I goofed up the cert for my FOG server(s). Can I recover?
-
This is exactly the sort of thing that is avoided by using DNS names instead of IPs when installing the FOG Client into images/onto hosts.
-
@sebastian-roth Yes, and in the mixup I must have set up FOG when it had a different IP. Oops.
@Wayne-Workman You’re totally right. Old habit from when I first started working with FOG and that’s how the boss wanted it.
-
@themcv said in I goofed up the cert for my FOG server(s). Can I recover?:
I downloaded it and it is looking at the wrong IP. How can I re-issue the cert with it pointing to the right IP?
Make sure you have the IP right in all the places mentioned in the wiki. Then simply re-run the installer and it should issue a new cert for you having the correct IP set in the cert subject.
-
@sebastian-roth No go.
11/3/2017 1:22 PM Data::RSA FOG Server CA cert found
11/3/2017 1:22 PM Data::RSA ERROR: Certificate validation failed
11/3/2017 1:22 PM Data::RSA ERROR: Trust chain did not complete to the known authority anchor. Errors: The signature of the certificate cannot be verified. (NotSignatureValid)
11/3/2017 1:22 PM Middleware::Authentication ERROR: Could not authenticate
11/3/2017 1:22 PM Middleware::Authentication ERROR: Certificate is not from FOG CA
Getting this still unfortunately. IP address in the cert is correct now, but I’m getting there’s something still up. Is there anything else I can do?
-
@themcv Did you transfer the correct certificate from the old fog server to the new one? I have steps outlined on how to do this here: https://wiki.fogproject.org/wiki/index.php?title=Migrate_FOG#If_old_server_was_FOG_1.3.0.2B There’s also these more generalized steps that describe the same process: https://wiki.fogproject.org/wiki/index.php?title=FOG_Client#Maintain_Control_Of_Hosts_When_Building_New_Server
-
@wayne-workman Errr- no. I actually don’t think I did. I must have missed that.
I will do that as soon as I get back into the office.
-
@themcv said in I goofed up the cert for my FOG server(s). Can I recover?:
How can I re-issue the cert with it pointing to the right IP?
The IP in the cert (if there’s even one there, which I don’t remember one being there) does not tell the FOG Client which FOG Server to communicate with, the IP address or DNS name that you enter during the FOG Client installation is what dictates which FOG Server to communicate with.
If your new FOG Server has been given the same IP as the old one, and the old one’s IP has been changed to something else, then you’re close to fixing this. You just need to move the ssl directory from the old fog server to the new one and re-run the installer.
-
@themcv Did you get this fixed?
-
@wayne-workman No, not yet. I’m sorry, I’ve been promoted so I am sorta swamped with a ton of projects. I promise I will update as soon as I can.
-
Well bad news
11/21/2017 2:42 PM Data::RSA FOG Server CA cert found
11/21/2017 2:42 PM Data::RSA ERROR: Certificate validation failed
11/21/2017 2:42 PM Data::RSA ERROR: Trust chain did not complete to the known authority anchor. Errors: The signature of the certificate cannot be verified. (NotSignatureValid)
11/21/2017 2:42 PM Middleware::Authentication ERROR: Could not authenticate
11/21/2017 2:42 PM Middleware::Authentication ERROR: Certificate is not from FOG CA
Looks like this is going to be a case of starting fresh.
-
@themcv I promise the steps to move the cert over work correctly. I’ve done it like 3 times myself.
-
@wayne-workman Hey Wayne, thanks for your help. You can close this. We are migrating to a new image anyways and I don’t have a ton that are deployed out, so I’m just going to start from scratch. Thank you very much. : )
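-
Added example, not written by any poster in this thread and not FOG project code: the NotSignatureValid errors in the logs above are consistent with a server certificate issued by a different CA key than the one the client trusts, which is what moving the old server's ssl directory avoids. The script builds two constructed CAs with the same subject but different keys and checks one server cert against each with `openssl verify`; all file names and subjects are hypothetical, not FOG's paths.

```shell
#!/bin/sh
# Constructed demo: every key and cert is generated in a temp dir.
# Names such as old-ca / new-ca / srv are hypothetical, not FOG file names.

# make_ca DIR FILE: self-signed CA; both CAs share one subject on purpose,
# so the only difference between them is the key pair.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Demo Server CA" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# issue_cert DIR CAFILE NAME: create NAME.crt signed by CAFILE's key.
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
        -CAcreateserial -days 30 -out "$1/$3.crt" 2>/dev/null
}

# chain_ok CA_CRT CERT: exit 0 only if CERT chains to CA_CRT.
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# demo: prints which trust anchor accepts the freshly issued server cert.
demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d" old-ca          # anchor the deployed clients already trust
    make_ca "$d" new-ca          # anchor created by a fresh server install
    issue_cert "$d" new-ca srv   # server cert issued after the reinstall
    if chain_ok "$d/old-ca.crt" "$d/srv.crt"; then r1=trusted; else r1=rejected; fi
    if chain_ok "$d/new-ca.crt" "$d/srv.crt"; then r2=trusted; else r2=rejected; fi
    rm -rf "$d"
    echo "old-ca:$r1 new-ca:$r2"
}

demo
```

The same `openssl verify -CAfile` check, pointed at the CA certificate a client actually holds and the certificate the server actually presents, tells you whether re-running an installer changed the trust anchor.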