gpg --armor -o MyKey.gpg --export [Key ID or fingerprint]
For example, with fingerprint
gpg --armor -o MyKey.gpg --export AA15942077B73AE65E88FB4BCFC41606DD8C212E
with (short) key ID:
gpg --armor -o MyKey.gpg --export DD8C212E
In your OpenVPN server logs you see this error message:
failed to find GID for group openvpn
followed by a server restart (Exiting due to fatal error).
Run this command to add the OpenVPN group:
sudo groupadd openvpn
In most cases, you’ll see this in your server log after doing that:
failed to find UID for user openvpn
Exiting due to fatal error
In that case, refer to our previous post on How to fix OpenVPN “failed to find UID for user openvpn”.
In your OpenVPN server logs you see this error message:
failed to find UID for user openvpn
followed by a server restart (Exiting due to fatal error).
Run this command to add the openvpn user and add that user to the openvpn group:
sudo useradd openvpn -g openvpn
For your webserver or VPN server, you want to use unique Diffie-Hellman parameters but you don’t know how to generate the .pem file using OpenSSL.
Use this command to generate the parameters and save them in dhparams.pem:
openssl dhparam -out dhparams.pem 4096
This command generates 4096-bit Diffie-Hellman parameters. This provides good security while still giving very reasonable performance on modern devices. Depending on your preferred level of paranoia, you might want to increase the number of bits even more.
Note that even for “only” 4096 bits, generating the parameters will usually take a couple of minutes. Larger parameter sizes might take many hours to days to generate. Ensure that you are generating the parameters on a fast computer and not on your Raspberry Pi or similar!
You want to use GnuPG’s --symmetric encryption, but instead of interactively entering the password you want to use a command line argument with the cleartext password.
Use --batch --yes --passphrase <passphrase>:
gpg --symmetric --batch --yes --passphrase 12345 <input file>
Note that this is potentially insecure, as it’s way easier to find out the command line parameters of running programs than to intercept the input of the interactive dialog. Therefore, use this strategy only if necessary.
New: Our new post How to install automated certbot/LetsEncrypt renewal in 30 seconds features an updated procedure using systemd and an automated installer.
On Ubuntu, you can easily set up a daily job that tries to renew almost-expired Let’s Encrypt certificates.
Create /etc/cron.daily/renewcerts:
#!/bin/bash
certbot renew
service nginx reload
After that, run sudo chmod a+x /etc/cron.daily/renewcerts.
Now you should verify that the script would actually run:
run-parts --test -v /etc/cron.daily
should print, among other lines, this line:
/etc/cron.daily/renewcerts
IMPORTANT: You still need to run certbot renew manually every 1-2 months to check if there are any errors that might prevent certs from being renewed.
NOTE: Since the script is calling service nginx reload, you need to ensure that your nginx config files are not left in a broken state for too long if you edit them. Use sudo nginx -t to check for errors after you edit them. Also note that if you make nginx config changes, the script might unintentionally apply them to your production HTTP/HTTPS server!
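A hardened variant of the renewcerts script above, added here as an example (it is not from the original post): it tests the nginx config before reloading and exits non-zero when renewal, the config test or the reload fails, so the failure is visible to cron. The function name renew_and_reload and the exit-code values are this example's own choices.

```shell
#!/bin/bash
# Added example: hardened /etc/cron.daily/renewcerts.
# Exit codes (this example's own convention):
#   0 = renewal ran without error and nginx was reloaded
#   1 = "certbot renew" reported an error (nginx was still reloaded)
#   2 = "nginx -t" failed, reload skipped
#   3 = "service nginx reload" itself failed

renew_and_reload() {
    status=0

    # --quiet keeps cron silent unless certbot has an error to report.
    if ! certbot renew --quiet; then
        echo "renewcerts: certbot renew reported an error" >&2
        status=1
        # Do not return yet: other certificates may have been renewed
        # and still need a reload to be served.
    fi

    # Check the config on disk first; -q prints errors only.
    # A half-edited config is reported here instead of being reloaded.
    if ! nginx -t -q; then
        echo "renewcerts: nginx config test failed, reload skipped" >&2
        return 2
    fi

    if ! service nginx reload; then
        echo "renewcerts: nginx reload failed" >&2
        return 3
    fi

    return "$status"
}

# Run only on hosts where certbot is installed.
if command -v certbot >/dev/null 2>&1; then
    renew_and_reload || exit $?
fi
```

The script still reloads whatever valid config is on disk, so the caveat about unintentionally applying pending nginx changes remains.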
You want to create a binary DEB package of libsodium. However, there is no official DEB package available for the latest version.
In C/C++ you want to encode/decode something from/to Base64. libtomcrypt is WTFPL-licensed and therefore provides a good choice for both commercial and non-commercial projects.
You want to calculate a hash of any string in C/C++. LibTomCrypt is WTFPL licensed, so it’s a good choice for commercial and non-commercial projects.