
    Custom SSL Certificate with Fog Client Service

      hancocza

      Hello,

      Recently, I purchased an SSL certificate from GoDaddy, for use with a few of the servers that I manage. I’ve gotten the certificate to work with the web server portion of FOG, but I’m trying to figure out how to get it to work with the fog client so that I can continue to send snapins and printers. When using the GoDaddy certificate, I get an error from the fog client stating that the CA is not a FOG CA.

      Thanks for any help.

        Wayne Workman

        You would need to re-compile the FOG Client, but with your new certificate in the correct place - not only this time but every time there’s a new version. The script that builds it is here: https://github.com/FOGProject/fog-client/blob/master/build.ps1
        Let us know if you hit any bumps.

        Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!
        Daily Clean Installation Results:
        https://fogtesting.fogproject.us/
        FOG Reporting:
        https://fog-external-reporting-results.fogproject.us/

          hancocza

          Hi Wayne,

          Thanks for replying. So from what I understand, I place the certificate, chain and key into the www/var/fog/management/other/ subfolder, then updated the apache fog site config to point to those certificates. Then I just need to rerun this script? Or do I need to edit this script to point to the new certificates? Is there another place that the certificates need to be updated separately from the web server section?

          Thanks!

            Wayne Workman @hancocza

            @hancocza No idea. I know that HTTPS certs are implemented separately and differently than the FOG Client certs - and that they don’t need to match. Perhaps other @Developers or @Moderators or @Testers have a better answer and can chime in.

              hancocza

              Thanks for the help Wayne. I still have had no luck. Hopefully some others will be able to assist.

                hancocza

                I ended up getting it to work. The issue was that instead of keeping the new certificate and key files in a separate place, I copied them in and replaced the old private key with my new one. This set off all kinds of issues. I ended up recreating the keys and CA, and then left my certificate files in a separate folder, just for the web server to access. Then you also need to make sure that the fog client is installed using the https switch.

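The mix-up described in the post above (a commercial certificate's private key copied over a key that belongs to a different certificate and CA) can be caught with two openssl checks before any file is overwritten. This is an added example, not part of the original posts and not FOG's own code; the CA names, file names and temporary directory are constructed, and it relies only on general X.509 behaviour, not on how the FOG client performs its check.

```shell
#!/bin/sh
# Constructed demo: two throwaway CAs stand in for a FOG-generated CA and a
# commercial CA. Every name and path below is made up for this example.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: create a self-signed CA key and certificate
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue CA NAME: create a server key and a certificate signed by CA
issue() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" \
        -CAkey "$WORK/$1.key" -CAcreateserial -days 1 \
        -out "$WORK/$2.crt" 2>/dev/null
}

# chains_to CA_CERT CERT: true only if CERT was issued under CA_CERT
chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# key_matches CERT KEY: true only if KEY is the private key behind CERT
key_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

make_ca demo-fog-ca
make_ca demo-public-ca
issue demo-fog-ca fog-srv        # issued by the CA standing in for FOG's
issue demo-public-ca web-srv     # issued by the stand-in commercial CA

# Checks to run before copying any file over an existing one
for name in fog-srv web-srv; do
    chains_to "$WORK/demo-fog-ca.crt" "$WORK/$name.crt" \
        || echo "$name.crt does not chain to demo-fog-ca"
    key_matches "$WORK/fog-srv.crt" "$WORK/$name.key" \
        || echo "$name.key is not the key for fog-srv.crt"
done
```

Against real files, point `chains_to` and `key_matches` at the existing CA certificate, certificate and key; a failed check means the files belong to different pairs and should stay in separate locations.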
                  Sebastian Roth Moderator

                  @hancocza Thanks for reporting back! I was gonna look into this but didn’t have enough time yet. I am wondering if FOG/client is really using your CA/key/cert now??

                  I have to admit that I don’t know the client code well enough but knowing a bit about cryptography I really wonder if it’s that easy to trick the FOG client into using custom SSL certs.

                  “I ended up recreating the keys and CA, and then left my certificate files in a separate folder, just for the web server to access.”

                  From this and as well re-reading your topic I think I might have misunderstood at first. You just wanted to use a custom SSL cert for the FOG web GUI (apache)? While I (and Wayne) thought that you wanted to have this custom cert being used also for the FOG client communication.

                  Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

                  Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

                    x23piracy @Sebastian Roth

                    @Sebastian-Roth interesting @hancocza could you point that out exactly please?

                      hancocza @Sebastian Roth

                      @Sebastian-Roth My FOG server’s web GUI is using the custom SSL certificate. I couldn’t figure out how to edit the client in order to also use that certificate. I did find though that if you are forcing https on the server, you also have to force https on the clients, otherwise it won’t connect. I would love to just use the one certificate, private key, and chain.pem file to work with the client and GUI together, but editing the client was a bit above my knowledge.

                      The only downside of doing this the way that I’m doing it is that every time I update the server, I have to replace the 001-fog.conf file in the etc/apache2/sites-enabled/ folder with one that points to my custom certificate files.

                        Sebastian Roth Moderator

                        @hancocza Ok, so I got this. I am looking into the building process of the FOG client right now as our client developer is absent right now. I might come up with a description of how to custom build the client (e.g. for custom SSL cert). I am still trying to get things sorted with the building tools. Let’s hope I get this fixed soon.

                        Copyright © 2012-2024 FOG Project