cacert-sysadm AT lists.cacert.org
Subject: CAcert System Admins discussion list
- From: <ulrich AT cacert.org>
- To: <wytze AT cacert.org>
- Cc: <cacert-sysadm AT lists.cacert.org>
- Subject: RE: [Visit BIT][19.06.2013] restore correct operation of CAcert signer
- Date: Mon, 24 Jun 2013 00:02:27 +0200
- Importance: Normal
Hi Wytze,
regarding the index.txt file ...
> * Take a copy of the index.txt file to USB stick for off-site analysis of
> the serial number collision problem.
What's the content / structure of the index.txt file?
Does it include only the issued key's serial numbers?
Or is other personally identifiable information included in this file?
Or is documentation about the structure of the index.txt file
located somewhere else that is unknown to me?
--
mit freundlichen Gruessen / best regards
Ulrich Schroeter - CAcert Assurance Team Leader, CAcert Case Manager, CAcert Arbitrator
CAcert.org - Free Certificates
E-Mail: ulrich AT cacert.org
-----Original Message-----
From: Wytze van der Raay [mailto:wytze AT cacert.org]
Sent: Wednesday, June 19, 2013 5:49 PM
To: cacert-systemlog AT lists.cacert.org
Subject: [Visit BIT][19.06.2013] restore correct operation of CAcert signer
Visit date & time:
19.06.2013, 15:45 - 16:15 CEST
Persons:
Stefan Kooman (Oophaga)
Mendel Mobach (CAcert)
Wytze van der Raay (CAcert)
Actions performed during this site visit:
* Inspect the logfile of the commmodule process on the signing server in
order to find out why certificate signing of Class 3 certificates started
failing on June 17, 12:42 CEST. After some searching we found out that the
failures were caused by the fact that the next serial number to be used
had already been issued somehow many years ago (May 2005).
* Take a copy of the index.txt file to USB stick for off-site analysis of
the serial number collision problem.
* Edit /etc/ssl/class3/index.txt to increase the next serial number to
be used by one.
* Apply the fix for https://bugs.cacert.org/view.php?id=1159 to
/root/Commmodule/signer.pl and restart the signer process
* Verify correct operation of the patch and adjust the time on the
signing server (total time gained was about 1.5 minutes).
* Power off the old webdb server and disconnect all cables leading to it
in order to preserve power.
[outside server room]
* Verify that signer is correctly signing Class3 certificate requests
again.
Follow-up actions:
* Analyze class3 index.txt file for further problems
* Update status of https://bugs.cacert.org/view.php?id=1159 and apply
same patch to the CVS repository
* Disks of the old webdb server will need to be taken into Oophaga
secure storage awaiting full destruction on some future visit, so
the remainder of the machine can be junked.
-- end
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
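
An added example, not part of the thread and not CAcert's own tooling: one way to check a copy of index.txt for serial number collisions of the kind described in the visit report. It assumes the file uses the OpenSSL `ca` text database layout (six tab-separated fields, the last being the certificate subject); the sample entries and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample in the OpenSSL "ca" text database layout (assumed here):
# status <TAB> expiry <TAB> revocation <TAB> serial (hex) <TAB> file <TAB> subject DN
SAMPLE_INDEX = (
    "E\t070512101500Z\t\t0A3F\tunknown\t/CN=alice.example\n"
    "R\t150101000000Z\t130301120000Z,keyCompromise\t0a40\tunknown\t/CN=bob.example\n"
    "V\t150617104200Z\t\t0A41\tunknown\t/CN=carol.example\n"
    "V\t150618090000Z\t\t0A3F\tunknown\t/CN=dave.example\n"
    "this line is damaged\n"
)

def parse_index(text):
    """Return (entries, malformed); entries are (line_no, status, serial_int)."""
    entries, malformed = [], []
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        try:
            if len(fields) != 6 or fields[0] not in ("V", "R", "E"):
                raise ValueError("unexpected field layout")
            # Serials are hex and may differ in case, so compare as integers.
            entries.append((no, fields[0], int(fields[3], 16)))
        except ValueError:
            malformed.append(no)
    return entries, malformed

def find_collisions(entries):
    """Map each serial that appears on more than one line to its line numbers."""
    seen = defaultdict(list)
    for no, _status, serial in entries:
        seen[serial].append(no)
    return {s: nos for s, nos in seen.items() if len(nos) > 1}

def next_free_serial(entries, candidate):
    """Advance candidate until it is not already present in the database."""
    used = {serial for _no, _status, serial in entries}
    while candidate in used:
        candidate += 1
    return candidate

if __name__ == "__main__":
    entries, malformed = parse_index(SAMPLE_INDEX)
    print("malformed lines:", malformed)
    for serial, lines in find_collisions(entries).items():
        print(f"serial {serial:X} appears on lines {lines}")
    print(f"next free serial from 0A3F: {next_free_serial(entries, 0x0A3F):X}")
```

Because the subject field is present on every line under this assumed layout, a copy of the file taken off-site for analysis can be reduced to the status and serial columns first.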