Bug #9283
closed
Not obvious that HA sync will still sync certs if cert sync disabled but OpenVPN sync enabled
Added by Art Manion almost 6 years ago.
Updated over 5 years ago.
Affected Architecture:
amd64
Description
system A has external/imported certificate A
system B has external/imported certificate B
Both just upgraded to 2.4.4_2. A is Netgate/ADI image, B is community.
System > High Avail. Sync
XMLRPC Sync
uncheck "Certificate Authorities, Certificates, and Certificate Revocation Lists"
External/imported certificate (A) from master is still synced to secondary, certificate B is deleted from secondary. On reboot, secondary gains an additional self-signed certificate C.
Workaround: Create certificate D that has subject alternative names for all IPs and DNS names, use certificate D for web configurator on both systems and re-enable XMLRPC sync for certificates.
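As an added example (not part of this bug report or of pfSense itself), the script below produces the kind of single certificate the workaround describes: one key pair whose Subject Alternative Names cover both HA nodes and the CARP VIP, so the same certificate can serve the webConfigurator on both nodes and be synced without one node losing its own cert. The hostnames and addresses are the placeholder values from a later comment on this ticket (pfsense1/pfsense2/pfsense-ha.domain.tld, 5.5.5.1-3), not real hosts. It generates a self-signed certificate for demonstration; for a CA- or ACME-issued certificate you would keep the same SAN section and submit a CSR instead.

```shell
#!/bin/sh
# Added example: build one self-signed certificate whose SANs cover both HA
# nodes and the CARP VIP. Hostnames/IPs are placeholders taken from a later
# comment on the ticket, not real hosts.
set -e

# Scratch directory for key, cert and OpenSSL config (override via WORKDIR).
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Write an OpenSSL config carrying the SAN list. Using a config file rather
# than -addext keeps this working on OpenSSL releases older than 1.1.1.
write_san_config() {
    cat > "$WORKDIR/san.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_req
prompt = no

[dn]
CN = pfsense-ha.domain.tld

[v3_req]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = pfsense1.domain.tld
DNS.2 = pfsense2.domain.tld
DNS.3 = pfsense-ha.domain.tld
IP.1 = 5.5.5.1
IP.2 = 5.5.5.2
IP.3 = 5.5.5.3
EOF
}

# Generate a private key and a self-signed certificate with the SANs above.
# Prints the path of the certificate.
make_san_cert() {
    write_san_config
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$WORKDIR/ha.key" -out "$WORKDIR/ha.crt" \
        -config "$WORKDIR/san.cnf" >/dev/null 2>&1
    echo "$WORKDIR/ha.crt"
}

# Print the decoded SAN line of a certificate.
cert_sans() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n1
}

# Return 0 if the certificate's SAN list contains the given DNS name or IP,
# which is the check to run before using one cert on both nodes.
cert_covers() {
    cert_sans "$1" | grep -q -- "$2"
}

# Usage: sh san_cert.sh run
if [ "${1:-}" = "run" ]; then
    CERT=$(make_san_cert)
    echo "SANs: $(cert_sans "$CERT")"
    for name in pfsense1.domain.tld pfsense2.domain.tld 5.5.5.3; do
        cert_covers "$CERT" "$name" && echo "covers $name"
    done
fi
```

After importing the resulting certificate on the primary under System > Cert. Manager and selecting it for the webConfigurator on both nodes, cert sync can stay enabled because the synced certificate is valid for every name and address either node answers on.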
- Subject changed from HA sync does not exclude certificates to Not obvious that HA sync will still sync certs if cert sync disabled but OpenVPN sync enabled
- Assignee set to Jim Pingle
- Target version set to 48
It does exclude certificates when all areas that need certificate sync are disabled. OpenVPN requires certs to sync, so if you have OpenVPN sync enabled, then it will also sync certs. To disable cert sync entirely, you must also disable OpenVPN sync.
I am pushing a commit to add a note to OpenVPN stating it implies cert sync to make this relationship more obvious.
The correct procedure for what you describe is to import all certs to the primary, and then select on secondary after they sync. You can also do one cert with SANs for both (which is best for LE).
- Status changed from New to Feedback
- % Done changed from 0 to 100
Jim Pingle wrote:
It does exclude certificates when all areas that need certificate sync are disabled. OpenVPN requires certs to sync, so if you have OpenVPN sync enabled, then it will also sync certs. To disable cert sync entirely, you must also disable OpenVPN sync.
I am pushing a commit to add a note to OpenVPN stating it implies cert sync to make this relationship more obvious.
The correct procedure for what you describe is to import all certs to the primary, and then select on secondary after they sync. You can also do one cert with SANs for both (which is best for LE).
I'm not using certs in OpenVPN so didn't check that behavior.
Jim Pingle wrote:
The correct procedure for what you describe is to import all certs to the primary, and then select on secondary after they sync. You can also do one cert with SANs for both (which is best for LE).
Yep, I ended up using one cert with SANs for both hosts/IPs.
- Target version changed from 48 to 2.5.0
Even if OpenVPN needs synced certs, I would like not to sync them because of ACME certs.
Or skip deleting used ACME certs on backup systems.
My domain:
pfsense1.domain.tld 5.5.5.1 (static)
pfsense2.domain.tld 5.5.5.2 (static)
pfsense-ha.domain.tld 5.5.5.3 (CARP)
Pfsense1 can't create a certificate for pfsense2 because DNS points to pfsense2 and ACME needs a valid DNS entry.
And no I can't change to DNS challenge.
Then you are using ACME incorrectly. Read the previous comments or post on the forum if you have further questions. You can't have it both ways.
- Target version changed from 2.5.0 to 2.4.4-p3
2.4.4-p3 looks good:
NAT configuration
IPsec configuration
OpenVPN configuration (Implies CA/Cert/CRL Sync)
DHCP Server settings
WoL Server settings
- Status changed from Feedback to Resolved
- Category changed from 62 to XMLRPC