Migrated FOG, Clients Not Happy
-
I migrated out FOG install over to a new server. But the clients are not happy and cannot connect to it. Below is the fog.log file.
I installed the OS (Ubuntu 18.04)
Installed latest SVN
Imported backup of our FOG database
Copied all files from /opt/fog/snapins/ssl to the new server at /opt/fog/snapins/ssl
Ran FOG installer again
Reset encryption data on all clients12/18/2019 11:53 AM Main Overriding exception handling 12/18/2019 11:53 AM Main Bootstrapping Zazzles 12/18/2019 11:53 AM Controller Initialize 12/18/2019 11:53 AM Controller Start 12/18/2019 11:53 AM Service Starting service 12/18/2019 11:54 AM Bus Became bus server 12/18/2019 11:54 AM Bus Emmiting message on channel: Status 12/18/2019 11:54 AM Service Invoking early JIT compilation on needed binaries ------------------------------------------------------------------------------ --------------------------------Authentication-------------------------------- ------------------------------------------------------------------------------ 12/18/2019 11:54 AM Client-Info Version: 0.11.17 12/18/2019 11:54 AM Client-Info OS: Windows 12/18/2019 11:54 AM Middleware::Authentication Waiting for authentication timeout to pass 12/18/2019 11:54 AM Middleware::Communication Download: http://fogserver/fog/management/other/ssl/srvpublic.crt 12/18/2019 11:54 AM Data::RSA FOG Server CA cert found 12/18/2019 11:54 AM Data::RSA ERROR: Certificate validation failed 12/18/2019 11:54 AM Data::RSA ERROR: Trust chain did not complete to the known authority anchor. Errors: The signature of the certificate cannot be verified. (NotSignatureValid) 12/18/2019 11:54 AM Middleware::Authentication ERROR: Could not authenticate 12/18/2019 11:54 AM Middleware::Authentication ERROR: Certificate is not from FOG CA ------------------------------------------------------------------------------ --------------------------------Authentication-------------------------------- ------------------------------------------------------------------------------ 12/18/2019 11:54 AM Client-Info Version: 0.11.17 12/18/2019 11:54 AM Client-Info OS: Windows 12/18/2019 11:54 AM Middleware::Authentication Waiting for authentication timeout to pass
-
@Scott-B I pushed out a new fog-client release (0.11.17) a couple of days ago. This is the first time I have done this (took over the work from another person) and seems like something is wrong although we did some thorough testing before the release.
Can you please open the URL http://fogserver/fog/management/other/ssl/srvpublic.crt and make sure it’s a certificate file you get as return? Best if you can use
wget
command on a Linux command shell so we see if it does some redirecting before the download! -
@Sebastian-Roth said in Migrated FOG, Clients Not Happy:
Scott-B I pushed out a new fog-client release (0.11.17) a couple of days ago. This is the first time I have done this (took over the work from another person) and seems like something is wrong although we did some thorough testing before the release.
Visiting that URL I am prompted to download a crt file. All the details inside the cert seem to be correct.
-
@Scott-B said in Migrated FOG, Clients Not Happy:
Visiting that URL I am prompted to download a crt file.
Please try using
wget
as well just to make sure it’s not a redirect issue. -
@Sebastian-Roth said in Migrated FOG, Clients Not Happy:
I am able to download the file with wget as well.
-
@Scott-B said in Migrated FOG, Clients Not Happy:
I am able to download the file with wget as well.
Sorry that I keep asking but does
wget
do a straight download or is it being redirected to another URL before it can download the cert?Please take a look at the certificate store on the client. Make sure the “FOG Server CA” does exist and is still valid. (You can ignore the “FOG Project” cert as it is only used by the client updater.) Here you want to take a look at the "FOG Server CA"s thumbprint. Compare that to what you get when running this command on your FOG server console:
openssl x509 -in /opt/fog/snapins/ssl/CA/.fogCA.pem -fingerprint -noout
(see here on where to find the cert store) -
Here is the output when using wget from the server console.
root@fogserver:~/fogproject/bin# wget http://fogserver/fog/management/other/ssl/srvpublic.crt --2019-12-18 20:23:57-- http://fogserver/fog/management/other/ssl/srvpublic.crt Resolving fogserver (fogserver)... 127.0.1.1 Connecting to fogserver (fogserver)|127.0.1.1|:80... connected. HTTP request sent, awaiting response... 200 OK Length: 1757 (1.7K) [application/x-x509-ca-cert] Saving to: ‘srvpublic.crt’ srvpublic.crt 100%[============================================================================>] 1.72K --.-KB/s in 0s 2019-12-18 20:23:57 (189 MB/s) - ‘srvpublic.crt’ saved [1757/1757]
I can try from a different computer if you need me to. Looking at the cert store on the windows device I have both the FOG Server CA which is valid as well as the FOG Project cert.
-
@Scott-B said in Migrated FOG, Clients Not Happy:
Looking at the cert store on the windows device I have both the FOG Server CA which is valid as well as the FOG Project cert.
Did you compare the thumbprint as described below? Sorry I edited the post a few minutes after initially sending it so you might not have seen this.
-
@Sebastian-Roth said in Migrated FOG, Clients Not Happy:
openssl x509 -in /opt/fog/snapins/ssl/CA/.fogCA.pem -fingerprint -noout
Comparing the FOG Server CA on the workstation and the server shows two different thumbprints.
Server:
E5:D3:32:A3:5F:8D:A4:B8:BD:3C:6B:CC:76:A6:A5:F0:85:3C:9B:B8Client:
6B:9D:5B:3F:BC:23:7B:9D:1E:69:46:80:C2:90:CB:9A:BC:97:DD:70 -
@Scott-B said in Migrated FOG, Clients Not Happy:
I migrated out FOG install over to a new server.
