Migrated FOG, Clients Not Happy

Scott B · Dec 18, 2019, 4:55 PM

I migrated out FOG install over to a new server. But the clients are not happy and cannot connect to it. Below is the fog.log file.

I installed the OS (Ubuntu 18.04)
Installed latest SVN
Imported backup of our FOG database
Copied all files from /opt/fog/snapins/ssl to the new server at /opt/fog/snapins/ssl
Ran FOG installer again
Reset encryption data on all clients

 12/18/2019 11:53 AM Main Overriding exception handling
 12/18/2019 11:53 AM Main Bootstrapping Zazzles
 12/18/2019 11:53 AM Controller Initialize
 12/18/2019 11:53 AM Controller Start

 12/18/2019 11:53 AM Service Starting service
 12/18/2019 11:54 AM Bus Became bus server
 12/18/2019 11:54 AM Bus Emmiting message on channel: Status
 12/18/2019 11:54 AM Service Invoking early JIT compilation on needed binaries

------------------------------------------------------------------------------
--------------------------------Authentication--------------------------------
------------------------------------------------------------------------------
 12/18/2019 11:54 AM Client-Info Version: 0.11.17
 12/18/2019 11:54 AM Client-Info OS:      Windows
 12/18/2019 11:54 AM Middleware::Authentication Waiting for authentication timeout to pass
 12/18/2019 11:54 AM Middleware::Communication Download: http://fogserver/fog/management/other/ssl/srvpublic.crt
 12/18/2019 11:54 AM Data::RSA FOG Server CA cert found
 12/18/2019 11:54 AM Data::RSA ERROR: Certificate validation failed
 12/18/2019 11:54 AM Data::RSA ERROR: Trust chain did not complete to the known authority anchor. Errors: The signature of the certificate cannot be verified. (NotSignatureValid)
 12/18/2019 11:54 AM Middleware::Authentication ERROR: Could not authenticate
 12/18/2019 11:54 AM Middleware::Authentication ERROR: Certificate is not from FOG CA

------------------------------------------------------------------------------
--------------------------------Authentication--------------------------------
------------------------------------------------------------------------------
 12/18/2019 11:54 AM Client-Info Version: 0.11.17
 12/18/2019 11:54 AM Client-Info OS:      Windows
 12/18/2019 11:54 AM Middleware::Authentication Waiting for authentication timeout to pass

Sebastian Roth · Dec 18, 2019, 6:48 PM

@Scott-B I pushed out a new fog-client release (0.11.17) a couple of days ago. This is the first time I have done this (took over the work from another person) and seems like something is wrong although we did some thorough testing before the release.

Can you please open the URL http://fogserver/fog/management/other/ssl/srvpublic.crt and make sure it’s a certificate file you get as return? Best if you can use wget command on a Linux command shell so we see if it does some redirecting before the download!

Scott B · Dec 18, 2019, 7:34 PM

@Sebastian-Roth said in Migrated FOG, Clients Not Happy:

Scott-B I pushed out a new fog-client release (0.11.17) a couple of days ago. This is the first time I have done this (took over the work from another person) and seems like something is wrong although we did some thorough testing before the release.

Visiting that URL I am prompted to download a crt file. All the details inside the cert seem to be correct.

Sebastian Roth · Dec 18, 2019, 7:41 PM

@Scott-B said in Migrated FOG, Clients Not Happy:

Visiting that URL I am prompted to download a crt file.

Please try using wget as well just to make sure it’s not a redirect issue.

Scott B · Dec 18, 2019, 7:53 PM

@Sebastian-Roth said in Migrated FOG, Clients Not Happy:

http://fogserver/fog/management/other/ssl/srvpublic.crt

I am able to download the file with wget as well.

Sebastian Roth · Dec 18, 2019, 2:15 PM

@Scott-B said in Migrated FOG, Clients Not Happy:

I am able to download the file with wget as well.

Sorry that I keep asking but does wget do a straight download or is it being redirected to another URL before it can download the cert?

