Author Archives: wytze

CAcert server move completed on December 12, 2013

The move of all existing CAcert servers  to a new smaller rack at the current hosting centre has completed, mostly successful, on December 12 at 23:00 UTC. All main services are available again now, but we still have some smaller problems to sort out, mostly due to the switch-over to a new much more compact firewall with a completely new architecture.

So please bear with us while we iron out the remaining problems, and feel free to report any issues you are still encountering.

Please join me in expressing thanks to the team that worked very hard over four hours after an already stressful day to get this major job completed: Stefan Kooman, Mendel Mobach, Martin Simons.

CAcert signing server service restored

[29.08.2013 – 18:30] The operation of the CAcert signing server has been restored. It has been down from 28.08.2013 13:30 CEST until 29.08.2013 18:30 CEST.
By replacing a repeatedly failing primary disk drive, we expect that no more service outages will occur soon. All pending signing and revocation requests have been picked up and processed automatically after the restoration of the service this evening,

CAcert signing server temporarily out of service

[29.08.2013 – 09:00] The CAcert signing server is temporarily out of service. As far as we can tell, the problem started on 28.08.2013 around 13:30 CEST, and is likely to be similar to the problem we saw earlier this week.
Two CAcert critical system administrators will visit the hosting centre this afternoon in order to fix the problem if possible. We hope that the signing service will be back online around 17:30 CEST.
Currently pending signing and revocation requests will automatically be processed after the service is resumed.

CAcert web server downtime on April 3, 2013

The CAcert webdb server will be upgraded and migrated to another server with better hardware running Debian Squeeze on Wednesday April 3, 2013. During the migration, the web server (including the signing server) will not be available for users. We expect that the total downtime will be less than two hours. This maintenance work has been scheduled for the period 11:00 – 13:00 CEST (9:00 – 11:00 UTC).

All other CAcert services, like OCSP, DNS, mail etc. will remain available during this time.

Security incident

Yesterday a security incident has been discovered which could potentially have affected the security of the CAcert servers. As far as we can tell now, there has not been any unauthorized access due to this, but further investigations will be done to confirm that. For the technical details please check the message posted to the cacert-systemlog mailinglist here.

World IPv6 Launch at CAcert

On 6 June 2012 World IPv6 Launch will take place. CAcert is joining the show by permanently enabling its main website for use via IPv6. Of course the existing service via IPv4 will be continued.
The CAcert DNS service has been available via IPv6 for quite some time already. Other CAcert infrastructure services will be following to offer IPv6 support in the near future.

Downtime scheduled for CAcert webserver on Nov 23, 2011

The CAcert main webserver will be unavailable for about one hour on Wednesday November 23, 2011, starting at 10:00 UTC. A database update is scheduled to take place on that day between 10:00 UTC and 11:00 UTC. If you are interested in the technical details, please check https://bugs.cacert.org/view.php?id=976.

We expect that the update will be completed within one hour. During the update the website cannot be accessed, and no certificates can be issued or revoked. Other CAcert services (CRL, OCSP, mailing lists, wiki etc) will remain available as usual.

CAcert webserver downtime on Wednesday December 29, 2010

We have scheduled to perform a system software upgrade of the CAcert webserver on Wednesday December 29 2010, starting at 10:00 CET. The upgrade will last at most until 13:00 CET, but we are aiming to complete well before that time. During the upgrade, the CAcert webserver will be unavailable for all users, and no certificates can be signed or revoked. All other CAcert servers will remain up and running though (including OCSP and CRL services).

Wytze van der Raay
team leader CAcert ciritical system administrators

Replacement of CAcert signing server – photo reportage

On September 11, 2009 the aging CAcert signing server was replaced by new up-to-date hardware, thanks to a donation from NLUUG (the association of (professional) Open Systems and Open Standards users in the Netherlands) to Oophaga, CAcert’s hardware keeper. Please also check the original announcement.

Here we show some pictures taken during the replacement/upgrade action.

Hans Verbeek checks the sliders for mounting the new CAcert signing server at BIT
Hans Verbeek checks the sliders for mounting the new CAcert signing server at BIT

New CAcert signing server mounted in the rack at BIT
New CAcert signing server mounted in the rack at BIT

Backside of new CAcert signing server plus Sun1,2,3,4
Backside of new CAcert signing server plus Sun1,2,3,4

Mendel Mobach debugging new usbserial connection, Hans Verbeek watching
Mendel Mobach debugging new usbserial connection, Hans Verbeek watching

Mendel Mobach and Wytze van der Raay debugging new usbserial connection between CAcert webserver and signing server
Mendel Mobach and Wytze van der Raay debugging new usbserial connection between CAcert webserver and signing server

 Generator and fuel tank for backup power for CAcert servers at BITs data centre
Generator and fuel tank for backup power for CAcert servers at BIT’s data centre

CAcerts old signing server after putting back the copied master disk
CAcert’s old signing server after putting back the copied master disk

CAcert new signing server with properly locked front panel
CAcert new signing server with properly locked front panel

CAcert new signing server features a dual redundant power supply!
CAcert new signing server features a dual redundant power supply!

Replacement of CAcert signing server – no service on Sep 11 14:00 – 22:00 CEST

Recently CAcert has experienced some hardware problems with its signing server. The critical systems admin team has recommended to install new up-to-date hardware, and thanks to a donation from NLUUG (the association of (professional) Open Systems and Open Standards users in the Netherlands) to Oophaga, CAcert’s hardware keeper, a new machine has been made available to CAcert on July 20, 2009.

This opportunity is used by the critical systems administrators to test new technology and software. Thorough testing is performed on the new system before migrating all data from the old signing server to the new server inside the secure data center.

The actual migration will take place on Friday September 11. During the migration, the signing system will be out of operation for a period of period of four to eight hours. This means that CAcert signing service will not be available on Friday September 11 2009 between 14:00 CEST and 22:00 CEST. If all goes well, the service may be restored before 22:00 CEST, but we cannot predict that in advance.

UPDATE: full service was restored at 16:00 CEST, the total service interruption lasted only from 14:30 CEST until 16:00 CEST.