https for preseed cannot verify ssl 'CN=FOG Server Ca'

    fogman4, Apr 22, 2024, 3:14 PM (last edited by fogman4, Apr 22, 2024, 9:31 AM)

    Re: UEFI boot PXE preseed Ubuntu 20.04 via NFS with HTTPS preseed.

    Hey folks, hope you're doing well.

    I have this problem with my FOG server.

    I upgraded Debian 10 > 11 > 12, and Apache is not happy with the CA.

    I reinstalled FOG using the already existing .fogsettings, and FOG seems OK, as I can access the web UI via HTTPS without problem.

    Now I get this error when trying to deploy a custom iPXE menu.

    Here is the menu:

    kernel tftp://${fog-ip}/os/ubuntu/20.04D/vmlinuz
    initrd tftp://${fog-ip}/os/ubuntu/20.04D/initrd
    imgargs vmlinuz initrd=initrd root=/dev/nfs boot=casper netboot=nfs nfsroot=${fog-ip}:/images/os/ubuntu/ locale=fr_FR.UTF-8 net.ifnames=0 biosdevname=0 ipv6.disable=1 keyboard-configuration/layoutcode=fr ip=dhcp rw hostname=DEPLOY1 domain=my.super.domain automatic-ubiquity url=https://${fog-ip}/autoinstall/ubuntu/ubiseed_20_all.cfg debian-installer/allow_unauthenticated_ssl=true DEBCONF_DEBUG=5
    boot || goto MENU
    

    The preseed needs to be fetched via HTTPS but fails:

    ERROR : cannot verify 192.168.1.200's certificate, issued by 'CN=FOG Server CA'
    

    In the Apache logs I have:

    [Mon Apr 22 16:58:18.308677 2024] [ssl:info] [pid 17451] SSL Library Error: error:0A000076:SSL routines::no suitable signature algorithm
    [Mon Apr 22 16:58:18.308736 2024] [ssl:info] [pid 17451] [client 192.168.1.133:50613] AH01998: Connection closed to child 2 with abortive shutdown (server 192.168.1.200:443)
    [Mon Apr 22 16:58:18.322694 2024] [ssl:info] [pid 17452] [client 192.168.1.133:50614] AH01964: Connection to child 3 established (server 192.168.1.200:443)
    [Mon Apr 22 16:58:18.323173 2024] [ssl:info] [pid 17452] [client 192.168.1.133:50614] AH02008: SSL library error 1 in handshake (server 192.168.1.200:443)
    
    

    Do I need to regenerate the certificates on FOG?

    When I do a wget from any client:

    wget --connect-timeout=5 -c http://192.168.1.200/autoinstall/ubuntu/ubiseed_20_all.cfg -P Downloads/
    

    I have:

    --2024-04-22 17:21:32--  http://192.168.1.200/autoinstall/ubuntu/ubiseed_20_all.cfg
    Connecting to 192.168.1.200:80... connected.
    HTTP request sent, awaiting response... 302 Found
    Location: https://192.168.1.200//autoinstall/ubuntu/ubiseed_20_all.cfg [following]
    --2024-04-22 17:21:32--  https://192.168.1.200//autoinstall/ubuntu/ubiseed_20_all.cfg
    Connecting to 192.168.1.200:443... connected.
    ERROR: The certificate of ‘192.168.1.200’ is not trusted.
    ERROR: The certificate of ‘192.168.1.200’ doesn't have a known issuer.
    

    If I try with:

    wget --no-check-certificate --connect-timeout=5 -c https://192.168.1.200/autoinstall/ubuntu/ubiseed_20_all.cfg -P Downloads/
    

    it works.

    --2024-04-22 17:24:21--  https://192.168.1.200/autoinstall/ubuntu/ubiseed_20_all.cfg
    Connecting to 192.168.1.200:443... connected.
    WARNING: The certificate of ‘192.168.1.200’ is not trusted.
    WARNING: The certificate of ‘192.168.1.200’ doesn't have a known issuer.
    HTTP request sent, awaiting response... 200 OK
    Length: 24414 (24K)
    Saving to: ‘Downloads/ubiseed_20_all.cfg’
    
    

    If some wizard passing by could give me some hints it would be terrific.

    Thanks 😉

      Tom Elliott @fogman4, Apr 23, 2024, 10:40 AM

      @fogman4 Well, it's because the certificate of 192.168.1.200 isn't trusted, and when you try going to the URL http://192.168.1.200 it's redirecting you to the secure site.

      If you can get the FOG Server CA certificate trusted on your machine you should be okay (assuming 192.168.1.200 is the FOG server address):

      Copy the files in /opt/fog/snapins/ssl/ and run update-ca-certificates, I believe.

      You may have to make some adjustments but the source I’m using (assuming you’re running on ubuntu) is:
      https://superuser.com/questions/54615/how-to-install-a-ca-key-self-signed-ssl-on-ubuntu

      Another place to attempt trying would be:
      https://www.baeldung.com/linux/add-self-signed-certificate-trusted-list

      But this is more about getting your browser to accept things.

        fogman4, Apr 23, 2024, 1:12 PM (last edited by fogman4, Apr 23, 2024, 7:45 AM)

        Thanks @Tom-Elliott for your answer.

        I'm confused; I think I did not explain my problem clearly.

        Debian 12 is my FOG server, 192.168.1.200.

        It serves the Ubuntu ISO files via NFS, kernels and initramfs via TFTP, and the preseed via HTTP(S).

        The Ubuntu machines are workstations I need to deploy; the Ubuntu ISO files are on NFS, so I don't really understand.

        Should I copy the FOG CA into the ISOs' NFS directory?

        Looks weird, because I never needed this.

        My browser works flawlessly with the certificate.

        The only problem is when the boot option tries to get the preseed file via HTTPS.

        The folder /opt/fog/snapins/ssl contains:

        drwxrwxrwx 3 fogproject www-data 4,0K  4 juin   2020 .
        drwxrwxrwx 3 fogproject www-data 4,0K  4 juin   2020 ..
        drwxrwxrwx 2 fogproject www-data 4,0K  4 juin   2020 CA
        -rwxrwxrwx 1 fogproject www-data   98 22 avril 14:13 ca.cnf
        -rwxrwxrwx 1 fogproject www-data 1,7K  4 juin   2020 fog.csr
        -rwxrwxrwx 1 fogproject www-data  232  4 juin   2020 req.cnf
        -rwxrwxrwx 1 fogproject www-data 3,2K  4 juin   2020 .srvprivate.key
        

        If I need to regenerate the cert, I don't want to mess something up.

        I tried to copy the file /opt/fog/snapins/ssl/CA/.fogCA.pem into /etc/ssl/certs/ and /usr/local/share/ca-certificates/ on the server and ran update-ca-certificates, with no success.

        I'm puzzled. Maybe it's an algorithm problem, as OpenSSL seems to warn.
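As an added example, not code from the FOG project or from anyone in this thread, the script below does the two things the posts above circle around. First, it reads the signature algorithm and key size off a server certificate: the "no suitable signature algorithm" line in the Apache log is raised when the server cannot find a signature scheme that its certificate key, the client's offered list and the configured security level all allow, and a Debian 12 client at OpenSSL 3's default security level 2 will not accept a SHA-1-signed certificate or an RSA key under 2048 bits. Second, it shows what placing the CA in a trust directory has to look like for openssl verify to accept the leaf. Two caveats matter here: update-ca-certificates only imports files named *.crt under /usr/local/share/ca-certificates, so a copied .fogCA.pem is silently ignored, and the trust store that counts is the one on the machine fetching the preseed (the booted installer environment), not the FOG server's own. Both --no-check-certificate and debian-installer/allow_unauthenticated_ssl=true switch verification off, which means the preseed, and any credentials in it, would be accepted from whoever answers on the network; getting the CA trusted keeps the check. The PKI the demo runs on is constructed in a temporary directory (a stand-in for 'CN=FOG Server CA' plus two leaves); the FOG paths in the usage note are taken from the thread and are assumed, not checked.

```shell
#!/bin/sh
# Added example, not code from the FOG project or from this thread.
# (1) Inspect a server certificate's signature algorithm and key size, which an
#     OpenSSL 3 client at Debian's default security level 2 enforces.
# (2) Build a trust directory and check that a leaf verifies through it.
# With --demo it runs on a PKI constructed here; with two arguments it inspects
# real files. Requires the openssl command-line tool.

# Signature algorithm of a PEM certificate, e.g. "sha256WithRSAEncryption".
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text | awk '/Signature Algorithm/ { print $3; exit }'
}

# Public key size in bits (0 if it cannot be parsed).
cert_key_bits() {
    bits=$(openssl x509 -in "$1" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    echo "${bits:-0}"
}

# Prints "ok" when a security-level-2 client would accept the certificate's own
# signature and key, otherwise a short reason; exit status follows the verdict.
cert_modern_ok() {
    alg=$(cert_sig_alg "$1")
    bits=$(cert_key_bits "$1")
    case "$alg" in
        sha1*|md5*|md2*) echo "weak-signature:$alg"; return 1 ;;
    esac
    if [ "$bits" -lt 2048 ]; then echo "weak-key:${bits}bit"; return 1; fi
    echo ok
}

# Build a trust directory the way update-ca-certificates builds /etc/ssl/certs:
# one file per CA plus hash symlinks so -CApath lookups work. The .crt name is
# deliberate: update-ca-certificates only picks up *.crt files under
# /usr/local/share/ca-certificates, so a copied ".fogCA.pem" is ignored there.
build_trust_dir() {   # $1 = CA pem, $2 = destination directory
    mkdir -p "$2"
    cp "$1" "$2/fog-server-ca.crt"
    openssl rehash "$2" 2>/dev/null
}

# Exit 0 if the leaf verifies through the trust directory, 1 otherwise.
leaf_trusted_via() {  # $1 = leaf cert, $2 = trust directory
    openssl verify -CApath "$2" "$1" >/dev/null 2>&1
}

# Constructed PKI for the offline demo: a stand-in for "CN=FOG Server CA", a
# 2048-bit SHA-256 leaf for the server, and a deliberately weak 1024-bit leaf.
make_demo_pki() {     # prints the directory it created
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Server CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" >/dev/null 2>&1
    for leaf in good:2048 weak:1024; do
        name=${leaf%%:*}; size=${leaf##*:}
        openssl req -newkey "rsa:$size" -nodes -subj "/CN=192.0.2.10" \
            -keyout "$d/$name.key" -out "$d/$name.csr" >/dev/null 2>&1
        openssl x509 -req -sha256 -days 1 -in "$d/$name.csr" -CA "$d/ca.pem" \
            -CAkey "$d/ca.key" -CAcreateserial -out "$d/$name.crt" >/dev/null 2>&1
    done
    echo "$d"
}

check_real() {        # $1 = server cert, $2 = CA pem (e.g. the FOG paths)
    echo "signature=$(cert_sig_alg "$1") key=$(cert_key_bits "$1")bit verdict=$(cert_modern_ok "$1")"
    store=$(mktemp -d)
    build_trust_dir "$2" "$store"
    if leaf_trusted_via "$1" "$store"; then echo "chains to CA: yes"; else echo "chains to CA: NO"; fi
    rm -rf "$store"
}

demo() {
    pki=$(make_demo_pki)
    build_trust_dir "$pki/ca.pem" "$pki/store"
    for c in good weak; do echo "$c.crt: $(cert_modern_ok "$pki/$c.crt")"; done
    if leaf_trusted_via "$pki/good.crt" "$pki/store"; then echo "good.crt verifies via the trust directory"; fi
    rm -rf "$pki"
}

if [ "${1:-}" = "--demo" ]; then demo
elif [ "$#" -eq 2 ]; then check_real "$1" "$2"
else echo "usage: $0 --demo | $0 SERVER_CERT CA_PEM"; fi
```

Run it with --demo for the offline check, or point it at the files named in this thread: sh check_fog_cert.sh /var/www/fog/management/other/ssl/srvpublic.crt /opt/fog/snapins/ssl/CA/.fogCA.pem. To see what a client is actually offered over the wire, openssl s_client -connect 192.168.1.200:443 -showcerts </dev/null prints the chain and the "Verify return code" line; run it from the client side, with the CA installed there, to confirm the trust fix before rebooting an installer.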

          fogman4, Apr 23, 2024, 2:35 PM

          I tried to change my Apache conf from:

          <VirtualHost *:80>
              <FilesMatch "\.php$">
                  SetHandler "proxy:fcgi://127.0.0.1:9000/"
              </FilesMatch>
              KeepAlive Off
              ServerName 192.168.1.200
              ServerAlias fog-pi.ad.atdqm.tech
              DocumentRoot /var/www/
              RewriteEngine On
              RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
              RewriteRule .* - [F]
              RewriteRule /management/other/ca.cert.der$ - [L]
              RewriteCond %{HTTPS} off
              RewriteRule (.*) https://%{HTTP_HOST}/$1 [R,L]
          </VirtualHost>
          <VirtualHost *:443>
              KeepAlive Off
              <FilesMatch "\.php$">
                  SetHandler "proxy:fcgi://127.0.0.1:9000/"
              </FilesMatch>
              ServerName 192.168.1.200
              ServerAlias fog-pi.ad.atdqm.tech
              DocumentRoot /var/www/
              SSLEngine On
              SSLProtocol all -SSLv3 -SSLv2
              SSLCipherSuite ALL:!aNULL:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP:+eNULL
          #    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
              SSLHonorCipherOrder On
              SSLCertificateFile /var/www/fog//management/other/ssl/srvpublic.crt
              SSLCertificateKeyFile /opt/fog/snapins/ssl//.srvprivate.key
              SSLCACertificateFile /var/www/fog//management/other/ca.cert.pem
              <Directory /var/www/fog/>
                  DirectoryIndex index.php index.html index.htm
              </Directory>
              RewriteEngine On
              RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
              RewriteRule .* - [F]
              RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
              RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-d
              RewriteRule ^/fog/(.*)$ /fog/api/index.php [QSA,L]
          </VirtualHost>
          
          

          by allowing all ciphers/algorithms with this:

          SSLCipherSuite ALL:!aNULL:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP:+eNULL
          

          It didn't work.
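An added example, not code from the FOG project or from this thread, to show what the permissive SSLCipherSuite string above actually does. It expands the string with openssl ciphers -v (the same parser mod_ssl hands it to) and counts suites by key exchange and by legacy algorithm. Two things become visible: a "+" prefix in an OpenSSL cipher string only moves suites that are already in the list, so "+eNULL", "+LOW" and "+EXP" add nothing ("ALL" never contains NULL ciphers, and LOW/EXPORT suites were removed from OpenSSL in 1.1.0); and SSLCipherSuite does not govern TLS signature algorithms at all, which is what the "no suitable signature algorithm" log line is about (those follow from the certificate's key and signature and the client's offer; mod_ssl exposes them separately through SSLOpenSSLConfCmd SignatureAlgorithms). The hardened string is an assumed replacement for comparison, not FOG's own default. Requires the openssl command-line tool; exact counts depend on the local OpenSSL build.

```shell
#!/bin/sh
# Added example, not code from the FOG project or from this thread.
# Expands Apache SSLCipherSuite strings with "openssl ciphers -v" (the parser
# mod_ssl hands them to) and counts what each one really enables.
# Requires the openssl command-line tool; counts depend on the local build.

# The string tried in the post above, copied verbatim.
PERMISSIVE='ALL:!aNULL:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP:+eNULL'

# Assumed hardened replacement for comparison (not FOG's own default):
# ECDHE key exchange only, AEAD ciphers only.
HARDENED='ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305'

# One "NAME VERSION Kx=.. Au=.. Enc=.. Mac=.." line per TLS 1.2-and-below suite.
# TLS 1.3 suites are dropped because openssl lists them whatever the string says;
# they are configured separately (SSLOpenSSLConfCmd Ciphersuites).
expand_suites() {
    openssl ciphers -v "$1" | grep -v 'TLSv1.3' || true
}

count_suites() { expand_suites "$1" | wc -l | tr -d ' '; }

# Suites with static RSA key exchange: no forward secrecy, so a later leak of
# the server key (.srvprivate.key) would decrypt recorded preseed fetches.
count_static_rsa() { expand_suites "$1" | grep -c 'Kx=RSA' || true; }

# NULL encryption, RC4, DES/3DES, MD5 MACs and export grades.
count_legacy() { expand_suites "$1" | grep -Ec 'Enc=None|RC4|DES|Mac=MD5|EXP' || true; }

# Exit 0 when every suite the string enables is forward secret and non-legacy.
forward_secret_only() {
    [ "$(count_static_rsa "$1")" -eq 0 ] && [ "$(count_legacy "$1")" -eq 0 ]
}

report() {   # $1 = label, $2 = cipher string
    printf '%-10s %3s suites, %3s static-RSA, %3s legacy, forward-secret-only: %s\n' \
        "$1" "$(count_suites "$2")" "$(count_static_rsa "$2")" "$(count_legacy "$2")" \
        "$(forward_secret_only "$2" && echo yes || echo no)"
}

report PERMISSIVE "$PERMISSIVE"
report HARDENED "$HARDENED"
```

On a Debian 12 build the permissive string expands to the static-RSA AES suites and everything else in ALL, with zero NULL-encryption entries despite the "+eNULL", while the hardened string yields only ECDHE AEAD suites; neither string changes which signature schemes the server can use in the handshake, so loosening it was never going to clear the logged error.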
