From 9afe5e46407af2613ae55b89ae9abafd7d7de6e1 Mon Sep 17 00:00:00 2001 From: Sol Jerome Date: Mon, 11 Jan 2010 19:20:16 +0000 Subject: doc: Add note about certificate creation when using SSL Signed-off-by: Sol Jerome git-svn-id: https://svn.mcs.anl.gov/repos/bcfg/trunk/bcfg2@5670 ce84e21b-d406-0410-9b95-82705330c041 --- doc/authentication.txt | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) (limited to 'doc') diff --git a/doc/authentication.txt b/doc/authentication.txt index 2a72917a3..56cb7ce3e 100644 --- a/doc/authentication.txt +++ b/doc/authentication.txt @@ -77,8 +77,8 @@ per-client passwords set will not be able to connect. SSL Cert-based client authentication ==================================== -As of 1.0pre3, SSL-based client authentication is supported. This -requires several things: +SSL-based client authentication is supported. This requires several +things: #. Certificate Authority (to sign all keys) @@ -98,6 +98,21 @@ using the following set of steps: http://www.flatmtn.com/article/setting-ssl-certificates-apache + .. note:: + The client CN must be the FQDN of the client (as returned by a + reverse DNS lookup of the ip address. Otherwise, you will end up + with an error message on the client that looks like:: + + Server failure: Protocol Error: 401 Unauthorized + Failed to download probes from bcfg2 + Server Failure + + on the client. You will also see an error message on the server + that looks something like:: + + cmssrv01 bcfg2-server[9785]: Got request for cmssrv115 from incorrect address 131.225.206.122 + cmssrv01 bcfg2-server[9785]: Resolved to cmssrv115.fnal.gov + #. Distribute the keys and certs to the appropriate locations #. Copy the ca cert to clients, so that the server can be authenticated -- cgit v1.2.3-1-g7c22
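Review bot: In the first hunk (@@ -77,8 +77,8 @@), the reworded opening sentence drops "As of 1.0pre3", which the commit subject ("Add note about certificate creation when using SSL") does not mention. Readers on older releases lose the only indication of when SSL client authentication became available. Either keep the version information in the paragraph or mention its removal in the commit message.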