Trouble installing SmartClient on MacOS Sierra

Daniel Miller · Sep 12, 2019, 10:38 PM

@Sebastian-Roth it’s almost like an open source project depends on free labor or something …

All right, still don’t see how that gets brought it, but it is building, a healthy 8.75 MB, and the installation process is now happy with the install files segment. But now we’re back to the Cert Pinning issue, however (names changed to protect the guilty).

 9/12/2019 4:28 PM Data::RSA ERROR: Unable to retrieve FOG Server CA
 9/12/2019 4:28 PM Data::RSA ERROR: FOG Server CA NOT found in keystore
 9/12/2019 4:28 PM Middleware::Communication Download: http://fogserver/fog/management/other/ca.cert.der
 9/12/2019 4:28 PM Data::RSA Injecting root CA: 
 9/12/2019 4:28 PM Data::RSA ERROR: Unable to inject CA
 9/12/2019 4:28 PM Data::RSA ERROR: Access to the path '/usr/share/.mono/certs/Trust' is denied.

Which brings us back to GenericSetup and the cert store. Currently the diff between my current and commit b299551 is:

@@ -108,11 +108,11 @@ namespace FOG
             var cert = RSA.ServerCertificate();
             if (cert == null) return false;
 
             try
             {
-                var store = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
+                var store = new X509Store(StoreName.Root, StoreLocation.CurrentUser);
                 store.Open(OpenFlags.ReadWrite);
                 store.Remove(cert);
                 store.Close();
                 return true;
             }
@@ -127,11 +127,11 @@ namespace FOG
         public static bool InstallFOGCert(string location)
         {
             try
             {
                 var cert = new X509Certificate2(location);
-                var store = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
+                var store = new X509Store(StoreName.Root, StoreLocation.CurrentUser);
                 store.Open(OpenFlags.ReadWrite);
                 var cers = store.Certificates.Find(X509FindType.FindBySubjectName, "FOG Project", true);
 
                 var validKeyPresent = false;
                 if (cers.Count > 0)
@@ -166,11 +166,11 @@ namespace FOG
         {
             var cert = new X509Certificate2();
             try
             {
                 X509Certificate2 CAroot = null;
-                var store = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
+                var store = new X509Store(StoreName.Root, StoreLocation.CurrentUser);
                 store.Open(OpenFlags.ReadOnly);
                 var cers = store.Certificates.Find(X509FindType.FindBySubjectName, "FOG Project", true);
 
                 if (cers.Count > 0)
                 {
@@ -189,11 +189,11 @@ namespace FOG
 
             if (cert == null) return;
 
             try
             {
-                var store = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
+                var store = new X509Store(StoreName.Root, StoreLocation.CurrentUser);
                 store.Open(OpenFlags.ReadWrite);
                 store.Remove(cert);
                 store.Close();
             }
             catch (Exception ex)

Unless I’m missing something, those are the changes you made, yes? I am a bit confused about why it is trying to throw it in /usr/share. There has been a change in the version of mono (6.0.0.327), but running the version of SmartInstaller.exe you sent works as expected when executed under the context of root.

There anything else I should need to clean out other than SetupHelper.* in ./bin to make sure it has the right version in the exe build? Other thoughts?

Sebastian Roth · Sep 13, 2019, 6:44 AM

@Daniel-Miller said in Trouble installing SmartClient on MacOS Sierra:

Injecting root CA

Obviously we have missed RSA.cs in Zazzles! There are two places in that code file, line 155 and line 202.

Zazzles is another github repo you need to clone and open in Visual Studio. I’d suggest you don’t use the latest master but checkout commit 0f13a4caf as I have messed with the external libraries here as well. After it’s built you need to manually copy the new Zazzles.dll over to your fog-client\libs (from the top of my head I think this is the correct location) folder, close Zazzles project in Visual Studio, reopen fog-client project and re-build the solution.

We are getting there!

If for some reason FOGService is not properly starting or you see some very strange behaviour, then let me know. Don’t waste your time to try and figure it out. It is possible that I got something wrong with the hints here - writing this while sitting in the train and don’t have all my tools here.

