svlsResearch / ha-mikrotik

High availability code for Mikrotik routers

Branch v7-test Sync Failure? #25

Closed AndreasMagdeburg closed 5 months ago

AndreasMagdeburg commented 5 months ago

I tested the v7-test branch of ha-mikrotik. All looks good. Configuration is synced correctly. I test this on a CCR2004-1G-12S+2XS router. I access the router via HTTPS. For this an SSL certificate (private and public key) is imported on the router. If I sync the standby router and switch the standby to active mode ($HASwitchRole), it is no longer possible to access the "new" active router (former standby) via HTTPS. I think the certificate is not correctly synced to the standby router. If I delete the certificate and import it again, HTTPS is working again. After importing the certificate again on the now active router, I sync back and switch over to the original router, and then HTTPS is not working there either until I import the certificate there again.

So I think there is a problem with syncing certificates. The public part of the certificate looks the same. But if I export the certificate as p12 with the private key without passphrase, they don't look the same. Maybe the syncing of the private key is not working correctly.

In the log file I can't see any entries of this failure.

nathanfaber commented 5 months ago

I actually only explicitly handle SSH certificates. When you "import the certificate again" - are you doing this from a local certificate file after uploading it?

There are a lot of certificates that could be on a device, I don't currently enumerate them all and RouterOS doesn't let me export the entire keystore easily. I have historically handled this by having an "on_startup" script for a specific pair that imports them from the flash after boot.

See attached picture. Let me know if this method might solve your problem.

[attached image]
AndreasMagdeburg commented 5 months ago

Does not really work... If I remove the certificate and reimport the certificate, all configurations which use this certificate are broken. Webfig loses its certificate and doesn't work anymore, also sstp-server, ovpn-server and all IPsec users.

nathanfaber commented 5 months ago

What is the procedure to get it working again?

AndreasMagdeburg commented 5 months ago

I have to import the .p12 certificate from file on the router with the same name. The .p12 file is synced correctly between the routers. After that I have to fix all configurations which use this certificate: www-ssl service, ovpn-server and sstp-server. Then I have to delete all IPsec identities and reimport them, because they use certificate authentication.

nathanfaber commented 5 months ago

So if you put all of your configuration fixes in a startup scheduler script like I have above - does it work like expected? Or are you saying that is what doesn't work? I realize it is not ideal to have configuration in that script though.

I am able to delete and re-import my certificates for an OpenVPN server without reconfiguration of it. That screen shot is exactly what I do to bring the certificate back into the standby for OpenVPN. You are saying that doesn't work for you? As for the other certificate uses, I haven't tested those.

AndreasMagdeburg commented 5 months ago

www-ssl, ovpn-server and sstp-server have no certificates after removing and reimporting the certificate.

```
/certificate remove vpn.xyz.de
/certificate import file-name=vpn.xyz.de.p12 passphrase=xyz123 name=vpn.xyz.de
```

www-ssl, ovpn-server and sstp-server maybe can also be fixed with a startup script. Maybe:

```
/ip service set www-ssl certificate=vpn.xyz.de
/interface ovpn-server server set certificate=vpn.xyz.de
/interface sstp-server server set certificate=vpn.xyz.de
```

But for IPsec identities this is not a good idea, because they change more often and then I also have to change the script every time.
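As an added example (not code from ha-mikrotik or from anyone in this thread), here is one way to put the re-import and re-attach steps described above into a single startup scheduler script. It assumes placeholder names (certificate and file name `vpn.example.com`, passphrase `CHANGE-ME`) and assumes that every IPsec identity using `auth-method=digital-signature` is meant to use this one certificate; walking the identities avoids hard-coding them, which is the maintenance problem raised above. Everything else is standard RouterOS 7 scripting.

```routeros
# Added example, not part of ha-mikrotik: restore a synced .p12 certificate on
# the standby router after a sync/role switch and re-attach it to the services
# that reference it by name.
# Assumptions (placeholders, not from the issue): certificate/file name
# "vpn.example.com", passphrase "CHANGE-ME", and that all digital-signature
# IPsec identities use this single certificate.

/system script add name=restore-cert policy=read,write,test source={
    :local certName "vpn.example.com"
    :local certFile "vpn.example.com.p12"
    :local certPass "CHANGE-ME"

    # Import only when the certificate is absent, so a re-run after the
    # certificate already exists does not create a duplicate entry.
    :if ([:len [/certificate find name=$certName]] = 0) do={
        :if ([:len [/file find name=$certFile]] = 0) do={
            :log error ("restore-cert: " . $certFile . " not found, cannot restore")
            :error "certificate file missing"
        }
        /certificate import file-name=$certFile passphrase=$certPass name=$certName
        :log info ("restore-cert: imported " . $certName)
    }

    # Re-point the services that lose their certificate reference when the
    # certificate is removed and re-imported.
    /ip service set www-ssl certificate=$certName
    /interface ovpn-server server set certificate=$certName
    /interface sstp-server server set certificate=$certName

    # Assumption: every certificate-authenticated IPsec identity uses this
    # certificate. Iterating over them means the script needs no edit when
    # identities are added or removed.
    :foreach id in=[/ip ipsec identity find auth-method=digital-signature] do={
        /ip ipsec identity set $id certificate=$certName
    }
    :log info "restore-cert: services re-attached"
}

# Run once at boot, after a short delay so the file system and certificate
# store are ready.
/system scheduler add name=restore-cert-on-boot start-time=startup interval=0 policy=read,write,test on-event=":delay 30s; /system script run restore-cert"
```

The passphrase sits in the script source, so restrict who can read scripts on the router (script policy and user group permissions) and keep the .p12 file itself out of any export or backup that leaves the device unprotected. If the identities use different certificates, replace the `:foreach` loop with explicit `set` commands per identity.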

nathanfaber commented 5 months ago

Do you have this on a production setup or test setup?

AndreasMagdeburg commented 5 months ago

At the moment a test setup, but it should go into production on 06 April ...

ovpn-server and sstp-server are not important, because we don't use them. But IPsec VPN is important ...

nathanfaber commented 5 months ago

Is this something we can do a shared screen session to take a look at together?

AndreasMagdeburg commented 5 months ago

We can, but not now. I am not in the office now. TeamViewer?

nathanfaber commented 5 months ago

Sure, I can do Team Viewer. Shoot me an email at my github username at gmail and we can coordinate.

AndreasMagdeburg commented 5 months ago

Thank you for your help. It is working now.