From hkng at fsu.edu Wed May 13 16:10:19 2020
From: hkng at fsu.edu (H. K. Ng)
Date: Wed, 13 May 2020 16:10:19 -0400
Subject: [LON-CAPA-admin] Fixed IPs address?
Message-ID:

Hi all,

Do the loncapa servers IP addresses have to be fixed? Unfortunately, there is a planned power outage in our building for 3 days!! and my thought is to move the servers to another building but it is on a different subnet. What are the ramifications for doing this?

Regards,
-hk

From raeburn at msu.edu Wed May 13 17:38:42 2020
From: raeburn at msu.edu (Raeburn, Stuart)
Date: Wed, 13 May 2020 21:38:42 +0000
Subject: [LON-CAPA-admin] Fixed IPs address?
In-Reply-To:
References:
Message-ID:

Hello hk,

The main impact of a change to an IP address for a LON-CAPA node will be a temporary loss of full connectivity to other LON-CAPA nodes in the network.

A loss of connectivity to a particular remote node will persist until either
(a) a restart of loncontrol on the remote LON-CAPA server/VM or
(b) /home/httpd/perl/loncron is run on the remote server/VM.

Note: if an institution has campus firewall rules for its LON-CAPA servers/VMs, in addition to the OS-level rules managed by LON-CAPA itself, then the loss of connectivity for your nodes will also persist until those rules include the new IP addresses.

The standard LON-CAPA cron file: /etc/cron.d/loncapa includes an entry to run /home/httpd/perl/loncron (as user www) at 5:10 am local time.

A user with the domain coordinator role selected can also run loncron from the web GUI via:

Main Menu > Status of domain servers > "Update Connections and Refresh Status Information"

When loncron is run:

(a) an up to date list of hostnames of LON-CAPA servers/VMs in the network will be retrieved from one of the Academic Consortium servers at MSU, UIUC and SFU;
(b) OS firewall rules for access to the LON-CAPA port (5663) will be updated to allow access from the IP addresses which the DNS service used by the server/VM maps for the current hostnames of LON-CAPA nodes in the network;
(c) a USR2 signal will be sent to the lond parent process, which will
    (i) kill any lond child processes for which the client IP address no longer matches any of those in the network; and
    (ii) reload the Apache web server.

In the case where an institution has set-up firewall rules for the campus border which restrict inbound traffic to port 5663 on the institution's LON-CAPA servers/VMs, the team which manages the campus firewall will also need to update the rules to allow connections from the new IP addresses.

One way to avoid the need to change IP addresses would be to ask your network team to establish a VLAN which encompasses both the current building and the other building. That way you could continue using the same IP addresses during the upcoming power outage when your hardware is moved, and there would also be longer term benefits in terms of disaster recovery preparedness.

Stuart Raeburn
LON-CAPA Academic Consortium

________________________________________
From: LON-CAPA-admin on behalf of H. K. Ng
Sent: Wednesday, May 13, 2020 4:10 PM
To: list about administration and system updating
Subject: [LON-CAPA-admin] Fixed IPs address?

Hi all,

Do the loncapa servers IP addresses have to be fixed? Unfortunately, there is a planned power outage in our building for 3 days!! and my thought is to move the servers to another building but it is on a different subnet.
What are the ramifications for doing this?

Regards,
-hk

From mmesseh at illinois.edu Sun May 24 01:03:18 2020
From: mmesseh at illinois.edu (Abdel Messeh, Maged)
Date: Sun, 24 May 2020 05:03:18 +0000
Subject: [LON-CAPA-admin] Access node capacity
Message-ID:

Hi All,

I am wondering if anyone has some practical tips on how many concurrent users can access LonCapa at one time. My theory is that it would be related to how much memory the system has? Our apache config allows the default 256 connections with each access node having 64G of memory. I normally don't see any problems but was wondering if I can increase the capacity of each node to serve more connections?

Also any tips about the library server will be appreciated.

Thank you,
Maged Messeh

From raeburn at msu.edu Sun May 31 16:11:23 2020
From: raeburn at msu.edu (Raeburn, Stuart)
Date: Sun, 31 May 2020 20:11:23 +0000
Subject: [LON-CAPA-admin] Expiry of InCommon Certificate AddTrust External CA Root (5/30/2020)
Message-ID:

Hello all,

If you are using SSL certificates signed by InCommon for the Apache web server on your LON-CAPA server(s) you may be impacted by the expiration of the InCommon root certificate -- AddTrust External CA Root -- which expired Saturday, May 30, 2020, at 6:48 a.m EDT.

If you visit: whatsmychaincert.com and enter the hostname of your LON-CAPA server, in the textbox, and push "Test" you can find out if your Apache SSL certificate chain contains the expired root certificate.

If an expired certificate is present in the chain you'll see the message:

" has a trusted chain containing an expired certificate. This chain will work with modern web browsers but may fail with older clients ..."

The presence of an expired certificate impacts LON-CAPA because a certificate chain containing one will prevent completion of internal web requests (by LWP):

The solution is to remove the expired certificate from the chain, and reload Apache.

For example, if your Apache configuration file (e.g., /etc/httpd/conf.d/ssl.conf on RedHat/CentOS/Scientific Linux) includes an entry for: SSLCertificateChainFile (i.e., an intermediate certificate), and if you received your signed SSL Certificate from InCommon, then you can download an intermediate certificate (expires 2024) from:

incommon.org/custom/certificates/repository/sha384 Intermediate cert.txt

(note the single space between sha384 and Intermediate and between Intermediate and cert.txt).

Save the file, and modify /etc/httpd/conf.d/ssl.conf (if necessary) so the path given for SSLCertificateChainFile is the path to the new intermediate certificate.

Then reload the Apache web server (as root) using: service httpd reload.

Stuart Raeburn
LON-CAPA Academic Consortium

From hkng at fsu.edu Sun May 31 17:21:12 2020
From: hkng at fsu.edu (H. K. Ng)
Date: Sun, 31 May 2020 17:21:12 -0400
Subject: [LON-CAPA-admin] error 443
Message-ID:

Hi all,

Seems that all my loncapa servers are suffering from error 443.

While students can login etc, but when I try to do some manual grading, the following error occurs

An unrecoverable network error occurred:
Unable to retrieve a resource from a server:
Resource: /res/fsu/openstax-CollegePhysics/05_NewtonsLaws-Friction/07_Friction.problem
Error: 500 Can't connect to loncapa10.fsu.edu:443
It is recommended that you try again later, as this error may mean the server was just temporarily unavailable, or is down for maintenance.
If the error persists, please contact the Helpdesk for assistance.

The resource is there. Also, if I use the course editor and try to add/remove a resource, nothing happens.

Any idea what is going on?

Thanks,
Regards,
-hk

From raeburn at msu.edu Sun May 31 18:08:00 2020
From: raeburn at msu.edu (Raeburn, Stuart)
Date: Sun, 31 May 2020 22:08:00 +0000
Subject: [LON-CAPA-admin] error 443
In-Reply-To:
References:
Message-ID:

Hello hk,

See: mail.lon-capa.org/pipermail/lon-capa-admin/2020-May/003425.html which I posted earlier today.

I checked the SSL certificate chain for: loncapa10.fsu.edu by pointing a web browser at: whatsmychaincert.com/?loncapa10.fsu.edu and it reported:

"loncapa10.fsu.edu has a trusted chain containing an expired certificate. This chain will work with modern web browsers but may fail with older clients".

>
> While students can login etc, but when I try to do some manual grading,
> the following error occurs
>
>

In this case, internal web requests (which use LWP) are failing because of the expired AddTrust External CA Root certificate.

Looking at the SSL certificate for loncapa10.fsu.edu, it appears it is issued by Sectigo (not InCommon), but it lists USERTrust as the CA Root, so, as is the case for certificates from InCommon, certificates from Sectigo are also impacted by the expiry of the AddTrust CA Root certificate.

If you modify the certificate chain to remove the expired AddTrust CA Root certificate and reload Apache that will fix things.

See: support.sectigo.com/Com_KnowledgeDetailPage?Id=kA03l00000117LT

Other options:

1. Install SSL certificates from letsencrypt.org (using the certbot tool).

or

2. As a temporary workaround you could disable hostname verification by LWP when using SSL by setting: $ENV{PERL_LWP_SSL_VERIFY_HOSTNAME} = 0; (e.g., in /etc/environment)

Stuart Raeburn
LON-CAPA Academic Consortium

________________________________________
From: LON-CAPA-admin on behalf of H. K.
Ng
Sent: Sunday, May 31, 2020 5:21 PM
To: list about administration and system updating
Subject: [LON-CAPA-admin] error 443

Hi all,

Seems that all my loncapa servers are suffering from error 443.

While students can login etc, but when I try to do some manual grading, the following error occurs

An unrecoverable network error occurred:
Unable to retrieve a resource from a server:
Resource: /res/fsu/openstax-CollegePhysics/05_NewtonsLaws-Friction/07_Friction.problem
Error: 500 Can't connect to loncapa10.fsu.edu:443
It is recommended that you try again later, as this error may mean the server was just temporarily unavailable, or is down for maintenance.
If the error persists, please contact the Helpdesk for assistance.

The resource is there. Also, if I use the course editor and try to add/remove a resource, nothing happens.

Any idea what is going on?

Thanks,
Regards,
-hk
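
Added example, not part of the list posts above and not LON-CAPA code: a local check for the condition discussed in this thread, an expired certificate sitting in the PEM file named by SSLCertificateChainFile. It assumes the openssl command-line tool is installed; the function names are hypothetical, and the sample chain is built from throwaway self-signed certificates constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not LON-CAPA code): flag certificates in a PEM bundle, such as
# the file named by SSLCertificateChainFile, that are expired or near expiry.

# split_bundle BUNDLE OUTDIR: write each certificate to OUTDIR/cert-NN.pem
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%02d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$1"
}

# expiring_in_bundle BUNDLE [SECONDS]
# Prints "subject | notAfter" for every certificate that is already expired
# (SECONDS=0, the default) or expires within SECONDS. A block openssl cannot
# parse is reported too. Returns 0 if nothing was flagged, 1 otherwise.
expiring_in_bundle() {
    bundle=$1; window=${2:-0}; found=0
    tmp=$(mktemp -d) || return 2
    split_bundle "$bundle" "$tmp"
    for pem in "$tmp"/cert-*.pem; do
        [ -f "$pem" ] || continue
        # -checkend N exits non-zero when the certificate expires within N seconds
        if ! openssl x509 -in "$pem" -noout -checkend "$window" >/dev/null 2>&1; then
            subj=$(openssl x509 -in "$pem" -noout -subject 2>/dev/null)
            end=$(openssl x509 -in "$pem" -noout -enddate 2>/dev/null)
            printf '%s | %s\n' "$subj" "$end"
            found=1
        fi
    done
    rm -rf "$tmp"
    return "$found"
}

# make_constructed_chain DIR: build DIR/chain.pem from two throwaway self-signed
# certificates (1 day and 10 years) so the check can be tried offline.
make_constructed_chain() {
    for spec in short:1 long:3650; do
        openssl req -x509 -newkey rsa:2048 -nodes -days "${spec#*:}" \
            -subj "/CN=constructed-${spec%%:*}-lived" \
            -keyout "$1/${spec%%:*}.key" -out "$1/${spec%%:*}.pem" >/dev/null 2>&1 || return 1
    done
    cat "$1/long.pem" "$1/short.pem" > "$1/chain.pem"
}

# Usage: sh check_chain.sh /path/to/chain.pem [seconds]
if [ "$#" -gt 0 ]; then expiring_in_bundle "$@"; fi
```

Run with no second argument it reports only certificates that have already expired; a window such as 2592000 (30 days) gives advance warning before the next expiry.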