Feature #1451

Certificate errors after CARP election

Added by Adam Thompson about 14 years ago. Updated about 13 years ago.

Status:
Resolved
Priority:
Low
Assignee:
-
Category:
Web Interface
Target version:
-
Start date:
04/21/2011
Due date:
% Done:
0%

Estimated time:
Plus Target Version:
Release Notes:

Description

Using CARP VIP to administer pfSense, after the backup is promoted to master, Firefox complains about SSL certificate again, then refuses to add an exception because one already exists. The best way I can think of to fix this would be to maintain additional certificates for VIPs and sync those via XMLRPC. Syncing the main SSL cert via XMLRPC would be OK, but only if there was a way to disable that, as some people might want each cluster member to have its own certificate (particularly if issuing name-based certs from a $$$ CA).

(FYI, forcing the browser to reload the page fixes the problem.)

#1

Updated by Chris Buechler about 14 years ago

  • Tracker changed from Bug to Feature

#2

Updated by Jim Pingle about 14 years ago

  • Status changed from New to Feedback

Usually you would want to access the GUI on the boxes directly by accessing their actual IPs, not the CARP VIP, since you don't know which box that will lead to until after you are logged in.

That said, if you have the box checked in the CARP Settings to sync certificates, the GUI cert should already be synchronized. Or it was last time I tried it.

If you want separate certs, you can opt not to sync the certificates and remember not to access the box via the CARP IP.

#3

Updated by Adam Thompson about 14 years ago

Hmm... in that case, I think this is a bug, not a feature. If the identical certificate is being offered from both members, why am I getting a fresh certificate validation error prompt? My browser shouldn't be able to tell the difference between a CARP failover and, say, httpd restarting - yet it does, somehow.

I don't have time to test this exhaustively now, but I did confirm that the default cert offered by the admin GUI is not the same. Different serial numbers, different thumbprints, different PK. Which explains why Firefox gets grumpy whenever the master switches in the middle of an administrative browser session.

Synchronize Certificates is turned on under CARP Settings.

So... this shouldn't be happening, then, right?

#4

Updated by Jim Pingle about 14 years ago

On the slave, go to System > Advanced, on the Admin tab, make sure the cert selected there is the same as the cert selected there on the master. Perhaps it did sync them but it's using two different certs for whatever reason.

#5

Updated by Chris Buechler about 14 years ago

Config sync does indeed sync the cert that's used, and there currently isn't any way to do otherwise. But, if you start with a different cert, it doesn't restart lighty after syncing, which is how you can end up with it being different. And you should never manage by CARP IP regardless.
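A quick way to confirm the situation described in this thread (two members that should share a GUI certificate but actually present different ones) is to fetch the leaf certificate each address serves and compare fingerprints. The script below is an added example for this page, not code from the original issue or from pfSense; the node addresses are assumptions and the offline demo uses constructed byte blobs in place of real certificates.

```python
"""Compare the TLS certificate each pfSense cluster member actually serves.

Added example, not part of the original issue or of pfSense. It grabs the
leaf certificate the web GUI presents on each address and groups the
hosts by SHA-256 fingerprint; a cluster with certificate sync working
should yield exactly one group. Node addresses below are assumptions.
"""
import hashlib
import socket
import ssl
from typing import Dict, List


def fetch_leaf_cert_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Return the DER-encoded leaf certificate presented by host:port.

    Verification is disabled on purpose: the goal is to see which
    certificate the server hands out, whether or not it is trusted.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint, as browser certificate viewers show it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def group_by_fingerprint(certs: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Map each distinct fingerprint to the hosts that presented it."""
    groups: Dict[str, List[str]] = {}
    for host, der in certs.items():
        groups.setdefault(sha256_fingerprint(der), []).append(host)
    return groups


def certs_consistent(certs: Dict[str, bytes]) -> bool:
    """True when every host served a byte-identical certificate."""
    return len(group_by_fingerprint(certs)) == 1


def report(certs: Dict[str, bytes]) -> str:
    """Human-readable summary, with the remediation hint from this thread."""
    groups = group_by_fingerprint(certs)
    if not groups:
        return "no certificates fetched"
    if len(groups) == 1:
        fp = next(iter(groups))
        return f"OK: {len(certs)} host(s) present the same certificate {fp}"
    lines = ["MISMATCH: cluster members present different certificates"]
    for fp, hosts in groups.items():
        lines.append(f"  {fp}  <- {', '.join(sorted(hosts))}")
    lines.append("  check System > Advanced > Admin cert selection on each node,")
    lines.append("  then restart the web GUI on the node that did not pick up the sync")
    return "\n".join(lines)


def demo_with_constructed_certs() -> str:
    """Offline demo on constructed blobs (not real certificates)."""
    cert_a = b"constructed-cert-A"
    cert_b = b"constructed-cert-B"
    # The VIP currently lands on the primary, so it shows the primary's cert;
    # the secondary never restarted lighttpd after sync and still serves cert B.
    return report({"primary": cert_a, "vip": cert_a, "secondary": cert_b})


if __name__ == "__main__":
    # Assumed addresses: primary, secondary and the shared CARP VIP.
    NODES = {"primary": "192.0.2.2", "secondary": "192.0.2.3", "vip": "192.0.2.1"}
    fetched: Dict[str, bytes] = {}
    for name, addr in NODES.items():
        try:
            fetched[name] = fetch_leaf_cert_der(addr)
        except (OSError, ssl.SSLError) as exc:
            print(f"{name} ({addr}): connection failed: {exc}")
    print(report(fetched))
    print(demo_with_constructed_certs())
```

Run it from a management host that can reach both members directly. If the VIP fingerprint matches one node and the other node differs, the browser warning after a CARP failover is explained, and per the comment above the sync itself is not at fault: the secondary simply kept serving the certificate lighttpd loaded before the sync.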

#6

Updated by Adam Thompson about 14 years ago

There's only one cert on each. However, I don't think the secondary has been rebooted since setup; I'll do that and confirm whether it "fixes" the problem. I'm using the VIP to manage because I find I'm often having to kick the secondary in order to get the primary back to being MASTER - having ongoing problems with CARP elections not working as expected, don't know why yet. (And if I log in to the VIP and it turns out to be the primary, I don't need to do anything, thus saving a step or three.)

#7

Updated by Jim Pingle about 13 years ago

  • Status changed from Feedback to Resolved