Security

Let’s Encrypt

by

Updated: 21 May 2025

DNS-01 challenge

The dns-01 challenge asks you to prove you control the DNS for a domain by putting a specific value in a TXT record, under that domain.

docker run -it --rm \
    -v "/home/chris/Desktop/do.ini:/tmp/do.ini" \
    -v "/home/chris/Desktop/certs:/etc/letsencrypt/live" \
    certbot/dns-digitalocean certonly \
    --dns-digitalocean --dns-digitalocean-credentials /tmp/do.ini \
    --dry-run -d example.com

Notes

  • certbot-dns-digitalocean documentation.
  • Contents of ~/Desktop/do.ini like this dns_digitalocean_token = token_here
  • Certbot, with it’s dns-digitalocean plugin will add a TXT record via the Digital Ocean API.
  • Place Digital Ocean API key in ~/Desktop/do.ini.
  • Certificates (x4) are saved to ~/Desktop/certs.
  • Note the --dry-run option.

SSL

by

Updated: 09 August 2025

Diagnose problems with certificates

Create self-signed certificates for Apache

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
-keyout /etc/ssl/private/apache-selfsigned.key \
-out /etc/ssl/certs/apache-selfsigned.crt

See Digital Ocean, how to create self-signed certs
See Self-signed wildcard cert check project on GitHub

Mozilla SSL configuration generator

https://ssl-config.mozilla.org/

ufw

by

Updated: 10 July 2025

List application profiles registered with ufw

ufw app list

Enable the firewall

ufw enable

Check status

ufw status verbose

Find a rule and delete it

sudo ufw status numbered
sudo ufw delete 2

Open port 9003. This may resolve a Xdebug: [Step Debug] Time-out connecting to debugging client error

sudo ufw allow 9003

Sample commands when setting up a new server

sudo ufw status verbose
sudo ufw app list
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh
sudo ufw enable
sudo ufw status verbose