Repairing the road


So here’s a new thing for me to obsess about.  The condition of the road in the summer time.  This spring was especially tough on our road because the rain. never. stopped.  So our road, which was already getting pretty ratty, turned into a nightmare this year.

Here’s a picture from last year – note the gravel-free tracks through grass.  This is not what a gravel road is supposed to look like.  It’s supposed to have gravel in it, not grass.



Here’s a picture of that same segment of road as of this morning.  See?  Gravel, not grass.  Much better.  In essence this is what I’ve been fiddling with every dry day for the last month.  There have been precious few of those, so this project has taken a lot longer than I thought it would.


This is a piece of road we hardly ever use.  It was built so that semis can turn around when they get in here (useful for when we were building the house, and for grain trucks when we were still renting the land for row crops).  But most of the time it just sits there, and you can see that it likes to be covered with grass.


But here’s a picture of it this spring.  One trip across it with a truck and there are giant divots in the road.


So this was my first experiment with the land plane.  It’s starting to get grassy again because I fixed this chunk about a month ago and it’s been raining pretty much ever since.  But you can see how the divot is gone.


Now let’s take a look at some areas that got really bad this spring.  This first one never ever gets this bad.  And never this long a stretch needing to be repaired.


Here’s what it looked like after a few passes of the land plane.  This was the “dang, I’ve really messed this up” picture.  I was thinking that I might be doing more damage than good when I took this shot.  But fear not!  It has to get ugly before it can get pretty.  Pulling all that grass out makes a mess for a while.


See?  This is that same segment after the very last pass.


Here’s another view of that segment.  My first approach, before using the land plane, was to use the bucket on my other tractor.  That’s all I’ve done in prior years, but you can see that I wasn’t really making much of a dent — mostly because there was so much damage over a really long piece of the road.  I was pretty unhappy with the results.


Here’s that same “first few passes with the land plane” shot.


And here’s the “after last pass” shot.  It should be noted that to get through this whole project, I’ve taken something like 10-15 passes across the road.  I changed the settings a few times to try things out and have some ideas that you’ll find in the “Tips” section at the end of the post.


THIS part of the road is always nasty — it’s going through a really wet area and is always soft.  There’s a “redo this section of the road with road fabric” project in my future here.  But you can see just how bad things got this spring.  This shot was taken AFTER I’d worked on this area with the bucket for a while.


And here’s that last-pass shot…  It looks pretty good, but it’s still really fragile.  This smoothyness won’t last long, especially if a few trucks go over it before the rain stops.


Another “before” shot.  Same part of the road, just a little bit around the corner and looking out into the wetland.


And the “after” shot.  This part was really hard to do.  There’s a lot of dirt and not much gravel to dig up along here.  But even with all that, the gravel came back pretty well.  Again, the gravel along here will be pounded back into the road as the summer progresses.  The “redo with road-cloth” project is going to have to extend into this part of the road too.


Here’s the implement — a Woods land plane, hanging on the 3-point hitch of my Kubota M-6800.  This is a really slick deal.  The two edges adjust up and down, and tilt, independently.  See the four bolts at the bottom left?  Loosening them allows that shoe at the bottom to be adjusted up and down.  I fiddled with variations of “low in front, low on one side, etc.” and have a few ideas about how to do that.  You’re looking at my “last pass” configuration — low in front, high in the back, symmetrical side to side.   This doesn’t cut into the road at all, it just rides through the loose gravel and makes it flat.  My goal when running this configuration was to have a nice amount of gravel caught by the front blade and no gravel going over the top of the back blade.  That’s why the road’s so smoothy.  But this configuration is no good for actually repairing the road, only for dressing up the gravel at the end.


Here’s another view of the land plane, showing how the blades are on a diagonal.  In theory, this means that the gravel moves from one side to the other.  It probably does a little bit, but it’s certainly no replacement for a real rear blade if you need to move a lot of gravel from one part of the road to another.



OK, you’re probably really interested in this stuff if you made it this far through the post.  Here are some lessons I learned that I’m documenting for me, since I probably won’t do this project again until next spring and will likely forget some of this stuff.

Clearing grass

The box will clog up during early grass-pulling, dirt-removing passes.  Just raise it a little bit and back up.  That’ll smooth the dirt and grass out and after a few days it’ll have dried enough that it’ll break up rather than clogging the works in a subsequent pass (have I mentioned lots of passes??).  At first I was pushing that stuff off to the side, or pulling it out by hand.  Way too hard.


I ran the scarifiers right at the same level as the front blade for a while, but eventually pulled them off (they aren’t on the land plane in the pictures).  I think they would probably be really important if you were using this to stir up gravel when the road is really dry, but it’s wet here right now and the land plane did a better job of smoothing the ruts without them.

Removing ruts

I set the whole thing up at it’s mid-points all around and level (front and back, side to side, 3-point hitch level) while I was taking the ruts and grass out.  That worked OK, but I think next time I’ll try a slightly less aggressive version of this next setting.

Crowning and removing ruts

Towards the end of the project I wanted to put a little more crown in the road while removing some ruts that came in after a rain.  I set the “leading side” side of the land plane as low as it would go, front and back.  The “trailing side” got set as high as it would go.  I made the leading side bite even more by lowering that side of the box on the 3-point hitch.  So my goal was to bevel the road, with the leading side doing the cutting and then allowing the material to move over and escape out the trailing side.

Finishing and dressing the gravel

Those first two settings are fine for working divots out of the road, but they leave a lumpy surface, because a lot of material goes over the second blade.  I would try to keep that at a minimum by raising and lowering the 3-point but there’s almost no way to avoid it, because my goal was to remove ruts not leave a perfect surface.  But the last couple passes I just wanted to smooth out the gravel, not change the contour of the road.  For this setting, my goal is NO gravel going over the rear blade — that’s how I got that really smoothy surface.  So this setting was level side to side (both on the land plane and the 3-point), low in front and high in the back (to grab gravel easily with the front blade but not let much escape over the back blade).


A great project.  I borrowed the land plane from my friend Danny, but I think I’ll have to buy it from him.  He’s gonna have to pry this thing out of my cold dead hands.  I can imagine taking another pass or two several more times this summer, just to pull the grass.  Darn nifty.





A blog post from Fargo – a new gizmo

Dave Winer has a cool new gizmo (Fargo) that I’ve been messing around with for the last week or so (don’t get me all wrapped up in a time warp here).

Why I loves Fargo

  • I loves this gizmo because I’m addicted to outlining and I’m always on the hunt for simpler, more approachable ways to do it (and recruit other addicts). For the most part, I’ve gotten pretty solidly into the “mind mapping” groove, but that’s just a habit. When you boil my use of mind-mapping software down you find that all I’m really doing is outlining. Enough about why Fargo attracts me.

Problems this WordPress connector solve

  • The problem I was running into with Fargo was “well gee, in many cases I will eventually want to slurp it out of Fargo and push it into a traditional word processor and turn it into a report of some kind — how I do dat?”
  • Another problem I was running into was “how can I keep non-addicts up to date on the outline without forcing them into something that makes them uneasy?”

This connector between Fargo and WordPress may just be the ticket. So here’s a first-try blog post that I’ll then come back and edit a bit to test out how this gizmo works.


  • I coulda sworn I saw one of these outlines posted to a WP site in a way that the expanding/shrinking triangles came along too.
  • That would be good to know how to do — ’cause some of my outlines get
  • really big and it would be nice to allow people to open/close parts of
  • it rather than seeing the whole thing. I wonder if that’s done in CSS,
  • or if it’s a theme thing, or a plugin? Ah… maybe can do that with a public link to the post? Eeeauuu… That’s pretty homely. What about a link to view this post in Reader?
  • oops – lost all the links in that ‘graph. tried to pull them back in by copy/pasting from the WP version but the links didn’t come with.
  • i’m making hash out of this. where did all those extra Returns come from when i pasted the text back in (tried copy/paste of a portion of the paragraph)
  • hm… dragging does something. but not sure what. dragged a big chunk to the bottom of the page and it disappeared. where’s “undo” when i need it? 😉
  • How do I chop over-long paragraphs (like this one is getting to be) into chunks so I can reorganize them? Hitting Return in the middle of my long ‘graph gets me a new one at the bottom. Shift-Return? cmd-Return? alt-Return? ctr-Return? Enter? nope. Hmm. I’m constantly taking notes and tidying up afterward. Gotta be a way… Maybe it’s just a drafting habit I need to learn
    • But I think it would be nice to have a “split this headline” command. place cursor at split point, issue “split” command and wind up with the headline divided in two.
  • Ahhh. Firefox and Safari. That’s the source of my troubles. Safari is a lot nicer experience. I can cut/paste sections of headlines without getting a whole series of headlines.
  • Repainting the SC430

    OK, I admit it.  I’m kindof a lame car guy.  I love cars, but I am old and tired and hate being uncomfortable.  So about 5 years ago I bought a year-1 (2002) Lexus SC430 that had been rode hard and put away wet for the princely sum of $17000.  I’ve been bringing it back from an early grave ever since.  The first few years were devoted to repairing the driving stuff — replacing bent wheels, struts, etc.

