DEV Community: Konstantin Bogomolov

What is a TLS Certificate? With an example

Konstantin Bogomolov — Fri, 04 Apr 2025 21:46:49 +0000

A TLS certificate (also called an SSL certificate) is a digital certificate that proves a website is secure and trustworthy. It enables HTTPS, which encrypts the data between a user's browser and the server.

When you visit a website with HTTPS (like https://example.com), your browser checks the TLS certificate to make sure:

It's valid
It's issued by a trusted Certificate Authority (CA)
It's not expired
It matches the domain name

Real Example

Let's look at the TLS certificate for https://www.google.com

Using CLI, you can get a certificate details:

echo | openssl s_client -showcerts -servername google.com -connect google.com:443 2>/dev/null | openssl x509 -inform pem -noout -text

You will get decoded certificate, which looks like this:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            9a:59:e3:69:20:54:81:cc:09:2f:9e:71:4d:cf:0b:42
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C=US, O=Google Trust Services, CN=WE2
        Validity
            Not Before: Mar 20 11:18:50 2025 GMT
            Not After : Jun 12 11:18:49 2025 GMT
        Subject: CN=*.google.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:81:de:88:48:63:00:73:1b:60:b7:5f:7a:d1:93:
                    a1:a8:50:ea:59:f0:eb:f8:3d:aa:41:7e:48:e3:1d:
                    f1:16:57:c9:cf:41:c5:b0:c7:3e:4b:bc:00:c9:75:
                    25:91:b7:eb:e6:a3:03:73:cf:25:59:98:5f:76:d7:
                    3c:06:5e:9e:26
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                92:E6:2F:BA:C3:C2:DF:E6:3F:94:AE:58:48:6C:BB:B5:80:ED:AF:91
            X509v3 Authority Key Identifier:
                75:BE:C4:77:AE:89:F6:44:37:7D:CF:B1:68:1F:1D:1A:EB:DC:34:59
            Authority Information Access:
                OCSP - URI:http://o.pki.goog/we2
                CA Issuers - URI:http://i.pki.goog/we2.crt
            X509v3 Subject Alternative Name:
                DNS:*.google.com, DNS:*.appengine.google.com, DNS:*.bdn.dev, DNS:*.origin-test.bdn.dev, DNS:*.cloud.google.com, DNS:*.crowdsource.google.com, DNS:*.datacompute.google.com, DNS:*.google.ca, DNS:*.google.cl, DNS:*.google.co.in, DNS:*.google.co.jp, DNS:*.google.co.uk, DNS:*.google.com.ar, DNS:*.google.com.au, DNS:*.google.com.br, DNS:*.google.com.co, DNS:*.google.com.mx, DNS:*.google.com.tr, DNS:*.google.com.vn, DNS:*.google.de, DNS:*.google.es, DNS:*.google.fr, DNS:*.google.hu, DNS:*.google.it, DNS:*.google.nl, DNS:*.google.pl, DNS:*.google.pt, DNS:*.googleapis.cn, DNS:*.googlevideo.com, DNS:*.gstatic.cn, DNS:*.gstatic-cn.com, DNS:googlecnapps.cn, DNS:*.googlecnapps.cn, DNS:googleapps-cn.com, DNS:*.googleapps-cn.com, DNS:gkecnapps.cn, DNS:*.gkecnapps.cn, DNS:googledownloads.cn, DNS:*.googledownloads.cn, DNS:recaptcha.net.cn, DNS:*.recaptcha.net.cn, DNS:recaptcha-cn.net, DNS:*.recaptcha-cn.net, DNS:widevine.cn, DNS:*.widevine.cn, DNS:ampproject.org.cn, DNS:*.ampproject.org.cn, DNS:ampproject.net.cn, DNS:*.ampproject.net.cn, DNS:google-analytics-cn.com, DNS:*.google-analytics-cn.com, DNS:googleadservices-cn.com, DNS:*.googleadservices-cn.com, DNS:googlevads-cn.com, DNS:*.googlevads-cn.com, DNS:googleapis-cn.com, DNS:*.googleapis-cn.com, DNS:googleoptimize-cn.com, DNS:*.googleoptimize-cn.com, DNS:doubleclick-cn.net, DNS:*.doubleclick-cn.net, DNS:*.fls.doubleclick-cn.net, DNS:*.g.doubleclick-cn.net, DNS:doubleclick.cn, DNS:*.doubleclick.cn, DNS:*.fls.doubleclick.cn, DNS:*.g.doubleclick.cn, DNS:dartsearch-cn.net, DNS:*.dartsearch-cn.net, DNS:googletraveladservices-cn.com, DNS:*.googletraveladservices-cn.com, DNS:googletagservices-cn.com, DNS:*.googletagservices-cn.com, DNS:googletagmanager-cn.com, DNS:*.googletagmanager-cn.com, DNS:googlesyndication-cn.com, DNS:*.googlesyndication-cn.com, DNS:*.safeframe.googlesyndication-cn.com, DNS:app-measurement-cn.com, DNS:*.app-measurement-cn.com, DNS:gvt1-cn.com, DNS:*.gvt1-cn.com, DNS:gvt2-cn.com, DNS:*.gvt2-cn.com, DNS:2mdn-cn.net, DNS:*.2mdn-cn.net, DNS:googleflights-cn.net, DNS:*.googleflights-cn.net, DNS:admob-cn.com, DNS:*.admob-cn.com, DNS:googlesandbox-cn.com, DNS:*.googlesandbox-cn.com, DNS:*.safenup.googlesandbox-cn.com, DNS:*.gstatic.com, DNS:*.metric.gstatic.com, DNS:*.gvt1.com, DNS:*.gcpcdn.gvt1.com, DNS:*.gvt2.com, DNS:*.gcp.gvt2.com, DNS:*.url.google.com, DNS:*.youtube-nocookie.com, DNS:*.ytimg.com, DNS:android.com, DNS:*.android.com, DNS:*.flash.android.com, DNS:g.cn, DNS:*.g.cn, DNS:g.co, DNS:*.g.co, DNS:goo.gl, DNS:www.goo.gl, DNS:google-analytics.com, DNS:*.google-analytics.com, DNS:google.com, DNS:googlecommerce.com, DNS:*.googlecommerce.com, DNS:ggpht.cn, DNS:*.ggpht.cn, DNS:urchin.com, DNS:*.urchin.com, DNS:youtu.be, DNS:youtube.com, DNS:*.youtube.com, DNS:music.youtube.com, DNS:*.music.youtube.com, DNS:youtubeeducation.com, DNS:*.youtubeeducation.com, DNS:youtubekids.com, DNS:*.youtubekids.com, DNS:yt.be, DNS:*.yt.be, DNS:android.clients.google.com, DNS:*.android.google.cn, DNS:*.chrome.google.cn, DNS:*.developers.google.cn, DNS:*.aistudio.google.com
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://c.pki.goog/we2/xuzt3PU9F_w.crl

            CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : CF:11:56:EE:D5:2E:7C:AF:F3:87:5B:D9:69:2E:9B:E9:
                                1A:71:67:4A:B0:17:EC:AC:01:D2:5B:77:CE:CC:3B:08
                    Timestamp : Mar 20 12:18:56.618 2025 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:44:02:20:3A:82:2A:9B:01:F1:18:46:DA:4F:C8:74:
                                83:8E:07:93:86:AD:FF:DE:E8:49:E4:C2:68:D4:C0:85:
                                76:ED:9A:D3:02:20:0B:6A:90:A0:FE:FB:C4:DA:CF:61:
                                C0:EC:62:EE:76:73:EF:C0:96:1D:63:F9:B5:3C:A0:3E:
                                35:0A:BC:C1:B0:17
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : E6:D2:31:63:40:77:8C:C1:10:41:06:D7:71:B9:CE:C1:
                                D2:40:F6:96:84:86:FB:BA:87:32:1D:FD:1E:37:8E:50
                    Timestamp : Mar 20 12:18:57.585 2025 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:21:00:DA:4A:51:5F:E0:D9:3F:7B:BA:DE:8F:
                                F7:1D:67:79:83:13:68:D8:40:F6:80:6A:2D:C5:2C:AE:
                                A1:26:40:BA:C6:02:20:61:24:F1:2F:0D:66:23:88:4A:
                                13:CB:AA:F9:84:77:72:7F:CF:23:7D:7A:81:52:59:7A:
                                83:7D:E5:C5:25:C5:26
    Signature Algorithm: ecdsa-with-SHA256
    Signature Value:
        30:45:02:20:19:91:27:bb:9e:cd:0b:d5:18:c4:67:2e:70:43:
        59:b0:79:39:4b:1e:ec:ad:03:81:10:15:b9:bd:78:af:c8:4f:
        02:21:00:cb:c0:0a:81:91:00:73:d6:31:54:d3:7f:28:eb:ec:
        60:e6:7f:7d:1d:9e:b4:5f:f0:98:7b:25:ca:de:1f:2c:5d

Main details of Google's TLS certificate

Common Name (CN): *.google.com
→ This is a wildcard certificate that covers all Google subdomains (like mail.google.com, docs.google.com, etc.).

Issued By: Google Trust Services, CN=WE2
→ The certificate was issued by Google’s own trusted Certificate Authority.

Validity Period:
Start: March 20, 2025
End: June 12, 2025
→ The certificate is valid for about 3 months.

Signature Algorithm: ECDSA with SHA-256
→ A modern, secure digital signature algorithm.

Public Key Type: Elliptic Curve (P-256) with a 256-bit key
→ Efficient and secure cryptography.

Key Usage: Digital Signature

Extended Key Usage: TLS Web Server Authentication
→ The certificate is used for authenticating secure web servers.

Subject Alternative Names (SAN):
→ Covers hundreds of domains and subdomains, including:
*.google.com, *.youtube.com, *.gstatic.com, *.android.com, google.com, youtu.be, etc.
(Also includes many .cn domains for Chinese services.)

