Several problems : unable to install CA certificate, userdel fogproject, updating database failed

Sebastian Roth

@Matthieu-Jacquart said in Several problems : unable to install CA certificate, userdel fogproject, updating database failed:

Hi, big problem this morning, after upgrading to 1.5.7.89 yesterday, all computers tried to update fog client to 0.11.17, and it failed for all !
fog.log give me this

Ohhh no! Not good. Hmmmmmm let me think.

 07/01/2020 16:46 Middleware::Authentication Waiting for authentication timeout to pass
 07/01/2020 16:46 Middleware::Communication Download: http://192.168.10.60/fog/management/other/ssl/srvpublic.crt
 07/01/2020 16:46 Data::RSA FOG Server CA cert found
 07/01/2020 16:46 Data::RSA ERROR: Certificate validation failed
 07/01/2020 16:46 Data::RSA ERROR: Trust chain did not complete to the known authority anchor. Errors: La signature du certificat ne peut pas être vérifiée. (NotSignatureValid)
 07/01/2020 16:46 Middleware::Authentication ERROR: Could not authenticate
 07/01/2020 16:46 Middleware::Authentication ERROR: Certificate is not from FOG CA

It’s very strange this client log shows that it wasn’t able to properly communicate with the FOG server in the first place. Do you know why?

And for updating database error I run fog installer once again from scratch (deleted .fogsettings)

Did you just delete that file or the whole /opt/fog directory? Because from the error above it seems like the server CA and certificate was regenerated and that made the clients fail in the first place.

 07/01/2020 16:46 Data::RSA FOG Project cert found
 07/01/2020 16:46 ClientUpdater Update file is authentic
------------------------------------------------------------------------------

 07/01/2020 16:46 Bus Emmiting message on channel: Update
 07/01/2020 16:46 Service-Update Spawning update helper
 07/01/2020 16:46 UpdaterHelper Shutting down service...
 07/01/2020 16:46 UpdaterHelper Killing remaining processes...
 07/01/2020 16:46 UpdaterHelper Applying update...
 07/01/2020 16:47 UpdaterHelper Starting service...

I am sorry to say this but the fog-client is completely uninstalled at this stage. I know this is not a good behaviour and I am trying to change this but this is how 0.11.16 (and 0.11.17 still) worked. So you need to re-deploy the fog-client on all the machines I think. Sorry! Will be back with more informations in a few minutes.

Matthieu Jacquart

@Sebastian-Roth said in Several problems : unable to install CA certificate, userdel fogproject, updating database failed:

It’s very strange this client log shows that it wasn’t able to properly communicate with the FOG server in the first place. Do you know why?

Absolutely not, maybe because I made lot of test yesterday with some VM backup restore so it may have borke something and I had to reset encryption data

Did you just delete that file or the whole /opt/fog directory? Because from the error above it seems like the server CA and certificate was regenerated and that made the clients fail in the first place.

just the .fogsetting file, not the opt/fog folder, but I can see in ssl folder that files have been modified yesteray…

root@FOG:/opt/fog/snapins/ssl$ ls -la
total 28
drwxrwxrwx 3 fogproject www-data 4096 janv. 21  2018 .
drwxrwxrwx 3 fogproject www-data 4096 janv.  7 13:10 ..
drwxrwxrwx 2 fogproject www-data 4096 janv. 21  2018 CA
-rwxrwxrwx 1 fogproject www-data   91 janv.  7 16:52 ca.cnf
-rwxrwxrwx 1 fogproject www-data 1667 janv.  7 15:30 fog.csr
-rwxrwxrwx 1 fogproject www-data  223 janv.  7 15:30 req.cnf
-rwxrwxrwx 1 fogproject www-data 3243 janv.  7 15:30 .srvprivate.key

I am sorry to say this but the fog-client is completely uninstalled at this stage. I know this is not a good behaviour and I am trying to change this but this is how 0.11.16 (and 0.11.17 still) worked. So you need to re-deploy the fog-client on all the machines I think. Sorry! Will be back with more informations in a few minutes.

Not a big deal, I have some software to deploy silently if it’s possible with msi client, do you think I have to regenerate certificate ?

