Category Archives: Progress

CAcert significantly reduces power consumption

DEUTSCH weiter unten FRANÇAIS voir plus bas

The operation of servers in a data centre is always associated with power consumption. And at the latest since the winter of 2022/2023 with the energy shortage in Europe, broad sections of the population have also realised that electricity consumption is associated with costs.

We at CAcert have been looking at our technical equipment for some time now: on the one hand, it should be cost-effective to purchase, as we don’t have an infinite amount of money and handle our friends’ donations with care. On the other hand, we will also take a look at the operating costs.

Some time ago, we drew up a plan to replace old, long-depreciated appliances that were becoming increasingly prone to failure and consuming a lot of electricity in several stages. The planning and initial steps were started by Secure-U before the machinery was transferred to CAcert Inc.

A look at the diagram above shows the success of these measures. August is shown as an example for the years 2014-2022, followed by all months for 2023-2023: Consumption was reduced from 600-800 kWh to around 200 kWh in two steps. This enabled us to offset the doubling of the electricity price.

Anyone who wants to share in the reduced electricity costs or make a contribution to fill the hole in the till that the purchase of the machines has torn as a small thank you to those volunteers who did the installation of the new servers in their spare time for you: Donation account CAcert: IBAN CH02 0077 4010 3947 4420 0 or with bank or credit card.

CAcert reduziert Stromverbrauch signifikant
Der Betrieb von Servern in einem Datenzentrum ist immer mit Stromverbrauch verbunden. Und spätestens seit dem Winter 2022/2023 mit der Energiemangellage in Europa ist auch breiten Schichten bewusst, dass Stromverbruach mit Kosten verbunden ist. Wir von CAcert beschäftigen uns schon länger mit unserer technischen Ausrüstung: Einerseits soll sie kostenkünstig sein in der Anschaffung, da wir nicht unendlich viel Geld haben und mit den Spendengeldern unserer Freunde sorgfältig umgehen. Andererseits werden wir auch einen Blick auf die Betriebskosten.

So haben wir schon vor längerem einen Plan erstellt, wie wir alte, längst abgeschriebene Gerät, die immer störungsanfälliger wurden und viel Strom verbrauchten in mehreren Schritten ersetzen können. Die Planung und die ersten Schritte wurden noch von Secure-U begonnen, bevor der Maschinenpark an CAcert Inc überging. Ein Blick auf obenstehendes Diagramm zeigt den Erfolg dieser Massnahmen. Für die Jahre 2014-2022 ist jeweils exemplarisch der August gezeigt, anschliessend alle Monate für 2023-2023: Der Verbrauch von 600-800 kWh konnte in zwei Schritten auf rund 200 kWh gesenkt werden. So konnten wir die Verdoppelung des Strompreises auffangen.

Wer sich an den reduzierten Stromkosten beteiligen will oder mit einem Beitrag das Loch in der Kasse auffüllen, das die Anschaffung der neuen Maschinen gerissen hat: Spendenkonto von CAcert: IBAN CH02 0077 4010 3947 4420 0 oder mit Bank- oder Kreditkarte.

CAcert réduit massivement la consommation d’énergie
L’exploitation de serveurs dans un centre de données est toujours liée à la consommation d’électricité. Et depuis l’hiver 2022/2023 et la pénurie d’énergie en Europe, de larges couches de la population sont conscientes que la consommation d’électricité est liée à des coûts.

Chez CAcert, nous nous préoccupons depuis longtemps de notre équipement technique : d’une part, il doit être peu coûteux à l’achat, car nous n’avons pas des moyens illimités et nous gérons avec soin les dons de nos amis. D’autre part, nous allons également jeter un coup d’œil sur les coûts d’exploitation.
Ainsi, nous avons établi depuis longtemps un plan pour remplacer en plusieurs étapes les anciens appareils amortis depuis longtemps, qui devenaient de plus en plus sujets aux pannes et consommaient beaucoup d’électricité. La planification et les premières étapes ont été entamées par Secure-U avant que le parc de machines ne soit transféré à CAcert Inc.

Un coup d’œil sur le diagramme ci-dessus montre le succès de ces mesures. Pour les années 2014-2022, le mois d’août est montré à titre d’exemple, puis tous les mois pour 2023-2023 : La consommation de 600-800 kWh a pu être réduite en deux étapes à environ 200 kWh. Nous avons ainsi pu compenser le doublement du prix de l’électricité.

