• Hello,

    I have been trying to install the FOG Client on an iMac that I have running Sierra (10.12.6). It installs fine using the mono SmartInstaller.exe command without any switches. However, I need to specify that the client uses HTTPS for connections. I tried using the -h switch coupled with the --server= switch, but the installer fails at Pinning Server.

    As a work around on PCs, I edit the settings.json file to turn the https switch on. Trying to do that on a Mac so far has not been doable. The file is locked, even when trying to edit from root. I’m hoping to find a solution to this.

    My FOG Server is running 1.5.0 RC-9, client is the latest version.


  • Senior Developer

@hancocza Most probably your Windows PCs have the CA certificate (imported) that was used to sign the other certificates. To be more concrete: the .NET keystore has the right CA cert to verify the other certs. But probably the Mac OS X mono keystore doesn’t!

    Edit: Which version of mono did you install and which version of Mac OS X do you use?

  • @sebastian-roth I didn’t import it on any installs that I’ve done. It always just installs the certificate that is on the server. I believe it’s called srvpublic or something like that, in the SSL folder.

  • Senior Developer

    @hancocza Looking into this in more detail I found out that our current fog-client is not able to handle sub/intermediate CAs. Although this would be the proper way to integrate custom CAs we can’t do this yet.

    So back to your problem I reckon that your company CA cert is not known in the Mac OS X mono keychain and that’s why pinning fails. Did you import the CA cert to your Windows install? Should do this in Mac OS X as well.

  • @sebastian-roth I’m not sure how to do that. We’ve talked about it before on this forum, re-rolling the client, but then i found if i leave the certs that the client looks for in their normal place, and then use the company’s certs for just the web server, it works fine, at least for PC clients which is a majority of what we have. Because of that and the fact that we only have like 5 iMacs, I haven’t really messed with it.

  • Senior Developer

    @hancocza Are you able to create a proper sub CA at all?

  • @sebastian-roth said in FOG Client on a Mac:
    No rush, I leave for a two week vacation tomorrow and it’s not a immediate issue. Thanks!

  • Senior Developer

    @hancocza From my point of view (not being the original developer of the fog-client code) I’d say that the usual way in SSL terms would be to generate a so called sub CA and let that be signed from your main company CA. Put that sub CA certificate and key in the right places, re-run the installer and let it create webserver cert and key from that “custom” sub CA. What you’d have to take care of when generating that sub CA is that it has the correct issuer and subject string:

    openssl x509 -in /var/www/fog/management/other/ca.cert.pem -text -noout
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
        Signature Algorithm: sha512WithRSAEncryption
            Issuer: CN=FOG Server CA
            Validity
                Not Before: Feb  3 21:17:05 2017 GMT
                Not After : Feb  1 21:17:05 2027 GMT
            Subject: CN=FOG Server CA
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (4096 bit)

    Note that CN=FOG Server CA.

    I’ll try to look into testing the fog-client on a Mac OS machine I have access to, sometime. But I can’t promise when that will be.
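    The sub CA procedure described above, worked through with openssl as an added example (this is not code from the thread or from the FOG project). It creates a stand-in company root CA, a sub CA whose Subject is exactly "CN=FOG Server CA" and whose Issuer is the company CA, and a web server certificate issued from that sub CA; it then prints the two name strings and runs three chain checks. The company CA name (Example Corp Root CA), the FOG host name (fog.example.com), the validity periods and the working directory are assumptions; substitute your own.

```shell
#!/bin/sh
# Added example, not FOG project code: build the "sub CA" the post describes with
# openssl, issue a web server certificate from it, and check the two things the
# post says matter: the sub CA's Subject/Issuer strings and whether the chain
# verifies. Company CA name, FOG host name, validity periods and working
# directory are all assumptions; substitute your own.
set -eu

WORK="${WORK:-$(mktemp -d)}"
FOG_CA_CN="FOG Server CA"                # subject the fog-client looks for (from the post)
COMPANY_CA_CN="Example Corp Root CA"     # assumed stand-in for the real company CA
FOG_HOST="${FOG_HOST:-fog.example.com}"  # assumed FQDN of the FOG server

# Issue a certificate from a CSR with the given extension file.
# Arguments: csr out days extfile ca-cert ca-key   (ca-cert "self" = self-sign with ca-key)
sign_csr() {
  if [ "$5" = self ]; then
    openssl x509 -req -sha512 -days "$3" -in "$1" -signkey "$6" \
      -extfile "$4" -out "$2" >/dev/null 2>&1
  else
    openssl x509 -req -sha512 -days "$3" -in "$1" -CA "$5" -CAkey "$6" \
      -CAcreateserial -extfile "$4" -out "$2" >/dev/null 2>&1
  fi
}

make_chain() {
  cd "$WORK"
  # 1. Company root CA. In real life this already exists; here a constructed stand-in.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$COMPANY_CA_CN" \
    -keyout company.key.pem -out company.csr.pem >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > root.ext
  sign_csr company.csr.pem company.cert.pem 3650 root.ext self company.key.pem

  # 2. Sub CA with exactly the subject the post shows, signed by the company root,
  #    so Issuer becomes the company CA and Subject stays "CN=FOG Server CA".
  openssl req -new -newkey rsa:4096 -nodes -subj "/CN=$FOG_CA_CN" \
    -keyout fog-ca.key.pem -out fog-ca.csr.pem >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > sub.ext
  sign_csr fog-ca.csr.pem fog-ca.cert.pem 3650 sub.ext company.cert.pem company.key.pem

  # 3. Web server certificate issued from the sub CA (what the installer would create).
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$FOG_HOST" \
    -keyout server.key.pem -out server.csr.pem >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$FOG_HOST" > server.ext
  sign_csr server.csr.pem server.cert.pem 730 server.ext fog-ca.cert.pem fog-ca.key.pem

  # 4. DER copy of the sub CA, the form served at /fog/management/other/ca.cert.der.
  openssl x509 -in fog-ca.cert.pem -outform DER -out ca.cert.der
}

# The two name strings the post says must be right, in RFC 2253 form ("CN=FOG Server CA").
fog_ca_subject() { openssl x509 -in "$WORK/fog-ca.cert.pem" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'; }
fog_ca_issuer()  { openssl x509 -in "$WORK/fog-ca.cert.pem" -noout -issuer  -nameopt RFC2253 | sed 's/^issuer= *//'; }

# Full chain: company root trusted, sub CA supplied as the intermediate -> ok.
verify_full_chain() {
  openssl verify -CAfile "$WORK/company.cert.pem" -untrusted "$WORK/fog-ca.cert.pem" \
    "$WORK/server.cert.pem" >/dev/null 2>&1 && echo ok || echo fail
}
# Only the sub CA trusted, which is what pinning on ca.cert.der amounts to. Under
# openssl's default rules a non-self-signed anchor cannot complete the chain -> fail.
verify_sub_ca_only() {
  openssl verify -CAfile "$WORK/fog-ca.cert.pem" "$WORK/server.cert.pem" >/dev/null 2>&1 \
    && echo ok || echo fail
}
# Same anchor, but explicitly accepting a partial chain -> ok. A client that pins a
# sub CA needs this behaviour; the post says the fog-client does not have it yet.
verify_sub_ca_partial() {
  openssl verify -partial_chain -CAfile "$WORK/fog-ca.cert.pem" "$WORK/server.cert.pem" \
    >/dev/null 2>&1 && echo ok || echo fail
}

if [ "${1:-}" = run ]; then
  make_chain
  printf 'sub CA subject : %s\n' "$(fog_ca_subject)"
  printf 'sub CA issuer  : %s\n' "$(fog_ca_issuer)"
  printf 'full chain     : %s\n' "$(verify_full_chain)"
  printf 'sub CA only    : %s\n' "$(verify_sub_ca_only)"
  printf 'sub CA partial : %s\n' "$(verify_sub_ca_partial)"
fi
```

    Run it as `sh make-fog-subca.sh run`; the files end up in the directory printed by mktemp (or in $WORK if you set it). The "sub CA only" check failing while "sub CA partial" passes is the practical meaning of the remark above that the fog-client cannot handle sub/intermediate CAs yet: whatever trusts ca.cert.der alone has to accept a chain that stops at a non-self-signed certificate. Importing the company root into the Mac's trust store, which the thread also asks about, is a separate step not shown here.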

  • @sebastian-roth
    I only use the CA for the Web GUI. I edited the etc\apache2\sites-enabled\001fog file to point to my company’s CA cert. The ca.cert.der is still FOG’s original cert, which I left in place because at the start of my switch to SSL, moving them caused issues with the SSL version of FOG Client. When I left the original certificates in place and edited the 001fog.conf file to point to the custom ones instead, the client works with SSL. On Windows, I no longer have to change the settings.json file; installing it with the switches works. It’s just on Mac OS that it doesn’t work with the switches.

  • Senior Developer

    @hancocza said in FOG Client on a Mac:

    Also, I pointed the apache config to a different location for certificates for the Web GUI over SSL.

    Well, that is an issue I suppose. The CA (cert) you use does not have the “FOG CA” string in it that the client looks for… The SSL implementation of FOG is made to work out of the box as a self-signed piece but we haven’t made it ready for businesses having their own CA yet. Which cert is your ca.cert.der, it’s that of your company, right?

    Changing the settings.json is a nice hack on windows but I think we should get it right in the first place.

    @sebastian-roth I am running FOG on Ubuntu 16.04 LTS, FOG version is 1.5.0-RC9. I let FOG set up the apache config on its own using the https switch in the installer, but afterwards I changed the hostname to reflect the FQDN of our server, not the IP address. Also, I pointed the apache config to a different location for certificates for the Web GUI over SSL. I am also able to access the ca.cert.der file using http.

  • Senior Developer

    @hancocza The HTTPS part of FOG/fog-client is still kind of new and not many people have used it so there might be an issue though the fog-client code is backed by a test framework. But let’s see what we can figure out first.

    • What OS/version is your FOG server running on?
    • Did you let FOG setup the apache config for you or did you set it up yourself?
    • Can you access http://x.x.x.x/fog/management/other/ca.cert.der using your browser (note this is a HTTP URL!)?

  • Hey Tom,

    My FOG server is set up to use https. On PC the https switch works fine; I have about 200 computers able to install it and communicate with the server. It’s when I try with the same switch on Mac that I have the issue. Granted, when installing on PC I use the MSI installer with switches, not the SmartInstaller.

  • Specifically:

    -S --force-https Force HTTPS for all communication

    You would run:

    ./installfog.sh -Sy as needed.

  • Is your fogserver installed with the --force-https switch?