    Best posts made by PCF24

    • FOG Server – Full Migration from an old HTTPS‑FOG to a new Server (Debian 12)

      FOG Server – Full Migration from an old HTTPS‑FOG to a new Server (Debian 12)

      This guide explains how to fully back up an older FOG server and restore it to a freshly installed server – especially for installations using HTTPS communication between server and clients.

      ⚠️ Note:

      • Modern FOG versions only allow TLS 1.2.
      • Older Windows FOG clients may not connect anymore → update required!
      1. Create backup from the old FOG server

      In the old FOG web interface:

      FOG Configuration → Configuration Save → Export Database → Export
      ➜ Save the SQL backup

      Backup the SSL certificates:

      sudo bash -c '
      set -euo pipefail
      
      DEST="/root/fogcerts"
      mkdir -p "$DEST/CA"
      
      echo "[1/5] Collecting files …"
      # Collect mandatory files (if present)
      cp -a /opt/fog/snapins/ssl/.srvprivate.key            "$DEST/"           2>/dev/null || true
      cp -a /opt/fog/snapins/ssl/CA/.fogCA.key              "$DEST/CA/"        2>/dev/null || true
      cp -a /opt/fog/snapins/ssl/CA/.fogCA.pem              "$DEST/CA/"        2>/dev/null || true
      cp -a /opt/fog/snapins/ssl/CA/.fogCA.srl              "$DEST/CA/"        2>/dev/null || true
      cp -a /var/www/fog/management/other/ssl/srvpublic.crt "$DEST/"           2>/dev/null || true
      cp -a /var/www/fog/management/other/ca.cert.pem       "$DEST/"           2>/dev/null || true
      cp -a /var/www/fog/management/other/ca.cert.der       "$DEST/"           2>/dev/null || true
      
      # Optional helpful templates/CSR (if present)
      cp -a /opt/fog/snapins/ssl/ca.cnf                     "$DEST/"           2>/dev/null || true
      cp -a /opt/fog/snapins/ssl/req.cnf                    "$DEST/"           2>/dev/null || true
      cp -a /opt/fog/snapins/ssl/fog.csr                    "$DEST/"           2>/dev/null || true
      
      echo "[2/5] Hardening permissions …"
      chown -R root:root "$DEST"
      chmod 700 "$DEST"
      [ -f "$DEST/.srvprivate.key" ] && chmod 600 "$DEST/.srvprivate.key"
      [ -f "$DEST/CA/.fogCA.key"   ] && chmod 600 "$DEST/CA/.fogCA.key"
      
      echo "[3/5] Listing content …"
      ls -lah "$DEST" || true
      ls -lah "$DEST/CA" || true
      
      echo "[4/5] Creating checksums …"
      ( cd "$DEST" &&   find . -type f \( -name "*.key" -o -name "*.crt" -o -name "*.pem" -o -name "*.der" \) -print0   | xargs -0 sha256sum > SHA256SUMS.txt )
      
      echo "[5/5] Creating archive …"
      ARCH="/root/fogcerts_$(date +%F).tar.gz"
      tar -czf "$ARCH" -C /root fogcerts
      chmod 600 "$ARCH"
      
      echo
      echo "Done. Archive: $ARCH"
      echo "To list archive content: tar -tzf $ARCH"
      echo "To verify checksums: (cd /root/fogcerts && sha256sum -c SHA256SUMS.txt)"
      '
      

      Save the archive (e.g. fogcerts_YYYY-MM-DD.tar.gz) using WinSCP
      → Old server may now be shut down

      2. Prepare new Debian-12 server
      • Install Debian 12 without GUI but WITH SSH server
      • Allow root login via SSH (/etc/ssh/sshd_config)
      • Configure IP & reboot
      • Connect via PuTTY as root
      3. Install FOG server
      apt update && apt install git -y
      cd /root
      git clone https://github.com/FOGProject/fogproject.git
      cd fogproject/bin
      ./installfog.sh
      

      Configure FOG as usual

      4. Import database from the old server

      In the new FOG web interface:

      • FOG Configuration → FOG Settings

      • Save mysqlpass (under Storage Nodes)
      • Save TFTP FTP Password (under TFTP Server)

      • Storage → DefaultMember → Save Management Password

      • Configuration Save → Import Database
      → Select the SQL backup & import it

      Afterwards: Enter the three passwords back in their original places

      5. Copy certificates to the new server

      Transfer the archive to /root
      (e.g. fogcerts_2025-10-25.tar.gz)

      Stop services:

      systemctl stop apache2
      systemctl stop FOGImageReplicator
      systemctl stop FOGScheduler
      

      Extract archive:

      cd /root
      tar -xzf fogcerts_*.tar.gz
      

      Copy certificates & set permissions:

      # Private Keys & CA
      cp -a /root/fogcerts/.srvprivate.key /opt/fog/snapins/ssl/
      cp -a /root/fogcerts/CA/.fogCA.key /opt/fog/snapins/ssl/CA/
      cp -a /root/fogcerts/CA/.fogCA.pem /opt/fog/snapins/ssl/CA/
      [ -f /root/fogcerts/CA/.fogCA.srl ] && cp -a /root/fogcerts/CA/.fogCA.srl /opt/fog/snapins/ssl/CA/
      
      # Server Public Cert & CA Public
      cp -a /root/fogcerts/srvpublic.crt /var/www/fog/management/other/ssl/
      cp -a /root/fogcerts/ca.cert.pem /var/www/fog/management/other/
      cp -a /root/fogcerts/ca.cert.der /var/www/fog/management/other/
      
      chown -R fogproject:www-data /opt/fog/snapins/ssl
      chmod 600 /opt/fog/snapins/ssl/.srvprivate.key
      chmod 600 /opt/fog/snapins/ssl/CA/.fogCA.key
      
      chown -R www-data:www-data /var/www/fog/management/other
      

      Start services:

      systemctl start apache2
      systemctl start FOGImageReplicator
      systemctl start FOGScheduler
      
      6. Rebuild boot images (with certificate)

      Install required software:

      apt-get update
      apt-get install -y git build-essential gcc make binutils perl mtools \
        liblzma-dev libssl-dev zlib1g-dev pkg-config nasm libiberty-dev uuid-dev \
        xz-utils cpio gcc-aarch64-linux-gnu
      

      Rebuild PXE boot loaders:

      cd /root/fogproject/utils/FOGiPXE
      # Select one CA certificate path:
      CA=/var/www/fog/management/other/ca.cert.pem
      # or:
      # CA=/opt/fog/snapins/ssl/CA/.fogCA.pem
      
      bash ./buildipxe.sh "$CA"
      

      Copy new files:

      # Standard loader (without 10s delay)
      cp -av /root/fogproject/packages/tftp/* /tftpboot/
      
      # Optional 10s-delay loaders:
      # cp -av /root/fogproject/packages/tftp/10secdelay/* /tftpboot/
      

      Restart TFTP service:

      systemctl restart tftpd-hpa
      

      FINISHED
      If all steps were successful, clients will securely reconnect using HTTPS again.

      posted in Tutorials
      PCF24
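Added example (not part of the original post and not one of FOG's own scripts): a pre-flight check to run on the new server after extracting the archive in step 5 and before copying anything into place. It re-checks the SHA256SUMS.txt written by the backup script, confirms each private key belongs to its certificate, and confirms the server certificate verifies against the CA certificate. The function names are hypothetical; the file names are the ones from the post, and the pairing of .fogCA.key with .fogCA.pem is assumed from the names.

```shell
#!/bin/sh
# Added example: pre-flight checks for the extracted fogcerts directory.
# Usage after "tar -xzf fogcerts_*.tar.gz":  verify_fogcerts /root/fogcerts

# Every file listed in SHA256SUMS.txt must still hash to the recorded value.
check_sums() {
    ( cd "$1" && sha256sum -c SHA256SUMS.txt ) >/dev/null 2>&1
}

# A private key belongs to a certificate when both carry the same public key.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# The certificate ($2) must verify against the CA certificate ($1).
cert_chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Run all checks; the return code identifies the first one that failed.
verify_fogcerts() {
    dir=${1:-/root/fogcerts}
    check_sums "$dir" ||
        { echo "FAIL: checksum mismatch in $dir" >&2; return 1; }
    key_matches_cert "$dir/.srvprivate.key" "$dir/srvpublic.crt" ||
        { echo "FAIL: .srvprivate.key does not match srvpublic.crt" >&2; return 2; }
    # Assumption: .fogCA.key and .fogCA.pem are the CA key pair.
    key_matches_cert "$dir/CA/.fogCA.key" "$dir/CA/.fogCA.pem" ||
        { echo "FAIL: .fogCA.key does not match .fogCA.pem" >&2; return 3; }
    cert_chains_to "$dir/ca.cert.pem" "$dir/srvpublic.crt" ||
        { echo "FAIL: srvpublic.crt does not verify against ca.cert.pem" >&2; return 4; }
    echo "OK: checksums, key pairs and chain verified in $dir"
}
```

A non-zero return means the services should stay stopped until the archive has been transferred again or the mismatched file has been identified.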

    Latest posts made by PCF24

    • FOG Server – Full Migration from an old HTTPS‑FOG to a new Server (Debian 12)

      posted in Tutorials
      PCF24
    • RE: Invalid Token.dat with Deep Freeze

      Hello everyone,
      I would also pay for the effort if one of you sent me a script that I could run via crontab.
      Thanks

      posted in General Problems
      PCF24
    • RE: Invalid Token.dat with Deep Freeze

      @Tom-Elliott
      Something like that would be extremely helpful to me. I don’t know enough about the backend. Maybe some of you have more information about this.
      Thanks

      posted in General Problems
      PCF24
    • RE: Invalid Token.dat with Deep Freeze

      @Tom-Elliott
      Thank you very much for your reply.
      The Fog Client definitely makes sense for software distribution. The image is rolled out once, after which the software should be kept up to date via the software distribution. This means that the software on the computers is more up-to-date and you hardly have to do any work. This is how we currently do it with a different software distribution. But I would like to use the software distribution from FOG.

      I just don’t understand why the FOG client has to update the token every time the computer starts.
      If the Fog Client only did this once at the very beginning (first commissioning), security would also be guaranteed. The Token.dat is currently updated every time a user logs in.
      Even with Windows you can define that the computer account should not be updated so that the computer does not fall out of the domain. Otherwise Deep Freeze would not work at all in a Windows domain.
      If necessary, I have to move the FOGClient to an unprotected partition. But that would be a lot of work with 1500 computers.

      Is there perhaps a way that I could automatically run “Reset Encryption Data”? That would save me a lot of work.
      Thanks

      posted in General Problems
      PCF24
    • Invalid Token.dat with Deep Freeze

      Hello everyone,
      We would like to install software on the student computers in the future. Unfortunately we have a problem with the FOG Client Token. We use Deep Freeze as protection software. This software does not allow changes to be retained on the hard drive. After a restart, all changes to the operating system are reset.
      The token.dat is also reset and the FOG client can no longer communicate with the server. Invalid Token.dat appears in the log.
      If we go to “Reset Encryption Data” on the host in the FOG server, it works again.
      Can you switch off token renewal on the client?
      Or perhaps you can simply use the FOG API to automatically “Reset Encryption Data” on all clients every DAY.
      Or can you switch off the checking of the token?
      Thanks in advance.
      Heinz

      posted in General Problems
      PCF24