
Throwing another tidbit of recently found knowledge out here. Along the way, while playing with different certs on my EAP-TLS setup, I wound up removing the 802.1x password entry from the OS X Keychain (at the time thinking it would help my problem). What I discovered after that was that, even after reverting my RADIUS server config, I couldn’t connect back to my test SSID. OS X just threw an “unable to join network” message immediately and gave up. I couldn’t figure out why I couldn’t connect back, or what would be keeping state about this network.

802.1x entry

The TL;DR is I went into System Preferences > Network > Wi-Fi and told it to forget about my test SSID. After this I was prompted for the username/password on my network when I retried it.

(Actually I’m not even sure how I got in this situation. I just deleted this again and I was able to rejoin the network?)

Along the way I found out the Wireless Diagnostic tool on OS X is actually nice and useful, you wouldn’t think it from the surface. It collects a ton of logs and even packet captures to review. From what I gathered from the internets I needed to look for “eapolclient” logging. In this case eapolclient was reporting “Acquired: cannot prompt for missing user name”. I didn’t get many leads hunting for this message. It wasn’t until I thought about the forgetting thing that I fixed my problem.

eapolclient “cannot prompt for missing user name”

Yay, fixed.


Not really relevant to the post, but I found it amusing

You think you know something just enough to get by, until you have something that challenges your workflow and tools. Then you have to brush away the cobwebs, learn a few things, and work on some scripts. Based upon my recent adventures in dealing with EAP-TLS for wireless, I realized I was doing several things wrong with OpenSSL and my private certificate authority (CA) over the years. I never really spent any time reading good docs beyond creating cert requests and converting certificates, nor learning what all the options and extensions do.

I found a great instruction guide on how to properly set up not only a CA with OpenSSL, but an intermediate CA, revocation lists, and certificates for servers and users: https://jamielinux.com/docs/openssl-certificate-authority/. It does a good job of explaining just the options you need and why.

Based on this guide and copious amounts of Googling to fix other problems I set about putting my CA house in order. Among other things, I wanted to make sure I was generating appropriate certs and finally get around to stop doing some things by hand. (And insert an intermediate CA to my setup for giggles because my home lab isn’t complicated enough. Never mind, dealing with certificate chains and applications is annoying.)


Things I learned while yak shaving certificates, all in one place so hopefully other people can avoid my folly:

(disclaimer: I’m possibly wrong about some of this)

iOS needs a common name on certs to trust them: This is what started it all. On Apple iOS devices (unsure when this started, iOS 11?) if your private root CA certificate does not have a Common Name (CN) value set, you will not be able to trust the certificate on the device. Without a CN, the certificate just does not show up under General > About > Certificate Trust Settings > Enable Full Trust For Root Certificates. You can install the root certificate all day long, but you can’t get device-level trust without this.

Certificate Trust Settings: No CN on root cert


Certificate Trust Settings: root cert has CN

Can’t just casually add a CN: Based on what I read for regenerating a root certificate with the same key, I thought I might be able to issue a new root cert and fix the CN. Turns out you can’t just add the CN on your existing root CA certificate because this breaks the chain of trust of any certificates you’ve signed with it. In particular, OpenSSL is going to throw an “unable to get local issuer certificate” when it tries to verify a signed certificate against your newly altered root certificate:

# Existing cert, newly modified root, verification fails:
# openssl verify -CAfile /opt/pki/CA/certs/wannnet-ca-20180913-cert.pem \
    certs/raptor.wann.net-20170624-cert.pem
certs/raptor.wann.net-20170624-cert.pem: C = US, ST = California, L = Fremont, O = wann.net, CN = raptor.wann.net, emailAddress = pki@wann.net
error 20 at 0 depth lookup:unable to get local issuer certificate

# Existing cert, original root, verification is OK:
# openssl verify -CAfile /opt/pki/CA/certs/wannnet-ca-20170624-cert.pem \
    certs/raptor.wann.net-20170624-cert.pem
certs/raptor.wann.net-20170624-cert.pem: OK

This is because the subject of the new root certificate (for a self-signed root, Issuer: and Subject: are the same name) no longer matches the Issuer: recorded in the existing certificate:

# Existing server certificate, signed with original root CA (without a CN):
# openssl x509 -in certs/raptor.wann.net-20170624-cert.pem -text | grep Issuer
        Issuer: C=US, ST=California, L=Fremont, O=wann.net, OU=wann.net CA/emailAddress=pki@wann.net

# Issuer: of original root CA certificate:
# openssl x509 -in wannnet-ca-20170624-cert.pem -text | grep Issue
        Issuer: C=US, ST=California, L=Fremont, O=wann.net, OU=wann.net CA/emailAddress=pki@wann.net

# Issuer: of new root CA certificate with a proper CN added:
# openssl x509 -in wannnet-ca-20180913-cert.pem -text | grep Issue
        Issuer: C=US, ST=California, L=Fremont, O=wann.net, OU=wann.net CA, CN=wann.net Root CA/emailAddress=pki@wann.net

This means unless you re-issue every single certificate you have to reflect the new CN on the root cert, you’re going to be carrying around both root CA certificates in your devices’ trust stores until the child certificates eventually expire and you re-issue/re-sign them with the new root certificate. (2 years for me).

Upgrading signature algorithm on the root: However! Allegedly you can regenerate the root CA certificate with different signatures (the SHA1 -> SHA256 signature fracas recently) or new validity periods as long as you use the same key file you originally created the self signed cert with. You just can’t change the subject or CN details. (I wish I had known this before reissuing all of my client certs last year when I needed SHA256 signatures)
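An added example, not from the original post: the two re-issue cases above (CN added to the subject, and same subject with a new signature and validity), reproduced with a throwaway CA. It assumes an OpenSSL 1.1.1 or later `openssl` on the PATH; the example.test names, file names and helper functions are constructed, and SHA-256 to SHA-512 stands in for the SHA1 to SHA256 change.

```sh
#!/bin/sh
# Added example: throwaway keys and constructed names (example.test) in a temp dir.
set -eu

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Minimal config so the result does not depend on the system openssl.cnf.
cat > "$work/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt             = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# make_root <out.pem> <digest> <days> <subject>: self-sign with the one CA key.
make_root() {
    openssl req -x509 -new -key "$work/ca.key" -config "$work/req.cnf" \
        -extensions v3_ca "-$2" -days "$3" -subj "$4" -out "$work/$1"
}

# name_of <subject|issuer> <cert.pem>: the name in RFC 2253 form.
name_of() {
    openssl x509 -in "$work/$2" -noout "-$1" -nameopt RFC2253 | sed "s/^$1= *//"
}

# sig_of <cert.pem>: signature algorithm of the certificate.
sig_of() {
    openssl x509 -in "$work/$1" -noout -text |
        sed -n 's/.*Signature Algorithm: //p' | head -n 1
}

# verify_with <root.pem>: "ok" or "fail" for the already-issued leaf.
verify_with() {
    if openssl verify -CAfile "$work/$1" "$work/leaf.pem" >/dev/null 2>&1
    then echo ok; else echo fail; fi
}

subj_orig="/C=US/O=example.test/OU=example.test CA"   # no CN, like the post's first root
subj_cn="$subj_orig/CN=example.test Root CA"          # same name with a CN appended

openssl genrsa -out "$work/ca.key" 2048 2>/dev/null
openssl genrsa -out "$work/leaf.key" 2048 2>/dev/null

# Original root, and one leaf issued under it.
make_root root-orig.pem sha256 365 "$subj_orig"
openssl req -new -key "$work/leaf.key" -config "$work/req.cnf" \
    -subj "/CN=host.example.test" -out "$work/leaf.csr"
openssl x509 -req -in "$work/leaf.csr" -CA "$work/root-orig.pem" \
    -CAkey "$work/ca.key" -CAcreateserial -sha256 -days 30 \
    -out "$work/leaf.pem" 2>/dev/null

# Two re-issues from the SAME key: one changes the subject, one does not.
make_root root-cn.pem       sha256 365  "$subj_cn"
make_root root-resigned.pem sha512 3650 "$subj_orig"

echo "leaf issuer: $(name_of issuer leaf.pem)"
for root in root-orig.pem root-cn.pem root-resigned.pem; do
    echo "$root: sig=$(sig_of "$root") verify=$(verify_with "$root")"
    echo "  subject: $(name_of subject "$root")"
done
```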

Adding subjectAltNames is messy: Somewhere along the way browsers such as Chrome started requiring a valid Subject Alternative Name (SAN) on TLS certificates. For our purposes this is a list of DNS names (e.g. CNAMEs) that the certificate is valid for.

There’s not an easy way to add this to certificate requests (yet [1]), and every example on the Internet has you cracking open openssl.cnf in a text editor every time you want a new cert (what could go wrong?!). For a while I did this, I couldn’t be bothered learning a better way and hated myself each time I made a cert. There’s also some convoluted bash “one-line” scripts out there that attempt to remedy this, but they’re hard to follow what they’re doing until you understand what they’re doing.

Of course my script is better than everyone else’s script: https://github.com/bwann/pki-tools/blob/master/make-wannnet-csrkey.sh. I’ve tried to simplify the bash and make it a little easier to understand. For the skeptical, here’s some sample output.

This script generates an RSA key and certificate request with the server name/common name as the first argument to the script; any further arguments are added to the request as Subject Alternative Names.

[1] As of OpenSSL 1.1.1 just released in September 2018, they’ve tweaked the req -extension option to make this a bit easier: https://github.com/openssl/openssl/commit/bfa470a4f64313651a35571883e235d3335054eb
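One way to build such a request without touching openssl.cnf, as an added example (this is not the author's make-wannnet-csrkey.sh): a per-request config is generated from the arguments, and each name is validated first so an argument cannot inject extra SAN entries or config lines. The function names and example.test hosts are constructed.

```sh
#!/bin/sh
# Added example, not the author's script. Host names are constructed.
set -eu

# valid_name <dns-name>: letters, digits, dots and hyphens only, so an argument
# cannot smuggle extra entries or config lines into the generated request.
valid_name() {
    case $1 in
        ''|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
}

# make_csr <outdir> <common-name> [san ...]
# Writes <cn>.key and <cn>.csr; the CN is always repeated as the first SAN.
make_csr() {
    outdir=$1; cn=$2
    shift 2
    sans=""
    for name in "$cn" "$@"; do
        valid_name "$name" || { echo "rejecting name: $name" >&2; return 1; }
        sans="${sans:+$sans, }DNS:$name"
    done

    # Per-request config: the system openssl.cnf is never edited.
    cnf=$(mktemp)
    cat > "$cnf" <<EOF
[ req ]
distinguished_name = dn
prompt             = no
req_extensions     = v3_req
[ dn ]
CN = $cn
[ v3_req ]
subjectAltName = $sans
EOF

    # Private key is created owner-readable only.
    ( umask 077; openssl genrsa -out "$outdir/$cn.key" 2048 2>/dev/null )
    openssl req -new -key "$outdir/$cn.key" -config "$cnf" -out "$outdir/$cn.csr"
    rm -f "$cnf"
}

# csr_sans <csr>: the SAN list exactly as the CA will see it.
csr_sans() {
    openssl req -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' |
        sed -n '2{s/^ *//;s/ *$//;p;}'
}

out=$(mktemp -d)
trap 'rm -rf "$out"' EXIT
make_csr "$out" www.example.test alias.example.test
echo "SANs in request: $(csr_sans "$out/www.example.test.csr")"
```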

CAs drop subjectAltNames when signing: By default OpenSSL will drop any user-submitted extensions (such as subjectAltNames) from a certificate request when it comes time to sign the certificate with your CA. This means when you sign a certificate request that includes your alternative names, this undoes all the work you just did to add them. Now you’ve got to re-supply the subjectAltNames via the OpenSSL config somehow as seen above for the signing process. There’s a good reason for this behavior, preventing unwanted user input: a rogue user could submit a certificate request with an extension something like basicConstraints=CA:TRUE, and unless it’s caught at signing time, the root has just issued a CA certificate.

You can get around this in your own CA environment by configuring copy_extensions in your openssl.cnf under the CA_default section. There are a couple of options for this and the man page (man ca) has clear warnings about the implications. Setting copy_extensions=copy will copy the subjectAltNames from the certificate request; however, you will want to make sure that whichever extensions section you sign a certificate with already nails down basicConstraints and keyUsage, so the request’s own values for those extensions can’t end up in the certificate.

Key extensions for servers and clients: This is what I first learned while setting up certificates for EAP-TLS. There are extensions you can add to the X509 certificate that tell what the intended purpose of the certificate is (man x509v3_config). I haven’t ever had to use these because Linux has always been pretty happy (blissfully ignorant?) with what I was using before. Apparently things like Windows and Android care about these extensions, i.e. they expect a server cert on the server, a client cert on the client app.

Ideally in your openssl.cnf you’d have a section defining options to use while signing a certificate for servers (e.g. [ server_cert ]), and another section for client/user certificates (e.g. [ user_cert ]), each containing the appropriate extendedKeyUsage settings for each type. Then when it comes time to sign a cert, tell OpenSSL which extension section to use.
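The copy_extensions behaviour and the per-type signing sections described above, as an added example that is not the author's configuration: one CSR carrying a SAN list plus a basicConstraints=CA:TRUE request is signed twice by a throwaway CA, once with a section that pins nothing and once with a pinned [ server_cert ]. The [ unpinned ], [ policy_any ] and [ csr_ext ] section names, the example.test names and the helper functions are constructed.

```sh
#!/bin/sh
# Added example: throwaway CA and constructed names (example.test) in a temp dir.
set -eu

ca=$(mktemp -d)
trap 'rm -rf "$ca"' EXIT
mkdir "$ca/newcerts"
: > "$ca/index.txt"
echo 1000 > "$ca/serial"

cat > "$ca/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
database        = $ca/index.txt
new_certs_dir   = $ca/newcerts
serial          = $ca/serial
certificate     = $ca/ca.pem
private_key     = $ca/ca.key
default_md      = sha256
default_days    = 30
policy          = policy_any
unique_subject  = no
# Copy request extensions that the signing section has NOT already set.
copy_extensions = copy

[ policy_any ]
commonName = supplied

# Weak: pins nothing, so whatever the CSR asks for is copied through.
[ unpinned ]
subjectKeyIdentifier = hash

# Server profile: these three are set first, so the CSR cannot replace them.
[ server_cert ]
basicConstraints = critical, CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

# Matching client/user profile.
[ user_cert ]
basicConstraints = critical, CA:FALSE
keyUsage         = critical, digitalSignature
extendedKeyUsage = clientAuth

[ req ]
distinguished_name = dn
prompt             = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign

# Constructed CSR contents: a legitimate SAN list plus an unwanted CA request.
[ csr_ext ]
subjectAltName   = DNS:www.example.test, DNS:alias.example.test
basicConstraints = CA:TRUE
keyUsage         = keyCertSign
EOF

openssl genrsa -out "$ca/ca.key" 2048 2>/dev/null
openssl req -x509 -new -key "$ca/ca.key" -config "$ca/ca.cnf" -extensions v3_ca \
    -subj "/CN=Example Test Root CA" -days 30 -out "$ca/ca.pem"
openssl genrsa -out "$ca/host.key" 2048 2>/dev/null
openssl req -new -key "$ca/host.key" -config "$ca/ca.cnf" -reqexts csr_ext \
    -subj "/CN=www.example.test" -out "$ca/host.csr"

# sign_with <extensions-section> <out.pem>: sign the same CSR with that profile.
sign_with() {
    openssl ca -batch -notext -config "$ca/ca.cnf" -extensions "$1" \
        -in "$ca/host.csr" -out "$ca/$2" 2>/dev/null
}

# ext_line <cert.pem> <extension title>: the value line printed under that title.
ext_line() {
    openssl x509 -in "$ca/$1" -noout -text | grep -A1 "$2" |
        sed -n '2{s/^ *//;s/ *$//;p;}'
}

sign_with unpinned    unpinned.pem
sign_with server_cert pinned.pem

for cert in unpinned.pem pinned.pem; do
    echo "$cert: $(ext_line "$cert" 'X509v3 Basic Constraints')," \
         "SAN=$(ext_line "$cert" 'X509v3 Subject Alternative Name')"
done
```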

Android needs magic to install a root CA with system level trust. I haven’t gone through the effort to figure this one out yet, every time I install my root CA certificate on my Nexus it only winds up as a user-level cert, and displays a fabulous “warning third parties are snooping on your network” notification. From what I gather some root-level muckery needs to happen. Surely some MDM software has figured this out already.


https://github.com/bwann/pki-tools/ : Some of my own scripts for generating cert requests, keys, signing them with an OpenSSL CA. Server-centric for now, still ironing out the kinks in user certificates for now and will post whenever they’re decent.

https://www.phildev.net/ssl/ : A friend’s guide to X509 certs that I had forgotten about until I posted this

https://jamielinux.com/docs/openssl-certificate-authority/ : The other CA setup guide I mentioned at the beginning of this post

If you’ve ever tried setting up FreeRADIUS and WPA2-Enterprise, and wondered how the example certs wind up with the X509v3 extended key “TLS Web Server Authentication” on it, the trick here is a config file specifying a numerical OID for the key instead of a text description. (Apparently Windows expects to see these TLS extended keys when connecting to a wireless network with EAP/TLS).

This puzzled me for a while, I’ve never seen this key and couldn’t figure out how they were getting it on their certs. It’s obvious now, but I spent way longer than I care to admit carefully combing over the example *.cnf files that came with the package, my system’s openssl.cnf, another system’s pristine openssl.cnf for any missing extendedKeyUsage or nsCertType directives, and the OpenSSL manual page for x509 looking for any missed defaults. It wasn’t until I carefully followed the Makefile in the example that I saw they were pulling in an extension file via -extfile xpextensions and using a section with -extensions xpserver_ext that was specifying the options as OIDs. I had overlooked this file in earlier spelunking. Mystery solved.
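How a numeric OID in an extension file turns into “TLS Web Server Authentication”, as an added example that is not the FreeRADIUS files themselves: 1.3.6.1.5.5.7.3.1 is the OID for serverAuth and 1.3.6.1.5.5.7.3.2 the one for clientAuth, so the OID form and the short name produce the same extension, and a purpose-checking verifier accepts the certificate only in the matching role. The file contents, the demo_* section names and the example.test names are constructed; only the xpextensions and xpserver_ext names come from the post.

```sh
#!/bin/sh
# Added example: throwaway CA and constructed names (example.test) in a temp dir.
set -eu

w=$(mktemp -d)
trap 'rm -rf "$w"' EXIT

# Extension file in the style the post describes: the EKU is a bare OID.
# The two demo_* sections are constructed here for comparison.
cat > "$w/xpextensions" <<'EOF'
[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
[ demo_client_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
[ demo_named_server_ext ]
extendedKeyUsage = serverAuth
EOF

cat > "$w/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt             = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF

openssl genrsa -out "$w/ca.key" 2048 2>/dev/null
openssl req -x509 -new -key "$w/ca.key" -config "$w/req.cnf" -extensions v3_ca \
    -subj "/CN=Example Test CA" -days 30 -out "$w/ca.pem"
openssl genrsa -out "$w/ee.key" 2048 2>/dev/null
openssl req -new -key "$w/ee.key" -config "$w/req.cnf" \
    -subj "/CN=radius.example.test" -out "$w/ee.csr"

# issue <section> <out.pem>: sign the CSR using one section of the extension file.
issue() {
    openssl x509 -req -in "$w/ee.csr" -CA "$w/ca.pem" -CAkey "$w/ca.key" \
        -CAcreateserial -sha256 -days 30 \
        -extfile "$w/xpextensions" -extensions "$1" -out "$w/$2" 2>/dev/null
}

# eku_of <cert.pem>: how OpenSSL prints the extended key usage.
eku_of() {
    openssl x509 -in "$w/$1" -noout -text | grep -A1 'Extended Key Usage' |
        sed -n '2{s/^ *//;s/ *$//;p;}'
}

# fits <cert.pem> <sslserver|sslclient>: does the cert verify for that purpose?
fits() {
    if openssl verify -CAfile "$w/ca.pem" -purpose "$2" "$w/$1" >/dev/null 2>&1
    then echo yes; else echo no; fi
}

issue xpserver_ext          server-oid.pem
issue demo_named_server_ext server-named.pem
issue demo_client_ext       client-oid.pem

for cert in server-oid.pem server-named.pem client-oid.pem; do
    echo "$cert: EKU='$(eku_of "$cert")'" \
         "as server=$(fits "$cert" sslserver) as client=$(fits "$cert" sslclient)"
done
```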


P.S. this dude wrote an incredibly detailed instruction guide on a home lab setup using a Raspberry Pi as a UniFi wireless controller, private CA, FreeRADIUS, and WPA2-Enterprise.  It’s got more screenshots and explanations than most of the internet deserves.  https://dot11zen.blogspot.com/2018/04/wpa2-entreprise-using-unifi-access.html

P.P.S. FreeRADIUS has been incredibly annoying to write an attribute-API-driven Chef cookbook for.

users file? Easy, we’ll just iterate over a loop and dump out the values — not so fast, the last entry on a user can’t have a trailing comma, oh and we use tabs in some spots.

Config file? We’ll define convenience variables in it, using them all over the place and then use them to create more convenience variables in other config files we include. (I get it, for human maintainers this makes it easy) Without writing templates for each and every config file to get rid of them all, it took a while to locate the major ones to maintain compatibility.

Ubuntu? We’ll use completely different paths to store our RADDB, daemon names, TLS certs, system users and groups than CentOS, because we’re Ubuntu. And amazingly CentOS 7.x has FreeRADIUS v3, whereas Ubuntu 16.x has v2, which uses slightly different syntax.

The majority of the work is done now so hopefully I can post the cookbook on Github soon.

Yosemite trip: August

[photos: flickr – Yosemite]

A couple of weeks ago a friend passing through Yosemite informed me the smoke had cleared up, highways and campgrounds were open again. In theory this meant there should be a lot of campsites available from all the recent cancellations due to the park closure. I sat on this for a few days and by the weekend I was itching to go. I checked the reservation.gov website, all the campgrounds in the valley were still booked solid, but there were three nights available in the middle of the week at Tuolumne Meadows Campground. I grabbed them and left home on Tuesday afternoon.

I arrived at the campground around 7 PM. The late list was posted with my assigned campsite, along with several warnings about bears in the area. The good news was that despite the recent Ferguson fires, camp fires were allowed above 8,000 feet. I pitched camp, wandered over to the store for firewood, started a fire and set in for the night. I had just received Chris Hadfield’s book An Astronaut’s Guide to Life on Earth from Amazon before I left, so that was my evening reading material under red headlamp light.

Coming from sea level, the altitude was not my friend. Moving around setting up my gear I was starting to get slightly lightheaded. It was cold at night and I tossed and turned many times trying to sleep. Before my last Death Valley trip I had given up trying to find the slow leak in my Thermarest EvoLite (I even submerged it in the swimming pool) and bought a NeoAir on clearance from REI. For truck camping I didn’t really care about the weight or bulk of a pad very much. The NeoAir worked perfectly to keep me insulated from the cold ground, gave me cushion to sleep on my side, and best of all it wasn’t fucking deflated by the time I woke up!

Wednesday I had a bit of a headache and decided to take it easy until I acclimated a bit. I drove out to Lee Vining and back to scope out what was around me and what I had missed on the last trip. I had considered hiking up Lembert Dome or up to Elizabeth Lake, but not today. Instead I went over to Soda Springs and wandered around the meadows. It was nearly a full moon at night which did a great job of illuminating the mountains so I spent some time photographing around Tenaya Lake.


Thursday I drove over to Yosemite Valley, where I had wanted to hike the Valley Loop Trail. I found parking near Camp 4 and picked up the trail from there. Not too long after, I spotted a bear walking along the opposite bank of the Merced River before it disappeared back into the trees.

I intended to do the half loop, so I crossed over the river near El Capitan. In the meadow I spotted a pretty good spot to photograph the whole southern face of El Capitan. Using my long lens I was able to pick out a couple of climbers on the face of the rock. I still don’t know how they do it, even with bolts and rope.

Right after I passed Swinging Bridge on the south side, I sucked my Camelback dry. It was after 6 PM, I was annoyed by the flies, so I called it quits and cut back over to Camp 4. I drove up to Tunnel View after sunset to check it out, and wished I had gotten there about 30 minutes sooner for better light. I headed back to camp at Tuolumne Meadows for the night. Sitting by the campfire reading, a deer wandered by, completely undisturbed by my presence.

Friday morning I packed up camp, it was the last of my reservation. I got a bit of an earlier start, grabbed breakfast at the store, and returned to the valley. I was expecting it to be crazytown on a Friday afternoon, I got there right before noon and managed to beat most of the crowd. I wanted to finish off the half Valley Loop, I picked it up again at Camp 4 and headed east. I passed by Lower Yosemite Falls, it was bone dry. It turns out the Valley Loop Trail is considerably longer than the prescribed hiking guide tells you, not only does it go west toward Bridalveil Fall, it goes allllll the way east past Mirror Lake. I wasn’t about to go that far out, so I looped around Upper Pines and Half Dome village on the way back.

It was sometime around 4 PM when I made it back to where I left off Thursday at Swinging Bridge. I grabbed dinner and coffee, hung around for a while and headed back up to Tunnel View again before sunset. The light was great, but still smokey looking off down the valley. While I was there a bride and groom showed up with their photographers and took wedding photos.

After nightfall I stayed in the valley for a few more hours taking night shots. It was a full moon and it did a great job of illuminating the rock and trees. I was reluctant to wander back into the meadow at night by myself, but I did while making a bunch of racket along the way. I got my shots and bugged out!

I drove home after this and got in around 2 AM. I keep forgetting Yosemite is only about a 3 hour drive, I need to go out there more. I had wanted to go up to Glacier Point at night, but from reading the info signs I got the impression that you could only hike up or had to buy a bus ticket to get to the top. Only after I got home and looked at the maps I realized not only can you drive up there, there’s a snack shop up there. It wouldn’t have mattered though, I saw where the road was still closed due to the fires.

Death Valley: August

Joshua Tree at Lee Flat

[photos: flickr – Death Valley]

[bonus video: Death Valley hyperlapse hwy 190 to Furnace creek]

Last weekend was a new moon and it happened to coincide with the peak of the Perseid meteor shower. I thought “great! an excuse to go out to Death Valley and take photos of it!”

The trip turned out to be a dud as far as photography went, but at least I explored some new territory. I had planned to go out to Furnace Creek or Stovepipe Wells and frame some of my shots with some of the local landmarks, but nature had different ideas. Driving in from the west over the Panamint Range, the sky was clear and stars were easily seen. As I got closer to Emigrant I noticed I couldn’t see any stars anymore and wondered if it was clouds or smoke from all the wildfires. Finally when I got into Stovepipe Wells I realized what was going on: a dust storm. There were strong winds whipping up dust everywhere, and despite being midnight it was still 104 F there. I bailed and headed back up to Panamint and spent the night at Father Crowley Vista Point.

Poor man’s manual shutter switch

I wasn’t the only one in the parking lot in the dark, there was another group next to me with their lawn chairs out doing some stargazing. It wasn’t a clear night, there were still some scattered clouds all around. I was miffed that I had forgotten to bring the manual shutter release for my second camera body for the long exposures, so I wound up improvising by lashing a wad of tissue over the shutter button with a length of paracord.  I set up one camera pointed at the Milky Way and the other camera toward Perseus and waited. The meteors came every 5-10 minutes, but I didn’t get any interesting photos out of it.

Sunday morning I drove down to Panamint Springs Resort to grab some breakfast and mull over plans. I went to Darwin Falls, which is right next to Panamint Springs and hiked the mile or so up to the waterfall. Surprisingly even in August there was a lot of running water here which gradually disappeared into the creek bed. There was also a 4″ pipeline that ran all the way from the falls, along the canyon wall, out to the highway, and presumably providing drinking water to Panamint Springs.

Next I drove up Saline Valley Alternative Road, which skirts the west edge of the park from highway 190. This led me through BLM land and then up inside the park again at Lee Flat, where there was a large swath of Joshua Trees. I tried to continue north toward Hunter Mountain but gave up several miles out because the road was starting to get rougher.

115 F at Furnace Creek

Later that afternoon I made a quick trip over to Furnace Creek to see how things were. At 4:30 PM it was “only” 116 F at the visitors center. Along the way I threw a tripod in my front seat, mounted up my iPhone and used the Instagram Hyperlapse app to make a super long hyperlapse video of the drive in. I didn’t hang around in Furnace Creek very long, I returned to Father Crowley for another attempt at night photography.

As the sun went down I decided to go back out on Saline Valley road to find a place to camp and set up. I found a freshly graded road, followed it for a couple of miles even further in the middle of nowhere. This time the sky was perfectly clear and I was in pitch darkness. I had set up one camera for a Milky Way timelapse starting at dusk, which started out great, then I thought about how it was going to track to the west and I should’ve aimed the camera differently. So I had the big idea to move the tripod and ruin my timelapse. The other camera I started using later on to get star trails around Polaris. That kind of worked out until I got home and couldn’t retrieve anything off the CF card. sigh.


Defeated, I was ready to leave. After another breakfast at Panamint Springs I stopped by Father Crowley one last time, wondering if there would be any jets flying through Rainbow Canyon this time of day. As soon as I pulled in my question was answered as an F/A 18 came flying up through the canyon. I hung around at the viewpoint for a couple of hours. Aside from myself, there was one family out there, we had the whole place to ourselves. In the time I was there I saw 6-7 passes through the canyon and one very loud flyover. The 1.4x teleconverter I bought worked out pretty well here, giving me effectively 280mm of zoom. The jet that flew directly over, I didn’t even have to crop, it nearly filled the frame! By noon I was starting to cook and decided to come home.

Minuteman III launch 7/31

Long exposure of Minuteman III launch

Sunday morning I got an email from the launch-alert mailing list about an upcoming Minuteman III ICBM test out of Vandenberg AFB on Tuesday morning. I had just gotten back from photographing the Iridium 7 launch a few days prior, but being a cold war nerd I definitely did not want to miss seeing an ICBM going up. So, I headed south once again, bringing along gear to camp out on the central coast.

The Air Force occasionally pulls a random active missile out of a silo in Montana, South Dakota, or Wyoming, removes the nuclear warhead, and ships it down to Vandenberg AFB to test launching it. They make sure the thing still flies and hits the expected target way out in the South Pacific, usually near Kwajalein or sometimes near Guam.

VAFB – Kwaj path

I didn’t know much about Minuteman launches so I scrambled to find out more. I knew roughly whereabouts on base they were launched from, and the path they’d take, but didn’t know how high it’d get, how visible it’d be, nor the best vantage for photographing it. Most importantly I didn’t know exactly when it would launch, for this launch there was a 6 hour window between 12:01 AM and 6:01 AM, which is a lot of uncertainty. Without a way to know exact timing I’d have to watch the horizon constantly for launch to avoid having super long exposure photos. From what I gathered it would lift off a lot faster than a Falcon 9, have a considerably higher apogee, and because it was a solid fuel booster the exhaust plume should be much brighter.

Some people had compiled information about Minuteman launches, but most had run out of steam and interest in the late 2000s. Not many people have photographed a launch recently either it seems. Fortunately the 30th Space Wing posts a ton of launch video on Youtube, and cross referencing against news articles, I was able to get a rough idea of the launch windows and when the launch actually takes place. Apparently I had just missed MMIII launches in April and May. They seem to launch at the beginning of the window, but there were still many that launched much later.

Trivia: the “GT” in launch titles, e.g. GT-226GM, apparently stands for “Glory Trip”, an Air Force designation stretching back into the 70s. Interestingly they also occasionally test launches by sending commands from an airborne launch command in case silos become isolated from ground launch command centers.

==== 2018 ====
GT-226GM  2018-04-25  05:26:00 AM  LF-10  Window 03:26 AM-09:36 AM
GT-225GM  never flown?
GT-224GM  2018-05-14  01:23:00 AM  LF-04  Window 01:21 AM-07:21 AM
==== 2017 ====
GT-223GM  2017-08-02  00:02:10 AM  LF-10  Window 12:01 AM-06:01 AM
GT-222GM  2017-05-03  00:01:59 AM  LF-04  Window 12:01 AM-06:01 AM
GT-221GM  2017-02-08  11:38:59 PM  LF-04  Window 11:30 PM-05:39 AM
GT-220GM  2017-04-26  00:03:06 AM  LF-09  Window 12:01 AM-06:01 AM
==== 2016 ====
GT-219GM  2016-09-05  02:10:00 AM  LF-04  Window 12:01 AM-06:00 AM
GT-218GM  2016-02-25  11:00:59 PM  LF-10  Window 11:00 PM-05:00 AM
GT-217GM  2016-02-20  11:34:02 PM  LF-09  Window 11:00 PM-05:00 AM

I settled in on a site in the Los Padres National Forest north of Santa Ynez. From there in the distance I could see the red lights of the antenna tower at Vandenberg just off Ocean Ave, right next to the unofficial viewing area for SpaceX launches from SLC-4E. I knew the Minuteman launches happened just north of this, but didn’t know how far, so I aimed my camera in this direction and hoped for the best. I was relieved when I turned on my radio and heard the launch net chatter discussing the launch checklist, because then I would know for sure when it would launch and click off the camera right before.

Recycle, recycle

At first everything was going fine for a 12:01 AM launch, when I heard “not clear to proceed” about T-15 minutes. They held the countdown, then started recycling after mention of some sort of launch anomaly. After a while they restarted the countdown for 1:20 AM, then another hold until 1:40 AM. At the last minute they held and recycled again due to an anomaly. Then they tried for 2:55 AM and again held at the last minute of the countdown. The moon had risen around 11 PM and was conveniently staying out of the way. By now it was starting to add glare to my photos.

(Times are approximate from bits of video+audio I recorded and photo EXIF, I didn’t know I’d be making a timeline later)

Finally after a long time they tried again around 4:40 AM and it finally launched. The sky to the west was still fairly dark and the missile made this bright, rich, orange dot as it rose up in the air. About a minute or two into the flight I thought I saw the first stage separate and glimmering as it fell back to earth. After this, there was just a very faint speck continuing westward. I kind of expected to see a brighter exhaust plume for longer, but wrote it off as flying so far away from me. The arc is barely noticeable on the photo I took, but it’s there. Like the Falcon 9 launch from afar, after a few minutes a very very faint rumbling sound comes in and goes away.

Looking at the photo the glimmering is following the upward trajectory, so I’m not sure what I was looking at. The shitty iPhone video I made clearly shows something falling away around 4:41 AM and something else continuing to burn upward. Lesson for next time, get a heck of a lot closer and further south.

Surprise ending

I later found out from the news they actually terminated the flight of this missile due to an anomaly (I’m finally learning how to spell “anomaly”). The article says they terminated at 4:42 AM, in theory I was still exposing the photo. It makes me wonder if the pulsating brightness was the missile being destroyed, a sign of the problem, or that’s just what it normally does. It probably explains why I could barely see anything after it arced over. I never saw a giant explosion or flash, nor heard a big boom to indicate it went out in a blaze of glory.

At the time during all the launch holds I was thinking to myself “gee I thought these were supposed to launch at a minute’s notice”. Then it entered my mind that because this is a test flight, they could be intentionally running down to the last minute to test recycling the missile and exercising their checklists so people get practice. I guess this one really did have problems.

SpaceX Iridium-7 launch

Launch, stage separation

[photos: flickr – SpaceX Iridium-7]

After not being able to make the Iridium-6 and NASA InSight launches I was eager to make the next launch from Vandenberg. Last night I drug along a friend and we pulled an all-nighter driving down to Lompoc and back for the SpaceX Iridium-7 launch. I’m wore out but at least I have a photo and new knowledge for next time.

Instead of viewing the launch from Ocean Ave we opted to go back up on the Santa Ynez Mountains, about 30 miles away. (Actually I swung through Lompoc at 1 AM to see if going out to Surf Beach was possible, but the road was already closed). I was barely able to pick up the 386.3 MHz Launch Net on my handheld radio, but I was not receiving several chunks of audio I expected from last time, including the final countdown which made timing the shot tricky.

The launch was at 4:39 AM, the moon had just set around 4:25 AM and it got surprisingly dark quickly. The Milky Way was just visible directly over the launch location and overhead. I was able to see the glow at ignition which allowed us to set off our shutters. After about 30 seconds into flight there was a beautiful, very bright, long blue flame that looked like a giant shooting star or comet streaking through the sky. There wasn’t any sound for the longest time, then some faint rumbling like from a distant thunderstorm that went on for a long time.

After the rocket passed out of what I estimated my lens’ view, I turned it to the south and took another long exposure. The second stage was this bright little pinprick of light gradually going to the horizon. I was surprised that I could see the boost-back and landing burns all the way down to the ocean considering how far off it was. I’m pretty sure I heard a faint sonic boom during booster re-entry as well!

So yeah, it turns out I overexposed my shots trying to bring in the Milky Way. I was able to bring it down a bit in Lightroom to a somewhat tolerable level. This made me realize other rocket trail photos I’ve seen aren’t exposed too much, because there are few stars to be seen and eliminates the star streaks. The 16-35 mm lens I had was perfect for capturing the arc at that distance until stage separation. Things to remember for next time!

Second stage continuing on to the horizon, first stage landing burns

As a bonus, here’s a photo I botched but still looks cool, and it’s the only one of the long flame trails that I have.

When I first saw this I was wondering what I had photographed. What was that weird offset flame? Was that a gas generator? That can’t be right, this was the first stage. After fiddling with exposure I realized I had jiggled the camera while hand holding it so much that I essentially got the flame trails from the Falcon 9 several times in the same exposure. Only one of the streaks is “real”.

Crater Lake trip

Crater Lake from The Watchman

[photos: flickr – Lava Beds Revisited]

[photos: flickr – Crater Lake NP]

I was looking at a map of Oregon thinking I should go explore the central and eastern part of the state. I spotted Crater Lake and it reminded me I wanted to go there. Google Maps had suggested an alternate route there through Reno and up highway 395, about two hours longer than the trip up I-5. At first this seemed ridiculously funny but then I warmed to the new route because I’d see new scenery in northeastern California. I’ve already seen fireworks shows in the Bay Area (and they’re a bit of a hassle to go to), so I opted to go up there instead of hang around at home for Independence Day.

On Tuesday the 3rd I headed out. The holiday traffic was already filling up the freeways, so I opted not to go the Reno route. The thought was to get up near the park or Klamath Falls and camp in the forest. I got near the Modoc forest around 9 PM and it was already getting dark. I decided to camp at the Lava Beds park and scored a site at the campground there (I wanted a fire). I didn’t even bother pitching my tent, I just laid my sleeping bag on the picnic table. The sky was clear and dark, so I spent a while taking Milky Way photos. The last time I was here was in the summer of 2016.

Beam of sunlight in Sentinel Cave

Wednesday morning I went into a couple of the lava tubes because I wanted to see what my TNV/PVS-14 did in the pitch dark caves. With just a little red LED light it gave the PVS-14 something to work with and I was able to navigate. Other than constant re-focusing I think it would be just fine with a brighter IR flashlight. After leaving the park and on the way to Klamath Falls I stopped over and visited the petroglyph site too.

I rolled into the Crater Lake park around 3 PM. At first I went to the ranger station to ask about dispersed camping outside the park (which would’ve been several miles), but wound up at the campground at Mazama Village. Amazingly they had sites still available despite being a major holiday. The guy right in front of me registered the last tent site, but the employee talked me into getting one of the remaining RV sites and just putting my tent there, so that’s what I did.

View from The Watchman

With camp now squared away I went up to the crater. First impression was that it was a really big lake hidden among all the trees and the water was a really rich, deep dark blue. After a couple of stops along the west side rim road I spotted The Watchman fire lookout on top of a big hill and had to go check it out. It was a little hazy due to the wildfires down south, but still offered a great view of the lake and the island.

I continued to the north and around the lake, taking photographs as the sun was going down. Cell service was nonexistent down at the campground and on the west side of the crater, but there were a few turnouts on the east side where I got AT&T LTE service. I drove out to the Pinnacles right as it started getting dark, but wasn’t too wowed by it. Mosquitos were terrible the whole way around, despite wearing 100% deet and picaridin repellent, the fuckers swarmed me when I was outside and still bit me through my shirt and socks. I guess I need to try permethrin next.


On Thursday a lot more people started rolling into the park. This time I started off on the eastern side of the rim and went around. I learned that there was a boat tour you could take if you were lucky enough to get tickets. I didn’t have one, but wanted to get closer to the water so I went down to the boat dock. It’s a long, hot hike down from the rim to the water, a bit over a mile, and a 600 foot elevation difference.

Cleetwood Cove boat dock

Down at the water’s edge, people were fishing, and jumping off boulders into the water. It was pretty cold water, but crystal clear and pretty. I’d like to take the boat tour someday, going over and hiking up Wizards Island looks interesting. Hiking back up to the rim wasn’t toooo bad, it went quicker than I expected. I saw people making the walk in flip flops and pushing strollers, sucks for them!

By the time evening rolled around I debated just going back to camp or hanging out until nightfall and taking Milky Way photos over the lake. I still had a few hours so I grabbed a bite to eat at Rim Village and went north out of the park to see what was there. Near Diamond Lake I spotted a black bear on the highway right-of-way, the first time I’ve ever seen a bear!  It ran back into the tree line as I got closer, I wasn’t able to get a picture of it.

At dusk I set up on the north side of the rim for a time lapse shot over the island. I fiddled with settings for a bit, doing a 30 second exposure every minute, then finally settled on an exposure every 30 seconds to have a smoother time lapse. It didn’t turn out as good as I had hoped, there was still a bit of haze and there were clouds rolling in. It was really windy and cold, by midnight I had had enough. I had failed to check the weather in the morning, now there was a slight chance of rain, so I packed it in and headed back down to camp where I had left my rain fly half on and all of my sleeping stuff exposed.

Friday morning I packed up camp, had breakfast at the cafe, and headed out. At 11 AM there was a good mile-long string of cars trying to enter the park. I stopped by the Annie Creek Sno-Park, a few miles from the park, one of the places the ranger suggested for camping. It was a big asphalt parking lot, with vault toilets on one end, fire rings on the other end, and a log building that served as a snow shelter. Not exactly scenic camping, but it would do if the park was full; best of all it was free during the summer!

The drive back home was uneventful. On the way back I followed highway 395 down, which took me back through the Lava Beds, along the eastern edge of California, and into Reno. No windshields were damaged on this trip.

Mono Lake tufa

[photos: flickr – Eastern Sierra]

[photos: flickr – Mono Lake]

The Tioga pass through Yosemite finally opened up in the latter part of May, so I wanted to go check out things on the other side of the park. It’s a shortcut, otherwise I’d have to go up to Tahoe then head south, or down to Bakersfield and back up (practically a whole Death Valley trip). The goal was to check out some of Yosemite, Mono Lake, Mammoth, and maybe White Mountain Peak.

The whole trip was beset with bad luck, which made things interesting to say the least.

The bad:

Friday: On the way over the Altamont pass heading out of the Bay Area, a motorcycle wreck had really backed up traffic. It was the hottest day of the year so far, and sitting in the heat on the road the truck started overheating. I turned off the A/C and turned on the heater on full blast with the windows down to get things under control. Then they closed the freeway to land a medi-heli in the middle of the lanes to evacuate the poor soul. It was after 6 PM before I got to Tracy, putting me arriving way after sunset and trying to find a dispersed camping spot in the dark. I gave up and returned home.

Saturday: Got to Mono Lake. Drove down Picnic Ground Road, went through a narrow spot lined with brush and put several scratches from bumper to bumper on the side of the truck.

Sunday: The Lions Point fire west of Mammoth made the entire mountain and surrounding valley smokey. At one point when I stopped, it was snowing bits of white ash. So much for hiking here.

Busted windshield

Monday night: driving home on westbound 580 outside Livermore, something off of a semi-truck slammed into my windshield, breaking it. I don’t know what it was, and the truck was two lanes over. It left a nice pancake sized shatter which was spongy in the middle, meaning it almost went all the way through.

Tuesday morning: I had noticed lower oil pressure after driving the White Mountain road, and was keeping an eye on it and oil level. When I started the truck this morning, the oil pressure read zero and it immediately threw a “low oil pressure” alert. Oil level seemed fine, so I’m suspecting the sending unit. Also on Tuesday, the property management said they’d need access to my apartment for fire alarm checks. This was the whole reason I came back Monday night, so I could be here. They never showed up, and I noticed on the letter they said “Tuesday June 25”; the 25th was Monday, so I have no idea if they did their work yesterday. (The alarm never went off).

So yeah. The universe was conspiring against me.

The good:

Tuolumne Creek

I got to Tuolumne Meadow in Yosemite right at sunset on Saturday, perfect timing. Yosemite is beautiful as ever, so I ran around snapping pics and recording video. I continued on to Mono Lake, to find a place along one of the forestry roads for some dispersed camping. The first place was just northeast of the visitors center next to Lee Vining Creek. I wasn’t the only one camping there, I noticed two other vehicles on the other side of a group of trees. The creek was running and made a pleasant sound all night long.

Shooting star photographs was a bust, I had waited so long to make this trip that it was almost a full moon again. Between the moon setting at 2 AM and twilight happening around 4 AM because of summer, there wasn’t much time to do time lapses of the Milky Way. At least Mars, Saturn, Jupiter, and Venus were all visible which was a nice treat.

Tufa formation at Mono Lake

Because I was up all night I was struggling to try to sleep in after the sun came up and it started getting warmer. It turns out the Tioga Gas Mart by Lee Vining actually has a pretty decent deli, along with outdoor seating and a lake view. I headed over to the South Tufa Area at Mono Lake to look around. Mono Lake is also the namesake for Facebook/OpenCompute’s Mono Lake servers that I worked with before I left. The water was surprisingly clear and blue-green which made for some nice photos. The exposed tufas along the shore were created when the lake level was much higher, when underground freshwater springs brought in calcium that mixed with the lake water, which formed calcium carbonate pillars.

Next I headed down to Mammoth Lakes. It turns out there was a wildfire just east of Mammoth which blanketed the entire area in smoke. When I stopped at Minaret Summit the sun was blotted out by brown smoke and it was actually snowing a bit of white ash. I continued down in the valley to Devil’s Postpile, because I had no idea what a postpile was and why the devil made one!

Devils Postpile

The postpiles were hexagonal columns of basalt that formed when lava pooled behind a glacier in the area. As the lava cooled they formed a tight group of “posts” a few dozen feet tall. Many had collapsed, but indeed the remaining basalt did look like a pile of posts.

Down in the valley there wasn’t nearly as much smoke. This is also where the John Muir and Pacific Coast Trails ran through and a common place for hikers to take a break. I also noticed at the Mammoth ski lodge, they have a gondola that will take you to the top of Mammoth Mountain. I’d like to try that sometime in the future, this time it would’ve just been too smoky to see anything I think.

After dinner in Mammoth I headed back up to Mono Lake. I found a different camping spot this time further south and it was pretty nice with lots of space and a view overlooking the lake.

Smoke from the Lion fire


White Mountain Road warning sign

Monday, I headed south again, this time to White Mountain Peak. Or at least to the locked gate leading to the peak. I wasn’t prepared to hike it, but I did want to go check it out. I learned on the way up the mountain there was an “Ancient Bristlecone Pine Forest”, full of the oldest trees in the world, going back thousands of years. Worth checking more next time around. Beyond the visitor’s center, there was an ominous sign on White Mountain Road warning of no AAA service, no cell service, and that a tow beyond this point would be a minimum of $1,000.

Of course I proceeded onward down the 16 miles of rough dirt road to the trailhead. This was some slow going and I was trying not to get bounced around. The road went up past 11,000 feet and above the treeline, with just nothing but fields of rock up above. Near the trailhead I noticed marmots started running around in the fields by the road. When I got to the locked gate where the trail began, there were a few other vehicles parked there. More marmots were running around and several were getting shade from the parked vehicle. The altitude here was something like 11,790 feet and I was getting lightheaded just walking around taking photos. After several minutes of this I headed back down the mountain.

Marmots at the White Mountain Peak trailhead

Getting down took even longer than driving up, I was seriously getting bounced around on the road and had to creep down it. There’s no way I’m driving that again unless I have something meant for off-road driving. This is where I noticed my oil pressure had dropped, so I was starting to keep an eye on it.

After dinner at the Gas Mart again, I headed back home through Yosemite. It was all pretty uneventful until I got outside Livermore on 580. This is where the unknown object hit my windshield and made one hellofva bang.

The next morning, Tuesday, is when I discovered the problem with the low oil pressure.

It’s now Thursday afternoon, I just got a new windshield put in. I tried replacing the oil pressure sending unit yesterday, discovering it’s way the hell at the back of the engine and going to be a real pain to replace. I may give up and let a mechanic try to do it for me instead.

Through a long story of poor planning and choices, I recently found myself trying to get home in the middle of the night in the suburbs without my vehicle and with a dead iPhone. In the beginning the idea was to just summon an Uber or Lyft to take me home. I realized my battery was getting really low (thanks old iPhone 6) and I didn’t quite know exactly where I was, so I quickly fired up Google Maps to at least orient myself. Then my phone completely died and I was on my own. I thought “ok, fine, I’ll just walk down the street to find a gas station and call a cab.” After a very long walk out of the neighborhood and down a street I recognized toward home, I looked for a gas station or at least familiar territory. Boy was I wrong.

Nobody has pay phones nor yellow pages anymore. We all know this, but it sure would’ve been nice at the time. I found a station and their payphone was out so I asked the cashier to use their phone. I fumbled around with automated 411 saying “taxi”, “yellow taxi”, “checker taxi”, to try to find a taxi company. By now it was around 5 a.m.

I quickly realized not all of the taxi companies in the search results have 24/7 dispatch, as several calls went to voicemail. Of the two that did answer, one wouldn’t pick me up unless I was at the airport, and the other just didn’t care about picking me up that early. On top of this, I realized I had walked a terribly long ways in the wrong direction (I later figured out it was 4 miles), thinking I was going toward home but instead walking away from it. (Next time double check where Polaris is!)

Finally a very gracious random customer heard my taxi-calling plight and offered to summon an Uber ride on her own phone and dime to get me to BART. I had plenty of cash on me and offered to pay her for the trip, but surprisingly she declined and told me to just buy her coffee and help somebody else out in the future. Such an awesome thing!

It didn’t even occur to me until the ride home that I should’ve just bought a damn phone charger at one of the gas stations, hijacked an outlet somewhere to charge my phone for a bit, and get my own ride home.

Lesson learned, buy a phone charger instead of trying to call a cab, and the generosity of complete strangers does still exist.
