FOG Server – Full Migration from an old HTTPS‑FOG to a new Server (Debian 12)
This guide explains how to fully back up an older FOG server and restore it to a freshly installed server – especially for installations using HTTPS communication between server and clients.
⚠️ Note:
Modern FOG versions only allow TLS 1.2.
Older Windows FOG clients may not connect anymore → update required!
Create backup from the old FOG server
In the old FOG web interface:
FOG Configuration → Configuration Save → Export Database → Export
➜ Save the SQL backup
Backup the SSL certificates:
sudo bash -c '
set -euo pipefail
DEST="/root/fogcerts"
mkdir -p "$DEST/CA"
echo "[1/5] Collecting files …"
# Collect mandatory files (if present)
cp -a /opt/fog/snapins/ssl/.srvprivate.key "$DEST/" 2>/dev/null || true
cp -a /opt/fog/snapins/ssl/CA/.fogCA.key "$DEST/CA/" 2>/dev/null || true
cp -a /opt/fog/snapins/ssl/CA/.fogCA.pem "$DEST/CA/" 2>/dev/null || true
cp -a /opt/fog/snapins/ssl/CA/.fogCA.srl "$DEST/CA/" 2>/dev/null || true
cp -a /var/www/fog/management/other/ssl/srvpublic.crt "$DEST/" 2>/dev/null || true
cp -a /var/www/fog/management/other/ca.cert.pem "$DEST/" 2>/dev/null || true
cp -a /var/www/fog/management/other/ca.cert.der "$DEST/" 2>/dev/null || true
# Optional helpful templates/CSR (if present)
cp -a /opt/fog/snapins/ssl/ca.cnf "$DEST/" 2>/dev/null || true
cp -a /opt/fog/snapins/ssl/req.cnf "$DEST/" 2>/dev/null || true
cp -a /opt/fog/snapins/ssl/fog.csr "$DEST/" 2>/dev/null || true
echo "[2/5] Hardening permissions …"
chown -R root:root "$DEST"
chmod 700 "$DEST"
[ -f "$DEST/.srvprivate.key" ] && chmod 600 "$DEST/.srvprivate.key"
[ -f "$DEST/CA/.fogCA.key" ] && chmod 600 "$DEST/CA/.fogCA.key"
echo "[3/5] Listing content …"
ls -lah "$DEST" || true
ls -lah "$DEST/CA" || true
echo "[4/5] Creating checksums …"
( cd "$DEST" && find . -type f \( -name "*.key" -o -name "*.crt" -o -name "*.pem" -o -name "*.der" \) -print0 | xargs -0 sha256sum > SHA256SUMS.txt )
echo "[5/5] Creating archive …"
ARCH="/root/fogcerts_$(date +%F).tar.gz"
tar -czf "$ARCH" -C /root fogcerts
chmod 600 "$ARCH"
echo
echo "Done. Archive: $ARCH"
echo "To list archive content: tar -tzf $ARCH"
echo "To verify checksums: cat /root/fogcerts/SHA256SUMS.txt"
'
Save the archive (e.g. fogcerts_YYYY-MM-DD.tar.gz) using WinSCP
→ Old server may now be shut down
Prepare new Debian-12 server
Install Debian 12 without GUI but WITH SSH server
Allow root login via SSH (/etc/ssh/sshd_config)
Configure IP & reboot
Connect via PuTTY as root
Install FOG server
apt update && apt install git -y
cd /root
cd /root
git clone https://github.com/FOGProject/fogproject.git
cd fogproject/bin
./installfog.sh
Configure FOG as usual
Import database from the old server
In the new FOG web interface:
• FOG Configuration → FOG Settings
Save mysqlpass (under Storage Nodes)
Save TFTP FTP Password (under TFTP Server)
• Storage → DefaultMember → Save Management Password
• Configuration Save → Import Database
→ Select the SQL backup & import it
Afterwards: Enter the three passwords back in their original places
Copy certificates to the new server
Transfer the archive to /root
(e.g. fogcerts_2025-10-25.tar.gz)
Stop services:
systemctl stop apache2
systemctl stop FOGImageReplicator
systemctl stop FOGScheduler
Extract archive:
cd /root
tar -xzf fogcerts_*.tar.gz
Copy certificates & set permissions:
# Private Keys & CA
cp -a /root/fogcerts/.srvprivate.key /opt/fog/snapins/ssl/
cp -a /root/fogcerts/CA/.fogCA.key /opt/fog/snapins/ssl/CA/
cp -a /root/fogcerts/CA/.fogCA.pem /opt/fog/snapins/ssl/CA/
[ -f /root/fogcerts/CA/.fogCA.srl ] && cp -a /root/fogcerts/CA/.fogCA.srl /opt/fog/snapins/ssl/CA/
# Server Public Cert & CA Public
cp -a /root/fogcerts/srvpublic.crt /var/www/fog/management/other/ssl/
cp -a /root/fogcerts/ca.cert.pem /var/www/fog/management/other/
cp -a /root/fogcerts/ca.cert.der /var/www/fog/management/other/
chown -R fogproject:www-data /opt/fog/snapins/ssl
chmod 600 /opt/fog/snapins/ssl/.srvprivate.key
chmod 600 /opt/fog/snapins/ssl/CA/.fogCA.key
chown -R www-data:www-data /var/www/fog/management/other
Start services:
systemctl start apache2
systemctl start FOGImageReplicator
systemctl start FOGScheduler
Rebuild boot images (with certificate)
Install required software:
apt-get update
apt-get install -y git build-essential gcc make binutils perl mtools liblzma-dev libssl-dev zlib1g-dev pkg-config nasm libiberty-dev uuid-dev xz-utils cpio gcc-aarch64-linux-gnu
Rebuild PXE boot loaders:
cd /root/fogproject/utils/FOGiPXE
# Select one CA certificate path:
CA=/var/www/fog/management/other/ca.cert.pem
# or:
# CA=/opt/fog/snapins/ssl/CA/.fogCA.pem
bash ./buildipxe.sh "$CA"
Copy new files:
# Standard loader (without 10s delay)
cp -av /root/fogproject/packages/tftp/* /tftpboot/
# Optional 10s-delay loaders:
# cp -av /root/fogproject/packages/tftp/10secdelay/* /tftpboot/
Restart TFTP service:
systemctl restart tftpd-hpa
FINISHED
If all steps were successful, clients will securely reconnect using HTTPS again.