Certificate Policies: Standard public certificate policy OID: 2.23.140.1.2.1

🧾 OCSP & CRL URLs:
→ For real-time revocation checks and CRL (Certificate Revocation List)

Certificate Transparency (CT) Logs:
→ Contains signed timestamps from two CT logs, proving the certificate was publicly logged.

How to Know if an Issuer is Trustable

When you see something like this:

Issuer: C=US, O=Google Trust Services, CN=WE2

You're looking at the Certificate Authority (CA) that signed the certificate. But how do you know it's legit?

Here’s how to check.

Check If It’s in the Trusted Root Store

Operating systems (like Windows, macOS, Linux) and browsers (Chrome, Firefox) have a built-in list of trusted CAs, called a trusted root store.

If the issuer’s root or intermediate certificate is in that list, it's considered trustworthy.

How to check:

Open your browser.
Go to the website using the cert (e.g., https://www.google.com).
Click the padlock icon → View certificate details.
Check the certificate chain — if it says “trusted”, your browser already trusts the issuer.

In this case, Google Trust Services (CN=WE2) is trusted because:

It chains up to a trusted root certificate.
Google Trust Services is a publicly recognized Certificate Authority.

Look Up the CA in the Certificate Transparency Logs

You can search for Google Trust Services / WE2 in public Certificate Transparency (CT) logs:
crt.sh
Google Certificate Transparency

This shows how many certificates the CA has issued and confirms it’s active and used widely.

Verify on CA’s Official Site

You can check the issuer by name:
Google Trust Services CA info:
pki.goog
This is Google's official site for their public CAs, including WE2.

Get Notified with a Telegram Bot

Want to automate TLS monitoring and get notified before a certificate expires? Use Telegram Bot that can monitor TLS certificate expiration for you.

How to check domain expiration date in Linux using CLI

Konstantin Bogomolov — Wed, 16 Jun 2021 03:52:41 +0000

You can check domain expiration using whois command.

Let’s say we want to get medium.com domain expiration date. Here is a command example:

whois medium.com

The output looks like this:

Domain Name: MEDIUM.COM
   Registry Domain ID: 1329658_DOMAIN_COM-VRSN
   Registrar WHOIS Server: whois.registrar.amazon.com
   Registrar URL: http://registrar.amazon.com
   Updated Date: 2021-04-21T23:16:31Z
   Creation Date: 1998-05-27T04:00:00Z
   Registry Expiry Date: 2022-05-26T04:00:00Z
   Registrar: Amazon Registrar, Inc.
   Registrar IANA ID: 468
   Registrar Abuse Contact Email: abuse@amazonaws.com
   Registrar Abuse Contact Phone: +1.2067406200
   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
   Name Server: ALINA.NS.CLOUDFLARE.COM
   Name Server: KIP.NS.CLOUDFLARE.COM
   DNSSEC: unsigned
   URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2021-06-10T03:46:55Z <<<
For more information on Whois status codes, please visit https://icann.org/epp
NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar.  Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.
TERMS OF USE: You are not authorized to access or query our Whois
database through the use of electronic processes that are high-volume and
automated except as reasonably necessary to register domain names or
modify existing registrations; the Data in VeriSign Global Registry
Services' ("VeriSign") Whois database is provided by VeriSign for
information purposes only, and to assist persons in obtaining information
about or related to a domain name registration record. VeriSign does not
guarantee its accuracy. By submitting a Whois query, you agree to abide
by the following terms of use: You agree that you may use this Data only
for lawful purposes and that under no circumstances will you use this Data
to: (1) allow, enable, or otherwise support the transmission of mass
unsolicited, commercial advertising or solicitations via e-mail, telephone,
or facsimile; or (2) enable high volume, automated, electronic processes
that apply to VeriSign (or its computer systems). The compilation,
repackaging, dissemination or other use of this Data is expressly
prohibited without the prior written consent of VeriSign. You agree not to
use electronic processes that are automated and high-volume to access or
query the Whois database except as reasonably necessary to register
domain names or modify existing registrations. VeriSign reserves the right
to restrict your access to the Whois database in its sole discretion to ensure
operational stability.  VeriSign may restrict or terminate your access to the
Whois database for failure to abide by these terms of use. VeriSign
reserves the right to modify these terms at any time.
The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.
Domain Name: medium.com
Registry Domain ID: 1329658_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.registrar.amazon.com
Registrar URL: https://registrar.amazon.com
Updated Date: 2021-04-21T23:16:32.535Z
Creation Date: 1998-05-27T04:00:00Z
Registrar Registration Expiration Date: 2022-05-26T04:00:00Z
Registrar: Amazon Registrar, Inc.
Registrar IANA ID: 468
Registrar Abuse Contact Email: abuse@amazonaws.com
Registrar Abuse Contact Phone: +1.2067406200
Reseller:
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: renewPeriod https://icann.org/epp#renewPeriod
Registry Registrant ID:
Registrant Name: On behalf of medium.com owner
Registrant Organization: Whois Privacy Service
Registrant Street: P.O. Box 81226
Registrant City: Seattle
Registrant State/Province: WA
Registrant Postal Code: 98108-1226
Registrant Country: US
Registrant Phone: +1.2065771368
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: owner-4504344@medium.com.whoisprivacyservice.org
Registry Admin ID:
Admin Name: On behalf of medium.com administrative contact
Admin Organization: Whois Privacy Service
Admin Street: P.O. Box 81226
Admin City: Seattle
Admin State/Province: WA
Admin Postal Code: 98108-1226
Admin Country: US
Admin Phone: +1.2065771368
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: admin-4504344@medium.com.whoisprivacyservice.org
Registry Tech ID:
Tech Name: On behalf of medium.com technical contact
Tech Organization: Whois Privacy Service
Tech Street: P.O. Box 81226
Tech City: Seattle
Tech State/Province: WA
Tech Postal Code: 98108-1226
Tech Country: US
Tech Phone: +1.2065771368
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: tech-4504344@medium.com.whoisprivacyservice.org
Name Server: alina.ns.cloudflare.com
Name Server: kip.ns.cloudflare.com
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2021-04-21T23:16:32.902Z <<<
For more information on Whois status codes, please visit https://www.icann.org/resources/pages/epp
By submitting a query to the Amazon Registrar, Inc. WHOIS database, you agree to abide by the following terms. The data in Amazon Registrar, Inc.'s WHOIS database is provided by Amazon Registrar, Inc. for the sole purpose of assisting you in obtaining information about domain name accuracy. You agree to use this data only for lawful purposes and further agree not to use this data for any unlawful purpose or to: (1) enable, allow, or otherwise support the transmission by email, telephone, or facsimile of commercial advertising or unsolicited bulk email, or (2) enable high volume, automated, electronic processes to collect or compile this data for any purpose, including mining this data for your own personal or commercial purposes. Amazon Registrar, Inc. reserves the right to restrict or terminate your access to the data if you fail to abide by these terms of use. Amazon Registrar, Inc. reserves the right to modify these terms at any time.
Visit Amazon Registrar, Inc. at https://registrar.amazon.com
Contact information available here: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/domain-contact-support.html
© 2021, Amazon.com, Inc., or its affiliates

