Bug #9283: Not obvious that HA sync will still sync certs if cert sync disabled but OpenVPN sync enabled
Status: Closed
% Done: 100%
Description
system A has external/imported certificate A
system B has external/imported certificate B
Both just upgraded to 2.4.4_2. A is Netgate/ADI image, B is community.
System > High Avail. Sync
XMLRPC Sync
uncheck "Certificate Authorities, Certificates, and Certificate Revocation Lists"
External/imported certificate (A) from master is still synced to secondary, certificate B is deleted from secondary. On reboot, secondary gains an additional self-signed certificate C.
Workaround: Create certificate D that has subject alternative names for all IPs and DNS names, use certificate D for the web configurator on both systems, and re-enable XMLRPC sync for certificates.
Updated by Jim Pingle almost 6 years ago
- Subject changed from HA sync does not exclude certificates to Not obvious that HA sync will still sync certs if cert sync disabled but OpenVPN sync enabled
- Assignee set to Jim Pingle
- Target version set to 48
It does exclude certificates when all areas that need certificate sync are disabled. OpenVPN requires certs to sync, so if you have OpenVPN sync enabled, then it will also sync certs. To disable cert sync entirely, you must also disable OpenVPN sync.
I am pushing a commit to add a note to OpenVPN stating it implies cert sync to make this relationship more obvious.
The correct procedure for what you describe is to import all certs to the primary, and then select on secondary after they sync. You can also do one cert with SANs for both (which is best for LE).
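The single-certificate approach recommended above (one cert with SANs for both nodes, imported on the primary and synced to the secondary), as an added example that is not part of this bug report or of pfSense's own code: a POSIX shell script driving the openssl command line that generates a key, a CSR and a self-signed certificate whose subjectAltName covers both HA nodes and the CARP VIP, then checks that each node's name is actually present in the SANs. The hostnames and addresses (pfsense1/pfsense2/pfsense-ha.domain.tld, 5.5.5.1 to 5.5.5.3) are the constructed layout posted later in this thread, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not pfSense project code): one certificate whose SANs cover
# both HA nodes and the CARP VIP, so the same cert can be selected for the
# web GUI on primary and secondary and per-node certs no longer need to
# survive XMLRPC sync. Names and IPs below are placeholders.
set -eu
umask 077   # private key and config files are created 0600

# make_san_cert PREFIX CN SAN...   (SAN entries as DNS:name or IP:addr)
# Writes PREFIX.key, PREFIX.csr (submit to your CA / ACME client on the
# primary) and PREFIX.crt (self-signed with the same SANs, for testing).
make_san_cert() {
    prefix=$1; cn=$2; shift 2
    sans=$(printf '%s,' "$@"); sans=${sans%,}
    cfg="$prefix.cnf"
    cat >"$cfg" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $cn
[san]
subjectAltName = $sans
EOF
    # CSR carrying the SAN extension
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$prefix.key" -out "$prefix.csr" -config "$cfg" -reqexts san
    # Self-signed certificate from the same key, with the same SANs
    openssl req -x509 -new -key "$prefix.key" -days 90 -sha256 \
        -out "$prefix.crt" -config "$cfg" -extensions san
}

# cert_sans CERT -> prints the certificate's SAN list on one line
cert_sans() {
    openssl x509 -noout -text -in "$1" \
        | sed -n '/Subject Alternative Name/{n;s/^ *//;p;}'
}

# cert_covers CERT TYPE VALUE -> 0 if "TYPE:VALUE" is one SAN entry
# (TYPE is DNS or IP; openssl prints IP entries as "IP Address:...")
cert_covers() {
    crt=$1; typ=$2; val=$3
    [ "$typ" = IP ] && typ="IP Address"
    case ", $(cert_sans "$crt"), " in
        *", $typ:$val, "*) return 0 ;;
    esac
    return 1
}

# Demo: constructed HA layout, two nodes plus the CARP VIP (placeholders)
work=$(mktemp -d)
make_san_cert "$work/ha" pfsense-ha.domain.tld \
    DNS:pfsense1.domain.tld DNS:pfsense2.domain.tld DNS:pfsense-ha.domain.tld \
    IP:5.5.5.1 IP:5.5.5.2 IP:5.5.5.3
echo "SANs: $(cert_sans "$work/ha.crt")"
for h in pfsense1.domain.tld pfsense2.domain.tld pfsense-ha.domain.tld; do
    if cert_covers "$work/ha.crt" DNS "$h"; then
        echo "covered: $h"
    else
        echo "MISSING: $h"
    fi
done
echo "files in $work: ha.key ha.csr ha.crt"
```

Submit the CSR to the CA you actually use (or use the self-signed cert for a quick test), import the issued certificate and key once on the primary, let XMLRPC sync carry it to the secondary, and then select it for the web GUI on both nodes. The check at the end is the part worth keeping around: a cert that lacks one node's name or VIP address is exactly what produces browser warnings after a CARP failover.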
Updated by Jim Pingle almost 6 years ago
- Status changed from New to Feedback
- % Done changed from 0 to 100
Applied in changeset 9f3b87d898e1fa8a5bfa40758e5747515cc38ad4.
Updated by Art Manion almost 6 years ago
Jim Pingle wrote:
It does exclude certificates when all areas that need certificate sync are disabled. OpenVPN requires certs to sync, so if you have OpenVPN sync enabled, then it will also sync certs. To disable cert sync entirely, you must also disable OpenVPN sync.
I am pushing a commit to add a note to OpenVPN stating it implies cert sync to make this relationship more obvious.
The correct procedure for what you describe is to import all certs to the primary, and then select on secondary after they sync. You can also do one cert with SANs for both (which is best for LE).
I'm not using certs in OpenVPN so didn't check that behavior.
Updated by Art Manion almost 6 years ago
Jim Pingle wrote:
The correct procedure for what you describe is to import all certs to the primary, and then select on secondary after they sync. You can also do one cert with SANs for both (which is best for LE).
Yep, I ended up using one cert with SANs for both hosts/IPs.
Updated by Grischa Zengel over 5 years ago
Even though OpenVPN needs synced certs, I would like not to sync them because of ACME certs.
Or skip deleting in-use ACME certs on backup systems.
My domain:
pfsense1.domain.tld 5.5.5.1 (static)
pfsense2.domain.tld 5.5.5.2 (static)
pfsense-ha.domain.tld 5.5.5.3 (CARP)
pfsense1 can't create a certificate for pfsense2 because DNS points to pfsense2 and ACME needs a valid DNS entry.
And no, I can't change to the DNS challenge.
Updated by Jim Pingle over 5 years ago
Then you are using ACME incorrectly. Read the previous comments or post on the forum if you have further questions. You can't have it both ways.
Updated by Jim Pingle over 5 years ago
- Target version changed from 2.5.0 to 2.4.4-p3
Updated by Chris Linstruth over 5 years ago
2.4.4-p3 looks good:
NAT configuration
IPsec configuration
OpenVPN configuration (Implies CA/Cert/CRL Sync)
DHCP Server settings
WoL Server settings
Updated by Jim Pingle over 5 years ago
- Status changed from Feedback to Resolved