Problem with HTTPS upgrade
-
@sbenson So is this solved then?
-
@sebastian-roth No, now the ipxe boot screen says https, and still doesn’t work. I have not re-created the SSL cert as Tom said.
-
@sbenson What Tom was saying is not re-creating the SSL certs but compiling your own iPXE binaries with the cert included…
-
I am not sure how to recompile ipxe. I did just upgrade from RC4 to RC7 and it didn’t help. I have done a git pull and don’t see anywhere to compile it.
-
@sebastian-roth said in Problem with HTTPS upgrade:
@sbenson This command is used to compile an iPXE binary from the source code and add the SSL certificate to it. Instructions on how to do this you can find in the wiki. Those instructions are for legacy (undionly.kpxe) as well as for 32 bit UEFI and 64 bit UEFI. Make sure you compile and put the correct ones into your /tftpboot directory. Possibly you want to compile all three if you have all those different clients. Let us know if you need help. Please post exact command and steps you tried and the error message you see. Then we will surely be able to help.
-
@sebastian-roth
FYI the wiki is wrong for the efi portion.
It has the wgets listed as
http://sourceforge.net/p/freeghost/code/HEAD/tree/trunk/src/ipxe-efi/src/config/…
and should be
http://sourceforge.net/p/freeghost/code/HEAD/tree/trunk/src/ipxe/src-efi/config/…
-
OK, all files compiled with the certs, now when I select deploy images, it instantly switches back to the fog main screen. I am still trying to figure out why, nothing in /var/log or /var/log/fog.
I am doing a quick registration to see if it deploys through there. And it fails to register.
-
@sbenson Can you create a backup of your /tftpboot folder?
I’d also ask that you update to the latest rc please. I added, after rc4 I think, the links will change for the protocol being requested. rc4 still caused defaults to jump to http for internal links.
-
Create a backup of your current /tftpboot say as /tftpboot_persSigned.
Upgrade.
Once upgrade complete do:
mv /tftpboot /tftpboot_orig
mv /tftpboot{_persSigned,}
-
@tom-elliott I said yesterday that I updated to RC7. I have the booting fixed by adding the cert to the files, but now registrations don’t work, and it’s not listing images from the ipxe “Deploy images” menu
-
@tom-elliott
Upon doing this, now the pxe booting starts, and instantly drops back to the laptop netboot selection.
[12:45:21] root@SRO-FOG-01[0]:/$ diff -r tftpboot tftpboot_orig/
Binary files tftpboot/i386-efi/intel.efi and tftpboot_orig/i386-efi/intel.efi differ
Binary files tftpboot/i386-efi/ipxe.efi and tftpboot_orig/i386-efi/ipxe.efi differ
Binary files tftpboot/i386-efi/snponly.efi and tftpboot_orig/i386-efi/snponly.efi differ
Binary files tftpboot/intel.efi and tftpboot_orig/intel.efi differ
Binary files tftpboot/intel.pxe and tftpboot_orig/intel.pxe differ
Binary files tftpboot/ipxe.efi and tftpboot_orig/ipxe.efi differ
Binary files tftpboot/ipxe.pxe and tftpboot_orig/ipxe.pxe differ
Only in tftpboot: pxelinux.0
Only in tftpboot/pxelinux.cfg: default.bad
Only in tftpboot/pxelinux.cfg: default.dist
Binary files tftpboot/snponly.efi and tftpboot_orig/snponly.efi differ
Binary files tftpboot/undionly.kkpxe and tftpboot_orig/undionly.kkpxe differ
Binary files tftpboot/undionly.kpxe and tftpboot_orig/undionly.kpxe differ
-
As to why it keeps redirecting to the main boot system I’m not sure, but seeing as some items are seemingly selectable (such as being able to boot to register hosts?)
I’ve updated the init’s in an attempt to ensure the curl requests follow redirects. Please see if it at least allows you to boot and register a host?
To download please do:
wget https://fogproject.org/inits/init.xz -O /var/www/fog/service/ipxe/init.xz
wget https://fogproject.org/inits/init_32.xz -O /var/www/fog/service/ipxe/init_32.xz
-
@tom-elliott
Weird, now it is booting back to not finding http://10.63.76.44/fog/service/ipxe/boot.php. Changed the default.pxe and it still doesn’t. Now it is using the new build version of ipxe though. Oh, that might be an RC4 to RC7 change; it was on 9ccd8 and is now on 70544.
-
@sbenson said in Problem with HTTPS upgrade:
Weird, now it is booting back to not finding http://10.63.76.44/fog/service/ipxe/boot.php. Changed the default.pxe and it still doesn’t
From what to what did you change the default.ipxe file? Maybe you edited the wrong file - getting confused moving around the /tftpboot directories and files!?
-
@sebastian-roth
This seems to all be stemming from SSL, and I don’t know if anyone else is using SSL. I found an issue with the install script previously that would make it so people couldn’t install SSL without fixing it manually. So if that was a problem and no one noticed, I don’t think anyone else uses SSL.
[11:45:12] sbenson@SRO-FOG-01[0]:/tftpboot$ cat default.ipxe
#!ipxe
cpuid --ext 29 && set arch x86_64 || set arch i386
params
param mac0 ${net0/mac}
param arch ${arch}
param platform ${platform}
param product ${product}
param manufacturer ${product}
param ipxever ${version}
param filename ${filename}
param sysuuid ${uuid}
isset ${net1/mac} && param mac1 ${net1/mac} || goto bootme
isset ${net2/mac} && param mac2 ${net2/mac} || goto bootme
:bootme
chain https://10.63.76.44/fog/service/ipxe/boot.php##params
-
@sbenson Ok, and could you please take a new picture of the current error message you see on screen with this?
-
@sebastian-roth said in Problem with HTTPS upgrade:
@sbenson Ok, and could you please take a new picture of the current error message you see on screen with this?
The screen is the same as the previous screen. I even re-made the files suggested in the below code, because I wasn’t sure if the cert was recreated after I reinstalled it. In any case, it’s not working. Still says
Https://10.63.76.44/fog/service/ipxe/boot.php… No such file or directory
cd ~/projects/ipxe/ipxe-bios/src
make bin/undionly.kpxe EMBED=ipxescript TRUST=/var/www/fog/management/other/ssl/srvpublic.crt
make bin/ipxe.pxe EMBED=ipxescript TRUST=/var/www/fog/management/other/ssl/srvpublic.crt
make bin/undionly.kkpxe EMBED=ipxescript TRUST=/var/www/fog/management/other/ssl/srvpublic.crt
make bin/intel.pxe EMBED=ipxescript TRUST=/var/www/fog/management/other/ssl/srvpublic.crt
# simple 32 bit EFI binaries with embedded script
cd ~/projects/ipxe/ipxe-efi/src
make bin-i386-efi/ipxe.efi EMBED=ipxescript TRUST=/var/www/fog/management/other/ssl/srvpublic.crt
make bin-i386-efi/snponly.efi EMBED=ipxescript TRUST=/var/www/fog/management/other/ssl/srvpublic.crt
make bin-i386-efi/intel.efi EMBED=ipxescript TRUST=/var/www/fog/management/other/ssl/srvpublic.crt
# simple 64 bit EFI binaries
cd ~/projects/ipxe/ipxe-efi/src
make bin-x86_64-efi/ipxe.efi EMBED=ipxescript TRUST=/var/www/fog/management/other/ssl/srvpublic.crt
make bin-x86_64-efi/snponly.efi EMBED=ipxescript TRUST=/var/www/fog/management/other/ssl/srvpublic.crt
make bin-x86_64-efi/intel.efi EMBED=ipxescript TRUST=/var/www/fog/management/other/ssl/srvpublic.crt
-
@sbenson but you’re not using the CA for the trust, you’re using the server’s public key. That key is trusted by the server’s CA key. As ipxe doesn’t have that chain of authority, it cannot confirm if the passed in certificate can be trusted.
-
@tom-elliott ohhh, other posts said to “trust” that cert…so I was confused. So I should have
TRUST=/usr/lib/ssl/certs/ca-certificates.crt
instead?
EDIT: That didn’t work…
-
To help out with rebuilding here’s my “build” layout.
/root/fogproject = Location of repo data as required.
/root/ipxe = bios
/root/ipxe-efi = uefi/efi building.
buildIpxe shell script:
NOTE: call the script as
buildIpxe TRUST=/var/www/fog/management/other/ca.cert.pem
(It will pass the additional arguments into ipxe building for you)
#!/bin/bash
# Change directory to base ipxe files
cd /root/ipxe
# Pull in new data
[[ -z $nopull ]] && git pull
# Change to the proper build directory
cd /root/ipxe/src/
# Build the files
make -j $(nproc) bin/ipxe.iso bin/{undionly,ipxe,intel,realtek}.{,k,kk}pxe bin/ipxe.lkrn EMBED=ipxescript $*
# Copy files to repo location as required.
cp /root/ipxe/src/bin/undionly.pxe /root/fogproject/packages/tftp/
cp /root/ipxe/src/bin/ipxe.pxe /root/fogproject/packages/tftp/
cp /root/ipxe/src/bin/intel.pxe /root/fogproject/packages/tftp/
cp /root/ipxe/src/bin/realtek.pxe /root/fogproject/packages/tftp/
cp /root/ipxe/src/bin/undionly.kpxe /root/fogproject/packages/tftp/
cp /root/ipxe/src/bin/ipxe.kpxe /root/fogproject/packages/tftp/
cp /root/ipxe/src/bin/intel.kpxe /root/fogproject/packages/tftp/
cp /root/ipxe/src/bin/realtek.kpxe /root/fogproject/packages/tftp/
cp /root/ipxe/src/bin/undionly.kkpxe /root/fogproject/packages/tftp/
cp /root/ipxe/src/bin/ipxe.kkpxe /root/fogproject/packages/tftp/
cp /root/ipxe/src/bin/intel.kkpxe /root/fogproject/packages/tftp/
cp /root/ipxe/src/bin/realtek.kkpxe /root/fogproject/packages/tftp/
# Copy lkrn and iso files to repo.
cp /root/ipxe/src/bin/ipxe.lkrn /root/fogproject/packages/tftp/ipxe.krn
cp /root/ipxe/src/bin/ipxe.iso /root/fogproject/packages/tftp/ipxe.iso
# Copy the configuration for our stuff to repo
cp /root/ipxe/src/ipxescript /root/fogproject/src/ipxe/src/ipxescript
cp /root/ipxe/src/config/general.h /root/fogproject/src/ipxe/src/config/general.h
cp /root/ipxe/src/config/settings.h /root/fogproject/src/ipxe/src/config/settings.h
cp /root/ipxe/src/config/console.h /root/fogproject/src/ipxe/src/config/console.h
# Build with 10 second delay
make -j $(nproc) bin/ipxe.iso bin/{undionly,ipxe,intel,realtek}.{,k,kk}pxe bin/ipxe.lkrn EMBED=ipxescript10sec $*
# Copy the files to upload to repository for GIT
cp /root/ipxe/src/bin/undionly.pxe /root/fogproject/packages/tftp/10secdelay
cp /root/ipxe/src/bin/ipxe.pxe /root/fogproject/packages/tftp/10secdelay
cp /root/ipxe/src/bin/intel.pxe /root/fogproject/packages/tftp/10secdelay
cp /root/ipxe/src/bin/realtek.pxe /root/fogproject/packages/tftp/10secdelay
cp /root/ipxe/src/bin/undionly.kpxe /root/fogproject/packages/tftp/10secdelay
cp /root/ipxe/src/bin/ipxe.kpxe /root/fogproject/packages/tftp/10secdelay
cp /root/ipxe/src/bin/intel.kpxe /root/fogproject/packages/tftp/10secdelay
cp /root/ipxe/src/bin/realtek.kpxe /root/fogproject/packages/tftp/10secdelay
cp /root/ipxe/src/bin/undionly.kkpxe /root/fogproject/packages/tftp/10secdelay
cp /root/ipxe/src/bin/ipxe.kkpxe /root/fogproject/packages/tftp/10secdelay
cp /root/ipxe/src/bin/intel.kkpxe /root/fogproject/packages/tftp/10secdelay
cp /root/ipxe/src/bin/realtek.kkpxe /root/fogproject/packages/tftp/10secdelay
cp /root/ipxe/src/bin/ipxe.lkrn /root/fogproject/packages/tftp/10secdelay/ipxe.krn
cp /root/ipxe/src/bin/ipxe.iso /root/fogproject/packages/tftp/10secdelay/ipxe.iso
cp /root/ipxe/src/ipxescript10sec /root/fogproject/src/ipxe/src/ipxescript10sec
# Change to the efi layout
cd /root/ipxe-efi
# Pull in the new data
[[ -z $nopull ]] && git pull
# Change to the proper build directory
cd /root/ipxe-efi/src/
# Build the files
make -j $(nproc) bin-{i386,x86_64}-efi/{snp{,only},ipxe,intel,realtek}.efi EMBED=ipxescript $*
# Copy the files to upload to the repository for GIT
cp /root/ipxe-efi/src/bin-i386-efi/snp.efi /root/fogproject/packages/tftp/i386-efi/
cp /root/ipxe-efi/src/bin-i386-efi/snponly.efi /root/fogproject/packages/tftp/i386-efi/
cp /root/ipxe-efi/src/bin-i386-efi/ipxe.efi /root/fogproject/packages/tftp/i386-efi/
cp /root/ipxe-efi/src/bin-i386-efi/intel.efi /root/fogproject/packages/tftp/i386-efi/
cp /root/ipxe-efi/src/bin-i386-efi/realtek.efi /root/fogproject/packages/tftp/i386-efi/
cp /root/ipxe-efi/src/bin-x86_64-efi/snp.efi /root/fogproject/packages/tftp/
cp /root/ipxe-efi/src/bin-x86_64-efi/snponly.efi /root/fogproject/packages/tftp/
cp /root/ipxe-efi/src/bin-x86_64-efi/ipxe.efi /root/fogproject/packages/tftp/
cp /root/ipxe-efi/src/bin-x86_64-efi/intel.efi /root/fogproject/packages/tftp/
cp /root/ipxe-efi/src/bin-x86_64-efi/realtek.efi /root/fogproject/packages/tftp/
# Copy the configuration for our stuff to GIT
cp /root/ipxe-efi/src/ipxescript /root/fogproject/src/ipxe/src-efi/ipxescript
cp /root/ipxe-efi/src/config/general.h /root/fogproject/src/ipxe/src-efi/config/general.h
cp /root/ipxe-efi/src/config/settings.h /root/fogproject/src/ipxe/src-efi/config/settings.h
cp /root/ipxe-efi/src/config/console.h /root/fogproject/src/ipxe/src-efi/config/console.h
# Build with 10 second delay
make -j $(nproc) bin-{i386,x86_64}-efi/{snp{,only},ipxe,intel,realtek}.efi EMBED=ipxescript10sec $*
# Copy the files to upload to the repository for GIT
cp /root/ipxe-efi/src/bin-i386-efi/snp.efi /root/fogproject/packages/tftp/10secdelay/i386-efi/
cp /root/ipxe-efi/src/bin-i386-efi/snponly.efi /root/fogproject/packages/tftp/10secdelay/i386-efi/
cp /root/ipxe-efi/src/bin-i386-efi/ipxe.efi /root/fogproject/packages/tftp/10secdelay/i386-efi/
cp /root/ipxe-efi/src/bin-i386-efi/intel.efi /root/fogproject/packages/tftp/10secdelay/i386-efi/
cp /root/ipxe-efi/src/bin-i386-efi/realtek.efi /root/fogproject/packages/tftp/10secdelay/i386-efi/
cp /root/ipxe-efi/src/bin-x86_64-efi/snp.efi /root/fogproject/packages/tftp/10secdelay/
cp /root/ipxe-efi/src/bin-x86_64-efi/snponly.efi /root/fogproject/packages/tftp/10secdelay/
cp /root/ipxe-efi/src/bin-x86_64-efi/ipxe.efi /root/fogproject/packages/tftp/10secdelay/
cp /root/ipxe-efi/src/bin-x86_64-efi/intel.efi /root/fogproject/packages/tftp/10secdelay/
cp /root/ipxe-efi/src/bin-x86_64-efi/realtek.efi /root/fogproject/packages/tftp/10secdelay/
# Copy the 10 sec delay configuration script.
cp /root/ipxe-efi/src/ipxescript10sec /root/fogproject/src/ipxe/src-efi/ipxescript10sec
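-
Added example, not part of the thread and not FOG's or iPXE's own tooling: the posts above pass different files as TRUST= (the server certificate, a CA bundle, FOG's ca.cert.pem), and a candidate can be checked against the server certificate before rebuilding. The function names are hypothetical, and the CA, the second unrelated CA and the server certificate are constructed throwaway data generated by the script.

```bash
# Added example, not from the thread: pre-build check of a TRUST= candidate.
# check_trust, make_demo_pki, demo are hypothetical names; certs are constructed.
#
# check_trust <candidate.pem> <server-cert.pem> returns:
#   0 = candidate is a CA certificate and the server certificate chains to it
#   1 = candidate is not a CA certificate (for example the server's own cert)
#   2 = candidate is a CA, but the server certificate does not verify against it
check_trust() {
    local candidate=$1 server=$2
    openssl x509 -in "$candidate" -noout -text | grep -q 'CA:TRUE' || return 1
    openssl verify -CAfile "$candidate" "$server" >/dev/null 2>&1 || return 2
    return 0
}

# Create in $1: ca.cert.pem (issuing CA), other-ca.pem (unrelated CA), srvpublic.crt
make_demo_pki() {
    local d=$1 name
    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    for name in ca.cert other-ca; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$d/ca.cnf" \
            -subj "/CN=Constructed demo $name" -keyout "$d/$name.key" \
            -out "$d/$name.pem" 2>/dev/null || return 1
    done
    openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
        -subj '/CN=fog.example.test' -keyout "$d/srv.key" -out "$d/srv.csr" \
        2>/dev/null || return 1
    openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.cert.pem" -CAkey "$d/ca.cert.key" \
        -CAcreateserial -days 2 -out "$d/srvpublic.crt" 2>/dev/null
}

demo() {
    local d f rc
    d=$(mktemp -d) && make_demo_pki "$d" || return 99
    for f in srvpublic.crt other-ca.pem ca.cert.pem; do
        rc=0; check_trust "$d/$f" "$d/srvpublic.crt" || rc=$?
        echo "TRUST=$f -> $rc"
    done
    rm -rf "$d"
}
demo
```

On a real server the two arguments would be the file intended for TRUST= and the certificate the web server actually presents.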