Category: Uncategorized

Set up Letsencrypt/Certbot with Nginx web server with webroot

The default certbot certonly –standalone is quite useful for a quick start to run a standalone server and get the SSL certificate. But nowadays everyone is running their own server. Which would cause the issue of binding port 80 fail. In order to fix this would be using –webroot instead.

Firstly, create a new folder for nginx to serve static file

mkdir -p /var/www/letsencrypt/.well-known/acme-challenge

Secondly, in each server config that you want to have SSL add the followings, E.g. inside abcd.com.conf into the server listen 80 block.


location ^~ /.well-known/acme-challenge/ {
root /var/www/letsencrypt;
}

It tells nginx when matching path /.well-known/acme-challenge/, go to /var/www/letsencrypt/.well-known/acme-challenge/ to find the file.

Thirdly, run nginx reload and

letsencrypt certonly --webroot -w /var/www/letsencrypt -d abcdef.com

Letsencrypt will put a text file inside /var/www/letsencrypt/.well-known/acme-challenge and fire a get request to achieve it in order to finish the justification. You can tail the nginx log to see the requests to debug.

Fourthly, you add the listen 443 block into your domain’s nginx config file


listen 443;
server_name asdf.com;
ssl on;
ssl_certificate /etc/letsencrypt/live/asdf.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/asdf.com/privkey.pem;
ssl_prefer_server_ciphers On;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECD;

Lastly, create a cron job task file asdf.com.renew in /etc/cron.d/

@monthly root /bin/bash -c "/usr/bin/letsencrypt certonly --webroot -w /var/www/letsencrypt -d asdf.com"

Hope that helps!

Advertisements

Action required: Let’s Encrypt certificate renewals

Just received email from letsencrypt.org to upgrade certbot as TLS-SNI-01 validation is reaching end-of-life.

By running

/usr/bin/letsencrypt --version
certbot 0.17.0

Following the instructions from https://community.letsencrypt.org/t/how-to-stop-using-tls-sni-01-with-certbot/83210 needs to upgrade to 0.28 or higher.


$ sudo apt-get update
$ sudo apt-get install python-certbot-nginx
certbot --version
certbot 0.28.0

2.Remove any explicit references to tls-sni-01 in your renewal configuration:

sudo sh -c "sed -i.bak -e 's/^\(pref_challs.*\)tls-sni-01\(.*\)/\1http-01\2/g' /etc/letsencrypt/renewal/*; rm -f /etc/letsencrypt/renewal/*.bak"

3. Run sudo certbot renew –dry-run. Remember to turn off nginx before you run it as it will have fail to bind port error.

That’s it. Good Luck with your upgrade.

Regex in Ruby

# encoding: utf-8

Regex In Ruby – Capture Groups

Lecky Lao(@leckylao)

RORO 09-06-2015

Mongo BSON Injection: Ruby Regexps Strike Again

Jun 4, 2015 • Egor Homakov (@homakov)

Mongoid is an ODM(Object Document Mapper) Framework
for MongoDB written in Ruby

Mongoid uses more low-level adapter Moped which uses BSON-ruby

the vulnerability is in legal? method of BSON::ObjectId 

 
  # /\nhi\n/ =~ /hi$/
  # /\nhi\n/ =~ /hi\Z/
  # /\nhi\n/ =~ /hi\z/

  # Vulnerable
  def legal?(string)
    # March 31 2013 to Apr 7 2013
    /\A\h{24}\Z/ === string.to_s
    # currently it thinks Mongo is down and pings it 39 more times with intervals.
    # In other words it keeps the worker busy for 5 seconds and makes x40 requests to Mongo DB
    # One way or another, it is Denial of Service.

    # Apr 7 2013 till now
    string.to_s =~ /^[0-9a-f]{24}$/i ? true : false
    # he attacker can send any data to the socket with something like
    # _id=Any binary data\naaaaaaaaaaaaaaaaaaaaaaaa\nAny binary data
  end

  # Patch
  def ((defined?(Moped::BSON) ? Moped::BSON : BSON)::ObjectId).legal?(s)
    /\A\h{24}\z/ === s.to_s
  end

—-Capturing Groups—-

    # What's the difference?

    /sat (in)/.match("The cat sat in the hat")

    "The cat sat in the hat" =~ /sat (in)/

The difference is

The operator =~ returns the index

of the first match (nil if no match)

and stores the MatchData

in the global variable $~

The method match returns

the MatchData itself (again, nil if no match)

Grouping with reference

    # What's the difference?

    /\$(?\d+)\.(?\d+)/.match("$3.67")

    "$3.67" =~ /\$(?\d+)\.(?\d+)/

    /\$(?\d+)\.(?\d+)/ =~ "$3.67"

The difference is

When named capture groups are used with a literal regexp

on the left-hand side of an expression and the =~ operator,

the captured text is also assigned to local variables

with corresponding names.

—-Backreferences—-

    # Is this correct?

"The cat sat in the hat".gsub(/(.*)cat(.*)/, "#{$1}black dog#{$2}")
"The cat sat in the hat".gsub(/(.*)cat(.*)/, "\1black dog\2")

"The cat sat in the hat".gsub(/(.*)cat(.*)/, '\1black dog\2')

"The cat sat in the hat".gsub(/(?<prefix>.*)cat(.*)/, '\k<prefix>black dog\2')

"The cat sat in the hat".gsub(/(?<prefix>.*)cat(?<suffix>.*)/, '\k<prefix>black dog\k<suffix>')

$1 and $2 only store after the execution, therefore
DO NOT USE $1 AND $2 IN GSUB,
and use \\1 and \\2 instead

use '' instead of "" when using regex

A regexp can't use named backreferences
and numbered backreferences simultaneously.

That's all, thanks!

slide: https://github.com/leckylao/tkn – examples/regex_in_ruby.rb

slides made using tkn(https://github.com/fxn/tkn)"

Rails Complex Order Query

Today gonna talk about Rails Complex Query for ordering. Here’s a simple query order by status

@events = @events.order("status DESC")

But what happen if you want to make the query to order the status in a specific sequence. Here’s the example:

@events = @events.order("
CASE
WHEN events.status = 'NEW' THEN 0
WHEN events.status = 'OPEN' THEN 1
WHEN events.status = 'UPDATED' THEN 2
WHEN events.status = 'WAITING' THEN 3
WHEN events.status = 'ABANDONED' THEN 4
ELSE 5
END")

Happy Hacking, Enjoy! 🙂