Zhixian's Tech Blog

2017-07-12

Using ACMESharp to get SSL certificates from Let’s Encrypt

This blog post is a reminder note to myself on how to use the ACMESharp PowerShell module to get SSL/TLS certificates from the Let's Encrypt CA.

(ACMESharp speaks the original ACME v1 protocol, which Let's Encrypt has since switched off; the procedure below is kept as a record of that client. New work needs an ACME v2 module such as Posh-ACME, but the phases are the same.)

Essentially, the usage can be divided into the following phases:

  1. Install the ACMESharp PowerShell module
  2. Import the ACMESharp PowerShell module
  3. Initial (one-time) setup: create the local vault and register an account
  4. Register the DNS name of the certificate
  5. Get the "challenge" details (to prove that you control the domain)
  6. Signal Let's Encrypt to confirm your challenge answer, then request the certificate
  7. Download certificates

Steps 1-3 are only for setting up on a new PC.
Steps 2 and 4 should be repeated for each domain that you want certificates for.
Steps 2 and 5-7 should be repeated whenever you want to get or renew a certificate. Let's Encrypt certificates are valid for 90 days, so this comes round often enough to be worth scripting.

1. Install ACMESharp PowerShell module

Install-Module -Name ACMESharp -AllowClobber

2. Import ACMESharp PowerShell module

Import-Module ACMESharp

3. Initial (one-time) setup

Initialize-ACMEVault

New-ACMERegistration -Contacts mailto:zhixian@hotmail.com -AcceptTos

The vault is a local store that will hold your account key and, later, every certificate private key generated with -Generate; back it up and protect it like any other key store. -AcceptTos accepts the Let's Encrypt subscriber agreement, and the contact address receives expiry warnings.

4. Register the DNS name of the certificate

New-ACMEIdentifier -Dns plato.emptool.com -Alias plato_dns

5. Get the challenge (to prove that you control the domain)

Complete-ACMEChallenge plato_dns -ChallengeType http-01 -Handler manual

The manual handler does not touch any web server. It prints the challenge: a path under http://plato.emptool.com/.well-known/acme-challenge/ and the exact body the server must return for it. Create that file on the web server for plato.emptool.com (reachable over plain HTTP on port 80) and check it in a browser before going to step 6. Let's Encrypt fetches it from the Internet, so a file that is only reachable from the LAN fails validation.

6. Signal Let's Encrypt to confirm your challenge answer, then request the certificate

Submit-ACMEChallenge plato_dns -ChallengeType http-01
(Update-ACMEIdentifier plato_dns -ChallengeType http-01).Challenges | Where-Object {$_.Type -eq "http-01"}

The second line refreshes the challenge from the CA and shows its Status. Repeat it until Status is no longer pending, and continue only once it reads valid. Then generate a key pair and CSR in the vault, submit the request and fetch the issued certificate:

New-ACMECertificate plato_dns -Generate -Alias plato_cert1
Submit-ACMECertificate plato_cert1
Update-ACMECertificate plato_cert1

7. Download certificates

Get-ACMECertificate exports the pieces from the vault; the server-specific bundles are then assembled from the PEM files. The exported .key.pem, and any bundle or PFX that includes it, is the certificate's private key in the clear: keep those files out of shared folders and restrict their ACL before copying them anywhere. Note that Add-Content appends, so delete the target bundle before re-running (or write the first piece with Set-Content), otherwise the file ends up with two chains.

NGINX

nginx takes the leaf certificate followed by the issuer chain in one file (ssl_certificate) and the key in a separate file (ssl_certificate_key; that is the .key.pem exported in the HAProxy section below).

Get-ACMECertificate plato_cert1 -ExportCertificatePEM "C:\src\certs\plato_cert1.crt.pem"
Get-ACMECertificate plato_cert1 -ExportIssuerPEM "C:\src\certs\plato_cert1-issuer.crt.pem"

Add-Content -Value (Get-Content "C:\src\certs\plato_cert1.crt.pem") -Path "C:\src\certs\nginx.plato.emptool.com.pem"
Add-Content -Value (Get-Content "C:\src\certs\plato_cert1-issuer.crt.pem") -Path "C:\src\certs\nginx.plato.emptool.com.pem"

HAPROXY

ZX: Generating the HAProxy bundle is the same as for nginx, except that the private key is appended to the same file, which makes that file as sensitive as the key itself.

Get-ACMECertificate plato_cert1 -ExportKeyPEM "C:\src\certs\plato_cert1.key.pem"
Get-ACMECertificate plato_cert1 -ExportCertificatePEM "C:\src\certs\plato_cert1.crt.pem"
Get-ACMECertificate plato_cert1 -ExportIssuerPEM "C:\src\certs\plato_cert1-issuer.crt.pem"

Add-Content -Value (Get-Content "C:\src\certs\plato_cert1.crt.pem") -Path "C:\src\certs\haproxy.plato.emptool.com.pem"
Add-Content -Value (Get-Content "C:\src\certs\plato_cert1-issuer.crt.pem") -Path "C:\src\certs\haproxy.plato.emptool.com.pem"
Add-Content -Value (Get-Content "C:\src\certs\plato_cert1.key.pem") -Path "C:\src\certs\haproxy.plato.emptool.com.pem"

IIS

IIS imports a PKCS#12 (.pfx) file that contains certificate, chain and private key in one:

Get-ACMECertificate plato_cert1 -ExportPkcs12 "C:\src\certs\iis.plato_cert1.pfx"
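The whole cycle from step 4 to step 7 as one script, with the checks the individual commands leave implicit: waiting for the challenge to turn valid before requesting the certificate, overwriting rather than appending the server bundles, and locking down the files that carry the private key. This is an added example, not code from the original post or from the ACMESharp project. The host name and C:\src\certs are the post's own; the dated alias suffix, the five-minute timeout and the choice of SYSTEM and Administrators as the only principals on the key files are assumptions.

```powershell
# Added example: end-to-end ACMESharp run for one host name (not ACMESharp project code).
# Assumes steps 1-3 (module installed, vault initialised, registration done) are complete
# and that you can publish the challenge file on the web server when prompted.
param(
    [string]$Dns    = 'plato.emptool.com',
    [string]$OutDir = 'C:\src\certs',
    # A dated suffix (assumption) keeps each run's identifier and certificate distinct in the vault.
    [string]$Stamp  = (Get-Date -Format 'yyyyMMdd')
)
Import-Module ACMESharp
$idAlias   = "plato_dns_$Stamp"
$certAlias = "plato_cert_$Stamp"

# Step 4: register the name with the CA.
New-ACMEIdentifier -Dns $Dns -Alias $idAlias | Out-Null

# Step 5: the manual handler only prints the token path and the body to serve
# under /.well-known/acme-challenge/; publish it on port 80 before continuing.
Complete-ACMEChallenge $idAlias -ChallengeType http-01 -Handler manual
Read-Host 'Publish the challenge file shown above on the web server, then press Enter'

# Step 6: ask the CA to validate, then poll until the challenge leaves "pending".
# A certificate request on a non-valid challenge is refused, so stop here on failure;
# an "invalid" challenge cannot be resubmitted, start again with a new identifier alias.
Submit-ACMEChallenge $idAlias -ChallengeType http-01 | Out-Null
$deadline = (Get-Date).AddMinutes(5)   # assumption: five minutes is ample for http-01
do {
    Start-Sleep -Seconds 5
    $challenge = (Update-ACMEIdentifier $idAlias -ChallengeType http-01).Challenges |
        Where-Object { $_.Type -eq 'http-01' }
} while ($challenge.Status -eq 'pending' -and (Get-Date) -lt $deadline)
if ($challenge.Status -ne 'valid') {
    throw "http-01 challenge for $Dns ended in status '$($challenge.Status)'"
}

# Generate key + CSR in the vault, submit, and pull the issued certificate back.
New-ACMECertificate $idAlias -Generate -Alias $certAlias | Out-Null
Submit-ACMECertificate $certAlias | Out-Null
Update-ACMECertificate $certAlias | Out-Null

# Step 7: export the pieces, then build per-server bundles.
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
$crt    = Join-Path $OutDir "$certAlias.crt.pem"
$issuer = Join-Path $OutDir "$certAlias-issuer.crt.pem"
$key    = Join-Path $OutDir "$certAlias.key.pem"
$pfx    = Join-Path $OutDir "$certAlias.pfx"      # IIS; contains the private key
Get-ACMECertificate $certAlias -ExportCertificatePEM $crt -ExportIssuerPEM $issuer `
    -ExportKeyPEM $key -ExportPkcs12 $pfx | Out-Null

# Set-Content overwrites, so a re-run cannot leave a bundle with two chains, which
# Add-Content would. PEM is ASCII; the flattened arrays keep one line per element.
$nginxPem   = Join-Path $OutDir "nginx.$Dns.pem"     # leaf + chain; key stays in $key
$haproxyPem = Join-Path $OutDir "haproxy.$Dns.pem"   # leaf + chain + key in one file
Set-Content -Path $nginxPem   -Encoding Ascii -Value (@(Get-Content $crt) + @(Get-Content $issuer))
Set-Content -Path $haproxyPem -Encoding Ascii -Value (@(Get-Content $crt) + @(Get-Content $issuer) + @(Get-Content $key))

# Every file that carries the private key gets an explicit ACL: inheritance off,
# existing rules dropped, only SYSTEM and Administrators (assumption) may read it.
# Inherited ACLs under a folder like C:\src typically give all Users read access.
foreach ($file in @($key, $pfx, $haproxyPem)) {
    $acl = Get-Acl -Path $file
    $acl.SetAccessRuleProtection($true, $false)          # stop inheriting, discard inherited rules
    foreach ($rule in @($acl.Access)) { $acl.RemoveAccessRule($rule) | Out-Null }
    foreach ($principal in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $principal, 'FullControl', 'Allow')))
    }
    Set-Acl -Path $file -AclObject $acl
}
Write-Host "Issued $certAlias for $Dns; bundles in $OutDir"
```

Run it from an elevated PowerShell on the machine that holds the vault, and copy to each server only the file it needs: nginx gets the nginx bundle and the .key.pem, HAProxy its single bundle, IIS the .pfx. The PFX is written without a password here, so the ACL is all that protects it on disk; check Get-Help Get-ACMECertificate in your module version for a password parameter if you need one.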


2017-07-09

How to deploy files to Windows using SFTP via Gitlab pipelines

Summary

This blog post describes how to deploy files to a Windows Server over SFTP from a Gitlab pipeline running on Gitlab's shared runners.

The practical use for this is deploying the files of a website that is served by Internet Information Services (IIS).

Note: The context of this post is deploying websites, but the steps described can be used to deploy any kind of file from a Gitlab pipeline.

Contents

  1. Assumptions
  2. What are Gitlab pipelines
  3. How Gitlab pipelines work
  4. Sample .gitlab-ci.yml

Assumptions

  1. You have a working Gitlab account.
  2. You have a working Gitlab repository.
  3. You have a Windows Server.
  4. You have an SFTP server running on that Windows Server and a working SFTP account for it.

If you do not have an SFTP server, you can consider the SFTP/SCP Server from SolarWinds.
It's not a fantastic product, but it will do (considering that it is free).
The software is available at the following URL after registration:
http://www.solarwinds.com/free-tools/free-sftp-server/registration

What are Gitlab pipelines

To put it simply, pipelines are Gitlab's mechanism for performing tasks you specify whenever you push files to your Gitlab repository. The tasks are executed by processes called "runners" in Gitlab terminology.

Runners come in two kinds: shared and private (non-shared).

Shared runners are hosted by Gitlab for all Gitlab users who wish to use them. They are free to use but limited to 2000 CI minutes per month unless you upgrade your Gitlab plan.

Private runners, in comparison, are set up on your own resources. After you set up a private runner, you have to register it with Gitlab so that Gitlab can dispatch jobs to it.

How Gitlab pipelines work

When you push files to your Gitlab repository, Gitlab checks for a file called ".gitlab-ci.yml" in the repository root. The name must be exactly as typed (it is case-sensitive). The existence of this file tells Gitlab that there are tasks to be done; the file lists the "jobs" for Gitlab to carry out.

Side note: As can be guessed from the file extension ".yml", this is a YAML (YAML Ain’t Markup Language) file. For details for the syntax of YAML, see http://www.yaml.org/

Sample .gitlab-ci.yml

As mentioned in the summary of this blog post, we want to set up a Gitlab pipeline that deploys to our SFTP server whenever we push to the repository. The ".gitlab-ci.yml" below does that (indentation is significant in YAML; the line numbers used in the explanation that follows count every line of the file, blank ones included).

image: alpine

before_script:
  - apk update
  - apk add openssh sshpass lftp

deploy_pages:
  stage: deploy
  script:
    - ls -al
    - mkdir .public
    - cp -r * .public
    - echo "pwd" | sshpass -p $SFTP_PASSWORD sftp -o StrictHostKeyChecking=no zhixian@servername.somedomain.com
    - lftp -e "mirror -R .public/ /test" -u zhixian,$SFTP_PASSWORD sftp://servername.somedomain.com
  artifacts:
    paths:
      - .public
  only:
    - master

The following is what each of the lines does:

Line 1: Declare that the jobs will be executed in a Docker container built from the image "alpine". Alpine Linux is one of the smallest Linux container images. You can use other images as long as the image can be pulled from Docker Hub.

Line 3: The "before_script" section. Actions declared here are carried out before any job's own script.

Line 4: Refresh apk's package index. The alpine image ships with an empty index, so apk has to download the catalogue before it can install anything.

Line 5: Install the "openssh", "sshpass" and "lftp" packages.

Line 7: Our declaration of a job called "deploy_pages".

Line 8: Indicate that this job runs in the "deploy" stage.

Quick concept of "stage": jobs are executed in stages, by default in the order "build", "test", "deploy". Jobs in the same stage are executed concurrently (assuming there are enough runners), and a stage only starts after the previous one has succeeded.

Line 9: The "script" section. The actions carried out for the job are specified here.

Line 10: List the files in the job's working directory, where Gitlab has checked out a copy of the repository. I like to see the list of files; this step is otherwise frivolous and not needed.

Lines 11 and 12: Make a directory called ".public" (note the period in front of "public") and copy all files in the working directory into it.

ZX: This step is for facilitating lftp at line 14. Gitlab checks out the repository, including its .git directory, into the working directory, and we do not want to accidentally deploy .git. The shell glob "*" does not match names that start with a dot, so the copy leaves .git (and any other dot-file) behind and .public holds just the site files.

Line 13: Start an SFTP session to "servername.somedomain.com" as the account "zhixian", using the password stored in the secret variable "$SFTP_PASSWORD". Execute the SFTP command "pwd" and terminate the session.

ZX: This step seems frivolous, but is essential to the success of this job. As mentioned, jobs are executed in a fresh Docker container, which has no ~/.ssh/known_hosts. The first SSH-based connection to any host therefore prompts to accept that host's key fingerprint, and a non-interactive job cannot answer the prompt, so the lftp step on its own would fail. This line connects once with StrictHostKeyChecking=no, which records whatever key the server presents without prompting; lftp's ssh then finds it in known_hosts.

Caveat: StrictHostKeyChecking=no means the job trusts any host that answers as servername.somedomain.com, and sends it $SFTP_PASSWORD. The safer form is to put the server's known_hosts line (from ssh-keyscan, compared against the server's real fingerprint) in a CI variable, write it to ~/.ssh/known_hosts in before_script, and connect with StrictHostKeyChecking=yes so that a key mismatch aborts the deployment instead of leaking the credential. Passing the password with "sshpass -p" also exposes it in the container's process list; "sshpass -e" reads it from the SSHPASS environment variable instead.

ZX: Note the "$SFTP_PASSWORD". This is a secret variable set under your Gitlab repository's "Settings" section, "Pipelines" subsection (in current Gitlab: Settings > CI/CD > Variables). Mark it protected, so that only pipelines on protected branches such as master receive it, and masked, so that it is hidden in job logs.

If you scroll down, you will see a "Secret variables" section. The password for the SFTP account is specified there.

Line 14: Execute the "lftp" command with lftp's "mirror" feature, which replicates the directory tree of the source at the destination; "-R" (reverse) means upload, from the local ".public/" to the remote "/test". The "-e" command runs once connected; since the job has no terminal, lftp exits when its stdin closes (append "; bye" to the command to make this explicit).

ZX: Note the "sftp://" prefix in front of the server name ("servername.somedomain.com"). It is important to include this to establish SFTP connectivity. Without it, lftp assumes plain FTP, which would send the password in clear text.

Line 15: The "artifacts" section. Items listed under it are available for download after the job has completed.

Line 16: The "paths" section for the artifacts.

Line 17: Specify that the ".public" folder is to be kept as an artifact made available for download.

Line 18: The "only" section: the branches whose pushes cause this job to be executed.

Line 19: Specify that this job is to be executed only when someone pushes to the "master" branch.

That's basically all that is needed to get Gitlab to send files to your SFTP server.
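A hardened version of lines 13 and 14 as a deploy.sh that the job's script section calls with `sh deploy.sh deploy`. It is an added example, not part of the original post: it pins the server's host key instead of disabling checking, authenticates with a deploy key instead of a password on the command line, and stages exactly the committed files. The variable names SFTP_HOST, SFTP_USER, SFTP_HOST_KEY, SFTP_PRIVATE_KEY and SFTP_REMOTE_DIR are assumed CI variables, and the server is assumed to accept public-key authentication. If it only takes passwords, put `open -u user,password` in the same stdin script rather than on the command line; the rest is unchanged.

```sh
#!/bin/sh
# deploy.sh: hardened replacement for the sshpass/lftp lines of the job above.
# Added example, not from the original post. Assumed CI variables (constructed
# names; set them as protected, masked variables under Settings > CI/CD > Variables):
#   SFTP_HOST         servername.somedomain.com
#   SFTP_USER         zhixian
#   SFTP_HOST_KEY     one known_hosts line, "servername.somedomain.com ssh-ed25519 AAAA...",
#                     taken once with `ssh-keyscan -t ed25519 servername.somedomain.com`
#                     on a trusted machine and compared with the server's own fingerprint
#   SFTP_PRIVATE_KEY  the deploy user's OpenSSH private key; the server holds the public half
#   SFTP_REMOTE_DIR   /test
# Job wiring: before_script runs `apk add openssh-client lftp git`, script runs `sh deploy.sh deploy`.
set -eu

# Write the pinned host key to a private known_hosts file (dir 0700, file 0600).
# ssh then runs with StrictHostKeyChecking=yes: a host presenting any other key is
# rejected, where StrictHostKeyChecking=no would accept it and hand it the
# credentials. Prints the file path.
write_known_hosts() {   # $1 = directory, $2 = known_hosts line
    umask 077
    mkdir -p "$1"
    printf '%s\n' "$2" > "$1/known_hosts"
    printf '%s\n' "$1/known_hosts"
}

# Write the deploy key with mode 0600 (ssh refuses group- or world-readable keys).
write_deploy_key() {    # $1 = directory, $2 = key material
    umask 077
    mkdir -p "$1"
    printf '%s\n' "$2" > "$1/deploy_key"
    printf '%s\n' "$1/deploy_key"
}

# Stage the committed tree of HEAD only. `cp -r *` skips dot-files, which keeps .git
# out but also drops dot-files the site may need (.htaccess); git archive exports
# exactly the committed files and nothing from .git.
stage_tracked_files() { # $1 = destination directory
    mkdir -p "$1"
    git archive --format=tar HEAD | tar -x -C "$1"
}

# Emit the lftp command script. The ssh options ride on lftp's sftp:connect-program
# setting, and the script reaches lftp on stdin, so no secret or key path shows up
# in the container's process list the way `sshpass -p $SFTP_PASSWORD` does.
build_lftp_script() {   # $1 known_hosts, $2 key, $3 user, $4 host, $5 local dir, $6 remote dir
    cat <<EOF
set sftp:connect-program "ssh -a -x -i $2 -o IdentitiesOnly=yes -o StrictHostKeyChecking=yes -o UserKnownHostsFile=$1"
set cmd:fail-exit true
open -u $3, sftp://$4
mirror -R --verbose $5 $6
bye
EOF
}

deploy_main() {
    workdir=$(mktemp -d)
    trap 'rm -rf "$workdir"' EXIT   # never leave the key in the workspace or in artifacts
    known_hosts=$(write_known_hosts "$workdir" "$SFTP_HOST_KEY")
    key=$(write_deploy_key "$workdir" "$SFTP_PRIVATE_KEY")
    stage_tracked_files "$workdir/public"
    build_lftp_script "$known_hosts" "$key" "$SFTP_USER" "$SFTP_HOST" \
        "$workdir/public/" "$SFTP_REMOTE_DIR" | lftp
}

case "${1:-}" in
    deploy) deploy_main ;;
esac
```

With the key pinned, a changed host key (a rebuilt server, or something else answering for its name) fails the job loudly; update SFTP_HOST_KEY deliberately when the server is reinstalled rather than weakening the check. The artifacts section of the job can point at the staged directory instead of .public if a downloadable copy is still wanted.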

References

Configuration of your jobs with .gitlab-ci.yml (https://docs.gitlab.com/ee/ci/yaml/)

2016-09-12

Cannot pull images from docker.io

Filed under: docker. Posted by Zhixian at 18:14.

Summary

  1. You are unable to download Docker images from the registry.
  2. You receive a "network timed out" error message.
  3. The issue is probably due to Docker's DNS Server setting. Switch it from Automatic to Fixed to resolve the issue.

Details

If you have just installed Docker on Windows (in my case Windows 10 Pro), you may encounter the following error message when trying to pull an image from docker.io:

C:\VMs\Docker>docker pull hello-world
Using default tag: latest
Pulling repository docker.io/library/hello-world
Network timed out while trying to connect to https://index.docker.io/v1/repositories/library/hello-world/images. You may want to check your internet connection or if you are behind a proxy.

However, when you open the same URL (https://index.docker.io/v1/repositories/library/hello-world/images) in your browser, it loads without problems.

This may be due to an issue with Docker's network settings, specifically the DNS Server setting.
It is set to Automatic by default, and the resolver chosen that way may not be able to resolve the registry's host name.

To resolve this issue, simply set the DNS Server setting to "Fixed".
For the IP address of the DNS server you can accept the default of 8.8.8.8 (Google's public resolver) or enter your organisation's resolver instead.
After clicking the "Fixed" radio button, click "Apply" to apply your changes.
This will cause Docker to restart.

After Docker has restarted, you should find that you can pull images without any issues.

image

2016-01-04

Fixing “The Parallel port driver service failed to start” on Windows 2003

Filed under: computing, windows. Posted by Zhixian at 19:42.

My first blog post for 2016.
This is a reminder blog post.

Summary

  1. Symptoms
  2. Solution
  3. Reference

Symptoms

When Windows 2003 boots up, you may see a message like the one below (a "service failed to start" dialog).

When you log in to Windows and examine the Event Viewer, you may see an error under System.

When you open the error, you see the message "The Parallel port driver service failed to start".

Solution

Start a Windows command prompt and run the following command:

sc config parport start= disabled

Note the space after "start=" in the above command. It is required: sc.exe treats "start=" as the option name and the next token as its value.

After running this command, you should no longer see the error message on the next Windows boot. The driver is simply disabled, which is appropriate on a virtual machine that has no parallel port.
Note: This solution deviates from the one stated in the reference.

 

Reference

  1. Error message on a Windows Vista-based or Windows Server 2008-based computer that does not have a parallel port: "The Parallel port driver service failed to start"

2015-11-02

Minix3 Basic Software Sets

Filed under: computing, minix3. Posted by Zhixian at 17:49.

Installing the basic software sets on Minix3 is done by executing the following commands at the command line:

# pkgin update
# pkgin_sets

When pkgin_sets is executed, it shows the screen below and prompts you to install each set one by one.

Zhixian's note: The installed software can be found in /usr/pkg/bin (or /usr/pkg/sbin for system executables).

First prompt installs:

  1. openssh
  2. vim (an exception to the note above; the executable is found at /usr/bin/vi)
  3. curl

Second prompt install:

  1. git-base
  2. bmake
  3. gmake
  4. binutils
  5. clang

Third prompt installs:

  1. bison
  2. groff
  3. perl
  4. python (the executable for python is named “python2.7” instead of “python” as found in other installations.)

(Screenshots of the three prompts and of the completed installation are not reproduced here.)

For some reason the tiff library is missing from the repository; it was searched for and installed separately after the sets had finished.

MINIX3 Installation

Filed under: computing, minix3. Posted by Zhixian at 16:32.

A list of screen dumps that I took while installing Minix3 on VirtualBox.
Dumping the screens first. I intend to annotate them at a later date.

(16 installation screenshots not reproduced.)

End of installation

2015-10-23

Setup Ubuntu (Trusty Tahr) for development

Filed under: development, ubuntu. Posted by Zhixian at 11:18.

This blog post is on my setting up another Ubuntu Server VM.
This time I want a VM that has the common software development applications pre-installed.
As such, most of the steps are similar to what I did in a previous blog post.
So in this blog post I will start from the screen where I can select pre-packaged software.

image

Although I was not really sure I needed the DNS server and print server, I thought "Ah well. Might as well."
So they are included.

Setup MySQL

The first thing to set up is a password for the MySQL server "root" account.
Note: You may have noticed that the background colour has changed from purple to blue.
This was because I typed the wrong confirmation password when setting the password.

image

 

image

Setup E-mail

(Mail server configuration screenshots not reproduced.)

2015-10-15

Connecting to OpenSSH server using MobaXterm

Filed under: computing, ubuntu. Posted by Zhixian at 14:19.

This blog post covers connecting to the OpenSSH server installed on Ubuntu Server using MobaXterm.

Testing OpenSSH

I want to connect to the OpenSSH server.
For this purpose, I use MobaXterm from Mobatek (http://mobaxterm.mobatek.net/).
This is a terminal application with a few other tools built in.
It has a professional edition that costs money and a home edition that is free.
For our local development purposes, the free edition is fine.

Alternatively, there is the PuTTY series (http://www.putty.org/) of applications.

The remainder of this post assumes you are using MobaXterm.

After you start up MobaXterm, you may see a window like the below.
Click on the Session button on the menu.
This will open the Session Settings dialog.

image

On the Session Settings dialog, click on the SSH button on the top menu.

image

Under the Basic SSH settings tab, enter the name of the remote host.
Click the OK button to connect to the server.

image

After you click OK, MobaXterm starts your session in a new tab.
On the first connection it asks you to accept the server's host key fingerprint; compare it with the one shown on the server itself (ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub, or the RSA key), because accepting an unknown fingerprint blindly is what a man-in-the-middle relies on.
You should then see your usual login prompt and be able to log in to your account as usual.

image

File transfer using SFTP

You can transfer files from your Windows machine to your Ubuntu machine using SFTP (the SSH File Transfer Protocol, which runs inside the same SSH connection and is unrelated to FTP or FTPS).
One of the tools built into MobaXterm is an SFTP client.
Click on the SFTP tab to display the remote directory and the files in it.

image

To transfer files, simply drag and drop the files you want to transfer onto the area showing the files in the selected directory.

Ubuntu Server Initial Setup

Filed under: computing, ubuntu. Posted by Zhixian at 13:29.

After you have installed your Ubuntu server, you may want to do some initial setup.
Specifically, you may want to add another account instead of working in the one created during installation.

Adding user account

Adding users can be done with the command adduser. In the command line below, I am creating a developer account called 'developer'.

$ sudo adduser developer

After you have created the user account, it might be useful to add the account to the 'sudo' group so that it can use the 'sudo' command. Note that "addgroup developer sudo" does not do this: Debian's adduser script rejects addgroup with two arguments. The two-argument form of adduser is the one that adds an existing user to an existing group (usermod -aG sudo developer is equivalent):

$ sudo adduser developer sudo

The new membership takes effect at the account's next login. You can check which groups an account belongs to with the 'groups' command:

$ groups developer

2015-10-11

Setting up Ubuntu 14.04 Server on VirtualBox

Filed under: computing, ubuntu. Posted by Zhixian at 17:15.

This is a blog post that describes my setup of Ubuntu Server 14.04 (Trusty Tahr) on VirtualBox.
I intend to use this server for local software development.

Selected software package   Description
OpenSSH server              Needed for remote secure shell sessions
LAMP                        Linux, Apache, MySQL, PHP development stack
PostgreSQL database         Best open-source database
Samba file server           File sharing

Skipped software package    Description
DNS server                  Don't really think I need it
Mail server                 I will describe this in a later blog post
Print server                Don't really think I need it
Tomcat Java server          Not sure if I want to use this

(28 installer screenshots not reproduced.)