Installing Apache modules on Mac OS X Leopard


Installing mod_python on my mac laptop was surprisingly difficult. My first attempt at simply compiling it with {LD,C}FLAGS="-arch ppc -arch ppc64 -arch i386 -arch x86_64" failed in a bit of a strange way. It appeared to create a universal binary for the DSO, but apache failed to load it with the following error message: httpd: Syntax error on line 118 of /Volumes/Workplace/pflex/2.1.x/Build/build/ValidationWeb/apache/etc/httpd.conf: Syntax error on line 22 of /Volumes/Workplace/pflex/2.1.x/Build/build/ValidationWeb/apache/etc/platform/i386.Mac OS X/httpd.…

Helping openssl find your cert


For those situations where you end up with a directory of certificates – openssl will use a hash to look up the cert it needs in that directory. You can generate that hash using the following command: openssl x509 -hash -in <cert.pem> -noout openssl will then look for HASH.0 for the certificate and HASH.r0 for the CRL associated with that cert. For example, the following could be useful: # ln -s ca.…

racoon requires subjectAltName for x509 IKE


Having trouble getting your ipsec working with x509 certs? It would appear that racoon requires the subjectAltName extension to be set. It won’t use the CN. You have to set a subjectAltName field even if it contains nothing besides a copy of the CN. Heed this warning, or you’ll fall victim to the following: racoon: 2008-12-02 14:47:21: ERROR: racoon: 2008-12-02 14:47:21: ERROR: failed to get subjectAltName racoon: 2008-12-02 14:47:21: ERROR: no peer's CERT payload found.…

UnCommentToLineMatching doesn't work in cfengine-2.2.8


And – once again – cfengine has wasted part of my life. I’ve never had more trouble with software than I’ve had with cfengine. This time I had to delve into the source code to find the problem, and what I found highlights poor coding and even poorer testing. Stop me if you’ve heard this one already… For the life of me I can’t get the following editfiles snippet: { /etc/syslog-ng/syslog-ng.…

postfix nags about a domain in BOTH relay_domains and virtual_alias_domains, when it isn't


I’ve been struggling with the following warning in postfix for a while now: postfix/trivial-rewrite[xxxx]: warning: do not list domain subdomain.blarg.org in BOTH virtual_alias_domains and relay_domains The problem is, I’m not listing it in both. I swear. % postconf relay_domains relay_domains = $mydestination % postconf mydestination mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain % postconf virtual_alias_domains virtual_alias_domains = subdomain.blarg.org I finally tracked it down today to a relatively obscure (to me, anyway) feature in postfix that causes subdomains to be implicitly matched for certain configuration parameters.…

mtr versus pot (plain ole traceroute)


It drives me nutso when someone reinvents the wheel and then the reinvention becomes more popular than the actual wheel. Usually it happens with some kind of great slogan explaining why this wheel is better. “New WHEEL! Now with more ROUND!” or “Much like previous so-called WHEELs, but NEW WHEEL is available in 5 pastel colors!” With that in mind, I finally broke down and took a look at Matt’s Traceroute, mtr.…

pfSense's poorly documented ftp proxy


It turns out that when you (a) disable the “disable ftp-proxy” on the WAN interface and (b) create a NAT rule that uses port 21, the ftp proxy will be automatically (and silently) started in the background. If you then modify that NAT rule, the ftp proxy application will not be updated (presumably until a reboot), but if you delete and create the rule again the ftp proxy will be started anew with the updated information.…

Forcing CARP failover using pfSense


Anything that has a master/slave cluster should have some sort of mechanism for failing from the master to the slave, right? We’ll see… pfSense provides HA via OpenBSD’s (very excellent) CARP. Of course I could just increment the advskew on all of the interfaces to fail them over individually, but that doesn’t really work for me. That involves spending some amount of time in a partially failed-over state. Having quite a bit of experience with OpenBSD, I expected there to be a more elegant solution and I certainly wasn’t disappointed.…