Mostly about my amusement

Tag: Ubuntu (page 1 of 3)

Let’s Encrypt is all kinds of awesome

I had some time and did a git pull on the Let’s Encrypt github page. This is a project that makes it easy to install and maintain free X.509 certificates for web servers. The certificates are in PEM format and can be easily used for any server app but usually it’s just for HTTPS on web servers.

Requesting your own certs

The first time I ran the ./letsencrypt-auto command it used apt-get to download its dependencies. The integration with Ubuntu is nice and works well. After a few minutes of prodding and poking, meaning I read the Let’s Encrypt User Guide, I gave it a shot.

On my VPS I selected blog.epyon-1.com and ran the following command as root.

./letsencrypt-auto certonly --webroot -w /var/www/vhosts/dembowski.net/ -m not@my-email.btw -d blog.epyon-1.com

The site blog.epyon-1.com is on my WordPress network so the directory is the same. The end result of that was to politely create and place these symlinked files.

/etc/letsencrypt/live/blog.epyon-1.com/cert.pem
/etc/letsencrypt/live/blog.epyon-1.com/fullchain.pem
/etc/letsencrypt/live/blog.epyon-1.com/privkey.pem

A quick update to my nginx config for

ssl_certificate /etc/letsencrypt/live/blog.epyon-1.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/blog.epyon-1.com/privkey.pem;

I checked with “nginx -t” and “service nginx restart” and that was it.

Encryption has never been this easy

The certificate is valid for 90 days and is recognized by all browsers.


To renew it I’ve created a cron job for the first of every month to run this command.

./letsencrypt-auto certonly --webroot -w /var/www/vhosts/dembowski.net/ -m not@my-email.btw -d blog.epyon-1.com -d epyon-1.com --renew

Which is the same command with just --renew added to it. Easy. If you don’t renew the CA will send you a reminder at the email you specified via the “-m not@my-email.btw” command line argument.

I’m not directing the output to /dev/null because if that cronjob works or not I want to see that output. If the cronjob fails then I can always run the command by hand.
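As an added example (not code from the post), here is a small POSIX shell wrapper that runs the renewal command above from cron and then checks what it left behind: that fullchain.pem still has at least 30 days left and that it matches privkey.pem, the two files nginx is pointed at. The paths and e-mail address are the ones from the post; that openssl is installed, that the script is started from the directory holding letsencrypt-auto, and the 30-day threshold are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: cron wrapper that renews and
# then checks the result, so a renewal that silently did nothing shows up in
# the cron mail instead of as a browser warning 90 days later.
# Assumes: openssl is installed, and this script runs from the directory that
# holds ./letsencrypt-auto (as the post's cron job does).

LIVE_DIR=/etc/letsencrypt/live/blog.epyon-1.com   # path from the post
MIN_DAYS=30                                         # alarm threshold (assumed)

# Returns 0 if the certificate in $1 is valid for at least $2 more days,
# non-zero if it expires sooner or cannot be read.
# `openssl x509 -checkend` takes seconds, so convert the day count.
cert_valid_for_days() {
    openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null 2>&1
}

# Prints the notAfter date of certificate $1, for the log line.
cert_expiry() {
    openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# Returns 0 if RSA key $2 belongs to certificate $1 (same modulus). A mismatch
# is what makes `nginx -t` fail after a renewal that rewrote only one of them.
cert_matches_key() {
    c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null)
    k=$(openssl rsa  -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

renew_and_verify() {
    # The post's renewal command, unchanged.
    ./letsencrypt-auto certonly --webroot -w /var/www/vhosts/dembowski.net/ \
        -m not@my-email.btw -d blog.epyon-1.com -d epyon-1.com --renew
    rc=$?

    if ! cert_valid_for_days "$LIVE_DIR/fullchain.pem" "$MIN_DAYS"; then
        echo "WARNING: $LIVE_DIR/fullchain.pem expires within $MIN_DAYS days" \
             "(renew exit status $rc)" >&2
        return 1
    fi
    if ! cert_matches_key "$LIVE_DIR/fullchain.pem" "$LIVE_DIR/privkey.pem"; then
        echo "WARNING: fullchain.pem and privkey.pem do not match" >&2
        return 1
    fi
    echo "OK: certificate valid until $(cert_expiry "$LIVE_DIR/fullchain.pem")"
    # Only reload nginx once the files check out.
    nginx -t && service nginx reload
}

# Run the renewal only when invoked as `renew.sh --run` (e.g. from cron);
# sourcing the file just defines the functions.
if [ "${1:-}" = "--run" ]; then
    renew_and_verify
fi
```

The cron line then becomes `cd /path/to/letsencrypt && ./renew.sh --run`, and because nothing is sent to /dev/null the OK or WARNING line arrives in the cron mail either way.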

Will I switch all my domains to Let’s Encrypt?

Why not? The project is currently in a public beta and the Let’s Encrypt tools will change and continue to be developed. But for the next 90 days the certificate I obtained will work fine. Even better if they automatically renew.

What I am looking for is a reasonable expectation of privacy between my web server and my visitors. I do not use TLS for authentication and the Let’s Encrypt certificates work fine.

If I had an online store then I might consider getting an Extended Validation Certificate but that would be only to reassure visitors when they are making a purchase. EV certs are not cheap. Let’s Encrypt is free so it’s not a hard decision for me to make.

This helps protect the traffic from casual snoopers between my server and your browser. It’s not a magic bullet for security but the widespread adoption of encryption will help promote privacy.

Opensource is still the best

As part of my ongoing home IT challenges I have set up a basement server running Ubuntu 10.04 LTS. My normal method of managing my servers is to do everything by ssh.

That’s geeky, but not much fun. So I looked for a free X server and came across Xming. It’s not GPL’ed but it is freely available and the license is not burdensome.

Using XLaunch, I set up the parameters I want and saved that to a file. That .xlaunch file extension is registered to Xming so I just need to double-click the icon and it starts my desktop remotely using X windows. I’ve got the desktop in a neat 1280×1024 window using “-screen 0 1280 1024” as an Xming command line argument.

The only problem I am having is that I am launching gnome-session and it’s not exiting cleanly at the end of my session. Most likely that’s not quite the right program to initiate an X session but for now it’s acceptable.

Ubuntu UNR 9.04 performance boost

My Acer Aspire One netbook is good but the 8GB SSD drive that it shipped with is still the biggest drawback. When I want to view an HQ or regular YouTube clip (forget about HD), the SSD gets accessed and performance takes a dive. Videos stutter and playback is horrible.

After looking at the AspireOne community documentation page again I came across two tweaks that really help a lot. These are covered here at the Geek Sheet.

The first tweak is to mount the SSD switching the option from “relatime” to “noatime”.

From the article:

Tweak #3: Change the file system mount options on SSDs to “noatime”. On certain Linux distributions, such as Ubuntu, the default is “relatime”. This tells the kernel to write the Last Accessed Time attribute on files. Conversely, “noatime” tells the kernel not to write them, which considerably improves performance. Linus himself suggests using it in circumstances such as this, so therefore, I consider it to be gospel.

The second tweak is on the kernel line in /boot/grub/menu.lst, right after splash, insert the option “elevator=noop”. This will let you use the “noop” I/O scheduler. The SSD is not a hard disk and there is no platter to optimize.

These combined reduce the amount of writes to the SSD and I am now able to view this whole episode of Gundam 00 in HQ. Before these changes I could not have done this.
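As an added example (not code from the article or from the Geek Sheet), a small shell script that checks whether the two tweaks are actually in place, which is worth re-running after a kernel update rewrites menu.lst. It takes the file paths as parameters so it can be pointed at /etc/fstab and /boot/grub/menu.lst or at copies of them; the sample files used in testing are constructed and their device UUIDs are placeholders.

```shell
#!/bin/sh
# Added example, not from the post: verifies that the two SSD tweaks above are
# actually present in a given fstab and menu.lst. Paths are parameters so the
# checks can run against copies; any sample files are constructed.

# Prints the mount-options field (4th column) of the fstab $1 entry mounted
# at $2, skipping comment lines. Prints nothing if there is no such entry.
fstab_mount_options() {
    awk -v mp="$2" '$1 !~ /^#/ && $2 == mp { print $4; exit }' "$1"
}

# Returns 0 if the fstab $1 entry for mount point $2 carries noatime
# (relatime is what Ubuntu writes by default).
fstab_has_noatime() {
    fstab_mount_options "$1" "$2" | tr ',' '\n' | grep -qx noatime
}

# Returns 0 if every uncommented `kernel` line in menu.lst $1 has elevator=noop;
# the option has to be on each kernel line, or a newly added kernel loses it.
menulst_has_noop() {
    kernels=$(grep -c '^[[:space:]]*kernel[[:space:]]' "$1" || true)
    noop=$(grep '^[[:space:]]*kernel[[:space:]]' "$1" | grep -c 'elevator=noop' || true)
    [ "$kernels" -gt 0 ] && [ "$kernels" -eq "$noop" ]
}

# Prints one status line per tweak; returns 0 only if both are in place.
# On the live system: ssd_tweaks_status /etc/fstab /boot/grub/menu.lst
ssd_tweaks_status() {
    ok=0
    if fstab_has_noatime "$1" /; then
        echo "fstab: root is mounted noatime"
    else
        echo "fstab: root options are '$(fstab_mount_options "$1" /)' (want noatime)"
        ok=1
    fi
    if menulst_has_noop "$2"; then
        echo "menu.lst: all kernel lines use elevator=noop"
    else
        echo "menu.lst: some kernel line lacks elevator=noop"
        ok=1
    fi
    return $ok
}
```

After a reboot, `cat /proc/mounts` (look for noatime on /) and `cat /sys/block/sda/queue/scheduler` (the bracketed entry is the active scheduler) confirm the kernel actually picked the options up.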

Considering that my main desktop PC is dying and needs to be replaced, having an optimized netbook is not a bad thing at all.

Acer Aspire One UNR 9.04 settings

Sometimes I post things to be able to recall 6 months later what I did. This is one of those “I’d better write this down” articles.

After a couple of iterations, my Acer Aspire One Netbook runs well on Ubuntu Netbook Remix 9.04. Here’s what I did.

I created one root 8 GB filesystem formatted in ext2 with no swap space. I don’t know why but using ext3 (a journaling filesystem) and/or swap meant poor performance. It’s probably due to the SSD not handling the read/writes well.

Following the advice from the Ubuntu AspireOne documentation page, I installed linux-backports-jaunty-modules and ran all the updates.  Among other things this gets the wireless LED working. UNR 9.04 is still young yet so it’s not a lot of updates.

In my /boot/grub/menu.lst file I added “enable_mtrr_cleanup pciehp.pciehp_force=1” to my defoptions line and kernel line. The mtrr_cleanup is to allow the X server to take advantage of a performance boost and with the pciehp I can use both SD card readers without any problem.

After using lspci to get the correct values, I added this line to my /etc/rc.local

echo "base=0x40000000 size=0x10000000 type=write-combining" > /proc/mtrr

The mtrr part is for improving video performance, the pciehp portion is to get both SD card readers working.

With these settings, the netbook is working well with only a few caveats.  Youtube is still jumpy and slow. But I got this netbook to play with Ubuntu, ssh to my servers, and view web pages so I’m satisfied.

Ubuntu Netbook Remix 9.04

The nice thing about my netbook is that I have no hesitation to wipe it clean and install a new OS on it. Which is what I did today after I downloaded Ubuntu Netbook Remix 9.04.


It was released today and the instructions for installing off of a USB stick were very clear. It’s a very slick package and for what I am doing with Firefox and Gnome Terminal it’s more than enough. The menu system is replaced with a compatible front end that lets you create a favorites page and launch apps from there. And unlike the recently talked about “floats like a lead balloon” Windows 7 Starter, I can easily run more than three apps at a time.

I’m writing this on my netbook and I still need to optimize the environment for speed. But so far so good.

Upgrade of VPS from Ubuntu 6.06 LTS to 8.04 LTS

My upgrade from Ubuntu 6.06 LTS = FAIL.

Last week I created a VPS on Slicehost.  I’ve been using Tektonic for a while now and have no complaints.  The support is very good and I can backup my VPS for when I need to.

I’m using Slicehost because I don’t want both of my domain DNS servers on the same provider. They offer Ubuntu 8.04 LTS, run on top of Xen, and provide console access via an Ajax web front end. You need to pay extra for a backup option. Aside from that one little point, using Slicehost is ridiculously easy and very manageable. They eat their own dog food and it shows.

On my Tektonic VPS it’s running on top of Virtuozzo.  No console just ssh but I do get to make a backup of my VPS and re-installing is a breeze. My only complaint is that it’s running Ubuntu 6.06 LTS which is a little dated.  For example the subversion client is 1.3.2 and I’d like to see more current versions such as 1.5.x.  On Ubuntu 8.04 LTS I just added the backports repository and I get current versions of packages.

Switching to Ubuntu 8.04 LTS should be simple. As root I ran these commands:

apt-get update
apt-get upgrade
apt-get install update-manager-core
do-release-upgrade

This is a seamless process and aside from asking me some questions, I had no issues.  The only issue I had is when I rebooted my VPS, it left the VPS un-bootable.  The support tech that I chatted with had not seen that before.  My VPS would not even start and I had to re-install it.

I’m now restoring the VPS to the backup I made yesterday, so it’s not all a total wash.  Most likely I’ll work with Tektonic to get 8.04 LTS on that slice provided they offer it.  Ubuntu 6.06 LTS is still supported so aside from consistency across servers, this is not a big deal for me.

Upgraded to Ubuntu 8.04 LTS

My Ubuntu T40 laptop is “only MOSTLY dead”.  The built in LCD display is too dark to read and I replaced it with a HP laptop running Vista Home Premium.

I feel slightly guilty about running Vista on it but it runs really well so ptthhhhppp. I put the T40 onto its docking station and hooked it up in the basement with the other equipment.

The upgrade was easy as usual. Just sudo su - and update-manager -d. It took a while to download the files but a reboot later and I’m running.

This new Ubuntu feels faster.  It’s hard to really quantify that with old hardware, but it does.  So far the only issue I have is that the spell checker in Firefox 3 beta 5 is broken sometimes (I had to use the one built into WordPress for this post).

It’s like a refined version of 7.10.