Tutorial: How to use the Let’s Encrypt public beta to get a new SSL certificate

New information:
Requesting a certificate for your domains on an Apache web server running on a Debian server is extremely easy.
Install certbot, a utility that helps request Let’s Encrypt certificates:

apt-get install python-certbot-apache -t jessie-backports

Now run it:

certbot --apache

This will start a curses interface to select sites whose certificates you want to renew.
This works very well and worked when the certificate module of webmin was botched up.

Older post:
This tutorial describes how to create a new SSL certificate using Let’s Encrypt (Public beta as of 06/12/2015).

The Let’s Encrypt documentation is at: http://letsencrypt.readthedocs.org/en/latest/using.html#installation

Let’s create a new droplet at Digitalocean to test Let’s Encrypt.
Now log in to the server via ssh:

Install git, an editor (I prefer emacs) and letsencrypt:

apt-get install git emacs
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt

To install and run the client you just need to type:

./letsencrypt-auto certonly --webroot -w /var/www/virtual/maindomain.com/mydomain.in/htdocs/ -d www.mydomain.in -d mydomain.in

IMPORTANT NOTES:
– If you lose your account credentials, you can recover through
e-mails sent to [email protected]
– Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/www.mydomain.in/fullchain.pem. Your cert will
expire on 2016-03-05. To obtain a new version of the certificate in
the future, simply run Let’s Encrypt again.
– Your account credentials have been saved in your Let’s Encrypt
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Let’s
Encrypt so making regular backups of this folder is ideal.
– If like Let’s Encrypt, please consider supporting our work by:

Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

Automatically installing letsencrypt certificates for a server running i-mscp control panel:
Once you’ve generated certificates as mentioned above, log in to i-mscp and go to https://yourcpsite.com:2087/client/domains_manage.php
Next to your domain, click on “Add/Edit SSL Certificate”.

Use the contents of the following files for the corresponding text boxes:

Private key -> /etc/letsencrypt/live/www.elephant.in/privkey.pem
Certificate -> /etc/letsencrypt/live/www.elephant.in/cert.pem
Intermediate certificate(s) -> /etc/letsencrypt/live/www.elephant.in/chain.pem

Manually installing letsencrypt certificates for a server running i-mscp control panel:
The following additional information pertains to manually installing these certificates for a server running i-mscp:

So, you’ve generated a certificate for the site www.elephant.in. The files created are at /etc/letsencrypt/live/www.elephant.in/ and are as follows:

lrwxrwxrwx 1 root root   36 Dec  6 09:12 cert.pem -> ../../archive/www.elephant.in/cert1.pem
lrwxrwxrwx 1 root root   37 Dec  6 09:12 chain.pem -> ../../archive/www.elephant.in/chain1.pem
lrwxrwxrwx 1 root root   41 Dec  6 09:12 fullchain.pem -> ../../archive/www.elephant.in/fullchain1.pem
lrwxrwxrwx 1 root root   39 Dec  6 09:12 privkey.pem -> ../../archive/www.elephant.in/privkey1.pem

Copy these as follows:

cp /etc/letsencrypt/live/www.elephant.in/privkey.pem /var/www/imscp/gui/data/certs/elephant.in.privkey.pem
cp /etc/letsencrypt/live/www.elephant.in/cert.pem /var/www/imscp/gui/data/certs/elephant.in.cert.pem
cp /etc/letsencrypt/live/www.elephant.in/chain.pem /var/www/imscp/gui/data/certs/elephant.in.chain.pem

Now edit the file /etc/apache2/sites-enabled/elephant.in_ssl.conf:

Add/Edit the following directives:

SSLEngine On
SSLCertificateFile /var/www/imscp/gui/data/certs/elephant.in.cert.pem
SSLCertificateChainFile /var/www/imscp/gui/data/certs/elephant.in.chain.pem
SSLCertificateKeyFile /var/www/imscp/gui/data/certs/elephant.in.privkey.pem

Restart apache2:

service apache2 restart
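
An added example, not part of the original post: the copy step above done with explicit file modes (with a plain cp the mode of the private key copy depends on the source file and the umask, and can end up world-readable) and a check that the key and certificate belong together before Apache is restarted. The function names and the script name deploy.sh are made up for this sketch, and mode 600 on the key assumes Apache is started as root, as on Debian.

```sh
#!/bin/sh
# Added example; function names are hypothetical, paths are the post's.

# Succeeds only if private key $1 and certificate $2 hold the same public key.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# install_with_mode MODE SRC DST
# Writes a temporary file under a restrictive umask, sets the final mode, then
# renames it into place, so DST is never readable by others in between.
install_with_mode() {
    mode=$1 src=$2 dst=$3
    tmp="$dst.tmp.$$"
    ( umask 077 && cp "$src" "$tmp" ) && chmod "$mode" "$tmp" && mv -f "$tmp" "$dst"
}

# deploy_pair LIVE_DIR DEST_DIR NAME
# Refuses to copy anything when the key and certificate do not match.
deploy_pair() {
    live=$1 dest=$2 name=$3
    if ! key_matches_cert "$live/privkey.pem" "$live/cert.pem"; then
        echo "privkey.pem and cert.pem in $live do not match" >&2
        return 1
    fi
    install_with_mode 600 "$live/privkey.pem" "$dest/$name.privkey.pem" &&
    install_with_mode 644 "$live/cert.pem" "$dest/$name.cert.pem" &&
    install_with_mode 644 "$live/chain.pem" "$dest/$name.chain.pem"
}

# As root on the server (deploy.sh is a hypothetical name for this file):
#   sh deploy.sh /etc/letsencrypt/live/www.elephant.in \
#       /var/www/imscp/gui/data/certs elephant.in \
#     && apache2ctl configtest && service apache2 restart
if [ "$#" -eq 3 ]; then
    deploy_pair "$@"
fi
```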

Now reload your website and look at the certificate information your browser shows for it.

If your site shows invalid issuer information, you haven’t done these steps correctly.

Renewing certificates

The Let’s Encrypt CA issues short-lived certificates (90 days). Make sure you renew the certificates at least once in 3 months.

For renewing, use the same command as you did when you generated the certificates. For automating renewal use --renew-by-default.

Eg:

./letsencrypt-auto certonly --webroot -w /var/www/virtual/joel.co.in/elephant.in/htdocs/ -d www.elephant.in -d elephant.in --renew-by-default
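
An added example, not from the original post: --renew-by-default requests a new certificate on every run and Let’s Encrypt rate-limits issuance, so a cron job should first check how close the certificate is to expiry. Because the i-mscp install above copied the files instead of linking them, a renewal also leaves Apache serving the old copy until the cp steps are repeated; the sketch reports both conditions. The function names, the script name certplan.sh and the 30-day window are assumptions.

```sh
#!/bin/sh
# Added example; function names and the 30-day window are choices made here.

# True when certificate $1 expires within $2 days (or has already expired).
needs_renewal() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# True when the copy Apache serves ($2) differs from the live certificate ($1),
# which is the state after a renewal if the cp steps were not repeated.
deployed_is_stale() {
    ! cmp -s "$1" "$2"
}

# plan_action LIVE_CERT DEPLOYED_CERT DAYS
# Prints one of: missing, renew, redeploy, ok.
plan_action() {
    live=$1 deployed=$2 days=$3
    if [ ! -r "$live" ]; then
        echo missing
    elif needs_renewal "$live" "$days"; then
        echo renew
    elif deployed_is_stale "$live" "$deployed"; then
        echo redeploy
    else
        echo ok
    fi
}

# Daily cron job as root (certplan.sh is a hypothetical name for this file):
#   sh certplan.sh /etc/letsencrypt/live/www.elephant.in/cert.pem \
#       /var/www/imscp/gui/data/certs/elephant.in.cert.pem 30
# renew    -> run the letsencrypt-auto command with --renew-by-default,
#             then repeat the cp steps and restart apache2
# redeploy -> repeat the cp steps and restart apache2
if [ "$#" -eq 3 ]; then
    plan_action "$@"
fi
```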

You are reading this post on Joel G Mathew’s tech blog. Joel's personal blog is the Eyrie, hosted here.

Setting up Keepass with Chrome and Firefox

A newer and more detailed post regarding Keepass can be found here.

  1. Install Keepass by running the Keepass installer exe (Alternately use the portable version).
  2. Get the latest version of KeePassHttp.plgx
  3. Copy KeePassHttp.plgx manually to %PROGRAMFILES(X86)%\KeePass Password Safe 2 (Or anywhere else you’ve installed Keepass exe to). It should be in the main directory which also contains KeePass.exe. If you copied it correctly, Keepass will show a “Compiling plugins” window next time it is run.
  4. Install Chromipass for Chrome from here. Alternately, Install Keefox for Firefox if you’re using Firefox.
  5. Now, open your database (or create a new one), assign a key and do whatever you want to do.

I move my Keepass database to my Dropbox folder. Make sure to set up a very strong password for Dropbox before you do, however :), and never ever keep the Keepass database and key in the same location. You could simply put one in Dropbox and the other in Google Drive, or alternatively encrypt the key and keep it in the same location.


Using Keepass with Chrome and Firefox

Keepass, an open source software, is arguably one of the best password management tools available. My personal favorite is Lastpass for the sheer number of available features, and because of close integration with Chrome. Keepass however seems to have a few issues with Chrome, though Firefox integration with the Keefox extension is perfect.

Edit:
Newer steps for installation of chromipass on Linux Mint 18.1 Serena (updated April 2017):
1. Install Chromipass for Chrome.
2. Visit keepassxc-debian github page and get the latest .deb packages.

https://github.com/magkopian/keepassxc-debian/releases/download/2.1.4-1/keepassxc_2.1.4-1_amd64_stable.deb

3. Install the deb:

sudo dpkg -i keepassxc_2.1.4-1_amd64_stable.deb

4. Open keepassxc, open your database and enter password or choose key file.
5. Install mono-complete:

sudo apt-get install mono-complete

6. Download KeePassHttp:

wget https://raw.github.com/pfn/keepasshttp/master/KeePassHttp.plgx
sudo cp KeePassHttp.plgx /usr/lib/keepass2/
sudo chmod 644 /usr/lib/keepass2/KeePassHttp.plgx

Older article:
This article explains how to install Keepass on Windows and Linux, and has been tested to work with Keepass 2.22, and Windows 8 64 bit, Ubuntu 12.10 and Debian Squeeze.

To use Keepass with your browsers:

How to install and use Keepass on Windows 7 and 8

The following article applies to Windows 7/8. For Linux info, skip to the end.

How to install and use Keepass on Windows 7 and 8 on Firefox:

Install the latest Keepass installer

Install Keefox extension

Run Keepass, create a database, and add either a Master password or Master Password+Composite key (This is a composite key. Both Key and password will be required), or just a Key.

Import your prior passwords (if using Lastpass, export from Lastpass to a .csv file, and then import the .csv file into Keepass, using the Keepass menu>Import>Generic csv importer).

Save the key database (only on saving do your master password and key file get updated into the database).

Now, on running Firefox, Keepass and Keefox will connect.

How to install and use Keepass on Windows 7 and 8 on Chrome/Chromium:

Install the latest Keepass installer

Install Chromipass extension from the Chrome web store.

Download KeePassHttp.plgx from the Github repo here. (If you omit this step, you will get a “KeePassHttp: Error: NETWORK_ERR: XMLHttpRequest Exception 101” error.)

Copy the downloaded file to C:\Program Files (x86)\KeePass Password Safe 2\plugins (for 64 bit Win7/8). You can use the environment variable:

%PROGRAMFILES(X86)%\KeePass Password Safe 2

The easiest way to get the correct location is probably to choose Keefox options from Firefox, and look at the Keepass Tab.

Now visit any site with a username/password field, click on the small Chromipass icon and follow the prompts to connect Chromipass and Keepass.

Run Keepass, create a database, and add either a Master password or Master Password+Composite key (This is a composite key. Both Key and password will be required), or just a Key.

Import your prior passwords (if using Lastpass, export from Lastpass to a .csv file, and then import the .csv file into Keepass, using the Keepass menu>Import>Generic csv importer).

Save the key database (only on saving do your master password and key file get updated into the database).

Common errors and their solutions:

Error #1: Unable to start HttpListener: System.Net.HttpListenerException (0x80004005): Failed to listen on Prefix ‘http://localhost:19455/’ because it conflicts with an existing registation on the machine.

The error is due to two copies of the file KeePassHttp.plgx. In my case, I had one at C:\Program Files (x86)\KeePass Password Safe 2\plugins, and another one at C:\Program Files (x86)\KeePass Password Safe 2. I deleted the latter, and the error disappeared.

Installing Keepass in Ubuntu 12.10:

Firefox

Install Keepass from the Ubuntu repo. Install the latest Firefox from Mozilla. Now download and install the Keefox plugin for Firefox. Manually copy the .plgx file from the Firefox profile folder to /usr/lib/keepass2 (as suggested by the extension). Open up Keepass2 and then Firefox. Opening the database links them up.

sudo add-apt-repository ppa:jtaylor/keepass
sudo apt-get update
sudo apt-get install mono-complete
sudo apt-get install keepass2
sudo cp [email protected]/deps/KeePassRPC.plgx /usr/lib/keepass2/

Note: You need to use the correct path as applicable to your PC.

Chrome

Association of Chrome with Chromipass and Keepass2 is buggy. It works on some sites but not on others. The author himself states that he was unable to associate these properly with the .plgx extension. The steps are the same. Get the specific files from Github, copy them to /usr/lib, install Keepass2 from the repo, and Chromipass from Chrome web store.

Note that the folder /usr/lib/keepass2 should contain the following files:

$l /usr/lib/keepass2/
total 2.4M
-rw-r--r-- 1 root root  252 Sep 28  2007 KeePass.config.xml
-rwxr-xr-x 1 root root 1.8M Sep 23 05:43 KeePass.exe
-rw-r--r-- 1 root root  535 May  1  2012 KeePass.exe.config
-rw-r--r-- 1 root root 180K Jan  7 09:53 KeePassHttp.plgx
-rw-r--r-- 1 root root 370K Jan  7 09:59 KeePassRPC.plgx

Once you’ve done this, reloading the browser asks for association.

Note that autofilling does not usually work in Chrome on Linux with Keepass2 and Chromipass. You can check if right clicking works.
