IRC SSL Client Certs

ChatZilla supports using SSL connections and auto-identifying with SSL Client Certificates on the OFTC and freenode IRC networks using CAcert WoT User and StartSSL free email verified certificates. You may have trouble using StartSSL verified user certificates. Tested using ChatZilla in Firefox 35.0.1.


How do I handle fstab mounts under run in Debian Wheezy?

A release goal for Debian 7.0 ("wheezy") was to introduce a new top level directory, /run, and relocate system state information that does not need to persist through a reboot but that may need to be written early or otherwise when the root filesystem is read only. Other distributions are also introducing /run and a proposal has been submitted to include it in the Filesystem Hiearchy Standard (FHS).

This is all fine and well, but it has tripped up automated mounting of /etc/fstab entries under /run (formerly /var/run).

The proposed update to debian-policy says this:
Files and directories residing in '/run' should be stored on a temporary filesystem and not be persistent across a reboot, and hence the presence of files or directories in any of these directories is not guaranteed and 'init.d' scripts must handle this correctly. This will typically amount to creating any required subdirectories dynamically when the 'init.d' script is run, rather than including them in the package and relying on 'dpkg' to create them.
Can I then conclude that /etc/init.d/mountall.sh is not handling /etc/fstab correctly with regard to mounts under /run or that there should be another init.d script to handle the /etc/fstab mounts under /run correctly or did the writers expect that fstab mounts under /run are invalid and all actions under it should be done programmatically by the individual services and generally be fixed-up by their init.d scripts?


Exploring StartSSL - Automated Registration Email

Reading about the decision to no longer include CACert.org in the Debian ca-certificates package (Debian bug 718434, LWN: Debian and CAcert) I was introduced to StartCom's free certificate offering. As I investigated their site I was both intrigued by the free offering and the Web-of-Trust program idea, and put off by the lack of clear or sometimes conflicting information.

For the impatient, the TL;DR version is this:

  1. Sign up first for a free (class 1) certificate by clicking Sign-up For Free in the top left of the site. Everything else is confusing.
  2. Use an email address that doesn't do grey listing, spam filtering, or anything, and that you have access to the logs on (is this service only for "techies"?)
    1. If you do have grey listing or spam filtering that blocks the web page test so they give you big red text telling you you're all wrong, disable it or at least allow from the names and IP addresses in their SPF record. (yes, I guess this service is only for "techies.")
  3. If the form submits without telling you your mail server is wrong but you don't get an email pretty quick, log out (top right corner icon) and try registering again.

If you'd like to learn more of the details or share my pain, read on:

All paths seemed to lead to getting a certificate so I settled on starting with the StartSSL Free (Class 1) certificate since I wasn't sure exactly what the requirements were to get the StartSSL Verified (Class 2) one. After deciding that "Sign Up" and "Express Lane" are the same thing, and seeing that I must fill out the form as an individual, I entered my personal (gmail) address.

This took me to a page asking for me to check my email right away and copy/paste in the code they sent me. Now Gmail is usually very fast about showing new emails, but nothing was there. Not in Important and unread. Not in Everything else, and not even in the Spam folder. Not several minutes later. The page was very insistent that I do not leave or reload it so in a new tab I started searching for answers.

The first answer I came across can be summarized thus "it must be your problem" with no additional suggestions. I have come to identify this as a common communication style from StartCom:
Important! Experience has shown that the failure of email messages not arriving are always the fault of the receiving end. If the wizard confirms to having sent the message, i.e. no error occurred, than the message has been delivered and accepted by your mail server!
 Surely they've had Gmail users do this process before. So strange that it wouldn't work. After all, I wasn't using one of their blacklisted email providers listed on their enrollment page. I decided to try again from a different browser using my work email address, the one that I manage and have access to the server logs on. This is what I learned.

When you click Continue on the enrollment page your server will get hit from one site. In my case it was []. If you have gray listing in place (the work server does) and it sends back an error like 450, the web page immediately tells you it couldn't deliver the email. It does mention that the problem could be grey listing among other things, and basically says it's your fault. So you try to open up your grey listing to allow startcom.org through, but that doesn't seem to be enough because for some reason the client name comes through as unknown. (Edit: I had recently upgraded our mail server and I believe the "unknown" issue was a local configuration issue.)

So you add their IP address and then the web page thinks that all is well and sends you to the "wait for it" code confirmation page, but still no email. Why? Probably because the web page just does a test connection. Right after it sends you to the next page another server, [] in my case, connects (also with client_name=unknown) and gets Greylisted. So I sit here waiting, hoping for a retry, feeling stuck with no help. Back to searching in a new tab.

