Today we switched the connection to our main website as a preparation for a “bigger” change. Unfortunately this (temporary) change is not IPv6-capable, so only IPv4 is working currently.
Over the weekend we plan to move www.cacert.org to another server for a more recent environment and add a second firewall to our rack. During this server-transition you may face some issues while using www.cacert.org, after the weekend the services should be normal again.
Early next week we’ll enable IPv6 again for our main website (maybe by using a new IPv6-Address, but that’s not yet decided).
All other services (like blog/wiki/bugs/…) should remain active as usual as there is currently no planned update.
Relegating IPv6 to “not important” is a bad decission. Keeping an unreachable address in the DNS even more though. All the breakdowns you produce make the project look very unprofessional. Week long down times of the signature server, unreachable IP addresses (even if tempoary) and DNSSEC errors… as long as things like this happen regularly, I don’t see CAcert anywhere near a dependable certification authority.
I respect this is all run by volunteers, but in my eyes, you set the wrong priorities. Availability is more important than updates, or even security. CAcert’s policies had the organization deadlocked for several years because noone was willing to just start over. In terms of policy CAcert acts as if it had to adhere to military standards, while in reality nothing depends on it. As long as the system is not stable and the certs are not trusted by Mozilla and Google, it’s all child’s play.
Well … the target of the current replacements of hardware and software (which was tested before successfully out of the rack) is to make everything more stable …
… but sometimes we face some issues when setting things productive … (as not everything could be tested off-site) … ;-(
Disabling IPv6 for the main website temporarily while doing bigger maintenance work should not be considered as “we don’t care about IPv6”, but to inform our users, that there MAY be (in this case: are) issues while using IPv6 to access our main website during the transition.
If it’s possible to keep the old IPv6-adress with our new firewall will be decided by tomorrow (Monday) … so expect IPv6 working for http://www.cacert.org again latest during tuesday.
— update monday ~14:00 —
IPv6 is working again to the new server for http://www.cacert.org by keeping the old IP-Addresses