new install attempt to register host failed
-
Fresh install over SSL and changed settings to use my wildcard certificate. This was a test to register a host.
Any ideas?
-
@bogle What kind of “Wildcard” certificate do you use?? Which certificate authority is this from?
Be aware that you need to put the certificate into the right plane and re-run the installer or manually run the iPXE build script to have the certificate included into the binaries.
As well you need to know that the fog-client currently does not work with custom certificates.
-
While I’m not up to speed on the FOG SSL thing, it does appear that you did not recompile the iPXE boot loaders with your matching certificate that apache is running under -or- apache is not listening on port 443.
For apache listening on port 443 you can use this command
netstat -an |grep :443You should see something like this returned.tcp4 0 0 :::443 :::* LISTENYou can also test from a browser trying to connect to
https://10.141.13.36/fog/service/ipxe/boot.php?mac=00:00:00:00:00that will/should return the contents of the FOG iPXE menu. We are only concerned about if something is returned or not.If both tests above are successful but you can’t connect using iPXE then you need to recompile iPXE with your certificate.
-
-
@bogle Well half looks right. The web browser bit doesn’t look good. You should have a web page that starts out like this:
#!ipxe set fog-ip 192.168.1.53 set fog-webroot fog set boot-url http://${fog-ip}/${fog-webroot} cpuid --ext 29 && set arch x86_64 || set arch i386 goto get_console :console_set colour --rgb 0x00567a 1 || colour --rgb 0x00567a 2 || colour --rgb 0x00567a 4 || cpair --foreground 7 --background 2 2 || goto MENU :alt_console cpair --background 0 1 || cpair --background 1 2 || goto MENU :get_console console --picture http://192.168.1.53/fog/service/ipxe/bg.png --left 100 --right 80 && goto console_set || goto alt_console :MENU menu colour --rgb 0xff0000 0 || cpair --foreground 1 1 || cpair --foreground 0 3 || cpair --foreground 4 4 ||Try the same url but use the
http://instead. -
Its a Premium SSL Wildcard Certificate from Sectigo Certification Authority
-
http:// doesn’t work either
Here is a screenshot of the dashboard with Certificate pulled up.
-
@bogle Ok now we are getting some place.
I see your fog server url is at
fogserver.<redacted>.combut if you look at your first picture its trying to contact10.141.13.96server. Why does the conical name work where the IP address doesn’t? -
Good question, I just tried this and it returned results.
Here is my host file
<VirtualHost *:80> <FilesMatch "\.php$"> SetHandler "proxy:fcgi://127.0.0.1:9000/" </FilesMatch> ServerName 10.141.13.96 ServerAlias fogserver.<redacted>.com RewriteEngine On RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK) RewriteRule .* - [F] RewriteRule /management/other/ca.cert.der$ - [L] RewriteCond %{HTTPS} off RewriteRule (.*) https://%{HTTP_HOST}/$1 [R,L] </VirtualHost> <VirtualHost *:443> KeepAlive Off <FilesMatch "\.php$"> SetHandler "proxy:fcgi://127.0.0.1:9000/" </FilesMatch> ServerName 10.141.13.96 ServerAlias fogserver.<redacted>.com DocumentRoot /var/www/html/ SSLEngine On SSLProtocol all -SSLv3 -SSLv2 SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA SSLHonorCipherOrder On SSLCertificateFile /etc/pki/tls/certs/STAR_grahamrmc_com.crt SSLCertificateKeyFile /etc/pki/tls/private/_grahamrmc_com.key SSLCertificateChainFile /etc/pki/tls/certs/STAR_grahamrmc_com.ca-bundle <Directory /var/www/html/fog/> DirectoryIndex index.php index.html index.htm </Directory> RewriteEngine On RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK) RewriteRule .* - [F] RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-d RewriteRule ^/fog/(.*)$ /fog/api/index.php [QSA,L] </VirtualHost>I modifed the .fogsettings file portion where SSL Setting is
-
@bogle Well at this point, I’ve hit a wall on my knowledge in regards to SSL and apache. Its either the certificate blocking because its expecting a conical name or in the apache configuration the serveralias needs to have the IP address listed. But you are near the root of your problem. Once you get https working via the IP address it will work.
There is another way to work around it but I really don’t like that method because it make the client rely on DNS resolution to get imaging to work. You can go into the fog configuration settings and change all references to the IP address to the system’s conical name. You will also have to update the storage node settings too.
-
Ok I will revert back to a previous vm snapshot so I can use http instead of https and start over.
-
In the meantime whats the best way to get a windows 10 pro image working?
I am looking at this site right now
https://www.ceos3c.com/sysadmin/create-generalized-windows-10-image-deploy-fog-server/
-
@bogle said in new install attempt to register host failed:
I modifed the .fogsettings file portion where SSL Setting is
Did you re-run the installer after that? The .fogsettings file is only being used by the installer script but not being read at runtime. So changes to this file need to be “populated” by re-running the installer. That said I am not exactly sure if all the things involved to make FOG work with SSL are playing nicely if you change that path. While it definitely should I just wonder if if does because probably not too many people have done this. Usually people using custom certificates simply put those into the places where FOG has it’s cert files by default.
I know this sounds very 80s, like just keep it all to default because changing settings might break it.
But SSL is still kind of new in FOG, not being used by the mass of people and we have not had the time to make this rock solid in all cases yet.It’s interesting you get a page load error when accessing the website using the IP address. Maybe check apache logs (see my signature) to see if there is a hint on why it fails?!
In the meantime whats the best way to get a windows 10 pro image working?
Would you mind opening a new topic on this? Best if we don’t mix up things so we don’t get lost and also other people will find answers easier.
-
@bogle said in new install attempt to register host failed:
In the meantime whats the best way to get a windows 10 pro image working?
That site is a good place to start. You can either build the computer in audit mode or use MDT to create your reference image. Either way, don’t connect the reference image computer to your AD domain at all. Run audit mode unconnected to AD. You will have a better reference image in the end. Let FOG or have the unattend.xml file connect the target computer to AD at the end of deployment.
-
Thanks for your help. I reinstall the FOG Project and it works out of the box. On my test pc it booted successfully to the PXE menu. Tested it twice using legacy mode and uefi mode!
-
@bogle SSL enabled this time or not? Where did you put the certificates?