Daniel Miller · Sep 13, 2019, 3:58 PM

@Sebastian-Roth Alrightly, rebuilt Zazzles with the change and now the installer is happy. FOGService isn’t starting, however, or at least fog tray isn’t starting and when I manually start it it is complaining about not being able to connect to the bus.

Sebastian Roth · Sep 14, 2019, 6:12 AM

@Daniel-Miller said in Trouble installing SmartClient on MacOS Sierra:

FOGService isn’t starting, however, or at least fog tray isn’t starting and when I manually start it it is complaining about not being able to connect to the bus.

Can you post more details on this? Log output?

Daniel Miller · Nov 6, 2019, 7:00 PM

@Sebastian-Roth
/opt/fog-service/fog.log was an empty file after rebooting the machine. Manually launching the service (sudo /opt/fog-service/control.sh start) produces the familiar logs but complains about FOG Server CA NOT found in keystore:

 9/17/2019 10:09 AM Main Overriding exception handling
 9/17/2019 10:09 AM Main Bootstrapping Zazzles
 9/17/2019 10:09 AM Controller Initialize
 9/17/2019 10:09 AM Controller Start

 9/17/2019 10:09 AM Service Starting service
 9/17/2019 10:09 AM Bus Became bus server
 9/17/2019 10:09 AM Bus Emmiting message on channel: Status
 9/17/2019 10:09 AM Service Invoking early JIT compilation on needed binaries

------------------------------------------------------------------------------
--------------------------------Authentication--------------------------------
------------------------------------------------------------------------------
 9/17/2019 10:09 AM Client-Info Version: 0.11.16
 9/17/2019 10:09 AM Client-Info OS:      Mac
 9/17/2019 10:09 AM Middleware::Authentication Waiting for authentication timeout to pass
 9/17/2019 10:09 AM Middleware::Communication Download: http://10.10.25.15/fog/management/other/ssl/srvpublic.crt
 9/17/2019 10:09 AM Data::RSA ERROR: Unable to retrieve FOG Server CA
 9/17/2019 10:09 AM Data::RSA ERROR: FOG Server CA NOT found in keystore
 9/17/2019 10:09 AM Middleware::Authentication ERROR: Could not authenticate
 9/17/2019 10:09 AM Middleware::Authentication ERROR: Value cannot be null.
Parameter name: authority

Manually relaunching the service under the root user context (sudo -i /opt/fog-service/control.sh start) shows it starting to communicate normally:

------------------------------------------------------------------------------
--------------------------------Authentication--------------------------------
------------------------------------------------------------------------------
 9/17/2019 10:15 AM Client-Info Version: 0.11.16
 9/17/2019 10:15 AM Client-Info OS:      Mac
 9/17/2019 10:15 AM Middleware::Authentication Waiting for authentication timeout to pass
 9/17/2019 10:17 AM Controller Stop
 9/17/2019 10:17 AM Service Stop requested
 9/17/2019 10:17 AM Middleware::Authentication ERROR: Could not authenticate
 9/17/2019 10:17 AM Middleware::Authentication ERROR: Thread was being aborted.
 9/17/2019 10:17 AM Bus Emmiting message on channel: Status
 9/17/2019 10:17 AM Main Overriding exception handling
 9/17/2019 10:17 AM Main Bootstrapping Zazzles
 9/17/2019 10:17 AM Controller Initialize
 9/17/2019 10:17 AM Controller Start

 9/17/2019 10:17 AM Service Starting service
 9/17/2019 10:17 AM Bus Became bus server
 9/17/2019 10:17 AM Bus Emmiting message on channel: Status
 9/17/2019 10:17 AM Service Invoking early JIT compilation on needed binaries