    I also did some exterior work on my own, because the black paint (pity me, I own a black car) had gotten a really bad case of the swirlys from many years of bad car washes.  Plus the headlights had gotten really fogged, so I cleaned them up.

    But this year is the year to do what I’ve been dreaming of ever since I bought the car — a complete repainting job.  Mostly to cure all the battered-paint troubles, but also to slightly change the color to an extremely dark blue.  I’m hoping to get that effect where it looks black unless you really look at it in direct sun, at which point the blue metallic will show up.

    This is a post to chronicle the project.

    The folks who did it

    Will and Robert Latuff — of Latuff Brothers Autobody.  They look displeased, no?


    Rick, Dan, Brandon, Don and Tim — the guys that did the heavy lifting.  They look unhappy too.  Maybe they’re feeling crummy about the terrible job they did?  Or maybe they just don’t get along with each other very well.


    Huge hole in this post, waiting for a picture of Kim and Steve from Dick and Rick’s Auto Interiors in Bloomington — the folks who redid the upholstery.


    Ridiculous wallpaper photos (click on them — these thumbnails don’t do them justice)

    Being a big believer in eating my dessert first, here are some “ridiculous wallpaper photos” of the completed project, taken here at the farm.

    sc430 wallpaper 1

    sc430 wallpaper 2

    sc430 wallpaper 3


    sc430 wallpaper 5

    “Before” pictures of the body

    Click on the photos to get the full huge versions so you can see the nasties that I’m trying to fix. Dings, chips, swirlies.  The complete catastrophe.





    Not unexpectedly, this 12 year old car had some extra projects hidden inside it.  Like this crimped thingy.  I’ll have to ask Robert what it is.  My guess is that it’s one of the hoses for the headlight washers.


    This was a good one.  When the one of the prior repairs was made, the people at the body shop GLUED the front bumper on to the car.  No wonder it didn’t line up right.


    “In progress” pictures of the body

    Robert Latuff shared a whole boatload of documentation shots that he took along the way.  Thanks Robert!

    There was all kinds of detail work to do.


    And repairs to badly-done prior repairs.  This car has been through a lot, mostly at the hands of the prior 3 owners.


    There was some pretty rough hail damage, especially on the roof…


    The rear bumper needed to be reworked…


    Even the doors needed to be returned to something more closely approximating their original shape.


    Poor car, so many dents and troubles to be smoothed out.



    Here’s a series of pictures showing the car in various stages of being taken apart, repaired, primed, etc.  Again, these pictures are mostly courtesy of Robert Latuff, although there are a few of mine sprinkled in from the day Robert let me look in on the car while it was in progress.

    Ever wondered what your car looks like with all the soft cushy bits removed?


    It seems silly, but that’s where the “back seat” of an sc430 goes…



    I embarrassed Robert and forced him to stand in one of my pictures.








    Bits and pieces are coming off to get painted


    I don’t think this is street legal, but it looks like it might be fun to drive — if it had seats.


    Redoing the seats

    Speaking of seats. another part of this project was to redo those.  It started to feel like a good time to do it about half way into the repainting, since the seats had already been yanked out of the car.  So they went off to Dick and Rick’s Auto Interiors in Bloomington for a re-do.  Here are some pictures of the way they looked when we started…

    One of the prior owners must have been a cowboy that drove this car with his spurs on.  Really hard on the lower edge of the seat.



    One of the “rear seat” belts had been taped down to keep it from flapping in the wind…  Nice, huh?


    Driver’s seat didn’t look too bad from this angle, but the leather was pretty much on its last legs



    This is a weird sc430 problem that lots of owners have.  The “headrests” in the “rear seat” get clobbered by the sun, shrink, and pull away from their underlying frames.  Homely.


    Here’s the back of the “rear seat” after it’s been removed from the car — in all of it’s duct tape glory.


    And here are the front seats.


    Here’s a shot that Steve took over at the upholstery shop showing another surprise.  I wonder what took that bite out of the upper-left corner of the seat foam.  A bear?

    VINYL 006

    “After” pictures

    These are some more utilitarian pictures — not quite as snazzy as the ridiculous wallpaper pictures at the top of the post, but more documentation of this great project.  Nah, I don’t like it.  Ick.  What a misguided effort this was.

    This is one of the “before” pictures from up above, with a similar “after” picture right behind it.  Oh, one other change this year — I replaced the tires that had worn out with smaller wheels (went from 18″ to 17″) and higher-profile tires to bring the total diameter back up to roughly what it had been before.  If you’re thinking about this, I can tell you I couldn’t be happier.  It’s easy to see the comparison in these two shots.  Old = skinny tires.  New = slightly fatter tires.  It’s also pretty easy to see the slight change in color — from black to dark blue.



    Here’s another “before/after” comparison, again showing the difference in color and tires.  If you click on these thumbnails, you’ll be able to really see the difference in the paint.  Also note the lovely job that the lads did on fixing up the beat up mirror shrouds.




    I forgot to take a “before” picture of all the road rash on the front of the car.  But it’s all gone now.


    Another thing the folks at Latuff fixed was a funky gas cap cover.  It used to stick out in a weird crooked way.  Fixed.


    Hail damage to the trunk?  Fixed.


    Marcie liked the view of the clouds and the trees reflected in the hood.  I do too.


    And here are the seats!

    Here’s a “before” shot, just as a reminder…


    Are these nifty or what?  Steve and Kim over at Dick and Rick’s steered me straight on this one.  I told them that I was going for the color of an old Mercedes SL convertible and this is where we wound up.


    Note the way that the rear “head rests” look now that Steve’s been at it.


    Everybody was a little edgy about whether the remaining old black interior and seat frames were going to work with the new, different-color, upholstery.  I think they work great — I like the way they set each other off.


    The end

    So there you have it.  The Great 2013 Redo of a 2002 Lexus SC430.  I couldn’t be happier — thanks to all who helped!

    One last Ridiculous Wallpaper Picture to send you on your way.  Happy trails!

    sc430 wallpaper 4

    ICANN Intersessional meeting — LA — March, 2013

    A few photos from a “between meetings” ICANN meeting of the non-contracted parties house of the GNSO.  Click on the pictures for full-sized versions.










    You’ll definitely want to click on this panorama and take a look at the full-sized version.  This was an informal session with members of the Board who were arriving for meetings the following day.


    Front row seats




    Migrating from Snow Leopard Server to OSX Server (Mountain Lion)

    Back in late 2011 I wrote this scratchpad post to document my efforts to move from Snow Leopard Server to Lion Server.  I ran into some configuration problems that stumped the 2nd-level folks at Apple and eventually I abandoned the project and stayed on Snow Leopard.

    When Mountain Lion came out, and went through an update or two to iron the kinks out, I decided to have another go at it.  I’m crossing my fingers here, but I’ve been on OSX Server (the new/old name under Mountain Lion) for about a month now and things look pretty stable.  So here’s another scratchpad post to document what I did to put back a few things that were removed from the standard OSX Server environment.


    Stability and Reliability

    Upgrade memory

    I found that the standard 4gByte memory that shipped with my server started to get very tight as I started turning on the various Python based services (Calendar, Contacts, Wiki, etc.).  In fact, by the time I had all those services running, the machine would lock up and crash after being unreachable for a while.  I upgraded the memory to 16 gBytes (not officially supported).  Looking at this memory-use graph out of Server, you can see why the server was having trouble with 4 gBytes but it looks like 8 gBytes would work OK as well.


    Nightly auto-restarts

    I know, real men are supposed to run their servers for decades without restarting them.  But I’ve found that having the server reboot itself every night in the wee hours of the morning clears out a lot of memory-leak cruft and, combined with the added memory, has made the machine quite stable.  System Preferences/Energy Saver/Schedule is the place to do that.


