Matthew Ernisse

March 11, 2020 @15:00

The Problem

So I came into the office this morning and noticed that my Ubiquiti USG-3 had upgraded itself from v4.4.44.5213844 to v4.4.50.5272448 and the VPN tunnel was down. I flailed at a few obvious things: reset the clock since it had lost connection to my NTP server, made sure the configuration didn't get wiped, and made sure my certificates appeared to be in place. Everything checked out OK and the logs weren't showing anything, so I went and cranked up the debug level in /etc/strongswan.d/charon-logging.conf, changing the level of both ike and net to 2 and restarting the daemon with ipsec stop and ipsec start. After a bit I noticed the following in /var/log/charon.log:

More (26%) …

February 25, 2020 @17:34

So DNS over HTTPS is coming to Firefox. For most people this is certainly a good thing. When I worked for a national ISP around 2008 they started snooping DNS queries and sending them off to various ad networks, and inserted those stupid advertising-laden search pages into users' sessions instead of returning the correct and proper NXDOMAIN response when you mistyped a URL. There were executives who were very pleased with this extra revenue stream and got large bonuses as a result. This was over a decade ago, so I can only imagine how this has gotten worse. DNS over HTTPS (and also DNS over TLS) makes this impossible, which is good.

More (22%) …

February 16, 2020 @17:57

Buried in a long rant about general Apple screwiness lately I mentioned that I've been having issues with automount(8) in macOS Catalina. I have been periodically poking around at the system to see if I can figure out why the heck it is happening. The general wonkiness already drove me to convert my iTunes Library backup script to rsync(1) over SSH instead of simply copying to the automounted backup folder.

More (21%) …

February 14, 2020 @22:40

I have not really had the time to sit down and have a good rant about Apple lately. I swear that I try not to get too emotionally invested in products, but since I end up using one Apple product or another just about every day the annoyance just seems to pile up and eventually I just need to let it out. I will start on a somewhat nice note by remembering that since switching to OS X back around Snow Leopard and iOS back in 2017 it has mostly been a decent experience. At first I really liked having simple access to Unix-style tools in an OS that I didn't need to screw around with. I also appreciated the privacy features and consistent user interface in iOS.

More (8%) …

February 11, 2020 @09:30

I was chasing down random errors last weekend in an effort to cut down on the daily deluge of messages from cron(8) and I realized that it had been several months since the Synology NAS I have at work successfully backed up. It only runs once a week, so the e-mails largely got overlooked and, somewhat shamefully, when I came across them I often suspected that the office Internet connection had just dropped mid-transfer.

More (15%) …

January 13, 2020 @17:30

Back in 2014 I built a FlightAware ADS-B feeder using a Raspberry Pi and a USB SDR dongle. While all commercial traffic is required to use the 1090MHz 'Extended Squitter' extension to the Mode S transponder as of January 1, 2020, there is an option for the general aviation community known as UAT, which operates on 978MHz and is meant to provide more affordable in-aircraft equipment for aircraft that will not operate above 18,000 ft MSL. Now that adoption is mandatory in US controlled airspace, I wanted to add UAT capability to my surveillance site. Since the 1090MHz feeder uses most of the capability of the Raspberry Pi in it, I decided to use a Raspberry Pi Zero W that I had lying around to build a separate feeder for UAT.

More (27%) …

January 12, 2020 @12:00

A while back I began working on replacing MRTG and RRDtool. I have written about the major parts of this previously, but the one feature of RRDtool that I still needed to support was the summarization and retention policies. The RRDtool database will automatically consolidate and roll off stored values based on the definitions set up when the database is created. This is used by MRTG to generate the 'Daily' graph with a 5 minute average, the 'Weekly' graph with a 30 minute average, the 'Monthly' graph with a 2 hour average and the 'Yearly' graph with a daily average.

More (26%) …

Original: November 07, 2019 @08:46
Edited: November 11, 2021 @14:11

Last night I had a need to put together a new OpenBSD machine. Since I already use DigitalOcean for one of my public DNS servers I wanted to use them for this, but sadly, like all too many of the cloud providers, they don't support OpenBSD. They do support FreeBSD, and I found a couple of writeups that show how to use FreeBSD as a shim to install OpenBSD.

More (22%) …

November 02, 2019 @22:20

I've been using iOS 13 since the public beta and have had some... unkind things to say already. I will pile a few other complaints on as an introduction here to set the tone. The most general one I have is the random new animations in the UI that seem to periodically result in slowdowns or lost taps. iOS 13.1 had a horrible bug where it would not let you scroll while the selection animation was running in a list view (like in Mail), but at least that seems to be fixed in 13.2. Finally, the continuing user anti-experience that I complained about in my impressions of iOS 11 post continues. It takes at least 3 taps to get anywhere useful in half of the stock apps now because of the stupid default views. Music and Podcasts are my most frequently used examples of this, but the App Store is now totally useless. I don't even think there is a way to just list all the apps in a single category anymore. So good luck if you aren't searching for an app by name or looking for one of the 100 most popular apps out of the however many million apps in there. Good thing Apple doesn't lock you into their App Store for getting software on your device... oh... wait.

More (32%) …

November 02, 2019 @15:20

I think it's pretty clear that I have a pretty large pile of technology laying around. Most of it exists to bend some of the more vile trends in technology to my will (for example, I force everything to use my own DNS resolvers which have extensive block lists and force all requests that go out to the Internet to use DNS-over-TLS so my ISP can't intercept my DNS requests to profile me), but I also believe that if you are involved in technology you should try to host as much of your own online presence as you can.

More (18%) …

October 31, 2019 @15:00

Another year of Podcasts

It is that time of the year again, so below is a list of my favorite podcasts this year. As previously, and previously, I am not throwing shade on any previously mentioned podcasts. I am still very much enjoying the ones that are still running. I will call out a couple of previous podcasts that stood out to me this year, but think of this exercise as additive.

More (10%) …

Original: September 26, 2019 @13:58
Edited: March 11, 2020 @14:55

Edit: March 11, 2020

There appears to be some behavior in the USG's configuration system that made it seem like the below Just Worked with intermediate certificates, however it doesn't. A software update exposed that weakness. Everything else seems to hold true even in version v4.4.50 (current as of now). See this post for the updated information on intermediate CA certificates.

More (12%) …

September 17, 2019 @09:24

circa 2002

I registered my first domain name in 2001 ( and though I had several of those dyndns style names for a few years prior, that is where I put up my first blog. In 2015 I got tired of spelling out my e-mail address and got

More (20%) …

September 09, 2019 @11:17

I have been in a mood lately. I've had a couple of projects converge and come crashing down all at once. So while fighting the infrastructure changes needed to switch to Let's Encrypt, updating my own internal CA to support modern standards, remodeling a spare bedroom in the house, and trying to organize my password manager, I found myself re-reading ancient blogs.

More (11%) …

September 07, 2019 @19:30

So over the last few days I've done a bunch of work on the software that generates the website. It has remained mostly the same since I originally wrote it, with the exception of a small refactoring when I moved the publishing workflow over to Docker. After looking at the timing metrics I decided that the various index pages get too damn big even with only 15 articles per page. They often take several seconds to get to DOM Interactive, which... is stupid.

More (35%) …
