Hi Guys!
one short question for linux coders here:
I want to implement a custom command at network connection finalization to check for the right SCEP certificate. sometimes at rollout there is the issue that the clien got a wrong DNS name and due this it pulls for the wrong CN at SCEP-Request. 802.1x isn’t perfect then.
What i want to do:
_if[[(openssl x509 -noout -in /wfs/scep_certificates/cert0/client.cert -text -noout | grep DNS)=$HOSTNAME]];echo “correct name”_
I check on hostname and scep DNS line if it matches. But it gives me back a _No such file or directory._
does anybody know what the reason is here?
.. for sure in the end it won’t be a “echo correct name” but a scep mkrequest and enroll cert π
What happens if you put your command in a Bash file and execute it from CLI, does it work there?
… had a syntax problem finally. now it works – it’s a nice thing for checking if SCEP certificate is on the right hostname (if you do so):
if [[ $(openssl x509 -noout -in /wfs/scep_certificates/cert0/client.cert -text -noout | grep DNS) != “$HOSTNAME” ]]; then scep_mkrequest 0 && scep_enroll 0; fi
I got one more “problem” or question in that sadly.
we implemented this command as custom command as “final network command” in firmware customization in the profile.
sadly it seems that it isn’t run by that at the end of network initialization. When i run the command manually per command line it works perfectly.
do you got any idea why it seems to be not performed automatically?
Thanks in advance!!
Hi, you could redirect the command into a Script and start the script instead of a single command, here is a sample:
github.com/IGEL-Community/IGEL-Community.github.io/wiki/Scripts:-Custom-Commands#lx10-and-os11 github.com/IGEL-Community/IGEL-Community.github.io/wiki/Scripts:-Custom-Commands#lx10-and-os11
Thanks for your reply.
I did it exactly like this, pushed a checkcert.sh to /wfs/ by UMS files and just put the “/wfs/checkcert.sh” to commands at finalize desktop.
the mysterious is, that it seems to run only sometimes (??). modified the script for testing to
echo “testoutput” >> /wfs/echotest.log
and it doesn’t appear every time at all… cannot understand this
Okay i got news!
i tested it with renaming the igel in UMS, that it gets a new DNS name. then rebooted it. seems, it needs two reboots – one for finally changing the DNS name (so the script will function) and the next for checking cert by script.
…. annoying situation for this behaviour and all these question, but finally it’s solved now I think!
Thanks again for all your input! π
Maybe you got a tip for me again: is it possible to make a custom application (which can be called per hotkey) which runs some commands like scep_mkrequest or scep_enroll ? tried to just perform this command in settings of the application but nothing happens… maybe you got a hint for me again… π
looks like it’s a permission problem because of the user context the app is run maybe
Thatβs exactly the reason! The /wfs mountpoint, the openssl requests are mostly binded to the root / system context.
I mean from a custom app, it might get hard to achieve but you could write a βdaemonβ that watches for a command or file, that could be triggered by you Custom Application. Then, if it matches your loop, execute the scep_ commands. Does that make sense?
Thanks , I thought so… okay, that would be an option but for our scenario too much trouble I think π
It would’ve been nice if it worked more or less easily because in some situation the igel needs two reboots after DNS renaming to pull the right cert name (context above) – maybe because some time dependencies or something….
And with this custom app by hotkey the service team could renew it directly at the client at the desktop and make the process even more efficient and clear. Now we’ll do so, that the service team can check it by custom app IF the cert is correct and if not they can restart it again. It’s okay as well π
thanks anyway for your help again!
Continue reading and comment on the thread ‘Custom command at network connection finalization to check for the right SCEP certificate’. Not a member? Join Here!
Learn more, search the IGEL Knowledge Base
Ask a question or comment on the above message thread?
Join or log in to the IGEL Community to ask us anything and meet other IGEL customers, partners, and EUC enthusiasts.Submit a question, or Join Today!