[GNC-dev] Updated Ovirt Certs

2020-12-06 Thread Derek Atkins
Hi,

Just wanted to let you know that I'm in the process of upgrading the OVIRT
certificates.  This includes the CA Cert which you included in your
browser.  This means that right now, if you attempt to access ovirt you
will get a certificate error.

The fix is to remove the existing certificate(s) from your browser
cache/memory and load the new one in.

If you need me to email you the new CA certificate instead of pulling it
from ovirt directly, please let me know.

Sorry for the inconvenience and short notice.

I also need to plan a reboot to get VDSM to take the new certs.

-derek

-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant

___
gnucash-devel mailing list
gnucash-devel@gnucash.org
https://lists.gnucash.org/mailman/listinfo/gnucash-devel


[GNC-dev] [MAINT] Planned server reboot Monday, Dec 7, 8:00pm US/EST

2020-12-06 Thread Derek Atkins
TL;DR: Unless I hear major objections, I plan to reboot the VM server
tomorrow, Monday, Dec 7, around 8pm US/EST (0100 UTC Dec 8), in order to
refresh / update some certificates.  Please let me know if this is an
issue.

Long Version:

The GnuCash infrastructure uses a single-host OVirt VM platform for its
production system.  Unfortunately, this means that certain system
maintenance efforts require system reboots, and, unfortunately, replacing
the certificates is one of those.  All the new certificates are in place
so I should just need to reboot the system to allow it to take effect.

The reason for the certificate update is two-fold:

1) Many of the certificates were set to expire next year (2021), so they
would have to be renewed anyway.  Granted, this date was November 1, so I
had most of the year to do it, but still, it had to be done within the
next 11 months.

2) More importantly, the certificates were all using SHA1, and this was
causing problems with e.g. remote-viewer complaining that the certificates
were not secure.  This is JohnR and, after I update my own system this
weekend, me.

If I had a multi-server Ovirt setup (e.g. 3 hosts), then I could
round-robin update them.  I migrate all the running VMs to the other two
hosts and then I can safely take the third host down and do whatever I
needed.  Then I bring it up again, let everything stabilize, and then move
to the next one.  Alas, with a single host, I can't do this so I need to
reboot.

Total downtime should be no more than 30 minutes, assuming of course I got
everything right.  Also, I am *hoping* this will fix the remote-viewer
issue, but I won't know for sure until after I reboot.

If you all have any questions, concerns, or the timing is bad, please let
me know.

Thanks!

-derek

PS: For John, Frank, Geert, etc -- due to the certificate changes you will
need to remove the old certificates from your browser trusted-cert cache
first and then import the new ones.  Search for IHTFP.  If you don't
remove it, it'll give you an error that the certificate changed but has
the same Issuer/Serial#.  I'm sorry, but there's nothing I can do about
that.

-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant
