Incorrect CA after migration
-
I recently performed a migration to 1.5 following all the steps in the Migrate FOG document. I copied over the /snapins/ssl directory as indicated, but this does not include the ca.cert.der; this may not be relevant.
Existing hosts are under control, but new hosts, and new images, are pulling a newer CA, which is halting host control. My best guess is that the new installation created that ca.cert.der file and uses it to pass to a client. I’m at a loss. My workaround has been to import a copy of the old certificate onto the new hosts, and delete the newer incorrect one. This gives me back host control. How do I get this correct, older certificate to install on new hosts and new images moving forward?
-
@bballmcoe said in Incorrect CA after migration:
I recently performed a migration to 1.5
Which version do you mean? We never released 1.5 - there is 1.5.0 which is really old and 1.5.9 which is kind of old as well.
Please post the instructions you followed as well as what you did exactly.
-
1.5.9. However, I believe I just fixed my issue. I won’t be able to confirm until my tech creates a new image, but uninstalling the client from a bad host and reinstalling the client caused it to pull the proper cert. That host is now under control.
What I did:
I found an old CA file, fogCA.pem, in /snapins/ssl/CA. Then performed this:
mv /var/www/html/fog/management/other/ca.cert.der /var/www/html/fog/management/other/ca.cert.der_orig
openssl x509 -in /opt/fog/snapins/ssl/CA/fogCA.pem -out /var/www/html/fog/management/other/ca.cert.der -outform DER
Courtesy of: https://forums.fogproject.org/topic/15908/fog-server-ca-download
-
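A check for the mismatch described in this thread, added here as an example (it is not part of any post and is not FOG's own code): it compares the SHA-256 fingerprint of the CA kept on disk with the file the server hands to new clients, whichever of PEM or DER each is stored in. The script name `check_ca.py` and the function names are hypothetical.

```python
import base64
import hashlib
import re
import sys

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.DOTALL
)


def cert_to_der(data: bytes) -> bytes:
    """Return the DER bytes of a certificate supplied as PEM or DER."""
    match = PEM_BLOCK.search(data)
    if match:
        # PEM is base64-encoded DER between the BEGIN/END markers.
        body = b"".join(match.group(1).split())
        return base64.b64decode(body, validate=True)
    if data[:1] == b"\x30":  # DER starts with an ASN.1 SEQUENCE tag
        return data
    raise ValueError("not a PEM or DER certificate")


def fingerprint(data: bytes) -> str:
    """SHA-256 over the DER encoding, so PEM and DER copies compare equal."""
    return hashlib.sha256(cert_to_der(data)).hexdigest()


def same_ca(ca_on_disk: bytes, ca_served: bytes) -> bool:
    """True when both files hold the same certificate."""
    return fingerprint(ca_on_disk) == fingerprint(ca_served)


def main(argv):
    if len(argv) != 3:
        print("usage: check_ca.py <fogCA.pem> <ca.cert.der>", file=sys.stderr)
        return 2
    with open(argv[1], "rb") as f1, open(argv[2], "rb") as f2:
        on_disk, served = f1.read(), f2.read()
    print("CA on disk:", fingerprint(on_disk))
    print("CA served :", fingerprint(served))
    if same_ca(on_disk, served):
        print("match: new clients will receive the existing CA")
        return 0
    print("MISMATCH: new clients will receive a different CA than existing hosts")
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with the fogCA.pem and ca.cert.der paths quoted in the post above; a non-zero exit status means the served file is not the CA in fogCA.pem.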
@bballmcoe Can you please let us know which FOG migration doc you used? Wiki article on migrating FOG?
-
Yes, that is the article I used. The migration went seemingly well, until my tech started to create an image. That’s when we noticed the CA issues. Upon further investigation, some hosts were no longer under control. My tech discovered that deleting the certificate the client was given, and importing the old certificate (from my backup), corrected communication. I was then able to determine that FOG was giving new hosts a new certificate dated back to the day of migration. Which led me to the article that caused me to convert my old FogCA.pem to a .der file, and overwrite the newer ca.cert.der.
-
@bballmcoe said in Incorrect CA after migration:
I was then able to determine that FOG was giving new hosts a new certificate dated back to the day of migration.
Definitely something that went wrong when migrating. Could be our manual or the scripts or something you did. If I had to guess I’d guess it’s something in the installer scripts. Shall look into this when I have more time (will keep this on my list).
-
Thank you sir