14:02 <gharris> Anyone doing live backup? Will a mongodump plus /opt/sandstorm rsync get a good enough backup for recovery? The notion of having to shut down the service just to do a backup is not very workable.

14:38 <TimMc> gharris: Yes, I'm doing live backup.

14:38 <TimMc> I moved Sandstorm to a ZFS partition so I can take a ZFS snapshot and then back up the snapshot.

14:39 <TimMc> mongodump and rsync isn't guaranteed to do the trick.

16:47 <webch555> hi, is anyone using digicert wildcard cert to secure sandstorm? digicert is telling me i cant add a SAN of *.myname.mydomain.com

17:27 <gharris> @TimMc Thanks for the info. From what I understand, ZFS has a significant set of issues of it's own, primarily in the unexpected hard shutdown area, which should never happen but of course will. Secondarily, converting from ext4 isn't fun. Rock, meet hard place.

17:32 <gharris> @webch555 GoDaddy had no problem with creating a wildcard cert with SAN fields. However, I think if I had tried to order a SAN cert, it would have been a problem. In other words, GoDaddy has two different products. Is Digicert the same? Or are they telling you that wildcard certs have been depricated, so they won't issue them?

17:42 <TimMc> gharris: ZFS is likely to have problems after crashes? I thought the copy-on-write property would help with that.

17:45 <webch555> gharris, looks like digicert is the same. I have a wildcard cert, they have another option called Multi Domain (SAN) cert that i think i would need

17:47 <TimMc> IIRC, all browser-compatible certs use SAN, and the CN field is deprecated. Apparently "SAN cert" is a misnomer these days, but a rather sticky one. :-D

17:47 <webch555> this is a sub sub domain. my domain is example.univ.edu. my wildcard is for *.example.univ.edu. i can secure sandstorm.example.univ.edu with this wildcard cert, but i cannot use *.sandstorm.univ.edu in the SAN field

17:48 <webch555> so my grains dont load because of the cert error

18:01 <webch555> might try lets encrypt

18:17 <TimMc> webch555: LE doesn't do wildcard.

18:25 <webch555> thanks

20:26 <gharris> @TimMc Perhaps it will. Still, the idea of rebuilding yet again. Surely there has got to be a real solution to this. Snapshosts for an external backup will take a TON of extra disk space if we have any kind of reasonable usage. And it will be difficult to pull incrementals from the external backup. Additionally, with backing up from a snapshot,

20:26 <gharris> I doubt that pooling with work.

20:48 <gharris> @webch555 I think you got it backwards. You want a wildcard for *.example.univ.edu with two SAN records of example.univ.edu and *.example.univ.edu. You have to tell OpenSSL to add the SAN records to the .csr template. Not hard, but definately a Google.