    Think I deleted my SSL keys/Failed SSL

    • D
      Dreded
      last edited by Dreded

      Series of events…
      had to change all computers to a different Subnet…
      3 computers in the office have a crappy BIOS and get stuck in a reboot loop because they cannot access the redirect from the TFTP server.

      no problem, I've had to update fog before, this will be easy

      [root@CentOS fogproject]# git pull
      Already up-to-date.
      [root@CentOS fogproject]# cd bin
      [root@CentOS bin]# ./
      error_logs/    installfog.sh  
      [root@CentOS bin]# ./installfog.sh
      
      * Creating SSL Certificate....................................Failed!
      

      ok after some web searching several forum posts say to run

      ./installfog.sh -K
      

      but still get

      * Creating SSL Certificate....................................Failed!
      

      ok… ./installfog.sh --help oh there is an option here to just continue if an error occurs… I'll do that as I don’t actually need it to create SSL keys as they already exist.

      ./installfog.sh -X
      .....
      * Creating SSL Certificate....................................Failed!
      OK
       * Creating auth pub key and cert..............................OK
       * Resetting SSL Permissions...................................OK
       * Setting up Apache virtual host (no SSL).....................OK
       * Starting and checking status of web services................OK
       * Changing permissions on apache log files....................OK
       * Backing up database.........................................Done
      

      all is good my TFTP server is now working and the 3 computers stuck in a reboot loop startup…
      I then tell Fog to reboot one as a test and it fails… check its log and it cannot authenticate so reset the encryption keys on that host in the fog management website and it still cannot authenticate…

      so I am fairly certain I overwrote my SSL keys and have 30 machines that I cannot control through fog anymore… is there a backup of SSL keys anyplace?

      now what?

        • S
          Sebastian Roth Moderator
          last edited by Sebastian Roth

          @Dreded Within the fogproject/bin/ directory you find a sub dir called “error_logs”. Take a look at the fog_error....log file and post the last 20 lines of that here in the forums. Re-reading your post I see that you’ve run the installer with command line option -X in the end to get past the openssl error. So we might need to dig through that whole log to find what’s wrong. Can you upload the whole log file and post a link here?

          so I am fairly certain I overwrote my SSL keys and have 30 machines that I cannot control through fog anymore… is there a backup of SSL keys anyplace?

          Unless you have run the installer with -C (or --recreate-CA) command line option it should not have touched the important CA cert and key which the fog-client is pinned to. Re-creating the SSL (webserver) certificate should not cause any trouble. Please post the fog-client fog.log here as well so we can have a look.

          Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

          Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

            • D
              Dreded
              last edited by Dreded

              @Sebastian-Roth
              Sorry, I have been busy with other things and for some reason the forum didn’t notify me of a reply (even when checking Notifications in the forum). Hopefully this can be solved, or at least it would be nice to know where I went wrong so as not to do it again 🙂 Thanks for the excellent software and any help you can provide.

              worth noting one of the main reasons I was upgrading was because I changed the hostname from CentOS to fogserver so that was changed in the /opt/fog/.fogsettings and on the hostname and the ipaddress were touched (I entered IP address as the hostname because it seemed to work (maybe not) and I was doing all of this due to a need to change my entire subnet and referring to things by address is a PITA)

              Version: 1.5.8

              Install time: Fri 30 Aug 2019 03:38:39 PM PDT

              ipaddress='fogserver.office.company.com'
              copybackold='0'
              interface='eth0'
              submask='255.255.255.0'
              hostname='FogServer.office.company.com'

              here is my foginstall.log
              https://pastebin.com/MK7uqz31

              fog_error_1.5.7.log
              https://pastebin.com/W1dXHyHZ

              fog_error_1.5.8.log
              https://pastebin.com/cX3H1Xsq

              all of the clients are now not able to communicate to the server, even new registrations. here is a log from a client that was just registered via PXE host registration and the client was installed before imaging it (so… september 2019):
              https://pastebin.com/4EE7raNL

              and maybe most important of all here is the log file(renamed old one so this is fresh) from that same computer after removing fog client and then downloading and re-installing the smart-installer from fogserver/fog/client I can verify that http://fogserver/fog/management/other/ssl/ is indeed an empty folder

              https://pastebin.com/ZX7LUYGS

              • S
                Sebastian Roth Moderator
                last edited by

                @Dreded Notification works great on my side. I hope it does so for all the others as well. When the @name is added in the post it really should! If it does not then you may need to check this topic more often to see if someone replied (usually within 24 hours!) and let us know if the notification is still an issue.

                Grabbing through the logs I just found what caused the failure:

                Error Loading extension section v3_ca
                139681528117136:error:220A4076:X509 V3 routines:a2i_GENERAL_NAME:bad ip address:v3_alt.c:476:value=fogserver.office.companyname.com
                139681528117136:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:v3_conf.c:95:name=subjectAltName, value=@alt_names
                

                I entered IP address as the hostname because it seemed to work(maybe not) …

                This is actually causing the problem. Go back to IP address in /opt/fog/.fogsettings and re-run the installer as ./installfog.sh -K (do not use -C!) and it should all be fine again.

                I will ponder on how to prevent this from happening in the future.

                I was doing all of this due to a need to change my entire subnet and referring to things by address is a PITA)

                If DNS is properly set up in your network (nothing that FOG can do for you!!) you can happily access the FOG web UI using DNS name. But switching to DNS within the fogsettings is causing major issues as you see.

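Added example (not part of the original posts and not the FOG installer's own code): a POSIX shell pre-flight check for the failure diagnosed above, where a name in the ipaddress setting ends up as an IP-typed subjectAltName entry and openssl aborts with "bad ip address". The key names ipaddress and hostname come from the posted settings; the function names, the key='value' parsing and the sample values are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not FOG installer code. Sample values are constructed.

# Succeed only if $1 is a dotted-quad IPv4 literal (four octets, each 0-255).
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; input is digits and dots only
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the value of key $1 from a key='value' settings file $2.
get_setting() {
    sed -n "s/^$1='\(.*\)'\$/\1/p" "$2" | head -n 1
}

# Emit an [alt_names] section with correctly typed entries, or refuse when
# the ipaddress setting holds a name (the "bad ip address" case in the log).
build_alt_names() {
    ip=$(get_setting ipaddress "$1")
    host=$(get_setting hostname "$1")
    if ! is_ipv4 "$ip"; then
        echo "ipaddress='$ip' is not an IP literal; refusing to write an IP SAN" >&2
        return 1
    fi
    printf '[alt_names]\nIP.1 = %s\nDNS.1 = %s\n' "$ip" "$host"
}

demo() {
    dir=$(mktemp -d)
    printf "ipaddress='192.0.2.10'\nhostname='fogserver.example.test'\n" > "$dir/good"
    printf "ipaddress='fogserver.example.test'\nhostname='fogserver.example.test'\n" > "$dir/bad"
    build_alt_names "$dir/good"
    build_alt_names "$dir/bad" || echo "fix ipaddress, then re-run the installer"
    rm -rf "$dir"
}
demo
```

Running a check like this before certificate generation surfaces the mistake at the settings file, instead of many steps later when clients stop authenticating.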
                • D
                  Dreded @Sebastian Roth
                  last edited by

                  @Sebastian-Roth

                  Once again thanks for all the hard work,

                  got a notification this time but no e-mail notifications as is typically default with forums. I am sure it's just set as opt in here and I never did that… (just changed it now in settings)

                  makes total sense that a field specifically labeled as IP where I entered a host-name might cause problems, Due to having to move things to different IP addresses over the years due to either poor planning or not foreseeing how many of one type of thing I would end up with I try to avoid referring to things by IP address whenever possible(never had to rename a main server but I have had to move its “address”) so I tried it and it seemed to work(in my defense cause and effect were many steps apart)

                  thanks again, I'll fix this tomorrow and all should be good.

                  • D
                    Dreded
                    last edited by

                    @Sebastian-Roth said in Think I deleted my SSL keys/Failed SSL:

                    ./installfog.sh -K

                    just wanted to add to anyone else that stumbles across this… the -K was definitely needed (guess it resets the encryption keys client side?)

                    • S
                      Sebastian Roth Moderator
                      last edited by

                      @Dreded said in Think I deleted my SSL keys/Failed SSL:

                      just wanted to add to anyone else that stumbles across this… the -K was definitely needed (guess it resets the encryption keys client side?)

                      No, it regenerates the certificate used by the fog-client (not to be confused with the CA cert the fog-client is pinned to).

                      Copyright © 2012-2024 FOG Project