How To Secure Self-Hosted Bamboo and Crucible with Let’s Encrypt SSL Certificates

Author: erics, September 14th, 2023

Summary In this blog we explore how to use certificates from Let’s Encrypt to secure self-hosted Bamboo and Crucible. Process To Follow Install Certbot Ensure that external DNS resolves to the correct IP addressping example.yourdomain.com Ensure that Port 80 is open from the outside to that IP address so that Let’s Encrypt can validate the […]

Categories: How-To's, Technology Tags: Bamboo, Crucible, howto, https, keytool, openssl, security, ssl, tips | No comments

How To Use SSL With sysbench To Test MySQL Server

Author: erics, September 7th, 2023

SUMMARY If sysbench is started with the “–mysql-ssl=on” option, it looks in the current directory for the following files:

client-cert.pem
client-key.pem
cacert.pem (note no dash)

1

2

3

client-cert.pem

client-key.pem

cacert.pem (note no dash)

PROCEDURE Locate the current MySQL database certificates, usually in /var/lib/mysql, and make sure that the OS user running sysbench is able to read the following 3 files:

ca.pem
client-cert.pem
client-key.pem

1

2

3

ca.pem

client-cert.pem

client-key.pem

Next, cd to the OS user’s home […]

Categories: How-To's, Technology Tags: How To, howto, mysql, ssl, SysBench, tips | No comments

How To Enable HTTPS For Grafana Using Existing LetsEncrypt Certificates

Author: erics, July 15th, 2020

sudo  chgrp grafana /etc/letsencrypt/archive/www.yourdomain.com/privkey1.pem
sudo  chmod g+r /etc/letsencrypt/archive/www.yourdomain.com/privkey1.pem
sudo vi /etc/grafana/grafana.ini 
sudo service grafana-server restart

1

2

3

4

sudo chgrp grafana /etc/letsencrypt/archive/www.yourdomain.com/privkey1.pem

sudo chmod g+r /etc/letsencrypt/archive/www.yourdomain.com/privkey1.pem

sudo vi /etc/grafana/grafana.ini

sudo service grafana-server restart

[server]
# Protocol (http, https, socket)
;protocol = http
protocol = https 

# https certs & key file
;cert_file =
;cert_key =
cert_file = /etc/letsencrypt/archive/www.yourdomain.com/fullchain1.pem
cert_key = /etc/letsencrypt/archive/www.yourdomain.com/privkey1.pem

1

2

3

4

5

6

7

8

9

10

[server]

# Protocol (http, https, socket)

;protocol = http

protocol = https

# https certs & key file

;cert_file =

;cert_key =

cert_file = /etc/letsencrypt/archive/www.yourdomain.com/fullchain1.pem

cert_key = /etc/letsencrypt/archive/www.yourdomain.com/privkey1.pem

Categories: How-To's, Technology Tags: cert, certificate, Certs, chgrp, chmod, Enable, Existing, Grafana, Grafana Server, howto, https, LetsEncrypt, Restart, service, ssl, sudo, tips | No comments

How To Upgrade Certbot, Python and PIP on AWS Linux 1

Author: erics, May 6th, 2020

I ran letsencrypt-auto renew and got the following error:

root@prod06b:/etc/httpd/conf.d # /root/letsencrypt/letsencrypt-auto renew
Error: couldn't get currently installed version for /opt/eff.org/certbot/venv/bin/letsencrypt: 
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 7, in <module>
    from certbot.main import main
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/certbot/main.py", line 2, in <module>
    from certbot._internal import main as internal_main
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/certbot/_internal/main.py", line 10, in <module>
    import josepy as jose
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/josepy/__init__.py", line 41, in <module>
    from josepy.interfaces import JSONDeSerializable
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/josepy/interfaces.py", line 7, in <module>
    from josepy import errors, util
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/josepy/util.py", line 7, in <module>
    import OpenSSL
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/OpenSSL/__init__.py", line 8, in <module>
    from OpenSSL import crypto, SSL
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/OpenSSL/crypto.py", line 12, in <module>
    from cryptography import x509
ImportError: No module named cryptography

