Remote Opsi

siil-itman
Posts: 13
Registered: 24 Dec 2025, 10:01

Remote Opsi

Post by siil-itman »

We are testing the free version of Opsi right now with a view to a proper deployment if it ticks most of the boxes.

I've got the opsi-config server running on Debian 12 on our internal network.
I've set up the public DNS to point to our Nginx reverse proxy as per the details here.
I can access opsi.example.com:4447 from outside of our network and get the welcome page.
If I try to open opsi-configed, it comes up with a certificate error (unable to validate certificate) and asks about trusting the certificate. Clicking on "Always trust" or "Trust once" then states that it can't download the certificate from opsi.example.com:4447/ssl/ca-certs.pem, and I can't log in.

How can I get around this? Do I need to tweak anything on the reverse proxy?
j.schneider
uib-Team
Posts: 2149
Registered: 29 May 2008, 15:14

Re: Remote Opsi

Post by j.schneider »

OPSI uses its own certificate authority and certificate chain.
All OPSI components (opsi-client-agent, opsi-configed, opsi-depotserver, ...) will only trust the OPSI internal chain.

Have a look at the documentation for details:
https://docs.opsi.org/opsi-docs-en/4.3/ ... s/tls.html

In a setup with reverse proxy, I would recommend our extensions Let’s Encrypt or Custom-CA, see:
https://opsi.org/en/product/extensions

But if you want to tinker a bit, you can also use the certificates from the OPSI server (/etc/opsi/ssl) on the proxy.


Thank you for using opsi. Our support in the forum is limited.

For professional use and individual consulting we recommend a support contract and training.
We would be glad to inform you about our offer.

uib GmbH
Phone: +49 6131 27561 0
E-mail: sales@uib.de


siil-itman
Posts: 13
Registered: 24 Dec 2025, 10:01

Re: Remote Opsi

Post by siil-itman »

So I should copy the cert and key from the opsi config server and place them on my reverse proxy instead of the Let's Encrypt ones.

How do I find the password for the default CA key it generates?
siil-itman
Posts: 13
Registered: 24 Dec 2025, 10:01

Re: Remote Opsi

Post by siil-itman »

I'm trialling the Custom CA extension and have a few questions...

As per the information here, if we are going to set up the system to use a custom CA, I can declare the ssl-ca-key-passphrase in the opsiconfd.conf for the CA key. How do I declare the passphrase for the opsiconfd-key.pem?

If we are going to use the opsi server as an intermediate CA instead, can you clarify what I need to set in the opsiconfd.conf and the opsi.conf?
Benutzeravatar
j.schneider
uib-Team
Posts: 2149
Registered: 29 May 2008, 15:14

Re: Remote Opsi

Post by j.schneider »

When a Custom CA is used, the OPSI CA remains on the server (private key in "/etc/opsi/ssl/opsi-ca-key.pem", certificate in "/etc/opsi/ssl/opsi-ca-cert.pem").
The certificate of the Custom CA must be appended to "/etc/opsi/ssl/opsi-ca-cert.pem".

The private key of the Custom CA is not required and must not be stored on the OPSI server.

The server private key and certificate are managed externally by the Custom CA, but must be installed on the OPSI server as "/etc/opsi/ssl/opsiconfd-key.pem" and "/etc/opsi/ssl/opsiconfd-cert.pem". If "opsiconfd-key.pem" is encrypted, the corresponding passphrase must be configured via "ssl-server-key-passphrase".

The procedure for configuring the OPSI CA as an intermediate CA is described here:
https://docs.opsi.org/opsi-docs-en/4.3/ ... termediate


siil-itman
Posts: 13
Registered: 24 Dec 2025, 10:01

Re: Remote Opsi

Post by siil-itman »

Thank you for your guidance. I've done a clean build, and reconnecting a client / accessing the web interfaces works with a lot fewer problems than last time!

After the rebuild, I'm seeing a warning for SSL and two errors relating to products and packages.
SSL: WARNING
1 issue(s) found.

WARNING - The subject of the CA has changed from {'C': '**', 'ST': '**', 'L': '**', 'O': '**l', 'OU': '** IT', 'CN': 'opsi CA'} to {'C': 'DE', 'ST': 'RP', 'L': 'MAINZ', 'O': 'uib', 'OU': 'opsi@**', 'CN': 'opsi CA', 'emailAddress': 'opsi@**'}.
Is this something I can ignore, or is it something that needs fixing? If fixing, how?

The errors are:
System packages: ERROR
Could not find a suitable TLS CA certificate bundle, invalid path: true

Products On Depots: ERROR
Failed to get package info from repository 'https://opsipackages.43.opsi.org/stable ... gpack.zstd': Could not find a suitable TLS CA certificate bundle, invalid path: true
Any advice on fixing the errors?

Once I get feedback on the above, I will look at the remote connection.
Thanks
siil-itman
Posts: 13
Registered: 24 Dec 2025, 10:01

Re: Remote Opsi

Post by siil-itman »

Cleared the errors, had a typo in the opsiconfd.conf :shock:
siil-itman
Posts: 13
Registered: 24 Dec 2025, 10:01

Re: Remote Opsi

Post by siil-itman »

I've set up our opsi to route from outside via our reverse proxy (nginx), but the external agents are not able to connect.

I'm seeing the traffic hit the reverse proxy but it's not going past the reverse proxy.
This is my conf file for the connection

Code:

server {
    # opsi clients (opsi-configed, opsi-client-agent) speak TLS to port 4447,
    # so TLS must be terminated here as well; a plain "listen 4447;" answers
    # them with HTTP and the connection never reaches the opsi server.
    listen 4447 ssl;
    listen 443 ssl; # managed by Certbot
    server_name opsi.example.com;

    location / {
        proxy_pass https://***.***.***.***:4447;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location ~ /.well-known {
        allow all;
        proxy_pass https://***.***.***.***:4447;
        proxy_http_version 1.1;
    }

    # opsi components only trust the opsi CA chain: the certificate presented
    # here must be the opsiconfd certificate from the opsi server, or one issued
    # by a Custom CA whose certificate was appended to opsi-ca-cert.pem. The
    # Certbot certificate below is not in that chain.
#    ssl_certificate /etc/nginx/certs/opsiconfd.pem;
#    ssl_certificate_key /etc/nginx/certs/opsiconfd-k.pem;
    ssl_certificate /etc/letsencrypt/live/opsi.siil.com.qa/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/opsi.siil.com.qa/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
Note that I've tried using a certbot certificate and I've tried using the opsiconfd certs from the opsi server.
What do I need to tweak in my setup to get this working?
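As an added check (an example script, not part of this thread and not opsi's or uib's tooling) covering both the Custom CA layout j.schneider described and the proxy setup above: it verifies that the server certificate chains to the opsi CA bundle and matches its private key, and then that the chain a proxy presents on port 4447 passes the same verification an opsi client applies. The default file paths are the ones named in the thread; CA_BUNDLE, SERVER_CERT, SERVER_KEY and OPSI_KEY_PASS are environment variables assumed here.

```shell
#!/bin/sh
# Added example, not opsi's own code. Default paths are those named in the
# thread; override them via environment variables if your layout differs.
CA_BUNDLE="${CA_BUNDLE:-/etc/opsi/ssl/opsi-ca-cert.pem}"
SERVER_CERT="${SERVER_CERT:-/etc/opsi/ssl/opsiconfd-cert.pem}"
SERVER_KEY="${SERVER_KEY:-/etc/opsi/ssl/opsiconfd-key.pem}"

# opsi_chain_check CA_BUNDLE CERT KEY
# Returns 0 only if CERT verifies against CA_BUNDLE and KEY belongs to CERT.
# For an encrypted KEY (the ssl-server-key-passphrase case), export the
# passphrase as OPSI_KEY_PASS; it is read via env: so it never appears on a
# command line or in the process list.
opsi_chain_check() {
    ca="$1"; cert="$2"; key="$3"
    passin=""
    [ -n "$OPSI_KEY_PASS" ] && passin="-passin env:OPSI_KEY_PASS"
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not chain to $ca" >&2
        return 1
    fi
    # Compare the SubjectPublicKeyInfo from the cert with the one derived
    # from the private key; both are printed as PEM "PUBLIC KEY" blocks.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" $passin -pubout 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match $cert (or could not be read)" >&2
        return 1
    fi
    echo "OK: $cert chains to $ca and matches $key"
    return 0
}

# opsi_proxy_check HOST [PORT] CA_BUNDLE
# Connects the way opsi-configed does and verifies the presented chain and
# hostname against the opsi CA bundle only. A proxy presenting a certificate
# from any other CA (e.g. Certbot) fails here, which is what the clients see.
opsi_proxy_check() {
    host="$1"; port="${2:-4447}"; ca="$3"
    openssl s_client -connect "$host:$port" -servername "$host" \
        -verify_hostname "$host" -CAfile "$ca" -verify_return_error \
        </dev/null >/dev/null 2>&1
}

# Usage: run the first on the opsi server, the second from outside the network.
#   opsi_chain_check "$CA_BUNDLE" "$SERVER_CERT" "$SERVER_KEY"
#   opsi_proxy_check opsi.example.com 4447 "$CA_BUNDLE" && echo "proxy chain OK"
```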