We can read line by line and find the row with a domain expiration date.

Or we could use CLI tools to get it filtered. Here is a command:

whois medium.com | grep "Expiration Date"

How to get HTTPS working on localhost

Konstantin Bogomolov — Sun, 23 May 2021 10:34:08 +0000

The simplest way is to use mkcert utility.

It is easy to use tool for making local development SSL/TLS certificates.

Installation

At first, you need to install it. You can download a binary file from here to use it immediately without installation. Or follow the installation guide for your OS.

Usage

Run command to create local CA (Certificate Authority).

mkcert -install

Run command to create certificate files.

mkcert localhost

That's it.

You have two SSL certificate files now: *.pem which is a certificate file and *key.pem which is a key file.

Use these files in the configuration of your local webserver.

If you want to know how to generate it manually, read the How to get HTTPS working on localhost article on my website. The article has a simple Nginx example of configuration to use generated SSL certificate.

How to create a blog using Hexo static site generator and free web hosting on GitLab Pages

Konstantin Bogomolov — Sat, 27 Mar 2021 07:05:36 +0000

This is a complete tutorial on how to create a blog using a static website generator and free web hosting in 2021. It is better to have at least basic programming experience to proceed with the tutorial.

We will use Hexo as a blog framework, GitLab Pages as a free hosting with HTTPS and a custom domain, Node JS and Git.

In the end, I will give you a recommendation about website monitoring.

Let’s get started.

What is a static site generator

A static website is a website that is not generated on every request on the server-side. Every time you visit a page, the server will return the same pre-generated content.

Dynamic web pages, in contrast, may generate new content on every request. It may get data from the database or use business logic on the server-side to generate content.

A static site generator is an application that generates a website from templates or any other source. For example, Hexo generates HTML files from Markdown documents.

Choose the best static website generator

There are a lot of static site generators. Choosing the best is not an easy task. Many of them use Javascript frameworks like ReactJS or VueJS. Not everyone knows those frameworks. So there is another category, which uses Markdown as an input.

Here are the most known generators I found with some stats from Github. Stats actual for March 2021.

Hexo

used by 83.3K, 856 watchers
32.4K stars, 10.46 avg. stars/day
83 open issues, 3650 total issues
152 contributors, 956 total pull requests
primary language is Javascript
last release version is 5.4.0

Hugo

used by 65K, 1059 watchers
50.7K stars, 18.02 avg. stars/day
592 open issues, 5223 total issues
700 contributors, 3052 total pull requests
primary language is Go
last release version is 0.81.0

Jekyll

used by 1.1M, 1473 watchers
42.4K stars, 9.35 avg. stars/day
80 open issues, 4367 total issues
949 contributors, 4060 total pull requests
primary language is Ruby
last release version 4.2.0

Jekyll looks the best based on these simple stats. Hugo's major version number is still 0, and it has more issues than others.

The main reason for me is a primary language. I am using NodeJS a lot, so this technology may be easier for me in case of any bugs or whenever I need to extend some functionality with a plugin.

