2020-12-13 Makefile logic not working perfectly
I noticed the certificate for idefix.net was expired according to my web browser. I dug up the reason and found out the scripts to maintain the ocsp files managed to confuse the Makefile to keep the haproxy certificates updated. The ocsp responses have more updates than the certificates, but a certificate update needs to be processed anyway. So I updated the Makefile in the previous post. The dependency is now: certificate-stamp depends on installed certificates, installed certificates depend on copied certificates. And installing the certificate also updates the ocsp response.
2020-12-04 Using a snapshot for an upgrade so I can roll back
This evening I upgraded the production webserver from Devuan ascii to Devuan beowulf and to have the option available to roll back everything I created a snapshot and left that running until I was satisfied with the new configuration and everything worked. The steps were simple, found via Commit or revert a Linux LVM snapshot? - serverfault:

Before starting the upgrade, create a snapshot:

    # lvcreate -L 10G -s -n turing_upgrade /dev/conway_ssd/turing_root

Do all the upgrade stuff, reboot, make sure everything works again. The usage of the snapshot went up to 22.38 percent:

    # lvs
      LV             VG         Attr       LSize  Pool Origin      Data%  Meta%  Move Log Cpy%Sync Convert
      turing_root    conway_ssd owi-aos--- 30.00g
      turing_upgrade conway_ssd swi-a-s--- 10.00g      turing_root 13.17

After everything worked, remove the snapshot:

    # lvremove /dev/conway_ssd/turing_upgrade
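A classic LVM snapshot is dropped as invalid once its copy-on-write space fills, which would remove the rollback option in the middle of the upgrade. The following added example (not from the original post) checks the Data% column against a limit; the sample input is constructed in the shape of `lvs --noheadings --separator , -o lv_name,origin,data_percent`, and the function name and the 80 percent limit are assumptions.

```shell
#!/bin/sh
# Constructed sample of:
#   lvs --noheadings --separator , -o lv_name,origin,data_percent conway_ssd
sample_lvs() {
    cat <<'EOF'
  turing_root,,
  turing_upgrade,turing_root,13.17
EOF
}

# Print every snapshot with its copy-on-write usage and flag those at or
# above the limit (percent). Returns 1 if any snapshot crosses the limit,
# so a cron job or wrapper script can alert on it.
snapshots_over() {
    limit=$1
    awk -F, -v limit="$limit" '
    { gsub(/^[ \t]+|[ \t]+$/, "", $1) }      # lvs indents its output
    $2 != "" && $3 != "" {                   # only snapshots have an origin
        state = ($3 + 0 >= limit + 0) ? "GROW-OR-REMOVE" : "ok"
        printf "%s origin=%s used=%s%% %s\n", $1, $2, $3, state
        if (state != "ok") hit = 1
    }
    END { exit hit + 0 }
    '
}

# Stand-alone run on the constructed sample; on a real system pipe lvs in.
sample_lvs | snapshots_over 80 || echo "snapshot close to full"
```

A snapshot flagged this way can be grown with `lvextend` before it fills.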
2020-10-21 Upgrading Devuan linux from ascii to beowulf
I am upgrading Devuan linux installations from ascii to beowulf to get newer packages and continued security updates. There is only one package where I really want a newer version: openssl, so I can start using TLSv1.3. This upgrade is just as simple as the upgrade from Devuan jessie to ascii three years ago. Just change the release name version and use apt update and apt dist-upgrade commands. Today I did the development webserver and apache didn't start afterwards. I found out I need to enable php7.3 by hand; in the previous configuration php7.0 was enabled. A thing to keep in mind when upgrading the production webserver.
2020-09-22 TLSA records for DANE can't have it all
Yesterday I read about changes at LetsEncrypt that influence LetsEncrypt intermediate certificates and DANE and had a look at my own DANE record set up in December 2019. I decided to change the 'usage' value to 1, meaning 'EE match validated by public CA' because it's linked to a known public CA, and the old value 3 meaning 'private EE' wasn't completely true because it's linked to a known public CA. But I received a notification this morning, with:

    Only certificate usages DANE-TA(2) and DANE-EE(3) are supported with SMTP.

With references to RFC 7672 section 3.1.1 and further, which makes a valid point about CA validation in SMTP sessions. So the validation chain is purely based on DNSSEC.
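The check behind that notification can be run before publishing a record. This is an added example, not from the original post or from the service that sent the notification: it reads zone-file style TLSA lines and marks usages 0 and 1 on port-25 owner names as unsupported for SMTP. The host names and digests are constructed placeholders and the function names are assumptions.

```shell
#!/bin/sh
# Constructed sample records; the digests are placeholders, not real hashes.
sample_zone() {
    cat <<'EOF'
; owner                      ttl  class type usage selector mtype data
_25._tcp.mail.example.net.   3600 IN TLSA 1 1 1 PLACEHOLDERDIGEST1
_25._tcp.mail.example.net.   3600 IN TLSA 3 1 1 PLACEHOLDERDIGEST2
_443._tcp.www.example.net.   3600 IN TLSA 1 1 1 PLACEHOLDERDIGEST3
EOF
}

# Report each TLSA record as OK, UNSUPPORTED (usage 0 or 1 on an SMTP
# owner name) or INVALID (usage outside 0-3). Returns 1 if any record is
# not OK, so it can gate a zone update.
check_smtp_tlsa() {
    awk '
    BEGIN { name[0]="PKIX-TA"; name[1]="PKIX-EE"; name[2]="DANE-TA"; name[3]="DANE-EE" }
    /^[ \t]*(;|$)/ { next }                    # skip comments and blank lines
    {
        pos = 0
        for (i = 1; i <= NF; i++) if (toupper($i) == "TLSA") { pos = i; break }
        if (pos == 0 || NF < pos + 4) next     # not a complete TLSA record
        usage = $(pos + 1)
        smtp = ($1 ~ /^_25\._tcp\./)           # port 25 owner names are SMTP
        if (usage !~ /^[0-3]$/) verdict = "INVALID"
        else if (smtp && usage + 0 < 2) verdict = "UNSUPPORTED"
        else verdict = "OK"
        label = (usage in name) ? name[usage] : "unknown"
        printf "%s %s usage=%s(%s)\n", verdict, $1, usage, label
        if (verdict != "OK") bad = 1
    }
    END { exit bad + 0 }
    '
}

# Stand-alone run on the constructed sample.
sample_zone | check_smtp_tlsa || echo "fix the records not marked OK"
```

The same usage value 1 passes for the port 443 record, because the SMTP restriction only applies to mail transport.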
2020-07-30 Backup to a remote webdav server using rclone
After the earlier issues with backing up to a remote webdav server I let the problem rest but made sure my backups were in order from time to time. Until I came across a mention about rclone which especially mentions copying to various cloud services. Since I am trying to back up to a webdav server based on owncloud I had a look and this is a supported configuration in rclone. So I installed rclone to give it a try. From the Devuan distribution I got rclone version 1.35 which seemed to have problems with the specific owncloud server. So I had a look and newer .deb packages are available on the Rclone download page. This worked better. On the first run rclone was convinced a lot of the files were modified locally since I transferred them with fusedav+rsync, so those were refreshed. But now it is all synchronized correctly the changes are minimal and the runtime isn't very long. I do make sure my uplink isn't filled completely so I limit the bandwidth. Command:

    $ rclone --bwlimit 1M -v sync /camera/ owncloudservice:backuptest/camera/
2020-07-16 Time to grow the diskspace for the home server
There were some ideas for one or more new virtual machines in the homeserver conway 2017 and the current volume group is almost full. Time to order some new diskspace because there's also some upcoming Devuan upgrades where I'd like to keep a snapshot of the 'before' situation so I can go back if everything breaks. So I ordered 2 960 Gb SSDs. They will run in a mirror anyway. I was wondering whether to add them to the current volume group or take the 2 256 Gb SSDs out of the volume group. I decided to take those two out: there will be enough space after the upgrade and it can save some power. This does mean the new SSDs will also be set to be bootable and I will have to do a move of the volume group. The order of changes:
- Shut down machine
- Install 2 new disks
- Boot up machine
- Partition 2 new disks with boot partition, make bootable with UEFI
- Test boot from new disk
- Make raid-1 device from the rest of the space on both disks
- Add new raid-1 to volume group
- Move volume group away from old raid-1
- Remove old raid-1 from volume group
- Unlink old raid-1
- Shut down machine
- Remove 2 old disks
- Boot up again
Quite a number of steps, this will take some time.
2020-05-14 After years of rants, Windows can still surprise me in a positive way
Microsoft Windows does fall straight into the "does not work well with others" category for me, but today Windows 10 on my work laptop managed to give me a positive surprise. I wanted to print something at home, and my home network is set up to publish CUPS printers via multicast DNS, both via IPv4 and IPv6 so Linux devices on the network see the printer right away. On selecting "Add a printer" in Windows 10 it just showed me the main home printer as an option and sending something to the printer worked the first time. I did notice the default paper size was still Letter although I have set up A4 everywhere, so that was the only thing left to adjust. Now for the screenshot I removed the printer and tried to add it again and I notice the availability isn't very consistent. I do see a lot of mdns traffic when I start adding a printer!
2020-05-05 Internal documentation of my home network
A few times I had to look up something again about the way things work in my setups. I made a remark before that I should set up a documentation wiki at home to keep this information somewhere central. Right before I started with the homeserver conway I set up Mediawiki on a webserver. First on the previous homeserver greenblatt but as soon as web production was migrated to the new server I ran it on the web production server virtual machine. So for a lot of 'how did I' questions there are answers, and some future plans. Also for plans on the house and on amateur radio related things. People who know me from work will just say this is an extension of the trail of MediaWiki based documentation systems I left behind, and they are right.
2020-04-29 Seeing when it's time to walk to the laserjet printer
I have an aged laserjet 4100 DTN printer at home and it sometimes takes a while to print something. The logs from cups will state that it has been sent to the printer but the printer will still show processing. Solution: ask the printer for the active pagecounter. This will be updated after the page has really been output, so it will only change when the printer is done with the page.

    $ snmpget -v1 -c internal laserjet 220.127.116.11.18.104.22.168.22.214.171.124.1
    iso.126.96.36.199.188.8.131.52.184.108.40.206 = Counter32: 738042
2020-04-04 Found the probable reason of the DNSSEC subzones problem
I think I found the most probable reason of the earlier problem with DNSSEC signed subzones. I was trying this with a domain for which I don't have control over one of the secondary nameservers. In one of my showerthought moments I decided to try another domain where I have that full control (just fewer nameservers) and was able to make it all validate correctly after some tries. Forgetting one or more of all the steps needed to correctly create a domain with DNSSEC and getting the delegation right will give errors. So I guess running a nameserver with all DNSSEC options disabled hinders validation.