Let's Encrypt webroot on NGINX

Posted: 2015-12-06 14:09:42 by Alasdair Keyes

Direct Link | RSS feed

Like a number of people I've been looking forward to the release of Let's Encrypt, the free system to allow every one to get an SSL Certificate. It's now in open beta and can be used by all.

You can read how it works and how to get it setup here.

After some playing about I found the following setup good for my needs. My system is NGINX running on Debian Jessie.

Run the following with superuser access.

mkdir /var/le_root
chown www-data: /var/le_root
chmod 700 /var/le_root

Create /etc/nginx/snippets/lets_encrypt.conf with the following text

location /.well-known/acme-challenge/ {
    allow all;
    auth_basic off;
    root /var/le_root;

The allow all; and auth_basic off; is because some of my sites have IP or basic auth restrictions which I don't want taking effect on this folder as it'll stop Lets Encrypt validating the site.

In each website virtualhost config add the line

include snippets/lets_encrypt.conf;

This snippet aliases /.well-known/acme-challenge/ on any hosting space for the to /var/le_root, we can then tell Let's Encrypt to use /var/le_root for all its validation files so with one command, create certs for any site I have on my server

Then just run

./letsencrypt-auto certonly --webroot -w /var/le_root -d mydomain.com

And your cert/key will be available in /etc/letsencrypt/live/mydomain.com/

The Let's Encrypt certs only last 90 days, whilst this may increase in future, I've added it to my Nagios checks, however, you can also use the following bash script in a cron to check the expiry dates of your certificates. It's easily ammended to auto renew certificates if you wish, I'll update it to auto-renew once I've had to renew one of my own certs.


If you found this useful, please feel free to donate via bitcoin to 1NT2ErDzLDBPB8CDLk6j1qUdT6FmxkMmNz

xfreerdp clipboard

Posted: 2015-11-23 08:45:24 by Alasdair Keyes

Direct Link | RSS feed

You can allow XfreeRDP under Linux to access your clipboard, run it with the following plugin enabled

xfreerdp --plugin cliprdr hostname

No more typing in 32 character passwords key by key!

If you found this useful, please feel free to donate via bitcoin to 1NT2ErDzLDBPB8CDLk6j1qUdT6FmxkMmNz

Inbox Zero

Posted: 2015-11-21 15:43:24 by Alasdair Keyes

Direct Link | RSS feed

Having recently started a new job, I've started trying to implement Inbox Zero.

Although I don't stick to it's 5 points religiously, I find the basic premise extremely useful and have adapted it to a way that I find most useful.

I now use my inbox as part of my todo list, when I look at my inbox I now apply the following rules

At this point, the only things I have to worry about are what's in the inbox as soon as I have dealt with them, I file it and move onto the next one.

So far, it's working well, after 7 weeks on the job my inbox this weekend is 1!

I'm now slowly trying to apply it to my personal emails too...

If you found this useful, please feel free to donate via bitcoin to 1NT2ErDzLDBPB8CDLk6j1qUdT6FmxkMmNz

OpenVPN and Android Lollipop connection problems

Posted: 2015-10-09 23:49:23 by Alasdair Keyes

Direct Link | RSS feed

I recently bought myself a One Plus 2 Android based phone. My previous and trusty Samsung Galaxy S1 had been with me for over 4 years and was starting to be unusably slow.

I won't go on about the Oneplus, reviews can be found all over the internet, however I decided to connect it to my OpenVPN setup... which wasn't as easy as I thought it might be.

The Google Play store has the official OpenVPN Connect client, which connected to my server correctly but seemed to consistently fail to add in it's routes. After trying unsuccessfully for a while, I came to the conclusion that it couldn't be made to work.

I removed this app and went for OpenVPN for Android, setup was just as easy as OpenVPN Connect and still had an issue with adding pushed routes. It thankfully has the option of adding custom routes on the client, under Routing set a custom route of and you will be routing all your non-local traffic to your VPN, much needed when you're regularly connecting to unknown wifi networks.

