I goofed up the cert for my FOG server(s). Can I recover?

THEMCV

FOG Server Ver: Working 69

FOG Client: 0.11.12

I was following the process lined out in the documentation for transferring everything to a new FOG server. For context, I moved from a physical machine to a Hyper-V Host.

Everything was good until I powered up the old server again thinking I had changed the IP of it. I hadn’t. So now my FOG clients are not trusting the new FOG server.

Hopefully this isn’t a start from scratch problem.

THEMCV

@wayne-workman Hey Wayne, thanks for your help. You can close this. We are migrating to a new image anyways and I don’t have a ton that are deployed out, so I’m just going to start from scratch. Thank you very much. : )

Wayne Workman

@themcv Turn off the old server, and reset the encryption on all hosts. They should be fine.

THEMCV

@wayne-workman Is there a way to do all of them at once?

Sebastian Roth

@themcv said in I goofed up the cert for my FOG server(s). Can I recover?:

So now my FOG clients are not trusting the new FOG server.

What makes you think this is the case? Anything in the fog-client log? The encryption data on the server is more or less and entry in the DB so you can reset all at once by issuing a SQL update command but first let’s see what the actual issue is (logs…) before we are heading the wrong way with this.

THEMCV

@sebastian-roth said in I goofed up the cert for my FOG server(s). Can I recover?:

Yep, sorry should have included that.

 10/31/2017 1:12 PM Data::RSA FOG Server CA cert found
 10/31/2017 1:12 PM Data::RSA ERROR: Certificate validation failed
 10/31/2017 1:12 PM Data::RSA ERROR: Trust chain did not complete to the known authority anchor. Errors: The signature of the certificate cannot be verified. (NotSignatureValid)
 10/31/2017 1:12 PM Middleware::Authentication ERROR: Could not authenticate
 10/31/2017 1:12 PM Middleware::Authentication ERROR: Certificate is not from FOG CA

Sebastian Roth

@THEMCV Where is the certificate on the new FOG server from? Should be accessible via http://x.x.x.x/fog/management/other/ssl/srvpublic.crt. Is this a generated certificate from the FOG installer or a custom certificate?

Does this happen on all your client? How many have you checked?

The error Certificate is not from FOG CA indicates that something is wrong with that certificate. For now I don’t see this being an issue where clients need a reset on the encryption data…

THEMCV

@sebastian-roth Ooohh wait. I downloaded it and it is looking at the wrong IP. How can I re-issue the cert with it pointing to the right IP?

Sebastian Roth

@THEMCV Wrong IP?!? Did you move that FOG server from hardware to Hyper-V and change the IP address as well? I hope you’re aware of this wiki article: https://wiki.fogproject.org/wiki/index.php/Change_FOG_Server_IP_Address

Is this certificate being generated by FOG?

Wayne Workman

This is exactly the sort of thing that is avoided by using DNS names instead of IPs when installing the FOG Client into images/onto hosts.

THEMCV

@sebastian-roth Yes, and in the mixup I must have setup FOG when it had a different IP. Oops.

@Wayne-Workman You’re totally right. Old habit from when I first started working with FOG and that’s how the boss wanted it.

Sebastian Roth

@themcv said in I goofed up the cert for my FOG server(s). Can I recover?:

I downloaded it and it is looking at the wrong IP. How can I re-issue the cert with it pointing to the right IP?

Make sure you have the IP right in all the places mentioned in the wiki. Then simply re-run the installer and it should issue a new cert for you having the correct IP set in ther cert subject.

THEMCV

@sebastian-roth No go.

 11/3/2017 1:22 PM Data::RSA FOG Server CA cert found
 11/3/2017 1:22 PM Data::RSA ERROR: Certificate validation failed
 11/3/2017 1:22 PM Data::RSA ERROR: Trust chain did not complete to the known authority anchor. Errors: The signature of the certificate cannot be verified. (NotSignatureValid)
 11/3/2017 1:22 PM Middleware::Authentication ERROR: Could not authenticate
 11/3/2017 1:22 PM Middleware::Authentication ERROR: Certificate is not from FOG CA

Getting this still unfortunately. IP address in the cert is correct now, but I’m getting there’s something still up. Is there anything else I can do?

Wayne Workman

@themcv Did you transfer the correct certificate from the old fog server to the new one? I have steps outlined on how to do this here: https://wiki.fogproject.org/wiki/index.php?title=Migrate_FOG#If_old_server_was_FOG_1.3.0.2B There’s also these more generalized steps that describe the same process: https://wiki.fogproject.org/wiki/index.php?title=FOG_Client#Maintain_Control_Of_Hosts_When_Building_New_Server

THEMCV

@wayne-workman Errr- no. I actually don’t think I did. I must have missed that.

I will do that as soon as I get back into the office.

Wayne Workman

@themcv said in I goofed up the cert for my FOG server(s). Can I recover?:

How can I re-issue the cert with it pointing to the right IP?

The IP in the cert (if theres even one there, which I don’t remember one being there) does not tell the FOG Client which FOG Server to communicate with, the IP address or DNS name that you enter during the FOG Client installation is what dictates which FOG Server to communicate with.

If your new FOG Server has been given the same IP as the old one, and the old one’s IP has been changed to something else, then you’re close to fixing this. You just need to move the ssl directory from the old fog server to the new one and re-run the installer.

Wayne Workman

@themcv Did you get this fixed?

THEMCV

@wayne-workman No, not yet. I’m sorry, I’ve been promoted so I am sorta swamped with a ton of projects. I promise I will update as soon as I can.

THEMCV

Well bad news

 11/21/2017 2:42 PM Data::RSA FOG Server CA cert found
 11/21/2017 2:42 PM Data::RSA ERROR: Certificate validation failed
 11/21/2017 2:42 PM Data::RSA ERROR: Trust chain did not complete to the known authority anchor. Errors: The signature of the certificate cannot be verified. (NotSignatureValid)
 11/21/2017 2:42 PM Middleware::Authentication ERROR: Could not authenticate
 11/21/2017 2:42 PM Middleware::Authentication ERROR: Certificate is not from FOG CA

Looks like this is going to be a case of starting fresh.

Wayne Workman

@themcv I promise the steps to move the cert over work correctly. I’ve done it like 3 times myself.

THEMCV

@wayne-workman Hey Wayne, thanks for your help. You can close this. We are migrating to a new image anyways and I don’t have a ton that are deployed out, so I’m just going to start from scratch. Thank you very much. : )