Not able to TFTP boot. Invalid Argument Error

hancocza · Dec 7, 2018, 8:46 PM

@george1421 Thanks for that, I’ll look at doing that once I get this up and running again. Once it fails, how can I see what params were passed that might be incorrect? Is there a log file stored anywhere?

george1421 · Dec 7, 2018, 2:50 PM

@hancocza If you are calling boot.php directly from your usb drive then you are not passing any parameters. That is the problem. If you look at the default.ipxe file in /tftpboot of the FOG server you will see what parameters its passing (like mac address, arch, and so on).

Just to save you time:

#!ipxe
cpuid --ext 29 && set arch x86_64 || set arch ${buildarch}
params
param mac0 ${net0/mac}
param arch ${arch}
param platform ${platform}
param product ${product}
param manufacturer ${product}
param ipxever ${version}
param filename ${filename}
param sysuuid ${uuid}
isset ${net1/mac} && param mac1 ${net1/mac} || goto bootme
isset ${net2/mac} && param mac2 ${net2/mac} || goto bootme
:bootme
chain http://192.168.5.22/fog/service/ipxe/boot.php##params

[edit] just for clarity thats from FOG 1.5.4. I haven’t installed 1.5.5 into production yet.

hancocza · Dec 7, 2018, 8:51 PM

@george1421 Oh, got ya. I don’t call it directly. It first goes to default.ipxe and then from there calls the boot.php

george1421 · Dec 7, 2018, 8:56 PM

@hancocza OK so we now know how you got here.

Looking at your picture its making a http call to boot.php. You made reference to using https? You are still at the ipxe prompt so something happened with the chain to boot.php

hancocza · Dec 7, 2018, 8:59 PM

@george1421 Correct. In the past, since I started using HTTPS, I’ve had to change the default.ipxe file to point to http vs https. https never worked for me (I’m guessing because i never compiled the binaries after updating). So I’ve always changed the chain address to be http instead of https. Now that doesn’t work either.

george1421 · Dec 7, 2018, 9:25 PM

@hancocza Ok just to be clear you haven’t changed anything in FOG’s default.ipxe other than http and https?

What do you get if you key the following into a browser?

http://<fog_server_ip>/fog/service/ipxe/boot.php?mac=00:00:00:00:00:01

That should give you a screen of text, which is the FOG ipxe menu.

hancocza · Dec 7, 2018, 5:13 PM

@george1421 said in Not able to TFTP boot. Invalid Argument Error:

http://<fog_server_ip>/fog/service/ipxe/boot.php?mac=00:00:00:00:00:01

Here is what I get. I do change the IP section from a FQDN to the IP. When installing I put the FQDN as the IP address so that I don’t have to change too much.

#!ipxe
set fog-ip xxx.xxx.xxx.xxx
set fog-webroot fog
set boot-url https://${fog-ip}/${fog-webroot}
cpuid --ext 29 && set arch x86_64 || set arch i386
goto get_console
:console_set
colour --rgb 0x00567a 1 ||
colour --rgb 0x00567a 2 ||
colour --rgb 0x00567a 4 ||
cpair --foreground 7 --background 2 2 ||
goto MENU
:alt_console
cpair --background 0 1 ||
cpair --background 1 2 ||
goto MENU
:get_console
console --picture https://xxx.xxx.xxx.xxx/fog/service/ipxe/bg.png --left 100 --right 80 && goto console_set || goto alt_console
:MENU
menu
colour --rgb 0xff0000 0 ||
cpair --foreground 1 1 ||
cpair --foreground 0 3 ||
cpair --foreground 4 4 ||
item --gap Host is NOT registered!
item --gap -- -------------------------------------
item fog.local Boot from hard disk
item fog.memtest Run Memtest86+
item fog.reginput Perform Full Host Registration and Inventory
item fog.reg Quick Registration and Inventory
item fog.deployimage Deploy Image
item fog.multijoin Join Multicast Session
item fog.sysinfo Client System Information (Compatibility)
choose --default fog.local --timeout 3000 target && goto ${target}
:fog.local
sanboot --no-describe --drive 0x80 || goto MENU
:fog.memtest
kernel memdisk initrd=memtest.bin iso raw
initrd memtest.bin
boot || goto MENU
:fog.reginput
kernel bzImage32 loglevel=4 initrd=init_32.xz root=/dev/ram0 rw ramdisk_size=127000 web=https://xxx.xxx.xxx.xxx/fog/ consoleblank=0 rootfstype=ext4 storage=xxx.xxx.xxx.xxx:/images/ storageip=xxx.xxx.xxx.xxx loglevel=4 mode=manreg
imgfetch init_32.xz
boot || goto MENU
:fog.reg
kernel bzImage32 loglevel=4 initrd=init_32.xz root=/dev/ram0 rw ramdisk_size=127000 web=https://xxx.xxx.xxx.xxx/fog/ consoleblank=0 rootfstype=ext4 storage=xxx.xxx.xxx.xxx:/images/ storageip=xxx.xxx.xxx.xxx loglevel=4 mode=autoreg
imgfetch init_32.xz
boot || goto MENU
:fog.deployimage
login
params
param mac0 ${net0/mac}
param arch ${arch}
param username ${username}
param password ${password}
param qihost 1
isset ${net1/mac} && param mac1 ${net1/mac} || goto bootme
isset ${net2/mac} && param mac2 ${net2/mac} || goto bootme
param sysuuid ${uuid}
:fog.multijoin
login
params
param mac0 ${net0/mac}
param arch ${arch}
param username ${username}
param password ${password}
param sessionJoin 1
isset ${net1/mac} && param mac1 ${net1/mac} || goto bootme
isset ${net2/mac} && param mac2 ${net2/mac} || goto bootme
param sysuuid ${uuid}
:fog.sysinfo
kernel bzImage32 loglevel=4 initrd=init_32.xz root=/dev/ram0 rw ramdisk_size=127000 web=https://xxx.xxx.xxx.xxx/fog/ consoleblank=0 rootfstype=ext4 storage=xxx.xxx.xxx.xxx:/images/ storageip=xxx.xxx.xxx.xxx loglevel=4 mode=sysinfo
imgfetch init_32.xz
boot || goto MENU
:bootme
chain -ar https://xxx.xxx.xxx.xxx/fog/service/ipxe/boot.php##params ||
goto MENU
autoboot

