Bug #9283

Not obvious that HA sync will still sync certs if cert sync disabled but OpenVPN sync enabled

Added by Art Manion 5 months ago. Updated about 1 month ago.

Status: Resolved
Priority: Very Low
Assignee:
Category: Config sync
Target version:
Start date: 01/22/2019
Due date:
% Done: 100%
Estimated time:
Affected Version: 2.4.4_2
Affected Architecture: amd64

Description

system A has external/imported certificate A
system B has external/imported certificate B

Both just upgraded to 2.4.4_2. A is Netgate/ADI image, B is community.

System > High Avail. Sync

XMLRPC Sync

uncheck "Certificate Authorities, Certificates, and Certificate Revocation Lists"

External/imported certificate (A) from master is still synced to secondary, certificate B is deleted from secondary. On reboot, secondary gains an additional self-signed certificate C.

Workaround: Create certificate D that has subject alternative names for all IPs and DNS names, use certificate D for the web configurator on both systems and re-enable XMLRPC sync for certificates.

Associated revisions

Revision 9f3b87d8
Added by Jim Pingle 5 months ago

Fix desc of OpenVPN sync to show that it also syncs certs. Fixes #9283

Revision 5e0fda8f
Added by Jim Pingle 5 months ago

Fix desc of OpenVPN sync to show that it also syncs certs. Fixes #9283

(cherry picked from commit 9f3b87d898e1fa8a5bfa40758e5747515cc38ad4)

History

#1 Updated by Jim Pingle 5 months ago

  • Subject changed from HA sync does not exclude certificates to Not obvious that HA sync will still sync certs if cert sync disabled but OpenVPN sync enabled
  • Assignee set to Jim Pingle
  • Target version set to 48

It does exclude certificates when all areas that need certificate sync are disabled. OpenVPN requires certs to sync, so if you have OpenVPN sync enabled, then it will also sync certs. To disable cert sync entirely, you must also disable OpenVPN sync.

I am pushing a commit to add a note to OpenVPN stating it implies cert sync to make this relationship more obvious.

The correct procedure for what you describe is to import all certs to the primary, and then select on secondary after they sync. You can also do one cert with SANs for both (which is best for LE).

#2 Updated by Jim Pingle 5 months ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

#3 Updated by Art Manion 5 months ago

Jim Pingle wrote:

It does exclude certificates when all areas that need certificate sync are disabled. OpenVPN requires certs to sync, so if you have OpenVPN sync enabled, then it will also sync certs. To disable cert sync entirely, you must also disable OpenVPN sync.

I am pushing a commit to add a note to OpenVPN stating it implies cert sync to make this relationship more obvious.

The correct procedure for what you describe is to import all certs to the primary, and then select on secondary after they sync. You can also do one cert with SANs for both (which is best for LE).

I'm not using certs in OpenVPN so didn't check that behavior.

#4 Updated by Art Manion 5 months ago

Jim Pingle wrote:

The correct procedure for what you describe is to import all certs to the primary, and then select on secondary after they sync. You can also do one cert with SANs for both (which is best for LE).

Yep, I ended up using one cert with SANs for both hosts/IPs.
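
As an added example (not code from the pfSense project or from anyone in this thread), the single-certificate approach Jim suggests and Art adopted, done with openssl: one self-signed web configurator certificate whose SANs cover both nodes and the shared CARP address, so it stays valid on whichever system answers and cert sync can remain enabled. The hostnames and addresses are the constructed ones from comment #6 below; CERT_DIR is an assumed output directory.

```shell
# Added example (not pfSense project code): one self-signed web configurator
# certificate whose SANs cover both HA nodes and the CARP address.
# Names/IPs are the constructed ones from comment #6; CERT_DIR is assumed.
set -eu
CERT_DIR="${CERT_DIR:-$(mktemp -d)}"

# OpenSSL request config listing every name and address an admin might
# use to reach either node or the shared CARP address.
write_san_config() {
    cat > "$CERT_DIR/san.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_req
prompt = no

[dn]
CN = pfsense-ha.domain.tld

[v3_req]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = pfsense1.domain.tld
DNS.2 = pfsense2.domain.tld
DNS.3 = pfsense-ha.domain.tld
IP.1 = 5.5.5.1
IP.2 = 5.5.5.2
IP.3 = 5.5.5.3
EOF
}

# Generate the private key and self-signed certificate in one step.
make_cert() {
    write_san_config
    openssl req -x509 -newkey rsa:2048 -nodes -days 825 \
        -keyout "$CERT_DIR/webgui.key" -out "$CERT_DIR/webgui.crt" \
        -config "$CERT_DIR/san.cnf" >/dev/null 2>&1
}

# Show the SAN list so coverage can be checked before importing the cert.
cert_sans() {
    openssl x509 -in "$CERT_DIR/webgui.crt" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1
}

make_cert && cert_sans
```

Import the key and certificate on the primary, let HA sync carry them to the secondary, then select the certificate for the web configurator on both systems.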

#5 Updated by Jim Pingle 4 months ago

  • Target version changed from 48 to 2.5.0

#6 Updated by Grischa Zengel 3 months ago

Even though OpenVPN needs synced certs, I would like not to sync them because of ACME certs.

Or skip deleting used ACME certs on backup systems.

My domain:
pfsense1.domain.tld 5.5.5.1 (static)
pfsense2.domain.tld 5.5.5.2 (static)
pfsense-ha.domain.tld 5.5.5.3 (CARP)

Pfsense1 can't create a certificate for pfsense2 because DNS points to pfsense2 and ACME needs a valid DNS entry.
And no I can't change to DNS challenge.

#7 Updated by Jim Pingle 3 months ago

Then you are using ACME incorrectly. Read the previous comments or post on the forum if you have further questions. You can't have it both ways.

#8 Updated by Jim Pingle about 2 months ago

  • Target version changed from 2.5.0 to 2.4.4-p3

#9 Updated by Chris Linstruth about 1 month ago

2.4.4-p3 looks good:

NAT configuration
IPsec configuration
OpenVPN configuration (Implies CA/Cert/CRL Sync)
DHCP Server settings
WoL Server settings

#10 Updated by Jim Pingle about 1 month ago

  • Status changed from Feedback to Resolved
