git pull
git checkout --orphan tmp-main
git add -A
git commit -m 'Initial commit'
git branch -D main
git branch -m main
git push -f origin main
git branch --set-upstream-to=origin/main main
git gc --aggressive --prune=all
git fetch --all
git reset --hard origin/main
/var/www/mysite.net. Needless to say, Apache must be configured to support SSL, so at the very minimum do a2enmod ssl. Added bonus since you're at it: do a2enmod headers so you can add MIME and XSS protection later. Make sure to only enable strong TLS ciphers (notice: this will break compatibility with some older browsers) by making sure these lines appear in /etc/apache2/mods-available/ssl.conf:
SSLCipherSuite TLS_AES_256_GCM_SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
SSLCompression off
SSLHonorCipherOrder on
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
SSLSessionTickets off
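A quick way to confirm that a server's ssl.conf still carries the settings listed above. This is an added example, not part of the original post; the function names, the allowed-suite variable and the sample configuration are made up for the illustration.

```bash
# Added example (not the page's code). Assumes one SSLCipherSuite line without a protocol specifier.
ALLOWED="TLS_AES_256_GCM_SHA384 DHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256 DHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256"
# Constructed sample with deliberate deviations; not taken from a real server.
SAMPLE_CONF='# SSLCompression off
SSLCipherSuite TLS_AES_256_GCM_SHA384:ECDHE-RSA-AES256-GCM-SHA384:DES-CBC3-SHA
SSLCompression on
SSLHonorCipherOrder on
SSLProtocol all -SSLv3
SSLUseStapling on'

directive() {  # $1 = config text, $2 = directive name; prints its last uncommented value
  printf '%s\n' "$1" | awk -v d="$2" '
    tolower($1) == tolower(d) { $1 = ""; sub(/^ /, ""); v = $0 }
    END { print v }'
}

weak_protocols() {  # $1 = SSLProtocol value; prints legacy protocols left enabled
  local out="" p
  for p in SSLv3 TLSv1 TLSv1.1; do
    case " $1 " in
      *" -$p "*) ;;                                   # explicitly disabled
      *" all "*|*" +$p "*|*" $p "*) out="$out $p" ;;  # enabled by "all" or by name
    esac
  done
  printf '%s' "${out# }"
}

extra_ciphers() {  # $1 = SSLCipherSuite value; prints suites that are not in ALLOWED
  local out="" c
  for c in $(printf '%s' "$1" | tr ':' ' '); do
    case " $ALLOWED " in *" $c "*) ;; *) out="$out $c" ;; esac
  done
  printf '%s' "${out# }"
}

audit_ssl_conf() {  # $1 = config text; prints one finding per line, nothing if clean
  local d v x
  for d in SSLCompression:off SSLSessionTickets:off SSLHonorCipherOrder:on SSLUseStapling:on; do
    v=$(directive "$1" "${d%%:*}" | tr 'A-Z' 'a-z')
    [ "$v" = "${d##*:}" ] || echo "${d%%:*}: want ${d##*:}, got '${v:-unset}'"
  done
  v=$(directive "$1" SSLProtocol)
  x=$(weak_protocols "${v:-all -SSLv3}")  # unset: Apache 2.4.17+ default
  [ -z "$x" ] || echo "SSLProtocol: legacy protocols enabled: $x"
  x=$(extra_ciphers "$(directive "$1" SSLCipherSuite)")
  [ -z "$x" ] || echo "SSLCipherSuite: not on the allowed list: $x"
}

audit_ssl_conf "$SAMPLE_CONF"
```

To check the live file, run audit_ssl_conf "$(cat /etc/apache2/mods-available/ssl.conf)"; no output means every listed directive matches.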
/etc/ssl/letsencrypt/mysite.net. Finally, make sure that the Apache website entry in /etc/apache2/sites-available/mysite.net.conf has HTTPS enabled and correctly points to the two (not yet created) files key.pem and cert.pem.
<VirtualHost 1.2.3.4:80>
ServerAdmin admin@mysite.net
ServerName www.mysite.net
ServerAlias mysite.net *.mysite.net
# Redirect permanent / https://mysite.net/
DocumentRoot /var/www/mysite.net
<Directory />
Order Deny,Allow
Options -Indexes
AllowOverride None
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
Header set X-XSS-Protection "1; mode=block"
Header always append X-Frame-Options DENY
Header set X-Content-Type-Options nosniff
</VirtualHost>
<VirtualHost 1.2.3.4:443>
ServerAdmin admin@mysite.net
ServerName www.mysite.net
ServerAlias mysite.net *.mysite.net
DocumentRoot /var/www/mysite.net
# SSLEngine on
# SSLCertificateKeyFile /etc/ssl/letsencrypt/mysite.net/key.pem
# SSLCertificateFile /etc/ssl/letsencrypt/mysite.net/fullchain.pem
# <If "%{HTTP_HOST} == 'www.mysite.net'">
# Redirect permanent / https://mysite.net/
# </If>
<Directory />
Order Deny,Allow
Options -Indexes
AllowOverride None
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
Header set X-XSS-Protection "1; mode=block"
Header always append X-Frame-Options DENY
Header set X-Content-Type-Options nosniff
</VirtualHost>
a2ensite mysite.net if not already enabled. Now check that the configuration looks OK with apache2ctl configtest. If everything looks OK you can restart Apache with systemctl restart apache2. Point your domain name to the server's IP if not done already and make sure that the non-HTTPS version of the website works.
curl https://get.acme.sh | sh -s email=me@whatever.com
acme.sh --set-default-ca --server letsencrypt
acme.sh --issue -d mysite.net -d www.mysite.net -w /var/www/mysite.net --keylength 4096
acme.sh --install-cert -d mysite.net --cert-file /etc/ssl/letsencrypt/mysite.net/cert.pem --key-file /etc/ssl/letsencrypt/mysite.net/key.pem --ca-file /etc/ssl/letsencrypt/mysite.net/ca.cer --fullchain-file /etc/ssl/letsencrypt/mysite.net/fullchain.pem --reloadcmd "systemctl restart apache2"
--reloadcmd parameter, I guess root is required. Technically speaking, it might not be totally necessary, but I'm afraid it will make autorenewal fail. Well, let's see after 60 days what happens, we'll find out. (UPDATE 2022-11-09: I still haven't figured out whether it works or not, because in the meantime I had to restart apache manually a couple of times, so I'm still not 100% sure)
/etc/apache2/sites-available/mysite.net.conf so as to enable the SSL engine (these lines will remove the non-HTTPS version of the website because it's 2023 now), then reload Apache with systemctl restart apache2 et voilà!
cryptfs command, whose syntax has changed.
su
vdc cryptfs changepw TYPEOFNEWPASSWORD OLDPASSWORD NEWPASSWORD
TYPEOFNEWPASSWORD can be any of password, pin, pattern (if you use a pattern, match the position of the dots with the corresponding numbers on a keypad to obtain a numeric string)
sudo su
lsblk -o name,uuid,mountpoint
/etc/fstab or /etc/crypttab. I assume you are a pr0 and this is not your case. Then, identify the boot and encrypted partitions on your hard drive, and unmount them if not already unmounted. For the following we assume:
cryptsetup open /dev/sda3 sda3_crypt
mount /dev/mapper/sda3_crypt /mnt
mount /dev/sda2 /mnt/boot
mount /dev/sda1 /mnt/boot/efi
mount --bind /dev /mnt/dev
mount --bind /proc /mnt/proc
mount --bind /sys /mnt/sys
mount --bind /run /mnt/run
chroot /mnt
firmware-linux removed the warnings. So, check that you have a network connection in the chrooted system (if necessary edit resolv.conf to add DNS). Edit /etc/apt/sources.list and make sure that there are the following two lines:
deb http://debian.org/debian/ sid main contrib non-free
deb-src http://debian.org/debian sid main contrib non-free
apt update
apt upgrade
depmod `uname -r`
cd /boot and ls -Al. You will see a bunch of files, for example:
total 107976
drwxr-xr-x 5 root root 4096 Jul 26 08:15 ./
drwxr-xr-x 24 root root 4096 Jul 21 21:39 ../
-rw-r--r-- 1 root root 206118 Mar 15 03:16 config-4.19.0-4-amd64
-rw-r--r-- 1 root root 206213 Jul 19 00:23 config-4.19.0-5-amd64
drwx------ 3 root root 4096 Jan 1 1970 efi/
drwxr-xr-x 5 root root 4096 Jul 23 20:54 grub/
-rw-r--r-- 1 root root 40260505 May 1 13:57 initrd.img-4.19.0-4-amd64
-rw-r--r-- 1 root root 52681191 Jul 26 08:15 initrd.img-4.19.0-5-amd64
drwx------ 2 root root 16384 Jan 10 2019 lost+found/
-rw-r--r-- 1 root root 3365519 Mar 15 03:16 System.map-4.19.0-4-amd64
-rw-r--r-- 1 root root 3371003 Jul 19 00:23 System.map-4.19.0-5-amd64
-rw-r--r-- 1 root root 5213424 Mar 15 03:16 vmlinuz-4.19.0-4-amd64
-rw-r--r-- 1 root root 5217520 Jul 19 00:23 vmlinuz-4.19.0-5-amd64
4.19.0-5-amd64, so in this case do:
depmod 4.19.0-5-amd64
update-initramfs -u
dpkg-reconfigure locales
(and then select `update all`; this will take some minutes, then redo update-initramfs -u)
update-grub
grub-install /dev/sda
exit
umount /mnt/boot/efi
umount /mnt/boot
umount /mnt/run /mnt/sys /mnt/proc /mnt/dev
umount /mnt
fsck -f /dev/mapper/sda3_crypt
cryptsetup close sda3_crypt
exit