Migrated FOG, Clients Not Happy
-
I did copy them over and ran the installer again. Is it only files in /opt/fog/snapins/ssl/ or do I have to worry about the certs in /var/www/fog/management/other/ as well?
-
@Scott-B said in Migrated FOG, Clients Not Happy:
I did copy them over and ran the installer again. Is it only files in /opt/fog/snapins/ssl/ or do I have to worry about the certs in /var/www/fog/management/other/ as well?
The installer should take care of the rest (/var/www/fog/management/other/…). Please see if the client’s are happy reconnecting now.
Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)
Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG
-
They are still not happy.
------------------------------------------------------------------------------ ----------------------------------UserTracker--------------------------------- ------------------------------------------------------------------------------ 12/19/2019 12:14 PM Client-Info Client Version: 0.11.17 12/19/2019 12:14 PM Client-Info Client OS: Windows 12/19/2019 12:14 PM Client-Info Server Version: 1.5.7.86 12/19/2019 12:14 PM Middleware::Response ERROR: Unable to get subsection 12/19/2019 12:14 PM Middleware::Response ERROR: Object reference not set to an instance of an object. 12/19/2019 12:14 PM Service Sleeping for 84 seconds 12/19/2019 12:15 PM Middleware::Communication URL: http://fogserver/fog/management/index.php?sub=requestClientInfo&configure&newService&json 12/19/2019 12:15 PM Middleware::Response Success 12/19/2019 12:15 PM Middleware::Communication URL: http://fogserver/fog/management/index.php?sub=requestClientInfo&mac=2C:41:38:8F:55:FF&newService&json 12/19/2019 12:15 PM Middleware::Authentication Waiting for authentication timeout to pass 12/19/2019 12:15 PM Middleware::Communication Download: http://fogserver/fog/management/other/ssl/srvpublic.crt 12/19/2019 12:16 PM Data::RSA FOG Server CA cert found 12/19/2019 12:16 PM Data::RSA ERROR: Certificate validation failed 12/19/2019 12:16 PM Data::RSA ERROR: Trust chain did not complete to the known authority anchor. Errors: The signature of the certificate cannot be verified. (NotSignatureValid) 12/19/2019 12:16 PM Middleware::Authentication ERROR: Could not authenticate 12/19/2019 12:16 PM Middleware::Authentication ERROR: Certificate is not from FOG CA 12/19/2019 12:16 PM Middleware::Response Success 12/19/2019 12:16 PM Middleware::Communication URL: http://fogserver/fog/service/getversion.php?clientver&newService&json 12/19/2019 12:16 PM Middleware::Communication URL: http://fogserver/fog/service/getversion.php?newService&json 12/19/2019 12:16 PM Service Creating user agent cache 12/19/2019 12:16 PM Middleware::Response ERROR: Unable to get subsection 12/19/2019 12:16 PM Middleware::Response ERROR: Object reference not set to an instance of an object. 12/19/2019 12:16 PM Middleware::Response ERROR: Unable to get subsection 12/19/2019 12:16 PM Middleware::Response ERROR: Object reference not set to an instance of an object. 12/19/2019 12:16 PM Middleware::Response ERROR: Unable to get subsection 12/19/2019 12:16 PM Middleware::Response ERROR: Object reference not set to an instance of an object. -
@Scott-B Still the same error. Sounds a bit like it still sends out the old certificate. Re-running the installer should have restarted the Apache webserver. But you might manually restart it (
systemctl restart apache2orsystemctl restart httpd) or the whole server.Then do a comparison of the thumbprints again. Sorry again, I think I have messed up
openssl x509 -in /opt/fog/snapins/ssl/CA/.fogCA.pem -fingerprint -noout openssl x509 -in /var/www/html/management/other/ssl/ca.cert.pem -fingerprint -nooutCompare those to the thumbprint you find in the certificate management in Windows from the “FOG Server CA”.
-
@Sebastian-Roth said in Migrated FOG, Clients Not Happy:
systemctl restart apache2
Restarted apache and rechecked the thumbprints. They are still different. Same thumbprints as before.
-
@Scott-B Funny I just got time to look into this again. It’s very strange you still get the “wrong” thumbprint. Are you sure you copied the right files?
-
@Scott-B Can you get the thumbprints on the old server?
Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)
Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG
-
@Sebastian-Roth said in Migrated FOG, Clients Not Happy:
@Scott-B Can you get the thumbprints on the old server?
The tumbprint from srvpublic.crt in /var/fog/management/other/ssl on the older server is
88901133f4640b294ec5f4538e3f098eccadca45 -
@Scott-B said in Migrated FOG, Clients Not Happy:
The tumbprint from srvpublic.crt in /var/fog/management/other/ssl on the older server is
88901133f4640b294ec5f4538e3f098eccadca45Watch out! You don’t want to compare apples with pears! What you need is the same CA certificate (same thumbprint) that you had on the old server to be used on the new server as well. The CA cert is originally generated in /opt/fog/snapins/ssl/CA/.fogCA.pem and then copied over to /var/www/html/management/other/ssl/ca.cert.pem - those two files should have the exact same thumbprint. The later one is used by the fog-client installer to “pin” itself to this exact FOG server. So the certificate you see as “FOG Server CA” on the client should essentially be the exact same as the two mentioned above.
-
@Scott-B Did you find what was causing this?
Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)
Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG
-
@Sebastian-Roth said in Migrated FOG, Clients Not Happy:
@Scott-B Did you find what was causing this?
No, I have not. My backup, clients, and current running server all have different thumbprints. I have no idea how that’s happened. Is it possible to take the cert from a client and add it to the server?
-
@Scott-B Do you still have a backup copy of your old server?
Is it possible to take the cert from a client and add it to the server?
Sorry, no. The key needed is only on your server and never transferred to the clients.
-
@Scott-B Do you still struggle to get this to work?
Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)
Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG
-
We were not able to bring his setup back online and reconnect the client. I ended up building a new fresh FOG install and we will reimport the machines as we go around. It’s not to big a deal as we needed an excuse to clean up the database anyway.
-
@Scott-B But you’ll need to reinstall the fog-client software on all your machines too.
Other than that you might try to use GPO powershell scripting to exchange the certificates on all the machines as well.
Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)
Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG
-
I’ll have to brush up on the commands for replacing the certs on the clients. Been a long time.