The second answer I came across also says "it must be your problem" :(
The program always sends the verification code! Do not blame us, if it does not arrive....we do not have control over your mail server and mail account!
 Third time's the charm? Good thing I have three browsers installed. So I checked the SPF (TXT) record for startcom.org and added all of the names and IP addresses listed into my server's client whitelist for greylisting and tried again from the third browser using the work email address. Success! The email made it to my inbox.

I didn't really want to do the certificate in the third-choice browser, so I went to the second browser and pasted the code there. It failed to verify but the failure message told me something I would have loved to have known long before. I didn't copy the exact message, sorry, but basically it said "if it fails, log out and try to sign in again". A "resend this request" button would have been better, but at least now I know that I don't have to stand like a deer in the headlights on the "wait for it" page when things fail.

Now I just have to wait 6 hours for the account to be reviewed, probably because I tried so many times.

Good luck. I may end up dabbling with CACert, Comodo, or retreating to my own self-signed certificates again.


FamilySearch Indexing on Ubuntu 13.10 x86_64 via Oracle JRE 7

The hard disk drive on my old used Toshiba Techra A9 suddenly died a death of a thousand bad blocks, so I replaced it with a SSD (snappy!) and re-installed Ubuntu. They seemed to be pushing 64 bit unlike a couple of years ago, so I went with that since it was supported, not because I have oodles of bios hidden RAM.

The next thing to do was install some of the programs I use the most. NetBeans and Eclipse are right up there, so first stop was Java. I like the idea behind OpenJDK and recognize the push to use it, but I've been bitten many times in the past by performance and display, and outright broken issues (looking at you web start) that I go straight to the Oracle JDK. Sorry guys. I used the webupd8.org ppa to install it. Good stuff. One less thing to manage in /opt. Next came NetBeans, Eclipse, and the Arduino IDE, all Java based.

Since I was on a roll with Java based programs, I thought I'd stick FamilySearch Indexing back on. The Eclipse "unzip it where you want it" and the Netbeans and Arduino installers had gone well enough that I didn't expect any trouble, but that's what I got.
bin/unpack200: not found
After a few false starts, I found the best answer for this issue on the LDSTech forums where I was put onto the idea that it was a 32 bit compatibility issue on some 64 bit setups, and the work-around was to install the ia32-libs package. So I tried that:
Package ia32-libs is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source
However the following packages replace it:
  lib32z1 lib32ncurses5 lib32bz2-1.0

Reading around I found more confirmation on the ia32-libs package going away. This seemed like a roadblock, except that the error had to do with decompressing. Maybe ia32-libs only included those three packages, so I tried the first, lib32z1, and that error went away, but another appeared.

java.lang.NoClassDefFoundError: java.awt.Container
    at com.install4j.runtime.installer.frontend.headless.AbstractHeadlessScreenExecutor.init(Unknown Source)
    at com.install4j.runtime.installer.frontend.headless.ConsoleScreenExecutor.(Unknown Source)
    at com.install4j.runtime.installer.frontend.headless.InstallerConsoleScreenExecutor.(Unknown Source)
    at com.install4j.runtime.installer.Installer.getScreenExecutor(Unknown Source)
    at com.install4j.runtime.installer.Installer.runInProcess(Unknown Source)
    at com.install4j.runtime.installer.Installer.main(Unknown Source)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at com.exe4j.runtime.LauncherEngine.launch(Unknown Source)
    at com.install4j.runtime.launcher.Launcher.main(Unknown Source)
How could java.awt.Container not be defined. This now sounded like a Java Runtime Environment (JRE) issue, but I know mine is fine. I just installed and tested three IDEs. It wasn't until this point that I noticed it was an install4j based install, so I started including that in my searches.

The problem wasn't unique to FamilySearch Indexing. I found someone trying to troubleshoot it for Visual Paradigm for UML among other things. Their solutions were the now obsolete ia32-libs or making sure their installed JRE was good.

Then I came across a post by Matthew O. Smith talking about Indexing and obsolete ia32-libs. He installed a number of extra libraries, including some i386 ones, and then installed using the headless option to get things going and save on installing a few more libraries. I felt like I had gone far enough with lib32z1 so I decided to try a different route, to try and run the Indexing software with my Oracle Java 7 environment. To do that I first leveraged the headless install tip Matthew gave, and then I modified a copy of the install4j shell script indexing launcher it created in $HOME/.FamilySearchIndexing/indexing.familysearch.org/
./Indexing_unix.sh -J-Djava.awt.headless=true
$ diff indexing indexing-jre7 
> INSTALL4J_JAVA_HOME_OVERRIDE=/usr/lib/jvm/java-7-oracle
<     if [ "$ver_minor" -gt "6" ]; then
>     if [ "$ver_minor" -gt "7" ]; then
I copied the .desktop entry and tweaked it to point to my modified launcher instead and now I'm in business again.


