[GNC] [GNC-dev] [MAINT] Planned server reboot Monday, Dec 7, 8:00pm US/EST

Derek Atkins derek at ihtfp.com
Mon Dec 7 21:03:24 EST 2020


Reboot finished and everything should be back to normal.
Please let me know if you notice any issues.
Thanks!

-derek


On Sun, December 6, 2020 9:15 pm, Derek Atkins wrote:
> TL;DR: Unless I hear major objections, I plan to reboot the VM server
> tomorrow, Monday, Dec 7, around 8pm US/EST (0100 UTC Dec 8), in order to
> refresh / update some certificates.  Please let me know if this is an
> issue.
>
> Long Version:
>
> The GnuCash infrastructure uses a single-host oVirt VM platform for its
> production system.  Unfortunately, this means that certain system
> maintenance efforts require system reboots, and, unfortunately, replacing
> the certificates is one of those.  All the new certificates are in place
> so I should just need to reboot the system to allow it to take effect.
>
> The reason for the certificate update is two-fold:
>
> 1) Many of the certificates were set to expire next year (2021), so they
> would have to be renewed anyway.  Granted, this date was November 1, so I
> had most of the year to do it, but still, it had to be done within the
> next 11 months.
>
> 2) More importantly, the certificates were all using SHA1, and this was
> causing problems with e.g. remote-viewer complaining that the certificates
> were not secure.  This is JohnR and, after I update my own system this
> weekend, me.
>
> If I had a multi-server oVirt setup (e.g. 3 hosts), then I could
> round-robin update them.  I migrate all the running VMs to the other two
> hosts and then I can safely take the third host down and do whatever I
> needed.  Then I bring it up again, let everything stabilize, and then move
> to the next one.  Alas, with a single host, I can't do this so I need to
> reboot.
>
> Total downtime should be no more than 30 minutes, assuming of course I got
> everything right.  Also, I am *hoping* this will fix the remote-viewer
> issue, but I won't know for sure until after I reboot.
>
> If you all have any questions, concerns, or the timing is bad, please let
> me know.
>
> Thanks!
>
> -derek
>
> PS: For John, Frank, Geert, etc -- due to the certificate changes you will
> need to remove the old certificates from your browser trusted-cert cache
> first and then import the new ones.  Search for IHTFP.  If you don't
> remove it, it'll give you an error that the certificate changed but has
> the same Issuer/Serial#.  I'm sorry, but there's nothing I can do about
> that.
>
> --
>        Derek Atkins                 617-623-3745
>        derek at ihtfp.com             www.ihtfp.com
>        Computer and Internet Security Consultant
>


-- 
       Derek Atkins                 617-623-3745
       derek at ihtfp.com             www.ihtfp.com
       Computer and Internet Security Consultant


