Let’s Encrypt on a macOS machine running 10.12.6 and Server.app

Are you doing your web hosting with Server.app? You’re probably not the biggest fan of it, but it works, so… let’s keep on keeping on. Do you want to have a free SSL certificate from Let’s Encrypt? Well, I found some really bad guides, so this is much better.

*Hat tip to MacAdmins slack for a few key points

Open up your Terminal.app (Go to the Go menu, choose Utilities, double-click on Terminal). This isn’t even a step, you should know this.

Step One – Install Homebrew

/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

At this point, you will be prompted to press RETURN to continue. Press the return key.

It will then start downloading and installing Homebrew.

Install Xcode Select

Turns out you need Xcode Select installed, too. So I ran this code.

xcode-select --install

That popped up a dialogue box, I said Install.

This install took a few minutes, and then once it was done, I was ready to install certbot.

Install certbot

brew install certbot

That easy? Aye!

Get a Certificate!

We’re almost there. Now to get a certificate from Let’s Encrypt.

sudo certbot certonly

It will ask what type of server you have. Choose 3: Place files in webroot directory.

It will prompt you to provide the fully qualified domain name (FQDN) for the server, such as neverhadtofight.com.

It will then create some files in a subdirectory called .well-known to confirm you have ownership of this website. Once that’s done it will save the .pem files for you.

Transfer the .pem files to desktop

Enter these cp commands to copy your files.

Replace <<FQDN>> with your FQDN. Replace <<USER>> with your username.

sudo cp /etc/letsencrypt/live/<<FQDN>>/privkey.pem /Users/<<USER>>/Desktop/privkey.pem
sudo cp /etc/letsencrypt/live/<<FQDN>>/fullchain.pem /Users/<<USER>>/Desktop/fullchain.pem

Hooray, now these files are on your desktop.

Install Certs

Open Server.app

Go to Certificates.

Click on the +

Choose Import Certificate Identity…

Drag and drop the two .pem files and BAM

DONE!
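An added example (not part of the original guide): the two cp commands above leave a copy of the private key on the Desktop, so this script stages both files in a directory only its owner can read, checks that privkey.pem really belongs to fullchain.pem before you import, and removes the copies afterwards. The function names, the script file name and the staging directory are assumptions; make_sample_identity builds a throwaway self-signed pair for trying it out.

```bash
#!/bin/bash
# Added example, not from the original guide. Names and paths are assumptions.

# Public key (PEM) of the first (leaf) certificate in a PEM file.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Public key (PEM) derived from a private key file.
key_pubkey() { openssl pkey -in "$1" -pubout 2>/dev/null; }

# Copy privkey.pem and fullchain.pem from a certbot "live" directory into a
# staging directory readable only by its owner, then confirm they are a pair.
# Returns 0 on success, 1 if the copy fails, 2 if key and certificate differ.
stage_identity() {
  live_dir=$1
  dest=$2
  ( umask 077 && mkdir -p "$dest" &&
    cp "$live_dir/privkey.pem" "$live_dir/fullchain.pem" "$dest/" ) || return 1
  chmod 700 "$dest" || return 1
  chmod 600 "$dest/privkey.pem" "$dest/fullchain.pem" || return 1

  cert_pub=$(cert_pubkey "$dest/fullchain.pem")
  key_pub=$(key_pubkey "$dest/privkey.pem")
  # An unreadable or corrupt file yields an empty string and is rejected too.
  if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
    echo "privkey.pem does not match fullchain.pem; removing staged copies" >&2
    rm -f "$dest/privkey.pem" "$dest/fullchain.pem"
    return 2
  fi

  # Under sudo the copies are owned by root; hand them to the invoking user
  # so Server.app can read them when they are dragged in.
  if [ -n "${SUDO_USER:-}" ]; then chown -R "$SUDO_USER" "$dest" || return 1; fi
  return 0
}

# Remove the staged copies once Server.app has imported the identity.
discard_identity() {
  rm -f "$1/privkey.pem" "$1/fullchain.pem" && rmdir "$1"
}

# Constructed sample input: a throwaway self-signed pair laid out like
# /etc/letsencrypt/live/<<FQDN>>/ (for trying the functions, not for serving).
make_sample_identity() {
  mkdir -p "$1" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=example.test" \
      -keyout "$1/privkey.pem" -out "$1/fullchain.pem" 2>/dev/null
}

# Usage (hypothetical file name):
#   sudo bash stage_identity.sh /etc/letsencrypt/live/<<FQDN>> /Users/<<USER>>/Desktop/le-import
if [ "$#" -eq 2 ]; then
  stage_identity "$1" "$2" && echo "staged in $2; delete that directory after importing"
fi
```

Let’s Encrypt certificates are valid for 90 days, so the same copy, import and cleanup is repeated after each renewal.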

Recollection Volume 41 – Original Music From The Motion Picture “The Such”

Recollection is a project to review my record collection. I will listen to an album I own and review it. The album will be chosen randomly by computron 2.0. Today computron chooses…

Album: Original Music From The Motion Picture “The Such”
Artist: Elevator Through
Released: 1998
Format(s) I own it on: CD

After the break up of Eric’s Trip, Rick White began some home recordings under the name Elevator To Hell, eventually adding Eric’s Trip drummer Mark Gaudet, and Orange Glass alumnus and White’s then-wife, Tara White. Elevator To Hell eventually became Elevator Through who later became Elevator.

Elevator was one of the best psychedelic bands in Canada during the 1990s and 2000s. This is in no small part due to the fantastic rhythm section provided by Mark Gaudet and Tara White. Gaudet’s drumming style is uniquely his own, he plays with a heavy emphasis on the cymbals. Gaudet doesn’t have a light touch, one of the times I saw Elevator live, Gaudet broke his snare’s skin. The band was performing without any breaks in the music, so the Whites jammed while Gaudet fixed the drum.

Tara White’s bass playing is an attack. She knows where to go to move the song. Her bass playing is melodic where you don’t expect it to be. She’s damn good.

I first heard Elevator Through, specifically “The Pick-Up” on a cassette I received from someone I knew on IRC, the #sloan channel. It took me about 15 years before I finally purchased The Such. I still have this cassette, and the contents of that cassette live in a playlist in iTunes. I have no idea if the tape still plays, but sometimes I still expect it to transition between songs like that cassette, going from Belle & Sebastian’s “A Summer Wasting” to Beck’s “Halo of Gold” rather than the more expected “Seymour Stein.”

The Such is the soundtrack to a film that I only just saw. It’s on Vimeo, embedded below. It’s less a film, and more a long-form music video. There are definite pieces that stand out as being from a soundtrack, including the title track, which starts with wind chimes. I first put this record on for reviewing while lying in bed with the gusts of wind blowing through my open window. The chimes brought me into this record. The chimes return throughout the record.

Highlights

My favourite is “The Pick-Up” which was my entry to Elevator’s music. It’s also the most melodic of the album. Though my partner referred to it as “that album you’ve been listening to that sounds like Doctor Who.” I think that’s a compliment, Delia Derbyshire’s realization of the original Doctor Who theme is an amazing feat.

“The Wink” comes in a close second. I feel it starts off poorly, but once the song gets going, it delivers.

Lowlights

“The Such” is windchimes. It’s going to go here, as lovely as it was that one time, it won’t be when it comes on randomly in my car.[1]

“Sleep Experiment No. 3” does nothing for me.

Men 33.295 (81%) | Women 7.705 (19%)
CD: 24 (59%) | Vinyl: 13 (32%) | Digital: 0 (0%) | 7″: 2 (5%) | Box: 1 (2%)
1960s: 5 (12%) | 1970s: 3 (7%) | 1980s: 1 (2%) | 1990s: 12 (29%) | 2000s: 17 (41%) | 2010s: 3 (7%)
Canada 13.8 (34%) | USA 17.2 (42%) | UK 8 (20%) | NZ 1 (2%) | FR 1 (2%)
Ontario 5 (36%) | Quebec 1 (7%) | Nova Scotia 4 (29%) | New Brunswick 2 (14%) | Manitoba 0 (0%) | British Columbia 1 (7%) | Prince Edward Island 0 (0%)
Saskatchewan 0 (0%) | Alberta 0 (0%) | Newfoundland and Labrador 1 (7%) | Northwest Territories 0 (0%) | Yukon 0 (0%) | Nunavut 0 (0%)
  1. Fun Story Time™: I have a two room setup with Sonos, was in my bedroom as I was finishing up this article. Pressed play, had two people in my living room yelling, “ADAM! What’s going on?” Apparently I was playing the wind chimes in the wrong room. I forgot about the footnotes part of my blog, I used to have fun with that, I should bring them back.

Recollection Volume 40 – On The Beach

Recollection is a project to review my record collection. I will listen to an album I own and review it. The album will be chosen randomly by computron. Today computron chooses…

Album: On The Beach
Artist: Neil Young
Released: 1974
Format(s) I own it on: CD

This is the final selection by Computron 1.0. It was a FileMaker database, that somehow went missing. I don’t know where the file ended up. As I unpacked from my move, I recreated Computron as a Google Sheet. The next entry will be generated from that.

I haven’t been able to put down On The Beach, it’s one of Neil Young’s best records. I’ve had this record on loop since I finished writing the Another Side edition of Recollection.

Contributions from Ben Keith, Graham Nash, David Crosby, Levon Helm, Rick Danko and many more make this one an all-star lineup for a bit of a strange record.

Neil Young is no stranger to strange, and this won’t be his furthest departure, but this, his fifth record, is the beginning, or perhaps the end of the classic Neil Young. Depends on your perspective. He had his self-titled record under his belt, Everybody Knows This Is Nowhere (his first with Crazy Horse), and the brilliant After The Gold Rush and Harvest. Young would spend the rest of the decade creating with a quality of valleys and peaks. However, On The Beach is as much a child of Harvest as it’s the parent of Tonight’s The Night. This record is unique in its own right.

But is it good? Hell yes.

Highlights

The opening two tracks, “Walk On” and “See The Sky About To Rain” are amongst the best of Young’s output. I would put those on any best of compiled for Young’s career. When the original line up of The Byrds reunited they took the spots usually reserved for Dylan covers and provided them to Young and Joni Mitchell. They performed “Cowgirl In The Sand” and “See The Sky About To Rain.” While the former isn’t much to write home about, Gene Clark’s vocals on “See The Sky About To Rain” are divine. It doesn’t compare to the Neil Young original, which in turn doesn’t compare to the version on his Massey Hall album.

Lowlights

It’s hard to pick a lowlight, as the record is solid. There’s nothing I would remove, but I think “Vampire Blues” would be my least favourite.

Men 32.625 (82%) | Women 7.375 (18%)
CD: 24 (60%) | Vinyl: 13 (33%) | Digital: 0 (0%) | 7″: 2 (5%) | Box: 1 (3%)
1960s: 5 (13%) | 1970s: 3 (8%) | 1980s: 1 (3%) | 1990s: 11 (28%) | 2000s: 17 (43%) | 2010s: 3 (8%)
Canada 12.8 (32%) | USA 17.2 (43%) | UK 8 (20%) | NZ 1 (3%) | FR 1 (3%)
Ontario 5 (38%) | Quebec 1 (8%) | Nova Scotia 4 (31%) | New Brunswick 1 (8%) | Manitoba 0 (0%) | British Columbia 1 (8%) | Prince Edward Island 0 (0%)
Saskatchewan 0 (0%) | Alberta 0 (0%) | Newfoundland and Labrador 1 (8%) | Northwest Territories 0 (0%) | Yukon 0 (0%) | Nunavut 0 (0%)

Recollection Volume 39 – Another Side Of Bob Dylan

Recollection is a project to review my record collection. I will listen to an album I own and review it. The album will be chosen randomly by computron. Today computron chooses…

Album: Another Side Of Bob Dylan
Artist: Bob Dylan
Released: 1964
Format(s) I own it on: CD/Vinyl

I was excited for this one. I don’t listen to Bob Dylan much these days, but still like his music. Back in the high school days, this was one of my favourites. Something changed. I don’t know exactly what it was, but here I am, nearly three years after having started this post, and I’m only just getting back to it. It didn’t help that the FileMaker database I had catalogued everything in has gone missing.

I had so many problems with this record, because I used to love it, but now I don’t love it, and I don’t dislike it. There are definitely some cringe moments on this record. I’m often listening and unsure about so much of the record.

Like the title suggests, this record is meant to show Bob Dylan in a new light. He’s no longer the protester, he’s singing love songs.

At times, Dylan’s lyricism can be generously described as pedestrian, but other times, we see the genius that everyone seems to always talk about.

Highlights

“Chimes of Freedom” is a song I loved from this album during my teenage years, and still do.

His nasal voice pouring out “Ballad in Plain D” might be one of Dylan’s greatest accomplishments. The song is so perfect, I cannot imagine any cover ever doing it justice.

Lowlights

I hate “Motorpsycho Nitemare” and “Black Crow Blues.”

Men 31.625 (81%) | Women 7.375 (19%)
CD: 23 (59%) | Vinyl: 13 (33%) | Digital: 0 (0%) | 7″: 2 (5%) | Box: 1 (3%)
1960s: 5 (13%) | 1970s: 2 (5%) | 1980s: 1 (3%) | 1990s: 11 (28%) | 2000s: 17 (44%) | 2010s: 3 (8%)
Canada 11.8 (30%) | USA 17.2 (44%) | UK 8 (21%) | NZ 1 (3%) | FR 1 (3%)
Ontario 4 (33%) | Quebec 1 (8%) | Nova Scotia 4 (33%) | New Brunswick 1 (8%) | Manitoba 0 (0%) | British Columbia 1 (8%) | Prince Edward Island 0 (0%)
Saskatchewan 0 (0%) | Alberta 0 (0%) | Newfoundland and Labrador 1 (8%) | Northwest Territories 0 (0%) | Yukon 0 (0%) | Nunavut 0 (0%)

macOS Sierra Beta

Apple has been seeding developer previews of macOS Sierra (10.12) since the Worldwide Developer Conference in June. I installed developer preview 6 and have been using that and version 7 since their release. Fortunately, everything seems to be running quite well.

One of the features of 10.12 is Siri on your Mac. The one thing I use Siri for the most is the clock functions. Timers and alarms. I tried setting a timer on my Mac using Siri, and there’s no functionality for that in 10.12.

Perhaps Apple will add this functionality. In the meantime we are seeing SiriKit being made available to iOS developers in iOS 10, so perhaps we’ll see something similar in macOS 10.13.

Siri on macOS

Standing Desk

At my work, I have a motorized standing desk. I was looking for apps that would remind me to stand and sit at regular intervals. In the long run, I want an app that conditions me, so it starts at standing for an hour a day for a week, then two hours a day for a week, and so on and so forth. I can’t find that app. Instead I made a quick AppleScript that will prompt me to change position every 45 minutes.


set answer to ""

-- Alternate between the two prompts until "Quit" is chosen.
repeat while answer ≠ "Quit"
    set answer to the button returned of (display dialog "Please rise." buttons {"Quit", "Okay"} default button 2)
    log answer

    if answer = "Okay" then
        delay 2700 -- 2700 seconds = 45 minutes
    else if answer is equal to "Quit" then
        tell me to quit
    end if

    set answer to the button returned of (display dialog "Please be seated." buttons {"Quit", "Okay"} default button 2)

    if answer is equal to "Okay" then
        delay 2700 -- 2700 seconds = 45 minutes
    else if answer is equal to "Quit" then
        tell me to quit
    end if
end repeat

It’s been a long time since I’ve done any AppleScripting. I forgot how human it is. I expected not equal to to be !=, when it’s just the not equal to sign (≠). I expected else if to be elseif.

I’ve thrown it up on my GitHub repo, you can find that here. A compiled version can be found here.

Doctor Who Serial 062 – The Sea Devils

What better use of being sick in bed than watching Doctor Who?

Synopsis:

The episode begins with a sinking ship and The Doctor visiting The Master in prison. OH. MY. GOD. The Master is actually running the prison he’s a prisoner in! Dum dum dum! Something is peculiar about that sinking ship, so The Doctor investigates, this leads him and Jo to a Naval base, from where they visit a “sea fort.” Their motorboat is exploded… by SOMETHING!

Seven months later, I’m no longer sick in bed, and I find myself watching Doctor Who again. Episode 3 began with a sword fight between The Doctor and The Master. It might have been one of the greatest episodes ever. The vast majority of the episode takes place when The Master insists the warden of the prison takes The Doctor into custody. It’s up to Jo to free The Doctor, and she does, by pretending to be an ottoman while The Doctor pushes a guard over her. Jo then delivers a karate chop that Jon Pertwee must have been proud of as the guard falls down.

Episode 3 ends when The Doctor and Jo are making their escape. The Master summons a Sea Devil, and our heroes are faced with prison guards on one side, a sea devil on another, a cliff with The Master behind them, and a mine field to their right. Roll credits.

The Doctor eventually goes down to the sea floor in a capsule and meets the Sea Devils. He proposes brokering peace negotiations between the Humans and the Sea Devils, while The Master is just a shit-disturber and trying to TAKE OVER THE WORLD!

Eventually it leads to shots of people in ridiculous costumes proceeding to war. The visuals are amazingly hilarious.

Then The Doctor encounters the invasion force, and YES! Pertwee’s karate chop is the highlight of his era in Doctor Who.

It’s strange that the main story of this episode seems to resolve itself with a firefight. Not the most Doctor Who of resolutions.

Then The Master escapes with a karate chop. Which leads to a watercraft chase.

Overall, a worthwhile episode.

NetGear ReadyNAS Time Machine Backup

It seems you cannot mount your Time Machine backup on a ReadyNAS device using normal credentials. Time Machine is segmented off with a special user. Which means I needed to restore my computer using Migration Assistant. It took FOREVER over wifi. However, I seem to be missing my Aperture Libraries. What’s the solution? Assuming it was backed up, I need to find the sparsebundle. It took a lot of searching, but I found it, and will share my brilliance with you in case you ever need to find it, too.

/data/.timemachine

To access: SSH in as root. Then copy the files to an SMB or AFP accessible directory.

cd /data/.timemachine
cp -R * /home/<yourusername>

New Job, New Server

Adam

If you weren’t aware, when the month changed from June to July, I also changed jobs. I graduated from elementary school to high school. Today was the first day at my new job where I really had time to myself to do what I please. It was time to play with servers.

The school already had a Hyper-V setup, so I installed a copy of Ubuntu and hit the ground running. Once I had the IP setup and SSH enabled, I was ready to go. First thing to install was Docker.

$ wget -qO- https://get.docker.com/ | sh

With that simple command I had Docker running on the server.

For those unaware, Docker is a container system for servers. It allows you to compartmentalize services on a server without the overhead of extra operating systems, like virtualization does. In other words, when you virtualize, you could have 10 virtual servers on one physical machine, all running full copies of Windows. That’s 10 copies of Windows. That’s a lot of overhead. Docker lets you run on one single OS, sharing resources, but compartmentalizing services.

Once I had my server setup, I had to create a Munki repository. Munki is a program that allows you to easily distribute applications.

I started by creating a data storage container to hold my Munki files. I used this to guide me, https://registry.hub.docker.com/u/macadmins/munki/

$ docker run --name munki-data -v /mnt/docker_data/munki_repo:/munki_repo busybox

Boom, I had a place to store my files, but I needed to get at the files. So I set up an SMB share. This time it takes three lines of code. I’m not inventing anything here, taking generously from here https://registry.hub.docker.com/u/nmcspadden/smb-munki/

$ docker run -d -p 445:445 --volumes-from munki-data --name smb nmcspadden/smb-munki /munki_repo

$ docker exec smb chown -R nobody:nogroup /munki_repo/

$ docker exec smb chmod -R ugo+rwx /munki_repo/

Now I can access my Munki repo through the Finder on my Mac. Now to populate the repo. To do that, I opened up AutoPKGr, pointed it to the new Munki server, and started running some .munki recipes. There were some new programs I hadn’t used before that I needed to include. Among them were GameSalad and Sonic Pi. There weren’t AutoPKG recipes for them, so I dove in, and now they’re available to the whole community. There’s still a couple titles I need to create recipes for, but I’ll get to that tomorrow.

Next was activating the web server. Munki is just files on a web server. Using Docker to create an Nginx instance shouldn’t be hard, and it’s already been done for Munki. So all I had to do was type in:

$ docker run --name munki --rm -p 80:80 --volumes-from munki-data macadmins/munki

Easy peasy, right?

Wrong.

$ sudo defaults write /Library/Preferences/ManagedInstalls SoftwareRepoURL "http://FQDN/munki_repo"

I, of course, replaced FQDN with the fully qualified domain name. It wasn’t working. Running managedsoftwareupdate on the computer was returning a 404 error. It wasn’t hitting the server properly. What did I do wrong?

After a bit of help from the author of the docker file, I discovered that it’s pointed to http://FQDN/repo, not /munki_repo. D’OH! I could have gone here and seen on the original file that repo is pointing to munki_repo.

But it’s up and running. I could now use Munki to have the client upgraded to OS X 10.10.4, so I can test Yosemite (or Yo, Semite!) in this environment. And that worked like a charm.

That was all I was supposed to do that day, but it was still early. Why not tackle one more job? Let’s set up MunkiReport-PHP!

MR-PHP is a program which lets the client computers report in and give the admin useful data about the state of the fleet. Fantastic! It’s also been Dockerized, so it should be easy. I found it on DockerHub, and I was ready to go…

As you can see from above, my Munki repo is sitting at /mnt/docker_data/munki_repo, so it made sense to put the config file for MR-PHP at /mnt/docker_data/munkireport.

$ sudo mkdir /mnt/docker_data/munkireport

$ cd /mnt/docker_data/munkireport

I needed the config file there.

$ sudo curl -O https://raw.githubusercontent.com/munkireport/munkireport-php/master/config_default.php

$ sudo cp config_default.php config.php

That downloaded the file and copied it, so I had a factory default if needed. I then ran the docker container.

$ docker run -d -v /data/munkireport -v /mnt/docker_data/munkireport/config.php:/app/config.php -p 80:80 macadmins/munkireport-php

Except the ports of 80:80 won’t work! EEK! 80 is in use by Munki. So I ran…

$ docker run -d -v /data/munkireport -v /mnt/docker_data/munkireport/config.php:/app/config.php -p 5000:80 macadmins/munkireport-php

So now I could go to http://FQDN:5000 and generate a password, which I would then throw into the config.php file, along with any other changes I might need to make. Hoorah!

And that’s it, easy peasy lemon squeezy.

Tomorrow I test Yo, Semite!

Yosemite Sam 10.10.3

OS X 10.10 Yosemite

In September, Apple released OS X 10.10 (Yosemite). September is not a good time to release a new OS from the point of view of a K-8 IT Manager. We need a few months before the school year starts to do testing, and that was not able to happen.

In previous years I had waited until the following summer to upgrade. This year with the implementation of Munki at the school, I wanted to roll out 10.10 to staff and students as an optional install after 10.10.3 or 10.10.4 was released. During the Passover break, Apple released 10.10.3, and that release led to a major realization.

Apple had patched a security vulnerability in 10.10, which is also present in 10.9, 10.8, and 10.7. This vulnerability gives a user access to root privileges, allowing one to install software. I can’t think of a better reason to roll out Yosemite.

Upon return from break, I used createOSXInstallPkg to create an OS X installation package. In other words, it makes an installer that one can distribute through normal distribution means; including Munki.

I ran my first test and I was getting an error saying the drive must be an HFS+ drive to install Yosemite. Turns out all it really means is that I have to enable journaling. It’s a simple terminal command to allow one to do that.

/usr/sbin/diskutil enableJournal /

That was easy. Now to do this for the entire school fleet. That’s also easy. I created a nopkg installer through Munki and was left with this file (hosted on GitHub). Once that was in Munki, I watched it go out without a hitch.[1]

Now that I could install 10.10.3, I did, but umm, why is it taking me through the setup assistant?

I booted into Deploy Studio and told it to skip the setup assistant. On reboot, the computer looked normal, but there was no local admin user (LBDS). Uh oh.

With an email to the MacEnterprise email group, I was reminded of a discussion from months ago that Apple now owns users with a userID below 500. Back then I wasn’t worried; our local admin user was 501. Turns out I was wrong. Our userID was 499.

To be able to roll Yosemite out to all users, I’d have to change the admin user. Do I make a new one and roll out that package through Munki using CreateUserPkg? Allowing Yosemite to erase the old local admin user? That could work, but what if it doesn’t erase the old user? I could delete the user using dscl, or I could just use dscl to change the userID. What about all the permissions? A quick Google search led me to here.

That would be easy to implement with a nopkg installation through Munki. And I did.

Now just to make those two a prerequisite for 10.10 installation and we’re Yosemite-bound.
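A preflight check for the problem described above, as an added example that is not the author’s Munki script: it reads the two-column output of dscl . -list /Users UniqueID and lists accounts with a UID below 500 that are not Apple’s own (underscore-prefixed, root, daemon, nobody). The function names and the sample listing, including the lowercase account name lbds, are constructed for illustration.

```bash
#!/bin/bash
# Added example, not the author's script. Function names are assumptions.

# Constructed sample of `dscl . -list /Users UniqueID` output;
# "lbds" stands in for a local admin account sitting at UID 499.
SAMPLE_DSCL_OUTPUT='_www                    70
daemon                  1
lbds                    499
nobody                  -2
root                    0
student                 502
teacher                 501'

# Reads "name uid" lines on stdin and prints "name uid" for every account
# that is below UID 500 but is not one of the operating system's own.
low_uid_accounts() {
  awk '
    NF >= 2 {
      name = $1; uid = $NF
      if (uid !~ /^-?[0-9]+$/) next     # skip malformed lines
      if (name ~ /^_/) next             # service accounts are underscore-prefixed
      if (name == "root" || name == "daemon" || name == "nobody") next
      if (uid + 0 < 500) print name, uid
    }'
}

# Exit status 0 when no account is affected, 1 otherwise, so it can gate
# the OS upgrade until the userID has been changed.
preflight_uid_check() {
  hits=$(low_uid_accounts)
  if [ -z "$hits" ]; then
    return 0
  fi
  echo "accounts with a UID below 500: $hits" >&2
  return 1
}

# On a Mac, check the live directory; elsewhere, run against the sample.
if command -v dscl >/dev/null 2>&1; then
  dscl . -list /Users UniqueID | low_uid_accounts
else
  printf '%s\n' "$SAMPLE_DSCL_OUTPUT" | low_uid_accounts
fi
```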

  1. We had a weird problem where the actual script wasn’t running, so we put it in the install check, it worked fine that way.