How to add a subdomain securely
I want to move wlankabel.com/blog to blog.wlankabel.at. After upgrading to Ubuntu 20.04 I noticed that the certbot executable was missing. A quick internet search led me to this post, which mentions that certbot was removed from the global repository and that on Focal/Ubuntu 20.04 there are 3 options to install it: apt, pip and snap.
SNAP is a package manager with the goal of packaging all dependencies into the binary, which can be advantageous, but takes a lot of space, and its reviews tend to be rather negative [1][2]. So let's exclude that from the options.

PIP is the package manager for python packages. I once read that when installing packages with pip, it is advisable to install them in a virtual environment. Since I'd rather not do that, the last option is apt.

APT is the default package manager for Debian-based distros (e.g. Ubuntu), and up to now certbot was installed with apt, so I decided to install it with apt again. In order for it to work I have to add a repository, but I hope that there is no big downside except that apt will always check this additional repo for updates.
The post also mentions that only one option should be chosen and that old installations should be removed completely:
$ sudo apt remove certbot\* --purge
After reading that the APT version is two years behind, I decided to go with the PIP installation method. So let's create a virtual environment in order to leave the installation of python as untouched as possible:
$ sudo apt install python3.8-venv
$ sudo python3 -m venv /usr/local/src/certbot --prompt certbot
# source /usr/local/src/certbot/bin/activate
# pip3 install certbot
# certbot --help
I had to install the virtual environment module for python. Then, I created a virtual environment. The last few commands I had to execute as the root user because I wasn't able to chain two commands with sudo, and otherwise the activation is reversed after the first command because sudo opens a sub-shell.
When I looked at the help text (certbot --help), I spotted that the certbot apache plugin is not installed, which sucked. So I had a look at the documentation (which I should have done from the beginning): they propose (and even strongly recommend) installing with SNAP, even for Ubuntu 16 and Debian. Still, I found the official instructions on how to install with pip here.
And there is no need to login as root. Just use the following instead of the last code block:
$ sudo apt install python3.8-venv
$ sudo python3 -m venv /usr/local/src/certbot --prompt certbot
$ sudo /usr/local/src/certbot/bin/pip3 install certbot certbot-apache
$ sudo ln -s /usr/local/src/certbot/bin/certbot /usr/local/bin/certbot
$ sudo certbot --help
$ sudo certbot --apache
But, of course, I got some errors about non-existing files referenced in a config file. So I commented them out and retried apache2ctl configtest, which didn't return any errors anymore. So I felt more or less confident executing sudo certbot --apache again.
It was after I had answered diverse questions, including which domains should be certified, that I noticed that blog.wlankabel.at wasn't among the options. A quick look in the folder /etc/apache2/sites-enabled showed that the subdomain was indeed not enabled.
I had to have a look at the short documentation in /etc/apache2/apache2.conf, which points out that the symbolic links from /etc/apache2/sites-available to /etc/apache2/sites-enabled shouldn't be managed manually, but rather with the a2ensite/a2dissite helper scripts.
$ sudo a2ensite # enable site(s) interactively
$ sudo systemctl reload apache2
By reloading the config I crashed the server, even though apache2ctl configtest didn't return any errors. The problem (which I found by following /var/log/apache2/error.log > /var/www/html/logs/error_log) was that I had specified the virtual host with <VirtualHost *:443> (the HTTPS port) even though there was no SSL certificate present yet. So I changed it to :80 and restarted apache2:
$ sudo systemctl restart apache2
This didn't solve the error: Fatal error initialising mod_ssl, exiting. See /var/www/html/logs/error_log for more information, even though I had changed every virtual host to port 80. Even after disabling the ssl module apache didn't come back to life (which I used as an opportunity to disable some unneeded sql modules):
$ sudo a2dismod # disable ssl mod
$ sudo systemctl restart apache2
What I needed to inspect was sudo systemctl status apache2.service, which told me where I had forgotten to close a <Virtualhost> tag and about some other wrong config semantics which apache2ctl configtest didn't catch. So I got apache running in HTTP mode again, with every SSL option commented out. Then, after re-enabling the ssl module, I finally could run
$ sudo a2enmod # enable ssl mod
$ sudo certbot --apache
and everything was smoothly handled by certbot from there, and this page is available under https://blog.wlankabel.at. The only thing not working yet is that when I click on a blog post, it is redirected to https://wlankabel.at/blog, but I think this is a small tweak in the config.php file of MiMDoBloP.
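Two of the problems above (an unclosed VirtualHost block and a *:443 vhost defined before any certificate existed) slipped past apache2ctl configtest and only showed up after the reload. The script below is an added example, not from the post or from Apache, of a pre-flight check that catches exactly those two cases in a site file before reloading; the check function name, the /var/www/blog DocumentRoot and the sample vhost are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: a pre-flight check for Apache
# vhost files that catches what "apache2ctl configtest" let through above:
#   - an unclosed <VirtualHost> block
#   - a *:443 vhost that names no SSLCertificateFile (mod_ssl then fails at start)
# It also warns about SSLCertificateFile/KeyFile paths that do not exist yet.
# Usage: check_vhost_conf /etc/apache2/sites-available/blog.conf  (0 = ok, 1 = problem)

check_vhost_conf() {
  local file="$1" opens closes
  [ -r "$file" ] || { echo "ERROR: cannot read $file" >&2; return 1; }
  opens=$(grep -ci '^[[:space:]]*<VirtualHost' "$file" || true)
  closes=$(grep -ci '^[[:space:]]*</VirtualHost>' "$file" || true)
  if [ "$opens" -ne "$closes" ]; then
    echo "ERROR: $file: $opens <VirtualHost> but $closes </VirtualHost>" >&2
    return 1
  fi
  # Walk each block: note whether it listens on :443 and whether it names a cert.
  awk -v f="$file" '
    BEGIN { rc = 0 }
    { l = tolower($0) }
    l ~ /^[ \t]*<virtualhost/ { in443 = (l ~ /:443>/); cert = 0; start = NR }
    l ~ /^[ \t]*sslcertificate(key)?file/ {
      if (l ~ /^[ \t]*sslcertificatefile/) cert = 1
      if (system("test -r \"" $2 "\"") != 0)
        printf "WARN: %s:%d: %s does not exist (yet)\n", f, NR, $2 > "/dev/stderr"
    }
    l ~ /^[ \t]*<\/virtualhost>/ && in443 && !cert {
      printf "ERROR: %s:%d: *:443 vhost has no SSLCertificateFile\n", f, start > "/dev/stderr"
      rc = 1
    }
    END { exit rc }' "$file"
}

# Constructed sample: the :443 vhost from the post before certbot had added a cert.
demo() {
  local tmp; tmp=$(mktemp)
  cat > "$tmp" <<'EOF'
<VirtualHost *:443>
    ServerName blog.wlankabel.at
    DocumentRoot /var/www/blog
    SSLEngine on
</VirtualHost>
EOF
  check_vhost_conf "$tmp"; local rc=$?
  rm -f "$tmp"
  return $rc
}
```

Run the check on each file in /etc/apache2/sites-available before a2ensite and the reload; once certbot has written the SSLCertificateFile lines, the same file passes.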
Follow up question: difference between /usr/local/ and /opt/ (also /usr/bin and /bin)