ca fog service "error failed to decrypt" when snapins in non-default directory
-
I had set my snapins to a different directory (/images/snapins with /images being a symlink to /home/fogRootSystem/images)
But the original install had created the /opt/fog/snapins directory and put the ca ssl folders there.
But then it did put the CA ssl folders with new keys in the new /images/snapins folder.
All day today I have been troubleshooting the client wondering why it suddenly stopped authenticating. Uninstalling and reinstalling, re-imaging, modifying the msi, resetting encryption data, running the fog install script with the --recreate-CA and --recreate-keys options. And nothing worked. Then I noticed the duplicate CA and SSL directories and got to thinking that maybe that’s not supposed to be a thing. So I moved the /opt/fog/snapins folder to my /images/snapins directory
mv -f /opt/fog/snapins /images/snapins
then deleted the opt folder
rm -fr /opt/fog/snapins
then made a symlink
ln -s /images/snapins /opt/fog/snapins
Then I reran the fog installer like this
./installfog.sh --recreate-CA --recreate-keys -Y
and now the client is working again (after reinstall on the client).
So a fix exists, but it seems that changing the snapins directory doesn’t work for the client and causes weird ca/ssl authentication errors.
It’s possible that something else I did fixed my issue, but I am 99.9% sure that the symlink and reinstall recreating the CA is what solved it.
-
@Arrowhead-IT I’m aware of what the problem is, and it’s because I am forcing the directory of snapins to contain the ssl files.
In the code, particularly the decrypt code, I’m specifically searching the /opt/fog/snapins/ssl folder to do the decryption, or the global FOG_SNAPINDIR setting if it is set. Maybe this can help fix the problem? I will see about making an entry to allow for dynamic use and find of the ssl folder/files. For now, I’d recommend adjusting the global value. I’ll work on making it more dynamic and adjustable per node.
-
@Tom-Elliott I’m pretty sure the global value just always being used would work and just never a static directory.
I had set the global directory originally. I don’t think that I would be able to create or deploy snapins in the gui properly otherwise.
-
@Arrowhead-IT storage nodes now contain their own snapin path, and this is what is used for everything else, it’s only the cert finding that uses the implicit check.
-
Just bumping so I don’t forget about this.
-
@Tom-Elliott code added.
-
Confirmed working. The CA ssl folders can now be separated from the snap-ins folder
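-
The duplicate-directory condition described in the first post can be checked for before reinstalling clients. The script below is an added example, not part of the thread or of the FOG project; the function names are hypothetical, and it assumes each snapin location holds an `ssl` subdirectory as the posts describe.

```shell
#!/bin/sh
# Added example: compare the ssl tree under the static snapin path with the one
# under the configured snapin directory.
# Assumption: both locations contain an "ssl" subdirectory (per the thread).
# Usage with the paths from the thread:
#   sh check_ssl_dirs.sh /opt/fog/snapins /images/snapins

# Print one digest covering every regular file below directory $1.
tree_digest() {
    ( cd "$1" 2>/dev/null || exit 1
      find . -type f -exec sha256sum {} + | sort -k 2 | sha256sum | cut -d' ' -f1 )
}

# check_ssl_dirs STATIC_DIR CONFIGURED_DIR
# Prints and returns:
#   same-location  (0)  one path is a symlink to the other, a single key set
#   identical-copy (0)  two separate trees holding the same files
#   divergent      (1)  two separate trees holding different keys
#   missing        (2)  at least one ssl directory does not exist
check_ssl_dirs() {
    static_ssl="$1/ssl"
    conf_ssl="$2/ssl"
    if [ ! -d "$static_ssl" ] || [ ! -d "$conf_ssl" ]; then
        echo missing
        return 2
    fi
    # pwd -P resolves symlinks, so a linked directory compares equal.
    real_static=$(cd "$static_ssl" && pwd -P)
    real_conf=$(cd "$conf_ssl" && pwd -P)
    if [ "$real_static" = "$real_conf" ]; then
        echo same-location
        return 0
    fi
    if [ "$(tree_digest "$static_ssl")" = "$(tree_digest "$conf_ssl")" ]; then
        echo identical-copy
        return 0
    fi
    echo divergent
    return 1
}

# Run the check when the script is called with two directories.
if [ "$#" -eq 2 ]; then
    check_ssl_dirs "$1" "$2"
fi
```

A `divergent` result matches the situation in the first post, where the installer had written new keys into one location while the decrypt code read the other.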