    I hardly ever use it, but the idea of a completely-under-my-control VPN appeals to my tin-foil-hat privacy side.  Setting it up is a little tricky and I found this guide to setting up VPN on a Mac Mini server that’s running Mountain Lion to be really helpful.  I stepped through the process exactly as they described it and it worked.  I love that.

    Replace features that were removed

    Replace firewall capability

    The nifty firewall in Snow Leopard (IPFW) was replaced with the newer packet filter (PF) firewall in Mountain Lion.  And all of the firewall-management features were removed from Server Manager.  Most likely because the presumption is that these servers are running on a network that is already behind a firewall — and because these rascals are tricky and hard for Apple to support.  But I needed to run the PF firewall on this machine.  Doing that by hand is Too Hard, so here’s what I did.

    • Consider using IceFloor, a PF front end —
    • Note: firewall logging gets turned on every time you reload the settings.  Logging can be disabled (once you’ve got a stable set of rules) by editing the config file from the main rules tree.

    Restore MySQL

    Apple dropped MySQL from their distribution (licensing issues would be my guess).  But all of the family web sites run WordPress on top of MySQL so I need to add that back.  Here’s what I did:

    Webmail and email aliases

    Webmail is in the “nice to have in travel emergencies” category.  But the Roundcube webmail is also the best place I’ve found to replace some of the email-forwarding, email-exploder capabilities that went away in the transition from Snow Leopard to Mountain Lion.  So I put it back.  Conceptually, it’s an email client running on the server that can talk to the mail server just like any other client.  It just happens to use the web as its user interface.  Here are useful links to get you started.

    • A useful step-by-step guide –
    • I had the devil’s own time getting authentication to work properly.  In fact the only scheme that works for me is by allowing “Cleartext” as an authentication option in Server, and using LOGIN as the IMAP_AUTH setting in the RoundCube config file (  Here’s a thread that gives more detail around this, although the fix in that thread didn’t work for me —
    • Here’s how to add the “filters” capability (the most important part, for me).  The only thing to keep an eye on is that the example changes are being made to the file rather than the file.  I think this is just an error — but there may be super-cleverness going on there.  In any event, I made the changes to the live file and it’s working.  ymmv
    • I had to do a lot of debugging on this one.  The log/error files (in the /webmail directory where RoundCube is installed) are of great help in figuring out what’s going on.

    Once Roundcube is running, and supporting filters you can…

    Replace “group” emails (in other words, create multi-recipient email aliases)

    Here are the steps I would go through to create an alias

    • Set up the alias in Server Manager as a local user named “friends”
    • Use WorkGroup Manager (download here – to add additional email domains, if you need to.  In this example the “friends” user needs to have added because I host multiple email domains on this server and it would only answer to if I didn’t.
    • Log into Roundcube with the “friends” user credentials to establish the filter that will redirect the mail to the real recipients
      • Go to Settings/Filters
      • Create a new filter
      • Select the “all messages” option for the filter
      • Execute “Send message copy to” rule for each target address (there may be a limit on the number, I only use this for small lists)
      • Execute “Redirect message to” for the last addressee on your list if you don’t want to keep copies of the messages in the “friends” IMAP account on your server
      • Execute “Stop evaluating rules”

    Replace mailing list (Mailman) capability

    This was one of the hardest debugging jobs in the whole transition.  Now that I’ve been through the manual install of this system, I can see why Apple dropped it.  It must be a support nightmare for them.  But I host a couple of very active lists and I have to have this capability, losing it in the migration is a non-starter for me.

    For most of you, you can stop here.  Your email lists will be working on your new server.

    I wanted to run parallel lists under two domains, keeping the lists running under the old domain name until I had the new version up and tested on the new server and then cutting all the list members over to the new list.  If you have a low-priority list where participants can be down for a while, this is probably overkill.  Just let them know that things are going to be broken for a few days, take the lists across, redirect the domain when you change the main DNS MX entry for email and have done.  But I was trying for 100% uptime during the transition.  I bounced my users over a few rocks during this process, but we were up all the time.

    To do email lists under multiple domains in Mailman, you have to pay attention to Alias Maps.

    • I used two different sources to piece together a working configuration:
    • The first page, from Apple, gives you the right syntax for the changes you need to make to the Mailman config file (  The rest of the steps are useful too, except they are pointing to an older location for the Mailman installation (the files are now in usr/local/mailman rather than usr/share/mailman).
    • Here are the key lines in my live file, using my real domains.  The main server domain is, the other three are used for testing or delivering mailing lists.  Every goofy quote and comma matters here.
      • ##################################################     
        # Put your site-specific settings below this line.     
        MTA = 'Postfix'     
        DEFAULT_EMAIL_HOST = ''     
        DEFAULT_URL_HOST = ''     
        POSTFIX_STYLE_VIRTUAL_DOMAINS = [ ‘’, ‘’, '' ]
    • Note: do not use <angle brackets> around any of these entries.  It took me a week to realize that all the documentation was trying to do is look pretty.  But putting <angle brackets> around some of those domain name entries breaks Mailman in a really subtle way.  It works fine at receiving and sending posts to the lists.  But notification-emails to list-owners and list-admins are malformed and get rejected by the SMTP server.
    • That second link, from the GNU documentation, got me to working entries in the Postfix files.  Again, here are the two real working entries from my server.  They’re buried in the file, but that second post explains what you’re about:
      • virtual_alias_maps = $virtual_maps hash:/Library/Server/Mail/Config/postfix/virtual_users,hash:/usr/local/mailman/data/virtual-mailman
      • alias_maps = hash:/etc/aliases,hash:/usr/local/mailman/data/aliases
    • Now that all the plumbing is in place to create email lists under multiple domains, there’s one more trick.  The web-based front end to Mailman is fine if you’re creating lists in a single domain.  But it doesn’t allow you to specify which domain the list will be created in, so if you want to create a list in a domain other than the server’s default domain name, you have to use the command-line command to create the list.  It’s not hard, here’s how.
      • Enter the command line
      • Go to the following directory — you have to be in this directory in order to launch the program.  It will fail if you try it from anywhere else.
        • $ cd /usr/local/mailman/
      • Launch the newlist program and follow the prompts.  The key thing is to include the domain name in the name of the list when you’re prompted — that’s the bit that’s missing from the web front end.  Again, I’ll use live entries that work with the config stuff above.  You type the stuff in bold.
        • sudo bin/newlist
          Enter the name of the list:
          Enter the email of the person running the list:
          Initial bgnws-testing password:
          Hit enter to notify bgnwstest owner...
      • To restart mailman
        • sudo bin/mailmanctl restart
      • Finally, once the new list is created, here are the steps I went through to keep people on the air during the transition period.  My goal was to have the old list keep working while the new one was being built, and then have it wind up that people could send notes to either the old or the new address of the list and wind up in the same place.  This may be needlessly complicated, but it’s the way I did it.
        • Create an email alias in WG manager on the old server – same name, but forwards to the new-server address.  This alias won’t work until the old list is deleted with the rmlist command, coming up in a second.  (note, different domain names are needed for this to work, because I don’t want to migrate all the email/lists at the same time – this would be much easier if you’re just cutting over from an old server to new)
        • Create a forwarding account on the new server – NOT the same name as the new list (so it doesn’t conflict with the new list) but with an alias to the OLD domain name.  Use Roundcube forwarding to push old-domain posts along to the new-domain address of the list.
        • Create a duplicate list on the new server, along with all members and settings
        • Delete the old-server list – now the alias on the old server will kick in and redirect mail to the new-server address.
        • Transition is complete when old-server DNS is moved to new-server – list continues to answer to either new or old domain name because of the forwarding done by the alias account on the new server.



    Update, late 2013:  Preparing for the NEXT upgrade — the road to Mavericks

    I’ve started a thread over on the Apple Support Community to see if there are any impacts to these additions with an in-place upgrade to Mavericks.  It took me a really long time to get from Snow Leopard to Mountain Lion (my attempt to get to Lion never succeeded).  I’m hoping that the road won’t be quite as bumpy this time, but we’ll see.  Here’s a link to the thread.

    So far it looks like Roundcube may need to be updated, although the update looks pretty cool.  One of the appealing things is that address books may be available in the Roundcube environment.  That alone makes it intriguing.

    Loading a Comodo free email cert into Mac OSX Mountain Lion and iOS

    The previous post was all about self-signed certs on my Mac.  Worked fine until I tried to export the cert to my iPhone.  Then I ran into the dreaded “no valid certificates” problem when trying to authorize the profile to sign and encrypt outbound mail.  My homebrew cert worked fine for enabling s/MIME on the device, but it was crippled.  So I ran off and got me a Comodo free email cert and pounded that in.

