antipaucity

fighting the lack of good ideas

let’s encrypt centos 6 – truly free ssl

There’s been quite a bit of excitement surrounding Let’s Encrypt recently – a truly 100% free SSL issuer.

Last week I helped a friend of mine get his first Let’s Encrypt certificate generated and configured for his website. One of the things I found incredibly frustrating is that Let’s Encrypt does not have a package for Red Hat/CentOS/Fedora! Ignoring such a massive installed base seems monumentally dumb – so I hope that they correct it soon. Until they do, however, here’s a tutorial that should cover the gotchas for getting Let’s Encrypt to work on a CentOS 6 server with Apache 2.

The documentation (as of 06 Jan 2015) on the Let’s Encrypt website is in error in a few places (or, at least, not as correct as it could/should be). One big thing to note, for example, is that it says Python 2.6 is supported (the current release for RHEL/CentOS 6). If you run the certificate generator without the --debug flag, though, it will error-out saying Python 2.6 is not supported.

While I used an existing CentOS 6 server, I’ll start this tutorial as I have many others – by telling you to go get a CentOS 6 server from Digital Ocean or Chunk Host.

Preliminaries

Login as root (or a sudo-privileged account – but root is easier), and install Apache, Python, and SSL:
yum install httpd python mod_ssl

Also enable the EPEL repository (the release package is available from the CentOS Extras repository):
yum install epel-release

I’m going to assume you are familiar with configuring Apache, and will only provide the relevant snippets from ssl.conf herein.

Now that the basics are done, let’s move to Let’s Encrypt. I ran the tool in interactive mode (which requires ncurses to be available – it’s probably already installed on your system). You’ll want to add a crontab entry, though, since Let’s Encrypt certs expire after 90 days, so at the end I’ll compact the interactive session into a single command-line call – which you’ll need to “know” how to do, since the --help argument doesn’t do anything yet (that I could find).

Initial Certificate Creation

First, grab the latest Let’s Encrypt from GitHub:
git clone https://github.com/letsencrypt/letsencrypt && cd letsencrypt

Stop Apache: service httpd stop. Let’s Encrypt is going to try to bind to ports 80 and 443 to ensure you have control of the domain.

Now run the letsencrypt-auto tool – in debug mode so it’ll work with Python 2.6: ./letsencrypt-auto --debug certonly.

Use certonly because the plugins to automate installing for Apache and Nginx don’t work on CentOS yet.

Enter your domain name(s) for which you want to issue a certificate. If you accept incoming connections to www.domain.tld and domain.tld, be sure to put both in the list (likewise, if you have, say, blog.domain.tld that you want included).

Enter an administrative email address.

When the tool finishes, it’ll put symlinks in /etc/letsencrypt/live/domain.tld, with the “actual” certs in /etc/letsencrypt/archive/domain.tld. We’re going to reference the symlinks in /etc/letsencrypt/live/domain.tld next.

Edit /etc/httpd/conf.d/ssl.conf (I prefer emacs – but use whatever you prefer), and add the following lines in your VirtualHost directive:
SSLCertificateFile /etc/letsencrypt/live/domain.tld/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/domain.tld/privkey.pem
# Apache 2.2 (the CentOS 6 build) only reads the first certificate from
# SSLCertificateFile, so the Let's Encrypt intermediate has to be served
# via SSLCertificateChainFile (SSLCACertificateFile is for client-cert
# verification and does not send the chain to browsers)
SSLCertificateChainFile /etc/letsencrypt/live/domain.tld/chain.pem

Restart Apache: service httpd start.

Try hitting https://domain.tld in your web browser – and you should be golden!

Automating Renewal

Create a small shell script called renew-LE-certs.sh somewhere you’ll remember – like /root:
#!/bin/sh
service httpd stop
# add additional '-d' entries for more subdomains
/path/to/letsencrypt/letsencrypt-auto --debug --keep --agree-tos --rsa-key-size 2048 certonly -m ssladmin@domain.tld -d domain.tld -d www.domain.tld
service httpd start

For your crontab entry, do the following to set up monthly cert renewal:
@monthly /path/to/renew-LE-certs.sh
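As an added example (not the post’s own script), here is a renewal wrapper for the same CentOS 6 / Apache 2 / letsencrypt-auto setup that only takes Apache down when the live certificate is actually close to expiry, and always brings it back up even if letsencrypt-auto fails. LE_DIR and DOMAIN are placeholders, and the expiry arithmetic assumes GNU date and the openssl CLI.

```shell
#!/bin/sh
# Added example, not the post's own script: a renewal wrapper for the
# CentOS 6 / Apache 2 / letsencrypt-auto setup described above. It only
# stops Apache when the live certificate is within RENEW_DAYS of expiry,
# and it starts Apache again however letsencrypt-auto exits.
# LE_DIR and DOMAIN are placeholders; the expiry arithmetic assumes GNU date.
LE_DIR="/path/to/letsencrypt"
DOMAIN="domain.tld"
CERT="/etc/letsencrypt/live/$DOMAIN/cert.pem"
RENEW_DAYS=30

# days_left NOTAFTER NOW_EPOCH
#   NOTAFTER is the line printed by `openssl x509 -noout -enddate`
#   (e.g. "notAfter=Apr  5 12:00:00 2016 GMT"); NOW_EPOCH is the reference
#   time in seconds since the epoch, passed in so the function can be
#   exercised without a real certificate or a real clock.
days_left() {
    enddate="${1#notAfter=}"
    now="$2"
    end_epoch=$(date -u -d "$enddate" +%s) || return 2
    echo $(( (end_epoch - now) / 86400 ))
}

# needs_renewal NOTAFTER NOW_EPOCH: succeeds when fewer than RENEW_DAYS remain
needs_renewal() {
    d=$(days_left "$1" "$2") || return 2
    [ "$d" -lt "$RENEW_DAYS" ]
}

# renew: the same certonly call as the post's script, but Apache is started
# again even when letsencrypt-auto fails, and its exit status is preserved.
renew() {
    service httpd stop
    "$LE_DIR/letsencrypt-auto" --debug --keep --agree-tos --rsa-key-size 2048 \
        certonly -m "ssladmin@$DOMAIN" -d "$DOMAIN" -d "www.$DOMAIN"
    rc=$?
    service httpd start
    return $rc
}

main() {
    if [ ! -r "$CERT" ]; then
        echo "no certificate at $CERT; run the initial issuance first" >&2
        return 1
    fi
    enddate=$(openssl x509 -noout -enddate -in "$CERT") || return 1
    now=$(date -u +%s)
    if needs_renewal "$enddate" "$now"; then
        renew
    else
        echo "certificate valid for $(days_left "$enddate" "$now") more days; nothing to do"
    fi
}

# Run main only when executed as renew-LE-certs.sh (e.g. from cron), so the
# functions above can also be sourced and checked on their own.
if [ "${0##*/}" = "renew-LE-certs.sh" ]; then
    main "$@"
fi
```

Save it as /root/renew-LE-certs.sh and point the crontab line at it; with a 30-day threshold it is safe to run daily rather than monthly, and Apache is only stopped on the day a renewal really happens.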

publicizing compensation – why not?

Many (if not all) companies have provisos when you become a salaried employee that you not discuss your salary/compensation package with other employees.

Most people have been raised in a mindset, largely because their parents have worked for companies like this (and maybe their grandparents, too – it is 2013, after all, and this is not a new phenomenon), that they shouldn’t ever discuss how much they make doing job R when their friend does job H – even at a different company.

Let me state, first, that I am not going to promulgate the idea that everyone should go around bragging about how much they make – especially if you are in front of either mixed company, or in front of someone you know is having a difficult time financially – after all, who wants to be the one guy in the room making $35000 when everyone else is in the 6 figures and gloating about it? I sure wouldn’t.

However, (and maybe I’m weird – though I don’t think so) I have never cared about how much you made in comparison to myself. If we are doing the same work with the same experience and we do not have the same compensation, it implies that one of us negotiated better (I have some thoughts about negotiating, too, both published and not). If you manage to get an extra $1 an hour ($2080 more per year), that’s awesome.

Given that the scenario in the previous paragraph, outside of “basic” jobs like warehouse work, cleaning cars, etc, never happens – why should anyone be surprised that not everyone has the same compensation as the next guy? Somewhere along the line we got the idea that salary+benefits needed to be “fair”. “Fair” is a concept that only exists in economic theories not based on effort. (The first thing to know about compensation is encapsulated in the book Everything is Negotiable – and a related, but highly specifized1 form for salaries.)

There are services like Glassdoor that help to provide “competitive” salary information … but salary is only a small portion of compensation. Let’s say you and I both make $5000 a month ($60000 a year – make the math easy). But you have 2 weeks of vacation, and I have 4. But I took the lower-deductible insurance option, and you took the higher. Which one of us is bringing home more per month? Who cares! My individual desires and needs are, apparently, being met on my package, and yours are with yours. So why does it matter that we not discuss salary information with each other? Transparency is vital in the security world; it is just as vital internally in a company. And between friends (though, of course, the amount of data we dump, and the methods we choose, will vary) it establishes trust.

Do I care if everyone in the world knows how much I earn per year? No. Tax returns are not public, but they’re not exactly private, either (they’re not that difficult to get if you want them). House sales prices are matters of public record. And from a house sale, along with known mortgage rates at the time of sale, you can determine how much someone is spending on their housing payment every month within a decent error margin (eg, $200000 home, 4% interest, 30 year mortgage, 10% down, you have in the ballpark of a $1000 base mortgage payment2 – within about 5-10% (to cover taxes, insurance, and PMI)). Presuming you’re not living on your credit cards, that means you’re making at a minimum $1500 a month ($18000 a year) just to afford to have a house payment. Add-in other normal essentials of 21st century America (car insurance and maintenance (or bike/bus money), groceries, phone, internet, tv, student loan, etc), and you’re at least at the household income level of $40000 (pretax). Likely quite a bit higher – especially if you have a car payment of any kind.

Why go through the miniature exercise above? Because no one seems to mind comparing their car insurance premiums. Or how often they eat out. Or what they like to cook at home. But SALARY! Heaven forbid you ever talk about THAT! That’s the one no-no in discussion of financial data between friends and coworkers. But it’s irrational when in just a few seconds you can ballpark the minimum someone earns.

We can compare generalities – vacation time, insurance plans, sick policies, maybe even bonuses (but only as percentages – don’t you dare use real dollars when discussing them) … but not the salary.

I read recently an Atlantic article discussing Millennials and the slow break-down of corporate boundaries to sharing compensation information. I think that’s wonderful.

Publicizing (at least internally) salaries (even if it’s in bands, a la FogCreek, HP, IBM, or the Federal Government (and Military)) is extremely positive. It doesn’t disclose stock options, bonuses, etc, but can give some kind of indication between colleagues of their relative value to their employer.

At one former employer, I found out shortly after I started that another recent hire (with more years of support experience) was being paid barely more than half what I was. And had had no options when he started (just weeks before me), when I had a modest issuance. Neither of us was upset about how much I was being paid, but I was disappointed to finally see “in the real world” such salary discrimination going on. The entire reason he was paid so much less than me? He didn’t negotiate well.

It was technically against company policy for him to tell me how much he made. And me him. Technically, it was a dismissable offense.

That’s the ridiculous part of not sharing compensation data – that by sharing it you can have your employment terminated. Employers who are worried about little things like whether a given employee knows another employee’s salary are [most likely] micromanaging – at least from the Personnel Department3.

Additionally, if the company is concerned that finding out how much someone else is earning is going to cause unhappiness amongst the team, they’ve done several other things wrong. They’ve [at least]:

  • hired people whose only motivation is money (or believe that’s the only motivator)
  • intentionally tried to undervalue their team
  • established an immediate sense of distrust
  • decided to treat their employees like children instead of adults who can rationally and intelligently discuss differences between themselves – and not just on their preferred lunch joint

I would love to see this aura of distrust disappear.

If you really do have people whose only motivation is money, you need a better team: they’ll jump ship as soon as something more lucrative comes along – instead of changing only when the work becomes more boring .. or more interesting elsewhere.


1 I know it’s not a word – I’m using it anyway
2 Divide the mortgage amount by 180, and you have the rough base payment on a 30 year mortgage (for the under 5% mortgages I see in mid-2013); your base payment is the home’s cost *2 / 360 (number of months in 30 years) – or just price/180
3 I positively despise the term “Human Resources” – employees are only “resources” to the MBA types: they’re people, and should be accorded good treatment (including referentially) as such

organizational knowledge capture, retention, and dissemination

Knowledge capture, retention, and dissemination has been an interest of mine for a long time. I have written about various aspects of it before.

The most vital commodity any organization has is the knowledge of its members – it does not matter if it is a historical society, company, church, or school: the organizational knowledge base is vital to ongoing health of the organization.

I love the picture of the “Tree of Wisdom”: at the ground there is a meadow of data, from this data information roots are gathered, the roots grow into knowledge branches, and at the end is the application of that knowledge in wisdom leaves.

Data is easy to come by.

Information similarly so.

Knowledge, taking information and transforming it into a more-usable form, is important.

When to apply that knowledge – aka using wisdom – is the topic for another post.

Capturing Knowledge

There are a host of available tools for capturing knowledge – text files, brown bags, PowerPoint, SharePoint, blogs, Plone, wikis, etc. The “best” one to use is the one you use.

Culture

Getting team members to contribute to organizational knowledge pools can be difficult – unless it is an organizational priority .. a part of the organization’s culture.

Incorporating this culture switch (if it’s not already innate to the organization) needs to be done not merely as a top-down directive, but encouraged via bottom-up interest.

Retaining (Managing) Knowledge

Now that you’ve captured (or started capturing) the organization’s data, managing it becomes the next task of import.

For example, should the KB article written 5 years ago be updated, replaced, or left alone?

Who is responsible for managing all of the information that has been collected? Will it be self-managed and -directed, will there be a curation team, will it be a combination?

Who determines the process for taking “internal” knowledge and “promoting” it to “outside” knowledge?

How are these roles going to be managed as the team changes memberships through people leaving, entering, and shifting in the organization?

For extremely small organizations, formal curation may be unnecessary. Perhaps since everyone knows everyone else, or the knowledge domain is so small, everyone’s individual contributions will remain fairly static and the “promotion” path will merely be proofreading (eg a historical society’s archives – the archives may be extensive, but the material doesn’t ‘change’ all that much (excepting being added-to, of course)).

For very big organizations (like the MSDN documentation available on microsoft.com), many layers of curation are likely going to be needed – proofreading, formatting, verifying, etc.

Finding the right balance of self-direction and organizational management can be tricky.

Disseminating Knowledge – Getting The Word Out

All of the captured knowledge in the world is useless if you can’t find it – and knowing where to look is vital. A close second to knowing where to look is how to find it.

Where is it?

There needs to be a solid document, landing page, directory, table of contents, etc so that new members (or folks who forget) can find the tribal knowledge that exists in the organization.

As a part of the new-hire\introduction\etc process\period, be sure to tell new members where information can be found, and who to talk to about certain major topics.

Finding it once you know where to look

“Search is a hard problem.” Google’s own Udi Manber said that. Anna Patterson at Stanford wrote, “Writing Your Own Search Engine Is Hard.”

Search in general may be hard, but many tools handle at least basic (and some fuzzy) searching well – OSQA, WordPress, Plone, Drupal, and many others. If, in addition to categorization, a tag taxonomy is employed, quickly finding content relevant to the searcher’s wants\needs can become easier.

“A tag is a keyword or label that categorizes your question with other, similar questions. Using the right tags makes it easier for others to find and answer your question.” {SO description}

Knowledge contributors should be the primary agents of tagging. However, consumers should be able to suggest additional tags. Administrators\curators should be able (under unusual, but well-defined, circumstances) to remove tags.

The human factor

For any given topic / knowledge region in the organization’s realm, there need to be established “experts” and “mentors” who will help guide new individuals through the fog to locate the buoys to be able to navigate themselves into a clearer understanding of the new world they have been made a part of.

Apprenticing upcoming experts into the organization is the single most vital aspect of the knowledge capture process – if it is not disseminated, it doesn’t matter if it is captured.

on twitter and the police

Dave Winer had an interesting take on the recent Twitter-NYPD flare-up.

Personally, the thought of any government organization demanding records without a warrant is abhorrent.

However, since the entire point of Twitter is to make your tweets public … then what is there to subpoena? They’re all out there – visible to the world… Unless the user has deleted them (and, from my understanding, they are “real” deletes (unlike facebook “deletes” which may or may not go anywhere)).

So, NYPD – why are you not just looking at the tweets that are available publicly? Why are you trying to demand data that may or may not exist, and without a warrant?

Lastly, to Mr Winer’s comment that “the government has no business investing taxpayer dollars in private companies”: there are a couple of big problems therein. First, since it was in reference to the Library of Congress, we should make sure that in addition to not “investing” in archiving tweets, they also not invest in archiving books, journals, newspapers, etc – after all, those are also coming from “private companies”. Second, if the government shouldn’t be investing taxpayer dollars in private companies, then where, exactly, do you propose the “government” get what it needs to operate? By fiat? By dictatorial claim? No – those aren’t good public relations moves. The government needs to obtain the services and goods it needs to continue its functions from private industry (or we need to abandon this whole ‘capitalism’ thing and go for a pure central economy wherein all produced goods and services are provided by the government).

digital preservation

I have been an active member on the Stack Exchange family of sites [nearly] since StackOverflow started a few years ago.

Recently a new proposal has been made for Digital Preservation. Many of the proposed questions are interesting (including one of mine) – and I would strongly encourage anyone interested in the topic to check it out.

The topic has resparked a question I have had for a long time – why is it important to archive data?

Not that I think it’s inherently bad to hold onto digital information for some period of time – but what is the impetus for storing it more-or-less forever?

In tech popculture we have services like Google’s gmail which starts users at a mind-boggling 7+ gigabytes of storage! For email! Who has 7GB of email that needs to be stored?! For a variety of reasons, I hold onto all of my work email for the duration of my employment with a given company – you never know when it might be useful (and it turns out it’s useful fairly frequently). But personal email? Really? Who needs either anywhere near that much, or to hold onto it for that long? And those few people who arguably DO need that much, or to keep it forever, can afford to store it somewhere safely.

I think there is a major failing in modern thinking that says we have to save everything we can just because we can. Is storage “cheap”? Absolutely. But the hoard / “archive” mentality that pervades modern culture needs to be combated heavily. We, as a people, need to learn how to forget – and how to remember properly. Our minds are, more and more, becoming “googlized”. We have decided it’s more important to know how to find what we want than to know it. And for some things, this is good:

If you are a machinist, is it better to know how to reverse-thread the inside of a titanium pipe end-cap, or to go look up what kind of tooling and lathe settings you will need when you get around to making that part? I suppose that if all you ever do in life is mill reverse-threaded titanium pipe end-caps, you should probably commit that piece of information to memory.

But we need to remember to forget, too:

when you need to make two of these things. Ever. In your entire life. In the entire history of every company you ever work for. Well, then I would say it’s better to go look up that particular datum when you need it. And then promptly forget it.

The historical value and interest of the “Domesday Books”, and the amazing work they contain, have been of immense value to historians, archivists, politicians, and the general public. Various and sundry public records (census data, property deeds, genealogies, etc) are fantastic pieces to hold onto – and to make as available and accessible as possible.

Making various other archives available publicly is great too (eg the NYO&WRHS) – and I applaud each and every one of those efforts; indeed, I contribute to them whenever I can.

I continuously wonder, though, how many of these records and artifacts truly need to be saved – certainly it is true of physical artifacts that preservation is important, but how many copies of the first printing of Moby Dick do we need (to pick an example)?

I don’t know what the best answer is to digital hoarding, but preservation is a topic which needs to be considered carefully.

lightsquared

I’ve been hearing about a new company called LightSquared a lot recently. Both arstechnica and alarm:clock have had interesting articles on the company in the last week.

The goal of LS is to create from scratch a nationwide 4G wireless network – and funder Philip Falcone thinks they can do it for about $15B. That’s a pretty impressive number, in my book, especially when compared to how much AT&T, Verizon, and Sprint have spent over the last decades building-out their networks.

The ars article points out that the GPS industry is upset that LS is using a spectrum similar to the one used by the Global Positioning System, and is worried it will make GPS receivers act poorly by overpowering the satellite signal.

Personally, I think that if your devices are built so poorly that a non-identical signal can interfere with their functionality, you have an issue on your hands – not on the hands of the folks with the similar signal. Also, LightSquared could take it upon themselves to be a private, terrestrial location service – either by repeating signals from the GPS constellation, or by adding location data to the signal they are broadcasting (40 000 towers with multiple antennae per tower ought to be able to send some useful data over the air along with everything else being carried).

Moving back to the future of the business, it looks like a very exciting time in the telecom industry in the US – like we may finally get some “real” competition to the Big Three already operating. If AT&T’s T-Mobile acquisition goes through, cell phone and wireless broadband competition would be hurt – so I’m thrilled that groups like LightSquared are coming out to play, too.

As a sidebar: Tarus, you should get in front of Philip – they’re going to need some serious monitoring 🙂

oracle discontinuing itanium support

This morning I saw the headline on InfoWorld: “Oracle stopping development on Itanium — slap at HP or obvious decision?”

At my previous employer, we were entertained by a couple visits from both HP and Intel folks ballyhooing the Itanium, HP-UX, and the future of the platform – especially in the database arena.

I thought those visits were pretty funny because every company I have seen with any HP-UX installed base has been migrating off to either AIX or Linux for some time, leading me to conclude that HP-UX is a dead platform. The fact that Microsoft and Red Hat both dropped support for Itanium processors with their last OS releases also tells me that Itanium is not here for the long haul – at least not in anything other than specialized platforms (such as some of the Top 500 entrants).

Yes, in Japan Fujitsu and others are shipping Itanium-based products, but they’re not running anywhere outside of Asia.

Intel had the chance 15 years ago to produce the game-changer for the server and home markets. If they had properly implemented an x86 emulation module (or, shoot, put an x86 processor on the die and switched via microcode), AMD’s x64 extensions would never have taken off the way they did, and we wouldn’t be stuck with bizarre functionality that only made sense in a 16bit world – but not anymore.

But between HP and Intel, they horched the platform, delaying it by months then years. In the process, the venerable DEC Alpha was killed-off by HP, as was HP’s own PA-RISC line.

In my opinion, Oracle’s move is brilliant for a couple reasons:

  • HP-UX is dead
  • Itanium has no future with any other OS vendor
  • Larry Ellison wants to push OEL and some form of Solaris (though I’m convinced Solaris is not long for this world either)
  • Larry Ellison doesn’t care what other people think of him
  • Oracle is making more money than they know what to do with – so why support something you don’t want to?

What think ye?