MediaWiki Backup And Restore: Difference between revisions

From MediaWiki
Latest revision as of 10:25, 7 October 2024

Backup

The system which contains the NST WIKI performs nightly backups. The compressed backup files are stored under the /var/nst/nstwiki_archive directory.

The /var/nst/nstwiki_archive directory is then mirrored at external locations.

The following items are backed up:

  • The SQL database associated with the Wiki.
  • The configuration files associated with the Wiki.
  • The media files (images) associated with the Wiki.

Here is an example of using rsync to download a copy of the backup files:

[nst@nst30-repo ~]$ rsync -avhP nstwiki:/var/nst/nstwiki_archive backup/nst30-repo
receiving incremental file list
nstwiki_archive/
nstwiki_archive/nstwiki_conf_archive0.tgz
        117.14M 100%    3.94MB/s    0:00:28 (xfr#1, to-chk=1/3)
nstwiki_archive/nstwiki_media_archive0.tgz
        694.91M 100%    3.99MB/s    0:02:46 (xfr#2, to-chk=0/3)

sent 66 bytes  received 812.24M bytes  4.13M bytes/sec
total size is 812.05M  speedup is 1.00
[nst@nst30-repo ~]$ ls -l backup/nst30-repo/nstwiki_archive
total 793020
-rw-r--r-- 1 nst nst 117138773 Aug 21 05:34 nstwiki_conf_archive0.tgz
-rw-r--r-- 1 nst nst 694906230 Aug 21 05:34 nstwiki_media_archive0.tgz
[nst@nst30-repo ~]$

Restore/Move

If you need to restore the NST Wiki or need to relocate the NST Wiki to another machine, use the following strategy:

  • Set up MediaWiki on the other machine by following the instructions on the MediaWiki page.
  • Stop the httpd service.
  • Stop the mysqld service.
  • Transfer and install from the back up archives.
  • Start the mysqld service.
  • Run any new MediaWiki database upgrade scripts (if you are moving to a newer version of MediaWiki).
  • Update your LocalSettings.php file.
  • Start the httpd service.

Set Up MediaWiki

If you are moving the NST Wiki to a new machine, you will need to set up MediaWiki on the new machine:

  • Before setting up MediaWiki, review the LocalSettings.php file as you will likely want to match some of the settings (if you don't it's not the end of the world - but if you take the time now it might save you some tweaks later).
  • See the MediaWiki page for details on setting up MediaWiki on a NST system.
  • Install the EmbedVideo media extension.

Stop Services

Stop the httpd and mysqld services as shown below (use service instead of systemctl if you are on an older system):

[root@probe-p3p1 ~]# systemctl stop httpd.service
[root@probe-p3p1 ~]# systemctl stop mysqld.service
[root@probe-p3p1 ~]# 

Transfer And Extract The Backup Archives

Get a copy of the NST Wiki backup files from the /var/nst/nstwiki_archive directory and transfer them to your /tmp directory:

[root@probe-p3p1 ~]# rsync -rp nstwiki:/tmp/nstwiki_archive /tmp/
root@nstwiki's password: 
[root@probe-p3p1 ~]# ls -l /tmp/nstwiki_archive
total 198476
-rw-r--r-- 1 root root  66375294 Oct 22 18:32 nstwiki_conf_archive0.tgz
-rw-r--r-- 1 root root 126201929 Oct 22 18:32 nstwiki_media_archive0.tgz
[root@probe-p3p1 ~]# 

Extract the contents of the nstwiki_conf_archive0.tgz file to the /var/nst/backup directory:

[root@probe-p3p1 ~]# install -d /var/nst/backup
[root@probe-p3p1 ~]# tar xzf /tmp/nstwiki_archive/nstwiki_conf_archive0.tgz -C /var/nst/backup/ .
[root@probe-p3p1 ~]# 

Create and initialize the /var/nst/mediawiki directory:

[root@probe-p3p1 ~]# install -d /var/nst/mediawiki
[root@probe-p3p1 ~]# mw-createinstance /var/nst/mediawiki
[root@probe-p3p1 ~]# 

Extract the contents of the nstwiki_media_archive0.tgz file to the directory where your MediaWiki files live.

[root@probe-p3p1 ~]# tar xzf /tmp/nstwiki_archive/nstwiki_media_archive0.tgz -C /var/nst/mediawiki
[root@probe-p3p1 ~]#

Add a sym-link to the images directory under /usr/share/mediawiki (still not sure why this is required). Also, you may need to edit/save each NST WIKI page if thumbnails are not being created automatically.

[root@probe-p3p1 ~]# mv /usr/share/mediawiki/images /usr/share/mediawiki/images.orig  
[root@probe-p3p1 ~]# ln -s /var/nst/mediawiki/images /usr/share/mediawiki/images
[root@probe-p3p1 ~]#

Restore The NST Wiki Database

At this point you can start up the mysqld service and restore the most recent version of the NST Wiki backup. However, before you can restore using the SQL file you will need to drop the wikidb (or whatever you named your database) if it exists:

[root@probe-p3p1 ~]# systemctl start mysqld.service
[root@probe-p3p1 ~]# mysql -h 127.0.0.1 --user=root --password
Enter password:  
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.5.14 MySQL Community Server (GPL)

Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> drop database wikidb;
Query OK, 45 rows affected (0.15 sec)

mysql> \q
Bye
[root@probe-p3p1 ~]# 

At this point you can restore the NST Wiki database:

[root@probe-p3p1 ~]# gzip -dc < /var/nst/backup/db/nstwikidb.sql.gz | mysql -h 127.0.0.1 --user=root --password
Enter password: 
[root@probe-p3p1 ~]#
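The transfer, extract and restore steps above drop the live wikidb before the dump is read, so a truncated or mis-copied archive is only noticed once the old database is gone. The following script is an added example (not one of the NST Wiki backup scripts) that checks both archives for the members the restore relies on before anything destructive happens; ARCHIVE_DIR, the archive names and the member paths are assumed from the steps above.

```shell
#!/bin/bash
# Added example, not one of the NST Wiki backup scripts: sanity-check the two
# rsync'd archives before anything is extracted or the live wikidb is dropped.
#
# Assumed (hypothetical) layout, taken from the restore steps on the page:
#   $ARCHIVE_DIR/nstwiki_conf_archive0.tgz   -> must carry db/nstwikidb.sql.gz
#   $ARCHIVE_DIR/nstwiki_media_archive0.tgz  -> must carry an images/ tree
ARCHIVE_DIR="${ARCHIVE_DIR:-/tmp/nstwiki_archive}"

# archive_has_member ARCHIVE PATTERN
# Returns 0 when the gzip'd tarball lists at least one member matching the
# extended regex PATTERN; 1 when the file is missing, empty, unreadable or
# lacks such a member. "tar tzf" also fails on a truncated gzip stream.
archive_has_member() {
    local archive="$1" pattern="$2"
    [ -s "$archive" ] || return 1
    tar tzf "$archive" 2>/dev/null | grep -Eq "$pattern"
}

# sql_dump_is_valid DUMP_GZ
# Returns 0 when DUMP_GZ decompresses cleanly and looks like a mysqldump
# (contains at least one CREATE TABLE statement), 1 otherwise.
sql_dump_is_valid() {
    local dump="$1"
    gzip -t "$dump" 2>/dev/null || return 1
    gzip -dc < "$dump" | grep -q 'CREATE TABLE'
}

# verify_backup_set DIR
# Runs the member checks on both archives under DIR. Prints one line per
# check and returns 1 if any failed, so callers can gate the destructive steps.
verify_backup_set() {
    local dir="$1" rc=0
    if archive_has_member "$dir/nstwiki_conf_archive0.tgz" '(^|/)db/nstwikidb\.sql\.gz$'; then
        echo "ok:   conf archive carries db/nstwikidb.sql.gz"
    else
        echo "FAIL: conf archive missing db/nstwikidb.sql.gz (or unreadable)"; rc=1
    fi
    if archive_has_member "$dir/nstwiki_media_archive0.tgz" '(^|/)images/'; then
        echo "ok:   media archive carries images/"
    else
        echo "FAIL: media archive missing images/ (or unreadable)"; rc=1
    fi
    return "$rc"
}

# restore_database DUMP_GZ
# The page's own restore step (gzip -dc dump | mysql), gated on the dump being
# intact. Destructive: call it only after the "drop database" step.
restore_database() {
    local dump="$1"
    sql_dump_is_valid "$dump" || { echo "FAIL: $dump is not a usable dump"; return 1; }
    gzip -dc < "$dump" | mysql -h 127.0.0.1 --user=root --password
}

# Only the non-destructive checks run when invoked as "script run"; sourcing
# the file just defines the functions.
if [ "${1:-}" = "run" ]; then
    verify_backup_set "$ARCHIVE_DIR" || exit 1
    echo "archives look sane; continue with the extract / drop / restore steps"
fi
```

After the drop database step, `restore_database /var/nst/backup/db/nstwikidb.sql.gz` replaces the bare gzip | mysql pipe shown above.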

Update The NST Wiki Database

If the location you are restoring the database to uses a newer version of MediaWiki, you will likely need to run the MediaWiki upgrade commands. Review the /usr/share/doc/mediawiki/UPGRADE file. Most likely you will need to run the following commands:

[root@probe-p3p1 ~]# cd /usr/share/mediawiki/maintenance/
[root@probe-p3p1 maintenance]# php update.php 
A copy of your installation's LocalSettings.php
must exist and be readable in the source directory.
[root@probe-p3p1 maintenance]# php update.php --conf /var/nst/mediawiki/LocalSettings.php
MediaWiki 1.16.5 Updater

Going to run database updates for wikidb
Depending on the size of your database this may take a while!

... Lots of output as the database is updated ...

Purging caches...done.
Done.
[root@probe-p3p1 maintenance]# cd
[root@probe-p3p1 ~]#

Update LocalSettings.php

Before starting up the web server, you will want to review your LocalSettings.php file:

  • Compare it with the back up you made earlier (/root/LocalSettings.php.working).
  • Initially disable any extensions currently configured (you may need to install the extension modules before enabling).
  • Review the contents of /usr/share/mediawiki/includes/DefaultSettings.php to see if there are any new settings you need to add.
[root@probe-p3p1 ~]# emacs -nw /var/nst/mediawiki/LocalSettings.php LocalSettings.php.working
[root@probe-p3p1 ~]#

Also, for some reason a copy of the LocalSettings.php file needs to be under /usr/share/mediawiki as well (at least for MediaWiki 1.33 and the Fedora 30 packaging).

[root@probe-p3p1 ~]# ln /var/nst/mediawiki/LocalSettings.php /usr/share/mediawiki/LocalSettings.php
[root@probe-p3p1 ~]#

Restart The Web Service And Test

At this point you should be able to restart the web service and PHP engine and test your installation.

Notes:

  • Make sure a php-fpm configuration file exists for the systemd httpd.service unit: "/etc/php-fpm.d/www.conf"
  • NST Wiki uses a httpd configuration file: "/etc/httpd/conf.d/nstwiki.conf"
#
# This is for the NST Wiki

#DocumentRoot "/var/nst/mediawiki"
#ServerName wiki.networksecuritytoolkit.org

#LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""
#TransferLog logs/wiki_access_log
#ErrorLog logs/wiki_error_log
#LogLevel warn

BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE # !no-gzip !gzip-only-text/html

DeflateFilterNote Input input_info
DeflateFilterNote Output output_info
DeflateFilterNote Ratio ratio_info
LogFormat '"%r" %{output_info}n/%{input_info}n (%{ratio_info}n%%)' deflate
CustomLog logs/deflate_log deflate

  #
  # NST Wiki entry point...
  <Directory "/var/nst/mediawiki">
    DirectoryIndex index.php
    Options FollowSymLinks ExecCGI
    Require all granted

    AddOutputFilterByType DEFLATE text/html
  </Directory>

  #
  # IP tools areas (fetch public IP address via SHTML - requires Includes directive)
  <Directory "/var/nst/mediawiki/tools">
    Options Includes
    Require all granted
  </Directory>

Alias /nstwiki "/var/nst/mediawiki"

  #
  # NST Repo...
  <Directory "/var/nst/repo">
    Options Indexes
    Require all granted
  </Directory>

Alias /repo "/var/nst/repo"

  #
  # Icons for NST Repo dir listing...
  <Directory "/var/nst/mediawiki/icons">
    Options Indexes MultiViews
    AllowOverride None
  </Directory>

Alias /icons/ "/var/nst/mediawiki/icons/"

<Directory "/usr/share/nst-webgl-globe">
    Options -Indexes
    Require all granted
</Directory>

Alias /nst-webgl-globe "/var/nst/mediawiki/nst-webgl-globe"

#
# Provide server status information
#
#<Location /server-status>
#    SetHandler server-status
#
#    AuthType Basic
#    AuthName "NST WUI: System Management"
#    AuthUserFile "/etc/nst/httpd/conf/htuser.nst"
#    require valid-user
#</Location>

#
# Provide server information
#
#<Location /server-info>
#    SetHandler server-info
#
#    AuthType Basic
#    AuthName "NST WUI: System Management"
#    AuthUserFile "/etc/nst/httpd/conf/htuser.nst"
#    require valid-user
#</Location>
  • Start these services and then check the NST Wiki.
[root@probe-p3p1 ~]# systemctl start httpd.service
[root@probe-p3p1 ~]# systemctl restart php-fpm.service
[root@probe-p3p1 ~]#
[root@probe-p3p1 ~]# firefox http://127.0.0.1/nstwiki
[root@probe-p3p1 ~]#

At this point you should be able to review the contents of the Wiki, determine what is broken (not working) and then work out what needs to change. Places to look:

  • Examine log files under the /var/log/httpd directory - they will often provide useful clues.
  • The /var/nst/mediawiki/LocalSettings.php file (look for new values you might need to override in /usr/share/mediawiki/includes/DefaultSettings.php). Also, consider temporarily enabling the debug logging feature with:
# Uncomment to enable debug log file when trouble shooting
$wgDebugLogFile = "/var/log/httpd/debug-wikidb.log";
  • Review the /etc/httpd/conf/httpd.conf file.
  • Review your mediawiki configuration file under the /etc/httpd/conf.d directory (nstwiki.conf).

Default Font Size

To change the global font size for all NST Wiki pages do the following.

  • Search for "MediaWiki:Common.css"
  • Add the following CSS entry:
body { font-size: 9pt; }


No Logging: NST Wiki

The Apache Web server can produce copious amounts of logging. Use these steps to disable "httpd" logging: stop the web service, comment out the following lines in these configuration files, remove the log files and restart the web service. Note that once access logging is off there is no request history left to consult when troubleshooting (the /var/log/httpd files referred to above); if disk usage is the only concern, a logrotate policy for these files keeps recent history while bounding its size.

  • Stop the Apache Web server:
systemctl stop httpd.service;
  • In file: "/etc/httpd/conf/httpd.conf" comment out line:
#    CustomLog "logs/access_log" combined
  • In file: "/etc/httpd/conf.d/nstwiki.conf" comment out line:
#CustomLog logs/deflate_log deflate
  • Location of "httpd" logs:
[root@nst-wiki40 conf.d]# ls -al /var/log/httpd/;
total 2896604
drwx------. 1 root root        144 Jul 18 20:00 .
drwxr-xr-x. 1 root root        862 Jul 29 18:20 ..
-rw-r--r--  1 root root 2072902834 Aug 13 10:46 access_log
-rw-r--r--  1 root root  889980229 Aug 13 10:46 deflate_log
-rw-r--r--  1 root root     402944 Aug 13 10:46 error_log
-rw-r--r--  1 root root    1291618 Jul  4 10:57 ssl_access_log
-rw-r--r--  1 root root      48143 Jul  3 18:52 ssl_error_log
-rw-r--r--  1 root root    1486615 Jul  4 10:57 ssl_request_log
  • Remove the "access_log" and "deflate_log" log files:
rm "/var/log/httpd/access_log";
rm "/var/log/httpd/deflate_log";
  • Restart the Apache Web server:
systemctl start httpd.service;

Certbot - HTTPS TLS Certificates

Certbot Overview

Certbot is part of EFF's effort to encrypt the entire Internet. Secure communication over the Web relies on HTTPS, which requires the use of a digital certificate that lets browsers verify the identity of web servers (e.g., is that really google.com?). Web servers obtain their certificates from trusted third parties called certificate authorities (CAs). Certbot is an easy-to-use client that fetches a certificate from Let’s Encrypt—an open certificate authority launched by the EFF, Mozilla, and others—and deploys it to a web server.

Certbot Installation On NST Wiki - Tips & Modifications

This section goes through various steps to install certbot on an NST system for the NST Wiki web service (Apache - HTTPD). It can be a bit tricky.

DNF Install Required Packages

dnf install certbot python3-certbot python3-certbot-apache;

Fedora Python Code Modification (NST 40)

Insert this hack into the Python code in "/usr/lib/python3.12/site-packages/certbot_apache/_internal/entrypoint.py" so that the certbot Apache plugin identifies the Fedora OS correctly. Verify whether it has been fixed in a newer version before using the hack.

Before hack:

    os_name, os_version = util.get_os_info()
    os_name = os_name.lower()
    override_class = None

    # Special case for older Fedora versions

After hack:

    os_name, os_version = util.get_os_info()
    os_name = os_name.lower()
    override_class = None
>   os_name = 'fedora'
>   os_version = '40'

    # Special case for older Fedora versions

Create an Apache VirtualHost Configuration File

Certbot requires an Apache VirtualHost configuration file listening on port 80. Add this file, "certbot.conf", to the Apache configuration directory "/etc/httpd/conf.d":

[root@nst-wiki40 conf.d]# cat /etc/httpd/conf.d/certbot.conf;
<VirtualHost *:80>
ServerName wiki.networksecuritytoolkit.org
ServerAlias *.networksecuritytoolkit.org
DocumentRoot /var/nst/mediawiki
RewriteEngine on
RewriteCond %{SERVER_NAME} =*.networksecuritytoolkit.org [OR]
RewriteCond %{SERVER_NAME} =wiki.networksecuritytoolkit.org
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

Restart the Apache Web Service

Make sure the Apache Web service is restarted:

[root@nst-wiki40 scripts]# systemctl restart httpd.service php-fpm.service;

Certbot Configuration

This section lists the certbot apache plugin options used for configuration on an NST system.

  • Certbot apache plugin options:
[root@nst-wiki40 ~]# certbot --help apache
usage: 
  certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
it will attempt to use a webserver both for obtaining and installing the
certificate. 

options:
  -h, --help            show this help message and exit
  -c CONFIG_FILE, --config CONFIG_FILE
                        path to config file (default: /etc/letsencrypt/cli.ini and ~/.config/letsencrypt/cli.ini)

apache:
  Apache Web Server plugin

  --apache-enmod APACHE_ENMOD
                       Path to the Apache 'a2enmod' binary (default: None)
  --apache-dismod APACHE_DISMOD
                        Path to the Apache 'a2dismod' binary (default: None)
  --apache-le-vhost-ext APACHE_LE_VHOST_EXT
                       SSL vhost configuration extension (default: -le-ssl.conf)
  --apache-server-root APACHE_SERVER_ROOT
                        Apache server root directory (default: /etc/httpd)
  --apache-vhost-root APACHE_VHOST_ROOT
                        Apache server VirtualHost configuration root (default: None)
  --apache-logs-root APACHE_LOGS_ROOT
                        Apache server logs directory (default: /var/log/httpd)
  --apache-challenge-location APACHE_CHALLENGE_LOCATION
                        Directory path for challenge configuration (default: /etc/httpd/conf.d)
  --apache-handle-modules APACHE_HANDLE_MODULES
                        Let installer handle enabling required modules for you (Only Ubuntu/Debian currently) (default: False)
  --apache-handle-sites APACHE_HANDLE_SITES
                        Let installer handle enabling sites for you (Only Ubuntu/Debian currently) (default: False)
  --apache-ctl APACHE_CTL
                        Full path to Apache control script (default: httpd)
  --apache-bin APACHE_BIN
                        Full path to apache2/httpd binary (default: None)
  • Run Certbot configuration using the apache plugin:
certbot --apache --apache-server-root /etc/httpd --apache-bin /usr/sbin/apachectl;
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: wiki.networksecuritytoolkit.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1

Crontab - Certificate Updates

Add the following line to the crontab file "/etc/crontab" so that certbot attempts to renew the NST Wiki certificate (Note: both ports 80 and 443 must be accessible from the Internet for the renewal to succeed):

[root@nst-wiki40 ~]# cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root

# For details see man 4 crontabs

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed

0 0,12 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew -q

Backup Scripts

Listing of NST Wiki backup scripts:

[root@nst-wiki40 scripts]# ls -al /var/nst/backup/scripts
total 224
drwxr-xr-x 1 root root    398 Jul  5 15:36 .
drwxr-xr-x 1 root root     32 Oct 25  2011 ..
-rw-r--r-- 1 root root      0 Feb 28  2007 backup_exclude
-rwxr-xr-x 1 root root   1177 Jul  5 15:36 backup_nstwiki_configs
-rwxr-xr-x 1 root root   2217 Nov  7  2016 create_nstwiki_archive
-rw-r----- 1 root root     36 Feb 28  2007 credentials.cifs
-rwxr-xr-x 1 root root    552 Aug 21  2019 cron_run_nstwiki_archive
-rwxr-xr-x 1 root root   1672 Oct 21  2009 nstwiki_mysql_backup
-rw------- 1 root root 185200 Aug 21  2019 restore-notes.pdf
-rwxr-xr-x 1 root root   2066 Jul  3 14:35 run_nstwiki_archive
-rw-r--r-- 1 root root   1480 Aug 28  2006 time.bash
-rwxr-xr-x 1 root root   2110 Nov 29  2014 transfer_nstwiki_archive
-rw-r--r-- 1 root root   5568 Mar  3  2007 verbose.bash

Cron: NST Wiki Daily Backups

Add the following links for NST Wiki daily backups:

[root@nst-wiki40 scripts]# ls -al /etc/cron.daily/
total 48
drwxr-xr-x. 1 root root   158 Jul  5 12:42 .
drwxr-xr-x. 1 root root  7814 Jul  4 11:05 ..
lrwxrwxrwx  1 root root    48 Jul  5 12:40 cron_run_nstwiki_arche -> /var/nst/backup/scripts/cron_run_nstwiki_archive
-rwxr-xr-x  1 root root 25571 Jun 19 22:42 google-chrome-beta
-rwxr-xr-x. 1 root root  1749 Jan 25 19:00 rkhunter
lrwxrwxrwx  1 root root    27 Jul  5 12:42 run_nstwiki_stats -> /root/bin/run_nstwiki_stats
-rwxr-xr-x. 1 root root   536 Jan 26 19:00 tripwire-check