[Csync2] Re: csync2 & ssl problems
Clifford Wolf
clifford at clifford.at
Fri Nov 25 13:40:37 CET 2005
Hi,
On Fri, Nov 25, 2005 at 01:19:56PM +0100, Lenaerts Jan wrote:
> node2:~/csync2-1.24# csync2 -xv
> Connecting to host node0 (SSL) ...
> Peer did provide a wrong SSL X509 cetrificate.
csync2 stores the public keys (in fact the SHA-1 hash of the public key) in
its database. When the key of a server changes, csync2 thinks that
someone is trying to fake the server's IP address and stops talking to the
peer. (You might know this behavior already from ssh.)
As said, the keys of the peers are stored in the csync2 database. The only
way to remove them is to either remove the database file (which isn't such
a great idea) or to use SQL statements. E.g. for flushing all keys from the
database:
sqlite /var/lib/csync2/$(hostname).db 'delete from x509_sha1'
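The pinning behaviour described above, as an added illustration that is not csync2's own code: a trust-on-first-use store that records the SHA-1 of each peer's certificate, refuses a changed key (the situation behind the "wrong SSL X509" message), and lets an admin drop one stale pin instead of flushing every key. The table and column names are assumptions for the example, not csync2's real schema.

```python
import hashlib
import sqlite3

# Assumed schema for the illustration (not csync2's real x509_sha1 table).
SCHEMA = ("CREATE TABLE IF NOT EXISTS peer_pins "
          "(peername TEXT PRIMARY KEY, sha1 TEXT NOT NULL)")


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-1 hex digest of the certificate bytes: the value that gets pinned."""
    return hashlib.sha1(cert_der).hexdigest()


def open_store() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")  # stands in for the on-disk csync2 db
    db.execute(SCHEMA)
    return db


def check_peer(db: sqlite3.Connection, peername: str, cert_der: bytes) -> str:
    """Trust-on-first-use check, like ssh's known_hosts.
    'pinned'   -> first contact, fingerprint stored
    'ok'       -> presented key matches the stored one
    'mismatch' -> key changed; the sync must be refused"""
    fp = cert_fingerprint(cert_der)
    row = db.execute("SELECT sha1 FROM peer_pins WHERE peername = ?",
                     (peername,)).fetchone()
    if row is None:
        db.execute("INSERT INTO peer_pins VALUES (?, ?)", (peername, fp))
        db.commit()
        return "pinned"
    return "ok" if row[0] == fp else "mismatch"


def forget_peer(db: sqlite3.Connection, peername: str) -> int:
    """Drop a single stale pin (e.g. after a host legitimately regenerated
    its certificate) rather than flushing all keys; returns rows removed."""
    cur = db.execute("DELETE FROM peer_pins WHERE peername = ?", (peername,))
    db.commit()
    return cur.rowcount


def demo() -> list:
    """First contact, a matching reconnect, a key change, then recovery."""
    db = open_store()
    old_cert = b"constructed-cert-node0-v1"  # constructed stand-in for DER bytes
    new_cert = b"constructed-cert-node0-v2"  # node0 regenerated its key
    results = [check_peer(db, "node0", old_cert),   # pinned
               check_peer(db, "node0", old_cert),   # ok
               check_peer(db, "node0", new_cert)]   # mismatch -> refused
    forget_peer(db, "node0")                        # admin clears the stale pin
    results.append(check_peer(db, "node0", new_cert))  # pinned again
    return results
```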
> I'm using openssl-0.9.7e-3, public key's are the same on node0 and
> node2, the /etc/csync2_ssl_cert.pem & /etc/csync2_ssl_key.pem have to
> be different on each node, right?
Yes. Each host has its own SSL certificate and key file. But the csync2
key file (the one generated using 'csync2 -k') is a shared secret and must
be identical on all hosts.
yours,
- clifford
--
_ _ _ Nerds on Air - Radio for Geeks _ __ ___
| \| |___ /_\ On 1st and 3rd Friday of the month / |/ /__ / _ |
| .` / _ \/ _ \ 21:00-22:00 CET on Radio Orange / / _ \/ __ |
|_|\_\___/_/ \_\ http://www.clifford.at/noa/ /_/|_/\___/_/ |_|
Life is not fair, but the root password helps!