SSL Cert Installation

SSL certificates can be installed in two ways: with a free certificate or with a paid one.

Free: as an example
Download and run the certbot tool, “letsencrypt”. The cert is only valid for 90 days.
Basic steps:
Make a .cnf file
Run “openssl req” with the .cnf file to create a CSR (Certificate Signing Request) as a .der file
Run “letsencrypt certonly” with the .der file to get the cert downloaded
During this process, create a text file on the web site to prove ownership
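The three CSR steps above, scripted as an added example (not from the original notes): it writes the .cnf with a subjectAltName section, runs “openssl req” to produce a fresh private key and a DER-encoded CSR, and checks the CSR before it is handed to certbot. It assumes the openssl CLI is installed, uses example.com as a placeholder hostname, and assumes /var/www/html as the web root where certbot drops the ownership file; the certbot line itself is shown as a comment because it needs a publicly reachable web server.

```shell
#!/bin/sh
# Added example: scripting the CSR steps from the notes above.
# Assumptions: openssl CLI present; example.com is a placeholder hostname;
# output directory is passed as $1.
set -eu

# Step 1: write the .cnf file. The SAN section matters: browsers ignore the CN
# and require subjectAltName, and Let's Encrypt validates every SAN name listed.
write_cnf() {
  dir="$1"; host="$2"
  cat > "$dir/csr.cnf" <<EOF
[ req ]
default_bits       = 2048
prompt             = no
distinguished_name = dn
req_extensions     = v3_req

[ dn ]
CN = $host

[ v3_req ]
subjectAltName = DNS:$host, DNS:www.$host
EOF
}

# Step 2: "openssl req" with the .cnf, producing a new private key and a DER CSR.
make_csr() {
  dir="$1"
  openssl req -new -newkey rsa:2048 -nodes \
    -config "$dir/csr.cnf" \
    -keyout "$dir/privkey.pem" \
    -out "$dir/request.der" -outform DER 2>/dev/null
  chmod 600 "$dir/privkey.pem"   # the key never leaves this host; keep it private
}

# Check: the CSR parses, its self-signature matches the key, and the SANs are in it.
verify_csr() {
  dir="$1"
  openssl req -in "$dir/request.der" -inform DER -noout -verify 2>/dev/null || return 1
  openssl req -in "$dir/request.der" -inform DER -noout -text 2>/dev/null \
    | grep -q "DNS:www\." || return 1
  return 0
}

# Step 3 (not run here; needs a public web root for the ownership file):
#   certbot certonly --webroot -w /var/www/html --csr "$dir/request.der"
# The issued chain goes into nginx's ssl_certificate and privkey.pem into
# ssl_certificate_key. Renew before the 90 days are up.

build_csr() {
  dir="$1"; host="$2"
  mkdir -p "$dir"
  write_cnf "$dir" "$host"
  make_csr "$dir"
  verify_csr "$dir"
}

# Usage: sh mkcsr.sh /tmp/csr-demo example.com
# Only runs when an output directory is given, so sourcing the file is silent.
if [ "${1:-}" != "" ]; then
  build_csr "$1" "${2:-example.com}" && echo "CSR ready in $1"
fi
```

The key is generated with -nodes (no passphrase) because nginx reads it unattended at startup; file permissions, not a passphrase, are what protect it on the server.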

Paid: as an example
$140 for two years with wildcard support.
Instead of running the certbot tool, interact with the vendor's web site, which is easier.
Of course, creating a file on the web site is still required to prove ownership.

Copy the cert and private key files to the web server, and update the config file.
For nginx, as an example, the directives are ssl_certificate and ssl_certificate_key.

To confirm the cert installation:
Using Chrome:
Developer Tools – Security: enter the URL in the address bar, then click the View Certificate button.
Using an online tool:
Just replace the hostname in the URL below.

Team Environment Setup

Here are some team environments I have worked with, some with MaxxSports.

Version control: git (GitLab or GitHub), svn, Perforce, MS Team Foundation
Code review: CodeFlow, Swarm
Issue tracking: Jira, Bugzilla
Task tracking: Jira
Email: Gmail Business, AWS WorkMail, MS Exchange
Messaging: Slack, Lync
Conferencing: G Suite Hangouts Meet, BlueJeans
Wiki: Confluence
File sharing: Box
Build management: TeamCity, Jenkins, MS Team Foundation
Build system: make, MSBuild, BitBake, OpenEmbedded

Server Push Through HTTP/2

Server: nginx-1.15.8 downloaded as Pre-Built Packages from

Config: in /etc/nginx, different from nginx-1.9.15, whose config is in /usr/local/nginx
Add to the server section: listen 444 ssl http2;
Add to the location section: http2_push /style.css;

With Chrome: go to
Developer Tools – Network: the header column shows h2
With curl 7.63: curl.exe -vso /dev/null --http2
Watch for the output: “server accepted to use h2”
Notes: style.css is downloaded both with and without HTTP/2. The difference is that with HTTP/2 the server sends it without a separate corresponding request from the browser, which is what is called Server Push.

TCP behind NAT

It is assumed that hosts A and B are both behind NAT, and that UDP hole punching is already working.
There are two more requirements for A to initiate a TCP connection to B.
1. natA has to tolerate B sending A a SYN by not replying with a RST.
2. natB has to allow A's SYN to come in, while natB normally expects A's SYN/ACK.
Most NATs do not meet these two requirements, which explains why TCP hole punching seldom works.