Posts Tagged ‘how-to’

Installing Let’s Encrypt Free SSL/TLS Certificate in 2 Minutes with Certbot, Spending Hours Making it Work with Cloudflare

August 22nd, 2017 10 comments

I’ve been using an SSL certificate to the download subdomain of this blog running ownCloud for about 2 years, but recently my free StartSSL certificate expired, and I had troubles to renew it, and I also received an email from Google telling me that “Starting October 2017, Chrome (version 62) will show a “NOT SECURE” warning when users enter text in a form on an HTTP page, and for all HTTP pages in Incognito mode”.  So I decide to use free LetsEncrypt SSL/TLS certificates to replace the one in the download subdomain, as well as this main blog. Such SSL/TLS certificates are also very useful for the IoT gateways many of use have started using, and I found it’s even simpler than install a self-signed certificate, so there’s no reason to use those anymore.

The easiest way to install Let’s Encrypt certificate is by using Certbot with instructions for various web server or hosting platforms (nginx, apache, pleask, haproxy…) and BSD & Linux based operating systems. I’m using Ubuntu 14.04 trusty with nginx, so the instructions below are for this combination, and it took me around 2 to 3 minutes in my VPS to have the SSL/TLS certificate installed, and up and running.

Cerbot installation:

Certificate installation for nginx on subdomain:

Done! I could now go to with my freshly installed certificate. That’s it for the 2-minute installation procedure, but as with such quick and easy procedure, you can always add “wasting countless hours” steps to it, and that’s what I did, by first checking out the Qualys SSL Report as recommended in the output of the terminal above.

Grade C, not good. The certificate is mostly there to protect my login credentials, as I don’t have any important private data in that server, but let’s still try to improve this. The most critical issue is that the server is vulnerable to the POODLE attack, but luckily Nginx guys have a fix: disable SSLv3.

I just had to change a single line in the server block of the domain configuration file in /etc/nginx/sites-enabled directory to only allow for TLS connections:

I then reload the configuration with:

Ran the SSL report again, and I improved to Grade B. That was easy.

After Disabling SSLv3

The second problem is about “weak Diffle Hellman (DH) key exchange parameters”, but again there are solutions.

First I had to create a dhparams.pen files with the following command line:

then edit the domain configuration file in /etc/nginx/sites-enabled/ directory by adding the following in the server block:

After reloading nginx configuration, I had a grade A with no other problems to solve.

I checked two banking websites, and they got A-, two online shops (GearBest and GeekBuying), and they achieved Grade B, so when you share your credit card info, you are at risk, albeit likely a limited risk. Considering it’s so easy to fix some of the issues, they should do it, and I informed both companies.

Let’s Encrypt certificates expires just after 90 day, so you may want to setup automatic renewal. First check renewal works with a dry run:

If there are no errors, you can setup a cron or systemd job to run the following command regularly:

I then tried with some other domains, and I got a TLS handshake failure:

The reason was Cloudflare intercepting traffic, so I had to pause Cloudflare before running certbot, and installation went just fine, and I could use my website without any problem, until I resumed Cloudflare support, and got “too many redirects”. I started to look for solutions with come fairly complicated instructions for Certbot + Apache + Cloudflare. After a few hours trying to find a solution, I discovered my assumption that if I enable an SSL certificate on my side, I should just disable SSL in Cloudflare… Big mistake! After setting Cloudflare SSL to Full (Strict) it worked again, although I eventually just to set it to Full because Let’s Encrypt wildcard SSL certificate are not yet supported, but will be in January 2018.

So the TLS connection was working, but I tried a dry run to renew the certificate, and every domain managed through Cloudflare would fail… That’s when the “complicated instructions” above came handy… So I first installed Certbot Cloudflare plugin/add-on:

Created /etc/letscrypt/cloudflare.ini file with your email, and API key in Cloudflare (Global API Key)

and generated new certificates using that plugin:

This should overwrite the two files used for the certificates previously created with nginx option: /etc/letsencrypt/live/
& /etc/letsencrypt/live/  So normally, you don’t even need to change your nginx configuration after that, but if for some reasons the path has changed, you should edit your file in /etc/nginx/sites-enabled/ and updated the paths.

Finally, I tried the dry run to update the certificate and it worked, so I created a cron job to renew the certificates every month:

If your website is also designed to be compatible with https, then your job is done, if not, then you’ll have some work to do to remove all hardcoded http calls from your websites with the help of the developer console in web browsers such as Chrome or Firefox.

Fedora 26 Supports Single “Unified” OS Images for Multiple ARM Platforms

August 14th, 2017 29 comments

The decision to use device tree in Linux occurred several years ago, after Linus Torvalds complained that Linux on ARM was a mess, with the ultimate goal of providing a unified ARM kernel for all hardware. Most machine specific board files in arch/arm/mach-xxx/ are now gone from the Linux kernel, being replaced by device tree files, and in many case you simply need to replace the DTB (Device Tree Binary) file from an operating system to run on different hardware platforms. However, this is not always that easy as U-boot still often differ between boards / devices, so it’s quite frequent to distribute different firmware / OS images per board. Fedora has taken another approach, as the developers are instead distributing a single Fedora 26 OS ARMv7 image, together with an installation script.

Images for 64-bit ARM (Aarch64) are a little different since they are designed for SBSA compliant servers, so a single image will work on any server leveraging UEFI / ACPI implementation on the hardware. So what follows is specific to ARMv7 hard-float images as explained in the Wiki.

You’ll need to install Fedora Arm installer after downloading one of the Fedora 26 images. This requires an Fedora machine, and since I’m running Ubuntu 16.04, and don’t want to setup a Fedora virtual machine in Virtualbox, I used docker instead right inside Ubuntu as it’s much faster to do:

The last line requires some explanation. /media/hdd is the mount point of the storage device on the host where I download the Fedora image and that will be accessible through /mnt in docker, /dev/sdd is my micro SD card device, while /dev/sdd3 will be the rootfs partition.Note that it took me a while to get that right, and I’m not sure it works for all targets (other other /dev/sddx are also needed), so using an actual Fedora 26 installation would be easier. The rest of the instructions below are not specific to docker.

I could then install the Fedora ARM Installer and the required xz & file packages…

…and check the usage:

Let’s see how many boards are supported in /usr/share/doc/fedora-arm-installer/SUPPORTED-BOARDS file:

AllWinner Devices:
A10-OLinuXino-Lime A10s-OLinuXino-M A13-OLinuXino A13-OLinuXinoM
A20-OLinuXino-Lime A20-OLinuXino-Lime2 A20-OLinuXino_MICRO
A20-Olimex-SOM-EVB Ampe_A76 Auxtek-T003 Auxtek-T004 Bananapi Bananapro CHIP
CSQ_CS908 Chuwi_V7_CW0825 Colombus Cubieboard Cubieboard2 Cubietruck
Cubietruck_plus Hummingbird_A31 Hyundai_A7HD Itead_Ibox_A20 Lamobo_R1
Linksprite_pcDuino Linksprite_pcDuino3 Linksprite_pcDuino3_Nano MK808C
MSI_Primo73 MSI_Primo81 Marsboard_A10 Mele_A1000 Mele_A1000G_quad Mele_I7
Mele_M3 Mele_M5 Mele_M9 Mini-X Orangepi Orangepi_mini Sinlinx_SinA31s
UTOO_P66 Wexler_TAB7200 Wits_Pro_A20_DKT Yones_Toptech_BS1078_V2 ba10_tv_box
colorfly_e708_q1 difrnce_dit4350 dserve_dsrv9703c i12-tvbox iNet_86VS
icnova-a20-swac inet86dz jesurun_q5 mk802 mk802_a10s mk802ii orangepi_2
orangepi_lite orangepi_pc orangepi_plus polaroid_mid2809pxe04
pov_protab2_ips9 q8_a13_tablet q8_a23_tablet_800x480 q8_a33_tablet_1024x600
q8_a33_tablet_800x480 r7-tv-dongle sunxi_Gemei_G9

MX6 Devices:
cm_fx6 mx6cuboxi novena riotboard wandboard

OMAP Devices:
am335x_boneblack am57xx_evm kc1 omap3_beagle omap4_panda omap5_uevm

MVEBU Devices:

ST Devices:

Other Devices:
jetson-tk1 rpi2 rpi3 trimslice

So we’ve got a list of device to choose from. For example, if you wanted to install Fedora 26 server in a micro SD card for Raspberry Pi 3, you’d run something like:

You’ll then be ask to confirm:

The full process will take several minutes, and at the end you’ll get “_/” rootfs partition, “_/boot ” partition, and a “30 MB volume” with u-boot, config,etc…

I did not try the micro SD card in Raspberry Pi 3 board myself, because Geek Till It Hertz has already done it successfully on both RPi 3 and Banana Pi boards as shown in the video below.

He also showed the boards run Linux 4.11.8 version, but that can be upgraded with dnf update to Linux 4.11.11, just as on his Fedora 26 installation on a x86-64  computer.

ROCK64 Board Review – Part 2: Quick Start Guide with Ubuntu 16.04.3 MATE, Multimedia Features, Some Benchmarks

August 7th, 2017 15 comments

Pine64 ROCK64 is the first maker board based on Rockchip RK3328 processor, and is potentially interesting for various applications including network storage thanks to USB 3.0 and Gigabit Ethernet, multimedia applications with 4K HDR video support, as well as other applications requiring I/Os. I’ve already tested Rock64 board with Android 7.1 operating system, so today I’ll report by finding and experience with Ubuntu 16.04.3 with MATE desktop.

Selecting and Flashing a Linux Image

You’ll find several operating systems in the Wiki, but you’ll also find more cutting edge images in ayufan’s github. But first let me explain some vocabulary used for Pine64 firmware files:

  1. Engineering version – Becomes with release build based on the stock build develop by Pine64 and the SoC vendor. It’s supposed to be more stable, but get less updates
  2. Community versions (currently managed via ayufan) are more frequently updates, and comes with more recent features. You’ll find two categories
    1. Release builds – The current stable version released by the community
    2. Pre-release builds – Version under test to eventually become the release build

Currently, documentation is still work in progress for the board, so I spent some time on IRC #Rock64 chatting with the helpful community there, and I noticed most of them used the community builds. I’ve also been told there has not been that much work on the Desktop version right now, with most people focusing on NAS support with images such as Debian + OpenMediaVault. But since I wanted to test a desktop image I was recommended the Ubuntu Mate image, and download the pre-release 64-bit version: xenial-mate-rock64-0.4.17-85-arm64.img.xz.

