When you don’t have certbot

This will seem silly to some people; honestly, I am not a fan of what I have here yet. However, in a closed-loop environment where I run these scripts, it should be _safe_. I hope the code works. I have ripped it down to some fairly generic chunks.

So, why? Well, imagine I have a router or device that might run a small OS and can run UNIX commands but might not have access to the outside world or other tools installed. It can run shell scripts and most normal commands. I want to 1) get a yearly reminder to update the certificate and 2) find some easy way to install a certificate.

My solution is a cron job that runs every 11 months to generate a new CSR and email it to me <grin>. Step one is done. Then once I have got the certificate signed, I copy it up into the device with scp, and another script will move that file into the right place. First, it will check if it is derived from the local key, and maybe other checks can be added.

Step one, here’s the first script.


#!/bin/sh
# Get the hostname
HOSTNAME=$(hostname)

# Prepare the openssl configuration file
# (the file name is an assumption; the original value did not survive)
CONF_FILE=$HOSTNAME.cnf
# Replace the placeholder DN values below before use; C must be a two-letter country code.

echo "[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
C = Country
ST = State
L = Location
O = Organization
OU = Organizational Unit
CN = $HOSTNAME.macicap.com

[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = $HOSTNAME.macicap.com" > "$CONF_FILE"
# the > wrote a new file and overwrote any old one.

# Check for existing ssl_key.pem and its size
# I want 4096 bit keys
umask 077   # keep the private key readable by this user only
if [ -e ssl_key.pem ]; then
  # "Private-Key: (4096 bit...)" -> 4096
  KEY_SIZE=$(openssl rsa -in ssl_key.pem -text -noout | grep 'Private-Key' | cut -d'(' -f2 | cut -d' ' -f1)
  if [ "$KEY_SIZE" -ne 4096 ]; then
    openssl genrsa -out ssl_key.pem 4096
  fi
else
  openssl genrsa -out ssl_key.pem 4096
fi

# Generate a new CSR
openssl req -new -key ssl_key.pem -out "$HOSTNAME.csr" -config "$CONF_FILE"

# Send the CSR via email using sendmail (optional)
# You will need to replace "smtp_server", "smtp_port", "from_address", "to_address", and "email_subject"
# Note: -tls1 pins s_client to TLS 1.0, which many SMTP servers now refuse; drop it to let openssl negotiate a current version.
echo "Subject: email_subject
From: from_address
To: to_address

$(cat "$HOSTNAME.csr")" | sendmail -H"exec openssl s_client -quiet -connect smtp_server:smtp_port -tls1 -starttls smtp" -f from_address -t to_address

That’s maybe a lot, but I hope you can figure it out from the comments. In theory, I was emailed a CSR file to sign. So let’s pretend I did that and uploaded it to some folder on the system. If the checks pass, a cron job will pick up the file and move it and the key file to the right place in the OS. Then I’ll need to figure out a reboot or the process to stop/start. Below is the script for that cron.


#!/bin/sh
# Define the directory where the certificate file will be uploaded
UPLOAD_DIR=/path/to/upload   # placeholder: the scp destination
# Define the names of the key, CSR, and certificate files
KEY_FILE=ssl_key.pem         # relative to the cron working directory, as in the CSR script
CSR_FILE=$(hostname).csr
CERT_FILE=$(hostname).crt    # placeholder: the name the signed certificate is uploaded under
# Define the target directory for the key and certificate files
TARGET_DIR=/path/to/certs    # placeholder: where the OS expects the key and certificate

