Kevin B
I installed a second server at another site and set it up in slave mode. I then installed the Certificate Manager on it and it forever sits at "The system is waiting for a connection to the master node.". The users and groups sync'd immediately.

My goal was to connect the two sites via OpenVPN. But OpenVPN will not start on the slave if I can't get the certificates configured on the slave.

Has anyone been successful with OpenVPN site-to-site connection and slave mode?

Kevin
Saturday, August 08 2015, 09:17 PM
Responses (13)
  • Accepted Answer

    Tuesday, June 05 2018, 10:35 AM - #Permalink
    Thanks for the feedback.

    I think some of the problems came from switching from a Standalone Directory Server to a Primary/Backup model.
  • Accepted Answer

    tomas
    Tuesday, June 05 2018, 10:07 AM - #Permalink
    I managed to solve this with the help of support staff.

    I have run on the 'Master' instance:

    /usr/clearos/apps/certificate_manager/deploy/master-slave
    /usr/clearos/apps/central_management/deploy/reset-clearsync


    and also I had to restart both servers. Been working nicely so far. Hope this helps anyone facing the same problem.
  • Accepted Answer

    tomas
    Friday, May 18 2018, 08:46 AM - #Permalink
    Yes, the certificate manager was initialised on the master when it was in standalone mode and certificates created. Then I changed from standalone to master with the help of support.

    It probably relates to the bug where due to a change in the installer, other certificates such as postfix and proftp were not created on installation either.


    Not sure about this..

    Support have escalated the ticket so hopefully it will get sorted soon.
  • Accepted Answer

    Friday, May 18 2018, 08:37 AM - #Permalink
    This is a bit beyond my knowledge and Courtney responded to you last night on your ticket. He is waiting for a response from the dev who gave the instructions on how to change from Standalone to Master/Slave mode. Hopefully you should get a response when the USA and Canada wake up.

    I think the bug is different as I vaguely remember it being discussed. I think the bug is that you were able to set Master mode without the system certificates having been created. It probably relates to the bug where due to a change in the installer, other certificates such as postfix and proftp were not created on installation either. I think you have initialised the certificate manager on the master.
  • Accepted Answer

    tomas
    Friday, May 18 2018, 08:13 AM - #Permalink
    Basically PDC and BDC on the same network. Master as gateway with firewall, slave as standalone - no firewall. The plan is to set up proper backup for master server in case it goes down. No VPNs between servers here. LDAP is syncing - I have tested it already. The certificate manager can't be initialised and throws:

    The system is waiting for a connection to the master node.


    plus plenty of the following entries in messages.log

    AccountsFileSync: Error establishing connection: Connection refused
    CertificateManagerFileSync: Error establishing connection: Connection refused


    Without the Certificate Manager app some apps don't work at all, like flexshares, which I need for backup purposes. The plan is to back up the master flexshare to the slave server, probably using rsync and cron.

    Like I said this looks like a bug after reading 0019281
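An added example, not part of the thread or of ClearOS: a shell helper that tallies the `...FileSync: Error establishing connection` entries quoted above per component and reason, with the time each was last seen, so you can tell whether they have stopped after a change. The syslog timestamp prefix, the `clearsyncd` tag in the sample lines and the function names are assumptions, and the sample log is constructed.

```shell
#!/bin/sh
# Summarise file-sync connection failures found in a syslog-style log.
# Output (tab separated, sorted): component, reason, count, last seen.
# Reads the files given as arguments, or stdin when there are none.
sync_error_summary() {
    awk '
    match($0, /[A-Za-z]+FileSync: Error establishing connection: .*/) {
        msg = substr($0, RSTART, RLENGTH)
        comp = msg;   sub(/:.*/, "", comp)               # e.g. AccountsFileSync
        reason = msg; sub(/^.*connection: /, "", reason) # e.g. Connection refused
        key = comp "|" reason
        count[key]++
        last[key] = $1 " " $2 " " $3   # assumes "Mon DD HH:MM:SS" prefix
    }
    END {
        for (k in count) {
            split(k, p, "|")
            printf "%s\t%s\t%d\t%s\n", p[1], p[2], count[k], last[k]
        }
    }' "$@" | sort
}

# Succeeds when any sync component was refused. "Connection refused" means the
# slave reached an address but nothing accepted the TCP connection there, so
# the next things to check are the firewall path to the master and whether the
# sync service is listening on it.
sync_refused() {
    sync_error_summary "$@" | grep -q "Connection refused"
}

# Constructed sample input (not taken from a real server).
sample_log() {
    cat <<'EOF'
May 18 08:05:01 slave1 clearsyncd[2211]: AccountsFileSync: Error establishing connection: Connection refused
May 18 08:05:01 slave1 clearsyncd[2211]: CertificateManagerFileSync: Error establishing connection: Connection refused
May 18 08:06:12 slave1 sshd[3100]: Accepted publickey for admin from 192.0.2.10 port 50222 ssh2
May 18 08:10:31 slave1 clearsyncd[2211]: AccountsFileSync: Error establishing connection: Connection refused
EOF
}

sample_log | sync_error_summary
```

On a real slave, pass the path of the messages log as the argument instead of piping in the sample.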
  • Accepted Answer

    Thursday, May 17 2018, 09:06 PM - #Permalink
    Can you please describe your set up including how the servers are connected? Have any synchronisations worked?

    Is the certificate manager initialised on the Master?
  • Accepted Answer

    tomas
    Thursday, May 17 2018, 06:59 PM - #Permalink
    Hi there,

    I also have this problem.

    Master - Slave configuration on 7.4, LDAP syncing but Certificate Manager throws "waiting on master" notice and plenty of the following entries in messages log:


    AccountsFileSync: Error establishing connection: Connection refused
    CertificateManagerFileSync: Error establishing connection: Connection refused


    This means some features don't work on Slave that need a certificate like flexshares etc :(

    I have found this bug 0019281 but no solution. I have contacted support and have been waiting a few days already but would like this solved ASAP :(

    Did you sort out your problem with Slave and Certificate Manager? If so, may I ask what you did?

    Thanks.
  • Accepted Answer

    Tuesday, August 11 2015, 07:23 AM - #Permalink
    Looks like my reply yesterday got eaten.

    I don't like certificate stuff so I cheated. I set up another user with OpenVPN and Certificate management access. I then logged on to the webconfig as that user and downloaded the certificates as you would with a road warrior. Having said that, the certificates are also in /etc/pki/CA. You put those certificates wherever you have set up your client configuration file to look for them.
  • Accepted Answer

    Kevin B
    Monday, August 10 2015, 08:58 PM - #Permalink
    Nick, when you say copy the certificates are you referring to the VPN certificate from the command "openvpn --genkey --secret /etc/openvpn/static.key" or the system certificates the Certificate Manager creates? Where do I copy these from and to where?

    Peter, I tried this two different ways:
    1.) I created a temporary VPN tunnel with another system and connected the slave to the master via the internal master host name. Then configured the COS OpenVPN.
    2.) I opened the required sync ports to the internet and connected the slave to the master via the external master host name. Then closed the ports and added a DNS record on the slave to point the external master host name to the internal address.

    In both cases I got OpenVPN working but had to install and configure it manually. The COS OpenVPN install required the Certificate Manager to be set up and this is what prompted this thread.

    System 1.) has a good VPN connection but I am having connectivity problems with the master server. This may be an issue with how I have Windows Network set up.
    System 2.) seems to be working OK.

    The Master is directly on the internet but both the slaves are behind NATs and are in the DMZ.

    Kevin
  • Accepted Answer

    Monday, August 10 2015, 02:39 PM - #Permalink
    Nick Howitt wrote:

    This sounds like a catch 22. Because he does not have the OpenVPN connection running he cannot sync so cannot generate the certificate on the slave. Hence my suggestion to generate it on the master and copy them across.

    Yes, it's a crappy usability problem. ClearOS does not support OpenVPN site-to-site connections yet, so dropping to the command line is the only way to do it - howto here. That step does not require certificates unless desired.

    We started building out built-in OpenVPN connections with the master/slave infrastructure, but that's not yet complete. Right now, master/slave usability is fine in a LAN environment (typically 1 master server, 1 slave firewall). However, there are too many hoops to connect a slave to a master across the Internet. We always have to design with a "nobody reads documentation" state of mind and we fall flat in this scenario.
  • Accepted Answer

    Monday, August 10 2015, 11:16 AM - #Permalink
    This sounds like a catch 22. Because he does not have the OpenVPN connection running he cannot sync so cannot generate the certificate on the slave. Hence my suggestion to generate it on the master and copy them across.
  • Accepted Answer

    Sunday, August 09 2015, 11:22 PM - #Permalink
    Kevin B wrote:

    Has anyone been successful with OpenVPN site-to-site connection and slave mode?


    Yup! ClearOS slaves were designed to handle it. The public half of the relevant certificates are synchronized from the master to slaves automatically. The error message that you see is a reference to the synchronization process not working:

    The system is waiting for a connection to the master node.

    The synchronization issue is usually a firewall / connection problem. Feel free to generate a support ticket on the topic, even if you have a subscription without support. It's very likely a quick resolution and we'll point you in the right direction.
  • Accepted Answer

    Sunday, August 09 2015, 06:22 AM - #Permalink
    For OpenVPN site-to-site, generate the slave certificates on the master and copy them to the slave.