Messages - JanZorz

#1
Ahhh... true! Thank you for that. So technically I don't need to sync all the certificates until I have to renew the CA...

Cheers, Jan
#2
That's a neat idea, thnx!!!

How do you redirect the ACME challenge HTTP request for a secondary node to the primary node that is doing the certificate renewal? haproxy?

Cheers, Jan
#3
High availability / Certificates synchronization
May 08, 2023, 03:12:00 PM
Hi,

I'm running two firewalls in HA mode and sync from fw1 to fw2 works great. I also have an OpenVPN server on both of them, and when the first fw goes down I use the second one as the OpenVPN server, as the VRRP address becomes primary there. That means that I need to have all the user certificates on the secondary server.

For the web interface I'm using an ACME certificate, and fw1.domain.com is different from fw2.domain.com.

If I enable synchronization of certificates, the sync process transfers all certificates, including fw1.domain.com, and deletes the certificate for fw2.domain.com that I'm using on the secondary firewall for the web interface.

Is there an option to add a "don't delete certificates on secondary server" setting on the synchronization configuration page?

Cheers, Jan Zorz
#4
General Discussion / PREF64 in RA packet implementation
October 27, 2022, 04:37:17 PM
Hi,

RFC8781 defines the option to signal to clients where your NAT64 server is so you can skip using DNS64. I see this as very useful information to send out if you are running an IPv6-only network with NAT64. Any idea when/if this might get implemented in OPNsense?

https://www.rfc-editor.org/rfc/rfc8781.html

I understand that radvd already implemented this feature...

Cheers, Jan Žorž