Primarily a note for my future self so I don't have to find out what I did in the past once more.
If you're running some smaller systems scattered around the internet without connecting them through a VPN, you might want your munin master and nodes to communicate over TLS and validate each other's certificates. If you remember what to do it's a rather simple and straightforward process. To manage the PKI I'll use the well-known easyrsa script collection. For this special-purpose CA I'll go with a flat layout: one root certificate issuing all server and client certificates directly, with no intermediate CA. Some very basic docs can also be found in the munin wiki.
master setup
For your '/etc/munin/munin.conf':
tls paranoid
tls_verify_certificate yes
tls_private_key /etc/munin/master.key
tls_certificate /etc/munin/master.crt
tls_ca_certificate /etc/munin/ca.crt
tls_verify_depth 1
A node entry with TLS will look like this:
[node1.stormbind.net]
address [2001:db8::]
use_node_name yes
Important points here:
- "tls_certificate" is a client certificate (X.509 extended key usage "TLS Web Client Authentication"). The master connects to the nodes as the TLS client.
- "tls_ca_certificate" is the root CA certificate.
- If you'd like to disable TLS connections, for example for localhost, set "tls disabled" in the node block.
For easy-rsa the following command invocations are relevant:
./easyrsa init-pki
./easyrsa build-ca
./easyrsa gen-req master
./easyrsa sign-req client master
./easyrsa set-rsa-pass master nopass
node setup
For your '/etc/munin/munin-node.conf':
tls paranoid
tls_verify_certificate yes
tls_private_key /etc/munin/node1.key
tls_certificate /etc/munin/node1.crt
tls_ca_certificate /etc/munin/ca.crt
tls_verify_depth 1
For easy-rsa the following command invocations are relevant:
./easyrsa gen-req node1
./easyrsa sign-req server node1
./easyrsa set-rsa-pass node1 nopass
Important points here:
- "tls_certificate" on the node must be a server certificate.
- You have to provide the CA certificate here as well so the node can verify the client certificate presented by the munin master.
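The whole master-and-node flow, as an added example that is not code from the original post or from the munin or easy-rsa projects: it uses plain openssl in place of the easyrsa commands to build a throwaway flat PKI in a temporary directory, then checks each certificate for the role munin expects (master = client certificate, node = server certificate) and that it chains to ca.crt within the same depth limit as tls_verify_depth 1. The names (munin-ca, master, node1), the temporary directory and the 2048-bit RSA keys are assumptions; check_role takes plain file paths, so it works unchanged on the real /etc/munin/*.crt files.

```shell
#!/bin/sh
# Added example, not code from the original post or from the munin/easy-rsa
# projects. Plain openssl stands in for the easyrsa invocations: build a
# throwaway flat PKI (one root signing the leaf certificates directly), then
# check each certificate for the role munin expects. The master presents a
# client certificate, each node presents a server certificate, and both must
# chain to the root. check_role() takes paths and works on real files, e.g.
#   check_role /etc/munin/master.crt /etc/munin/ca.crt client
set -eu

WORK=$(mktemp -d)                  # scratch directory (assumption), removed on exit
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config: an empty DN section (we pass -subj on the command
# line) and CA extensions for the self-signed root, so openssl verify accepts
# it as a trust anchor.
printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$WORK/openssl.cnf"

# build_ca: the "easyrsa build-ca" equivalent (hypothetical CN, no passphrase).
build_ca() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -subj "/CN=munin-ca" \
        -config "$WORK/openssl.cnf" -days 3650 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# issue_cert NAME client|server: the "gen-req" + "sign-req" equivalent.
# Only the extendedKeyUsage differs between the two roles; that EKU is what
# the peer's TLS stack checks when the certificate is used as client or server.
issue_cert() {
    name=$1
    case $2 in
        client) eku=clientAuth ;;
        server) eku=serverAuth ;;
        *) echo "issue_cert: role must be client or server" >&2; return 2 ;;
    esac
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
        -config "$WORK/openssl.cnf" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=%s\n' "$eku" >"$WORK/$name.ext"
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 365 -extfile "$WORK/$name.ext" \
        -out "$WORK/$name.crt" 2>/dev/null
}

# check_role CERT CA client|server: succeed only if CERT chains to CA (depth
# limit 1, mirroring tls_verify_depth in munin.conf; a flat CA needs no
# intermediate at all) and carries the EKU for that role.
check_role() {
    cert=$1
    ca=$2
    case $3 in
        client) want='SSL client : Yes' ;;
        server) want='SSL server : Yes' ;;
        *) echo "check_role: role must be client or server" >&2; return 2 ;;
    esac
    openssl verify -CAfile "$ca" -verify_depth 1 "$cert" >/dev/null 2>&1 || return 1
    openssl x509 -in "$cert" -noout -purpose | grep -q "$want"
}

build_ca
issue_cert master client     # the master connects as a TLS client
issue_cert node1 server      # nodes answer as TLS servers

# Positive checks for the intended roles, negative checks for the swapped ones:
# a server certificate handed to the master, or vice versa, must be rejected.
for pair in "master client" "node1 server" "master server" "node1 client"; do
    set -- $pair
    if check_role "$WORK/$1.crt" "$WORK/ca.crt" "$2"; then
        echo "$1.crt: OK as $2 certificate"
    else
        echo "$1.crt: NOT usable as $2 certificate"
    fi
done
```

The negative checks are the useful part: easyrsa's sign-req client and sign-req server differ only in the extendedKeyUsage they put into the certificate, and mixing them up is the most common reason a "tls paranoid" setup fails with a bare handshake error. Running check_role against the deployed files before restarting munin-node or the master cron job tells you which side has the wrong certificate.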