X Marks the Spot

random commentary on life, the universe, and anything

April 21, 2020
by puhfu
0 comments

4/20 daily COVID19 reading log

I think it’s interesting to see the narrative changing now that we are progressively peaking in various states. It will also be interesting to follow the epidemiology as states reopen in staggered and varied fashion. In the absence of any significant widespread PCR testing or antibody serology testing, it is still throwing darts.

April 10, 2020
by puhfu
0 comments

4/10 daily COVID19 reading log

Busy last couple of days working on telehealth. Built up a backlog to plow through.

April 7, 2020
by puhfu
0 comments

4/7 daily COVID19 reading log

April 1, 2019
by puhfu
0 comments

Change is hard, but also good

Some personal news:

I am joining @cityofhope as #CMIO starting today.

Words can’t really describe how greatly I will miss my @HarborUCLA and @Harborpeds family (but I’ve never been short of them, so I’ll try). Harbor-UCLA Medical Center (née Harbor General Hospital) has been my professional home for over 25 years and is where I trained to be a #pediatrician, met my wife, became a #clinical informaticist, grew a #PHM program, implemented @Cerner #EHR, and had the wonderful opportunity to work with and learn from hundreds of residents and fellows. Thank you to all of my faculty colleagues for making it a place that I love. Thank you to #CMO @anishpmahajan #CEO Kim McKenzie #PedsChair Lynne Smith for providing me with the opportunity to do what I live to do. Thank you to the #CIOs (Mary Morgan, Sandy Mungovan, Katie Uyemura) and their awesomely talented IT teams for allowing me to incessantly ask/bother them in my quest to improve the #HealthIT user experience. Thank you to all of the amazingly! talented! pediatric and neonatal nurses without whom I never would have made it through residency, let alone 20 years as faculty. And of course, my biggest thanks to everyone with whom I had the genuine pleasure of working at Harbor-UCLA, in every department, in every location, in every shift. I couldn’t have done it without all of you.

A good friend said to me the other day, it’s not goodbye but see you later.

So, Harbor-UCLA, see you later.

I am excited to turn the page to the next chapter.

July 31, 2018
by puhfu
0 comments

Adding a subdomain to a LetsEncrypt certificate

So I needed to add a subdomain to an existing Let’s Encrypt certificate and, you know, finding instructions was far harder than actually doing it.

Sources:
Certbot User Guide
How can I add more subdomains to my SSL Certificate?

I tried this:

$ cd /etc
$ sudo ./certbot-auto
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: domain.com
2: sub2.domain.com
3: sub1.domain.com
4: domain2.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 2
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for sub2.domain.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. sub2.domain.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://sub2.domain.com/.well-known/acme-challenge/ 
"<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p"


Let’s Encrypt’s validation server got a 404 from sub2.domain.com for the challenge URL, so the proof of control was never served. That sent me down a rabbit hole learning about ACME challenges, where I ended up creating a new, separate certificate for sub2.domain.com instead of adding it to the original certificate, which was the goal.

$ sudo ./certbot-auto certonly --webroot -w /var/www/html/sub2 -d sub2.domain.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for sub2.domain.com
Using the webroot path /var/www/html/sub2 for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/sub2.domain.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/sub2.domain.com/privkey.pem
   Your cert will expire on 2018-10-29. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"


Finally, I stumbled on a Let’s Encrypt community forum page that allowed me to put it together.

$ sudo ./certbot-auto certonly --webroot -w /var/www/html --cert-name domain.com -d domain.com -d sub1.domain.com -d domain2.org -d sub2.domain.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You are updating certificate domain.com to include new domain(s):
+ sub2.domain.com

You are also removing previously included domain(s):
(None)

Did you intend to make this change?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(U)pdate cert/(C)ancel: u
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for domain.com
http-01 challenge for domain2.org
http-01 challenge for sub2.domain.com
http-01 challenge for sub1.domain.com
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/domain.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/domain.com/privkey.pem
   Your cert will expire on 2018-10-29. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"

The money command:

$ sudo ./certbot-auto certonly --webroot -w /var/www/html --cert-name domain.com -d domain.com -d sub1.domain.com -d domain2.org -d sub2.domain.com


Breaking it down:
certonly obtains (or, here, updates) the certificate without installing it; Apache keeps pointing at the files under /etc/letsencrypt/live/domain.com/ and only needs a reload to pick up the new one
--webroot uses the webroot plugin for http-01 authentication: certbot writes a token file under <webroot>/.well-known/acme-challenge/ and Let’s Encrypt fetches it over plain HTTP, so that path has to be reachable on port 80 for every name on the cert (the 404 on the challenge URL in the first attempt above is what that failure looks like)
-w (the same as --webroot-path) is the top-level directory served by the web server; it can be given more than once, and each -w applies to the -d names that follow it, so names served from different document roots (like /var/www/html/sub2 earlier) can share one cert
--cert-name names the existing certificate lineage to update, i.e. the directory under /etc/letsencrypt/live/ (for a single cert covering several domains, the primary domain); it is what makes this an update of the existing cert rather than a new, separate one like the sub2.domain.com cert created above
-d lists every name to include in the --cert-name cert, the full list and not just the new one, because any previously included name left off is removed (that is what the "You are also removing previously included domain(s)" prompt above is about)
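After an update like this, the check worth making is that the lineage really contains every name you meant to keep, since anything missing from the -d list is dropped. The script below is an added example, not part of the original post and not certbot’s own tooling: it reads the DNS entries of a PEM certificate’s subjectAltName with openssl and reports any expected name that is absent. The demo at the bottom runs on constructed, throwaway self-signed certificates so it works offline; on a real host you would point check_names at /etc/letsencrypt/live/domain.com/fullchain.pem (openssl x509 reads the first block of the file, which is the leaf). It needs openssl 1.1.1 or newer for the -ext and -addext options.

```shell
#!/bin/sh
# Added example, not from the original post: confirm that a certificate
# covers every DNS name it should. Requires openssl >= 1.1.1.
set -eu

# Print the DNS names in a PEM certificate's subjectAltName, one per line.
# With a fullchain.pem, openssl x509 reads the first block, i.e. the leaf.
cert_sans() {
  openssl x509 -in "$1" -noout -ext subjectAltName \
    | tr ',' '\n' \
    | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p' \
    | sort
}

# check_names CERT NAME... : print each expected NAME missing from CERT.
# Returns 0 when every name is present, 1 when at least one is missing.
check_names() {
  cn_cert=$1
  shift
  cn_have=$(cert_sans "$cn_cert")
  cn_missing=0
  for cn_name in "$@"; do
    if ! printf '%s\n' "$cn_have" | grep -qxF -- "$cn_name"; then
      echo "MISSING from $cn_cert: $cn_name"
      cn_missing=1
    fi
  done
  return "$cn_missing"
}

# Constructed test data (not a real Let's Encrypt cert): a one-day
# self-signed certificate whose SANs are the comma-separated names in $2.
make_sample_cert() {
  ms_out=$1
  ms_names=$2
  ms_sans=$(printf 'DNS:%s' "$ms_names" | sed 's/,/,DNS:/g')
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "${ms_out%.pem}.key" -out "$ms_out" \
    -subj "/CN=${ms_names%%,*}" \
    -addext "subjectAltName=$ms_sans" 2>/dev/null
}

# Demo: the lineage as it was before and after the --cert-name update.
demo() {
  d_tmp=$(mktemp -d)
  make_sample_cert "$d_tmp/before.pem" "domain.com,sub1.domain.com,domain2.org"
  make_sample_cert "$d_tmp/after.pem" "domain.com,sub1.domain.com,domain2.org,sub2.domain.com"
  echo "before update:"
  check_names "$d_tmp/before.pem" domain.com sub1.domain.com domain2.org sub2.domain.com || true
  echo "after update:"
  check_names "$d_tmp/after.pem" domain.com sub1.domain.com domain2.org sub2.domain.com \
    && echo "all names present"
  rm -rf "$d_tmp"
}
demo
```

Once Apache has been reloaded, the same check can be run against the certificate the server actually hands out rather than the file on disk, by saving it first with openssl s_client -connect sub2.domain.com:443 -servername sub2.domain.com </dev/null 2>/dev/null | openssl x509 > served.pem and passing served.pem to check_names; a mismatch there means the new files were written but the web server never picked them up.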

And added a renewal to the crontab. certbot renew reads the authenticator, webroot path and domain list it saved in /etc/letsencrypt/renewal/domain.com.conf, so no flags are needed:

$ sudo crontab -e


Then add:

30 2 * * * /usr/bin/certbot renew >> /var/log/le-renew.log

Two caveats on that line. It calls /usr/bin/certbot, so substitute the path of the certbot (or certbot-auto) you actually ran above. And because certonly never touches the web server, the renewed certificate sits on disk unserved until Apache reloads; certbot’s --deploy-hook option (for example --deploy-hook "systemctl reload apache2", or httpd on RHEL-family systems) runs a command only after a successful renewal, and appending 2>&1 sends error output to the same log so that a failed renewal is not silent.