Uncategorized

I’ve been hacking away at getting DTC set up to use Google’s Let’s Encrypt.

Here’s my work so far…

https://www.yournet.co.nz/getssl/

There are two files:

  • getssl – the getssl script that you get from the getssl site.
  • dtc-getssl

About dtc-getssl

This is a wrapper around getssl to do the stuff that DTC needs done to make it work.

To execute you:

  • Need to have the files in /home/dtc
  • Run ./dtc-getssl -a <ADMIN NAME> -d <DOMAIN NAME> -s <SUB DOMAIN> -c

    Where:
    * ADMIN NAME is the DTC Admin name of the account that the domain is located in.
    * DOMAIN NAME is the domain name you want the cert for.
    * SUB DOMAIN is the subdomain of the domain you want the cert for.

    What we’re doing is just creating the right stuff with the right permissions so it will all work in DTC.

    eg:  ./dtc-getssl -a deafblindassociation -d deafblindassociation.nz -s www -c

    getssl will create you a folder for the sub/domain combination in the .getssl folder.

    dtc-getssl will then display a bunch of information that you need to copy into the getssl.cfg file.

  • Then edit the getssl.cfg file for the domain, eg:  /home/dtc/.getssl/www.deafblindassociation.nz/getssl.cfg

    In the case of our example:

    #This tells getssl where to find the file it makes so that it can verify we actually own the domain.
    ACL=('/var/www/sites/deafblindassociation/deafblindassociation.nz/subdomains/www/html/.well-known/acme-challenge')

    #This tells getssl to use the ACL above for any and all verifications, even if we’re getting a cert for more than one subdomain (which I don’t think we should be).
    USE_SINGLE_ACL="true"

    #These lines just tell getssl where to put the files once it’s made them.
    DOMAIN_CERT_LOCATION="/var/www/sites/deafblindassociation/deafblindassociation.nz/subdomains/www/ssl/www.deafblindassociation.nz.cert.cert"
    DOMAIN_KEY_LOCATION="/var/www/sites/deafblindassociation/deafblindassociation.nz/subdomains/www/ssl/www.deafblindassociation.nz.cert.key"
    CA_CERT_LOCATION="/var/www/sites/deafblindassociation/deafblindassociation.nz/subdomains/www/ssl/www.deafblindassociation.nz.cert.ca"

    You also need to make sure the production ACME server isn’t commented out and that the staging one is.

    # The staging server is best for testing
    #CA="https://acme-staging.api.letsencrypt.org"
    # This server issues full certificates, however has rate limits
    CA="https://acme-v01.api.letsencrypt.org"

    Finally, comment out the SANS option unless you have a reason for it.  You’ll see in our example the getssl script seemed to think we want a subdomain included that we don’t.
    #SANS="dtc.yournet.co.nz"

  • Now run ./dtc-getssl -a <ADMIN NAME> -d <DOMAIN NAME> -s <SUB DOMAIN> without the -c option

    You should see getssl generate the keys for you.

    We need this wrapper because we’re running the script with the correct user (dtc) so that we get the correct permissions on the file.

  • Restart apache2

    getssl does have the ability to restart the web server and we will need to do this in future, but this script is way too green to be letting it restart your production system without doing a bit of checking first!
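Before running dtc-getssl without -c it is worth checking the edited getssl.cfg against the points above, and afterwards checking that the installed key is readable only by its owner. The script below is an added example, not part of the post or of getssl/dtc-getssl; the paths in it are placeholders, and it relies on getssl sourcing getssl.cfg as shell (so curly quotes copied from a web page break the config).

```shell
#!/bin/sh
# Added example, not part of the post or of getssl/dtc-getssl: sanity-check an
# edited getssl.cfg against the points above before running without -c, and
# check the installed private key's permissions afterwards.

# Returns 0 if the config looks production-ready, 1 otherwise (reasons printed).
check_getssl_cfg() {
    cfg="$1"
    rc=0
    # getssl sources getssl.cfg as shell; curly quotes copied from a web page
    # break that, so reject them before anything else.
    if grep -qF -e "‘" -e "’" -e "“" -e "”" "$cfg"; then
        echo "FAIL: curly quotes found; replace them with ASCII ' and \""; rc=1
    fi
    # The active (uncommented) CA= line must be the production endpoint.
    ca=$(grep -E '^[[:space:]]*CA=' "$cfg" | tail -n 1 | cut -d= -f2- | tr -d '"')
    case "$ca" in
        "")             echo "FAIL: no active CA= line"; rc=1 ;;
        *acme-staging*) echo "FAIL: staging CA still active: $ca"; rc=1 ;;
    esac
    # SANS should stay commented out unless you deliberately want extra names.
    if grep -qE '^[[:space:]]*SANS=' "$cfg"; then
        echo "FAIL: SANS is active, comment it out unless intended"; rc=1
    fi
    # One ACL directory must serve every challenge.
    if ! grep -qE '^[[:space:]]*USE_SINGLE_ACL="?true"?' "$cfg"; then
        echo "FAIL: USE_SINGLE_ACL is not \"true\""; rc=1
    fi
    # The key must land in the subdomain's ssl/ directory, never under html/
    # where the web server could serve it.
    key=$(grep -E '^[[:space:]]*DOMAIN_KEY_LOCATION=' "$cfg" | cut -d= -f2- | tr -d '"')
    case "$key" in
        */ssl/*.key) ;;
        *) echo "FAIL: DOMAIN_KEY_LOCATION is not under ssl/: '$key'"; rc=1 ;;
    esac
    return $rc
}

# Returns 0 only if the key file is readable by its owner alone (no group or
# world bits), which is what running as the dtc user is meant to achieve.
check_key_perms() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Usage with the layout from the post (paths are placeholders):
#   check_getssl_cfg /home/dtc/.getssl/www.example.nz/getssl.cfg &&
#   check_key_perms /var/www/sites/example/example.nz/subdomains/www/ssl/www.example.nz.cert.key
```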


Last year we installed two UPSs ready for our new DC so we can have A and B side power.

Sadly the batteries are a bit shot in one of them.

Our aim is to have a solar driven DC with grid power being our backup.  Doing this is expensive so we’re planning it in stages.

But we’re also looking at the duplication that we already have in the server room from UPS systems.  So our B side UPS is off to see our friendly tech for a bit of a makeover.  Now I’m on the hunt for APC 5000 VA service manuals.

The aim is to get a bigger array of batteries external to the UPS and then just apply charge from the solar and mains as backup.

We figured that we get nothing for power if we export it.

Building a DC, we also considered the impact on the grid if we just start pulling lots of power for cooling.  We decided that we needed more cooling on hot sunny days, exactly the kind of weather that’s great for solar power generation.

Our other aim is to capture and reuse the heat that our servers generate to heat a glass house on the roof space.  We’re currently on the lookout for a hot water heat pump with which we can pump the heat from our server room into a spa pool (already on site) and then move that heat back into the green house at night time.


Currently we’re running EoIP on Mikrotik.  As EoIP isn’t a standard, I thought we’d get busy and implement MPLS and VPLS.

Well, take one was a disaster!  That’ll teach me for not prototyping the whole thing in the lab first.

https://www.manitonetworks.com/mikrotik/2016/5/24/mikrotik-mpls-with-vpls

This is a good blog on MPLS/VPLS.

One hint it didn’t give me is that MTU has to be higher than 1500.  Our radio network will currently do 1524 so starting today I started setting gear to the higher MTU.


This week I’m working to write more words for our web site as part of my work to fully implement the DTC billing system.

As you can see, I’ve also been blogging random notes related to the DTC-XEN software.

DTC-XEN is the software that we use to interface users with our own VPS servers and resources we purchase from other DTC-XEN server providers such as GPLHost Global Hosting.


htpasswd /etc/dtc-xen/.htpassword dtc-xen

telnet <hostname> 8089


Yes, is it running?
on the host # netstat -antop | grep 8089


Volume group “node64901-vg” has insufficient free space (0 extents): 96 required.
root@node64901:/var/lib/dtc-xen/mnt# cat 01.setuplvm.stderr