Derek Atkins
2020-Dec-07 02:15 UTC
ANNOUNCE: [MAINT] Planned server reboot Monday, Dec 7, 8:00pm US/EST
TL;DR: Unless I hear major objections, I plan to reboot the VM server
tomorrow, Monday, Dec 7, around 8pm US/EST (0100 UTC Dec 8), in order to
refresh / update some certificates. Please let me know if this is an
issue.

Long Version:

The GnuCash infrastructure uses a single-host oVirt VM platform for its
production system. Unfortunately, this means that certain system
maintenance efforts require system reboots, and, unfortunately, replacing
the certificates is one of those. All the new certificates are in place
so I should just need to reboot the system to allow it to take effect.

The reason for the certificate update is two-fold:

1) Many of the certificates were set to expire next year (2021), so they
would have to be renewed anyway. Granted, this date was November 1, so I
had most of the year to do it, but still, it had to be done within the
next 11 months.

2) More importantly, the certificates were all using SHA1, and this was
causing problems with e.g. remote-viewer complaining that the certificates
were not secure. This is JohnR and, after I update my own system this
weekend, me.

If I had a multi-server oVirt setup (e.g. 3 hosts), then I could
round-robin update them. I migrate all the running VMs to the other two
hosts and then I can safely take the third host down and do whatever I
needed. Then I bring it up again, let everything stabilize, and then move
to the next one. Alas, with a single host, I can't do this so I need to
reboot.

Total downtime should be no more than 30 minutes, assuming of course I got
everything right. Also, I am *hoping* this will fix the remote-viewer
issue, but I won't know for sure until after I reboot.

If you all have any questions, concerns, or the timing is bad, please let
me know.

Thanks!

-derek

PS: For John, Frank, Geert, etc -- due to the certificate changes you will
need to remove the old certificates from your browser trusted-cert cache
first and then import the new ones. Search for IHTFP. If you don't
remove it, it'll give you an error that the certificate changed but has
the same Issuer/Serial#. I'm sorry, but there's nothing I can do about
that.

--
Derek Atkins 617-623-3745
derek at ihtfp.com www.ihtfp.com
Computer and Internet Security Consultant
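
A pre-rollout check for the kind of certificate swap described in the message above, as an added example that is not part of the original message or of the GnuCash server setup: it flags SHA-1 signatures, near-term expiry, and a replacement that reuses the old certificate's Issuer/Serial#. Function names, the sample subject and the 365-day threshold are assumptions; `make_cert` only builds constructed test input.

```shell
#!/bin/sh
# Added example: checks to run before swapping in a replacement certificate.
# Function names, subject and thresholds are illustrative assumptions.

# Signature algorithm as openssl prints it, e.g. sha256WithRSAEncryption.
sig_alg() {
    openssl x509 -in "$1" -noout -text |
        awk -F': ' '/Signature Algorithm/ { print $2; exit }'
}

# True when the algorithm name is SHA-1 or MD5 based.
is_weak_sig() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        *sha1*|*md5*) return 0 ;;
        *) return 1 ;;
    esac
}

# True when the certificate expires within $2 days.
expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Issuer plus serial number, the pair named in the "certificate changed" error.
issuer_serial() { openssl x509 -in "$1" -noout -issuer -serial; }
fingerprint()   { openssl x509 -in "$1" -noout -fingerprint -sha256; }

# True when two different certificates share issuer and serial number.
reuses_identity() {
    [ "$(issuer_serial "$1")" = "$(issuer_serial "$2")" ] &&
        [ "$(fingerprint "$1")" != "$(fingerprint "$2")" ]
}

# Constructed sample input: self-signed test certificate, serial fixed at 1.
make_cert() {   # make_cert OUT.pem DIGEST DAYS
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        "-$2" -days "$3" -set_serial 1 -subj "/CN=constructed.example" 2>/dev/null
}

# audit_swap OLD.pem NEW.pem: prints findings, returns non-zero if any.
audit_swap() {
    rc=0; alg=$(sig_alg "$2")
    if is_weak_sig "$alg"; then echo "weak signature on new cert: $alg"; rc=1; fi
    if expires_within "$2" 365; then echo "new cert expires within a year"; rc=1; fi
    if reuses_identity "$1" "$2"; then
        echo "issuer/serial reused: clients must remove the old cert first"; rc=1
    fi
    return "$rc"
}
```
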
Derek Atkins
2020-Dec-08 02:03 UTC
ANNOUNCE: [GNC-dev] [MAINT] Planned server reboot Monday, Dec 7, 8:00pm US/EST
Reboot finished and everything should be back to normal. Please let me
know if you notice any issues.

Thanks!

-derek

On Sun, December 6, 2020 9:15 pm, Derek Atkins wrote:
> TL;DR: Unless I hear major objections, I plan to reboot the VM server
> tomorrow, Monday, Dec 7, around 8pm US/EST (0100 UTC Dec 8), in order to
> refresh / update some certificates. Please let me know if this is an
> issue.
>
> Long Version:
>
> The GnuCash infrastructure uses a single-host OVirt VM platform for its
> production system. Unfortunately, this means that certain system
> maintenance efforts require system reboots, and, unfortunately, replacing
> the certificates is one of those. All the new certificates are in place
> so I should just need to reboot the system to allow it to take effect.
>
> The reason for the certificate update is two-fold:
>
> 1) Many of the certificates were set to expire next year (2021), so they
> would have to be renewed anyway. Granted, this date was November 1, so I
> had most of the year to do it, but still, it had to be done within the
> next 11 months.
>
> 2) More importantly, the certificates were all using SHA1, and this was
> causing problems with e.g. remote-viewer complaining that the certificates
> were not secure. This is JohnR and, after I update my own system this
> weekend, me.
>
> If I had a multi-server Ovirt setup (e.g. 3 hosts), then I could
> round-robin update them. I migrate all the running VMs to the other two
> hosts and then I can safely take the third host down and do whatever I
> needed. Then I bring it up again, let everything stabilize, and then move
> to the next one. Alas, with a single host, I can't do this so I need to
> reboot.
>
> total downtime should be no more than 30 minutes, assuming of course I got
> everything right. Also, I am *hoping* this will fix the remote-viewer
> issue, but I won't know for sure until after I reboot.
>
> If you all have any questions, concerns, or the timing is bad, please let
> me know.
>
> Thanks!
>
> -derek
>
> PS: For John, Frank, Geert, etc -- due to the certificate changes you will
> need to remove the old certificates from your browser trusted-cert cache
> first and then import the new ones. Search for IHTFP. If you don't
> remove it, it'll give you an error that the certificate changed but has
> the same Issuer/Serial#. I'm sorry, but there's nothing I can do about
> that.
>
> --
> Derek Atkins 617-623-3745
> derek at ihtfp.com www.ihtfp.com
> Computer and Internet Security Consultant
>
> _______________________________________________
> gnucash-devel mailing list
> gnucash-devel at gnucash.org
> https://lists.gnucash.org/mailman/listinfo/gnucash-devel
>

--
Derek Atkins 617-623-3745
derek at ihtfp.com www.ihtfp.com
Computer and Internet Security Consultant