win10 1909 fogserver 1.5.7 debian (might have screwed something up?)

p4cm4n

for whatever reason - when i have been deploying 1909 the following appears in the log:
RSA FOG Server CA cert found
RSA ERROR Certificate validation failed
RSA ERROR Trust Chain did not complete to the known authority anchor. Errors: The signature of the certificate cannot be verified. NotSignatureValid
Authentication ERROR Could not authenticate
Authentication ERROR Certificate is not from FOG CA

This could be something I messed up as I haven’t prepped my images since 1903 over the summer. Workflow is as follows:
Created base 1909 in ESXi, installed scripts and such.
Ran FOG installation, set service to disabled, injected firstlogin script to run installation again, with all quiet batch strings.
Sysprep.
Capture image, then deploy to new machine.
Machine boots, script runs and installs fog successfully. Starts service. Error above appears.

This hasn’t happened on my previous images.

Sebastian Roth

@p4cm4n May I ask if you use the exact same FOG server that you ever have or did you switch to a different server at some point??

p4cm4n

i have many - one at most of the sites i support.

the one at the site i created the original image ( home ) is 1.5.6, most of my sites are 1.5.6. i have not changed them any time recently.
in fact, the one where i noticed this was a brand new install that day of 1.5.7.

could it be that pre-image, when i installed fog, it has some sort of file in a local directory that doesn’t get replaced when fog gets reinstalled?
i’d thought this be possible but typically reinstalling the client fixes the issue anyways. since my first run script does that, i’ve been confused.

Sebastian Roth

@p4cm4n said in win10 1909 fogserver 1.5.7 debian (might have screwed something up?):

could it be that pre-image, when i installed fog, it has some sort of file in a local directory that doesn’t get replaced when fog gets reinstalled?
i’d thought this be possible but typically reinstalling the client fixes the issue anyways. since my first run scriphttps://forums.fogproject.org/topic/12119/domain-join-not-working/14t does that, i’ve been confused.

Yes and yes. When installing the fog-client it pulls the FOG server SSL certificate from the server it is configured to talk to. Now if you change the configuration of the client to talk to a different server later on it will fail! But as you say your first run script would do a re-install anyway this shouldn’t be a problem.

FOG server version should not plhttps://forums.fogproject.org/topic/12119/domain-join-not-working/14ay a role. As long as you don’t re-run the installer using the command line switch to re-issue a new FOG Server CA (-C) there should not be a problem. On the client where you see the issue, you might want to take a look at the Windows certificate store. Find the “FOG Server CA” cert and note down the thumbprint. Now on your FOG server run the following commands and compare all the thumbprints:

openssl x509 -noout  -fingerprint -sha1 -inform pem -in /opt/fog/snapins/ssl/CA/.fogCA.pem 
openssl x509 -noout  -fingerprint -sha1 -inform pem -in /var/www/html/fog/management/other/ca.cert.pem

Also see my last posts here: https://forums.fogproject.org/topic/12870/web-interface-slowdown-and-fog-client-authentication-issues

p4cm4n

@Sebastian-Roth i apologize for the assumptions.

after further reviewing, and testing - it seems that for whatever reason, my scripts are not running at boot.

it is trying to find the old server, and the new installation never happens - just the enabling of the service - hence the errors i’ve been seeing.

not sure why, but win10 1909 is causing it for some reason. might be the computers and their speed but i don’t think so. i’m testing more.

bottom line - it is not a fog issue.
thanks for your assistance however.

Sebastian Roth

@p4cm4n Good to hear it’s not caused by the fog-client. Keeping my fingers crossed that you find what broke the install on 1909 soon! Please let us know what you find.