer port (i.e. re-direct it to the printer share on the print server). No harm will be done by trying this approach if it doesn’t work, so it’s usually worth a try.

Here’s how to install a printer locally and re-direct it to a network printer port. These instructions are written for Windows XP. This technique does work with Windows 7, Vista, 2008, and 2003 but the dialogs are a bit different, so you may have to read between the lines.

Logon at the client computer with a user account that has administrative rights and permissions on the client computer.
Click Start, Printers and Faxes
Right click in an empty space in the right pane and select Add Printer
Click Next
Select the Local Printer… radio button, remove the check mark from Automatically detect and install my Plug and Play printer; click Next
Select the Create a new port: radio button; from the Type of port: drop down list, select Local Port; click Next
In the Enter a port name: text box, key exactly the UNC name of the network printer (e.g. \\printservername\printersharename); click OK
Selecting the appropriate entries from the Manufacturer and Printers columns or click the Have Disk button as appropriate
Follow through the rest of the Add Printer wizard.

OWA – ‘gtLV’ is null or not an object

by WK Wallace | Jul 15, 2010 | Exchange 2007, Internet Explorer, Scripts, Web Applications

I was getting the “gtLV’ is null or not an object” message when I replied to an email using our Microsoft Online Hosted Exchange email account. Ironically enough, the problem would always occur when I replied to a new email from a Microsoft support engineer. The email would go through but I would get the “ ’gtLV’ is null or not an object” error message popup on the screen. If I replied to the email again the problem would not occur. A very similar message can be seen in the Microsoft Exchange Server forums where I also posted the provided solution.

After many emails to the very patient support tech at Microsoft (as I would reply and then send an email to let him know if the reply worked or not) we escalated the ticket and I got back the following resolution.

1. type regedit on command prompt or run
2. go to: HKCU\Software\Microsoft\Internet Explorer\Main
3. create TabProcGrowth (string or dword) and set the value to 0

This solution worked for me. From what I can see at the ie8blog this has the side effect of reducing the protectedmode protection and I think the browser tabs use the same process rather than running in seperate processes. This is a slight downside, but I doubt many users will care – they’re more than happy to have OWA working.

can’t change ie8 default search provider

by WK Wallace | Apr 15, 2010 | Internet Explorer

IE8 in some situation disallows changing the default search provider. This can happen on workgroups and domains even if the “restrict changing search provider” gpo is not configured.

Make sure IE 8 is closed then navigate to registry key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Add a new “Expandable String value” inside the above mentioned key with a value name of “AppData” and a value data of “%USERPROFILE%\Application Data”.
Reopen IE 8 and see if you still get the error message.

e sure IE 8 is closed then navigate to registry key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Add a new “Expandable String value” inside the above mentioned key with a value name of “AppData” and a value data of “%USERPROFILE%\Application Data”.
Reopen IE 8 and see if you still get the error message.

« Older Entries