That's why I choose Hexo there.

Hexo installation

At first, you need to install Node JS and Git version control system, if you don't have it. I am using NodeJS version 14. You can install specific NodeJS using NVM (Node Version Manager).

Then install Hexo globally. Run this command to install hexo-cli package.

npm install -g hexo-cli

I am using Hexo version 5.4.0.

Create a new Project with Hexo

Initialize new Hexo project. Change "blog" to your desired project name.

hexo init blog

Go to the new folder and install project dependencies.

cd blog
npm install

Create a simple post with the command below.

hexo new post "My first post title"

You will see the new post file in the output.

INFO  Created: /app/source/_posts/My-first-post-title.md

Let's add some content to our first page. Copy content below to the "My-first-post-title.md" file.

---
title: "My first post title"
date: 2021-03-16 06:19:49
tags:
---
# This is H1 header

This is content

Next, run Hexo server to preview your website and post. Enter the command below in your terminal to run a server locally.

hexo server

It will generate your website and serve generated files locally. So you can check how your website will look. If no errors, you will see this output:

INFO  Hexo is running at http://localhost:4000 . Press Ctrl+C to stop.

Open provided ULR in a browser and check your website.

That's it. Our simple website is ready to deploy.

For more information see Hexo documentation. Otherwise, use the help command instead of documentation. Just run hexo help in the terminal to see all available commands.

Let's continue with the deployment process to GitLab Pages.

What is GitLab Pages

GitLab Pages is a simple hosting for static sites. You can host your website for free here. The main difference with a traditional hosting is that you publish a website directly from the repository.

We will use GitLab Pages here as a free web hosting in the tutorial and set up it with a custom domain and HTTPS.

Here is the main alternative if you want to have a look: GitHub Pages.

Create a new GitLab repository

At first, create a new repository on the GitLab website. Then run the command below in the project folder to initialize Git repository locally.

git init

Add your created remote GitLab repository to your local repository with this command:

git remote add origin <your_repository_link>

You can get your repository link from the GitLab new repository. After you created the repository, scroll down a little, and you will see the commands listed under the "Push an existing folder" section.

Just copy commands from there. Here is my test repository commands screenshot as an example:

Let's proceed with a deployment configuration.

Add GitLab Deployment Configuration to the Project

The next step is to prepare a deployment configuration.

Hexo is a static website generator. It doesn't store generated HTML files in the Git repository. That's why we need to re-generate files on every website update.

Static files will be generated automatically at the GitLab side, every time you send updates to the remote repository with GitLab Continuous Delivery (CD) tool.

Add the new file .gitlab-ci.yml to the root of your project with the content below.

image: node:14
cache:
  paths:
    - node_modules/

before_script:
  - npm install hexo-cli -g
  - npm install

pages:
  script:
    - hexo generate
  artifacts:
    paths:
      - public
  only:
    - master

If you want to understand what this config does, here is a simple explanation:

image - here we specify Docker image. node:14 is the official Node JS Docker image with NodeJS version 14
cache:path: - contains a folder to cache between jobs
before_script - contains scripts we want to run before any job
pages - contains job configuration
pages:script - script to run in the job. We will generate static pages with Hexo here
artifacts:paths - this folder with a generated website will be hosted at GitLab Pages and will be available in GitLab UI after the job finishes
only - conditions to run jobs, i.e. run this job only on the master branch

Reference:
Actual Hexo config

Actual GitLab yaml reference

Commit your Project

Commit is saving your changes to the local repository. To save the state of your project, run the commands below.

git add --all
git commit -m "Commit message, describing your changes"

Now we are ready for the deployment. Next, we need to set up the GitLab project.

Create a Page on GitLab

Go to your GitLab repository and open Settings - Pages. Ensure that checkbox "Force HTTPS" is checked. Then press New Domain button and fill in your domain name.

Make your page available: go to Settings - General, click to Visibility, project features, permissions and change configuration for Pages to Everyone

Set up DNS records

The next step is to configure DNS records. Add TXT record in a domain DNS configuration to verify domain ownership. Then add A record with IP 35.185.44.232 to map your domain to GitLab Pages.

Check the actual GitLab Pages IP.

Here is how it looks for my domain in the CloudFlare Admin panel.

Enable GitLab Runners

Go to Settings -> CI / CD -> Shared Runners and click Expand in Runners. Enable Shared Runners if it is disabled.

A runner is an application that runs build and deployment jobs.

Upload your website to GitLab

Upload your local changes to the remote repository with the push command

git push -u origin master

After pushing GitLab CD automatically generate static files and update your website. You can see the running job in project Settings - Pipelines or Jobs.

It may take up to 30 minutes before the site is available after the first deployment. Then your website should be available by your domain.

Also, you can check it by GitLab URL. You can check URLs in the Settings - Pages.

Read my post How to monitor the website to know more.

Facebook login with Symfony

Konstantin Bogomolov — Tue, 12 Jan 2021 11:25:42 +0000

My goal was to add Continue with Facebook (Log In) button into the existing Symfony application. I do not provide here full code. Only the main parts to creating your Facebook login button. Here is what I did.

