— pissing into the wind

Recently noticed time skew across my workstations and servers at home and put together a Stratum-1 NTP server for the local network using the Adafruit Ultimate GPS hat and an RPi 4. I’ll post the write up later. In the meantime, here are the commands I’m using to point all the rest of my RPis at the NTP servers for the local network:

sudo timedatectl set-timezone America/Chicago
sudo timedatectl set-ntp true
sudo bash -c 'echo "NTP=tick.guammie.localtock.guammie.local" >> /etc/systemd/timesyncd.conf'
sudo systemctl restart systemd-timesyncd

You can check and validate with these commands:

timedatectl timesync-status
timedatectl show-timesync
systemctl status systemd-timesyncd

Read More

Migrated to a new web host today and everything went pretty smooth. Used the Duplicator plugin to move the blog over. I ended up having to get the pro version because I set this up as multisite a long time ago when there were multiple users. It was only $79, worked flawlessly, and saved me a lot of time and headache, so money well spent to me.

Read More

Let me start by saying this:  I hate VCSA 6.5.  I hate the fact that I have to use Flash (which EVERYONE is dropping support for) to manage my enterprise environment.  Flash and Java… good riddance.  I didn’t even realize I didn’t have Flash installed until I had to manage this stupid thing and needed the plugin for IE11.

I recently upgraded(?) my Windows vCenter 6.0 installation to VCSA 6.5.  I couldn’t get the migration to work and this is just at home, so I did a clean install, recreated my 6.0 environment, and reattached my hosts to the new vCenter.  One of the things that I’ve been struggling with since then is not being able to deploy new OVAs or upload files to my datastores (short of just using scp).  Scouring the internet, I came across a couple of VMware KB articles that solved my issues:

This one talks about the issue and this one solves it.  Basically you have to either setup a valid cert on the VCSA or trust the built-in one signed by the VCSA CA.  Now I can even use Edge (for now) to access vCenter.

Read More

Noticed IPv6 DHCP was broken on all my Windows 10 clients after I upgraded to the anniversary edition (1607).  Had to run a couple powershell commands to get them pulling addresses:


Set-NetIPInterface ethernet -AddressFamily ipv6 -RouterDiscovery Enabled
Set-NetIPInterface ethernet -AddressFamily ipv6 -ManagedAddressConfiguration Enabled


Set-NetIPInterface wi-fi -AddressFamily ipv6 -RouterDiscovery Enabled
Set-NetIPInterface wi-fi -AddressFamily ipv6 -ManagedAddressConfiguration Enabled

That’s it!

Read More

I’ve been a longtime fan of Windows Live Writer for many years.  Alas, it has been unsupported for many moons and I haven’t been able to get it working with SSL.  The good news is that Microsoft decided to release WLW to the open source community.  The even better news is that someone has forked the code and taken up the mantle.  If you’re an existing Windows Live Writer, I suggest you give Open Live Writer a try.  The setup and user interface will be familiar and things seem to work overall.

Read More

So I had an issue at work that went like this:  We recently put in new managed switches at our remote sites.  One of them failed and was replaced by our 3rd party subcontractor.  They just do a hardware replacement and my team does the configuration.  By default, the switches are configured to use with no gateway info set.  There is only a web UI enabled by default as well.  I have to somehow open a browser and get access to that web console so I can configure the new switch.  I have an 1841 or 1921 router at the other end to configure to make this work.  NAT voodoo time.

The scenario:


The fix:

conf t

int f0/0
ip add
ip nat inside

int s0/0/0
ip nat inside

int l1
ip address
no shut


router bgp 65000
network mask


ip nat outside source static
ip nat inside source static
ip route f0/0 1


Now I can open a browser to and it works.  When doing any commands reaching back to my computer (tftp), I used as the server (tftp:// and that worked.

That’s it.

Read More

did some cleanup on the backend.  making sure everything still works.

Read More

I posted this on the freenas forums..

Here’s a short write-up on how I got SSL going with LDAPS against AD for authentication. I used the plugin and am working out of / in the jail.
keytool is located at /usr/pbi/subsonic-amd64/bin
1) Create a cnf file to be used for generating the csr.

