Adding a Let's Encrypt certificate for a server running Seafile Server

The regular Let's Encrypt certbot procedure fails because of the reverse proxying. With ordinary web hosting you type an address and Apache serves the content from a specific folder; with Seafile, Apache instead acts as a reverse proxy, forwarding requests to the port on which the Seafile daemon (service) listens and relaying whatever content that daemon produces. So the usual Let's Encrypt authorization, which expects Apache to serve the challenge file from a folder on disk, does not work. I struggled with a lot of supposed techniques for the reverse proxy, all of which threw up all kinds of errors while certbot was authorizing in Apache mode. In the end the solution is very simple: use certbot in manual DNS verification mode. You just add a particular TXT record to your DNS (Cloudflare, in my case), verification is instant, and you get the certificate, CSR and chain.

certbot -d yourdomain.com --manual --preferred-challenges dns certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for cloud.yourdomain.com

-------------------------------------------------------------------------------
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
-------------------------------------------------------------------------------
(Y)es/(N)o: y

-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.cloud.yourdomain.com with the following value:

XNuYmalkADgddffvrcbO7p2Gsscff1nbTPk

Once this is deployed,
-------------------------------------------------------------------------------
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/cloud.yourdomain.com/fullchain.pem. Your cert
   will expire on 2017-07-19. To obtain a new or tweaked version of
   this certificate in the future, simply run certbot again. To
   non-interactively renew *all* of your certificates, run "certbot
   renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

I found that there was a problem with the path of the chain. Copying to a new location:

mkdir -p /home/you/domains/cloud.you.com/certs
cp /etc/letsencrypt/live/cloud.you.com/*pem /home/you/domains/cloud.you.com/certs/

Apache config:

<VirtualHost cloud.you.com:443>
    ServerName cloud.you.com
    DocumentRoot /var/www
    ErrorLog /var/log/virtualmin/cloud.you.com_error_log
    CustomLog /var/log/virtualmin/cloud.you.com_access_log combined

    Alias /media /home/user/haiwen/seafile-server-latest/seahub/media
    RewriteEngine on
    <Location /media>
        Require all granted
    </Location>

    #
    # seafile fileserver
    #
    ProxyPass /seafhttp http://127.0.0.1:8082
    ProxyPassReverse /seafhttp http://127.0.0.1:8082
    RewriteRule ^/seafhttp - [QSA,L]

    #
    # seahub
    #
    SetEnvIf Request_URI . proxy-fcgi-pathinfo=unescape
    SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
    # ProxyPass rules are tried in configuration order and the first match
    # wins, so the /.well-known exclusion has to come before the catch-all
    # "/" rule or it is never reached.
    ProxyPass /.well-known !
    ProxyPass / fcgi://127.0.0.1:8000/
    Alias /.well-known "/var/www/.well-known"
    <Directory "/var/www/.well-known">
        Require all granted
        order allow,deny
        allow from all
        AllowOverride All
        AddDefaultCharset Off
    </Directory>

    SSLEngine on
    SSLCertificateFile /home/you/domains/cloud.you.com/certs/cert.pem
    SSLCertificateKeyFile /home/you/domains/cloud.you.com/certs/privkey.pem
    # chain.pem holds the Let's Encrypt intermediate that clients need to
    # build the chain. SSLCACertificateFile is for verifying *client*
    # certificates, so the intermediate belongs in SSLCertificateChainFile.
    SSLCertificateChainFile /home/you/domains/cloud.you.com/certs/chain.pem
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on
    # Note: the RC4 entries below enable a cipher that is considered broken.
    SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
</VirtualHost>
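Why the order of the ProxyPass lines matters, as an added illustration that is not from the original post: Apache tries ProxyPass rules in configuration order and the first matching prefix wins, so a "ProxyPass /.well-known !" exclusion placed after the catch-all "ProxyPass /" rule is never consulted, and an HTTP-01 validation request ends up proxied to seahub instead of served from /var/www. The snippet below is a small Python simulation of that matching (my own code, not Apache's) run against both orderings; the ACME token path is made up.

```python
# Simulation of Apache mod_proxy's ProxyPass matching. Rules are tried in
# configuration order and the first matching prefix wins. Matching is
# segment-aware, as in mod_proxy's alias_match(): "/seafhttp" matches
# "/seafhttp/x" but not "/seafhttpx". A target of "!" means "do not proxy".
from typing import List, Optional, Tuple

Rule = Tuple[str, str]  # (URL prefix, backend target or "!")

def prefix_matches(prefix: str, path: str) -> bool:
    """Segment-aware prefix match: a prefix without a trailing slash must be
    followed by end-of-path or another slash."""
    if prefix.endswith("/"):
        return path.startswith(prefix)
    return path == prefix or path.startswith(prefix + "/")

def resolve_proxypass(rules: List[Rule], path: str) -> Optional[str]:
    """Backend the request is proxied to, or None when Apache serves it
    itself (no rule matched, or the first match was a '!' exclusion)."""
    for prefix, target in rules:
        if prefix_matches(prefix, path):
            return None if target == "!" else target
    return None

# Exclusion listed AFTER the catch-all "/": it can never be reached, so an
# ACME HTTP-01 request is forwarded to seahub instead of served from disk.
EXCLUSION_LAST: List[Rule] = [
    ("/seafhttp", "http://127.0.0.1:8082"),
    ("/", "fcgi://127.0.0.1:8000/"),
    ("/.well-known", "!"),
]

# Exclusion listed FIRST, catch-all last: the order that actually works.
EXCLUSION_FIRST: List[Rule] = [
    ("/.well-known", "!"),
    ("/seafhttp", "http://127.0.0.1:8082"),
    ("/", "fcgi://127.0.0.1:8000/"),
]

# Shape of the path an HTTP-01 validation request uses (token is made up).
ACME_PATH = "/.well-known/acme-challenge/example-token"

if __name__ == "__main__":
    for name, rules in (("exclusion last", EXCLUSION_LAST),
                        ("exclusion first", EXCLUSION_FIRST)):
        print(f"{name:15s}: {ACME_PATH} -> {resolve_proxypass(rules, ACME_PATH)}")
    print(f"seafhttp file  : {resolve_proxypass(EXCLUSION_FIRST, '/seafhttp/files/1')}")
```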

You are reading this post on Joel G Mathew’s tech blog. Joel's personal blog is the Eyrie, hosted here.

Fix seafile server for folder names containing spaces

This is an Apache bug, so the fix is to use a newer Apache version.

Generic steps to install a newer version of a package with apt than the one provided in the stable release:

In /etc/apt/apt.conf.d add the following file, named 99defaultrelease:

APT::Default-Release "stable";

In /etc/apt/sources.list.d add files with the URLs for the testing / unstable sources:

stable.list:

deb     http://ftp.de.debian.org/debian/    stable main contrib non-free
deb-src http://ftp.de.debian.org/debian/    stable main contrib non-free

deb     http://security.debian.org/         stable/updates  main contrib non-free

testing.list:

deb     http://ftp.de.debian.org/debian/    testing main contrib non-free
deb-src http://ftp.de.debian.org/debian/    testing main contrib non-free

deb     http://security.debian.org/         testing/updates  main contrib non-free
Run:

apt-get update

and then install what you need with

apt-get -t testing install something

So for our purpose:

apt-get update
apt-get -t testing install apache2
service apache2 restart

Choose to keep all your existing config files unchanged when prompted.

Credits:
Serverfault
https://wiki.debian.org/AptPreferences



Install ownCloud on a Debian box running Apache and an i-MSCP panel

Add a DNS entry for cloud.xyz.com in your DNS manager; I will use Cloudflare.
Then log in to the i-MSCP panel and create a domain alias, say cloud.xyz.com.

Install owncloud:

echo 'deb http://download.opensuse.org/repositories/isv:/ownCloud:/community/Debian_8.0/ /' >> /etc/apt/sources.list.d/owncloud.list
wget http://download.opensuse.org/repositories/isv:ownCloud:community/Debian_8.0/Release.key
apt-key add - < Release.key
apt-get update
apt-get install owncloud

It will be installed to /var/www/owncloud.
We will have to move the files to the directory of the new domain alias:

cd /var/www/
# copy the directory contents including dotfiles such as .htaccess
# (a .* glob would also expand to . and .. and misbehave)
cp -a owncloud/. virtual/xyz.com/cloud/htdocs/
rm -rf owncloud

Set permissions (check first which user owns virtual/xyz.com/cloud/htdocs):

chown -R vu2004.vu2004 virtual/xyz.com/cloud/htdocs/

Set up ownCloud by visiting http://cloud.xyz.com and creating a new admin user and password.
Now that ownCloud is confirmed to work, we will add SSL support.
In i-MSCP, enable SSL support under Admin settings.
Then use "Add/Edit SSL Certificate" to generate a new SSL certificate.

Enable Cloudflare for the domain.
Now you will be able to log in at https://cloud.xyz.com



Create a self-signed OpenSSL certificate

Command:

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt

The -nodes option writes the private key unencrypted, so make sure apache.key is readable only by root.


How to set up ownCloud on your own server

Install ownCloud on your own server. First, add an Apache virtual host.

Edit

/etc/apache2/sites-available/default

and create the following:

<VirtualHost *:80>
ServerName cloud.relsoft.in
ServerAlias cloud.relsoft.in
DocumentRoot /var/www/virtual/relsoft.in/cloud/htdocs
</VirtualHost>

Create an "A" record in the DNS panel for relsoft.in:

A cloud.relsoft.in [myipaddress]

Create the virtual directory:

mkdir -p /var/www/virtual/relsoft.in/cloud/htdocs
chown -R www-data.www-data /var/www/virtual/relsoft.in

Download and uncompress the latest ownCloud installation package (available at https://owncloud.org/install/#instructions-server), working inside the htdocs directory created above:

wget https://download.owncloud.org/community/owncloud-8.0.3.tar.bz2
tar xf owncloud-8.0.3.tar.bz2
# move the dotfiles too (for example .htaccess), which a plain * glob skips
mv owncloud/* owncloud/.[!.]* ./
rm owncloud-8.0.3.tar.bz2
rm -rf owncloud/

Install php gd module, php5-curl and php5-mysql:

sudo apt-get install php5-gd php5-curl php5-mysql

Set always_populate_raw_post_data to -1 in your php.ini.
To do that, first locate the correct php.ini to edit:

find /etc -iname 'php.ini'

Now find the line holding the setting:

grep -in 'always_populate_raw_post_data' /etc/php5/apache2/php.ini
704:;always_populate_raw_post_data = -1

Edit that line with emacs:

emacs /etc/php5/apache2/php.ini
Alt-G G 704

takes me to the right line. Remove the leading semicolon so the directive becomes active.

Restart apache2 server:

service apache2 restart

Now reload cloud.relsoft.in in your browser.

Now I got a security warning:
Your data directory and files are probably accessible from the internet because the .htaccess file does not work.
For information how to properly configure your server, please see the documentation.

This means that .htaccess files are not being honoured by the server. To enable .htaccess for Apache:

Edit /etc/apache2/sites-available/default:

emacs /etc/apache2/sites-available/default

Add an "AllowOverride All" directive for the document root (AllowOverride is only valid inside a <Directory> block), so the virtual host now looks like:

<VirtualHost *:80>
    ServerName cloud.relsoft.in
    ServerAlias cloud.relsoft.in
    DocumentRoot /var/www/virtual/relsoft.in/cloud/htdocs

    <Directory /var/www/virtual/relsoft.in/cloud/htdocs>
        AllowOverride All
    </Directory>
</VirtualHost>


If you run into issues while editing Apache configuration files, run systemctl status apache2.service or journalctl -xn for details.

Create the database with mysql:

mysql -u root -p
mysql> CREATE DATABASE owncloudie;
mysql> USE owncloudie;
mysql> CREATE USER 'cloudsrvrusr'@'localhost' IDENTIFIED BY 'mypassword';
mysql> GRANT ALL PRIVILEGES ON owncloudie.* TO 'cloudsrvrusr'@'localhost' WITH GRANT OPTION;
mysql> FLUSH PRIVILEGES;
mysql> EXIT;

(ownCloud itself needs no GRANT OPTION; the clause can be left off to keep the account's privileges to the minimum.)

Restart apache2 and reload the install page.

Now add an admin username and password, and the database details we created with mysql.
When you click 'Finish setup' the installation is complete and you can log in as administrator.
Create users.

Download the Desktop client at https://owncloud.org/install/#install-clients, and the Android client from https://play.google.com/store/apps/details?id=com.owncloud.android

To create ssl:

mkdir -p /etc/apache2/ssl
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt
emacs /etc/apache2/sites-available/default-ssl.conf
<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin [email protected]
        ServerName cloud.relsoft.in
        ServerAlias www.cloud.relsoft.in
        DocumentRoot /var/www/virtual/relsoft.in/cloud/htdocs
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        SSLEngine on
        SSLCertificateFile /etc/apache2/ssl/apache.crt
        SSLCertificateKeyFile /etc/apache2/ssl/apache.key
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                        SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
                        SSLOptions +StdEnvVars
        </Directory>
        BrowserMatch "MSIE [2-6]" \
                        nokeepalive ssl-unclean-shutdown \
                        downgrade-1.0 force-response-1.0
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
    </VirtualHost>
</IfModule>
a2ensite default-ssl.conf
service apache2 reload


Blocking listing of certain file types in apache directory listing with .htaccess

If you’d like to block listing of *.avi files in the directory listing on your server, add the following to the same directory, in a file named .htaccess:

IndexIgnore *avi


Run php files without typing in the extension in apache

On i-MSCP, edit the file /etc/apache2/sites-available/domain.com.conf.

Modify:

<Directory /var/www/virtual/joel.co.in/htdocs>
    Options -Indexes +Includes +FollowSymLinks +MultiViews
    # SECTION php_enabled BEGIN.
    AllowOverride All
    # SECTION php_enabled END.
    Order allow,deny
    Allow from all
</Directory>

by adding the following:

Options +MultiViews
DirectoryIndex index.php
AddType application/x-httpd-php .php

so that the final block becomes:

<Directory /var/www/virtual/joel.co.in/htdocs>
    Options -Indexes +Includes +FollowSymLinks +MultiViews
    DirectoryIndex index.php
    AddType application/x-httpd-php .php
    # SECTION php_enabled BEGIN.
    AllowOverride All
    # SECTION php_enabled END.
    Order allow,deny
    Allow from all
</Directory>


Install Pydio on a web server

Get it from here: http://sourceforge.net/projects/ajaxplorer/files/pydio/stable-channel/

For example:

wget -O pydio-core-5.0.4.tar.gz http://sourceforge.net/projects/ajaxplorer/files/pydio/stable-channel/5.0.4/pydio-core-5.0.4.tar.gz/download

Extract the file to a chosen directory.

tar xf pydio-core-5.0.4.tar.gz
mv pydio-core-5.0.4 /var/www/explore
chown -R www-data /var/www/explore/data/

Install mysql-server if not already installed.

apt-get install mysql-server-5.5

Install mcrypt, php5-gd, php5-mysql:

apt-get install php5-mcrypt php5-gd php5-mysql

Now add "AllowOverride All" for the Pydio directory in /etc/apache2/sites-available/default:

<Directory "/var/www/explore">
    AllowOverride All
</Directory>

Restart apache2:

service apache2 restart

Create a mysql database, then a user and assign a password for the user on the database.

mysql -u root -p

And run the following in the mysql shell:

CREATE DATABASE IF NOT EXISTS pydiodbase;
CREATE USER 'pydiouser'@'localhost' IDENTIFIED BY 'yourpassword';
GRANT ALL PRIVILEGES ON pydiodbase.* TO 'pydiouser'@'localhost';
FLUSH PRIVILEGES;

To change the password of the database user (direct edits to mysql.user only take effect after FLUSH PRIVILEGES):

UPDATE mysql.user SET Password=PASSWORD('yourpassword') WHERE User='pydiouser';
FLUSH PRIVILEGES;

Then, access the web install at http://yourip/explore, and follow the onscreen prompts.

Your files appear in ./data/files/

Troubleshooting:
Error message during installation:

It seems that your data/ folder is not correctly protected, and that subfolders (like the data/cache/ folder) are web-accessible. If you are using Apache, make sure the AllowOverride All option is active for your current directory. If you are running Windows IIS, you must manually add a RequestFiltering/HiddenSegments configuration to prevent web access to these folders. If you have defined a different AJXP_DATA_PATH pointing outside the webfolder, you can ignore this warning.

Solution:
Check the default Apache config (/etc/apache2/sites-available/default):

<VirtualHost *:80>
    ServerAdmin [email protected]
    DocumentRoot /var/www

    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>

    <Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

In that config, find the block for the document root:

<Directory /var/www/>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    Order allow,deny
    allow from all
</Directory>

and change None to All:

<Directory /var/www/>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride All
    Order allow,deny
    allow from all
</Directory>

Warning about locale not set:

dpkg-reconfigure locales
Generating locales...
  en_IN.UTF-8... up-to-date
Generation complete.

Now check which locale Pydio is configured with:

grep -in AJXP_LOCALE conf/bootstrap_conf.php
30: * define("AJXP_LOCALE", "");
32://define("AJXP_LOCALE", "en_EN.UTF-8");
33://define("AJXP_LOCALE", "");

And edit line 33 of the file to change it to:

33:define("AJXP_LOCALE", "en_IN.UTF-8");

Warning: PHP Output Buffer disabled
You should disable php output_buffering parameter for better performances with Pydio.

Solution:
Check php value:

grep -in output_buffering /etc/php5/apache2/php.ini
126:; output_buffering
245:output_buffering = 4096

Edit it to:

245:output_buffering = Off
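Both php.ini changes on this page (uncommenting always_populate_raw_post_data in the ownCloud post above, and switching output_buffering to Off here) are made by hand with emacs line numbers. As an added example that is not from the original posts, the Python helper below makes the same edits by directive name: it ignores lines that merely mention the setting in a comment (like the "; output_buffering" line grep turned up at line 126), uncomments a disabled directive in place instead of appending a duplicate, and neutralises any later duplicate, since PHP takes the last assignment. The sample php.ini content is constructed from the grep output quoted in the posts.

```python
import re
from typing import List, Optional

# A php.ini directive line, whether active or disabled with a leading ';':
#   output_buffering = 4096        ;always_populate_raw_post_data = -1
# A prose comment such as "; output_buffering" has no '=' and does not match.
def _directive_re(name: str) -> "re.Pattern[str]":
    return re.compile(r"^\s*;?\s*" + re.escape(name) + r"\s*=", re.IGNORECASE)

def set_ini_directive(lines: List[str], name: str, value: str) -> List[str]:
    """Return a copy of `lines` with `name = value` active exactly once.
    The first directive line (commented or not) is rewritten and uncommented;
    later duplicates are forced to comments so PHP, which takes the last
    assignment, cannot pick up a stale value. Absent directives are appended."""
    pattern = _directive_re(name)
    out: List[str] = []
    done = False
    for line in lines:
        if not pattern.match(line):
            out.append(line)
        elif not done:
            out.append(f"{name} = {value}")
            done = True
        else:
            out.append(line if line.lstrip().startswith(";") else ";" + line)
    if not done:
        out.append(f"{name} = {value}")
    return out

def get_ini_directive(lines: List[str], name: str) -> Optional[str]:
    """Effective (uncommented) value of `name`, or None when it is unset."""
    pattern = re.compile(r"^\s*" + re.escape(name) + r"\s*=\s*(.*?)\s*$",
                         re.IGNORECASE)
    value = None
    for line in lines:
        match = pattern.match(line)
        if match:
            value = match.group(1)  # last assignment wins, as in PHP
    return value

def apply_post_edits(lines: List[str]) -> List[str]:
    """The two edits from the posts: output_buffering Off, raw post data -1."""
    lines = set_ini_directive(lines, "output_buffering", "Off")
    return set_ini_directive(lines, "always_populate_raw_post_data", "-1")

# Constructed sample built from the php.ini lines grep showed in the posts.
SAMPLE_PHP_INI = [
    "; output_buffering",
    ";   Default Value: Off",
    "output_buffering = 4096",
    ";always_populate_raw_post_data = -1",
]

if __name__ == "__main__":
    print("\n".join(apply_post_edits(SAMPLE_PHP_INI)))
```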

Restart apache2 when you’re done.



Failed to create virtual server : No virtual domains file (virtual_alias_maps) was found in your Postfix configuration!

I received the following error from Webmin (Virtualmin) when creating a new virtual server.

The solution is to add the following:

virtual_alias_maps = hash:/etc/postfix/virtual

to /etc/postfix/main.cf

Next error:

The Apache webserver does not appear to be installed on your system, or has not yet been set up properly in Webmin's Apache Webserver module. If your system does not use Apache, it should be disabled in Virtualmin's module configuration page.

Just visit https://domain:10000/apache/ and install Apache from there.

Next error:

Suexec is enabled in the default template, but the Apache module mod_suexec is not installed or not enabled.

Install the suexec package:

apt-get install apache2-suexec



WordPress error: To perform the requested action, WordPress needs access to the web server

The error message displayed is:

“Connection Information: To perform the requested action, WordPress needs to access your web server. Please enter your FTP credentials to proceed. If you do not remember your credentials, you should contact your web host.”

This occurs because of a permissions issue, so check the ownership of the files.

The reason is that certain files in your WordPress installation directory cannot be written to, as they are not owned by the user running the Apache process.

To find out the user running Apache, put the following code in a file testeuser.php, open it in a browser, and delete the file afterwards (a script that runs shell commands should not stay in a public web root):

<?php echo(exec("whoami")); ?>

For me, it outputs:

rt6004

So I have to change ownership of my htdocs folder:

cd ~/domains/htdocs
chown -R rt6004:www-data .

Here, rt6004 is the user and www-data is the group; using . as the target rather than * also covers dotfiles such as .htaccess. Bear in mind that this makes the whole tree writable by the web server process, not just the files WordPress needs to update.

