Switching Arch Linux Kernel to LTS

The server has been acting strange and randomly freezing, not allowing ssh or the ability to switch to different screens.  I checked all logs, and found no evidence of what the issue could be.  After doing some research, people were saying the LTS kernel offered a little more stability for their servers, so I gave it a shot and it seemed to work perfectly.  I haven’t experienced a freeze since the switch.  The process was easy, but you just have to make sure that you fix grub as well, or you’ll be booting a live stick to fix that.

pacman -S linux-lts linux-headers-lts
pacman -R linux linux-headers
grub-mkconfig -o /boot/grub/grub.cfg

Realtek 8812au Drivers for Raspberry Pi 2

The problem with the Raspberry Pi 2 is that it’s a great device, but it lacks wireless capability.  Additionally, from what I’ve read, the Pi 3 has a problem with connecting to wireless at distances because of the antenna (or lack of).  The venture started because I wanted to install OctoPi for my 3D Printer and have that control everything.  Not having a Pi 3, I decided to use one of my old Realtek wireless antennas to get wireless access.  Most Linux distributions don’t support the 8812au out of the box and getting this installed was proving to be a huge pain, but once I found the right drivers, the installation was pretty simple.

First, I had to identify the device:

lsusb:

Bus 001 Device 004: ID 0bda:0811 Realtek Semiconductor Corp.

On a Debian or Raspbian build, you need to update your kernel and install the kernel headers.

# apt-get update && apt-get install raspberrypi-kernel raspberrypi-kernel-headers

Then install dkms so that it can rebuild the drivers if you update.

# apt-get install dkms build-essential

Now, we have to get the right driver.  The one that worked for me was the gnab drivers on github.

mkdir drivers/ && cd drivers/
git clone -b v4.3.21 https://github.com/astsam/rtl8812au
cd rtl8812au
sed -i 's/CONFIG_PLATFORM_I386_PC = y/CONFIG_PLATFORM_I386_PC = n/g' Makefile
sed -i 's/CONFIG_PLATFORM_ARM_RPI = n/CONFIG_PLATFORM_ARM_RPI = y/g' Makefile
make CROSS_COMPILE=arm-linux-gnueabihf- ARCH=arm
make install
cp 8812au.ko /lib/modules/`uname -r`/kernel/drivers/net/wireless
depmod -a
modprobe 8812au

Then for the DKMS piece:

dkms add -m 8812au -v 4.3.21
dkms build -m 8812au -v 4.3.21
dkms install -m 8812au -v 4.3.21

To remove the driver:

dkms remove -m 8812au -v 4.3.21 --all

Using ddclient to Update DDNS on Google Domains

‘ddclient’ is a simple DDNS callback program developed in Perl.  It reports your machine’s IP address to the DDNS server so that the record is updated automatically.  One of the great features is that it’s compatible with Google Domains.  In order to get it working, you need to install it from your distro’s package manager (pacman, apt-get, emerge etc.).

Once installed, locate your ddclient.conf (most likely in /etc/ddclient/) and edit it with the following block:

daemon=300
syslog=yes
pid=/var/run/ddclient.pid
ssl=yes

use=web, web=https://domains.google.com/checkip
protocol=dyndns2
server=domains.google.com
login=LOGIN-FROM-GOOGLE
password=PASSWORD-FROM-GOOGLE
WWW.MYWEB.SITE

For the login and password, log into your domains.google.com account, navigate to your Synthetic records, and get your username and password credentials by clicking the view option. Make sure that your website matches; the credentials are case sensitive.

Once you have updated ddclient.conf, save it, and start the system service:

sudo systemctl start ddclient.service
sudo systemctl enable ddclient.service

or for others:

sudo service ddclient start
sudo update-rc.d ddclient enable

When complete, it takes about 1-2 minutes for everything to update and then your DDNS should be working and pointing your IP address to your domain name.

Obtaining SSL Encryption Certificates for Apache on Arch Linux

This has been an issue for me for quite some time. I have been trying to get SSL working and get valid certificates so that I could secure a few things and offer better security. Additionally, these days, having secure http is an added benefit. Most web-based server functions prefer the use of https over http for the extra security as well.

Here is how I got SSL and the proper encryption installed on Arch Linux with Apache.

First, install what you need (assuming that you already have a [LAMP](https://wiki.archlinux.org/index.php/Apache_HTTP_Server) stack).

yaourt -S certbot certbot-apache acme-tiny letsencrypt-cli openssl

Next, you need to obtain the certificates. Also, I port forwarded 80 and 443 through the router to the server. This would be a good time to make sure that port forward is good or else this won’t work properly.

certbot certonly --email your.email@address.com --webroot -w /srv/http/site1/ -d www.inject.run,inject.run

If you have received the congratulations message, then you should have certificates in the designated folder. (Mine were located in /etc/letsencrypt/live/inject.run/fullchain.pem.)

Now we have to activate/use the certificates through Apache.

Edit /etc/httpd/conf/httpd.conf and uncomment the following (I use nano and ctrl+w to search):

LoadModule ssl_module modules/mod_ssl.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
Include conf/extra/httpd-ssl.conf

and, while you’re in httpd.conf, search for Listen 80 and add Listen 443 right below that line.

Now, this might seem like a duplication of effort, but it was the only way I got this to work:

In /etc/httpd/conf/extra/httpd-ssl.conf, find the Virtual Host Context section, and add your VirtualHost server information as follows:

DocumentRoot "/srv/http/inject.run"
ServerName inject.run:443
ServerAdmin YOUR.EMAIL@ADDRESS.COM
ErrorLog "/var/log/httpd/error_log"
TransferLog "/var/log/httpd/access_log"
SSLEngine on
SSLCertificateFile "/etc/letsencrypt/live/inject.run/fullchain.pem"
SSLCertificateKeyFile "/etc/letsencrypt/live/inject.run/privkey.pem"
#SSLCertificateChainFile "/etc/letsencrypt/live/inject.run/chain.pem"
#SSLCACertificatePath "/etc/httpd/conf/ssl.crt"
#SSLCACertificateFile "/etc/httpd/conf/ssl.crt/ca-bundle.crt"

Note, the only two files you have to reference from your certificates are fullchain and privkey.

And, the last thing before you restart all of your services is to add a separate VirtualHost in your httpd-vhosts.conf file. Edit /etc/httpd/conf/extra/httpd-vhosts.conf and add a second VirtualHost for the same website but with *:443 instead of *:80. Additionally, you are going to need to add your certificate information as well. Look below for an example:

<VirtualHost *:80>
     ServerName www.inject.run
     OTHER OPTIONS FOR VHOST HERE IF NEEDED
</VirtualHost>

<VirtualHost *:443>
     ServerName www.inject.run
     OTHER OPTIONS FOR VHOST HERE IF NEEDED

     SSLEngine on
     SSLCertificateFile "/etc/letsencrypt/live/inject.run/fullchain.pem"
     SSLCertificateKeyFile "/etc/letsencrypt/live/inject.run/privkey.pem"
</VirtualHost>

Notice I added the SSL stuff in the second VirtualHost entry.

Now, if you choose, you can remove everything from the non-encrypted VirtualHost and add the following line below the ServerName to redirect all traffic to secure connections.

Redirect / https://www.inject.run/
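
A way to check the two VirtualHost entries described above before restarting Apache, as an added shell example that is not part of the original post or of Apache. The function name `lint_vhosts` is hypothetical, the sample file is constructed, and treating a *:80 host without a Redirect as a finding is stricter than the post, which makes the redirect optional.

```shell
#!/bin/sh
# Added example: flag *:443 vhosts missing TLS directives and *:80 vhosts
# that do not redirect to https. Prints findings; returns 1 if any.
lint_vhosts() {
    awk '
    function report(msg) { printf "%s (%s): %s\n", name, port, msg; bad = 1 }
    /^[ \t]*#/ { next }                       # skip commented-out directives
    tolower($1) ~ /^<virtualhost$/ {          # e.g. <VirtualHost *:443>
        port = $2; sub(/.*:/, "", port); sub(/>.*/, "", port)
        name = "?"; ssl = cert = key = redir = 0; next
    }
    tolower($1) == "servername"            { name = $2 }
    tolower($1) == "sslengine"             { ssl = (tolower($2) == "on") }
    tolower($1) == "sslcertificatefile"    { cert = 1 }
    tolower($1) == "sslcertificatekeyfile" { key = 1 }
    tolower($1) == "redirect" && $NF ~ /^https:\/\// { redir = 1 }
    tolower($1) ~ /^<\/virtualhost>/ {
        if (port == "443") {
            if (!ssl)  report("SSLEngine on is missing")
            if (!cert) report("SSLCertificateFile is missing")
            if (!key)  report("SSLCertificateKeyFile is missing")
        } else if (port == "80" && !redir) {
            report("serves plain HTTP without Redirect to https")
        }
    }
    END { exit bad }
    ' "$1"
}

# Constructed sample in the shape of the httpd-vhosts.conf example above,
# with the key directive left out of the *:443 entry on purpose.
demo=$(mktemp)
cat > "$demo" <<'EOF'
<VirtualHost *:80>
    ServerName www.inject.run
    Redirect / https://www.inject.run/
</VirtualHost>
<VirtualHost *:443>
    ServerName www.inject.run
    SSLEngine on
    SSLCertificateFile "/etc/letsencrypt/live/inject.run/fullchain.pem"
</VirtualHost>
EOF
lint_vhosts "$demo" || echo "-> fix the findings above"
rm -f "$demo"
```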

Hopefully, this helps get your SSL encryption working.

Switching to Google Domains

After doing some research, I found that Google now offers a dynamic DNS service with their beta addition, ‘Domains’.  The transition was fairly simple, with a few minor hangups on some of the configuration.  They have a fairly simplistic configuration page, but it’s highly customizable and clean.  The only downfall is that there wasn’t a lot of documentation on the setup procedure, and what was provided didn’t cover a few topics that could make the process frustrating.

When reading about the DDNS setup, the guide refers to most everything within the resource (www) as the subdomain.  The guide alludes to the simplistic setup by adding an ‘@’ in the sub domain block to set up the DDNS.  After configuring your ddclient.conf and adding the domain name, you’ll notice that the update doesn’t work properly.  Maybe it’s just me, but I don’t consider www as a sub domain (or maybe it’s all just a play on words in my own head).  Anyway, to sum this part up, don’t use ‘@’; use www in the sub domain block to properly set up your DDNS configuration.

The configuration of ddclient.conf was another process all in itself.  I am running my webserver on Arch Linux and maybe there hasn’t been a push for ddclient to have support for Google Domains yet.  I tried using the recommended configuration for Google Domains, but that didn’t push any updates for DDNS to match my IP address.  Long story short, I had to use the alternate configuration ‘without Google Domains support’, making a slight modification to the use line by adding the web option for obtaining the IP address.

protocol=dyndns2
use=web, web=https://domains.google.com/checkip
server=domains.google.com
ssl=yes
login=generated_username
password=generated_password
your_resource.your_domain.tld

I had been receiving errors that I couldn’t get my IP address. Not sure if it was a local network NAT issue caused by my modem and router or if it was operator error, but regardless, the above configuration worked (sort of).

The last thing I noticed was that ddclient likes to have the password enclosed in single quote marks.  Note that none of the ddclient config examples (on their wiki and on Google Domains) show these marks around the password.  My recommendation is: add them!  The end result of my configuration file for ddclient looked like this:

daemon=300
syslog=yes
#mail=root
#mail-failure=root
pid=/var/run/ddclient.pid
ssl=yes
use=web, web=https://domains.google.com/checkip
protocol=dyndns2
server=domains.google.com
login=PROVIDEDBYGOOGLE
password='PROVIDEDBYGOOGLE'
www.thebytes.net
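
The settings that both ddclient posts on this page depend on (ssl=yes, an https checkip URL, a single-quoted password) can be checked before starting the service; this is an added shell example, not part of the original posts or of ddclient. The function name `check_ddclient_conf` is hypothetical, the owner-only file mode check is a hardening assumption added here, and the sample file is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): lint a ddclient.conf.
# Prints one finding per line; returns 0 when clean, 1 otherwise.
check_ddclient_conf() {
    conf=$1
    rc=0
    # Ignore comment lines such as "#mail=root".
    body=$(grep -v '^[[:space:]]*#' "$conf")
    # The file holds the generated login and password, so group and other
    # should have no access (added hardening check, not from the post).
    perms=$(ls -ld "$conf" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "perms: $conf is accessible to group/other ($perms)"; rc=1
    fi
    # ssl=yes keeps the dyndns2 update, which carries the credentials, on TLS.
    if ! printf '%s\n' "$body" | grep -Eq '^[[:space:]]*ssl=yes[[:space:]]*$'; then
        echo "ssl: ssl=yes is missing"; rc=1
    fi
    # The IP lookup URL should be https as well.
    if printf '%s\n' "$body" | grep -Eq 'web=http://'; then
        echo "web: checkip URL is plain http"; rc=1
    fi
    # The post recommends single quotes around the password.
    if ! printf '%s\n' "$body" | grep -Eq "^[[:space:]]*password='.*'[[:space:]]*\$"; then
        echo "password: value is missing or not single-quoted"; rc=1
    fi
    return "$rc"
}

# Constructed sample: the first config block on this page, placeholder credentials.
demo=$(mktemp)
cat > "$demo" <<'EOF'
daemon=300
syslog=yes
pid=/var/run/ddclient.pid
ssl=yes
use=web, web=https://domains.google.com/checkip
protocol=dyndns2
server=domains.google.com
login=LOGIN-FROM-GOOGLE
password=PASSWORD-FROM-GOOGLE
WWW.MYWEB.SITE
EOF
chmod 644 "$demo"
check_ddclient_conf "$demo" || echo "-> fix the findings above"
rm -f "$demo"
```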