
Monthly Archives: February 2008 lists the seven deadly (and seven lesser) AJAX sins.

I thought I had really dug a hole today.  

When attempting to renew my SSL cert for our domain, the Server Admin kept giving me errors when I tried to add a signed certificate.  My erroneous steps to install the renewed certificate were as follows:

  1. Take SSL off for the domain 
  2. Remove the certificate from the system
  3. Add a self-signed certificate for the domain
  4. Add a signed certificate from the CA

Upon doing so, I attempted to use the certificate sent to me by my CA, supposedly gotten with the original certificate request.  However, Server Admin was doing some strange things.  Upon the 1st attempt to load the signed certificate into the newly created self-signed certificate, it would throw this error (not an exact quote):

Cannot update the file….returning to the list

When it returned to the list, my self-signed certificate was gone.  However, if I opened up Keychain Access, it showed the CA’s certificate as being loaded. If I attempted to do it again, the following error would show up in the server log:

SecCertificateAddToKeychain (err = -25299)

I really couldn’t find jack about how to fix that other than this, which just told me what it meant — I already had a passkey for the cert I was trying to load.

So, after banging my head against my desk, I decided to go to my CA’s website and request a reissued cert.  I knew that I had to put in a new CSR in order to get a reissue so I thought that maybe that would help.  In fact, it did. However, I had to go into Terminal and remove all the remnants of the old certificates from /etc/certificates and /etc/httpd/ssl.crt.  I believe that also using a combination of the Keychain Access and Server Admin apps may allow you to remove any traces as well.  Don’t forget to remove the certificates, the .crt files and the .key files.

So, for future reference, whenever a signed SSL cert needs to be renewed, make sure you paste in a CSR during the renewal process, and use the associated signed certificate from the CA!
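A check worth running before installing a renewed certificate, as an added example that is not part of the original post: it compares the public key inside a certificate, a CSR and a private key, so a certificate issued against an older request is caught before it goes near Server Admin. The file names, the `same_keypair` and `make_demo` helpers and the www.example.com subject are assumptions made for the demo, and self-signing stands in for the CA.

```shell
#!/bin/sh
# Added example: confirm a CA-issued certificate belongs to the CSR and
# private key generated for this renewal before installing it.

# Print the public key (PEM) held in a cert, CSR or private key.
pubkey_pem() {
    case "$1" in
        cert) openssl x509 -in "$2" -noout -pubkey ;;
        csr)  openssl req  -in "$2" -noout -pubkey ;;
        key)  openssl pkey -in "$2" -pubout ;;
        *)    return 2 ;;
    esac 2>/dev/null
}

# same_keypair KIND_A FILE_A KIND_B FILE_B
# Returns 0 if both files carry the same public key, 1 if they differ,
# 2 if either file is missing or unreadable.
same_keypair() {
    a=$(pubkey_pem "$1" "$2") || return 2
    b=$(pubkey_pem "$3" "$4") || return 2
    [ -n "$a" ] && [ -n "$b" ] || return 2
    [ "$a" = "$b" ]
}

# Constructed sample files (hypothetical names, placeholder subject).
make_demo() {
    d=$1
    # "old" pair: stands in for a cert issued against the original request
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=www.example.com" \
        -keyout "$d/old.key" -out "$d/old.crt" 2>/dev/null
    # "new" pair: key and CSR generated for the renewal
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.com" \
        -keyout "$d/new.key" -out "$d/new.csr" 2>/dev/null
    # self-signing here stands in for the CA signing the new CSR
    openssl x509 -req -in "$d/new.csr" -signkey "$d/new.key" -days 1 \
        -out "$d/new.crt" 2>/dev/null
}

tmp=$(mktemp -d) && make_demo "$tmp"
same_keypair cert "$tmp/new.crt" key "$tmp/new.key" \
    && echo "new.crt matches new.key: safe to install"
same_keypair cert "$tmp/old.crt" key "$tmp/new.key" \
    || echo "old.crt does not match new.key: ask the CA for a reissue"
rm -rf "$tmp"
```
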

I had some fun today attempting to set up multiple SSL-enabled websites on OS X Server 10.4.  After about 5 hours of hacking away at the Server Admin app and the Network preference pane, we almost gave up.  We nearly even dropped a nice $700 to get Apple involved (‘Enterprise’ incident my foot).

It turns out that we had our terms mixed up.  The whole while, we had been trying to enable VLAN for the server, thinking that would allow us to handle multiple IP addresses coming into one NIC card.  We also assumed that IP aliases did the same thing as VLAN.  After some heavy Googling, we discovered that there is quite a difference between the two.  IP aliasing is what we were looking for.  While I did this mainly through the command line (via ifconfig), there is also the way of the GUI:

In the Network preference pane, add a new connection to the external network card.  Call it whatever you’d like, but manually set the address to whatever IP you’re attempting to alias. 
Then, set the subnet mask to ‘’.  This should minimize chances of getting a duplicate address error as well as preventing you from having to set a route.

After doing so, we pinged the address (to emulate outside traffic) and it worked perfectly.  Although the instructions on this page were related to FreeBSD, I found it extremely helpful since OS X is BSD based.  

Spotted a good page on optimizing MySQL queries in PHP.  In my experience with the projects we’ve been working on, there is truly no substitute for good planning at the outset.  Bad planning usually leads to a lot of miscommunication, buggy apps, and bad/inefficient code.

Great article on Microsoft’s attempt to take over Yahoo and what is threatened in such a move.  Support open source!

Dan found a nice CSS hack for IE5, 6 and 7. Seems to work really well!