Sebastian Roth

@Matthieu-Jacquart Can you please run ls -la /opt/fog/snapins/ssl/CA so we see if the CA was re-generated as well? Do you have a backup of the old files just in case??

As well re-download the updated installer (MSI / EXE), delete the old C:\Windows\Temp\FOGService.install.log on the test client, re-run the new MSI/EXE and post log output here again.

Matthieu Jacquart

@Sebastian-Roth said in Several problems : unable to install CA certificate, userdel fogproject, updating database failed:

@Matthieu-Jacquart Can you please run ls -la /opt/fog/snapins/ssl/CA so we see if the CA was re-generated as well? Do you have a backup of the old files just in case??

Yes I still have old files in bakcup

root@FOG:/opt/fogproject/bin$ ls -la /opt/fog/snapins/ssl/CA
total 20
drwxrwxrwx 2 fogproject www-data 4096 janv. 21  2018 .
drwxrwxrwx 3 fogproject www-data 4096 janv. 21  2018 ..
-rwxrwxrwx 1 fogproject www-data 3243 janv.  7 15:30 .fogCA.key
-rwxrwxrwx 1 fogproject www-data 1801 janv.  7 15:30 .fogCA.pem
-rwxrwxrwx 1 fogproject www-data   17 janv.  8 13:10 .srl
root@FOG:/opt/fogproject/bin$

As well re-download the updated installer (MSI / EXE), delete the old C:\Windows\Temp\FOGService.install.log on the test client, re-run the new MSI/EXE and post log output here again.

Same error

 08/01/2020 13:16 Data::RSA FOG Server CA cert found
 08/01/2020 13:16 Data::RSA FOG Server CA cert found
 08/01/2020 13:16 Installer Starting UnpinServerCert()
 08/01/2020 13:16 Installer Trying to open Windows cert store: LocalMachine
 08/01/2020 13:16 Installer Trying to remove cert 'CN=FOG Server CA'from cert store
 08/01/2020 13:16 Installer ERROR: Could not unpin FOG server CA cert
 08/01/2020 13:16 Installer ERROR: Access denied.
 08/01/2020 13:16 Installer ERROR: Could not pin server CA
 08/01/2020 13:16 Installer ERROR: Access denied.
 08/01/2020 13:16 Installer ERROR: Unable to install CA certificate: Access denied.

Sebastian Roth

@Matthieu-Jacquart said in Several problems : unable to install CA certificate, userdel fogproject, updating database failed:

-rwxrwxrwx 1 fogproject www-data 3243 janv. 7 15:30 .fogCA.key
-rwxrwxrwx 1 fogproject www-data 1801 janv. 7 15:30 .fogCA.pem

Ok, seems like you somehow managed to re-generate the CA files. This should not happen unless you tell the installer to do so or delete the files. I am not exactly sure but I think it shouldn’t happen when you only delete /opt/fog/.fogsettings and re-run the installer.

Do you know if there are machines that still have the client installed. Probably some which were not turned on today yet. So my suggestion is you grab your backup, take /opt/fog/snapins/ssl/ (all files and sub directories):

mv /opt/fog/snapins/ssl /opt/fog/snapins/ssl_bak
mv /backup/path/opt/fog/snapins/ssl /opt/fog/snapins/ssl
chown -R fogproject:www-data /opt/fog/snapins/ssl
systemctl restart apache2

08/01/2020 13:16 Installer Trying to open Windows cert store: LocalMachine
08/01/2020 13:16 Installer Trying to remove cert 'CN=FOG Server CA'from cert store

Ok so it’s actually able to open the certificate store but is not able to remove the cert. Can you please open the certificate management UI on this client (run certmgr. msc) and navigate to “Trusted Authorities”. Do you see “FOG Server CA” there??

I am wondering if you have some kind of strange GPO in place that prevents access to the cert store somehow?!

Matthieu Jacquart

@Sebastian-Roth said in Several problems : unable to install CA certificate, userdel fogproject, updating database failed:

Ok, seems like you somehow managed to re-generate the CA files. This should not happen unless you tell the installer to do so or delete the files. I am not exactly sure but I think it shouldn’t happen when you only delete /opt/fog/.fogsettings and re-run the installer.