Ohhhhhh my… ! Sorry, I totally missed that in your initial post. I was too scared it had something to do with the 0.11.17 fog-client release…
You need to copy the certificates from your old server to the new one: https://wiki.fogproject.org/wiki/index.php?title=Migrate_FOG#If_old_server_was_FOG_1.3.0.2B
-
I did copy them over and ran the installer again. Is it only files in /opt/fog/snapins/ssl/ or do I have to worry about the certs in /var/www/fog/management/other/ as well?
-
@Scott-B said in Migrated FOG, Clients Not Happy:
I did copy them over and ran the installer again. Is it only files in /opt/fog/snapins/ssl/ or do I have to worry about the certs in /var/www/fog/management/other/ as well?
The installer should take care of the rest (/var/www/fog/management/other/…). Please see if the client’s are happy reconnecting now.
-
They are still not happy.
------------------------------------------------------------------------------ ----------------------------------UserTracker--------------------------------- ------------------------------------------------------------------------------ 12/19/2019 12:14 PM Client-Info Client Version: 0.11.17 12/19/2019 12:14 PM Client-Info Client OS: Windows 12/19/2019 12:14 PM Client-Info Server Version: 1.5.7.86 12/19/2019 12:14 PM Middleware::Response ERROR: Unable to get subsection 12/19/2019 12:14 PM Middleware::Response ERROR: Object reference not set to an instance of an object. 12/19/2019 12:14 PM Service Sleeping for 84 seconds 12/19/2019 12:15 PM Middleware::Communication URL: http://fogserver/fog/management/index.php?sub=requestClientInfo&configure&newService&json 12/19/2019 12:15 PM Middleware::Response Success 12/19/2019 12:15 PM Middleware::Communication URL: http://fogserver/fog/management/index.php?sub=requestClientInfo&mac=2C:41:38:8F:55:FF&newService&json 12/19/2019 12:15 PM Middleware::Authentication Waiting for authentication timeout to pass 12/19/2019 12:15 PM Middleware::Communication Download: http://fogserver/fog/management/other/ssl/srvpublic.crt 12/19/2019 12:16 PM Data::RSA FOG Server CA cert found 12/19/2019 12:16 PM Data::RSA ERROR: Certificate validation failed 12/19/2019 12:16 PM Data::RSA ERROR: Trust chain did not complete to the known authority anchor. Errors: The signature of the certificate cannot be verified. (NotSignatureValid) 12/19/2019 12:16 PM Middleware::Authentication ERROR: Could not authenticate 12/19/2019 12:16 PM Middleware::Authentication ERROR: Certificate is not from FOG CA 12/19/2019 12:16 PM Middleware::Response Success 12/19/2019 12:16 PM Middleware::Communication URL: http://fogserver/fog/service/getversion.php?clientver&newService&json 12/19/2019 12:16 PM Middleware::Communication URL: http://fogserver/fog/service/getversion.php?newService&json 12/19/2019 12:16 PM Service Creating user agent cache 12/19/2019 12:16 PM Middleware::Response ERROR: Unable to get subsection 12/19/2019 12:16 PM Middleware::Response ERROR: Object reference not set to an instance of an object. 12/19/2019 12:16 PM Middleware::Response ERROR: Unable to get subsection 12/19/2019 12:16 PM Middleware::Response ERROR: Object reference not set to an instance of an object. 12/19/2019 12:16 PM Middleware::Response ERROR: Unable to get subsection 12/19/2019 12:16 PM Middleware::Response ERROR: Object reference not set to an instance of an object.
-
@Scott-B Still the same error. Sounds a bit like it still sends out the old certificate. Re-running the installer should have restarted the Apache webserver. But you might manually restart it (
systemctl restart apache2
orsystemctl restart httpd
) or the whole server.Then do a comparison of the thumbprints again. Sorry again, I think I have messed up
openssl x509 -in /opt/fog/snapins/ssl/CA/.fogCA.pem -fingerprint -noout openssl x509 -in /var/www/html/management/other/ssl/ca.cert.pem -fingerprint -noout
Compare those to the thumbprint you find in the certificate management in Windows from the “FOG Server CA”.
-
@Sebastian-Roth said in Migrated FOG, Clients Not Happy:
systemctl restart apache2
Restarted apache and rechecked the thumbprints. They are still different. Same thumbprints as before.
-
@Scott-B Funny I just got time to look into this again. It’s very strange you still get the “wrong” thumbprint. Are you sure you copied the right files?
-
@Scott-B Can you get the thumbprints on the old server?
-
@Sebastian-Roth said in Migrated FOG, Clients Not Happy:
@Scott-B Can you get the thumbprints on the old server?
The tumbprint from srvpublic.crt in /var/fog/management/other/ssl on the older server is
88901133f4640b294ec5f4538e3f098eccadca45 -
@Scott-B said in Migrated FOG, Clients Not Happy:
The tumbprint from srvpublic.crt in /var/fog/management/other/ssl on the older server is
88901133f4640b294ec5f4538e3f098eccadca45Watch out! You don’t want to compare apples with pears! What you need is the same CA certificate (same thumbprint) that you had on the old server to be used on the new server as well. The CA cert is originally generated in /opt/fog/snapins/ssl/CA/.fogCA.pem and then copied over to /var/www/html/management/other/ssl/ca.cert.pem - those two files should have the exact same thumbprint. The later one is used by the fog-client installer to “pin” itself to this exact FOG server. So the certificate you see as “FOG Server CA” on the client should essentially be the exact same as the two mentioned above.
-
@Scott-B Did you find what was causing this?