    FOG-Client suddenly stopped working

    • K
      kek
      last edited by kek

      FOG-Client suddenly stopped working this year. Nothing was changed. Output of the client's fog.log:

      Middleware::Communication Download: https://<fogdomain>/fog/management/other/ssl/srvpublic.crt
      Middleware::Communication ERROR: Could not download file
      Middleware::Communication ERROR: Error: TrustFailure (Authentication failed, see inner exception.)
      

      On Windows it is working without problems.
      We have about 100 Linux Clients, is there a server solution without touching them all?

      Thanks in advance!

      • S
        Sebastian Roth Moderator
        last edited by Sebastian Roth

        @kek It’s not even been a whole year but I did not remember we had this error reported before - thanks to the memory of the forums. It looks like there is an issue in the way Linux Mono is reading the certificates from the store, causing it to fail when matching the CA certificate to the one it loads from your FOG server.

        It’s strange/interesting you get this error just now. Possibly a Mono update on your Linux systems??

        Try the following fix: Download Zazzles.dll and put it in /opt/fog-service/Zazzles.dll (rename the original one). Then stop and restart the fog-client or reboot the computer and check the logs.

        We have about 100 Linux Clients, is there a server solution without touching them all?

        Maybe there is. We could come up with a so called “post init” script that could deploy that DLL to selected hosts e.g. via a host inventory task. The hosts would need to PXE boot once to get this done.

        Or I might suggest you use clusterssh to install that fix to all your hosts in batches of 10 or more (depending on the size of screen you have).

        I would say test this first on a couple of hosts if it is actually fixing the issue for you and we’ll take it from there.

        Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

        Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

        • K
          kek @Sebastian Roth
          last edited by

          @sebastian-roth said in FOG-Client suddenly stopped working:

          It’s strange/interesting you get this error just now. Possibly a Mono update on your Linux systems??

          No, we use a fixed version of Mono (Mono repository with a specific version specified), but I can’t tell you at the moment what version we are using exactly. We did no updates on both server and client.

          Maybe we can find the problem with the new information provided. I will try to manually replace the Zazzles.dll on one client just to see if it works. We also have an internal repository; we could update the Mono package and create a package for the FOG-Client. But because we are also updating our clients via FOG-Client, we still need to touch them all, but with this solution we at least have a GUI to update.

          • K
            kek
            last edited by kek

            I re-checked with my colleagues, not all clients have this Problem, just a few servers, so no problem to replace the Zazzles.dll, but with HTTPS, 1 in settings.json, (and newest 0.12.0 Version fog-client) we get:

            ------------------------------------------------------------------------------
            --------------------------------Authentication--------------------------------
            ------------------------------------------------------------------------------
             1/11/2021 12:34:34 PM Client-Info Version: 0.12.0
             1/11/2021 12:34:34 PM Client-Info OS:      Linux
             1/11/2021 12:34:34 PM Middleware::Authentication Waiting for authentication timeout to pass
             1/11/2021 12:34:34 PM Middleware::Communication Download: https://<fogdomain>/fog/management/other/ssl/srvpublic.crt
             1/11/2021 12:34:36 PM Data::RSA FOG Server CA cert found
             1/11/2021 12:34:36 PM Data::RSA ERROR: Certificate validation failed
             1/11/2021 12:34:36 PM Data::RSA ERROR: Trust chain did not complete to the known authority anchor. Errors: PartialChain (PartialChain)
             1/11/2021 12:34:36 PM Middleware::Communication SSL certificate chain error: NotTimeValid
             1/11/2021 12:34:36 PM Middleware::Communication ERROR: Could not download file
             1/11/2021 12:34:36 PM Middleware::Communication ERROR: Error: TrustFailure (Authentication failed, see inner exception.)
            
            • S
              Sebastian Roth Moderator
              last edited by

              @kek said in FOG-Client suddenly stopped working:

              Middleware::Communication SSL certificate chain error: NotTimeValid

              Seems like you have a different issue here. Is the srvpublic.crt still valid?

              • K
                kek
                last edited by

                @sebastian-roth said in FOG-Client suddenly stopped working:

                Is the srvpublic.crt still valid?

                That was the first thought, but no, it’s valid.

                Sorry for the late answer, very busy at the moment.

                • S
                  Sebastian Roth Moderator
                  last edited by Sebastian Roth

                  @kek I have that feeling that it might be the CA certificate not being valid anymore. On install the fog-client software grabs that CA cert from your FOG server and installs it into mono’s certificate store.

                  Run certmgr -list -c -v -m Trust as root to see if a CA cert named FOG Server CA is there and still valid.

                  1 Reply Last reply Reply Quote 0
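As an added example (not part of the original posts and not FOG Project code): a small Python parser for the `certmgr -list -c -v -m Trust` listing format shown in this thread. It reports whether a named CA entry is present and inside its validity window, and flags a listing that was cut short by an unhandled exception. The sample listing, the function names and the US-style date format are assumptions.

```python
import re
from datetime import datetime, timedelta

HEADER = re.compile(r"^(Self-signed )?X\.509 v\d+ Certificate$")
FIELD = re.compile(r"^([A-Za-z ]+?):\s*(.*)$")
# Assumption: certmgr printed dates in the en-US style seen in the thread.
DATE_FMT = "%m/%d/%Y %I:%M:%S %p"

# Constructed sample in the layout certmgr prints; all values are made up.
SAMPLE = """\
Mono Certificate Manager - version 5.18.0.240
Manage X.509 certificates and CRL from stores.

Self-signed X.509 v3 Certificate
  Serial Number: 00AA
  Issuer Name:   C=XX, O=Example Public Root, CN=Example Root CA
  Subject Name:  C=XX, O=Example Public Root, CN=Example Root CA
  Valid From:    11/10/2006 12:00:00 AM
  Valid Until:   11/10/2031 12:00:00 AM

Self-signed X.509 v3 Certificate
  Serial Number: 00BB
  Issuer Name:   CN=FOG Server CA
  Subject Name:  CN=FOG Server CA
  Valid From:    1/15/2016 9:30:00 AM
  Valid Until:   1/12/2021 9:30:00 AM

Self-signed X.509 v3 Certificate
  Serial Number: 00CC
  Issuer Name:   CN=Example ECDSA Root
  Subject Name:  CN=Example ECDSA Root
  Valid From:    3/1/2018 12:00:00 AM
  Valid Until:   3/1/2038 12:00:00 AM

Unhandled Exception:
System.Security.Cryptography.CryptographicException: Unsupported hash algorithm: 1.2.840.10045.4.3.3
"""


def parse_certmgr_list(text):
    """Return (list of field dicts, aborted flag) for a certmgr listing."""
    certs, current, aborted = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Unhandled Exception"):
            # certmgr died mid-listing: later store entries were never printed.
            aborted, current = True, None
            continue
        if HEADER.match(line):
            current = {}
            certs.append(current)
            continue
        m = FIELD.match(line)
        if current is not None and m:
            # "Algorithm Parameters" occurs twice per entry; keep the first.
            current.setdefault(m.group(1), m.group(2))
    return certs, aborted


def classify(cert, now, warn_days=30):
    """Compare the entry's validity window with `now` (naive datetimes)."""
    try:
        start = datetime.strptime(cert["Valid From"], DATE_FMT)
        end = datetime.strptime(cert["Valid Until"], DATE_FMT)
    except (KeyError, ValueError):
        return "unparsed"
    if now < start:
        return "not-yet-valid"
    if now > end:
        return "expired"
    if end - now <= timedelta(days=warn_days):
        return "expiring-soon"
    return "valid"


def audit(text, subject_contains, now, warn_days=30):
    """Look for a CA by subject substring and summarise its status."""
    certs, aborted = parse_certmgr_list(text)
    needle = subject_contains.lower()
    matches = [
        (c.get("Subject Name", ""), c.get("Valid Until", ""),
         classify(c, now, warn_days))
        for c in certs
        if needle in c.get("Subject Name", "").lower()
    ]
    if matches:
        ok = all(status == "valid" for _, _, status in matches)
        verdict = "ok" if ok else "action-needed"
    elif aborted:
        # Absence proves nothing when the listing stopped early.
        verdict = "unknown"
    else:
        verdict = "missing"
    return {"matches": matches, "aborted": aborted, "verdict": verdict}


if __name__ == "__main__":
    print(audit(SAMPLE, "FOG Server CA", datetime.now()))
```

On a client, feed it the captured output of the command instead of `SAMPLE`; an `unknown` verdict means the listing aborted before the store was fully printed, so the CA entry may still exist.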
                  • K
                    kek
                    last edited by

                    @sebastian-roth said in FOG-Client suddenly stopped working:

                    Run certmgr -list -c -v -m Trust as root to see if a CA cert named FOG Server CA is there and still valid.

                    Output (end):

                    Unhandled Exception:
                    System.Security.Cryptography.CryptographicException: Unsupported hash algorithm: 1.2.840.10045.4.3.3
                      at Mono.Security.X509.X509Certificate.get_Signature () [0x001a1] in <c8dae181eb1743bd94c3ab5b607caeb0>:0
                      at Mono.Tools.CertificateManager.DisplayCertificate (Mono.Security.X509.X509Certificate x509, System.Boolean machine, System.Boolean verbose) [0x00132] in <52d071828ee44ab9ab181a6c5989b2db>:0
                      at Mono.Tools.CertificateManager.List (Mono.Tools.CertificateManager+ObjectType type, Mono.Security.X509.X509Store store, System.Boolean machine, System.String file, System.Boolean verbose) [0x0002b] in <52d071828ee44ab9ab181a6c5989b2db>:0
                      at Mono.Tools.CertificateManager.Main (System.String[] args) [0x00204] in <52d071828ee44ab9ab181a6c5989b2db>:0
                    [ERROR] FATAL UNHANDLED EXCEPTION: System.Security.Cryptography.CryptographicException: Unsupported hash algorithm: 1.2.840.10045.4.3.3
                      at Mono.Security.X509.X509Certificate.get_Signature () [0x001a1] in <c8dae181eb1743bd94c3ab5b607caeb0>:0
                      at Mono.Tools.CertificateManager.DisplayCertificate (Mono.Security.X509.X509Certificate x509, System.Boolean machine, System.Boolean verbose) [0x00132] in <52d071828ee44ab9ab181a6c5989b2db>:0
                      at Mono.Tools.CertificateManager.List (Mono.Tools.CertificateManager+ObjectType type, Mono.Security.X509.X509Store store, System.Boolean machine, System.String file, System.Boolean verbose) [0x0002b] in <52d071828ee44ab9ab181a6c5989b2db>:0
                      at Mono.Tools.CertificateManager.Main (System.String[] args) [0x00204] in <52d071828ee44ab9ab181a6c5989b2db>:0
                    
                    • S
                      Sebastian Roth Moderator
                      last edited by Sebastian Roth

                      @kek said in FOG-Client suddenly stopped working:

                      CryptographicException: Unsupported hash algorithm: 1.2.840.10045.4.3.3

                      Do you see any certificate information before the exception happens? Searching the web for this message I found some people reporting the same - very old and newer information as well:

                      • https://github.com/mono/mono/issues/20457
                      • https://stackoverflow.com/questions/31781950/mono-certificate-issue-unsupported-hash-algorithm-1-2-840-10045-4-3-3
                      • https://xamarin.github.io/bugzilla-archives/12/12909/bug.html

                      Which version of mono do you use?

                      I still can’t get my head around why this used to work but now seems to fail so badly. Have you tried installing the fog-client on a fresh new system? As well, what happens if you remove and re-install the fog-client (and mono?) on a system?

                      To me it seems like something might have corrupted the mono certificate store. See if you can find that store in /usr/share/.mono/certs/?! What is the last change date of the files in that directory?

                      • K
                        kek
                        last edited by kek

                        UPDATE: followed the tutorial at: https://wiki.fogproject.org/wiki/index.php/FOG_Client#Installing_-_Linux
                        And have now mono-complete Version 6.12.0.107-0xamarin13+debian10b1
                        But same messages in the log…

                        Sorry for the late reply, we are very busy at the moment…

                        So we reinstalled our FOG-Server last week, and now the Server and the Storage-Nodes are up-to-date (1.5.9). From the old Server we copied over /var/www/fog/management/other/ssl/srvpublic.crt, and we have, as mentioned earlier, no problems with most of the Clients. Only eight of our Servers (total) still have problems… So with Server-Version 1.5.9 and Client version 0.12.0 we still have problems; here is the log:

                         2/19/2021 5:18:13 PM Main Overriding exception handling
                         2/19/2021 5:18:13 PM Main Bootstrapping Zazzles
                         2/19/2021 5:18:13 PM Controller Initialize
                         2/19/2021 5:18:13 PM Controller Start
                        
                         2/19/2021 5:18:13 PM Service Starting service
                         2/19/2021 5:18:13 PM Bus Became bus server
                         2/19/2021 5:18:13 PM Bus Emmiting message on channel: Status
                         2/19/2021 5:18:13 PM Service Invoking early JIT compilation on needed binaries
                        
                        ------------------------------------------------------------------------------
                        --------------------------------Authentication--------------------------------
                        ------------------------------------------------------------------------------
                         2/19/2021 5:18:14 PM Client-Info Version: 0.12.0
                         2/19/2021 5:18:14 PM Client-Info OS:      Linux
                         2/19/2021 5:18:14 PM Middleware::Authentication Waiting for authentication timeout to pass
                         2/19/2021 5:18:14 PM Middleware::Communication Download: http://<fogserver>/fog/management/other/ssl/srvpublic.crt
                         2/19/2021 5:18:14 PM Data::RSA FOG Server CA cert found
                         2/19/2021 5:18:14 PM Data::RSA ERROR: Certificate validation failed
                         2/19/2021 5:18:14 PM Data::RSA ERROR: Trust chain did not complete to the known authority anchor. Errors: NotSignatureValid (NotSignatureValid)
                         2/19/2021 5:18:14 PM Middleware::Authentication ERROR: Could not authenticate
                         2/19/2021 5:18:14 PM Middleware::Authentication ERROR: Certificate is not from FOG CA
                        
                        ------------------------------------------------------------------------------
                        --------------------------------Authentication--------------------------------
                        ------------------------------------------------------------------------------
                         2/19/2021 5:18:14 PM Client-Info Version: 0.12.0
                         2/19/2021 5:18:14 PM Client-Info OS:      Linux
                         2/19/2021 5:18:14 PM Middleware::Authentication Waiting for authentication timeout to pass
                        

                        Complete output of certmgr -list -c -v -m Trust:

                        Mono Certificate Manager - version 5.18.0.240
                        Manage X.509 certificates and CRL from stores.
                        Copyright 2002, 2003 Motus Technologies. Copyright 2004-2008 Novell. BSD licensed.
                        
                        Self-signed X.509 v3 Certificate
                          Serial Number: 4AC79159C96A75A1B146429056E03B08
                          Issuer Name:   C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA
                          Subject Name:  C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA
                          Valid From:    11/10/2006 12:00:00 AM
                          Valid Until:   11/10/2031 12:00:00 AM
                          Unique Hash:   B34DDD372ED92E8F2ABFBB9E20A9D31F204F194B
                          Key Algorithm:        1.2.840.113549.1.1.1
                          Algorithm Parameters: 0500
                          Public Key:         (removed)
                          Signature Algorithm:  1.2.840.113549.1.1.5
                          Algorithm Parameters: 0500
                          Signature:            (removed)
                          Private Key:                  False
                          KeyPair Key:                  False
                        
                        Self-signed X.509 v3 Certificate
                          Serial Number: 2D99D41C39044F7C
                          Issuer Name:   C=US, O=AffirmTrust, CN=AffirmTrust Networking
                          Subject Name:  C=US, O=AffirmTrust, CN=AffirmTrust Networking
                          Valid From:    1/29/2010 2:08:24 PM
                          Valid Until:   12/31/2030 2:08:24 PM
                          Unique Hash:   2110A6E8DA67CEE9D90CCBF913117C60EC31C914
                          Key Algorithm:        1.2.840.113549.1.1.1
                          Algorithm Parameters: 0500
                          Public Key:           (removed)
                          Signature Algorithm:  1.2.840.113549.1.1.5
                          Algorithm Parameters: 0500
                          Signature:            (removed)
                          Private Key:                  False
                          KeyPair Key:                  False
                        
                        Self-signed X.509 v3 Certificate
                          Serial Number: C04404
                          Issuer Name:   C=PL, O=Unizeto Technologies S.A., OU=Certum Certification Authority, CN=Certum Trusted Network CA
                          Subject Name:  C=PL, O=Unizeto Technologies S.A., OU=Certum Certification Authority, CN=Certum Trusted Network CA
                          Valid From:    10/22/2008 12:07:37 PM
                          Valid Until:   12/31/2029 12:07:37 PM
                          Unique Hash:   A8569CCD21EF9CC5737C7A12DF608C2CBC545DF1
                          Key Algorithm:        1.2.840.113549.1.1.1
                          Algorithm Parameters: 0500
                          Public Key:           (removed)
                          Signature Algorithm:  1.2.840.113549.1.1.5
                          Algorithm Parameters: 0500
                          Signature:            (removed)
                          Private Key:                  False
                          KeyPair Key:                  False
                        
                        Self-signed X.509 v3 Certificate
                          Serial Number: 00
                          Issuer Name:   C=JP, O="SECOM Trust Systems CO.,LTD.", OU=Security Communication RootCA2
                          Subject Name:  C=JP, O="SECOM Trust Systems CO.,LTD.", OU=Security Communication RootCA2
                          Valid From:    5/29/2009 5:00:39 AM
                          Valid Until:   5/29/2029 5:00:39 AM
                          Unique Hash:   453ECC5C2C07CCC737ABCA4F06054723F20169FCE993F86657343DB97515C000
                          Key Algorithm:        1.2.840.113549.1.1.1
                          Algorithm Parameters: 0500
                          Public Key:           (removed)
                          Signature Algorithm:  1.2.840.113549.1.1.11
                          Algorithm Parameters: 0500
                          Signature:            (removed)
                          Private Key:                  False
                          KeyPair Key:                  False
                        
                        Self-signed X.509 v3 Certificate
                          Serial Number: 3DE54602353EEE020BE065828A2D814E
                          Issuer Name:   C=GB, S=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO Certification Authority
                          Subject Name:  C=GB, S=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO Certification Authority
                          Valid From:    12/1/2006 12:00:00 AM
                          Valid Until:   12/31/2029 11:59:59 PM
                          Unique Hash:   C1F49DACC04C76C9D07297565C4C2FDA367B90DC
                          Key Algorithm:        1.2.840.113549.1.1.1
                          Algorithm Parameters: 0500
                          Public Key:           (removed)
                          Signature Algorithm:  1.2.840.113549.1.1.5
                          Algorithm Parameters: 0500
                          Signature:            (removed)
                          Private Key:                  False
                          KeyPair Key:                  False
                        
                        Self-signed X.509 v3 Certificate
                          Serial Number: 4AE671E3D889CA4C003FED73A0F98054
                          Issuer Name:   C=EE, O=AS Sertifitseerimiskeskus, CN=EE Certification Centre Root CA, E=pki@sk.ee
                          Subject Name:  C=EE, O=AS Sertifitseerimiskeskus, CN=EE Certification Centre Root CA, E=pki@sk.ee
                          Valid From:    10/30/2010 10:10:30 AM
                          Valid Until:   12/17/2030 11:59:59 PM
                          Unique Hash:   3FD9A3751E2081CB6BF65CCEBD588623D20D9A61
                          Key Algorithm:        1.2.840.113549.1.1.1
                          Algorithm Parameters: 0500
                          Public Key:           (removed)
                          Signature Algorithm:  1.2.840.113549.1.1.5
                          Algorithm Parameters: 0500
                          Signature:            (removed)
                          Private Key:                  False
                          KeyPair Key:                  False
                        
                        Self-signed X.509 v3 Certificate
                          Serial Number: A45A1CB823AEC6C4DF4093C900ECA54C8A5F1608
                          Issuer Name:   C=HK, S=Hong Kong, L=Hong Kong, O=Hongkong Post, CN=Hongkong Post Root CA 3
                          Subject Name:  C=HK, S=Hong Kong, L=Hong Kong, O=Hongkong Post, CN=Hongkong Post Root CA 3
                          Valid From:    6/3/2017 2:29:46 AM
                          Valid Until:   6/3/2042 2:29:46 AM
                          Unique Hash:   D6ED17A5F51972C262E2D3A8677577857C6A85700A2D22E0A4F87948D6834F63
                          Key Algorithm:        1.2.840.113549.1.1.1
                          Algorithm Parameters: 0500
                          Public Key:           (removed)
                          Signature Algorithm:  1.2.840.113549.1.1.11
                          Algorithm Parameters: 0500
                          Signature:            (removed)
                          Private Key:                  False
                          KeyPair Key:                  False
                        
                        Self-signed X.509 v3 Certificate
                          Serial Number: 4B2FBB542FD41B4F
                          Issuer Name:   C=CH, O=SwissSign AG, CN=SwissSign Silver CA - G2
                          Subject Name:  C=CH, O=SwissSign AG, CN=SwissSign Silver CA - G2
                          Valid From:    10/25/2006 8:32:46 AM
                          Valid Until:   10/25/2036 8:32:46 AM
                          Unique Hash:   526AAA5D52A07C057AD6E17522FB678A3E154558
                          Key Algorithm:        1.2.840.113549.1.1.1
                          Algorithm Parameters: 0500
                          Public Key:           (removed)
                          Signature Algorithm:  1.2.840.113549.1.1.5
                          Algorithm Parameters: 0500
                          Signature:            (removed)
                          Private Key:                  False
                          KeyPair Key:                  False
                        
                        Self-signed X.509 v3 Certificate
                          Serial Number: E1A6E3C46D41E6A30D0355F1891BE9CA00
                          Issuer Name:   C=FR, O=Dhimyotis, OU=0002 48146308100036, CN=Certigna Root CA
                          Subject Name:  C=FR, O=Dhimyotis, OU=0002 48146308100036, CN=Certigna Root CA
                          Valid From:    10/1/2013 8:32:27 AM
                          Valid Until:   10/1/2033 8:32:27 AM
                          Unique Hash:   9668D6C44B5F62EE4A56423640D93D45A2C772C6D42ED178978AF5ADDB15FDAE
                          Key Algorithm:        1.2.840.113549.1.1.1
                          Algorithm Parameters: 0500
                          Public Key:           (removed)
                          Signature Algorithm:  1.2.840.113549.1.1.11
                          Algorithm Parameters: 0500
                          Signature:            (removed)
                          Private Key:                  False
                          KeyPair Key:                  False
                        
                        Self-signed X.509 v3 Certificate
                          Serial Number: 0905
                          Issuer Name:   C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 2
                          Subject Name:  C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 2
                          Valid From:    11/24/2006 6:27:00 PM
                          Valid Until:   11/24/2031 6:23:33 PM
                          Unique Hash:   C8F8A3C6BF401D34E6F1D8F8E1DDD08BBB934626
                          Key Algorithm:        1.2.840.113549.1.1.1
                          Algorithm Parameters: 0500
                          Public Key:           (removed)
                          Signature Algorithm:  1.2.840.113549.1.1.5
                          Algorithm Parameters: 0500
                          Signature:            (removed)
                          Private Key:                  False
                          KeyPair Key:                  False
                        
                        Self-signed X.509 v3 Certificate
                          Serial Number: FF48C90F01E3DCFE00
                          Issuer Name:   C=FR, O=Dhimyotis, CN=Certigna
                          Subject Name:  C=FR, O=Dhimyotis, CN=Certigna
                          Valid From:    6/29/2007 3:13:05 PM
                          Valid Until:   6/29/2027 3:13:05 PM
                          Unique Hash:   D49BA8CA0DB5E6C661B57B56F33B4F05163FF8F2
                          Key Algorithm:        1.2.840.113549.1.1.1
                          Algorithm Parameters: 0500
                          Public Key:           (removed)
                          Signature Algorithm:  1.2.840.113549.1.1.5
                          Algorithm Parameters: 0500
                          Signature:            (removed)
                          Private Key:                  False
                          KeyPair Key:                  False
                        
                        Self-signed X.509 v3 Certificate
                          Serial Number: 7DE619D78BF5CBE1BF5F48165AB7B000
                          Issuer Name:   C=ES, O=IZENPE S.A., CN=Izenpe.com
                          Subject Name:  C=ES, O=IZENPE S.A., CN=Izenpe.com
                          Valid From:    12/13/2007 1:08:28 PM
                          Valid Until:   12/13/2037 8:27:25 AM
                          Unique Hash:   9E5428441BEFFA8BCFD95D3272309D63A6AB83812A09D6D7A71B514408AF47A1
                          Key Algorithm:        1.2.840.113549.1.1.1
                          Algorithm Parameters: 0500
                          Public Key:           (removed)
                          Signature Algorithm:  1.2.840.113549.1.1.11
                          Algorithm Parameters: 0500
                          Signature:            (removed)
                          Private Key:                  False
                          KeyPair Key:                  False
                        
                        Self-signed X.509 v3 Certificate
                          Serial Number: 9DBCD206E45E0097B8AF5C4765BDC815
                          Issuer Name:   C=TW, O="Chunghwa Telecom Co., Ltd.", OU=ePKI Root Certification Authority
                          Subject Name:  C=TW, O="Chunghwa Telecom Co., Ltd.", OU=ePKI Root Certification Authority
                          Valid From:    12/20/2004 2:31:27 AM
                          Valid Until:   12/20/2034 2:31:27 AM
                          Unique Hash:   E2D1E7E0391A13E13A9759961938A4FAAB8DEA65
                          Key Algorithm:        1.2.840.113549.1.1.1
                          Algorithm Parameters: 0500
                          Public Key:           (removed)
                          Signature Algorithm:  1.2.840.113549.1.1.5
                          Algorithm Parameters: 0500
                          Signature:            (removed)
                          Private Key:                  False
                          KeyPair Key:                  False
                        
                        Self-signed X.509 v3 Certificate
                          Serial Number: E0683190E3171647E6165CC26F33CB57
                          Issuer Name:   C=US, O=Network Solutions L.L.C., CN=Network Solutions Certificate Authority
                          Subject Name:  C=US, O=Network Solutions L.L.C., CN=Network Solutions Certificate Authority
                          Valid From:    12/1/2006 12:00:00 AM
                          Valid Until:   12/31/2029 11:59:59 PM
                          Unique Hash:   930DBFC5830B7BFD486F9056FCB8751F3D21BF12
                          Key Algorithm:        1.2.840.113549.1.1.1
                          Algorithm Parameters: 0500
                          Public Key:           (removed)
                          Signature Algorithm:  1.2.840.113549.1.1.5
                          Algorithm Parameters: 0500
                          Signature:            (removed)
                          Private Key:                  False
                          KeyPair Key:                  False
                        
                        Self-signed X.509 v3 Certificate
                          Serial Number: E4D6E4DC2DEB015FB6E3B7D532D255EC075D8A3E
                          Issuer Name:   C=PL, O=Krajowa Izba Rozliczeniowa S.A., CN=SZAFIR ROOT CA2
                          Subject Name:  C=PL, O=Krajowa Izba Rozliczeniowa S.A., CN=SZAFIR ROOT CA2
                          Valid From:    10/19/2015 7:43:30 AM
                          Valid Until:   10/19/2035 7:43:30 AM
                          Unique Hash:   8F65AB514D193E1BC2C69D82520F73C4E3255744356064E9859107F26C0EFD5C
                          Key Algorithm:        1.2.840.113549.1.1.1
                          Algorithm Parameters: 0500
                          Public Key:           (removed)
                          Signature Algorithm:  1.2.840.113549.1.1.11
                          Algorithm Parameters: 0500
                          Signature:            (removed)
                          Private Key:                  False
                          KeyPair Key:                  False
                        
                        Self-signed X.509 v3 Certificate
                          Serial Number: 53CB9B519C3E686A
                          Issuer Name:   C=TR, L=Ankara, O=E-Tuğra EBG Bilişim Teknolojileri ve Hizmetleri A.Ş., OU=E-Tugra Sertifikasyon Merkezi, CN=E-Tugra Certification Authority
                          Subject Name:  C=TR, L=Ankara, O=E-Tuğra EBG Bilişim Teknolojileri ve Hizmetleri A.Ş., OU=E-Tugra Sertifikasyon Merkezi, CN=E-Tugra Certification Authority
                          Valid From:    3/5/2013 12:09:48 PM
                          Valid Until:   3/3/2023 12:09:48 PM
                          Unique Hash:   AE284D570FF1601F3D9E2067F8B5D44E58B49D5142A2D888235926E44B49A1EB
                          Key Algorithm:        1.2.840.113549.1.1.1
                          Algorithm Parameters: 0500
                          Public Key:           (removed)
                          Signature Algorithm:  1.2.840.113549.1.1.11
                          Algorithm Parameters: 0500
                          Signature:            (removed)
                          Private Key:                  False
                          KeyPair Key:                  False
                        
                        Self-signed X.509 v3 Certificate
                          Serial Number: C54AEFA1421099D600
                          Issuer Name:   C=US, S=Illinious, L=Chicago, O=FOG Project, CN=FOG Project, E=noreply@fogproject.org
                          Subject Name:  C=US, S=Illinious, L=Chicago, O=FOG Project, CN=FOG Project, E=noreply@fogproject.org
                          Valid From:    9/9/2015 1:04:11 AM
                          Valid Until:   9/7/2020 1:04:11 AM
                          Unique Hash:   A2401FF1B2C3528B250FBA08FEF97C19E570D35C
                          Key Algorithm:        1.2.840.113549.1.1.1
                          Algorithm Parameters: 0500
                          Public Key:           (removed)
                          Signature Algorithm:  1.2.840.113549.1.1.5
                          Algorithm Parameters: 0500
                          Signature:            (removed)
                          Private Key:                  False
                          KeyPair Key:                  False
                        
                        Self-signed X.509 v3 Certificate
                          Serial Number: C0C2F61A23F8B3468785F0745220B176
                          Issuer Name:   C=CH, O=WISeKey, OU=OISTE Foundation Endorsed, CN=OISTE WISeKey Global Root GB CA
                          Subject Name:  C=CH, O=WISeKey, OU=OISTE Foundation Endorsed, CN=OISTE WISeKey Global Root GB CA
                          Valid From:    12/1/2014 3:00:32 PM
                          Valid Until:   12/1/2039 3:10:31 PM
                          Unique Hash:   04524E82755B1E36393B942C01DEE51978C032D7D4519F7DA6C964ABF89C5EA9
                          Key Algorithm:        1.2.840.113549.1.1.1
                          Algorithm Parameters: 0500
                          Public Key:           (removed)
                          Signature Algorithm:  1.2.840.113549.1.1.11
                          Algorithm Parameters: 0500
                          Signature:            (removed)
                          Private Key:                  False
                          KeyPair Key:                  False
                        
                        Self-signed X.509 v3 Certificate
                          Serial Number: 00
                          Issuer Name:   C=US, S=Arizona, L=Scottsdale, O="GoDaddy.com, Inc.", CN=Go Daddy Root Certificate Authority - G2
                          Subject Name:  C=US, S=Arizona, L=Scottsdale, O="GoDaddy.com, Inc.", CN=Go Daddy Root Certificate Authority - G2
                          Valid From:    9/1/2009 12:00:00 AM
                          Valid Until:   12/31/2037 11:59:59 PM
                          Unique Hash:   3560E45B41E46B8F36537025D1D5BC02D9652A10645B0EFF69E8B6A52191F335
                          Key Algorithm:        1.2.840.113549.1.1.1
                          Algorithm Parameters: 0500
                          Public Key:           (removed)
                          Signature Algorithm:  1.2.840.113549.1.1.11
                          Algorithm Parameters: 0500
                          Signature:            (removed)
                          Private Key:                  False
                          KeyPair Key:                  False
                        
                        X.509 v3 Certificate
                          Serial Number: 26CC8089CDDE5671D2C5945AC5998B5C
                          Issuer Name:   C=US, S=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust ECC Certification Authority
                          Subject Name:  C=US, S=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust ECC Certification Authority
                          Valid From:    2/1/2010 12:00:00 AM
                          Valid Until:   1/18/2038 11:59:59 PM
                          Unique Hash:
                          Key Algorithm:        1.2.840.10045.2.1
                          Algorithm Parameters: 06052B81040022
                          Public Key:           (removed)
                          Signature Algorithm:  1.2.840.10045.4.3.3
                          Algorithm Parameters: None
                        
                        Unhandled Exception:
                        System.Security.Cryptography.CryptographicException: Unsupported hash algorithm: 1.2.840.10045.4.3.3
                          at Mono.Security.X509.X509Certificate.get_Signature () [0x001a1] in <c8dae181eb1743bd94c3ab5b607caeb0>:0
                          at Mono.Tools.CertificateManager.DisplayCertificate (Mono.Security.X509.X509Certificate x509, System.Boolean machine, System.Boolean verbose) [0x00132] in <52d071828ee44ab9ab181a6c5989b2db>:0
                          at Mono.Tools.CertificateManager.List (Mono.Tools.CertificateManager+ObjectType type, Mono.Security.X509.X509Store store, System.Boolean machine, System.String file, System.Boolean verbose) [0x0002b] in <52d071828ee44ab9ab181a6c5989b2db>:0
                          at Mono.Tools.CertificateManager.Main (System.String[] args) [0x00204] in <52d071828ee44ab9ab181a6c5989b2db>:0
                        [ERROR] FATAL UNHANDLED EXCEPTION: System.Security.Cryptography.CryptographicException: Unsupported hash algorithm: 1.2.840.10045.4.3.3
                          at Mono.Security.X509.X509Certificate.get_Signature () [0x001a1] in <c8dae181eb1743bd94c3ab5b607caeb0>:0
                          at Mono.Tools.CertificateManager.DisplayCertificate (Mono.Security.X509.X509Certificate x509, System.Boolean machine, System.Boolean verbose) [0x00132] in <52d071828ee44ab9ab181a6c5989b2db>:0
                          at Mono.Tools.CertificateManager.List (Mono.Tools.CertificateManager+ObjectType type, Mono.Security.X509.X509Store store, System.Boolean machine, System.String file, System.Boolean verbose) [0x0002b] in <52d071828ee44ab9ab181a6c5989b2db>:0
                          at Mono.Tools.CertificateManager.Main (System.String[] args) [0x00204] in <52d071828ee44ab9ab181a6c5989b2db>:0
                        

                        mono-complete Version: 5.18.0.240+dfsg-3

                        Strange thing: Same server (from a software perspective) with all versions the same, it's working fine…

                        Mono certificate store: (/usr/share/.mono/certs/) :

                        ls -lah /usr/share/.mono/certs/
                        drwxr-xr-x 3 root root 4.0K Feb 19 14:17 .
                        drwxr-xr-x 5 root root 4.0K Feb 19 14:20 ..
                        drwxr-xr-x 2 root root  20K Feb 19 17:18 Trust
                        
                        • S
                          Sebastian Roth Moderator
                          last edited by Sebastian Roth

                          @kek said in FOG-Client suddenly stopped working:

                          Self-signed X.509 v3 Certificate
                          Serial Number: C54AEFA1421099D600
                          Issuer Name: C=US, S=Illinious, L=Chicago, O=FOG Project, CN=FOG Project, E=noreply@fogproject.org
                          Subject Name: C=US, S=Illinious, L=Chicago, O=FOG Project, CN=FOG Project, E=noreply@fogproject.org
                          Valid From: 9/9/2015 1:04:11 AM
                          Valid Until: 9/7/2020 1:04:11 AM
                          Unique Hash: A2401FF1B2C3528B250FBA08FEF97C19E570D35C
                          Key Algorithm: 1.2.840.113549.1.1.1
                          Algorithm Parameters: 0500
                          Public Key: (removed)
                          Signature Algorithm: 1.2.840.113549.1.1.5
                          Algorithm Parameters: 0500
                          Signature: (removed)
                          Private Key: False
                          KeyPair Key: False

                          The Valid Until: 9/7/2020 1:04:11 AM portion tells me this is not a properly installed fog-client 0.12.0 as it would install the more recent “FOG Project CA” being valid for way longer! As we see you have 0.12.0 from the logs I would think it just can’t properly install the certificates to the key store.

                          Strange thing: Same server (from a software perspective) with all versions the same, it's working fine…

                          What do you mean by that? This particular client you posted the information here can communicate with a different FOG server just fine?

                          You need to know that on installation the fog-client will download the specific server CA cert (http://…/fog/management/other/ca.cert.der) and pin that client to this server. So copying /var/www/fog/management/other/ssl/srvpublic.crt to a different server is not enough!

                          Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

                          Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG
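
A triage pass over a `certmgr` listing like the one posted above, as an added example that is not part of the thread or of the FOG client. It flags the expired "FOG Project" CA and the entry whose signature OID stopped the listing; the function names are hypothetical, `RENDERED_OK` is an assumption drawn from the posted dump, and the reference date is taken from the client log in the thread.

```python
import re
from datetime import datetime

# Trimmed excerpt of the certmgr listing posted in this thread (only the
# fields the triage needs); field names and date format are as in the post.
SAMPLE = """\
Self-signed X.509 v3 Certificate
  Serial Number: E4D6E4DC2DEB015FB6E3B7D532D255EC075D8A3E
  Subject Name:  C=PL, O=Krajowa Izba Rozliczeniowa S.A., CN=SZAFIR ROOT CA2
  Valid Until:   10/19/2035 7:43:30 AM
  Signature Algorithm:  1.2.840.113549.1.1.11

Self-signed X.509 v3 Certificate
  Serial Number: C54AEFA1421099D600
  Subject Name:  C=US, S=Illinious, L=Chicago, O=FOG Project, CN=FOG Project, E=noreply@fogproject.org
  Valid Until:   9/7/2020 1:04:11 AM
  Signature Algorithm:  1.2.840.113549.1.1.5

X.509 v3 Certificate
  Serial Number: 26CC8089CDDE5671D2C5945AC5998B5C
  Subject Name:  C=US, S=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust ECC Certification Authority
  Valid Until:   1/18/2038 11:59:59 PM
  Signature Algorithm:  1.2.840.10045.4.3.3
"""

SHA1_RSA = "1.2.840.113549.1.1.5"     # sha1WithRSAEncryption
SHA256_RSA = "1.2.840.113549.1.1.11"  # sha256WithRSAEncryption
# Assumption: OIDs the certmgr build in this thread printed without crashing.
RENDERED_OK = {SHA1_RSA, SHA256_RSA}

HEADER = re.compile(r"^(Self-signed )?X\.509 v\d+ Certificate$")
FIELDS = {"Serial Number", "Issuer Name", "Subject Name", "Valid From",
          "Valid Until", "Unique Hash", "Signature Algorithm"}


def parse_certmgr(text):
    """Split a certmgr listing into one dict per certificate."""
    certs, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            cur = {"self_signed": bool(m.group(1))}
            certs.append(cur)
            continue
        key, sep, value = line.partition(":")
        if cur is not None and sep and key in FIELDS:
            cur[key] = value.strip()
    return certs


def common_name(cert):
    m = re.search(r"(?:^|, )CN=([^,]+)", cert.get("Subject Name", ""))
    return m.group(1) if m else None


def triage(cert, now):
    """Return the findings for one parsed certificate at time `now`."""
    findings = []
    until = cert.get("Valid Until")
    if until and datetime.strptime(until, "%m/%d/%Y %I:%M:%S %p") < now:
        findings.append("expired")
    oid = cert.get("Signature Algorithm", "")
    if oid == SHA1_RSA:
        findings.append("sha1-signature")
    if oid not in RENDERED_OK:
        findings.append("signature-oid-not-rendered")
    return findings


def report(text, now):
    """Map each certificate's CN to its list of findings."""
    return {common_name(c): triage(c, now) for c in parse_certmgr(text)}


if __name__ == "__main__":
    for cn, findings in report(SAMPLE, datetime(2021, 2, 19)).items():
        print(f"{cn}: {', '.join(findings) or 'ok'}")
```

Run against a full listing, the absence of a `FOG Project CA` key in the result is the condition described in the post above: the store holds only the older, expired "FOG Project" certificate.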

                          • K
                            kek
                            last edited by

                            @sebastian-roth said in FOG-Client suddenly stopped working:

                            What do you mean by that? This particular client you posted the information here can communicate with a different FOG server just fine?

                            Update:

                            We are updating also the storage nodes after the master-server. The problem seems to come from the update, we also updated this storage node that worked before, and now we have the same problem… But the mono-complete Version seems not to change… so it must be another packet… (Both the Server that has a not working Client and the Server that had a working Client before are Storage nodes)

                            But the Server that had before the Update a working client has Version 0.11.18 installed, and the log is different:

                            ------------------------------------------------------------------------------
                            --------------------------------Authentication--------------------------------
                            ------------------------------------------------------------------------------
                             2/19/2021 9:26:03 PM Client-Info Version: 0.11.18
                             2/19/2021 9:26:03 PM Client-Info OS:      Linux
                             2/19/2021 9:26:03 PM Middleware::Authentication Waiting for authentication timeout to pass
                             2/19/2021 9:28:03 PM Middleware::Communication Download: http://<fogserver>/fog/management/other/ssl/srvpublic.crt
                             2/19/2021 9:28:03 PM Data::RSA ERROR: FOG Server CA NOT found in keystore - needs to be installed
                             2/19/2021 9:28:03 PM Middleware::Authentication ERROR: Could not authenticate
                             2/19/2021 9:28:03 PM Middleware::Authentication ERROR: Value cannot be null.
                            Parameter name: authority
                            
                            • S
                              Sebastian Roth Moderator
                              last edited by

                              @kek said in FOG-Client suddenly stopped working:

                              RSA ERROR: FOG Server CA NOT found in keystore - needs to be installed

                              I still think something is messing up your certificate store.

                              • K
                                kek
                                last edited by

                                @sebastian-roth said in FOG-Client suddenly stopped working:

                                You need to know that on installation the fog-client will download the specific server CA cert (http://…/fog/management/other/ca.cert.der) and pin that client to this server. So copying /var/www/fog/management/other/ssl/srvpublic.crt to a different server is not enough!

                                SOLVED!

                                Copied /fog/management/other/ca.cert.der from old to new server, and it works! Also works with HTTPS: 1 in /opt/fog-service/settings.json! I just need to bring all the clients on the Server to version 0.12.0 (only 8). So solution is update/recreate the Server, copy over all the certs from the old server and install newest FOG-Client on all Hosts.

                                Can be marked as solved!

                                • S
                                  Sebastian Roth Moderator
                                  last edited by Sebastian Roth

                                  @kek said in FOG-Client suddenly stopped working:

                                  install newest FOG-Client on all Hosts.

                                  Unless there is really something strange going on with the CA and certificate generation on the new server I can’t see why you would need to copy the certs from the old server to the new one when you actually run the fog-client installer to the hosts anyway. That would pull down and pin to the (CA) cert of the new server.

                                  Ok, now that I write this I could see what I might have missed so far. Did you do a fresh install of the fog-client on those hosts before? Because when you initially said “FOG-Client suddenly stopped working this Year. Nothing was changed.” I expected this to be hosts with already installed fog-client that stopped to talk to the FOG server. But I might have misunderstood this point?!

                                  So are you saying a fresh install of the fog-client on Linux is not able to communicate with an up to date FOG server?

                                  Which OS and version exactly do you use on the hosts? Sounds like Debian Buster but I want to make sure I can setup the same scenario that you have. As well please let me know which OS and version you use on the server. I will see if I can replicate the issue and think about how to fix this.

                                  The keystore has caused us trouble in the past but it seemed to work fine when I looked at it more than a year ago. Now if it does cause problems again we might think about adding an alternative to the keystore finally: https://github.com/FOGProject/zazzles/issues/23

                                  • K
                                    kek
                                    last edited by kek

                                    @sebastian-roth said in FOG-Client suddenly stopped working:

                                    Unless there is really something strange going on with the CA and certificate generation on the new server I can’t see why you would need to copy the certs from the old server to the new one when you actually run the fog-client installer to the hosts anyway.

                                    I think there is something strange going on, it only worked with the old certificate, also don't know why, reinstalled client and mono and also deleted all residual folders after uninstallation of mono.
                                    But it only happened after Storage Node update (1.5.8 to 1.5.9). (We have 8 linux servers, 3 of them are Storage nodes. All have Debian Buster OS)
                                    But most of our linux machines with client (~150) had never problems, but they use all an old fixed version of mono, because they are Lubuntu 18.04 LTS OS and the Ubuntu repo has no mono included (They are also using some old version of the Client (0.11.1x)). Master-Server is also Debian 10.

                                    So are you saying a fresh install of the fog-client on Linux is not able to communicate with an up to date FOG server?

                                    Yes. Unless you copy over the cert from the old server. (ca.cert.der)

                                    • S
                                      Sebastian Roth Moderator
                                      last edited by

                                      @kek said in FOG-Client suddenly stopped working:

                                      but they use all an old fixed version of mono, because they are Lubuntu 18.04 LTS OS and the Ubuntu repo has no mono included

                                      That is 5.18.0.240+dfsg-3 as you posted earlier??

                                      • S
                                        Sebastian Roth Moderator
                                        last edited by

                                        @kek Just a quick update as I got to work allowing the fog-client to use a simple local CA certificate file instead of the mono keystore stuff. Would you be interested to test?

                                        Copyright © 2012-2024 FOG Project