Author Archives: dirk astrath

(Upcoming) work at the Datacenter

Update #1:

Moving www.cacert.org to new hardware was not successful due to some firewall settings, so we decided to keep the old server active.

During the next days/weeks we’ll change some firewall settings remotely so short downtimes may apply before we try to activate the new server during the next visit in some weeks.

Original note:

During the next visit at the datacenter on Friday we’re doing some hardware-changes within our rack, especially for our main website www.cacert.org.

As a preparation we will disable most of the services on www.cacert.org on Tuesday evening. The site will be fully operational again after the new server is up and running (most likely during Friday morning).

All other subdomains like blog/wiki/… will only have a short outage while we install a new firewall.

— this post will be updated after returning back from the datacenter —

Datacenter-Visit on 2021-07-16 *UPDATE*

The activation of the signer machine was successful, all pending certificates were processed in the last hours.

Short version: There is a visit at the datacenter planned to enable the signer again (and do some other maintenance there).

Long version:

Unfortunately it was not possible to get the signer back to work again during the last visit due to a hardware-issue with the harddrive.

Getting the server running on the (pre-)created backup drive failed, too …

Therefore we took the time during the last weeks (when it was not possible to visit the datacenter due to different business and personal reasons) to rebuild a test-environment on spare hardware and to train ourselves.

We should now be able to do the necessary steps to bring back the signer machine to work.

In the background we’re currently adjusting our processes to make it easier to visit the datacenter during out-of-office-times (as every trip to the datacenter takes several hours in addition to the time we’re working at the servers).

In future we plan to set up an additional configuration, which can take over in case of a failure in the datacenter, but this will still take time. However: The exact procedure needs to be worked out as the machines are not to be connected to the internet, but need to communicate (e.g. for CRL-creation, certificate serial numbers etc.).

Report of visit at datacenter on 2021-04-19

After a new member was added to the access engineers team it was possible to visit the datacenter following the epidemiological guidelines for SARS-CoV-2, as well as our own security guidelines.

During this visit we applied the long-awaited patch for bug 1438 by adding the serial number to certificate revocation lists.

This visit also provided an opportunity to install a new infrastructure-server, courtesy of Abil’I.T., a Luxembourg-based free software service provider. Many thanks again!

… and …

We did the Class-3-resigning during this visit. Currently we’re testing this new Class-3-certificate and will publish it real soon.

A new visit in the summer will be necessary to replace hardware (and maybe apply further patches on the signer).

Signer is working again

Today we were able to investigate the signer machine at the datacenter.

As previously assumed, the signer machine was powered off. It was not possible to power it on again, so either both PSUs or other components died.

As we ordered a replacement-machine of the same type we were able to use the existing harddrives to power up the signer again.

Currently the signer is catching up, which will take some hours. As soon as your certificate has been processed, you’ll get an email from our server.

The certificate of www.cacert.org is in the queue (together with your certificates and revocations), so we need to wait until it’s ready. It will get updated as soon as possible.

Update 2020-05-05: All pending certificate requests are processed now, new requests should now be processed on the fly again.

Dirk Astrath
CAcert critical admin

dirk astrath

2020-01-22

Since yesterday evening the main webserver of CAcert is currently not available.

We’re working hard in the background to get it up and running again.

Update:

According to the logfiles the server crashed at (or shortly after) Jan 21 18:07:39

The machine is up again after a hardware restart since: Jan 23 10:55:17

(Software-Restarts of the sun-server did not help yesterday …)

The root-cause-analysis is yet to be done (and will be done later in the day).

Update2:

A detailed investigation of our logfiles did NOT show any intrusion attack. We were not able to find any details, why the hardware-server stopped responding.

Sorry for any inconvenience.

dirk astrath

CAcert Critical Admin

CAcert at Fosdem 2019

On February, 2nd and 3rd, Fosdem in Brussels (Belgium) will open its doors. It is an ideal platform to get informed about free software – and of course CAcert will attend. The fair takes place in the ULB Campus.