Ceux qui souhaitent participer à la réduction des coûts d’électricité ou combler par une contribution le trou dans la caisse que l’achat des nouvelles machines a creusé : Compte de dons CAcert: IBAN CH02 0077 4010 3947 4420 0 ou avec une carte bancaire ou de crédit.

Finally: Create a Client Certificate in the Browser

Since Google and Mozilla have removed the <keygen> element we use from the HTML standard and from their browsers, we have endeavoured to provide a valid replacement so that client certificates can once again be created so easily that even my grandmother could do it.

Finding a solution was not easy; other CAs were also sweating bullets here. The solution that we have been offering for some time now was initially somewhat hidden, but has since been prominently linked as the seventh service on our community portal community.cacert.org.

Both the new solution and the community portal are the result of the tireless work of a small group of volunteers. As a small thank you, you can make their work easier by not having to worry about CAcert’s operating costs. Donation account CAcert: IBAN CH02 0077 4010 3947 4420 0 or with bank or credit card.

Visit at the Datacenter on 2024-02-02

Today we visited the datacenter again to return the newly installed backup machine webdb2 and verify some settings on the signer machines.

While we were onsite, we updated neary all critical machines (including our main firewall), which caused outages of some minutes of our services.

After all updates were done we ran some tests including issuing Class1 and Class3-certifcates (client and server). A minor isse with crl-server (not running the rsync-service) was corrected afterwards remotely.

Both signers are now communicating with their webdb-servers. In the next days we’ll set up an automatic backup of webdb1 to webdb2 so webdb2 can fully replace webdb1 in case of a failure, which could not be corrected remoted.

Upcoming changes during pentecost

+++ Update +++ www.cacert.org is now running on a new server, first tests were successful. Still some finetuning needs to be done afterwards +++ update +++

During the long weekend around pentecost (“Pfingsten” as it is called here in Germany) we’re planning the next step in replacing some hardware at the datacenter.

The main reason for the visit at the datacenter on monday is it to plug the serial connection between our webserver and signer to the new machine.

As our main website will move to a new server, which was installed in the datacenter during the last visit, there will be an interruption of service while doing the final copy and reconfiguration of the firewall (hopefully not longer than one hour).

While we’re at the datacenter we’re adding two SSD-drives to infra02. During the activation of the host system on these SSDs the services running on infra02 (like blog, wiki etc.) will not be accessible and/or slower than usual.

After all services are moved (remotely/afterwards) from the HDDs to SSDs everything should be active again … and most likely faster.

At a later visit (planned in July) the old sun1-server and old infra02-HDDs will be removed from the rack.

The final step for hardware-upgrade/replacement in the critical environment will be a replacement of the old signer machine(s) by new servers and HSM-modules. For this step software- as well as development team need some assistance in reviewing and testing especially the coding (written in Go). Feel free to contact us via support@.c.o, mailing-lists or using comments to this blog-entry.

Upcoming Changes for www.cacert.org

Today we switched the connection to our main website as a preparation for a “bigger” change. Unfortunately this (temporary) change is not IPv6-capable, so only IPv4 is working currently.

Over the weekend we plan to move www.cacert.org to another server for a more recent environment and add a second firewall to our rack. During this server-transition you may face some issues while using www.cacert.org, after the weekend the services should be normal again.

Early next week we’ll enable IPv6 again for our main website (maybe by using a new IPv6-Address, but that’s not yet decided).

All other services (like blog/wiki/bugs/…) should remain active as usual as there is currently no planned update.

Nameserver-Changes for CAcert.org -update-

Update: Nameserver-transition is currently finished, new DNSSEC-records are set and active. KSK and ZSK were replaced by CSK.

In the ongoing process to update hard- and software we’re moving our main domain cacert.org to another master-nameserver-machine (with different nameserver-software) within our rack …

As we’re using DNSSEC to secure our domains, we need to update KSK and ZSK-keys for our domains during this progress, too.

Therefore you may face some DNSSEC-errors or issues in resolving cacert.org-domains within the next days, but this should resolve itself within some hours/days.

As soon as the transition of the nameserver-move is finished, I’ll update this post.

Todo: Give ns1.cacert.org the “old” nameserver-address again (after next hardware-change onsite) so secondary-nameserver ns3.cacert.org can get back to work. ns3 is currently not listed at our registrar, so not active for CAcert-Domains.