If you found this useful, please feel free to donate via bitcoin to 1NT2ErDzLDBPB8CDLk6j1qUdT6FmxkMmNz

Packtpub Free Learning eBooks

Posted: 2015-10-09 16:24:43 by Alasdair Keyes

Direct Link | RSS feed

Yesterday Russ informed me of Packtpub's Free Learning offer.

Every day, a new eBook is available for free so you can continue learning at reduced cost.

Just visit https://www.packtpub.com/packt/offers/free-learning, sign up and click the "Claim Your Free eBook" button.

To make this a little easier, I created a quick Perl script you can add to cron once per day and it'll email you with details of the current eBook

wget -Oget_packtpub_botd.pl https://gitlab.com/snippets/1731322/raw
chmod 755 get_packtpub_botd.pl

Add to cron and you'll get an email once a day saying...

Today's book is 'Making Big Data Work for Your Business'


If you found this useful, please feel free to donate via bitcoin to 1NT2ErDzLDBPB8CDLk6j1qUdT6FmxkMmNz

Permission Denied when scanning in Linux Mint

Posted: 2015-10-05 20:28:03 by Alasdair Keyes

Direct Link | RSS feed

I bought a Brother DCP-L2500D Printer/scanner yesterday. After some trepidation as to whether I would be able to use it under Linux, a quick Google search showed that Brother provided drivers for Windows, Mac and Linux. Kudos Brother, it's nice to see companies supporting all their customers not just the high volume users.

After installation of the Drivers into Linux Mint, I could print but not scan. Every time I tried I received the following error.

When trying to scan with XSane I would get

Failed to open device `brother4:bus1:dev1': Invalid argument

And under Simple Scan I would get

Failed to scan - Unable to connect to scanner

As I could print, I assumed the device was correct, so the failure to open device error indicated a permissions issue.

Although CUPS doesn't make use of the traditional device /dev/usb/lp0 (but instead uses a separate identifier usb://Brother/DCP-L2500D%20series?serial=XXXXXXXXXXXXXX), looking at this device showed that it was owned by the lp group

ls -al /dev/usb/lp0 
crw-rw---- 1 root lp 180, 0 Oct  5 20:13 /dev/usb/lp0

Although I was a member of the lpadmin group, I wasn't part of lp

$ id alasdair
uid=1000(alasdair) gid=1000(alasdair) groups=1000(alasdair),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),110(sambashare)

A quick change to my group ownership, then logging out and back in sorted it out and allowed me to scan.

$ sudo usermod -Ga lp alasdair
$ id alasdair
uid=1000(alasdair) gid=1000(alasdair) groups=1000(alasdair),4(adm),7(lp),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),110(sambashare)

If you get this issue, remember to logout/login before trying to scan again, it's key as a usermod won't take effect until you do.

If you found this useful, please feel free to donate via bitcoin to 1NT2ErDzLDBPB8CDLk6j1qUdT6FmxkMmNz

Easier IE Development

Posted: 2015-08-20 12:03:54 by Alasdair Keyes

Direct Link | RSS feed

If you ever need to do Web development, you know just how much of a pain cross-browser compatability is, specifically Internet Explorer. To make this a little easier, Microsoft have released a number of VMs to allow you to test lots of IE versions.


They have VMs for a number of different Hypervisors across a number of platforms.

It's nice to see Microsoft providing support for Linux and Mac users.

If you found this useful, please feel free to donate via bitcoin to 1NT2ErDzLDBPB8CDLk6j1qUdT6FmxkMmNz

Spamassassin CountryFilter 0.02 Released - IPv6

Posted: 2015-08-12 12:09:57 by Alasdair Keyes

Direct Link | RSS feed

An updated version of the CountryFilter plugin for SpamAssassin https://gitlab.com/alasdairkeyes/countryfilter-spamassassin has been released.

The new version now has Country Mapping and filtering support for IPv6 addresses. For Anyone using it, please make sure you check the README.md file on installation as the configuration file now has 2 new config lines to specify GeoIP database paths.

