I goofed up the cert for my FOG server(s). Can I recover?
-
@themcv Turn off the old server, and reset the encryption on all hosts. They should be fine.
-
@wayne-workman Is there a way to do all of them at once?
-
@themcv said in I goofed up the cert for my FOG server(s). Can I recover?:
So now my FOG clients are not trusting the new FOG server.
What makes you think this is the case? Anything in the fog-client log? The encryption data on the server is more or less and entry in the DB so you can reset all at once by issuing a SQL update command but first let’s see what the actual issue is (logs…) before we are heading the wrong way with this.
-
@sebastian-roth said in I goofed up the cert for my FOG server(s). Can I recover?:
Yep, sorry should have included that.
10/31/2017 1:12 PM Data::RSA FOG Server CA cert found 10/31/2017 1:12 PM Data::RSA ERROR: Certificate validation failed 10/31/2017 1:12 PM Data::RSA ERROR: Trust chain did not complete to the known authority anchor. Errors: The signature of the certificate cannot be verified. (NotSignatureValid) 10/31/2017 1:12 PM Middleware::Authentication ERROR: Could not authenticate 10/31/2017 1:12 PM Middleware::Authentication ERROR: Certificate is not from FOG CA
-
@THEMCV Where is the certificate on the new FOG server from? Should be accessible via http://x.x.x.x/fog/management/other/ssl/srvpublic.crt. Is this a generated certificate from the FOG installer or a custom certificate?
Does this happen on all your client? How many have you checked?
The error
Certificate is not from FOG CA
indicates that something is wrong with that certificate. For now I don’t see this being an issue where clients need a reset on the encryption data… -
@sebastian-roth Ooohh wait. I downloaded it and it is looking at the wrong IP. How can I re-issue the cert with it pointing to the right IP?
-
@THEMCV Wrong IP?!? Did you move that FOG server from hardware to Hyper-V and change the IP address as well? I hope you’re aware of this wiki article: https://wiki.fogproject.org/wiki/index.php/Change_FOG_Server_IP_Address
Is this certificate being generated by FOG?
-
This is exactly the sort of thing that is avoided by using DNS names instead of IPs when installing the FOG Client into images/onto hosts.
-
@sebastian-roth Yes, and in the mixup I must have setup FOG when it had a different IP. Oops.
@Wayne-Workman You’re totally right. Old habit from when I first started working with FOG and that’s how the boss wanted it.
-
@themcv said in I goofed up the cert for my FOG server(s). Can I recover?:
I downloaded it and it is looking at the wrong IP. How can I re-issue the cert with it pointing to the right IP?
Make sure you have the IP right in all the places mentioned in the wiki. Then simply re-run the installer and it should issue a new cert for you having the correct IP set in ther cert subject.
-
@sebastian-roth No go.
11/3/2017 1:22 PM Data::RSA FOG Server CA cert found 11/3/2017 1:22 PM Data::RSA ERROR: Certificate validation failed 11/3/2017 1:22 PM Data::RSA ERROR: Trust chain did not complete to the known authority anchor. Errors: The signature of the certificate cannot be verified. (NotSignatureValid) 11/3/2017 1:22 PM Middleware::Authentication ERROR: Could not authenticate 11/3/2017 1:22 PM Middleware::Authentication ERROR: Certificate is not from FOG CA
Getting this still unfortunately. IP address in the cert is correct now, but I’m getting there’s something still up. Is there anything else I can do?
-
@themcv Did you transfer the correct certificate from the old fog server to the new one? I have steps outlined on how to do this here: https://wiki.fogproject.org/wiki/index.php?title=Migrate_FOG#If_old_server_was_FOG_1.3.0.2B There’s also these more generalized steps that describe the same process: https://wiki.fogproject.org/wiki/index.php?title=FOG_Client#Maintain_Control_Of_Hosts_When_Building_New_Server
-
@wayne-workman Errr- no. I actually don’t think I did. I must have missed that.
I will do that as soon as I get back into the office.
-
@themcv said in I goofed up the cert for my FOG server(s). Can I recover?:
How can I re-issue the cert with it pointing to the right IP?
The IP in the cert (if theres even one there, which I don’t remember one being there) does not tell the FOG Client which FOG Server to communicate with, the IP address or DNS name that you enter during the FOG Client installation is what dictates which FOG Server to communicate with.
If your new FOG Server has been given the same IP as the old one, and the old one’s IP has been changed to something else, then you’re close to fixing this. You just need to move the ssl directory from the old fog server to the new one and re-run the installer.
-
@themcv Did you get this fixed?
-
@wayne-workman No, not yet. I’m sorry, I’ve been promoted so I am sorta swamped with a ton of projects. I promise I will update as soon as I can.
-
Well bad news
11/21/2017 2:42 PM Data::RSA FOG Server CA cert found 11/21/2017 2:42 PM Data::RSA ERROR: Certificate validation failed 11/21/2017 2:42 PM Data::RSA ERROR: Trust chain did not complete to the known authority anchor. Errors: The signature of the certificate cannot be verified. (NotSignatureValid) 11/21/2017 2:42 PM Middleware::Authentication ERROR: Could not authenticate 11/21/2017 2:42 PM Middleware::Authentication ERROR: Certificate is not from FOG CA
Looks like this is going to be a case of starting fresh.
-
@themcv I promise the steps to move the cert over work correctly. I’ve done it like 3 times myself.
-
@wayne-workman Hey Wayne, thanks for your help. You can close this. We are migrating to a new image anyways and I don’t have a ton that are deployed out, so I’m just going to start from scratch. Thank you very much. : )