
Monday, November 4, 2019

Setup lets-encrypt certbot certificates with nginx server in debian-ubuntu Linux

Prerequisites

1. First, your nginx server must be publicly accessible via a public IP. If not, you will get an authentication error when creating the certificate via Let's Encrypt.
Install nginx and check that it is accessible from the public internet.

2. The CN (certificate name, i.e. your domain name) must correctly point to your publicly accessible nginx server.

Create an A record from your cloud console (if you are using one).

Step 1

First, add the required repository to download certbot

xxxxxxxxxxxxxxxxx$ sudo add-apt-repository ppa:certbot/certbot
This is the PPA for packages prepared by Debian Let’s Encrypt Team and backported for Ubuntu(s).
Press [ENTER] to continue or ctrl-c to cancel adding it
 — -
gpg: no valid OpenPGP data found.


Below are some errors I faced,

Error,

xxxxxxxxxxxxxxxxx$ sudo add-apt-repository ppa:certbot/certbot
sudo: add-apt-repository: command not found

Solution,

xxxxxxxxxxxxxxxxx$ sudo apt-get install software-properties-common
Reading package lists… Done
Building dependency tree
Reading state information… Done
The following additional packages will be installed:
xxxxxxxxxxxxxxxxx$ sudo apt-get update
Hit:1 http://security.debian.org stretch/updates InRelease
Reading package lists… Done

Error,

xxxxxxxxxxxxxxxxx$ sudo add-apt-repository ppa:certbot/certbot
gpg: keyserver receive failed: No dirmngr

Solution,

xxxxxxxxxxxxxxxxx$ sudo apt-get install dirmngr
Reading package lists… Done
Building dependency tree

Step 2

Install cert-bot packages

xxxxxxxxxxxxxxxxx$ sudo apt-get install python-certbot-nginx
Reading package lists… Done
Building dependency tree
Reading state information… Done

Step 3

Let's assume that our SSL certificate domain name is mysampledomain.com. Please note that you must register your domain before continuing with Let's Encrypt.
Go to the /etc/nginx/sites-available folder and create a file named mysampledomain.com.
Add the content below to the file,

    server {
        listen 443 ssl;
        server_name mysampledomain.com;
        <remaining code here>
    }

Save the file.

Step 4

Test the configuration,

xxxxxxxxxxxxxxxxx$ sudo nginx -t

Restart the nginx service if the test passes.

xxxxxxxxxxxxxxxxx$ sudo systemctl restart nginx
xxxxxxxxxxxxxxxxx$ sudo systemctl status nginx
● nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
Active: active (running) since Mon

Step 5

Now you can create the Let's Encrypt certificate using the certbot command,

xxxxxxxxxxxxxxxxx$ sudo certbot --nginx -d mysampledomain.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter ‘c’ to
cancel):
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
(A)gree/(C)ancel: A
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Congratulations! You have successfully enabled


It's done now. Check the sites-enabled/default file under /etc/nginx for the SSL 443 configuration created by the Let's Encrypt certbot. You can write your own rules for load balancing using that part.
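
One way to run that check from the shell, as an added example that is not part of the original post: the function looks in a site file for the directives certbot's nginx installer normally writes, including the redirect chosen in Step 5. The function names and the sample file are constructed; the paths assume certbot's default /etc/letsencrypt layout.

```shell
#!/bin/sh
# Added example, not from the original post. The sample site file is constructed.

write_sample_config() {  # $1 = output path
    cat > "$1" <<'EOF'
server {
    listen 443 ssl; # managed by Certbot
    server_name mysampledomain.com;
    ssl_certificate /etc/letsencrypt/live/mysampledomain.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mysampledomain.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
}
server {
    listen 80;
    server_name mysampledomain.com;
    if ($host = mysampledomain.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
}
EOF
}

audit_certbot_block() {  # $1 = site file, $2 = domain; returns the number of missing items
    acb_dom=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for use in a regex
    acb_live="/etc/letsencrypt/live/${acb_dom}"
    acb_missing=0
    s='[[:space:]]'
    # One "description|regex" pair per line; comment lines in the site file are ignored.
    while IFS='|' read -r acb_desc acb_re; do
        if grep -Ev "^$s*#" "$1" | grep -Eq "$acb_re"; then
            echo "ok       $acb_desc"
        else
            echo "MISSING  $acb_desc"
            acb_missing=$((acb_missing + 1))
        fi
    done <<EOF
listen 443 ssl|^$s*listen$s+(\[::\]:)?443$s+ssl
server_name $2|^$s*server_name$s+([^;]*$s)?${acb_dom}[[:space:];]
certificate from $2 lineage|^$s*ssl_certificate$s+${acb_live}/fullchain\.pem;
private key from $2 lineage|^$s*ssl_certificate_key$s+${acb_live}/privkey\.pem;
certbot TLS options include|^$s*include$s+/etc/letsencrypt/options-ssl-nginx\.conf;
HTTP to HTTPS redirect|^$s*return$s+301$s+https://
EOF
    return "$acb_missing"
}

demo=$(mktemp) && write_sample_config "$demo" && audit_certbot_block "$demo" mysampledomain.com
rm -f "$demo"
```

On a real host, point it at the file certbot edited, for example `audit_certbot_block /etc/nginx/sites-enabled/default mysampledomain.com`; a non-zero exit status is the count of missing directives.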

Saturday, October 26, 2019

Complete configuration of AWS CLI in Ubuntu for EKS (Kubernetes)

AWS CLI installation is pretty simple on Ubuntu, but there is one concern: the version of the AWS CLI available in Ubuntu doesn't have the required eks commands. Keep that in mind when you are typing eks commands.

Install AWS CLI

xxxx@xxxxxxx:~$ aws
Command ‘aws’ not found, but can be installed with:

xxxx@xxxxxxx:~$ sudo snap install aws-cli
or
xxxx@xxxxxxx:~$ sudo apt install awscli
See ‘snap info aws-cli’ for additional versions.

xxxx@xxxxxxx:~$ aws configure


Install eksctl in ubuntu

xxxx@xxxxxxx:~$ curl --silent --location "https://github.com/weaveworks/eksctl/releases/download/latest_release/eksctl_$(uname -s)_amd64.tar.gz" | tar xz -C /tmp

xxxx@xxxxxxx:~$ sudo mv /tmp/eksctl /usr/local/bin

xxxx@xxxxxxx:~$ eksctl version
[ℹ] version.Info{BuiltAt:"", GitCommit:"", GitTag:""}

Install aws iam authenticator


xxxx@xxxxxxx:~$ chmod +x ./aws-iam-authenticator

xxxx@xxxxxxx:~$ mkdir -p $HOME/bin && cp ./aws-iam-authenticator $HOME/bin/aws-iam-authenticator && export PATH=$HOME/bin:$PATH

xxxx@xxxxxxx:~$ echo 'export PATH=$HOME/bin:$PATH' >> ~/.bashrc

xxxx@xxxxxxx:~$ aws-iam-authenticator help


As I mentioned previously, you might get the error below if there is a version mismatch,

Error,

xxxx@xxxxxxx:~$ aws eks update-kubeconfig --name <cluster name>
Invalid choice: 'eks', maybe you meant: * es

Solution,

xxxx@xxxxxxx:~$ sudo apt-get remove -y --purge awscli
xxxx@xxxxxxx:~$ sudo apt-get install -y python3 python3-pip
xxxx@xxxxxxx:~$ sudo pip3 install awscli --upgrade
xxxx@xxxxxxx:~$ sudo pip install awscli --upgrade
xxxx@xxxxxxx:~$ sudo pip3 install awscli
xxxx@xxxxxxx:~$ aws --version
xxxx@xxxxxxx:~$ aws eks update-kubeconfig --name <cluster name>

That's it, now you can work with the AWS CLI.
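
The Install eksctl step pipes the download straight into tar in /tmp and then moves the binary into /usr/local/bin as root. The added example below (not from the original post) verifies a downloaded tarball against a SHA-256 checksums file and extracts it into a private directory instead; it assumes the release publishes such a file, and the function names, checksums.txt and the sample tarball are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: verify a downloaded release tarball
# before anything from it is moved into /usr/local/bin.

make_sample_release() {  # $1 = dir; builds a constructed tarball plus its checksums file
    printf '#!/bin/sh\necho constructed-eksctl\n' > "$1/eksctl"
    tar -czf "$1/eksctl_Linux_amd64.tar.gz" -C "$1" eksctl && rm "$1/eksctl"
    (cd "$1" && sha256sum eksctl_Linux_amd64.tar.gz > checksums.txt)
}

verify_and_extract() {  # $1 = tarball, $2 = checksums file, $3 = private destination dir
    ve_name=$(basename "$1")
    # The checksums file is in sha256sum format: "<hex digest>  <filename>".
    ve_want=$(awk -v n="$ve_name" '$2 == n || $2 == "*" n { print $1; exit }' "$2")
    [ -n "$ve_want" ] || { echo "no checksum listed for $ve_name" >&2; return 2; }
    ve_have=$(sha256sum "$1" | awk '{ print $1 }')
    [ "$ve_want" = "$ve_have" ] || { echo "checksum mismatch for $ve_name" >&2; return 3; }
    # Reject members that would land outside the destination directory.
    if tar -tzf "$1" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        echo "unsafe path in archive" >&2; return 4
    fi
    tar -xzf "$1" -C "$3"
}

work=$(mktemp -d)            # private directory instead of the shared /tmp
make_sample_release "$work"
mkdir "$work/out"
verify_and_extract "$work/eksctl_Linux_amd64.tar.gz" "$work/checksums.txt" "$work/out" \
    && echo "verified and extracted: $work/out/eksctl"
rm -rf "$work"
```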

Thursday, February 11, 2016

How to enable disable HAproxy backend server nodes in Linux RHEL CentOS



The option to enable and disable HAProxy backend servers does not come with the default installation. Therefore we have set up a way to do it ourselves.

Below is how I enable and disable servers without restarting the whole HAProxy server. I have configured a unix socket and used the socat command to enable and disable servers.

Therefore, if it is not already installed, you need to install socat on your Linux machine. I use the yum command since I am using RHEL,



After installing socat, you need to enable the stats socket in the HAProxy configuration file as shown below
(for more information, see http://www.haproxy.org/download/1.5/doc/configuration.txt and go to the "9.2. Unix Socket commands" section).
 
global
        stats socket /var/run/haproxy.sock mode 600 level admin
        stats timeout 2m

Save the HAProxy configuration and restart the haproxy service,

[root@localhost ~]# systemctl restart haproxy.service

Now you can enable or disable your server using the commands below,

[root@localhost ~]# echo "enable server <your backend name>/<server name in HAproxy configuration>" | socat stdio /var/run/haproxy.sock

[root@localhost ~]# echo "disable server <your backend name>/<server name in HAproxy configuration>" | socat stdio /var/run/haproxy.sock
 
That's all. You can check whether the server is enabled or disabled via the HAProxy stats page,
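
A guarded wrapper for the socat commands above, as an added example that is not part of the original post: because the socket is configured with level admin, it validates the action and the backend/server name before anything is sent, then reads the server's state back with show stat. The function names and the web_back/app1 names are constructed for illustration; the socket path is the one from the configuration above.

```shell
#!/bin/sh
# Added example, not from the original post. Backend/server names are constructed.
HAPROXY_SOCK=${HAPROXY_SOCK:-/var/run/haproxy.sock}   # socket path from the config above

build_server_cmd() {  # $1 = enable|disable, $2 = backend/server; prints the socket command
    case $1 in
        enable|disable) ;;
        *) echo "action must be enable or disable" >&2; return 2 ;;
    esac
    # The socket treats ';' and newlines as command separators, so only one
    # backend/server pair made of plain name characters is accepted.
    case $2 in
        *[!A-Za-z0-9_.:/-]*|*/*/*|/*|*/) echo "invalid backend/server" >&2; return 3 ;;
        */*) printf '%s server %s\n' "$1" "$2" ;;
        *) echo "expected backend/server" >&2; return 3 ;;
    esac
}

server_status() {  # stdin = "show stat" CSV, $1 = backend/server; prints its status field
    awk -F, -v px="${1%%/*}" -v sv="${1#*/}" '
        NR == 1 { sub(/^# /, "", $1)          # header line starts with "# pxname"
                  for (i = 1; i <= NF; i++) if ($i == "status") col = i
                  next }
        $1 == px && $2 == sv { print $col; found = 1 }
        END { exit !found }'
}

haproxy_server() {  # $1 = enable|disable, $2 = backend/server
    cmd=$(build_server_cmd "$1" "$2") || return
    [ -S "$HAPROXY_SOCK" ] || { echo "no socket at $HAPROXY_SOCK" >&2; return 4; }
    # Refuse a socket that is more permissive than the "mode 600" configured above.
    [ "$(stat -c %a "$HAPROXY_SOCK")" = 600 ] || { echo "socket mode is not 600" >&2; return 5; }
    printf '%s\n' "$cmd" | socat stdio "$HAPROXY_SOCK"
    echo "show stat" | socat stdio "$HAPROXY_SOCK" | server_status "$2"
}

# Stand-alone demo: only builds the command, nothing is sent to a socket.
build_server_cmd disable web_back/app1
# On the HAProxy host, as root:  haproxy_server disable web_back/app1
```

A disabled server is reported with the status MAINT in the show stat output.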