
    https for preseed cannot verify ssl 'CN=FOG Server Ca'

    FOG Problems
    fogman4 (last edited by fogman4):

      Re: UEFI boot PXE preseed Ubuntu 20.04 via NFS with HTTPS preseed.

      Hey folks, hope you're doing well.

      I have this problem with my FOG server.

      I upgraded Debian 10 > 11 > 12; Apache is not happy with the CA.

      I reinstalled FOG using the already existing .fogsettings and FOG seems OK, as I access the web UI via HTTPS without problem.

      Now I get this error when trying to deploy a custom iPXE menu.

      Here is the menu:

      kernel tftp://${fog-ip}/os/ubuntu/20.04D/vmlinuz
      initrd tftp://${fog-ip}/os/ubuntu/20.04D/initrd
      imgargs vmlinuz initrd=initrd root=/dev/nfs boot=casper netboot=nfs nfsroot=${fog-ip}:/images/os/ubuntu/ locale=fr_FR.UTF-8 net.ifnames=0 biosdevname=0 ipv6.disable=1 keyboard-configuration/layoutcode=fr ip=dhcp rw hostname=DEPLOY1 domain=my.super.domain automatic-ubiquity url=https://${fog-ip}/autoinstall/ubuntu/ubiseed_20_all.cfg debian-installer/allow_unauthenticated_ssl=true DEBCONF_DEBUG=5
      boot || goto MENU
      

      The preseed needs to be fetched via HTTPS but fails:

      ERROR : cannot verify 192.168.1.200's certificate, issued by 'CN=FOG Server CA'
      

      In the Apache logs I have:

      [Mon Apr 22 16:58:18.308677 2024] [ssl:info] [pid 17451] SSL Library Error: error:0A000076:SSL routines::no suitable signature algorithm
      [Mon Apr 22 16:58:18.308736 2024] [ssl:info] [pid 17451] [client 192.168.1.133:50613] AH01998: Connection closed to child 2 with abortive shutdown (server 192.168.1.200:443)
      [Mon Apr 22 16:58:18.322694 2024] [ssl:info] [pid 17452] [client 192.168.1.133:50614] AH01964: Connection to child 3 established (server 192.168.1.200:443)
      [Mon Apr 22 16:58:18.323173 2024] [ssl:info] [pid 17452] [client 192.168.1.133:50614] AH02008: SSL library error 1 in handshake (server 192.168.1.200:443)
      
      

      Do I need to regenerate certificates on FOG?

      When I do a wget from any client:

      wget --connect-timeout=5 -c http://192.168.1.200/autoinstall/ubuntu/ubiseed_20_all.cfg -P Downloads/
      

      I have:

      --2024-04-22 17:21:32--  http://192.168.1.200/autoinstall/ubuntu/ubiseed_20_all.cfg
      Connecting to 192.168.1.200:80... connected.
      HTTP request sent, awaiting response... 302 Found
      Location: https://192.168.1.200//autoinstall/ubuntu/ubiseed_20_all.cfg [following]
      --2024-04-22 17:21:32--  https://192.168.1.200//autoinstall/ubuntu/ubiseed_20_all.cfg
      Connecting to 192.168.1.200:443... connected.
      ERROR: The certificate of ‘192.168.1.200’ is not trusted.
      ERROR: The certificate of ‘192.168.1.200’ doesn't have a known issuer.
      

      If I try with:

      wget --no-check-certificate --connect-timeout=5 -c https://192.168.1.200/autoinstall/ubuntu/ubiseed_20_all.cfg -P Downloads/
      

      It works.

      --2024-04-22 17:24:21--  https://192.168.1.200/autoinstall/ubuntu/ubiseed_20_all.cfg
      Connecting to 192.168.1.200:443... connected.
      WARNING: The certificate of ‘192.168.1.200’ is not trusted.
      WARNING: The certificate of ‘192.168.1.200’ doesn't have a known issuer.
      HTTP request sent, awaiting response... 200 OK
      Length: 24414 (24K)
      Saving to: ‘Downloads/ubiseed_20_all.cfg’
      
      

      If some wizard passing by could give me some hints it would be terrific.

      Thanks 😉

      Tom Elliott (replying to @fogman4):

        @fogman4 Well it’s because the certificate of 192.168.1.200 isn’t trusted and when you try going to URL http://192.168.1.200 it’s redirecting you to a secure side.

        If you can get the FOG Server CA certificate trusted on your machine you should be okay (assuming 192.168.1.200 is the FOG server address).

        Copy the files in /opt/fog/snapins/ssl/, run update-ca-certificates, I believe.

        You may have to make some adjustments but the source I’m using (assuming you’re running on ubuntu) is:
        https://superuser.com/questions/54615/how-to-install-a-ca-key-self-signed-ssl-on-ubuntu

        Another place to attempt trying would be:
        https://www.baeldung.com/linux/add-self-signed-certificate-trusted-list

        But this is more about getting your browser to accept things.


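The checks below are an added example (shell; not FOG project code and not anything posted in the thread) for telling the two failures quoted above apart: wget's "doesn't have a known issuer" is a client-side trust decision, which trusting the CA fixes, while mod_ssl's "no suitable signature algorithm" is a handshake negotiation failure that a trusted CA does not fix. The script reports a certificate's signature algorithm and key size against the constraints OpenSSL 3 applies at Debian 12's default security level, and confirms that the CA file really issues the server certificate. The paths are the ones quoted in the Apache config later in the thread; whether the FOG certificates are actually weak is an assumption the script tests, not something the thread establishes.

```shell
#!/bin/sh
# Added example, not FOG project code: offline checks on the FOG CA and server
# certificate before trusting them on a client.
# Usage: sh fogcertcheck.sh CA.pem SERVER.crt      (the thread's paths would be
#        /var/www/fog/management/other/ca.cert.pem and
#        /var/www/fog/management/other/ssl/srvpublic.crt)
#        sh fogcertcheck.sh --selftest             (run on generated test certs)
#
# Background (general OpenSSL behaviour, not a finding about this server):
# OpenSSL 3 on Debian 12 uses security level 2 by default, where RSA/DSA keys
# under 2048 bits are rejected, and SHA-1/MD5 certificate signatures are
# rejected from level 1 upward. mod_ssl logs "no suitable signature algorithm"
# when the client offers no signature scheme that the server's key and
# certificate can satisfy under those constraints.

# Signature algorithm of a PEM certificate, e.g. "sha256WithRSAEncryption".
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Key algorithm and size, e.g. "rsaEncryption 2048" (size is empty for Ed25519).
cert_key() {
    openssl x509 -in "$1" -noout -text | awk '
        /Public Key Algorithm:/ { alg = $NF }
        /Public-Key: \(/        { bits = $(NF-1); gsub(/\(/, "", bits) }
        END { print alg, bits }'
}

# Exit status: 0 = fine at level 2, 1 = weak signature hash, 2 = weak key, 3 = both.
cert_strength() {
    rc=0
    case "$(cert_sig_alg "$1")" in
        sha1*|md5*|md2*|*-with-SHA1) rc=1 ;;
    esac
    set -- "$1" $(cert_key "$1")    # $2 = key algorithm, $3 = key bits
    case "$2" in
        rsaEncryption|dsaEncryption) [ "${3:-0}" -ge 2048 ] || rc=$((rc + 2)) ;;
        id-ecPublicKey)              [ "${3:-0}" -ge 224 ]  || rc=$((rc + 2)) ;;
    esac
    return "$rc"
}

# Does CA ($1) really issue SERVER ($2)? Optional $3 = auth level to enforce;
# openssl verify enforces none unless asked, and 2 mirrors the Debian 12 default.
cert_chain_ok() {
    if [ -n "${3:-}" ]; then set -- -auth_level "$3" -CAfile "$1" "$2"
    else set -- -CAfile "$1" "$2"; fi
    openssl verify "$@" >/dev/null 2>&1 || return 1
}

# Self-test on throwaway material generated here (constructed, not the server's
# files): a 1024-bit SHA-1 CA and a 2048-bit SHA-256 CA, each issuing a 2048-bit
# SHA-256 leaf for CN=192.168.1.200. Prints "strength(weak CA) strength(good CA)
# chain(weak) chain(weak, level 2) chain(good, level 2)", expected "3 0 0 1 0",
# or "skip" when this OpenSSL build refuses to create the SHA-1 certificate.
selftest() {
    d=$(mktemp -d) || return 1
    printf '[req]\ndistinguished_name = dn\nx509_extensions = ca\n[dn]\n[ca]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' > "$d/ca.cnf"
    gen_ca() {   # name bits hash
        openssl req -x509 -config "$d/ca.cnf" -newkey "rsa:$2" -nodes "-$3" -days 1 \
            -subj "/CN=$1" -keyout "$d/$1.key" -out "$d/$1.pem" >/dev/null 2>&1
    }
    gen_leaf() { # issuing CA name
        openssl req -config "$d/ca.cnf" -newkey rsa:2048 -nodes -sha256 -subj "/CN=192.168.1.200" \
            -keyout "$d/srv-$1.key" -out "$d/srv-$1.csr" >/dev/null 2>&1 &&
        openssl x509 -req -in "$d/srv-$1.csr" -CA "$d/$1.pem" -CAkey "$d/$1.key" \
            -CAcreateserial -sha256 -days 1 -out "$d/srv-$1.crt" >/dev/null 2>&1
    }
    if gen_ca weak 1024 sha1 && gen_ca good 2048 sha256 && gen_leaf weak && gen_leaf good; then
        out=""
        for check in "cert_strength $d/weak.pem" "cert_strength $d/good.pem" \
                     "cert_chain_ok $d/weak.pem $d/srv-weak.crt" \
                     "cert_chain_ok $d/weak.pem $d/srv-weak.crt 2" \
                     "cert_chain_ok $d/good.pem $d/srv-good.crt 2"; do
            s=0; $check || s=$?
            out="$out${out:+ }$s"
        done
        echo "$out"
    else
        echo skip
    fi
    rm -rf "$d"
}

if [ "${1:-}" = --selftest ]; then
    selftest
elif [ "$#" -eq 2 ]; then
    for f in "$1" "$2"; do
        s=0; cert_strength "$f" || s=$?
        echo "$f: $(cert_sig_alg "$f"), $(cert_key "$f") -> strength code $s"
    done
    if cert_chain_ok "$1" "$2" 2; then echo "chain verifies at security level 2"
    else echo "chain FAILS at security level 2 (or this CA does not issue this certificate)"; fi
fi
```

Run it on the server against ca.cert.pem and srvpublic.crt; a non-zero strength code on either file, or a chain that only verifies without -auth_level 2, points at the server's material rather than at the client's trust store. To look at the same negotiation from the client side, `openssl s_client -connect 192.168.1.200:443 -CAfile ca.cert.pem` prints the verify result, and adding `-sigalgs RSA+SHA256` or `-sigalgs RSA+SHA1` shows whether the handshake itself depends on which signature algorithms the client offers.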
        fogman4 (last edited by fogman4):

          Thanks @Tom-Elliott for your answer.

          I'm confused, I think I did not explain my problem clearly.

          Debian 12 is my FOG server, 192.168.1.200.

          It serves the Ubuntu ISO files via NFS, the kernels and initramfs via TFTP, and the preseed via HTTP(S).

          Ubuntu workstations are what I need to deploy; the Ubuntu ISO files are on NFS, so I don't really understand.

          Should I copy the FOG CA into the ISO's NFS directory?

          Looks weird because I never needed this.

          My browser works flawlessly with the certificate.

          The only problem is when the boot option tries to get the preseed file via HTTPS.

          The folder /opt/fog/snapins/ssl contains:

          drwxrwxrwx 3 fogproject www-data 4.0K  4 Jun   2020 .
          drwxrwxrwx 3 fogproject www-data 4.0K  4 Jun   2020 ..
          drwxrwxrwx 2 fogproject www-data 4.0K  4 Jun   2020 CA
          -rwxrwxrwx 1 fogproject www-data   98 22 Apr  14:13 ca.cnf
          -rwxrwxrwx 1 fogproject www-data 1.7K  4 Jun   2020 fog.csr
          -rwxrwxrwx 1 fogproject www-data  232  4 Jun   2020 req.cnf
          -rwxrwxrwx 1 fogproject www-data 3.2K  4 Jun   2020 .srvprivate.key
          

          If I need to regenerate the cert, I don't want to mess something up somewhere.

          I tried to copy the file /opt/fog/snapins/ssl/CA/.fogCA.pem into /etc/ssl/certs/ and /usr/local/share/ca-certificates/ on the server and ran update-ca-certificates, with no success.

          I'm puzzled. Maybe it's an algorithm problem, as OpenSSL seems to warn.

          fogman4:

            I tried to change my Apache conf from:

            <VirtualHost *:80>
                <FilesMatch "\.php$">
                    SetHandler "proxy:fcgi://127.0.0.1:9000/"
                </FilesMatch>
                KeepAlive Off
                ServerName 192.168.1.200
                ServerAlias fog-pi.ad.atdqm.tech
                DocumentRoot /var/www/
                RewriteEngine On
                RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
                RewriteRule .* - [F]
                RewriteRule /management/other/ca.cert.der$ - [L]
                RewriteCond %{HTTPS} off
                RewriteRule (.*) https://%{HTTP_HOST}/$1 [R,L]
            </VirtualHost>
            <VirtualHost *:443>
                KeepAlive Off
                <FilesMatch "\.php$">
                    SetHandler "proxy:fcgi://127.0.0.1:9000/"
                </FilesMatch>
                ServerName 192.168.1.200
                ServerAlias fog-pi.ad.atdqm.tech
                DocumentRoot /var/www/
                SSLEngine On
                SSLProtocol all -SSLv3 -SSLv2
                SSLCipherSuite ALL:!aNULL:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP:+eNULL
            #    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
                SSLHonorCipherOrder On
                SSLCertificateFile /var/www/fog//management/other/ssl/srvpublic.crt
                SSLCertificateKeyFile /opt/fog/snapins/ssl//.srvprivate.key
                SSLCACertificateFile /var/www/fog//management/other/ca.cert.pem
                <Directory /var/www/fog/>
                    DirectoryIndex index.php index.html index.htm
                </Directory>
                RewriteEngine On
                RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
                RewriteRule .* - [F]
                RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
                RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-d
                RewriteRule ^/fog/(.*)$ /fog/api/index.php [QSA,L]
            </VirtualHost>
            
            

            by allowing all ciphers/algorithms with this:

            SSLCipherSuite ALL:!aNULL:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP:+eNULL
            

            It didn't work.

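An added example (shell; not from the thread or the FOG project) that expands the SSLCipherSuite string from the config above with the local OpenSSL, so the effect of that change can be seen rather than guessed. Two OpenSSL cipher-string rules matter: ALL already excludes the eNULL ciphers, and a + prefix only moves ciphers that are already in the list to its end, so +LOW, +EXP and +eNULL add nothing (export ciphers were removed from OpenSSL in 1.1.0 in any case). More to the point, a cipher list governs key exchange and bulk ciphers; the signature algorithms named in the mod_ssl error are negotiated through the TLS signature_algorithms extension, bounded by the certificate's key and the security level, and configured in mod_ssl with SSLOpenSSLConfCmd SignatureAlgorithms, not with SSLCipherSuite. The STRICT string is this example's own suggestion, not a FOG setting.

```shell
#!/bin/sh
# Added example, not FOG project code: expand Apache SSLCipherSuite strings
# with the local OpenSSL to see what each really selects.
# Usage: sh cipherexpand.sh            (reports on the two strings below)
#        sh cipherexpand.sh 'SPEC'...  (reports on your own strings)

# The string from the thread's modified config (the "allow everything" attempt).
PERMISSIVE='ALL:!aNULL:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP:+eNULL'
# A conservative string this example suggests instead (assumption, not FOG's
# setting): forward-secret AEAD suites only, nothing anonymous, unencrypted,
# RC4 or MD5 based.
STRICT='ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!RC4:!MD5'

# Cipher names a cipher-list string selects, one per line, in preference order.
expand_ciphers() {
    openssl ciphers "$1" | tr ':' '\n'
}

# Number of selected ciphers whose name matches an extended regex (0 if none).
count_matching() {
    expand_ciphers "$1" | grep -Ec "$2" || true
}

# Number of ciphers a string selects.
count_ciphers() {
    expand_ciphers "$1" | wc -l | tr -d ' '
}

# Human-readable report for one string: how many suites it selects, whether
# any NULL-encryption, RC4, DES or export suite made it in, and the first
# five in preference order.
report() {
    printf '%s\n  selected: %s\n  NULL ciphers: %s\n  RC4/DES/export: %s\n  first five: %s\n' \
        "$1" "$(count_ciphers "$1")" "$(count_matching "$1" 'NULL')" \
        "$(count_matching "$1" 'RC4|DES|EXP')" \
        "$(expand_ciphers "$1" | head -n 5 | paste -s -d , -)"
}

if [ "$#" -ge 1 ]; then
    for spec in "$@"; do report "$spec"; done
else
    report "$PERMISSIVE"
    report "$STRICT"
fi
```

The report for the permissive string shows no NULL, export or (on an OpenSSL 3 default build) RC4 suites despite the +eNULL, +EXP and RC4+RSA terms, which is why loosening SSLCipherSuite cannot change a "no suitable signature algorithm" outcome; the same expansion run on the STRICT string shows what would be lost by tightening it, so the two can be compared before editing the live config.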