Starting with Resilio Connect 3.8.2, a new authentication option allows Agents to verify the Management Console using a certificate chain instead of a certificate fingerprint. This enhancement simplifies certificate updates and rotations for the Management Console. Administrators can update the Management Console certificate at any time without disrupting Agent connectivity, as long as the entire certificate chain remains valid.
To use the feature:
- Ensure that the relevant CA certificate is placed in the Agent's operating system trusted root certificate store.
- Add the custom parameter to the Agent profile or configuration file:
  allow_server_trusted_cert_hostname=<name>
  where <name> is the hostname as it appears in the "Distinguished Name" or "Subject Alternative Name" section of the Management Console certificate. Multiple names are allowed; use a semicolon (;) or a comma (,) as the delimiter.
- Restart the Resilio Agent service.
Notes:
Enabling the check by hostname automatically disables the check of the certificate by fingerprint.
On Windows computers the trusted root store is separate for every user, so deploy the CA certificate either to the user account that actually runs the Resilio Agent service or to the "Local Machine" certificate store.
If your CA certificate is kept in a non-default location, the custom parameter mc_ca_path (applicable via the Agent Profile or the config file) specifies a custom location for the CA certificate on any OS. If it is defined, it is the only location from which the CA is loaded; no other locations are consulted. If the path in mc_ca_path is relative, it is resolved relative to the Agent's storage folder.
A full description of the verification algorithm is available here.
The feature works even when Agents connect to the Management Console by IP address instead of DNS name: the Agent verifies the certificate fields against the parameter, not against the address of the actual connection.
The Resilio Agent validates the certificate only at the moment of connection, so certificate expiration does not affect an Agent's existing connection.
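As an added illustration (not Resilio's code), the following Python models the check described in this article: the parameter value is split on ; and , and compared with the CN and SAN entries of the Console certificate, while chain validation uses mc_ca_path alone when it is set and the OS trust store otherwise. The exact, case-insensitive matching (no wildcards), the getpeercert()-style certificate layout and the sample certificate are assumptions.

```python
"""Model of the hostname-based Console check. Assumption, not Resilio's code:
a certificate is accepted when, after the chain validates against the CA,
one configured name appears in its Subject CN or Subject Alternative Name."""
import ssl
from typing import Dict, List, Optional, Set

# Constructed sample in the layout returned by ssl.SSLSocket.getpeercert().
SAMPLE_CONSOLE_CERT = {
    "subject": ((("commonName", "mc.corp.example"),),),
    "subjectAltName": (("DNS", "mc.corp.example"), ("DNS", "console.corp.example")),
}

def parse_allowed_hostnames(param_value: str) -> List[str]:
    """Split allow_server_trusted_cert_hostname on ';' and ',' (both allowed)."""
    names = []
    for part in param_value.replace(";", ",").split(","):
        name = part.strip().lower()
        if name:
            names.append(name)
    return names

def certificate_names(cert: Dict) -> Set[str]:
    """CN from the Distinguished Name plus every DNS / IP SAN entry."""
    names = set()
    for rdn in cert.get("subject", ()):
        for attr_type, value in rdn:
            if attr_type == "commonName":
                names.add(value.lower())
    for san_type, value in cert.get("subjectAltName", ()):
        if san_type in ("DNS", "IP Address"):
            names.add(value.lower())
    return names

def console_cert_accepted(cert: Dict, param_value: str) -> bool:
    """Accept when any configured name is present in the certificate."""
    return bool(certificate_names(cert) & set(parse_allowed_hostnames(param_value)))

def make_agent_context(mc_ca_path: Optional[str] = None) -> ssl.SSLContext:
    """Chain validation: mc_ca_path alone when set, otherwise the OS trust store."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    # The parameter, not the connection address, is compared, so the
    # built-in hostname check against the dialled address is disabled.
    ctx.check_hostname = False
    if mc_ca_path:
        ctx.load_verify_locations(cafile=mc_ca_path)
    else:
        ctx.load_default_certs()
    return ctx
```

After the handshake, console_cert_accepted(sock.getpeercert(), param_value) would be evaluated once, which mirrors the note that validation happens only at connection time.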