
    Setting up trusted SSL certificate

      Malte Will
      last edited by Malte Will

      I was tasked with setting up a FOG server in our company's installation network.
      I installed FOG 1.5.7 on an Ubuntu Server 18.04 VM located on our local ESXi server.
      I used the -S option to enforce HTTPS on the web interface.
      Now I am trying to use our company's internal trusted wildcard certificate.
      I tried modifying the apache2 site configuration located at /etc/apache2/sites-enabled/001-fog.conf.
      When I change the paths of the SSL certificate files I am no longer able to boot over PXE.
      Trying to boot over PXE I get the following error:
      https://<fogserverip>/fog/service/ipxe/boot.php… No such file or directory (http://ipxe.org/2d0c618e)

      I am thinking I need to change the certificate path in another file, too.
      If this is true, what file do I need to manipulate?

        Sebastian Roth Moderator
        last edited by

        @Malte-Will said in Setting up trusted SSL certificate:

        I am thinking I need to change the certificate path in another file, too.
        If this is true, what file do I need to manipulate?

        The certificate will need to be compiled into the iPXE binaries. You can do this by running the following commands:

        cd /path/to/source/of/fogproject/code/utils/FOGiPXE
        ./buildipxe.sh /path/to/your/wildcard/certificate.pem
        rsync -av /path/to/source/of/fogproject/code/tftp/ /tftpboot/
        

        Please be aware that there is an issue with certificates from some certificate authorities: https://forums.fogproject.org/topic/12768/not-able-to-tftp-boot-invalid-argument-error

        Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

        Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

              Malte Will @Sebastian Roth
              last edited by

              @Sebastian-Roth
              I found the tftp directory you specified in the rsync command in the packages folder in the fogproject code directory.
              After executing the commands I am still stuck with the same problem.

                Sebastian Roth Moderator
                last edited by

                @Malte-Will said in Setting up trusted SSL certificate:

                After executing the commands I am still stuck with the same problem.

                What was the output of the second command?? Any errors??

                  Malte Will @Sebastian Roth
                  last edited by

                  @Sebastian-Roth
                  I got no error messages by executing the commands.
                  This is the output of the buildscript: output.txt
                  This is the output from rsync: rsync-out.txt
                  Am I missing anything?

                    Sebastian Roth Moderator
                    last edited by

                    @Malte-Will Hmmm, my fault, sorry!!

                    The command ./buildipxe.sh /path/to/your/wildcard/certificate.pem should have been ./buildipxe.sh /path/to/the/CA/cert/of/your/wildcard/certificate.pem

                    What that means is, you need to compile iPXE with the certificate authority’s (CA) certificate included that was used to sign your wildcard cert. If you don’t know what that means you might want to tell us more about where you got the certificate from.

                    One more thing I missed to tell you. In case you want to use the fog-client software as well you will run into issues with your custom certificate. If you need to know more about this, I can give you the details.

                      Malte Will @Sebastian Roth
                      last edited by

                      @Sebastian-Roth
                      I tried compiling iPXE with our CA's certificate but still got the same result.
                      We have two certificates in the cert file, is that a problem?

                        Sebastian Roth Moderator
                        last edited by

                        @Malte-Will From what I see I think you should use the Intermediate #2 certificate found here: https://support.comodo.com/index.php?/Knowledgebase/Article/View/978/108/organization-validation-sha-2
                        (direct link)

                          Malte Will @Sebastian Roth
                          last edited by Malte Will

                          @Sebastian-Roth
                          I solved the problem. In the end, the last thing I forgot was to change the IP of the FOG server to the FQDN in the iPXE file.
                          We also needed to set the WEB HOST setting in the FOG Configuration to the FQDN.
                          I checked the certificates you sent against the ones we have and verified that they are identical.

                          Thanks for your help!
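
The two checks this thread converged on, as an added shell example (not part of any post and not FOG project code): use openssl to confirm that the PEM passed to buildipxe.sh is the CA behind the web server certificate, and that the certificate covers the host used in the boot URL. The file names, the `*.corp.example` domain and the address 192.0.2.10 are constructed; the script assumes OpenSSL 1.1.0 or newer.

```shell
#!/usr/bin/env bash
# Pre-flight for FOG over HTTPS: is the PEM given to buildipxe.sh the CA behind
# the web server certificate, and does that certificate cover the boot URL host?

fp() { openssl x509 -in "$1" -noout -fingerprint -sha256; }

# chain_ok CA_PEM SERVER_PEM
# Fails if CA_PEM is the server certificate itself (the thread's first attempt),
# then verifies against CA_PEM only; -partial_chain accepts an intermediate CA.
chain_ok() {
    [[ $(fp "$1") != "$(fp "$2")" ]] || return 1
    openssl verify -no-CApath -partial_chain -CAfile "$1" "$2" >/dev/null 2>&1
}

# name_ok SERVER_PEM HOST (HOST = FQDN or bare IPv4 address from the boot URL)
name_ok() {
    local flag=-checkhost
    [[ $2 =~ ^[0-9]+(\.[0-9]+){3}$ ]] && flag=-checkip
    openssl x509 -in "$1" -noout "$flag" "$2" 2>/dev/null | grep -q 'does match'
}

# preflight CA_PEM SERVER_PEM HOST: returns 1 on a chain problem, 2 on a name problem.
preflight() {
    chain_ok "$1" "$2" || { echo "FAIL: $1 is not the CA for $2"; return 1; }
    name_ok "$2" "$3" || { echo "FAIL: certificate does not cover $3"; return 2; }
    echo "OK: certificate chains to $1 and covers $3"
}

# Constructed sample PKI: throwaway keys and made-up names, for an offline demo.
make_sample_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Constructed Test CA' \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/CN=*.corp.example' \
        -keyout "$1/web.key" -out "$1/web.csr" 2>/dev/null
    openssl x509 -req -in "$1/web.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 2 -out "$1/wildcard.pem" 2>/dev/null
}

demo=$(mktemp -d) && make_sample_pki "$demo"
preflight "$demo/wildcard.pem" "$demo/wildcard.pem" fog.corp.example  # FAIL: not a CA
preflight "$demo/ca.pem" "$demo/wildcard.pem" 192.0.2.10              # FAIL: bare IP
preflight "$demo/ca.pem" "$demo/wildcard.pem" fog.corp.example        # OK
```

Against a real server, point `preflight` at the CA file you intend to build into iPXE, the certificate Apache serves, and the exact host that appears in the `https://` boot URL.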

                            symrex @Malte Will
                            last edited by symrex

                            @Malte-Will said in Setting up trusted SSL certificate:

                            @Sebastian-Roth
                            I solved the problem. In the end, the last thing I forgot was to change the IP of the FOG server to the FQDN in the iPXE file.

                            Could you please explain in more detail, which ipxe file do you mean?
                            /opt/fog/.fogsettings first line?
                            ipaddress=…

                            We also needed to set the WEB HOST setting in the FOG Configuration to the FQDN.

                            Done.

                            My problem is that after my CA was changed and iPXE was rebuilt, iPXE is still trying to connect to the bare IP, not to the FQDN.

                              cul3r0 @Sebastian Roth
                              last edited by

                              @sebastian-roth said in Setting up trusted SSL certificate:

                              One more thing I missed to tell you. In case you want to use the fog-client software as well you will run into issues with your custom certificate. If you need to know more about this, I can give you the details.

                              I’d love to know more details about this. Thank you.
