ERR_ECH_FALLBACK_CERTIFICATE_INVALID
I’m not sure if I’ve blabbed about it before, but I have a collectd instance running in a container which shits RRD files into a shared directory, then I have another container that runs a Python script which spits out a bunch of MRTG-style graphs and a static HTML page to view them in. I do this because sometimes I want to show random people on the internet my graphs, and something like Grafana is actually a bit of a security nightmare when all I really want is a modern MRTG.
Occasionally, I want to look at one of these graphs from my work Mac, and in some cases I’ll get the error ERR_ECH_FALLBACK_CERTIFICATE_INVALID and it will refuse to load. After a time, the error goes away, and everything’s happy again.
I finally got to the bottom of it today, from a post on the pihole subreddit of all places!
ECH is “encrypted client hello”, which I don’t really give a shit about, but one of the hints that it’s usable is the HTTPS record type (which is DNS record number 65). Let’s back up a bit - one of the ways I make sure things will work even if our internet breaks is that local services, such as Mastodon, etc, all have DNS overrides at our router - effectively split-horizon DNS, so when you’re on the public internet, you see an internet IP (either a Linode VM or CloudFlare, depending on the service and how much I care about people walloping it), and when you’re in my house, you see an RFC1918 address going directly to the service.
To accomplish this, I have a series of overrides in the dnsmasq configuration, so which one you see depends entirely on which DNS server you’re using.
But these DNS records don’t override the HTTPS request type, which occasionally gets passed through to the upstream provider, and since that domain is hosted at CloudFlare (they do ECH on the free plans and you have to pay to turn it off), they return a happy response. Chrome (on my work machine, I’m a Firefox user otherwise) happily obeys, and then screams that the certificate isn’t the one specified in the HTTPS record (I think that’s what the base64 ech value is anyway) and refuses to connect. After a time the TTL of the HTTPS record expires, and the issue goes away.
Adding an additional entry for each hostname, dns-rr=some.hostname.fwaggle.org,65,000100, tells dnsmasq to respond to HTTPS queries with a record that’s a zero entry, one byte in length, with only a null byte for the contents.
And it appears to work?
There are apparently other ways I can turn off ECH at the browser level, but this is just for one specific domain so I think it’s fine. Is it the right way to do it? Probably not, “yeah we have a record for this” “jokes, it’s empty” is not really being conservative in what you send but as long as browsers do the right thing and silently reject it it’ll probably keep working.
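For checking what a resolver is actually handing a browser, here is an added decoder (my own example, not from this post or from dnsmasq) for the HTTPS record RDATA wire format from RFC 9460. It reports whether an ech SvcParam (key 5) is present, and is run over the 000100 payload from the dns-rr line above and over a constructed record with a placeholder ech value; DNSMASQ_EMPTY and WITH_ECH are names I made up for those inputs.

```python
# Decoder for DNS HTTPS (type 65) RDATA, RFC 9460 wire format:
# SvcPriority (2 bytes), TargetName (uncompressed name), then SvcParams as
# 2-byte key, 2-byte length, value. Key 5 is "ech": the ECHConfigList that a
# browser checks against the certificate of the server it actually reaches.
SVC_PARAM_KEYS = {0: "mandatory", 1: "alpn", 2: "no-default-alpn",
                  3: "port", 4: "ipv4hint", 5: "ech", 6: "ipv6hint"}

def _read_name(data: bytes, pos: int) -> tuple[str, int]:
    """Read an uncompressed wire-format name; return (text, next offset)."""
    labels = []
    while True:
        if pos >= len(data):
            raise ValueError("truncated TargetName")
        length, pos = data[pos], pos + 1
        if length == 0:
            return ".".join(labels) + ".", pos   # "." alone = owner name itself
        if length & 0xC0:
            raise ValueError("compression pointers not allowed in SVCB/HTTPS")
        labels.append(data[pos:pos + length].decode("ascii"))
        pos += length

def decode_https_rdata(rdata: bytes) -> dict:
    """Return priority, target and SvcParams (by name) for one HTTPS record."""
    if len(rdata) < 3:
        raise ValueError("RDATA too short for SvcPriority + TargetName")
    priority = int.from_bytes(rdata[:2], "big")
    target, pos = _read_name(rdata, 2)
    params, last_key = {}, -1
    while pos < len(rdata):
        if pos + 4 > len(rdata):
            raise ValueError("truncated SvcParam header")
        key = int.from_bytes(rdata[pos:pos + 2], "big")
        length = int.from_bytes(rdata[pos + 2:pos + 4], "big")
        pos += 4
        if key <= last_key or pos + length > len(rdata):
            raise ValueError("SvcParams out of order or truncated")
        params[SVC_PARAM_KEYS.get(key, f"key{key}")] = rdata[pos:pos + length]
        pos, last_key = pos + length, key
    return {"priority": priority, "target": target, "params": params}

def advertises_ech(rdata: bytes) -> bool:
    """True when the record carries an ech SvcParam a browser would act on."""
    return "ech" in decode_https_rdata(rdata)["params"]

# Constructed inputs: the 000100 payload from the dns-rr line above, and the
# same record with a placeholder ech key appended (not a real ECHConfigList).
DNSMASQ_EMPTY = bytes.fromhex("000100")
WITH_ECH = DNSMASQ_EMPTY + bytes.fromhex("0005" "0004" "deadbeef")
```

Feeding it the raw RDATA from a TYPE65 query against the router and against the upstream resolver shows which one still carries an ech key, which is the split-horizon leak this post is about.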
Bathroom Fans
When we bought this place, the exhaust fan in the main bathroom didn’t work. I had a quick look in the ceiling and found them to be hard-wired (at least I was fairly sure this was the case), so I just swung it down, put some machine oil in the back of it into the bearing/bushing, spun it by hand a bit and it started working… but I was reasonably sure it was going to need replacing sooner or later, because what I’d done was not a permanent fix in my mind.
Fast forward almost five years and that fan’s actually still running - but the other one ceased functioning during the summer. Unfortunately the same thing that fixed the main fan did not fix this one - try as I might I just could not free this one up and there was zero free-spin in it after some 15 minutes of trying to lubricate it. Sabriena prefers that shower (the small tiles on the floor of the main shower are not pleasant on the feet, the en-suite shower has a textured plastic floor), but she was showering with the window open and it was fine, there wasn’t really any moisture build-up.
But we’re in the part of the year where that’s not really tenable any more, so I texted our electrician about it… the first thing he said was “those should have a socket, you should be able to replace them yourself?” I reiterated that I’m about 99% sure that they’re actually hard-wired, so he agreed to come out and could squeeze us in the next Monday, ie today.
He also said it’s better if we buy them, that way he can just drop them straight in, so I measured the hole (about 300mm) and went looking at Hammer Barn’s website and found… nothing. Everything was 250mm, that can’t be right! So after work one night we went in to look, taking the cover of one of them with us, and found that the actual size is apparently 290mm.
The next thing I wanted in them was I really kinda wanted one that had a damper flap on them, because in summer you can feel the heat radiating down, and in winter there’s a bit of a draft under them too. I also wanted them to move a fair bit of air. We found the Mercator BE4300SPWH which looked like it’d do the job, so we picked up two of them… they’re a bit spendy compared to the others (a cheap 250mm unit can be had for about $30, these were $105), but like I said I really wanted to start looking into doing something about the draftiness of the house and this seemed a reasonable way to start.
A pretty quick job to cut the old ones out, put the sockets in, test the sockets and the RCBO they’re attached to and we’re away.
I didn’t realize until afterwards that these actually have fairly poor reviews (primarily complaints about not moving enough air, or not removing moisture, with one instance of them dying prematurely), but they appear to be doing the job… but now that there are sockets in the ceiling I don’t need an electrician to replace them if they end up packing up.
I’ll keep the boxes for a few weeks just in case…
Dryer Trouble!
A few years back we were stoked to buy a dryer, and functionally it’s done what we wanted it to. We don’t have to think about the weather before doing laundry, and it’s cheap enough on electricity that unless you’re silly enough to run it at night, it’s largely “free”.
But mechanically? Oh what a piece of shit this thing is. It’s a Fisher and Paykel DH8060P3, bought because Sabriena searched for reviews and most of them at the time appeared pretty good - the chief complaint appeared to be that the “sheets” setting would roll the sheets into a ball that would then not dry correctly, but we figured we could work around that.
We’d not had it super long and it developed an irritating squeal, and since it was still under warranty we called up the place we bought it from… who directed us to Fisher and Paykel, who then fucked about for a bit before realizing we were outside the metro area and directed us back to the retailer. Who then came and picked it up, and it took six weeks to get parts for it!
We got it back and it was mostly smooth sailing until about a week ago when it started making a terrible ruckus during use. I described it as “a vibrator on top of an empty vending machine”, like an incredibly irritating medium-frequency rattle throughout the entire cycle.
There are several videos of other people having the same issue, with no resolution. A lot of YouTube videos of folks taking apart and fixing the DE model equivalent, which is cosmetically the same unit but instead of a heat pump it’s an electric element with a condenser… but in practice these are built very differently and the videos are not all that helpful.
Looking into it, it’s properly outside warranty now, and I’m not going to live without this thing for six weeks, so fuck it, let’s have a peek.
Taking the back cover off, the first thing I notice is a wobbly wheel on the belt-driven (hah!) squirrel cage fan for the heat. Removing that belt squelches the noise, so it’s obviously related to that. Cracking into it further, I notice two things:
First, the rear-drum bearing appears to be made of some high-temperature plastic bushing, rather than a bearing, and it’s chewed to shit. There doesn’t appear to be any play with it though, so I’m thinking this is just a “wear item” - though the front drum bearings (that look something akin to rollerblade wheels) are a common complaint with folks on reviews these days, those appeared to be fine too.
Popped the fan out and got it apart, and the bearings… feel fine? Like they’re a tiny bit dry, and I considered repacking them but I don’t know what lubricant they need and putting the wrong stuff in would probably do more harm than good. So after thoroughly inspecting everything, I put it all back together and…
… would you believe the fucking noise is gone? I have no idea what I did.
I think if it comes back I will just pay someone competent to look at it, but for now I’m going to just be happy it’s shut the fuck up for a time.
For future reference, there are several models of this unit, judging by the serial number ours appears to be a 93281-C, which they helpfully provide a parts diagram for (of which I saved a copy to my Google Drive). Relevant part numbers for ours which I will likely want in the future are:
- “Fan Support” that appears to include the two bearings - H0180800252
- Rear drum bearing - H0020100313B
- Front drum bearing - H0180800201A
I cannot stress enough the aforementioned reviews - checking different consumer reports type websites and it’s basically a cacophony of “these things eat the drum bearings just outside the warranty period”, which is rather irritating. As with everything, I will get as many years out of this thing as I can but when we go to replace it it will not be with a F+P (or a Haier, which appear to be the same make but badge engineered).
Ace Combat 7
I played one of the Ace Combat games on the PS2, primarily because I’d just gotten a neato surround-sound system and whichever one it was was apparently one of the better examples of surround sound on the Playstation 2 (and it worked as-advertised, the effect absolutely blew me away long enough for me to get good enough at that game to beat it).
I remember playing another one later in Australia, but I don’t recall which, and then I largely forgot about them, until recently when the internet started going batshit over the female character in the new one that’s about to come out, which made me remember that they’d “just” released one not that long ago I never checked out. I had a look, and yeah, the current one - released in twenty-fucking-nineteen by the way - was on sale at a significant discount (80% off if memory serves), so I bought it.
I then spent three goddamn days off and on trying to get my HOTAS working with it, because they only support one type of HOTAS and the rest of them you have to edit a .ini file to make it work.
I have a pair of VKB Gladiators, but I replaced the left one with a STECS last year, and it’s the STECS that doesn’t work. I even tried manually specifying it using the GUID of it robbed from Star Citizen’s profile, and it still would not respond.
After some effort, on Sunday evening I found the reason buried in a GameFAQs post of all places: the game flatly refuses to acknowledge devices with less than three axes on them. I had turned off one of the main axes, because I play nothing with independent throttle control at this point and it was confusing things, and VKB’s god-awful software lets you do that.
But I had a slider and two thumbsticks on it, surely that’s more than three axes? Nope, afraid not. Sure enough, I turned the X axis back on, and it detects fine. I got to play the first two missions before jumping on to a different game to play with someone else.
New laptop dock
I don’t appear to have written about it, but ages ago when my beloved 2015 MacBook Pro was running out of support, coinciding with $WORK switching away from BYOD to a company-owned laptop policy, they bought and sent me an M1-powered MacBook Pro… which subsequently did not have two display ports for my two monitors.
So I bought what was highly-recommended at the time, a Dell D6000S USB “universal” dock, which would let me hook up those two monitors, and let’s just say… this thing was the bane of my existence. DisplayLink (basically compression software to let you drive high-resolution graphics over a pipe too small to carry the full uncompressed signal) was an utter piece of shit, the software crashed all the time, it routinely forgot about the orientation of my portrait monitor, they would disconnect constantly, etc. Utterly irritating.
But I put up with it for ages until upgrade time rolled around and they sent me another machine, an M4 one this time that’s by all accounts a very nice machine. But by this time I’m sick of DisplayLink, so I ask work if I can use my budget to replace my two 1440p screens with a single 4k monitor, reasoning that maybe I can do the thing without two monitors and avoid the pain of it.
This turned out to be a bad idea - first of all, without the DisplayLink software the best that the dock can do at 4k is 30Hz… utterly intolerable. Second, the M4 Macs are really picky about display cables, so while I could plug the monitor straight into the HDMI port on the Mac, it wouldn’t work with my fancy 3-meter long HDMI 2.1 cable. It did work, with only the tiniest of issues, with the cable bundled with a Nintendo Switch, so that’s what I put up with for ages.
Anyway, $WORK’s IT folks have been on me for a while now about replacing that dock with a Thunderbolt one. Thunderbolt 4 has enough bandwidth and then some to run uncompressed video over the cable with everything else, so there’s a lot less headaches with it. I snoozed on it for about two years now, and finally after some of my remote expenses budget expired unused, I decided it was time. I bought a Lenovo 7500 Thunderbolt 5 dock, and it arrived on Thursday. I plugged it in quickly on my desk, and it just worked.
Alas, I paid for it on my credit card, and despite Lenovo’s assurances that if I did a guest checkout I’d be able to sign up later, I appear to be unable to get the invoice for it… so we’ll see how it goes getting $WORK to pay for it. I think I’m going to hit them up for a second monitor (my old ones having since been disposed of) so I can finally stop relying on Apple’s “mission control” to find things.
The best part though? I unplug the work Mac and plug my laptop in, and it Just Works too… I’m typing this entry up on it. So far the only issue is opening up the sound widget thing in KDE Plasma results in the dock disappearing and then coming back… not sure what’s going on there, but I’m not particularly convinced it’s the dock’s fault.
So far, I’m pretty happy with it.
Update: 2026-05-27: I bought a second monitor and some appropriate cables, which came today. For some reason, this dock simply will not light up two monitors at once on my work Mac. I originally blamed the dock, but the funny part is that if I connect it to my personal laptop, it’s perfectly happy to drive both monitors at 60Hz (it freezes up if I have them set to 144Hz), so I know it’s not the dock.
I’m running one of them with the HDMI socket on the Mac so I have two monitors again, but it’s mildly annoying. On paper this is supposed to work!
Update: 2026-05-29: Both $WORK’s IT team and someone on Mastodon said that apparently this is a MacOS software issue, created on-purpose by Apple for who knows what reason. Apple refuse to support multi-stream transport, so it just doesn’t work. The docks that do work apparently either use multiple thunderbolt cables, or they have internal USB-C adaptors instead of one adaptor with several monitors.
The solution is to buy a USB-C to HDMI cable, so I did so… another A$60 out the door and I was not really expecting it to work… but it does! Everything runs through one cable, as intended. I do wonder if my old dock would have had the bandwidth to make this work as well if I’d just bought two USB-C to HDMI cables?
Fucking infuriating though.
