Several problems : unable to install CA certificate, userdel fogproject, updating database failed

Sebastian Roth

@Matthieu-Jacquart Can you please run ls -la /opt/fog/snapins/ssl/CA so we see if the CA was re-generated as well? Do you have a backup of the old files just in case??

As well re-download the updated installer (MSI / EXE), delete the old C:\Windows\Temp\FOGService.install.log on the test client, re-run the new MSI/EXE and post log output here again.

Matthieu Jacquart

@Sebastian-Roth said in Several problems : unable to install CA certificate, userdel fogproject, updating database failed:

@Matthieu-Jacquart Can you please run ls -la /opt/fog/snapins/ssl/CA so we see if the CA was re-generated as well? Do you have a backup of the old files just in case??

Yes I still have old files in bakcup

root@FOG:/opt/fogproject/bin$ ls -la /opt/fog/snapins/ssl/CA
total 20
drwxrwxrwx 2 fogproject www-data 4096 janv. 21  2018 .
drwxrwxrwx 3 fogproject www-data 4096 janv. 21  2018 ..
-rwxrwxrwx 1 fogproject www-data 3243 janv.  7 15:30 .fogCA.key
-rwxrwxrwx 1 fogproject www-data 1801 janv.  7 15:30 .fogCA.pem
-rwxrwxrwx 1 fogproject www-data   17 janv.  8 13:10 .srl
root@FOG:/opt/fogproject/bin$

As well re-download the updated installer (MSI / EXE), delete the old C:\Windows\Temp\FOGService.install.log on the test client, re-run the new MSI/EXE and post log output here again.

Same error

 08/01/2020 13:16 Data::RSA FOG Server CA cert found
 08/01/2020 13:16 Data::RSA FOG Server CA cert found
 08/01/2020 13:16 Installer Starting UnpinServerCert()
 08/01/2020 13:16 Installer Trying to open Windows cert store: LocalMachine
 08/01/2020 13:16 Installer Trying to remove cert 'CN=FOG Server CA'from cert store
 08/01/2020 13:16 Installer ERROR: Could not unpin FOG server CA cert
 08/01/2020 13:16 Installer ERROR: Access denied.
 08/01/2020 13:16 Installer ERROR: Could not pin server CA
 08/01/2020 13:16 Installer ERROR: Access denied.
 08/01/2020 13:16 Installer ERROR: Unable to install CA certificate: Access denied.

Sebastian Roth

@Matthieu-Jacquart said in Several problems : unable to install CA certificate, userdel fogproject, updating database failed:

-rwxrwxrwx 1 fogproject www-data 3243 janv. 7 15:30 .fogCA.key
-rwxrwxrwx 1 fogproject www-data 1801 janv. 7 15:30 .fogCA.pem

Ok, seems like you somehow managed to re-generate the CA files. This should not happen unless you tell the installer to do so or delete the files. I am not exactly sure but I think it shouldn’t happen when you only delete /opt/fog/.fogsettings and re-run the installer.

Do you know if there are machines that still have the client installed. Probably some which were not turned on today yet. So my suggestion is you grab your backup, take /opt/fog/snapins/ssl/ (all files and sub directories):

mv /opt/fog/snapins/ssl /opt/fog/snapins/ssl_bak
mv /backup/path/opt/fog/snapins/ssl /opt/fog/snapins/ssl
chown -R fogproject:www-data /opt/fog/snapins/ssl
systemctl restart apache2

08/01/2020 13:16 Installer Trying to open Windows cert store: LocalMachine
08/01/2020 13:16 Installer Trying to remove cert 'CN=FOG Server CA'from cert store

Ok so it’s actually able to open the certificate store but is not able to remove the cert. Can you please open the certificate management UI on this client (run certmgr. msc) and navigate to “Trusted Authorities”. Do you see “FOG Server CA” there??

I am wondering if you have some kind of strange GPO in place that prevents access to the cert store somehow?!

Matthieu Jacquart

@Sebastian-Roth said in Several problems : unable to install CA certificate, userdel fogproject, updating database failed:

Ok, seems like you somehow managed to re-generate the CA files. This should not happen unless you tell the installer to do so or delete the files. I am not exactly sure but I think it shouldn’t happen when you only delete /opt/fog/.fogsettings and re-run the installer.

