I received an e-mail asking why Ubuntu was mounting NFS file systems with version 4.0 instead of 4.1. I responded that I did not know and would need to research it.
What I found was that actually version 4.2 is supported by most modern systems, and according to the manual the NFS client is supposed to negotiate the highest version mutually supported by the client and server, but for some reason it will not do this.
I found that if I added vers=4.2 to the mount options on machines which support it (the old CentOS 6 machine does not with the stock kernel and is using 4.1 instead), then when the machine boots it will use that version. This should not be necessary if things worked as documented, but that is not the case. Performance of version 4.2 is significantly better, so changing this substantially improved the web server performance because it accesses its content via NFS.
Reboots have been completed. Often after a reboot of all servers there will be a handful that do not properly remount NFS partitions or bind to NIS servers properly. Checking for these issues presently is a manual operation. I am checking the machines for these issues now, otherwise things should be basically operational.
Shortly after midnight tonight I am going to reboot servers for a kernel upgrade. I keep hoping they’ll fix the Ethernet drivers but not exactly holding my breath.
The issues with SSL on the mail server have been fixed. It was caused by the new certificate ca-bundle file only having the intermediate files in it, while last year’s had our site certificate followed by the intermediates. I had to cat both files together into a third, which made dovecot and postfix happy. The web server was unaffected by this because its configuration includes both files, so all of the necessary certificates were available to it.
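The check behind that fix, as an added example that is not part of the original post: it compares the public key of the first certificate in a chain file with the private key, and builds the combined file only if they match. Function names and file paths are hypothetical, and it assumes the mail daemons take their own certificate from the top of the chain file.

```sh
#!/bin/sh
# Added example: function names and file arguments are hypothetical.

# Return 0 when the FIRST certificate in PEM file $1 belongs to private key $2.
# "openssl x509" reads only the first certificate in a file, so a bundle that
# starts with an intermediate is compared against the wrong certificate and
# reports a mismatch even though the site certificate itself is fine.
chain_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Concatenate site certificate $1 and intermediates $2 into chain file $3,
# site certificate first, and keep the result only if it matches key $4.
build_fullchain() {
    tmp="$3.tmp.$$"
    cat "$1" "$2" > "$tmp" || return 2
    if chain_matches_key "$tmp" "$4"; then
        mv "$tmp" "$3"
    else
        rm -f "$tmp"
        return 1
    fi
}
```

Running `chain_matches_key` on the bundle before pointing dovecot or postfix at it shows whether the ordering is the cause without restarting the mail services.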
I am having problems with our new Comodo certificate. It works fine with the Apache web server, but with the Dovecot mail server it is telling me the key does not match the cert. It does; I have verified this.
I am thinking the software is too outdated and I am trying to build the new openssl and dovecot for this machine. To put it mildly, it is giving me fits. If mail does not work, please try to use webmail https://www.eskimo.com/mail or log in to a shell server and use alpine configured to talk to local spool.
I am working hard to resolve this but running into numerous problems. I want to get the latest openssl in place, which has support for elliptic curve cryptography; this will become important as quantum computers become more robust and we learn how to program them. But it will not find one of the shared libraries even though it is there and included in the path. Argh!
Anyway I’m working hard to resolve.
I’m going to be working on mail for a little bit to replace encryption certificates because the old is expiring today. There may be times when encryption does not work temporarily.
Turns out Thunderbird is broken. For some reason TLS does not work in the current Thunderbird either with our mail server or Google’s IMAP, but STARTTLS does. Investigating further.
I broke our client mail server trying to install new SSL certificates. I do not know why yet but am restoring the previous configuration. Unfortunately this needs to be resolved soon or our old certificate expires in a couple of days. I am restoring the unbroken configuration from backup and then will try changing one thing at a time until I figure out what went wrong.
I did an sa-update -D, which tells spamassassin to re-upload the default ruleset, and then I restarted it. After doing this, spamassassin began scoring spam again properly.
All I can figure is a cron-scheduled sa-update downloaded a broken set of rules.