# Check if there's a new certificate file in the upload directory
if [ -f "$UPLOAD_DIR/$CERT_FILE" ]; then
  # Verify that the certificate matches the private key (compare hashes of the RSA modulus)
  CERT_MOD=$(openssl x509 -noout -modulus -in "$UPLOAD_DIR/$CERT_FILE" | openssl md5)
  KEY_MOD=$(openssl rsa -noout -modulus -in "$KEY_FILE" | openssl md5)
  if [ "$CERT_MOD" = "$KEY_MOD" ]; then
    # Move the key and certificate files to the target directory (requires root privileges)
    mv "$UPLOAD_DIR/$CERT_FILE" "$TARGET_DIR/"
    mv "$KEY_FILE" "$TARGET_DIR/"
  else
    echo "$CERT_FILE does not match $KEY_FILE; not installing" >&2
    exit 1
  fi
fi

This is a reminder to make the scripts executable.

chmod +x /path/to/csr_script.sh
chmod +x /path/to/certificate_script.sh

The lines in crontab would look like this.

# */11 in the month field matches months 1 and 12, so this fires on 1 January and 1 December rather than every eleven months
0 0 1 */11 * /path/to/csr_script.sh
# check the upload directory for a signed certificate once a day
0 0 * * * /path/to/certificate_script.sh

I’ll spend a little time taking what I have posted and using it to rebuild what I have to ensure I have not created too many new bugs. If I fix anything, I’ll update this paragraph and note the edits.

** macicap.com is in the code intentionally – I own it, it is parked, and it’s fun.

A10 Thunder VIP – well…

VIP Configuration Guide


If you are setting up a test environment for an application, it is important to consider the “User Acceptance to Production” dilemma. This guide provides some basic tips on how to set up a VIP (Virtual IP) to ensure smooth deployment to production.

Test Environment

When setting up a test environment, always use port 443 (HTTPS) and never concede to having port 80 (HTTP) open. Although HTTPS can be a pain, it is essential to avoid setting up an HTTP path to the same resources on the test environment. This can create a dependency on HTTP that can cause problems in the future.


If you want to provide HTTP access to the test environment, be careful when using redirections. Ensure they are “hard” redirects and you are not propagating the path and full URI. However, remember that something could go wrong even with the best intentions. Therefore, it is important to create hard errors that developers can see, which will provide the feedback necessary to prevent deployment issues.

Production Environment

When you go to production, force a port 80 HTTP redirection to the application’s home page (with NO path or query strings). This will not disrupt the application functionality, as port 80 HTTP was never available in the test environment.

VIP Configuration

To create a VIP, you must define and group servers for redundancy and scale. You can then apply a service group to a port of a VIP to get the whole picture. Here is a minimum VIP configuration:

slb server mcyork1
  port 80 tcp

slb server mcyork2
  port 80 tcp

slb service-group example-mcyork tcp
  member mcyork1
  member mcyork2

slb virtual-server example.mcyork.com
  port 80 http
    service-group example-mcyork

DNS Primer

If you go to the IP, the result should be a response from either or .51, where the website/application or API is hosted.


This is the most straightforward VIP configuration in any ADC/load balancer. Remember, no HTTP in pre-production – ever (wait for the next example to see HTTPS in action). Follow these tips to ensure a smooth deployment to production.


A10 Thunder basic CLI

Step 1 – We are building a configuration to load balance a web service together. Won’t that be fun!

If you are new to the A10 ADC load balancer, this may be interesting to you. If you use iRules with the F5, future steps may provide perspective. Experts in this area are encouraged to correct and enhance this content by emailing me at ian@mcyork.com.

That’s all for day one – exhausting, right! Stay safe.

There is no phone book – Never change your email address again.

What’s a phone book?  Never mind that.

“If you don’t know, I am not going to tell you” is how the Internet treats you if you need to find a friend’s email address when they change it and don’t email everyone they know of the change (and even when they do). You will perhaps say Facebook, Twitter, et al. will come to the rescue. This may be true in a lot of cases – but why rely on a rescue plan that’s as ephemeral as a fart?

