ANNOUNCE: [GNC-dev] [MAINT] Planned server reboot Monday, Dec 7, 8:00pm US/EST
Derek Atkins
derek at ihtfp.com
Mon Dec 7 21:03:24 EST 2020
Reboot finished and everything should be back to normal.
Please let me know if you notice any issues.
Thanks!
-derek
On Sun, December 6, 2020 9:15 pm, Derek Atkins wrote:
> TL;DR: Unless I hear major objections, I plan to reboot the VM server
> tomorrow, Monday, Dec 7, around 8pm US/EST (0100 UTC Dec 8), in order to
> refresh / update some certificates. Please let me know if this is an
> issue.
>
> Long Version:
>
> The GnuCash infrastructure uses a single-host OVirt VM platform for its
> production system. Unfortunately, this means that certain system
> maintenance efforts require system reboots, and, unfortunately, replacing
> the certificates is one of those. All the new certificates are in place
> so I should just need to reboot the system to allow it to take effect.
>
> The reason for the certificate update is two-fold:
>
> 1) Many of the certificates were set to expire next year (2021), so they
> would have to be renewed anyway. Granted, this date was November 1, so I
> had most of the year to do it, but still, it had to be done within the
> next 11 months.
>
> 2) More importantly, the certificates were all using SHA1, and this was
> causing problems with e.g. remote-viewer complaining that the certificates
> were not secure. This is JohnR and, after I update my own system this
> weekend, me.
>
> If I had a multi-server Ovirt setup (e.g. 3 hosts), then I could
> round-robin update them. I migrate all the running VMs to the other two
> hosts and then I can safely take the third host down and do whatever I
> needed. Then I bring it up again, let everything stabilize, and then move
> to the next one. Alas, with a single host, I can't do this so I need to
> reboot.
>
> total downtime should be no more than 30 minutes, assuming of course I got
> everything right. Also, I am *hoping* this will fix the remote-viewer
> issue, but I won't know for sure until after I reboot.
>
> If you all have any questions, concerns, or the timing is bad, please let
> me know.
>
> Thanks!
>
> -derek
>
> PS: For John, Frank, Geert, etc -- due to the certificate changes you will
> need to remove the old certificates from your browser trusted-cert cache
> first and then import the new ones. Search for IHTFP. If you don't
> remove it, it'll give you an error that the certificate changed but has
> the same Issuer/Serial#. I'm sorry, but there's nothing I can do about
> that.
>
> --
> Derek Atkins 617-623-3745
> derek at ihtfp.com www.ihtfp.com
> Computer and Internet Security Consultant
>
> _______________________________________________
> gnucash-devel mailing list
> gnucash-devel at gnucash.org
> https://lists.gnucash.org/mailman/listinfo/gnucash-devel
>
--
Derek Atkins 617-623-3745
derek at ihtfp.com www.ihtfp.com
Computer and Internet Security Consultant
More information about the gnucash-announce
mailing list