Re: How to "func" when bidirectional connections not allowed?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07/29/2009 10:24 AM, Berthe Brühlman wrote:
> Hi,
> 
> Due to our Network policy it is not possible for a minion to open a
> connection to an overlord (bidirectional connections not allowed by the
> firewall); this means that it is not possible for the minion to contact
> the certmaster to sign its certificate. In order to circumvent this
> problem is it possible to pregenerate a signed certificate for the
> minion? What are the other options or possibilities I have to solve this
> problem? I am certainly not the only one having to fight with
> unidirectional firewall rules. It could be a nice feature to tell the
> certmaster to get a CSR from a given hostname (minion) and sign it; as
> the connection would be issued by the certmaster to the minion, the
> connection would be allowed in our Network and we would be able to sign
> the CSR.
> 
> Thanks a lot for your help and tips.
> 
> B

You should be able to do this out-of-band as a workaround:

1. Start up the minion so that it generates a CSR.  Then it will try to
submit to the certmaster and fail in your case.
2. Get a copy of /etc/pki/certmaster/[your-minion-hostname].csr
3. Place the CSR on the certmaster in /var/lib/certmaster/certmaster/csrs/
4. Sign the CSR with certmaster-ca
5. Get the cert from
/var/lib/certmaster/certmaster/certs/[your-minion-hostname].cert
6. Place the cert on the minion as
/etc/pki/certmaster/[your-minion-hostname].cert
7. Restart funcd on the minion and you should be good to go.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkpwYP4ACgkQdxt4pd4ztYtMSgCgojqAKKXt2Cy5nxxr8Egi9YvY
q+kAoLJU1lET9KDmbdBKEfMJclethOHq
=7nqh
-----END PGP SIGNATURE-----

_______________________________________________
Func-list mailing list
Func-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/func-list
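The seven-step procedure in the reply above, as an added shell script that is not part of the original post or of the func/certmaster project. The certmaster and funcd paths are the ones quoted in the reply; the hostnames, the use of scp/ssh as root, the `certmaster-ca --sign` invocation and the `service funcd restart` command are assumptions for the example. It adds one check the reply does not spell out: before the signed cert is installed, its public key is compared with the CSR's, so a cert fetched for the wrong minion (or left over from an earlier signing) is never put into /etc/pki/certmaster.

```shell
#!/bin/sh
# Out-of-band certmaster signing for a minion that cannot reach the
# certmaster through the firewall. Added example; hostnames, remote
# commands and user are assumptions, the paths come from the list reply.
set -eu

MINION="${MINION:-minion.example.com}"              # assumed hostname
CERTMASTER="${CERTMASTER:-certmaster.example.com}"  # assumed hostname
CSR_DIR=/var/lib/certmaster/certmaster/csrs         # path from the reply
CERT_DIR=/var/lib/certmaster/certmaster/certs       # path from the reply
MINION_PKI=/etc/pki/certmaster                      # path from the reply
WORK="${WORK:-/tmp}"                                # local staging directory

# pubkey_matches CSR CERT
# Succeeds only if the certificate carries the same public key as the CSR,
# i.e. it was issued for the key funcd generated on this minion.
pubkey_matches() {
    csr_pub=$(openssl req -in "$1" -noout -pubkey | openssl dgst -sha256)
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey | openssl dgst -sha256)
    [ "$csr_pub" = "$cert_pub" ]
}

# sign_out_of_band: steps 2 to 7 of the reply, driven from an admin host
# that is allowed to open connections to both machines.
sign_out_of_band() {
    # Step 2: fetch the CSR funcd wrote when it failed to reach the certmaster.
    scp "root@$MINION:$MINION_PKI/$MINION.csr" "$WORK/$MINION.csr"
    # Step 3: drop it into the certmaster's pending-CSR directory.
    scp "$WORK/$MINION.csr" "root@$CERTMASTER:$CSR_DIR/$MINION.csr"
    # Step 4: sign it with certmaster-ca (--sign selects the CSR by hostname).
    ssh "root@$CERTMASTER" "certmaster-ca --sign $MINION"
    # Step 5: fetch the signed certificate.
    scp "root@$CERTMASTER:$CERT_DIR/$MINION.cert" "$WORK/$MINION.cert"
    # Added check: refuse to install a cert that does not belong to this CSR.
    if ! pubkey_matches "$WORK/$MINION.csr" "$WORK/$MINION.cert"; then
        echo "cert for $MINION does not match its CSR, not installing" >&2
        return 1
    fi
    # Step 6: install the cert next to the minion's key.
    scp "$WORK/$MINION.cert" "root@$MINION:$MINION_PKI/$MINION.cert"
    # Step 7: restart funcd so it picks up the cert (init-script name assumed).
    ssh "root@$MINION" "service funcd restart"
}

# Usage (step 1, starting the minion once so it generates the CSR, is manual):
#   MINION=minion.example.com CERTMASTER=certmaster.example.com sign_out_of_band
```

The script runs from a third host, but the same steps work from the certmaster itself if it may open connections to the minion, which is the direction the original question says the firewall allows; in that case drop the two scp hops through the certmaster and copy straight into `$CSR_DIR`.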