Do you know if there are machines that still have the client installed. Probably some which were not turned on today yet. So my suggestion is you grab your backup, take /opt/fog/snapins/ssl/ (all files and sub directories):

mv /opt/fog/snapins/ssl /opt/fog/snapins/ssl_bak
mv /backup/path/opt/fog/snapins/ssl /opt/fog/snapins/ssl
chown -R fogproject:www-data /opt/fog/snapins/ssl
systemctl restart apache2

OK I’ve just I restored older certificate from backup

Ok so it’s actually able to open the certificate store but is not able to remove the cert. Can you please open the certificate management UI on this client (run certmgr. msc) and navigate to “Trusted Authorities”. Do you see “FOG Server CA” there??

I am wondering if you have some kind of strange GPO in place that prevents access to the cert store somehow?!

YESSSS !!! That’s it, after I tried to install https on fog server few weeks ago, I added fog certificate to GPO «Root Trusted Authorities» and problems began with that mess… so sorry, if I delete fog certificate in GPO I can install client !
But still have this error after install client

------------------------------------------------------------------------------
--------------------------------Authentication--------------------------------
------------------------------------------------------------------------------
 08/01/2020 14:04 Client-Info Version: 0.11.17
 08/01/2020 14:04 Client-Info OS:      Windows
 08/01/2020 14:04 Middleware::Authentication Waiting for authentication timeout to pass
 08/01/2020 14:06 Middleware::Communication Download: http://fogserver/fog/management/other/ssl/srvpublic.crt
 08/01/2020 14:06 Data::RSA FOG Server CA cert found
 08/01/2020 14:06 Middleware::Authentication Cert OK
 08/01/2020 14:06 Middleware::Communication POST URL: http://fogserver/fog/management/index.php?sub=requestClientInfo&authorize&newService
 08/01/2020 14:06 Middleware::Response Failed to decrypt data on server

Matthieu Jacquart

@Sebastian-Roth I change «fogserver» with IP but still have these error (test on 2 computers), I have reset encryption data) :

------------------------------------------------------------------------------
--------------------------------Authentication--------------------------------
------------------------------------------------------------------------------
 08/01/2020 14:57 Client-Info Version: 0.11.17
 08/01/2020 14:57 Client-Info OS:      Windows
 08/01/2020 14:57 Middleware::Authentication Waiting for authentication timeout to pass
 08/01/2020 14:59 Middleware::Communication Download: http://192.168.10.60/fog/management/other/ssl/srvpublic.crt
 08/01/2020 14:59 Data::RSA FOG Server CA cert found
 08/01/2020 14:59 Data::RSA ERROR: Certificate validation failed
 08/01/2020 14:59 Data::RSA ERROR: Trust chain did not complete to the known authority anchor. Errors: The signature of the certificate cannot be verified. (NotSignatureValid)
 08/01/2020 14:59 Middleware::Authentication ERROR: Could not authenticate
 08/01/2020 14:59 Middleware::Authentication ERROR: Certificate is not from FOG CA


 08/01/2020 14:59 Middleware::Communication URL: http://192.168.10.60/fog/management/index.php?sub=requestClientInfo&configure&newService&json
 08/01/2020 14:59 Middleware::Response Success
 08/01/2020 14:59 Middleware::Communication URL: http://192.168.10.60/fog/management/index.php?sub=requestClientInfo&mac=74:27:EA:6C:AA:0D&newService&json
 08/01/2020 14:59 Middleware::Authentication Waiting for authentication timeout to pass
 08/01/2020 15:01 Middleware::Communication Download: http://192.168.10.60/fog/management/other/ssl/srvpublic.crt
 08/01/2020 15:01 Data::RSA FOG Server CA cert found
 08/01/2020 15:01 Data::RSA ERROR: Certificate validation failed
 08/01/2020 15:01 Data::RSA ERROR: Trust chain did not complete to the known authority anchor. Errors: The signature of the certificate cannot be verified. (NotSignatureValid)
 08/01/2020 15:01 Middleware::Authentication ERROR: Could not authenticate
 08/01/2020 15:01 Middleware::Authentication ERROR: Certificate is not from FOG CA
 08/01/2020 15:01 Middleware::Response Success
 08/01/2020 15:01 Middleware::Communication URL: http://192.168.10.60/fog/service/getversion.php?clientver&newService&json
 08/01/2020 15:01 Middleware::Communication URL: http://192.168.10.60/fog/service/getversion.php?newService&json