But: This time CAcert and secure-u will NOT have a stand there due to limited space in the buildings. On Saturday noon and Sunday morning I’ll be at the Infodesk in K-Building, wearing my white CAcert Jacket to answer questions about the current status of CAcert and secure-u.

Feel free to contact me there for a short talk … or to agree to a later schedule after my shift there for a longer discussion about CAcert support, software …

CAcert and secure-u on OpenRheinRuhr – limited

OpenRheinRuhr in Oberhausen opens its doors to free software again on the weekend of 3/4 November 2018. The event at the Rheinisches Industriemuseum is easy to reach, right next to Oberhausen central station.

For organisational reasons, CAcert and secure-u will NOT have a stand this time. From Saturday noon, however, I will be on site wearing my white CAcert jacket to answer questions about the current status of CAcert and secure-u.

Should anyone else from the CAcert team also be on site on Sunday, I will update this blog post accordingly.

————

On November, 4th and 5th, OpenRheinRuhr in Oberhausen opens its doors. It is an ideal platform to get informed about free software – and of course CAcert will attend. The fair takes place in the Rheinisches Industriemuseum directly located at the central station of Oberhausen.

But: This time CAcert and secure-u will NOT have a stand there due to organisational reasons. I’ll be onsite starting Saturday noon wearing my white CAcert Jacket to answer questions about the current status of CAcert and secure-u.

In case somebody of the CAcert-Team will be onsite on Sunday, I’ll update this post.

CAcert and secure-u on Froscon 2018

FrOSCon opens its doors on August, 25th + 26th, and of course, CAcert is present!

On the annual FrOSCon event CAcert is present, willing to assure members and to have nice talks to the public. We are very pleased to take part in an event targeted on free software and open source. FrOSCon takes place at Hochschule Bonn-Rhein-Sieg in Sankt Augustin, near Cologne (Köln). We’re happy to welcome you there and enjoy nice talks about securing yourself on the Internet.

If you want to be part of the events-team at FrOSCon feel free to add yourself to our wiki page at https://wiki.cacert.org/Events/FrOSCon2018.

This year CAcert will have its stand together with secure-u, who have supported CAcert-Teams for years.

CAcert and secure-u at FrOScon 2017

FrOSCon opens its doors on August, 19th + 20th, and of course, CAcert is present!

On the annual FrOSCon event CAcert is present, willing to assure members and to have nice talks to the public. We are very pleased to take part in an event targeted on free software and open source. FrOSCon takes place at Hochschule Bonn-Rhein-Sieg in Sankt Augustin, near Cologne (Köln). We’re happy to welcome you there and enjoy nice talks about securing yourself on the Internet.

If you want to be part of the events-team at FrOSCon feel free to add yourself to our wiki page at https://wiki.cacert.org/Events/FrOSCon2017.

Next to CAcert there will be a stand by secure-u, who have supported CAcert-Teams for years.

Updates for blog and bugs

We just updated some of our servers to the latest updates:

https://blog.cacert.org/ to the latest WordPress-release.

https://bugs.cacert.org/ to the latest mantis-release.

Furthermore the client certificate login on https://bugs.cacert.org was activated today for Class-3 certificates. To log in you have to enter your username or email address of your mantis-account.

Trying to log in to https://bugs.cacert.org/ using an unknown email address will NOT create a new account: You have to create an account first using the email address, which is listed in your client certificate. If you already have an account at https://bugs.cacert.org/ you may change the email address of your account to the first email address in your client-certificate.

If the certificate-authentication fails (no matter, if you use no client certificate, an expired one or a certificate, which does not match your email address) you can use the normal “classic” username/password-credentials to log in.

If you try to use a Class-1-client certificate, you will currently probably receive an error-message like “ERR_BAD_SSL_CLIENT_AUTH_CERT”. In this case please log in without a client certificate or create a Class-3-certificate.

In case you face any issues don’t hesitate to contact us for help.

Kind regards,

dirk astrath (CAcert blog admin/CAcert software assessor)