Overview

Workflow overview is:

User clicks the Facebook login button
Facebook authenticate user
App sends facebook token (auth data) to Symfony backend
Backend gets user data (name and email) using auth data and logs in with Symfony handlers.

So Facebook is only necessary for the only first part - checking the person who wants to log in.

I use Guard to auth user in the backend.

Facebook libraries

Create new app here.

You need Facebook Javascript SDK for the frontend and PHP library for the backend.
Install PHP Facebook library:

composer require facebook/graph-sdk

Include Facebook Javascript SDK to your template. It should look like that:

<script async defer crossorigin="anonymous"
        src="https://connect.facebook.net/en_US/sdk.js#xfbml=1&version=v7.0&appId=<your app id here>">
</script>

The simplest way is to generate this snippet from Facebook developers page in Facebook Login - Quickstart section.

Frontend

Next, you need to add a button and handle login result. Button example:

<div class="fb-login-button"
     data-size="large"
     data-button-type="continue_with"
     data-layout="default"
     data-auto-logout-link="false"
     data-use-continue-as="false"
     data-scope="public_profile,email"
     onlogin="fbGetLoginStatus();"
     data-width=""></div>

Here is a button configurator.

I created a Javascript module with that code:

window.fbGetLoginStatus = function () {
    FB.getLoginStatus(function (response) {
        if (isConnected(response)) {
            fbLogIn(response);
        }
    });
}
function isConnected(response) {
    return response.status === 'connected';
}

function fbLogIn(response) {
    let loginForm = document.querySelector('.login-form');
    let input = getHiddenInput("fbAuthResponse", JSON.stringify(response.authResponse));    
    loginForm.appendChild(input);
    loginForm.submit();
}

function getHiddenInput(name, value) {
    let input = document.createElement("input");
    input.setAttribute("type", "hidden");
    input.setAttribute("name", name);
    input.setAttribute("value", value);
}

When a user clicks to *Continue with Facebook button and successfully logged in, then I submit a login (or registration) form and send data to backend via POST request.

Backend - Symfony Guard

I had already one Guard for usual login-password authentication. So I add the second one. Here is my security.yaml config for Guard:

security:
    firewalls:
        main:
            guard:
                authenticators:
                    - App\Security\LoginFormAuthenticator
                    - App\Security\FacebookAuthenticator
                entry_point: App\Security\LoginFormAuthenticator

Now you need to create Guard file, which extends AbstractFormLoginAuthenticator:

class FacebookAuthenticator extends AbstractFormLoginAuthenticator {}

The main methods of the FacebookAuthenticator will be:

supports - it checks if you should use that Guard. I used the same logic for the login and register page. So it looks like that:

public function supports(Request $request)
{
    $route = $request->attributes->get('_route');
    $isLoginOrRegister = in_array($route, ['app_login', 'app_register']);
    return $isLoginOrRegister 
        && $request->isMethod('POST') 
        && $request->get('fbAuthResponse');
}

getCredentials - gets Facebook auth response and decode it to an array:

public function getCredentials(Request $request)
{
    return json_decode($request->get('fbAuthResponse'), true);
}

onAuthenticationSuccess - I redirect the user to the landing page:

public function onAuthenticationSuccess(
    Request $request, 
    TokenInterface $token, 
    $providerKey
)
{
    return new RedirectResponse(
        $this->urlGenerator->generate('app_landing')
    );
}

In order to use a url generator, add it to constructor (see below).

getUser - the main part, where you gets email and name from Facebook Graph API and return User entity:

public function getUser($credentials, UserProviderInterface $userProvider)
{
    if (empty($credentials['accessToken'])) {
        throw new CustomUserMessageAuthenticationException('Your message here');
    }

    $fbUser = $this->fbService->getUser($credentials['accessToken']);

    if (empty($fbUser->getEmail())) {
        throw new CustomUserMessageAuthenticationException('Your message here');
    }

    return $userProvider->loadUserByUsername($fbUser->getEmail());
}

I use email and name for registration when the user does not exist. Here is only the login part, without registration for simplicity.

Here is the way you can autowire services in Guard constructor:

public function __construct(
    FacebookService $fbService, 
    UrlGeneratorInterface $urlGenerator
)
{
    $this->fbService = $fbService;
    $this->urlGenerator = $urlGenerator;
}

My fbService looks like this:

<?php

namespace App\Service;

use App\Entity\FacebookUser;
use Facebook\Facebook;

class FacebookService
{
    private $client;

    public function __construct(
        string $fbAppId, 
        string $fbAppSecret, 
        string $fbGraphVersion
    )
    {
        $this->client = new Facebook([
            'app_id' => $fbAppId,
            'app_secret' => $fbAppSecret,
            'default_graph_version' => $fbGraphVersion,
        ]);

    }

    public function getUser(string $token): FacebookUser
    {
        $user = new FacebookUser();

        try {
            $fbUser = $this->client->get("/me?fields=name,email", $token);
            $data = $fbUser->getDecodedBody();
            $user
                ->setName($data['name'])
                ->setEmail($data['email']);
        } catch (\Throwable $exception) {
            // handle exception here
        }

        return $user;
    }
}

In order to autowire FacebookService constructor arguments, add variables to .env file (according to your environment) and add parameters to services.yaml config:

services:
    App\Service\FacebookService:
        arguments:
            $fbAppId: '%env(FB_APP_ID)%'
            $fbAppSecret: '%env(FB_APP_SECRET)%'
            $fbGraphVersion: '%env(FB_GRAPH_VERSION)%'

Here is a FacebookUser entity. You can use an array instead of an entity, but OOP is more convenient for me.

