Can't install snapins. Certification validation failed
-
Hey,
I am currently unable to deploy snapins to my clients. This is the error I get on the client:
------------------------------------------------------------------------------ ---------------------------------SnapinClient--------------------------------- ------------------------------------------------------------------------------ 5/19/2023 2:40:12 PM Client-Info Client Version: 0.13.0 5/19/2023 2:40:12 PM Client-Info Client OS: Windows 5/19/2023 2:40:12 PM Client-Info Server Version: 1.5.10 5/19/2023 2:40:12 PM Middleware::Response Success 5/19/2023 2:40:12 PM SnapinClient Running snapin <snapinname> 5/19/2023 2:40:12 PM Middleware::Communication Download: https://x.x.x.2//fog/service/snapins.file.php?mac=B0:0C:D1:6B:46:C1&taskid=901 5/19/2023 2:40:12 PM Data::RSA ERROR: Certificate validation failed 5/19/2023 2:40:12 PM Data::RSA ERROR: Trust chain did not complete to the known authority anchor. Errors: The signature of the certificate cannot be verified. (NotSignatureValid) 5/19/2023 2:40:12 PM Middleware::Communication SSL certificate chain error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. 5/19/2023 2:40:12 PM Middleware::Communication ERROR: Could not download file 5/19/2023 2:40:12 PM Middleware::Communication ERROR: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. 5/19/2023 2:40:12 PM SnapinClient C:\Program Files (x86)\FOG\tmp\snapinname.exe 5/19/2023 2:40:12 PM Middleware::Communication URL: https://x.x.x.2/fog/service/snapins.checkin.php?taskid=901&exitcode=-1&mac=B0:0C:D1:6B:46:C1&newService&json ------------------------------------------------------------------------------The server is Ubuntu 22.04. Fog version is 1.5.10.
I have 2 servers. fog server (x.x.x.1) and a storage node (x.x.x.2). The snapin is being deploy from the storage node (x.x.x.2)
I have reinstalled fog and recreated the keys and CA on both servers, which didn’t do anything.
I’m not sure if this will help but the certs match on both servers:
user@x.x.x.1:~$ openssl rsa -noout -modulus -in /opt/fog/snapins/ssl/.srvprivate.key | openssl md5 MD5(stdin)= 95e3734643ded6f39dxa34sac2767508 user@x.x.x.1:~$ openssl x509 -noout -modulus -in /var/www/fog/management/other/ssl/srvpublic.crt | openssl md5 MD5(stdin)= 95e3734643ded6f39dxa34sac2767508 user@x.x.x.2:~$ openssl rsa -noout -modulus -in /opt/fog/snapins/ssl/.srvprivate.key | openssl md5 MD5(stdin)= 95e3734643ded6f39dxa34sac2767508 user@x.x.x.2:~$ openssl x509 -noout -modulus -in /var/www/fog/management/other/ssl/srvpublic.crt | openssl md5 MD5(stdin)= 95e3734643ded6f39dxa34sac2767508I’m not really sure where to go from here.
-
@capitald you would likely need to take the public certificate and put it on your systems certificate store. HTTPS is fun but also meant to be a trusted source before going out and doing things. So when we work with self signed certificates, the system has no base knowledge that they can trust them.
-
@Tom-Elliott Thanks for the reply. Do you mean to take the public cert and add it to all my clients certificate store? That would be a process but possibly doable.
Though we are not using a self signed cert. We are using the ones FOG creates upon installation.
-
@capitald Those are still self signed certificates.
The keys work find for the client itself, but you’re also using ssl to the server directly.
-
@capitald Let’s take a step back. Before we get into this any further we need to think about the whole connection between fog-client and the FOG server. The fog-client wouldn’t get as far as loading a snapin if there was a general problem with the SSL certs and trust.
So is must be very specific some issue at this stage. So you use the location plugin? Were both nodes setup with HTTPS (which is not the same encryption layer we are looking at here)?