Saturday, October 29, 2016

How to create and activate SSL self-signed certificate in Ubuntu 16.04/14.04

When running a server that handles critical applications such as credit card transactions, data transfer and logins, security is the first thing to keep in mind. This lab shows how to install a self-signed certificate from scratch so that the connection between your server and its clients is encrypted. Keep the limit of a self-signed certificate in mind: it protects traffic from eavesdropping, but no trusted CA vouches for it, so browsers will warn users on first visit and cannot detect an attacker who presents a different self-signed certificate. It is fine for internal hosts, testing, or clients you can configure to trust this specific certificate; a public site that takes card payments should use a certificate issued by a CA.
To create and apply the certificate, follow the steps below:


1. Update your system and install Apache
This step assumes the server is new and Apache is not yet installed; if it is already installed, skip to step 2.
sudo su 
apt-get update
apt-get install apache2

To test that Apache is installed correctly, open your server's IP address or hostname in a browser; you should see the "Apache2 Ubuntu Default Page". If not, restart Apache:

 /etc/init.d/apache2 restart

2. Create the certificate
Run the commands below to create the directory, the private key and the certificate:
mkdir /etc/apache2/ssl
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt

This certificate will be valid for 10 years. If you want a shorter lifetime, replace 3650 with the number of days it should be valid. The -nodes option leaves the private key unencrypted so that Apache can start without a passphrase; that is why its file permissions must be locked down in step 3.

After running the second command you will be asked for information about your organisation; the answers form the certificate's subject. The Common Name must be the exact hostname users will type into the browser, otherwise the browser reports a name mismatch on top of the self-signed warning. Below is an example:

What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:TZ
State or Province Name (full name) [Some-State]:ARUSHA
Locality Name (eg, city) []:ARUSHA
Organization Name (eg, company) [Internet Widgits Pty Ltd]:JARASYOLA LTD
Organizational Unit Name (eg, section) []:ICT
Common Name (e.g. server FQDN or YOUR name) []:web.jarasyola.co.tz
Email Address []:administrator@jarasyola.co.tz

Now the certificate is created.

3. Configure Apache

a. Make sure mod_rewrite, mod_ssl and the default SSL virtual host are enabled; you need these to force visitors to use HTTPS.

a2enmod rewrite ssl
a2ensite default-ssl

b. The key must not be password protected (it isn't, because of -nodes), and it must be locked down so that only root can read it:
chmod 600 /etc/apache2/ssl/apache.key

c. Configure Apache to read the new certificate
Change these lines in /etc/apache2/sites-enabled/default-ssl.conf (a symlink to the same file in sites-available). Open the file:

vim /etc/apache2/sites-enabled/default-ssl.conf
and change:

 From:
SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
To:
SSLCertificateFile  /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key

d. Add the following to /etc/apache2/sites-available/000-default.conf so that Apache honours the .htaccess file created in step 4 (AllowOverride All is what enables .htaccess; if you would rather not enable .htaccess, put the rewrite rules from step 4 directly inside this virtual host instead):

        <Directory "/var/www/html">
            Options FollowSymLinks
            AllowOverride All
        </Directory>

This assumes /var/www/html is your document root.

e. Restart Apache

/etc/init.d/apache2 restart

4. Push visitors to HTTPS

Now that the certificate is installed and applied, push visitors to HTTPS by putting something like the following snippet into /var/www/html/.htaccess:





RewriteEngine On
# Redirect all HTTP traffic to HTTPS.
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://SERVERHOSTNAME/$1 [R,L]

Change SERVERHOSTNAME to your server's hostname or IP address. Use the same name you entered as the certificate's Common Name, otherwise browsers report a name mismatch on top of the self-signed warning. Once you are sure the redirect works, change R to R=301 so that clients cache it as permanent.



Traffic between browsers and your server is now encrypted. Remember that with a self-signed certificate clients still cannot verify who they are talking to unless they have been told to trust this specific certificate, so browsers will show a warning on first visit; for a public site use a CA-issued certificate instead.
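As an added worked example (not part of the original post), here is a shell script that generates the same kind of self-signed certificate but with a subjectAltName, which current browsers require in addition to the Common Name, and then checks the things that usually go wrong before Apache is restarted: that the key matches the certificate, that the hostname is in the SAN, that the key file is mode 600, and that the lifetime is what you asked for. The hostname web.jarasyola.co.tz and the subject fields are taken from the post; the script writes into a temporary directory rather than /etc/apache2/ssl so it can be run anywhere, the function names are mine, and it assumes the openssl command is installed.

```sh
#!/bin/sh
# Added example, not from the original post: generate a self-signed certificate
# like the tutorial does, but with a subjectAltName, then verify it before
# Apache is pointed at it. Everything is written under a temporary directory
# (hypothetical paths) so the script runs anywhere; it assumes openssl is
# installed. Copy apache.key/apache.crt to /etc/apache2/ssl to use them.
set -eu

WORK="${WORK:-$(mktemp -d)}"
HOST="${HOST:-web.jarasyola.co.tz}"   # CN and SAN: the name users will type
KEY="$WORK/apache.key"
CRT="$WORK/apache.crt"

# Request config: lets the SAN extension work on OpenSSL 1.0.x (Ubuntu 16.04)
# as well as newer releases, where -addext would do the same job.
make_cert() {
    cat > "$WORK/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3_req
prompt             = no
[dn]
C  = TZ
ST = ARUSHA
L  = ARUSHA
O  = JARASYOLA LTD
OU = ICT
CN = $HOST
[v3_req]
subjectAltName   = DNS:$HOST
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    # -nodes leaves the key unencrypted so Apache can start unattended,
    # which is why the file mode has to be tightened right away.
    openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -sha256 \
        -keyout "$KEY" -out "$CRT" -config "$WORK/req.cnf" 2>/dev/null
    chmod 600 "$KEY"
}

# yes/no: does the private key belong to the certificate? (compare public keys)
key_matches_cert() {
    k=$(openssl pkey -in "$KEY" -pubout | openssl sha256 | awk '{print $NF}')
    c=$(openssl x509 -in "$CRT" -noout -pubkey | openssl sha256 | awk '{print $NF}')
    if [ "$k" = "$c" ]; then echo yes; else echo no; fi
}

# yes/no: is NAME listed as a DNS SAN? Browsers ignore the CN for this check.
cert_has_san() {
    if openssl x509 -in "$CRT" -noout -text | grep -q "DNS:$1"; then
        echo yes
    else
        echo no
    fi
}

# yes/no: will the certificate still be valid N days from now?
cert_valid_for_days() {
    if openssl x509 -in "$CRT" -noout -checkend $(( $1 * 86400 )) >/dev/null; then
        echo yes
    else
        echo no
    fi
}

# yes/no: is the key readable by its owner only (mode 600)?
key_mode_ok() {
    m=$(stat -c %a "$KEY" 2>/dev/null || stat -f %Lp "$KEY")
    if [ "$m" = 600 ]; then echo yes; else echo no; fi
}

# Stand-alone run: build the pair and print the checks.
if command -v openssl >/dev/null 2>&1; then
    make_cert
    echo "key matches cert:        $(key_matches_cert)"
    echo "SAN contains $HOST: $(cert_has_san "$HOST")"
    echo "key file mode 600:       $(key_mode_ok)"
    echo "valid for 3649 days:     $(cert_valid_for_days 3649)"
fi
```

Run the same checks against /etc/apache2/ssl/apache.key and apache.crt (set KEY and CRT accordingly) before each Apache restart; a key/certificate mismatch is the most common reason for "SSLCertificateKeyFile: ... does not match" failures at start-up.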


Friday, October 14, 2016

Updating calling rates in A2billing

VoIP providers update their rate cards now and then, and if you do not follow suit you can lose money when their rates go up.

I wrote a tutorial a while ago on how to create a rate card in A2Billing. Updating the rates can be challenging; there are two options, either updating the rates directly in the MySQL database or creating a new rate card, and the latter is simpler.

Use the steps below to update the rates.

1. Create a new ratecard
    RATES -->Rate Cards --> Add RateCard


2. Log in to MySQL and fill in the new rate card following the instructions in my last post, found here.

When running the commands, remember to change idtariffplan to match the ID of your new rate card. Example:

mysql> SELECT id,tariffname FROM cc_tariffplan;
+----+-----------------+
| id | tariffname      |
+----+-----------------+
|  1 | Ratecard1       |
|  2 | Ratecard2       |
|  3 | Ratecard141016  |
+----+-----------------+

The new rate card's ID is 3, so the command becomes:

UPDATE cc_ratecard SET buyrate = rateinitial WHERE idtariffplan = 3;

The WHERE clause is the only thing stopping this from rewriting every rate card, so check the row count with a SELECT on the same condition first, and take a dump of cc_ratecard before running the UPDATE.

3. Apply the new rate card
Go to:

RATES --> Call Plan --> update the call plan to use the new rate card.


Hope this helps someone; drop a comment if you run into any issue.

Happy Nyerere day!!






Saturday, September 24, 2016

Replicating Emails between two mail servers by Dovecot dsync

If you run a mail server for a large ISP you may need to replicate mailboxes to a second server for redundancy. This is possible if you run a Linux mail server with Postfix, Dovecot and MySQL, and it is achieved with Dovecot's dsync.

dsync is Dovecot's mailbox synchronization utility. It can be used for several different use cases: two-way synchronization of mailboxes, creating backups of mail, and converting mailboxes between different mailbox formats. All of these can be used within the same server or between different servers (via ssh(1) or TCP connections). Remote mailboxes can also be accessed via IMAP, which allows using dsync for mailbox migration.

Below is the configuration for syncing emails between two servers. Server A is the fully configured original server and Server B is the new server that will receive Server A's mail. Make sure Server B is fully configured too, then follow the steps below to sync emails between the two.

Server A
Backup/export the email database from original server

mysqldump -u [username] -p [database name] > [database name].sql

e.g. if the database is called mail and the user is postfix, the command is:

mysqldump -u postfix -p mail > emailbackup.sql

Server B
Restore/import the email database on the second server. The database name must match the one Dovecot's SQL configuration on Server B points at.

mysql -u [username] -p [database name] < [database name].sql


The following configuration should be done on both servers

a.  Enable notify and replication plugins
Open the file,

/etc/dovecot/conf.d/10-mail.conf

and add the following,

# Enable globally the notify and replication plugins
# This will then apply to all protocols dovecot supports
mail_plugins = notify replication

b. Enable iterate_query
Open /etc/dovecot/dovecot-sql.conf.ext or /etc/dovecot/dovecot-sql.conf, depending on your setup, and add the following (or uncomment the existing line). The replicator uses this query to learn which users exist; the table and column names assume a PostfixAdmin-style schema, so adapt them to yours.

iterate_query = SELECT username AS user FROM mailbox WHERE active = '1';

c. Create the dsync configuration file 

 # vi  /etc/dovecot/conf.d/30-dsync.conf

and add the following:

# From here
# Configure the aggregator service for notifications
service aggregator {
    fifo_listener replication-notify-fifo {
        # Your mail user that's managing files generally is used here
        user = vmail
        mode = 0666
    }
    unix_listener replication-notify {
        user = vmail
        mode = 0666
    }
}


# Configure the replicator service
service replicator {
    process_min_avail = 1
    # doveadm talks to the replicator through this socket; keep it root-only
    # rather than world-writable, or any local user can drive replication
    unix_listener replicator-doveadm {
        mode = 0600
    }
}
service doveadm {
     user = vmail
    inet_listener {
        # port to listen on
        port = 12345
        # enable SSL
        #ssl = yes
    }
}

doveadm_port = 12345
# Shared secret that authenticates the two servers to each other: use a long
# random string, and the same value on both servers
doveadm_password = <shared secret>
# Configure target hosts for replication
# tcp: sends the mail and the doveadm password in clear between the servers;
# use tcps: together with ssl = yes in the doveadm inet_listener above unless
# the link between the two servers is already private
# :port can be omitted if it's the default set globally for doveadm

plugin {

    mail_replica = tcp:replica_server_IP
}

service config {
  unix_listener config {
    user = vmail
  }
}

# Up to here.

d. Restart dovecot

service dovecot restart

e. If the configuration is correct, run the following to check the replication status:

doveadm replicator status '*'

You should see replication in progress.


Note:

doveadm_password must be identical on both servers. In mail_replica = tcp:replica_server_IP, replica_server_IP is the IP address of Server B when configuring Server A, and the IP address of Server A when configuring Server B. The doveadm listener on port 12345 accepts connections from anyone who knows the password, so restrict that port in the firewall to the peer server's address.

Some useful commands:

i. To check the replication on each server:

doveadm replicator status '*'

ii. Replicate a given email account manually

doveadm replicator replicate <email>

iii.  Replicate a given email account manually IN FULL

doveadm replicator replicate -f <email> 

iv. Check replication status. Also works without the email parameter.

doveadm replicator status <email>
Hope this helps someone; drop a comment if you face any issues.





Saturday, June 18, 2016

Installing the latest version (1.4.6) of GNS3 in Ubuntu/Debian

GNS3 is a graphical network simulator that allows emulation of complex networks. In this lab I am going to show you how to install the latest version of it on Ubuntu/Debian distributions.
This lab was fully tested on Debian 8 and Deepin 15. If you face any issue please drop me a comment.

1. Install dependencies

a. GNS3 dependencies

sudo apt-get install gcc
sudo apt-get install python3-setuptools
sudo apt-get install python3-dev
sudo apt-get install python3-netifaces
sudo apt-get install python3-pyqt5
sudo apt-get install python3-ws4py
sudo apt-get install python3-tornado
sudo apt-get install python3-zmq

b. Dynamips dependencies
The Dynamips hypervisor emulates Cisco MIPS-based router hardware, allowing you to run selected IOS images in GNS3. With Dynamips you can run IOS images for the Cisco c1700, c2600, c3600, c3700 and c7200 series routers.

sudo apt-get install cmake
sudo apt-get install libelf-dev
sudo apt-get install uuid-dev
sudo apt-get install libpcap-dev

2. Install GNS3 from source

a. Download it

Check the latest release from here,
https://github.com/GNS3/gns3-gui/releases

At the time of writing this howto the latest release was version 1.4.6.

In the download section, download the file with the .source.zip extension.

In a terminal, change to the directory containing the downloaded file and extract it.

unzip GNS3-1.4.6.source.zip -d GNS3-1.4.6.source
cd GNS3-1.4.6.source

The GNS3 software is made up of two main components; a server application, and a GUI application. This provides a great amount of flexibility by allowing you to run multiple servers on different PCs. Leveraging this feature, you can create large GNS3 networks.

b. Install GNS3 server

unzip gns3-server-1.4.6.zip
cd gns3-server-1.4.6/
sudo python3 setup.py install
cd ..

During installation setup.py downloads the remaining Python dependencies from PyPI over the network and installs them system-wide as root; let it finish. The expected final output is:
.
.
Using /usr/lib/python3/dist-packages
Finished processing dependencies for gns3-server==1.4.6

c. Install GNS3 gui

unzip gns3-gui-1.4.6.zip
cd gns3-gui-1.4.6
sudo python3 setup.py install
cd ..

As with the server, setup.py downloads its remaining dependencies from PyPI and installs them as root; let it finish. The expected final output is:
.
.

Using /usr/lib/python3/dist-packages
Finished processing dependencies for gns3-gui==1.4.6

d. Install Dynamips Hypervisor

unzip dynamips-0.2.16.zip
cd dynamips-0.2.16/
mkdir build
cd build
cmake ..
make
sudo make install
sudo setcap cap_net_admin,cap_net_raw=ep /usr/local/bin/dynamips
cd ../..

Make sure everything finishes without any error.

e. Install IOU prerequisites

On a 64-bit system the i386 library can only be installed after the i386 architecture has been enabled (dpkg --add-architecture i386 followed by apt-get update). The symlink gives IOU images the libcrypto.so.4 name they were linked against.

sudo apt-get install libssl1.0.0:i386
sudo ln -s /lib/i386-linux-gnu/libcrypto.so.1.0.0 /lib/libcrypto.so.4
sudo apt-get install bison
sudo apt-get install flex
sudo apt-get install git
git clone https://github.com/ndevilla/iniparser.git
cd iniparser
make
sudo cp libiniparser.* /usr/lib/
sudo cp src/iniparser.h /usr/local/include
sudo cp src/dictionary.h /usr/local/include
cd ..

f. Install GNS3 IOUYAP

unzip iouyap-0.97.zip
cd iouyap-0.97/
sudo make install
sudo cp iouyap /usr/local/bin
cd ..

g. Install VPCS

unzip vpcs-0.6.1.zip
cd vpcs-0.6.1/src
./mk.sh
sudo cp vpcs /usr/local/bin/
cd ../..

h. Install uBridge
unzip ubridge-0.9.4.zip
cd ubridge-0.9.4/
make
sudo make install
cd ..

3. Install other supporting software: cpulimit, VirtualBox, QEMU and Wireshark

The cpulimit application allows GNS3 to reduce CPU usage when running Cisco ASA devices in GNS3. With VirtualBox installed you can link emulated VirtualBox devices with other GNS3 devices. QEMU (Quick Emulator) is another PC hypervisor, and it is used to create and run Cisco ASA and other devices in GNS3. Wireshark is a powerful packet analyzer; using Wireshark you can sniff packets from your virtual GNS3 networks and analyze them, just as you can in the real world. Enter the following commands to complete your installation.

sudo apt-get install cpulimit
sudo apt-get install virtualbox
sudo apt-get install qemu
sudo apt-get install wireshark

4. Start GNS3
gns3

Note:
If you get below message:

Please install the PyQt5.QtSvg module

GNS3 1.4 runs on PyQt5, and the SVG module is packaged separately on Debian/Ubuntu. Install it using the command:

sudo apt-get install python3-pyqt5.qtsvg


After installing the module you will be able to run gns3 from the command line without problems.

Tuesday, May 24, 2016

Dropbox LAN sync - Save bandwidth and time with local dropbox LAN sync

If you work in an organization that uses Dropbox on a daily basis, you may have run into bandwidth problems, especially when syncing large files across several computers. Normally a file is uploaded to Dropbox's servers and then downloaded again by every computer the file is shared with; that uses a lot of bandwidth and takes time when the file is large. With Dropbox's LAN sync feature the bandwidth can be saved and the sync time reduced.

What is Dropbox LAN sync?

Dropbox LAN Sync is a feature that allows you to download files from other computers on your network, saving time and bandwidth compared to downloading them from Dropbox servers.

The LAN sync feature can speed up the syncing of files that already exist on your local area network (on shared folders and other computers connected to the network). It lets Dropbox fetch a new version of a file from a computer on your network instead of downloading a copy from Dropbox's servers.

What are the prerequisites for Dropbox LAN sync?

To force a LAN sync you need two computers on the same LAN, either logged in to the same account or sharing a folder. Add a file on one of the computers, and the other computer should attempt a LAN sync.

How to configure and enable LAN sync?

a. Install the Dropbox client on your PC: www.dropbox.com.

b. Allow Dropbox.exe through your firewall: LAN sync uses port 17500, TCP for the transfers and UDP for the discovery broadcasts. Go to Control Panel > Windows Firewall > Allow an app or feature through Windows Firewall. Because discovery is broadcast to the whole subnet, leave LAN sync disabled on laptops that join untrusted networks such as public Wi-Fi.

c. Click on the Dropbox tray icon > Preferences. Go to the Bandwidth tab and tick the Enable LAN sync checkbox: Click on Apply > OK.


Enjoy!



Friday, May 13, 2016

How to enable remote desktop in Windows Server 2012 R2 Core

Server Core is a minimal server installation option for Windows Server that provides a low-maintenance server environment with limited functionality. After installing Server Core there is a good chance you won't have physical access to the server, so remote desktop is the best option; follow the steps below to enable it.

a. Log in to the server
After logging in you will see the screen below.


Use this command line interface to enable remote desktop.

b. Change to the system32 directory
cd \Windows\system32
c. Run the script below, found in the system directory, which shows the current state of remote desktop
cscript scregedit.wsf /AR /v
If it returns 1, remote desktop is disabled; enable it by running the following command
cscript scregedit.wsf /AR 0
As seen below:



d. Check whether the Remote Desktop rule group is enabled in Windows Firewall by running the following in PowerShell.

Get-NetFirewallRule -DisplayGroup "Remote Desktop" | format-table Name,enabled -autosize

If it returns False, enable the rules by running the following

Enable-NetFirewallRule -DisplayGroup "Remote Desktop"

As seen below:



You can now manage the server from anywhere with a Remote Desktop client.
If the server is inside a local area network, the router has to forward TCP and UDP port 3389 to it. Exposing RDP directly to the Internet attracts constant password guessing, so prefer reaching the server over a VPN or restrict the forwarding rule to your own source addresses, and keep Network Level Authentication required (cscript scregedit.wsf /CS /v should return 1).

Wednesday, May 4, 2016

CSF firewall installation and configuration for VOIP/PBX systems-Part 2

With CSF and Webmin installed as described in part 1, part 2 concentrates on the configuration of the firewall, described in the steps below.

a. Allowing IP addresses/IP blocks full access to the server.
Start by adding your own address block, which should have full access to the PBX/VoIP system, meaning access to every port on the server. These should be your private LAN addresses, or your ISP's addresses if you are configuring a service provider's VoIP/PBX system. Log on to Webmin at https://serverip:10000, go to System > ConfigServer Security & Firewall, and in the csf - ConfigServer Firewall section add your IP/IP blocks to Quick Allow and Quick Ignore, as in the example below.

Don't forget to click Quick Allow and Quick Ignore to save them to the configuration files.
Also add your VoIP provider's IP if your system connects to an online VoIP provider, otherwise calls routed to the provider may fail. Keep the Quick Ignore list short: an ignored address is also exempt from lfd's login-failure blocking, so only your own management addresses belong there.

b. Allowing specific ports to everyone else.
Now go to Firewall Configuration to set the ports that should be reachable from anywhere without full access to the server; if your VoIP system is reachable from the Internet, these are the ports exposed directly to it.
You may allow as many outgoing ports as you like, but keep the incoming ports to the minimum. As far as my research goes, the ports below work fine for PBX/VoIP systems.

   i. Incoming
Only allow the VoIP/PBX ports 5060:5061 (SIP) and 10001:20000 (the RTP media range used by some PBX systems), so the setup looks like this:
       a. TCP
           5060:5061

         b. UDP
           5060:5061,10001:20000

   ii. Outgoing
As said above, you may open as many outgoing ports as you need; there is no problem with that.

       a. TCP
           20,21,22,25,53,80,110,113,443
       b. UDP
           20,21,53,113,123,1000:65000

So the setting will look as below,

c. Blocking ping from outside
You may also want to block ping from outside as a hardening measure; search for Allow incoming PING (ICMP_IN) and change it from ON (1) to OFF (0).



d. Enabling the firewall
When all configuration is done, you must enable the firewall for it to be operational on your server: go back to the beginning of the configuration file, look for the TESTING setting and turn it off (set it to 0), as seen below. While TESTING is on, lfd does not run and a cron job flushes the iptables rules every few minutes, which is why nothing you configured sticks until you turn it off.

e. Testing the firewall
After enabling the firewall, test that it works as intended; below are hints for testing.

- Test that all PBX users can make calls through the PBX, and check that they hear audio with the expected quality (a wrong RTP range typically shows up as one-way or no audio).
- Test that users coming from an address outside the allowed list cannot reach the PBX/VoIP admin interface, i.e. any traffic to port 80/443; only the allowed IPs should get through.

There are many more settings in CSF, but the above is the minimum for locking down your VoIP/PBX system. Drop a comment if you face any problem implementing the settings.
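An added example, not from the original post or from CSF itself, for those who prefer to do the same configuration from the shell rather than Webmin: it writes the port policy above into a csf.conf-style file, turns TESTING and incoming ping off, and then checks that no management port (22, 80, 443, 10000) is left in TCP_IN, since those must only be reachable from the Quick Allow addresses. The sample csf.conf is constructed here in a temporary directory with CSF's stock default port lists; on a real system the file is /etc/csf/csf.conf and you reload with csf -r. The function names are mine.

```sh
#!/bin/sh
# Added example, not from the original post or from CSF: apply the VoIP port
# policy to a csf.conf-style file and verify it. The sample file below is
# constructed; the real one is /etc/csf/csf.conf (reload with "csf -r").
set -eu

CONF="${CONF:-$(mktemp -d)/csf.conf}"

# Constructed sample of the csf.conf keys this post touches, with CSF's
# stock defaults (TESTING on, SSH/HTTP/HTTPS open to the world).
write_sample_conf() {
    cat > "$CONF" <<'EOF'
TESTING = "1"
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
TCP_OUT = "20,21,22,25,53,80,110,113,443"
UDP_IN = "20,21,53"
UDP_OUT = "20,21,53,113,123"
ICMP_IN = "1"
EOF
}

# Print the value of KEY = "value" from FILE.
csf_get() { sed -n "s/^$1 = \"\(.*\)\"/\1/p" "$2"; }

# Replace a KEY = "value" line in FILE (portable: no sed -i).
csf_set() {
    sed "s/^$1 = \".*\"/$1 = \"$2\"/" "$3" > "$3.tmp" && mv "$3.tmp" "$3"
}

# yes/no: is PORT covered by a CSF port list such as "5060:5061,10001:20000"?
port_open() {
    p=$1
    echo "$2" | tr ',' '\n' | while read -r item; do
        case $item in
            "")  ;;
            *:*) lo=${item%%:*}; hi=${item##*:}
                 if [ "$p" -ge "$lo" ] && [ "$p" -le "$hi" ]; then echo yes; fi ;;
            *)   if [ "$p" -eq "$item" ]; then echo yes; fi ;;
        esac
    done | grep -q yes && echo yes || echo no
}

# Management ports that must never be in TCP_IN on a VoIP box; they are
# reached only from the addresses in csf.allow (Quick Allow). Prints the
# offenders, or nothing when the list is clean.
exposed_admin_ports() {
    list=$(csf_get TCP_IN "$1"); out=
    for p in 22 80 443 10000; do
        if [ "$(port_open "$p" "$list")" = yes ]; then out="$out $p"; fi
    done
    echo "${out# }"
}

# The policy from the post: SIP in, RTP range in (UDP), broad outbound,
# no ping, and TESTING off so the rules actually stay loaded.
harden_conf() {
    csf_set TCP_IN  "5060:5061" "$1"
    csf_set UDP_IN  "5060:5061,10001:20000" "$1"
    csf_set TCP_OUT "20,21,22,25,53,80,110,113,443" "$1"
    csf_set UDP_OUT "20,21,53,113,123,1000:65000" "$1"
    csf_set ICMP_IN "0" "$1"
    csf_set TESTING "0" "$1"
}

# Stand-alone run: show the exposure before and after hardening.
write_sample_conf
echo "exposed before: [$(exposed_admin_ports "$CONF")]"
harden_conf "$CONF"
echo "exposed after:  [$(exposed_admin_ports "$CONF")]"
echo "TESTING is now: $(csf_get TESTING "$CONF")"
```

Run exposed_admin_ports against /etc/csf/csf.conf after every change in Webmin; an empty result means the admin interface and SSH are only reachable through the allow list, which is the whole point of the setup.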


Wednesday, April 27, 2016

Restricting specific users from sending email to external domains in Postfix

Postfix is a free and open-source mail transfer agent (MTA) that routes and delivers electronic mail, intended as an alternative to the Sendmail MTA.
When configuring a mail server, especially for small companies, there is sometimes a requirement to restrict some users from sending email to the Internet and allow them to send only to the local domain or a few chosen domains.
This howto shows how to add that functionality. It assumes you already have a working mail server where users can send and receive email. The steps are below.

a. Create an access map that catches the specific email addresses which should be restricted.
i. Change to root and open the main Postfix configuration file.

 ~$ sudo su -
 ~# vim /etc/postfix/main.cf
ii. Add a rule that will catch the limited addresses.
The rule must be the first entry in smtpd_sender_restrictions, as below:

smtpd_sender_restrictions =
check_sender_access hash:/etc/postfix/restricted_senders,

If you put the rule after any permit rule it will not work as required, because Postfix stops evaluating the list at the first permit.

b. Create the map and add the addresses which should be restricted. I am using the jarasyola.co.tz domain for demonstration only; use your actual domain in a real implementation.
vim /etc/postfix/restricted_senders
Add the email addresses which should be restricted to the file created above and save:

james@jarasyola.co.tz  local_only
vanessa@jarasyola.co.tz local_only

as below


c. i. The rule above routes restricted senders to a restriction class called "local_only". You need to declare it before you can add rules to it. Open main.cf and declare local_only as a restriction class:

smtpd_restriction_classes = local_only
ii. Then define the "local_only" class and add its rules. They are evaluated top to bottom and the first match wins:
local_only =
check_recipient_access hash:/etc/postfix/local_domains,
reject
Both settings go in /etc/postfix/main.cf.



d. Lastly, define the local domains to which restricted users may send; here I allow my local domain only.
Create a file

vim /etc/postfix/local_domains

add the domain(s)

jarasyola.co.tz   OK

If the recipient domain is not in /etc/postfix/local_domains, Postfix moves to the next rule in "local_only", which is "reject". That is a static action, always true when Postfix reaches it, and it gives you what you want: either the recipient domain is in /etc/postfix/local_domains or the message is rejected. Note that a domain entry such as jarasyola.co.tz also matches its subdomains, because parent_domain_matches_subdomains covers smtpd_access_maps by default. Because both maps are declared as hash: tables, run postmap on each file (postmap hash:/etc/postfix/restricted_senders, and the same for local_domains) and then postfix reload, otherwise Postfix keeps using the old .db files.

One limit to keep in mind: check_sender_access matches the envelope sender, which an authenticated user can set to any address their mail client allows. To stop a restricted user from bypassing the rule by sending as someone else, map SASL logins to the addresses they may use with smtpd_sender_login_maps and put reject_sender_login_mismatch ahead of this rule.

Drop a comment if you face any difficulty implementing the setup; see you in the next post.
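The following shell script is an added example (not from the original post) that emulates how Postfix evaluates the two maps above for a given envelope sender and recipient, including the parent-domain matching that access tables do by default, so you can check the policy offline before running postmap and postfix reload. The map contents are the constructed sample from this post, written to a temporary directory; the function names are mine and the lookup order mirrors the one documented for Postfix access tables.

```sh
#!/bin/sh
# Added example, not from the original post: emulate the decision Postfix makes
# with "check_sender_access" plus the "local_only" restriction class, so the
# policy can be tested before reloading Postfix. The map files are constructed
# here under a temporary directory; the real ones live in /etc/postfix and
# need "postmap" run on them after every edit.
set -eu

WORK="${WORK:-$(mktemp -d)}"
RESTRICTED="$WORK/restricted_senders"
LOCAL="$WORK/local_domains"

# Write the two access maps exactly as the post describes (constructed sample).
setup_maps() {
    cat > "$RESTRICTED" <<'EOF'
james@jarasyola.co.tz   local_only
vanessa@jarasyola.co.tz local_only
EOF
    cat > "$LOCAL" <<'EOF'
jarasyola.co.tz   OK
EOF
}

# Exact-key lookup in a "key value" map; Postfix keys are case-insensitive.
map_get() {
    awk -v k="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" \
        '!/^#/ && tolower($1) == k { print $2; exit }' "$2"
}

# Access-table lookup order for an address: user@domain, then the domain,
# then each parent domain (parent_domain_matches_subdomains includes
# smtpd_access_maps by default), then "user@". Prints the action or nothing.
access_lookup() {
    addr=$1; file=$2
    r=$(map_get "$addr" "$file"); if [ -n "$r" ]; then echo "$r"; return; fi
    dom=${addr#*@}
    while [ -n "$dom" ]; do
        r=$(map_get "$dom" "$file"); if [ -n "$r" ]; then echo "$r"; return; fi
        case $dom in *.*) dom=${dom#*.} ;; *) dom= ;; esac
    done
    map_get "${addr%@*}@" "$file"
}

# Decide one envelope sender/recipient pair the way
#   smtpd_sender_restrictions = check_sender_access hash:restricted_senders, ...
#   local_only = check_recipient_access hash:local_domains, reject
# would. Prints OK, REJECT, or DUNNO (not a restricted sender: the rest of
# smtpd_sender_restrictions and the recipient restrictions decide).
decide() {
    sender=$1; rcpt=$2
    cls=$(access_lookup "$sender" "$RESTRICTED")
    [ "$cls" = local_only ] || { echo DUNNO; return; }
    act=$(access_lookup "$rcpt" "$LOCAL")
    if [ "$act" = OK ]; then echo OK; else echo REJECT; fi
}

# Print a decision table for "sender recipient" pairs read from stdin.
report() {
    while read -r s r; do
        printf '%-26s -> %-28s %s\n' "$s" "$r" "$(decide "$s" "$r")"
    done
}

# Stand-alone run with a few constructed pairs.
setup_maps
printf '%s\n' \
    'james@jarasyola.co.tz alice@jarasyola.co.tz' \
    'james@jarasyola.co.tz bob@mail.jarasyola.co.tz' \
    'james@jarasyola.co.tz bob@gmail.com' \
    'boss@jarasyola.co.tz bob@gmail.com' | report
```

Point RESTRICTED and LOCAL at your real files to dry-run a change, and remember that this only reproduces the sender-restriction stage: a DUNNO result means the message goes on to whatever else main.cf says, and the emulation does not cover the sender-login check suggested above.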

Friday, April 22, 2016

CSF firewall installation and configuration for VOIP/PBX systems-Part 1

When installing any PBX/VoIP system, security is one of the first things to consider, since a compromised system can cause big losses, especially financial ones. There are different ways of securing VoIP/PBX systems; this howto explains how to lock one down completely by making all standard ports unreachable from the Internet and reachable only from a specified subnet, while opening only the ports users need to make and receive calls.
The howto is divided into two main parts: part 1 covers the firewall installation and part 2 the configuration of the firewall to meet your needs. The steps are:

a. Webmin installation
b. Csf Installation
c. Firewall configuration

a. Webmin Installation
Webmin is a web-based graphical administration tool for Unix-like systems. It manages users, disks, networking, iptables (firewall), cron, Apache, DNS, file sharing and much more, and offers an easy-to-use interface comparable to hosting control panels such as cPanel.

i. Install required packages first.
# yum -y install perl perl-Net-SSLeay openssl perl-IO-Tty

ii. Install Webmin.

Check for the latest version here (http://www.webmin.com/download.html). At the time of writing the latest version is 1.791. Download over https, and import Webmin's package signing key (published on the same download page) so that yum can verify the RPM before it is installed as root.
# yum -y install https://prdownloads.sourceforge.net/webadmin/webmin-1.791-1.noarch.rpm


The installation is done automatically into /usr/libexec/webmin, with the administration username set to root and the password set to your current root password. You should now be able to log in to Webmin at https://localhost:10000/ (the installer enables SSL when perl-Net-SSLeay is present, as installed above; use http:// only if it is not). If accessing it remotely, replace localhost with your system's IP address.




More tweaks:
-Starting and restarting the service use:
# /etc/init.d/webmin start
# /etc/init.d/webmin stop
# /etc/init.d/webmin restart
# /etc/init.d/webmin status
-Changing webmin root password

To change the Webmin root account password use the following command (note: it does not change your system's root password):

-Change webmin default port
If you do not want to run Webmin on the default port, use the steps below to change it.

Login Webmin as root >> Webmin >> Webmin Configuration >> Ports and Addresses… you can change port there.


b. Csf Installation

CSF (ConfigServer Firewall) is generally considered a more advanced firewall, as it has more configuration options than other firewalls, while still being simple enough that even novice administrators can install and configure it. An alternative to CSF is the Advanced Policy Firewall (APF).
Installing CSF is as simple as downloading the source archive to your server and installing it; follow the steps below.

i. Change to the src directory and remove any existing csf archive.
# cd /usr/src
# rm -fv csf.tgz
ii. Download the firewall and extract the downloaded file
# wget https://download.configserver.com/csf.tgz
# tar -xzf csf.tgz
iii. Change to csf directory and run installation script
# cd csf
# sh install.sh
iv.Test whether you have the required iptables modules:
# perl /usr/local/csf/bin/csftest.pl
Don't worry if you cannot run all the features, so long as the script doesn't report any FATAL errors.

v. Remove old CSF/APF firewalls

You should not run any other iptables firewall configuration script. For example, if you previously used APF+BFD you can remove the combination (which you will need to do if you have them installed, otherwise they will conflict):
# sh /usr/local/csf/bin/remove_apf_bfd.sh
vi. Integrating CSF with webmin

To manage the CSF firewall from a web browser via Webmin, you need to integrate it into Webmin.
Install the csf webmin module in:
  Webmin > Webmin Configuration > Webmin Modules >
  From local file > /usr/local/csf/csfwebmin.tgz > Install Module

To access the CSF configuration via Webmin go to System > ConfigServer Security & Firewall.



vii. Uninstalling CSF

Removing csf and lfd is even simpler:
# cd /etc/csf
# sh uninstall.sh
viii. Removing Warning

In case you get this warning below:

*WARNING* URLGET set to use LWP but perl module is not installed, reverting to HTTP::Tiny

when accessing CSF via Webmin, install the missing Perl module with the command below.
# yum install perl-libwww-perl
That's it; check out part 2 for the VoIP firewall configuration.



Friday, April 15, 2016

How to stream movies on Samsung smart TV using Popcorn Time in Linux

If you're a movie and torrent lover, you might have heard of Popcorn Time. For those new to it, Popcorn Time is a multi-platform, free software BitTorrent client that includes an integrated media player. It provides a free alternative to subscription-based video streaming services (such as Netflix). Popcorn Time uses sequential downloading to stream video listed by several torrent websites (other trackers can be added and used manually).
The software has been shut down several times due to copyright issues but is available again. Below I explain step by step how to stream movies to a smart TV from Popcorn Time running on a Linux machine (Deepin Linux, which is based on Ubuntu 14) in the following easy steps.

a. Download the Popcorn Time software from its current official site.

The current site is https://popcorntime.sh/. Because the project has changed hands and domains several times, make sure you are on the site the project itself points to and download over HTTPS only; you are about to run an unsigned binary with your user's permissions.


Save the file in any of your preferred place, for mine it goes to Downloads.

b. Extract the downloaded file.

The extracted folder will be called Linux, but you may rename it to anything you prefer.

c. Open the extracted folder and run the file called Popcorn-Time.

Inside the extracted folder you're going to find 3 folders and 8 files as seen below.


Below is the next screen after running Popcorn-Time file.

d. Choose movie,series, anime etc of your choice and start streaming.

Below is what i choose for demonstration.


e. Connect Popcorn-Time to To Samsung smart TV.

If your smart TV is connected in the same network where your computer is connected, you will see it when you click Watch now icon on selected movie as seen below,


As you can see above, the Watch now icon shows which players you can stream the movie to: TV (my Samsung LED smart TV), VLC (because it is installed on my machine) and butter (Popcorn Time's default player). Choose the Samsung TV and press Watch now.

f. Allow Popcorn-Time to stream on your TV and Enjoy.

If it is the first time Popcorn Time connects to your TV, you may have to allow it to access the TV.


Once connected, the stream plays on the TV while the download is still in progress.

  
Keep enjoying the movies; see you next time.



Saturday, April 9, 2016

Configuring Mikrotik router to allow traffic from mail server running on LAN

It is common to run a mail server inside the LAN if you have a reliable power supply, and it is also one of the better options for the security of your mail server, since only the ports you forward are exposed. This howto explains how to configure a Mikrotik router to allow traffic to and from a mail server running in the LAN.

This how to assumes the following

  • X.X.X.X being your public IP,
  • mail.jarasyola.co.tz being MX records of your server domain and 
  • 192.168.1.200 being IP address of mail server.

The setup will have only three simple steps as below.


Step 1
Create firewall to allow inbound TCP traffic from any IP address to these ports on the server.

25 (SMTP)
110 (POP3)
143 (IMAP)
443 (HTTPS)
465 (SMTPS)
587 (Submission)
993 (IMAPS)
995 (POP3S)

Here I assume webmail and any other web access to the server is done on port 443 (HTTPS), since port 80 is used by the Mikrotik web interface.

Copy the following into a text editor, change the mail server IP (192.168.1.200) and the Mikrotik public IP (X.X.X.X), and paste the rules into the Mikrotik terminal. Note that the second rule also forwards port 22 (SSH), which is not in the list above and exposes the mail server's SSH service to every Internet address; drop that rule, or add src-address= with your administrative IP to it.

/ip firewall nat
add action=dst-nat chain=dstnat comment="Email server port forwarding" \
    dst-address=X.X.X.X dst-port=25 protocol=tcp to-addresses=\
    192.168.1.200 to-ports=25
add action=dst-nat chain=dstnat comment="SSH: remove or restrict with src-address=" \
    dst-address=X.X.X.X dst-port=22 protocol=tcp to-addresses=192.168.1.200 \
    to-ports=22
add action=dst-nat chain=dstnat dst-address=X.X.X.X dst-port=110 \
    protocol=tcp to-addresses=192.168.1.200 to-ports=110
add action=dst-nat chain=dstnat dst-address=X.X.X.X dst-port=143 \
    protocol=tcp to-addresses=192.168.1.200 to-ports=143
add action=dst-nat chain=dstnat dst-address=X.X.X.X dst-port=443 \
    protocol=tcp to-addresses=192.168.1.200 to-ports=443
add action=dst-nat chain=dstnat dst-address=X.X.X.X dst-port=465 \
    protocol=tcp to-addresses=192.168.1.200 to-ports=465
add action=dst-nat chain=dstnat dst-address=X.X.X.X dst-port=587 \
    protocol=tcp to-addresses=192.168.1.200 to-ports=587
add action=dst-nat chain=dstnat dst-address=X.X.X.X dst-port=993 \
    protocol=tcp to-addresses=192.168.1.200 to-ports=993
add action=dst-nat chain=dstnat dst-address=X.X.X.X dst-port=995 \
    protocol=tcp to-addresses=192.168.1.200 to-ports=995

Step 2
Create a DNS redirect so that the static DNS entry on the router is used for local access.

Copy and paste the following in the terminal.
/ip firewall nat
add action=redirect chain=dstnat comment="Dns redirect" dst-port=53 protocol=\
    udp to-ports=53
add action=redirect chain=dstnat dst-port=53 protocol=tcp to-ports=53
The rules above intercept all DNS queries from the LAN so that the router answers them itself, forwarding to the provider's DNS server only for names it does not hold locally.

Step 3
Create the static entry for the mail server MX record, so that traffic from within the LAN is not redirected to the public IP but goes directly to the mail server's local IP.
Copy and paste the following into the MikroTik terminal, changing only the mail server IP and the domain MX record to reflect your mail server.
/ip dns static
add address=192.168.1.200 name=mail.jarasyola.co.tz
That's all; the server will work perfectly within your LAN. To avoid your public IP being blacklisted for spam generated by other users in the network, you should also block port 25 so that it cannot be used by other computers in the network to send unauthorized email; the howto is found here.


Blocking rogue mail server from LAN using Mikrotik

A rogue mail server is any unauthorized mail server that can be used to send email, usually spam. These are mostly compromised computers in the network which spammers use, via your public IP, to send spam to the rest of the world. The main problem is that your public IP will frequently be listed in worldwide blacklist databases, blocking the normal operation of the legitimate mail servers running within your network.
If you're running a mail server inside your LAN, it is good practice to create a firewall that allows only your mail server IP to send and receive email and blocks the rest of the IPs.
In MikroTik this can be done with three simple firewall rules, shown below.

Copy and paste the following into the MikroTik terminal.
/ip firewall filter
add chain=forward comment="Allowing mail server" dst-port=25 out-interface=\
    ether1-gateway protocol=tcp src-address=192.168.1.200
add chain=forward comment="Allowing mail server" dst-address=192.168.1.200 \
    dst-port=25 in-interface=ether1-gateway log=yes protocol=tcp
add action=drop chain=forward comment="Blocking Spammers" dst-port=25 log=yes \
    protocol=tcp

The first two rules allow traffic leaving and entering the mail server, while the last rule blocks any other traffic leaving the LAN on port 25, the port used for mail delivery.
In this firewall 192.168.1.200 is the mail server IP, so if you copy and paste these rules you should change that IP.
After that you can sit back and relax, because if you do find your public IP blacklisted, the spam must have originated from your mail server itself, and that is easy to troubleshoot if the server is well configured and secured.
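Both the inbound allow rule and the drop rule above carry log=yes, so the router log is where you would look for an infected host. As an added example (not from the original post), this Python script reads exported RouterOS log lines, uses the interface and address values from the rules above, separates hits on the logged allow rule from hits on the "Blocking Spammers" drop rule, and counts the LAN hosts that tripped the latter. The log lines are constructed samples; because the rules set no log-prefix, the script classifies entries by direction and address instead of by prefix.

```python
import re
from collections import Counter

# Values taken from the rules on the page; change them if you changed the rules.
MAIL_SERVER = "192.168.1.200"   # src-address / dst-address in the allow rules
WAN_IFACE = "ether1-gateway"    # in-interface / out-interface in the allow rules

# Constructed sample in the layout RouterOS uses for a rule with log=yes and no
# log-prefix, as shown by /log print. These are not real traffic records.
SAMPLE_LOG = """\
jan/02 10:15:33 firewall,info forward: in:ether1-gateway out:bridge, src-mac 00:11:22:33:44:55, proto TCP (SYN), 203.0.113.20:51234->192.168.1.200:25, len 60
jan/02 10:16:02 firewall,info forward: in:bridge out:ether1-gateway, src-mac 00:11:22:33:44:77, proto TCP (SYN), 192.168.1.55:49213->198.51.100.7:25, len 52
jan/02 10:16:03 firewall,info forward: in:bridge out:ether1-gateway, src-mac 00:11:22:33:44:77, proto TCP (SYN), 192.168.1.55:49214->198.51.100.8:25, len 52
jan/02 10:16:09 firewall,info forward: in:bridge out:ether1-gateway, src-mac 00:11:22:33:44:88, proto TCP (SYN), 192.168.1.77:51000->203.0.113.45:25, len 52
jan/02 10:16:15 firewall,info forward: in:ether1-gateway out:bridge, src-mac 00:11:22:33:44:55, proto TCP (SYN), 203.0.113.99:44000->192.168.1.10:25, len 60
jan/02 10:16:20 firewall,info forward: in:bridge out:ether1-gateway, src-mac 00:11:22:33:44:77, proto TCP (SYN), 192.168.1.55:49215->198.51.100.7:443, len 52
"""

LINE_RE = re.compile(
    r"forward: in:(?P<in>[^ ,]+) out:(?P<out>[^ ,]+),.*?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)->"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)"
)


def parse_line(line):
    """Return interfaces, addresses and ports of a forward-chain log line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def classify(rec):
    """Map a port-25 record onto the rule on the page that logged it.

    Rule 2 (logged): arrives on the WAN interface, destined for the mail server.
    Rule 3 (logged): anything else on port 25 is dropped; for LAN sources that
    means a host other than the mail server tried to send mail directly.
    Rule 1 (not logged): the mail server's own outbound SMTP never shows up.
    """
    if rec["dport"] != 25:
        return None
    if rec["in"] == WAN_IFACE:
        return "allowed-inbound" if rec["dst"] == MAIL_SERVER else "dropped-inbound"
    if rec["src"] == MAIL_SERVER:
        return None
    return "dropped-outbound"


def summarize(log_text):
    """Count hits per rule outcome and per LAN host caught by the drop rule."""
    outcomes = Counter()
    offenders = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        kind = classify(rec) if rec else None
        if kind is None:
            continue
        outcomes[kind] += 1
        if kind == "dropped-outbound":
            offenders[rec["src"]] += 1
    return outcomes, offenders


if __name__ == "__main__":
    outcomes, offenders = summarize(SAMPLE_LOG)
    print("per rule outcome:", dict(outcomes))
    for host, hits in offenders.most_common():
        print(f"LAN host {host} tried direct SMTP {hits} time(s) - check it for malware")
```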


Thursday, March 31, 2016

Importing Callwithus rates to A2billing

There are different ways of importing rates into a2billing; some are straightforward, but with others you will need to do a bit of editing to make them work.
This howto shows step by step how to import the callwithus rate card into a2billing.

Step 1- Download rate card from provider.

This will depend on which provider you're using; in this post I am going to use callwithus as my provider. Download the rates from their website found here, then extract the file and save it anywhere on your computer.


Step 2- Create new rate card
Now go to RATECARD, Create new Rate Card.
Give your ratecard a name and a description and click CONFIRM DATA.

Step 3- Import rate card
Now select the Import RateCard menu.
Ensure the “Choose the ratecard to import” field is set to the rate card you just created.
The callwithus import file also includes “BUYRATE MIN DURATION” and “BUYRATE BILLING BLOCK” information, so I have moved those 2 fields over to the “Selected Fields” box.
Click on Browse to select your import file, then click “Import Ratecard”.


File size is greater than allowed limit error.
If you get an error saying the file size is greater than the allowed limit, the file you're trying to upload is larger than 1 MB, which is the default value. To change it go to SYSTEM SETTINGS, Global list, and on the lower left side of the page change DISPLAY TO to all, then click GO to display all Global list settings. Now search for the Max File Upload Size parameter and change it to a larger value, or simply append a zero to raise the maximum upload size to 10 MB, then click CONFIRM DATA to save it.

Now try importing the rates again by following the procedures in step 3.

A2billing shows us an example of what it’s going to import. This is the first record in the file.
Click “Continue to Import the Ratecard” if the example looks good.


A2billing should now tell you how many rates have been imported.



Step 4- Verifying the Imported rates
Unfortunately, if we now go and look at one of these rates we’ll see that the callwithus file wasn’t particularly well formatted for importing into a2billing.

The buy rate is zero, the selling rate is our buying cost and “SELLRATE MIN DURATION / SELLRATE BILLING BLOCK” are both zero!



Step 5 - Editing the rates via database.
So we need to sort this out. What we could have done was edit the file in something like Excel before we imported it to get everything in the correct layout. This is probably the easiest option, however I’m going to edit my ratecard using SQL in the database. Be sure you know what you’re doing if you choose this option!
First I need to log into mysql with the password set during installation. The default database name is mya2billing – yours may differ.
mysql -u a2billinguser -p

Output:
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 3497
Server version: 5.1.73 Source distribution

Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>


List existing databases;

mysql> show databases;

Output:
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mya2billing        |
| test               |
+--------------------+
3 rows in set (0.00 sec)

Choose to use mya2billing database

mysql> use mya2billing;

Output:
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> 

Next I need to find out the ID of the tariff plan I want to edit.

mysql>  SELECT id,tariffname FROM cc_tariffplan;

Output:
+----+-----------------------+
| id | tariffname            |
+----+-----------------------+
|  1 | Ratecard1             |
|  2 | Callwithus 29-03-2016 |
+----+-----------------------+
2 rows in set (0.00 sec)

Now I’m going to set the buy rate to be the sell rate that was loaded from the import file.

mysql> UPDATE cc_ratecard SET buyrate = rateinitial WHERE idtariffplan = 2;

Output:
Query OK, 37109 rows affected (1.14 sec)
Rows matched: 37117  Changed: 37109  Warnings: 0

Now I’m going to add 40% on to my sell rate.

mysql> UPDATE cc_ratecard SET rateinitial = (rateinitial*1.4) WHERE idtariffplan = 2;

Output:
Query OK, 37109 rows affected, 17139 warnings (1.23 sec)
Rows matched: 37117  Changed: 37109  Warnings: 17139

Now to set the “SELLRATE MIN DURATION” to the “BUYRATE MIN DURATION” that was loaded from the import file.

mysql> UPDATE cc_ratecard SET initblock = buyrateinitblock WHERE idtariffplan = 2;

Output:
Query OK, 37117 rows affected (0.76 sec)
Rows matched: 37117  Changed: 37117  Warnings: 0

Finally to set “SELLRATE BILLING BLOCK” to the “BUYRATE BILLING BLOCK” that was loaded from the import file.

mysql> UPDATE cc_ratecard SET billingblock = buyrateincrement WHERE idtariffplan = 2;


Output:
Query OK, 37117 rows affected (0.75 sec)
Rows matched: 37117  Changed: 37117  Warnings: 0

Now if we go and look at the rate we were looking at before it looks much better. The billing increments are all the same and my sell rate is 40% more than my buy rate!
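As an added example, not part of the original post, here are the same four UPDATEs replayed in Python against a small in-memory SQLite copy of cc_ratecard (only the columns the queries touch, with constructed sample rows), run in one transaction and followed by the checks from step 4, so that a partly broken import is rolled back instead of being left half-fixed. The column and table names are the ones used in the queries above; the sample rates and blocks are made up.

```python
import sqlite3

TARIFFPLAN_ID = 2   # id of "Callwithus 29-03-2016" in the cc_tariffplan listing above
MARKUP = 1.4        # 40% on top of the buy rate, as in the UPDATE above


def load_sample_db(with_broken_row=False):
    """In-memory cc_ratecard with only the columns the page's queries touch.
    Rows are constructed to mirror the imported layout seen in step 4: buyrate 0,
    rateinitial holding the buy cost, sell-side blocks 0, buy-side blocks as loaded."""
    con = sqlite3.connect(":memory:")
    con.execute("""CREATE TABLE cc_ratecard (
        id INTEGER PRIMARY KEY, idtariffplan INTEGER, dialprefix TEXT,
        buyrate REAL, rateinitial REAL, initblock INTEGER, billingblock INTEGER,
        buyrateinitblock INTEGER, buyrateincrement INTEGER)""")
    rows = [
        (2, "255", 0.0, 0.10, 0, 0, 60, 6),
        (2, "44", 0.0, 0.02, 0, 0, 30, 6),
        (1, "255", 0.05, 0.20, 1, 1, 1, 1),   # another ratecard: must stay untouched
    ]
    if with_broken_row:                      # a line the import left without blocks
        rows.append((2, "1", 0.0, 0.01, 0, 0, 0, 0))
    con.executemany(
        "INSERT INTO cc_ratecard (idtariffplan, dialprefix, buyrate, rateinitial, "
        "initblock, billingblock, buyrateinitblock, buyrateincrement) "
        "VALUES (?, ?, ?, ?, ?, ?, ?, ?)", rows)
    con.commit()
    return con


def verify_ratecard(con, plan_id, markup):
    """Checks worth running before trusting the card: no zero buy rates, sell rate
    equal to buy rate times the markup, no zero billing blocks (the step 4 symptoms)."""
    checks = [
        ("buyrate still zero", "buyrate <= 0", ()),
        ("sell rate is not buyrate * markup", "ABS(rateinitial - buyrate * ?) > 1e-9", (markup,)),
        ("zero initblock or billingblock", "initblock <= 0 OR billingblock <= 0", ()),
    ]
    problems = []
    for label, cond, params in checks:
        n = con.execute(
            f"SELECT COUNT(*) FROM cc_ratecard WHERE idtariffplan = ? AND ({cond})",
            (plan_id, *params)).fetchone()[0]
        if n:
            problems.append(f"{n} row(s): {label}")
    return problems


def fix_ratecard(con, plan_id=TARIFFPLAN_ID, markup=MARKUP):
    """Run the page's four UPDATEs in one transaction; commit only if the checks pass.
    Order matters: buyrate must be copied out of rateinitial BEFORE the markup is
    applied, otherwise the margin is lost. Returns rows matched per statement."""
    steps = [
        ("buyrate <- rateinitial",
         "UPDATE cc_ratecard SET buyrate = rateinitial WHERE idtariffplan = ?", (plan_id,)),
        ("rateinitial <- rateinitial * markup",
         "UPDATE cc_ratecard SET rateinitial = rateinitial * ? WHERE idtariffplan = ?", (markup, plan_id)),
        ("initblock <- buyrateinitblock",
         "UPDATE cc_ratecard SET initblock = buyrateinitblock WHERE idtariffplan = ?", (plan_id,)),
        ("billingblock <- buyrateincrement",
         "UPDATE cc_ratecard SET billingblock = buyrateincrement WHERE idtariffplan = ?", (plan_id,)),
    ]
    changed = {}
    try:
        for name, sql, params in steps:
            changed[name] = con.execute(sql, params).rowcount
        problems = verify_ratecard(con, plan_id, markup)
        if problems:
            raise ValueError("ratecard checks failed, rolled back: " + "; ".join(problems))
        con.commit()
    except Exception:
        con.rollback()
        raise
    return changed


def rates(con, plan_id):
    """Rows of one ratecard as (dialprefix, buyrate, rateinitial, initblock, billingblock)."""
    return con.execute(
        "SELECT dialprefix, buyrate, rateinitial, initblock, billingblock "
        "FROM cc_ratecard WHERE idtariffplan = ? ORDER BY id", (plan_id,)).fetchall()


if __name__ == "__main__":
    con = load_sample_db()
    for step, n in fix_ratecard(con).items():
        print(f"{step}: {n} row(s)")
    for row in rates(con, TARIFFPLAN_ID):
        print(row)
```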


Now I just need to go to my call plan, remove the test rate card created earlier and add my new callwithus rate card.


Step-6 Testing the results

The import is now successful and you can test it using the A2billing simulator by going to Rates, then Simulator.

Everything seems fine now. Much of the credit should go to the owner of the original post; I documented this because I faced some difficulty when importing rates using the manual Excel method, and when I came across that post I thought it was worth sharing.

Installation of A2billing version 2.2 on AsteriskNow 6

After compiling my last post on installing A2billing, I noticed I had installed the old version (1.94); not only was it old but it also had a lot of complications and bugs, so I thought it was worth compiling another post that includes installation of the latest version of a2billing. This howto has the steps for installing the latest version of A2billing at the time of writing.

This howto's was tested on
AsteriskNOW6.12
FreePBX v12
A2billing v2.2
Asterisk v11

All the commands below should be run as the root user (#).

1. Prepare the server
Prepare the server by updating it and installing additional packages
yum -y update && yum -y groupinstall core && yum -y groupinstall base && yum -y install epel-release
yum -y install php-mcrypt php-xml perl-DBD-Pg git wget

2.a. Get A2billing from source

cd /usr/src
wget --no-check-certificate https://github.com/Star2Billing/a2billing/archive/master.tar.gz
tar zxvf master.tar.gz 
mv a2billing-master/ a2billing

2.b. Get vendor packages using composer.
cd /usr/src/a2billing
curl -sS https://getcomposer.org/installer | php
php composer.phar update
php composer.phar install

3.a. Create MySQL root password
If you did not create a mysql root password during the asterisk install you should create one now.
mysqladmin -u root password 'mysql-root-password'

3.b. Create A2Billing Database
cd /usr/src/a2billing
mysql -u root -p < DataBase/mysql-5.x/a2billing-createdb-user.sql
which, after you enter your root password, will create:

Database name: mya2billing
Database user: a2billinguser
Database user password: a2billing

Now run the script to create the tables and insert some basic configuration data
cd /usr/src/a2billing/DataBase/mysql-5.x
./install-db.sh
Answer questions as follows:

Enter Database Name: mya2billing
Enter Hostname: localhost
Enter UserName: root
Enter Password: {mysql-root-password}

Copy a2billing.conf file to /etc/ and edit it.
cp /usr/src/a2billing/a2billing.conf /etc/

Make sure the following parameters are set as shown.
vi /etc/a2billing.conf
[database]
hostname = localhost
port = 3306
user = a2billinguser
password = a2billing
dbname = mya2billing
dbtype = mysql

4. Create files and set permissions

Only required if not using Asterisk Realtime.  If unsure then proceed as if you are not using Asterisk Realtime.

Some of these files assume you have FreePBX installed and not just Asterisk.  If you just have Asterisk installed then use the files specified in the INSTALL.rst instructions included with A2billing source files.
touch /etc/asterisk/additional_a2billing_iax.conf
touch /etc/asterisk/additional_a2billing_sip.conf
echo \#include additional_a2billing_sip.conf >> /etc/asterisk/sip_custom.conf
echo \#include additional_a2billing_iax.conf >> /etc/asterisk/iax_custom.conf
chown -Rf asterisk:asterisk /etc/asterisk/additional_a2billing_iax.conf
chown -Rf asterisk:asterisk /etc/asterisk/additional_a2billing_sip.conf
chmod 777 /etc/asterisk

5. Run sound installation script
cd /usr/src/a2billing/addons/sounds
./install_a2b_sounds.sh
chown -R asterisk:asterisk /var/lib/asterisk/sounds/
Add the following to /etc/asterisk/manager_custom.conf

You can also do it via the Freepbx Asterisk API module.  If you don't have Freepbx installed then you should follow the INSTALL.rst instructions included with the a2billing source files.
[myasterisk]
secret=mycode
deny=0.0.0.0/0.0.0.0
permit=127.0.0.1/255.255.255.0
read=system,call,log,verbose,command,agent,user
write=system,call,log,verbose,command,agent,user

Note:
I am changing the default a2billing root folder from /var/www/html/a2billing to /var/www/html/voipbilling for security reasons: attackers know the default directory, so moving it is one small step toward server security.

Add fwconsole blacklist

This is very important otherwise a fwconsole restart or fwconsole chown command will delete necessary symlinks in a2billing.
vim /etc/asterisk/freepbx_chown.conf
Add the following and save
[blacklist]
item=/var/www/html/voipbilling

6. Set up a2billing web folders

A2billing has 3 GUI sections.  admin, agent, and customer.
mkdir /var/www/html/voipbilling
cp -rf /usr/src/a2billing/admin /var/www/html/voipbilling
cp -rf /usr/src/a2billing/agent /var/www/html/voipbilling
cp -rf /usr/src/a2billing/customer /var/www/html/voipbilling
cp -rf /usr/src/a2billing/common /var/www/html/voipbilling
cp -rf /usr/src/a2billing/vendor /var/www/html/voipbilling
chown -R asterisk:asterisk /var/www/html/voipbilling
chmod 755 /var/www/html/voipbilling/admin/templates_c
chmod 755 /var/www/html/voipbilling/customer/templates_c
chmod 755 /var/www/html/voipbilling/agent/templates_c
Prevent public access to /common and /vendor folders.
echo 'Deny from all' > /var/www/html/voipbilling/common/.htaccess
echo 'Deny from all' > /var/www/html/voipbilling/vendor/.htaccess
Check admin web interface

From a web browser go to http://{my-ip-address}/voipbilling/admin and make sure you get the authentication screen.  Log in as follows.

user: root
password: changepassword

Once logged in click change password link at bottom left and change it.

7. Set up AGI
mkdir /var/lib/asterisk/agi-bin
cd /usr/src/a2billing/AGI             
cp a2billing.php /var/lib/asterisk/agi-bin
cp a2billing_monitoring.php /var/lib/asterisk/agi-bin
chown -R asterisk:asterisk /var/lib/asterisk/agi-bin
chmod 755 /var/lib/asterisk/agi-bin/a2billing.php
chmod 755 /var/lib/asterisk/agi-bin/a2billing_monitoring.php
ln -s /var/www/html/voipbilling/common/lib /var/lib/asterisk/agi-bin/lib
ln -s /var/www/html/voipbilling/vendor /var/lib/asterisk/vendor
Add the following extensions to /etc/asterisk/extensions_custom.conf

If not using Freepbx then this would go into /etc/asterisk/extensions.conf.  These are just examples.  Depending on what you are doing and how you are doing it some may not apply and some may not work.

Customizing this to your needs is considered beyond the scope of this document.  Search for documentation on Asterisk custom extensions and dialplans.  If possible try find examples specific to A2Billing.

Open the below file
vim  /etc/asterisk/extensions_custom.conf

And add the contents below and save.
[macro-dialout-trunk-predial-hook]
exten => s,1,GotoIf($["${OUT_${DIAL_TRUNK}:4:4}" = "A2B/"]?custom-freepbx-a2billing,${OUTNUM},1:2)
exten => s,2,MacroExit

[custom-freepbx-a2billing]
exten => _X.,1,DeadAGI(a2billing.php,${OUT_${DIAL_TRUNK}:8})
exten => _X.,n,Hangup()

[a2billing]
exten => _X.,1,Answer
exten => _X.,n,Wait(1)
exten => _X.,n,deadAGI(a2billing.php,1)
exten => _X.,n,Hangup

[a2billing-callback]
exten => _X.,1,deadAGI(a2billing.php,1,callback)
exten => _X.,n,Hangup

[a2billing-cid-callback]
exten => _X.,1,deadAGI(a2billing.php,1,cid-callback,34) ;last parameter is the callback area code
exten => _X.,n,Hangup

[a2billing-all-callback]
exten => _X.,1,deadAGI(a2billing.php,1,all-callback,34) ;last parameter is the callback area code
exten => _X.,n,Hangup

[a2billing-did]
exten => _X.,1,deadAGI(a2billing.php,1,did)
exten => _X.,2,Hangup

[a2billing_callingcard]
; CallingCard application
exten => _X.,1,NoOp(A2Billing Start)
exten => _X.,n,DeadAgi(a2billing.php|1)
exten => _X.,n,Hangup

[a2billing_voucher]
exten => _X.,1,Answer(1)
exten => _X.,n,DeadAgi(a2billing.php|1|voucher)
;exten => _X.,n,AGI(a2billing.php|1|voucher|44) ; will add 44 in front of the callerID
exten => _X.,n,Hangup

[custom-a2billing-did]
exten => _X.,1,deadAGI(a2billing.php,1,did)
exten => _X.,2,Hangup

[custom-a2billing]
exten => _X.,1,deadAGI(a2billing.php,1)
exten => _X.,n,Hangup

8. Connect FreePBX with A2billing

8.a. Add custom Trunk

Go into FreePBX GUI>Connectivity>Trunks>Add Trunk>Add Custom Trunk give it a name and add the following custom dial string:

A2B/1
This is the trunk that is used to send calls out via A2Billing.  Simply select this trunk in outbound routes.  The /1 refers to which agi-conf is going to be used.

8.b. Add custom destinations

Add custom destinations to FreePBX via FreePBX GUI>Admin>Custom Destinations

These destinations are referring to the custom extensions created above in /etc/asterisk/extensions_custom.conf

Target: custom-a2billing,${EXTEN},1
Description: A2Billing - Callthrough

Target: custom-a2billing-did,${EXTEN},1
Description: A2Billing - DID

Start or restart FreePBX
fwconsole restart
Recurring Services
Recurring services are handled via /etc/crontab. Make a directory for the A2Billing cron PID files
mkdir -p /var/run/a2billing
chown asterisk:asterisk /var/run/a2billing

Copy cron files to some permanent location such as /usr/local
mkdir -p /usr/local/a2billing
cp -R /usr/src/a2billing/Cronjobs /usr/local/a2billing/
ln -sf /var/www/html/voipbilling/common/lib /usr/local/a2billing/Cronjobs/lib
chown -R asterisk:asterisk /usr/local/a2billing

9. Add cron

Add the cron jobs to /var/spool/cron/asterisk as follows
Run command below:
crontab -e -u asterisk

Copy and paste the contents below to opened cron file.
# update the currency table
0 6 * * * php /usr/local/a2billing/Cronjobs/currencies_update_yahoo.php
# manage the monthly services subscription
0 6 1 * * php /usr/local/a2billing/Cronjobs/a2billing_subscription_fee.php
# Check the account of each user and send an email if the balance is below the threshold the user has chosen.
0 * * * * php /usr/local/a2billing/Cronjobs/a2billing_notify_account.php
# This script will browse all the DIDs that are reserved and check whether the customer needs to pay for them;
# it bills them or warns them by email so they can decide whether to pay in order to keep their DIDs.
0 2 * * * php /usr/local/a2billing/Cronjobs/a2billing_bill_diduse.php
# This script will take care of the recurring services.
0 12 * * * php /usr/local/a2billing/Cronjobs/a2billing_batch_process.php
# Generate invoices for each user.
0 6 * * * php /usr/local/a2billing/Cronjobs/a2billing_batch_billing.php
# Run the autodialer
*/5 * * * * php /usr/local/a2billing/Cronjobs/a2billing_batch_autodialer.php
# manage alarms
0 * * * * php /usr/local/a2billing/Cronjobs/a2billing_alarm.php
# manage archive
0 12 * * * php /usr/local/a2billing/Cronjobs/a2billing_archive_data_cront.php
#autorefill
0 10 21 * * php /usr/local/a2billing/Cronjobs/a2billing_autorefill.php
15 * * * * php /usr/local/a2billing/Cronjobs/a2billing_batch_cache.php

10. Add log files

mkdir -p /var/log/a2billing
touch /var/log/a2billing/cront_a2b_alarm.log
touch /var/log/a2billing/cront_a2b_autorefill.log
touch /var/log/a2billing/cront_a2b_batch_process.log
touch /var/log/a2billing/cront_a2b_archive_data.log 
touch /var/log/a2billing/cront_a2b_bill_diduse.log 
touch /var/log/a2billing/cront_a2b_subscription_fee.log 
touch /var/log/a2billing/cront_a2b_currency_update.log 
touch /var/log/a2billing/cront_a2b_invoice.log 
touch /var/log/a2billing/cront_a2b_check_account.log 
touch /var/log/a2billing/a2billing_paypal.log
touch /var/log/a2billing/a2billing_epayment.log
touch /var/log/a2billing/a2billing_api_ecommerce_request.log
touch /var/log/a2billing/a2billing_api_callback_request.log
touch /var/log/a2billing/a2billing_api_card.log
touch /var/log/a2billing/a2billing_agi.log
chown -R asterisk:asterisk /var/log/a2billing

Add index file to prevent browsing of folders

touch /var/www/html/voipbilling/index.html

Log into the webpage

http://{my-ip-address}/voipbilling/admin
user:  root
pass: mynewpassword

Or use default password changepassword if you have not changed it yet and then click the change password link at the bottom left.

11. Set Asterisk version in A2Billing

Go into System settings>Global list.  Go to the bottom left and set to display all.  From your web browser search for "asterisk_version".  It will find that setting twice.  One for Global group and one for agi-conf1 group.  Change both accordingly.  If using Asterisk v11 then use "1_11"

Disable Asterisk Realtime if not setting up the following Asterisk Realtime procedure. Go to System settings>Global search for "realtime".  Change that setting to "no".

That's all. Please let me know if you face any difficulty implementing the steps above. Credit should also go to the author of the original howto found here, which I customized a bit to fit my needs.

Tuesday, March 22, 2016

Forcing access to Asterisknow/FreePBX and A2billing to HTTPS

When installing the asteriskNow PBX/VoIP system and a2billing, access by default is via http. When it comes to VoIP/PBX systems, security is one thing you should consider. This howto explains the steps to follow when you want your PBX server to be accessed via https; the steps include creating a self-signed certificate and forcing all traffic to https.

1. Install Mod SSL
# yum install mod_ssl
2. Create a new directory
Next, we need to create a new directory where we will store the server key and certificate
# mkdir /etc/httpd/ssl
3. Create a self signed certificate

When we request a new certificate, we should specify how long the certificate remains valid; I want the certificate to remain valid for ten years, but you may change 3650 to any number of days you want.
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/httpd/ssl/apache.key -out /etc/httpd/ssl/apache.crt
With this command, we create both the self-signed SSL certificate and the server key that protects it, and place both of them into the new directory.

The command will prompt you for a list of fields that need to be filled in.

The most important line is "Common Name". Enter your official domain name here or, if you don't have one yet, your site's IP address.

See example below,

For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:TZ
State or Province Name (full name) [ ]:Arusha
Locality Name (eg, city) [Default City]:Arusha
Organization Name (eg, company) [Default Company Ltd]: JARASYOLA COMPANY LTD
Organizational Unit Name (eg, section) [ ]:VOIP
Common Name (eg, your name or your server's hostname) [ ]:voip.jarasyola.co.tz
Email Address [ ]:voip@jarasyola.co.tz


4. Copy the newly created keys to their respective locations as needed by apache
 # cd /etc/httpd/ssl/
 # cp apache.crt /etc/pki/tls/certs/
 # cp apache.key /etc/pki/tls/private/

5. Now you must change some parameters in the /etc/httpd/conf.d/ssl.conf file
# vi /etc/httpd/conf.d/ssl.conf

5a. Look for the line beginning with SSLCertificateFile and change the path to reflect our newly created certificate (/etc/pki/tls/certs/apache.crt)

5b. Look for the line beginning with SSLCertificateKeyFile and change the path to reflect our newly created key (/etc/pki/tls/private/apache.key)


6. Force all traffic coming to your server to https

To force all web traffic to use HTTPS insert the following lines of code in the .htaccess file in your website’s root folder.
# cd /var/www/html
# vim .htaccess

Add the following code and save the file
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.yourdomain.com/$1 [R,L]

Make sure to change yourdomain.com to your server's valid domain name or IP address.


7. Restart apache

You are done. Restarting the Apache server will reload it with all of your changes in place.
 /etc/init.d/httpd restart

In your browser, type https://youraddress to view the new certificate.