Jun 18

Let's Encrypt SSL for non-standard web ports

In this tutorial I would like to demonstrate how to use Let's Encrypt SSL on non-standard web ports (other than 80 and 443) to generate an SSL certificate for Apache. If you wish, you can follow the same method to implement SSL on other web servers such as nginx and Tomcat. If you are new to Let's Encrypt, here is a brief introduction: Let's Encrypt is a free CA (certificate authority) owned by the non-profit Internet Security Research Group (ISRG).

Please note this is done on CentOS 7.

01) Install certbot

First enable the EPEL repository.

For how to enable the EPEL repo on RHEL / CentOS, read this, and enable the EPEL optional channel as well.

Then install certbot using yum as follows:

# yum install certbot

02) Install SSL certificate

Execute the following as root:

# certbot certonly --manual --preferred-challenges dns

This is the most important command: we generate the certificate manually even though certbot provides an Apache plugin, because a manually generated certificate is not tied to one web server and can be integrated into any preferred web server later :) . --preferred-challenges is set to dns, so domain verification is done with a DNS TXT record instead of over HTTP; that is what makes this work for a site that does not listen on port 80 or 443.

After that you will see a wizard like the one in the image below. Once you submit the domain, it prints a DNS TXT record as the challenge; you must create that record before continuing. It then generates the SSL certificate for your domain.

(screenshot: certonly with dns)

03) Configure SSL on Apache

You can use the following Apache virtual-host config template:

(screenshot: Let's Encrypt SSL for non-standard port)

04) SSL renewal

You can renew the SSL certificate automatically. Add a new cron entry like the following, which runs the renewal process every week. It is recommended to reload / restart the Apache server afterwards, so on the next line we restart the Apache process as well.
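For steps 03 and 04, here is an added example script; it is not the post's own template or cron entry. It renders a virtual host that serves the certbot files on a non-standard port and installs a weekly renewal job that reloads Apache only when a certificate was actually renewed. Hypothetical values: the domain example.com, port 8443, document root /var/www/example.com, the CentOS 7 paths /etc/httpd/conf.d and /etc/letsencrypt/live/<domain>, and the service name httpd. One caveat to know before relying on the cron job: certbot cannot renew a certificate obtained with --manual unattended unless --manual-auth-hook (and usually --manual-cleanup-hook) scripts are configured, so a weekly `certbot renew` will report an error for such certificates and they must be renewed interactively or moved to a hook or DNS plugin.

```shell
#!/bin/sh
# Added example, not the original post's template: render an Apache SSL
# virtual host for a Let's Encrypt certificate on a non-standard port and
# install a weekly renewal job. Hypothetical values: example.com, port 8443,
# CentOS 7 paths (/etc/httpd, /etc/letsencrypt/live/<domain>, service httpd).
set -eu

# Print a virtual host for DOMAIN on PORT using the live certbot files.
render_vhost() {
  domain="$1"; port="$2"
  live="/etc/letsencrypt/live/$domain"
  cat <<EOF
Listen $port https
<VirtualHost *:$port>
    ServerName $domain
    DocumentRoot /var/www/$domain

    SSLEngine on
    # cert.pem + chain.pem works on every Apache version; 2.4.8+ could use
    # fullchain.pem alone, but CentOS 7 ships 2.4.6.
    SSLCertificateFile      $live/cert.pem
    SSLCertificateKeyFile   $live/privkey.pem
    SSLCertificateChainFile $live/chain.pem

    # Refuse SSLv3 / TLS 1.0 / TLS 1.1 and let the server pick the cipher.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on

    ErrorLog  /var/log/httpd/$domain-ssl-error.log
    CustomLog /var/log/httpd/$domain-ssl-access.log combined
</VirtualHost>
EOF
}

# Write a cron.d entry that runs renewal weekly and reloads Apache only when
# a certificate was actually renewed (--deploy-hook), instead of restarting
# unconditionally every week.
install_renew_cron() {
  cronfile="$1"
  cat > "$cronfile" <<'EOF'
# Weekly Let's Encrypt renewal; httpd is reloaded only after a real renewal.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
0 3 * * 0 root certbot renew --quiet --deploy-hook "systemctl reload httpd"
EOF
}

# Run with --apply as root to install the config and the cron job.
if [ "${1:-}" = "--apply" ]; then
  render_vhost example.com 8443 > /etc/httpd/conf.d/example.com-ssl.conf
  apachectl configtest
  firewall-cmd --permanent --add-port=8443/tcp && firewall-cmd --reload
  systemctl reload httpd
  install_renew_cron /etc/cron.d/certbot-renew
  # Dry run proves the job can renew; certificates issued with --manual and
  # no --manual-auth-hook fail here and must be renewed interactively.
  certbot renew --dry-run
fi
```

Without --apply the script only defines the functions, so `render_vhost mydomain 8443` can be used to preview the generated config before writing it under /etc/httpd/conf.d. Make sure no other file already has a Listen directive for the same port, since a duplicate Listen fails configtest.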

Jan 12

How to Move MySQL Data Directory to New Location on CentOS

In a default MySQL installation the data directory points to "/var/lib/mysql/". As a best practice, it is recommended to move the data directory to a new location
that has more disk space than the default root partition. This tutorial shows how to move the MySQL data directory to a new location on CentOS or RHEL. Even when the data directory already contains data you can still move it, but be careful if you try this on a production environment. Let's go through it quickly :-)

1) Prepare new location

2) Find current Data Directory location

You can get it from /etc/my.cnf if datadir is defined there. If it is not set in the configuration file, the default location is most probably in use.
Let's find that out.

Log into the MySQL server and run the following command:

As per the above, the current location is "/var/lib/mysql/".

3) Shut down MySQL server

4) Copy MySQL data directory to new location

Now the new location is /opt/newmysql_datadir/mysql.

5) Modify SELinux to allow MySQL to use the different (non default) path

This step is mandatory if SELinux is enabled on your system; otherwise you can skip it.

6) Update new settings to my.cnf

Find the line in the [mysqld] block that begins with datadir= and change the path that follows to reflect the new location. In addition, the socket was previously located in the data directory, so we need to update it to the new location as well.

It should look like the following after updating.

Apart from that, we need to add configuration for the MySQL client. Insert the following settings in the [client] block at the bottom of the file.

7) Start MySQL server

If it won't start, you may need to troubleshoot by checking the MySQL error log. You can comment here on any issues you have faced; I'm always happy to assist you!!
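The whole procedure (steps 2 to 7) as one added example script; it is not the post's own commands. It assumes the MySQL systemd unit is named mysqld, the config file is /etc/my.cnf, the SELinux tools from policycoreutils-python are installed, and the new location is /opt/newmysql_datadir/mysql as in the post. The my.cnf rewrite is done with awk so that it works whether or not datadir, socket or the [client] block already exist; the old directory is deliberately kept until the server has been verified on the new path.

```shell
#!/bin/sh
# Added example (not the original post's commands): move the MySQL data
# directory on CentOS / RHEL 7. Assumes the MySQL systemd unit is "mysqld",
# the config file is /etc/my.cnf, and the new location is
# /opt/newmysql_datadir/mysql as in the post.
set -eu

# Print the datadir configured in the [mysqld] section of a my.cnf, or the
# packaged default when none is set. `mysql -e 'SELECT @@datadir;'` on the
# running server is the authoritative answer; this is the offline check.
mycnf_datadir() {
  awk -F= '
    /^\[/ { section = $0 }
    section == "[mysqld]" && $1 ~ /^[[:space:]]*datadir[[:space:]]*$/ {
      gsub(/[[:space:]]/, "", $2); print $2; found = 1
    }
    END { if (!found) print "/var/lib/mysql/" }
  ' "$1"
}

# Point datadir and socket in [mysqld] at NEWDIR and give [client] the same
# socket path, replacing any existing values and creating missing sections.
update_mycnf() {
  cnf="$1"; newdir="$2"
  grep -q '^\[mysqld\]' "$cnf" || printf '\n[mysqld]\n' >> "$cnf"
  grep -q '^\[client\]' "$cnf" || printf '\n[client]\n' >> "$cnf"
  awk -v dir="$newdir" '
    /^\[/ { section = $0 }
    /^\[mysqld\]/ { print; print "datadir=" dir; print "socket=" dir "/mysql.sock"; next }
    /^\[client\]/ { print; print "socket=" dir "/mysql.sock"; next }
    section == "[mysqld]" && /^[[:space:]]*(datadir|socket)[[:space:]]*=/ { next }
    section == "[client]" && /^[[:space:]]*socket[[:space:]]*=/ { next }
    { print }
  ' "$cnf" > "$cnf.tmp" && mv "$cnf.tmp" "$cnf"
}

# The full move. Stop the server first so the copy is consistent; keep the
# old directory until the server has started cleanly from the new one.
move_datadir() {
  newdir="$1"
  olddir=$(mycnf_datadir /etc/my.cnf)
  systemctl stop mysqld
  mkdir -p "$newdir"
  # -a keeps ownership, permissions and timestamps; trailing slashes copy contents.
  rsync -a "${olddir%/}/" "$newdir/"
  # SELinux: label the new tree as MySQL data (mysqld_db_t), then apply it.
  if command -v semanage >/dev/null 2>&1; then
    semanage fcontext -a -t mysqld_db_t "$newdir(/.*)?" 2>/dev/null \
      || semanage fcontext -m -t mysqld_db_t "$newdir(/.*)?"
    restorecon -R "$newdir"
  fi
  update_mycnf /etc/my.cnf "$newdir"
  systemctl start mysqld
  # Verify before removing the old copy: mysql -e 'SELECT @@datadir;'
}

# Run with --apply [NEWDIR] as root; without it only the functions are defined.
if [ "${1:-}" = "--apply" ]; then
  move_datadir "${2:-/opt/newmysql_datadir/mysql}"
fi
```

Run `mycnf_datadir /etc/my.cnf` on its own first to confirm where the data currently lives; if the server fails to start afterwards, the error log (log-error in my.cnf, /var/log/mysqld.log by default) will name the path or label that is wrong.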

Dec 23

Configure NTP server (Chrony) on CentOS / RHEL7

Classic NTP has been replaced by Chrony: CentOS / RHEL 7 no longer uses ntpd by default; its default is Chrony. Chrony is a different implementation of the Network Time Protocol (NTP) than the network time protocol daemon (ntpd), and it is able to synchronize the system clock faster and with better accuracy than ntpd. Here is a short comparison between chronyd and ntpd.

Things chrony can do better than ntp:

  • chrony can perform usefully in an environment where access to the time reference is intermittent. ntp needs regular polling of the reference to work well.
  • chrony can usually synchronise the clock faster and with better time accuracy.
  • chrony quickly adapts to sudden changes in the rate of the clock (e.g. due to changes in the temperature of the crystal oscillator). ntp may need a long time to settle down again.
  • chrony can perform well even when the network is congested for longer periods of time.
  • chrony in the default configuration never steps the time to not upset other running programs. ntp can be configured to never step the time too, but in that case it has to use a different means of adjusting the clock (daemon loop instead of kernel discipline), which may have a negative effect on accuracy of the clock.
  • chrony can adjust the rate of the clock in a larger range, which allows it to operate even on machines with broken or unstable clock (e.g. in some virtual machines).
  • chrony is smaller, it uses less memory and it wakes up the CPU only when necessary, which is better for power saving.

Things chrony can do that ntp can't:

  • chrony provides support for isolated networks where the only method of time correction is manual entry (e.g. by the administrator looking at a clock). chrony can look at the errors corrected at different updates to work out the rate at which the computer gains or loses time, and use this estimate to trim the computer clock subsequently.
  • chrony provides support to work out the gain or loss rate of the real-time clock, i.e. the clock that maintains the time when the computer is turned off. It can use this data when the system boots to set the system time from a corrected version of the real-time clock. These real-time clock facilities are only available on Linux, so far.

Things ntp can do that chrony can't:
  • ntp supports all operating modes from RFC 5905, including broadcast, multicast, and manycast server/client. However, the broadcast and multicast modes are inherently less accurate and less secure (even with authentication) than the ordinary server/client mode and should generally be avoided.
  • ntp supports the Autokey protocol (RFC 5906) to authenticate servers with public-key cryptography. Note that the protocol has been shown to be insecure and it will be probably replaced with an implementation of the Network Time Security (NTS) specification.
  • ntp has been ported to more operating systems.
  • ntp includes a large number of reference clock drivers. chrony relies on other programs (e.g. gpsd) to access the timing data via the SHM or SOCK driver.

So let's look at how to configure an NTP server (Chrony) on CentOS / RHEL 7.

1) Install Chrony

2) Change servers for synchronization

This step is optional; you can skip it if you do not want to customize the NTP servers.

Then comment out the default servers and add your own NTP servers.

3) Disable the NTP server (ntpd) and start chronyd

4) Verify NTP sources

chronyc sources -v

5) Verify NTP time synchronization
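Steps 1 to 5 together as one added example script; these are not the post's own commands. Instead of commenting out the server lines in the stock file, it writes a complete chrony.conf, and it adds the two settings that matter when the host serves time to others: an `allow` directive limited to the client subnet (chronyd denies NTP client requests from any address that is not allowed) and the control port bound to localhost only. Hypothetical values: 0.centos.pool.ntp.org and 1.centos.pool.ntp.org as upstream servers and 192.168.1.0/24 as the client subnet; `systemctl stop` and `disable` are issued separately because the systemd in CentOS 7 does not have `--now`.

```shell
#!/bin/sh
# Added example (not the post's own commands): configure chronyd as the NTP
# server for a LAN on CentOS / RHEL 7. Hypothetical values: upstream servers
# 0/1.centos.pool.ntp.org and client subnet 192.168.1.0/24.
set -eu

# Write a complete chrony.conf: CONF ALLOW_NET SERVER... (replaces the stock
# file instead of commenting out its server lines).
write_chrony_conf() {
  conf="$1"; allow_net="$2"; shift 2
  {
    echo "# chrony.conf written by the added example script"
    for s in "$@"; do
      # iburst: send the first few requests quickly for a fast initial sync.
      echo "server $s iburst"
    done
    # Only this subnet may query us; chronyd denies all other clients.
    echo "allow $allow_net"
    cat <<'EOF'
# Record the measured clock drift so it is corrected right after a reboot.
driftfile /var/lib/chrony/drift
# Step the clock only during the first 3 updates and only if off by > 1 s.
makestep 1.0 3
# Keep the hardware RTC in sync from the kernel.
rtcsync
# Accept chronyc control commands from localhost only.
bindcmdaddress 127.0.0.1
bindcmdaddress ::1
logdir /var/log/chrony
EOF
  } > "$conf"
}

# Steps 1, 3, 4 and 5 of the post, run as root.
setup_chrony() {
  yum -y install chrony
  write_chrony_conf /etc/chrony.conf 192.168.1.0/24 \
    0.centos.pool.ntp.org 1.centos.pool.ntp.org
  # Only one daemon may discipline the clock: retire ntpd if it is installed.
  systemctl stop ntpd 2>/dev/null || true
  systemctl disable ntpd 2>/dev/null || true
  systemctl enable chronyd
  systemctl restart chronyd
  # Let LAN clients reach UDP/123 through firewalld.
  firewall-cmd --permanent --add-service=ntp && firewall-cmd --reload
  chronyc sources -v     # upstream sources; '*' marks the selected one
  chronyc tracking       # stratum, offset and frequency error of this host
  timedatectl            # "NTP synchronized: yes" once chronyd has locked on
}

# Run with --apply as root; without it only the functions are defined.
if [ "${1:-}" = "--apply" ]; then
  setup_chrony
fi
```

`write_chrony_conf /tmp/chrony.conf 192.168.1.0/24 0.centos.pool.ntp.org` previews the generated file without touching the system; widen or narrow the `allow` network to match the clients that should be able to query this server.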


Have a Nice day 😀
