Let’s get started with Let’s Encrypt

Let’s Encrypt

Finally it’s here: the chance for people to encrypt their websites free of charge. This can be done with Let’s Encrypt.

Clone the Let’s Encrypt tools

git clone https://github.com/letsencrypt/letsencrypt

Go in the directory

cd letsencrypt/

First time certificate generation

./letsencrypt-auto certonly --server https://acme-v01.api.letsencrypt.org/directory -a webroot --webroot-path=/var/www/www.sysstem.at --agree-dev-preview -d www.sysstem.at

/var/www/www.sysstem.at is my webroot and www.sysstem.at is my domain.

Make sure your web server is running on port 80, because Let's Encrypt places a verification file in your webroot and tries to download it.

Set up your Apache VirtualHost like this

#010-www.sysstem.at.conf
<VirtualHost *:443>
 ServerAdmin admin@sysstem.at
 ServerName www.sysstem.at
 DocumentRoot /var/www/www.sysstem.at


 ErrorLog ${APACHE_LOG_DIR}/www.sysstem.at_error.log
 CustomLog ${APACHE_LOG_DIR}/www.sysstem.at_access.log combined

 SSLEngine on

 SSLCertificateFile /etc/letsencrypt/live/www.sysstem.at/fullchain.pem
 SSLCertificateKeyFile /etc/letsencrypt/live/www.sysstem.at/privkey.pem
 SSLProtocol all -SSLv2 -SSLv3
 SSLHonorCipherOrder on
 SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"

 BrowserMatch "MSIE [2-6]" \
 nokeepalive ssl-unclean-shutdown \
 downgrade-1.0 force-response-1.0
 BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

</VirtualHost>

enable the site with

a2ensite 010-www.sysstem.at.conf

You may wonder where I got this huge list of cipher suites in the Apache config. Depending on which kind of site you are hosting you can decide on weaker or stronger suites. I chose the Intermediate profile from the Mozilla site.

Also make sure that you forward all HTTP traffic to HTTPS. This is important because the Let's Encrypt client tries to get the verification file over HTTP; with the redirect in place the client will still be able to fetch the file once HTTPS is enabled.

#000-catchall.conf 
<VirtualHost *:80>
 ServerAdmin admin@sysstem.at
 ServerName catchall
 ErrorLog ${APACHE_LOG_DIR}/catchall.log
 LogLevel warn
 CustomLog ${APACHE_LOG_DIR}/catchall_access.log combined
 RewriteEngine On
 # This will enable the Rewrite capabilities
 RewriteCond %{HTTPS} !=on
 # This checks to make sure the connection is not already HTTPS
 RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
</VirtualHost>

enable the site with

a2ensite 000-catchall.conf

We need to make sure that every Apache module our configuration relies on is loaded.

Enable the SSL Module and the Rewrite Module with

a2enmod ssl
a2enmod rewrite

Restart the Apache Server

service apache2 restart

Let's do an SSL test on our site. SSL Labs is my tool of choice for this job.

My site has a great score for now:

[Screenshot: SSL Test for www.sysstem.at]

Now we have a certificate which is not valid for very long. This is intentional on Let's Encrypt's part: the goal is that certificate renewals are automated. For this I wrote a little script.

Place this script in /opt/letsencrypt as letsencrypt-renew.sh

This script makes sure that you get a new certificate for your website. It also has a check for people with a dynamic IP: if your provider switches the IP before your dynamic DNS service (like DynDNS or No-IP) has been informed, the script exits without renewing.

#!/bin/bash
export DOMAIN=www.sysstem.at
export DIR=/var/www/www.sysstem.at
export LETSENCRYPT=/opt/letsencrypt

# Renew only if the cert file is older than 30 days (find prints the path in that case)
# and the IP in DNS equals the current public IP (guards against stale dynamic DNS).
# Variables are quoted so an empty dig answer yields a clean "no" instead of a shell error.
if find -L "/etc/letsencrypt/live/$DOMAIN/fullchain.pem" -mtime +30 | grep -q . \
   && [ "$(dig +short "$DOMAIN" | head -n 1)" = "$(curl -s canihazip.com/s)" ]; then
    # renew the cert
    mkdir -p "$DIR" && cd "$LETSENCRYPT" && ./letsencrypt-auto --renew-by-default certonly --server https://acme-v01.api.letsencrypt.org/directory -a webroot --webroot-path="$DIR" -d "$DOMAIN"
    # reload apache with the new cert
    service apache2 reload
fi
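
The script above decides on file age, which is only a proxy for the certificate's real validity. The following bash helpers are an added example (not the post's own script): they make the same two decisions, "cert due for renewal" and "DNS still points at this host", but read the expiry from the certificate itself with openssl's -checkend and treat an empty DNS answer as a failure rather than as a match. The function names, the resolve_a/current_ip wrappers and the self-signed test certificate are assumptions constructed for this example.

```shell
#!/bin/bash
# Added example: renewal decision from the certificate's own notAfter date
# plus the dynamic-DNS sanity check. Helper names and the throwaway
# self-signed certificate are constructed for this example, not from the post.

# Return 0 if CERT expires within DAYS days (renewal is due).
# openssl -checkend exits 0 when the cert is still valid past the window,
# so the result is inverted.
cert_expires_within() {
    cert=$1
    days=$2
    ! openssl x509 -noout -checkend $(( days * 86400 )) -in "$cert"
}

# Print the first A record for DOMAIN (overridable for offline use).
resolve_a() {
    dig +short "$1" A | head -n 1
}

# Print this host's current public IP (overridable; the post used canihazip.com).
current_ip() {
    curl -s canihazip.com/s
}

# Return 0 only when DNS answers and the answer equals the given IP.
# An empty answer must NOT count as a match.
dns_matches_ip() {
    domain=$1
    ip=$2
    resolved=$(resolve_a "$domain")
    [ -n "$resolved" ] && [ -n "$ip" ] && [ "$resolved" = "$ip" ]
}

# Combined decision: renew when the cert is close to expiry AND the DNS
# record still points at this host (the post's dynamic-DNS guard).
renewal_due() {
    cert=$1
    domain=$2
    days=$3
    cert_expires_within "$cert" "$days" && dns_matches_ip "$domain" "$(current_ip)"
}

# Create a throwaway self-signed certificate valid for DAYS days; prints its path.
# Constructed test input only; a real deployment checks the Let's Encrypt fullchain.pem.
make_test_cert() {
    days=$1
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
        -subj "/CN=example.test" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
    echo "$dir/cert.pem"
}
```

To wire this into the cron job, replace the find/-mtime test with `renewal_due /etc/letsencrypt/live/$DOMAIN/fullchain.pem "$DOMAIN" 30` and run the letsencrypt-auto command only when it returns 0.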

Adjust the variables to match your website and make the file executable with

chmod +x letsencrypt-renew.sh

Now we check every day if our certificate is up to date. For this open crontab with

crontab -e

and append the following line

0 1 * * * /opt/letsencrypt/letsencrypt-renew.sh

Now you are ready to host your own websites with HTTPS enabled, a valid certificate and good security.

Raspberry Pi library for sensors DHT11, BMP085, DS18B20, WireGate DR9490R and more!

Working with sensors on the Raspberry Pi is real fun. You can try out stuff, expand the Internet of things, make automations and so on.

The problem for me was that there were so many different scripts out there with different functionalities and outputs. I wanted to make one package with unified input and output, and there it is. It would never have been possible without the excellent work of Adafruit Industries (DHT, DS18B20 and BMP085 drivers) and of course Matt Hawkins from www.raspberrypi-spy.co.uk (ultrasonic and PIR drivers).

Currently supported sensors: DHT11, DHT22, AM2302 (temperature and humidity), DS18B20 (temperature, with kernel driver or Wiregate), HC-SR04 (Ultrasonic distance sensor), BMP085 (Temperature, pressure, altitude), PIR (Motion detection)

You can get the whole package from here: rpi_sensors

Or get it via GitHub (make sure to put everything into one directory)

git clone https://github.com/syss/rpi_sensors
# git cannot clone a subdirectory URL: clone the whole Adafruit repository and
# copy the Adafruit_BMP085 driver into the rpi_sensors directory
git clone https://github.com/adafruit/Adafruit-Raspberry-Pi-Python-Code
cp -r Adafruit-Raspberry-Pi-Python-Code/Adafruit_BMP085 rpi_sensors/

When you want to use this library you need to install the following packages: python-dev python-smbus owfs-fuse

This can be done by the following command

#update lists and upgrade software first
sudo apt-get update && sudo apt-get upgrade
sudo apt-get install -y python-dev python-smbus owfs-fuse

It is very convenient to load all needed modules on startup. First you need to remove the module blacklist entries (present by default on the Raspbian image) here:

/etc/modprobe.d/raspi-blacklist.conf

just comment out the blacklist lines with a hash (#)

# blacklist spi and i2c by default (many users don't need them)

#blacklist spi-bcm2708
#blacklist i2c-bcm2708

then you need to set the modules which should be loaded on startup. You will find them here:

/etc/modules

edit it so it looks like this.

# /etc/modules: kernel modules to load at boot time.
#
# This file contains the names of kernel modules that should be loaded
# at boot time, one per line. Lines beginning with "#" are ignored.
# Parameters can be specified after the module name.

snd-bcm2835
#Used for BMP085
i2c-dev
i2c-bcm2708
spi_bcm2708
#Used for 1-Wire DS18B20
w1-gpio
w1-therm

If you use the Dallas Wiregate (DR9490R) you can do these easy steps to make it work with this Python library (make sure you have installed the package owfs-fuse). I found the commands on this site.

sudo mkdir /media/1-wire
sudo owfs --allow_other -u /media/1-wire

Now you are done and can use the Python library for your projects.

Some examples will follow in the next days.

Raspberry Pi VNC Mirror – simplified

This post describes how to set up a VNC mirror on your Raspberry Pi: the desktop of any machine running VNC is shown on the screen connected to your Raspberry Pi. You may come from these posts: Hardening the Raspberry Pi VNC Mirror and Raspberry Pi – VNC Mirror (Repeater) – Make any computer public anywhere, which can be a little confusing, especially when trying to combine both into one project. Here it is in a few easy and understandable steps.

Preparation

Download the latest Raspbian image from the Raspberry Pi site. Unpack it and write the IMG file with Win32DiskImager (on Windows) or dd (on Linux or Mac) to your SD card (make sure it has at least 4GB).

First Start

When you first start your Raspberry Pi with a monitor it runs raspi-config. If it doesn’t you can rerun it with

sudo raspi-config

In this menu select

Enable Boot to Desktop/Scratch

then

Desktop Log in as user 'pi'...

but say No to reboot, because we want to know the IP address of the Raspberry Pi and work via SSH later on. Type

ifconfig

to get your IP address. You may remember it or write it down. Now you can type

reboot

to restart the Raspberry Pi. (Please do not unplug the Raspberry Pi instead of rebooting, because your filesystem may get corrupted.)

Installing and configuring

On the next start, log in via SSH with PuTTY (or a similar SSH client) and the standard credentials (pi/raspberry). Start a root console with

sudo bash

Company / Proxy settings

If you are in a company network or use a proxy, you need to set it for package updates and upgrades (you don't need this in most home environments)

nano /etc/apt/apt.conf

and enter your proxy:

Acquire::http::Proxy "http://user:password@proxy1.sysstem.at:8080";

Update, Upgrade and Install packages

After the proxy settings are done, start the update of the package information and then upgrade your packages

apt-get update && apt-get upgrade -y

Install packages needed for maintaining and for the VNC mirror itself

apt-get install -y x11vnc vim ssvnc unp htop

Store VNC Passwords

Create a hidden directory for the VNC password files

mkdir /home/pi/.vnc

Generate a VNC password for X11VNC

x11vnc -storepasswd /home/pi/.vnc/x11vncpasswd

Store the VNC password of the remote machine (the password you have defined on the remote machine)

x11vnc -storepasswd /home/pi/.vnc/remotevncpasswd

set read permission for the password files

chmod +r /home/pi/.vnc/*

Scripts

VNCViewer

open the following file

vim /home/pi/vncviewer

and copy in the following content (more about its content you can find here)

#!/bin/bash
# Process check script: checks if a process is running and, if it is not, starts it.
# The script loops in preset intervals, hence it is possible to monitor a process continuously.

# Variables
Running=1
SleepInterval=10

#VNC Variables
vnc=ssvncviewer
host=WSWDL02:1
display=0
resolution=1920x1080
passfile=/home/pi/.vnc/remotevncpasswd
para="-display :$display -viewonly -fullscreen -shared -passwd $passfile -scale $resolution -encoding zrle"

# Number of running ssvncviewer processes (the quoted [s] keeps grep from matching itself)
instances() {
        sudo ps aux | grep -c '[s]svncviewer'
}

# Read the viewer's PID (first one if several) and its ignored-signal mask (SigIgn) from /proc
checkstatus() {
        vncpid=$(pidof ssvncviewer | cut -d' ' -f1)
        sigign=$(sudo grep SigIgn "/proc/${vncpid}/status" | awk '{print $2}')
}

# Logic
while [ "$Running" -gt 0 ]
do

        if [ "$(instances)" -gt 0 ]; then
                echo "Process already running! Checking the status."
                checkstatus
                # SigIgn 0x4 means only SIGQUIT is ignored; anything else is treated as a broken viewer
                if [ "$sigign" != "0000000000000004" ]; then
                        echo "SSVNCViewer does not have status 4"
                        echo "Killing SSVNCViewer"
                        kill "${vncpid}"
                else
                        echo "SSVNCViewer status seems to be ok"
                fi
        else
                echo "Process not running! Starting process"
                # This is the command that should start the process in question
                $vnc $host $para &
        fi

        # How often shall we repeat the check?
        echo "Sleeping for $SleepInterval seconds"
        sleep "$SleepInterval"

done

exit 0
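
The watchdog compares SigIgn against the literal string 0000000000000004. SigIgn in /proc/PID/status is a 64-bit hex bitmask in which bit n-1 is set when signal n is ignored, so 0x4 means that exactly one signal, SIGQUIT (3), is ignored. The bash helpers below are an added example (not the post's script): they decode that mask for any PID and signal number, so the health check can ask a precise question instead of matching a string. Function names are constructed for this example, and it assumes a Linux /proc.

```shell
#!/bin/bash
# Added example: decode the SigIgn mask the watchdog above compares as a string.
# /proc/PID/status carries "SigIgn:<tab><16 hex digits>"; bit (n-1) set => signal n ignored.
# Assumes Linux /proc; function names are constructed for this example.

# Print the SigIgn mask of PID as hex digits (no 0x prefix), or nothing if unavailable.
sigign_mask() {
    sed -n 's/^SigIgn:[[:space:]]*//p' "/proc/$1/status" 2>/dev/null
}

# Return 0 if bit (SIGNUM-1) is set in hex MASK, i.e. that signal is ignored.
mask_has_signal() {
    mask=$1
    signum=$2
    [ $(( (0x$mask >> (signum - 1)) & 1 )) -eq 1 ]
}

# Return 0 if MASK contains exactly the listed signal numbers, nothing more, nothing less.
mask_is_exactly() {
    mask=$1
    shift
    expected=0
    for s in "$@"; do
        expected=$(( expected | (1 << (s - 1)) ))
    done
    [ $(( 0x$mask )) -eq "$expected" ]
}

# Return 0 if PID ignores signal SIGNUM, 1 if not, 2 if the mask cannot be read.
signal_ignored() {
    mask=$(sigign_mask "$1") || return 2
    [ -n "$mask" ] || return 2
    mask_has_signal "$mask" "$2"
}

# The post's check, stated precisely: the viewer is healthy when it ignores
# only SIGQUIT (3). Returns 2 if the process is gone.
viewer_state_ok() {
    mask=$(sigign_mask "$1") || return 2
    [ -n "$mask" ] || return 2
    mask_is_exactly "$mask" 3
}
```

In the watchdog loop, `viewer_state_ok "$vncpid"` replaces the string comparison, and a return value of 2 distinguishes "process disappeared between the ps check and the status read" from "process in an unexpected state".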

Make this script executable

chmod +x /home/pi/vncviewer

VNCViewer Daemon

Make a little Daemon for the vncviewer to start and stop it.

vim /etc/init.d/vncviewerd

enter the following

#! /bin/sh
### BEGIN INIT INFO
# Provides: vncviewerd
# Required-Start: $remote_fs $syslog
# Required-Stop: $remote_fs $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Start or stop Custom VNC Viewer
# Description: Start or stop Custom VNC Viewer
### END INIT INFO
# /etc/init.d/vncviewerd
# Carry out specific functions when asked to by the system

#Start vncviewer (as user pi, in the background)
start() {
    echo Starting VNC Viewer
    su pi -c /home/pi/vncviewer &
}
#Stop vncviewer (matches both the watchdog script and ssvncviewer itself)
stop() {
    echo Stopping VNC Viewer
    pkill -f vncviewer
}

### main logic ###
case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart|reload)
        stop
        start
        ;;

    *)
        echo "Usage: $0 {start|stop|restart|reload}"
        exit 1
esac
exit 0

Make the script executable

chmod +x /etc/init.d/vncviewerd

and register it for autostart

update-rc.d vncviewerd defaults

Monitor

Create a script for turning on and off your monitor

vim /etc/init.d/monitor

enter the following

#! /bin/sh
### BEGIN INIT INFO
# Provides: monitor
# Required-Start: $remote_fs $syslog
# Required-Stop: $remote_fs $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Start or stop Monitor
# Description: Start or stop Monitor
### END INIT INFO
# /etc/init.d/monitor
# Carry out specific functions when asked to by the system

#Start Monitor
start() {
    echo Starting Monitor
    # Enable HDMI with preferred mode
    /opt/vc/bin/tvservice -p
    # Switch the console away and back to wake up the monitor output
    # not very nice but ok
    sudo chvt 6
    sudo chvt 7
}
#Stop Monitor
stop() {
    echo Stopping Monitor
    # Power off the HDMI output
    /opt/vc/bin/tvservice -o
}

### main logic ###
case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart|reload)
        stop
        start
        ;;

    *)
        echo "Usage: $0 {start|stop|restart|reload}"
        exit 1
esac
exit 0

Make it executable (but do not add it to autostart!)

chmod +x /etc/init.d/monitor

Miscellaneous Monitor settings

Disable monitor standby

vim /etc/kbd/config

search for POWERDOWN_TIME=30 and set it to 0

POWERDOWN_TIME=0

Restart KBD to activate new settings

sudo /etc/init.d/kbd restart

Disable overscan (it shrinks the picture a little to fit on older monitors and TVs)

vim /boot/config.txt

remove the hash (#) from #disable_overscan=1 so it looks like this

disable_overscan=1

Now it’s time to reboot your Raspberry VNC Mirror.

reboot

If you have questions or problems left leave them in the comments!