Ticket #1104 (new defect)

Opened 11 years ago

Last modified 11 years ago

bcfg2 client fails if run on bcfg2 server which uses a certificate with a CN for a DNS cname

Reported by: Owned by: desai
Priority: minor Milestone:
Component: bcfg2-client Version: 1.0
Keywords: Cc: [email protected]



our bcfg2 server has a DNS cname ''. We have a proper SSL certificate for this name issued by a real CA. The server itself has another name, just to make the migration to another server easier.

/etc/bcfg2.conf contains the lines

[communication] certificate = /etc/ssl/certs/ key = /etc/ssl/private/

All clients use passwords for authentication.

Now if I run the bcfg2 client on the server the client tries to use the server certificate for client authentication. But this fails as the CN in the certificate is not the fqdn of the client, just a cname. It would also fail if we used an additional interface with an A-record in DNS.

As a workaround I have to install two config files: one for the server containing the certificate lines, and one for the client, without certificate lines. That is ugly.

A solution would be to either fall back to password authentication or better to split up the communication config into the server part and the client part.

By the way, the client does not report any clear error message when failing:

[email protected][etc]# bcfg2 -vqn Failed to download probes from bcfg2: [email protected][etc]#

That should be fixed.




Change History

comment:1 Changed 11 years ago by m4z <[email protected]…>

WARNING! You need to establish a session before you can create or edit tickets. Otherwise the ticket will get treated as spam.


Add a comment

Modify Ticket

Change Properties
<Author field>
as new

E-mail address and user name can be saved in the Preferences.

Note: See TracTickets for help on using tickets.