 08/01/2020 15:01 Service Creating user agent cache
 08/01/2020 15:01 Middleware::Response ERROR: Unable to get subsection
 08/01/2020 15:01 Middleware::Response ERROR: Object reference not set to an instance of an object.
 08/01/2020 15:01 Middleware::Response ERROR: Unable to get subsection
 08/01/2020 15:01 Middleware::Response ERROR: Object reference not set to an instance of an object.
 08/01/2020 15:01 Middleware::Response ERROR: Unable to get subsection
 08/01/2020 15:01 Middleware::Response ERROR: Object reference not set to an instance of an object.
 08/01/2020 15:01 Service Initializing modules

------------------------------------------------------------------------------
----------------------------------UserTracker---------------------------------
------------------------------------------------------------------------------
 08/01/2020 15:01 Client-Info Client Version: 0.11.17
 08/01/2020 15:01 Client-Info Client OS:      Windows
 08/01/2020 15:01 Client-Info Server Version: 1.5.7.89
 08/01/2020 15:01 Middleware::Response ERROR: Unable to get subsection
 08/01/2020 15:01 Middleware::Response ERROR: Object reference not set to an instance of an object.
 08/01/2020 15:01 Service Sleeping for 145 seconds
 08/01/2020 15:03 Middleware::Communication URL: http://192.168.10.60/fog/management/index.php?sub=requestClientInfo&configure&newService&json
 08/01/2020 15:03 Middleware::Response Success
 08/01/2020 15:03 Middleware::Communication URL: http://192.168.10.60/fog/management/index.php?sub=requestClientInfo&mac=74:27:EA:6C:AA:0D&newService&json
 08/01/2020 15:03 Middleware::Authentication Waiting for authentication timeout to pass
 08/01/2020 15:03 Middleware::Communication Download: http://192.168.10.60/fog/management/other/ssl/srvpublic.crt
 08/01/2020 15:03 Data::RSA FOG Server CA cert found
 08/01/2020 15:03 Data::RSA ERROR: Certificate validation failed
 08/01/2020 15:03 Data::RSA ERROR: Trust chain did not complete to the known authority anchor. Errors: The signature of the certificate cannot be verified. (NotSignatureValid)
 08/01/2020 15:03 Middleware::Authentication ERROR: Could not authenticate
 08/01/2020 15:03 Middleware::Authentication ERROR: Certificate is not from FOG CA
 08/01/2020 15:03 Middleware::Response Success
 08/01/2020 15:03 Middleware::Communication URL: http://192.168.10.60/fog/service/getversion.php?clientver&newService&json
 08/01/2020 15:03 Middleware::Communication URL: http://192.168.10.60/fog/service/getversion.php?newService&json

 08/01/2020 15:03 Service Creating user agent cache
 08/01/2020 15:03 Middleware::Response ERROR: Unable to get subsection
 08/01/2020 15:03 Middleware::Response ERROR: Object reference not set to an instance of an object.
 08/01/2020 15:03 Middleware::Response ERROR: Unable to get subsection
 08/01/2020 15:03 Middleware::Response ERROR: Object reference not set to an instance of an object.
 08/01/2020 15:03 Middleware::Response ERROR: Unable to get subsection
 08/01/2020 15:03 Middleware::Response ERROR: Object reference not set to an instance of an object.

Do I need to use ./installfog.sh -K option ?

Sebastian Roth

@Matthieu-Jacquart Yeah, getting closer!!!

My fault, forgot these commands when I wrote this earlier:

cp /path/of/backup/var/www/html/fog/management/other/ssl/srvpublic.crt /var/www/html/fog/management/other/ssl/srvpublic.crt
cp /opt/fog/snapins/ssl/CA/.fogCA.pem /var/www/html/fog/management/other/ca.cert.pem

Matthieu Jacquart

@Sebastian-Roth said in Several problems : unable to install CA certificate, userdel fogproject, updating database failed:

@Matthieu-Jacquart Yeah, getting closer!!!

