X marks the spot

random commentary on life, the universe, and anything

June 5, 2018
by puhfu
0 comments

WordPress, pretty permalinks, and 404s (part 2)

As I noted back in September 2017, I switched from Rackspace to Amazon Lightsail for my personal website as well as for a learning management system I run for Harbor-UCLA Pediatrics.

I’m using apache virtual hosts to run both in separate subdirectories. One problem I had, but didn’t have time to fix (and then forgot about), was that turning on pretty permalinks in WordPress broke the learning management system. I knew two things: 1) it was probably a .htaccess issue and 2) my VirtualHost config was probably making a mess of things.

So why now? I have this lovely short domain (fu.fyi) doing nothing, I thought I’d use it as a custom URL shortener through bit.ly. I can set a default 404 for bad links in bit.ly so I thought I’d just use the themed WP one. But then I realized that the 404 being shown was the default apache 404 page. Which meant that I had to figure out why missing pages were not being passed to the WP stack. Which meant fixing .htaccess and httpd.conf.

Sources:
This is the .htaccess code in WordPress. Can someone explain how it works?
A really lovely online .htaccess checker: https://htaccess.madewithlove.be/

The WP default .htaccess is pretty straightforward.

# BEGIN WordPress

RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

# END WordPress

There are a few sites out there that document that you need to modify the second RewriteRule if your WP installation is in a subdirectory.

RewriteRule . subdir/index.php [L]

What they don’t tell you is that you break things when you duplicate RewriteRules in both VirtualHost configs and .htaccess. So cleaning httpd.conf up:

# lms hosting
<VirtualHost *:80>
   ServerName lms.domain2.com
# redirect all HTTP traffic to HTTPS
   RewriteEngine on
   RewriteCond %{SERVER_NAME} =learn.harborpeds.org
   RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<VirtualHost *:443>
   ServerName lms.domain2.com
   DocumentRoot "/var/www/html/lms"
   <Directory "/var/www/html/lms">
      Options -Indexes +FollowSymLinks
      Require all granted
   </Directory>
   Include /etc/letsencrypt/options-ssl-apache.conf
   SSLCertificateFile /etc/letsencrypt/live/domain1.com/fullchain.pem
   SSLCertificateKeyFile /etc/letsencrypt/live/domain1.com/privkey.pem
</VirtualHost>

And adding a catch-all to .htaccess before the WP default:

# Turn on rewrites
RewriteEngine On
# Set the base path for rewrites
RewriteBase /
# Redirect anything that slips through httpd.conf to wordpress
RewriteRule ^(/)?$ https://%{HTTP_HOST}%{REQUEST_URI}/subdir/index.php [L]

And the best thing? I actually understand .htaccess better now.

Oh yeah. And it works.

October 21, 2017
by puhfu

Adding a self-signed SSL certificate for UniFi on Mac OS X 10.12

Got tired of seeing the UniFi controller java service running https but not trusted on localhost. And I almost have a solution. Found a solution, but it wasn’t easy.

Sources:
CertSimple: Never see localhost HTTPS warnings again
Ubiquiti Network Community: Installing an SSL Certificate

Follow the CertSimple instructions to use Mac OS X Keychain Access to generate self-signed certificates for localhost. In Step 3, make sure to export both the localhost certificate (as .pem) and the localhost private key (select .p12 from drop down and then convert as per the openssl command in Step 3 OR export as .pem) from within Keychain Access.

Keychain Access

Instead of service unifi stop as in the Ubiquiti Network Community instructions (which are for a linux system), for Mac OS X, simply quit the UniFi app in order to stop the service. Alternatively, from the command line:

$ java -jar /Applications/UniFi.app/Contents/Java/ace.jar stop

Here are the commands that I used based on the Community page. I put the files on the Desktop for easy finding (from the command line natch).

$ sudo openssl pkcs12 -export -passout pass:aircontrolenterprise \
 -in ~/Desktop/localhost-cert.pem -inkey ~/Desktop/localhost-key.pem \
 -out ~/Desktop/localhost -name unifi \
 -CAfile ~/Desktop/localhost-CAcert.pem -caname root

$ sudo keytool -delete -alias unifi \
 -keystore ~/Library/Application\ Support/UniFi/data/keystore \
 -deststorepass aircontrolenterprise

$ sudo keytool -trustcacerts -importkeystore \
 -deststorepass aircontrolenterprise -destkeypass aircontrolenterprise \
 -destkeystore ~/Library/Application\ Support/UniFi/data/keystore \
 -srckeystore ~/Desktop/localhost -srcstoretype PKCS12 \
 -srcstorepass aircontrolenterprise -alias unifi

Unfortunately, I’m running into an error where the certificate is not getting imported into the keystore.

$ sudo java -jar /Applications/UniFi.app/Contents/Java/ace.jar \
 import_cert ~/Desktop/localhost-cert.pem ~/Desktop/localhost-CAcert.pem \
 ~/Desktop/localhost
Unable to import the certificate into keystore 

Hurrah! Found the answer.

Source:
UBNT Support Page: UniFi – SSL certificate error upon opening controller page

Troubleshooting

If the error "Unable to import certificate into keystore" appears when importing the signed certificate & intermediate certs, try the following steps:

1. Edit the certificate file and remove any blank spaces after each line of the cert.

And that did it.

$ sudo java -jar /Applications/UniFi.app/Contents/Java/ace.jar import_cert ~/Desktop/localhost-cert.pem ~/Desktop/localhost-CAcert.pem ~/Desktop/localhost
parse localhost-CAcert.pem (PEM, 1 certs): CN=localhost Certification Authority
parse localhost, 0 certs found
parse localhost-cert.pem (PEM, 1 certs): CN=localhost
Importing signed cert[localhost]
Certificates successfuly imported. Please restart the UniFi Controller.

But still doesn’t work completely because it’s self-signed. I guess if I want that green lock then I’ll have to go get a real cert.
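The fix that finally made import_cert work was the UBNT troubleshooting step: trailing blanks on the PEM lines. This is an added example, not part of the original post, that applies that step with sed and checks the file before it goes anywhere near ace.jar; it assumes POSIX sh with sed and grep, and the certificate text it builds is constructed, not a real certificate.

```shell
#!/bin/sh
# Added example: strip trailing whitespace from a PEM file (the UBNT
# troubleshooting step) and sanity-check the result. Assumes POSIX sh,
# sed and grep. The sample PEM below is constructed, not a real cert.

# Write $1 to $2 with trailing spaces, tabs and carriage returns removed.
pem_strip_trailing_ws() {
    sed -e 's/[[:space:]]*$//' "$1" > "$2"
}

# Return 0 if the file is a clean PEM block: BEGIN and END markers, no line
# ending in whitespace, and only base64 characters on the body lines.
pem_check() {
    grep -q '^-----BEGIN ' "$1" || return 1
    grep -q '^-----END ' "$1" || return 1
    if grep -q '[[:space:]]$' "$1"; then return 1; fi
    if grep -v '^-----' "$1" | grep -q '[^A-Za-z0-9+/=]'; then return 1; fi
    return 0
}

# Constructed sample: PEM-shaped text with trailing spaces and a CRLF line
# ending, the kind of debris an editor or a Keychain export can leave behind.
make_dirty_pem() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----  ' 'MIIBszCCAVwCAQAwDQYJ ' > "$1"
    printf 'QUJDREVGR0hJSktMTU5PUA==\r\n-----END CERTIFICATE-----\n' >> "$1"
}

# Round trip: returns 0 when the dirty file fails the check and the cleaned
# copy passes it. Prints the verdict.
demo() {
    d="${TMPDIR:-/tmp}/pemfix.$$"; mkdir -p "$d"
    make_dirty_pem "$d/dirty.pem"
    pem_check "$d/dirty.pem" && { echo "dirty.pem unexpectedly passed"; return 1; }
    pem_strip_trailing_ws "$d/dirty.pem" "$d/clean.pem"
    pem_check "$d/clean.pem" || { echo "clean.pem still fails"; return 1; }
    echo "dirty.pem rejected, clean.pem accepted"
    rm -rf "$d"
}

demo
```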

And for reference:

$ java -jar /Applications/UniFi.app/Contents/Java/ace.jar
Usage: java -jar lib/ace.jar  [...]
    start  : start the UniFi controller
    stop   : stop the UniFi controller
    info   : display some information
    installsvc/startsvc/uninstallsvc/stopsvc : install/start/stop as a Windows service
    new_cert      : create new certificate (with csr)
    import_cert  [...] : import the signed certificate and ca cert

September 4, 2017
by puhfu

Amazon Lightsail, Let’s Encrypt, and SSL

I’m really happy having migrated to Amazon Lightsail so far. The documentation is good and it has a big enough user base so that there are plenty of others who have had the same issues as I am encountering. Sometimes though, it’s not quite the same.

Documentation:
Tutorial: Configure Apache Web Server on Amazon Linux to Use SSL/TLS
Appendix: Let’s Encrypt with Certbot on Amazon Linux

Able to follow the first steps:

$ sudo yum-config-manager --enable epel
$ wget https://dl.eff.org/certbot-auto
$ chmod a+x certbot-auto
$ sudo ./certbot-auto --debug

As a sidenote, certbot-auto is located in /etc.

Anyway, after running through the certbot-auto steps, it fails with the following message:

Incorrect validation certificate for tls-sni-01 challenge. Requested 6e9f679b4c7458baae91e229b3352d33.6e3c653d675dfdf58604b4b049566594.acme.invalid from xxx.xxx.xxx.xxx:443. Received 1 certificate(s), first certificate had names "ip-yyy-yyy-yyy-yyy, ip-yyy-yyy-yyy-yyy.us-west-2.compute.internal, localhost, localhost.localdomain"

The certbot documentation for Apache on CentOS/RHEL 7 shows a certificate only process, instead of the automated installation of the certificate and key into the right locations.

The certificates are located in /etc/pki/tls/certs/
The private keys are located in /etc/pki/tls/private/

$ sudo certbot-auto --apache certonly

Running Certbot generates the certificate and key and puts them into /etc/letsencrypt/live/domain.com/

From there, it is just a quick ln -s to the right directories and boom. SSL works.

September 4, 2017
by puhfu

Goodbye Rackspace; Hello Amazon Lightsail

Some of the documentation I used:

1. Getting ssh to work from Mac OS X terminal. Lightsail uses ssh keys for access. They also have a web-based ssh session which is pretty good but it has a short time-out. Plus, I like my terminal.

How do I set or change the root password for my EC2 Linux instance?
Amazon EC2 Key Pairs – Retrieving the Public Key
Set up SSH in Amazon Lightsail
Log in with an SSH private key on Linux and Mac
Tutorial: Installing a LAMP Web Server on Amazon Linux

2. Now I need vsftpd

$ sudo yum install vsftpd 

How to Setup FTP (SFTP) on an AWS EC2 Instance

3. Wait, no iptables?

That’s right. With LightSail, it’s in the Networking tab on the Lightsail dashboard and you use that to open up ports, in this case, ftp 20-21, 1024-1048.

4. SSL!
Tutorial: Configure Apache Web Server on Amazon Linux to Use SSL/TLS
Appendix: Let’s Encrypt with Certbot on Amazon Linux

Yikes. I can’t do SSL until the site is migrated over. Oh well. Let’s do that.

5. Migrate WordPress files, export/import the database. Needed to change wp_options siteurl and home from http://domain.com to http://x.y.z.a. After using the IP address in the URL, I can get pages to load. Whoo hoo!

6. Migrated the DNS

7. Hm. Why is /html not directing to subdirectory/ and why am I getting 500 errors? Well, I can get WP to work now but by manually adding the subdirectory in the URL which means that mod_rewrite isn’t working.

Enable mod_rewrite on Apache EC2 Linux Server

Hm. Check php.ini. Well, mod_rewrite is installed. So what’s up then?

/var/log/httpd/error_log is showing something funky in .htaccess. Weird control characters? Oh man, I must have introduced them in a copy/paste. Once retyped, it works.

Except non-default Permalinks. Argh.
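Both .htaccess failures on this page, the control characters pasted into .htaccess here and the RewriteRules duplicated between httpd.conf and .htaccess in the June 2018 post, can be caught before restarting Apache. This is an added example, not code from the original posts; it assumes POSIX sh with grep, sed, sort and comm, and the config files it writes are constructed samples, not the author’s real configs.

```shell
#!/bin/sh
# Added example, not from the original posts: two checks for the .htaccess
# problems described on this page. Assumes POSIX sh plus grep, sed, sort
# and comm; the sample files below are constructed, not the real configs.

# Return 0 if the file holds only printable ASCII, spaces and tabs. Carriage
# returns, other control characters and non-ASCII bytes (the "weird control
# characters" a copy/paste can introduce) make it return 1.
htaccess_is_clean() {
    ! LC_ALL=C grep -q '[^[:print:][:blank:]]' "$1"
}

# Print the RewriteRule/RewriteCond directives of a file, one per line, with
# indentation and repeated whitespace normalised, sorted and deduplicated.
rewrite_directives() {
    sed -n -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
           -e 's/[[:space:]]\{1,\}/ /g' \
           -e '/^RewriteRule /p' -e '/^RewriteCond /p' "$1" | LC_ALL=C sort -u
}

# Print directives present in both a VirtualHost config and an .htaccess:
# the duplication that made the rules fight each other.
rewrite_dupes() {
    t1="${TMPDIR:-/tmp}/rwdup1.$$"; t2="${TMPDIR:-/tmp}/rwdup2.$$"
    rewrite_directives "$1" > "$t1"
    rewrite_directives "$2" > "$t2"
    LC_ALL=C comm -12 "$t1" "$t2"
    rm -f "$t1" "$t2"
}

# Constructed samples: a vhost still carrying WordPress rules, a good
# .htaccess, and one with a CR pasted onto a line. Prints the directory.
make_samples() {
    d="${TMPDIR:-/tmp}/htlint.$$"; mkdir -p "$d"
    printf '%s\n' '<VirtualHost *:80>' '   RewriteEngine On' \
        '   RewriteCond %{REQUEST_FILENAME} !-f' \
        '   RewriteRule . /index.php [L]' '</VirtualHost>' > "$d/httpd.conf"
    printf '%s\n' 'RewriteEngine On' 'RewriteBase /' \
        'RewriteRule ^index\.php$ - [L]' \
        'RewriteCond %{REQUEST_FILENAME} !-f' \
        'RewriteCond %{REQUEST_FILENAME} !-d' \
        'RewriteRule . /index.php [L]' > "$d/clean.htaccess"
    printf 'RewriteEngine On\r\nRewriteBase /\n' > "$d/dirty.htaccess"
    printf '%s\n' "$d"
}

d=$(make_samples)
htaccess_is_clean "$d/dirty.htaccess" || echo "dirty.htaccess: control characters found"
echo "duplicated in httpd.conf and .htaccess:"; rewrite_dupes "$d/httpd.conf" "$d/clean.htaccess"
```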

September 3, 2017
by puhfu

Open source projects have the craziest names – Wazuh

Decided I was unhappy with the unsupported, very old school visualization OSSEC-WUI. It’s been unsupported for a while. There must be something new out there.

Lo and behold. Wazuh open source host and endpoint security

Great documentation:
Migrating OSSEC manager installed from packages
Install Wazuh server with RPM packages

In general, the step-by-step instructions are clear and explicit. I had to do some steps manually though.

1. Created the wazuh.repo repository file /etc/yum.repos.d/wazuh.repo

[wazuh_repo]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=CentOS-$releasever - Wazuh
baseurl=https://packages.wazuh.com/yum/el/$releasever/$basearch
protect=1

2. For NodeJS install, had to add ‘sudo’ in order for bash to run correctly

$ curl --silent --location https://rpm.nodesource.com/setup_6.x | sudo bash -

3. And I need Python 2.7. Python 2.6 is installed already for yum, but Wazuh wants 2.8.

$ yum install -y centos-release-scl
$ yum install -y python27

4. Also had to create the elastic.repo repository file /etc/yum.repos.d/elastic.repo

[elastic-5.x]
name=Elastic repository for 5.x packages
baseurl=https://artifacts.elastic.co/packages/5.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md

But uh oh. I can’t run elasticsearch. Not enough memory. Hm.

So far, I have installed:

wazuh-manager
wazuh-api
filebeat
elasticsearch

Hm. Maybe it’s time to admit that I’m overpaying for hosting with Rackspace – well, overpaying for what I need.

Time for another rabbit hole.

September 2, 2017
by puhfu

Idle hands are the devil’s workshop (Prov 16:27)

or How I spent the Saturday of Labor Day weekend.

Because it was so hot outside, I decided to do some server maintenance.

1. Used yum and the @ius repository to install Apache 2.4. I heard that 2.4 does memory management better.
2. Discovered that I broke something and WP would not load correctly (PHP module dependency)
3. Decided that the differences between 2.2 and 2.4 were not sufficient for me to spend time making 2.4 work
4. Uninstalled apache 2.4 using yum
5. Tried to install apache 2.2 using yum and watched it fail.
6. Learned yum clean all and how to find the name of a package yum list installed and remove the ones that didn’t get erased cleanly with the uninstall
7. Finally reinstalled apache 2.2
8. Installed PHP 7 because why not
9. Decided to add my instagram feed to the main X marks the spot page so mucked with my child theme and discovered that it is no longer supported (but I like it and I can read CSS so NBD I guess)
10. Discovered that my CSS is very rusty. Thank goodness for backups.
11. Decided to figure out my social media cross posting.

Twitter –> Facebook app –> Facebook post (set Only Me so that I don’t spam with my conference/HIT tweeting)
Instagram –> IFTTT –> Twitter
Instagram –> IFTTT –> Tumblr (I have a tumblr?)
Instagram –> WP widget –> WP
WP –> WP plugin –> Twitter (selective by post)
Twitter –> WP widget –> WP

I show my insta and twitter on the main WP page (right columns, see #9/10 above)
But I am old so I use FB instead of instagram. How do I get my Facebook to cross-post to WordPress? There are many WP plugins to do the opposite.

Facebook simple text post –> IFTTT –> WP post ** WORKS **
Facebook link post –> IFTTT –> WP photo post ** DOESN’T WORK **

Well, let me rephrase: cross posting FB link post to WP photo post works, but for some reason, the IFTTT applet runs multiple times, resulting in multiple WP posts.

Troubleshooting that will be left to another day.