Letsencrypt and webservices auto-restart

So I have a bunch of SSL-certificates, wildcarded, that is renewing from time to time. And since I hate googing for things ending up without any results anyway, I recently wrote a script that is checking against apache and nginx pid-files if any pem-files in the letsencrypt directory (under /etc/letsencrypt) are newer than the last restart time of the webserver.

If the pid files for apache and nginx are older than the respective pem-file, the script is set to restart the webserver. The script itself has focus on apache, since I still have unmigrated services left in my systems. The below script has been set to email me on such changes, but has been removed from this snippet.



ap=$(which apachectl)
if [ -f $apachePid ] ; then
	apacheDate=$(date -r ${apachePid} "+%s")
	restartCmd="$ap restart"

if [ -f $nginxPid ] ; then
	nginxDate=$(date -r ${nginxPid} "+%s")
	if [ "" != "$apacheDate" ] ; then
		if [ $nginxDate -gt $apacheDate ] ; then
			echo "Nginx date is newer than apache, will use that instead."
	restartCmd="service nginx restart"

if [ "$allowSslScan" = "1" ] ; then

	if [ -d /etc/letsencrypt/live ] ; then
		pems=$(find /etc/letsencrypt/live -type l)
		for pem in $pems
			realfile=$(readlink -f $pem)
			thisDate=$(date -r $realfile "+%s")
			if [ $thisDate -gt $apacheDate ] ; then
	if [ "$requireRestart" = "1" ] ; then
		echo "Chosen restart command: $restartCmd"
		echo "One or more SSL certificates are newer than the current apache2 session. We require a restart!"

The ability to show progress bar of chmod/chown with pipe viewer (pv)

There’s a lots of information of how to use pv together with ”dialog” as a progress indicator for a lots of different projects. For example, even pv shows an example on how to show a progress bar for taring and gzipping a file archive. But there are almost no documents that describes a similar thing for a simple chown/chmod process. Probably, in normal cases, this is not being done since such process is fast enough to not needing it. But for larger directory structures it sometimes is nices with a progress bar, rather than the verbose output of the process.

So here’s how to do it!

   # Run chown in verbose mode, but redirect the verbosity somewhere else, while pv counts the progress.
   # pv runs in line-mode instead of byte mode.
   chown -Rv $permissions $dir | \
   pv -f -c -n -l -s $(find |wc -l) 2>&1 >/dev/null | \
   dialog --gauge 'Taking ownership of $directory' 7 70 0

Adding for example ”-i 0.1” to pv will make dialog update the view more often, but it might affect the performance of the process.

The result will look like this:

Netflix and the blocking of tunneled ipv6-routes

The solution below is implemented at one of my recursion-dns servers so it can be used out of the box.

Today I discovered that Netflix started blocking tunneled ipv6-routes. This means, in SiXXS case (which I primarily use to reach ipv6 routes), that I’m for now blocked from using Netflix this way. This also means that I have a few options, to make Netflix work again, even if I run with ipv6 simultaneously:

  • Edit the hosts-file. Make a look up on netflix.com, to pick up all addresses based on ipv4. Problem: Any changes that Netflix makes, will never reach me. Besides, the streaming servers are probably named differently than only ”www.netflix.com”.
  • Disable ipv6 while watching netflix. Problem: All connectivity with ipv6 is lost while watching Transformers.

So, the real problem here is that Netflix resolves both on ipv4 and ipv6, so I need to find a DNS server that only gives me ipv4-responses, so I don’t have to guard DNS updates myself. What I did to solve this problem was, since I host my own DNS-services, therefore to set up a secondary DNS server that explicitly returns ipv4-addresses when making lookups on a ipv4-network – without the list of ipv6-addresses, like this:


In the primary master server, I’ll put up a forward zone like this:

zone "netflix.com" IN {
        type forward;
        forwarders {

And suddenly Netflix becomes available again, on a ipv4-only network…

Update 2019-12-29

As if bind 9.14, the above solution is obsolete [in the native daemon] and should removed. If you’ve installed bind with correct plugins (I’ve installed bind via ISC PPA), there’s a replacement for the above solution. In named.conf, place this outside the configuration block, and everything should run as before again.

plugin query "filter-aaaa.so" {
        filter-aaaa-on-v4 yes;

BBVote – Votech – i ny skepnad

votech_with_tornevall_crop100[1]BBVote – fast egentligen heter hela projektet Votech – har återigen byggts om! Tanken med Votech är som vanligt att vi inte skall fastna vid omröstningar för Big Brother. Så när Big Brother är över skall tjänsten finnas där för allmänheten. Därför är BBVote… förlåt – Votech denna gången byggt till förmån för besökare, bloggare och forum – vilka med ytterst enkla medel skall kunna klistra in sina omröstningar varhelst de behagar. För en gång skull ligger jag dessutom en hel vecka före i tidsplaneringen. I stället för att svettas över att saker skall ta form i sista minuten, kan nu befintliga system finslipas och få nya intressanta funktioner! Faktum är att sidan redan är lanserad när detta skrivs och just nu körs en omröstning som rör valet 2014 (se här) för att se hur allt fungerar inför Big Brothers release nu på söndag.

Förra gången sidan byggdes om, gjordes det några timmar – eller 1½ dygn, enligt inlägget jag länkar till – innan Big Brother gick av stapeln. Det vill jag lova, hade aldrig fungerat idag. Men redan när idén åter landade på mitt bord 2011, så tvekade jag och ifrågasatte om jag verkligen hade tid – och till skillnad från då, så har jag inte haft tid i år heller men gjort det ändå. Man vill ju inte svika fansen. I synnerhet inte efter att sett jag vilka röstningssystem dom tvingats använda tidigare…