-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 07/29/2009 10:24 AM, Berthe Brühlman wrote:
> Hi,
>
> Due to our Network policy it is not possible for a minion to open a
> connection to an overlord
(bidirectional connections not allowed by the
> firewall); this means that it is not possible for the minion to contact
> the certmaster to sign its certificate. In order to circumvent this
> problem is it possible to pregenerate a signed certificate for the
> minion? What are the other options or possibilities I have to solve this
> problem? I am certainly not the only one having to fight with
> unidirectional firewall rules. It could be nice feature to tell the
> certmaster to get a CSR from a given hostname (minion) and sign it; as
> the connection would be issued by the certmaster to the minion, the
> connection would be allowed in our Network and we would be able to sign
> the CSR.
>
> Thanks a lot for your help and tips.
>
> B
>
>
>
> ------------------------------------------------------------------------
>
>
_______________________________________________
> Func-list mailing list
>
Func-list@xxxxxxxxxx>
https://www.redhat.com/mailman/listinfo/func-listYou should be able to do this out-of-band as a workaround:
1. Start up the minion so that it generates a CSR. Then it will try to
submit to the certmaster and fail in your case.
2. Get a copy of /etc/pki/certmaster/[your-minion-hostname].csr
3. Place the CSR on the certmaster in /var/lib/certmaster/certmaster/csrs/
4. Sign the CSR with certmaster-ca
5. Get the cert from
/var/lib/certmaster/certmaster/certs/[your-minion-hostname].cert
6.. Place the cert on the minion as
/etc/pki/certmaster/[your-minion-hostname].cert
7. Restart funcd on the minion and you should be good to
go.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora -
http://enigmail.mozdev.org/iEYEARECAAYFAkpwYP4ACgkQdxt4pd4ztYtMSgCgojqAKKXt2Cy5nxxr8Egi9YvY
q+kAoLJU1lET9KDmbdBKEfMJclethOHq
=7nqh
-----END PGP SIGNATURE-----