If you’ve read the WIki, you’ll notice all those are “micro SD” images, so since I had a eMMC flash module, I was a little confused at the beginning, but since I have Hardkernel’s micro SD to  eMMC flash module adapter, installation was just the same as on a micro SD card with Etcher.

Top to Bottom: ROCK64’s 16GB eMMC flash Module, Hardkernel adapter, and micro SD card reader

But Pine64 does not sell such adapter, so how are you supposed to do with you bought an eMMC flash module? I’ve been explained you first need to flash a micro SD card with the image, and then interrupt the boot in u-boot (USB to TTL debug board required), remove the eMMC jumper, and continue the boot by typing “boot”. This has be to be done, or you won’t see the eMMC flash module, while booting from a micro SD card.

Now you can download, and flash the firmware to the eMMC flash module with curl:

Not the most user-friendly method, but it should work. If you don’t have a USB to TTL board, first you should really buy one, but for this specific case, you could remove the eMMC jumper about two seconds after applying power. In that case, your mileage may vary though… Pine64 is working on an easier method of installation to the eMMC flash module.

Rock64’s Ubuntu 16.04.3 MATE Boot, System Info, and Initial Setup

Since I want to get the boot log, I connected the USB to TTL board. There’s no dedicated UART connected on the board, so I download the GPIO pinout charts for Pi 2 Bus and Pi 5+ Bus from the Wiki, amd we’ll use it to test GPIOs later on.

Pi 2 Bus – Click to Enlarge


Pi 5+ Bus – Click to Enlarge

UART Tx and Rx can be found on respectively pin 8 and 10 of Pi 2 Bus header, so I connect the debug board accordingly, together with USB keyboard and mouse, a USB harddrive, Ethernet and HDMI cables.

Click to Enlarge

Finally I put the micro SD card into the board, applied powered, and after a few seconds, I got to the Ubuntu MATE desktop. however, I only got ribberish in the serial console, which was set to 115,200 8N1, the most common settings “in the universive”. There’s currently no info about serial console setting in the Wiki, but a web search lead me to the right settings: 1,500,000 8N1, which apparently is the default in Rockchip SDK.

This high bitrate may cause troubles with some serial adapter, but after changing minicom settings accordingly, I had no trouble with the serial console. That’s the complete boot log after a reboot:

We can now login with rock64/rock64 credentials in the desktop or the serial console:

I checkout some infor about CPU, storage, memory usage, and Linux & Ubuntu versions:

I have the 1GB version of the board, and the firmware is based on the latest Ubuntu 16.04.3 LTS release with a fairly recent Linux 4.4.70 kernel. However, we can see that with just 4.8GB capacity the rootfs partition has not been automatically resized during the first boot. So let’s run the relevant script, and check again:

All good, as we now have a 14GB rootfs partition. It’s worth noting the other scripts in /usr/local/sbin too:

Modules and GPIOs on Rock64

The next step was to check pre-loaded modules and GPIOs:

Only uas and usb_storage modules are loaded, which shows people are truly focusing on the NAS part right now, or some other drivers are directly built-into the kernel. GPIOs need to be exported manually, and a quick search lead me to that forum post (again no info in the Wiki right now).

You need to convert the gpio pin name as shown in the pinout diagram (e.g. GPIO3_A5) into a raw number using a formula combining bank number (3), pad name (A) and pad number (5). marcushh777, who is also a helpful member on IRC, wrote a Python script to do just that, and you may want to create that script in /usr/local/sbin/

The file is also on Github so you could use wget or curl instead:

We can now run the script with the GPIO we want to use…

… switch to root, then use sysfs to export the gpio number and set the direction, and switch the GPIO to high and low levels:

I connected a 5V LED to GPIO3_A5 pin via a transistor and could turn it on and off with the last two commands above.

Eventually, a PDF document will be uploaded to the Wiki, but it does not appear to be ready yet. I was unable to find info to use I2C or SPI at this stage.

GPU (OpenGL ES) and VPU (Video Decoding) Testing

GPU and VPU support are often problems in Linux on ARM, and while I had low expectation, I still tried those by installing the usual OpenGL ES demo to test Mali GPU support:

I ran es2info first, and Mali-450MP GPU support is indeed enabled:

That command ended in a segfault however. Not too reassuring.

So I ran es2gears demo, but could not take a screenshot, as all screenshots were black with only the mouse pointer showing up, so instead I some photos, and it works, but the transparent window is unlikely to be normal.

Performance does not appear to be optimal right now however with just around 35 fps.
glmark2-es2 demo started well too…

Click to Enlarge

… but some features are not supported (maybe normal), and it crashed at the end as shown in full log below: