Install web-server on Ubuntu 20.04 server

We will show you how to install a web-server with EHCP Force Edition and Webmin control panel. 

NOTE: Your ISP might block the ports needed to run a web server, so check with them first. You will also need a public IP address.

(EHCP Force Edition supports dynamic IP addresses: install EHCP Force Edition on your home server, then use Dynamix and its client software on your server to set up and use dynamic DNS.)

You will also need to open ports on the router and port forward them to the IP address you are going to use for the server. (You need to open ports 20,21,22,25,53,80,110,143,443,10000 on your server and on your modem/firewall/router. If you have no firewall on your server, you don’t need to do anything on your server.)

We are assuming you have followed the instructions on “Installing Ubuntu 20.04 server on VirtualBox” and this is a follow on from that post.

SSH into your server and switch to a root shell using sudo -i

Installing webmin

First you will need to add the Webmin repository so that we can install and update Webmin using our package manager. To do this you will need to edit the sources.list file.

Open the file in your preferred editor. We will use nano

  • sudo nano /etc/apt/sources.list

Then add this line to the bottom of the file to add the new repository:

  • deb http://download.webmin.com/download/repository sarge contrib

Save the file and exit the editor. If you used nano, do so by pressing CTRL+X, Y, then ENTER.

Next, add the Webmin PGP key so that your system will trust the new repository. Download the key with wget and add it to your system’s list of keys:

  • wget -q -O- http://www.webmin.com/jcameron-key.asc | sudo apt-key add
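
The command above fetches the key over plain HTTP and trusts it immediately, so anyone able to alter that download could make apt trust their packages. The script below is an added example (not from the original post) that downloads the key to a file and only adds it when its fingerprint matches one you obtained separately. EXPECTED_FPR is a placeholder and the function names are illustrative.

```shell
#!/bin/sh
# Added example: check the Webmin key's fingerprint before apt trusts it.
KEY_URL="http://www.webmin.com/jcameron-key.asc"   # URL used on this page
# Placeholder: paste the 40-hex fingerprint obtained from a separate, trusted channel.
EXPECTED_FPR="REPLACE_WITH_TRUSTED_FINGERPRINT"

# Strip spaces/colons and upper-case, so "ab cd" and "AB:CD" compare equal.
norm_fpr() {
    printf '%s' "$1" | tr -d ' :' | tr 'abcdef' 'ABCDEF'
}

# Succeed only if both values normalise to the same 40 hex digits.
fpr_matches() {
    a=$(norm_fpr "$1")
    b=$(norm_fpr "$2")
    case "$a" in
        ""|*[!0-9A-F]*) return 1 ;;
    esac
    [ "${#a}" -eq 40 ] && [ "$a" = "$b" ]
}

# Print the primary key fingerprint of a key file without importing it.
key_fpr() {
    gpg --show-keys --with-colons "$1" 2>/dev/null |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# Usage (the script name is up to you): sh check-key.sh --install
if [ "${1:-}" = "--install" ]; then
    tmp=$(mktemp) || exit 1
    trap 'rm -f "$tmp"' EXIT
    wget -q -O "$tmp" "$KEY_URL" || { echo "download failed" >&2; exit 1; }
    actual=$(key_fpr "$tmp")
    if fpr_matches "$actual" "$EXPECTED_FPR"; then
        sudo apt-key add "$tmp"
    else
        echo "fingerprint mismatch, key NOT added (got: $actual)" >&2
        exit 1
    fi
fi
```

Left unedited, the placeholder never matches, so the script refuses to add any key until a real fingerprint is supplied.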

Now to update and install

  • sudo apt update
  • sudo apt install webmin

Once the installation finishes, you’ll be presented with the following output:

Webmin install complete. You can now login to https://your_server:10000/
as root with your root password, or as any user who can use sudo
to run commands as root.

I have always had to use the server IP address and not the server name, so change the name to the IP address of the server.

Note: If you installed and enabled ufw during the prerequisite step, you will need to run the following command in order to allow Webmin through the firewall:
 
  • sudo ufw allow 10000
 For extra security, you may want to configure your firewall to only allow access to this port from certain IP ranges.
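
One way to do that with ufw, as an added example that is not part of the original post: the function prints the rules instead of running them, adding the per-range rules first and removing the open "allow 10000" rule last so that you are not locked out. The function names and the sample range are assumptions.

```shell
#!/bin/sh
# Added example: restrict Webmin (port 10000, from the post) to trusted ranges.
WEBMIN_PORT=10000

# Accept only IPv4 "a.b.c.d" or "a.b.c.d/prefix"; anything else is refused so
# that no unexpected text ends up inside a command run as root.
valid_cidr() {
    case "$1" in
        ""|*[!0-9./]*) return 1 ;;
    esac
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' || return 1
    addr=${1%%/*}
    case "$1" in
        */*) [ "${1##*/}" -le 32 ] || return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $addr
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the ufw commands: allow each range first, drop the open rule last,
# so an existing session from an allowed range is never cut off.
webmin_rules() {
    [ "$#" -gt 0 ] || { echo "give at least one range" >&2; return 1; }
    for cidr in "$@"; do
        valid_cidr "$cidr" || { echo "invalid range: $cidr" >&2; return 1; }
    done
    for cidr in "$@"; do
        echo "ufw allow from $cidr to any port $WEBMIN_PORT proto tcp"
    done
    echo "ufw delete allow $WEBMIN_PORT"
}

# Review the output, then apply it, e.g. (sample range):
#   webmin_rules 192.168.0.0/24 | sudo sh
```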

Installing Easy Hosting Control Panel - Force Edition

First you will need to change the IP address to a static configuration. To do this we will use Webmin.

Log in to Webmin by browsing to https://YOUR_SERVER_IP_ADDRESS:10000

Go to Networking – Network Configuration – Network Interfaces.

Click on the Bootup Interface and change it to a Static configuration. Add the IP address you would like to use (e.g. 192.168.??.??) and the netmask of 255.255.255.0.

Now Save and go to Routing and Gateways, and change the Gateway to your router address.

Now go to Hostname and DNS Client and change the DNS to 8.8.8.8 and 8.8.4.4.

Save and Apply Configuration. Clicking the button activates the current boot-time interface and routing settings, as they normally would be after a reboot.

Be careful if you have a different IP address than the one in the address field: this may make your system inaccessible via the network and cut off access to Webmin.

 
 
 

Install EHCP

Download & Install EHCP Force Edition (Stable)

To download and install the latest “stable” version of EHCP Force Edition, use the following commands at the terminal prompt:

  • wget -O "ehcpforce_stable_snapshot.tar.gz" -N https://github.com/earnolmartin/EHCP-Force-Edition/releases/download/1.1.1.1/ehcpforce_stable_snapshot.tar.gz
  • tar -zxvf "ehcpforce_stable_snapshot.tar.gz"
  • cd ehcp
  • sudo bash install.sh

You can install EHCP Force Edition in unattended mode (installs all software without prompts and generates passwords); you will need to make a note of the passwords if you use this. I personally don’t like this mode as I like to use passwords I can remember, but if you use passwords you generate, make sure they’re strong.

Add a working email – this is needed to send warnings etc…

Install extra software in addition to EHCP Force Edition – you may choose to do this but it will take extra space, time to install, and can slow down your server. I don’t install them.

Now sit back and wait…

After the install, you will have a working web server, which you can access by entering your server IP in the address bar of the web browser, but there are still some things you need to do to finish the web server off.

Let’s look at that now….

  • EHCP Setup

Installing Ubuntu 20.04 server on VirtualBox

  • VirtualBox installed
  • Download Ubuntu 20.04 server

Downloading Ubuntu 20.04 server

Setting up VirtualBox

First, create a virtual machine by going to Machine – New or pressing Ctrl+N.

Add the name of the machine (e.g. server), change the Type to Linux and the Version to Ubuntu (64-bit).

NEXT

MEMORY SIZE – Set the memory size. For now, use 1024MB; you can change it later if you need to.

NEXT

HARD DISK – Again use the default, Create a virtual hard disk now, and click on Create.

HARD DISK FILE TYPE – use VDI – NEXT

Now we are going to use Dynamically allocated – A dynamically allocated hard disk file will only use space on your physical hard disk as it fills up (up to a maximum fixed size). – NEXT

Set it to 60 GB – click on Create.

Now it will appear on the right hand side of the main interface.

 

Settings

Click on your server, which should change color to indicate that you have selected it. Click on the Settings button at the top of the main interface, on the left-hand side.

Go to Network and change the Attached to: to Bridged Adapter.

Now click on Storage. Under Controller: IDE you should see an Empty disk; select it, and on the right-hand side you should see Attributes – Optical Drive. Click on the disk icon on the right and choose a disk file. Navigate to the Ubuntu 20.04 file, select it and click Open. Now the Controller: IDE should show the Ubuntu 20.04 file.

Click on OK

 

Start your server

Now you should be able to start your server. Press Start and it will open a window to run the server in (you will need to use the keyboard to navigate, the mouse will not work). You should now boot to the welcome screen; select your language and [update to new installer].

When it has finished updating, click Done. Now you should be on the Network connections page. Make a note of the DHCP IP address, as you will need it later, then click Done. If you use a proxy, set the address now; if you’re asking what a proxy is, leave it blank. Click Done.

Ubuntu archive – Click Done

Storage Configuration – Use the Tab key on your keyboard to highlight the Done button and press it, then Done again on the next screen. Use Tab to highlight Continue and press it.

Now answer the questions, 

for the server’s name use lower case and no spaces.  

Done when finished.  

SSH Setup

Now press your space bar to put an X in the Install OpenSSH server and tab to Done.

Featured Server Snaps

If you know you will need any on the list use tab and space to select, else go to Done.  


Now make a coffee and wait… 

When done Reboot

Using SSH to access your server

When your server has rebooted, open a terminal. We use Linux Mint so we press Ctrl+Alt+T, but if you use Windows you will need to install a third-party application called PuTTY.

For PuTTY – Type the host name or IP address of the SSH server into the “Host name (or IP address)” box. Ensure the port number in the “Port” box matches the port number the SSH server requires (port 22 by default), then click “Open” to connect.

For Linux Terminal type the following.

ssh YOUR IP ADDRESS -l YOUR USER NAME

For me that would be the following….

ssh 192.168.0.105 -l myusername

Type yes for the fingerprint, and type in the password you set up for your server.

 

 
 
 

Update the server

Update the server before installing software. In the terminal, type the following…

  • sudo -i
  • apt update
  • apt full-upgrade
This might take some time… 
 
When finished, you’re ready to install the server software…

See…

  1. Install web-server

Certbot Commands

 

List All Certificates

  • certbot certificates

Delete a Certbot SSL Certificate

This command will offer an index from which you can select the domain name

  • sudo certbot delete

You can also delete a Certbot certificate by including the domain name in the command, like this:

  • certbot delete --cert-name example.com

Issue or Renew an SSL certificate

The --force-renewal, --duplicate, and --expand options control Certbot’s behavior when re-creating a certificate with the same name as an existing certificate. If you don’t specify a requested behavior, Certbot may ask you what you intended.

--force-renewal tells Certbot to request a new certificate with the same domains as an existing certificate. Each domain must be explicitly specified via -d. If successful, this certificate is saved alongside the earlier one and symbolic links (the “live” reference) will be updated to point to the new certificate. This is a valid method of renewing a specific individual certificate.

--duplicate tells Certbot to create a separate, unrelated certificate with the same domains as an existing certificate. This certificate is saved completely separately from the prior one. Most users will not need to issue this command in normal circumstances.

--expand tells Certbot to update an existing certificate with a new certificate that contains all of the old domains and one or more additional new domains. With the --expand option, use the -d option to specify all existing domains and one or more new domains.

  • certbot --expand -d existing.com,example.com,newdomain.com
  • certbot --apache -d example.com

Revoking certificates

If your account key has been compromised or you otherwise need to revoke a certificate, use the revoke command to do so. Note that the revoke command takes the certificate path (ending in cert.pem), not a certificate name or domain.

  • certbot revoke --cert-path /etc/letsencrypt/live/CERTNAME/cert.pem

You can also specify the reason for revoking your certificate by using the --reason flag. Reasons include unspecified, which is the default, as well as keycompromise, affiliationchanged, superseded, and cessationofoperation:

  • certbot revoke --cert-path /etc/letsencrypt/live/CERTNAME/cert.pem --reason keycompromise

Additionally, if a certificate is a test certificate obtained via the --staging or --test-cert flag, that flag must be passed to the revoke subcommand. Once a certificate is revoked (or for other certificate management tasks), all of a certificate’s relevant files can be removed from the system with the delete subcommand.

Note

If you don’t use delete to remove the certificate completely, it will be renewed automatically at the next renewal event.

This site works only in browsers with SNI support

 

If you have shared hosting, or a cloud, virtual or dedicated server or service hosting multiple domains, it is normal to see the message:

This site works only in browsers with SNI support.

It’s not an error, it’s a warning message.

It is related to IPv4 and the early days of TLS. We are trying to explain the implication of the message; in short, for ordinary websites such as a personal website, it generally has no negative impact.

The number of IPv4 addresses is limited, and IPv6 is unfortunately not yet widely used.

A server with SNI can serve multiple SSL certificates on a single IP.

Some websites have one IP per website; you can imagine that this uses up the limited IP addresses fast, so we use SNI. SNI stands for Server Name Indication. It means that one IP on a server can serve multiple domains, so browsing to the IP alone will not open one particular website.

So if you see this warning message it means that your website is on a server that is using SNI.

 
 
 

Installing Certbot on Ubuntu 20.04

 

Step 1 – Installing Certbot

Certbot is a tool to obtain certificates from Let’s Encrypt and configure them on your web server. The Snap package is the easiest way to install Certbot on an Ubuntu system.

Open a terminal and execute the command below to install Certbot:

sudo snap install --classic certbot 

Step 2 – Generate SSL Certificate

Now you can request SSL certificates from Let’s Encrypt, based on the web server.

  1. Apache – For systems running the Apache web server, execute the following command. This will list all the domains/sub-domains configured on your web server. Select the appropriate numbers to request a certificate.
    sudo certbot --apache 

    We also use the following to install on a domain.

    sudo certbot --apache -d yourdomain.com
  2. Nginx – For systems running the Nginx web server, use the command below to request the SSL certificates.
    sudo certbot --nginx 
  3. Other Web Server – For systems running any web server other than Apache or Nginx, you can get the certificate only and configure it manually.

    This command will ask you for the domain name and the document root for the domain.

    sudo certbot certonly --webroot 
  4. No Web Server – Systems with no web server running can also request an SSL certificate. The command below will ask you for the domain name and start a temporary web server on port 80 to complete the verification.
    sudo certbot certonly --standalone 

In all of the above cases, the domain must be pointed to your server in DNS. Also ensure that /.well-known/acme-challenge is served by the web server.

Step 3 – Test SSL

Once the SSL certificate is installed on the web server, visit https://your-domain.com/ in a web browser and look for the SSL lock icon in the URL bar. You can also do a security scan for the SSL setup on https://www.ssllabs.com/ssltest/.

 

Step 4 – Renew SSL Certificate

Let’s Encrypt certificates are issued for 3 months only. You can renew a certificate within 30 days of its expiry. Certbot allows hassle-free renewal just by running a single command.

Run the below command to renew all the certificates on that system.

sudo certbot renew 

You can also do a dry run without actual renewal. This will help you test whether SSL renewal performs well.

sudo certbot renew --dry-run 

Understanding File Permissions

 

There are two parts to the file control mechanism: “Classes” and “Permissions.” Classes determine who can access the file, while Permissions determine what the user can do with that file.

There are three Classes: Owner, Group, and Others.

The Owner is usually the creator of the file or folder. In Linux, any files or folders that you create in your Home directory are usually owned by you unless you specifically change the ownership.


The Group contains a group of users who share the same permissions and user privilege.


Others means the general public.

 
 
 

As for permissions, there are three types of actions that you can perform on a file or folder:

Read. You cannot modify the contents of the file in any way. When applied to a Folder, you can only view the files within that folder; you cannot delete or modify the files in any way or add more files to the folder.


Write. You can modify the file. If you have “write” access to a folder, then you can delete and add files to that folder.


Execute. Execute is mainly used when you need to run the file and is most commonly used when you need to run a script.

By using Classes in combination with Permissions, you can control who has access to a file and the actions they can perform on said file.

The file owner will usually have all three permissions (read, write and execute). If you’re not the owner of the file or folder, then you’ll typically have to change Ownership to your name, or change the permissions of Group or Others to read, write and/or execute.

In a web server, if you’re unable to upload a file, then it’s probably because you’re not the owner of the destination folder. Alternatively, you may not have sufficient permissions to add files to the folder.

Here are the different permutations:

0 – no permission
1 – execute
2 – write
3 – write and execute
4 – read
5 – read and execute
6 – read and write
7 – read, write, and execute

Depending on the permissions you want to grant to the file, you just need to set the number accordingly.

Here are some of the commonly used permissions:

755. This set of permissions is commonly used by web servers. The owner has all the permissions to read, write and execute. Everyone else can read and execute but cannot make changes to the file.

777. Everyone can read, write, and execute. 

In a web server, it’s not advisable to use the “777” permission for your files and folders, as this allows anyone to add malicious code to your server. However, in some cases you’ll need to set the 777 permissions before you can upload any file to the server – for example: uploading images in WordPress.

644. Only the owner can read and write. Everyone else can only read. No one can execute this file.

655. The owner can read and write but cannot execute the file. Everyone else can read and execute but cannot modify the file.

You can also change permissions using the chmod command in the Terminal. In short, “chmod 777” means making the file readable, writable and executable by everyone.

chmod 777 /path/to/file
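
The functions below are an added example (not from the original post) that decodes the octal digits from the table above and finds anything under a web root that Others can write to, which is what 777 leaves behind. The function names and paths are illustrative, and the 755/644 targets in harden_tree are an assumed policy taken from the modes listed above.

```shell
#!/bin/sh
# Added example: decode octal modes and audit a web root for "Others can write".

# 755 -> rwxr-xr-x, using the digit table above (4 = read, 2 = write, 1 = execute).
mode_to_rwx() {
    case "$1" in
        [0-7][0-7][0-7]) ;;
        *) echo "expected three octal digits" >&2; return 1 ;;
    esac
    result=""
    for digit in $(echo "$1" | sed 's/./& /g'); do
        r=-; w=-; x=-
        if [ $((digit & 4)) -ne 0 ]; then r=r; fi
        if [ $((digit & 2)) -ne 0 ]; then w=w; fi
        if [ $((digit & 1)) -ne 0 ]; then x=x; fi
        result="$result$r$w$x"
    done
    echo "$result"
}

# List files and directories under $1 that the Others class may modify.
world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print
}

# Assumed policy, built from the modes listed above: directories 755, files 644.
# Only entries that are world-writable are touched.
harden_tree() {
    find "$1" -type d -perm -0002 -exec chmod 755 {} +
    find "$1" -type f -perm -0002 -exec chmod 644 {} +
}

# Typical use (the paths are examples):
#   world_writable /var/www        # review the list first
#   harden_tree /var/www
# If the web server must write to one upload directory, make its account the
# owner (www-data for Apache on Ubuntu) and keep 755, rather than using 777:
#   chown -R www-data: /var/www/example/uploads
```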

Certbot not installing ssl certificate with “sudo certbot renew”

If Certbot fails when using “sudo certbot renew”

And you get this….

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you’re using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.

Try making the changes to your Apache configuration by hand, and run this command.

sudo certbot certonly --apache

This has worked for us 99% of the time.

SSL Will not renew with EHCP – let’s encrypt

If the auto renew is not working on EHCP, to renew your SSL certificates you are best using certbot.

Certbot Instructions for Apache on Ubuntu 18.04 LTS (bionic)

  1. SSH into the server

    SSH into the server running your HTTP website as a user with sudo privileges.

  2. Add Certbot PPA

    You’ll need to add the Certbot PPA to your list of repositories. To do so, run the following commands on the command line on the machine:

    1. sudo apt-get update
    2. sudo apt-get install software-properties-common
    3. sudo add-apt-repository universe
    4. sudo add-apt-repository ppa:certbot/certbot
    5. sudo apt-get update
  3. Install Certbot

    Run this command on the command line on the machine to install Certbot.

    sudo apt-get install certbot python3-certbot-apache
  4. Choose how you’d like to run Certbot
    • Either get and install your certificates…

      Run this command to get a certificate and have Certbot edit your Apache configuration automatically to serve it, turning on HTTPS access in a single step.

      sudo certbot --apache
    • Or, just get a certificate

      If you’re feeling more conservative and would like to make the changes to your Apache configuration by hand, run this command.

      sudo certbot certonly --apache
  5. Test automatic renewal

    The Certbot packages on your system come with a cron job or systemd timer that will renew your certificates automatically before they expire. You will not need to run Certbot again, unless you change your configuration. You can test automatic renewal for your certificates by running this command:

    sudo certbot renew --dry-run

    The command to renew certbot is installed in one of the following locations:

    • /etc/crontab/
    • /etc/cron.*/*
    • systemctl list-timers
  6. Confirm that Certbot worked

    To confirm that your site is set up properly, visit https://yourwebsite.com/ in your browser and look for the lock icon in the URL bar. If you want to check that you have the top-of-the-line installation, you can head to https://www.ssllabs.com/ssltest/.