    Get the cert — using your Mac

    Go HERE — but don’t use Firefox, use Safari on your Mac.  If your default browser is Firefox, copy and paste this link into Safari.  You’ll thank me later.  It works fine in Firefox, but it doesn’t install the cert in a way that actually talks to email.  Their download is highly automated and there’s breakage along the way.

    Follow the steps on the Comodo site and keep your fingers crossed, by the end of the normal process the cert will be correctly installed.  Be not dismayed if the site stalls on the “attempting to collect and install your free certificate” step.  Go look in Downloads — it’s there, with a name like Collectccc.p7s.  Double-click that file and you will find that the Keychain Access app will pop up and start prompting for the password you created when you configured the cert at Comodo.

    Configuring Mail to use the cert, on the Mac

    Nothing to it.  If the cert has been properly loaded, all you should have to do is restart Mail and the signing and encrypting buttons should show up when you launch a new email message.  Note that they’re toggles — so you’ll want to pay attention to what state they’re in.  Otherwise you’ll be signing or encrypting all your mail which may make your recipients a little crazy.

    Configuring iOS to use the cert

    I sure hope this post never goes away.  That’s what I used to learn how to load the cert on my iPhone.  I’m going to put a shorthand version here, just to preserve it (since I’m going to need to repeat this every year when I renew the cert).

    Find the Comodo cert in the Keychain Access app.  UPDATE: Open the Keychain Access app, Click the “My Certificates” choice in Category, select the cert with your email address.  This will solve the “.p12 option greyed out” problem that PY Schobbens noted in the comments.

    Export it in Personal Information Exchange (.p12) format.  Pay attention to the password you put on the export file, you’ll need it on the other end.

    Email the exported cert (drag it into a Mail message to yourself) to the iOS device that’s using the same email address as your Mac.

    Open the attached cert on the iOS device and blast through the “Unsigned Profile” warning.  This is where that password will come in handy.

    Enable s/MIME on the phone (Settings/Mail, Contacts, Calendars/<your email account>/Advanced).  Check to make sure that the signing and encrypting options actually find your cert.  Then take care to back up a layer and tap “Done” to actually write the change to the account.   Note:  this bold highlighting is mostly a message to myself — surely you won’t skip that last step…

    Note: with the arrival of iOS 8, the toggles for encrypting have changed.  So now the “encrypt” option is available at email-sending-time even when “Encrypt by default” is toggled off for the account — much better arrangement for those of us who only encrypt to a few people.

    Notes: adding and using a self-signed s/MIME email certificate to OSX Mail in Mountain Lion

    This is just a scratchpad post to remind myself what I did to get a self-signed cert into Mail under OSX Mountain Lion.

    This first post is all about using a self-generated cert — which will work fine unless you ALSO want to use it on an iOS device.  In which case, skip to the NEXT post, where I cracked the code of getting a Comodo cert installed on my Mac and my iPhone.  Sheesh, this is harder than it needs to be.

    Generating a self-signed certificate

    Click HERE to read the post that laid out the step by step process I followed to create that self-signed cert.  That post goes through the openssl commands to do the deed.  The instructions are written for a Windows user so I’ve rewritten them for a Mountain Lion user

    • Note: openssl is already installed on Mountain Lion, so you shouldn’t need to do any installation
    • make sure to create the cert with the email address you are using in Mail.  In addition, I used that email address as the answer to the “common name” request during the prompting that happens in the Certificate Request part of the process (Steps 2 and 3 below).  I’m not sure that’s required, but it’s part of the formula that worked for me.

    Here are the command-line commands (mostly lifted from the blog post)

    1.    Generate a RSA Private Key in PEM format

    Type: (one time, just to drop into the openssl environment):



    genrsa -out my_key.key 2048


    my_key.key  is the desired filename for the private key file
    2048  is the desired key length of either 1024, 2048, or 4096

    2.    Generate a Certificate Signing Request:


    req -new -key my_key.key -out my_request.csr


    my_key.key is the input filename of the previously generated private key
    my_request.csr  is the output filename of the certificate signing request

    3.    Follow the on-screen prompts for the required certificate request information.

    4.    Generate a self-signed public certificate based on the request.


    x509 -req -days 3650 -in my_request.csr -signkey my_key.key -out my_cert.crt


    my_request.csr  is the input filename of the certificate signing request
    my_key.key is the input filename of the previously generated private key
    my_cert.crt  is the output filename of the public certificate
    3650 are the duration of validity of the certificate. In this case, it is 10 years (10 x 365 days)
    x509 is the X.509 Certificate Standard that we normally use in S/MIME communication

    This essentially signs your own public certificate with your own private key. In this process, you are now acting as the CA yourself!

    5.    Generate a PKCS#12 file:


    pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in my_cert.crt -inkey my_key.key -out my_pkcs12.pfx -name “my-name”


    my_cert.crt  is the input filename of the public certificate, in PEM format
    my_key.key  is the input filename of the private key
    my_pkcs12.pfx  is the output filename of the pkcs#12 format file
    my-name  is the desired name that will sometimes be displayed in user interfaces.

    6.    (Optional) You can delete the certificate signing request (.csr) file and the private key (.key) file.

    7.    Now you can import your PKCS#12 file to your favorite email client, such as Microsoft Outlook or Thunderbird. You can now sign an email you send out using your own generated private key. For the public certificate (.crt) file, you can send this to others when requesting them to send an encrypted message to you.

    Importing a self-signed certificate into the OSX Keychain Access application

    I double-clicked the .pfx (PKCS) file that I’d just created.  That fired up the Keychain Access app and loaded it into the keychain.   I told it to trust the cert when it asked about that.

    Getting OSX Mountain Lion Mail to recognize the self-signed certificate

    Part of what derailed me in this process was that the transition from Lion to Mountain Lion eliminated the account-setup option to select a cert.  It’s automatic now.  So if the email address that’s in the cert matches the email address of the account, the s/MIME capability simply appears when composing a new message.  But in order for this to work, there’s one step needed in order to pull the cert in:

    • restart the Mail app



    Test shots from my new camera (Sony HX30V)


    Hi all.  This is partly a test of the new photo-uploader in WordPress 3.5 — along with a chance to show off pictures from the new camera.  Click through the photos if you want to pixel-peep the ginormous originals.

    This first one is a test of the panorama feature…  This shot is looking from the point behind the house down Pat’s Prairie towards Highway 88 (south).  The nice thing is how it’s picking up the two valleys that form the point I’m standing on.

    Indian Grass Panorama
    Indian Grass Panorama

    This next one is an HDR shot, just using the HDR in the camera instead of shooting 3 bracketed shots and then post-processing them in Photomatix Pro

    Marcie's workstation
    Marcie’s workstation

    This one is a macro shot, taken in really low light, of a gizmo sitting on my desk last night.  I did nothing — this is Superior Auto (super-idiot) mode.

    Stupid macro
    Stupid macro

    This next one is completely silly macro.  Push camera up against the screen of the computer and pull the trigger.  I don’t think there really is a “minimum distance” for macro focus.

    Silly macro
    Silly macro

    The rest of this series is just “stuff that sits behind my desk” in town.  All these shots were taken at night with available light, in Superior Idiot (er, Auto) mode.

    This is one of Dad’s sewing-thread weaving.  It’s double-weave, which means both pieces of cloth are woven at the same time.  REALLY small threads, peepul.

    Paul O'Connor bead double weave
    Paul O’Connor bead double weave

    A cute little turtle that Mom found somewhere in her travels.

    Granny Pat's turtle
    Granny Pat’s turtle

    And an elephant…

    Granny Pat's elephant
    Granny Pat’s elephant

    And two little folks.  This shot was taken from across the room — they’re about half an inch tall.  This is a good example of 20x zoom at work.

    Granny Pat's couple
    Granny Pat’s couple

    Same deal here — shot from across the room.  The bell is a couple inches high.

    Granny Pat's bell
    Granny Pat’s bell

    Another across the room shot…

    Granny Pat's paper Xmas tree
    Granny Pat’s paper Xmas tree

    The Flying Spaghetti Monster, who has unfortunately lost an eye…

    Flying Spaghetti Monster
    Flying Spaghetti Monster

    Ah HA!  Houston, we have the “unexpected rotation” problem.  This picture of folding paper art is rotated 90 degrees to the left.

