Foundational setup on a Debian 8 (jessie) virtual server (DNS via BIND, apache2, certbot (TLS/SSL))

This blog post is about building a foundational working environment for whatever you have planned for your (virtual) server; let's assume a fresh installation of Debian 8.7 (jessie).

We will set up the DNS record(s) using BIND and obtain TLS/SSL certificates from Let's Encrypt via certbot.

Access your server:

ssh root@helenenhof.org

If you're not starting from a fresh installation, make sure to bring it up to date first (you are already root, so sudo is not needed; "upgrade" on its own is not a command):

apt-get update && apt-get upgrade

Optionally, install Midnight Commander if you prefer a visual file manager and editor; otherwise use your preferred editor. Run mc after the installation is complete and adjust its settings via Options > Configuration > Use internal edit to enable the internal editor:

apt-get install mc

Setting LC_ALL to en_US.UTF-8

LC_ALL is the environment variable that overrides all other localization settings. You might have noticed this while installing mc:

perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
    LANGUAGE = "en_US:en",
    LC_ALL = (unset),
    LC_TIME = "de_DE.UTF-8",
    LC_MONETARY = "de_DE.UTF-8",
    LC_ADDRESS = "de_DE.UTF-8",
    LC_TELEPHONE = "de_DE.UTF-8",
    LC_NAME = "de_DE.UTF-8",
    LC_MEASUREMENT = "de_DE.UTF-8",
    LC_IDENTIFICATION = "de_DE.UTF-8",
    LC_NUMERIC = "de_DE.UTF-8",
    LC_PAPER = "de_DE.UTF-8",
    LANG = "en_US.UTF-8"
    are supported and installed on your system.
perl: warning: Falling back to a fallback locale ("en_US.UTF-8").
locale: Cannot set LC_ALL to default locale: No such file or directory

Changing your LC_ALL can be done by adding (note the exact spelling, UTF-8; a misspelled locale name fails silently and leaves every program with the same warning):

LC_ALL=en_US.UTF-8

to /etc/environment and logging out and back in (a reboot also works; the file is read at login, so already running services only pick it up once they are restarted). If en_US.UTF-8 is not listed by locale -a, generate it first with dpkg-reconfigure locales. Once you are back on the server, run locale to check your settings; this should output:

LANG=en_US.UTF-8
LANGUAGE=en_US:en
LC_CTYPE="en_US.UTF-8"
LC_NUMERIC="en_US.UTF-8"
LC_TIME="en_US.UTF-8"
LC_COLLATE="en_US.UTF-8"
LC_MONETARY="en_US.UTF-8"
LC_MESSAGES="en_US.UTF-8"
LC_PAPER="en_US.UTF-8"
LC_NAME="en_US.UTF-8"
LC_ADDRESS="en_US.UTF-8"
LC_TELEPHONE="en_US.UTF-8"
LC_MEASUREMENT="en_US.UTF-8"
LC_IDENTIFICATION="en_US.UTF-8"
LC_ALL=en_US.UTF-8

Install and configure your DNS server with BIND

apt-get install bind9

Backup the initial named.conf.options file:

cp /etc/bind/named.conf.options /etc/bind/named.conf.options.orig

To enable logging we create a new folder named bind9 in /var/log/ and make it owned by bind:bind:

mkdir /var/log/bind9
chown bind:bind /var/log/bind9

Open /etc/bind/named.conf.options and insert this after the closing brace of the options block (logging is a top-level statement, not an option inside it):

logging {
        channel query_log {
                file "/var/log/bind9/query.log" versions 2 size 1m;
                print-time yes;
                severity info;
        };
        category queries { query_log; };
};

to create a log file named query.log in /var/log/bind9. Two caveats for a server that is reachable from the Internet: query logging writes one line per query, so keep the "versions 2 size 1m" rotation (or log to syslog instead) so that a query flood cannot fill the disk; and since this server is authoritative for your own zone only, set "recursion no;" inside the options block so it does not answer recursive queries for arbitrary names and cannot be abused as an open resolver for amplification attacks.
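As an added example (this is not code from the original post), the following POSIX shell script audits a named.conf.options file for the two settings that matter most on an authoritative-only server: recursion, and who may pull a zone transfer (AXFR hands the whole zone to whoever asks, and BIND 9.9 as shipped in jessie allows transfers from any host unless allow-transfer is set). It writes two constructed sample files, Debian's stock options block and a hardened one; the file paths and the 192.0.2.53 secondary address are placeholders I chose, and the parser assumes one option per line as in the Debian template.

```shell
#!/bin/sh
# Added example (not from the original post): audit named.conf.options for
# open recursion and unrestricted zone transfers. Sample files are constructed;
# paths and the secondary's IP (192.0.2.53) are placeholders.

# conf_value FILE KEY -> value of a "KEY value;" line with trailing "//" or "#"
# comments stripped; prints nothing when the option is not set.
# Assumption: one option per line (as in Debian's template).
conf_value() {
    awk -v key="$2" '
        { sub(/(\/\/|#).*/, "") }                       # drop comments
        $1 == key {
            v = $0
            sub("^[ \t]*" key "[ \t]*", "", v)           # strip the key
            sub(/;[ \t]*$/, "", v)                       # strip final ";"
            print v
            exit
        }' "$1"
}

# audit_named_options FILE -> one finding per line; exit 0 when clean, 1 when
# something should be fixed.
audit_named_options() {
    f=$1
    rc=0
    case $(conf_value "$f" recursion) in
        no) ;;
        *)  echo "FAIL: recursion is not 'no' (authoritative server would act as an open resolver)"
            rc=1 ;;
    esac
    xfer=$(conf_value "$f" allow-transfer)
    case $xfer in
        "")     echo "FAIL: allow-transfer unset (BIND 9.9 default allows AXFR from anyone)"
                rc=1 ;;
        *any*)  echo "FAIL: allow-transfer includes 'any'"
                rc=1 ;;
        *)      ;;
    esac
    return $rc
}

# write_samples DIR -> the weak (stock Debian) and the hardened options block.
write_samples() {
    dir=$1
    cat > "$dir/weak.conf" <<'EOF'
options {
        directory "/var/cache/bind";
        dnssec-validation auto;
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};
EOF
    cat > "$dir/hardened.conf" <<'EOF'
options {
        directory "/var/cache/bind";
        dnssec-validation auto;
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
        recursion no;                      // authoritative only, never recurse
        allow-transfer { 192.0.2.53; };    // only the secondary may AXFR (placeholder IP)
};
EOF
}

demo() {
    dir=$(mktemp -d) || return 1
    write_samples "$dir"
    for f in weak hardened; do
        echo "== $f.conf"
        audit_named_options "$dir/$f.conf" && echo "OK"
    done
    rm -rf "$dir"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it with "sh audit-bind.sh demo" to see both verdicts; on the server, "audit_named_options /etc/bind/named.conf.options" after editing tells you whether the two settings are in place, and named-checkconf (from bind9utils) still has to confirm the file parses.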

Configure your domain zone file name, type and location by adding the following to /etc/bind/named.conf.local:

zone "helenenhof.org" {
    type master;
    file "/etc/bind/db.helenenhof.org";
};

Create your domain zone file:

cp /etc/bind/db.local /etc/bind/db.helenenhof.org

Adjust it accordingly:

;
; BIND data file for helenenhof.org
;
$TTL    604800
$ORIGIN    .
helenenhof.org    IN    SOA    ns1.helenenhof.org. root.helenenhof.org. (
            2017020501    ; Serial (YYYYMMDDnn, raise on every change)
            604800        ; Refresh
            86400         ; Retry
            2419200       ; Expire
            604800 )      ; Negative Cache TTL
; Nameserver(s)
    IN    NS    ns1.helenenhof.org.
; A record(s)
    IN    A    80.131.240.119
; MX record(s)
    IN    MX    10    mail.helenenhof.org.
$ORIGIN    helenenhof.org.
ns1    IN    A    80.131.240.119
ns2    IN    A    80.131.240.119
; Hosts
srv01    IN    A    80.131.240.119
; mail gets an A record rather than a CNAME: an MX target must not be an alias (RFC 2181, section 10.3)
mail    IN    A    80.131.240.119
; Aliases
www    IN    CNAME    srv01
im    IN    CNAME    srv01

Make sure to increment the Serial every time you change this file; secondary servers only transfer a new copy of the zone when the serial has gone up, so an edit without a bump is silently ignored by them. The usual convention is YYYYMMDDnn, the date followed by a two-digit change counter (e.g. 2017020501), which keeps the value increasing even when you edit the zone several times on one day.

Before restarting, validate the configuration and the zone with named-checkconf and named-checkzone (package bind9utils); a syntax error would otherwise take the name server down. Then restart BIND and check that it is running as intended:

service bind9 restart
service bind9 status
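As an added example (not code from the original post), here is a small POSIX shell script for the two steps above that are easy to get wrong by hand: bumping the serial in the YYYYMMDDnn convention with a guard that it can never go backwards, and running BIND's own checks before the restart. The example.org sample zone, the 192.0.2.10 address and the file names are placeholders I chose; it assumes the serial sits on its own line followed by "; Serial" as in the zone file above.

```shell
#!/bin/sh
# Added example (not from the original post): keep the SOA serial in the
# YYYYMMDDnn convention and validate the zone before restarting BIND.
# Sample zone, addresses and paths are constructed placeholders.

# next_serial CURRENT TODAY -> serial to use for an edit made on TODAY
# (YYYYMMDD). nn is a per-day edit counter; the result always exceeds
# CURRENT, which is what secondaries compare when deciding to transfer.
next_serial() {
    cur=$1
    today=$2
    case $cur in
        ""|*[!0-9]*) echo "next_serial: bad serial '$cur'" >&2; return 1 ;;
    esac
    case $cur in
        "$today"[0-9][0-9])
            n=${cur#"$today"}
            n=${n#0}                  # "09" -> "9", avoids octal in $(( ))
            n=$(( n + 1 ))
            ;;
        *)
            n=1
            ;;
    esac
    new=$(printf '%s%02d' "$today" "$n")
    # A serial from the future in the file (typo, clock skew) would make
    # today's value go backwards; fall back to cur + 1 in that case.
    if [ "$new" -le "$cur" ]; then
        new=$(( cur + 1 ))
    fi
    printf '%s\n' "$new"
}

# current_serial FILE -> the number on the "; Serial" line (the layout used
# above: the serial is the first field on that line).
current_serial() {
    awk '/;[ \t]*Serial/ { print $1; exit }' "$1"
}

# bump_zone_serial FILE TODAY -> rewrite the serial in place and print it.
bump_zone_serial() {
    file=$1
    today=$2
    old=$(current_serial "$file")
    [ -n "$old" ] || { echo "bump_zone_serial: no '; Serial' line in $file" >&2; return 1; }
    new=$(next_serial "$old" "$today") || return 1
    tmp=$(mktemp) || return 1
    awk -v old="$old" -v new="$new" '
        !done && /;[ \t]*Serial/ && $1 == old { sub(old, new); done = 1 }
        { print }' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$file"          # overwrite in place: keeps owner and mode
    rm -f "$tmp"
    printf '%s\n' "$new"
}

# check_zone ZONE FILE -> BIND's own syntax checks (package bind9utils).
check_zone() {
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkconf && named-checkzone "$1" "$2"
    else
        echo "check_zone: named-checkzone not installed (apt-get install bind9utils)" >&2
        return 2
    fi
}

demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/db.example.org" <<'EOF'
$TTL    604800
$ORIGIN example.org.
@   IN  SOA ns1.example.org. root.example.org. (
            2017020501  ; Serial
            604800      ; Refresh
            86400       ; Retry
            2419200     ; Expire
            604800 )    ; Negative Cache TTL
    IN  NS  ns1.example.org.
ns1 IN  A   192.0.2.10
EOF
    echo "new serial: $(bump_zone_serial "$dir/db.example.org" "$(date +%Y%m%d)")"
    check_zone example.org "$dir/db.example.org" || true
    rm -rf "$dir"
}

if [ "${1:-}" = demo ]; then demo; fi
```

"sh bump-serial.sh demo" runs it against the constructed zone; on the server the sequence is bump_zone_serial /etc/bind/db.helenenhof.org "$(date +%Y%m%d)", then check_zone helenenhof.org /etc/bind/db.helenenhof.org, and only when that succeeds the restart from above.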

Because ns1.helenenhof.org lies inside the very zone it serves, resolvers have no way to look up its address until the registrar publishes a glue record (the name server's IP) in the parent zone. Register ns1.helenenhof.org with its IP at the registrar first; afterwards you can specify ns1.helenenhof.org as the name server for helenenhof.org. Note that the zone above lists a single NS, and ns2 pointing at the same IP adds no redundancy; most registrars expect at least two name servers on separate hosts. Don't forget to set your rDNS, i.e. the PTR record for 80.131.240.119 in your provider's control panel, to a name that resolves back to that address; mail servers check this. The wiki provided by the registrar used for helenenhof.org (Hetzner) might be helpful.

BIND’s manual or DNS for rocket scientists are always worth browsing through.

MxToolbox offers a simple way of testing your configuration.

Install and configure apache2 + certbot to get your TLS/SSL certificates

apt-get install apache2

Enter your domain.tld or IP address in your browser to check that it's working; you should see the "Apache2 Debian Default Page".

In /etc/apache2/sites-available/000-default.conf, inside the VirtualHost block, set:

ServerName helenenhof.org
ServerAlias www.helenenhof.org
ServerAlias mail.helenenhof.org
ServerAlias im.helenenhof.org

so that certbot's Apache plugin, which takes the names to put into the certificate from ServerName and ServerAlias, sees every hostname you want covered. Every one of those names must resolve to this server and be reachable on port 80, because Let's Encrypt validates each of them over HTTP (the HTTP-01 challenge) before issuing.

Certbot was not available when Debian 8 was released, so the package has to come from jessie-backports. Add:

deb http://ftp.debian.org/debian jessie-backports main

to /etc/apt/sources.list and refresh the package lists to enable the backports (Debian 8 has since reached end of life and jessie-backports is now only served from archive.debian.org; for a new server, a current release is the better choice):

apt-get update

Install certbot afterwards:

apt-get install python-certbot-apache -t jessie-backports

and request your certificates by answering the prompts (which of the names from your vhost to include, and whether to redirect HTTP to HTTPS):

certbot --apache

Your certificates are stored at /etc/letsencrypt/live/helenenhof.org/, where fullchain.pem and privkey.pem are symlinks to the current versions; the Apache plugin has already pointed your SSL vhost at them. Let's Encrypt certificates are valid for 90 days, so make sure renewal is scheduled (the Debian package installs a cron job that runs certbot renew) and test it once with certbot renew --dry-run.
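As an added example (not code from the original post), this POSIX shell script extracts the names a vhost declares, ServerName first and ServerAlias lines after it, and turns them into an explicit certbot request, so you can see and check exactly which names the certificate will cover before Let's Encrypt tries to validate them. The vhost it writes is constructed from the names used in this post; the file path and the use of getent for the resolution check are my choices, not the author's.

```shell
#!/bin/sh
# Added example (not from the original post): list the ServerName/ServerAlias
# names of an Apache vhost, build the matching certbot command, and check that
# each name resolves to this host before HTTP-01 validation is attempted.
# The sample vhost below is constructed; paths are placeholders.

# vhost_names FILE -> one hostname per line, ServerName first, duplicates
# removed, comment lines ignored, "host:port" reduced to "host".
vhost_names() {
    awk '
        /^[ \t]*#/ { next }
        $1 == "ServerName" || $1 == "ServerAlias" {
            for (i = 2; i <= NF; i++) {
                name = $i
                sub(/:[0-9]+$/, "", name)
                if (!(name in seen)) { seen[name] = 1; print name }
            }
        }' "$1"
}

# certbot_cmd FILE -> the certbot invocation covering every vhost name
# explicitly (-d ...), instead of relying on the interactive selection.
certbot_cmd() {
    cmd="certbot --apache"
    for n in $(vhost_names "$1"); do
        cmd="$cmd -d $n"
    done
    printf '%s\n' "$cmd"
}

# check_resolves NAME IP -> 0 when NAME resolves to IP via the system
# resolver (getent), 1 otherwise. Every name in the request must pass this,
# or Let's Encrypt's HTTP-01 validation for that name will fail.
check_resolves() {
    getent hosts "$1" | awk -v want="$2" '$1 == want { ok = 1 } END { exit !ok }'
}

demo() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    ServerName helenenhof.org
    ServerAlias www.helenenhof.org
    ServerAlias mail.helenenhof.org im.helenenhof.org
    # ServerAlias old.helenenhof.org   (commented out, so ignored)
    DocumentRoot /var/www/html
</VirtualHost>
EOF
    echo "names in vhost:"
    vhost_names "$f"
    echo "request:"
    certbot_cmd "$f"
    rm -f "$f"
}

if [ "${1:-}" = demo ]; then demo; fi
```

"sh vhost-names.sh demo" prints the four names and the resulting certbot command; on the server, run it against /etc/apache2/sites-available/000-default.conf and loop check_resolves over the names with the server's public IP before starting certbot, so a stale CNAME shows up as a failed check here rather than as a failed validation.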


Final thoughts

This should be a sufficient setup for getting into future projects (chat / mail server); comments and constructive criticism are always welcome.
