I encountered this problem again, so let’s write it down to avoid googling it.
PowerDNS fails to start with
pdns.service: Failed at step ADDRESS_FAMILIES spawning /usr/sbin/pdns_server: Invalid argument
- edit /lib/systemd/system/pdns.service
- comment out RestrictAddressFamilies
- comment out ProtectSystem=full
- possibly kill systemd-resolved
- systemctl daemon-reload
- ask yourself again, why are you using Debian with systemd on a server? And why the hell is it starting services I’ve never configured to start? Isn’t it time to switch to Windows? It seems more predictable to me…
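An alternative to editing the packaged unit in place, as an added example that is not part of the original post: the shell functions below write a systemd drop-in that relaxes only the two directives named in the steps above, so the change survives package upgrades and the rest of the unit's sandboxing stays in force. The function names and the drop-in directory /etc/systemd/system/pdns.service.d are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): build a drop-in override
# instead of commenting lines out of /lib/systemd/system/pdns.service.

# make_pdns_override UNIT_FILE
# Prints drop-in contents that undo RestrictAddressFamilies and ProtectSystem,
# but only for the directives the vendor unit actually sets.
make_pdns_override() {
    unit_file=$1
    [ -r "$unit_file" ] || { echo "cannot read $unit_file" >&2; return 1; }

    echo "[Service]"
    # An empty assignment undoes any earlier address-family restriction.
    if grep -Eq '^[[:space:]]*RestrictAddressFamilies=' "$unit_file"; then
        echo "RestrictAddressFamilies="
    fi
    # ProtectSystem takes a single value, so it is overridden explicitly.
    if grep -Eq '^[[:space:]]*ProtectSystem=' "$unit_file"; then
        echo "ProtectSystem=false"
    fi
}

# install_pdns_override UNIT_FILE DROPIN_DIR
# Writes the override as DROPIN_DIR/override.conf (directory is an assumption,
# e.g. /etc/systemd/system/pdns.service.d).
install_pdns_override() {
    mkdir -p "$2" && make_pdns_override "$1" > "$2/override.conf"
}

# Typical use, run as root, followed by the daemon-reload step from the list:
#   install_pdns_override /lib/systemd/system/pdns.service \
#       /etc/systemd/system/pdns.service.d
#   systemctl daemon-reload
```

Deleting the drop-in file and reloading systemd restores the packaged sandboxing settings.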
I’ve hacked together an up-to-date version of Asuswrt Merlin firmware for the oldie but goldie Asus RT-N16 router. Beware, this firmware is only intended for use by advanced users.
tinc is a great mesh Virtual Private Network daemon, with just one little glitch (and also little crypto problems ;-). I find its configuration really tedious and complicated compared to OpenVPN and its possibility to centrally assign IP addresses and push options to clients. I know, that’s the tax for being mesh, but wouldn’t it be great to configure your mesh network a bit centrally?
Sometimes it’s necessary to selectively route specified IPs or networks via a different interface – i.e. if you want to route private addresses over VPN (a.k.a. split tunnel routing) or to route some public IPs over VPN to unblock some nationally restricted sites (Netflix). Here are simple scripts to achieve this.
If you are trying to access a site with a self-signed certificate with Firefox 31 (or later) and get the “Issuer certificate is invalid” error (sec_error_ca_cert_invalid), you have to disable the new mozilla::pkix certificate verification.
In about:config set
security.use_mozillapkix_verification = false
To find out more about mozilla::pkix and why your Firefox just got so super secure and paranoid that it doesn’t allow you to access your own site without googling – see https://wiki.mozilla.org/SecurityEngineering/Certificate_Verification. I’m only wondering why they renamed it from insanity::pkix to mozilla::pkix – do they confess that ‘mozilla’ is slowly becoming a synonym for ‘insane’ ?-) Throwing such an error without any hint or possibility to add an exception (as usual) is IMHO insane – but, who cares about power users today…
Update: As noted in comments, this should not work in Firefox 33 (or later).
- Your internal CA certificate doesn’t specify CA:TRUE in the X509v3 Basic Constraints section
- Your self-signed server certificate (the last one in the certificate chain) specifies CA:TRUE – which is the default for certificates generated by the pkitool script from the easy-rsa suite – and you have your CA certificate installed in FF.
See also FF bug #1042889.
Update3: Thanks to the work of , there is a fix for this in Firefox 31 ESR (