------------------------------------------------------------------------------
--------------------------------Authentication--------------------------------
------------------------------------------------------------------------------
 9/17/2019 10:17 AM Client-Info Version: 0.11.16
 9/17/2019 10:17 AM Client-Info OS:      Mac
 9/17/2019 10:17 AM Middleware::Authentication Waiting for authentication timeout to pass
 9/17/2019 10:17 AM Middleware::Communication Download: http://10.10.25.15/fog/management/other/ssl/srvpublic.crt
 9/17/2019 10:17 AM Data::RSA FOG Server CA cert found
 9/17/2019 10:17 AM Middleware::Authentication Cert OK
 9/17/2019 10:17 AM Middleware::Authentication No token found at /opt/fog-service/token.dat, this is expected if the client has not authenticated before
 9/17/2019 10:17 AM Middleware::Authentication ERROR: Could not get security token
 9/17/2019 10:17 AM Middleware::Authentication ERROR: Could not find file "/opt/fog-service/token.dat"
 9/17/2019 10:17 AM Middleware::Communication POST URL: http://fogserver/fog/management/index.php?sub=requestClientInfo&authorize&newService
 9/17/2019 10:17 AM Middleware::Response Invalid host
 9/17/2019 10:17 AM Middleware::Communication URL: http://fogserver/fog/service/register.php?hostname=ASCAS-TestImac.local&mac=38:C9:86:4F:EE:1E|28:F0:76:49:AD:70|0A:F0:76:49:AD:70|26:EA:E7:94:F6:3A|1A:00:01:E3:00:70|1A:00:01:E3:00:71|1A:00:01:E3:00:70&newService&json

So, it looks like the service works, but the daemon and user agent aren’t loaded correctly. I actually don’t see where those service loads happen during install. I would expect they would be handled in Install() in MacInstall.cs as Uninstall() calls unload for the services, but the only reference I see to the load call are in StartService() in MacUpdate.cs and the OnUpdate event handler in FogUserService.cs.

Sebastian Roth · Sep 17, 2019, 6:34 PM

@Daniel-Miller Hmm, making progress!

It’s strange you get the Middleware::Response Invalid host when starting as root. Is this host registered with FOG yet? If not, manually register it. If it is, then reset encryption data in the FOG web UI settings for this particular host.

I actually don’t see where those service loads happen during install.

I think this is what you are looking for: https://github.com/FOGProject/fog-client/blob/master/UniversalInstaller/UniversalInstaller.cs#L418 (called here I suppose)

Daniel Miller · Sep 18, 2019, 5:49 PM

@Sebastian-Roth The Middleware::Response Invalid host was expected; the host wasn’t registered at the time of the initial query. It is now and producing logs like:

9/17/2019 10:29 AM Middleware::Communication URL: http://10.10.25.15/fog/management/index.php?sub=requestClientInfo&configure&newService&json
 9/17/2019 10:29 AM Middleware::Response Success
 9/17/2019 10:29 AM Middleware::Communication URL: http://10.10.25.15/fog/management/index.php?sub=requestClientInfo&mac=38:C9:86:4F:EE:1E|28:F0:76:49:AD:70|0A:F0:76:49:AD:70|26:EA:E7:94:F6:3A|1A:00:01:E3:00:70|1A:00:01:E3:00:71|1A:00:01:E3:00:70&newService&json
 9/17/2019 10:29 AM Middleware::Authentication Waiting for authentication timeout to pass
 9/17/2019 10:29 AM Middleware::Communication Download: http://10.10.25.15/fog/management/other/ssl/srvpublic.crt
 9/17/2019 10:29 AM Data::RSA FOG Server CA cert found
 9/17/2019 10:29 AM Middleware::Authentication Cert OK
 9/17/2019 10:29 AM Middleware::Authentication No token found at /opt/fog-service/token.dat, this is expected if the client has not authenticated before
 9/17/2019 10:29 AM Middleware::Authentication ERROR: Could not get security token
 9/17/2019 10:29 AM Middleware::Authentication ERROR: Could not find file "/opt/fog-service/token.dat"
 9/17/2019 10:29 AM Middleware::Communication POST URL: http://10.10.25.15/fog/management/index.php?sub=requestClientInfo&authorize&newService
 9/17/2019 10:29 AM Middleware::Response Success
 9/17/2019 10:29 AM Middleware::Authentication Authenticated
 9/17/2019 10:29 AM Middleware::Communication URL: http://10.10.25.15/fog/management/index.php?sub=requestClientInfo&mac=38:C9:86:4F:EE:1E|28:F0:76:49:AD:70|0A:F0:76:49:AD:70|26:EA:E7:94:F6:3A|1A:00:01:E3:00:70|1A:00:01:E3:00:71|1A:00:01:E3:00:70&newService&json
 9/17/2019 10:29 AM Middleware::Response Success
 9/17/2019 10:29 AM Middleware::Communication URL: http://10.10.25.15/fog/service/getversion.php?clientver&newService&json
 9/17/2019 10:29 AM Middleware::Communication URL: http://10.10.25.15/fog/service/getversion.php?newService&json