If you found this useful, please feel free to donate via bitcoin to 1NT2ErDzLDBPB8CDLk6j1qUdT6FmxkMmNz


Posted: 2015-08-10 16:30:26 by Alasdair Keyes

Direct Link | RSS feed

Containerisation seems to be taking over the OpenSource world at the moment, the increased uptake of systems like Docker is enabling systems admins and developers to perform rapid app deployment with increased portability.

Parallels proved the power of containerisation with their OpenVZ and Virtuozzo containerisation platforms showing that with the lower overheads you could run 2-3 times as many containers as you could VMs on a given bit of hardware. Containers aren't quite as isolated as VMs, but for most use cases they will do the job.

I had a cause today to require a number of machines that I could test some client server code at scale. Creating a number of VMs from scratch would be a daunting task (not to mention resource intensive) so I decided I'd give LXC a whirl. I'd been aware of LXC and what it can do for some time but I'd never tried it, I found quite a few of the articles were lacking a bit on setup so I thought I'd document my findings so others didn't have to find out the hard way.

This was installed on my LinuxMint desktop, the one package that a lot of guides missed out was the templates. Templates are build scripts build up containers for you.

sudo apt-get install lxc lxc-templates

If you look at ifconfig on the host, you'll see a new bridge interface created for your Containers to connect onto. DHCP is provided on the range by dnsmasq providing your containers access to the same network as your host. It will also allow access to the internet through the host machine.

$ ifconfig lxcbr0
lxcbr0    Link encap:Ethernet  HWaddr fe:c6:fc:75:66:ae  
          inet addr:  Bcast:  Mask:
          inet6 addr: fe80::6482:4aff:fea8:407f/64 Scope:Link
          RX packets:3863 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5951 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:362523 (362.5 KB)  TX bytes:6926072 (6.9 MB)

If you're looking to run debian based containers you'll need to install debootstrap

sudo apt-get install debootstrap

and if you're wanting CentOS, you'll need yum

sudo apt-get install yum

Once this is done you have everything you need.

First see what templates are available

# ls /usr/share/lxc/templates/
lxc-alpine     lxc-busybox  lxc-debian    lxc-gentoo        lxc-oracle  lxc-ubuntu
lxc-altlinux   lxc-centos   lxc-download  lxc-openmandriva  lxc-plamo   lxc-ubuntu-cloud
lxc-archlinux  lxc-cirros   lxc-fedora    lxc-opensuse      lxc-sshd

The templates names are the files shown with the lxc- prefix removed. First I'll build up a centos Box

# lxc-create -t centos -n lxc-centos-2
Host CPE ID from /etc/os-release: 
This is not a CentOS or Redhat host and release is missing, defaulting to 6 use -R|--release to specify release
Checking cache download in /var/cache/lxc/centos/x86_64/6/rootfs ... 
Cache found. Updating...
Loaded plugins: fastestmirror
Setting up Update Process
base                                                                                    | 3.7 kB     00:00     
base/primary_db                                                                         | 4.6 MB     00:02     
extras                                                                                  | 3.4 kB     00:00     
extras/primary_db                                                                       |  26 kB     00:00     
updates                                                                                 | 3.4 kB     00:00     
updates/primary_db                                                                      | 749 kB     00:00     
No Packages marked for Update
Loaded plugins: fastestmirror
Cleaning repos: base extras updates
0 package files removed
Update finished
Copy /var/cache/lxc/centos/x86_64/6/rootfs to /var/lib/lxc/lxc-centos-2/rootfs ... 
Copying rootfs to /var/lib/lxc/lxc-centos-2/rootfs ...
sed: can't read /etc/init/tty.conf: No such file or directory
Storing root password in '/var/lib/lxc/lxc-centos-2/tmp_root_pass'
Expiring password for user root.
passwd: Success

Container rootfs and config have been created.
Edit the config file to check/enable networking setup.

The temporary root password is stored in:


The root password is set up as expired and will require it to be changed
at first login, which you should do as soon as possible.  If you lose the
root password or wish to change it without starting the container, you
can change it from the host by running the following command (which will
also reset the expired flag):

        chroot /var/lib/lxc/lxc-centos-2/rootfs passwd

The example above is quite a short output, when you run it for the first time, you will get much more output as LXC grabs all the files it needs from the CentOS repository.