Java RESTful Web Services, NetBeans Style

I’ve been interested in exploring Java RESTful Web Services to backend some AngularJS front-ends, with my current focus on JAX-RS implementations.

Blaise Doughan has been blogging a lot about EclipseLink, JAXB, and MOXy. I decided to follow the code example in his post MOXy is the New Default JSON-Binding Provider in GlassFish 4 using NetBeans 7.4 since the Java EE download bundles an install of GlassFish Server Open Source Edition 4.0.

Start by creating a new Java Web Application by choosing New Project from the File menu, going to the Java Web category and selecting Web Application. To keep things the same as his example, name it CustomerResource. Select the GlassFish Server 4.0, Java EE 7 Web, with the suggested context path of /CustomerResource. If you run this right away you should be served the index.html page saying “TODO write content”.

We will work backwards a bit in his blog post, building a little infrastructure before we use it. So first we will right-click Source Packages and add a new Java Class named PhoneNumber in the org.example.model package. Paste or type his code into this class. Do the same for the Customer class. NetBeans will suggest you use the diamond inference and make phoneNumbers final. The code works fine either way.

Still working up in the blog, we will create the CustomerApplication and CustomerService classes in the org.example.service namespace. At this point you should be able to click run and visit the local URL to get our “hello world” type xml response for Jane Doe:


Everything up to this point “just works” in the excellent NetBeans IDE and GlassFish Server, but I was interested in his JSON tweaks, having seen some of the shortcomings he mentions unless I map to a JSON object by hand. To do some testing I first commented out the APPLICATION_XML line from the @Produces list so that I could see (download) the output and move forward to Customizing the JSON-Binding with it’s use of MoxyJsonConfig. This is where I was stumped for a bit.

Pulling in the JAXBContextProperties wasn’t a big deal. The EclipseLink from GlassFish library seemed to have what I was after. Just right-click the Libraries folder in the project and Add Library then choose that library and click Add Library.

To get MoxyJsonConfig, download jersey-media-moxy-2.4.1.jar and stick it someplace handy. I use a folder named Libraries in my NetBeansProjects folder. Then right-click the Libraries folder in the CustomerResource project in NetBeans and click Create in the Add Library dialog. Name it something like Jersey Media Moxy and then in the library classpath Add Jar/Folder to add jersey-media-moxy-2.4.1.jar. Then add this library to your project.

At this point you should have output like Blaise has documented for New Response in his blog post. Enjoy.

If you can’t find jersey-media-moxy-2.4.1.jar or the API has switched around again and a later version is missing the dependency, then read on for my tale of woe and sorrow trying to locate it in the first place. Perhaps it will help.

I haven’t jumped on board with maven yet, so when I came across Blaise’s follow-up question to the StackOverflow question Cannot import EclipseLink MOXy while searching for MoxyJsonConfig where he implied the use of Maven, I was a little disappointed. I was equally disappointed in my next dozen searches all failing to find the jar containing MoxyJsonConfig. I could find API docs, people talking about using it, etc. findjar.com failed. Even mvnrepository.com searches failed. Finally after Google searches of varying portions of the class or package name, one for org.glassfish.jersey.moxy pointed me to jersey-media-moxy within MVN. Unfortunately it was pointing me to 2.0-m07 which has MoxyJsonConfiguration and not MoxyJsonConfig. I didn’t realize that right away and tried implementing using it. It doesn’t work. The current latest version, 2.4.1, has MoxyJsonConfig and does work. I have no idea when things changed or what version Blaise used.

I was glad to finally find the jar, but there has got to be some better way to find a class and know what version of things people are talking about. If there is, please share. If there isn’t, please keep this in mind when sharing code examples.


Scratch - programming in disguise

My memory of my introduction to programming is a little fuzzy, but a few notable exposures stand out. In no particular order they were ChipWits, TurboTurtle/Logo, World Builder and a BASIC based program that controlled a little submarine which it seems was tongue-in-cheek called GoSub. Each had it's own reason for sparking some interest in figuring out the logic of a program and each had it's quirks.

I think I spent the most time with ChipWits, an old version for the early Macintosh (Were we up to a "512"(K) or a Plus by this time? I am not sure.) It's simplistic IBOL interface for graphically coding the actions of the little computer on roller skates was easy to grasp, and the sounds and animations as it touched, tasted, ate and zapped (or got zapped) were entertaining.