Please take a look at the certificate store on the client. Make sure the “FOG Server CA” does exist and is still valid. (You can ignore the “FOG Project” cert as it is only used by the client updater.) Here you want to take a look at the "FOG Server CA"s thumbprint. Compare that to what you get when running this command on your FOG server console: openssl x509 -in /opt/fog/snapins/ssl/CA/.fogCA.pem -fingerprint -noout

(see here on where to find the cert store)

Scott B · Dec 18, 2019, 8:28 PM

Here is the output when using wget from the server console.


root@fogserver:~/fogproject/bin# wget http://fogserver/fog/management/other/ssl/srvpublic.crt
--2019-12-18 20:23:57--  http://fogserver/fog/management/other/ssl/srvpublic.crt
Resolving fogserver (fogserver)... 127.0.1.1
Connecting to fogserver (fogserver)|127.0.1.1|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1757 (1.7K) [application/x-x509-ca-cert]
Saving to: ‘srvpublic.crt’

srvpublic.crt                           100%[============================================================================>]   1.72K  --.-KB/s    in 0s

2019-12-18 20:23:57 (189 MB/s) - ‘srvpublic.crt’ saved [1757/1757]

I can try from a different computer if you need me to. Looking at the cert store on the windows device I have both the FOG Server CA which is valid as well as the FOG Project cert.

Sebastian Roth · Dec 18, 2019, 9:18 PM

@Scott-B said in Migrated FOG, Clients Not Happy:

Looking at the cert store on the windows device I have both the FOG Server CA which is valid as well as the FOG Project cert.

Did you compare the thumbprint as described below? Sorry I edited the post a few minutes after initially sending it so you might not have seen this.

Scott B · Dec 19, 2019, 2:42 PM

@Sebastian-Roth said in Migrated FOG, Clients Not Happy:

openssl x509 -in /opt/fog/snapins/ssl/CA/.fogCA.pem -fingerprint -noout

Comparing the FOG Server CA on the workstation and the server shows two different thumbprints.

Server:
E5:D3:32:A3:5F:8D:A4:B8:BD:3C:6B:CC:76:A6:A5:F0:85:3C:9B:B8

Client:
6B:9D:5B:3F:BC:23:7B:9D:1E:69:46:80:C2:90:CB:9A:BC:97:DD:70

Sebastian Roth · Dec 19, 2019, 4:09 PM

@Scott-B said in Migrated FOG, Clients Not Happy:

I migrated out FOG install over to a new server.

Ohhhhhh my… ! Sorry, I totally missed that in your initial post. I was too scared it had something to do with the 0.11.17 fog-client release…

You need to copy the certificates from your old server to the new one: https://wiki.fogproject.org/wiki/index.php?title=Migrate_FOG#If_old_server_was_FOG_1.3.0.2B

Scott B · Dec 19, 2019, 4:29 PM

@Sebastian-Roth

I did copy them over and ran the installer again. Is it only files in /opt/fog/snapins/ssl/ or do I have to worry about the certs in /var/www/fog/management/other/ as well?

Sebastian Roth · Dec 19, 2019, 4:59 PM

@Scott-B said in Migrated FOG, Clients Not Happy:

I did copy them over and ran the installer again. Is it only files in /opt/fog/snapins/ssl/ or do I have to worry about the certs in /var/www/fog/management/other/ as well?

The installer should take care of the rest (/var/www/fog/management/other/…). Please see if the client’s are happy reconnecting now.

Scott B · Dec 19, 2019, 5:16 PM

@Sebastian-Roth

They are still not happy.

