I installed a second server at another site and set it up in slave mode. I then installed the Certificate Manager on it and it forever sits at "The system is waiting for a connection to the master node.". The users and groups sync'd immediately.
My goal was to connect the two sites via OpenVPN. But OpenVPN will not start on the slave if I can't get the certificates configured on the slave.
Has anyone been successful with OpenVPN site-to-site connection and slave mode?
Kevin
Responses (13)
Accepted Answer
I managed to solve this with the help of support staff.
I have run on the 'Master' instance:
/usr/clearos/apps/certificate_manager/deploy/master-slave
/usr/clearos/apps/central_management/deploy/reset-clearsync
and also I had to restart both servers. Been working nicely so far. Hope this helps anyone facing the same problem. -
Accepted Answer
Yes, the certificate manager was initialised on the master when it was in standalone mode and certificates created. Then I changed from standalone to master with the help of support.
It probably relates to the bug where due to a change in the installer, other certificates such as postfix and proftp were not created on installation either.
Not sure about this..
Support have escalated the ticket so hopefully it will get sorted soon. -
Accepted Answer
This is a bit beyond my knowledge and Courtney responded to you last night on your ticket. He is waiting for a response from the dev who gave the instructions on how to change from Standalone to Master/Slave mode. Hopefully you should get a response when the USA and Canada wake up.
I think the bug is different as I vaguely remember it being discussed. I think the bug is that you were able to set Master mode without the system certificates having been created. It probably relates to the bug where due to a change in the installer, other certificates such as postfix and proftp were not created on installation either. I think you have initialised the certificate manager on the master. -
Accepted Answer
Basically PDC and BDC on the same network. Master as gateway with firewall, slave as standalone - no firewall. The plan is to set up proper backup for master server in case it goes down. No VPNs between servers here. LDAP is syncing - I have tested it already. The certificate manager can't be initialised and throws:
The system is waiting for a connection to the master node.
plus plenty of the following entries in messages.log
AccountsFileSync: Error establishing connection: Connection refused
CertificateManagerFileSync: Error establishing connection: Connection refused
Without the Certificate Manager app some apps don't work at all, like flexshares, which I need for backup purposes. The plan is to back up the master flexshare to the slave server, probably using rsync and cron.
Like I said this looks like a bug after reading 0019281 -
Accepted Answer
Hi there,
I also have this problem.
Master - Slave configuration on 7.4, LDAP syncing but Certificate Manager throws "waiting on master" notice and plenty of the following entries in messages log:
AccountsFileSync: Error establishing connection: Connection refused
CertificateManagerFileSync: Error establishing connection: Connection refused
This means some features that need a certificate don't work on the Slave, like flexshares etc.
I have found this bug 0019281 but no solution. I have contacted support and been waiting a few days already but would like this solved ASAP.
Did you sort out your problem with Slave and Certificate Manager? If so, may I ask what did you do?
Thanks. -
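An added example, not part of any post in this thread: a shell function that summarises the FileSync connection failures quoted in the posts above, grouped by sync component and failure reason. Only the `...FileSync: Error establishing connection: ...` message text comes from the thread; the syslog prefix, host name and sample lines are constructed.

```shell
#!/bin/sh
# Summarise FileSync connection failures from a syslog-style stream on stdin.
# Prints "<count> <component> <reason>" per distinct pair, sorted by component.
filesync_errors() {
    awk '
    {
        # Find "<Name>FileSync: Error establishing connection: <reason>"
        if (match($0, /[A-Za-z]+FileSync: Error establishing connection: /)) {
            component = substr($0, RSTART, RLENGTH)
            reason = substr($0, RSTART + RLENGTH)
            sub(/: Error establishing connection: $/, "", component)
            count[component "\t" reason]++
        }
    }
    END {
        for (k in count) {
            split(k, p, "\t")
            printf "%d %s %s\n", count[k], p[1], p[2]
        }
    }' | LC_ALL=C sort -k2
}

# Constructed sample input (prefix and host are assumptions, not real logs).
sample_log() {
    cat <<'EOF'
Jan 10 09:00:01 slave1 clearsync[2101]: AccountsFileSync: Error establishing connection: Connection refused
Jan 10 09:00:01 slave1 clearsync[2101]: CertificateManagerFileSync: Error establishing connection: Connection refused
Jan 10 09:00:31 slave1 clearsync[2101]: AccountsFileSync: Error establishing connection: Connection refused
Jan 10 09:00:40 slave1 sshd[2200]: Accepted publickey for admin from 192.0.2.10
EOF
}

sample_log | filesync_errors
```

A reason of "Connection refused" means the TCP connection to the master was actively rejected rather than timing out, so the summary shows at a glance which sync components are affected and whether they all fail the same way.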
Accepted Answer
Looks like my reply yesterday got eaten.
I don't like certificate stuff so I cheated. I set up another user with OpenVPN and Certificate management access. I then logged on to the webconfig as that user and downloaded the certificates as you would with a road warrior. Having said that, the certificates are also in /etc/pki/CA. You put those certificates wherever you have set up your client configuration file to look for them. -
Accepted Answer
Nick, when you say copy the certificates are you referring to the VPN certificate from the command "openvpn --genkey --secret /etc/openvpn/static.key" or the system certificates the Certificate Manager creates? Where do I copy these from and to where?
Peter, I tried this two different ways:
1.) I created a temporary VPN tunnel with another system and connected the slave to the master via the internal master host name. Then configured the COS OpenVPN.
2.) I opened the required sync ports to the internet and connected the slave to the master via the external master host name. Then closed the ports and added a DNS record on the slave to point the external master host name to the internal address.
In both cases I got OpenVPN working but had to install and configure it manually. The COS OpenVPN install required the Certificate Manager to get set up and this is what prompted this thread.
System 1.) has a good VPN connection but I am having connectivity problems with the master server. This may be an issue with how I have Windows Network setup.
System 2.) seems to be working OK.
The Master is directly on the internet but both the slaves are behind NAT's and are in the DMZ.
Kevin -
Accepted Answer
Nick Howitt wrote:
This sounds like a catch 22. Because he does not have the OpenVPN connection running he cannot sync so cannot generate the certificate on the slave. Hence my suggestion to generate it on the master and copy them across.
Yes, it's a crappy usability problem. ClearOS does not support OpenVPN site-to-site connections yet, so dropping to the command line is the only way to do it - howto here. That step does not require certificates unless desired.
We started building out built-in OpenVPN connections with the master/slave infrastructure, but that's not yet complete. Right now, master/slave usability is fine in a LAN environment (typically 1 master server, 1 slave firewall). However, there are too many hoops to connect a slave to a master across the Internet. We always have to design with a "nobody reads documentation" state of mind and we fall flat in this scenario. -
Accepted Answer
Kevin B wrote: Has anyone been successful with OpenVPN site-to-site connection and slave mode?
Yup! ClearOS slaves were designed to handle it. The public half of the relevant certificates are synchronized from the master to slaves automatically. The error message that you see is a reference to the synchronization process not working:
The system is waiting for a connection to the master node.
The synchronization issue is usually a firewall / connection problem. Feel free to generate a support ticket on the topic, even if you have a subscription without support. It's very likely a quick resolution and we'll point you in the right direction. -