    Folding paper art
    Folding paper art

    This next one is a really memory-laden picture by an old friend of my parents

    Ried Hastie painting
    Ried Hastie painting

    Mom made baskets for us kids — with pithy phrases worked in the bottoms of them.  This is one of my favorites — “Reach into life”

    Granny Pat basket - Reach Into Life
    Granny Pat basket – Reach Into Life













    Logic Pro runs lots better on my new MacBook Pro

    This is mostly a post that only Logic Pro music-software users will like.  But hey.

    I just went through an agonized decision-making process to upgrade my MBP.  I knew that the cool new CPUs were coming this summer, but then Apple threw the “Retina” curve-ball at me.  I chewed and chewed on that and finally went with the old-style machine because:

    • It’s cheaper (I saved enough to buy a Thunderbolt display)
    • It’s just as fast (how fast?  see below)
    • It’s got lotsa ports (btw, my Axiom Pro keyboard works fine on the USB 3.0 port)
    • My aging eyes don’t benefit from the Retina display
    • It’s easier to upgrade and repair

    So I finally got it home and just ran a “run Logic Pro” comparison between the 2012 MBP and the 2010 MBP and the results are exactly what I had hoped for.  Logic nicely spreads the load across all the cores in the new CPU.  The result is a MUCH cooler-running machine, whereas the 2010 MBP kicks its fans on and starts heating up right away.

    Here’s the picture that tells the tale.  Same song, at the same place, running on the two machines — these are screen-grabs of the CPU displays.  Sure, your mileage may vary.  But I’m really pleased with the first impression.  This is seeming like a machine I can really truly rely on in a live setting.


    I did make one choice that I’d avoid if I were doing it over — I’d skip the hi-resolution screen upgrade.  Yep, even on the old-style MBP you can opt for a slightly denser 1680 x 1050 display rather than the normal 1440 x 900 one.  It turns out my 60+ year old eyes struggle with the now-smaller font size.  Probably means it’s time to upgrade the trifocals.  :-)


    DSSA — DNS Security and Stability Analysis working group

    I’ve been spending a fair amount of time working on an ICANN cross-constituency working group that’s taking a look at the risks to the DNS.  Our gang just posted a major report today and I thought I’d splash this up here so I can brag about our work on Twitter and Facebook.

    That first picture is a summary of the methodology we built (we had to build a lot of stuff in order to get our work done).  It’s basically a huge compound sentence that you read from left to right in order to assess risk.  By the way, click on the pictures if they’re too small/fuzzy to read.

    This second picture shows where we, the DSSA gang might fit in a much larger DNS security context.  We also had a lot of stuff to puzzle through about where we “fit” in the larger DNS security landscape.

    And that last picture is a super high-level summary of what we found.  There’s lots more ideas and pictures in our report — but these three give you kindof a taste of what we’ve been working on.  I think it’s darn nifty.

    If you’re interested in the whole scoop, head over to the DSSA web site.  You’ll find links to the full report, a cool Excel worksheet that crams the whole methodology on to one page (complete with scoring) and more.



    Grinnell Reunion 2012 — a life of happy accidents

    I gave a talk at my Grinnell College reunion last weekend and decided to build this post to share a bunch of links to things that I talked about.  This ain’t a’gonna make any sense to the rest of you.  But the stuff is interesting.  :-)

    This is a story of rivers of geeks.  I described the rivers that I swam in during my career, but these are by no means all of the species of geeks that ultimately built the Internet.  I was lucky to be a part of a gang of 10’s maybe 100’s of thousands of geeks that came together in the giant happy accident that resulted in this cool thing that we all use today.  But don’t be confused — it was a complete accident, at least for me and probably for all of us.  Here’s a diagram…


    The opening “bookend” of the talk was to introduce the idea of “retrospective sense-making” which I first learned about from Karl Weick when I was getting my MBA at the Cornell business school

    I talked a little bit about what it was like as an Asperger guy showing up at Grinnell in the fall of 1968 — when everything was changing.  We Asperger folks have a pretty rough time dealing with changes.  Several people spoke with me about this part of the talk later in the weekend.  The really-short version of my reply was “just give us more runway.”  Many of the geeks that built the Internet are Asperger folks.

    Another giant gaggle of geeks is the “community radio” gang that I was part of.  That part of the talk opened with a discussion of Lorenzo Milam, one of the folks who inspired many of us community-radio organizers to go out and do ridiculous impossible things.

    • These days Lorenzo hangs out at Mho and Mho Works (and Ralph Magazine)
    • He put the word “sex” in the title of his handbook about starting a community radio station, Sex and Broadcasting, just to get your attention and this was the book that got a lot of us going

    Which led into a discussion of my involvement with the community radio movement — Tom Thomas, Terry Clifford and Bill Thomas are all still very much involved in public and community radio these days.

    Then there was a musical interlude (you cannot believe how much the music went off the rails — almost all the technology failed — oh well).

    The next series of accidents revolved around the “learn my chops in brand-name consulting organizations” part of the saga.  Another of the rivers of geeks — many people of the Internet construction workers came from big firms like Arthur Andersen and Coopers and Lybrand, the two places I worked.  Probably the biggest things I learned there were Structured Programming and project management.  And this…

    The next accidents ran this Forrest Gump type guy through a couple of now long-dead mainframe companies , another BIG source of internet-building geeks.  First ETA Systems, the hapless wannabe competitor to Cray.  Then Control Data, where I learned how to do mass layoffs in an imploding manufacturing company.  Ugh.

    I was an early personal computer enthusiast as were almost all Internet geeks.  I live in the Midwest, so I missed out on the Homebrew Computer Club in Silicon Valley.  Dang.  But relatively cheap modems showed up about that time which led to the rise of the Bulletin Board System (BBS) movement which provided the gathering places for a lot of us Internet geeks. Boardwatch Magazine, published by Jack Rickard, was the glue that held us together — Jack inspired me much the same way that Lorenzo Milam did.  The arrival of FidoNet allowed email to flow beyond the local boundaries of a BBS and brought a lot of us geeks together for the first time.

    Another giant pile of Internet geeks came from the ham radio movement.  My call is KZ0C and I’m completely lame — I hardly do anything ham radio related these days.  But a whole giant tradition of “makers” comes out of that gang.  We hams were darn early adapters of the packet networking protocols that underpin the Internet.  We turned that stuff into packet radio.

    So there’s the list of pre-Internet geek communities that I was a part of in one way or another.  No wonder some of my friends call me a Forrest Gump of Internet technology.  So what happened next?  This is what happened next…


    That’s a picture of the first four-node ARPANET network in the late 60’s.  The network grew slowly over the next couple decades and by the mid-80’s had been opened up to include institutions of higher education.  I worked at the University of Minnesota which, when I was there, was home to the Gopher protocol and the POP3 email protocol — another great gaggle of geeks.  I was a Dreaded Administrator, there to fix a financial system problem, but I loved those geeks ’cause they were the ones that turned me on to the Internet.

    The next kind of geeks that still play a huge role in the Internet are the folks that work at Internet Service Providers (ISPs).  Ralph Jenson and I started an ISP in my basement and called it  That project grew into an amazing gang that eventually got rolled up as the ISP market consolidated in the late 90’s and thereafter.  Lots of the geeks I’ve described in this post were involved in starting those early pioneering ISPs — what a time…

    The last geek that I mentioned in my talk is Hubert Alyea, the role-model for the Disney films about the Absent Minded Professor.  Professor Alyea was another great Asperger geek who was quite emphatic in telling me about lucky accidents, great discoveries and the prepared mind.  Click HERE to see movies of some of his lectures on Youtube — they’re astounding.

    What are Mike and Marcie obsessing about now?

    The rest of this post is a series of links to projects that I mentioned during the talk.

    The final thing I need to throw into this post is three little graphs I made up to describe the half life of knowledge — in which I choose to view the glass as half full.  As the half-life shortens, it takes less and less time to become an expert!








    Frac sand mining

    Pore old Haven2.  ‘lil old blog’s being neglected.  I was going to blog about frac sand mining here but the issue kinda exploded into such a big deal that it needed a URL all its own and I forgot to cross-post a link to the new site back here at the ranch.

