Installing FOG Client with HTTPS, unable to install CA Certificate from Server
-
@hancocza The issue here is that the client will only connect with SSL if the https certificate is trusted by the computer – which in your case it's not, but once the client installs, then the SSL cert will be trusted. This is something I've been considering changing, but honestly there's a much easier solution for you: exclude the ca.cert.der file from the SSL redirect in your apache config. Here's an example that should work; if not, you should be able to get the general idea from it:

    <VirtualHost *:80>
        DocumentRoot /var/www/html/
        ServerName xxx.xxx.xxx.xxx
        # Your other lines #
        RewriteEngine On
        RewriteCond %{HTTPS} !=on
        # "=" compares as a plain string, so the path must not be wrapped in parentheses
        RewriteCond %{REQUEST_URI} !=/fog/management/other/ca.cert.der
        RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
    </VirtualHost>
@Tom-Elliott maybe we should include the exemption in the default Apache files if ssl-only is selected on install?
-
These are the exact lines that are added for http/https mode.
    echo "NameVirtualHost *:80" > "$etcconf"
    echo "NameVirtualHost *:443" >> "$etcconf"
    echo "<VirtualHost *:80>" >> "$etcconf"
    echo "    ServerName $ipaddress" >> "$etcconf"
    echo "    RewriteEngine On" >> "$etcconf"
    echo "    RewriteRule /management/other/ca.cert.der$ - [L]" >> "$etcconf"
    echo "    RewriteCond %{HTTPS} off" >> "$etcconf"
    echo "    RewriteRule (.*) https://%{HTTP_HOST}/\$1 [R,L]" >> "$etcconf"
    echo "</VirtualHost>" >> "$etcconf"
This would produce a https install of FOG beginning with:
    NameVirtualHost *:80
    NameVirtualHost *:443
    <VirtualHost *:80>
        ServerName <fogip/hostname>
        RewriteEngine On
        RewriteRule /management/other/ca.cert.der$ - [L]
        RewriteCond %{HTTPS} off
        RewriteRule (.*) https://%{HTTP_HOST}/$1 [R,L]
    </VirtualHost>
This should do the same thing as what @Joe-Schmitt suggested, though maybe something is off here? I don't play too much with the https side of things during installation; I manually handle my stuff to more quickly develop the GUI.
-
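A quick way to confirm that the port-80 vhost actually behaves the way the two configs above intend (the CA file answered directly over plain HTTP, everything else redirected to https). This is an added example, not FOG project code; it assumes the default FOG web root `/fog/` and the certificate path quoted in the thread, and the function names, the probe path and the optional expected-digest argument are this example's own. Because the CA file is deliberately fetched over cleartext, the script also prints its SHA-256 so it can be pinned to a value recorded out of band before anything trusts it.

```python
"""Check that a FOG server serves ca.cert.der over plain HTTP but redirects
everything else to HTTPS, and optionally pin the served CA to a known digest.

Added example, not FOG project code. Assumes the default FOG web root (/fog/)
and the certificate path quoted in the thread; function names, PROBE_PATH and
the expected-digest argument are this example's own.
"""
import hashlib
import http.client
import sys
from typing import Optional, Tuple

CA_PATH = "/fog/management/other/ca.cert.der"  # deliberately reachable over HTTP
PROBE_PATH = "/fog/management/index.php"       # any other path must be redirected
REDIRECTS = (301, 302, 307, 308)


def classify(path: str, status: int, location: Optional[str]) -> str:
    """Map one plain-HTTP response to a verdict against the intended rewrite rules."""
    if path == CA_PATH:
        if status == 200:
            return "exempt-ok"
        if status in REDIRECTS:
            return "exempt-missing"   # the exemption rule is absent or does not match
        return "exempt-unexpected-%d" % status
    if status in REDIRECTS and location and location.lower().startswith("https://"):
        return "redirect-ok"
    if status == 200:
        return "redirect-missing"     # cleartext content where a redirect was expected
    return "redirect-unexpected-%d" % status


def looks_like_der_certificate(body: bytes) -> bool:
    """Cheap sanity check: a DER certificate starts with a SEQUENCE tag (0x30)
    and a long-form length byte (0x82 for the usual 256..65535 byte sizes);
    an HTML error page or an empty redirect body does not."""
    return len(body) > 4 and body[0] == 0x30 and body[1] in (0x81, 0x82, 0x83)


def sha256_hex(body: bytes) -> str:
    """Digest used to pin the CA file to a value recorded out of band."""
    return hashlib.sha256(body).hexdigest()


def probe(host: str, path: str, timeout: float = 5.0) -> Tuple[int, Optional[str], bytes]:
    """One GET on port 80 with redirects NOT followed, so the server's own
    answer is observed rather than whatever the final page would be."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location"), resp.read()
    finally:
        conn.close()


def main(argv) -> int:
    if len(argv) < 2:
        print("usage: check_fog_ca_exemption.py <fog-host> [expected-sha256]")
        return 2
    host, expected = argv[1], (argv[2].lower() if len(argv) > 2 else None)
    rc = 0
    for path in (CA_PATH, PROBE_PATH):
        status, location, body = probe(host, path)
        verdict = classify(path, status, location)
        print("%s: HTTP %d -> %s" % (path, status, verdict))
        if not verdict.endswith("-ok"):
            rc = 1
        if path == CA_PATH and status == 200:
            digest = sha256_hex(body)
            print("  DER-looking: %s, sha256 %s" % (looks_like_der_certificate(body), digest))
            if expected and digest != expected:
                print("  MISMATCH against the expected digest; do not trust this copy")
                rc = 1
    return rc


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from a machine on the same network segment as the clients being imaged (`python3 check_fog_ca_exemption.py <fog-host>`); an `exempt-missing` verdict reproduces exactly the situation in this thread, where the client's plain-HTTP request for the certificate is answered with a redirect instead of the file.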
Hey Guys,
Thanks for answering. Would this be the sites-enabled config? I tried changing that but still am getting the unable to install CA certificate issue, even after restarting the apache server.
-
@hancocza if I read the issue correctly, the problem is your network doesn’t allow port 80 at all, correct?
-
@tom-elliott Correct. So I have edited the web server to redirect to https and that works fine; it's just that the fog client cannot reach the certificate when installing on host computers.
-
@hancocza are you using the default SSL cert generated by the FOG server?
-
@joe-schmitt For the apache web server? No. We use a custom one. From what I understood, though, the installer is just looking for the srvpublic.crt, which is still in its original place.
-
@hancocza does the computer you’re trying to install the client on trust that SSL certificate? (e.g. if you go to your fog server in a browser, is there a certificate error?).
-
@joe-schmitt Yes. I go to the browser and it doesn’t throw any warnings. The address bar has the green secure lock on it.
-
@hancocza alright, then this is definitely a client bug. The functions we created to download files did not adhere to redirect requests. I’m working on patching that now.
-
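The client bug described above is a downloader that treats a 301/302 as a failure instead of following it. The example below, added here and not the FOG client's own (C#) code, shows what a redirect-aware fetch should do and what it should refuse: follow relative and absolute `Location` headers, cap the hop count, stop on loops, and never let a redirect move an https request back to cleartext. The fetch hook, the in-memory demo responses and the function names are this example's own.

```python
"""Download a file while following HTTP redirects, with a hop limit and a
refusal to downgrade from https to http.

Added example, not the FOG client's own code. The fetch hook, the constructed
demo responses and the function names are this example's own.
"""
import http.client
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 5
REDIRECTS = (301, 302, 303, 307, 308)
Response = Tuple[int, Optional[str], bytes]  # (status, Location header, body)


def fetch_once(url: str, timeout: float = 10.0) -> Response:
    """One GET with no automatic redirect handling (the state the thread's
    client bug was in): a 301/302 comes back as-is and must be handled."""
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    path = (parts.path or "/") + (("?" + parts.query) if parts.query else "")
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location"), resp.read()
    finally:
        conn.close()


def download(url: str, fetch_fn: Callable[[str], Response] = fetch_once) -> Tuple[str, bytes]:
    """Follow redirects up to MAX_HOPS. Refuses an https->http downgrade (a
    redirect must never move the CA download back to cleartext) and redirect
    loops. Returns (final_url, body)."""
    seen = set()
    current = url
    for _ in range(MAX_HOPS + 1):
        if current in seen:
            raise RuntimeError("redirect loop at %s" % current)
        seen.add(current)
        status, location, body = fetch_fn(current)
        if status == 200:
            return current, body
        if status not in REDIRECTS:
            raise RuntimeError("HTTP %d from %s" % (status, current))
        if not location:
            raise RuntimeError("%d from %s without a Location header" % (status, current))
        target = urljoin(current, location)  # Location may be relative
        if urlsplit(current).scheme == "https" and urlsplit(target).scheme != "https":
            raise RuntimeError("refusing downgrade %s -> %s" % (current, target))
        current = target
    raise RuntimeError("more than %d redirects starting at %s" % (MAX_HOPS, url))


# Constructed in-memory responses standing in for a FOG server whose port-80
# vhost redirects to https; no real network traffic is involved.
DEMO_CA_URL = "http://fog.example/fog/management/other/ca.cert.der"
DEMO_RESPONSES: Dict[str, Response] = {
    DEMO_CA_URL: (301, "https://fog.example/fog/management/other/ca.cert.der", b""),
    "https://fog.example/fog/management/other/ca.cert.der": (200, None, b"\x30\x82\x03\x10fake-der"),
    "https://fog.example/downgrade": (302, "http://fog.example/downgrade", b""),
    "http://fog.example/loop": (302, "/loop", b""),
}


def demo_fetch(url: str) -> Response:
    """Fetch hook returning the constructed responses above; 404 for anything else."""
    return DEMO_RESPONSES.get(url, (404, None, b""))


if __name__ == "__main__":
    final_url, body = download(DEMO_CA_URL, demo_fetch)
    print("fetched %d bytes from %s" % (len(body), final_url))
    for bad in ("https://fog.example/downgrade", "http://fog.example/loop"):
        try:
            download(bad, demo_fetch)
        except RuntimeError as err:
            print("rejected:", err)
```

With `fetch_once` as the hook the same `download()` runs against a real server; the constructed `demo_fetch` exists so the redirect, downgrade and loop paths can be exercised offline.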
@hancocza Can you try installing this build: https://build.jbob.io/Client/nightly/02-13-downloadredirect-01/SmartInstaller.exe ? It should follow your SSL redirect.
Please note that it is a nightly build and so should not be used in production, as the binaries are unsigned and can cause unforeseen issues.
-
@joe-schmitt Do you have an MSI version of it? If not, do you know what the parameter is to install this with https?
-
You can browse all the files here: https://build.jbob.io/Client/nightly/02-13-downloadredirect-01/
Here is the MSI: https://build.jbob.io/Client/nightly/02-13-downloadredirect-01/FOGService.msi
-
@joe-schmitt Hey Joe,
Just tried to install it with the HTTPS switch. Still getting the Unable to install CA Certificate issue.
-
@hancocza Can you try again with this build? https://build.jbob.io/Client/release-candidate/0.11.14-RC-03/FOGService.msi
-
@joe-schmitt Still a no go. Still trying to reach over 80.
-
Moved to bug reports as it seems to be one. Thanks @Joe-Schmitt for looking into this!
-
@hancocza let me remote in and debug the issue. The installer had a bug which prevented it from pinning a server over https if port 80 was blocked. This has been fixed in v0.11.14, which will be released with the next server RC.