Let’s Encrypt continued

The first certificate I’ve ordered during the closed beta phase has been replaced now. HPKP is enabled again. With the standard Let’s Encrypt (LE) procedure, a new private key is generated every time a new certificate is issued.

In order to be able to enable HPKP again, you either need to use the standard LE client with a previously created CSR or use some other client.

With the LE client, that would mean: letsencrypt-auto certonly -a manual --csr {csr} as outlined in an article by Thomas Leister (in German).

One very nice alternative client is acme-tiny. I’ve decided to follow that route. It’s quite nicely outlined in a post by Scott Helme.
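To make the HPKP constraint concrete, here is an added Python example (not from this post, and not code from either LE client) that derives the RFC 7469 pin from a certificate’s SubjectPublicKeyInfo and checks a renewed certificate against the deployed Public-Key-Pins header before it is installed. The three SPKI DER values are constructed stand-ins built with made-up coordinates, not real keys; only the DER layout and the pin arithmetic matter.

```python
import base64
import hashlib

# id-ecPublicKey (1.2.840.10045.2.1) and prime256v1 (1.2.840.10045.3.1.7), DER-encoded OIDs
_EC_ALG_IDS = (b"\x06\x07\x2a\x86\x48\xce\x3d\x02\x01"
               b"\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07")

def spki_der(pub_point: bytes) -> bytes:
    """DER SubjectPublicKeyInfo for an EC P-256 key (short-form lengths suffice here).
    SEQUENCE { SEQUENCE { OID ecPublicKey, OID prime256v1 }, BIT STRING public point }"""
    alg = b"\x30" + bytes([len(_EC_ALG_IDS)]) + _EC_ALG_IDS
    bit_string = b"\x00" + pub_point  # leading 0x00: no unused bits
    body = alg + b"\x03" + bytes([len(bit_string)]) + bit_string
    return b"\x30" + bytes([len(body)]) + body

def pin_sha256(spki: bytes) -> str:
    """RFC 7469 pin value: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki).digest()).decode("ascii")

def pkp_header(primary: str, backup: str, max_age: int = 5184000) -> str:
    """Public-Key-Pins header; RFC 7469 requires a backup pin so a key change is survivable."""
    return (f'pin-sha256="{primary}"; pin-sha256="{backup}"; '
            f"max-age={max_age}; includeSubDomains")

def header_pins(header: str) -> set:
    """Set of pin values advertised in a Public-Key-Pins header."""
    pins = set()
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        if name == "pin-sha256":
            pins.add(value.strip('"'))
    return pins

def safe_to_deploy(cert_spki: bytes, header: str) -> bool:
    """Pre-install check: a renewed certificate is only safe to serve if its key matches
    a pin clients already hold; otherwise they lock themselves out for max-age seconds."""
    return pin_sha256(cert_spki) in header_pins(header)

# Constructed stand-ins for three key pairs (not valid curve points; only the DER shape matters):
FIXED_KEY = spki_der(b"\x04" + bytes(range(1, 65)))     # key behind the reused CSR
BACKUP_KEY = spki_der(b"\x04" + bytes(range(65, 129)))  # offline backup key
FRESH_KEY = spki_der(b"\x04" + bytes(range(129, 193)))  # key a standard LE run would generate
PKP_HEADER = pkp_header(pin_sha256(FIXED_KEY), pin_sha256(BACKUP_KEY))

if __name__ == "__main__":
    for label, key in (("reused CSR", FIXED_KEY), ("backup key", BACKUP_KEY), ("fresh key", FRESH_KEY)):
        print(f"{label:10s} pin={pin_sha256(key)} deployable={safe_to_deploy(key, PKP_HEADER)}")
```

Only the certificate issued against the reused CSR (or the backup key) passes the check; the key a standard LE run would generate does not, which is exactly why a fixed CSR or an alternative client is needed here.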

I still haven’t established a proper key turnover procedure for standard TLS certificates and for DNSSEC (where the key registration with the TLD is the most challenging and time-intensive task, depending on your provider). That’s some project for rainy, boring

Let’s Encrypt

The first production Let’s Encrypt certificate is issued and installed on HTTP/2 is also enabled, thanks to nghttpx. Works like a charm :)

I’ll try to post some config settings for nghttpx and also Let’s Encrypt, but that’s a really straightforward task (if no servers are listening on ports 80 and 443).

LXC Scripts for Ubuntu Lucid

In his blog, Nigel McNie provides a nice hands-on introduction to LXC. Along with this, he provides us with a set of scripts that do the work quite nicely. I cloned that repository and added a script for Ubuntu Lucid. It’s quite handy to me, supposedly also for somebody else out there?

A git repository is available at GitHub:

Gallery Moved

I finally decided to move my gallery to a (more specialised) service provider. Maybe you already noticed the new naming scheme. Even though Menalto Gallery is a great piece of software, I wanted to have an easy-to-use, safe solution that does not require manual software updates or upgrades to be installed. I’m getting lazy, I know :)

So, the new gallery is still reachable via but it will be redirected to Unfortunately, SmugMug offers no secured connections to the user galleries. You will also need to enable JavaScript, in case you have deactivated it.

Please do not be alarmed by the new domain name or missing capabilities of the new service. I hope you still enjoy browsing through my collection, and do not hesitate to comment on or rate the pictures! :)

Presumably due to an SSM bug in the Linux kernel, the backup server crashed some days ago. Since my ISP is about 500 km from here, I had to wait until Monday for my provider to restart the server. Now it is up again. The following message was logged to syslog:

Jul 18 08:39:20 localhost sm-mta[30237]: rejecting connections on daemon MTA-v6: load average: 978

Quite a high load, isn’t it? :)