# Let’s Encrypt: Reload Nginx after Renewing Certificates

Today I had an incident which caused my webserver to serve expired certificates. My blog relies on Let’s Encrypt for SSL/TLS certificates, which have to be renewed every 3 months. Usually, the cronjob which runs certbot --renew takes care of it automatically. However, there is one step missing, the server must reload the renewed certificates. Most of the time, the server gets reloaded often enough so everything is okay, but today, its been a quite a while since the last time since the nginx server was restarted, so expired certificates were served and the blog became unavailable.

To workaround it, we can make sure nginx reloads it configuration after each successful certificate renewal. The automatic renewal is defined in /etc/cron.d/certbot. The default contents under Debian Jessie are as follows:

# /etc/cron.d/certbot: crontab entries for the certbot package
#
# Upstream recommends attempting renewal twice a day
#
# Eventually, this will be an opportunity to validate certificates
# haven't been revoked, etc.  Renewal will only occur if expiration
# is within 30 days.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

0 */12 * * * root test -x /usr/bin/certbot && perl -e 'sleep int(rand(3600))' && certbot -q renew


The last line makes sure certificate renewal runs twice a day. Append --renew-hook "/etc/init.d/nginx reload" to it, so it looks like this:

0 */12 * * * root test -x /usr/bin/certbot && perl -e 'sleep int(rand(3600))' && certbot -q renew --renew-hook "/etc/init.d/nginx reload"


The --renew-hook runs the next argument after each successful certificate renewal. In our case we use it to reload the nginx configuration, which also reloads the newly renewed certificates.

# LyX: Missing title when passing ignorenonframetext to Beamer

Passing ignorenonframetext as an option to Beamer, causes it to ignore all the text that is not inside a frame. It is useful when you want to add content for the article version of the presentation (or simply script lines for yourself) that would not show in the regular presentation. LyX puts the title elements outside any frame. Therefore, if you use ignorenonframetext you end up missing the title frame. The solution is to manually wrap the title block (the title, author, institute, etc.) in a frame and append to it \maketitle. This will cause the title frame to be rendered correctly.

# Optimize LaTeX PDF Output for Kindle

Kindle can display PDFs, but usually the result is very hard to read. Normal PDFs are not suitable, especially when it comes to paper size for the, relatively, small display of the Kindle. For a forthcoming project, which I intend to write in LaTeX and read on Kindle, I looked into optimizing the document settings so the result will be rendered in a readable manner on Kindle.

I’ve started with the normal article class. The result, is not good at all:
While Kindle zooms-in automatically to remove, the usually very wide, margins LaTeX uses, the big (A4) paper size, still results in a tiny font on the Kindle display. Switching to Koma-Script, is a bit better, but mainly provides better mechanisms to control the paper size for later experiments.

The next try, is simply to use the A5 paper size. The result is getting better, but the paper size is still too big. Setting the paper size manually to 12cm by 9cm (the screen’s physical dimensions) and setting the pagestyle to empty (removes the page numbering among other things) results in a much better results because of the (still) wide margins and the auto-zoom in a font size that is too big and not enough content fits in a page:

Finally, by manually setting the text area to be a bit smaller (11cm by 8cm) than the paper size, results in small margins and very little auto-zoom. The output can be clearly read on the Kindle, and still quite a bit of text fits on a single page:

The LaTeX code for the last example is:

\documentclass[DIV=calc,paper=9cm:12cm,pagesize]{scrartcl}

\areaset{8cm}{11cm}
\pagestyle{empty}
\usepackage{lipsum}
\begin{document}
\lipsum
\end{document}


# KOMA-Script: Specifying Binding Correction for RTL Documents

The KOMA-Script bundle provides an option to specify the amount of binding correction needed in order to compensate for the width lost in the binding process. By default, it is added to the left margin, which is where the binding is applied for Left to Right languages. However, if a document is written in Hebrew or Arabic, one binds it on the right. The KOMA-Script manual does not consider that option. After a bit of playing I’ve found out that simply using a negative value for the binding correction works.

