If you haven't heard of Let's Encrypt, check it out here.  In a nutshell, Let's Encrypt allows you to get a free SSL certificate for your personal site from a trusted CA, FOR FREE!  <applause here>

The process to install a Let's Encrypt certificate and keep it renewed couldn't be simpler.  I've outlined it below.

Assumptions:

  1. You are running at least Amazon Linux AMI 03.2017
  2. You are using Apache as your web server.  You could use NGINX, but the file locations would be slightly different.
  3. Apache is currently using self-signed certificates for SSL


Installing the SSL Certificates

Install Certbot and get the Certificates
  1. Log into your EC2 instance as ec2-user via SSH
  2. Download the certbot application, and make it executable
    1. wget https://dl.eff.org/certbot-auto
    2. sudo chmod a+x certbot-auto
  3. Run the certbot application to get your certificates.  This will execute a yum install for any necessary packages including PIP and Python
    1. sudo ./certbot-auto --debug -v --server https://acme-v01.api.letsencrypt.org/directory certonly -d Your_FQDN
  4. From here, Certbot will ask you several questions, including where to validate (the webroot, typically /var/www/html on Amazon Linux) and an administrative email.  This will place the certificate, private key, and chain file onto your system.
    • Certificate File : /etc/letsencrypt/live/FQDN/cert.pem
    • Private Key : /etc/letsencrypt/live/FQDN/privkey.pem
    • Full Chain File : /etc/letsencrypt/live/FQDN/fullchain.pem
Configure Apache to use the new SSL Certificates
  1. Edit your SSL.conf file
    • sudo vi /etc/httpd/conf.d/ssl.conf
      1. Configure SSLCertificateFile to point to  /etc/letsencrypt/live/FQDN/cert.pem
      2. Configure SSLCertificateKeyFile to point to /etc/letsencrypt/live/FQDN/privkey.pem
      3. Configure SSLCertificateChainFile to point to /etc/letsencrypt/live/FQDN/fullchain.pem
  2. Restart your HTTPD process
    • sudo service httpd restart


That's all there is to it.  Now you have a fully trusted CA certificate protecting your website's SSL connections.  No more untrusted-certificate browser errors for your site.  The next thing to do would be to automate the certificate renewal process.  You can do that by adding the following line to your root user's crontab:

  • 0 6 * * * /home/ec2-user/certbot-auto renew

This will have certbot renew your certificates every day at 6am.
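Before the httpd restart in the configuration steps above, it is worth confirming that all three directives really point at the Let's Encrypt files. The shell check below is an added example, not part of the original post; it assumes the /etc/letsencrypt/live/<FQDN>/ layout given above, and both sample ssl.conf files are constructed (www.example.com is a placeholder).

```shell
#!/bin/sh
# Added example (not from the original post): verify that ssl.conf points all
# three SSL directives at the Let's Encrypt live directory for one FQDN before
# you restart httpd, so a half-edited file is caught first. Paths follow the
# post; both sample config files below are constructed.

# Print the value of Apache directive $2 in config file $1, ignoring
# commented-out lines and taking the last uncommented occurrence.
directive_value() {
    grep -E "^[[:space:]]*$2[[:space:]]+" "$1" | tail -n 1 | awk '{print $2}'
}

# Return 0 if all three directives reference /etc/letsencrypt/live/<fqdn>/.
check_ssl_conf() {
    conf="$1"; live="/etc/letsencrypt/live/$2"; rc=0
    for pair in SSLCertificateFile:cert.pem \
                SSLCertificateKeyFile:privkey.pem \
                SSLCertificateChainFile:fullchain.pem; do
        name="${pair%%:*}"; want="$live/${pair##*:}"
        have="$(directive_value "$conf" "$name")"
        if [ "$have" != "$want" ]; then
            echo "$name is '$have', expected $want" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: the stock Amazon Linux ssl.conf with self-signed files.
SELF_SIGNED_CONF="$(mktemp)"
cat > "$SELF_SIGNED_CONF" <<'EOF'
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
EOF

# Constructed sample: the same file after the three edits from step 1.
LETSENCRYPT_CONF="$(mktemp)"
cat > "$LETSENCRYPT_CONF" <<'EOF'
SSLEngine on
#SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateFile /etc/letsencrypt/live/www.example.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.example.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/www.example.com/fullchain.pem
EOF

check_ssl_conf "$LETSENCRYPT_CONF" www.example.com && echo "ssl.conf OK"
```

Run it against /etc/httpd/conf.d/ssl.conf with your real FQDN; a non-zero exit means at least one directive still points somewhere other than the Let's Encrypt files.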

Quick tech tip, mostly for me to remember.


When running docker containers on OSX it can act a little weird.


Because Docker is running inside a VM, when you do a port binding via:


docker run -p localhostport:containerport

the container port is actually bound to the IP address of the Docker VM, and not necessarily to localhost.

Be sure to run docker-machine ip default to verify what the address of the VM is.

So if

docker-machine ip default

returns

192.168.100.100

then the local port for a mapped container port is reached at 192.168.100.100:localhostport.


Hopefully this saves someone else from pulling their hair out.

Ran across a really cool product today that I have personally been wishing into existence for years.  Being a person that had spent time in the trenches managing security policies across hundreds of Cisco devices, I had always thought it was so much more complex than it had to be.  It turns out that I was right.  Cisco has a new product out called Cisco Defense Orchestrator.

Cisco Defense Orchestrator is a cloud based security policy management tool that can manage all of your Cisco devices across the globe.  Incredible.

Here's a brief listing of the benefits of the product:

  • Single Pane of Glass Management - All rolled into a single web-based SaaS application
  • Consistent Security Policies - Create Security Templates, roll them out with a few clicks
  • Simple Provisioning - Easy Deployments via Template driven rollouts
  • Cloud Based - Incredibly fast deployment and Time to Value
  • More Time - Doing an impact analysis is a breeze and no longer a painstakingly involved process.

Quick link : http://www.cisco.com/go/cdo


Just posting this here, as the information wasn't really readily available when I did this.  Most of the newer and popular Joomla extensions require PHP 5.4 or better.  Since 5.4 is a dead branch, updates-wise, I moved to 5.6.


Steps (Use sudo only if required)

1) Remove OLD Apache

sudo service httpd stop
sudo yum erase httpd httpd-tools apr apr-util

2) Remove OLD PHP

sudo yum remove php-*

3) Install PHP 5.6 (Apache 2.4 will be automatically installed with this)

sudo yum install php56

4) Make sure all the required PHP extensions are installed

yum list installed | grep php

5) If not then install them using

sudo yum install php56-xml php56-xmlrpc php56-soap php56-gd

6) To list the other available php extensions

yum search php56

7) PHP 5.6 MySQL extension (Assume you have already installed MySQL)

sudo yum install php56-mysqlnd 

(NOTE: it is not php56-mysql)

8) Start / Restart Apache

sudo service httpd start
sudo service httpd restart

9) Check the version

php -v
httpd -v
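Steps 4, 5 and 7 above boil down to checking that a fixed set of php56 packages is present. The shell check below is an added example, not from the original post: it parses the output of yum list installed and reports which of the packages named in the steps are missing, using a constructed sample of that output (the version strings are placeholders).

```shell
#!/bin/sh
# Added example (not from the original post): turn steps 4, 5 and 7 into one
# repeatable check. It parses "yum list installed" output and reports which of
# the php56 packages the post names are missing. The package list is from the
# post; the sample yum output below is constructed (versions are placeholders).

REQUIRED_PHP56="php56 php56-xml php56-xmlrpc php56-soap php56-gd php56-mysqlnd"

# Read yum output on stdin and print bare package names: the first column
# minus its arch suffix, e.g. "php56-gd.x86_64" -> "php56-gd". Lines without
# a dot in the first column (headers, "Loaded plugins:") are skipped.
installed_names() {
    awk '$1 ~ /\./ { sub(/\.[^.]*$/, "", $1); print $1 }'
}

# Print every required package absent from the yum output saved in file $1.
# Returns 0 when nothing is missing, 1 otherwise.
missing_php56() {
    names="$(installed_names < "$1")"
    rc=0
    for pkg in $REQUIRED_PHP56; do
        if ! printf '%s\n' "$names" | grep -qx "$pkg"; then
            echo "$pkg"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample of "yum list installed | grep php" on a host where step 5
# was skipped and php56-mysql was installed instead of php56-mysqlnd (the
# mistake the NOTE in step 7 warns about).
SAMPLE_YUM="$(mktemp)"
cat > "$SAMPLE_YUM" <<'EOF'
Installed Packages
php56.x86_64            5.6.x-0.amzn1    @amzn-main
php56-cli.x86_64        5.6.x-0.amzn1    @amzn-main
php56-common.x86_64     5.6.x-0.amzn1    @amzn-main
php56-gd.x86_64         5.6.x-0.amzn1    @amzn-main
php56-mysql.x86_64      5.6.x-0.amzn1    @amzn-main
EOF

# Prints php56-xml, php56-xmlrpc, php56-soap and php56-mysqlnd for the sample.
missing_php56 "$SAMPLE_YUM" || echo "run: sudo yum install <the packages above>"
```

On a real host, replace the sample file with the saved output of yum list installed; an empty result and a zero exit mean step 5 and step 7 are done.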

I'm a big fan of LastPass.  After the thorough methodology review by Steve Gibson at GRC, LastPass is a great option for password management.  They recently had a blog post with an interesting infographic.


Here it is: 

You have all of this file data.  It's important to your family, or your business.  How do you protect it?  Traditionally, you would go out and purchase an onsite NAS or some other type of hardware that would sit on your network.  That's great.  You now have two copies of your data.  But what happens if there is a fire?  What happens if you have a break-in, and your laptops and NAS are all stolen?  How do you get that data back?

With the rise of cheap and secure cloud-based storage, especially Amazon S3, getting that data offsite may be easier than you think.  From a family standpoint, most standard NAS products include a software package for vaulting to S3 or Glacier.  If not, you can use the web interface or the API to push your data to S3 or Glacier.


Amazon also has their Virtual Storage Gateway software appliance.  The usage cost of $125/mo may be a bit high for a family, but could be perfect for a small-to-medium-sized business.  There are also other methods of getting data into S3 via the AWS APIs and the robust AWS CLI application.  I will do future posts on those options.


Here's an architectural layout on how the Storage Gateway VM works.