The TurboTurtle intro was a brief after-class exercise while doing some kind of introduction to computers evening class. I mostly remember pen up, pen down, and seeing the computer screen draw patterns like you could make with a spiral sketch tool.

World Builder started out as a game to play (playing games created with it) but then I wanted to try and make my own story/game. Even though it inspired me to think a lot about the story and programming, I never got more than a basic grasp of the language as I tried learning from other code without a manual. Another hurdle for me was not being particularly artsy so the graphical aspect of the game was pretty lacking.

The "GoSub" program was fun. It seems like it was a program/IDE and a book to teach some programming. I was typing in some actual code that was calling all the drawing routines and it felt like quite an accomplishment when I could actually get the sub to dive and surface and fire a torpedo. The program would have one of those crushing sad mac error messages when the torpedo would hit the target. After a while of not figuring that out I gave up on it.

Looking back and summarizing my experiences, my spark of interest to learn how to program the computer wasn't started by looking at code and thinking "wow, 'declare i integer' looks really amazing. I want to type that all day." No, It was the desire to create something fun that I could then play with or show off to others. Programming was the necessary evil for my desired end.

I want to provide the opportunity for the same spark to code within my own children. Sure, they may not be interested in being programmers, but they will be interacting with computers a lot and it can be helpful to "know how the engine works". Besides, the problem solving and logic skills can be applied to many aspects of life.

At first I thought I could take something like GNU Robots and wrap it in a ChipWits like interface. That turned out to not be a quick task and lead me down the road of exploring other robot programming concepts, most frequently the "robot battle" and even LEGO Mindstorm NXT. It seemed a little too advanced to keep their interest for now, so I looked some more.

There is a lot of buzz about a couple of drag-and-drop programming systems, Scratch and Alice, for introducing programming concepts and empowering people to be creative with their computers.

After watching some videos about Scratch and even more impressively, downloading and playing community contributed programs I'm hoping that my more creatively minded kids will catch some of the vision of how they could use Scratch to express themselves through animated comics (even better than my old friend Comic Strip Factory,) music videos, drawing random patterns (TurboTurtle), and arcade (GoSub) or role playing style games l(World Builder).

The Scratch community gives a lot of opportunity for sharing your strengths to build onto a started project (remixing) or join a team and to show off your works. I think that is a very powerful aspect.

If they push the limits of the Scratch 2d world and are willing to get a little more technical to go 3d, they can step up to Alice and do "Word Builder in 3d". Who knows, maybe one of them will really get into it and be willing to work through How To Design Programs and/or Python Programming: An Introduction to Computer Science or some Python tutorials. Maybe after 10 years they will start to be a really good programmer.

The trick is to get them started and keep it fun and consistent and the best way to do that seems to be for me to do it with them.


Rethinking Nagios config layouts

I've been using Nagios 1.4 in Debian Etch for some time now. By default they set you up with a working layout like this:


The services.cfg file started out with a generic-service template where you set the standard options most generic-service services will be using, and then a list of services. A service definition must contain, among other things, the name of the host or host_group that the service runs on. So each time I setup a new host, I would enter it in the hosts.cfg, hostgroups.cfg, and add all of it's services in services.cfg. I was using hostgroup objects just for display and contact_groups and not taking advantage of them in service objects. Those two things combined made for a long services.cfg file. At least I was taking advantage of a couple of service object templates.

The nagios3 config layout shipped with Debian 5.0 (Lenny) opened my eyes to a new structure. It uses the cfg_dir directive to point to /etc/nagios3/conf.d and in there we have:


In the localhost_nagios2.cfg file they define a simple host that inherits from geric-host and a few extra services, rather than putting localhost entries into the services config file. Checking out services_nagios2.cfg I found a bunch of generic (eg check_http, check_ssh, check_ping) services using host_group names instead of hosts.

Wandering over to hostgroups_nagios2.cfg I found a bunch of very simple hostgroup object definitions. Some like http-servers listed localhost as one of their members. If we reverse that situaion though and drop the hostgroup.members declaration and instead set host.hostgroups to include http-servers, then if I need to make customizations to localhost or delete it alltogether, I do it all in/to localhost_nagios2.cfg. One file. I like this much better!

Nagios' object based configuration system is very flexible. I don't think any of this stuff is new to version 3. I've read the docs dozens of times but it took a fresh install with a new layout idea, some mistakes on my part and some help from Marc on nagios-users to get it sorted out in my head and on disk. Once I had that, the migration of other hosts to the nagios3 setup has been fast and minimal.