fw_mon
Reliable Contributor

generate cluster ca cert via CLI error

/opt/mwg/bin/mwg-coordinator -c "1234"
Coordinator: [2021-04-19 21:35:43.183 +00:00] [Coordinator] [CMClusterCAKeyNotFound] The key file of the cluster CA could not be found in '/opt/mwg/storage/'.

ok, let's just import a new CA cert and a key:

/opt/mwg/bin/mwg-coordinator -A "cmd:trigger_action=cmclusterca;file:ca=/opt/mwg/mwg-cluster-ca.pem,key=/opt/mwg/mwg-cluster-ca.key"
ERROR: could not copy CA file to storage directory

what's wrong?

tail -f /opt/mwg/log/mwg-errors/mwg-coordinator.errors.log -n1
[2021-04-19 21:52:27.901 +00:00] [Coordinator] [Errno] Error while calling 'rename (old name: /opt/mwg/storage/cmclustercert-cert.pem.old, new name: /opt/mwg/storage/cmclustercert-cert.pem)'. Errorcode: '2' - 'errno: 2 - 'No such file or directory''.

please suggest correct CLI commands to generate or to import cluster ca/key. 

Accepted Solution
asabban
McAfee Employee

Re: generate cluster ca cert via CLI error


Hi,

the command tells the running coordinator to read the files specified. The files must be accessible by the mwg-coordinator process.

I assume the cert and key files cannot be read, causing the import to fail. I have done the following:

cp -Rav cluster.crt cluster.key /opt/mwg/temp/
chown mwgc.mwg /opt/mwg/temp/cluster.*
/opt/mwg/bin/mwg-coordinator -A "cmd:trigger_action=cmclusterca;file:ca=/opt/mwg/temp/cluster.crt,key=/opt/mwg/temp/cluster.key"

The result is:

OK: new CA successfully applied


3 Replies

fw_mon
Reliable Contributor

Re: generate cluster ca cert via CLI error


Thanks Andre, the permissions were the issue here. 

Is there no way to generate/import a cluster cert/key pair using the REST API?

The purpose of the mwg-coordinator -c command seems to be the generation of a certificate for the local coordinator (cmclustercert-cert) from the cluster CA, correct?

asabban
McAfee Employee

Re: generate cluster ca cert via CLI error


Hello,

I have checked the internal REST documentation but I did not find a way to import the Cluster CA. There are ways to configure all the "cluster wide" settings, but the Cluster CA is simply put as a file (or two files) to the disk - I don't see a REST endpoint to set this.

Honestly, I have read about the "-c" option this morning for the first time after you posted it here 😄 Without knowing for sure I assume no one ever used that option.

I don't think it makes sense to generate the Cluster CA on the MWG itself. Since it must be the same CA on all machines you can also create a CA externally with a tool (or create it on the first MWG you installed via the UI, then export certificate and key).

We can file a Service Request and check with engineering what the "-c" is supposed to do and how to use it. 

I assume you are looking for an automated way to enroll/update the Cluster CA. I think replacing the file on the disk and restarting the MWG coordinator service could be a way to achieve this. So when automatically deploying a new machine, after applying the initial configuration of IP address etc., I would put the certificate and key file manually with correct permissions into the folder, then restart. The new machine should now use this Cluster CA and should be ready to be joined into the existing central management.

Since I don't know the exact use case this is only a guess, so please excuse if I am wrong.

Andre
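The accepted answer above traces the "could not copy CA file to storage directory" error to file permissions (the files must be readable by the mwg-coordinator process, which asabban fixes with chown mwgc.mwg), and the last reply sketches an automated deployment that drops the certificate and key into place with correct permissions. The following script is an added example written for this thread, not code from McAfee or from either poster: it pre-checks both files the way the coordinator's service account would see them, warns when the private key is world-readable, and prints the import command as a dry run instead of executing it. It assumes the service user is "mwgc" and its group is "mwg" (taken from the chown in the accepted answer; override with SVC_USER/SVC_GROUP if your install differs), that the file paths are placeholders, and it deliberately ignores supplementary group membership and ACLs, so a failed check is a strong hint rather than proof.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight check that the cluster CA
# certificate and key are readable by the coordinator's service account before
# running "mwg-coordinator -A ...". Assumptions (from asabban's chown command):
# the service user is "mwgc" and its group is "mwg"; file paths are placeholders.
set -u

SVC_USER="${SVC_USER:-mwgc}"
SVC_GROUP="${SVC_GROUP:-mwg}"

# Print "<octal mode> <owner> <group>" for a file (GNU stat first, BSD stat fallback).
file_stat() {
    stat -c '%a %U %G' "$1" 2>/dev/null || stat -f '%Lp %Su %Sg' "$1"
}

# readable_by_service FILE: returns 0 if SVC_USER could open FILE for reading,
# judged from the owner/group/other read bits. Simplification: supplementary
# group membership and ACLs are ignored, so "no" here is a hint, not proof.
readable_by_service() {
    f="$1"
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    set -- $(file_stat "$f")
    mode=$(printf '%s' "$1" | tail -c 3)   # last three digits: user/group/other
    owner="$2"; group="$3"
    u=${mode%??}; rest=${mode#?}; g=${rest%?}; o=${rest#?}
    if [ "$owner" = "$SVC_USER" ]; then
        [ $((u & 4)) -ne 0 ]
    elif [ "$group" = "$SVC_GROUP" ]; then
        [ $((g & 4)) -ne 0 ]
    else
        [ $((o & 4)) -ne 0 ]
    fi
}

# key_not_world_readable FILE: returns 0 when the "other" read bit is clear.
# The cluster CA private key should be readable only by the service account.
key_not_world_readable() {
    [ -f "$1" ] || return 1
    set -- $(file_stat "$1")
    o=$(printf '%s' "$1" | tail -c 1)
    [ $((o & 4)) -eq 0 ]
}

# preflight CA KEY: run the checks, print a fix hint for each failure, and on
# success print the import command (dry run: this example never executes it).
preflight() {
    ca="$1"; key="$2"
    ok=0
    readable_by_service "$ca"  || { echo "fix: chown $SVC_USER:$SVC_GROUP '$ca'; chmod 640 '$ca'" >&2; ok=1; }
    readable_by_service "$key" || { echo "fix: chown $SVC_USER:$SVC_GROUP '$key'; chmod 600 '$key'" >&2; ok=1; }
    key_not_world_readable "$key" || { echo "fix: chmod 600 '$key' (key is world-readable)" >&2; ok=1; }
    [ "$ok" -eq 0 ] || return 1
    echo "/opt/mwg/bin/mwg-coordinator -A \"cmd:trigger_action=cmclusterca;file:ca=$ca,key=$key\""
}

# Usage on a gateway (placeholder paths), then run the printed command by hand:
#   preflight /opt/mwg/temp/cluster.crt /opt/mwg/temp/cluster.key
```

The script only reports and prints; applying the chown/chmod it suggests and running the printed mwg-coordinator command remain manual steps, which keeps an automation mistake from silently loosening permissions on the CA key.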
