    FOG Server – Full Migration from an old HTTPS‑FOG to a new Server (Debian 12)

      PCF24
      last edited by PCF24


      This guide explains how to fully back up an older FOG server and restore it to a freshly installed server – especially for installations using HTTPS communication between server and clients.

      ⚠️ Note:

      • Modern FOG versions only allow TLS 1.2.
      • Older Windows FOG clients may not connect anymore → update required!
      1. Create backup from the old FOG server

      In the old FOG web interface:

      FOG Configuration → Configuration Save → Export Database → Export
      ➜ Save the SQL backup

      Back up the SSL certificates:

      sudo bash -c '
      set -euo pipefail
      
      DEST="/root/fogcerts"
      mkdir -p "$DEST/CA"
      
      echo "[1/5] Collecting files …"
      # Collect mandatory files (if present)
      cp -a /opt/fog/snapins/ssl/.srvprivate.key            "$DEST/"           2>/dev/null || true
      cp -a /opt/fog/snapins/ssl/CA/.fogCA.key              "$DEST/CA/"        2>/dev/null || true
      cp -a /opt/fog/snapins/ssl/CA/.fogCA.pem              "$DEST/CA/"        2>/dev/null || true
      cp -a /opt/fog/snapins/ssl/CA/.fogCA.srl              "$DEST/CA/"        2>/dev/null || true
      cp -a /var/www/fog/management/other/ssl/srvpublic.crt "$DEST/"           2>/dev/null || true
      cp -a /var/www/fog/management/other/ca.cert.pem       "$DEST/"           2>/dev/null || true
      cp -a /var/www/fog/management/other/ca.cert.der       "$DEST/"           2>/dev/null || true
      
      # Optional helpful templates/CSR (if present)
      cp -a /opt/fog/snapins/ssl/ca.cnf                     "$DEST/"           2>/dev/null || true
      cp -a /opt/fog/snapins/ssl/req.cnf                    "$DEST/"           2>/dev/null || true
      cp -a /opt/fog/snapins/ssl/fog.csr                    "$DEST/"           2>/dev/null || true
      
      echo "[2/5] Hardening permissions …"
      chown -R root:root "$DEST"
      chmod 700 "$DEST"
      [ -f "$DEST/.srvprivate.key" ] && chmod 600 "$DEST/.srvprivate.key"
      [ -f "$DEST/CA/.fogCA.key"   ] && chmod 600 "$DEST/CA/.fogCA.key"
      
      echo "[3/5] Listing content …"
      ls -lah "$DEST" || true
      ls -lah "$DEST/CA" || true
      
      echo "[4/5] Creating checksums …"
      ( cd "$DEST" && find . -type f \( -name "*.key" -o -name "*.crt" -o -name "*.pem" -o -name "*.der" \) -print0 | xargs -0 sha256sum > SHA256SUMS.txt )
      
      echo "[5/5] Creating archive …"
      ARCH="/root/fogcerts_$(date +%F).tar.gz"
      tar -czf "$ARCH" -C /root fogcerts
      chmod 600 "$ARCH"
      
      echo
      echo "Done. Archive: $ARCH"
      echo "To list archive content: tar -tzf $ARCH"
      echo "To verify checksums: (cd /root/fogcerts && sha256sum -c SHA256SUMS.txt)"
      '
      

      Save the archive (e.g. fogcerts_YYYY-MM-DD.tar.gz) using WinSCP
      → Old server may now be shut down

      2. Prepare new Debian-12 server
      • Install Debian 12 without GUI but WITH SSH server
      • Allow root login via SSH (/etc/ssh/sshd_config)
      • Configure IP & reboot
      • Connect via PuTTY as root
      3. Install FOG server
      apt update && apt install git -y
      cd /root
      git clone https://github.com/FOGProject/fogproject.git
      cd fogproject/bin
      ./installfog.sh
      

      Configure FOG as usual

      4. Import database from the old server

      In the new FOG web interface:

      • FOG Configuration → FOG Settings

      • Save mysqlpass (under Storage Nodes)
      • Save TFTP FTP Password (under TFTP Server)

      • Storage → DefaultMember → Save Management Password

      • Configuration Save → Import Database
      → Select the SQL backup & import it

      Afterwards: enter the three passwords back in their original places, because the imported database carries the old server's values for these settings.

      5. Copy certificates to the new server

      Transfer the archive to /root
      (e.g. fogcerts_2025-10-25.tar.gz)

      Stop services:

      systemctl stop apache2
      systemctl stop FOGImageReplicator
      systemctl stop FOGScheduler
      

      Extract archive:

      cd /root
      tar -xzf fogcerts_*.tar.gz
      

      Copy certificates & set permissions:

      # Private Keys & CA
      cp -a /root/fogcerts/.srvprivate.key /opt/fog/snapins/ssl/
      cp -a /root/fogcerts/CA/.fogCA.key /opt/fog/snapins/ssl/CA/
      cp -a /root/fogcerts/CA/.fogCA.pem /opt/fog/snapins/ssl/CA/
      [ -f /root/fogcerts/CA/.fogCA.srl ] && cp -a /root/fogcerts/CA/.fogCA.srl /opt/fog/snapins/ssl/CA/
      
      # Server Public Cert & CA Public
      cp -a /root/fogcerts/srvpublic.crt /var/www/fog/management/other/ssl/
      cp -a /root/fogcerts/ca.cert.pem /var/www/fog/management/other/
      cp -a /root/fogcerts/ca.cert.der /var/www/fog/management/other/
      
      chown -R fogproject:www-data /opt/fog/snapins/ssl
      chmod 600 /opt/fog/snapins/ssl/.srvprivate.key
      chmod 600 /opt/fog/snapins/ssl/CA/.fogCA.key
      
      chown -R www-data:www-data /var/www/fog/management/other
      

      Start services:

      systemctl start apache2
      systemctl start FOGImageReplicator
      systemctl start FOGScheduler
      
      6. Rebuild boot images (with certificate)

      Install required software:

      apt-get update
      apt-get install -y git build-essential gcc make binutils perl mtools liblzma-dev libssl-dev zlib1g-dev pkg-config nasm libiberty-dev uuid-dev xz-utils cpio gcc-aarch64-linux-gnu
      

      Rebuild PXE boot loaders:

      cd /root/fogproject/utils/FOGiPXE
      # Select one CA certificate path:
      CA=/var/www/fog/management/other/ca.cert.pem
      # or:
      # CA=/opt/fog/snapins/ssl/CA/.fogCA.pem
      
      bash ./buildipxe.sh "$CA"
      

      Copy new files:

      # Standard loader (without 10s delay)
      cp -av /root/fogproject/packages/tftp/* /tftpboot/
      
      # Optional 10s-delay loaders:
      # cp -av /root/fogproject/packages/tftp/10secdelay/* /tftpboot/
      

      Restart TFTP service:

      systemctl restart tftpd-hpa
      

      FINISHED
      If all steps were successful, clients will securely reconnect using HTTPS again.
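
A pre-flight check for the certificate restore in step 5, as an added example that is not part of the original post or of the FOG project: it confirms that the extracted /root/fogcerts still matches SHA256SUMS.txt, that the private keys are not group- or world-readable, that each key belongs to its certificate, and that srvpublic.crt was issued by the backed-up CA. The function names are hypothetical; the file names are the ones used in the guide, and the openssl command-line tool is assumed to be installed.

```shell
# Added example: consistency checks for the extracted FOG certificate backup.
# Function names are hypothetical; file names are those used in the guide.

# 1) Integrity: every file listed in SHA256SUMS.txt must still hash the same.
verify_checksums() {
  ( cd "$1" && sha256sum -c SHA256SUMS.txt )
}

# 2) Private keys must be present and readable by their owner only.
check_key_perms() {
  local f mode rc=0
  for f in "$1/.srvprivate.key" "$1/CA/.fogCA.key"; do
    [ -f "$f" ] || { echo "missing: $f" >&2; rc=1; continue; }
    mode=$(stat -c %a "$f")
    case "$mode" in
      600|400) ;;
      *) echo "too permissive ($mode): $f" >&2; rc=1 ;;
    esac
  done
  return "$rc"
}

# 3) A private key belongs to a certificate if both yield the same public key.
key_matches_cert() {
  local k c
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# 4) The server certificate must chain to the CA the clients already trust.
cert_signed_by() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Run every check; report all failures instead of stopping at the first one.
verify_fogcerts() {
  local d=${1:-/root/fogcerts} rc=0
  verify_checksums "$d" || { echo "FAIL: checksums" >&2; rc=1; }
  check_key_perms "$d" || { echo "FAIL: key permissions" >&2; rc=1; }
  key_matches_cert "$d/.srvprivate.key" "$d/srvpublic.crt" || { echo "FAIL: server key/cert pair" >&2; rc=1; }
  key_matches_cert "$d/CA/.fogCA.key" "$d/CA/.fogCA.pem" || { echo "FAIL: CA key/cert pair" >&2; rc=1; }
  cert_signed_by "$d/ca.cert.pem" "$d/srvpublic.crt" || { echo "FAIL: server cert not issued by CA" >&2; rc=1; }
  return "$rc"
}

# Usage (as root, after extracting the archive): verify_fogcerts /root/fogcerts
```

A non-zero return before the copy step means the archive was damaged in transfer or the old server's key material was already inconsistent; copying it into place would leave clients unable to validate the new server.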
