13 November 2021

Adding a wildcard SSL certificate to your WordPress site

So this one threw me for a little bit of a loop when I was first trying to figure it out, even though it shouldn’t have. I was just overthinking it. There was plenty of documentation out there for adding a certificate to a single site, but there is not much when it comes to adding a wildcard certificate to a multi-site WordPress install. I guess that was where I had gotten confused. For reference, this was the specific KB article that helped me the most.

For folks that don’t know what I’m talking about, a multi-site install is one where you can host different WordPress sites on the same server. Meaning that site1.<yoursite>.com and site2.<yoursite>.com could both reside on the same server even if they are about completely different content. Thus you would only have to cover the cost to host one server, instead of paying for two, one for each host. Yes, they do share some resources, so there are some possible drawbacks… But for most personal sites it should not really be an issue for a few sites to share the same host.

You will need OpenSSL installed on your machine before we continue. It’ll likely already be installed if you are using Linux. If it’s not installed, please use your OS’s package manager to install it.

Generate a new private key:

sudo openssl genrsa -out /opt/bitnami/apache2/conf/server.key 2048

Use that key to create a certificate signing request (CSR):
***IMPORTANT: Enter the server domain name when the below command asks for the “Common Name”.***

sudo openssl req -new -key /opt/bitnami/apache2/conf/server.key -out /opt/bitnami/apache2/conf/cert.csr

Send the cert.csr file to your Certificate Authority (CA). After they complete their validation checks, they will issue you your new certificate.

Download your certificates. You should have received two files: one is your new certificate and the other is the CA’s certificate. Rename them as follows:

  • STAR_YourSite_com.crt –> server.crt
  • STAR_YourSite_com.ca-bundle –> server-ca.crt

Back up your private key after generating a password-protected version in the PEM format.

sudo openssl rsa -des3 -in /opt/bitnami/apache2/conf/server.key -out privkey.pem

Note: To regenerate the key and remove the password protection, you can use this command:

sudo openssl rsa -in privkey.pem -out /opt/bitnami/apache2/conf/server.key

We’re almost done. Next you’ll open the Apache configuration file to verify it’s set up to use the certificates you just uploaded. The config file can be found at: /opt/bitnami/apache2/conf/bitnami/

Scroll down until you find “<VirtualHost _default_:443>” and verify that it is pointing to the correct certificate, key, and CA certificate bundle that you uploaded earlier. You should find the lines below. If you don’t, go ahead and add them.

SSLCertificateFile "/opt/bitnami/apache2/conf/server.crt"
SSLCertificateKeyFile "/opt/bitnami/apache2/conf/server.key"
SSLCACertificateFile "/opt/bitnami/apache2/conf/server-ca.crt"

Note: It’s easiest to use these default names and not a custom name for these files. If you use a custom name you might need to update that name in other spots of the Apache config file, and you’ll have to google that on your own. If your cert/key is using another name, I recommend just renaming them to the default names above that Apache uses.

After we have copied our files over and have verified that the Apache config file is correct, we are going to update the file permissions on our certificate files. We will make them readable by the root user only with the following commands:

sudo chown root:root /opt/bitnami/apache2/conf/server*
sudo chmod 600 /opt/bitnami/apache2/conf/server*

Open port 443 in the server firewall. If you’re using Bitnami you can reference this KB.

Restart your server.

Once it comes up, you should now be able to connect to your site using HTTPS.
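Before restarting Apache it is worth confirming that server.key, cert.csr and server.crt all carry the same key pair and that the certificate really covers each subsite. The script below is an added example, not part of the original procedure; the function names, the placeholder domain example.test and the self-signed certificate standing in for the CA-issued one are all assumptions made for the demonstration.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): pre-restart checks for the
# key, CSR and certificate this procedure produces.

# Print the PEM public key contained in a private key, CSR or certificate.
pubkey_of() {                        # usage: pubkey_of key|csr|cert FILE
    case "$1" in
        key)  openssl pkey -in "$2" -pubout ;;
        csr)  openssl req  -in "$2" -noout -pubkey ;;
        cert) openssl x509 -in "$2" -noout -pubkey ;;
        *)    return 2 ;;
    esac 2>/dev/null
}

# Succeed only if FILE (a csr or cert) carries the public half of KEY.
same_keypair() {                     # usage: same_keypair KEY csr|cert FILE
    local key_pub other_pub
    key_pub=$(pubkey_of key "$1")    || return 2
    other_pub=$(pubkey_of "$2" "$3") || return 2
    [ -n "$key_pub" ] && [ "$key_pub" = "$other_pub" ]
}

# Succeed only if the certificate is valid for HOST (SAN, or CN fallback).
cert_covers() {                      # usage: cert_covers CERT HOST
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null \
        | grep -q "does match certificate"
}

# Constructed stand-ins for server.key, cert.csr and the issued certificate
# (self-signed here). example.test is a placeholder domain; other.key is an
# unrelated key used to show a mismatch.
make_sample() {                      # usage: make_sample DIR
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null
    openssl req -new -key "$1/server.key" -subj "/CN=*.example.test" \
        -out "$1/cert.csr" 2>/dev/null
    openssl req -new -x509 -key "$1/server.key" -subj "/CN=*.example.test" \
        -days 1 -out "$1/server.crt" 2>/dev/null
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
    chmod 600 "$1"/*.key
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"

same_keypair "$demo_dir/server.key" csr  "$demo_dir/cert.csr" \
    && echo "CSR matches server.key"
same_keypair "$demo_dir/server.key" cert "$demo_dir/server.crt" \
    && echo "certificate matches server.key"
same_keypair "$demo_dir/other.key"  cert "$demo_dir/server.crt" \
    || echo "other.key does NOT match the certificate"

# A wildcard covers exactly one label: the bare domain and nested
# subdomains are not matched by *.example.test.
for host in site1.example.test site2.example.test example.test a.b.example.test; do
    if cert_covers "$demo_dir/server.crt" "$host"; then
        echo "$host: covered"
    else
        echo "$host: NOT covered"
    fi
done

rm -rf "$demo_dir"
```

On a real server, point `same_keypair` and `cert_covers` at the files under /opt/bitnami/apache2/conf/ and at the hostnames of your own subsites.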


  • If you are looking for where to purchase an SSL certificate, check out SSLs.com. I use them for my projects. I’ve shopped around, and they have the best deals that I have found anywhere on the Internet.
23 April 2021

WordPress tweaks

(Updated 12/6/2021) Here are a few tweaks that I have found and use on my WordPress installs to harden them and improve security. This post is mostly for my own benefit – for when I have to stand up a new server and can’t recollect what I did to my current server/site…. That said, I hope it helps you too.


Please note: While these work for me… I can not guarantee they will work for you.
Please make a backup of your site before you make any changes. I’m not responsible for any changes you make.


  1. Follow my post about adding a SSL certificate to your site.

2. This one comes from the ReallySimpleSSL plugin. It’s a great plugin to use to migrate your site to SSL. Anyways, in one of their articles (link) they go over some settings to add to your site’s htaccess file. Please read their article before adding the following lines so you understand what each is doing. (Just for reference, here is an article describing how the htaccess file works). If you are running Bitnami, try looking in “/opt/bitnami/apps/wordpress/conf”.

Header always set Strict-Transport-Security: "max-age=31536000" env=HTTPS
Header always set Content-Security-Policy "upgrade-insecure-requests"
Header always set X-Content-Type-Options "nosniff"
Header always set X-XSS-Protection "1; mode=block"
Header always set Expect-CT "max-age=7776000, enforce"
Header always set Referrer-Policy: "no-referrer-when-downgrade"

Another header that now needs to get added to your htaccess file is a “permissions-policy”, more info can be found here.

Header always set Permissions-Policy "geolocation=(), midi=(), notifications=(), push=(), sync-xhr=(), accelerometer=(), gyroscope=(), magnetometer=(), payment=(), camera=(), microphone=(), usb=(), xr=(), speaker=(self), vibrate=(), fullscreen=(self)"

After updating your htaccess file, restart your Apache service using the command below:

sudo /opt/bitnami/ctlscript.sh restart apache

Then scan your site’s headers using SecurityHeaders.com to verify that you pass with an A+.

3. A backup/restore solution for your site. I use and recommend the plugin called UpdraftPlus.

4. A solution like WPS Hide Login to hide the normal login page. This will help reduce login attempts done by bots.

5. A firewall and malware scanner solution like Wordfence.

6. Run your site’s URL thru the Qualys SSL Server Test, and address any SSL shortcomings the server might have.
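For step 2, the same check can be run locally against a saved header dump (for example the output of `curl -sI`) before or alongside the online scan. The script below is an added example, not from the original post or from any plugin; the function names and the sample response are constructed for illustration. It also flags a Permissions-Policy value that separates directives with semicolons, the older Feature-Policy style, instead of commas.

```bash
#!/usr/bin/env bash
# Added example: audit a saved response-header dump offline.

# Headers this post sets in .htaccess, lower-cased.
EXPECTED_HEADERS="strict-transport-security content-security-policy
x-content-type-options x-xss-protection expect-ct referrer-policy
permissions-policy"

# Print the value of one header from the dump on stdin.
# The name comparison is case-insensitive; CRLF line endings are tolerated.
header_value() {                     # usage: header_value NAME < dump
    tr -d '\r' | awk -v want="$1" '
        { i = index($0, ":") }
        i > 0 && tolower(substr($0, 1, i - 1)) == tolower(want) {
            v = substr($0, i + 1); sub(/^[ \t]+/, "", v); print v; exit
        }'
}

# Print each expected header that is absent from the dump on stdin.
missing_headers() {
    local names name
    names=$(tr -d '\r' | awk -F: 'NF > 1 { print tolower($1) }')
    for name in $EXPECTED_HEADERS; do
        printf '%s\n' "$names" | grep -qxF "$name" || printf '%s\n' "$name"
    done
}

# Print the HSTS max-age in seconds (empty if the header is absent).
hsts_max_age() {
    header_value strict-transport-security \
        | sed -n 's/.*max-age=\([0-9]\{1,\}\).*/\1/p'
}

# Succeed only if Permissions-Policy is present and its directives are not
# separated with ";" (a pattern like "); name=" marks the old style).
permissions_policy_well_formed() {
    local v
    v=$(header_value permissions-policy)
    [ -n "$v" ] && ! printf '%s\n' "$v" \
        | grep -Eq '\)[[:space:]]*;[[:space:]]*[a-z-]+='
}

# Constructed sample response (not captured from a real site).
SAMPLE_RESPONSE='HTTP/1.1 200 OK
Server: Apache
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer-when-downgrade
Permissions-Policy: geolocation=(); camera=(); microphone=()
Content-Type: text/html; charset=UTF-8'

echo "missing: $(printf '%s\n' "$SAMPLE_RESPONSE" | missing_headers | tr '\n' ' ')"
echo "HSTS max-age: $(printf '%s\n' "$SAMPLE_RESPONSE" | hsts_max_age)"
printf '%s\n' "$SAMPLE_RESPONSE" | permissions_policy_well_formed \
    || echo "Permissions-Policy: directives must be separated by ',' not ';'"
```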

That’s it for now. I’ll try to update this post with more tweaks and hardening suggestions as I implement things.

12 November 2020

Useful Software

Let us be honest, software is what ultimately drives IT. It is what allows us to perform duties and complete tasks. We use it everywhere from our smartphones, to our home PCs and office workstations. But there is a difference between good software, and useful software, as well as just plain bad software. I am fortunate in that between work and home, I use a lot of different programs.

I’m always on the lookout for new programs that will help me do my job better, whether it’s at home or in the office. Like most things in IT, it is an iterative approach as there is always something new.

That said… here are some programs and services that I find myself using often. These are my personal recommendations. As my opinion or tastes change, I’ll make sure to update this post.

This post was last updated: April 6, 2021


Brave Browser https://brave.com/
This is a Chrome-based browser that is privacy-focused. It’s taken all of the “nasty” user tracking features in Chrome and has stripped them out.

FastStone Capture https://www.faststone.org/FSCaptureDetail.htm
This application makes taking screenshots a breeze. I use it a lot when creating documentation. It’s inexpensive, but it really makes the chore of documentation a lot easier in my opinion.

MS Office 365 https://www.microsoft.com/en-us/microsoft-365/
Love it or hate it, it is the gold standard of Office suites. It’s what 99% of people are using at home and work. If you have more than one person in your house, go for MS O365 Family, as it allows for 6 users on the plan for only $99/year. If you are a student, make sure to utilize your “free” Edu licensed copies of Office.

Yes, there are other free Office suites out there, like Google Apps or LibreOffice, which will work in a pinch – but why settle. Go with the gold standard and go with the software you know will work, go with O365.

NotePad++ https://notepad-plus-plus.org/
This is my favorite text editor. If you haven’t tried it, what are you waiting for? It really is just the best multi-tab text editor out there.

VMware Workstation Player https://www.vmware.com/products/workstation-player.html
This is a great, free, type two hypervisor. Do you want to run a VM on your workstation? This will do it! If you are really getting into virtualization (or use it a lot for work) look into purchasing (or having work purchase) VMware Workstation Pro, it’s $149. Having the Pro version unlocks a lot more features which the regular player doesn’t have. Also, take a look at the VMUG Advantage membership I mention below.

VMUG Advantage https://www.vmug.com/home
If you work with virtualization at all, then you probably want to get yourself a VMUG Advantage membership. VMUG is VMware’s free User Group and its paid VMUG Advantage provides members exclusive development opportunities with 365-day access to VMware solutions, discounted training, certification opportunities, and more.

While it’s a little costly at $200/year, you get a lot back. Heck if you were to buy VMware Workstation Pro, that alone is worth $150, so for a little more, you can gain access to basically the entire VMware software library. How’s that for a LifeProTip. And with a bit of googling you could probably find yourself a discount code even.

7-zip https://www.7-zip.org/
This is my go-to archiving software. It is free. It is open-source. You can use it on any computer. You never have to register it to use it. It works with just about any compression/archive file format. What else could you want!?!

VideoLAN https://www.videolan.org/index.html
Also known as VLC player. Need to play a media file? Well, you are in luck! VideoLAN will play it.
If it can’t play your media file, then you got bigger problems. I find that VideoLAN just works better than other media players. It’s also fairly lightweight, so it won’t slow down your system. It’s also available on every platform: iPhone, Android, Mac, Windows, and Linux.

PuTTY https://www.putty.org/
This app is a bit dated. But it’s still a powerful little app that gets used daily by a lot of folks. It’ll open a terminal session (i.e. – SSH or Telnet) to the server or host or device you specify. I know that there are “newer” and more “robust” applications now that will let you do what PuTTY does… and someday I might swap one of them onto this list. But for the role PuTTY plays, it’d be hard to find a more widely used app among IT professionals.

WinSCP https://winscp.net/
WinSCP is a great app that works as an FTP client, SFTP client, WebDAV client, SCP client & S3 client. It’s mostly used for transferring files between your local and a remote machine, but it also has some capabilities in scripting and file management. I really like that it can share site settings with PuTTY, making it even easier to connect to my server and upload/download files.

Bitwarden https://www.bitwarden.com/
I have two scary words for you – Password Management. Yes, it’s a scary subject. However, it’s one we need to talk about. With passwords needed everywhere and for everything, it’s important to keep track of what you are using on what site. Even more so, it’s important that you are not re-using the same username/password combinations on every site.

By using an application like Bitwarden, you can keep some of your sanity by letting it keep track of all of your passwords. There are plenty of other password managers out there… so I’m not saying that this one is the best. It’s just the one I am using. You just need to find the one that will meet your needs and utilize it.

Ninite https://www.ninite.com/
This site is my go-to when I’m setting up a ‘fresh’ Windows machine at home for myself or friends. To sum it up, it’s basically just a multi-installer. Tick the boxes to select all of the programs you want to install and then download just a single installer file. It’s fast and simple!

Trace32.exe https://social.technet.microsoft.com/…
Trace32.exe, an executable found in System Center Configuration Manager 2007, can quickly open very large trace files and will automatically highlight lines with apparent errors. This tool will allow you to quickly open very large files and locate errors visually. It’s wonderful for log files!

12 April 2020

Restoring your RPi

As I’ve said before, the data running on your RPi is only as good as its last backup. You have already backed up your RPi, right?

This article is going to cover how to restore the backup image of your RPi with Windows. While you can also restore it using Linux or MacOS, I’m not going to cover those as I primarily use the Windows Operating System. If you desire more info on the RPi backup/restore process, please consult the official documentation here.

Restore on Windows

In Windows, we’ll use a utility called “Win32 Disk Imager”. If you followed my previous article on backing up your RPi you should already have it installed. If you haven’t, please go download and install Win32 Disk Imager onto your computer. It is this software that will allow us to restore the full image copy we made back to the micro-SD card of your RPi.

On your Windows computer, open the Win32 Disk Imager program.

In the upper right, under ‘Device’, select the drive letter of the card reader.
Mine is “D:\”, yours will likely be different.

In the ‘Image File’ box, click on the folder button to browse to, and select, the location of your backup image file, which you’d like to restore.

Click the ‘Write’ button at the bottom to begin restoring your backup image.
There will be a popup message that warns about writing to the device. Click ‘Yes’ and it will begin your restore.

Once the restore completes, there will be a popup message stating that the write is complete. Click ‘OK’ to dismiss it.

Your restore is now complete!

Go ahead and eject the card from your card reader and return it to your RPi. You can then reconnect the power and turn it back on. Everything should be there, exactly as it was at the time you made the backup.

12 April 2020

Backing up your RPi

Like any other computer system, the data running on your RPi is only as good as its last backup. Heck, have you ever even backed up your RPi since you got it up and running? Well let me show you how to get backed up so that you can get back up in the event that you ever have a RPi catastrophe.

This article is going to focus on backing up your RPi with Windows. While you can also back it up using Linux or MacOS, I’m not going to cover those as I primarily use the Windows Operating System. If you desire more info on backing up your RPi, please consult the official documentation here.

Backup on Windows

In Windows, we’ll use a utility called “Win32 Disk Imager”. Go ahead and download and install Win32 Disk Imager onto your computer. It will allow us to make a full image copy of the micro-SD card that is used in our RPi. That way we can restore a 1:1 image of that micro-SD card as it is at the time of backup, back onto the card or onto a new card if we ever need to. We can keep that image copy on a desktop or NAS or cloud storage.

Start by shutting down the RPi with the following command.

sudo shutdown now

Once the RPi has shut down, disconnect the power. You can now pull the micro-SD card out of it. Place it into the card reader on your Windows computer. This might be a USB adapter that you are using, or there might be an SD slot on your laptop that will take a “micro-SD to SD card” adapter.

On your Windows computer, open the Win32 Disk Imager program.

In the upper right, under ‘Device’, select the drive letter of the card reader.
Mine is “D:\”, yours will likely be different.

In the ‘Image File’ box, click on the folder button to browse to, and select, the location of where you would like to save the image file to.

Click the ‘Read’ button at the bottom to begin creating your backup image.

Once the backup completes, there will be a popup message you need to click ‘OK’ to.

Your backup is complete!

Go ahead and eject the card from your card reader and return it to your RPi. You can then reconnect the power and turn it back on.

You can now restore your RPi to this point-in-time image if anything ever goes wrong in the future.

26 March 2020

Folding@Home


The corona virus and COVID-19 are at the top of everyone’s mind right now. The whole world is trying to deal with this pandemic. States are issuing stay-at-home orders and just about every company is trying to figure out how to allow their staff to work from home. The least that a tech nerd like me can do is contribute a few clock cycles towards the research that will hopefully help to bring about an end to all this madness.

Folding@Home (F@H) is a project focused on disease research thru distributed computing power. They get folks like you and me to share our otherwise unused computer power (when our PCs sit idle) to solve calculations that help them get answers to their medical questions about proteins and disease. The more people that set up the Folding@Home client in their Home-Labs or on those spare laptops/PCs lying around their house to contribute towards their project, the bigger the distributed supercomputer we create. How cool is that!

Before the global COVID-19 outbreak F@H had roughly 30,000 users globally that contributed their spare compute power. In the past couple weeks, that number has surged. They have over 400,000 users that are now contributing and that number keeps growing daily. The F@H project is now at over 470 PetaFLOPs (FLOPs = floating point operations per second) of raw compute power. That makes it over twice as fast as the fastest supercomputer in the world (2019). Not only that, but it is faster than the top seven supercomputers combined. Combined! That’s equivalent to the horsepower of 27,433,824 CPU/GPU cores. I can’t even fathom that. They are predicting that F@H will soon reach exaFLOP levels. That’s a billion billion operations per second. Totally crazy!


Here are a couple links to news articles about the recent explosion in growth around the Folding@Home project:
https://www.forbes.com/sites/jasonevangelho/2020/03/24/the-new-supercomputer-researching-coronavirus-is-powered-by-400000-ordinary-pc-users/

https://techcrunch.com/2020/03/26/coronavirus-pushes-foldinghomes-crowdsourced-molecular-science-to-exaflop-levels/


While F@H’s 1,200%+ increase in contributors and the associated surge in demand have temporarily led to a shortage of work units, the F@H team is working to expand and increase their capacity to serve units. In F@H terms, work units are the smaller bits of a larger workload, and are what is actually sent to each user.

It takes just minutes to set up. They have clients for Windows, Mac, and Linux, as well as support for both CPUs and GPUs. Once it is set up, it’s effortless on your part and just runs in the background.

Now that you are ready to contribute, the first step is to create a passkey. The passkey will identify you and will allow FAH to assign you work units. To create your passkey, use the link below.

https://apps.foldingathome.org/getpasskey

Just to let you know, when I signed up this week, it took a few hours for me to receive my passkey from F@H. So don’t get upset if you don’t hear from them immediately after clicking “Get Passkey”.

Once you have your Passkey, follow one of my posts (coming soon!) below to install and deploy the Folding@Home client on your system.

25 March 2020

WordPress – Set Timezone

I had originally thought that by setting the timezone on a Bitnami server that WordPress would then pull and use that time info. Oh, I was so wrong! It wasn’t a bad exercise, as at least I’ll be able to better read my logs in a more “timely” manner. LOL. But it turns out that setting the timezone info for WordPress is much simpler and doesn’t involve any need to console in or SSH to the server. Let’s get started…

Log in with an account that has admin privileges to your WordPress dashboard. In the dashboard menu that is on the left side, navigate to “Settings” then click on “General”.

The fifth item down from the top of this page is “Timezone”. Use the dropdown menu to select your desired timezone. Then click the “Save Changes” button at the very bottom of the page. I’m choosing “Honolulu” as my desired timezone.

That’s it! Your WordPress posts will now all reflect the local time you chose as your timezone. It couldn’t be any simpler than that!

4 December 2019

ReFS allocation size

I was reformatting a drive for some Veeam backups and was trying to recall what I had set the ReFS allocation unit size to when I initially set up the drive. Well, I could not remember to save my life. Luckily, with a little command line action, it’s easy enough to find out what it was set to.

The command line tool to use is fsutil. To see what options are available to us when using fsutil, we can run the following command.

fsutil fsinfo /?

Using “E:/” as the drive we are checking out, we can run the following line to discover information about the volume itself.

fsutil fsinfo volumeinfo E:

To view the specific ReFS info on this drive, we can run the following line.

fsutil fsinfo refsinfo E:

Take a look at the value for “Bytes Per Cluster”; this is where we can see that when this drive was formatted, its allocation unit size was set to 65k. 65k is also the recommended setting for Veeam destinations if you are using ReFS.

4 October 2019

Veeam Backup O365

I’ve spent more than a few years working with Veeam’s Backup & Replication (VBR), but I’m pretty new to Veeam’s Backup O365 (VBO365). I recently learned about some of their differences while setting up a new install of VBO365 in an environment which already used VBR.

One is that unlike VBR, VBO365’s repositories don’t support drives that have data deduplication enabled and running on them. It can be on a Windows server with the data deduplication role installed; that won’t break anything. But the disk volume that the repository lives on cannot have a running data dedupe task, as you risk a chance of corruption in your backup file.

The next is that it’s recommended that the VBO365 application is installed on its own VM. It can be run on the same VM as your VBR, but it can be resource intensive so they recommend it be running on its own.

The VBR backup job that is running against your VBO365 VM needs to be application aware. On top of that, they recommend running pre-job and post-job scripts to stop and start the VBO365 services. This means before the VBR job runs, it’ll need to run a script to stop VBO365 services (there are three services, though the RESTful API is probably already off by default). Then once the VBR job completes, it’ll need to start up its VBO365 services (there are two of them).

Luckily for you and me, VBR can easily be set up to run the pre- and post-job scripts. And even luckier for you, I have already put together the PowerShell commands you’ll need to stop and start those services.

Stop Services:

Get-Service | where {$_.name -match "Veeam.Archiver"} | sort-object Status -desc | stop-service

Start Services:

Get-Service | where {$_.name -match "Veeam.Archiver.Service"} | sort-object Status -desc | start-service

Get-Service | where {$_.name -match "Veeam.Archiver.Proxy"} | sort-object Status -desc | start-service
