Hi all,

On 26.09.19 at 15:52, Karol Babioch wrote:
> Hi all,
> For as yet unclear reasons, "kinit" was missing on the machine responsible for this (crtmgr.infra.opensuse.org). Kerberos is needed in some script to update the DNS records needed for authorization.
Thanks for taking care, as I was unable to spare some time for this at the moment. I'm overwhelmed by a lot of new things and my ToDo list is just growing - especially the private one - so some hobbies such as openSUSE need to step back for a while.

Just to explain why kinit / Kerberos is needed there: the public DNS setup of openSUSE is a bit of a mess, because the domain is handled by the MF IT "Infoblox" network. For this reason, when we want to push our zone to the public world, we need to push it against special IP addresses of MicroFocus. As we decided to use infra.o.o for the internal addressing managed by FreeIPA, we need to clean this up somehow before we push the zone externally.

So what happens is this:

crtmgr gets a Kerberos ticket (kinit needed) to identify as a DNS administrator against freeipa.infra.o.o and uses "nsupdate -g" [1] to update the records in the FreeIPA zone. Now we have a shiny FreeIPA zone for .opensuse.org containing all the TXT records we need for Let's Encrypt, but as nameservers it contains (as is correct for the internal view) freeipa.infra.opensuse.org.

Because of this, there is a PowerDNS script running on chip? I guess it is chip, but I would need to double-check. This PowerDNS script watches the openSUSE.org zone from FreeIPA and gets triggered whenever there is a change. The only thing it does is run a small filter-regex script in Ruby by darix, which removes the .infra.o.o domain names from the .o.o zone file and pushes it with a notification to the MF name servers. And *tada*, we have a working zone file out there.

How can you see this? Easy: compare the zone file records for NS (name servers) you get on any machine of the infra.o.o network with the public .o.o zone - it differs in exactly the nameserver, but both come from the same machine called FreeIPA - managed in the LDAP database and updated via crtmgr (at least for the TXT records for Let's Encrypt).

Easy, isn't it? :D

Remember to always have fun ...
[1] how "nsupdate -g" works: https://gist.github.com/genadipost/2d5eb75e0a46ca4e5ac756d640b2da5a

Best regards,
Thorsten
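As an added illustration of the filtering step Thorsten describes (this is example code, not darix's script and not anything from openSUSE's infrastructure), the following Ruby drops every record whose owner name or target lies under infra.opensuse.org before a FreeIPA-exported zone is handed to the public nameservers, while the Let's Encrypt TXT records survive. It assumes the zone is exported with fully qualified owner names and a one-line SOA; the IPs, the public NS name and the ACME token in the sample zone are constructed placeholders.

```ruby
# Added example, not the Ruby script by darix mentioned above: strip the
# internal infra.opensuse.org names out of a FreeIPA-exported opensuse.org
# zone before publishing it. Assumes fully qualified owner names.
INTERNAL_SUFFIX = "infra.opensuse.org."

# Constructed sample zone; IPs, the public NS name and the token are placeholders.
SAMPLE_ZONE = <<~'ZONE'
  $ORIGIN opensuse.org.
  opensuse.org. IN SOA freeipa.infra.opensuse.org. hostmaster.opensuse.org. 2019092601 3600 900 1209600 3600
  opensuse.org. IN NS freeipa.infra.opensuse.org.
  opensuse.org. IN NS ns-public.example.net.  ; placeholder for the MF name server
  freeipa.infra.opensuse.org. IN A 192.0.2.10
  www.opensuse.org. 300 IN A 192.0.2.20
  certs.opensuse.org. IN CNAME crtmgr.infra.opensuse.org.
  _acme-challenge.www.opensuse.org. 60 IN TXT "constructed-acme-token"
ZONE

# True when a fully qualified name lies inside the internal domain.
def internal_name?(name)
  n = name.end_with?(".") ? name : "#{name}."
  n == INTERNAL_SUFFIX || n.end_with?(".#{INTERNAL_SUFFIX}")
end

# Parse "owner [ttl] [class] type rdata..."; nil for blanks, comments, $-directives.
def parse_record(line)
  body = line.sub(/;.*/, "").strip
  return nil if body.empty? || body.start_with?("$")
  fields = body.split(/\s+/)
  owner = fields.shift
  fields.shift if fields.first.to_s.match?(/\A\d+\z/) # optional TTL
  fields.shift if fields.first == "IN"                # optional class
  { owner: owner, type: fields.shift, rdata: fields }
end

# A record is publishable unless its owner, or the target of a name-valued type,
# points into the internal domain. SOA is passed through (assumption: MNAME is fixed downstream).
def public_record?(rec)
  return true if rec[:type] == "SOA"
  return false if internal_name?(rec[:owner])
  !(%w[NS CNAME MX SRV PTR].include?(rec[:type]) && internal_name?(rec[:rdata].last))
end

# Returns the public zone as an array of lines (directives and comments kept).
def filter_zone(text)
  text.lines.map(&:chomp).select do |line|
    rec = parse_record(line)
    rec.nil? || public_record?(rec)
  end
end
```

Running `filter_zone(SAMPLE_ZONE)` leaves the $ORIGIN line, the SOA, the public NS, the www A record and the _acme-challenge TXT record; the internal NS, the freeipa A record and the CNAME into infra.opensuse.org are gone.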