 9/17/2019 10:29 AM Service Creating user agent cache
 9/17/2019 10:29 AM Middleware::Response Invalid time
 9/17/2019 10:29 AM Middleware::Response No Printers
 9/17/2019 10:29 AM Middleware::Response Module is disabled globally on the FOG server

Fair warning: some of this is likely just me getting familiar with the code base… correct me as necessary.

That code segment kicks off the script that starts fogservice.exe after installation, but it is only executed when the OS is linux (UniversalInstaller.cs#L308). But if fogservice.exe were to start for macOS, I don’t see any place in fogservice that registers org.freeghost.daemon.plist as something to be started automatically by the operating system.

The (limited) documentation (Apple Terminal Users Guide, launchctl man page), a blog post, and more misc. google-foo seems to show a consensus that services are loaded via launchctl. I do see that the expected calls to launchctl exist in UpdateHelper (using the legacy load/unload invocations), but I am having some difficulty tracing the execution back through Zazzles updater abstraction to there. On the surface it appears to rely on the existence of SmartInstaller.exe, so I would assume (possibly incorrectly) that the update code is only invoked when an update is called for by the fog server. In this case, the call to launchctl never happens, the services (system daemon and user agent) are never registered, and the daemon doesn’t start on reboot. That would be consistent with an empty fog.log as I found.

This is of course assuming there isn’t another means of registering the daemons in use, in which case It would be helpful to know what the intended implementation was so I can take a look at how it’s breaking. Otherwise, I will likely try adding in the launchctl invocations to Install() when I have some time to test again.

Sebastian Roth · Sep 19, 2019, 6:56 AM

@Daniel-Miller Thanks for the update. I myself have not used fog-client on Mac OS X yet I have to admit. So I can’t say for sure it should load after install and on reboots or not. In the wiki it says it should: https://wiki.fogproject.org/wiki/index.php/FOG_Client#Installing_-_OSX

But an older forum topic tells me that someone had this kind of issue before and here it doesn’t look like this was solved really: https://forums.fogproject.org/topic/7403/fog-client-on-mac-os-x

Daniel Miller · Sep 24, 2019, 2:17 PM

@Sebastian-Roth Added in the launchctl invocation for org.freeghost.daemon.plist at the end of Install() and things now appear to be behaving per the Wiki; the system daemon and user agent start automatically on reboot. It should be noted that the launchctl invocation both starts the system daemon and registers it for restart, but the user service won’t appear until reboot. Probably should have someone look to style and location of the logic. It may make sense to add something to the IInstall interface in case other environmental issues need to be addressed for other OSs later. Likely should add something to capture the relevant environment elements that trigger the relaunch for troubleshooting, particularly to capture the state during automated installs, but the Log class wasn’t cooperating with me. Otherwise, it should be ready for some sort of functional review and testing.

How would you like to proceed?

Sebastian Roth · Sep 24, 2019, 5:23 PM

@Daniel-Miller Great! Do you have a github account? Would be great if we could work it in that way. Probably good to change to chat for that now. Check the speech bubble in the top right corner.

ismith.hpu · Nov 6, 2019, 7:00 PM

@Daniel-Miller

I am at this specific point with regards to attempting to download the cert.

Trouble installing SmartClient on MacOS Sierra

179

12.0k

17.3k

155.2k