Reboot finished and everything should be back to normal. Please let me know if you notice any issues. Thanks!

-derek

On Sun, December 6, 2020 9:15 pm, Derek Atkins wrote:
> TL;DR: Unless I hear major objections, I plan to reboot the VM server
> tomorrow, Monday, Dec 7, around 8pm US/EST (0100 UTC Dec 8), in order to
> refresh / update some certificates. Please let me know if this is an
> issue.
>
> Long Version:
>
> The GnuCash infrastructure uses a single-host OVirt VM platform for its
> production system. Unfortunately, this means that certain system
> maintenance efforts require system reboots, and, unfortunately, replacing
> the certificates is one of those. All the new certificates are in place
> so I should just need to reboot the system to allow it to take effect.
>
> The reason for the certificate update is two-fold:
>
> 1) Many of the certificates were set to expire next year (2021), so they
> would have to be renewed anyway. Granted, this date was November 1, so I
> had most of the year to do it, but still, it had to be done within the
> next 11 months.
>
> 2) More importantly, the certificates were all using SHA1, and this was
> causing problems with e.g. remote-viewer complaining that the certificates
> were not secure. This is JohnR and, after I update my own system this
> weekend, me.
>
> If I had a multi-server Ovirt setup (e.g. 3 hosts), then I could
> round-robin update them. I migrate all the running VMs to the other two
> hosts and then I can safely take the third host down and do whatever I
> needed. Then I bring it up again, let everything stabilize, and then move
> to the next one. Alas, with a single host, I can't do this so I need to
> reboot.
>
> Total downtime should be no more than 30 minutes, assuming of course I got
> everything right. Also, I am *hoping* this will fix the remote-viewer
> issue, but I won't know for sure until after I reboot.
>
> If you all have any questions, concerns, or the timing is bad, please let
> me know.
>
> Thanks!
>
> -derek
>
> PS: For John, Frank, Geert, etc -- due to the certificate changes you will
> need to remove the old certificates from your browser trusted-cert cache
> first and then import the new ones. Search for IHTFP. If you don't
> remove it, it'll give you an error that the certificate changed but has
> the same Issuer/Serial#. I'm sorry, but there's nothing I can do about
> that.
>
> --
> Derek Atkins 617-623-3745
> de...@ihtfp.com www.ihtfp.com
> Computer and Internet Security Consultant
>
> _______________________________________________
> gnucash-devel mailing list
> gnucash-devel@gnucash.org
> https://lists.gnucash.org/mailman/listinfo/gnucash-devel