<?php

namespace App\Entity;

class FacebookUser
{
    private $name;
    private $email;

    public function getName(): ?string
    {
        return $this->name;
    }

    public function setName($name): self
    {
        $this->name = $name;
        return $this;
    }

    public function getEmail(): ?string
    {
        return $this->email;
    }

    public function setEmail(string $email): self
    {
        $this->email = $email;
        return $this;
    }
}

That's it.

Actually, there are some more methods in Guard, but it shouldn't be complex to create them.

Setup your own email server with Postfix on Ubuntu

Konstantin Bogomolov — Wed, 06 Jan 2021 05:08:37 +0000

I was needed to send emails for my new project. I have explored SaaS services first. Free packages provided by them have a small amount of sending emails. So as long as I am a programmer, I decided to host my own sending email server.

After some research, I decided to stay with Postfix send-only configuration. Continue to read how to install and configure SMTP server to send emails and not send them to a spam folder.

Prerequisites

I used a single-core VPS with Ubuntu 18.04 for just 2.5 USD per month. My main app uses a table in DB as an email queue, so I have two NodeJS apps: one to handle the queue and second to get delivery status and update it in the main app DB. Tell me if you want to see it. Here is only the Postfix part.

I also have a domain. Let it be example.com here. Since it will be used for a website, I am using a subdomain email.example.com for the email server.

Postfix installation

Install Postfix using commands below:

sudo apt-get update
sudo apt install mailutils

During installation, select Internet Site option for type of mail configuration. As a System mail name enter your domain, e.g. example.com.

You can see domain later with this command:

cat /etc/mailname

Server configuration

Open the main config file with an editor:

sudo nano /etc/postfix/main.cf

Find inet_interfaces parameter and change it to loopback-only. With that parameter, Postfix will not listen for any connection from outside of VPS.

inet_interfaces = loopback-only

Other parameters and values to change for now:

mydestination = $myhostname, localhost.$mydomain, localhost

Set your mail domain as a server hostname:

sudo hostnamectl set-hostname email.example.com

Check the hostname with the command:

hostname --f

Edit /etc/hosts file and add that subdomain with your remote IP:

1.2.3.4    email.example.com email

Command to restart Postfix after configuration change:

sudo systemctl restart postfix

Command to check current configuration:

postconf -d

Create DKIM signature

Install DKIM tools:

sudo apt-get install opendkim opendkim-tools

Add the user to the group:

sudo gpasswd -a postfix opendkim

Open configuration file /etc/opendkim.conf:

sudo nano /etc/opendkim.conf

Then add or update parameters below in the configuration file:

Socket              inet:8892@localhost
Canonicalization    simple
Mode                sv
SubDomains          no
AutoRestart         yes
AutoRestartRate     10/1M
Background          yes
DNSTimeout          5
SignatureAlgorithm  rsa-sha256
UserID              opendkim
KeyTable            refile:/etc/opendkim/key.table
SigningTable        refile:/etc/opendkim/signing.table
ExternalIgnoreList  /etc/opendkim/trusted.hosts
InternalHosts       /etc/opendkim/trusted.hosts

Create a folder for DKIM keys:

sudo mkdir -p /etc/opendkim/keys

Change folder permissions:

sudo chown -R opendkim:opendkim /etc/opendkim
sudo chmod go-rw /etc/opendkim/keys

Create opendkim signing table:

sudo nano /etc/opendkim/signing.table

With content inside:

*@example.com    default._domainkey.example.com

Then create key table:

sudo nano /etc/opendkim/key.table

With content inside:

default._domainkey.example.com     example.com:default:/etc/opendkim/keys/example.com/default.private

Add trusted hosts:

sudo nano /etc/opendkim/trusted.hosts

With content inside:

127.0.0.1
localhost
*.example.com

Create keys folder:

sudo mkdir /etc/opendkim/keys/example.com

Then generate keys:

sudo opendkim-genkey -b 2048 -d example.com -D /etc/opendkim/keys/example.com -s default -v

Change the private key file owner:

sudo chown opendkim:opendkim /etc/opendkim/keys/example.com/default.private

Then restart opendkim service:

sudo service opendkim restart

Check the key:

sudo opendkim-testkey -d example.com -s default -vvv

Now add or update parameters in the Postfix configuration file (/etc/postfix/main.cf):

milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8892
non_smtpd_milters = inet:localhost:8892

Then restart Postfix:

sudo systemctl restart postfix

DNS configuration

You need to configure some DNS records. With that configuration, email services will not treat your emails as spam.

