openvpn-service should re-run os-config if root ca is expired #2569

Closed
klutchell opened this issue Mar 31, 2022 · 1 comment · Fixed by #2587
@klutchell
Collaborator

From brainstorm topic (restricted access)
https://jel.ly.fish/brainstorm-topic-6bb0fc78-cc85-496b-ab8c-65b1d58709e3

We currently run os-config to ensure the VPN certificates are up-to-date on a daily schedule, as per
https://github.com/balena-os/meta-balena/tree/master/meta-balena-common/recipes-core/os-config/os-config

This issue is to validate the root certificate with openssh utils prior to openvpn service restarts to ensure that an expired certificate will trigger a new os-config pull, rather than waiting up to 24 hours.

@mtoman mtoman self-assigned this Apr 1, 2022
@alexgg
Contributor

alexgg commented Apr 18, 2022

This is being addressed in #2587

ab77 added a commit that referenced this issue Apr 18, 2022
* Fixes #2569
* ensure OpenVPN client always starts with the latest CA certificate
  from API config endpoint as this certificate may have changed and
  we don't want VPN to be down for ~24 hours until os-config is triggered
  by systemd timer

Change-type: minor
klutchell pushed a commit that referenced this issue Apr 21, 2022
klutchell pushed a commit that referenced this issue Apr 22, 2022
klutchell pushed a commit that referenced this issue Apr 22, 2022
ghost pushed a commit that referenced this issue Apr 23, 2022
@ghost ghost closed this as completed in #2587 Apr 23, 2022
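
A pre-start check along the lines this issue asks for, as an added example (not code from meta-balena or from #2587): it uses `openssl x509 -checkend` to decide whether the CA certificate must be refreshed before OpenVPN starts, and re-validates after the refresh. The certificate path, the expiry margin and the refresh command are assumptions passed in by the caller, and the helper that builds a throwaway CA is constructed test input.

```shell
#!/bin/sh
# Added example, not balenaOS code. The certificate path, expiry margin and
# refresh command are assumptions supplied by the caller.

# Return 0 (true) when the CA certificate should be refreshed before OpenVPN
# starts: file missing or empty, not a parseable X.509 certificate, or its
# notAfter falls within the next $2 seconds (default 0 = already expired).
ca_needs_refresh() {
    cert=$1
    margin=${2:-0}
    [ -s "$cert" ] || return 0
    # -checkend N exits 0 only if the certificate is still valid N seconds
    # from now; a parse failure also exits non-zero and counts as "refresh".
    if openssl x509 -in "$cert" -noout -checkend "$margin" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Pre-start hook: prestart_check CERT MARGIN REFRESH_CMD [ARGS...]
# Runs REFRESH_CMD only when needed, then re-validates the certificate.
# Exit codes: 0 = usable, 2 = refresh command failed, 3 = still unusable.
prestart_check() {
    cert=$1
    margin=$2
    shift 2
    ca_needs_refresh "$cert" "$margin" || return 0
    "$@" || return 2
    if ca_needs_refresh "$cert" "$margin"; then
        return 3
    fi
    return 0
}

# Constructed sample input: a throwaway self-signed CA valid for $2 days.
make_constructed_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=constructed-test-ca" \
        -keyout "$1.key" -out "$1" >/dev/null 2>&1
}
```

Run as an `ExecStartPre=` step, a non-zero exit from `prestart_check` keeps the unit from starting OpenVPN with a CA that is expired or unreadable.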