Ephemeral, you say (word of the day, btw)? I’d like to use a Yahoo example. What if Yahoo fails (and we have seen it teeter a bit)? I’d hate for it to fail, of course, but “what if” is how we need to approach the problem. Say it goes poof. You have no email now. Um… what do you do? Well, of course you search through all your contacts and send out an email – hey, I changed my email to pinkbunny42@somenewISP.com. Please DO UNNECESSARY WORK, I need you all to update your address books. People all have the lazy gene on the Internet. They’ll assume they can get to it later. They won’t be able to find that email when they next think of you… The common thought you all have when going through this is “The close friends in my life know how to contact me regardless”. Yup – well, in this world you might also have moved, changed your cell phone number, and, not that it is relevant, been issued 4 different credit card numbers “because we detected suspicious activity” this year. The point is (important) stuff changes all the time. The perfect storm can leave you in the Internet’s dust.

Not to mention every site on the Internet you log into and have forgotten the password of – none of them will be able to email you a password reset any more. This list is LONG. Far more onerous than changing a credit card number.

Aside: Website password advice – use lastpass.com

Imagine a rock. One touchstone that’s always there. No matter what. Your email address. From beginning to end it never changes, not once. Are you willing to go that extra mile to save a boatload of future pain?

My domain, mcyork.com, was registered on 1995-02-03. Not the start of the Internet by any means, but the start of my online life. Associated with mcyork.com is my very first email address, ianm@mcyork.com. I HAVE changed my email now to ian@mcyork.com. I never sent friends an update. If they use ianm@ – I still get the email. My replies are now from ian@. Over time, but without a worry on my part, they will start to use my newer, more current email address. In fact, the more luddite-prone friends of mine will never know, or need to know, that my email address was modified. @mcyork.com is mine; I control it and all the email addresses (near-infinite) that can be associated with it.

What’s the answer/point? Own your domain / control your destiny!

“Ok, thanks, but there’s a catch, right? To manage all that is probably technical and difficult. We KNOW you are a geek with a blog!”

Let’s go through that over beers. I’ll get you started.

This video can’t be played

It looks like your HDMI cable or connection doesn’t support HDCP, which is required to play this type of video. Try reconnecting the HDMI cable from Apple TV to your TV, and play this video again.


Yeah, not fun. Older TVs don’t know about the encryption that’s happening now to help prevent us from recording the output, say from Apple TV or a Blu-ray. Well, don’t go buy a new TV unless you need to. Instead, get this gizmo to solve the problem until you do. It’s a simple splitter, and you don’t NEED a splitter, but it has the HDCP decoder in it. Just get this and another short HDMI cable and your shows will play all day long. Bonus: if you wanted your shows output to 2 TVs, you can do that too!

This worked for older equipment – DOES NOT WORK ON APPLE TV. Ordering a different part and will update if there is success.

Can’t connect your Trezor One?

Deposits are simple: you just send to the address and crypto comes in. However, if you need to open the hardware wallet and you have a new Mac, yer stuck without one of these little gems. On the theme of everything seeming to be USB-C these days, this converter is cheap and simple to just leave connected. It turns that Trezor One into a USB-C capable device.

USB-C console cable

As you know, we are geeks here @ McYork. So when we needed to get work from home all ramped up, our kit had to include console cables. Everyone (of the geeks) has these. However, most are now on new laptops and such where the older style USB is not native. Well, simply grab one of these – we have 5 of them now.

2020 shopping list

For the next while, I will be posting products we’ve bought and used, with links to the sites (mostly Amazon – thank you, 2020!). These are “affiliate links”, and so I’ll be clear – when you use these links I do get some type of a kickback. However, you may or may not know that I’d never steer you wrong just for my own gain. Every product listed I have bought in the past, probably in 2020, or have personally used (through a friend or work). As we get more “stuff” this site will grow.

What about all the other amazing McYork projects and blogs from the past? These exist and will be reorganized into a new section. Don’t panic.

A perfect read/listen

For the sci-fi lover or not, this is a fun book. Trust me, if you like sci-fi you can buy this book without reading anything about it in advance. Go get it is all I can say. Go in blind; it really will be one of the best ways to experience it. The audio version is very well produced.