PowerDNS + systemd fail

I encountered this problem again, so let’s write it down to avoid googling it.

Problem:

PowerDNS fails to start with
pdns.service: Failed at step ADDRESS_FAMILIES spawning /usr/sbin/pdns_server: Invalid argument

Solution:

  1. edit /lib/systemd/system/pdns.service
  2. comment out RestrictAddressFamilies
  3. comment out ProtectSystem=full
  4. possibly kill systemd-resolved
  5. systemctl daemon-reload
  6. ask yourself again, why are you using debian with systemd on server ? And why the hell it is starting services I’ve never configured to start ? Isn’t it time to switch to windows ? It seems more predictable to me…

TINC VPN config generator

tinc is a great mesh Virtual Private Network daemon, with just one little glitch (and also little crypto problems ;-). I find its configuration really tedious and complicated compared to OpenVPN and its possibility to centrally assign IP addresses and push options to clients. I know, that’s the tax for being mesh, but wouldn’t it be great to configure your mesh network a bit centrally ?

Continue reading

firefox 31 + self-signed certificate = sec_error_ca_cert_invalid

If you are trying to access site with self-signed certificate with Firefox 31 (or later) and get Issuer certificate is invalid error (sec_error_ca_cert_invalid), you have to disable new mozilla::pkix certificate verification.

In about:config set

security.use_mozillapkix_verification = false

To find out more about mozilla::pkix and why your firefox just got so super secure and paranoid, that it doesn’t allows you to access you own site without googling – see https://wiki.mozilla.org/SecurityEngineering/Certificate_Verification. I’m only wondering, why did they renamed it from insanity::pkix to mozilla::pkix – do they confess that ‘mozilla’ is slowly becoming a synonym for ‘insane’ ?-) Throwing such an error without any hint or possiblity to add an exception (as usual) is IMHO insane – but, who cares about power users today…

Update: As noted in comments, this should not work in Firefox 33 (or later).

Update2: As noted by #29 and referenced bugs, there seem to be (at least) 2 major cases, where new insane::pkix will refuse to accept a https site.

  1. Your internal CA certificate doesn’t specifies CA:TRUE in X509v3 Basic Constraints section
  2. You self-signed server certificate (the last one in certificate chain) specifies CA:TRUE – what is default for certificates generated by pkitool script from easy-rsa suite – and you have your CA certificate installed in FF.

See also FF bug #1042889.

Update3: Thanks to the work of Kai Engert, there is a fix for this in Firefox 31 ESR (download from https://www.mozilla.org/en-US/firefox/organizations/) and hopefully the same comes also with Firefox 33.1.