    So here’s a link for those of you that follow me on this blog.  Sorry about that.  Things got a little crazy there for a while and I’m just now circling back to do the housekeeping.

    this is a teaser from the front page over there…

    Here’s an overview of the concerns that have been raised about frac sand mining.  We’ll glue this to the front page, update it as we go and write more-detailed posts on specific topics.  But here’s a list to summarize things;

    • Community — The old quote “if we don’t hang together, we’ll hang separately” comes to mind.  Will trusted leaders emerge to get us through this?
    • Economic development — Who is thinking through the tradeoff between new jobs versus old, short-term jobs versus long-term ones, money that stays in the region versus fortunes made elsewhere at our expense?
    • Environmental — Is anybody keeping an eye on air emissions and pollution, impact on groundwater, loss of natural and agricultural land, impact on forest projects, nuisance noise and dust, etc.?
    • Health — Who’s minding the impacts of silica dust in the air and processing-plant chemicals in water supplies?
    • Infrastructure — Who will pay for road repairs and will those commitments be honored?
    • Leadership — Town and County officials are used to deciding issues like where to site a farmer’s barn.  Are they ready to handle the onslaught of a sophisticated billion-dollar industry?
    • Prices — Are local sand-producers getting a fair prices for their sand, or are they getting ripped off too — by slick mining-company representatives?  Do you know what that sand is worth?
    • Property values — Who’s keeping an eye out for the innocent bystanders who can’t escape the blight because their savings are tied up in nearby land?
    • Regional development — This isn’t a one-county conversation or even a one-state conversation.  Who’s reaching out to make sure that one unprepared county doesn’t become the easy “target of opportunity”?
    • Restoration – How does the land get repaired once the sand is gone and designed-to-disappear local mining-companies have vanished?
    • Road Safety — What’s the impact of 100′s or even 1000′s of heavy trucks (on a tight schedule) running across our sub-par roads?  Who’s going to be accountable when a schoolbus full of kids gets in an accident with a runaway sand truck on one of our dugway roads?
    • Transparency — Who is publishing good, fair, accurate, non-confrontational information about what’s going on?  Is “good information” going to be available only for the insiders at the expense of all others?  Rumors breed in the dark.


    Adding capabilities to Mac OS X Lion Server


    I never converted to Lion Server.  You can sortof see things unraveling in the middle of this post.  I’m taking another run at it now that Mountain Lion Server (now renamed back to OSX Server) is getting stable.  I sympathize with what Apple is trying to do.  If you’re kindof the power user in the office, the newer version of Server is much better for you.  But for those of us who were using the server to do slightly more complicated stuff, it’s been a long hard road.

    I’ll write another post pretty soon that summarizes how I put stuff back into Mountain Lion Server.  It’s still not easy, but it’s going better — at least so far.  For now, just ignore the rest of this post.  It’s out of date, and it didn’t result in a working server.



    This is another “scratchpad” post as I make the transition from Snow Leopard to Lion on my little family cloud server.  Here’s why the struggle is worth it for me;

    • Staying with the current release means Apple is updating my platform, which in turn means…
    • Better security/stability
    • Better compatibility with the iGadgets
    • Ease of use

    The design philosophy for Server changed just a bit from Snow Leopard to Lion.  Lion Server is built on pretty much the same foundation, but the user-interface has been dramatically thinned out with the aim of making Server something that regular people could use.  I get that, and thing it’s a rational decision by Apple.  I was astounded to learn however that I’m in the “advanced user” category and lost some capabilities when this happened.  Who’da thunk it??  :-)

    So I’ve got to go looking for ways to “put back” some of the things I use the server for.  My goal is to either find work-arounds within Lion Server or find bits and pieces of software that I can run on top of Lion to do those things.

    This post will be the place where I post my findings — both about installing and configuring Lion, and solving the little work-around problems.  Should be fun.

    Installation puzzlers

    Running Lion in a VMWare virtual machine

    Turns out that VMWare 4 brought in support for running instances of Lion in a virtual machine.  Kewl!  So I ran off and bought Lion Onna Stick (USB flash drive) from Apple, plugged it into my MacBook Pro, pointed VMWare Fusion at it, accepted the defaults, took a nap and when I came back I had me a Lion machine running on top of Snow Leopard.  Things to do differently from just accepting defaults;

    • Give the VM at least two cores in the CPU (runs a lot better — I may bump it to four the next time around).  Once Server is installed, my little Lion VM runs just dandy on the 2009 MacBook Pro — consumes about 5% of the CPU when idle.  Sweet.
    • When building Lion (not server, just Lion) pick a user/computer name that’s not a real personal type name — I ran into conflicts with my personal name in Open Directory because I’d already used it for the core Lion account.
    • Pay attention to networking — you’ll be using the Ethernet adapter a lot more rigorously than the default NAT configuration in VMWare — I set mine to go directly to the gateway router rather than using the default virtual-NAT.
    • Since we’re configuring the basis for a server here (especially if you want it to run Open Directory), this is the best time to get the DNS stuff sorted out.  I waited until later the first few times and the Server install vacuumed up a bunch of wrong-settings as a result.  I think I’ll do a little “Networking and DNS” section about all that.  Open Directory’s auto-configuration/startup process will break badly if DNS isn’t set up right.  I never figured out how to fix it after the fact — clean install with proper DNS was my path to success.
    • Take lots of snapshots of the VM.  The basic Lion install was pretty clean (except for the wrong-DNS stuff, see below), but I had to fall back to it several times before I got Server settled in properly (especially Open Directory).  The nice thing is that the App Store was quite happy to let me re-download the Server stuff and re-install it once I’d bought it.  I don’t know if there’s a limit, but I’ve re-installed Server on top of my clean Lion at least five times so far.  The word “Doh!” covers the reasons-why pretty well.

    Networking and DNS for Lion Server

    One of the things that really caught me was installing Lion Server behind an at-home gateway router.  In the past I’ve always been using a data-center router as the gateway and DNS was a no-brainer — just set up an A Record pointing at the server in DNS and go.  But home routers have a different job to do and those differences got pulled into the configuration of the server in ways that I wasn’t expecting.  Here are lessons-learned.

    • I’d never paid attention to the network name of my home router because in normal circumstances it doesn’t matter.  But since I am now using it as a gateway out to the “real” internet, it does.
    • My router thought it was in the “lan” domain — which is fine for a NAT-providing home router.  The trouble came when Lion Server pulled that domain into the name of the server when it talked to Lion during install.  Lion had in turn pulled in that “lan” domain through DHCP during install and built the computer-name with it (Mikes-Mac.lan or somesuch).  Again, this normally doesn’t matter, but that’s not a good name for a machine that is going to be put out on the public Internet.
    • My solution was to pound the real domain into the home router ( in my case) before building Lion (yes Lion — don’t wait for the Server install — many headaches avoided).  That way all the computer-name bits and bobbins will have a real internet-routeable name instead of a non-routeable name.

    Replacing Functionality

    The good news about Lion Server is that it’s built on the same platform as all the earlier versions of Server.  The bad news is that the user interface has been redesigned with a different user in mind.  Not complaining, I get why they did this and it makes sense to me.  But I need to hunt around a bit to “add back” some of the tools that disappeared.  Here’s where I’ll take notes about that — my first pass will be based on scouring the Apple discussion-list for Lion Server and then I’ll see where I go from there.

    Mail — Mail-forwarding and email-group accounts

    My use of the mail server is pretty standard, but I have a few accounts which forward mail to a different address (mostly family members that retrieve their mail from their ISP’s server but want a consistent email address, or multiple people instead of just one).  I used the “Mail” tab in Workgroup Manager to do this on Snow Leopard, but that tab is missing in the Lion version of Workgroup Manager.

    • In Lion — build a filter using the webmail interface.  Once the account has been set up in the Workgroup Manager, log into the account with webmail and add filters that redirects messages to the downstream addresses.  One filter per address (rather than multiple addresses, separated by commas).  There’s a limit of 4 destinations per account, which is fine for me — most of mine are single destination forwarding accounts.  There’s a hack to expand that 4-destination limitation but I haven’t had to use it.

    Mail — Hosting multiple domains for email

    I use several domains for email.  Under Snow Leopard I would add them as as either Local Host Aliases or Virtual Domains in the Mail/Advanced/Hosting tab of Server Admin.  Doh!  They’re still there in the new version.  I was looking at Server rather than Server Admin.  Silly me.

    Mail — Email aliases

    These work the same as before — Workgroup Manager.

    Web — SSL on sites

    Initial post:

    SSL encryption is pretty important to me, especially on web-based versions of wiki, mail, calendar, contacts, etc.  Don’t want people logging into those over an unencrypted connection, thank you very much.  So we gotta turn SSL on for some sites, but not all.