Now just run it

 lxc-start -n lxc-centos-2
CentOS release 6.7 (Final)
Kernel 3.19.0-25-generic on an x86_64

lxc-centos-2 login: init: rcS main process (7) killed by TERM signal
Entering non-interactive startup
iptables: No config file.                                  [WARNING]
Bringing up loopback interface:                            [  OK  ]
Bringing up interface eth0:  
Determining IP information for eth0... done.
                                                           [  OK  ]
Starting system logger:                                    [  OK  ]
awk: cmd. line:1: fatal: cannot open file `/etc/mtab' for reading (No such file or directory)
Mounting filesystems:                                      [  OK  ]
Generating SSH2 RSA host key:                              [  OK  ]
Generating SSH1 RSA host key:                              [  OK  ]
Generating SSH2 DSA host key:                              [  OK  ]
Starting sshd:                                             [  OK  ]

CentOS release 6.7 (Final)
Kernel 3.19.0-25-generic on an x86_64

lxc-centos-2 login: 

There you are, you can see all your containers with

# lxc-ls
lxc-centos-1  lxc-centos-2  
# lxc-info -n lxc-centos-2
Name:           lxc-centos-2
State:          RUNNING
PID:            21055
CPU use:        1.06 seconds
BlkIO use:      56.00 KiB
Memory use:     2.85 MiB
KMem use:       0 bytes
Link:           veth3GI7HY
 TX bytes:      1.42 KiB
 RX bytes:      5.25 KiB
 Total bytes:   6.67 KiB

You can see the network interface for the container on your host

# ifconfig veth3GI7HY
veth3GI7HY Link encap:Ethernet  HWaddr fe:c6:2d:53:f1:d8  
          inet6 addr: fe80::fcc6:2dff:fe53:f1d8/64 Scope:Link
          RX packets:13 errors:0 dropped:0 overruns:0 frame:0
          TX packets:36 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1458 (1.4 KB)  TX bytes:5607 (5.6 KB)

You can see how lightweight these containers are in disk usage

# du -hs /var/lib/lxc/lxc-centos-2/

To test it's speed lets create 10 containers

# time for NUM in `seq 10 20`; do lxc-create -t centos -n lxc-centos-$NUM; lxc-start -d -n lxc-centos-$NUM; done

system 0m16.356s

52 seconds to create and start 10 Containers

# lxc-ls
lxc-centos-10  lxc-centos-11  lxc-centos-12  lxc-centos-13  lxc-centos-14  lxc-centos-15  lxc-centos-16  lxc-centos-17  lxc-centos-18  lxc-centos-19  lxc-centos-20  

Don't need them anymore? lets just get rid of them.

# time for NUM in `seq 10 20`; do lxc-destroy -f -n lxc-centos-$NUM; done

system 0m2.744s

Each container runs SSH, so you can treat it as just another server when it comes to management. For development an use of leightweight systems, LXC really is the way forward.

If you found this useful, please feel free to donate via bitcoin to 1NT2ErDzLDBPB8CDLk6j1qUdT6FmxkMmNz

Critical Firefox Vulnerability

Posted: 2015-08-07 12:14:43 by Alasdair Keyes

Direct Link | RSS feed

If you're not aware, a critical Firefox vulnerability has been found being exploited in the wild.


It can affect Windows, Linux and MacOSX (althouth Mac hasn't been actively exploited) and allows a remote attacker to read any files you have permissions for on your local machine.

It's pretty shocking and if you use Firefox, you should update straight away. I mean, don't even finish this article. Upgrade it and then come back. There's no details how long this exploit has been in the wild for, so potentially, a lot of personal data has been hoovered up.

If you found this useful, please feel free to donate via bitcoin to 1NT2ErDzLDBPB8CDLk6j1qUdT6FmxkMmNz

IT Consultancy Services

I'm now available for IT consultancy and software development services - Cloudee LTD.

Happy user of Digital Ocean (Affiliate link)


Validate HTML 5