Ticket #1104 (new defect)
bcfg2 client fails if run on bcfg2 server which uses a certificate with a CN for a DNS cname
| Reported by: | https://www.google.com/accounts/o8/id?id=AItOawndHbt6oQD5o4llC_tsXLYSWsFqERWT0_Q | Owned by: | desai |
|---|---|---|---|
| Priority: | minor | Milestone: | |
| Component: | bcfg2-client | Version: | 1.0 |
| Keywords: | | Cc: | [email protected]… |
Description
Hi,
Our bcfg2 server has a DNS cname 'bcfg2.uni-paderborn.de'. We have a proper SSL certificate for this name issued by a real CA. The server itself has another name, just to make the migration to another server easier.
/etc/bcfg2.conf contains the lines

```
[communication]
certificate = /etc/ssl/certs/bcfg2.uni-paderborn.de.pem
key = /etc/ssl/private/bcfg2.uni-paderborn.de.key
```
All clients use passwords for authentication.
Now if I run the bcfg2 client on the server, the client tries to use the server certificate for client authentication. But this fails, as the CN in the certificate is not the FQDN of the client, just a cname. It would also fail if we used an additional interface with an A-record in DNS.
As a workaround I have to install two config files: one for the server containing the certificate lines, and one for the client, without certificate lines. That is ugly.
A solution would be to either fall back to password authentication or better to split up the communication config into the server part and the client part.
By the way, the client does not report any clear error message when failing:

```
[email protected][etc]# bcfg2 -vqn
Failed to download probes from bcfg2:
[email protected][etc]#
```
That should be fixed.
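To make the failure described above concrete, here is an added example (not bcfg2 code, not from the reporter): a hostname check that shows why a certificate issued for the CNAME bcfg2.uni-paderborn.de cannot serve as a client certificate for a host whose own FQDN is different, together with the kind of diagnostic a client could print instead of the empty error above. The certificate dicts follow the shape of Python's `ssl.getpeercert()`; the certificate contents and the client hostname `realname.uni-paderborn.de` are constructed for illustration.

```python
"""Added example (not bcfg2 code): check whether a certificate's names cover a
given hostname, and produce a clear diagnostic when they do not. Certificate
dicts follow the shape of Python's ssl.getpeercert(); all values below are
constructed for illustration."""
from typing import List, Optional


def cert_names(cert: dict) -> List[str]:
    """Names a certificate asserts: subjectAltName DNS entries take precedence;
    the subject CN is consulted only when no DNS SAN is present (RFC 6125)."""
    san = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san
    return [value for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]


def name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive exact match, or a wildcard covering exactly one
    leftmost label (*.example.org matches a.example.org, not a.b.example.org)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]            # ".example.org"
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def matches_hostname(cert: dict, hostname: str) -> bool:
    """True if any name the certificate asserts covers this hostname."""
    return any(name_matches(n, hostname) for n in cert_names(cert))


def check_client_cert(cert: dict, client_fqdn: str) -> Optional[str]:
    """Return None when the certificate is usable for this client, otherwise a
    message that names both sides of the mismatch (instead of an empty error)."""
    if matches_hostname(cert, client_fqdn):
        return None
    return ("client certificate does not match this host: certificate is for "
            f"{', '.join(cert_names(cert)) or '<no DNS name>'}, "
            f"but this client's FQDN is {client_fqdn}")


# Constructed: the server's certificate from the ticket (CN is the DNS CNAME).
SERVER_CERT = {
    "subject": ((("commonName", "bcfg2.uni-paderborn.de"),),),
    "subjectAltName": (("DNS", "bcfg2.uni-paderborn.de"),),
}

if __name__ == "__main__":
    # Constructed client FQDN: the server's real hostname, not the CNAME.
    print(check_client_cert(SERVER_CERT, "realname.uni-paderborn.de"))
```

Run as a script it prints the mismatch message for the constructed real hostname; the same check passes when the client's FQDN equals the certificate's name, which is exactly the situation the ticket describes as the only one that works.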
Thanks,
Christopher