[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = v3_req
x509_extensions = v3_req
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Texas
localityName = Locality Name (eg, city)
localityName_default = San Antonio
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Company
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Department
commonName = Common Name (hostname)
commonName_default = subsonic
commonName_max = 64
emailAddress = Email Address
emailAddress_default = email@domain.com
emailAddress_max = 64
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
DNS.1 = subsonic
DNS.2 = subsonic.domain.com
IP.1 =

2) Generate the csr and private key

openssl req -new -sha256 -out subsonic.csr -config subsonic.cnf -newkey rsa:2048 -nodes -keyout subsonic.key

3) Submit the CSR to your CA. I used a Windows CA and received the subsonic.cer certificate.
4) Generate a PKCS12 file to be used for the Web SSL Java Keystore. I could not get this working using the sytem keystore, so this one is just for https.

openssl pkcs12 -export -out subsonic.pfx -inkey subsonic.key -in subsonic.cer -certfile CA-Certificate.cer

5) Create the Java Keystore to be used for SSL access.

./keytool -importkeystore -srckeystore subsonic.pfx -destkeystore subsonic.keystore -srcstoretype PKCS12 -srcalias 1 -destalias subsonic.domain.com

6) Add your CA certificate to the system Java Keystore as well. This will be used for LDAPS authentication. The default password is ‘changeit’ You should probably change that as well.

./keytool -import -trustcacerts -alias CA-domain.com -file /CA-Certificate.cer -keystore /usr/pbi/subsonic-amd64/openjdk7/jre/lib/security/cacerts

7) Enable LDAP Authentcation under Settings\Advanced

LDAP URL: ldaps://server.domain.com:636/dc=domain,dc=com
LDAP search filter: (&(sAMAccountName={0})(&(objectCategory=user)(memberof=cn=subsonic,ou=groups,dc=domain,dc=com)))
LDAP Manager: DOMAIN\user (non privileged!)

8) The default user cache is too high. Edit it in /var/db/subsonic/jetty/4427/webapp/WEB-INF/classes/ehcache.xml

<cache name="userCache"

Read More

This is a copy/paste from https://forums.he.net/index.php?topic=3194.0.  I’m keeping it here in case that post ever disappears and I need a reference.

