Fog client installation error - Cannot install CA certificate
-
@jonhwood360
fog apache config
-
@jonhwood360 The PCAP looks like the host sends a TLS Client Hello using TLS 1.0 and the Apache server rejects it. Have you disabled newer TLS versions via GPO by any chance??
-
@sebastian-roth said in Fog client installation error - Cannot install CA certificate:
@jonhwood360 The PCAP looks like the host sends a TLS Client Hello using TLS 1.0 and the Apache server rejects it. Have you disabled newer TLS versions via GPO by any chance??
No, no GPOs are applied. The apache server is on ubuntu. I can try to force enable newer TLS versions on the workstations. Is ver 1.2 sufficient?
-
@jonhwood360 said in Fog client installation error - Cannot install CA certificate:
@sebastian-roth said in Fog client installation error - Cannot install CA certificate:
@jonhwood360 The PCAP looks like the host sends a TLS Client Hello using TLS 1.0 and the Apache server rejects it. Have you disabled newer TLS versions via GPO by any chance??
No, no GPOs are applied. The apache server is on ubuntu. I can try to force enable newer TLS versions on the workstations. Is ver 1.2 sufficient?
I reattempted install after hard enabling tls 1.1 and 1.2 in the registry of the machine. No change.
I also took another pcap: https://drive.google.com/file/d/19u1RKug2OwFOHC4S_l0bDT1uK7bbhR0I/view?usp=sharing
-
PCAP from workstation as well - https://drive.google.com/file/d/1y-lML_qrJ18nv3T7HQ3zsW9M9vUD3NOU/view?usp=sharing
-
@sebastian-roth said in Fog client installation error - Cannot install CA certificate:
The PCAP looks like the host sends a TLS Client Hello using TLS 1.0 and the Apache server rejects it. Have you disabled newer TLS versions via GPO by any chance??
Sorry, I wrote this without having had the time to test this on my side. I just found the time to do capture a PCAP in my test setup and it seems to use TLS 1.0 as well. Reading more about this on the we I found that it still seems to be the default in .NET framework 4.5.x which we use since fog-client version 0.12.0 (before we still used .NET 4.0, OMG).
Ok that explains why we both see TLS 1.0 in the PCAP but to it’s still a riddle why your Apache server rejects the request while mine doesn’t. Plus we haven’t heard from other users so far. Maybe this Ubuntu moved to some newer versions of Apache (and maybe openssl) not long ago that now reject TLS 1.0 completely.
I will try to force using of TLS 1.1 and newer in our code and upload a new installer for you to test soon.
Thanks a lot for working on this with me! While at first I thought this is not a general issue it seems to actually be and you are the first one to report it.
-
@jonhwood360 Ok, here you go for another try: https://github.com/FOGProject/fog-client/releases/download/0.12.0/FOGService_enable_TLS12.msi
See if it can successfully pin to the FOG server with that and post a picture of the FOGService.install log as well.
Keep in mind, this is not for official deployment for various reasons.
-
@sebastian-roth said in Fog client installation error - Cannot install CA certificate:
@jonhwood360 Ok, here you go for another try: https://github.com/FOGProject/fog-client/releases/download/0.12.0/FOGService_enable_TLS12.msi
See if it can successfully pin to the FOG server with that and post a picture of the FOGService.install log as well.
Keep in mind, this is not for official deployment for various reasons.
We have a winner!
So it seems that newer apache does not like the 1.0 connections.
-
@jonhwood360 said in Fog client installation error - Cannot install CA certificate:
We have a winner!
So it seems that newer apache does not like the 1.0 connections.Great! Thanks again for testing. I will need to dig through the code and see If there is more adjustment needed (other places in the code needing that fix as well). Allow me a few days and I will release a new 0.12.1 including that fix.
Can you post the latest FOGService.install log as well?
-
@sebastian-roth said in Fog client installation error - Cannot install CA certificate:
@jonhwood360 said in Fog client installation error - Cannot install CA certificate:
We have a winner!
So it seems that newer apache does not like the 1.0 connections.Great! Thanks again for testing. I will need to dig through the code and see If there is more adjustment needed (other places in the code needing that fix as well). Allow me a few days and I will release a new 0.12.1 including that fix.
Can you post the latest FOGService.install log as well?
As requested:
-
@jonhwood360 Thanks! I didn’t get to it over the weekend but hopefully will this upcoming week.
-
I look forward to it!
-
@jonhwood360 Thank’s for help!
-
@jonhwood360 Ok, found the time to properly get this fixed in the code. As there are other things I need to work on before a next official release I decided to build and sign fixed installer binaries for you still as version 0.12.0.
Find FOGService_fixed-tls.msi and SmartInstaller_fixed-tls.exe on https://github.com/FOGProject/fog-client/releases/tag/0.12.0
As mentioned the binaries are signed so auto updating to the next future release will work seamlessly.
-
@sebastian-roth said in Fog client installation error - Cannot install CA certificate:
he next future release will work seamlessly.
Is there a specific place on the fog server I should place these, or just manually distribute them to endpoint clients?
-
@jonhwood360 With this one your need to manually distribute it to the hosts or use some other way of distributed install. The next version will then auto update.
I would suggest you test this on one of your machines - just to make sure I didn’t miss anything. After installation you want to keep an eye on the fog-client log (
C:\fog.logby default) to see if communication works all fine. Then go ahead and install to the other machines. -
@sebastian-roth said in Fog client installation error - Cannot install CA certificate:
@jonhwood360 With this one your need to manually distribute it to the hosts or use some other way of distributed install. The next version will then auto update.
I would suggest you test this on one of your machines - just to make sure I didn’t miss anything. After installation you want to keep an eye on the fog-client log (
C:\fog.logby default) to see if communication works all fine. Then go ahead and install to the other machines.Got it. Install worked fine. Is the superwebsocket defined in the fogservice.exe.config supposed to listen on localhost?
-
@jonhwood360 said in Fog client installation error - Cannot install CA certificate:
Got it. Install worked fine. Is the superwebsocket defined in the fogservice.exe.config supposed to listen on localhost?
Ok, fine. Communication also working I suppose?
Yes the SuperWebSocket stuff is only used for inter process communication.
-
@sebastian-roth said in Fog client installation error - Cannot install CA certificate:
@jonhwood360 said in Fog client installation error - Cannot install CA certificate:
Got it. Install worked fine. Is the superwebsocket defined in the fogservice.exe.config supposed to listen on localhost?
Ok, fine. Communication also working I suppose?
Yes the SuperWebSocket stuff is only used for inter process communication.
Yes communication is working.
-
FOG newbie here. I also had the error “Unable to install CA certificate” when attempting to install the FOG Client 0.12.0 with HTTPS on Windows 10. Bumping this post because it was hard to find since most of the keywords I searched are in the screenshots, not the actual text. Hopefully if anyone else has this issue they’ll find it a bit faster.
The Smartinstaller_fixed-tls.exe corrected the issue on my machines as well.
My logs also showed the same lines:
Middleware::Communication ERROR: Could not download file
Middleware::Communication ERROR: The request was aborted: Could not create SSL/TLS secure channel.