    Argh.  I struggled with this for far too long. Did all kinds of fooling around with the files in the Apache “sites” folder, only to watch them get overwritten by Server each time I restarted it.  Worked all the way into the “readme” file in the Apache folder, on and on.  Terrible pain in the neck.  Nothing worked

    Then I discovered the “Help” system in the Server app (not Server Admin, although the help system is fine there too).  SSL for virtual sites done in a different place.  Which Help told me.  Bah.  Went to the “Hardware/Server/Settings/SSL Certificate/Edit” menu, picked a certificate for the virtual site (and maybe restarted the web service) and it was set.  Does exactly the right thing too — when somebody goes to an SSL-enabled virtual site, they’re automatically redirected to the SSL version.

    UPDATE 9-Jan:

    Unfortunately, this returns to the “open issue, broken” status.  I’ve managed to wedge the Server app so that there are two states:

    • State 1 — everything turned off in the Server app including “web”
    • httpd daemon is running (sites respond to external requests, but with the /var/empty folder)
    • no functionality
    • relatively quiet logs (sample: Jan  9 01:05:32–Jan  9 05:05:31)
    • something odd going on with MySQL, probably unrelated)
    • Jan  9 01:06:29 server SubmitDiagInfo[4016]: Submitted shutdown stall report: file://localhost/Library/Logs/DiagnosticReports/ipfwloggerd,mysqld,sh_2012-01-01-080056_localhost.shutdownStall
    • something odd going on with xscertd (once an hour)
    • 1/9/12 6:05:24.632 AM sandboxd: ([6369]) xscertd(6369) deny job-creation
    • State 2 — “web” turned on, but NO SSL certificates assigned
    • httpd daemon is running (sites respond to external requests, but with the /var/empty folder)
    • no functionality
    • quiet logs — check logs around 6:52;28 AM for startup messages.  here are interesting ones;

    1/9/12 6:52:28.713 AM xscertd: Starting xscertd/1.0.0 (MacOS X Server)
    1/9/12 6:52:28.721 AM sandboxd: ([6723]) xscertd(6723) deny job-creation
    1/9/12 6:52:31.176 AM servermgrd: servermgr_web: waiting for pid, file /private/var/run/

    • State 3 — “web” turned on AND an SSL certificate is assigned
    • httpd daemon is NOT running (browser returns “problem loading page” and “unable to connect” errors
    • To get to this state — 1) shut down “web” in at 7:00:08 2) assign cert at 7:01:16 3) restart “web” at 7:03:46 4) shut off “web” again at 7:29:19 5) removed cert at 7:30:43
    • Here’s an extract of the interesting log messages:shut down “web” in Server app – 7:00:08Jan  9 07:00:08 server sandboxd[6807] ([6806]): xscertd(6806) deny job-creation
      Jan  9 07:00:09 server servermgrd[808]: servermgr_web: Disabling port forwarding for port 80
      Jan  9 07:00:11 server servermgrd[808]: servermgr_web: waiting for pid, file /private/var/run/
      Jan  9 07:00:12 server servermgrd[808]: servermgr_web: Enabling port forwarding for port 80
      Jan  9 07:01:10 server CoreCollaborationServer[6852]: [main.m:103 40a280 +0ms] HTTP server listening at loopback:4444
      Jan  9 07:01:10 server[6852]: Jan  9 07:01:10 CoreCollaborationServer[6852] <Warning>: [main.m:103 40a280 +0ms] HTTP server listening at loopback:4444
      Jan  9 07:01:10 server[1] ([6852]): Tried to setup shared memory more than once
      Jan  9 07:01:10 server wikiadmin[6858]: Updating schema…
      Jan  9 07:01:10 server[6852]: 2012-01-09 07:01:10.231 wikiadmin[6858:307] Updating schema…
      Jan  9 07:01:10 server wikiadmin[6858]: Schema updates completed.
      Jan  9 07:01:10 server[6852]: 2012-01-09 07:01:10.235 wikiadmin[6858:307] Schema updates completed.
      Jan  9 07:01:15 server servermgrd[808]: servermgr_notification[I]: External configuration change detected, re-loading: c2s.xml
      Jan  9 07:01:15 server servermgrd[808]: servermgr_notification[I]: External configuration change detected, re-loading: Jan  9 07:01:17 server[1] (org.apache.httpd[6892]): Exited with code: 1
      Jan  9 07:01:17 server[1] (org.apache.httpd): Throttling respawn: Will start in 10 seconds
      Jan  9 07:01:17 server servermgrd[808]: servermgr_notification[N]: jabberd service startup completed.
      Jan  9 07:01:18 server jabberd_notification/router[6886]: [, port=57627] connect
      Jan  9 07:01:18 server[6901]: http server appears to have started
      Jan  9 07:01:18 server[6901]: Connected to XMPP server
      Jan  9 07:01:18 server jabberd_notification/router[6886]: [, port=57627] authenticated as
      Jan  9 07:01:18 server jabberd_notification/router[6886]: [] online (bound to, port 57627)
      Jan  9 07:01:18 server jabberd_notification/router[6886]: [, port=57628] connect
      Jan  9 07:01:18 server jabberd_notification/router[6886]: [, port=57628] authenticated as
      Jan  9 07:01:18 server jabberd_notification/router[6886]: [] online (bound to, port 57628)
    • restart “web” at 7:03:46
    • Jan  9 07:03:09 server xscertd-helper[6808]: idle timer triggered, exiting
    • Jan  9 07:03:46 server servermgrd[808]: servermgr_web: enabling
      Jan  9 07:03:48 server sandboxd[6979] ([6978]): xscertd(6978) deny job-creation
      Jan  9 07:03:49 server servermgrd[808]: servermgr_web: Disabling port forwarding for port 443
      Jan  9 07:03:50 server servermgrd[808]: servermgr_web: waiting for pid, file /private/var/run/
      Jan  9 07:03:55: — last message repeated 3 times —
      Jan  9 07:03:55 server servermgrd[808]: servermgr_web: Enabling port forwarding for port 443
      Jan  9 07:03:55 server servermgrd[808]: servermgr_web: Cannot confirm Apache was started; missing or invalid pid file
      Jan  9 07:07:25 server xscertd-helper[6980]: idle timer triggered, exitingshut off “web” again at 7:29:19
      Jan  9 07:29:19 server servermgrd[808]: servermgr_web: Disabling port forwarding for port 443
      Jan  9 07:29:20 server servermgrd[808]: servermgr_web: waiting for pid, file /private/var/run/
      Jan  9 07:29:20 server[1] (org.apache.httpd[7792]): Exited with code: 1
      Jan  9 07:29:20 server[1] (org.apache.httpd): Throttling respawn: Will start in 10 seconds
      Jan  9 07:29:21 server servermgrd[808]: servermgr_web: waiting for pid, file /private/var/run/
      Jan  9 07:29:25: — last message repeated 3 times —
      Jan  9 07:29:25 server servermgrd[808]: servermgr_web: Enabling port forwarding for port 443
      Jan  9 07:29:25 server servermgrd[808]: servermgr_web: Cannot confirm Apache was started; missing or invalid pid fileremoved cert at 7:30:43
      Jan  9 07:29:19 server servermgrd[808]: servermgr_web: Disabling port forwarding for port 443
      Jan  9 07:29:20 server servermgrd[808]: servermgr_web: waiting for pid, file /private/var/run/
      Jan  9 07:29:20 server[1] (org.apache.httpd[7792]): Exited with code: 1
      Jan  9 07:29:20 server[1] (org.apache.httpd): Throttling respawn: Will start in 10 seconds
      Jan  9 07:29:21 server servermgrd[808]: servermgr_web: waiting for pid, file /private/var/run/
      Jan  9 07:29:25: — last message repeated 3 times —
      Jan  9 07:29:25 server servermgrd[808]: servermgr_web: Enabling port forwarding for port 443
      Jan  9 07:29:25 server servermgrd[808]: servermgr_web: Cannot confirm Apache was started; missing or invalid pid file
    • 1/9/12 6:52:37.981 AM setupThread failed rcode=-2147418111

    UPDATE 12-Jan:

    The road to recovery.  I spoke with Apple Support and worked my way up to a Tier-2 support person who helped me out a lot.  He gave me a bunch of great pointers which I’ll post here as I use them.  He was very careful to point out that some of this is for experienced folks only, your mileage may vary, if you break it you bought it and some of this may result in something that’s so broken that it falls outside the normal free telephone support.  Be careful!

    The problem seems to be caused by the way I set the server up.  Y’see, I built the server at the farm and then moved it to the data center.  So the IP address changed.  That IP address gets “baked in” to a bunch of things, and especially the SSL certificate that gets created when the server is first configured.  Moving the server to a new IP-address puts it out of sync with the information in the certificate and that’s very likely what’s causing the problem.

