FOG Client on a Mac
-
Is your fogserver installed with the --force-https switch?
-
Specifically:
-S --force-https Force HTTPS for all comunication
You would run:
./installfog.sh -Sy
as needed. -
Hey Tom,
My FOG server setup is setup to use https. On PC the https switch works fine, have about 200 computers able to install it and communicate with the server. It’s when I try with the same switch on Mac that i have the issue. Granted, when installing on PC i use the MSI installer with switches, not the SmartInstaller.
-
@hancocza The HTTPS part of FOG/fog-client is still kind of new and not many people have used it so there might be an issue though the fog-client code is backed by a test framework. But let’s see what we can figure out first.
- What OS/version is your FOG server running on?
- Did you let FOG setup the apache config for you or did you set it up yourself?
- Can you access http://x.x.x.x/fog/management/other/ca.cert.der using your browser (note this is a HTTP URL!)?
-
@sebastian-roth I am running FOG on Ubuntu 16.04 LTS, Fog version is 1.5.0-RC9. I let FOG setup the apache config on it’s own using the https switch in the installer, but then afterwards I changed the hostname to reflect the FQDN of our server, not the IP Address. Also, I pointed the apache config to a different location for certificates for the Web GUI over SSL. I am also able to access the ca.cert.der file using http.
-
@hancocza said in FOG Client on a Mac:
Also, I pointed the apache config to a different location for certificates for the Web GUI over SSL.
Well, that is an issue I suppose. The CA (cert) you use does not have the “FOG CA” string in it that the client looks for… The SSL implementation of FOG is made to work out of the box as a self-signed piece but we haven’t made it ready for businesses having their own CA yet. Which cert is your ca.cert.der, it’s that of your company, right?
Changing the settings.json is a nice hack on windows but I think we should get it right in the first place.
-
@sebastian-roth
I only use the CA for the Web GUI. I edited the etc\apache2\sites-enabled\001fog file to point to my company’s CA Cert. The ca.cert.der is still fog’s original cert, which i left in place because at the start of my switch to SSL, moving them caused issues with the SSL version of FOG Client. When I left the original certificates in place and edited the 001fog.conf file to point to the custom ones instead, the client works with SSL. On Windows, I no longer have to change the settings.json file, installing it with the switches works. It’s just on Mac OS that it doesn’t work with the switches. -
@hancocza From my point of view (not being the original developer of the fog-client code) I’d say that the usual way in SSL terms would be to generate a so called sub CA and let that be signed from your main company CA. Put that sub CA certificate and key in the right places, re-run the installer and let it create webserver cert and key from that “custom” sub CA. What you’d have to take care of when generating that sub CA is that it has the correct issuer and subject string:
openssl x509 -in /var/www/fog/management/other/ca.cert.pem -text -noout Certificate: Data: Version: 3 (0x2) Serial Number: b2:19:a9:4d:35:bd:a6:f7 Signature Algorithm: sha512WithRSAEncryption Issuer: CN=FOG Server CA Validity Not Before: Feb 3 21:17:05 2017 GMT Not After : Feb 1 21:17:05 2027 GMT Subject: CN=FOG Server CA Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (4096 bit) ...
Note that
CN=FOG Server CA
.I’ll try to look into testing the fog-client on a Mac OS machine I have access too sometimes. But can’t promise when that will be.
-
@sebastian-roth said in FOG Client on a Mac:
No rush, I leave for a two week vacation tomorrow and it’s not a immediate issue. Thanks! -
@hancocza Are you able to create a proper sub CA at all?
-
@sebastian-roth I’m not sure how to do that. We’ve talked about it before on this forum, re-rolling the client, but then i found if i leave the certs that the client looks for in their normal place, and then use the company’s certs for just the web server, it works fine, at least for PC clients which is a majority of what we have. Because of that and the fact that we only have like 5 iMacs, I haven’t really messed with it.
-
@hancocza Looking into this in more detail I found out that our current fog-client is not able to handle sub/intermediate CAs. Although this would be the proper way to integrate custom CAs we can’t do this yet.
So back to your problem I reckon that your company CA cert is not known in the Mac OS X mono keychain and that’s why pinning fails. Did you import the CA cert to your Windows install? Should do this in Mac OS X as well.
-
@sebastian-roth I didn’t import it on any installs that I’ve done. It always just installs the certificate that is on the server. I believe it’s called srvpublic or something like that, in the SSL folder.
-
@hancocza Most probably your windows PCs have the CA certificate (imported) that was used to sign the other certificates. To be more concrete - the .NET keystore has the right CA cert to verify the other certs. But probably the Mac OS X mono keystore doesn’t!
Edit: Which version of mono did you install and which version of Mac OS X do you use?