Bug #9283

closed

Not obvious that HA sync will still sync certs if cert sync disabled but OpenVPN sync enabled

Added by Art Manion about 5 years ago. Updated over 4 years ago.

Status: Resolved
Priority: Very Low
Assignee:
Category: XMLRPC
Target version:
Start date: 01/22/2019
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.4.4_2
Affected Architecture: amd64

Description

system A has external/imported certificate A
system B has external/imported certificate B

Both just upgraded to 2.4.4_2. A is Netgate/ADI image, B is community.

System > High Avail. Sync

XMLRPC Sync

uncheck "Certificate Authorities, Certificates, and Certificate Revocation Lists"

External/imported certificate (A) from master is still synced to secondary, certificate B is deleted from secondary. On reboot, secondary gains an additional self-signed certificate C.

Workaround: Create certificate D that has subject alternative names for all IPs and DNS names, use certificate D for web configurator on both systems and re-enable XMLRPC sync for certificates.

Actions #1

Updated by Jim Pingle about 5 years ago

  • Subject changed from HA sync does not exclude certificates to Not obvious that HA sync will still sync certs if cert sync disabled but OpenVPN sync enabled
  • Assignee set to Jim Pingle
  • Target version set to 48

It does exclude certificates when all areas that need certificate sync are disabled. OpenVPN requires certs to sync, so if you have OpenVPN sync enabled, then it will also sync certs. To disable cert sync entirely, you must also disable OpenVPN sync.

I am pushing a commit to add a note to OpenVPN stating it implies cert sync to make this relationship more obvious.

The correct procedure for what you describe is to import all certs to the primary, and then select on secondary after they sync. You can also do one cert with SANs for both (which is best for LE).

Actions #2

Updated by Jim Pingle about 5 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

Actions #3

Updated by Art Manion about 5 years ago

Jim Pingle wrote:

> It does exclude certificates when all areas that need certificate sync are disabled. OpenVPN requires certs to sync, so if you have OpenVPN sync enabled, then it will also sync certs. To disable cert sync entirely, you must also disable OpenVPN sync.
>
> I am pushing a commit to add a note to OpenVPN stating it implies cert sync to make this relationship more obvious.
>
> The correct procedure for what you describe is to import all certs to the primary, and then select on secondary after they sync. You can also do one cert with SANs for both (which is best for LE).

I'm not using certs in OpenVPN so didn't check that behavior.

Actions #4

Updated by Art Manion about 5 years ago

Jim Pingle wrote:

> The correct procedure for what you describe is to import all certs to the primary, and then select on secondary after they sync. You can also do one cert with SANs for both (which is best for LE).

Yep, I ended up using one cert with SANs for both hosts/IPs.
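
An added example, not part of the original comments or of pfSense itself: before selecting one shared certificate for the web configurator on both nodes, as in the workaround discussed above, check that its SANs cover every node name and IP. The host names, addresses and SAN text are constructed, and covering the shared CARP address is an assumption of this example; the input is the text that `openssl x509 -noout -ext subjectAltName` prints.

```python
import ipaddress

# Constructed sample: SAN listing for a hypothetical shared certificate.
SAMPLE_SAN_TEXT = """X509v3 Subject Alternative Name:
    DNS:fw1.example.test, DNS:fw2.example.test, DNS:*.ha.example.test, IP Address:192.0.2.1, IP Address:192.0.2.2
"""

def parse_sans(text):
    """Return (dns_names, ip_addresses) from OpenSSL's text SAN listing."""
    dns, ips = set(), set()
    for line in text.splitlines():
        for item in line.split(","):
            # Split on the first ':' only, so IPv6 values stay intact.
            kind, sep, value = item.strip().partition(":")
            if not sep:
                continue
            if kind == "DNS":
                dns.add(value.lower().rstrip("."))
            elif kind == "IP Address":
                ips.add(ipaddress.ip_address(value))
    return dns, ips

def dns_matches(pattern, host):
    """Exact match, or '*' standing in for exactly one left-most label."""
    if pattern == host:
        return True
    if pattern.startswith("*."):
        head, _, rest = host.partition(".")
        return bool(head) and rest == pattern[2:]
    return False

def missing_identities(san_text, required):
    """List the required names/IPs that the certificate does not cover."""
    dns, ips = parse_sans(san_text)
    missing = []
    for ident in required:
        try:
            covered = ipaddress.ip_address(ident) in ips
        except ValueError:  # not an IP literal, so treat it as a DNS name
            host = ident.lower().rstrip(".")
            covered = any(dns_matches(p, host) for p in dns)
        if not covered:
            missing.append(ident)
    return missing

# Hypothetical HA pair: two node addresses plus the shared CARP address.
REQUIRED = ["fw1.example.test", "fw2.example.test", "vip.ha.example.test",
            "192.0.2.1", "192.0.2.2", "192.0.2.3"]

if __name__ == "__main__":
    print(missing_identities(SAMPLE_SAN_TEXT, REQUIRED))
```

In the constructed sample the certificate omits the shared address, so a browser reaching the web configurator by that IP would get a name mismatch on whichever node holds it.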

Actions #5

Updated by Jim Pingle about 5 years ago

  • Target version changed from 48 to 2.5.0

Actions #6

Updated by Grischa Zengel about 5 years ago

Even if OpenVPN needs synced certs, I would like not to sync them because of ACME certs.

Or skip deleting used ACME certs on backup systems.

My domain:
pfsense1.domain.tld 5.5.5.1 (static)
pfsense2.domain.tld 5.5.5.2 (static)
pfsense-ha.domain.tld 5.5.5.3 (CARP)

Pfsense1 can't create a certificate for pfsense2 because DNS points to pfsense2 and ACME needs a valid DNS entry.
And no, I can't change to DNS challenge.

Actions #7

Updated by Jim Pingle about 5 years ago

Then you are using ACME incorrectly. Read the previous comments or post on the forum if you have further questions. You can't have it both ways.

Actions #8

Updated by Jim Pingle almost 5 years ago

  • Target version changed from 2.5.0 to 2.4.4-p3

Actions #9

Updated by Chris Linstruth almost 5 years ago

2.4.4-p3 looks good:

NAT configuration
IPsec configuration
OpenVPN configuration (Implies CA/Cert/CRL Sync)
DHCP Server settings
WoL Server settings

Actions #10

Updated by Jim Pingle almost 5 years ago

  • Status changed from Feedback to Resolved

Actions #11

Updated by Jim Pingle over 4 years ago

  • Category changed from 62 to XMLRPC