Let’s Encrypt, acme.sh and cpanel deployment

09 June 2017 by Lincoln Ramsay

This site was using a startssl certificate but… the certificate expired (I got an email mere hours before this happened) and when I went to update the certificate, startssl had somehow forgotten all about me. It seems there was an ownership change and I found some things that made me decide a new certificate provider might be a good idea.

So I decided to get a Let’s Encrypt certificate instead. But I can’t run their suggested client (certbot) because I’m on a shared webhost without root access.

But I found acme.sh, which does the same thing certbot does without root or the heavy python dependencies. Apparently it will even handle auto-renewing my certificates for me.

New: This is the TL;DR version that just works.

ssh yasmar.net
curl https://get.acme.sh | sh
exit # probably could have just re-sourced .bashrc...
ssh yasmar.net
acme.sh --issue -d yasmar.net -w ~/public_html
acme.sh --deploy -d yasmar.net --deploy-hook cpanel_uapi

Back to the original story…

However, there was no cpanel_uapi deploy hook originally. So acme.sh could not deploy my new certificates to cpanel. Bummer. Luckily, I found a cpanel API reference to do just that and whipped up a bit of perl code (only slightly changed from the reference) that deploys certificates to cpanel. My change is here.

For the record, here’s how I got everything going.

ssh yasmar.net
curl https://get.acme.sh | sh
exit # probably could have just re-sourced .bashrc...
ssh yasmar.net
acme.sh --issue -d yasmar.net -w ~/public_html
acme.sh --deploy -d yasmar.net --deploy-hook cpanel

Though, the deploy step will do nothing without my modified cpanel.sh script. It has 3 important variables:

export DEPLOY_CPANEL_USER=myusername
export DEPLOY_CPANEL_HOSTNAME=localhost:2083

In my case, I had to use a real hostname instead of localhost to access cpanel.

My script is quick and dirty and doesn’t do any error checking. But it prints out the response so hopefully if there’s a problem it’ll be clear why.

It looks like the deploy hook is saved so when my certificate auto-renews, it should auto-deploy. I’ll know for sure in 60 days’ time.

Update: It did automatically renew and deploy 🙂

Update (June, 2018)

So my hosting company decided to seriously break perl. LWP was removed and there’s no compiler so I can’t install any equivalent CPAN modules. However, PHP is present and works just fine, so I have updated the deployment script. The new code is here.

With PHP, I can use the expected localhost:2083 to access cpanel, which is nice.

Update (again)

However, while looking at pushing this to the upstream project, I noticed that someone else has implemented support for the cpanel uapi command (which my hosting provider has). This has the advantage that you don’t need to put your credentials into a file and since it’s a cpanel thing, it probably won’t break in the future.

   acme.sh --deploy -d yasmar.net --deploy-hook cpanel_uapi

Rogue for Android

21 February 2017 by Lincoln Ramsay

This is the story of how I came to find myself porting rogue to Android.

I’ve played various roguelikes on a number of occasions over the years. One in particular stands out for me though. It was called PocketRogue and it was a straight port of rogue for PalmOS. I played it on a Treo, where the keyboard came in handy. I even got the source code but it was a CodeWarrior project that I never managed to port to the prc-tools environment.

When I got an Android phone I looked for roguelikes but was sorely disappointed in what I found. There were lots of apps available but most of them just didn’t work on my phone. I get the feeling most of them were designed to run on larger tablets with a physical keyboard attached or something. Luckily though, I found the excellent Pixel Dungeon (and later, its many forks) to satisfy my roguelike cravings. However, despite being an excellent roguelike that actually plays well on a phone, I find myself sometimes missing the simple charms of the classic ASCII interface and the simpler gameplay that rogue has.

So I did some experimenting…

Pina Colada

09 November 2016 by Lincoln Ramsay

Here is the Pina Colada recipe I’ve been working on. I’ve been wanting to put this together for ages and finally got around to it.

Pina Colada

1 measure of coconut cream
2 measures of pineapple juice
1 measure of rum
5 large ice cubes
half a measure of simple syrup (or 2 teaspoons icing sugar)

Put all the ingredients into a Thermomix (blender)
Mix on speed 6 until smooth
Pour into a glass
Put on Escape (The Pina Colada Song) and contemplate the lyrics while you enjoy the drink

I use a 1/3 cup measure which happens to make exactly the right amount to fill up my cup.
Simple syrup (1:1 sugar to water) doesn’t have to dissolve. Icing sugar is better at dissolving than regular sugar if you don’t have syrup.
If you start with colder ingredients (eg. store in the fridge or freezer), you’ll get a nice slushy texture. But really, as long as the drink ends up cold, it’ll be fine.
The official standards say to use white rum but I have made this with Bundaberg rum and it’s just as good, if not better (but then I do like the taste of rum).

How to factory reset a Brother HL-2170W printer

13 July 2016 by Lincoln Ramsay

I have a Brother HL-2170W printer. It’s great, and has been quietly getting on with its job for years.

But yesterday, I went to print something and it didn’t work. The printer has been running wirelessly because even though it now sits near the router, it used to be half a house away and I never bothered to change the configuration. But now it didn’t show up on the network at all.

I upgraded my router on the weekend… so I figured maybe it got confused and just needed some kind of reset to be able to connect again. I plugged in an ethernet cable but it quietly ignored it. Hmm…

I searched and found a guide to get the wireless going. The first thing it suggested was to do a factory reset. That sounded like a good idea. But it had no effect. Hmm…

So I started trying ever-more desperate options. I confirmed the printer was still operational by printing over USB. I confirmed the ethernet wasn’t burned out by running tcpdump (the printer sent a BOOTP probe at boot, but then it turned off the ethernet port).

Just as I was starting to feel hopeless, I stumbled onto a page telling me how to factory reset the printer. It was different to the instructions on the other page. Here is how you factory reset a Brother HL-2170W printer.

  1. Turn the printer off
  2. Hold the Go button
  3. Turn the printer on
  4. Wait for the LEDs to come on (this was near-instant for me)
  5. Release the Go button
  6. Press the Go button 7 times

The incorrect instructions told me to press it 10 times, which caused the printer to reboot and then print a test page. But crucially, the settings did not reset.

Of course after doing a factory reset, the ethernet came up properly so I could connect to the printer and configure the wireless again. I found a setting where you could set the ethernet or wireless as the only interface. I may have disabled ethernet back when I first set up the printer (explaining why it turned the port off).

As a bonus, I noticed the plethora of (probably insecure) services the printer was offering to the world. I turned them all off because nobody even accesses the printer directly anymore. The iOS devices need AirPrint and the Windows 10 devices need to be rebooted (!) if the printer runs out of paper during a job. So everybody connects to CUPS on my server now.

How I found a bug in a USB Ethernet driver

02 April 2016 by Lincoln Ramsay

I have an old USB ethernet device. It’s an ADMtek ADM8511 “Pegasus II”. Apparently I am the only person left on the planet with this device because it has been causing kernel panics since Linux 3.10 (released around 3 years ago).

I had been using this device at work (to connect things to my computer without letting them access the office network) but when we finally upgraded from Ubuntu 10.04 (to Ubuntu 14.04), it started locking up the machine. Since it was work and time is money, I just bought a USB ethernet adapter that used a different chipset and put this one in a drawer.

At home, I have a machine that I’d like to dual home for… reasons. It’s also running Ubuntu 14.04. I got out the adapter and tried it out and sure enough, it caused lockups. But this time, I was willing to put a bit of time into investigating it since having it work was not critical.

I raised a bug and included as much information as I could get from the system. One of the more interesting things I found out was netconsole, where a Linux system sends its logs out via UDP (and another machine captures this to a file). This is handy when the machine is kernel panicking because you don’t need to take a photo of the message and things that don’t fit on one screen can also be reported.

One annoying thing was that the bug triage person insisted I update my BIOS and re-test. Which meant I had to get Windows on the machine. I ended up making a “portable Windows” USB stick on an old (slow) SD card so that I could run the BIOS update program.

Next up was running a current kernel, v4.5 to verify that the issue had not been fixed yet. Then I had to establish roughly when the bug was introduced. I did a manual bisect of the releases (downloading 33 kernels in the process) to establish that it was a Saucy kernel that introduced the bug. Specifically, kernel 3.9.0-7.15 was good while the next kernel 3.10.0-0.6 was bad.

Then, I had to download a git repo and bisect the code. I was a bit shocked to find there were around 14,000 commits between those two tags! Thankfully, I only had to do 11 builds to identify the problem (though my poor machine could only manage one build every 2 hours and I had to be physically at the machine for the test so I could only get in 2 or 3 tests per day).

Interestingly, there were 3 commits in a row specifically for the pegasus driver. But it was the first one that caused the bug, or was it? Upon inspection, the commit looked ok (it was replacing an apparently unnecessary pool of buffers with demand-allocated buffers). It did look like the new code would consistently allocate 2 bytes less than the old code but I think that was more or less a padding/alignment thing that should have ended up equivalent. The real problem was elsewhere in the driver where the code was reading PEGASUS_MTU + 8 bytes into the buffer, which had been allocated to PEGASUS_MTU bytes. WTF?! I can only guess the pool allocation pattern meant that the overflow did not clobber important memory but once it switched to demand allocation, it started doing so. I did try git blame to see how this code got this way but apparently, it happened before Linux was in git.

I wonder if my proposed fix (changing the read to use PEGASUS_MTU bytes) can make it into the kernel with my name still on it? That would be cool. I have never pushed code to the upstream Linux kernel before.


It got in. And my name is there 🙂
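
The latent overflow described in this post, modelled in user space as an added example (it is not the driver's code or the author's patch). The value of PEGASUS_MTU, the POOL_SLACK figure (which models the author's guess about why the pooled buffers hid the bug) and all function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define PEGASUS_MTU 1536  /* illustrative size; the post does not give the value */
#define OVERREAD    8     /* the "+ 8" from the post */
#define POOL_SLACK  64    /* assumed spare room in a pooled slot (models the author's guess) */
#define NEIGHBOUR   16    /* bytes of the object that sits right after the buffer */

/* Simulated memory: an rx buffer of alloc_len bytes, then a neighbouring object. */
static unsigned char mem[PEGASUS_MTU + POOL_SLACK + NEIGHBOUR];

/*
 * Place a buffer of alloc_len bytes at mem[0] with a neighbour directly behind
 * it, let the "device" write read_len bytes, and report what happened:
 *   0 = neighbour intact, 1 = neighbour overwritten, -1 = layout does not fit.
 */
static int rx_clobbers_neighbour(size_t alloc_len, size_t read_len)
{
    if (alloc_len + NEIGHBOUR > sizeof mem || read_len > sizeof mem)
        return -1;
    memset(mem, 0x00, sizeof mem);
    memset(mem + alloc_len, 0xA5, NEIGHBOUR);   /* neighbour's contents */
    memset(mem, 0xFF, read_len);                /* incoming frame data */
    for (size_t i = 0; i < NEIGHBOUR; i++)
        if (mem[alloc_len + i] != 0xA5)
            return 1;
    return 0;
}

/* Before the refactor: pooled slot with slack, over-long read goes unnoticed. */
static int pooled_with_overread(void)
{ return rx_clobbers_neighbour(PEGASUS_MTU + POOL_SLACK, PEGASUS_MTU + OVERREAD); }

/* After the refactor: exact-size allocation, same over-long read. */
static int exact_with_overread(void)
{ return rx_clobbers_neighbour(PEGASUS_MTU, PEGASUS_MTU + OVERREAD); }

/* The fix described in the post: read only PEGASUS_MTU bytes. */
static int exact_with_fixed_read(void)
{ return rx_clobbers_neighbour(PEGASUS_MTU, PEGASUS_MTU); }

int main(void)
{
    printf("pooled slot, MTU+8 read : %d\n", pooled_with_overread());
    printf("exact alloc, MTU+8 read : %d\n", exact_with_overread());
    printf("exact alloc, MTU read   : %d\n", exact_with_fixed_read());
    return 0;
}
```

The same over-long read is harmless in the first layout and destructive in the second, which is why a bisect can land on an allocation change that looks correct on inspection.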


Make IBM Notes 9 run a custom browser on Windows

18 March 2016 by Lincoln Ramsay

I have a Linux VM that I do my work in. I want links opened from Windows programs to be opened in a browser in the VM. I set up a working solution using this page as a guide (the main difference being that I use a file on a shared mount to get URLs from Windows to the VM). In case this sounds like something you want to do, download MultilevelSecurityBrowser.zip and check it out.

The problem is that Notes on Windows only has 2 browser settings. “Use embedded browser” and “Use system browser”. And when you set it to “Use system browser” it does not use my custom browser.

According to the internet, Notes 8 uses the older-style path HKEY_CLASSES_ROOT\http\shell\open\command to find the browser but Notes 9 is not looking here.

The actual registry key I needed to change was HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice (Progid = MultilevelSecurityBrowser) but Windows has locked this down so you can’t change it via a .reg file. This meant I had to use the Default Programs -> Set Associations screen to change it.

Virtualbox, Multiple Monitors, Hot-plugging Screens

16 October 2015 by Lincoln Ramsay

At work I have 2 big screens. They used to be run from a Linux desktop but I got upgraded to a laptop running Windows with my Linux desktop moved into a VM. I use Virtualbox which lets me use the 2 big screens as monitors for my Linux system. With Virtualbox set to “full screen” things are pretty much the way they were on the desktop, with an extra Windows screen to the right (that I pretty much don’t use).

One big change though is that I sometimes have to take my laptop away from my desk and when it undocks, strange things happen. I had previously suspended or shut down the VM but today I figured all the things out.

Problem 1: The number Windows puts on your screen may not match the number Virtualbox puts on your screen.

Here’s what my desktops look like.


The laptop is on the right and according to Windows, the screens are numbered 3, 2, 1 (left to right). But what Windows calls screen 2, virtualbox calls screen 3 and Windows screen 3 is virtualbox screen 2. Why? I dunno.

Problem 2: Linux and Virtualbox disagree on where the monitors are.

The mouse is handled by Virtualbox so it tracks according to the Windows screen layout, not the Linux monitor layout. Virtualbox decides which Linux monitor goes on which screen, not the Linux monitor layout. I did set the Linux monitor layout so that it was “correct” but I’m not really sure it is having any effect.

Problem 3: Due to the desktop legacy, the monitors were reversed.

Rather than moving the monitors when I set up the desktop, I had all my “primary” desktop stuff on monitor 2 with monitor 1 as the “secondary” display. I had to drag my desktop icons from one monitor to the other. Moving the MATE panel was a bit harder. You have to right-click, preferences and uncheck Expand. Then you can use the tabs at the side of the panel to move it to the other monitor. Then you can make it expand again. Now my “primary” stuff is on monitor 1 (screen 2) and my “secondary” screen is monitor 2 (screen 3).

Problem 4: Virtualbox hides full-screen VM monitors if there is no physical screen to locate them on.

This is what was getting me when I undocked the laptop. Before I’d fixed everything up, my “primary” display would disappear. Virtualbox allows monitor 1 to display on the laptop and it simply hides monitor 2. Virtualbox does not tell the guest that it’s hiding monitor 2 either. After fixing things, my “secondary” display disappears, which is better. I also found out you can un-full-screen in order to see both monitors (they become 2 windows).

Bash history nirvana

09 October 2015 by Lincoln Ramsay

I thought I’d written about this ages ago. But it turns out I didn’t.

The default bash history handling is terrible. Run one shell at a time and always cleanly exit the shell and it’s ok, but run more than one shell at a time and abnormally exit shells and disaster will strike. The number of saved entries is relatively tiny. Duplicates are saved and you can’t really share history between running shells.

Here’s how you fix it.

First, we want to append to the history file rather than clobbering it.

shopt -s histappend

I once had a bash start and fail to read .bashrc properly. It clobbered my history. So now I use a non-standard file to keep broken bash shells from clobbering the history.


Store lots and lots of history.


I don’t want duplicates in the history. Also, I ignore commands that start with a space (eg. for those times when you have to give something sensitive like a password to a command).

#HISTCONTROL=ignorespace # start a command with a space and it doesn't go into history
#HISTCONTROL=ignoredups # ignore duplicates
HISTCONTROL=ignoreboth # both of the above

You can run history -a to dump the history immediately and history -n to import history into a running shell. I like to automate the dumping so that an abnormally terminating shell doesn’t take its history with it. I get bash to call a function just before showing a prompt. I do lots of other things in here, and dump history too.

    history -a # export history immediately

I don’t automate history importing.

If you’re looking for the copy+paste version, here it is.

# Don't clobber history
shopt -s histappend

    history -a

The Mysterious Cities of Gold Soundtrack

25 September 2015 by Lincoln Ramsay

I watched at least a few episodes of The Mysterious Cities of Gold (hereafter TMCoG) as a kid. More recently, the series was shown on TV and the whole family sat down to watch it. Then last weekend, an offhand comment got me wondering about the soundtrack. TMCoG has awesome music. Very 70s, French and electronic but still awesome.

Some searching quickly turned up information about an LP release that was done at the time. And apparently there was a CD for sale but I couldn’t track it down. I did find a youtube playlist that had been put together. Some of the tracks are preserved well, some not so much. Still… it’s the TMCoG music so it’s great.

Then I stumbled onto the “re-orchestration” scene. People clearly want better sounding audio and have re-made the songs. The main problem with this is that it all sounds completely different. Except for this one guy. He has gone as far as sourcing the same instruments (I’m guessing mostly old synths) so that he can faithfully re-create the music. And he totally nails it.

His site is The Grand Heritage. It’s all in French so you’ll need to run it through a translator.

This guy had a CD of re-created tracks out in 2002 (again, I couldn’t find it), then started up this site in 2011 to continue the work. There’s 88 songs there. Further than any soundtrack would normally go, he seems intent on re-creating all the music, even little incidental bits. I love it!

iMovie HD Launcher for Yosemite

20 August 2015 by Lincoln Ramsay

I have been using iMovie since version 1 on the classic MacOS. Which means I know the iMovie HD interface really well. So I was dismayed to find that it doesn’t launch on Yosemite.

But I found information that said it does run, it just can’t be launched by clicking on its icon.

I already had some Automator applets that launched apps so I modified one to launch iMovie HD and gave it an icon. If you like the idea of a clickable launcher for iMovie HD, get it here. If you don’t want to trust a random app you can open it in Automator to verify it for yourself.