For example, if in an English document you would use

\documentclass[BCOR=8.25mm]{scrreprt}


For Hebrew you would set

\documentclass[BCOR=-8.25mm]{scrreprt}


# Installing OrderNet Pro on Debian Jessie

OrderNet is a a popular stock trading platform in Israel. OrderNet comes in two versions: The regular version is based on Silverlight and can be used on Linux using Pipelight. The Pro version is a desktop program written in .NET Framework and features better interface. This post walks through the steps needed to get OrderNet Pro running on Debian Jessie using Wine.

# LyX 2.2.0 for Debian Jessie

I’ve backported LyX 2.2.0-2 from Debian Testing to Jessie. The binaries for amd64 can be found in https://www.guyrutenberg.com/debian/jessie.

You can add my repository by appending the following line to /etc/apt/sources.list:

deb https://www.guyrutenberg.com/debian/jessie ./


# Creating a personal apt repository using dpkg-scanpackages

From time to time I build and backport deb packages. Most of them are for my personal use, but sharing them would be nice. Another advantage for setting up a personal repository over directly installing deb files is that you can install dependencies from that repository automatically. Especially useful if one source package builds multiple binary packages which depend on one another.

There is a list of programs ways how to setup such personal repository in the Debian wiki. However, I found most ways to be too cumbersome for my limited requirements. The way I’m describing below is probably the simplest and easiest way to get up and running.

First thing is installing dpkg-dev which provides dpkg-scanpackages.

sudo apt install dpkg-dev


Next put the deb files you created in some local repository such as /usr/local/debian and cd into it.

# dpkg-scanpackages -m . | gzip -c > Packages.gz


will scan all the *.deb files in the directory and create an appropriate Packages.gz file. You need to repeat this step whenever you add new packages to /usr/local/debian.

Finally to enable the new local repository, add the following line to /etc/apt/sources.list:

deb [trusted=yes] file:///usr/local/debian ./


The [trusted=yes] options instruct apt to treat the packages as authenticated. Alternatively, if you want to share it with others, make sure that your webserver serves the directory and point to it

deb https://www.guyrutenberg.com/debian/jessie ./


(You will need the apt-transport-https in order to use https repositories).

Don’t forget to apt update before trying to install packages from the new repository.

# Playing Opus Files on Android Marshmallow (6.0)

The Opus codec provides superior audio quality over codecs such as AAC, MP3 and Vorbis. Android has support for Opus since Android 5.0 (Lollipop). However, when I tried playing Opus files on My LG G4, it wouldn’t recognize the file as a media file at all. It turns out, that the default .opus extension is not recognized by Android. The workaround is to change the extension to .ogg. Generally speaking, this is technically correct, as most Opus streams are encapsulated by an Ogg container, however, .opus is the recommended extension (but apparently not for Android).

# Fixing HTML Rendering in Wine on Debian Jessie

Some application rely on Internet Explorer to provide HTML rendering capabilities. Wine implements the same functionality based on a custom version of Mozilla’s Gecko rendering engine (the same engine used in Firefox). In Debian Jessie you have a package called libwine-gecko-2.24 (the version is part of the name) which provides this rendering engine for Wine. However, different versions of Wine require different versions of wine-gecko. The package provided in Debian Jessie, matches the Wine version provided by wine-development from the main Jessie repository (1.7.29). Unfortunately wine-development from the jessie-backports if of version 1.9.8 and requires wine-gecko of version 2.44 which is not provided by any Debian repository. This will lead to errors like

Could not load wine-gecko. HTML rendering will be disabled.


and blank spaces where HTML content would be rendered in many applications.

The solution would be to manually install the required version of wine-gecko. We start by downloading the MSI binaries provided by Wine

$wget https://dl.winehq.org/wine/wine-gecko/2.44/wine_gecko-2.44-x86.msi$ wget https://dl.winehq.org/wine/wine-gecko/2.44/wine_gecko-2.44-x86_64.msi


Now install the required one, based on whether you are using 32bit or 64bit wine environment:

wine-development msiexec /i wine_gecko-2.44-x86.msi


(be sure the setup the correct \$WINEPREFIX if needed).