Category Archives: Troubleshooting

Redirecting HTTPS with Let’s Encrypt and Apache

The free TLS certificate provider Let’s Encrypt automates the request-and-setup process using the ACME protocol to verify domain ownership. Software on your server creates a file in a known location, based on your request. The certificate authority checks that location, and if it finds a match to your request, it will grant the certificate. (You can also validate it using a DNS record, but not all implementations provide that. DreamHost, for instance, only uses the file-on-your-server method.)

That makes it really simple for a site that you want to run over HTTPS.

Redirected sites are trickier. If you redirect all traffic from Site A to Site B, Let’s Encrypt won’t find A’s validation file on B, so it won’t issue (or renew!) the cert. You need to make an exception for that path.

On the Let’s Encrypt forums, jmorahan suggests this for Apache:


RedirectMatch 301 ^(?!/\.well-known/acme-challenge/).* https://example.com$0

That didn’t quite work for me since I wanted a bit more customization. So I used mod_rewrite instead. My rules are a little more complicated (see below), but the relevant part boils down to this:


RewriteEngine On
RewriteBase /

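# Redirect all hits except for Let's Encrypt's ACME Challenge verification to example.com
# REQUEST_URI always begins with a slash, and the dot is escaped so it matches literally
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
# ^/? lets the same rule work in .htaccess (no leading slash) and in the server config
RewriteRule ^/?(.*) https://example.com/$1 [R=301,L]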

These rules can go in your server config file if you run your own server, or the .htaccess for the domain if you don’t.
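
An added example (not from the original post or the Let's Encrypt forum): a small Python model of both rule sets, run over constructed request paths, to check which requests are redirected and which are left for the ACME validator. Python's re module stands in for Apache's regex matching here, and the function names, constant names and sample paths are assumptions. It compares a RewriteCond pattern written without the leading slash against one anchored at /\.well-known/acme-challenge/.

```python
import re

TARGET = "https://example.com"  # redirect destination used in the post

# RedirectMatch pattern quoted in the post: the negative lookahead exempts the challenge directory.
REDIRECTMATCH = re.compile(r"^(?!/\.well-known/acme-challenge/).*")

# Two candidate RewriteCond patterns (hypothetical names): %{REQUEST_URI} always
# begins with "/", so a pattern that omits it cannot match the challenge path.
COND_NO_SLASH = re.compile(r"^.well-known/acme-challenge")
COND_ANCHORED = re.compile(r"^/\.well-known/acme-challenge/")

# Constructed sample request paths.
PATHS = [
    "/.well-known/acme-challenge/tok3n",  # what the CA fetches during validation
    "/blog/post",
    "/",
    "/.well-known/acme-challengeX",       # near miss: not inside the directory
    "/well-known/acme-challenge/x",       # no dot: a different directory
]


def redirectmatch(path):
    """Location that RedirectMatch 301 <pattern> TARGET$0 would send, or None if served locally."""
    m = REDIRECTMATCH.search(path)
    return TARGET + m.group(0) if m else None


def rewrite(path, cond):
    """Model of RewriteCond %{REQUEST_URI} !<cond> followed by
    RewriteRule ^/?(.*) TARGET/$1 [R=301,L]; None means no redirect."""
    if cond.search(path):  # the negated condition fails, so the rule is skipped
        return None
    return TARGET + "/" + re.match(r"/?(.*)", path).group(1)


def audit(paths=PATHS):
    """Return (path, RedirectMatch, no-slash cond, anchored cond) outcomes per path."""
    return [(p, redirectmatch(p), rewrite(p, COND_NO_SLASH), rewrite(p, COND_ANCHORED))
            for p in paths]


if __name__ == "__main__":
    for row in audit():
        print("%-36s %s" % (row[0], ["served" if r is None else "301" for r in row[1:]]))
```

A challenge path that comes back as a 301 in any column means that rule set would send the validator to the other site instead of serving the file locally.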


Amazon Apps won’t Install on Android? Check Screen Dimmers

I mostly use the Google Play Store on my phone, but I have a few apps through the Amazon App Store. I recently found that I couldn’t update them — or the store itself. I could tell it to download the app, but at the point that I was ready to review the permissions and click on Install, the Install button wouldn’t respond. At all. Nothing. Cancel worked. Everything else worked. But not that one.

A forum thread pointed me to screen management apps. Lux, Twilight, etc. – the kind of apps that will alter your screen to red-shift it at night, or adjust brightness below the range of the screen’s backlight.

Sure enough, I disabled Lux from the pull-down, and the Install button worked. Once the update was done, I re-enabled it. Just an extra two seconds of work before and after.

It probably happens on other third-party app stores and stand-alone installers as well.

The cause wasn’t completely clear from the discussion thread, but reading between the lines and adding my knowledge of software and web development suggests that it’s a security issue: Apps like Lux and Twilight work by altering the appearance of the screen (“draw over other apps” permissions). It makes sense that Android would prevent installation actions (outside of its own privileged update system, anyway) when it can’t be sure that what the user sees is actually an Install button.

Imagine a malicious app that overwrites the screen to hide an Install button under something more benign. In web development, we call this clickjacking.

Anyway, that’s the issue and the workaround, and why I think it hasn’t been fixed in all this time: Fixing it would open up a security vulnerability.

Fortunately, the workaround is pretty easy!

Update: It occurs to me that Facebook also requires the “draw over other apps” permission, which was why I finally uninstalled it. I expect that might cause issues if chat heads are visible when you try to install/update an Amazon app.

Can’t Log into Feedly or Pinterest on Firefox 40? Check Ghostery!

I use Feedly to keep up with a lot of sites ranging from tech to entertainment. After upgrading to Firefox 40, I wasn’t able to log in using my Google account. The authentication pop-up would only bring up a plain HTML page saying, “Moved Temporarily The document has moved here.” The same problem occurs with Pinterest and Facebook login, though in that case the authentication pop-up is blank. Pocket also shows the “Moved Temporarily” message, but recovers. I’m having trouble logging into Disqus too. Lots (but not all) of third-party logins seem to be broken now.

Update: Ghostery 5.4.8 fixes the problem!

TL;DR: Use this workaround!

  1. Go into Add-Ons and disable Ghostery.
  2. Log into Feedly / Pinterest / whatever.
  3. Go back into Add-Ons and re-enable Ghostery.

A discussion on Google+ suggested disabling add-ons. I tried it, and was able to log in — great! But I wanted to know which extension was the problem.

After experimenting a bit, I found that disabling Ghostery allowed me to log into Feedly with Google.

Just to make certain, I logged out of Feedly, re-enabled Ghostery, and tried logging back in. Sure enough, I was back to the “Moved Temporarily…” error again. I’ve had Ghostery on this browser for a long time with no problems, and the about page shows that the extension was last updated toward the end of July, so I assume the problem is that something in Firefox 40 changed the way the browser, Ghostery and OAuth interact. I wouldn’t be surprised if it runs into issues with other privacy add-ons like AdBlock or Privacy Badger.

Fortunately, Ghostery can be turned on and off without restarting your browser. And turning it back on after you’re logged in doesn’t seem to interfere with Feedly.

I may go back and try to figure out the specific setting that’s causing the issue, but for now, I’m able to run both Feedly and Ghostery, so I’m not in too much of a hurry.

Update: Ghostery will be releasing a fix to resolve the bug, which turns out to affect quite a few sites. (via Feedly on Google+.)

Update: Ghostery 5.4.6.1 is supposed to fix the problem, but it still breaks login on some sites, including Feedly and Pinterest.

Update: Ghostery 5.4.8 fixes the problem!

Jetpack Related Posts Missing on an SSL WordPress Site? Check for RC4 and Turn it Off!

After switching one of my self-hosted WordPress blogs to all-HTTPS, I ran into an odd problem: Jetpack Related comments stopped working after a while.

After going back and forth with Jetpack support and my web host, it turned out the problem was with the SSL configuration on my site. Jetpack has to download a copy of your posts in order to calculate recommendations, and it uses libcurl to do that. Curl has stopped supporting the RC4 cipher in SSL connections because weaknesses have been found in it…and that’s what my server was using! (Ack!) I assume it was an old compatibility setting that never got updated.

Jetpack needed to reindex the site, but couldn’t retrieve anything, so it got stuck on “Indexing request queued and waiting…” Disconnecting and reconnecting didn’t work. Jetpack thought it was connected, so it didn’t report an error. (I assume it uses a different library for some things.) Pages were loading the script and the placeholder, but didn’t have suggestions to put there. And of course it wasn’t done indexing, so it didn’t offer a reindex button on the debug page.

What to do:

SSL ciphers are a server configuration setting, not a problem with your SSL certificate, so you don’t need to revoke and reissue the cert. If your hosting provider manages your server, you can ask them to disable RC4. If you run your own server, you’ll need to look up how to disable RC4 on IIS, Apache, Nginx, etc. You can verify your site’s settings at Qualys’ SSL Server Test: Look for RC4 in the results and see if it’s labeled Yes or No.

If Jetpack doesn’t start indexing after you change your config, try turning off the Related Posts module and turning it back on. It only took a few minutes before recommendations started appearing on the site again.

There is one downside, which is that some older browsers (specifically Internet Explorer on Windows XP) may not be able to connect. As always, it’s a trade-off.

Solved: NVIDIA/Nouveau picture extending beyond screen

I upgraded my desktop Linux system to Fedora 21 recently, and decided instead of trying to get the proprietary NVIDIA driver working, I’d just switch back to the open-source Nouveau driver. I uninstalled every RPM that had “nvidia” in the name (I use rpmfusion to keep the installation clean), restarted, and was dismayed to see that the system decided I could only run at 800×600. I didn’t have time to fix it immediately, so I shut down and went on with my day. That evening, I started it up again ready to fix it…and was surprised to see that the resolution had been detected correctly this time.

Almost.

It wasn’t obvious at the login screen, but the picture extended just a little past the edge of the monitor. I could tell because the mouse cursor would actually move off the screen in all directions. Once I logged in, and I could look at things near the edge, it was more obvious. And if I looked closely, I could tell that a lot of things that should have been sharp pixel lines were actually antialiased.

TL;DR: It was actually a monitor setting, and apparently the proprietary driver had been overriding it.