My fault, forgot these commands when I wrote this earlier:

cp /path/of/backup/var/www/html/fog/management/other/ssl/srvpublic.crt /var/www/html/fog/management/other/ssl/srvpublic.crt
cp /opt/fog/snapins/ssl/CA/.fogCA.pem /var/www/html/fog/management/other/ca.cert.pem

Unfortunately, I follow your 2 commands but stil this error even after restarting fog server :

------------------------------------------------------------------------------
----------------------------------UserTracker---------------------------------
------------------------------------------------------------------------------
 08/01/2020 16:59 Client-Info Client Version: 0.11.17
 08/01/2020 16:59 Client-Info Client OS:      Windows
 08/01/2020 16:59 Client-Info Server Version: 1.5.7.89
 08/01/2020 16:59 Middleware::Response ERROR: Unable to get subsection
 08/01/2020 16:59 Middleware::Response ERROR: La référence d'objet n'est pas définie à une instance d'un objet.
 08/01/2020 16:59 Service Sleeping for 102 seconds
 08/01/2020 17:01 Middleware::Communication URL: http://192.168.10.60/fog/management/index.php?sub=requestClientInfo&configure&newService&json
 08/01/2020 17:01 Middleware::Response Success
 08/01/2020 17:01 Middleware::Communication URL: http://192.168.10.60/fog/management/index.php?sub=requestClientInfo&mac=74:27:EA:6C:AA:0D&newService&json
 08/01/2020 17:01 Middleware::Authentication Waiting for authentication timeout to pass
 08/01/2020 17:01 Middleware::Communication Download: http://192.168.10.60/fog/management/other/ssl/srvpublic.crt
 08/01/2020 17:01 Data::RSA FOG Server CA cert found
 08/01/2020 17:01 Data::RSA ERROR: Certificate validation failed
 08/01/2020 17:01 Data::RSA ERROR: Trust chain did not complete to the known authority anchor. Errors: The signature of the certificate cannot be verified. (NotSignatureValid)
 08/01/2020 17:01 Middleware::Authentication ERROR: Could not authenticate
 08/01/2020 17:01 Middleware::Authentication ERROR: Certificate is not from FOG CA
 08/01/2020 17:01 Middleware::Response Success
 08/01/2020 17:01 Middleware::Communication URL: http://192.168.10.60/fog/service/getversion.php?clientver&newService&json
 08/01/2020 17:01 Middleware::Communication URL: http://192.168.10.60/fog/service/getversion.php?newService&json

 08/01/2020 17:01 Service Creating user agent cache
 08/01/2020 17:01 Middleware::Response ERROR: Unable to get subsection
 08/01/2020 17:01 Middleware::Response ERROR: Object reference not set to an instance of an object.
 08/01/2020 17:01 Middleware::Response ERROR: Unable to get subsection
 08/01/2020 17:01 Middleware::Response ERROR: Object reference not set to an instance of an object.
 08/01/2020 17:01 Middleware::Response ERROR: Unable to get subsection
 08/01/2020 17:01 Middleware::Response ERROR: Object reference not set to an instance of an object.

Sebastian Roth

@Matthieu-Jacquart probably some cert mess we have now but I am sure we can figure this out. Please run:

ls -alR /var/www/html/fog/management/other
ls -alR /opt/fog/snapins/ssl
md5sum /opt/fog/snapins/ssl/CA/.fogCA.pem /var/www/html/fog/management/other/ca.cert.pem
openssl verify -CAfile /var/www/html/fog/management/other/ca.cert.pem /var/www/html/fog/management/other/ssl/srvpublic.crt

Matthieu Jacquart

@Sebastian-Roth Nope I just found answer, I had to run installer once again and re-download client after restoring cert, now everything seems great, I just have to redeploy client on all computers
Many thanks for your help Sebastian !

Sebastian Roth

@Matthieu-Jacquart Sure right. If one client was pinned to the re-newed server CA cert then it can’t connect to the old original one. I missed that point! Good you figured it out!!!

Great we got that worked out.