Sign up for the new credit card and get 80,000 points. (I’ll get 20,000 if you use my link.) 🙂 https://t.co/clpVkadt3B It’s well worth it. It does cost an annual fee of $85, but the 80k points will get you 2-3 nights. I think the one night per year covers the $85 annual fee. 🙂
I started using Marriott early on only because I had stayed at Courtyards multiple times for work. I’ve started to take a liking to Marriott and their bonus system. With the Marriott card, you can get 5 points per dollar spent at Marriotts, which is awesome! You get free rooms pretty quickly that way and also get lounge access pretty quickly as well.
If you’re not a member and happen to just be staying at a Marriott, I would say to sign up! The points do expire (I think after 18 months), but you can keep them pretty easily just by continuing to accrue. There are a few ways to accrue them without staying at Marriotts. One of the ways is to sign up for the credit card. Better yet, use my link above! 🙂 Another way is to shop to keep them! https://marriott.rewards.com There, just click through the site and buy anything and they’ll credit you Marriott points. That way, you’re accruing as you spend money. Something I wish I had done during the holiday season. I could’ve had at least one additional point for every dollar I spent! I’ll write another posting on maximizing your shopping points sometime soon.
One last point is to try to stay loyal to one particular brand, i.e., if you’re flying United, only fly United; if you’re flying American, only fly American. It’s much easier to accrue points that way and to be able to use them. If you’re staying at Marriotts and collecting Marriott points, you won’t get anything by staying at a Hilton. You will get some credit for staying at an SPG though! I’ve already linked my 2 accounts, but haven’t transferred any points yet.
Hope this helps! Please let me know if you have any other/better ideas!
I know there are a ton of postings on how to sign your own SSL certificates. I just think there’s too much out there (including in my own blog) and none that are very simple. Recently, I figured that I would do it myself (again).
Are you sick of seeing a certificate warning like this in your browser bar?
Would you rather see a trusted connection like this?
I’ll show you how to do it for free.
First off, we create a Certificate Authority (CA). This is the party that vouches for your server: the browser trusts the CA, and the CA signs a certificate saying the server is who it claims to be.
You create the new CA with the CA.sh helper script that ships with OpenSSL, passing it -newca. On Mac OS X the script is /System/Library/OpenSSL/misc/CA.sh (the full command is the first line of the transcript below); on an Ubuntu system the openssl package installs the same script as /usr/lib/ssl/misc/CA.sh. It generates a passphrase-protected 2048-bit RSA key in demoCA/private/cakey.pem and a self-signed CA certificate (CA:TRUE) in demoCA/cacert.pem, valid for 1095 days. Choose a strong passphrase here: anyone holding cakey.pem can mint certificates that every machine trusting this CA will accept.
Here’s the output:
alyu1-mbpr:~ alyu$ /System/Library/OpenSSL/misc/CA.sh -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 2048 bit RSA private key
...................+++
...............................................................................................................+++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:San Francisco
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ShocKNetworK
Organizational Unit Name (eg, section) []:Security
Common Name (e.g. server FQDN or YOUR name) []:alton-mbp.shocknetwork.com
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /opt/local/etc/openssl/openssl.cnf
Enter pass phrase for ./demoCA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 9449349124978877974 (0x8322d4f6e103a616)
        Validity
            Not Before: May 17 23:00:51 2016 GMT
            Not After : May 17 23:00:51 2019 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = California
            organizationName          = ShocKNetworK
            organizationalUnitName    = Security
            commonName                = alton-mbp.shocknetwork.com
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                C5:5E:16:99:96:81:1F:1D:BE:D2:FE:81:B0:57:34:A1:19:24:D8:AF
            X509v3 Authority Key Identifier:
                keyid:C5:5E:16:99:96:81:1F:1D:BE:D2:FE:81:B0:57:34:A1:19:24:D8:AF
            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until May 17 23:00:51 2019 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated
Next, generate the server’s key pair and a certificate signing request (CSR). CA.sh -newreq does this (same script paths as above): it writes a passphrase-protected private key to newkey.pem and the request to newreq.pem. The Common Name must be the exact host name clients will type into the browser, otherwise the certificate will not match the site. Here’s the output:
alyu1-mbpr:~ alyu$ /System/Library/OpenSSL/misc/CA.sh -newreq
Generating a 2048 bit RSA private key
.........................+++
........+++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:San Francisco
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Riverbed
Organizational Unit Name (eg, section) []:Tech Marketing Lab
Common Name (e.g. server FQDN or YOUR name) []:alton-web-server.pod3.techmktg.lab
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem
Now, let’s have the CA sign the request with CA.sh -sign (same script paths as above). It reads newreq.pem, asks for the CA key’s passphrase, and writes the signed certificate to newcert.pem, valid for 365 days and marked CA:FALSE so it cannot itself issue certificates. Two things are worth checking in the output: the Subject should be exactly the request you just made, and the Authority Key Identifier of the new certificate must equal the Subject Key Identifier of the CA you created in the first step, because that is how the browser links the two. The transcript below was captured against a different CA than the one created above (its Issuer is CN=securityserver.riverbed.com, not alton-mbp.shocknetwork.com), which is why its Authority Key Identifier starts 43:52:6A rather than the C5:5E:16 of the CA above; with one CA the two values are identical, and if they differ the browser will reject the chain. Note also that the certificate CA.sh produces carries only a Common Name and no subjectAltName extension; browsers released after this post (Chrome 58 onwards, in 2017) ignore the Common Name for host-name matching and require a subjectAltName, so for them you need to add one when signing.
alyu1-mbpr:~ alyu$ /System/Library/OpenSSL/misc/CA.sh -sign
Using configuration from /opt/local/etc/openssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 10013577564278676468 (0x8af75fbd91a6dbf4)
        Validity
            Not Before: May 23 00:34:03 2016 GMT
            Not After : May 23 00:34:03 2017 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = California
            localityName              = San Francisco
            organizationName          = Riverbed
            organizationalUnitName    = Tech Marketing Lab
            commonName                = alton-web-server.pod3.techmktg.lab
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                F1:A4:7E:2E:DA:2B:29:96:6C:B6:F1:2C:C5:CD:43:34:6D:2B:75:5E
            X509v3 Authority Key Identifier:
                keyid:43:52:6A:22:33:C4:67:E9:3B:17:DF:DD:20:5D:77:59:E1:C4:EC:67

Certificate is to be certified until May 23 00:34:03 2017 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 10013577564278676468 (0x8af75fbd91a6dbf4)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=California, O=Riverbed, OU=Security, CN=securityserver.riverbed.com/[email protected]
        Validity
            Not Before: May 23 00:34:03 2016 GMT
            Not After : May 23 00:34:03 2017 GMT
        Subject: C=US, ST=California, L=San Francisco, O=Riverbed, OU=Tech Marketing Lab, CN=alton-web-server.pod3.techmktg.lab/[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:9a:17:37:3b:68:4a:5c:60:73:c5:5f:bb:40:39:
                    b0:ed:eb:df:76:f1:1c:37:c0:3a:71:82:5d:d6:1c:
                    04:a1:24:1c:d6:26:c0:cc:f3:1f:51:f9:b8:d4:65:
                    f2:fb:ec:6e:87:42:12:e5:ec:0c:38:53:91:62:8a:
                    2e:1e:be:33:e9:f4:ce:8d:92:f8:81:cd:bd:52:67:
                    85:c6:ec:85:d2:29:33:37:a2:fb:d9:23:0c:47:62:
                    d8:8b:03:12:12:ff:9f:61:83:a7:9b:18:37:8c:37:
                    87:f1:dc:66:bc:6c:2c:19:87:dc:29:c1:8e:ab:d3:
                    cf:6d:d5:2c:a8:9e:11:ea:81:b9:c0:d0:5d:28:a0:
                    d8:fe:dd:fe:e2:4d:ad:a5:74:9a:42:40:c8:e8:9e:
                    92:37:c2:39:ec:4c:21:1c:88:69:ec:5c:77:1e:f0:
                    48:0e:8a:df:69:4b:af:6e:c4:cb:4f:80:02:e4:38:
                    ea:ee:ad:bd:82:df:ae:47:a5:e5:39:7e:6f:18:65:
                    12:bd:a1:79:f7:f7:73:1a:8d:71:17:31:5b:f7:66:
                    eb:e6:80:1e:4b:bf:65:33:7d:e7:2c:94:38:8c:13:
                    ee:06:99:56:fd:f7:70:24:a0:4d:d5:c4:0f:df:48:
                    84:88:83:4f:c3:59:50:d2:e9:9b:f4:bc:02:c1:c1:
                    3f:ad
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                F1:A4:7E:2E:DA:2B:29:96:6C:B6:F1:2C:C5:CD:43:34:6D:2B:75:5E
            X509v3 Authority Key Identifier:
                keyid:43:52:6A:22:33:C4:67:E9:3B:17:DF:DD:20:5D:77:59:E1:C4:EC:67

    Signature Algorithm: sha256WithRSAEncryption
         72:85:da:b3:57:f6:4d:49:df:33:ae:f3:bd:58:99:d2:fc:ca:
         af:03:63:07:3a:16:f9:69:ea:50:db:97:30:d5:fe:71:a8:90:
         4a:3c:88:04:49:b7:a3:14:6d:e1:14:8e:96:80:77:e8:6f:9c:
         26:07:35:75:fa:d2:e5:48:93:b7:0c:64:7f:d4:29:32:f8:da:
         f1:6f:12:1b:8f:50:d3:e8:79:e0:ff:f0:86:80:bc:14:73:52:
         21:c5:71:f2:70:ba:7b:db:11:4c:b7:9c:9e:b8:66:ed:4f:d8:
         9b:b6:c3:d1:18:c6:e7:a2:25:f6:80:3d:02:b8:98:56:9c:80:
         81:76:cb:f1:4a:c7:0d:4a:8b:7e:7b:41:e0:82:95:b5:bf:34:
         2f:6f:8e:91:cf:43:40:c0:91:4d:43:9c:4a:c6:2f:bf:69:de:
         5d:fa:a9:ed:1c:63:eb:85:a1:97:fa:53:95:f0:ac:a1:55:db:
         72:61:eb:3f:dc:ff:2b:77:38:f5:c2:9e:26:ca:41:b4:67:b2:
         9a:5d:b7:84:23:0d:89:b4:f3:f1:1b:e2:f5:55:f9:4b:bf:24:
         40:2d:77:55:4d:b8:b0:76:23:50:e2:bc:74:9f:38:4c:27:42:
         a2:4d:3f:67:dc:ea:b3:d3:69:ee:85:2c:eb:ab:a0:f1:d2:29:
         a5:45:c1:a1
-----BEGIN CERTIFICATE-----
MIIEUTCCAzmgAwIBAgIJAIr3X72Rptv0MA0GCSqGSIb3DQEBCwUAMIGUMQswCQYD
VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTERMA8GA1UECgwIUml2ZXJiZWQx
ETAPBgNVBAsMCFNlY3VyaXR5MSQwIgYDVQQDDBtzZWN1cml0eXNlcnZlci5yaXZl
cmJlZC5jb20xJDAiBgkqhkiG9w0BCQEWFWFsdG9uLnl1QHJpdmVyYmVkLmNvbTAe
Fw0xNjA1MjMwMDM0MDNaFw0xNzA1MjMwMDM0MDNaMIG9MQswCQYDVQQGEwJVUzET
MBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzERMA8G
A1UECgwIUml2ZXJiZWQxGzAZBgNVBAsMElRlY2ggTWFya2V0aW5nIExhYjErMCkG
A1UEAwwiYWx0b24td2ViLXNlcnZlci5wb2QzLnRlY2hta3RnLmxhYjEkMCIGCSqG
SIb3DQEJARYVYWx0b24ueXVAcml2ZXJiZWQuY29tMIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEAmhc3O2hKXGBzxV+7QDmw7evfdvEcN8A6cYJd1hwEoSQc
1ibAzPMfUfm41GXy++xuh0IS5ewMOFORYoouHr4z6fTOjZL4gc29UmeFxuyF0ikz
N6L72SMMR2LYiwMSEv+fYYOnmxg3jDeH8dxmvGwsGYfcKcGOq9PPbdUsqJ4R6oG5
wNBdKKDY/t3+4k2tpXSaQkDI6J6SN8I57EwhHIhp7Fx3HvBIDorfaUuvbsTLT4AC
5Djq7q29gt+uR6XlOX5vGGUSvaF59/dzGo1xFzFb92br5oAeS79lM33nLJQ4jBPu
BplW/fdwJKBN1cQP30iEiINPw1lQ0umb9LwCwcE/rQIDAQABo3sweTAJBgNVHRME
AjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0
ZTAdBgNVHQ4EFgQU8aR+LtorKZZstvEsxc1DNG0rdV4wHwYDVR0jBBgwFoAUQ1Jq
IjPEZ+k7F9/dIF13WeHE7GcwDQYJKoZIhvcNAQELBQADggEBAHKF2rNX9k1J3zOu
871YmdL8yq8DYwc6Fvlp6lDblzDV/nGokEo8iARJt6MUbeEUjpaAd+hvnCYHNXX6
0uVIk7cMZH/UKTL42vFvEhuPUNPoeeD/8IaAvBRzUiHFcfJwunvbEUy3nJ64Zu1P
2Ju2w9EYxueiJfaAPQK4mFacgIF2y/FKxw1Ki357QeCClbW/NC9vjpHPQ0DAkU1D
nErGL79p3l36qe0cY+uFoZf6U5XwrKFV23Jh6z/c/yt3OPXCnibKQbRnsppdt4Qj
DYm08/Eb4vVV+Uu/JEAtd1VNuLB2I1DivHSfOEwnQqJNP2fc6rPTae6FLOuroPHS
KaVFwaE=
-----END CERTIFICATE-----
Signed certificate is in newcert.pem
Now, you probably want to remove the passphrase from the private key (the certificate itself is never encrypted; the passphrase protects newkey.pem) so that Apache or Nginx doesn’t ask you to type it each time you start the service. The trade-off is that the key then sits on disk in the clear, so back up the encrypted original first and lock the plaintext copy down afterwards. Run:
openssl rsa -in newkey.pem -out key.pem
alyu1-mbpr:~ alyu$ cp newkey.pem newkey.pem.orig
alyu1-mbpr:~ alyu$ openssl rsa -in newkey.pem -out key.pem
Enter pass phrase for newkey.pem:
writing RSA key
Make sure you get the “writing RSA key” message. If you don’t, the usual cause is a mistyped passphrase: OpenSSL reports that as “bad decrypt” rather than as a wrong-password error, and the output looks like this:
alyu1-mbpr:~ alyu$ openssl rsa -in newkey.pem -out key.pemd
Enter pass phrase for newkey.pem:
unable to load Private Key
140735125303376:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:529:
140735125303376:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:p12_decr.c:108:
140735125303376:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:p12_decr.c:139:
140735125303376:error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib:pem_pkey.c:141:
You now have the necessary files. Keep them in a directory the web server can read but nobody else can (the private key should be owned by root with mode 600; Apache and Nginx read it as root at startup before dropping privileges), and keep the CA’s own key, demoCA/private/cakey.pem, off the web server entirely.
cacert.pem – in the demoCA folder. This is the only file clients need: rename it to cacert.crt and double click on it in Windows, or open it with Keychain Access on Mac, and add it to your trusted certificates list. From then on that machine trusts anything signed with cakey.pem, so the CA key and its passphrase are what you really need to protect.
newcert.pem – this is your server certificate. In Apache, it goes on the “SSLCertificateFile” line in the /etc/apache2/sites-enabled/<site> file. In NGINX, it goes on the “ssl_certificate” line in the /etc/nginx/sites-enabled/<site> file.
key.pem – this is your (now unencrypted) private key. In Apache, it goes on the “SSLCertificateKeyFile” line in the same file. In NGINX, it goes on the “ssl_certificate_key” line.
Enable SSL on the web server and you should be all set!
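Here is the whole procedure above (create the CA, request, sign, strip the passphrase) as one unattended script, added here as an example; it is not code from the original post. Instead of the interactive CA.sh wrapper it uses plain openssl req/x509 commands, writes its own minimal config so the system openssl.cnf does not matter, and adds the subjectAltName that CA.sh’s defaults omit. It then runs the checks worth doing before touching the web server config: the certificate verifies against the CA for the expected host name and fails for any other, its Authority Key Identifier equals the CA’s Subject Key Identifier, and the stripped key really belongs to the certificate. The output directory, the organization names, the host name www.example.test and the passphrases are placeholders; it assumes OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example (not from the original post): non-interactive equivalent of
# CA.sh -newca / -newreq / -sign plus the passphrase strip, with checks.
# Placeholders: DEMO directory, DNs, www.example.test, the two passphrases.
set -eu

DEMO="${DEMO:-$(mktemp -d)}"   # every file below lands in this directory

# Step 1 (CA.sh -newca): passphrase-protected CA key and self-signed CA cert,
# CA:TRUE, 1095 days like the transcript. Extensions come from our own config.
make_ca() {
  dir=$1; pass=$2
  mkdir -p "$dir"; chmod 700 "$dir"
  cat > "$dir/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt             = no
x509_extensions    = v3_ca
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
EOF
  openssl req -x509 -new -newkey rsa:2048 -sha256 -days 1095 \
    -config "$dir/ca.cnf" -passout "pass:$pass" \
    -subj "/C=US/ST=California/O=Example Lab/OU=Security/CN=Example Lab Root CA" \
    -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
  chmod 600 "$dir/cakey.pem"
}

# Step 2 (CA.sh -newreq): encrypted server key (newkey.pem) and CSR (newreq.pem).
make_request() {
  dir=$1; pass=$2; fqdn=$3
  openssl req -new -newkey rsa:2048 -sha256 -config "$dir/ca.cnf" \
    -passout "pass:$pass" \
    -subj "/C=US/ST=California/L=San Francisco/O=Example Lab/OU=Lab/CN=$fqdn" \
    -keyout "$dir/newkey.pem" -out "$dir/newreq.pem" 2>/dev/null
}

# Step 3 (CA.sh -sign): the CA signs the CSR for 365 days. CA.sh's defaults
# add no subjectAltName; browsers ignore the CN, so DNS:<fqdn> is added here.
sign_request() {
  dir=$1; capass=$2; fqdn=$3
  cat > "$dir/leaf.ext" <<EOF
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
subjectAltName         = DNS:$fqdn
EOF
  openssl x509 -req -sha256 -days 365 -in "$dir/newreq.pem" \
    -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -passin "pass:$capass" \
    -CAcreateserial -extfile "$dir/leaf.ext" -out "$dir/newcert.pem" 2>/dev/null
}

# Step 4: strip the passphrase from the *key* (the cert was never encrypted),
# keep the encrypted original, and lock the plaintext copy down.
strip_passphrase() {
  dir=$1; pass=$2
  cp "$dir/newkey.pem" "$dir/newkey.pem.orig"
  openssl rsa -in "$dir/newkey.pem" -passin "pass:$pass" -out "$dir/key.pem" 2>/dev/null
  chmod 600 "$dir/key.pem"
}

# Check 1: the leaf chains to our CA and is valid for the expected host name.
verify_leaf() {
  dir=$1; fqdn=$2
  openssl verify -CAfile "$dir/cacert.pem" -verify_hostname "$fqdn" \
    "$dir/newcert.pem" >/dev/null 2>&1
}
# Check 2: leaf Authority Key Identifier == CA Subject Key Identifier.
ext_keyid() {  # ext_keyid <cert> <extension name>; strips the "keyid:" prefix
  openssl x509 -in "$1" -noout -text \
    | sed -n "/$2/{n;p;}" | tr -d ' ' | sed 's/^keyid://'
}
issuer_matches() {
  dir=$1
  [ "$(ext_keyid "$dir/newcert.pem" 'Authority Key Identifier')" = \
    "$(ext_keyid "$dir/cacert.pem" 'Subject Key Identifier')" ]
}
# Check 3: the decrypted key's public half is the one in the certificate.
key_matches_cert() {
  dir=$1
  [ "$(openssl x509 -in "$dir/newcert.pem" -noout -pubkey)" = \
    "$(openssl pkey -in "$dir/key.pem" -pubout)" ]
}

make_ca "$DEMO" 'demo-ca-passphrase'
make_request "$DEMO" 'demo-key-passphrase' www.example.test
sign_request "$DEMO" 'demo-ca-passphrase' www.example.test
strip_passphrase "$DEMO" 'demo-key-passphrase'
verify_leaf "$DEMO" www.example.test
issuer_matches "$DEMO"
key_matches_cert "$DEMO"
echo "OK: $DEMO/newcert.pem and $DEMO/key.pem are ready; trust $DEMO/cacert.pem on the client"
```

Run it with sh and set DEMO to pick the output directory. The files come out under the names the post uses: cacert.pem for the clients’ trust store, newcert.pem for SSLCertificateFile / ssl_certificate, key.pem for SSLCertificateKeyFile / ssl_certificate_key. The hostname check is the one that catches the Common-Name-only problem: the same certificate without the subjectAltName line passes openssl verify but fails -verify_hostname in the same way a current browser would.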
Why do you really need this? When Shibby first put out the firmware with MultiWAN support, I questioned why someone would pay for 2 service providers. Too much bandwidth utilization? If you need more bandwidth, just upgrade your line with your current ISP. It would be cheaper than getting a new line!
Do you need reliability? When you work from home and need to be connected to the Internet for your work and it’s not available, that’s when you might look into a solution like this one! I have Comcast Business. Does that help? No, not really when the problem is with the infrastructure and not a misconfiguration or something internal. It just means that when you call, you talk to someone a little more competent and you can get a person quicker than going through the phone system. You can have someone come on-site a little faster too. That said, the service is the same as that of all other consumers. After a few rains and a couple of Comcast outages (not exactly outages, but huge degradations in service), I started to think about getting a second provider. Luckily, in San Francisco, we have a few options for service providers. I happen to be lucky enough to have access to 2 different cable providers, Comcast and Wave Broadband (formerly Astound). I used Astound before. It was not bad. My experience was not nearly as bad as what the Yelp reviews say. I’ve now had them for a couple of weeks and still have the same opinion. They seem to be just fine.
So, moving on to the implementation. As you can see from the screenshot, Shibby makes it easy! First, configure the VLAN; the MultiWAN page links to where that is done, under advanced settings. The next screenshot shows an example of the VLAN being set up. I’m using LAN port 1 as the 2nd WAN port.
In this screen, however, you might notice my “Load Balance Weight”. The difference between my service providers is that Comcast gives me unlimited bandwidth and Wave Broadband does not. Because of this, I want more connections to go out of the first WAN link, and Shibby gives us a couple of ways to do it. The first is “Load Balance Weight”: I’m setting the 1st link to 2 and the 2nd WAN link to 1, so roughly two new connections go out Comcast for every one that goes out Wave. You can play with the numbers to find your desired balance.
The other way to steer traffic is to pin a particular host to a particular WAN link. For example, I have some traffic I want to leave through one WAN link and some through the other. This way, I can send my highest-traffic hosts through WAN1 while some others go through WAN2.
Here’s a status window to show that I have both WANs connected.
Lastly, you can see from different searches of what’s my IP, that both WAN links are being utilized.
Please post your comments and share!