SSL: Certbot + AWS Lightsail + LetsEncrypt + Really Simple SSL Plugin - wordpress

Scenario:
Current server @ example.com is running an older version of amazon AWS Lightsail with wordpress (ubuntu) and we just had a new certificate issued using letsencrypt. All is well. Original cert was requested with wildcard, so functional for any subdomain.
Now, we needed to spin up a fresh new server for a subdomain, let's call it development.example.com.
The new AWS lightsail instances now are no longer Ubuntu but Debian!
The idea was to install certbot in the new Debian instance and then copy over the certificate files from the primary server @ example.com.
I've done this successfully in the past when it was going from Ubuntu to Ubuntu but now that the new instance is Debian, the Really Simple SSL plugin does not recognize that a certificate is installed.
STEPS I took to move the certificate files:
What I've done before is simply to copy /etc/letsencrypt/* from one server to another and then follow the steps outlined in the AWS documentation here:
https://lightsail.aws.amazon.com/ls/docs/en_us/articles/amazon-lightsail-using-lets-encrypt-certificates-with-wordpress#complete-the-prerequisites-lets-encrypt-wordpress
In this case, performing the steps 7.4, 7.5, 7.6 and section 8.
However, steps described in section 8.1 do not appear valid in this document anymore for Debian, because there is no such location on Debian:
sudo chmod 666 /opt/bitnami/apps/wordpress/htdocs/wp-config.php
AND because it seems an .htaccess does not exist either.
sudo chmod 666 /opt/bitnami/apps/wordpress/conf/htaccess.conf
Are there additional steps now which I've missed to be able to copy the necessary files for SSL to work properly on this new subdomain server now running Debian?
I was going to go through a new certificate request in the development server but wouldn't that invalidate the certificate currently installed for the primary domain?
In other words, how to properly copy the SSL files from the main Ubuntu server and configure the Debian subdomain server so that both wordpress installations have SSL correctly installed?

Thank you @mikemoy, indeed, one can issue multiple wildcard certificates from different servers in a subdomain. Just went ahead and issued a new certificate.

Related

Browser shows letsencrypt certificate expired when it isn't

Can someone please render me some assistance
I have an issue where when accessing the domain sg.simpple.app results in an error indicating that the cert date is invalid
However when running certbot certificates it shows that the certificate is already up to date and has ample time till expiry
I have also restarted the server through
systemctl restart nginx
systemctl restart php-fpm
My suspicion is that it is using the wrong certificate, can someone please guide me in solving this issue?
Issue was with the filepath in nano /etc/nginx/conf.d/default.conf.
As the previous letsencrypt certificate had different domains to the new letsencrypt certificate generated, it didn't replace the original certificate.
Had to manually change the filepath in nano /etc/nginx/conf.d/default.conf.
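A check for the mismatch described in the answer above, as an added example that is not part of the original posts: it lists the certificate files an nginx config references and prints any that do not belong to the expected certbot lineage. The sample config and the lineage name old.example.com are constructed for illustration.

```shell
#!/bin/sh
# Certificate files an nginx config points at (ssl_certificate only, not the
# key directive), one path per line. $1: nginx config file.
nginx_cert_paths() {
    awk '$1 == "ssl_certificate" { sub(/;$/, "", $2); print $2 }' "$1"
}

# Referenced certificates that are NOT in the expected certbot lineage.
# $1: nginx config file
# $2: certificate name as listed by `certbot certificates`
stale_cert_paths() {
    nginx_cert_paths "$1" | while read -r path; do
        case "$path" in
            /etc/letsencrypt/live/"$2"/*) ;;    # current lineage, fine
            *) printf '%s\n' "$path" ;;         # nginx still serves something else
        esac
    done
}

# Expiry date of one certificate file (needs the openssl CLI).
cert_expiry() {
    openssl x509 -in "$1" -noout -enddate
}

# Constructed sample: the server block still points at an older lineage,
# here called old.example.com (hypothetical name).
sample_conf() {
    cat <<'EOF'
server {
    listen 443 ssl;
    server_name sg.simpple.app;
    ssl_certificate     /etc/letsencrypt/live/old.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/old.example.com/privkey.pem;
}
EOF
}

# Usage: sh check.sh /etc/nginx/conf.d/default.conf <certificate-name>
# With no arguments, runs on the constructed sample.
if [ "$#" -eq 2 ]; then
    stale_cert_paths "$1" "$2"
else
    t=$(mktemp)
    sample_conf > "$t"
    stale_cert_paths "$t" sg.simpple.app
    rm -f "$t"
fi
```

Any path it prints can be passed to cert_expiry to see the dates of the certificate nginx is actually serving.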

Cannot install plugin or updates in WordPress

I have a server set with NGINX: https://www.nginx.com/resources/wiki/start/topics/recipes/wordpress/
Recipe
Abridged basic setup
I have deployed WP in this directory: /var/www/blog.example.com/
/var/www and /var/www/blog.example.com/ do have nginx:nginx file/dir perms.
wp-config.php - 644
wp-content - 755
wp-content/plugins - 755
NGINX is running as nginx user.
I can browse in entire WordPress site including admin. However, when I want to install a new plugin or update I got always the message:
Installing plugin: iThemes Security (before Better WP Security) 7.9.1
Downloading the installation package from
https://downloads.wordpress.org/plugin/better-wp-security.7.9.1.zip…
Decompressing…
An error occurred while installing iThemes Security: Directory could not be created
What am I doing wrong?
All libraries required according to https://make.wordpress.org/hosting/handbook/handbook/server-environment/ were installed.
When I try to upgrade a theme, for example, I got 200 code "OK" from a web server, but, I don't see anything in the error_log of NGINX.
Also, I've checked the php-fpm but I don't see any updating error.
php-fpm was running as an apache user.
I've switched the user to nginx and it's solved. :D
It looks like the issue is the 'plugins' folder write permissions. WP downloads the zip archive of the plugin, then it decompresses it to the 'plugins' folder.
This article will help:
https://secure.wphackedhelp.com/blog/fix-file-and-folder-permissions-error-wordpress/
Just adding onto @sincorchetes' answer, to those who need more specific instruction:
vim /etc/php-fpm.d/www.conf
I changed the lines
user = apache
group = apache
to
user = nginx
group = nginx
Then restarted the php-fpm and nginx service
systemctl restart php-fpm
systemctl restart nginx
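The mismatch these answers describe can be confirmed before editing anything. The following is an added example, not code from the original posts: it reads the php-fpm pool user and the nginx worker user and compares the pool user with the owner of the directory WordPress writes to. The sample file contents are constructed; the paths in the usage comment are the ones quoted in the thread.

```shell
#!/bin/sh
# "user = X" from a php-fpm pool file such as /etc/php-fpm.d/www.conf.
# Commented-out lines (leading ';') do not match the anchored pattern.
fpm_pool_user() {
    awk -F= '/^[ \t]*user[ \t]*=/ { gsub(/[ \t]/, "", $2); print $2; exit }' "$1"
}

# "user X;" from the main nginx.conf.
nginx_worker_user() {
    awk '$1 == "user" { sub(/;$/, "", $2); print $2; exit }' "$1"
}

# Owner of a directory: third column of `ls -ld`.
dir_owner() {
    ls -ld "$1" | awk '{ print $3 }'
}

# PHP, not nginx, unpacks the plugin zip. With mode 755 only the owner can
# write, so the pool user has to be the directory owner.
# $1: pool file  $2: nginx.conf  $3: directory WordPress writes to
check_wp_writer() {
    fpm=$(fpm_pool_user "$1")
    ngx=$(nginx_worker_user "$2")
    owner=$(dir_owner "$3")
    if [ "$fpm" = "$owner" ]; then
        echo "ok: php-fpm runs as $fpm, owner of $3"
    else
        echo "mismatch: php-fpm=$fpm nginx=$ngx owner=$owner"
        return 1
    fi
}

# Constructed samples mirroring the thread: nginx as nginx, php-fpm as apache.
sample_pool() { printf '%s\n' '; user = commented' '[www]' 'user = apache' 'group = apache'; }
sample_nginx_conf() { printf '%s\n' 'user nginx;' 'worker_processes auto;'; }

# Usage: sh check.sh /etc/php-fpm.d/www.conf /etc/nginx/nginx.conf \
#            /var/www/blog.example.com/wp-content/plugins
# With no arguments, runs on the constructed samples and a temp directory.
if [ "$#" -eq 3 ]; then
    check_wp_writer "$1" "$2" "$3"
else
    t=$(mktemp -d)
    sample_pool > "$t/www.conf"; sample_nginx_conf > "$t/nginx.conf"
    check_wp_writer "$t/www.conf" "$t/nginx.conf" "$t" || true
    rm -rf "$t"
fi
```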

curl 60 err Unable to get local issuer Ubuntu Nginx vmware

I am running a VM on Ubuntu 18.04 and using a self-signed SSL certificate (openssl). I installed the CA Authority, uploaded it to Chrome. Chrome recognizes the SSL so I am not getting an error there, I do however get a guzzle error in Symfony. I have tried editing php.ini and inputting the cacert.pem there and nothing is working. This is not a duplicate, please.
I am reaching out to see if anybody has run into this based on the stack above.

What is the cause of the "502 Bad Gateway" after Ghost 1.8.7 update

I recently installed Ghost 1.8.4 and Nginx on my AWS ec2 Ubuntu 16.04 server. When I loaded my blog site, it correctly took me to the Ghost home page, from where I logged into Ghost admin. On the admin screen, there was a message to update.
I ran ghost update in putty
The update appeared to be successful, but when I returned to my blog site, I received the following error:
502 Bad Gateway
nginx/1.10.3 (Ubuntu)
Does anyone know a probable cause of this error and how to resolve it?
I checked some posts, which suggested I should have turned Ghost off before the update. If this is true, is my ghost installation now corrupted?
I went to my ghost directory in /var/www/ghost and tried to run:
sudo service ghost start
but it returned:
Failed to start ghost.service: Unit ghost.service not found
and trying to stop, returns Unit ghost.service not loaded. Am I running the command from the correct location?
I've experienced 502 issues with ghost behind nginx several times over a few years of running it. I'm not sure if the cause of mine today is the same as yours, but what I observed was that after a restart ghost had changed its port number to one different than what its nginx config was listening on.
I followed these directions from https://web.archive.org/web/20200807095031/https://www.danwalker.com/running-ghost-on-a-5-digital-ocean-vps/ which resolved it for me:
See which port ghost is running on:
sudo netstat -plotn
Check that it matches the proxy_pass in the nginx config file in /etc/nginx/sites-enabled.
In my case the port in the nginx config had incremented to 2369 while the actual node process was running on 2368. Changing the proxy_pass port back to 2368 in my ghost blog's nginx config file resolved the issue for me.
I ran into the same problem after upgrading ghost.
Make sure the port number configured in your ghost's config file and the proxy_pass in your ghost site's nginx configuration files match.
Check the port number in
/var/www/ghost/config.production.json matches the proxy_pass port in the nginx config files.
/var/www/ghost/system/files/<yourDomainName>.<extension>.conf
/var/www/ghost/system/files/<yourDomainName>.<extension>-ssl.conf
In my case I had to change 2368 to 2369 in the nginx config files to fix the issue.
Make sure you restart your ghost and nginx after you make the changes.
# restart your ghost site
cd /var/www/ghost/
ghost restart
# restart nginx
sudo systemctl restart nginx
Hope this helps someone.
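The port comparison both answers above walk through by hand, as an added example that is not part of the original posts: it reads the port from the "server" block of Ghost's config and the port in the nginx proxy_pass directive and reports whether they agree. The sample config contents are constructed and reuse the 2368/2369 values from the answers.

```shell
#!/bin/sh
# Port from the "server" block of Ghost's config.production.json.
ghost_port() {
    awk '/"server"[ \t]*:/ { in_server = 1 }
         in_server && match($0, /"port"[ \t]*:[ \t]*[0-9]+/) {
             s = substr($0, RSTART, RLENGTH)
             gsub(/[^0-9]/, "", s); print s; exit
         }' "$1"
}

# Port nginx forwards to, from the first proxy_pass in a site config.
nginx_proxy_port() {
    sed -n 's/^[[:space:]]*proxy_pass[[:space:]].*:\([0-9][0-9]*\).*/\1/p' "$1" |
        head -n 1
}

# $1: config.production.json  $2: nginx site config
check_ghost_proxy() {
    gp=$(ghost_port "$1")
    np=$(nginx_proxy_port "$2")
    if [ -n "$gp" ] && [ "$gp" = "$np" ]; then
        echo "ok: ghost and nginx agree on port $gp"
    else
        echo "mismatch: ghost=$gp nginx proxy_pass=$np"
        return 1
    fi
}

# Constructed samples reproducing the 2368/2369 drift from the answers.
sample_ghost_config() {
    printf '%s\n' '{' '  "url": "https://blog.example.com",' \
        '  "server": { "port": 2368, "host": "127.0.0.1" }' '}'
}
sample_nginx_site() {
    printf '%s\n' 'server {' '  location / {' \
        '    proxy_pass http://127.0.0.1:2369;' '  }' '}'
}

# Usage: sh check.sh /var/www/ghost/config.production.json <nginx site config>
# With no arguments, runs on the constructed samples.
if [ "$#" -eq 2 ]; then
    check_ghost_proxy "$1" "$2"
else
    t=$(mktemp -d)
    sample_ghost_config > "$t/ghost.json"; sample_nginx_site > "$t/site.conf"
    check_ghost_proxy "$t/ghost.json" "$t/site.conf" || true
    rm -rf "$t"
fi
```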
Apparently when I posted this issue it was due to a bug in the Ghost CLI that the ghost team were in the process of fixing.
They provided me with these instructions to run on my server:
systemctl stop ghost_www-blogwebsite-com
ghost update --force
The resulting output:
stopping Ghost [skipped]
Removing old Ghost versions [skipped]
This fixed the problem and updated to the correct version.

SELinux Policy to Allow NGINX Access to Parallels Shared Folders on Mac

I'm trying to keep SELinux enforcing but to allow NGINX to directly access shared OSX folders that are connected via Parallels Desktop.
Host system: Mac OSX 10.10
Parallels Desktop: 10
Running Virtual OS: CentOS 7 (minimal / command line)
I have the Parallels tools installed and in CentOS I see the shared folder: /media/psf/Shared-Folder
When I set the Nginx server root to that folder I get a 403 Forbidden. I know it is a configuration parameter that needs editing because if I change SELinux to Permissive, the files are served correctly in NGINX.
When checking how the files are mounted I see this:
root root system_u:object_r:removable_t:s0 /media/psf/Shared-Folder/
I can see the 'removable_t' context - however - my issue is that I cannot seem to find a way to allow the httpd service to serve files that are mounted as removable storage.
I have tried:
chcon -R -t public_content_t /media/psf/Shared_Folder/
chcon -R -t httpd_sys_content_t /media/psf/Development-Projects/
and in all cases I get a "chcon: failed to change context of: '...': Operational not supported" error.
Checking /usr/sbin/getsebool -a | grep http I do not see any option to allow httpd to access removable storage mounts.
Last item: I do not believe I can change the way Parallels mounts the shared folders.
Question: Is there a way to keep SELinux enforcing but to allow NGINX to directly access shared OSX folders that are connected via Parallels Desktop?
What you need to do is use semanage. To get it you have to install policycoreutils-python.
The same type of question has already been asked Here. Cheers!