This isn’t something people do often, so I figured I would add a post about it (mostly so I can Google it myself in a few years…)
To configure Dynamic DNS (DDNS) updates on your NetScreen/SSG device (may vary slightly between revisions/models):
NOTE: You might also require PING/ICMP Echo Request to be enabled on WAN interface…
By default, DDNS uses HTTPS to connect to update server. You must add the CA certificate that signed the server’s certificate.  For tunnelbroker, connect tohttps://ipv4.tunnelbroker.net/nic/update – you don’t need to login so click cancel if prompted. To display the certificate click (or double-click) on the "padlock" next to "https" in the address bar.
– in Chrome, click "Connection" then "Certificate details"
– in IE, click the padlock then "View certificates" – (IE seems to have issues saving certificates to a file…)
Select the "Certification Path" tab
Double-click the entry immediately above(currently "Starfield Secure Certificate Authority – G2") the default/bottom one (e.g. tunnelbroker.net)
Select "Details" tab
Select "Copy to file"
Next / Base-64 / Browse – pick somewhere you can find it and a name you can remember, e.g. "starfield-2.cer"
Now, go to Web-UI on NS/SSG
Navigate to Objects – Certificates
Select "File: Choose File"
Find the cert you saved previously, OK
Select "Load"
Adding Certificates via CLI:
Not recommended as it requires storing the cert file on a tftp server, but read about it here: http://kb.juniper.net/InfoCenter/index?page=content&id=KB4777
The NS/SSG can now validate the certificate when it connects to update server!
Next, gather your tunnel information.
From https://tunnelbroker.net/ find your tunnel entry
e.g. username-1.tunnel.tserv3.xxx1.ipv6.he.net
copy this hostname somewhere you can find it
Click on the tunnel entry
Click on the Advanced tab
Copy your Update Key somewhere you can find it
Now, the actual DDNS part….
Option #1: Web-UI
In NS/SSG Web-UI, navigate to Network / DNS / DDNS
Take note of any existing entries as you will be prompted for an ID number that is not currently in use…
Select "New"
Enter an unused ID number (1 is fine if you have no existing entries)
Set server type to "dyndns"
Set server name to "ipv4.tunnelbroker.net"
Defaults for update intervals should be fine
Leave "Clear text" unchecked – that is why we added the cert!
Enter your account name in "Username"
Enter your "Update Key" in Password
Leave Agent blank – it will auto-populate with your OS version, unless you want to put something else here
Bind to Interface – Select your WAN/untrust interface your tunnel is on
For "Hostname", enter your tunnel name – e.g. username-1.tunnel.tserv3.xxx1.ipv6.he.net
For Service, leave default of "dyndns"
Select OK!
Option #2: CLI:
get dns ddns  – take note of any existing entries as they must each have a unique ID number
set dns ddns id X server "ipv4.tunnelbroker.net"server-type dyndns
set dns ddns id X username USERNAME password UPDATEKEY
set dns ddns id X src-interface ethernet0/0 host-name username-1.tunnel.tserv3.xxx1.ipv6.he.net
set dns ddns enable
To view status:
-> get dns ddns
status: enable  usage: 1/8
id type   state server          username   interface  nextupdate   lastresp
1 dyndns     1 ipv4.tunnelbrok username   eth0/0     6d;23:24:00  nochg
To view detailed status:
-> get dns ddns id X
Id:                     1
State:                  Init
Socket:                 -1
Type:                   dyndns
Server:                 ipv4.tunnelbroker.net
Clear-text:             no
Refresh-int:            7 days 0 hours 0 minutes 0 seconds
Min-update-int:         1 hours 0 minutes 0 seconds
Next-update:            6 days 23 hours 24 minutes 0 seconds
Username:               username
Password:               **********
Agent:                  Netscreen-6.X-00000
Src-interface:          ethernet0/0
Host-name:              username-1.tunnel.tserv3.xxx1.ipv6.he.net (dyndns)
Last-response:          nochg
Last-Updated:           before 36 minutes 8 seconds
Successful updates:     3
Failed updates:         0
Server lookup failures: 5
Socket creation errors: 0
Socket connect errors:  3
Socket send errors:     0
Update retries:         0
To debug / troubleshoot:
From CLI:
Cancel debugging / clear buffer:
-> undebug all   (or press <ESC>)
-> clear dbuf
Enable DDNS debugs:
-> debug dns ddns
View dbuf:
-> get dbuf stream
Errors that show DNS is working:
ddns: server ipv4.tunnelbroker.net resolved to
Errors that show SSL issue:
DDNS: connect error
socket creation failed
Successful update:
ddns: server ipv4.tunnelbroker.net resolved to
GET /nic/update?system=dyndns&hostname=username-1.tunnel.tserv3.xxx1.ipv6.he.net&myip=XXX.XXX.XXX.XXX&wildcard=OFF&mx=mail.exchanger.ext&backmx=NO&offline=NO HTTP/1.0
Accept: text/html;*.*;
Host: ipv4.tunnelbroker.net
ddns: succesfully updated DYNDNS server
The "nochg" means the updated IP matches the existing one, so "no change".
Don’t forget to cancel debugging with "undebug all" or pressing "<ESC>"

Read More

The antivirus server at work was pissing me off and saturating our OC3.  I policed it down to 50mbps.

ip access-list extended traffic-police
permit ip host any

class-map traffic-police
match access-group name traffic-police

policy-map traffic-police
    class traffic-police
        police 50000000 conform-action transmit exceed-action drop

int po1/0
service-policy output traffic-police

Read More

ip wccp version 2
ip access-list standard WCCP_Proxies
10 permit host
20 permit host

ip access-list extended WCCP_Redirect
10 deny ip host any
20 deny ip host any
30 permit ip any

ip wccp 0 group-list WCCP_Proxies redirect-list WCCP_Redirect

int vlan 10
ip wccp 0 redirect in

Read More

After I installed Exchange 2013 and tried to access either OWA or ECP on it, I kept getting Error 500.  Looking at the httpproxy logs, I saw this: The unhandled exception was: System.Security.Cryptography.CryptographicException: Invalid provider type specified.

Turns out Exchange doesn’t like the key provider, Microsoft Software Key Storage Provider, so you have to reissue a cert using Microsoft RSA SChannel Cryptographic Provider as the provider.

I did this by going through the web cert enrollment and using the Web Server template.  Then I assigned the new certificate to the SSL sites in IIS.

The solution is over here.

Read More