Problem to join a domain (SSL problem ?)
-
Dear all,
Before asking, I did a lot of searching (I spent all day yesterday searching and reading) but I don’t understand.
Here is the config:

Server
- FOG 1.5.7
- OS: Debian 8

Client
- FOG Client 0.11.16
- OS: Windows 10 1803

So, I configured my host like this:
I verified the password, it’s correct, but when I deploy my image (without error) the computer doesn’t join the domain. When I join it “manually” on the machine (via System) it works.
I launched the debugger on the machine, and I have this error:
The “fog.log” on the machine says this:
On the machine, I added our own CA in “Trusted Root Certification Authorities”, and it’s working as you can see
I also checked the apache2 log and I always see the same error (one error per minute):
```
[Tue Nov 26 10:43:16.407986 2019] [proxy_fcgi:error] [pid 13213] [client 10.0.200.201:54419] AH01071: Got error 'PHP message: PHP Fatal error: Uncaught exception 'Exception' with message '#!im' in /var/www/html/fog/lib/fog/fogbase.class.php:584\nStack trace:\n#0 /var/www/html/fog/lib/client/registerclient.class.php(47): FOGBase::getHostItem(true, false, false, true)\n#1 /var/www/html/fog/lib/fog/fogpage.class.php(3013): RegisterClient->json()\n#2 /var/www/html/fog/lib/fog/fogpage.class.php(249): FOGPage->requestClientInfo()\n#3 /var/www/html/fog/lib/pages/dashboardpage.class.php(76): FOGPage->__construct('Dashboard')\n#4 /var/www/html/fog/lib/fog/loadglobals.class.php(67): DashboardPage->__construct()\n#5 /var/www/html/fog/lib/fog/loadglobals.class.php(81): LoadGlobals::_init()\n#6 /var/www/html/fog/commons/base.inc.php(49): LoadGlobals->__construct()\n#7 /var/www/html/fog/management/index.php(22): require('/var/www/html/f...')\n#8 {main}\n thrown in /var/www/html/fog/lib/fog/fogbase.class.php on line 584\n'
```
and also this :
```
[Tue Nov 26 06:25:05.307698 2019] [ssl:warn] [pid 27789] AH01909: 10.0.150.15:443:0 server certificate does NOT include an ID which matches the server name
[Tue Nov 26 06:25:05.308126 2019] [mpm_prefork:notice] [pid 27789] AH00163: Apache/2.4.10 (Debian) OpenSSL/1.0.1t configured -- resuming normal operations
[Tue Nov 26 06:25:05.308143 2019] [core:notice] [pid 27789] AH00094: Command line: '/usr/sbin/apache2'
```
Do you think the problem with the domain can come from the SSL problem?
I didn’t specify my CA when I generated the binaries (`/opt/fog/utils/FOGiPXE/buildipxe.sh`) during the install; could it come from there?
Thank you for the help!
-
@loutrage said in Problem to join a domain (SSL problem ?):

> On the machine, I added our own CA in “Trusted Root Certification Authorities”, and it’s working as you can see

- Did you manually adjust the Apache config to make it use SSL or did you run the FOG installer using the `--force-https` option?
- Is this a custom certificate you generated yourself and installed into the FOG server?

Probably best if you post your full apache config here so we know what exactly you have.
The fog-client uses certificates to encrypt the communication to the server - similar to what HTTPS does but different. This security model was chosen by the original developer of the fog-client some years ago and even though it has its drawbacks (and I think about changing it when I have more time) it still works quite well in most cases. But you have to be aware that tangling with the certificates will most probably cause issues with the fog-client.
Please answer the above questions and we’ll see what we can do.
-
@Sebastian-Roth, thank you for the answer !
- Yes I used the `--force-https` option. Here are the steps I used to configure the server:
  * `./installfog.sh -S`
  * Copy the private key and the PEM file from our CA machine to the directory `/opt/fog/snapins/ssl/`
  * Replace the default CA in the directories `/etc/apache2/ssl/CA/` and `/opt/fog/snapins/ssl/CA/` with our own CA
  * Edit the webserver config with the command `vim /etc/apache2/sites-available/001-fog.conf`, then restart apache2
  * Edit the lines with the SSL links to this:
    ```
    SSLCertificateFile /opt/fog/snapins/ssl/fog.pem
    SSLCertificateKeyFile /opt/fog/snapins/ssl/fog.key
    #SSLCertificateChainFile /var/www/html/fog//management/other/ca.cert.der
    ```
  * Execute the script `buildipxe.sh` from the directory `./opt/fog/utils/FOGiPXE/buildipxe.sh` to create new iPXE binaries with the certificate in them.
  * Copy all the files from `/opt/fog/packages/tftp` to `/tftpboot`.
- Yes, I have a custom certificate.
Here is the content of my VHost:

```apache
<VirtualHost *:80>
    <FilesMatch "\.php$">
        SetHandler "proxy:fcgi://127.0.0.1:9000/"
    </FilesMatch>
    ServerName 10.0.150.15
    ServerAlias corners-fog
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]
    RewriteRule /management/other/ca.cert.der$ - [L]
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}/$1 [R,L]
</VirtualHost>

<VirtualHost *:443>
    KeepAlive Off
    <FilesMatch "\.php$">
        SetHandler "proxy:fcgi://127.0.0.1:9000/"
    </FilesMatch>
    ServerName 10.0.150.15
    ServerAlias corners-fog
    DocumentRoot /var/www/html/
    SSLEngine On
    SSLProtocol all -SSLv3 -SSLv2
    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
    SSLHonorCipherOrder On
    SSLCertificateFile /opt/fog/snapins/ssl/fog.pem
    SSLCertificateKeyFile /opt/fog/snapins/ssl/fog.key
    #SSLCertificateChainFile /var/www/html/fog//management/other/ca.cert.der
    <Directory /var/www/html/fog/>
        DirectoryIndex index.php index.html index.htm
    </Directory>
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]
    RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
    RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-d
    RewriteRule ^/fog/(.*)$ /fog/api/index.php [QSA,L]
</VirtualHost>
```
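The AH01909 warning quoted in the first post (`server certificate does NOT include an ID which matches the server name`) is Apache comparing the vhost's `ServerName` against the identifiers in the certificate. The following Python is an added illustration, not code from this thread or from the FOG project: it implements that comparison over a constructed certificate description (subject CN and subjectAltName entries given as plain values; no real certificate is parsed) and shows why `ServerName 10.0.150.15` together with a certificate issued for `corners-fog` is reported as a mismatch, and which identifier would satisfy it. The certificate values are assumptions modelled on the vhost above.

```python
import ipaddress
from typing import List, Tuple

# Constructed certificate description (assumption, not parsed from a real
# cert): subject CN plus subjectAltName entries as (kind, value) pairs,
# modelled on the vhost's ServerAlias corners-fog / ServerName 10.0.150.15.
CERT_CN = "corners-fog"
CERT_SAN: List[Tuple[str, str]] = [("DNS", "corners-fog")]


def matches_dns(pattern: str, hostname: str) -> bool:
    """dNSName comparison: case-insensitive, label by label, with a single
    '*' accepted only as the entire leftmost label. The wildcard may not
    stand for the whole name and partial-label wildcards are rejected."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    if "*" in pattern:
        return False
    return p_labels == h_labels


def server_name_matches(server_name: str, subject_cn: str,
                        san: List[Tuple[str, str]]) -> Tuple[bool, str]:
    """Decide whether the name Apache serves under (ServerName) is covered
    by the certificate. Returns (ok, reason). An IP literal is matched only
    against iPAddress SAN entries; a DNS name is matched against dNSName SAN
    entries, falling back to the CN only when no dNSName is present."""
    try:
        ip = ipaddress.ip_address(server_name)
    except ValueError:
        ip = None
    if ip is not None:
        for kind, value in san:
            if kind == "IP" and ipaddress.ip_address(value) == ip:
                return True, f"SAN IP:{value} matches"
        return False, (f"no iPAddress SAN for {server_name}; an IP literal in "
                       f"ServerName needs an IP entry in the certificate")
    dns_names = [value for kind, value in san if kind == "DNS"]
    for value in dns_names:
        if matches_dns(value, server_name):
            return True, f"SAN DNS:{value} matches"
    if not dns_names and matches_dns(subject_cn, server_name):
        return True, f"CN={subject_cn} matches (legacy fallback, no dNSName SAN)"
    return False, f"no certificate identifier covers {server_name}"


if __name__ == "__main__":
    for name in ("10.0.150.15", "corners-fog"):
        ok, why = server_name_matches(name, CERT_CN, CERT_SAN)
        print(f"ServerName {name}: {'OK' if ok else 'MISMATCH'} ({why})")
    # An iPAddress SAN is what would make the IP ServerName pass.
    ok, why = server_name_matches("10.0.150.15", CERT_CN,
                                  CERT_SAN + [("IP", "10.0.150.15")])
    print(f"with IP SAN: {'OK' if ok else 'MISMATCH'} ({why})")
```

Run as a script it reports a mismatch for the IP `ServerName` and a match for `corners-fog`; AH01909 is the same check failing at Apache startup. Either a `ServerName` the certificate covers or a certificate whose SAN lists the IP clears it. As the thread goes on to explain, this warning concerns the HTTPS endpoint only; the fog-client authenticates with the FOG-generated CA, which is a separate matter.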
-
@loutrage Thanks for posting all the details. Always good to know what exactly was done to better help.
> Yes I have a custom certificate
As mentioned before there is no way you can make this work with the current fog-client as it is.
There should be a way to still get this to work in sort of a hybrid way (own CA for HTTPS web UI but FOG CA for fog-client). But I need a bit more time to think it through and write down all the details for you. I’ll get back to you tomorrow.
-
Ok, thanks a lot!
Can the problem joining the domain come from there?
I noticed that the machines are well named by FOS, so I think the fog-client must be able to communicate?
-
Finally, I made a new fresh install…
I followed your post here: https://forums.fogproject.org/topic/13956/2019-a-step-by-step-activating-ssl-and-complying-ipxe-with-it
So FOS works in SSL now with the certificate generated by the machine.
I have a certificate error with my browsers and it’s not 100% secure, but it seems to be too complicated to work with our own self-signed certificate.
In fact, my original (and biggest) problem doesn’t seem to come from there.
I installed FOG without SSL to try, and it still doesn’t work: I can’t join my domain. I changed the password of the account on my Domain Controller to remove all the special characters and deployed the machine several times; it doesn’t work.
And if I join my domain manually, it works…
Here is the error with the debugger (problem with the path):
-
@loutrage Are you sure you used these commands in the debugger session?

```
middleware configuration server http://x.1x.x.x/fog
middleware authentication handshake
```

Actually there is no need to use the fog-client debugger. Just grab the `fog.log` on a client that fails to join (either in `C:\fog.log` or `C:\Program Files (x86)\FOG\fog.log`) and post that here. The log information will help us find why it does not join the domain!

> Finally, I made a new fresh install…
> So FOS works in SSL now with the certificate generated by the machine.

Ok great, I think this is a good starting point!
First let me explain some more things. Let’s assume you only use FOG with plain HTTP. The installer will still generate a CA and cert/key because the fog-client uses those certs to encrypt the communication. But this is not standard HTTPS (HTTP within an SSL tunnel) but more like HTTPF - I just made this term up, it doesn’t really exist but this is kind of what we use, plain HTTP with special FOG-encrypted content. So from a network point of view the communication is still normal HTTP and the certificate is not needed for SSL in Apache but for encrypting the message contents.
Now if you switch to HTTPS using the install option `--force-https`, the Apache webserver config is changed to use the same certificate that is used for encrypting the fog-client messages. The important thing is that it also adds a forced redirect from HTTP to HTTPS to the Apache config. I have seen this causing problems with the fog-client and so I’d advise you to manually edit `C:\Program Files (x86)\FOG\settings.json` and change the option `HTTPS` to `1`.
After we get this working for you we can come back and try to have you use your custom certificate for the FOG web UI. Remember, the fog-client (as it is right now) needs to use the certificate generated by the installer to encrypt its messages. But that doesn’t mean that it also needs to use the same cert for the HTTPS connection. Those are two different things.
-
Hello, sorry for the long delay in answering: holidays and a lot of work, I didn’t have time to answer before.
Thank you for the explanation about the certificates, it’s clear now.
I’m still trying to connect to my domain when a machine is deployed, but I always have the same problem.
So I checked for the file “fog.log” but it wasn’t there; the fog client isn’t installed on the machine.
Is that normal, or do I have to install it on my “mother” image before deploying?
To be sure and to begin with a new solid base, I started from zero with a new, updated machine (Debian 10), so it’s a totally fresh install with the latest version of Debian and FOG, without SSL activated.
I deployed my image and I had the same problem: no FOG Client, so I installed it manually with the “Smart Installer”, not the Network Installer. I rebooted the machine and here is the content of the fog.txt:
```
16/12/2019 10:48 Main Overriding exception handling
16/12/2019 10:48 Main Bootstrapping Zazzles
16/12/2019 10:48 Controller Initialize
16/12/2019 10:48 Controller Start
16/12/2019 10:48 Service Starting service
16/12/2019 10:48 Bus Became bus server
16/12/2019 10:48 Bus Emmiting message on channel: Status
16/12/2019 10:48 Service Invoking early JIT compilation on needed binaries
------------------------------------------------------------------------------
--------------------------------Authentication--------------------------------
------------------------------------------------------------------------------
16/12/2019 10:48 Client-Info Version: 0.11.16
16/12/2019 10:48 Client-Info OS: Windows
16/12/2019 10:48 Middleware::Authentication Waiting for authentication timeout to pass
16/12/2019 10:48 Middleware::Communication Download: http://10.0.150.15/fog/management/other/ssl/srvpublic.crt
16/12/2019 10:48 Data::RSA FOG Server CA cert found
16/12/2019 10:48 Middleware::Authentication Cert OK
16/12/2019 10:48 Middleware::Authentication No token found at C:\Program Files (x86)\FOG\token.dat, this is expected if the client has not authenticated before
16/12/2019 10:48 Middleware::Authentication ERROR: Could not get security token
16/12/2019 10:48 Middleware::Authentication ERROR: Could not find file 'C:\Program Files (x86)\FOG\token.dat'.
16/12/2019 10:48 Middleware::Communication POST URL: http://10.0.150.15/fog/management/index.php?sub=requestClientInfo&authorize&newService
16/12/2019 10:48 Middleware::Response Success
16/12/2019 10:48 Middleware::Authentication Authenticated
16/12/2019 10:48 Middleware::Communication URL: http://10.0.150.15/fog/management/index.php?sub=requestClientInfo&configure&newService&json
16/12/2019 10:48 Middleware::Response Success
16/12/2019 10:48 Middleware::Communication URL: http://10.0.150.15/fog/management/index.php?sub=requestClientInfo&mac=00:50:56:87:8F:1A|0A:00:27:00:00:05&newService&json
16/12/2019 10:48 Middleware::Response Success
16/12/2019 10:48 Middleware::Communication URL: http://10.0.150.15/fog/service/getversion.php?clientver&newService&json
16/12/2019 10:48 Middleware::Communication URL: http://10.0.150.15/fog/service/getversion.php?newService&json
16/12/2019 10:48 Service Creating user agent cache
16/12/2019 10:48 Middleware::Response Invalid time
16/12/2019 10:48 Middleware::Response No Printers
16/12/2019 10:48 Middleware::Response Module is disabled globally on the FOG server
16/12/2019 10:48 Service Initializing modules
------------------------------------------------------------------------------
---------------------------------ClientUpdater--------------------------------
------------------------------------------------------------------------------
16/12/2019 10:48 Client-Info Client Version: 0.11.16
16/12/2019 10:48 Client-Info Client OS: Windows
16/12/2019 10:48 Client-Info Server Version: 1.5.7
16/12/2019 10:48 Middleware::Response Success
------------------------------------------------------------------------------
------------------------------------------------------------------------------
----------------------------------TaskReboot----------------------------------
------------------------------------------------------------------------------
16/12/2019 10:48 Client-Info Client Version: 0.11.16
16/12/2019 10:48 Client-Info Client OS: Windows
16/12/2019 10:48 Client-Info Server Version: 1.5.7
16/12/2019 10:48 Middleware::Response Success
------------------------------------------------------------------------------
------------------------------------------------------------------------------
--------------------------------HostnameChanger-------------------------------
------------------------------------------------------------------------------
16/12/2019 10:48 Client-Info Client Version: 0.11.16
16/12/2019 10:48 Client-Info Client OS: Windows
16/12/2019 10:48 Client-Info Server Version: 1.5.7
16/12/2019 10:48 Middleware::Response Success
16/12/2019 10:48 HostnameChanger Users still logged in and enforce is disabled, delaying any further actions
------------------------------------------------------------------------------
------------------------------------------------------------------------------
---------------------------------SnapinClient---------------------------------
------------------------------------------------------------------------------
16/12/2019 10:48 Client-Info Client Version: 0.11.16
16/12/2019 10:48 Client-Info Client OS: Windows
16/12/2019 10:48 Client-Info Server Version: 1.5.7
16/12/2019 10:48 Middleware::Response No snapins
------------------------------------------------------------------------------
------------------------------------------------------------------------------
--------------------------------PrinterManager--------------------------------
------------------------------------------------------------------------------
16/12/2019 10:48 Client-Info Client Version: 0.11.16
16/12/2019 10:48 Client-Info Client OS: Windows
16/12/2019 10:48 Client-Info Server Version: 1.5.7
16/12/2019 10:48 Middleware::Response No Printers
------------------------------------------------------------------------------
------------------------------------------------------------------------------
--------------------------------PowerManagement-------------------------------
------------------------------------------------------------------------------
16/12/2019 10:48 Client-Info Client Version: 0.11.16
16/12/2019 10:48 Client-Info Client OS: Windows
16/12/2019 10:48 Client-Info Server Version: 1.5.7
16/12/2019 10:48 Middleware::Response Success
16/12/2019 10:48 PowerManagement Calculating tasks to unschedule
16/12/2019 10:48 PowerManagement Calculating tasks to schedule
------------------------------------------------------------------------------
------------------------------------------------------------------------------
----------------------------------UserTracker---------------------------------
------------------------------------------------------------------------------
16/12/2019 10:48 Client-Info Client Version: 0.11.16
16/12/2019 10:48 Client-Info Client OS: Windows
16/12/2019 10:48 Client-Info Server Version: 1.5.7
16/12/2019 10:48 Middleware::Response Success
16/12/2019 10:48 Middleware::Communication URL: http://10.0.150.15/fog/service/usertracking.report.php?action=login&user=Corners-Test\Exploitation&mac=00:50:56:87:8F:1A|0A:00:27:00:00:05&newService&json
------------------------------------------------------------------------------
16/12/2019 10:48 Service Sleeping for 94 seconds
16/12/2019 10:50 Middleware::Communication URL: http://10.0.150.15/fog/management/index.php?sub=requestClientInfo&configure&newService&json
16/12/2019 10:50 Middleware::Response Success
16/12/2019 10:50 Middleware::Communication URL: http://10.0.150.15/fog/management/index.php?sub=requestClientInfo&mac=00:50:56:87:8F:1A|0A:00:27:00:00:05&newService&json
16/12/2019 10:50 Middleware::Response Success
16/12/2019 10:50 Middleware::Communication URL: http://10.0.150.15/fog/service/getversion.php?clientver&newService&json
16/12/2019 10:50 Middleware::Communication URL: http://10.0.150.15/fog/service/getversion.php?newService&json
16/12/2019 10:50 Service Creating user agent cache
16/12/2019 10:50 Middleware::Response Invalid time
16/12/2019 10:50 Middleware::Response No Printers
16/12/2019 10:50 Middleware::Response Module is disabled globally on the FOG server
------------------------------------------------------------------------------
---------------------------------ClientUpdater--------------------------------
------------------------------------------------------------------------------
16/12/2019 10:50 Client-Info Client Version: 0.11.16
16/12/2019 10:50 Client-Info Client OS: Windows
16/12/2019 10:50 Client-Info Server Version: 1.5.7
16/12/2019 10:50 Middleware::Response Success
------------------------------------------------------------------------------
------------------------------------------------------------------------------
----------------------------------TaskReboot----------------------------------
------------------------------------------------------------------------------
16/12/2019 10:50 Client-Info Client Version: 0.11.16
16/12/2019 10:50 Client-Info Client OS: Windows
16/12/2019 10:50 Client-Info Server Version: 1.5.7
16/12/2019 10:50 Middleware::Response Success
------------------------------------------------------------------------------
------------------------------------------------------------------------------
--------------------------------HostnameChanger-------------------------------
------------------------------------------------------------------------------
16/12/2019 10:50 Client-Info Client Version: 0.11.16
16/12/2019 10:50 Client-Info Client OS: Windows
16/12/2019 10:50 Client-Info Server Version: 1.5.7
16/12/2019 10:50 Middleware::Response Success
16/12/2019 10:50 HostnameChanger Users still logged in and enforce is disabled, delaying any further actions
------------------------------------------------------------------------------
------------------------------------------------------------------------------
---------------------------------SnapinClient---------------------------------
------------------------------------------------------------------------------
16/12/2019 10:50 Client-Info Client Version: 0.11.16
16/12/2019 10:50 Client-Info Client OS: Windows
16/12/2019 10:50 Client-Info Server Version: 1.5.7
16/12/2019 10:50 Middleware::Response No snapins
------------------------------------------------------------------------------
------------------------------------------------------------------------------
--------------------------------PrinterManager--------------------------------
------------------------------------------------------------------------------
16/12/2019 10:50 Client-Info Client Version: 0.11.16
16/12/2019 10:50 Client-Info Client OS: Windows
16/12/2019 10:50 Client-Info Server Version: 1.5.7
16/12/2019 10:50 Middleware::Response No Printers
------------------------------------------------------------------------------
------------------------------------------------------------------------------
--------------------------------PowerManagement-------------------------------
------------------------------------------------------------------------------
16/12/2019 10:50 Client-Info Client Version: 0.11.16
16/12/2019 10:50 Client-Info Client OS: Windows
16/12/2019 10:50 Client-Info Server Version: 1.5.7
16/12/2019 10:50 Middleware::Response Success
16/12/2019 10:50 PowerManagement Calculating tasks to unschedule
16/12/2019 10:50 PowerManagement Calculating tasks to schedule
------------------------------------------------------------------------------
------------------------------------------------------------------------------
----------------------------------UserTracker---------------------------------
------------------------------------------------------------------------------
16/12/2019 10:50 Client-Info Client Version: 0.11.16
16/12/2019 10:50 Client-Info Client OS: Windows
16/12/2019 10:50 Client-Info Server Version: 1.5.7
16/12/2019 10:50 Middleware::Response Success
------------------------------------------------------------------------------
```
-
@loutrage Yes, you need to install the fog-client on your host(s). It’s not something FOG does automatically. Usually people install the fog-client on the “mother” image and deploy that to all the hosts.

> 16/12/2019 10:50 HostnameChanger Users still logged in and enforce is disabled, delaying any further actions

Now this time the client communication seems fine. But it doesn’t try to join the domain because a user is still logged in to the host and the force option (host’s AD settings -> Name Change/AD Join Forced reboot?) is not enabled.
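The reply above rests on a single line buried in a long fog.log, and reading such a log by eye is error-prone. The following Python is an added example, not part of this thread or of the FOG project: a parser for the fog.log format shown above (date, time, module, message, with dashed banners naming each module's section) and a `diagnose` step that reports whether authentication completed and whether HostnameChanger postponed the rename/join. The sample log is constructed from the kind of lines posted above; the module names and messages come from the log, while the verdict wording is my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a trimmed fog.log in the layout the thread shows.
SAMPLE_LOG = r"""
16/12/2019 10:48 Service Starting service
------------------------------------------------------------------------------
--------------------------------Authentication--------------------------------
------------------------------------------------------------------------------
16/12/2019 10:48 Client-Info Version: 0.11.16
16/12/2019 10:48 Middleware::Authentication Waiting for authentication timeout to pass
16/12/2019 10:48 Data::RSA FOG Server CA cert found
16/12/2019 10:48 Middleware::Authentication Cert OK
16/12/2019 10:48 Middleware::Authentication No token found at C:\Program Files (x86)\FOG\token.dat, this is expected if the client has not authenticated before
16/12/2019 10:48 Middleware::Authentication ERROR: Could not get security token
16/12/2019 10:48 Middleware::Authentication ERROR: Could not find file 'C:\Program Files (x86)\FOG\token.dat'.
16/12/2019 10:48 Middleware::Response Success
16/12/2019 10:48 Middleware::Authentication Authenticated
------------------------------------------------------------------------------
--------------------------------HostnameChanger-------------------------------
------------------------------------------------------------------------------
16/12/2019 10:48 Middleware::Response Success
16/12/2019 10:48 HostnameChanger Users still logged in and enforce is disabled, delaying any further actions
------------------------------------------------------------------------------
"""

LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}) (\S+) (.*)$")
SECTION_RE = re.compile(r"^-{5,}([A-Za-z]+)-{5,}$")


@dataclass
class Entry:
    ts: str
    module: str
    message: str
    section: Optional[str]  # module banner the line appeared under, if any


def parse_fog_log(text: str) -> List[Entry]:
    """Split fog.log text into entries. A dashed banner such as
    ----HostnameChanger---- opens a section; pure dash lines are skipped."""
    entries: List[Entry] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = LINE_RE.match(line)
        if m:
            entries.append(Entry(m.group(1), m.group(2), m.group(3), section))
    return entries


def diagnose(entries: List[Entry]) -> dict:
    """Summarise why a host may not have joined the domain. The first-run
    token.dat errors are benign when an 'Authenticated' line follows them,
    so they are collected separately rather than treated as a failure."""
    findings = {
        "authenticated": False,
        "auth_errors": [],
        "hostname_changer_delayed": False,
        "modules": [],
        "verdict": "",
    }
    for e in entries:
        if e.section and e.section not in findings["modules"]:
            findings["modules"].append(e.section)
        if e.module == "Middleware::Authentication":
            if e.message == "Authenticated":
                findings["authenticated"] = True
            elif e.message.startswith("ERROR:"):
                findings["auth_errors"].append(e.message)
        elif e.module == "HostnameChanger" and "delaying any further actions" in e.message:
            findings["hostname_changer_delayed"] = True
    if not findings["authenticated"]:
        findings["verdict"] = "client never authenticated: check the CA/cert the client downloads from the server"
    elif findings["hostname_changer_delayed"]:
        findings["verdict"] = ("client talks to the server fine; rename/join postponed because a user "
                               "is logged in and the forced reboot option is off")
    else:
        findings["verdict"] = "no join blocker found in this log"
    return findings


if __name__ == "__main__":
    result = diagnose(parse_fog_log(SAMPLE_LOG))
    print("sections seen:", ", ".join(result["modules"]))
    print("authenticated:", result["authenticated"],
          "| auth errors:", len(result["auth_errors"]))
    print("verdict:", result["verdict"])
```

Point it at a real `C:\Program Files (x86)\FOG\fog.log` by reading the file into `parse_fog_log` instead of `SAMPLE_LOG`. The useful property is the ordering check: two `ERROR:` lines from `Middleware::Authentication` followed by `Authenticated` is the normal first run without a `token.dat`, whereas the same errors without a later `Authenticated` point at the certificate problem discussed earlier in the thread.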
-
Ohh thank you! It works now!
I didn’t know if I had to log on and then reboot manually to join the domain.
I noticed that I have to wait 3-4 minutes after the first boot for the automatic reboot, and then the PC is in the domain!
Thanks a lot for the help, the problem is now solved!