Signature server back in operation

Retour en fonctionnement du serveur de signature

Le serveur responsable de signer à la demande les certificats émis par CAcert dispose de deux disques durs, en redondance l’un de l’autre. Lorsqu’un dysfonctionnement se produit, aucune maintenance à distance n’est possible, car la machine n’est intentionnellement pas branchée au réseau. Seul un câble série permet d’échanger requêtes et réponses avec le reste de notre infrastructure. Aucune connexion n’est possible par ce moyen.

Or, depuis le 2 Août, nous observions la mise en attente de toutes les demandes de signature de certificats. L’équipe des infrastructures critiques est donc intervenue sur site ce 21 Août. Un problème dans le traitement d’un des certificats était la cause du blocage. Ce problème est résolu, mais reste à diagnostiquer avec précision. Il s’agit d’une série d’incidents que nous n’avions jamais vus auparavant.

Compte tenu des deux autres incidents intervenus plus tôt cette année, liés au système de fichiers de notre serveur de signature, nous devions accroitre sa résilience. Aussi, ce 21 août, l’équipe des infrastructures critiques a installé dans le rack un second serveur de signature, comme secours passif du premier. La présence de liens série dédiés vers chaque machine permettra à l’avenir de basculer très rapidement sur le second serveur de signature, en cas de nouveau problème. Dans tous les cas, les deux serveurs restent comme auparavant isolés du réseau.

Nous prions nos membres de nous excuser pour ces dysfonctionnements, et encourageons ceux résidant en Hollande où dans sa proche périphérie, à envisager de s’associer au travail de notre équipe des infrastructures critiques, ce qui augmenterait notre capacité d’intervention rapide.

Simultanément, nous espérons que l’intervention d’hier marque la fin de cette longue et exceptionnelle série.

English version

The server responsible for signing certificates issued by CAcert on demand has two hard disks, redundant to each other. When a malfunction occurs, no remote maintenance is possible, as the machine is intentionally not connected to the network. Only a serial cable is used to exchange requests and responses with the rest of our infrastructure. No connection is possible by this means.

However, since the 2nd of August, we have been seeing all certificate signing requests being put on hold. The Critical Infrastructure team therefore intervened on site on the 21st of August. A problem in the processing of one of the certificates was the cause of the blockage. This problem has been solved, but remains to be precisely diagnosed. This is a series of failures that we have never seen before.

In light of the two other incidents earlier this year related to the file system of our signature server, we needed to increase its resilience. So on 21 August, the Critical Infrastructure team installed a second signature server in the rack as a passive backup to the first. The presence of dedicated serial links to each machine will make it possible in future to switch very quickly to the second signature server in the event of a new problem. In any case, the two servers remain isolated from the network as before.

We apologise to our members for the inconvenience, and encourage those living in or near the Netherlands to consider working with our Critical Infrastructure team, which would increase our ability to respond quickly.

At the same time, we hope that yesterday’s intervention marks the end of this long and exceptional series.

New signer proves itself in use

EN: Signer is running again

DE: Signer ist wieder in Betrieb

FR: Signataire fonctionne à nouveau

ES: Firmante vuelve a funcionar

IT: Firmatario è di nuovo in funzione

The signer has been running again since yesterday, Friday, around 13:00 CEST. We then (while we were doing other work) watched the processing for about another hour… Around 0:30 CEST all outstanding certificate requests (~3000) were processed.

Things didn’t quite go as planned in June. As soon as something cannot be done remotely – there is no remote access to critical systems for security reasons – someone who is authorised to do so has to go the data centre in the Netherlands. Despite Corona, quarantine, floods, overtime at the company and whatever else comes up. That’s maybe two hours. Then two hours home again and in between the actual work. During the opening hours of the data centre, in your free time and paying for your own train ticket or petrol. It’s not always easy to reconcile all that. On Friday afternoon, however, the time had come and the Signer has now been running smoothly again for over a day.

As can be seen from the Critical Team’s plan published yesterday, preliminary work is already underway to make the system redundant throughout and even more robust, so that failures should no longer be noticed by users, because no one is interested in such failures! We are very sorry that you had to wait so long. At the same time, we thank the small core team who have sacrificed nights and weekends over the last five weeks to get the technology back up and running for the CAcert community!

Re-signed Class-3-Certificate – take action now!

English | Deutsch | Français | Español | Fingerprints

English | We already reported here in January that our Class 3 certificate is being re-signed. This was done a few weeks ago in our data centre in the Netherlands and subsequently tested extensively by our volunteers.

The new Class 3 certificate can now be downloaded here. In some days we will update the fingerprints and publish the other formats here. We recommend that all users use the new Class 3 certificate immediately, as the old certificate is approaching its expiry date and will no longer be valid after May 20th. Download the new certificate today and install it in your browser, e-mail program or certificate server as required.

