How to add a subdomain securely
I want to move wlankabel.com/blog to blog.wlankabel.at. After upgrading to Ubuntu 20.04 I noticed that the certbot executable was missing. A quick internet search led me to this post, which mentions that certbot was removed from the global repository and that on Focal/Ubuntu 20.04 there are 3 options to install it: apt, pip and snap.
SNAP is a package manager with the goal of packaging all dependencies into the binary, which can be advantageous, but takes a lot of space, and its reviews tend to be rather negative. So let's exclude that from the options.
PIP is the package manager for Python packages. I once read that when installing packages with pip, it is advisable to install them in a virtual environment. Since I'd rather not do that, the last option is
APT is the default package manager for Debian-based distros (e.g. Ubuntu), and up to now certbot was installed with apt, so I decided to install it with apt again. In order for it to work I have to add a repository, but I hope that there is no big downside except that apt will always check this additional repo for updates.
In the post it was mentioned that only one option must be chosen and old installations should be deleted completely:
$ sudo apt remove certbot\* --purge
After reading that the APT version is two years behind, I decided to go with the PIP installation method. So let's create a virtual environment in order to leave the installation of Python as untouched as possible:
$ sudo apt install python3.8-venv
$ sudo python3 -m venv /usr/local/src/certbot --prompt certbot
# source /usr/local/src/certbot/bin/activate
# pip3 install certbot
# certbot --help
I had to install the virtual environment module for Python. Then I created a virtual environment. The last few commands I had to execute as root user because I wasn't able to chain two commands with sudo and otherwise the activation is reversed after the first command because sudo opens a sub-shell.
When I looked at the help text (certbot --help), I spotted "the certbot apache plugin is not installed", which sucked. So I had a look at the documentation (which I should have done from the beginning) and they propose (and even strongly recommend) to install with SNAP, even for Ubuntu 16 and Debian. Though, I found the official instructions on how to install with pip here.
And there is no need to log in as root. Just use the following instead of the last code block:
$ sudo apt install python3.8-venv
$ sudo python3 -m venv /usr/local/src/certbot --prompt certbot
$ sudo /usr/local/src/certbot/bin/pip3 install certbot certbot-apache
$ sudo ln -s /usr/local/src/certbot/bin/certbot /usr/local/bin/certbot
$ sudo certbot --help
$ sudo certbot --apache
But - of course - I got some errors about some non-existent files in a config file. So I commented them out and retried apache2ctl configtest, which didn't return any errors anymore. So I felt more or less confident executing sudo certbot --apache again.
It was after I had answered various questions, including which domains should be certified, that I noticed that blog.wlankabel.at wasn't part of the options. A quick look in the folder /etc/apache2/sites-enabled showed that the subdomain was indeed not enabled.
I had to have a look at the short documentation at /etc/apache2/apache2.conf where they point out that the symbolic links from /etc/apache2/sites-enabled shouldn't be managed manually, but rather with the a2ensite/a2dissite helper scripts.
$ sudo a2ensite # enable site(s) interactive
$ sudo systemctl reload apache2
By reloading the config I crashed the server even though apache2ctl configtest didn't return any errors. The problem (which I found through this path /var/www/html/logs/error_log) was, though, that I specified the virtual host with <VirtualHost *:443> (https port) even though there was no SSL certificate present yet. So I changed it to :80 and restarted apache2:
$ sudo systemctl restart apache2
This didn't solve the error: "Fatal error initialising mod_ssl, exiting. See /var/www/html/logs/error_log for more information", even though I changed the port to 80 for every virtual host. Even after disabling the ssl module apache didn't come back to life (which I used as an opportunity to disable some unneeded sql modules):
$ sudo a2dismod # disable ssl mod
$ sudo systemctl restart apache2
What I needed to inspect was sudo systemctl status apache2.service, which told me where I had forgotten to close a <Virtualhost> tag and some other false config semantics which apache2ctl configtest didn't catch. So I got apache running in HTTP mode again. Every SSL option was commented out. Then, after re-enabling the ssl module, I finally could run
$ sudo a2enmod # enable ssl mod
$ sudo certbot --apache
and everything was smoothly handled by certbot from there, and this page is available under https://blog.wlankable.at. The only thing not working yet is that when I click on a blog post, it will be redirected to https:wlankabel.at/blog, but I think this is a small tweak in the config.php file of MiMDoBloP.
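The two configuration mistakes described in this post, a :443 virtual host without a certificate and an unclosed <VirtualHost> tag, can be checked for before reloading Apache. The following shell function is an added example, not part of the original post; the names lint_vhost and write_sample and the sample configuration are constructed for illustration, and treating port 443 as "needs a certificate" is a heuristic.

```shell
# Added example (not from the original post): lint a vhost file before reload.
# Prints one finding per line; exit status 0 = clean, 1 = findings.
lint_vhost() {
    awk '
    function report(msg) { print FILENAME ":" NR ": " msg; bad++ }
    /^[ \t]*#/ || NF == 0 { next }            # skip comments and blank lines
    { d = tolower($1) }                       # directive names are case-insensitive
    d == "<virtualhost" {
        if (open) report("<VirtualHost> from line " start " is still open")
        open = 1; start = NR; certs = 0
        tls = ($0 ~ /:443[ \t>]/)             # heuristic: port 443 means TLS
        next
    }
    d == "</virtualhost>" {
        if (!open) report("closing tag without an opening <VirtualHost>")
        else if (tls && !certs) report(":443 vhost without SSLCertificateFile")
        open = 0; next
    }
    d == "sslcertificatefile" || d == "sslcertificatekeyfile" {
        path = $2; gsub(/"/, "", path)
        if (d == "sslcertificatefile") certs++
        # getline returns -1 when the file cannot be opened
        if ((getline probe < path) < 0) report($1 " file not found: " path)
        close(path)
    }
    END {
        if (open) report("<VirtualHost> from line " start " is never closed")
        exit (bad > 0)
    }' "$1"
}

# Constructed sample: a :443 vhost written before any certificate exists,
# followed by a vhost whose closing tag was forgotten.
write_sample() {
    cat > "$1" <<'EOF'
<VirtualHost *:443>
    ServerName blog.example.test
    SSLEngine on
    SSLCertificateFile /nonexistent/fullchain.pem
</VirtualHost>
<VirtualHost *:80>
    ServerName blog.example.test
EOF
}
sample=$(mktemp)
write_sample "$sample"
lint_vhost "$sample" || echo "do not reload: fix the findings above first"
rm -f "$sample"
```

Run it against each site file before a2ensite and the reload; a non-zero exit status means the file should be fixed first.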
Follow up question: difference between /usr/local/ and /opt/ (also /usr/bin and /bin)