ARCHIVE NOTICE

My website can still be found at industrialcuriosity.com, but I have not been posting on this blog as I've been primarily focused on therightstuff.medium.com - please head over there and take a look!

Saturday 8 January 2022

Managing site certificates with NGINX and Certbot

And removing a single domain certificate without breaking everything else

Do you operate multiple domains from the same webserver? Do you have a webserver operated by NGINX? Do you have Certbot managing your certificates? This is a set of instructions for creating your certificates correctly and removing a single domain from your configuration, after I found some confusing ones that resulted in me knocking out my server for a little while…

A note before we begin

If you’re rather in a hurry to remove a domain from a messy configuration, STOP. Re-organizing your sites and regenerating your certificates is not only pretty quick and mostly painless — and required, if you want to remove a single domain without making NGINX break down and throw a wobbly — it’s very much the same process.

Organizing your existing NGINX sites

Ensure that you know which domains are configured in which site files, in particular make sure that you do not include servers for multiple domains in the same file.

To do this, look through your enabled site files under /etc/nginx/sites-enabled to find relevant server entries. While you’re there, you might want to note any certificates which are already used by those server entries; those will be the lines starting with ssl_certificate.

If you need to reorganize your site files, remember that their actual location must be in the /etc/nginx/sites-available path. To enable a site /etc/nginx/sites-available/example, create a symlink in the /etc/nginx/sites-enabled path with

> ln -s /etc/nginx/sites-available/example.com /etc/nginx/sites-enabled/

and to disable a site, remove it from the /etc/nginx/sites-enabled path with

> rm /etc/nginx/sites-enabled/example.com

Generating certificates with Certbot

Once your sites are organized in a way that each domain has its own file, generate certificates for each domain and its subdomains with

> sudo certbot --nginx -d example.com -d www.example.com

This will generate a new certificate if needed and update the site file accordingly.

To ensure that everything is as it should be, review the updated site files and then validate them with

> sudo nginx -t

To restart NGINX once you’re ready, run

> sudo service nginx restart

Removing obsolete domains and certificates

Now that your site files and certificates are configured correctly, it’s time to remove any obsolete certificates that are no longer referenced.

Run sudo certbot certificates to list the existing certificates, paying attention to their names as well as their certificate and key paths. These paths will be registered in your NGINX site files so you can review what’s active and required and be certain that the certificate(s) you’re removing are unused.

When you’re confident that a certificate example.com is no longer in use, simply remove it by running

> sudo certbot delete --cert-name example.com 

...

Originally published at https://therightstuff.medium.com.

A VSCode extension to make your code more secure

 I recently installed Red Hat’s YAML VS Code extension to assist me with Bamboo Specs, convinced by the Bald Bearded Builder that this was the linter for me (check out its schema support!). I don’t usually appreciate extensions recommending things to me (and, to be fair, I don’t know that that’s precisely what happened), but this morning a toaster popped up suggesting that I install their Dependency Analytics extension and I am SO glad that I clicked on it!


Red Hat’s “Dependency Analytics” extension is fantastic, it’s powered by Snyk’s vulnerability database and when opening one of my projects’ dependency files* I immediately saw red and was able to click my way clear in a matter of minutes**.

* My current team has projects written in all four of the supported languages, the only thing I’m personally missing is an extension for Visual Studio “proper” for C#…

** Well, okay, one of the dependency suggestions included a breaking change, but the rest of them were trivial upgrades.

Well done, Red Hat, for making safety and security just a little bit easier!

...

Originally published at https://therightstuff.medium.com.

How to open Debian archives with 7-Zip

 I cannot believe I’m writing this, but here we are: 7-Zip is perfectly capable of opening Debian package files (which are compressed using ar), but for some inexplicable reason they’ve decided to hide the control components by default.

Fortunately, opening the files properly isn’t too complicated, even if it’s not as convenient as simply opening the file: right-click on the Debian file to access the 7-Zip context menu, then hit “Open archive” with the directional arrow and select “*”.

Simple enough, I guess... if you know what you’re looking for.

...

Originally published at https://therightstuff.medium.com.

A quick-start guide to setting up a Debian guest on VMWare WorkStation 15/16 Player

I don’t know why everything needs to be subtly non-standard, but over the course of the last twenty or so virtual machine reconstructions I’ve come up with a simple checklist for setting up a Debian guest on VMWare’s WorkStation (Windows) and I thought I’d share it here.

  1. Download your Debian .iso here (I recommend the netinst CD image)
  2. Create a new virtual machine using the downloaded .iso and check that the default configuration is satisfactory (I tend to need a little more power, usually 2 CPUs does it for me). Note that increasing the size of a hard disk is for more complicated and risky than a regular user would expect, so give yourself a healthy buffer. In my experience, it’s less painful to rebuild a bigger machine than it is to extend the disk size.
  3. Install the OS — I find the graphical installer to be just fine for my purposes. The two configuration options that are the most impactful are your choice of desktop environment, I usually choose Xfce but I’m starting to like GNOME again. It’s probably a good idea to install the ssh server as well.
  4. Once installation is complete, click the VMWare button at the bottom of the screen to signal that and restart the machine.
  5. To grant yourself the ability to use sudo, open the terminal and run either
    > su -
    or
    > su -c ‘su -’
    if the first isn’t allowed (I’m not sure how to use the correct single quotes in Medium, so note that the above apostrophes aren’t correct).
    Then run
    > usermod -aG sudo <username>
    to add yourself to the sudoers group. You will need to log out and back in for this to take effect.
  6. Install the following to be able to install VMWare Tools, which enables things like copying and pasting between host and guest machines:
    > sudo apt install -y open-vm-tools open-vm-tools-desktop linux-source

Installing VMWare Tools in WorkStation Player 16

Open the Virtual Machine Settings, select the Options tab, then select VMWare Tools: select “Sychronize guest time with host” and “Update automatically”, then restart the virtual machine.

Installing VMWare Tools in WorkStation Player 15

  1. Open the VM menu, select Install VMWare Tools.
  2. Mount the VMWare Tools CD:
    > sudo mount /dev/cdrom
  3. Extract the installer to your current directory (or maybe create a subdirectory for it) using tab auto-complete in place of the ellipse:
    > tar -xf /media/cdrom/VMWareTools…
  4. Install the required build tools:
    > sudo apt-get install -y autoconf automake binutils cpp gcc linux-headers-$(uname -r) make psmisc
  5. Try to run the .pl script in the extracted folder, expect it to fail, restart the machine anyway.

At this point you should have your VM up and running and be able to copy / paste / drag files between your machines. Now go grab yourself another cup of coffee, you deserve it! 

...

Originally published at https://therightstuff.medium.com.