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

root@prod06b:/etc/httpd/conf.d # /root/letsencrypt/letsencrypt-auto renew

Error: couldn't get currently installed version for /opt/eff.org/certbot/venv/bin/letsencrypt:

Traceback (most recent call last):

File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 7, in <module>

from certbot.main import main

File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/certbot/main.py", line 2, in <module>

from certbot._internal import main as internal_main

File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/certbot/_internal/main.py", line 10, in <module>

import josepy as jose

File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/josepy/__init__.py", line 41, in <module>

from josepy.interfaces import JSONDeSerializable

File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/josepy/interfaces.py", line 7, in <module>

from josepy import errors, util

File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/josepy/util.py", line 7, in <module>

import OpenSSL

File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/OpenSSL/__init__.py", line 8, in <module>

from OpenSSL import crypto, SSL

File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/OpenSSL/crypto.py", line 12, in <module>

from cryptography import x509

ImportError: No module named cryptography

The solution in this article gave me the answer:

sudo rm -rf /opt/eff.org/*
sudo pip install -U certbot
sudo certbot renew --debug

1

2

3

sudo rm -rf /opt/eff.org/*

sudo pip install -U certbot

sudo certbot renew --debug

Turns out Python was old at version 2.7, so did the following also:

sudo yum -y install python36
sudo alternatives --config python
sudo pip install --upgrade pip

1

2

3

sudo yum -y install python36

sudo alternatives --config python

sudo pip install --upgrade pip

Also had to change the cron job script to call certbot directly instead of letsencrypt-auto : vi /root/letsencrypt-cron.sh

#!/bin/sh
#
# letsencrypt-cron.sh
#
#OLD: if ! /root/letsencrypt/letsencrypt-auto renew > /var/log/letsencrypt/renew.log 2>&1 ; then
#NEW:
if ! /usr/bin/certbot renew > /var/log/letsencrypt/renew.log 2>&1 ; then
    echo Automated renewal failed: 
    cat /var/log/letsencrypt/renew.log
    exit 1  
fi
apachectl graceful

1

2

3

4

5

6

7

8

9

10

11

12

#!/bin/sh

#

# letsencrypt-cron.sh

#

#OLD: if ! /root/letsencrypt/letsencrypt-auto renew > /var/log/letsencrypt/renew.log 2>&1 ; then

#NEW:

if ! /usr/bin/certbot renew > /var/log/letsencrypt/renew.log 2>&1 ; then

echo Automated renewal failed:

cat /var/log/letsencrypt/renew.log

exit 1

fi

apachectl graceful

Categories: How-To's, Technology Tags: AWS, AWS Linux, cert, Certbot, howto, Install, Linux, pip, Python, Renew, ssl, tips, upgrade, Yum | No comments

How To Convert An RSA Private Key to PEM Format

Author: erics, January 10th, 2020

openssl rsa -in ~/.ssh/id_rsa -out ~/.ssh/id_rsa.pem

1	openssl rsa -in ~/.ssh/id_rsa -out ~/.ssh/id_rsa.pem

Categories: How-To's, Technology Tags: .pem, convert, howto, id_rsa, id_rsa.pem, id_rsa.pub, key, openssl, Private, private key, RSA, ssl, tips | No comments

How To Fix Apache VirtualHost Overlap on Port 443 on AWS Linux

Author: erics, July 4th, 2016

If you get this error when starting Apache or via apachectl configtest: [warn] _default_ VirtualHost overlap on port 443, the first has precedence then you must add: NameVirtualHost *:443 to /etc/httpd/conf/httpd.conf, then restart Apache

Categories: How-To's, Technology Tags: 443, apache, AWS, CentOS, howto, https, Linux, Overlap, ssl, tips, VirtualHost, Web | No comments

