< prev home next >
approximate reading time: 8 minutes
created by pur on 2022/03/27 - last changed on 2022/09/09

How to add a subdomain securely

I want to move wlankabel.com/blog to blog.wlankabel.at. After upgrading to Ubuntu20.04 I noticed that the certbot executable was missing. A quick internet search provided me this post, where it's mentioned that certbot was removed from the global repository. And that on Focal/Ubuntu 20.04 there are 3 options to install it: apt, pip and snap.

In the post it was mentioned, that only one option must be chosen and old installations should be deleted completely:

$ sudo apt remove certbot\* --purge

After reading that the APT version is two years behind, I decided to go with the PIP installation method. So let's create a virtual environment in order to leave the installtion of python as untouched as possible:

$ sudo apt install python3.8-venv
$ sudo python3 -m venv /usr/local/src/certbot --prompt certbot
# source /usr/local/src/certbot/bin/activate
# pip3 install certbot
# certbot --help

I had to install the virtual environment module for python. Then, I created a virtual environment. The last few commands I had to execute as root user because I wasn't able to chain two commands with sudo and otherwise the activation is reversed after the first command because sudo opens a sub-shell.

When I looked at the help text (certbot --help), I spotted the certbot apache plugin is not installed, which sucked. So I had a look at the documentation (which I should have done from the beginning) and they propose (and even strongly recommend) to install with SNAP, even for Ubuntu 16 and Debian. Though, I found the official instructions on how to install with pip here.

And there is no need to login as root. Just use the following instead of the last code block:

$ sudo apt install python3.8-venv
$ sudo python3 -m venv /usr/local/src/certbot --prompt certbot
$ sudo /usr/local/src/cerbot/bin/pip3 install certbot certbot-apache
$ sudo ln -s /usr/local/src/certbot/bin/certbot /usr/local/bin/certbot
$ sudo certbot --help
$ sudo certbot --apache

But - of course - I got some errors about some not existing files in a config file. So I commented them out and retried apache2ctl configtest, which didn't return any errors anymore. So, I felt more or less confident executing sudo certbot --apache again. It was after I had answered diverse questions including which domains should be certified, that I noticed that blog.wlankabel.at isn't part of the options. A quick look in the folder /etc/apache2/sites-enabled showed, that the subdomain was indeed not enabled. I had to have a look at the short documentation at /etc/apache2/apache2.conf where they point out, that the symbolic links from /etc/apache2/sites-available to /etc/apache2/sites-enabled shouldn't be managed manually, but rather with the a2ensite/a2dissite helper scripts.

$ sudo a2ensite # enable site(s) interactive
$ sudo systemctl reload apache2

By reloading the config I crashed the server even though apache2ctl configtest didn't return any errors. The problem (which I found through this path /var/log/apache2/error.log>/var/www/html/logs/error_log) was, though, that I specified the virtual host with <VirtualHost *:443> (https port) even though there was no SLL certificate present yet. So I changed it to :80 and restarted the apache2:

$ sudo systemctl restart apache2

This didn't solve the error : Fatal error initialising mod_ssl, exiting. See /var/www/html/logs/error_log for more information, even though I changed port 80 for every virtual host. Even after disabling the ssl module apache didn't come back to life (which I used as an opportunity to disable some unneeded sql modules):

$ sudo a2dismod # disable ssl mod
$ sudo systemctl restart apache2

What I needed to inspect was sudo systemctl status apache2.service which told me, where I had forgotten to close a <Virtualhost> tag and some other false conifg symantics which apache2ctl configtest didn't catch. So, I got apache running in HTTP mode again. Every SSL option was commented out. Then, after re-enabling the ssl module, I finally could run

$ sudo a2enmod # enable ssl mod
$ sudo certbot --apache

and everything was smoothly handled by certbot from there and this page is available under https://blog.wlankable.at. The only thing not working yet is, that when I click on a blog post, it will be redirected to https:wlankabel.at/blog, but I think this is a small tweak in the config.php file of MiMDoBloP.

Follow up question: difference between /usr/local/ and /opt/ (also /usr/bin and /bin)