How to Setup Let’s Encrypt on Ubuntu 18.04


Sites with SSL are needed more and more every day. HTTPS is now expected everywhere, an effort that Google has actively promoted. Certbot and Let’s Encrypt are popular solutions for big and small businesses alike because of their ease of implementation. Certbot is a software client that is installed on a server, like our Ubuntu 18.04 server, to obtain and auto-renew SSL certificates. It obtains these certificates from the well-known certificate authority Let’s Encrypt. In this tutorial, we’ll show you a swift way of getting HTTPS enabled on your site. Let’s get started!

Pre-flight

 

Step 1: Update apt to ensure we are working with the latest package tool.

apt update && apt upgrade

 

Step 2: We’ll install the Certbot software, which obtains the SSL certificates from Let’s Encrypt. Type Y when prompted to continue.

sudo apt install certbot

 

Step 3: Installing Certbot’s Apache package is also required. Type Y when prompted to continue.

apt install python-certbot-apache

 

Step 4: Time to attain the SSL from Let’s Encrypt.  Enter your email address and go through the prompts.  This step will look through your /etc/apache2/sites-available/yourdomain.com.conf file, specifically the website name set with the ServerName directive.

Note
If your installation gives the “Failed authorization procedure” message ensure you have followed the steps in the Apache Configuration article and that the A record is set for your domain.

certbot --apache

-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A

Your choice to opt in to their newsletter.
-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o:

 

Jumping off of our Apache Configuration tutorial, we want both of our domains covered, with both the www and non-www names available to our visitors. We’ll leave the input blank and hit ENTER.

Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: domain.com
2: www.domain.com
3: domain2.com
4: www.domain2.com
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):

 

In our tutorial we will select the Redirect option. You may choose No redirect if you would still like your site reachable over plain HTTP.

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):2

 

A congratulations message will appear, along with the locations of your certificate and key files, in case you need them later on.

- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/domain.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/domain.com/privkey.pem
Your cert will expire on 2019-07-16. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
Donating to EFF:                    https://eff.org/donate-le

 

Step 5: Verify that your domain was issued the Let’s Encrypt SSL certificate by visiting your site in the browser. Be sure to clear your browser cache if you don’t readily see the SSL lock.

You now have an SSL encrypting the traffic to your site.  A few things to point out:

  • SSLs are valid for 90 days at a time
  • Let’s Encrypt will automatically renew
  • Any notifications from Let’s Encrypt will be sent to the email address specified in the .conf file
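To check the result of the five steps above from the command line rather than only by eye in a browser, here is an added example (not part of the Liquid Web article). It connects to the site, verifies the certificate chain against the system trust store, confirms the issuer is Let’s Encrypt, reports how many days of the 90-day lifetime remain (anything under 30 days means automatic renewal is not working), and checks that plain HTTP answers with a redirect to HTTPS, which is what the Redirect option configures. The hostname `domain.com` is the article’s placeholder; the 30-day threshold is an assumption taken from Certbot’s usual renewal window.

```python
# Added example (not from the Liquid Web article): post-issuance checks for a
# site set up with "certbot --apache". Standard library only.
import http.client
import socket
import ssl
import time

RENEW_WARN_DAYS = 30  # assumption: below this, "certbot renew" is not doing its job


def fetch_peer_cert(hostname, port=443, timeout=10):
    """Open a TLS connection and return the validated peer certificate dict.

    The default context verifies the chain against the system trust store, so an
    incomplete chain or a leftover self-signed certificate raises an ssl error.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def issuer_org(cert):
    """Return the issuer organizationName from a getpeercert() dict ("" if absent)."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""


def days_until_expiry(cert, now=None):
    """Whole days left on the certificate, from the notAfter field of getpeercert()."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    now = time.time() if now is None else now
    return int((expires - now) // 86400)


def http_redirects_to_https(hostname, timeout=10):
    """True if a plain-HTTP request for / is answered with a redirect to an https:// URL."""
    conn = http.client.HTTPConnection(hostname, 80, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": hostname})
        resp = conn.getresponse()
        location = resp.getheader("Location", "")
        return resp.status in (301, 302, 307, 308) and location.startswith("https://")
    finally:
        conn.close()


def report(hostname):
    """Print one line summarising the certificate and redirect state of hostname."""
    cert = fetch_peer_cert(hostname)
    days = days_until_expiry(cert)
    print(f"{hostname}: issuer={issuer_org(cert)!r} expires_in={days}d "
          f"renewal_ok={days >= RENEW_WARN_DAYS} "
          f"http_redirect={http_redirects_to_https(hostname)}")


if __name__ == "__main__":
    import sys
    for name in sys.argv[1:] or ["domain.com"]:   # domain.com is the article's placeholder
        try:
            report(name)
        except (OSError, ssl.SSLError) as exc:
            print(f"{name}: check failed: {exc}")
```

Run it as `python3 check_site.py domain.com www.domain.com`; a certificate verification failure is reported rather than swallowed, because a chain that browsers reject is exactly the problem you want to catch after installation.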

Get our fully Managed VPS servers, and you can control Let’s Encrypt through your WHM control panel.  Not only will you get a clean control panel to adjust server aspects but you also get 24/7 support at your fingertips.  See how our servers can make admin tasks easier!

Plesk to Plesk Migration


Migrating from one Plesk installation to another is easy with the Plesk Migrator Tool! The Plesk team has done a great job creating an easy to use interface for migrating entire installations of Plesk to a new server.

If you need to move files, users, subscriptions, FTP accounts, mail and DNS servers setup through Plesk, this guide will help you successfully navigate the process and come out victorious!

We will be splitting this tutorial into three sections:


Install Poweradmin on Ubuntu 16.04


What is Poweradmin?

Poweradmin is a web-based graphical user interface to interact with PowerDNS. It is released under the open source GPL license. It makes it easy to create and edit zone files and interacts directly with the SQL server. Poweradmin has full support for most PowerDNS features, including all zone types (master, native and slave), supermasters, for automatic provisioning of slave zones and full support for A, AAAA, CNAME, HINFO, MX, NS, PTR, SOA, SRV and TXT record types, validation against RFC’s. It also has user and permission management setup for controlling user permissions with templates.  In this tutorial, we’ll be showing you how to install and configure Poweradmin as well as some records.


Gmail Blacklist


As one of the most trusted email providers, Google keeps top-notch security by maintaining their own blacklist and security information. With the numerous users the company provides email accounts to, there is an overwhelming amount of data that Google can scrutinize for spam or malicious emails. By gathering this valuable information, rules are created to filter problem content. These rules are highly sophisticated, and as this data is compiled, specific IP addresses are flagged and sorted into what is called a blacklist.

The Gmail blacklist is designed to prevent unwanted spam, malicious content and excessive amounts of email. Some of the most common reasons for getting blocked are as follows:

  • Large amounts of emails sent from a new IP address.
  • Sudden changes in email volumes.
  • High bounce rates.
  • Spam reports from Gmail users.
  • Incorrect DNS settings.
  • Low sender scores.
  • IP listing in public blacklists.

Gmail’s blacklist may also take information from several public blacklists in order to block malicious, unwanted or compromised IP addresses before any complaints have been received about them. This is a preventative measure intended to keep spam to a minimum. All things considered, this is why your Gmail address will likely receive far fewer unwanted emails and benefit from better filtering rules.

 

There are several effects to being on the Gmail blacklist, and the most obvious is that all email from the IP address sending mail will be blocked. This means everything including personal communication, bulk messages, email lists, etc. Not only will it block the problem domain or user, but everything else on the SMTP server attempting to use that IP address.

This poses a large issue for shared IP addresses on any server. But there is hope, both in the form of preventative measures and ways to redeem your IP address and clear it from the blacklist. Before clearing your IP address, we highly suggest you review the information to make sure nothing has been compromised. Blacklistings often mean an email account has been hacked, or that there are simply poor emailing practices.

Preventatively, you can protect the IP you are using with SPF records should you have no current issues. These records will assist in providing additional verification for the IP address you are using and help keep your IP clean.

 

If you’re already experiencing issues with Gmail delivery, then the first step is to diagnose the SMTP server. If this is a managed environment, it’s best to contact your hosting provider and ask them to review the specific email address having issues. Be sure to include example messages, any bouncebacks you’ve received and any specifics you can remember. (Subject lines, recipients, time of email, etc.) This should help in the retrieval of data.

You can actually get a full copy of the headers of any messages having issues directly from your email client. If you need information on how to do this, see our article on viewing full e-mail headers.

If you are having trouble delivering mail and can’t find any fault on your SMTP server, then it’s time to search some blacklists to test the waters. One of the most reputable places to start is mxtoolbox.com. Although Gmail does not state what mechanisms they use to blacklist, this site allows you to search your domain and query a large number of blacklists that should tell you if there are issues coming from your server. Along with cleanup instructions and links to each blacklist, this site is a handy tool for anyone looking to admin their own email.

There are several other sites that can be referenced for blacklist checking, but unfortunately there is only one way to get information from Google specifically. If you are not on a blacklist and there are no issues coming from the SMTP server, then it’s time to fill out Google’s Delivery Problem Form. This form asks for basic information as well as any technical information you can provide. The more information you provide, the easier the listing check and possible removal or de-listing will be.

From there, Google should help you through the rest of the process or provide further information that will move the issue along. But that still leaves us with one question…

 

Well, the guidelines differ depending on what you are using email for. As some of us just use email for personal use the rules are pretty simple. Don’t send malicious content, make sure you don’t attempt to use huge files or send to everyone in your address book every thirty minutes for no reason, etc. These are all suspicious behaviors or hard rules that will either fail or cause issues.

Really we can boil the best practices down to a few important rules of thumb.

  • Do not spam.
    • This includes redirects. Google has specific best practices for pulling email from other accounts, so setting up forwarders in other SMTP servers to shovel all mail over to Google addresses will simply count as spam.
  • Follow the bulk mail guidelines.
  • Pull, don’t push.
    • Meaning import messages or set Google to pull from third party, don’t forward to Google automatically. (Manual forwarding to share information is perfectly fine.)
  • Use SPF records.
    • SPF records are great added security and verification.
  • Change your passwords frequently.
    • Remember, passwords are vital and knowing the best practices for safe passwords is very important.
  • Watch for, and read, bounceback emails.

Following the few suggestions above will keep your SMTP server healthy and happy. When all information intended for Google is pulled via their methods, the likelihood of being blocked for false positives (meaning blocked for legitimate practices done incorrectly) will go down dramatically.

 

Change Primary Domain in WHM


If you use multiple aliases (previously called parked domains) within a cPanel account, you may find yourself wanting to change the main domain used for the cPanel account containing these domains. Changing the primary domain is desirable for multiple reasons and often occurs when the site in use switches from one TLD to another (i.e., .net to .com). You may desire to change this if the name of your company or site

A Beginner’s Guide to Managed WordPress


Thank you for choosing Managed WordPress at Liquid Web! We hope this guide will help you get started in making the most of your experience with the Managed WordPress Portal. There are some great features in the portal, and we’ve worked hard to make sure site maintenance is a cinch.

What is Power DNS?


PowerDNS (pdns) is an open source authoritative DNS server that works as an alternative to the traditional BIND (named) DNS server. PowerDNS offers better performance and has minimal memory requirements. PowerDNS also works with many supporting backends, ranging from simple zone files to complex database setups on various SQL platforms (MySQL, MariaDB, Oracle, PostgreSQL).

Understanding the DNS Process


Do you ask yourself, “What is DNS?” or “Do I need to use DNS?” Do you feel confused? In some cases, DNS can be convoluted and complicated. Let’s talk about Domain Name System (DNS) services. When you need to access a website, you type the domain name, such as www.google.com, into the web browser instead of typing an IP address. A conversion happens from www.google.com to 172.217.12.46, an IP address assigned to a device on the Internet. This conversion is a DNS query, an integral part of how devices find each other to communicate over the Internet. To understand the DNS query process, let’s walk through how a DNS query routes through the different components.

Step 1: Requesting Website Information

First, you visit a website by typing a domain name into a web browser.  Your computer will start resolving the hostname, such as www.liquidweb.com. Your computer will look for the IP address associated with the domain name in its local DNS cache, which stores DNS information that your computer has recently saved.  If it is present locally, then the website will be displayed. If your computer does not have the data stored, then it will perform a DNS query to retrieve the correct information.

Step 2: Contact the Recursive DNS Servers

If the information is not in your computer’s local DNS cache, then it will query the recursive DNS servers of your Internet service provider (ISP). Recursive DNS servers have their own local DNS cache, much like your computer. Given that many of the ISP’s customers use the same recursive DNS servers, there is a good chance that common domain names are already in its cache. If the domain is cached, the DNS query ends here and the website is displayed to the user.

Step 3: Query the Authoritative DNS Servers

If the recursive DNS servers do not have the information in their cache, the DNS query continues to the authoritative DNS server that holds the data for that specific domain. These authoritative name servers are responsible for storing the DNS records for their respective domain names.

Step 4: Access the DNS Record

For our example, to find out the IP address for www.liquidweb.com, we will query the authoritative name server for the address record (A record). The Recursive DNS server accesses the A record for www.liquidweb.com from the authoritative name servers and stores the record in its local DNS cache. If other DNS queries request the A record for www.liquidweb.com, the recursive server will have the answer and will not have to repeat the DNS lookup process. All DNS records have a time-to-live value, which shows when a DNS record will expire. After some time has passed, the recursive DNS server will ask for an updated copy of the DNS record.

Step 5: Final DNS Step

The recursive DNS server now has the information and returns the A record to your computer. Your computer stores the DNS record in its local DNS cache, reads the IP address from the record, and passes it to your browser. The web browser then connects to the web server at the A record’s IP address and displays the website.
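The five steps above are easiest to see with the three caches side by side. The following is an added example, not part of the Liquid Web article: a small model in which records live on the authoritative servers, in the ISP’s recursive resolver cache, and in the computer’s local cache, each cached answer carrying its TTL. The `demo()` function also changes the A record mid-way, which shows why a cached answer keeps being served until its TTL runs out (the reason the troubleshooting tips later recommend a low TTL before changing a record). All names, addresses and clock values are constructed for the example.

```python
# Added example (not from the Liquid Web article): a model of the DNS lookup
# steps with a local cache, a recursive resolver cache and authoritative data.
# Names, addresses and clock values are constructed for the example.


def sample_authoritative():
    """Authoritative data keyed by zone: (name, type) -> (ttl, rdata). Constructed."""
    return {
        "liquidweb.com.": {("www.liquidweb.com.", "A"): (300, "203.0.113.10")},
        "example.com.": {("example.com.", "A"): (86400, "198.51.100.5")},
    }


class Cache:
    """A DNS cache whose entries expire once their TTL has elapsed."""

    def __init__(self):
        self._entries = {}  # (qname, qtype) -> (expires_at, rdata)

    def get(self, qname, qtype, now):
        """Return (rdata, remaining_ttl), or None on a miss or an expired entry."""
        entry = self._entries.get((qname, qtype))
        if entry is None or now >= entry[0]:
            self._entries.pop((qname, qtype), None)   # TTL passed: forget the record
            return None
        expires_at, rdata = entry
        return rdata, expires_at - now                # resolvers pass on the remaining TTL

    def put(self, qname, qtype, ttl, rdata, now):
        self._entries[(qname, qtype)] = (now + ttl, rdata)


def zone_for(authoritative, qname):
    """Find the zone authoritative for qname by walking up its labels (step 3)."""
    labels = qname.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in authoritative:
            return candidate
    raise LookupError(f"no authoritative server for {qname}")


def resolve(qname, qtype, local, recursive, authoritative, now):
    """Follow steps 1-5; return (rdata, source), where source names the layer that answered."""
    hit = local.get(qname, qtype, now)                     # step 1: the computer's own cache
    if hit is not None:
        return hit[0], "local cache"
    hit = recursive.get(qname, qtype, now)                 # step 2: the ISP's recursive server
    if hit is not None:
        rdata, ttl = hit
        local.put(qname, qtype, ttl, rdata, now)           # step 5: the computer caches the answer
        return rdata, "recursive cache"
    zone = zone_for(authoritative, qname)                  # step 3: the authoritative server
    try:
        ttl, rdata = authoritative[zone][(qname, qtype)]   # step 4: read the A record
    except KeyError:
        raise LookupError(f"NXDOMAIN: no {qtype} record for {qname}") from None
    recursive.put(qname, qtype, ttl, rdata, now)           # the recursive server caches it ...
    local.put(qname, qtype, ttl, rdata, now)               # ... and so does the computer (step 5)
    return rdata, "authoritative"


def demo():
    """Walk the cache layers through time; returns the list of (rdata, source) answers."""
    auth = sample_authoritative()
    isp, my_pc, neighbour_pc = Cache(), Cache(), Cache()
    t0 = 1_000_000                                         # constructed clock, in seconds
    name = "www.liquidweb.com."
    answers = [
        resolve(name, "A", my_pc, isp, auth, t0),               # cold: all the way to authoritative
        resolve(name, "A", neighbour_pc, isp, auth, t0 + 10),   # another ISP customer: recursive cache
        resolve(name, "A", my_pc, isp, auth, t0 + 20),          # repeat lookup: local cache
    ]
    # The zone owner changes the A record, but the 300 s TTL has not run out yet.
    auth["liquidweb.com."][(name, "A")] = (300, "203.0.113.20")
    answers.append(resolve(name, "A", my_pc, isp, auth, t0 + 100))   # still the old address
    answers.append(resolve(name, "A", my_pc, isp, auth, t0 + 301))   # TTL expired: new address
    return answers


if __name__ == "__main__":
    for rdata, source in demo():
        print(f"{rdata:<14} from {source}")
```

The fourth answer is the one to notice: the record has already changed on the authoritative server, yet the computer is still handed the old address from its own cache, and nothing short of waiting out the TTL (or flushing the cache) fixes that.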

The entire DNS lookup process, from start to finish, takes only milliseconds to complete. For a deeper understanding, let’s break down the DNS components mentioned above that take part in the lookup process.

The DNS Process

Authoritative DNS Server

An authoritative name server is a DNS server that stores DNS records (A, CNAME, MX, TXT, etc.) for domain names. These servers will only respond to DNS queries for locally stored DNS zone files.  For example, if a DNS server in my network has a stored A record for example.com, then that DNS server is the authoritative server for the example.com domain name.

Recursive Nameserver

A recursive name server is a DNS server that receives DNS queries from clients and answers them on their behalf. These types of DNS servers do not store DNS zone data themselves. When a DNS query is received, the server searches its cache for the record matching the name in the query. If the recursive name server has the information, it returns a response to the query sender. If it does not have the record, the query is passed on through other name servers until it reaches an authoritative DNS server that can supply the IP address.

DNS Zone

A DNS zone is an administrative space within the Domain Name System (DNS). It forms one part of the DNS namespace, delegated to an administrator or a specific entity. Each zone contains the resource records for all of its domain names.

DNS Zone File

A DNS zone file is a text file stored on a DNS server that contains all the DNS records for every domain within that zone. The zone file must list the TTL (Time to Live) before any other information. The TTL specifies how long a DNS record stays in a DNS server’s cache. The zone file lists one DNS record per line and has the Start of Authority (SOA) record listed first. The SOA record contains essential information about the zone, including its primary authoritative name server.

DNS Records

Stored in authoritative DNS servers are the DNS records; these records provide information about a domain, including the IP address associated with each name. Every domain needs a few necessary DNS records before a website can be reached using its domain name.

Below is a list of the most common types and frequently utilized DNS records. Let’s dive into each kind of record.

A (Address) Record

An A record points a domain name to an IP address. For example, when you type www.google.com in a web browser, it will translate to 172.217.12.46. This record links your website’s domain name to an IP address that points to where the website’s files live.

Example of A record

CNAME (Canonical Name) Record

A CNAME record forwards one domain name to another domain name. This record does not contain an IP address. Use this type of record only when there are no other records on that domain name; otherwise the other records conflict with it. For example, a CNAME can point www.google.com to google.com, but not to google.com and an additional domain name such as gmail.com at the same time.

Example of CNAME record

MX (Mail Exchanger) Record

This type of record routes all email messages for a recipient’s domain to a designated mail host. MX records carry a priority number for the case where more than one MX record is entered for a single domain name that uses more than one mail server. The priority number specifies the order in which the listed mail servers are tried. Counterintuitively, the lower number is the higher priority. For example, the MX record with priority number 10 will receive the email messages first. The MX record with priority number 20 will be a backup if the MX record with priority 10 is unavailable.

Example of MX records

TXT (Text) Record

Used for information and verification purposes, the TXT record discloses information about your domain to other services, such as which services the domain is using. Sender Policy Framework (SPF) records are added as TXT records to help identify whether email messages are coming from a trusted source.

Example of TXT record

NS (Name Server) Record

Name servers are servers, usually owned by a web hosting company such as Liquid Web, that are used to manage the domain names associated with their web hosting customers. The NS records identify the name servers for each domain name in a given DNS zone.

Example of NS records

SOA (Start of Authority) Record

The SOA record is a resource record which stores information regarding all the DNS records in a given DNS zone. An SOA record contains properties for a zone such as:

  • The name of the primary DNS server
  • Email address of the responsible person for that zone
  • The serial number that is used by a secondary DNS server to check if the zone has changed
    • If a zone has changed on the primary DNS server, the serial number changes, and the changes are copied to the secondary DNS server.
  • Refresh Interval
    • This shows how frequently the secondary DNS servers check for changes to any of the records, as determined by the TTL.
  • Retry Interval
    • The retry interval shows how frequently the secondary DNS servers should retry checking whether any changes were made to the zone if the first refresh fails.
  • Expire Interval
    • Shows how long the zone will remain valid after a refresh.
  • Minimum (default) TTL (Time to Live)
    • The SOA record fields are specified in https://www.ietf.org/rfc/rfc1035.txt, “Domain Names – Implementation and Specification”.

Example of SOA record

SRV (Service) Record

The SRV records are created to establish connections between services and hostnames.  For example, if an application is searching for a location of a service that it needs, it will look for an SRV record with that information.  When the app finds the correct SRV record, it will filter through the list of services to find the following information:

  • Hostname
  • Ports
  • Priority and Weight
  • IP Addresses

Here is an example of two SRV records.

_sip._tcp.example.com.   3600 IN SRV 10 50 5060 serviceone.example.com.

_sip._tcp.example.com.   3600 IN SRV 10 30 5060 servicetwo.example.com.

Note: _sip is the name of the service and _tcp is the transport protocol.

The content of the SRV record defines a priority of 10 for both records. The first record has a weight of 50 and the second a weight of 30. The priority and weight values promote the use of specific servers over others.  The final two values in the record describe the port and hostname to connect to for accessing any services.

PTR (Pointer) Record
A PTR record (Reverse DNS record) does the opposite of an A record. It resolves an IP address to a domain name. The purpose of this record is mainly administrative to verify that an IP address links to a domain name. Not all DNS hosting providers offer this type of DNS record.
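The zone file format described earlier (TTL first, one record per line, SOA first) and the record rules above (MX priority, SPF in TXT, SRV priority and weight, SOA fields) are easier to trust once you have parsed a zone and applied them. The following is an added example, not part of the Liquid Web article: a minimal parser for a constructed `example.com.` zone, with functions that map the seven SOA fields to their names, order MX hosts for delivery (lower number first), read the SPF TXT record, and choose an SRV target the way RFC 2782 describes (lowest priority, then weighted random among equals). The two SRV lines are the article’s own; every other name, address and value is constructed.

```python
# Added example (not from the Liquid Web article): parse a small zone file and
# apply the MX, SRV, TXT and SOA rules described in the article. Zone content
# is constructed; only the two SRV lines are taken from the article.
import random

ZONE_TEXT = """\
$TTL 3600
example.com.            IN SOA  ns1.example.com. hostmaster.example.com. 2024010101 7200 900 1209600 300
example.com.            IN NS   ns1.example.com.
example.com.            IN A    198.51.100.5
www.example.com.        IN CNAME example.com.
example.com.            IN MX   20 backup-mail.example.com.
example.com.            IN MX   10 mail.example.com.
example.com.            IN TXT  "v=spf1 ip4:198.51.100.0/24 -all"
_sip._tcp.example.com.  3600 IN SRV 10 50 5060 serviceone.example.com.
_sip._tcp.example.com.  3600 IN SRV 10 30 5060 servicetwo.example.com.
"""

SOA_FIELDS = ("mname", "rname", "serial", "refresh", "retry", "expire", "minimum")


def parse_zone(text):
    """Return (default_ttl, records); each record is a dict with name, ttl, type and rdata."""
    default_ttl, records = None, []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        if line.startswith("$TTL"):
            default_ttl = int(line.split()[1])        # the TTL must precede the records
            continue
        fields = line.split()
        name, rest = fields[0], fields[1:]
        ttl = default_ttl
        if rest and rest[0].isdigit():                # optional per-record TTL
            ttl, rest = int(rest[0]), rest[1:]
        if rest and rest[0] == "IN":                  # class is always IN here
            rest = rest[1:]
        records.append({"name": name, "ttl": ttl, "type": rest[0], "rdata": rest[1:]})
    if records and records[0]["type"] != "SOA":
        raise ValueError("the SOA record must be the first record in the zone")
    return default_ttl, records


def soa(records):
    """Map the seven SOA rdata fields to their names (numeric fields as ints)."""
    rec = next(r for r in records if r["type"] == "SOA")
    values = rec["rdata"][:2] + [int(v) for v in rec["rdata"][2:]]
    return dict(zip(SOA_FIELDS, values))


def mail_servers(records):
    """MX hosts in delivery order: the lowest priority number is tried first."""
    mx = [(int(r["rdata"][0]), r["rdata"][1]) for r in records if r["type"] == "MX"]
    return [host for _, host in sorted(mx)]


def txt_value(records, name):
    """Join the TXT rdata tokens back together and strip the surrounding quotes."""
    for r in records:
        if r["type"] == "TXT" and r["name"] == name:
            return " ".join(r["rdata"]).strip('"')
    return None


def pick_srv(records, service, rng=random):
    """Pick one (target, port) for a service per RFC 2782: lowest priority, then by weight."""
    srv = [r for r in records if r["type"] == "SRV" and r["name"] == service]
    if not srv:
        return None
    parsed = [(int(r["rdata"][0]), int(r["rdata"][1]), int(r["rdata"][2]), r["rdata"][3])
              for r in srv]
    best = min(p for p, _, _, _ in parsed)
    candidates = [c for c in parsed if c[0] == best]
    point = rng.uniform(0, sum(w for _, w, _, _ in candidates))
    running = 0
    for _, weight, port, target in candidates:
        running += weight
        if point <= running:
            return target, port
    return candidates[-1][3], candidates[-1][2]


def srv_distribution(records, service, draws=1000, seed=0):
    """Count how often each target is picked; weights 50:30 give roughly a 5:3 split."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(draws):
        target, _port = pick_srv(records, service, rng)
        counts[target] = counts.get(target, 0) + 1
    return counts


if __name__ == "__main__":
    _, recs = parse_zone(ZONE_TEXT)
    print("SOA:", soa(recs))
    print("MX delivery order:", mail_servers(recs))
    print("SPF:", txt_value(recs, "example.com."))
    print("SRV picks:", srv_distribution(recs, "_sip._tcp.example.com.", 1000, 42))
```

Two points worth checking against the prose: `mail_servers` returns `mail.example.com.` before `backup-mail.example.com.` even though the zone lists them the other way round, because only the priority number decides; and `srv_distribution` shows both SRV targets being used, with `serviceone` chosen about five times out of eight, since equal priorities are shared by weight rather than the second record being a mere backup.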

Now that we have talked about the DNS services and the DNS components, we can troubleshoot any DNS issues which may have arisen. Below is a list of common DNS troubleshooting tips.  

  • If your website is displaying that a “server IP address could not be found,” then it’s possible that the A record is missing. You will need to add an A record to your DNS zone.

Error Page "IP Address Not Found"

  • Check to see if you have any improperly configured DNS records.
  • When you change your name servers for your domain name, you will need to wait for the name servers to propagate. The propagation can take up to 24 hours to complete.
  • Check whether you have high TTL (Time to Live) values. For example, if an A record has 86400 seconds (24 hours) as its TTL value and you update the domain’s A record to point to a new IP address, the change will take 24 hours to propagate. It is better to change the TTL value to 300 seconds, which is 5 minutes. We have a great article that talks more about TTL values.
  • If you are using a third-party proxy server for your website and your website is not displaying, you can use your computer’s host file to see where the issue is occurring. For example, I have the website dnswebtest.com using a third-party proxy server, and it is displaying a connection error. I need to find out if the issue is with the web hosting company or the third-party proxy server. I will access my local host file, add my website dnswebtest.com as an entry and point it to the web hosting company’s IP address, for example, 98.129.229.4. If I then go to my site in the browser and it displays correctly, then I know the issue is with the third-party proxy server. Here is an excellent article on How to Edit Your Host File.

Although DNS can be a complex issue, with a better understanding of the process and a few troubleshooting tips, you will be much more confident when working with it or troubleshooting problems. The following third-party tools are also quite useful when checking for DNS propagation or finding what types of DNS records a domain name has:

  1. https://www.whatsmydns.net/  for DNS propagation
  2. https://www.whoishostingthis.com/ to show what IP address a website is resolving to

 

DNS Zones Explained


DNS Zones

A DNS Zone is a portion of the DNS namespace that is managed by an organization or administrator. It serves as an administrative space with granular control of DNS components and records, such as authoritative nameservers. There is a common misconception that a DNS zone is associated with only a single domain name or a single DNS server. In actuality, a DNS zone can contain multiple domains and subdomains. Multiple zones can also exist on the same server. Information stored for a DNS zone lives within a text file called a DNS zone file.