Do you know if there are machines that still have the client installed. Probably some which were not turned on today yet. So my suggestion is you grab your backup, take /opt/fog/snapins/ssl/ (all files and sub directories):

mv /opt/fog/snapins/ssl /opt/fog/snapins/ssl_bak
mv /backup/path/opt/fog/snapins/ssl /opt/fog/snapins/ssl
chown -R fogproject:www-data /opt/fog/snapins/ssl
systemctl restart apache2

OK I’ve just I restored older certificate from backup

Ok so it’s actually able to open the certificate store but is not able to remove the cert. Can you please open the certificate management UI on this client (run certmgr. msc) and navigate to “Trusted Authorities”. Do you see “FOG Server CA” there??

I am wondering if you have some kind of strange GPO in place that prevents access to the cert store somehow?!

YESSSS !!! That’s it, after I tried to install https on fog server few weeks ago, I added fog certificate to GPO «Root Trusted Authorities» and problems began with that mess… so sorry, if I delete fog certificate in GPO I can install client !
But still have this error after install client

------------------------------------------------------------------------------
--------------------------------Authentication--------------------------------
------------------------------------------------------------------------------
 08/01/2020 14:04 Client-Info Version: 0.11.17
 08/01/2020 14:04 Client-Info OS:      Windows
 08/01/2020 14:04 Middleware::Authentication Waiting for authentication timeout to pass
 08/01/2020 14:06 Middleware::Communication Download: http://fogserver/fog/management/other/ssl/srvpublic.crt
 08/01/2020 14:06 Data::RSA FOG Server CA cert found
 08/01/2020 14:06 Middleware::Authentication Cert OK
 08/01/2020 14:06 Middleware::Communication POST URL: http://fogserver/fog/management/index.php?sub=requestClientInfo&authorize&newService
 08/01/2020 14:06 Middleware::Response Failed to decrypt data on server

Matthieu Jacquart

@Sebastian-Roth I change «fogserver» with IP but still have these error (test on 2 computers), I have reset encryption data) :

------------------------------------------------------------------------------
--------------------------------Authentication--------------------------------
------------------------------------------------------------------------------
 08/01/2020 14:57 Client-Info Version: 0.11.17
 08/01/2020 14:57 Client-Info OS:      Windows
 08/01/2020 14:57 Middleware::Authentication Waiting for authentication timeout to pass
 08/01/2020 14:59 Middleware::Communication Download: http://192.168.10.60/fog/management/other/ssl/srvpublic.crt
 08/01/2020 14:59 Data::RSA FOG Server CA cert found
 08/01/2020 14:59 Data::RSA ERROR: Certificate validation failed
 08/01/2020 14:59 Data::RSA ERROR: Trust chain did not complete to the known authority anchor. Errors: The signature of the certificate cannot be verified. (NotSignatureValid)
 08/01/2020 14:59 Middleware::Authentication ERROR: Could not authenticate
 08/01/2020 14:59 Middleware::Authentication ERROR: Certificate is not from FOG CA


 08/01/2020 14:59 Middleware::Communication URL: http://192.168.10.60/fog/management/index.php?sub=requestClientInfo&configure&newService&json
 08/01/2020 14:59 Middleware::Response Success
 08/01/2020 14:59 Middleware::Communication URL: http://192.168.10.60/fog/management/index.php?sub=requestClientInfo&mac=74:27:EA:6C:AA:0D&newService&json
 08/01/2020 14:59 Middleware::Authentication Waiting for authentication timeout to pass
 08/01/2020 15:01 Middleware::Communication Download: http://192.168.10.60/fog/management/other/ssl/srvpublic.crt
 08/01/2020 15:01 Data::RSA FOG Server CA cert found
 08/01/2020 15:01 Data::RSA ERROR: Certificate validation failed
 08/01/2020 15:01 Data::RSA ERROR: Trust chain did not complete to the known authority anchor. Errors: The signature of the certificate cannot be verified. (NotSignatureValid)
 08/01/2020 15:01 Middleware::Authentication ERROR: Could not authenticate
 08/01/2020 15:01 Middleware::Authentication ERROR: Certificate is not from FOG CA
 08/01/2020 15:01 Middleware::Response Success
 08/01/2020 15:01 Middleware::Communication URL: http://192.168.10.60/fog/service/getversion.php?clientver&newService&json
 08/01/2020 15:01 Middleware::Communication URL: http://192.168.10.60/fog/service/getversion.php?newService&json

