Installing FOG Client with HTTPS, unable to install CA Certificate from Server
-
Hello,
I’m running FOG 1.5.0-RC 12 with Ubuntu 16.04 LTS. When I upgraded, the server pushed out the update to 11.13 for the FOG client. I assume when it tried to install the new version, it was unable to since the clients could not install the CA certificate, and as such I now have no client on any of my hosts. From Wireshark, I found that they install the CA certificate over port 80. In our network setup, we use HTTPS instead of HTTP, and as such we block communication on port 80. Is there any way that if the server and clients are installed with the HTTPS options selected, the client could also search for the CA certificate over HTTPS as opposed to HTTP?
-
@hancocza let me remote in and debug the issue. The installer had a bug which prevented it from pinning a server over https if port 80 was blocked. This has been fixed in v0.11.14, which will be released with the next server RC.
-
@hancocza The issue here is that the client will only connect with SSL if the https certificate is trusted by the computer – which in your case it's not, but once the client installs, then the SSL cert will be trusted. This is something I’ve been considering changing, but honestly there’s a much easier solution for you: exclude the ca.cert.der file from the SSL redirect in your apache config. Here’s an example, that should work, if not you should be able to get the general idea from it:

    <VirtualHost *:80>
        DocumentRoot /var/www/html/
        ServerName xxx.xxx.xxx.xxx
        # Your other lines #
        RewriteEngine On
        RewriteCond %{HTTPS} !=on
        # Regex match on the request path. (A "!=(/fog/...)" form is a literal
        # string comparison that never matches, so every request gets redirected.)
        RewriteCond %{REQUEST_URI} !^/fog/management/other/ca\.cert\.der$
        RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
    </VirtualHost>
@Tom-Elliott maybe we should include the exemption in the default Apache files if ssl-only is selected on install?
-
These are the exact lines that are added for http/https mode.
    echo "NameVirtualHost *:80" > "$etcconf"
    echo "NameVirtualHost *:443" >> "$etcconf"
    echo "<VirtualHost *:80>" >> "$etcconf"
    echo "    ServerName $ipaddress" >> "$etcconf"
    echo "    RewriteEngine On" >> "$etcconf"
    echo "    RewriteRule /management/other/ca.cert.der$ - [L]" >> "$etcconf"
    echo "    RewriteCond %{HTTPS} off" >> "$etcconf"
    echo "    RewriteRule (.*) https://%{HTTP_HOST}/\$1 [R,L]" >> "$etcconf"
    echo "</VirtualHost>" >> "$etcconf"
This would produce an https install of FOG beginning with:

    NameVirtualHost *:80
    NameVirtualHost *:443
    <VirtualHost *:80>
        ServerName <fogip/hostname>
        RewriteEngine On
        RewriteRule /management/other/ca.cert.der$ - [L]
        RewriteCond %{HTTPS} off
        RewriteRule (.*) https://%{HTTP_HOST}/$1 [R,L]
    </VirtualHost>
This should do the same thing as what @Joe-Schmitt suggested, though maybe something is off here? I don’t play too much with the https side of things during installation; I manually handle my stuff to more quickly develop the GUI.
-
Hey Guys,
Thanks for answering. Would this be the sites-enabled config? I tried changing that but still am getting the unable to install CA certificate issue, even after restarting the apache server.
-
@hancocza if I read the issue correctly, the problem is your network doesn’t allow port 80 at all, correct?
-
@tom-elliott Correct. So I have edited the web server to redirect to https and that works fine, it's just that the fog client cannot reach the certificate when installing on host computers.
-
@hancocza are you using the default SSL cert generated by the FOG server?
-
@joe-schmitt For the apache web server? No. We use a custom one. From what I understood though, the installer is just looking for the srvpublic.crt, which is still in its original place.
-
@hancocza does the computer you’re trying to install the client on trust that SSL certificate? (e.g. if you go to your fog server in a browser, is there a certificate error?).
-
@joe-schmitt Yes. I go to the browser and it doesn’t throw any warnings. The address bar has the green secure lock on it.
-
@hancocza alright, then this is definitely a client bug. The functions we created to download files did not adhere to redirect requests. I’m working on patching that now.
-
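Added example, not code from the FOG client or from anyone in this thread: a Python sketch of the redirect policy a bootstrap download like this one needs. The client asks for ca.cert.der over plain http, the server answers with a redirect to https, and the downloader has to follow that hop (the bug described above) without following hops that would weaken the fetch: a step back down from https to http, a jump to another host, or an endless loop. The hostname fog.example.internal, the placeholder certificate bytes and all function names are assumptions of this example; the "server" is a constructed URL-to-response table so it runs offline.

```python
"""Redirect policy for a CA-certificate bootstrap download (added example,
not FOG project code). Server name, fake certificate bytes and function
names are assumptions of this sketch."""
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 5
REDIRECT_STATUSES = {301, 302, 303, 307, 308}
CA_PATH = "/fog/management/other/ca.cert.der"   # path named in the thread
SERVER = "fog.example.internal"                 # assumed server hostname
# Constructed placeholder standing in for ca.cert.der; not a real certificate.
FAKE_CA_DER = b"\x30\x82\x01\x00FAKE-FOG-CA-CERT"


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""


class RedirectRefused(Exception):
    """A redirect would misdirect or weaken the bootstrap fetch."""


def redirect_allowed(current: str, target: str) -> bool:
    """Follow only http(s) redirects that stay on the same host and never
    step down from https to http."""
    cur, tgt = urlsplit(current), urlsplit(target)
    if tgt.scheme not in ("http", "https"):
        return False
    if cur.scheme == "https" and tgt.scheme != "https":
        return False   # downgrade: an on-path attacker could then serve a bogus CA
    return tgt.hostname is not None and tgt.hostname == cur.hostname


def fetch_with_policy(fetch: Callable[[str], Response], url: str) -> Tuple[str, bytes]:
    """Fetch url, following redirects that pass redirect_allowed(); returns
    (final_url, body). fetch is injected so the logic runs offline."""
    for _ in range(MAX_HOPS + 1):
        resp = fetch(url)
        if resp.status in REDIRECT_STATUSES:
            location = resp.headers.get("Location")   # constructed dict: exact-case key
            if location is None:
                raise RedirectRefused(f"{url}: redirect without Location header")
            target = urljoin(url, location)            # resolves relative Locations too
            if not redirect_allowed(url, target):
                raise RedirectRefused(f"refusing redirect {url} -> {target}")
            url = target
            continue
        if resp.status != 200:
            raise RedirectRefused(f"{url}: unexpected status {resp.status}")
        return url, resp.body
    raise RedirectRefused(f"more than {MAX_HOPS} redirects starting at {url}")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def fingerprint_matches(der: bytes, expected_sha256_hex: str) -> bool:
    """A CA fetched over plain http is only as trustworthy as the fingerprint
    you compare it against out of band."""
    return sha256_hex(der) == expected_sha256_hex.lower()


def fake_server(routes: Dict[str, Response]) -> Callable[[str], Response]:
    """Constructed stand-in for the web server: URL -> canned Response."""
    return lambda url: routes.get(url, Response(404))


def outcome(routes: Dict[str, Response], start: str) -> str:
    try:
        fetch_with_policy(fake_server(routes), start)
    except RedirectRefused:
        return "refused"
    return "followed"


def http_to_https_same_host() -> Tuple[str, bytes]:
    """The thread's case: port-80 request answered by a 302 to https://."""
    routes = {
        f"http://{SERVER}{CA_PATH}": Response(302, {"Location": f"https://{SERVER}{CA_PATH}"}),
        f"https://{SERVER}{CA_PATH}": Response(200, body=FAKE_CA_DER),
    }
    return fetch_with_policy(fake_server(routes), f"http://{SERVER}{CA_PATH}")


def https_to_http_downgrade() -> str:
    return outcome({f"https://{SERVER}{CA_PATH}": Response(302, {"Location": f"http://{SERVER}{CA_PATH}"})},
                   f"https://{SERVER}{CA_PATH}")


def redirect_to_other_host() -> str:
    return outcome({f"http://{SERVER}{CA_PATH}": Response(302, {"Location": f"https://other.example{CA_PATH}"})},
                   f"http://{SERVER}{CA_PATH}")


def redirect_loop() -> str:
    # Relative Location pointing back at itself: stopped by MAX_HOPS.
    return outcome({f"http://{SERVER}{CA_PATH}": Response(302, {"Location": CA_PATH})},
                   f"http://{SERVER}{CA_PATH}")


if __name__ == "__main__":
    final_url, der = http_to_https_same_host()
    print(final_url, fingerprint_matches(der, sha256_hex(FAKE_CA_DER)))
    print(https_to_http_downgrade(), redirect_to_other_host(), redirect_loop())
```

Following the same-host http-to-https hop is what resolves the scenario in this thread; the other three cases are the ones a naive "follow every Location" implementation gets wrong. The fingerprint check is the step that turns a trust-on-first-use download into a verified one: obtain the CA's SHA-256 through a separate channel and compare it before installing the certificate.
-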
@hancocza Can you try installing this build: https://build.jbob.io/Client/nightly/02-13-downloadredirect-01/SmartInstaller.exe ? It should follow your SSL redirect.
Please note that it is a nightly build and so should not be used in production, as the binaries are unsigned and can cause unforeseen issues.
-
@joe-schmitt Do you have an MSI version of it? If not, do you know what the parameter is to install this with https?
-
You can browse all the files here: https://build.jbob.io/Client/nightly/02-13-downloadredirect-01/
Here is the MSI: https://build.jbob.io/Client/nightly/02-13-downloadredirect-01/FOGService.msi
-
@joe-schmitt Hey Joe,
Just tried to install it with the HTTPS switch. Still getting the Unable to install CA Certificate issue.
-
@hancocza Can you try again with this build? https://build.jbob.io/Client/release-candidate/0.11.14-RC-03/FOGService.msi
-
@joe-schmitt Still a no go. Still trying to reach over 80.
-
Moved to bug reports as it seems to be one. Thanks @Joe-Schmitt for looking into this!