Shurn the Awesomer
Build yourself a Comprehensive Business Suite with Odoo


Written on Fri, 30 December 2016

Odoo is an impressive Business Suite that contains a large number of enterprise management tools. The best part of Odoo is that most of the features are free. There are only a few paid features, which would be very useful if you are managing more than 50 employees in your company. Of course, it is up to your use case to decide whether the enterprise features are useful. In this tutorial, I'll show you how to set up your own Odoo 10 Community Edition, which you can freely use if you are running a small company with very few employees.


Setup Odoo 10


Installing Odoo 10 on Ubuntu 16.04 is easy. Much of this tutorial is taken from the documentation. Feel free to review the documentation when in doubt.

Keep Ubuntu updated with the latest packages

apt-get update && apt-get -y dist-upgrade && reboot


Reboot your server to ensure everything is loaded with the latest packages.

Let's start with adding the repository for Odoo 10, then installing it.

wget -O - https://nightly.odoo.com/odoo.key | apt-key add -
echo "deb http://nightly.odoo.com/10.0/nightly/deb/ ./" >> /etc/apt/sources.list
apt-get update && apt-get install -y odoo

The configuration can be found in /etc/odoo/odoo.conf

nano /etc/odoo/odoo.conf


If you wish to set things to default, just leave the file as it is.


Running Odoo on port 80


If you're like me, you don't like to type the port number in the URL. And my server is running just 1 application. So why not use port 80?

nano /etc/rc.local


Add the following before the exit 0 line.

iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8069
iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8070
iptables-save


Then reboot the server.

reboot

Browse to the server with your preferred browser, such as http://localhost if you have set up the port redirect, or http://localhost:8069 if you left it as default. From here on, it's straightforward to install modules and applications for your company's needs. More information is available in Odoo's user guide.



If you're a developer looking to develop for Odoo 10, I recommend reading Odoo 10 Development Essentials. Companies that hire Odoo developers are usually looking to streamline their business to be more efficient. Many big companies will want to do that to reduce operational cost.

Creating a Hybrid Data Centre with OpenVPN


Written on Mon, 19 December 2016

Setting up a hybrid data centre comprising an on-premise data centre and a cloud data centre isn't a difficult task. You do, however, need some knowledge of networking before you proceed with this tutorial. In this tutorial, I'll be focusing on AWS as the cloud provider.

Having a hybrid data centre is like having the best of both worlds, but do take note that you will also have the worst of both worlds.

Advantages
  • Data compliance - If you have compliance requirements to meet, having data stored on-premise will certainly help, especially if it's critical data and infrastructure.
  • Cost Savings On-premise - This is only true in certain use cases. A typical server rack can cost USD10 000 and potentially beyond. But if properly virtualised and containerised, you could run more than 100 virtual machines. Let's take an m4.large instance from AWS running Ubuntu. It will take you 10 years to reach your Return On Investment (ROI) for having an on-premise server. But if you're running 2 m4.large instances, that's going to be a 5 year ROI for the on-premise server. The math goes on. After all, a typical server rack lasts for 5 years.
  • Cost Savings Cloud - This is also only true in certain use cases. Let's say you only need a server for a short period of time: you could just spin up an AWS instance for that period and pay for that time only. This is only good if you don't have enough on-premise resources and don't intend to procure servers for just 1 purpose. It is a good strategy to launch cloud resources until the procurement of a physical server is justified. That way, you don't need to plan ahead, and just procure equipment whenever the cost is justified.
  • Agility - Having a cloud provider gives you the agility to have a server instance within seconds. Procurement of server racks takes days, and in some cases weeks or months if you have multiple levels of company management approval to obtain.
  • Ease of Management - You don't need expertise to manage the cloud data centre on top of your on-premise data centre; the cloud provider takes care of that.
  • Innovation Leverage - Whenever the cloud provider innovates their product, you can take advantage of the innovation as well. AWS was innovating at an average of 3 innovations per day in 2016. This rate of innovation is seriously unheard of.
  • Reliability - A data centre like AWS typically has more backup systems in place than a typical SME. For instance, they would have multiple backup generators that can ensure service continuity in the event of prolonged blackouts, while you would most likely have 1 backup battery that only lasts 20 minutes. AWS also has Availability Zones (AZ), each with independent internet connections and power supply. It's simply an isolated data centre per zone. If you build your application to run across multiple AZs, you will have greater reliability. Compared to your on-premise data centre, which is likely just one physical location, having multiple data centres increases reliability.
Disadvantages
  • HR Cost - You still need manpower to manage your on-premise data centre. If you're managing many physical servers, then it makes financial sense. Otherwise, you are better off running your applications in the cloud, where the expertise is already in place to maintain the physical servers.
  • Configuration Nightmare - If the network is not properly set up, you are going to have a nightmare trying to get your applications to communicate. In some cases, this is going to cost your business.

Preparing AWS


Let's prepare the cloud data centre to a specific configuration. If you need a different configuration, you may deviate from this tutorial. But if you're just starting out, I recommend that you follow through this tutorial before setting up your own network configuration.

The network configuration is done in such a way that there is a public subnet and a private subnet per Availability Zone (AZ). I assume that you do not want some applications to have a public address, so a private subnet is suitable for those applications. I'm using the Northern Virginia Region with 4 AZs, which means I will have a total of 8 subnets. I'm only entitled to Zones A/C/D/E, so my tutorial will feature these zones. The AZs available to you might be different, so adjust the commands accordingly as you follow along. You will also need different subnets if you are using AWS features like Aurora, which requires at least 3 different AZs to work.

Create the VPC


I've created a VPC named MyAwesomeVPC with the network of 10.0.0.0/16.

Create the Subnets


Let's create the 8 subnets to use. I usually name my subnets properly, such as [Name-Zone-PublicOrPrivate]. If you ever scale your data centre, a good name will help ease administration.

Here's my list of subnets created:

  • Subnet0-ZoneA-Public
    • 10.0.0.0/24
  • Subnet1-ZoneA-Private
    • 10.0.1.0/24
  • Subnet2-ZoneC-Public
    • 10.0.2.0/24
  • Subnet3-ZoneC-Private
    • 10.0.3.0/24
  • Subnet4-ZoneD-Public
    • 10.0.4.0/24
  • Subnet5-ZoneD-Private
    • 10.0.5.0/24
  • Subnet6-ZoneE-Public
    • 10.0.6.0/24
  • Subnet7-ZoneE-Private
    • 10.0.7.0/24

Now that we are done creating all the subnets in their respective AZs, let's proceed.

Creating Internet Gateway


The internet gateway allows instances created in the subnets to have internet access. Let's create an internet gateway and attach it to our VPC.

Creating Route Tables


Route tables allow proper network routing within the VPC. We will need 2 routing tables, one that has internet access and the other that doesn't.

In the first routing table, we make a public one named MyAwesomeVPC-Public and associate the subnets to it:

  • Subnet0-ZoneA-Public
  • Subnet2-ZoneC-Public
  • Subnet4-ZoneD-Public
  • Subnet6-ZoneE-Public


Now, under routes, let's add the internet gateway we created before. The destination is 0.0.0.0/0, which means all IP addresses. The Internet Gateway ID starts with igw-.

The second routing table will be a private one named MyAwesomeVPC-Private. These are the subnets to associate with it:

  • Subnet1-ZoneA-Private
  • Subnet3-ZoneC-Private
  • Subnet5-ZoneD-Private
  • Subnet7-ZoneE-Private


We don't add the internet gateway because these subnets will not have internet access.

We are done for now. We will be back here after we set up a VPN server.

Setting up OpenVPN server


We are going to set up an OpenVPN server on Ubuntu 16.04. In most cases, a t2.nano instance is enough. Upgrade the instance type if you find yourself hitting your CPU credit limit regularly. You will only be installing the server software; no traffic data is stored on it, so the default 8GB disk is more than sufficient.

The only ports required for the OpenVPN server are 22 for SSH and TCP/UDP port 1194. If you are certain that your VPN clients will only use either TCP or UDP, you can allow just that one accordingly. For this tutorial, let's enable both. It's not a major security hole at this point in time anyway.

Don't forget to assign an Elastic IP to ensure your IP doesn't change for any reason.

All Linux/Ubuntu commands are run as the root account. If you're not running as root, be sure to add sudo before every command.

sudo su

Update the Ubuntu software to the latest version and reboot the instance.

apt-get update && apt-get -y dist-upgrade && reboot

Install the OpenVPN server and its related software.

apt-get install openvpn easy-rsa

Certificate Authority


Set up a Certificate Authority (CA) directory.

make-cadir ~/openvpn-ca

Configure the CA values

cd ~/openvpn-ca
nano vars

Search for the following and edit the values accordingly. You can also leave them at their defaults.

export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
export KEY_OU="MyOrganizationalUnit"


Do not close this file yet. Search for the next configuration:

export KEY_NAME="EasyRSA"


Change it to:

export KEY_NAME="server"


Now save and close the file.

Source the vars file:

source vars


You should see this once completed:

NOTE: If you run ./clean-all, I will be doing a rm -rf on /root/openvpn-ca/keys

Time to clean up:

./clean-all

Now build root CA:

./build-ca


Just hit enter as it prompts you for input. The defaults offered should be the same values you typed into the vars file.

Now generate the server certificate, key, and encryption files.

./build-key-server server


You can leave most of the input as default. When you are asked to sign the certificate and commit, choose y.

Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y

Let's generate strong Diffie-Hellman parameters to use during key exchange by typing:

./build-dh


This may take some time, so grab a cup of tea.

Generate the HMAC key used by tls-auth to sign the TLS control channel.

openvpn --genkey --secret keys/ta.key

Generating Clients


Now let's generate client keys. You can repeat this step as many times as you need for the number of clients you have. I recommend generating a few more than what you have. Each time you generate new clients, you need to restart the OpenVPN server for the new clients to take effect, which can be disruptive to existing connections. If you are generating more than 1 client, be sure to use unique names.

cd ~/openvpn-ca
source vars
./build-key client1


You can leave the inputs as default. Leave the password empty so that the client can connect without interaction. Sign the certificate and commit with 'y'.

Configuring OpenVPN


Now we configure OpenVPN with the files we have generated. Copy them to /etc/openvpn:

cd ~/openvpn-ca/keys
cp ca.crt ca.key server.crt server.key ta.key dh2048.pem /etc/openvpn

Get the sample OpenVPN configuration file into configuration directory so that we can use it as a basis for our setup:

gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | sudo tee /etc/openvpn/server.conf

Configure the OpenVPN server file we have just unzipped:

nano /etc/openvpn/server.conf


I personally prefer TCP instead of UDP, so find and set the following:

proto tcp


For administrative purposes, I prefer to keep the OpenVPN client subnet number equal to the host subnet + 1. Since our VPC is running on 10.0.0.0/16, I want my clients to be on subnet 10.1.0.0/16. You can leave this as default if you prefer.

server 10.1.0.0 255.255.0.0


In my setup, I allow the clients to communicate with each other. If your setup disallows it, leave this configuration commented out.

client-to-client


Let's ensure all traffic to 10.0.0.0/8 is routed through the VPN. Otherwise, a connection that cannot reach other hosts in the VPC is not very productive in our use case.

push "route 10.0.0.0 255.0.0.0"


Uncomment the following, and add the additional configuration if it doesn't exist:

tls-auth ta.key 0 # This file is secret
key-direction 0


Uncomment the following cipher:

cipher AES-128-CBC


Add the following just below the cipher you just uncommented:

auth SHA256


Now uncomment the following:

user nobody
group nogroup


You are done with OpenVPN configuration. Save the file and close it.

Networking Configuration


Let's adjust some networking configurations to ensure network traffic is properly forwarded.

nano /etc/sysctl.conf


Uncomment the following:

net.ipv4.ip_forward=1


Save the file and do the following command to read the new settings:

sysctl -p

Firewall and NAT configurations


I assume that your public network interface is eth0. You will need to edit your /etc/ufw/before.rules file to add in relevant configurations.

nano /etc/ufw/before.rules


Now add the following lines at the top of the file. It is important that these lines are added before the rest of the existing rules.

# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from the OpenVPN client subnet (10.1.0.0/16, as set in server.conf) out through eth0
-A POSTROUTING -s 10.1.0.0/16 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES

Save the file and close. Now we edit /etc/default/ufw.

nano /etc/default/ufw


Find this line:

DEFAULT_FORWARD_POLICY="DROP"


Change it to:

DEFAULT_FORWARD_POLICY="ACCEPT"

Save the file and close. Now open the relevant ports in the firewall.

ufw allow 1194/udp
ufw allow 1194/tcp
ufw allow OpenSSH

Let's restart the firewall.

ufw disable && ufw enable

Start OpenVPN Server


Let's start OpenVPN server.

systemctl start openvpn@server

You can check the status of the server with:

systemctl status openvpn@server


You can also check the IP of the tunnel interface with:

ip addr show tun0

If you're satisfied with all the configuration you've done, proceed to enable OpenVPN to autostart during boot.

systemctl enable openvpn@server

Configure VPC Routing


Now that we have created the OpenVPN server, we must update the VPC route tables to route traffic to 10.1.0.0/16 properly. You must do this for both MyAwesomeVPC-Public and MyAwesomeVPC-Private. You will need the network interface ID of the OpenVPN EC2 instance. The network interface ID starts with eni-.

Then under each VPC Route Table, add a route for 10.1.0.0/16 with the network interface ID as the target, on both the public and private tables.

Now, your VPC EC2 instances will be able to communicate with your clients.
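The VPC layout from the Preparing AWS section, together with the 10.1.0.0/16 route added in this section, as an AWS CLI script. This is an added example and not part of the original post; it assumes the aws CLI is installed and configured for the N. Virginia region, uses the zone letters and 10.0.x.0/24 numbering from the post, and route_vpn_clients takes the OpenVPN instance's ID and eni- ID as arguments.

```shell
#!/bin/sh
# Added example (not from the original post): build MyAwesomeVPC with the AWS CLI.
set -eu

VPC_NAME=MyAwesomeVPC
VPC_CIDR=10.0.0.0/16
REGION=us-east-1
ZONES="a c d e"   # the post uses zones A/C/D/E; adjust to what your account offers

# CIDR of subnet number N under the 10.0.N.0/24 scheme used in the post.
subnet_cidr() { printf '10.0.%s.0/24\n' "$1"; }

# Name of subnet number N in zone Z: even numbers are public, odd ones private.
subnet_name() {   # usage: subnet_name N ZONE_LETTER
    zone=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    if [ $(( $1 % 2 )) -eq 0 ]; then kind=Public; else kind=Private; fi
    printf 'Subnet%s-Zone%s-%s\n' "$1" "$zone" "$kind"
}

# Tag a resource with a Name, the way the console does.
tag_name() { aws ec2 create-tags --region "$REGION" --resources "$1" --tags "Key=Name,Value=$2"; }

# VPC, internet gateway, two route tables and eight subnets, exactly as listed in the post.
create_vpc_layout() {
    vpc=$(aws ec2 create-vpc --region "$REGION" --cidr-block "$VPC_CIDR" --query Vpc.VpcId --output text)
    tag_name "$vpc" "$VPC_NAME"
    igw=$(aws ec2 create-internet-gateway --region "$REGION" --query InternetGateway.InternetGatewayId --output text)
    aws ec2 attach-internet-gateway --region "$REGION" --internet-gateway-id "$igw" --vpc-id "$vpc"

    # Only the public table gets the 0.0.0.0/0 route via the internet gateway.
    rt_public=$(aws ec2 create-route-table --region "$REGION" --vpc-id "$vpc" --query RouteTable.RouteTableId --output text)
    rt_private=$(aws ec2 create-route-table --region "$REGION" --vpc-id "$vpc" --query RouteTable.RouteTableId --output text)
    tag_name "$rt_public" "$VPC_NAME-Public"
    tag_name "$rt_private" "$VPC_NAME-Private"
    aws ec2 create-route --region "$REGION" --route-table-id "$rt_public" --destination-cidr-block 0.0.0.0/0 --gateway-id "$igw"

    n=0
    for z in $ZONES; do
        for kind in public private; do
            subnet=$(aws ec2 create-subnet --region "$REGION" --vpc-id "$vpc" --cidr-block "$(subnet_cidr $n)" \
                     --availability-zone "$REGION$z" --query Subnet.SubnetId --output text)
            tag_name "$subnet" "$(subnet_name $n $z)"
            if [ "$kind" = public ]; then rt=$rt_public; else rt=$rt_private; fi
            aws ec2 associate-route-table --region "$REGION" --subnet-id "$subnet" --route-table-id "$rt" >/dev/null
            n=$((n + 1))
        done
    done
    printf 'vpc=%s igw=%s public_rt=%s private_rt=%s\n' "$vpc" "$igw" "$rt_public" "$rt_private"
}

# "Configure VPC Routing" step: send 10.1.0.0/16 to the OpenVPN instance's
# network interface from both route tables. The instance must also have
# source/destination checking disabled, otherwise EC2 drops packets that are
# not addressed to the interface's own IP and the return traffic never arrives.
route_vpn_clients() {   # usage: route_vpn_clients ENI_ID INSTANCE_ID RT_PUBLIC RT_PRIVATE
    aws ec2 modify-instance-attribute --region "$REGION" --instance-id "$2" --no-source-dest-check
    for rt in "$3" "$4"; do
        aws ec2 create-route --region "$REGION" --route-table-id "$rt" \
            --destination-cidr-block 10.1.0.0/16 --network-interface-id "$1"
    done
}
```

Run create_vpc_layout first, then route_vpn_clients with the IDs it prints once the OpenVPN instance exists.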

Configure OpenVPN clients


So now that we have set up the server, let's make sure the client works too. First of all, we need to get the client files we generated on the server. If you have followed this tutorial closely, the files you need should be located at:

  • ~/openvpn-ca/keys/client1.key
  • ~/openvpn-ca/keys/ta.key
  • ~/openvpn-ca/keys/client1.crt
  • ~/openvpn-ca/keys/ca.crt


Download them with any software that lets you download from the server. Personally I use FileZilla to download via SFTP.

I'm using Windows, so if you're using another OS, adjust accordingly. There are guides for OSX, Ubuntu, Android, and iOS.

Download and install Windows Client


Download the OpenVPN client. I recommend getting the 64-bit build, because it's the future, and my tutorial will be based on 64-bit. Use the latest stable version, unless you know what you're doing.

The installation will be very straightforward. Leave the installation folder as default, which is C:\Program Files\OpenVPN. Agree to the terms and conditions, which simply say: if anything screws up, don't blame OpenVPN. But so far, OpenVPN is running smoothly for me and many others on the planet. So you should be fine too.

Client Configurations


Your OpenVPN should be installed in C:\Program Files\OpenVPN. Go to C:\Program Files\OpenVPN\config and create a folder called keys. Remember the 4 files you downloaded from OpenVPN server? Move client1.key, ta.key, client1.crt, and ca.crt to C:\Program Files\OpenVPN\config\keys.

Now go back to C:\Program Files\OpenVPN\config and create a file called MyAwesomeVPN.ovpn. Paste the following, but replace the server IP address with yours:

client
resolv-retry 20
keepalive 10 60
nobind
mute-replay-warnings
ns-cert-type server
comp-lzo
max-routes 500
verb 1
persist-key
persist-tun
dev tun
proto tcp
port 1194
cipher AES-128-CBC
auth SHA256
key-direction 1
cert keys/client1.crt
key keys/client1.key
ca keys/ca.crt
tls-auth keys/ta.key
remote 12.34.56.78 1194 # This is your server IP address and port
#redirect-gateway def1 # Only enable this if you want to route all traffic through OpenVPN server
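A consistency check for the server.conf edits from the Configuring OpenVPN section and the client .ovpn above: the two files must agree on proto, cipher and auth, the client must reference ta.key, and key-direction must be 0 on the server and 1 on the client. This is an added example and not from the original post; the conf_get/check/audit_* helpers and the sample files it constructs are mine.

```shell
#!/bin/sh
# Added example, not from the original post: audit an OpenVPN server.conf and
# client .ovpn against the settings chosen in this tutorial.

# Effective value of DIRECTIVE in FILE: skips lines commented out with # or ;,
# strips a trailing comment and surrounding whitespace; the first match wins.
conf_get() {   # usage: conf_get FILE DIRECTIVE
    grep -E "^[[:space:]]*$2([[:space:]]|\$)" "$1" \
        | sed -e 's/[#;].*$//' -e "s/^[[:space:]]*$2[[:space:]]*//" -e 's/[[:space:]]*$//' \
        | head -n 1
}

# Print one verdict; returns 1 on mismatch so the callers can count failures.
check() {      # usage: check LABEL ACTUAL EXPECTED
    if [ "$2" = "$3" ]; then
        printf 'OK    %-22s %s\n' "$1" "$2"
    else
        printf 'FAIL  %-22s got "%s", expected "%s"\n' "$1" "$2" "$3"
        return 1
    fi
}

# Server-side settings from the "Configuring OpenVPN" section. Returns the number of failures.
audit_server() {   # usage: audit_server SERVER_CONF
    f=$1; n=0
    check "proto"          "$(conf_get "$f" proto)"         "tcp"                  || n=$((n + 1))
    check "server subnet"  "$(conf_get "$f" server)"        "10.1.0.0 255.255.0.0" || n=$((n + 1))
    check "tls-auth"       "$(conf_get "$f" tls-auth)"      "ta.key 0"             || n=$((n + 1))
    check "key-direction"  "$(conf_get "$f" key-direction)" "0"                    || n=$((n + 1))
    check "cipher"         "$(conf_get "$f" cipher)"        "AES-128-CBC"          || n=$((n + 1))
    check "auth"           "$(conf_get "$f" auth)"          "SHA256"               || n=$((n + 1))
    check "drop to user"   "$(conf_get "$f" user)"          "nobody"               || n=$((n + 1))
    check "drop to group"  "$(conf_get "$f" group)"         "nogroup"              || n=$((n + 1))
    return $n
}

# Client/server agreement: transport, cipher and HMAC must match, the client
# must reference ta.key, and key-direction must be 1 on the client when the
# server uses 0; otherwise the tls-auth HMAC check rejects the handshake
# before any TLS exchange happens.
audit_pair() {     # usage: audit_pair SERVER_CONF CLIENT_OVPN
    s=$1; c=$2; n=0
    for d in proto cipher auth; do
        check "$d matches" "$(conf_get "$c" "$d")" "$(conf_get "$s" "$d")" || n=$((n + 1))
    done
    check "client key-direction" "$(conf_get "$c" key-direction)" "1" || n=$((n + 1))
    ta=$(conf_get "$c" tls-auth)
    check "client tls-auth set" "${ta:+yes}" "yes" || n=$((n + 1))
    return $n
}

# Constructed sample pair for a self-test: the server still has user/group
# commented out and the client uses UDP, so each audit reports a failure.
write_samples() {  # usage: write_samples SERVER_OUT CLIENT_OUT
    cat > "$1" <<'EOF'
port 1194
proto tcp
;proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh2048.pem
server 10.1.0.0 255.255.0.0
push "route 10.0.0.0 255.0.0.0"
client-to-client
tls-auth ta.key 0 # This file is secret
key-direction 0
cipher AES-128-CBC
auth SHA256
;user nobody
;group nogroup
EOF
    cat > "$2" <<'EOF'
client
dev tun
proto udp
cipher AES-128-CBC
auth SHA256
key-direction 1
cert keys/client1.crt
key keys/client1.key
ca keys/ca.crt
tls-auth keys/ta.key
remote 12.34.56.78 1194 # This is your server IP address and port
EOF
}

# Audit real files when both paths are given on the command line.
if [ "$#" -eq 2 ]; then audit_server "$1"; audit_pair "$1" "$2"; fi
```

Run it as `sh audit.sh /etc/openvpn/server.conf MyAwesomeVPN.ovpn` (with the .ovpn copied over from the Windows machine) to see the FAIL lines before you try to connect.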

Now, when you right-click the OpenVPN taskbar icon, you will see that you have MyAwesomeVPN to connect to. Connect and make sure it works.

That's it! Now you have a data centre in the cloud that works like your own data centre. You access your server instances like normal Local Area Network (LAN) IP addresses. But wait, didn't we talk about a hybrid data centre where you connect your on-premise data centre to your cloud data centre? Fret not, the steps for setting that up are very similar to what you did for the Windows client. In most cases, you need extra hardware. Proceed to the further reading for more information.

Further Reading

OpenWRT


OpenWRT has the advantage that it will probably work on your existing router, or maybe an old router you have lying around. Check their list of supported hardware before proceeding. An important word of caution: if done improperly, it might brick your router.

Check out the Linksys WRT3200ACM. It is the best router available on the market that is made specifically for OpenWRT and other open source router firmware. It features MU-MIMO for simultaneous Wi-Fi connections, dual-band 2.4GHz and 5GHz Wi-Fi, a 1.8GHz processor for heavy encrypting/decrypting of OpenVPN packets, and 512MB of RAM for you to run other applications such as Tor, anti-virus scans, etc.

If you're not willing to go through the hassle of OpenWRT installation, you can get preinstalled routers such as the GL-AR150 from GL Technologies. Very convenient and small, which makes it easy to install right next to your network point. It is powered only by USB, so if your router has a powered USB port, it will just work from there. Just note that it only has 64MB of RAM and a 400MHz processor, which means it is only capable of limited OpenVPN encrypting and decrypting. If you expect heavy traffic between the on-premise and cloud data centres, you might want to look at the Linksys WRT3200ACM or even a dedicated machine running Untangle or pfSense.

Untangle


Untangle has an impressive number of network applications designed to do more than just OpenVPN. It has web content filtering, anti-spam, anti-virus, anti-phishing, anti-spyware, intrusion prevention, firewall, bandwidth management, web cache, and many others. The management console for OpenVPN allows you to easily manage OpenVPN clients. OpenVPN in Untangle acts as both a client and a server at the same time. While you connect your Untangle to your cloud data centre, you can also have other clients connect to Untangle. This is by far the simplest free and open source OpenVPN solution I've ever tried.

If you have old hardware lying around, you can probably use it already. The only thing your machine might be missing is an additional network port. If your computer was manufactured in the last 5 years, it will probably run well with enough CPU power and RAM to do all your OpenVPN needs and more. Check out their hardware requirements for more information.

Alternatively, you could just get pre-installed Untangle firewall hardware from JLTCtech. It will easily support about 25 devices in your network with modest OpenVPN traffic usage.

PfSense


pfSense is a firewall suite with very low hardware requirements. It is capable of supporting very old hardware while still maintaining many of the available features. Like Untangle, it supports an impressive number of network applications. However, as with Untangle, OpenVPN still requires good computational power to encrypt/decrypt packets. It's just how encryption and decryption work.

If you have old hardware lying around, you can probably use it already. The only thing your machine might be missing is an additional network port. As pfSense has very, very low requirements, any computer manufactured in the last 10 years will probably run well with enough CPU power and RAM for your OpenVPN needs and more. Check out their hardware requirements for more information.

Alternatively, you could just get pre-installed pfSense firewall hardware. This device will easily support about 50 devices with modest OpenVPN traffic usage.

Conclusion


OpenVPN is a very powerful tool you can use to establish remote connections to work virtually in the office. While setup may be a little complicated, it is usually a one-time event. Add the fact that there are applications like Untangle that drastically simplify your setup, and this is easily the best VPN solution around.

Creating a Classroom Suite with Moodle and BigBlueButton


Written on Sat, 10 December 2016

Moodle is quite a feature-rich Learning Management System. If you're like me and wish to install Moodle on your own server, here's a guide to show you how. Afterwards, I'll even show you how to install BigBlueButton to get it to work with Moodle. Combine an LMS with a web conferencing tool and you get a full online classroom suite. What more power can you get from that?

In this tutorial, I'll be using Ubuntu 16.04 for Moodle and Ubuntu 14.04 for BigBlueButton. It is most unfortunate that the latest stable version of BigBlueButton won't work on the latest Ubuntu LTS. Although BigBlueButton 1.1 will support 16.04, there is no official news on its release date.

Installing Moodle


As usual, log into the root account for ease of command line typing. If not, you will have to prefix every other command with sudo.

sudo su

Update your Ubuntu Machine to the latest version.

apt-get update
apt-get -y dist-upgrade

Install Prerequisites

apt-get -y install postgresql postgresql-contrib apache2 php libapache2-mod-php php7.0-pgsql php7.0-xml php7.0-curl php7.0-zip php7.0-gd php7.0-mbstring php7.0-xmlrpc php7.0-soap php7.0-intl

Installing Postgres


This step is optional if you are using RDS. I highly recommend using RDS for database as you can take advantage of RDS features.

Set the password by logging in as user postgres and entering the postgres terminal:

su - postgres
psql
\password postgres


Prepare a database and a user for Moodle:

CREATE USER moodleuser WITH PASSWORD 'yourpassword';
CREATE DATABASE moodle WITH OWNER moodleuser;


List the databases to ensure you have created it properly:

\l


Now exit the postgres terminal:

\q


And log out of the postgres user:

exit

Installing Moodle


Git clone the Moodle application:

cd /var/www
rm html/index.html
git clone --depth=1 -b MOODLE_32_STABLE git://git.moodle.org/moodle.git html
chmod -R 0775 html
find html -type f -exec chmod 0664 {} \;

You must create a secure Moodle data directory. This directory will be used to store data related to your Moodle installation. It must not be reachable from the public internet. If your computer is a shared terminal, please consult your administrator to see which permissions are most suitable.

mkdir moodledata
chmod 775 moodledata

Now browse to your Moodle installation in your web browser. You will be asked to select your language. Proceed with your preferred language. I prefer English and the tutorial will be in English.

You will then need to confirm that the paths on your server are accurate, most importantly the Moodle data directory. If you have followed the tutorial, the path will be /var/www/moodledata.

Choose your database. If you have followed the tutorial so far, you would choose PostgreSQL.

Enter the configuration for your PostgreSQL. If you have followed the tutorial so far, your host will be localhost. If you have used RDS instead, you will have to use the details provided by RDS.

Finally, the general configurations for Moodle.

When you are done with the installation, Moodle may not be able to write to the directory, so you might need to create config.php yourself. Create the file and paste the code provided at the end of the installation.

nano html/config.php

Setting up cron job


Setting up a cron job for Moodle is important for it to function normally.

crontab -u www-data -e

Add the following line:

*/1 * * * * /usr/bin/php /var/www/html/admin/cli/cron.php >/dev/null


The cron job will now run every minute.

Setting up clamav


You should never trust anybody on the internet. That's why you need to install ClamAV on the server and scan every file that is uploaded.

apt-get install clamav


To update the virus definitions, run this:

freshclam


You can also use a cron job to update the virus definitions automatically.

crontab -e


Add the following for hourly updates. Change the update rate if this is too much for you.

0 * * * * freshclam


In Moodle, enable the antivirus plugin under Site Administration > Plugins > Antivirus Plugin > Manage antivirus plugins. Then set up the configurations under ClamAV antivirus page.

That's it for Moodle. If you are interested in having online classrooms, proceed to the next part of the tutorial.

Installing BigBlueButton 1.0


So far I have not been able to get a working BigBlueButton installation on any EC2 instance with less than 4GB of RAM. So the minimum requirement is a t2.medium instance.

Update Ubuntu libraries to the latest and reboot.

apt-get update && apt-get -y dist-upgrade && reboot

In order for your Ubuntu to be supported until April 2019, you need to update the kernel to the Xenial release.

apt-get install --install-recommends linux-generic-lts-xenial && reboot

Now, you may wish to remove any unused package remaining in your Ubuntu.

apt-get autoremove

Ensure that multiverse is enabled in your sources list. Otherwise, enable it.

grep "multiverse" /etc/apt/sources.list


To enable it, use this command:

echo "deb http://us.archive.ubuntu.com/ubuntu/ trusty multiverse" | sudo tee -a /etc/apt/sources.list


Do another update and dist-upgrade if you have added the multiverse.

apt-get update && apt-get -y dist-upgrade && reboot

Installing the latest libreoffice


You cannot use the default LibreOffice from the repository as it is not stable. You will need LibreOffice 4.4 or above. As of writing, the latest version is 5.2.

apt-get install software-properties-common
add-apt-repository ppa:libreoffice/libreoffice-5-2


You will also need ECDSA keys in the audio connection between the browser and FreeSWITCH server.

add-apt-repository -y ppa:ondrej/php

FFMPEG installation


For reasons beyond the scope of this tutorial, FFMPEG is not available in Ubuntu 14.04, so you have to compile it on your own.
Create a file called install-ffmpeg.sh and add the following code to the file.

#!/bin/sh
# install-ffmpeg.sh: build FFmpeg 2.3.3 from source and register it with
# checkinstall so that apt knows about the package.
set -e

sudo apt-get install -y build-essential git-core checkinstall yasm texi2html libvorbis-dev libx11-dev libvpx-dev libxfixes-dev zlib1g-dev pkg-config netcat libncurses5-dev

FFMPEG_VERSION=2.3.3

cd /usr/local/src
# Download and unpack only if this version has not been fetched before
if [ ! -d "/usr/local/src/ffmpeg-${FFMPEG_VERSION}" ]; then
    sudo wget "http://ffmpeg.org/releases/ffmpeg-${FFMPEG_VERSION}.tar.bz2"
    sudo tar -xjf "ffmpeg-${FFMPEG_VERSION}.tar.bz2"
fi

cd "ffmpeg-${FFMPEG_VERSION}"
sudo ./configure --enable-version3 --enable-postproc --enable-libvorbis --enable-libvpx
sudo make
# The "5:" epoch makes this package version sort above the distribution's ffmpeg
sudo checkinstall --pkgname=ffmpeg --pkgversion="5:${FFMPEG_VERSION}" --backup=no --deldoc=yes --default

Now run the compilation script.

chmod +x install-ffmpeg.sh
./install-ffmpeg.sh

Run the following to ensure FFMPEG is installed at version 2.3.3:

ffmpeg -version

Actual BigBlueButton installation


It's time to install BigBlueButton by adding the package repository.

wget http://ubuntu.bigbluebutton.org/bigbluebutton.asc -O- | sudo apt-key add -
echo "deb http://ubuntu.bigbluebutton.org/trusty-1-0/ bigbluebutton-trusty main" | sudo tee /etc/apt/sources.list.d/bigbluebutton.list
sudo apt-get update
apt-get install bigbluebutton


This will take some time, so grab a coffee and relax while the installation progresses.

Optional API demo


If you would like to, you can install a demo API to test that your installation is working.

apt-get install bbb-demo


This demo installation is exactly the same as the official demo server.
Once you are done testing, you should remove it:

apt-get purge bbb-demo

Optional hostname setup


If you are hosting your setup on the internet, you will likely need to use your hostname instead of an IP address. Run the following command with your hostname:

bbb-conf --setip yourhostname.tld

That's it! You have a working BigBlueButton server for any form of conferencing. I assume that you installed BigBlueButton because you wanted to have online classrooms with Moodle, right? Proceed on to integrate Moodle and BigBlueButton.

Getting Moodle to work with BigBlueButton


You will need to download the Moodle plugin for the two applications to work together.

Install the Moodle plugin under Site Administration > Plugins > Install plugins. Select the file you have downloaded and upload it to the site with the "Install plugin from the ZIP file" button. Follow the instructions and you will eventually be at the configuration page for the BigBlueButton setup.

You need to enter the URL at which to connect to BigBlueButton. For the shared secret, go to your BigBlueButton server and type the following command:

bbb-conf --secret


Then copy and paste the shared secret into the Moodle configuration. You may leave the rest of the configuration at its defaults, or configure as you desire.

Congratulations. You are now able to run Moodle classrooms with BigBlueButton.

High Availability Storage with iSCSI


Written on Thu, 3 November 2016

If you have built storage devices, you know that hardware will eventually fail you one day. This is no exception when it comes to cloud storage. Although I recommend using AWS S3, you might have occasions where you just need to use iSCSI for data storage in the cloud and still need the ability to grow storage. Here's a tutorial for that.

You can perform this tutorial on-premise too. You just need to replace the cloud related devices to your physical ones.

I followed many tutorials from many different sites that I could no longer keep track. So here's a thank you to Google for helping me search through the sea of wonderous content to make this tutorial possible. There was very few tutorial on this subject on Ubuntu, let alone Ubuntu 16.04. Most of the tutorials I run across is based on Centos. But fear not, I have overcomed the dragons and I present you this tutorial on Ubuntu 16.04.

Disclaimer: I didn't actually build this on AWS yet. I used virtual machines on my XenServer. Once I have tried it on AWS, I'll update this tutorial and remove this disclaimer.


By the end of this tutorial, you will have:
  • 2 EC2 instances for File Storage with 500GB each, excluding the disk for the OS

What you need
  • Amazon Web Service account
    • Some knowledge of administering the AWS console
  • Basic Linux administration experience
  • Some networking knowledge

Preparations


We are going to prepare the materials for the following tutorial.

Setting up a Security Group for the File Server

First, we create a security group for your file server. Configure it according to your use case.

  • Name: Fileserver for Webserver
    • Description: Fileserver
    • Inbound Port: 22
      • Source: Anywhere
    • Inbound Port: 3260
      • Source: Custom - Select the Webserver security group you created previously
    • Inbound Port: 7788
      • Source: Custom - Select the Security Group: Fileserver. This is tricky. You need to create this Group without this rule first, then edit it and add this rule.
    • Inbound Port: 7789
      • Source: Custom - Select the Security Group: Fileserver. This is tricky. You need to create this Group without this rule first, then edit it and add this rule.

Setting up your File Storage


We set up 2 EC2 instances here, in 2 different availability zones, for high availability.

Step 1: Choose AMI
When launching a new instance, choose Ubuntu 16.04.

Step 2: Choose Instance Type
Instance type: t2.nano (Choose the type that suits your production environment)

Step 3: Configure Instance
Here's where you ensure High Availability. You need to set up your instances such that they exist in different availability zones, so that if 1 zone goes bad, the other zone serves as backup. For now, launch 1 instance in ZoneA. Later, you need to repeat all the steps here for ZoneB.

Step 4: Add Storage
Here's the important part of the tutorial. The AMI you selected uses 8GiB to run. In most cases, this is more than enough to run the OS and the application you want to use. By the end of the tutorial, you will still have about 6GiB to play around with.

Next, let's add another volume to the instance and give it 500GiB, or more if your production environment needs it. This will be the volume for web hosting. For the volume type, choose the one that suits your production environment. For tutorial purposes, "Cold HDD (SC1)" is good enough.
Volume Type: Cold HDD (SC1)
Size: 500GiB

Step 5: Tag Instance
Configure the tags you need. I recommend that you name the instance as FS1 for your first instance, and FS2 for your second instance.

Step 6: Configure Security Group
Use the security group you made, Fileserver.

Step 7: Review Instance Launch
Have a final check on the settings and configuration. If everything is good, go ahead and launch the instance. It will take about 5 minutes.

Set up the second file server instance by repeating the steps above. Be sure to launch it in ZoneB for HA and give it a different name so that you can tell the two apart easily.


Configuring infinite storage for your file servers

Know your instances' private IP addresses and hostnames. You will need them later for the configuration. Look into the EC2 details in the AWS console and find the private IP and private DNS. They should look like:

  • FS1
    • IP Address: 10.0.0.2
    • ip-10-0-0-2.ec2.internal
  • FS2
    • IP Address: 10.0.0.3
    • ip-10-0-0-3.ec2.internal


Your IP addresses will differ from mine. Another important thing: your VPC must be able to resolve DNS hostnames. Enable it in the AWS console if it isn't; otherwise the hostnames cannot be resolved on the file servers we are about to configure.

Let's make sure your file server has the latest patches:

apt-get update
apt-get -y dist-upgrade
apt-get -y autoremove

After an update, it's usually a good idea to give your instance a reboot.

reboot

Look for your attached hard disk of 500GiB.

parted -l



It should look something like this if you've followed the previous steps.

So our hard disk is /dev/xvdb. We are going to let LVM manage this disk.

pvcreate /dev/xvdb

Next, we are going to create a volume group called "infinitestoreVG" on the hard disk.

vgcreate infinitestoreVG /dev/xvdb

We can't use all 500GiB because LVM keeps some space for itself. 0.1GiB ain't significant when you can infinitely add storage anyway. So for the LUN, we will use 499.9GiB.

lvcreate -n infinitestoreLV -L 499.9g infinitestoreVG


Let's look at your Logical Volumes.

lvdisplay



Configuring DRBD


This section of the tutorial involves both nodes. All commands are executed on both nodes.

We need to install drbd8-utils, pacemaker, corosync and tgt. We will also use ntp for accurate time sync.

apt-get install -y drbd8-utils pacemaker corosync ntp tgt

Prevent the DRBD init script from being launched automatically at startup; the cluster will manage DRBD instead.

update-rc.d -f drbd remove

We need to configure the hosts file.

nano /etc/hosts


Ensure that the entry looks like this:

10.0.0.2 ip-10-0-0-2.ec2.internal ip-10-0-0-2
10.0.0.3 ip-10-0-0-3.ec2.internal ip-10-0-0-3


Your IP and DNS will likely be different, so use yours.

Edit drbd configuration and define the resource.

nano /etc/drbd.d/iscsi.res


Add the following to the file.

resource iscsi {
on ip-10-0-0-2 {
device /dev/drbd0;
disk /dev/infinitestoreVG/infinitestoreLV;
address 10.0.0.2:7788;
meta-disk internal;
}

on ip-10-0-0-3 {
device /dev/drbd0;
disk /dev/infinitestoreVG/infinitestoreLV;
address 10.0.0.3:7788;
meta-disk internal;
}
}


Be sure to replace the hostname and the ip address to match yours.

Initialize the meta-data disk on both servers.

drbdadm create-md iscsi
drbdadm up iscsi


If these commands ask whether to destroy existing data, just reply yes. It's a new disk anyway.

Now restart drbd service

service drbd restart


Preparing DRBD for iSCSI target


In this section of the tutorial, all commands are specific to each node and will be indicated.

We will use node1 as the primary for the DRBD device that will contain the iSCSI configuration files, and initiate the first full sync from it.

[node1] drbdadm -- --overwrite-data-of-peer primary iscsi

Check the progress of sync with:

[node1] cat /proc/drbd


Pacemaker and Corosync Configuration

Generate a key for the cluster to communicate with each other. Be prepared for tired fingers.

[node1] corosync-keygen


Then copy [node1]/etc/corosync/authkey to the other node, via SFTP or other means, as [node2]/etc/corosync/authkey. Ensure it has the right permissions on both nodes.

chmod 644 /etc/corosync/authkey

Now we are going to tell Corosync about the cluster we are making, on both nodes. In AWS, broadcast is disabled, so we must specify the member nodes manually. We will also have to use UDPU as the transport protocol.

We open up /etc/corosync/corosync.conf on both nodes.

nano /etc/corosync/corosync.conf


If there is anything already in the file, leave it at its defaults. Your bindnetaddr is the network address, not the node address. Your totem configuration should look something like this:

totem {
version: 2
secauth: off
interface {
member {
memberaddr: 10.0.0.2
}
member {
memberaddr: 10.0.0.3
}
ringnumber: 0
bindnetaddr: 10.0.0.0
mcastport: 5405
ttl: 1
}
transport: udpu
}


Now append the following to the file.

service {
name: pacemaker
ver: 1
}


Save this file and proceed.

Open /etc/default/corosync on both nodes.

nano /etc/default/corosync


Now set this configuration. If it does not exist, just append it to the file.

START=yes

If your DRBD sync is complete, this is a good time to reboot for all the settings to take effect. Otherwise, just wait a bit until the sync finishes.

cat /proc/drbd
reboot
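
Before rebooting or promoting a node, you want to be certain the DRBD resync has actually finished. The following is an added example, not part of the original post: POSIX shell helpers that parse /proc/drbd-style output (both status samples below are constructed in the DRBD 8.4 format) and report whether the resource is safe to proceed with.

```shell
#!/bin/sh
# Added example (not from the original post): decide from /proc/drbd whether
# the DRBD resource is fully synced. Both status files are constructed samples
# in the DRBD 8.4 /proc/drbd format; on a real node, point the helpers at /proc/drbd.

SYNCING="$(mktemp)"
cat > "$SYNCING" <<'EOF'
version: 8.4.5 (api:1/proto:86-101)
 0: cs:SyncSource ro:Primary/Secondary ds:UpToDate/Inconsistent C r-----
    ns:1105920 nr:0 dw:0 dr:1106784 al:0 bm:67 lo:0 pe:0 ua:0 ap:0 ep:1 wo:f oos:523198396
    [>....................] sync'ed:  0.3% (510932/511996)M
    finish: 1:24:13 speed: 103,464 (103,464) K/sec
EOF

READY="$(mktemp)"
cat > "$READY" <<'EOF'
version: 8.4.5 (api:1/proto:86-101)
 0: cs:Connected ro:Primary/Secondary ds:UpToDate/UpToDate C r-----
    ns:524285928 nr:0 dw:0 dr:524286792 al:0 bm:0 lo:0 pe:0 ua:0 ap:0 ep:1 wo:f oos:0
EOF

# Print "cs:<state> ro:<roles> ds:<disk states> <sync% or done>" for the
# first resource line found in the status file.
drbd_summary() {
    awk '/^ *[0-9]+: cs:/ { cs = $2; ro = $3; ds = $4 }
         /sync.ed:/       { pct = $3 }
         END { printf "%s %s %s %s\n", cs, ro, ds, (pct == "" ? "done" : pct) }' "$1"
}

# Succeed only when both peers are connected and both disks are UpToDate,
# i.e. no resync is in flight; anything else is not safe to reboot or promote.
drbd_ready() {
    set -- $(drbd_summary "$1")
    [ "$1" = "cs:Connected" ] && [ "$3" = "ds:UpToDate/UpToDate" ]
}

# Poll a status file up to $2 times, one second apart, until drbd_ready succeeds.
wait_for_drbd_sync() {
    n=0
    while [ "$n" -lt "$2" ]; do
        drbd_ready "$1" && return 0
        echo "still syncing: $(drbd_summary "$1")"
        n=$((n + 1))
        sleep 1
    done
    return 1
}

drbd_summary "$SYNCING"   # cs:SyncSource ro:Primary/Secondary ds:UpToDate/Inconsistent 0.3%
drbd_summary "$READY"     # cs:Connected ro:Primary/Secondary ds:UpToDate/UpToDate done
```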

Now let's see Cluster Resource Management (CRM) in action.

crm_mon


You should see that a connection has been established. If it's still attempting to connect, something has gone wrong. Restart the tutorial.

We configure the CRM on node 1.

[node1] crm configure


These are the configuration commands you need to type:

[node1] primitive p_drbd_iscsi ocf:linbit:drbd params drbd_resource="iscsi"
[node1] primitive p_target_iscsi ocf:heartbeat:iSCSITarget params implementation="tgt" iqn="iqn.2016-10.me.shurn:disk.0" tid="1" additional_parameters="DefaultTime2Retain=60 DefaultTime2Wait=5" op monitor interval="10"
[node1] primitive p_lu_iscsi_lun1 ocf:heartbeat:iSCSILogicalUnit params lun="1" path="/dev/drbd0" target_iqn="iqn.2016-10.me.shurn:disk.0" op monitor interval="10"
[node1] primitive p_ip ocf:heartbeat:IPaddr2 params ip="10.0.0.4" cidr_netmask="16" nic="eth0"
[node1] ms ms_drbd_iscsi p_drbd_iscsi meta notify="true" master-max="1" master-node-max="1" clone-max="2" clone-node-max="1"
[node1] order o_drbd_before_target inf: ms_drbd_iscsi:promote p_target_iscsi:start
[node1] order o_target_before_lun inf: p_target_iscsi:start p_lu_iscsi_lun1:start
[node1] order o_drbd_before_ip inf: ms_drbd_iscsi:promote p_ip:start
[node1] colocation c_drbd_with_target inf: p_target_iscsi ms_drbd_iscsi:Master
[node1] colocation c_drbd_with_lun inf: p_lu_iscsi_lun1 ms_drbd_iscsi:Master
[node1] colocation c_drbd_with_ip inf: p_ip ms_drbd_iscsi:Master
[node1] property stonith-enabled=false
[node1] property no-quorum-policy=ignore
[node1] commit
[node1] exit


Verify that the changes you have made are in effect:

crm status


You are done

If you are building an application that wants HA iSCSI instead of standalone iSCSI, such as XenServer and VDI, you now have peace of mind.

Installing Zimbra with Docker

Written on Tue, 11 October 2016

Installing Zimbra on your own can be quite a daunting task even for experienced administrators. Fortunately, with Docker, the process is much simpler. On top of that, you will also get Let's Encrypt certificates running on your mail server.

The following tutorial is based on Zimbra Community Docker, zextras' docker page, Certbot Installation and Zimbra's letsencrypt installation.

Step 1: Getting Docker


It goes without saying that you must get docker. Check out my tutorial for more information.

Step 2: Getting the docker image


We will be using the image from zextras, specifically its 8.7.0 version.

docker pull zextras/zimbra8:8.7.0

Step 3: Launch the image


There will be some configuration you need to do.

According to zextras instructions:

  • EXTERNALDNS: Provide your upstream DNS server for resolutions other than the container itself. You can modify configuration later by adding config lines to dnsmasq configuration (/etc/dnsmasq.conf). Default value is 8.8.8.8.
  • MAILBOXD_DEBUG: If set to "yes", copies the zmmailboxdmgr.unrestricted executable over zmmailboxdmgr and applies some magic options (Default value is "no").
  • PASSWORD: no need to go deeper, huh? :-P
  • TIMEZONE: The timezone of the container and the principal domain of Zimbra. It must be specified according to Zimbra timezones. Default Value: "Etc/UTC"

A hostname is required. Make sure the DNS MX entry at your DNS provider points to the IP of the machine you are installing on. Your hostname should be something like mail.domain.tld. Be sure to replace this with your own hostname.

There will also be many ports to forward. Here's what the command looks like:

docker run -d \
  -p 25:25 -p 80:80 -p 465:465 -p 587:587 \
  -p 110:110 -p 143:143 -p 993:993 -p 995:995 \
  -p 443:443 -p 8080:8080 -p 8443:8443 -p 7071:7071 -p 9071:9071 \
  -h mail.domain.tld \
  -v ${your-authorized_keys}:/root/.ssh/authorized_keys \
  -e TIMEZONE="Asia/Singapore" \
  -e PASSWORD="SUPERSECRETPASSWORD" \
  -e MAILBOXD_DEBUG="no" \
  zextras/zimbra8:8.7.0


This command will take about 5 minutes to complete, depending on your hardware. Have a drink while you wait.

Browse to your domain, https://mail.domain.tld, to see if it's working. If your browser reports the site as insecure, that's due to the self-signed certificate. Proceed to the next step once you see this.

Step 4: Get Letsencrypt Certificate


We are going to install letsencrypt into the container itself. Let's list the containers so that we can attach to ours.

docker ps


You will see a lot of detail because of the number of ports we forwarded. Look for the container ID, which will look like 250a24730351. Let's attach to this container:

docker exec -it 250a24730351 /bin/bash


Now switch to the zimbra user.

su zimbra


Stop these 2 services.

zmproxyctl stop
zmmailboxdctl stop


Exit back to the root user.

exit


We need to get certbot, which will issue us certificates.

cd /root
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto


We must run the certbot script once so that it installs all its dependencies; otherwise issuing certificates won't work.

./certbot-auto


Select yes if it prompts you to install additional packages.

Let's get certbot to issue us a cert.

./certbot-auto certonly


When it prompts you how you would like to authenticate, select "Spin up a temporary server (standalone)". Then enter your email so that letsencrypt can contact you for lost key recovery and other urgent notices. Agree to the terms and conditions. Enter the hostname of your server, like mail.domain.tld. Your certificate will be stored in /etc/letsencrypt/live/mail.domain.tld/fullchain.pem.

I highly recommend backing up your certs at this point.

Step 5: Installing the cert in Zimbra


Now we need a proper chain, the intermediate CA plus the root CA, in chain.pem. Open up the chain.pem file.

nano /etc/letsencrypt/live/mail.domain.tld/chain.pem


Append the root CA certificate that completes the chain, in PEM form, right after the existing text. Do not remove the existing text.


Create a folder that Zimbra will read the certs from.

mkdir /opt/zimbra/ssl/letsencrypt


Then we link everything in /etc/letsencrypt/live/mail.domain.tld/ into the new folder and set permissions so that zimbra can read the files.

ln -s /etc/letsencrypt/live/mail.domain.tld/cert.pem /opt/zimbra/ssl/letsencrypt/cert.pem
ln -s /etc/letsencrypt/live/mail.domain.tld/chain.pem /opt/zimbra/ssl/letsencrypt/chain.pem
ln -s /etc/letsencrypt/live/mail.domain.tld/fullchain.pem /opt/zimbra/ssl/letsencrypt/fullchain.pem
ln -s /etc/letsencrypt/live/mail.domain.tld/privkey.pem /opt/zimbra/ssl/letsencrypt/privkey.pem
chmod 777 -R /etc/letsencrypt/live
chmod 777 -R /etc/letsencrypt/archive


Let's log in as zimbra and verify the certs:

su zimbra
cd /opt/zimbra/ssl/letsencrypt
/opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem
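
The verifycrt step only tells you whether Zimbra is happy; it helps to see for yourself why chain.pem has to end at the root. The following is an added example, not part of the original post or of Zimbra: it builds a throw-away root/intermediate/leaf hierarchy with openssl (all subjects, file names and the temporary directory are constructed) and shows that a chain.pem holding only the intermediate fails verification, while the same file with the root appended, as the tutorial does, passes, and that the private key matches the certificate.

```shell
#!/bin/sh
# Added example (not from the original post or Zimbra): reproduce, with a
# throw-away PKI, why the tutorial appends the root CA to certbot's chain.pem.
# Subjects, file names and the temporary directory are all constructed here.
set -u
WORK="$(mktemp -d)"
cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext

# Generate: self-signed root -> intermediate CA -> server (leaf) certificate.
# Files mirror certbot's layout: cert.pem, privkey.pem, chain.pem (intermediate only).
make_demo_pki() {
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Root CA' \
        -keyout root.key -out root.csr 2>/dev/null
    openssl x509 -req -days 1 -in root.csr -signkey root.key -extfile ca.ext \
        -out root.pem 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Intermediate CA' \
        -keyout int.key -out int.csr 2>/dev/null
    openssl x509 -req -days 1 -in int.csr -CA root.pem -CAkey root.key \
        -CAcreateserial -extfile ca.ext -out int.pem 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=mail.domain.tld' \
        -keyout privkey.pem -out cert.csr 2>/dev/null
    openssl x509 -req -days 1 -in cert.csr -CA int.pem -CAkey int.key \
        -CAcreateserial -out cert.pem 2>/dev/null
    cp int.pem chain.pem
}

# The two things zmcertmgr verifycrt checks, done with plain openssl:
# 1) the private key belongs to the certificate (identical public key);
key_matches_cert() {   # $1 = privkey.pem  $2 = cert.pem
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)" ]
}
# 2) the chain file leads from the certificate all the way up to a self-signed
#    root. openssl verify refuses to stop at an intermediate, which is why the
#    tutorial wants the root CA inside chain.pem as well.
chain_is_complete() {  # $1 = cert.pem  $2 = chain.pem
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Walk through the tutorial's situation; return 0 only if every step behaves.
demo() {
    make_demo_pki || return 1
    key_matches_cert privkey.pem cert.pem || return 1
    # certbot's chain.pem (intermediate only) must NOT verify ...
    chain_is_complete cert.pem chain.pem && return 1
    # ... until the root CA is appended, exactly as the tutorial does.
    cat root.pem >> chain.pem
    chain_is_complete cert.pem chain.pem
}

demo && echo "chain.pem is complete after appending the root CA"
```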


Once you see that the certs are valid, we need to link the private key into the commercial path.

exit
ln -s /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key


Now, it's time to deploy!

su zimbra
/opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem


Restart Zimbra, then browse to your site over https to see your achievement!

zmcontrol restart

Congratulations! You have a working mail server with a certificate from Let's Encrypt.

Renewing Cert


So the time has come to renew the certificate. Because specific steps are needed to renew the cert, we cannot use certbot's automated renewal. Here's how to renew the certificate if you have followed the tutorial.

Switch to the zimbra user.

su zimbra


Stop these 2 services.

zmproxyctl stop
zmmailboxdctl stop

Exit back to the root user and renew the certificate.

exit
cd /root
./certbot-auto renew

We must append the CA to the chain again, because the renewal process removed it.

nano /etc/letsencrypt/live/mail.domain.tld/chain.pem


Append the root CA certificate that completes the chain, in PEM form, right after the existing text. Do not remove the existing text.

Verify that the certificate works (as the zimbra user again):

su zimbra
cd /opt/zimbra/ssl/letsencrypt
/opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem

Then deploy and restart zimbra services.

/opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem
zmcontrol restart

That's it! Now you have another 3 months of certificate validity.

Multiple SSL Certificates per domain each


It is quite common to have multiple domains on a Zimbra server. After all, it's cost-efficient and network-efficient to consolidate domains into 1 server. I assume you have already generated your other certificates following the instructions above, and you have already restarted Zimbra, but you did not install the certificate.

  • Domain: myawesomedomain.com
  • Mail Server Domain: mail.myawesomedomain.com

Add the virtual host name.

su zimbra
zmprov md myawesomedomain.com zimbraVirtualHostName mail.myawesomedomain.com zimbraVirtualIPAddress 1.2.3.4
exit


Make sure you use your own IP address. If you are behind a firewall or NAT, use your public address instead of your local address.

We must append the CA to the chain.

nano /etc/letsencrypt/live/mail.myawesomedomain.com/chain.pem


Append the root CA certificate that completes the chain, in PEM form, right after the existing text. Do not remove the existing text.

Let's verify that the certificate works, from the directory that holds this domain's certificate files:

su zimbra
cd /etc/letsencrypt/live/mail.myawesomedomain.com
/opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem

We need to merge the certificate and the chain into a single file.

cat cert.pem chain.pem > myawesomedomain.com.bundle

Now we save the certificate to LDAP.

/opt/zimbra/libexec/zmdomaincertmgr savecrt myawesomedomain.com myawesomedomain.com.bundle privkey.pem


The syntax for this command is:

/opt/zimbra/libexec/zmdomaincertmgr savecrt <domain> <certificate-bundle> <private-key>

Now we deploy the certificates.

/opt/zimbra/libexec/zmdomaincertmgr deploycrts

Let's ensure SNI is enabled in all proxies.

zmprov mcf zimbraReverseProxySNIEnabled TRUE


If you are using other proxies, make sure all of them have SNI enabled.

Restart Proxy.

zmproxyctl restart

That's it! You can now browse to the domain and see your work. Repeat these steps as many times as you have domains.