 08/01/2020 15:01 Service Creating user agent cache
 08/01/2020 15:01 Middleware::Response ERROR: Unable to get subsection
 08/01/2020 15:01 Middleware::Response ERROR: Object reference not set to an instance of an object.
 08/01/2020 15:01 Middleware::Response ERROR: Unable to get subsection
 08/01/2020 15:01 Middleware::Response ERROR: Object reference not set to an instance of an object.
 08/01/2020 15:01 Middleware::Response ERROR: Unable to get subsection
 08/01/2020 15:01 Middleware::Response ERROR: Object reference not set to an instance of an object.
 08/01/2020 15:01 Service Initializing modules

------------------------------------------------------------------------------
----------------------------------UserTracker---------------------------------
------------------------------------------------------------------------------
 08/01/2020 15:01 Client-Info Client Version: 0.11.17
 08/01/2020 15:01 Client-Info Client OS:      Windows
 08/01/2020 15:01 Client-Info Server Version: 1.5.7.89
 08/01/2020 15:01 Middleware::Response ERROR: Unable to get subsection
 08/01/2020 15:01 Middleware::Response ERROR: Object reference not set to an instance of an object.
 08/01/2020 15:01 Service Sleeping for 145 seconds
 08/01/2020 15:03 Middleware::Communication URL: http://192.168.10.60/fog/management/index.php?sub=requestClientInfo&configure&newService&json
 08/01/2020 15:03 Middleware::Response Success
 08/01/2020 15:03 Middleware::Communication URL: http://192.168.10.60/fog/management/index.php?sub=requestClientInfo&mac=74:27:EA:6C:AA:0D&newService&json
 08/01/2020 15:03 Middleware::Authentication Waiting for authentication timeout to pass
 08/01/2020 15:03 Middleware::Communication Download: http://192.168.10.60/fog/management/other/ssl/srvpublic.crt
 08/01/2020 15:03 Data::RSA FOG Server CA cert found
 08/01/2020 15:03 Data::RSA ERROR: Certificate validation failed
 08/01/2020 15:03 Data::RSA ERROR: Trust chain did not complete to the known authority anchor. Errors: The signature of the certificate cannot be verified. (NotSignatureValid)
 08/01/2020 15:03 Middleware::Authentication ERROR: Could not authenticate
 08/01/2020 15:03 Middleware::Authentication ERROR: Certificate is not from FOG CA
 08/01/2020 15:03 Middleware::Response Success
 08/01/2020 15:03 Middleware::Communication URL: http://192.168.10.60/fog/service/getversion.php?clientver&newService&json
 08/01/2020 15:03 Middleware::Communication URL: http://192.168.10.60/fog/service/getversion.php?newService&json

 08/01/2020 15:03 Service Creating user agent cache
 08/01/2020 15:03 Middleware::Response ERROR: Unable to get subsection
 08/01/2020 15:03 Middleware::Response ERROR: Object reference not set to an instance of an object.
 08/01/2020 15:03 Middleware::Response ERROR: Unable to get subsection
 08/01/2020 15:03 Middleware::Response ERROR: Object reference not set to an instance of an object.
 08/01/2020 15:03 Middleware::Response ERROR: Unable to get subsection
 08/01/2020 15:03 Middleware::Response ERROR: Object reference not set to an instance of an object.

Do I need to use ./installfog.sh -K option ?

Sebastian Roth

@Matthieu-Jacquart Yeah, getting closer!!!

My fault, forgot these commands when I wrote this earlier:

cp /path/of/backup/var/www/html/fog/management/other/ssl/srvpublic.crt /var/www/html/fog/management/other/ssl/srvpublic.crt
cp /opt/fog/snapins/ssl/CA/.fogCA.pem /var/www/html/fog/management/other/ca.cert.pem

Matthieu Jacquart

@Sebastian-Roth said in Several problems : unable to install CA certificate, userdel fogproject, updating database failed:

@Matthieu-Jacquart Yeah, getting closer!!!

My fault, forgot these commands when I wrote this earlier:

cp /path/of/backup/var/www/html/fog/management/other/ssl/srvpublic.crt /var/www/html/fog/management/other/ssl/srvpublic.crt
cp /opt/fog/snapins/ssl/CA/.fogCA.pem /var/www/html/fog/management/other/ca.cert.pem

Unfortunately, I follow your 2 commands but stil this error even after restarting fog server :

------------------------------------------------------------------------------
----------------------------------UserTracker---------------------------------
------------------------------------------------------------------------------
 08/01/2020 16:59 Client-Info Client Version: 0.11.17
 08/01/2020 16:59 Client-Info Client OS:      Windows
 08/01/2020 16:59 Client-Info Server Version: 1.5.7.89
 08/01/2020 16:59 Middleware::Response ERROR: Unable to get subsection
 08/01/2020 16:59 Middleware::Response ERROR: La référence d'objet n'est pas définie à une instance d'un objet.
 08/01/2020 16:59 Service Sleeping for 102 seconds
 08/01/2020 17:01 Middleware::Communication URL: http://192.168.10.60/fog/management/index.php?sub=requestClientInfo&configure&newService&json
 08/01/2020 17:01 Middleware::Response Success
 08/01/2020 17:01 Middleware::Communication URL: http://192.168.10.60/fog/management/index.php?sub=requestClientInfo&mac=74:27:EA:6C:AA:0D&newService&json
 08/01/2020 17:01 Middleware::Authentication Waiting for authentication timeout to pass
 08/01/2020 17:01 Middleware::Communication Download: http://192.168.10.60/fog/management/other/ssl/srvpublic.crt
 08/01/2020 17:01 Data::RSA FOG Server CA cert found
 08/01/2020 17:01 Data::RSA ERROR: Certificate validation failed
 08/01/2020 17:01 Data::RSA ERROR: Trust chain did not complete to the known authority anchor. Errors: The signature of the certificate cannot be verified. (NotSignatureValid)
 08/01/2020 17:01 Middleware::Authentication ERROR: Could not authenticate
 08/01/2020 17:01 Middleware::Authentication ERROR: Certificate is not from FOG CA
 08/01/2020 17:01 Middleware::Response Success
 08/01/2020 17:01 Middleware::Communication URL: http://192.168.10.60/fog/service/getversion.php?clientver&newService&json
 08/01/2020 17:01 Middleware::Communication URL: http://192.168.10.60/fog/service/getversion.php?newService&json

 08/01/2020 17:01 Service Creating user agent cache
 08/01/2020 17:01 Middleware::Response ERROR: Unable to get subsection
 08/01/2020 17:01 Middleware::Response ERROR: Object reference not set to an instance of an object.
 08/01/2020 17:01 Middleware::Response ERROR: Unable to get subsection
 08/01/2020 17:01 Middleware::Response ERROR: Object reference not set to an instance of an object.
 08/01/2020 17:01 Middleware::Response ERROR: Unable to get subsection
 08/01/2020 17:01 Middleware::Response ERROR: Object reference not set to an instance of an object.

Sebastian Roth

@Matthieu-Jacquart probably some cert mess we have now but I am sure we can figure this out. Please run:

ls -alR /var/www/html/fog/management/other
ls -alR /opt/fog/snapins/ssl
md5sum /opt/fog/snapins/ssl/CA/.fogCA.pem /var/www/html/fog/management/other/ca.cert.pem
openssl verify -CAfile /var/www/html/fog/management/other/ca.cert.pem /var/www/html/fog/management/other/ssl/srvpublic.crt

Matthieu Jacquart

@Sebastian-Roth Nope I just found answer, I had to run installer once again and re-download client after restoring cert, now everything seems great, I just have to redeploy client on all computers
Many thanks for your help Sebastian !

Sebastian Roth

@Matthieu-Jacquart Sure right. If one client was pinned to the re-newed server CA cert then it can’t connect to the old original one. I missed that point! Good you figured it out!!!

Great we got that worked out.