    Step 1 — Set the Web server back to defaults.

    Here’s a link to the page in the Advanced Administration guide for Lion Server —

    My sequence of steps was this;

    • Toggle off all the services in the Server application and turned off the SSL cert
    • Run “sudo serveradmin command web:command=restoreFactorySettings” (omit the quotes) repeatedly while at the same time watching the logs in Server.  The command failed several times because it couldn’t find copies of various default versions of config files in the /var/apache2/sites/ folder.  Fortunately, I have backup copies of those files so I just replaced them one at a time until the command ran to the end successfully.

    Step 2 — Create a new SSL cert

    • Created a new SSL certificate in the Server application (Hardware/YourServerName/Settings/”Edit” SSL certificate/select the “gears” dropdown/select “manage certificates”/click the “+” button to add a new certificate/select “create a certificate identity”/accept the defaults/)

    Step 3 — Cycle the server and cross fingers

    • Rebooted the server
    • Waited for the logs to quiet down
    • Started the Web service and watched it create it’s config files in the apache2/sites folder — logs were still quiet
    • Assigned the newly-created SSL cert (I wish I could delete the old one but I can’t) — logs are still quiet
    • Turned on the Wiki service — logs are still quiet
    • So far so good!  I think I’ll leave things like this for a while before adding back the other services and the custom web sites.  More updates to follow.

    Web — MySQL

    Lion switched from MySQL to PostGres (rumbles of ORACLE lawsuits no doubt) so I’ve got to start running a “real” version of MySQL so that all the little WordPress sites continue to function.

    • Hm.  MySQL only supports OS X through Snow Leopard — looks like we’re kinda out here on our own.  <shrug, what could go wrong?>
    • Downloads are here  – (roll down to the DMG file — way easier install)
    • Installation instructions are here –
    • Documentation is here – (haven’t used it yet)
    • PHP needs to be tweaked – (I only did the “change-sockets to /tmp/mysql.sock” thingy)
    • Installed Sequel Pro ( and tested the installation by creating and dropping a database.

    Web – loading up a WordPress site

    Let’s see how much of the Lion stuff I can use…

    • Point a domain at the server (an A record in DNS)
    • Create a new site in the Server app (using the same domain name)
    • Copy in WordPress files (download them from
    • Give ownership to _www user (CD into the folder *above* the folder for the site is and type “sudo chown _www your-site’s-foldername” in Terminal)
    • Transmit ownership to all files in the folder (Finder/Get info/Unlock/Permissions/Apply to enclosed items)
    • Create a database (I use Sequel Pro — create an empty database and a user that has full rights to the database)
    • Create the wp-config.php that points at the database

    Web — point multiple URLs at the same site

    I don’t do this often, but sometimes I point more than one variant of a domain at a site.

    • Lion way — create an addition site in the Server app — new URL, pointed at the same content directory as the first site.  Works fine  Ooops…  things get sticky when doing this — I wound up with a bunch of Apache site configuration files, and thus the opportunity of conflicts.  Better way…
    • Set the site up in the Server app with *just* the domain name (leave the “www” variant for the next step)
    • Edit the site configuration (file etc/apache2/sites/ip-address-stuff_port-number_domain-name.conf) and add ServerAlias records at the very bottom of the file, just before the closing </VirtualHosts> entry.
    • Like this:
    • ServerAlias
    • ServerAlias
    • ServerAlias
    • Restart the web server (and clear the browser cache) to check

    Web — redirects

    I like to throw redirects into sites from time to time.  In Snow Leopard, this was easily done through Server Administrator but that’s gone in Lion.  Adding them into the Apache files isn’t too bad though.  Here’s how.

    • Open the site file (etc/apache2/sites/ip-address-stuff_port-number_domain-name.conf — I like the TextWrangler editor for this kind of stuff)
    • Insert a section that looks like this (I lifted this from my file on the Snow Leopard file and stuck it into my test site);

    <IfModule mod_alias.c>
    Redirect temp “/rss.xml” “”

    • Only need one set of bracketed “IfModule” statements, and stick in as many “Redirect temp” statements as needed.
    • I’ll probably just copy these sections over from their files on the Snow Leopard server and see how they work out.
    • Restart the web server (toggle Web off and back on in the Server app)

    Web — separate log files

    Some of my domains get a lot of traffic and it’s handy to be able to strain out their stuff into a separate log file.  Not a show-stopper but handy.  Once again, the site files in Apache seem to be the place to do this.

    • Open the site file (etc/apache2/sites/ip-address_port-number_domain-name.conf)
    • Change the CustomLog and ErrorLog statements to point at a unique file rather than the default
    • Restart the web server
    • Check to make sure things are working by looking in var/log/apache2 for the new files after the restart
    • Best to open the log files with the Console app — lots easier to read the files (and get real-time updates)

    Web — rotate log files

    I like to have the log files break themselves up into weekly chunks so i can go clear out the old ones every once in a while.  In Snow Leopard, this was easy — just tick the little box and it did it.  Lion makes me work harder.

    • Open the site file (etc/apache2/sites/ip-address_port-number_domain-name.conf)
    • Change the CustomLog from this:

    CustomLog “/var/log/apache2/example_access_log”

    • To this:

    CustomLog ‘|/usr/sbin/rotatelogs “/var/log/apache2/example_access_log” 604800 -360’ “%h %l %u %t \”%r\” %>s %b”

    • Change the ErrorLog from this:

    ErrorLog “/var/log/apache2/example_error_log”

    • To this:

    ErrorLog ‘|/usr/sbin/rotatelogs “/var/log/apache2/example_error_log” 604800 -360’

    One wonders if making these changes to the default version of the configuration file would drive this stuff in automagically.  Might just research that some day.

    Web — permalinks in WordPress sites

    WordPress has the ability to change the format of the URLs for posts and pages from the ugly PHP link to a prettier “permalink” structure.  Apache needed to be tweaked in Snow Leopard to make this work right, and it still does in Lion.  Here’s how.

    • The etc/apache2/httpd.conf file needs to be changed (only once, the first time through) so that the “AllowOverride” statement in the “/Library/WebServer/Documents/” section reads “AllowOverride All” (there are several AllowOverride statements in — pay attention to which one is being changed).  Note: I’m not sure this step is really required — my testing was a little horked up and I’m too lazy to repeat it to verify
    • Open the site file (etc/apache2/sites/ip-address_port-number_domain-name.conf)
    • Change the statement “AllowOverride None” to “AllowOverride All” in the “Directory” section
    • Create a .htaccess file in the site directory (use Terminal, CD to the site directory, “sudo touch .htaccess”)
    • Change ownership of the .htaccess file to the “_www” user (“sudo chown _www .htaccess”) — this lets WordPress modify the .htaccess file with the permalink rules.
    • Restart the web service in the Server app
    • When all else fails (I had a heck of a time getting the server to write the .htaccess file correctly — although restarting Finder [Apple-menu/Force-quit…/Finder/Restart] may have cured that problem) I manually edit the .htaccess file.   Here’s the code that needs to be in it:
    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    # END WordPress


    Well, none of this is real tough — so I think I’m about ready to start moving stuff over to the Lion environment.  I’ll probably wind up running it under a virtual machine until I’ve converted everything.  Then I’ll explore moving it out of the virtual machine back into a native Lion install on my tiny little server.  Or maybe not.  That’s for another day.

    Taking out a beaver dam


    Uh oh…  That swirl in the water?  That’s a beaver.  That grass at my feet?  That’s our culvert.  Beavers like to build dams just on the upstream side of our culvert, which leads to trouble like The Big Flood.  So this beaver-project must be removed…

    Here’s one of the culprits…  Making a getaway…

    Here’s their handiwork.  This got built in one night (I know this ’cause Marcie and I took a dam out yesterday in exactly the same spot — the beavers like it so much they rebuilt it overnight).  So this one turned out to be really small and really easy to take out (unlike the one before which was a lot more challenging).

    The compleat beaver-dam extraction module.  Note the smile on her face — taking out beaver dams is a boatload of fun.  I had a little too much fun on the one we took out yesterday and wiped out my finger.  So Marcie sidelined me and took over the job.

    This is the “before” picture — Marcie’s getting ready to attack.

    Here’s the “after” picture.  All gone.  Along with another little one that they’d started just downstream from the culvert (an equally big problem for flooding).

    Here’s Marcie holding a giant Angelica stem in the downstream-dam.  That’s not a little tree.  That’s a flower stalk!

    Here’s the dam — loaded on Trakdor for disposal.  We’ll see whether they try again tomorrow.