[GNC-dev] [MAINT] Planned server reboot Monday, Dec 7, 8:00pm US/EST

Derek Atkins derek at ihtfp.com
Sun Dec 6 21:15:44 EST 2020


TL;DR: Unless I hear major objections, I plan to reboot the VM server
tomorrow, Monday, Dec 7, around 8pm US/EST (0100 UTC Dec 8), in order to
refresh / update some certificates.  Please let me know if this is an
issue.

Long Version:

The GnuCash infrastructure uses a single-host oVirt VM platform for its
production system.  Unfortunately, this means that certain system
maintenance efforts require system reboots, and, unfortunately, replacing
the certificates is one of those.  All the new certificates are in place
so I should just need to reboot the system to allow it to take effect.

The reason for the certificate update is two-fold:

1) Many of the certificates were set to expire next year (2021), so they
would have to be renewed anyway.  Granted, this date was November 1, so I
had most of the year to do it, but still, it had to be done within the
next 11 months.

2) More importantly, the certificates were all using SHA1, and this was
causing problems with e.g. remote-viewer complaining that the certificates
were not secure.  This is JohnR and, after I update my own system this
weekend, me.

If I had a multi-server oVirt setup (e.g. 3 hosts), then I could
round-robin update them.  I migrate all the running VMs to the other two
hosts and then I can safely take the third host down and do whatever I
needed.  Then I bring it up again, let everything stabilize, and then move
to the next one.  Alas, with a single host, I can't do this so I need to
reboot.

Total downtime should be no more than 30 minutes, assuming of course I got
everything right.  Also, I am *hoping* this will fix the remote-viewer
issue, but I won't know for sure until after I reboot.

If you all have any questions, concerns, or the timing is bad, please let
me know.

Thanks!

-derek

PS: For John, Frank, Geert, etc -- due to the certificate changes you will
need to remove the old certificates from your browser trusted-cert cache
first and then import the new ones.  Search for IHTFP.  If you don't
remove it, it'll give you an error that the certificate changed but has
the same Issuer/Serial#.  I'm sorry, but there's nothing I can do about
that.

-- 
       Derek Atkins                 617-623-3745
       derek at ihtfp.com             www.ihtfp.com
       Computer and Internet Security Consultant


