Differences

This shows you the differences between two versions of the page.

--- public:computers:vps_tips_tricks [06/03/25 15:08 GMT] – [Security] john
+++ public:computers:vps_tips_tricks [05/07/25 16:55 BST] (current) – [06/04/25 : Renew SSL certificate] john
@@ Line 10: / Line 10: @@
    * SSL Certificate replaced to enable HTTPS
 </note>
+===== New VPS : March 2025 =====
+  * New VPS 1 obtained at Fasthosts
+<code>
+Type:Virtual Machine
+Size:vps 1 2 60
+Cpu:1 vCore
+RAM:2 GB
+Disk:60 GB NVMe SSD
+</code>
+<code>
+Distributor ID: Ubuntu
+Description:    Ubuntu 24.04.1 LTS
+Release:        24.04
+Codename:       noble
+</code>
+  * Installed PHP and Apache2
+<code bash>
+gm4slv@gm4slv:~ $ php --version
+PHP 8.3.6 (cli) (built: Dec  2 2024 12:36:18) (NTS)
+Copyright (c) The PHP Group
+Zend Engine v4.3.6, Copyright (c) Zend Technologies
+    with Zend OPcache v8.3.6, Copyright (c), by Zend Technologies
+</code>
+  * configured SSL per previous method [[public:computers:ssl_install_vsp|]]
+  * changed SSH port from default 22 to a //new// port, changed VPS firewall to suit new SSH port
+  * Ubunto OS brought up to date: ''sudo apt-get update'' and ''sudo apt-get upgrade'' and ''sudo apt-get dist-upgrade''
+===== Dokuwiki Security =====
+  * previous installations used .htaccess to prevent web access to data/conf/lib/bin etc. directories
+  * this time I decided not to use .htaccess but to follow the alternative instructions in [[https://www.dokuwiki.org/security]] to use **LocationMatch**
+==== LocationMatch method ====
+Apache is told which directories (data, conf, bin, inc, vendor) to make private. The downside is that this configuration might need altering if new directories are added during ''dokuwiki'' upgrades.
+add to ''/etc/apache2/apache2.conf''
+<code apache>
+<LocationMatch "/(data|conf|bin|inc|vendor)/">
+    Order allow,deny
+    Deny from all
+    Satisfy All
+</LocationMatch>
+</code>
+''sudo service apache2 restart''
+==== .htaccess method ====
+the secured directories in ''dokuwiki'' have suitable .htaccess files already. Apache needs to betold to allow them to alter behaviour <code apache>AllowOverride All</code>
+add to ''/etc/apache2/apache2.conf''
+<code apache>
+         <Directory /var/www/html>
+                Options Indexes FollowSymLinks MultiViews
+                AllowOverride All
+                Order allow,deny
+                allow from all
+        </Directory>
+</code>
+''sudo service apache2 restart''
+===== SSH Security =====
+  * Configured ''sshd'' to disallow password-logins and only accept public-key authentication
+    * be careful to check the files in ''/etc/ssh/sshd_conf.d'' for hidden config options!
+  * uploaded public keys from
+    * Puttygen for [[https://www.putty.org/ | putty]] on laptop
+    * [[https://connectbot.org/ | ConnectBot ]] app on phone
+  * saved both in ''~/.ssh/authorized_keys''
+  * now only logins with a valid public key will succeed.
+    * In the event of a loss of the public keys it's still possible to gain access via Fasthosts account dashboard
+      * -> then reconfigure sshd to accept password logins again until new keys can be uploaded.
+===== 06/04/25 : Renew SSL certificate =====
+  * Same procedure as before
+    * Download "Certificate" -> ''signed.crt''
+    * Download "Intermediate Certificate" -> ''ca.pem''
+    * Upload via WinSCP to VPS
+    * Copy old ''/usr/local/ssl/signed.crt'' -> ''signed.crt.old''
+    * Copy old ''/usr/local/ssl/ca.pem'' -> ''ca.pem.old''
+    * Copy new files into ''/usr/local/ssl''
+    * Restart Apache
+  * There were 2 "Intermediate Certificate" for download from Fast Hosts...
+    * I used the one named ''7D5B5126B476BA11DB74160BBC530DA7.cer''
+    * This is the same as the one used when I renewed ''YaddNet.org'' SSL [[public:radio:2025:yaddnet_ssl_renewal|]]
+    * It seems that the intermediate certificate is not unique to the domain being secured, it's a certificate that verifies the identity of the authenticator of the domain's SSL certificate.