Add A record for the email.example.com:

Type: A
Name: email.example.com
Value: 1.2.3.4

Add SPF record:

Type: TXT
Name: example.com
Value: v=spf1 mx ~all

Add DMARC record:

Type: TXT
Name: _dmarc
Value: v=DMARC1; p=none

Add DKIM record. Use previously generated DKIM signature (/etc/opendkim/keys/example.com/default.txt):

Type: TXT
Name: default._domainkey
Value: v=DKIM1; h=sha256; k=rsa; p=you-key-here-without-spaces

Set PTR record (rDNS). You need to set it in your hosting provider's control panel.

Set email.example.com as a hostname and 4.3.2.1.in-addr.arpa as IP address. IP should be in reversed order.

Check if it set correctly with the command below:

host 1.2.3.4

Email encryption

Install Certbot:

sudo apt install certbot

Then generate keys:

sudo certbot certonly --standalone -d email.example.com

Configure Postfix to use that keys. Add or edit parameters below in /etc/postfix/main.cf:

smtpd_tls_cert_file = /etc/letsencrypt/live/email.example.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/email.example.com/privkey.pem
smtpd_tls_security_level=may
smtp_tls_CApath=/etc/letsencrypt/live/email.example.com
smtp_tls_security_level=may

Then restart Postfix:

sudo service postfix restart

Test

Send a test email with command:

echo "This is the body of the email" | mail -r test@example.com -s "This is the subject" your_email@gmail.com

Check spam score with online services, e.g.: https://www.mail-tester.com/ (not an ad).

Send message to Telegram on any SSH login

Konstantin Bogomolov — Tue, 05 Jan 2021 05:08:21 +0000

In this article, you will walk through creation a simple shell script to send messages to Telegram messenger. Then you will use this script to send a notification on every ssh login into your server.

Create telegram bot

To send a message to Telegram group or channel, you should first create your own bot. Just open Telegram, find @botfather and type /start. Then follow instructions to create bot and get token to access the HTTP API.

Create Channel

Create a new Channel in Telegram and add your bot as a member. So your bot could send messages to the Channel.

In order to get Channel Id, first, post any message to the Channel. Then use this link template to get Channel Id:

https://api.telegram.org/bot<YourBOTToken>/getUpdates

Here is a response example:

{
  "ok":true,
  "result": [
    {
      "update_id":123,
      "channel_post": {
        "message_id":48,
        "chat": {
          "id":-123123123, // this is your channel id
          "title":"Notifications",
          "type":"channel"
        },
        "date":1574485277,
        "text":"test"
      }
    }
  ]
}

Script to send message

In order to send a message we could use simple command:

curl 'https://api.telegram.org/bot<YourBOTToken>/sendMessage?chat_id=<channel_id>&text=<text>'

But in programming, it is good practice to hide the low-level implementation. So we will create a linux terminal command telegram-send and could send messages with this simple command.

Lets create file telegram-send.sh

touch telegram-send.sh

Then add script to this file. Set your group id and token in script.

#!/bin/bash

GROUP_ID=<group_id>
BOT_TOKEN=<bot_token>

# this 3 checks (if) are not necessary but should be convenient
if [ "$1" == "-h" ]; then
  echo "Usage: `basename $0` \"text message\""
  exit 0
fi

if [ -z "$1" ]
  then
    echo "Add message text as second arguments"
    exit 0
fi

if [ "$#" -ne 1 ]; then
    echo "You can pass only one argument. For string with spaces put it on quotes"
    exit 0
fi

curl -s --data "text=$1" --data "chat_id=$GROUP_ID" 'https://api.telegram.org/bot'$BOT_TOKEN'/sendMessage' > /dev/null

It is not a good practice to store your token in that place, but for now, it is ok. Also, you could limit actions your bot could do in the Channel only to send messages.

To run this script we should add permission

chmod +x telegram-send.sh

Now you can test it

./telegram-send.sh "Test message"

In order to use this script from everywhere and type telegram-send instead ./telegram-send.sh add it to /usr/bin/ folder

sudo mv telegram-send.sh /usr/bin/telegram-send

Owner of all files in /usr/bin is root user. So let's do the same with our script:

sudo chown root:root /usr/bin/telegram-send

Now you can test it

telegram-send "Test message"

Send notification on SSH login

All files with .sh extension in /etc/profile.d/ folder will be executed whenever a bash login shell is entered or the desktop session loads.

Let's add a new script to send the notification.

touch login-notify.sh

Add this code to script

#!/bin/bash

# prepare any message you want
login_ip="$(echo $SSH_CONNECTION | cut -d " " -f 1)"
login_date="$(date +"%e %b %Y, %a %r")"
login_name="$(whoami)"

# For new line I use $'\n' here
message="New login to server"$'\n'"$login_name"$'\n'"$login_ip"$'\n'"$login_date"

#send it to telegram
telegram-send "$message"

Then move this script to /etc/profile.d/ folder

sudo mv login-notify.sh /etc/profile.d/login-notify.sh

Now re-login to your web server and check it works.