Web interface SSL

  • It would be great to add SSL for the web interface. Both self signed as a default and an option to add your own 3rd existing cert.

  • Senior Developer

    @astrugatch all -S does is setup the vhost file so it will redirect to requests to https. The -c specifies which private key to use. If you need the installer to create keys for you, you can use the -K switch, and if you need a new CA you can use -C switch.

    The installer already creates the keys for you by default, and the fog client looks for the servers CA key for validating the client is talking to the proper server.

    If you want to use your own self signed cert, I might recommend using the servers CA so it works with that being the only difference you use.

    As we do create the keys, if you’d like to use the fog generated key, the installer can just be ran with the -S argument. The only thing is recommend for that case is to import the ca cert so you dont have the self signed error. Machines with the fog client installed should see the green padlock as we do import the ca as I said earlier.

  • @tom-elliott

    Using my key isn’t really a high priority as only I and the other admin will be using it so self signed is OK.

    On the install process for self signed is it just -S and -c or is there something else I need to do for the installer to generate its own key?

  • Senior Developer

    @astrugatch setting your private key would not help much if you’re requiring specifics. The -S would force https I believe and -c would inform what private key to use, but it wouldn’t specify the server ca as the authority and would likely break the fog client. It’s for this reason I would recommend creating your own vhost file. Or you could sign your crt using the servers ca? But doing your own file I think would be the sinolest, just document it and why. In the near future we hope to be able to do away with the ca but for right now it’s kind of needed.

  • @tom-elliott

    So if I put my domain cert.key file in /opt/fog/snapins/ssl and use the -S and -c modifiers would that take my cert?

    If that doesn’t work I’m OK with making my own conf file, I’m just trying to make this as hand-offable as possible so someone doesn’t need to know a ton of unique specifics to work with my environment.

  • Senior Developer

    @astrugatch It works only for the private key.

    The full setup, however:

    Usage: ./installfog.sh [-h?dEUuHSCKYXT] [-f <filename>]
                    [-D </directory/to/document/root/>] [-c <sslPath>]
                    [-W <webroot/to/fog/after/docroot/>] [-B </backup/path/>]
                    [-s <>] [-e <>] [-b <undionly.kpxe>]
            -h -? --help                    Display this info
            -o    --oldcopy                 Copy back old data
            -d    --no-defaults             Don't guess defaults
            -U    --no-upgrade              Don't attempt to upgrade
            -H    --no-htmldoc              No htmldoc, means no PDFs
            -S    --force-https             Force HTTPS for all comunication
            -C    --recreate-CA             Recreate the CA Keys
            -K    --recreate-keys           Recreate the SSL Keys
            -Y -y --autoaccept              Auto accept defaults and install
            -f    --file                    Use different update file
            -c    --ssl-file                Specify the ssl path
                                                    defaults to /opt/fog/snapins/ssl
            -D    --docroot                 Specify the Apache Docroot for fog
                                                    defaults to OS DocumentRoot
            -W    --webroot                 Specify the web root url want fog to use
                                                    Defaults to /fog/
            -B    --backuppath              Specify the backup path
                  --uninstall               Uninstall FOG
            -s    --startrange              DHCP Start range
            -e    --endrange                DHCP End range
            -b    --bootfile                DHCP Boot file
            -E    --no-exportbuild          Skip building nfs file
            -X    --exitFail                Do not exit if item fails
            -T    --no-tftpbuild            Do not rebuild the tftpd config file
            -P    --no-pxedefault           Do not overwrite pxe default file
            -F    --no-vhost                Do not overwrite vhost file

    What might work better is for you to create your own type of “fog.conf” file and install with the -F or --no-vhost switches. This way you don’t have to worry about updates breaking/potentially losing your cert information.

  • -c    --ssl-file		Specify the ssl path
    	               		defaults to /opt/fog/snapins/ssl

    I see this in the --help does the cert need to have a particular name or will any *.crt be recognized?

  • @tom-elliott said in Web interface SSL:


    Is there a way to add a cert post install that will survive updates or will I need to run the installer again to add my cert?

    Does the modifier take both the .key and the .crt?

  • Senior Developer

    Both of these already exist.

    Look at ./installfog.sh --help to see all the arguments you can pass.

Log in to reply