Re: [Sks-devel] sks.alpha-labs.net
Hey folks,

sks.alpha-labs.net is back online and syncing up.

peers: please note a change in IP. New IP is 46.229.47.139

Thanks!
-Christian.

On 13/07/15 22:50, Christian Reiss wrote:
> Hey folks,
>
> I am currently migrating to a new OS and during that time
> sks.alpha-labs.net will be DOWN. I expect it to be back up tomorrow.
>
> Dear sync peers, have patience :)
> Once the issue is resolved I will reply here.
>
> -Christian.

--
 Christian Reiss - em...@christian-reiss.de         /\  ASCII Ribbon
                   christ...@reiss.nrw              \ /    Campaign
                                                     X   against HTML
 XMPP ch...@alpha-labs.net                          / \   in eMails
 WEB christian-reiss.de, reiss.nrw
 GPG Retrieval http://gpg.christian-reiss.de
 GPG ID ABCD43C5, 0x44E29126ABCD43C5
 GPG fingerprint = 9549 F537 2596 86BA 733C A4ED 44E2 9126 ABCD 43C5

 It's better to reign in hell than to serve in heaven.,
 John Milton, Paradise lost.

___
Sks-devel mailing list
Sks-devel@nongnu.org
https://lists.nongnu.org/mailman/listinfo/sks-devel

Re: [Sks-devel] sks.alpha-labs.net downtime
Hey,

the server has recovered yesterday and is back to operational state.

-Christian

On 25/01/15 11:39, Christian wrote:
> Hey,
>
> Server is back online, new IP is 46.229.47.134, DNS CNAME has been
> updated accordingly. Missing keys are being resynced right now. I
> expect it to be synced within the hour.
>
> Cheers!
> -Christian.
>
> On 25.01.2015 11:17, Christian wrote:
>> Hey folks,
>>
>> I am currently having trouble with the current VM for the SKS server.
>> Hence I am currently migrating the data files and the servers to a
>> different one (shame on me, I tried NAT'ing it...)
>>
>> Anyway, after lagging behind 2.5k keys I am now moving back to a
>> public IP again.
>>
>> To my sync peers: Keep syncing -- I am expected to be back up within
>> a few hours.
>>
>> Cheers!
>> -Christian.

Re: [Sks-devel] sks.alpha-labs.net migration
Hey,

It's now 24 hours after the switch and I am not seeing any errors.

To all my sync-peers: Please ensure that you are not refusing connections from 46.229.47.146.

Cheers!
-Christian.

(Sent via Zimbra Webinterface, not gpg signed.)

- Original Message -
| From: Christian Reiß em...@christian-reiss.de
| To: SKS Development and Deployment discussion sks-devel@nongnu.org
| Sent: Monday, 2 June, 2014 6:04:47 PM
| Subject: [Sks-devel] sks.alpha-labs.net migration
|
| Hello folks,
|
| just letting you know that I am going to migrate the server
| sks.alpha-labs.net to a different IP (from 46.229.47.140 to
| 46.229.47.146). I am merging some servers. sks.alpha-labs.net will move
| from a-record to cname, but sks.alpha-labs.net will remain as the
| configured hostname in sks.
|
| The DNS zones ttl is set to 1 hour, so expect a 1h downtime tomorrow.
|
| Thank you all and have a great start into the week ;)
|
| -Christian.

[Sks-devel] sks.alpha-labs.net migration
Hello folks,

just letting you know that I am going to migrate the server sks.alpha-labs.net to a different IP (from 46.229.47.140 to 46.229.47.146). I am merging some servers. sks.alpha-labs.net will move from a-record to cname, but sks.alpha-labs.net will remain as the configured hostname in sks.

The DNS zones ttl is set to 1 hour, so expect a 1h downtime tomorrow.

Thank you all and have a great start into the week ;)

-Christian.

Re: [Sks-devel] Heartbleed and HKPS pool
On 28/05/14 12:11, Kristian Fiskerstrand wrote:
> They will not be able to issue a certificate related to
> hkps.pool.sks-keyservers.net as CN or subjectAltName, i.e. the
> validation on a pool would fail.

It was too early in the morning, even pre-coffee. I honestly didn't see that coming and retract my statement :)

-Christian.

Re: [Sks-devel] status page
It's a facepalm.

https://www.youtube.com/watch?feature=player_detailpagev=wjLgekyOZA0#t=57

(I did the facepalm several times over the course of this conversation.)

-Christian.

On 20/04/14 19:51, Frank Villaro-Dixon wrote:
> Excuse my ignorance, but I'm curious to know what this smiley means,
> if someone could enlighten me ? ;)
>
> Thanks
> Frank

[Sks-devel] Tuning
Hey folks,

I have some questions on which I need some pointers.

First, -nodiskptree: To my understanding this would result in longer startup-times, more memory consumption but faster lookups. So the ptree is generated, but kept in ram. Final analysis: Enabling this option would speed up lookups on the tradeoff of consuming ram. So: turn on pagesize and ptree_pagesize. These options are used for importing/generating the db and have no effect on a running server (or?). What would be good pointers in setting those?

stat_hour: As far as I understand, stats are generated each hour. Why specify this? Are some more special stats generated here?

In other news: I am dumping my DB each week, each Monday (http://sks.alpha-labs.net/dump/) - if someone wants to restart / recover.

Also I am using puppet to deploy the sks server. Anyone else using puppet? membership file (et al.) is managed over hiera. So if we have any puppet3 users I am glad to share.

Lastly, I wrote a (10 liner) php-script that queries the sks-keyserver stats page for (my) server checking keydiff, status and port-status (80, hkps) and exits with error/warning. Used in my case for bi-hourly icinga checks. Same here: I'll share. Drop me a line.

-Christian

Re: [Sks-devel] HKPS configuration?
Hey,

hkps is basically a 443 to hkp forward - I am using nginx for that. Just be SURE you do NOT use SNI or rely/need a vhost/hostname as some client/most clients (gnupg) do not send this information. It is actually only feasible on a dedicated IP for SKS where Port 443 is solely used for https/hkps.

tl;dr: Just up a new ip and set up nginx on 443 on that, accepting all and forwarding to local hkp.

-Christian.

On 11/02/14 16:23, Tyler Schwend wrote:
> My SKS instance is behind a reverse proxy, plaintext on the standard
> port. I have connections on port 80 that reference my server name
> forwarded to localhost:11371. I assume this is port 80 HKP, and works
> for me through my at-work proxy.
>
> Is HKPS basically doing the same thing, but wrapping the outside
> connection in HTTPS? Are clients that contact HKPS nodes generally
> capable of specifying the server name, or do I need to run HKPS on its
> own port?

Re: [Sks-devel] HKPS configuration?
Hey,

I am not saying it can't be done. Yes it is possible with your setup, but that some clients do not send vhost/domain data along with the request and expect the hostname of the sks server to match the default cert. So unless you are serving the hkps per default on your server you might break compatibility with clients.

So, just up a new ip and serve all requests to that cert. Not really stressing, eh? :)

-Chris.

On 11/02/14 16:34, Daniel Kahn Gillmor wrote:
> On 02/11/2014 10:27 AM, Christian Reiß wrote:
>> hkps is basically a 443 to hkp forward - I am using nginx for that.
>> Just be SURE you do NOT use SNI or rely/need a vhost/hostname as some
>> client/most clients (gnupg) do not send this information. It is
>> actually only feasible on a dedicated IP for SKS where Port 443 is
>> solely used for https/hkps.
>
> actually, you do need SNI, if you want to be able to provide a
> different X.509 certificate to users who connect to it with different
> names.
>
> zimmermann.mayfirst.org serves keys at both hkps://keys.mayfirst.org
> and hkps://hkps.pool.sks-keyservers.net from the same IP address, and
> uses a different X.509 certificate, depending on which host the client
> is connecting to. This relies on the client using SNI.
>
> All of this can be done on the same IP address as your existing hkp
> service, but on TCP port 443.
>
> --dkg
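
The two positions in the HKPS configuration thread above can be combined in one nginx configuration. This is an added example, not taken from any poster's actual setup: a default server on port 443 answers clients that send no SNI, and a second server block is selected by SNI for the pool name. The certificate paths are placeholders, the use of sks.alpha-labs.net as the server's own name is illustrative, and the backend 127.0.0.1:11371 assumes the local HKP listener mentioned in the question.

```nginx
# Added example, not from the thread. Certificate paths are placeholders.
# Goes inside the http { } context of nginx.conf.

# Backend: the local SKS HKP listener (localhost:11371, as in the question).
upstream sks_hkp {
    server 127.0.0.1:11371;
}

# Default server for port 443: used when the client sends no SNI,
# or sends a name that matches no other server block.
server {
    listen 443 ssl default_server;
    server_name sks.alpha-labs.net;

    ssl_certificate     /etc/nginx/ssl/PLACEHOLDER-own-name.crt;
    ssl_certificate_key /etc/nginx/ssl/PLACEHOLDER-own-name.key;

    location / {
        proxy_pass http://sks_hkp;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

# Selected only when the client sends SNI for the pool name;
# presents the certificate issued for that name.
server {
    listen 443 ssl;
    server_name hkps.pool.sks-keyservers.net;

    ssl_certificate     /etc/nginx/ssl/PLACEHOLDER-pool-name.crt;
    ssl_certificate_key /etc/nginx/ssl/PLACEHOLDER-pool-name.key;

    location / {
        proxy_pass http://sks_hkp;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

If port 443 on this address already has a different default server, clients without SNI receive that server's certificate, which is the case the dedicated-IP advice avoids.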