On 26.09.19 at 15:52, Karol Babioch wrote:
For - as to now - unclear reasons, "kinit" was missing on the machine
responsible for this (crtmgr.infra.opensuse.org). Kerberos is needed in
some script to update the DNS records needed for authorization.
Thanks for taking care, as I was unable to spare some time for this at
the moment. I'm overwhelmed by a lot of new things and my to-do list is
just growing - especially the private one - so some hobbies such as openSUSE
need to step back for a while.
Just to explain why kinit / kerberos is needed there.
The public DNS setup of openSUSE is a bit of a mess, because the domain is
handled by MF IT's "Infoblox" network.
For this reason, when we want to push our zone to the public world, we
need to push it against special IP addresses of MicroFocus.
As we decided to use infra.o.o for the internal addressing managed by
FreeIPA, we need to clean this up somehow before we push the zone
externally. So what happens is this:
crtmgr gets a Kerberos ticket (kinit needed) to identify as a
DNS administrator against freeipa.infra.o.o and uses "nsupdate -g" to
update the records in the FreeIPA zone.
Now we have a shiny FreeIPA zone for .opensuse.org containing all the TXT
records we need for Let's Encrypt, but as nameservers it contains (as is
correct for the internal view) freeipa.infra.opensuse.org.
Because of this, there is a PowerDNS script running on chip (I guess it
is chip, but I would need to double-check). This PowerDNS script watches
the zone from FreeIPA and gets triggered whenever there is a change. The
only thing it does is run a small regex filter script in Ruby by darix that
removes the .infra.o.o domain names from the .o.o zone file and pushes it,
with a notification, to the MF nameservers.
And *tada*, we have a working zone file out there.
How can you see this? Easy: compare the NS (nameserver) records of the zone
you get on any machine of the infra.o.o network with the public .o.o zone.
They differ in exactly the nameservers, but both come from the same machine,
FreeIPA, managed in the LDAP database and updated via crtmgr (at least for
the TXT records for Let's Encrypt).
Easy, isn't it? :D
Remember to always have fun ...
To unsubscribe, e-mail: heroes+unsubscribe(a)opensuse.org
To contact the owner, e-mail: heroes+owner(a)opensuse.org
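The filter step described in the mail (the small Ruby regex script by darix that strips the .infra.o.o names out of the .o.o zone before it goes to the MF nameservers), as an added example that is not the actual script from the thread. The zone content, the documentation-range IPs and the public nameserver names (ns1/ns2.public.example.) are constructed placeholders.

```ruby
# Added example (not darix's script): strip the internal infra.opensuse.org
# view out of a FreeIPA zone dump before it goes to the public nameservers.
INTERNAL = /(\A|\.)infra\.opensuse\.org\.?\z/i
PUBLIC_NS = %w[ns1.public.example. ns2.public.example.].freeze # placeholders
# Expand a relative name against $ORIGIN and test for the internal subtree.
def internal_name?(name, origin)
  fqdn = name == '@' ? origin : (name.end_with?('.') ? name : "#{name}.#{origin}")
  fqdn.match?(INTERNAL)
end
# Split "owner [ttl] [IN] TYPE rdata..." (one record per line) into parts.
def parse_rr(line)
  t = line.split
  owner = t.shift
  t.shift if t.first&.match?(/\A\d+\z/)
  t.shift if t.first&.casecmp?('IN')
  [owner, t.shift, t]
end
def filter_zone(zone_text, origin: 'opensuse.org.', public_ns: PUBLIC_NS)
  out, ns_done = [], false
  zone_text.each_line(chomp: true) do |line|
    origin = line.split[1] if line.start_with?('$ORIGIN')
    if line.strip.empty? || line.start_with?(';', '$')
      out << line                                  # directives and comments pass through
      next
    end
    owner, type, rdata = parse_rr(line)
    next if internal_name?(owner, origin)          # host exists only in infra.o.o
    if type == 'NS' && internal_name?(rdata[0], origin)
      next if ns_done                              # emit the public NS set once
      public_ns.each { |ns| out << "#{owner}\tIN\tNS\t#{ns}" }
      ns_done = true
    elsif type == 'SOA' && internal_name?(rdata[0], origin)
      rdata[0] = public_ns.first                   # MNAME must not leak the internal host
      out << "#{owner}\tIN\tSOA\t#{rdata.join(' ')}"
    elsif rdata.none? { |f| internal_name?(f, origin) }
      out << line                                  # drops CNAME/MX etc. pointing inside
    end
  end
  out.join("\n") + "\n"
end
SAMPLE_ZONE = <<~'ZONE' # constructed internal view (documentation IPs)
  $ORIGIN opensuse.org.
  @ IN SOA freeipa.infra.opensuse.org. hostmaster.opensuse.org. 2019092601 3600 900 1209600 3600
  @ IN NS freeipa.infra.opensuse.org.
  www IN A 192.0.2.20
  _acme-challenge.lists IN TXT "constructed-acme-token"
  crtmgr.infra IN A 192.0.2.10
  intranet IN CNAME wiki.infra.opensuse.org.
ZONE
puts filter_zone(SAMPLE_ZONE) if $PROGRAM_NAME == __FILE__
```

The public view keeps the Let's Encrypt TXT record but no longer contains any infra.o.o host, neither as owner, nameserver, SOA MNAME nor CNAME target.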