December 19 2016 Monday

2016 the annus horribilis review

Firefox started at 43, ended at 50 (they are slowing down....)

Chrome started at 47, ended at 55 (they are speeding up....)

IE....you know what? F**k IE.

Still using Chrome as my primary browser, although Vivaldi is slowly taking over

Didn't go to Connect 16. Won't be at Connect 17. I already know what's going to happen....IBM is going to tell you about all the products that they promise *cognitive* is being added to. Like Verse (2 years ago?) and Toscana. "No, really we are" they will promise. There is a new GM. Can't possibly be worse than the last one.

Speaking of Toscana, it was released. In only a way IBM can release something. Think Verse Basic with all the features taken out. 

Following on from the "release" of new products, IBM decided not to release (as in ever) 9.0.2. Yeah, I know right.....

But Verse On-Prem should see the light of day on December 30th. Yeah, I know right.....

Oh, Hawthorn was released. So there's that.

Still never seen a live (or otherwise) CCM installation. 

Moved up to an iPhone 7 Plus, fingerprint smudge edition. Or as most people call it the shiny black one.

Oh, oh....new podcast. Stu and I could resist no longer. We also brought along Jesse Gallagher so IBM can blame someone new.

We also sneaked in one last TWIL. No really, 115 is it. (see above)

Any "Big IT" thinking of splitting itself in two should endeavor to be more like HPE/HP and not at all like the train wreck that is the Symantec/Veritas split. Train. Wreck. 

By year end I should have 50+ nights in hotels. Not the rented by the hour type, but *real* hotels. That number went up, but my time in a car is about 90 minutes less per day. Yes, per day. Ah, life in ATL.

Brexit *and* Trump. Luckily my grandparents were Irish, so I see another passport in my future.

After having voters potentially end the world, I decided not to inflict further damage on my psyche and stayed with Windows 7 Pro. Even a free Windows 10 is too much to take.

Completed 10,000+ steps every day since Nov 30, 2015. So over 365 days now....the streak is still active. 15,000,000 total steps on my various Fitbit devices.

Technologies that made 2016: Let's Encrypt, SONOS, Nest, Roku, 4K TVs

Darren Duke   |   December 19 2016 09:30:56 AM   |    misc    |   Comments [0]

A while back I blogged that I switched the SSL on this blog to Let's Encrypt, the free SSL provider. I even linked to the crontab post I used to renew the SSL certificate (they are only good for 90 days, so they need to be renewed regularly).

Except mine would not renew. Hum.... I eventually got around to looking at this before the certificate ran out on Dec 20th and it turns out I needed to do a few more steps.

If you manually run the renew.sh on the server without these additional steps this is what you get:

[root@nginx ~]# /root/letsencrypt/scripts/renew.sh
/root/.local/share/letsencrypt/lib/python2.6/site-packages/cryptography/__init__.py:26: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of cryptography will drop support for Python 2.6
DeprecationWarning
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/darrenduke.net.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for darrenduke.net
tls-sni-01 challenge for blog.darrenduke.com
tls-sni-01 challenge for blog.darrenduke.net
tls-sni-01 challenge for www.darrenduke.net
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/darrenduke.net.conf produced an unexpected error: Cannot find a VirtualHost matching domain darrenduke.net.. Skipping.

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/darrenduke.net/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
The Let's Encrypt cert has not been renewed!

  File "/root/.local/share/letsencrypt/bin/letsencrypt", line 11, in <module>
    sys.exit(main())
  File "/root/.local/share/letsencrypt/lib/python2.6/site-packages/certbot/main.py", line 776, in main
    return config.func(config, plugins)
  File "/root/.local/share/letsencrypt/lib/python2.6/site-packages/certbot/main.py", line 592, in renew
    renewal.renew_all_lineages(config)
  File "/root/.local/share/letsencrypt/lib/python2.6/site-packages/certbot/renewal.py", line 365, in renew_all_lineages
    len(renew_failures), len(parse_failures)))
Error: 1 renew failure(s), 0 parse failure(s)


Well that's not good....off I went a-Googling. Here's the missing step.....at least for NginX servers.

./letsencrypt-auto certonly -a webroot --agree-tos --renew-by-default --webroot-path=/usr/share/nginx/html/ -d darrenduke.net -d blog.darrenduke.net -d blog.darrenduke.com -d www.darrenduke.net


A few notes: check that the webroot-path is the same directory listed as the root in the NginX config, and add each domain that is part of the SSL certificate with its own -d option (I have 4 above).
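A pre-flight check for exactly those two notes, written as an added example (it is not code from the blog or from certbot/letsencrypt-auto): given the list of -d domains and the --webroot-path from the certonly command, it parses an nginx configuration and reports, per domain, whether a server block names it (the kind of mismatch the "Cannot find a VirtualHost matching domain" message points at) and whether that block's root matches the webroot, which is where the webroot plugin writes the HTTP-01 token under .well-known/acme-challenge/. The nginx config and the example.com domains below are constructed sample data, and the parser is a deliberately small one that reads server_name and root at the top level of each server block.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample nginx configuration (not the blog's real config): the first
# server block serves the webroot the renewal command will use, the second does not.
SAMPLE_NGINX_CONF = """
http {
    server {
        listen 80;
        listen 443 ssl;
        server_name example.com www.example.com blog.example.com;
        root /usr/share/nginx/html;
        location /.well-known/acme-challenge/ {
            default_type "text/plain";
        }
    }
    server {
        listen 80;
        server_name other.example.net;
        root /var/www/other;
    }
}
"""

# Constructed stand-ins for the -d and --webroot-path arguments of certonly.
DOMAINS = ["example.com", "www.example.com", "blog.example.com", "other.example.net"]
WEBROOT = "/usr/share/nginx/html/"


def _extract_blocks(conf: str, name: str) -> List[str]:
    """Return the body of every `name { ... }` block, honouring nested braces."""
    bodies = []
    for m in re.finditer(r"\b" + re.escape(name) + r"\s*\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            if conf[i] == "{":
                depth += 1
            elif conf[i] == "}":
                depth -= 1
            i += 1
        bodies.append(conf[m.end():i - 1])
    return bodies


def _strip_nested(body: str) -> str:
    """Drop the contents of sub-blocks (location { ... }) so only top-level directives remain."""
    out, depth = [], 0
    for ch in body:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        elif depth == 0:
            out.append(ch)
    return "".join(out)


def parse_server_blocks(conf: str) -> List[Tuple[List[str], Optional[str]]]:
    """Return (server_names, root) for each server block; root is None if not set at top level."""
    blocks = []
    for body in _extract_blocks(conf, "server"):
        top = _strip_nested(body)
        names = re.search(r"\bserver_name\s+([^;]+);", top)
        root = re.search(r"\broot\s+([^;]+);", top)
        blocks.append((names.group(1).split() if names else [],
                       root.group(1).strip() if root else None))
    return blocks


def _name_matches(domain: str, pattern: str) -> bool:
    """Match a hostname against an nginx server_name entry, including the two wildcard forms."""
    if pattern.startswith("."):        # ".example.com" covers example.com and every subdomain
        return domain == pattern[1:] or domain.endswith(pattern)
    if pattern.startswith("*."):       # "*.example.com" covers subdomains only
        return domain.endswith(pattern[1:])
    return domain == pattern


def preflight(domains: List[str], webroot: str, conf: str) -> Dict[str, str]:
    """Per -d domain: 'ok', 'no server_name', or 'root mismatch: <root>' when the
    serving block's root differs from --webroot-path (the challenge file would 404)."""
    blocks = parse_server_blocks(conf)
    want = webroot.rstrip("/")
    report = {}
    for domain in domains:
        roots = [root for names, root in blocks
                 if any(_name_matches(domain, n) for n in names)]
        if not roots:
            report[domain] = "no server_name"
        elif any(r is not None and r.rstrip("/") == want for r in roots):
            report[domain] = "ok"
        else:
            report[domain] = "root mismatch: " + ", ".join(r or "(none)" for r in roots)
    return report


if __name__ == "__main__":
    for domain, status in preflight(DOMAINS, WEBROOT, SAMPLE_NGINX_CONF).items():
        print(f"{domain:20s} {status}")
```

Run it against the real config (for example by reading /etc/nginx/nginx.conf and any included vhost files into `conf`) before the certonly command: every domain should report "ok", since the challenge must be reachable over plain HTTP on port 80 from the block that names the host.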

Once you do this you will see a fair amount of messages on the screen and eventually get to this:

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/darrenduke.net/fullchain.pem. Your cert will
expire on 2017-03-09. To obtain a new or tweaked version of this
certificate in the future, simply run letsencrypt-auto again. To
non-interactively renew *all* of your certificates, run
"letsencrypt-auto renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
Donating to EFF:                    https://eff.org/donate-le


Now when I manually try to renew the certificate I don't get any errors:

[root@nginx letsencrypt]# ./letsencrypt-auto renew --nginx
/root/.local/share/letsencrypt/lib/python2.6/site-packages/cryptography/__init__.py:26: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of cryptography will drop support for Python 2.6
DeprecationWarning
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/darrenduke.net.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal

The following certs are not due for renewal yet:
/etc/letsencrypt/live/darrenduke.net/fullchain.pem (skipped)
No renewals were attempted.



Another thing worth noting is that I appended --nginx to the crontab job as well. That takes care of restarting NginX for me once the certificate is renewed.

I guess we'll see if this all works at the end of February.
Darren Duke   |   December 9 2016 11:06:31 AM   |    ssl  security    |   Comments [0]

A long time ago, before IBM came down like a hammer, there was a podcast. We really enjoyed doing This Week In Lotus, but it became a bit untenable as IBM threatened all kinds of stuff (including revoking *my* Champion status.....) so we stopped. But IBM kept doing "WTF?" kinds of things.....canceling 9.0.2, going to fix packs only, spreading Java 8 out over a year (from now). After getting together at MWLUG, Stuart and I started to reminisce and we started thinking about saddling up again.

So we did.....

Image:WTF? A new podcast? If you liked This Week In Lotus, you should (at least) like ’WTF Tech’

Except this time there are some notable changes:
  • New name, WTF Tech,
  • There are three hosts now. As noted in the last ever TWIL, Jesse Gallagher joins the team. He's funny so he offsets Stu, and he's knowledgeable so he offsets me.
  • Focus has moved from IBM. I would not say IBM are irrelevant (yet, in fact Episode 001's title comes from IBM), but we've expanded our reach.  No one is safe.
  • There will be no guests. So no more shitty audio from guests who never RTFM and had no headphones.
  • It will not be weekly. We're thinking every two weeks, but some weeks will be barren and others (like this last week) will be a perfect storm.

There will be tips, so don't worry. And snark. No point doing it if there wasn't snark.

So what are you waiting for? Head on over to http://wtftech.fm/ and join the fun, and be sure to follow @wtf_tech on Twitter.


Darren Duke   |   October 31 2016 09:00:00 AM   |    podcast    |   Comments [1]

I had switched the blog to SSL a while back (mainly due to Google threatening that non-SSL websites will take a hit in searches). At the time Let's Encrypt (the free, yes free, CA SSL issuer) was just getting started and didn't have roots published to most of the browser root stores. Because of this I went with a free certificate from StartSSL. I'm not disappointed with StartSSL, it's just time to try something else now that the StartSSL certificate has expired.  In fact if you need anything SSL related I'd suggest you give StartSSL a look, they have lots of options and are very reasonable on price.

Still this blog doesn't need EV or anything like that so Let's Encrypt it is. While this blog runs on a Domino server it is fronted by a CentOS server running nginx. These servers are located at Prominic and a quick support request had the required Linux pre-reqs installed on the nginx server.

From there it took maybe 10 minutes to create and install the SSL.

I could outline the steps here, but really, I just followed this:

http://idroot.net/tutorials/how-to-install-letsencrypt-ssl-with-nginx-on-centos-6/

And then used this for the crontab stuff:

https://www.nginx.com/blog/free-certificates-lets-encrypt-and-nginx/

Darren Duke   |   September 21 2016 11:55:20 AM   |    ssl  security    |   Comments [0]

I had praised, then lamented the new-ish iNotes forms templates that allow you to copy and paste images from the clipboard into IE. Well, with FP7 IBM (so far) seem to have addressed the search issue that forced me to disable this again.

It's now back on for my servers. Let's see how long before I lament this again.

It is probably worth pointing out that Ulrich Krause is reporting issues with the "normal" iNotes forms9.nsf shipped in FP7. I have not seen the issue he reported in the forms9s.nsf.

Darren Duke   |   September 14 2016 10:18:37 AM   |    domino  inotes    |   Comments [4]

Update : Check the comments, Shaun has added a link to the actual IBM technote..... you may or may not want 127 as the value, so check that before doing anything.

9.0.1 FP7 has shipped. It's not all we hoped (only three new features, and no Java 8) but yet again the Domino security team has added stuff, this time the oft requested update to Notes client port encryption. But (at the time of writing) all the technotes on how to enable this either go to the wrong page (ICCA) or a nice looking, but still pointless 404 page.

So how do you enable this? Well, after scouring the design partner forum I found a post from the lovely Dave Kern that outlined this a few months back and was able to pretty easily figure it out from there......

This is not everything, there seems to be at least one other setting, but this will get you AES port encryption, so it's a start.


It's a server side notes.ini setting called PORT_ENC_ADV and it's a bitmask value. Based on Dave's post I set this value to 127. That gets me the best available (based on current standards) port encryption that Notes can do. In this case AES_GCM_256, with an AES_128 ticket.

It is backward compatible, I tested FP6 and FP7 clients with this new ini setting with no issue. I see no reason why any client from 6.x onwards would be an issue, but test all the same. So to enable it add this to your server notes.ini:

PORT_ENC_ADV=127


Restart Domino. If you have an FP7 or later client then you will be using AES. To prove this you can enable these two notes.ini settings on the client:

LOG_AUTHENTICATION=1
Debug_Console=1


And you can now see the new port encryption being used. Here's a (just upgraded) FP7 client debug output:

Image:9.0.1 FP7 and how to enable the new port encryption settings

Here's an FP6 client, where the server falls back to RC4_128:

Image:9.0.1 FP7 and how to enable the new port encryption settings
Darren Duke   |   September 14 2016 04:37:42 AM   |    domino  notes  security    |   Comments [2]

Stuart, myself and Jesse Gallagher join for the weekly bi-annual podcast for one last time....listen to it here:

http://thisweekinlotus.com/115-doing-a-three-way/

There is also an exciting announcement at the end.....
Darren Duke   |   September 6 2016 09:15:54 AM   |    twil  ibm  mwlug  domino    |   Comments [3]

Hawthorn 2.0, AKA IBM Mail Support for Microsoft Outlook, AKA IMSMO has recently been released. One of the main install differences between GA (2.0) and LA (1.0) code is that GA requires use of IBM DB2 as a state store for the IMSMO Domino server (whereas 1.0 had no such requirement).

Most organizations can count on the fingers of no hands how many DB2 servers they have, so you'd expect IBM to support MS SQL Server, right? You'd be wrong. You along with me are a moron, and no one's ever asked for that.

Except now I have. And I have an SPR to prove it. IBM uses SPRs to weigh the decision to add a requested feature to a product, so the more organizations that pile on, the bigger the chance IBM will provide this.

If you want this added to IMSMO then you can call IBM support (or use the website) and request that your organization be added to the SPR by referencing SPR RCGOAD5LHQ (APAR LO90041).
Darren Duke   |   August 29 2016 01:46:34 PM   |    domino  hawthorn    |   Comments [3]

Originally 9.0.2 was scheduled for release in late 2015.

Then February 2016 (this would have been 28 months since 9.0.1 shipped).

Then 2H 2016.

Then 2017.

Now, well,  never (if the scuttlebutt at MWLUG is to be believed, and I do believe it).

It was pushed for many reasons, notably to get Verse out of the door. As I mentioned in this post (9.0.2 where for art thou?) and this one (my customers don't want mail next) I've ranted and raved about this before.

To no avail.

Well, it seems some genius (<---sarcasm alert) at IBM has decided to not release 9.0.2 but to roll some (most?) of those features into the upcoming FP7 (and FP8?) release(s). At least we'll (allegedly) get Java 8 and AES port encryption at some point . I guess there is that.

So why would IBM kill a release that is all but ready to ship? I can only fathom one reasonable answer to this.....to forgo the need to support Notes/Domino for a further 5-7 years. I believe a fix pack is only supported as long as IBM want to support it (unless someone can guide me to an IBM document saying otherwise....a quick Google yielded no real answer to this), which is a whole metric shit ton less than 5-7 years. I also think that IBM is going to change the "fix pack" nomenclature, and this was alluded to in several IBM presentations at MWLUG, mainly, I believe as Domino is required for Verse On-Prem (VOP). Still it does look like this is the end of the line for the Notes client (not really a shock) and any semblance of a Domino app-dev strategy (kind of a shock).

Yet again, IBM is causing itself a decent dose of customer hate and migrations with their lack of communication, messaging and approach. You'd think both they and I would learn from this, alas I keep hoping for better for IBM. More fool me, right?

If I'm wrong about 9.0.2, I'm sure an IBM executive will post here. If I'm correct, no doubt I'll get a threatening phone call or two.
Darren Duke   |   August 24 2016 02:42:42 PM   |    902  domino  notes    |   Comments [14]

The first page of the presentation displays fine, but you can't navigate to any other slide or use any other actions (like the image below):

Image:Unable to view embedded SlideShare presentations in Chrome? Try this.....

The fix is to allow 3rd party cookies from SlideShare.net. You can do this in the Chrome settings page, like this:

Image:Unable to view embedded SlideShare presentations in Chrome? Try this.....
Then, manage exceptions:

Image:Unable to view embedded SlideShare presentations in Chrome? Try this.....

Add the following to the hostname pattern:

[*.]slideshare.net


Like this:

Image:Unable to view embedded SlideShare presentations in Chrome? Try this.....


You can now navigate embedded SlideShare presentations.

Darren Duke   |   August 22 2016 04:34:51 PM   |    presentations  chrome    |   Comments [0]