2021-03-17 Upgraded another system at home, now serving webpages with TLSv1.3 3 weeks ago
After the recent work on updating the TLS settings for the webservers at home there was one element missing: TLSv1.3 support. This needed an upgrade of openssl and the 'easy' way to get there was a full upgrade of the server running the external facing proxy. So I took that step yesterday evening. Made a snapshot first and started upgrading devuan ascii to beowulf. After the update a lot of things were broken: I defined a non-standard location for bind9 logging and AppArmor disagreed. Without a working nameserver a lot of stuff breaks internally! So after managing to get on the upgraded system with console I changed the AppArmor rules to allow it. After that things started again. For the next time I manage to break the resolving nameserver: I should remember that avahi/multicast dns works on most systems even when DNS resolving fails. I checked and I can use .local names to get to the right equipment. After checking how everything is running for about a day I threw out the old snapshot.
2021-03-06 Digging for more entropy 1 month ago
Looking at the newest graphs I created with grafana of system statistics I noticed the available entropy was still getting dangerously low from time to time on the system that runs the home server. For some reason this system has no available hardware random number generator. Even after the earlier changes to add more sources of randomness it was sometimes dropping low, especially during dnssec signing operations. This does mean that the encryption processes for TLS in the webservers may also get delayed. Which is really not what I want. Time to update settings on randomsound and haveged: I want a minimum of 2048 bits of available entropy. Sofar, this seems to have the desired effect.
2020-12-13 Makefile logic not working perfectly 3 months ago
I noticed the certificate for idefix.net was expired according to my webbrowser. I dug up the reason and found out the scripts to maintain the ocsp files managed to confuse the Makefile to keep the haproxy certificates updated. The ocsp responses have more updates than the certificates, but a certificate update needs to be processed anyway. So I updated the Makefile in the previous post. The dependency is now certificate-stamp depends on installed certificates, installed certificates depend on copied certificates. And installing the certificate also updates the ocsp response.
2020-12-04 Using a snapshot for an upgrade so I can roll back 4 months ago
This evening I upgraded the production webserver from Devuan ascii to Devuan beowulf and to have the option available to roll back everything I created a snapshot and left that running until I was satisfied with the new configuration and everything worked. The steps were simple, found via Commit or revert a Linux LVM snapshot? - serverfault: Before starting the upgrade, create a snapshot:# lvcreate -L 10G -s -n turing_upgrade /dev/conway_ssd/turing_rootDo all the upgrade stuff, reboot, make sure everything works again. The usage of the snapshot went up to 22.38 percent:# lvs LV VG Attr LSize Pool Origin Data% Meta% Move Log Cpy%Sync Convert turing_root conway_ssd owi-aos--- 30.00g turing_upgrade conway_ssd swi-a-s--- 10.00g turing_root 13.17After everything worked, remove the snapshot:# lvremove /dev/conway_ssd/turing_upgrade
2020-10-21 Upgrading Devuan linux from ascii to beowulf 5 months ago
I am upgrading Devuan linux installations from ascii to beowulf to get newer packages and continued security updates. There is only one package where I really want a newer version: openssl, so I can start using TLSv1.3. This upgrade is just as simple as the upgrade from Devuan jessie to ascii three years ago. Just change the release name version and use apt update and apt dist-upgrade commands. Today I did the development webserver and apache didn't start afterwards. I found out I need to enable php7.3 by hand, in the previous configuration php7.0 was enabled. A thing to keep in mind when upgrading the production webserver.
2020-09-22 TLSA records for DANE can't have it all 6 months ago
Yesterday I read about changes at LetsEncrypt that influence LetsEncrypt intermediate certificates and DANE and had a look at my own DANE record set up in december 2019. I decided to change the 'usage' value to 1, meaning 'EE match validated by public CA' because it's linked to a known public CA, and the old value 3 meaning 'private EE' wasn't completely true because it's linked to a known public CA. But I received a notification this morning, with:Only certificate usages DANE-TA(2) and DANE-EE(3) are supported with SMTP.With references to rfc 7672 section 3.1.1 and further which makes a valid point about CA validation in SMTP sessions. So the validation chain is purely based on DNSSEC.
2020-07-30 Backup to a remote webdav server using rclone 8 months ago
After the earlier issues with backing up to a remote webdav server I let the problem rest but made sure my backups were in order from time to time. Until I came across a mention about rclone which especially mentions copying to various cloud services. Since I am trying to backup to a webdav server based on owncloud I had a look and this is a supported configuration in rclone. So I installed rclone to give it a try. From the devuan distribution I got rclone version 1.35 which seemed to have problems with the specific owncloud server. So I had a look and newer .deb packages are available on the Rclone download page. This worked better. On the first run rclone was convinced a lot of the files were modified locally since I transfered them with fusedav+rsync, so those were refreshed. But now it is all synchronized correctly the changes are minimal and the runtime isn't very long. I do make sure my uplink isn't filled completely so I limit the bandwidth. Command:$ rclone --bwlimit 1M -v sync /camera/ owncloudservice:backuptest/camera/
2020-07-16 Time to grow the diskspace for the home server 8 months ago
There were some ideas for one or more new virtual machines in the homeserver conway 2017 and the current volume group is almost full. Time to order some new diskspace because there's also some upcoming Devuan upgrades where I'd like to keep a snapshot of the 'before' situation so I can go back if everything breaks. So I ordered 2 960 Gb SSDs. They will run in a mirror anyway. I was wondering whether to add them to the current volume group or take the 2 256 Gb SSDs out of the volume group. I decided to take those two out: there will be enough space after the upgrade and it can save some power. This does mean the new SSDs will also be set to be bootable and I will have to do a move of the volume group. The order of changes:Read the rest of Time to grow the diskspace for the home server
Quite a number of steps, this will take some time.
- Shut down machine
- Install 2 new disks
- Boot up machine
- Partition 2 new disks with boot partition, make bootable with UEFI
- Test boot from new disk
- Make raid-1 device from the rest of the space on both disks
- Add new raid-1 to volume group
- Move volume group away from old raid-1
- Remove old raid-1 from volume group
- Unlink old raid-1
- Shut down machine
- Remove 2 old disks
- Boot up again
2020-05-14 After years of rants, Windows can still surprise me in a positive way 11 months ago
Microsoft Windows does fall straight into the "does not work well with others" category for me, but today Windows 10 on my work laptop managed to give me a positive surprise. I wanted to print something at home, and my home network is set up to publish CUPS printers via multicast DNS, both via IPv4 and IPv6 so Linux devices on the network see the printer right away. On selecting "Add a printer" in Windows 10 it just showed me the main home printer as an option and sending something to the printer worked the first time. I did notice the default paper size was still Letter although I have set up A4 everywhere, so that was the only thing left to adjust. Now for the screenshot I removed the printer and tried to add it again and I notice the availability isn't very consistent. I do see a lot of mdns traffic when I start adding a printer!
2020-05-05 Internal documentation of my home network 11 months agoItems with tag homeserver before 2020-05-05
A few times I had to lookup something again about the way things work in my setups. I made a remark before that I should set up a documentation wiki at home to keep this information somewhere central. Right before I started with the homeserver conway I set up Mediawiki on a webserver. First on the previous homeserver greenblatt but as soon as web production was migrated to the new server I ran it on the web production server virtual machine. So for a lot of 'how did I' questions there are answers, and some future plans. Also for plans on the house and on amateur radio related things. People who know me from work will just say this is an extension of the trail of MediaWiki based documentation systems I left behind, and they are right.