All this exciting work (planning, re-signing, testing, communication) was done by volunteers from the CAcert community. They have acquired a lot of expertise over time and have worked their way up in the community. CAcert continues to offer such opportunities to interested and committed people today.

Alles neu macht der Mai – Neuerungen bei CAcert

Deutsch | Wir haben bereits im Januar an dieser Stelle darüber berichtet, dass unser Class-3-Zertifikat neu signiert wird. Dies ist vor einigen Wochen in unserem Rechenzentrum in den Niederlanden geschehen und anschliessend ausführlich von unseren Freiwilligen getestet worden.

Das neue Class-3-Zertifiat kann jetzt hier heruntergeladen werden. In wenigen Tagen werden wir die Fingerprints als auch die anderen Formate hier an gewohnter Stelle veröffentlichen. Wir empfehlen allen Nutzern, ab sofort das neue Class-3-Zertifikat zu verwenden, da das alte Zertifikate seinen Ablaufdatum entgegenschreitet und dann nicht mehr gültig ist. Laden Sie heute noch das neue Zertifikat herunter und installieren Sie es je nach Bedarf in Ihrem Browser, e-Mailprogramm oder Zertifikatsserver.

Alle diese spannenden Arbeiten (Planung, neu signieren, testen, Kommunikation) wurden von Freiwilligen der CAcert-Gemeinschaft erledigt. Sie haben sich im Laufe der Zeit viel Fachwissen angeeignet und sich in der Gemeinschaft hochgearbeitet. CAcert bietet auch heute interessierten und engagierten Leuten solche Möglichkeiten.

Changez vers le nouveau certificat class 3
Français | Nous avons déjà signalé ici en janvier que notre certificat de classe 3 était en cours de re-signature. Cela a été fait il y a quelques semaines dans notre centre de données aux Pays-Bas et a ensuite été testé de manière approfondie par nos volontaires.

Le nouveau certificat de classe 3 (comme l’ancien) peut être téléchargé ici. L’empreinte digitale va être publié dans les jours à venir ici. Nous recommandons à tous les utilisateurs d’utiliser le nouveau certificat de classe 3 à partir de maintenant, car l’ancien certificat approche de sa date d’expiration et ne sera plus valide. Téléchargez le nouveau certificat aujourd’hui et installez-le dans votre navigateur, votre programme de messagerie ou votre serveur de certificats, selon vos besoins.

Tout ce travail passionnant (planification, re-signature, tests, communication) a été réalisé par des bénévoles de la communauté CAcert. Ils ont acquis une grande expertise au fil du temps et ont gravi les échelons au sein de la communauté. CAcert continue aujourd’hui à offrir de telles opportunités aux personnes intéressées et engagées.

Español | Hace unas semanas, nuestro certificado de clase 3 se volvió a firmar en nuestro centro de datos de los Países Bajos y, a continuación, nuestros voluntarios lo probaron exhaustivamente. El nuevo certificado de clase 3 puede descargarse aquí. La huella dactilar y los demás formatos estarán disponibles en los próximos días aquí. Recomendamos a todos los usuarios que utilicen el nuevo certificado de clase 3 a partir de ahora, ya que el antiguo dejará de ser válido en breve. Instale el nuevo certificado de clase 3 hoy mismo.

Todo este apasionante trabajo ha sido realizado por voluntarios de la comunidad CAcert. CAcert ofrece interesantes oportunidades a las personas interesadas y dedicadas.

Fingerprints | SHA1 Fingerprint = D8:A8:3A:64:11:7F:FD:21:94:FE:E1:98:3D:D2:5C:7B:32:A8:FF:C8
SHA256 Fingerprint = 1B:C5:A6:1A:2C:0C:01:32:C5:2B:28:4F:3D:A0:D8:DA:CF:71:7A:0F:6C:1D:DF:81:D8:0B:36:EE:E4:44:28:69

Engineers nominated

The free certificate authority CAcert is making progress in increasing the number of its working groups. In the past few days, the committee approved the appointment of Jan to the post of Critical Engineer.

The appointment of Michaela as Access Engineer was also approved. Both have a broad range of experience and are distinguished by their specialist knowledge and sense of responsibility. We wish both engineers much success and fulfilment in their voluntary work for the CAcert community. These are challenging tasks and come with great responsibility. CAcert offers interested volunteers a variety of tasks, the opportunity to gain exciting experience and stimulating career opportunities.