letsencrypt and NearlyFreeSpeech

I’ve been running this site on nearlyfreespeech for some time now.

Last week I created a cert using the tools and service made available by letsencrypt.org, and then configured my NFS server to use it. It was pretty easy, but not documented. I’ll share here what I did to make it work.

I am able to SSH into the nearlyfreespeech server. I can also perform a git clone from that server to get the letsencrypt tools. But when I ran the letsencrypt-auto tool from the server, it didn’t do what I wanted it to do. This was my first time with the tool, and I’m unfamiliar with the options, so maybe it was just pilot error.

In any case, I solved it by running the tool on my Mac OSX machine and transferring the generated PEM files to the server.

  1. I ran git clone on my local workstation (Mac OSX)
  2. from there, I ran the letsencrypt tool with these options:
    ./letsencrypt-auto certonly  --manual  \
       -d www.dinochiesa.net -d dinochiesa.net \
       --email dpchiesa@hotmail.com
  3. follow the instructions. I needed to create endpoints on my NFS server that responded with specific values.
  4. when that completed, I had the cert and keys in PEM format. I then copied them to /home/protected/ssl on the NFS server
  5. opened a service ticket on NFS, as per this FAQ
  6. a couple hours later, the NFS people had completed the SSL config for me

Maybe this will help someone else.

It’s possible that I could have used the --manual option on the NFS Server, and avoided the need to transfer files. Not sure. If anyone else has done this, I’d like to know. I will need to renew my certs every couple months.

I’m really pleased about the letsencrypt service. I hope it gets used widely.

Update, 2017 December 7: I’ve updated my certs 3 or 4 times since I made this post. Now, this is what I do:

   sudo certbot certonly  \
     --authenticator manual  \
     --domain www.dinochiesa.net \
     --domain dinochiesa.net \
     --email dpchiesa@hotmail.com \
     --rsa-key-size 4096

I’ve automated the other parts – creating the right endpoints on the NFS server, and then copying the generated certs when they’re sent. Also NFS no longer requires a service ticket; it will automatically install certs when I update them. The change takes a minute or less. Super easy.
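The two pieces the update says are automated, publishing the challenge response on the web host and copying the resulting PEM files over, as an added example in Python (this is not the post's own script). It is written as a certbot hook: CERTBOT_TOKEN, CERTBOT_VALIDATION and RENEWED_LINEAGE are the variables certbot exports to --manual-auth-hook and --deploy-hook commands; the SSH alias nfs and the /home/public document root are assumptions for the example, while /home/protected/ssl is the directory named in the post.

```python
#!/usr/bin/env python3
"""Added example (not the post's own script): a certbot hook for a host you
reach over SSH. Run as `hook.py auth` it is a --manual-auth-hook that publishes
the HTTP-01 challenge; run as `hook.py deploy` it is a --deploy-hook that copies
the new PEM files to the directory the host installs certificates from.
certbot exports CERTBOT_TOKEN and CERTBOT_VALIDATION to the auth hook and
RENEWED_LINEAGE to the deploy hook. SSH_HOST and REMOTE_WEBROOT are assumptions."""
import os
import re
import subprocess
import sys
from pathlib import Path

SSH_HOST = "nfs"                        # assumed ~/.ssh/config alias for the server
REMOTE_WEBROOT = "/home/public"         # assumed document root on the server
REMOTE_SSL_DIR = "/home/protected/ssl"  # where the post copies the PEM files

TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")  # ACME tokens are base64url


def challenge_relpath(token: str) -> str:
    """Path under the web root at which http://<domain>/.well-known/acme-challenge/<token>
    must be served. The token arrives from the network and is spliced into a
    filesystem path and a shell command, so anything outside base64url is refused."""
    if not TOKEN_RE.fullmatch(token):
        raise ValueError(f"bad ACME token: {token!r}")
    return f".well-known/acme-challenge/{token}"


def publish_challenge(webroot: Path, token: str, validation: str) -> Path:
    """Local variant: write the key authorization under a web root on this machine."""
    target = webroot / challenge_relpath(token)
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(validation)
    return target


def remote_publish_command(webroot: str, token: str) -> str:
    """Shell command to run on the server. The validation string is fed on
    stdin rather than placed in the command line, so it never shows up in ps."""
    rel = challenge_relpath(token)  # validates before anything is quoted
    return f"mkdir -p '{webroot}/.well-known/acme-challenge' && cat > '{webroot}/{rel}'"


def auth_hook(env) -> int:
    """--manual-auth-hook: publish the challenge on the remote host over SSH."""
    cmd = remote_publish_command(REMOTE_WEBROOT, env["CERTBOT_TOKEN"])
    subprocess.run(["ssh", SSH_HOST, cmd], input=env["CERTBOT_VALIDATION"],
                   text=True, check=True)
    return 0


def deploy_hook(env) -> int:
    """--deploy-hook: copy the renewed chain and key, then tighten the key's mode."""
    lineage = Path(env["RENEWED_LINEAGE"])  # e.g. /etc/letsencrypt/live/<name>
    for name in ("fullchain.pem", "privkey.pem"):
        subprocess.run(["scp", str(lineage / name), f"{SSH_HOST}:{REMOTE_SSL_DIR}/"],
                       check=True)
    subprocess.run(["ssh", SSH_HOST, f"chmod 600 '{REMOTE_SSL_DIR}/privkey.pem'"],
                   check=True)
    return 0


if __name__ == "__main__":
    mode = sys.argv[1] if len(sys.argv) > 1 else "auth"
    sys.exit(auth_hook(os.environ) if mode == "auth" else deploy_hook(os.environ))
```

With both hooks wired in, the manual authenticator no longer needs a person at the keyboard, so renewal can be scheduled: certbot certonly --manual --preferred-challenges http --manual-auth-hook "/path/to/hook.py auth" --deploy-hook "/path/to/hook.py deploy" -d www.dinochiesa.net -d dinochiesa.net. The check in challenge_relpath is the part worth keeping even if the rest is rewritten: the token is untrusted input that ends up in both a path and a shell command.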

Why is GIMP still so crappy?

Yes, it’s the question on everybody’s mind: Why does Gimp suck so bad?

In the old days I used Windows almost exclusively. I had a nice Windows machine set up; it worked for me. I used cmd.exe and Powershell and WSH for scripting. I used Outlook and Word and Powerpoint for office documents.

I used freeware and open source stuff for some things: I used emacs for editing files. DotNetZip for manipulating ZIP files. ReloadIt for reloading web pages automatically as I saved files. Cropper for capturing screenshots and posting them to cloud photo share services. Lots of other tools. One notable tool: Paint.NET for manipulating images.

It worked. It all worked!

I have since moved to a Mac, not because I didn’t like Windows, but because everyone around me in my new job uses Mac. Being different just means being left out and being unable to share stuff with people. So I converted to Mac.

I am thankful to still have emacs. Obviously I can no longer use WSH and Javascript for scripting basic stuff, but I do have Node.js, which is just fine. (I don’t miss Powershell. Truth be told I never did fully realize the benefits of the object pipeline. It sounded good in theory but it was too darned hard to figure everything out. I use bash for shell scripting now, and it feels simpler to me.)

And Now, when I want to manipulate image files, I often slip up, and try to use gimp. I try. Yoda might say, after trying Gimp, With Gimp there is no do. There is only try, and do not. Generally I give up before accomplishing my goal, which is usually really really simple, something like “remove part of this image and replace it with white fill.” Gimp sucks. I have never opened Gimp and tried to use it without swearing. That I keep opening it is a testament to my ongoing descent into lunacy.

The UI is so infuriating; at the very start it opens windows on the Mac which obscure other applications. When I activate the other applications the GIMP windows stay on top. Why? Because that’s the most infuriating thing it could possibly do, that’s why.

When I highlight part of an image and click ctrl-C to copy that portion, I get – and I’m not making this up – everything EXCEPT the part I highlighted. You would think that would be a simple thing to correct, right? There’s even a “Select” menu with an “Invert” menu item in GIMP. You’d think if a COPY action was copying everything EXCEPT the thing I wanted, then inverting the selection and retrying the COPY action would do what I wanted. But no. Why? Because it’s the most infuriating thing possible.

GIMP always does the most infuriating, frustrating, and ridiculous thing possible.

Handily, when you open an image file that is kinda small, GIMP opens the window beneath one of its own “floats above all other windows” windows. So you can’t see the thing, and you need to move windows around to try to find it. Why? You know why.

There are people who say, “I’ve been using Gimp for 2 years. Sure, at first it’s a bit hard to learn, but after that it’s awesome.” That’s stupid. Absolutely idiotic. Software shouldn’t be this hard, sorry. Just because you invested your valuable time in compensating for a software designer’s madness, does not mean the software is good. It means you don’t value your own time as much as you should.

For an example of an image manipulation app that works, is easy for novices to pick up but also supports advanced features, look at Paint.NET. Only available on Windows! For an example of how to create endless user frustration, try Gimp.

“No technology can ever be too arcane…”

From an ironic fictional interview with Linus Torvalds on TypicalProgrammer, via @ckindel.

Q: You released the Git distributed version control system less than ten years ago. Git caught on quickly and seems to be the dominant source code control system, or at least the one people argue about most on Reddit and Hacker News.

A: Git has taken over where Linux left off separating the geeks into know-nothings and know-it-alls. I didn’t really expect anyone to use it because it’s so hard to use, but that turns out to be its big appeal. No technology can ever be too arcane or complicated for the black t-shirt crowd.

Q: I thought Subversion was hard to understand. I haven’t wrapped my head around Git yet.

A: You’ll spend a lot of time trying to get your head around it, and being ridiculed by the experts on github and elsewhere. I’ve learned that no toolchain can be too complicated because the drive for prestige and job security is too strong.

We’ve all seen that phenomenon. On the other hand, some situations demand more complex solutions, unpleasant as that fact may seem. One cannot build a robot without a sophisticated control system. One cannot build an internet-scale social app without some sort of fault-tolerant distributed data storage infrastructure.

The trick is determining to what degree the complexity is necessary, and to what degree the complexity is self-sustaining due to the prestige and job security factors.

HTTP apps? REST? JSON? XML? AJAX? Fiddler is invaluable

For developers, having access to and knowing how to use the proper tools is invaluable.  For any sort of communication application, I find Fiddler2 to be indispensable.  It is an “HTTP Debugging Proxy”, but ignore that – the main point is that it lets a developer or network engineer see the HTTP request and response messages, which means you can get a real understanding of what’s happening.  It’s Wireshark for HTTP.

As an added bonus, it can decrypt SSL traffic too. It does this as a man-in-the-middle: it mints a certificate for each site under a root certificate you install on the machine, so trust that root only on a development box and remove it when you are done. It can also display JSON or XML in an appropriate human-friendly manner.

The name Fiddler refers to the ability to “fiddle” with requests as they go out, or responses as they arrive. This can be really helpful in trying what-if scenarios.
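What an HTTP debugging proxy actually does, as an added example written for this page in Python (not code from the post or from Fiddler): a loopback proxy that records every exchange and exposes two hook functions, one for fiddling with a request before it leaves and one for a response before the client sees it. The DemoOrigin server, the X-Fiddled header and the edits the hooks make are constructed for the example. It handles plain http:// only; decrypting HTTPS the way Fiddler does needs a locally trusted root certificate and is deliberately out of scope here.

```python
"""Added example (not from the post or Fiddler): a minimal HTTP debugging proxy.
Each exchange is recorded in LOG and two hooks let you fiddle with a request
before it leaves and a response before the client sees it. Plain http:// only."""
import http.client
import http.server
import threading
from urllib.parse import urlsplit

LOG = []  # one (method, url, status) record per exchange that passed through
# Hop-by-hop headers belong to a single connection; a proxy must not relay them.
HOP_BY_HOP = {"connection", "proxy-connection", "keep-alive", "transfer-encoding"}

def fiddle_request(method, url, headers, body):
    """Hook: rewrite the outgoing request. Here it tags the request so the
    origin can tell it came through the proxy (a constructed what-if edit)."""
    headers = dict(headers)
    headers["X-Fiddled"] = "yes"
    return method, url, headers, body

def fiddle_response(status, headers, body):
    """Hook: rewrite the incoming response. Here it drops the Server banner and
    edits the body; Content-Length is recomputed so the client stays in sync."""
    headers = {k: v for k, v in headers.items() if k.lower() != "server"}
    body = body.replace(b"original", b"fiddled")
    headers["Content-Length"] = str(len(body))
    return status, headers, body

class ProxyHandler(http.server.BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"
    def do_GET(self):
        self.forward()

    def do_POST(self):
        self.forward()

    def forward(self):
        # A client configured to use a proxy sends the absolute URL as target.
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else b""
        headers = {k: v for k, v in self.headers.items() if k.lower() not in HOP_BY_HOP}
        method, url, headers, body = fiddle_request(self.command, self.path, headers, body)
        u = urlsplit(url)
        if u.scheme != "http" or not u.hostname:
            self.send_error(400, "proxy needs an absolute http:// URL")
            return
        target = (u.path or "/") + (f"?{u.query}" if u.query else "")
        conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=5)
        conn.request(method, target, body=body, headers=headers)
        resp = conn.getresponse()
        rbody = resp.read()
        rheaders = {k: v for k, v in resp.getheaders() if k.lower() not in HOP_BY_HOP}
        conn.close()
        status, rheaders, rbody = fiddle_response(resp.status, rheaders, rbody)
        LOG.append((method, url, status))
        # send_response_only, not send_response: the latter would add this
        # proxy's own Server and Date headers on top of the origin's.
        self.send_response_only(status)
        for k, v in rheaders.items():
            self.send_header(k, v)
        self.end_headers()
        self.wfile.write(rbody)

    def log_message(self, *args):
        pass  # LOG is the record; keep stderr quiet

class DemoOrigin(http.server.BaseHTTPRequestHandler):
    """Constructed sample origin: reports whether it saw the X-Fiddled header."""
    def do_GET(self):
        body = b"original body"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.send_header("X-Saw-Fiddled", self.headers.get("X-Fiddled", "no"))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass

def serve(handler):
    """Start handler on an ephemeral loopback port; returns (server, port)."""
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]

def fetch_via_proxy(proxy_port, url):
    """One GET through the proxy; returns (status, lower-cased headers, body)."""
    c = http.client.HTTPConnection("127.0.0.1", proxy_port, timeout=5)
    c.request("GET", url)
    r = c.getresponse()
    result = (r.status, {k.lower(): v for k, v in r.getheaders()}, r.read())
    c.close()
    return result

if __name__ == "__main__":
    origin, oport = serve(DemoOrigin)
    proxy, pport = serve(ProxyHandler)
    print(fetch_via_proxy(pport, f"http://127.0.0.1:{oport}/hello"), LOG)
    proxy.shutdown()
    origin.shutdown()
```

The origin sees X-Fiddled: yes, the client sees a body reading "fiddled body" with no Server header, and LOG holds the record of the exchange. That is the whole trick of a tool like Fiddler: it sits between the two parties, so it can show you both messages and change either one on the way through. It is also why such a tool must only ever listen on loopback and, for HTTPS, why its root certificate is a liability if left installed.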

Free, too.  Thanks to EricLaw for building it.

I want to point out: this tool is not commercial, there’s no training course for it, there’s no vendor pushing it. It illustrates that developers need to train themselves, to stay current and productive. They need to keep their eyes open and add to their skills continuously, in order to stay valuable to their employers.