Several problems : unable to install CA certificate, userdel fogproject, updating database failed
-
@Matthieu-Jacquart said in Several problems : unable to install CA certificate, userdel fogproject, updating database failed:
Hi, big problem this morning, after upgrading to 1.5.7.89 yesterday, all computers tried to update fog client to 0.11.17, and it failed for all !
fog.log gives me this
Ohhh no! Not good. Hmmmmmm let me think.
07/01/2020 16:46 Middleware::Authentication Waiting for authentication timeout to pass
07/01/2020 16:46 Middleware::Communication Download: http://192.168.10.60/fog/management/other/ssl/srvpublic.crt
07/01/2020 16:46 Data::RSA FOG Server CA cert found
07/01/2020 16:46 Data::RSA ERROR: Certificate validation failed
07/01/2020 16:46 Data::RSA ERROR: Trust chain did not complete to the known authority anchor. Errors: La signature du certificat ne peut pas être vérifiée. (NotSignatureValid)
07/01/2020 16:46 Middleware::Authentication ERROR: Could not authenticate
07/01/2020 16:46 Middleware::Authentication ERROR: Certificate is not from FOG CA
It’s very strange this client log shows that it wasn’t able to properly communicate with the FOG server in the first place. Do you know why?
And for updating database error I run fog installer once again from scratch (deleted .fogsettings)
Did you just delete that file or the whole
/opt/fog
directory? Because from the error above it seems like the server CA and certificate was regenerated and that made the clients fail in the first place.
07/01/2020 16:46 Data::RSA FOG Project cert found
07/01/2020 16:46 ClientUpdater Update file is authentic
------------------------------------------------------------------------------
07/01/2020 16:46 Bus Emmiting message on channel: Update
07/01/2020 16:46 Service-Update Spawning update helper
07/01/2020 16:46 UpdaterHelper Shutting down service...
07/01/2020 16:46 UpdaterHelper Killing remaining processes...
07/01/2020 16:46 UpdaterHelper Applying update...
07/01/2020 16:47 UpdaterHelper Starting service...
I am sorry to say this but the fog-client is completely uninstalled at this stage. I know this is not a good behaviour and I am trying to change this but this is how 0.11.16 (and 0.11.17 still) worked. So you need to re-deploy the fog-client on all the machines I think. Sorry! Will be back with more information in a few minutes.
-
@Sebastian-Roth said in Several problems : unable to install CA certificate, userdel fogproject, updating database failed:
It’s very strange this client log shows that it wasn’t able to properly communicate with the FOG server in the first place. Do you know why?
Absolutely not, maybe because I made a lot of tests yesterday with some VM backup restore so it may have broken something and I had to reset encryption data
Did you just delete that file or the whole
/opt/fog
directory? Because from the error above it seems like the server CA and certificate was regenerated and that made the clients fail in the first place.
just the .fogsettings file, not the opt/fog folder, but I can see in ssl folder that files have been modified yesterday…
root@FOG:/opt/fog/snapins/ssl$ ls -la
total 28
drwxrwxrwx 3 fogproject www-data 4096 janv. 21 2018 .
drwxrwxrwx 3 fogproject www-data 4096 janv. 7 13:10 ..
drwxrwxrwx 2 fogproject www-data 4096 janv. 21 2018 CA
-rwxrwxrwx 1 fogproject www-data 91 janv. 7 16:52 ca.cnf
-rwxrwxrwx 1 fogproject www-data 1667 janv. 7 15:30 fog.csr
-rwxrwxrwx 1 fogproject www-data 223 janv. 7 15:30 req.cnf
-rwxrwxrwx 1 fogproject www-data 3243 janv. 7 15:30 .srvprivate.key
I am sorry to say this but the fog-client is completely uninstalled at this stage. I know this is not a good behaviour and I am trying to change this but this is how 0.11.16 (and 0.11.17 still) worked. So you need to re-deploy the fog-client on all the machines I think. Sorry! Will be back with more information in a few minutes.
Not a big deal, I have some software to deploy silently if it’s possible with msi client, do you think I have to regenerate certificate ?
-
@Matthieu-Jacquart Can you please run
ls -la /opt/fog/snapins/ssl/CA
so we see if the CA was re-generated as well? Do you have a backup of the old files just in case??
As well re-download the updated installer (MSI / EXE), delete the old
C:\Windows\Temp\FOGService.install.log
on the test client, re-run the new MSI/EXE and post log output here again.
-
@Sebastian-Roth said in Several problems : unable to install CA certificate, userdel fogproject, updating database failed:
@Matthieu-Jacquart Can you please run
ls -la /opt/fog/snapins/ssl/CA
so we see if the CA was re-generated as well? Do you have a backup of the old files just in case??
Yes I still have old files in backup
root@FOG:/opt/fogproject/bin$ ls -la /opt/fog/snapins/ssl/CA
total 20
drwxrwxrwx 2 fogproject www-data 4096 janv. 21 2018 .
drwxrwxrwx 3 fogproject www-data 4096 janv. 21 2018 ..
-rwxrwxrwx 1 fogproject www-data 3243 janv. 7 15:30 .fogCA.key
-rwxrwxrwx 1 fogproject www-data 1801 janv. 7 15:30 .fogCA.pem
-rwxrwxrwx 1 fogproject www-data 17 janv. 8 13:10 .srl
root@FOG:/opt/fogproject/bin$
As well re-download the updated installer (MSI / EXE), delete the old
C:\Windows\Temp\FOGService.install.log
on the test client, re-run the new MSI/EXE and post log output here again.
Same error
08/01/2020 13:16 Data::RSA FOG Server CA cert found
08/01/2020 13:16 Data::RSA FOG Server CA cert found
08/01/2020 13:16 Installer Starting UnpinServerCert()
08/01/2020 13:16 Installer Trying to open Windows cert store: LocalMachine
08/01/2020 13:16 Installer Trying to remove cert 'CN=FOG Server CA'from cert store
08/01/2020 13:16 Installer ERROR: Could not unpin FOG server CA cert
08/01/2020 13:16 Installer ERROR: Access denied.
08/01/2020 13:16 Installer ERROR: Could not pin server CA
08/01/2020 13:16 Installer ERROR: Access denied.
08/01/2020 13:16 Installer ERROR: Unable to install CA certificate: Access denied.
-
@Matthieu-Jacquart said in Several problems : unable to install CA certificate, userdel fogproject, updating database failed:
-rwxrwxrwx 1 fogproject www-data 3243 janv. 7 15:30 .fogCA.key
-rwxrwxrwx 1 fogproject www-data 1801 janv. 7 15:30 .fogCA.pem
Ok, seems like you somehow managed to re-generate the CA files. This should not happen unless you tell the installer to do so or delete the files. I am not exactly sure but I think it shouldn’t happen when you only delete /opt/fog/.fogsettings and re-run the installer.
Do you know if there are machines that still have the client installed. Probably some which were not turned on today yet. So my suggestion is you grab your backup, take
/opt/fog/snapins/ssl/
(all files and sub directories):
mv /opt/fog/snapins/ssl /opt/fog/snapins/ssl_bak
mv /backup/path/opt/fog/snapins/ssl /opt/fog/snapins/ssl
chown -R fogproject:www-data /opt/fog/snapins/ssl
systemctl restart apache2
08/01/2020 13:16 Installer Trying to open Windows cert store: LocalMachine
08/01/2020 13:16 Installer Trying to remove cert 'CN=FOG Server CA'from cert store
Ok so it’s actually able to open the certificate store but is not able to remove the cert. Can you please open the certificate management UI on this client (run
certmgr.msc
) and navigate to “Trusted Authorities”. Do you see “FOG Server CA” there??
I am wondering if you have some kind of strange GPO in place that prevents access to the cert store somehow?!
-
@Sebastian-Roth said in Several problems : unable to install CA certificate, userdel fogproject, updating database failed:
Ok, seems like you somehow managed to re-generate the CA files. This should not happen unless you tell the installer to do so or delete the files. I am not exactly sure but I think it shouldn’t happen when you only delete /opt/fog/.fogsettings and re-run the installer.
Do you know if there are machines that still have the client installed. Probably some which were not turned on today yet. So my suggestion is you grab your backup, take
/opt/fog/snapins/ssl/
(all files and sub directories):
mv /opt/fog/snapins/ssl /opt/fog/snapins/ssl_bak
mv /backup/path/opt/fog/snapins/ssl /opt/fog/snapins/ssl
chown -R fogproject:www-data /opt/fog/snapins/ssl
systemctl restart apache2
OK I’ve just restored older certificate from backup
Ok so it’s actually able to open the certificate store but is not able to remove the cert. Can you please open the certificate management UI on this client (run
certmgr.msc
) and navigate to “Trusted Authorities”. Do you see “FOG Server CA” there??
I am wondering if you have some kind of strange GPO in place that prevents access to the cert store somehow?!
YESSSS !!! That’s it, after I tried to install https on fog server few weeks ago, I added fog certificate to GPO «Root Trusted Authorities» and problems began with that mess… so sorry, if I delete fog certificate in GPO I can install client !
But still have this error after install client
------------------------------------------------------------------------------
--------------------------------Authentication--------------------------------
------------------------------------------------------------------------------
08/01/2020 14:04 Client-Info Version: 0.11.17
08/01/2020 14:04 Client-Info OS: Windows
08/01/2020 14:04 Middleware::Authentication Waiting for authentication timeout to pass
08/01/2020 14:06 Middleware::Communication Download: http://fogserver/fog/management/other/ssl/srvpublic.crt
08/01/2020 14:06 Data::RSA FOG Server CA cert found
08/01/2020 14:06 Middleware::Authentication Cert OK
08/01/2020 14:06 Middleware::Communication POST URL: http://fogserver/fog/management/index.php?sub=requestClientInfo&authorize&newService
08/01/2020 14:06 Middleware::Response Failed to decrypt data on server
-
@Sebastian-Roth I changed «fogserver» to the IP but still have these errors (tested on 2 computers, I have reset encryption data):
------------------------------------------------------------------------------
--------------------------------Authentication--------------------------------
------------------------------------------------------------------------------
08/01/2020 14:57 Client-Info Version: 0.11.17
08/01/2020 14:57 Client-Info OS: Windows
08/01/2020 14:57 Middleware::Authentication Waiting for authentication timeout to pass
08/01/2020 14:59 Middleware::Communication Download: http://192.168.10.60/fog/management/other/ssl/srvpublic.crt
08/01/2020 14:59 Data::RSA FOG Server CA cert found
08/01/2020 14:59 Data::RSA ERROR: Certificate validation failed
08/01/2020 14:59 Data::RSA ERROR: Trust chain did not complete to the known authority anchor. Errors: The signature of the certificate cannot be verified. (NotSignatureValid)
08/01/2020 14:59 Middleware::Authentication ERROR: Could not authenticate
08/01/2020 14:59 Middleware::Authentication ERROR: Certificate is not from FOG CA
08/01/2020 14:59 Middleware::Communication URL: http://192.168.10.60/fog/management/index.php?sub=requestClientInfo&configure&newService&json
08/01/2020 14:59 Middleware::Response Success
08/01/2020 14:59 Middleware::Communication URL: http://192.168.10.60/fog/management/index.php?sub=requestClientInfo&mac=74:27:EA:6C:AA:0D&newService&json
08/01/2020 14:59 Middleware::Authentication Waiting for authentication timeout to pass
08/01/2020 15:01 Middleware::Communication Download: http://192.168.10.60/fog/management/other/ssl/srvpublic.crt
08/01/2020 15:01 Data::RSA FOG Server CA cert found
08/01/2020 15:01 Data::RSA ERROR: Certificate validation failed
08/01/2020 15:01 Data::RSA ERROR: Trust chain did not complete to the known authority anchor. Errors: The signature of the certificate cannot be verified. (NotSignatureValid)
08/01/2020 15:01 Middleware::Authentication ERROR: Could not authenticate
08/01/2020 15:01 Middleware::Authentication ERROR: Certificate is not from FOG CA
08/01/2020 15:01 Middleware::Response Success
08/01/2020 15:01 Middleware::Communication URL: http://192.168.10.60/fog/service/getversion.php?clientver&newService&json
08/01/2020 15:01 Middleware::Communication URL: http://192.168.10.60/fog/service/getversion.php?newService&json
08/01/2020 15:01 Service Creating user agent cache
08/01/2020 15:01 Middleware::Response ERROR: Unable to get subsection
08/01/2020 15:01 Middleware::Response ERROR: Object reference not set to an instance of an object.
08/01/2020 15:01 Middleware::Response ERROR: Unable to get subsection
08/01/2020 15:01 Middleware::Response ERROR: Object reference not set to an instance of an object.
08/01/2020 15:01 Middleware::Response ERROR: Unable to get subsection
08/01/2020 15:01 Middleware::Response ERROR: Object reference not set to an instance of an object.
08/01/2020 15:01 Service Initializing modules
------------------------------------------------------------------------------
----------------------------------UserTracker---------------------------------
------------------------------------------------------------------------------
08/01/2020 15:01 Client-Info Client Version: 0.11.17
08/01/2020 15:01 Client-Info Client OS: Windows
08/01/2020 15:01 Client-Info Server Version: 1.5.7.89
08/01/2020 15:01 Middleware::Response ERROR: Unable to get subsection
08/01/2020 15:01 Middleware::Response ERROR: Object reference not set to an instance of an object.
08/01/2020 15:01 Service Sleeping for 145 seconds
08/01/2020 15:03 Middleware::Communication URL: http://192.168.10.60/fog/management/index.php?sub=requestClientInfo&configure&newService&json
08/01/2020 15:03 Middleware::Response Success
08/01/2020 15:03 Middleware::Communication URL: http://192.168.10.60/fog/management/index.php?sub=requestClientInfo&mac=74:27:EA:6C:AA:0D&newService&json
08/01/2020 15:03 Middleware::Authentication Waiting for authentication timeout to pass
08/01/2020 15:03 Middleware::Communication Download: http://192.168.10.60/fog/management/other/ssl/srvpublic.crt
08/01/2020 15:03 Data::RSA FOG Server CA cert found
08/01/2020 15:03 Data::RSA ERROR: Certificate validation failed
08/01/2020 15:03 Data::RSA ERROR: Trust chain did not complete to the known authority anchor. Errors: The signature of the certificate cannot be verified. (NotSignatureValid)
08/01/2020 15:03 Middleware::Authentication ERROR: Could not authenticate
08/01/2020 15:03 Middleware::Authentication ERROR: Certificate is not from FOG CA
08/01/2020 15:03 Middleware::Response Success
08/01/2020 15:03 Middleware::Communication URL: http://192.168.10.60/fog/service/getversion.php?clientver&newService&json
08/01/2020 15:03 Middleware::Communication URL: http://192.168.10.60/fog/service/getversion.php?newService&json
08/01/2020 15:03 Service Creating user agent cache
08/01/2020 15:03 Middleware::Response ERROR: Unable to get subsection
08/01/2020 15:03 Middleware::Response ERROR: Object reference not set to an instance of an object.
08/01/2020 15:03 Middleware::Response ERROR: Unable to get subsection
08/01/2020 15:03 Middleware::Response ERROR: Object reference not set to an instance of an object.
08/01/2020 15:03 Middleware::Response ERROR: Unable to get subsection
08/01/2020 15:03 Middleware::Response ERROR: Object reference not set to an instance of an object.
Do I need to use ./installfog.sh -K option ?
-
@Matthieu-Jacquart Yeah, getting closer!!!
My fault, forgot these commands when I wrote this earlier:
cp /path/of/backup/var/www/html/fog/management/other/ssl/srvpublic.crt /var/www/html/fog/management/other/ssl/srvpublic.crt
cp /opt/fog/snapins/ssl/CA/.fogCA.pem /var/www/html/fog/management/other/ca.cert.pem
-
@Sebastian-Roth said in Several problems : unable to install CA certificate, userdel fogproject, updating database failed:
@Matthieu-Jacquart Yeah, getting closer!!!
My fault, forgot these commands when I wrote this earlier:
cp /path/of/backup/var/www/html/fog/management/other/ssl/srvpublic.crt /var/www/html/fog/management/other/ssl/srvpublic.crt
cp /opt/fog/snapins/ssl/CA/.fogCA.pem /var/www/html/fog/management/other/ca.cert.pem
Unfortunately, I followed your 2 commands but still this error even after restarting fog server:
------------------------------------------------------------------------------
----------------------------------UserTracker---------------------------------
------------------------------------------------------------------------------
08/01/2020 16:59 Client-Info Client Version: 0.11.17
08/01/2020 16:59 Client-Info Client OS: Windows
08/01/2020 16:59 Client-Info Server Version: 1.5.7.89
08/01/2020 16:59 Middleware::Response ERROR: Unable to get subsection
08/01/2020 16:59 Middleware::Response ERROR: La référence d'objet n'est pas définie à une instance d'un objet.
08/01/2020 16:59 Service Sleeping for 102 seconds
08/01/2020 17:01 Middleware::Communication URL: http://192.168.10.60/fog/management/index.php?sub=requestClientInfo&configure&newService&json
08/01/2020 17:01 Middleware::Response Success
08/01/2020 17:01 Middleware::Communication URL: http://192.168.10.60/fog/management/index.php?sub=requestClientInfo&mac=74:27:EA:6C:AA:0D&newService&json
08/01/2020 17:01 Middleware::Authentication Waiting for authentication timeout to pass
08/01/2020 17:01 Middleware::Communication Download: http://192.168.10.60/fog/management/other/ssl/srvpublic.crt
08/01/2020 17:01 Data::RSA FOG Server CA cert found
08/01/2020 17:01 Data::RSA ERROR: Certificate validation failed
08/01/2020 17:01 Data::RSA ERROR: Trust chain did not complete to the known authority anchor. Errors: The signature of the certificate cannot be verified. (NotSignatureValid)
08/01/2020 17:01 Middleware::Authentication ERROR: Could not authenticate
08/01/2020 17:01 Middleware::Authentication ERROR: Certificate is not from FOG CA
08/01/2020 17:01 Middleware::Response Success
08/01/2020 17:01 Middleware::Communication URL: http://192.168.10.60/fog/service/getversion.php?clientver&newService&json
08/01/2020 17:01 Middleware::Communication URL: http://192.168.10.60/fog/service/getversion.php?newService&json
08/01/2020 17:01 Service Creating user agent cache
08/01/2020 17:01 Middleware::Response ERROR: Unable to get subsection
08/01/2020 17:01 Middleware::Response ERROR: Object reference not set to an instance of an object.
08/01/2020 17:01 Middleware::Response ERROR: Unable to get subsection
08/01/2020 17:01 Middleware::Response ERROR: Object reference not set to an instance of an object.
08/01/2020 17:01 Middleware::Response ERROR: Unable to get subsection
08/01/2020 17:01 Middleware::Response ERROR: Object reference not set to an instance of an object.
-
@Matthieu-Jacquart probably some cert mess we have now but I am sure we can figure this out. Please run:
ls -alR /var/www/html/fog/management/other
ls -alR /opt/fog/snapins/ssl
md5sum /opt/fog/snapins/ssl/CA/.fogCA.pem /var/www/html/fog/management/other/ca.cert.pem
openssl verify -CAfile /var/www/html/fog/management/other/ca.cert.pem /var/www/html/fog/management/other/ssl/srvpublic.crt
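The md5sum and openssl verify checks requested above, collected into one script with a key/certificate match added, as an example that is not part of the thread and not FOG project code. The default paths are the ones quoted in the thread; the function name, its arguments and the return codes are assumptions of this example.

```shell
#!/bin/sh
# Added example: consistency check for a FOG server's CA and server certificate.
# Usage: check_fog_certs [ssl_dir] [web_dir]
# Returns 0 = consistent, 1 = mismatch, 2 = a required file is missing.
check_fog_certs() {
    ssl_dir="${1:-/opt/fog/snapins/ssl}"
    web_dir="${2:-/var/www/html/fog/management/other}"
    ca="$ssl_dir/CA/.fogCA.pem"          # CA certificate kept by the installer
    key="$ssl_dir/.srvprivate.key"       # server private key
    served_ca="$web_dir/ca.cert.pem"     # CA copy published by the web server
    crt="$web_dir/ssl/srvpublic.crt"     # server certificate the client downloads
    rc=0

    for f in "$ca" "$key" "$served_ca" "$crt"; do
        [ -r "$f" ] || { echo "MISSING  $f"; rc=2; }
    done
    [ "$rc" -eq 0 ] || return "$rc"

    # 1. The published CA must be byte-identical to the installer's CA
    #    (the same comparison the md5sum in the thread makes).
    if cmp -s "$ca" "$served_ca"; then
        echo "OK       $served_ca matches $ca"
    else
        echo "FAIL     $served_ca differs from $ca"; rc=1
    fi

    # 2. The server certificate must chain to the installer's CA. A regenerated
    #    CA next to an older srvpublic.crt (or the reverse) fails here.
    if openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
        echo "OK       $crt is signed by $ca"
    else
        echo "FAIL     $crt is not signed by $ca"; rc=1
    fi

    # 3. The server certificate must carry the public half of the private key.
    pub_key=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    pub_crt=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    if [ -n "$pub_key" ] && [ "$pub_key" = "$pub_crt" ]; then
        echo "OK       $crt matches $key"
    else
        echo "FAIL     $crt does not match $key"; rc=1
    fi

    # SHA-1 fingerprint of the CA, for comparison with the thumbprint of the
    # "FOG Server CA" entry in a client's certificate store.
    openssl x509 -in "$ca" -noout -fingerprint -sha1
    return "$rc"
}

# Run against the given (or default) paths only when asked: sh thisfile --check
if [ "${1:-}" = "--check" ]; then shift; check_fog_certs "$@"; fi
```

A FAIL on check 2 after a restore means the CA and server certificate come from different generations, which is the state a client reports as "Certificate is not from FOG CA".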
-
@Sebastian-Roth Nope I just found answer, I had to run installer once again and re-download client after restoring cert, now everything seems great, I just have to redeploy client on all computers
Many thanks for your help Sebastian !
-
@Matthieu-Jacquart Sure right. If one client was pinned to the re-newed server CA cert then it can’t connect to the old original one. I missed that point! Good you figured it out!!!
Great we got that worked out.