------------------------------------------------------------------------------
----------------------------------UserTracker---------------------------------
------------------------------------------------------------------------------
 12/19/2019 12:14 PM Client-Info Client Version: 0.11.17
 12/19/2019 12:14 PM Client-Info Client OS:      Windows
 12/19/2019 12:14 PM Client-Info Server Version: 1.5.7.86
 12/19/2019 12:14 PM Middleware::Response ERROR: Unable to get subsection
 12/19/2019 12:14 PM Middleware::Response ERROR: Object reference not set to an instance of an object.
 12/19/2019 12:14 PM Service Sleeping for 84 seconds
 12/19/2019 12:15 PM Middleware::Communication URL: http://fogserver/fog/management/index.php?sub=requestClientInfo&configure&newService&json
 12/19/2019 12:15 PM Middleware::Response Success
 12/19/2019 12:15 PM Middleware::Communication URL: http://fogserver/fog/management/index.php?sub=requestClientInfo&mac=2C:41:38:8F:55:FF&newService&json
 12/19/2019 12:15 PM Middleware::Authentication Waiting for authentication timeout to pass
 12/19/2019 12:15 PM Middleware::Communication Download: http://fogserver/fog/management/other/ssl/srvpublic.crt
 12/19/2019 12:16 PM Data::RSA FOG Server CA cert found
 12/19/2019 12:16 PM Data::RSA ERROR: Certificate validation failed
 12/19/2019 12:16 PM Data::RSA ERROR: Trust chain did not complete to the known authority anchor. Errors: The signature of the certificate cannot be verified. (NotSignatureValid)
 12/19/2019 12:16 PM Middleware::Authentication ERROR: Could not authenticate
 12/19/2019 12:16 PM Middleware::Authentication ERROR: Certificate is not from FOG CA
 12/19/2019 12:16 PM Middleware::Response Success
 12/19/2019 12:16 PM Middleware::Communication URL: http://fogserver/fog/service/getversion.php?clientver&newService&json
 12/19/2019 12:16 PM Middleware::Communication URL: http://fogserver/fog/service/getversion.php?newService&json

 12/19/2019 12:16 PM Service Creating user agent cache
 12/19/2019 12:16 PM Middleware::Response ERROR: Unable to get subsection
 12/19/2019 12:16 PM Middleware::Response ERROR: Object reference not set to an instance of an object.
 12/19/2019 12:16 PM Middleware::Response ERROR: Unable to get subsection
 12/19/2019 12:16 PM Middleware::Response ERROR: Object reference not set to an instance of an object.
 12/19/2019 12:16 PM Middleware::Response ERROR: Unable to get subsection
 12/19/2019 12:16 PM Middleware::Response ERROR: Object reference not set to an instance of an object.

Sebastian Roth · Dec 19, 2019, 2:48 PM

@Scott-B Still the same error. Sounds a bit like it still sends out the old certificate. Re-running the installer should have restarted the Apache webserver. But you might manually restart it (systemctl restart apache2 or systemctl restart httpd) or the whole server.

Then do a comparison of the thumbprints again. Sorry again, I think I have messed up

openssl x509 -in /opt/fog/snapins/ssl/CA/.fogCA.pem -fingerprint -noout
openssl x509 -in /var/www/html/management/other/ssl/ca.cert.pem -fingerprint -noout

Compare those to the thumbprint you find in the certificate management in Windows from the “FOG Server CA”.

Scott B · Dec 19, 2019, 8:47 PM

@Sebastian-Roth said in Migrated FOG, Clients Not Happy:

systemctl restart apache2

Restarted apache and rechecked the thumbprints. They are still different. Same thumbprints as before.

Sebastian Roth · Dec 19, 2019, 2:49 PM

@Scott-B Funny I just got time to look into this again. It’s very strange you still get the “wrong” thumbprint. Are you sure you copied the right files?

Sebastian Roth · Dec 19, 2019, 8:49 PM

@Scott-B Can you get the thumbprints on the old server?

Scott B · Dec 19, 2019, 8:54 PM

@Sebastian-Roth said in Migrated FOG, Clients Not Happy:

@Scott-B Can you get the thumbprints on the old server?

The tumbprint from srvpublic.crt in /var/fog/management/other/ssl on the older server is
88901133f4640b294ec5f4538e3f098eccadca45

Sebastian Roth · Dec 19, 2019, 10:04 PM

@Scott-B said in Migrated FOG, Clients Not Happy:

The tumbprint from srvpublic.crt in /var/fog/management/other/ssl on the older server is
88901133f4640b294ec5f4538e3f098eccadca45

Watch out! You don’t want to compare apples with pears! What you need is the same CA certificate (same thumbprint) that you had on the old server to be used on the new server as well. The CA cert is originally generated in /opt/fog/snapins/ssl/CA/.fogCA.pem and then copied over to /var/www/html/management/other/ssl/ca.cert.pem - those two files should have the exact same thumbprint. The later one is used by the fog-client installer to “pin” itself to this exact FOG server. So the certificate you see as “FOG Server CA” on the client should essentially be the exact same as the two mentioned above.

Sebastian Roth · Jan 2, 2020, 5:31 PM

@Scott-B Did you find what was causing this?

Migrated FOG, Clients Not Happy

194

12.0k

17.3k

155.2k