Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
High availability
»
Certificates synchronization
« previous
next »
Print
Pages: [
1
]
Author
Topic: Certificates synchronization (Read 2351 times)
JanZorz
Newbie
Posts: 4
Karma: 0
Certificates synchronization
«
on:
May 08, 2023, 03:12:00 pm »
Hi,
I'm running two firewalls in HA mode and sync from fw1 to fw2 works great. I also have OpenVPN server on both of them and when first fw goes down I use second one as OpenVPN server as VRRP address becomes primary there. That means that I need to have all the user certificates on a secondary server.
For Web interface I'm using ACME certificate and fw1.domain.com is different from fw2.domain.com.
If I enable synchronization of certificates - the sync process transfers all certificates, including fw1.domain.com and deletes the certificate for fw2.domain.com that I'm using on secondary firewall for web interface.
Is there an option to add "don't delete certificates on secondary server" setting on the synchronization configuration page?
Cheers, Jan Zorz
Logged
Patrick M. Hausen
Hero Member
Posts: 6817
Karma: 572
Re: Certificates synchronization
«
Reply #1 on:
May 08, 2023, 04:05:58 pm »
I use SANs (subject alternate names) in the certificate to cover all relevant hostnames in an HA configuration. E.g. "gate.mydomain.com" (VIP), "gate1.mydomain.com" (node 1), "gate2.mydomain.com" (node2).
So one and the same cert for both nodes.
Logged
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
JanZorz
Newbie
Posts: 4
Karma: 0
Re: Certificates synchronization
«
Reply #2 on:
May 08, 2023, 05:19:11 pm »
That's a neat idea, thnx!!!
How do you redirect the acme challenge http request for a secondary node to the primary node that is doing the certificate renew? haproxy?
Chers, Jan
Logged
Patrick M. Hausen
Hero Member
Posts: 6817
Karma: 572
Re: Certificates synchronization
«
Reply #3 on:
May 08, 2023, 06:58:54 pm »
I use acme-dns, not HTTP.
Logged
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
marcquark
Full Member
Posts: 103
Karma: 5
Re: Certificates synchronization
«
Reply #4 on:
May 08, 2023, 08:39:54 pm »
I don't know if anything has recently changed in OpenVPN, but normally you don't need to have all user certificates on both nodes. In fact you don't need to have any of them on your firewall(s) at all.
Technically all that should be necessary is the CA so that the OpenVPN server can validate the user's certificate chain. You could be issuing user certificates in another system and deploy them through whatever mechanism to your clients, it should still work
Logged
JanZorz
Newbie
Posts: 4
Karma: 0
Re: Certificates synchronization
«
Reply #5 on:
May 09, 2023, 08:08:25 am »
Ahhh... true! Thank you for that. So technically I don't need to sync all the certificates until I have to renew the CA...
Cheers, Jan
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
High availability
»
Certificates synchronization