+=== UPDATE ON TWO INTERMEDIATE CERTIFICATES 5/7/25 ===
+I've discovered that the 2 Intermediate Certificates are necessary to complete the //chain// of authority.
+What should be done is to join them together into one //ca.pem// file (and in the correct order.... )
+<code bash>
+[root@wiki:/home/g4slv/ssl]# cat 397A66CC2756362E0DAA87CA6EABE3B1.cer 00D27FBBC1DE359E5216AD6149586099C4.cer > ca.pem
+[root@wiki:/home/g4slv/ssl]# cp ca.pem /usr/local/ssl
+[root@wiki:/home/g4slv/ssl]# systemctl restart apache2
+</code>
+Check correct SSL operation at [[https://www.ssllabs.com/ssltest/analyze.html]]
+===== Old information below is for historical information =====
 <note warning>
@@ Line 22: / Line 140: @@
 </note>
-===== Old information below is for historical information =====
 <code>
 OS      : Debian 10 (Buster)
@@ Line 38: / Line 156: @@
 ==== Access via FastHosts ====
-  * browse to [[https://admin.fasthosts.co.uk/Servers/VPS/1116040162]] and login with credentials (email : g...@..p.....)
+  * browse to [[https://admin.fasthosts.co.uk/Servers/VPS/1116040162]] and login with credentials
 ===== Installing SSL for HTTPS =====
 ==== Create Certificates ====
@@ Line 183: / Line 301: @@
     * restarted apache ''sudo service apache2 restart''
   * check new valid certificate now in use in web browser
-    * {{:public:linux:screenshot_2024-04-04_07.24.16.png?400|}}
+    * {{:public:computers:screenshot_2024-04-04_07.24.16.png?400|}}
     * Validity Issued on & Expires on dates now show new certificate is in use
-===== New VPS : March 2025 =====
-  * New VPS 1 obtained at Fasthosts
-<code>
-Type:Virtual Machine
-Size:vps 1 2 60
-Cpu:1 vCore
-RAM:2 GB
-Disk:60 GB NVMe SSD
-</code>
-<code>
-Distributor ID: Ubuntu
-Description:    Ubuntu 24.04.1 LTS
-Release:        24.04
-Codename:       noble
-</code>
-  * Installed PHP and Apache2
-<code bash>
-gm4slv@gm4slv:~ $ php --version
-PHP 8.3.6 (cli) (built: Dec  2 2024 12:36:18) (NTS)
-Copyright (c) The PHP Group
-Zend Engine v4.3.6, Copyright (c) Zend Technologies
-    with Zend OPcache v8.3.6, Copyright (c), by Zend Technologies
-</code>
-  * configured SSL per previous method [[public:computers:ssl_install_vsp|]]
-  * changed SSH port from default 22 to a //new// port, changed VPS firewall to suit new SSH port
-  * Ubunto OS brought up to date: ''sudo apt-get update'' and ''sudo apt-get upgrade'' and ''sudo apt-get dist-upgrade''
-===== Dokuwiki Security =====
-  * previous installations used .htaccess to prevent access to conf/lib/bin etc.
-  * this time I decided not to use .htaccess but to follow the alternative instructions in [[https://www.dokuwiki.org/security]] to use **LocationMatch**
-==== Location Match method ====
-Apache is told which directories (data, conf, bin, inc, vendor) to make private. The downside is that this configuration might need altering if new directories are added during ''dokuwiki'' upgrades.
-add to ''/etc/apache2/apache2.conf''
-<code apache>
-<LocationMatch "/(data|conf|bin|inc|vendor)/">
-    Order allow,deny
-    Deny from all
-    Satisfy All
-</LocationMatch>
-</code>
-''sudo service apache2 restart''
-==== .htaccess method ====
-the secured directories in ''dokuwiki'' have suitable .htaccess files already. Apache needs to betold to allow them to alter behaviour <code apache>AllowOverride All</code>
-add to ''/etc/apache2/apache2.conf''
-<code apache>
-         <Directory /var/www/html>
-                Options Indexes FollowSymLinks MultiViews
-                AllowOverride All
-                Order allow,deny
-                allow from all
-        </Directory>
-</code>
-''sudo service apache2 restart''
- //[[gm4slv@gm4slv.plus.com|John Pumford-Green]] Wed May  4 09:03:28 2022//
 Page Updated : ~~LASTMOD~~