Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Each client can be connected from mulitiple servers where each server ca... #104

Merged
merged 1 commit into from
Oct 28, 2014

Conversation

mginx
Copy link
Contributor

@mginx mginx commented Oct 13, 2014

Each client can be connected from multiple servers where each server can have its own CA

@mginx
Copy link
Contributor Author

mginx commented Oct 13, 2014

In cases where each client can be connected from multiple servers and each server has its own CA keys and CA certs need to be separated

@mginx mginx closed this Oct 13, 2014
@mginx mginx reopened this Oct 13, 2014
@luxflux
Copy link
Contributor

luxflux commented Oct 17, 2014

Thanks for your work! Sorry, but I don't understand the benefit of your changes. What does this change allow you to do?

@mginx
Copy link
Contributor Author

mginx commented Oct 17, 2014

Hi,
This change allows to store each server CA generated for the same client to store in a separate subdirectory. Without this change CA from one server would overwrite CA from another server (assuming each CA is distinct).
The issue here is that download_configs tar file from more than one server installed on the same client will overwrite previously installed ca.crt from another server.
There is no problem if all servers are using the same CA. But if e.g., one cluster of servers is using one CA and another cluster is using another CA then ca.crt will be overwritten.
I.e., if you're to put ca.crt from server1 on client X under X/keys/ca.crt then server2 that needs to connect to the same client X with a different CA would put put ca.crt under the same X/keys/ca.crt and thus overwriting server1 ca.crt.
Alternatively, one could resolve this issue with assigning distinct ca.crt name like e.g., ca_server1.crt ca_server2.crt etc.
Thus this was one of the available alternatives. If you see a better way to resolve this issue, by all means go ahead add your own.

Mark

From: Raffael Schmid [notifications@github.com]
Sent: Friday, October 17, 2014 1:45 AM
To: luxflux/puppet-openvpn
Cc: Ginalski, Mark M
Subject: Re: [puppet-openvpn] Each client can be connected from mulitiple servers where each server ca... (#104)

Thanks for your work! Sorry, but I don't understand the benefit of your changes. What does this change allow you to do?


Reply to this email directly or view it on GitHubhttps://github.com//pull/104#issuecomment-59468957.

@luxflux
Copy link
Contributor

luxflux commented Oct 28, 2014

Okay, got it. You were talking about the client side, I somehow missed this when reading your explanation 😄

luxflux added a commit that referenced this pull request Oct 28, 2014
Each client can be connected from mulitiple servers where each server ca...
@luxflux luxflux merged commit 4d395dd into voxpupuli:master Oct 28, 2014
luxflux added a commit that referenced this pull request Oct 28, 2014
@peterbeck
Copy link
Contributor

will this result in recreating all existing certificates on running servers ? that means we have to manually create the folder structure on running servers to prevent getting new certificates for all users ?

@mginx
Copy link
Contributor Author

mginx commented Oct 28, 2014

Thanks for the merge.
-Mark


From: Raffael Schmid [notifications@github.com]
Sent: Tuesday, October 28, 2014 3:08 PM
To: luxflux/puppet-openvpn
Cc: Ginalski, Mark M
Subject: Re: [puppet-openvpn] Each client can be connected from mulitiple servers where each server ca... (#104)

Okay, got it. You were talking about the client side, I somehow missed this when reading your explanation [:smile:]


Reply to this email directly or view it on GitHubhttps://github.com//pull/104#issuecomment-60813454.

@luxflux
Copy link
Contributor

luxflux commented Oct 28, 2014

@peterbeck I don't think this will be a problem. The keys and certificates are just linked out of the easy-rsa directory: https://github.com/luxflux/puppet-openvpn/blob/master/manifests/client.pp#L183-L193

Even though, the tarball will be recreated.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants