OpenNode > Installation and Configuration

Host certification

jpoole:
I seem to have trouble replicating the process of OMS registration and importing hosts into certmaster correctly

Here is some code to show you what I have:

/etc/hosts - inside OMS

--- Code: ---
::1 localhost localhost.domain localhost6 localhost6.localdomain6
127.0.0.1 localhost.localdomain localhost localhost4.localdomain4 localhost4
# Auto-generated hostname. Please do not remove this comment.
192.168.17.2** oms.domain.com oms
192.168.19.2** host.domain.com host

--- End code ---

/etc/hosts - inside host

--- Code: ---
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.17.2** oms.domain.com oms
192.168.19.2** host.domain.com host

--- End code ---

/etc/certmaster/minion.conf - OMS

--- Code: ---
# configuration for minions

[main]
certmaster = oms.domain.com
certmaster_port = 51235
log_level = DEBUG
cert_dir = /etc/pki/certmaster

--- End code ---

/etc/certmaster/certmaster.conf - OMS

--- Code: ---
# configuration for certmasterd and certmaster-ca

[main]
autosign = no
listen_addr = oms.domain.com
listen_port = 51235
cadir = /etc/pki/certmaster/ca
cert_dir = /etc/pki/certmaster
certroot = /var/lib/certmaster/certmaster/certs
csrroot = /var/lib/certmaster/certmaster/csrs
cert_extension = cert
sync_certs = False

--- End code ---

/etc/certmaster/minion.conf - inside Host

--- Code: ---
[main]
certmaster = oms.domain.com
log_level = DEBUG
cert_dir = /etc/pki/certmaster
certmaster_port = 51235


--- End code ---

/etc/certmaster/certmaster.conf - inside Host

--- Code: ---
# configuration for certmasterd and certmaster-ca

[main]
autosign = no
listen_addr =
listen_port = 51235
cadir = /etc/pki/certmaster/ca
cert_dir = /etc/pki/certmaster
certroot = /var/lib/certmaster/certmaster/certs
csrroot = /var/lib/certmaster/certmaster/csrs
cert_extension = cert
sync_certs = False

--- End code ---

I'm not sure what else you would need from me. The host is running OpenNode 6.0 Bare Metal installer.

On occasion, I am able to get the OMS instance to receive the cert request and then I will sign it and subsequently see this host within the ONC console. However, replicating this task is incredibly annoying and I guess I don't fully understand the internals of funcd and certmaster. Oh yes.. I have certmaster running on both host and OMS, funcd on just the OMS, and I restart /etc/init.d/omsdrc every time.

I have tried to find wiki documentation somewhere, about certmaster/funcd/etc but it doesn't seem to exist anywhere commonplace.

I appreciate all of your replies thus far, regardless of all the bugs, it has been a beneficial learning process on my end. So thank you.

justin

ilja_l:
Hi, Justin

So, the first thing is that the certmaster daemon should run only on OMS, whereas funcd should be running on the ON host. Funcd serves to accept RPC calls; the certmaster daemon is needed only when a new host asks for registration (we'll modify this schema in the future, making it simpler and more robust, but for now that's how it is).

By the way, there's a basic script for checking the environment - https://github.com/opennode/opennode-tui/blob/master/sanity_check.sh . It's mostly targeted at a situation when ON and OMS run on the same host (dev. env), but will also be helpful in a typical scenario. Perhaps you could run it and post the output?

thanks,
I.
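An added pre-registration check for the certmaster/func split described above (not code from the thread or the OpenNode project): it reads the host's minion.conf and the OMS certmaster.conf in the "key = value" layout Justin posted, confirms both sides name the same certmaster and port, and confirms autosign is still off. File paths and hostnames below are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenNode project: checks that a
# host's minion.conf and the OMS certmaster.conf agree on the certmaster
# name and port, and that autosign stays off. Assumes the "key = value"
# layout shown in the thread; the sample files below are constructed.

# cm_get FILE KEY: print KEY's value, skipping comments and trimming spaces
cm_get() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || !/=/ { next }
        { k = $0; sub(/=.*/, "", k); gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
          if (k == key) { v = substr($0, index($0, "=") + 1)
              gsub(/^[[:space:]]+|[[:space:]]+$/, "", v); print v; exit } }' "$1"
}

# check_pair MINION_CONF CERTMASTER_CONF: findings on stderr, count on stdout
check_pair() {
    n=0
    cm=$(cm_get "$1" certmaster); cmp=$(cm_get "$1" certmaster_port)
    la=$(cm_get "$2" listen_addr); lp=$(cm_get "$2" listen_port)
    as=$(cm_get "$2" autosign)
    [ -n "$cm" ] || { echo "minion.conf: certmaster is unset" >&2; n=$((n+1)); }
    [ -n "$la" ] || { echo "certmaster.conf: listen_addr is empty" >&2; n=$((n+1)); }
    [ -z "$cm" ] || [ -z "$la" ] || [ "$cm" = "$la" ] ||
        { echo "minion points at $cm but certmasterd listens on $la" >&2; n=$((n+1)); }
    [ "$cmp" = "$lp" ] || { echo "port mismatch: $cmp vs $lp" >&2; n=$((n+1)); }
    # autosign=yes signs every CSR that reaches the port with no operator review
    [ "$as" = "no" ] || { echo "autosign=$as: CSRs would be signed unreviewed" >&2; n=$((n+1)); }
    echo "$n"
}

# Constructed sample configs in the thread's layout (hostnames are made up)
tmp=$(mktemp -d)
printf '# minion\n[main]\ncertmaster = oms.example.test\ncertmaster_port = 51235\n' >"$tmp/minion.conf"
printf '[main]\nautosign = no\nlisten_addr = oms.example.test\nlisten_port = 51235\n' >"$tmp/ok.conf"
printf '[main]\nautosign = yes\nlisten_addr =\nlisten_port = 51235\n' >"$tmp/bad.conf"
check_pair "$tmp/minion.conf" "$tmp/ok.conf"    # prints 0
check_pair "$tmp/minion.conf" "$tmp/bad.conf"   # prints 2
```

Run it on the real /etc/certmaster files of the host and the OMS; a non-zero count names the mismatch before the CSR is ever sent.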

jpoole:
./sanity_check.sh - inside Host

--- Code: ---
funcd (pid  26665) is running...
certmaster is stopped
==> Warning: Certmaster daemon is not running. New requests will not be accepted.

[FUNC] CERTMASTER certificates and cert.requests
ca.cert
devkvm5.dforce.com.cert
devkvm5.dforce.com.csr

[FUNC] Configured certmaster server:
certmaster = devkvm5-oms.dforce.com
certmaster_port = 51235

[FUNC] Checking for possible registration conflict

[CERTMASTER] List of existing certificate requests:

[CERTMASTER] List of signed certificates:

--- End code ---

ilja_l:
Seems ok, could you run the same in OMS VM?

jpoole:
./sanity_check.sh - inside OMS

--- Code: ---
funcd is stopped
==> Warning: FUNC daemon is not running, execution of remote calls is not possible.
certmaster (pid  2530) is running...

[FUNC] CERTMASTER certificates and cert.requests

[FUNC] Configured certmaster server:
certmaster = devkvm5-oms.dforce.com
certmaster_port = 51235

[FUNC] Checking for possible registration conflict

[CERTMASTER] List of existing certificate requests:

[CERTMASTER] List of signed certificates:

--- End code ---