OpenSSL Heartbleed Security Flaw Summary and Resources

Author: erics, April 8th, 2014

Summary TLS heartbeat read overrun (CVE-2014-0160) – A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server. OpenSSL Versions Affected The 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including 1.0.1f and 1.0.2-beta1. OpenSSL 1.0.2-beta through 1.0.2-beta1 […]

Categories: How-To's, Technology Tags: Bleed, Flaw, Heart, Heartbeat, Heartbleed, howto, openssl, security, ssl, Summary, tips | No comments

How To Install A Network Solutions EV SSL Certificate On CentOS Apache 2

Author: erics, October 11th, 2011

Create the server key from your original private key by removing the pass-phase:

openssl rsa -in key.pem -out server.key

1	openssl rsa -in key.pem -out server.key

These are the files that NetSol provided me in the download .zip file (domain name changed to protect the innocent):

AddTrustExternalCARoot.crt
NetworkSolutionsAddTrustEVServerCA.crt
NetworkSolutionsEVServerCA.crt
WWW.YOURDOMAIN.COM.crt

1

2

3

4

AddTrustExternalCARoot.crt

NetworkSolutionsAddTrustEVServerCA.crt

NetworkSolutionsEVServerCA.crt

WWW.YOURDOMAIN.COM.crt

Network Solutions does not make it easy on you – in the install docs they tell you there is yet […]

Categories: How-To's, Technology Tags: conf.d, EV, EV SSL, howto, httpd.conf, key, NetSol, Network Solutions, openssl, private key, RSA, server.key, ssl, ssl.conf, tips | 2 comments

Apache 2 SSL Hints

Author: erics, February 16th, 2011

yum install mod_ssl vim /etc/httpd/conf.d/ssl.conf If you got a sign certificate from Thawt, is may be in a signed bundle in PKCS #7 format. Look for this at the top: —–BEGIN PKCS #7 SIGNED DATA—– To extract the cert that you will need for Apache, run the following command: openssl pkcs7 -print_certs -in signed_bundle.pkcs7 Your […]

Categories: How-To's, Technology Tags: apache, Apache2, cert, certificate, Hints, howto, mod_ssl, openssl, PKCS7, ssl, Thawt, tips, Yum | No comments

How To Enable TLS/SSL Encryption In Postfix (smtpd)

Author: erics, December 17th, 2010

Below info copied from http://yocum.org/faqs/postfix-tls-sasl.html Verify that the correct libraries have been linked in: # ldd /usr/libexec/postfix/smtpd You should see the following: smtpd: libsasl2.so.2 => /usr/local/lib/libsasl2.so.2 (0x28096000) libssl.so.3 => /usr/local/lib/libssl.so.3 (0x280aa000) libcrypto.so.3 => /usr/local/lib/libcrypto.so.3 (0x280db000) If you see libsasl2, libssl, and libcrypto, congratulations — the server is ready to support SASL and TLS. Generate an […]

Categories: How-To's, Technology Tags: cacert, Encrypt, Encryption, howto, PostFix, SMTP, smtpd, smtpd.pem, ssl, tips, TLS | No comments

How To Secure Self-Hosted Bamboo and Crucible with Let’s Encrypt SSL Certificates

How To Use SSL With sysbench To Test MySQL Server

How To Enable HTTPS For Grafana Using Existing LetsEncrypt Certificates

How To Upgrade Certbot, Python and PIP on AWS Linux 1

How To Convert An RSA Private Key to PEM Format

How To Fix Apache VirtualHost Overlap on Port 443 on AWS Linux

OpenSSL Heartbleed Security Flaw Summary and Resources

How To Install A Network Solutions EV SSL Certificate On CentOS Apache 2

Apache 2 SSL Hints

How To Enable TLS/SSL Encryption In Postfix (smtpd)

Our Link Network

Business

Client Websites

Fine Dining

Friends & Family

Galleries

Health

Resources

Technology

Travel

The Archives

Latest Ramblings…

Various Topics of No Interest