george1421 · Dec 7, 2018, 10:24 PM

@hancocza OK that tells us that boot.php code is working on the fog server. That is the complete iPXE boot menu. So we know its not the fog server causing you pain.

So you haven’t changed the fog default.ipxe, boot.php is working because the menu is created when you call it from a browser.

so the question is what is being passed that is causing boot.php to return an invalid ipxe menu.

The next step is to usb boot again and get the error. Then inspect the apache access log, error log, and php-fpm error log files. These are typically in /var/log directory.

george1421 · Dec 7, 2018, 10:25 PM

@george1421 Just wondering is this fog client computer you are trying to USB boot registered in FOG? If so delete the registration and see if it throws the same error.

Sebastian Roth · Dec 7, 2018, 11:30 PM

@hancocza Your picture shows the iPXE error http://ipxe.org/err/1c0de8 - see this is definitely talking about TLS being the issue. Now having a closer look at the iPXE menu output you posted from “boot.php” I see that i does a chain https://... right at the end as well as console --picture https://... and others which all will likely fail if you don’t have iPXE binaries compiled with your certificate in it.

Those URLs are generated and the http(s) part is derived from the client request itself. So if a client asks for http:// all the URLs in the bootmenu will also be http:// - but we generate an apache config to redirect HTTP to HTTPS and therefore you end up with https:// URLs in the iPXE boot menu. Either you disable the forced HTTPS redirect or you look into compiling correct iPXE binaries. The later should be real easy using the script as I suggested.

hancocza · Dec 10, 2018, 11:54 AM

@Sebastian-Roth I ran the recompiling script last friday. At the end it says it needs to go through the FOG installation again, so i did. After that, it still gave the same error. Should I be allowing it to go through the FOG installation again or does that basically reset the iPXE binaries again?

hancocza · Dec 10, 2018, 12:04 PM

@george1421 said in Not able to TFTP boot. Invalid Argument Error:

@george1421 Just wondering is this fog client computer you are trying to USB boot registered in FOG? If so delete the registration and see if it throws the same error.

This happened on both laptops that were registered as well as a few that were not.

I also checked all of the logs after attempting to boot, and it didn’t update any of those logs. I assume that means it’s in line with what Sebastian said about the TLS error.

Sebastian Roth · Dec 10, 2018, 2:51 PM

@hancocza said in Not able to TFTP boot. Invalid Argument Error:

Should I be allowing it to go through the FOG installation again or does that basically reset the iPXE binaries again?

When you run the buidlipxe.sh Script it compiles new binaries including the correct SSL cert and puts them in the “installer directory”. From now on you can run the FOG installer as often as you want, it should always install those HTTPS-enabled iPXE binaries!

hancocza · Dec 10, 2018, 2:53 PM

@Sebastian-Roth Hmm… I did that and still get the same error after. Same error code as well, pointing at the TLS handshake.

Sebastian Roth · Dec 10, 2018, 3:06 PM

@hancocza Sure you don’t get any error from the iPXE build script?

Do you use a custom SSL certificate for the FOG web server?

hancocza · Dec 10, 2018, 3:08 PM

@Sebastian-Roth I don’t think i get one from the script. How could i check?

I do use a custom SSL cert for the web server. In the apache2 site config, it points to the correct cert and key. That’s also why I get the password prompts during installation.

Sebastian Roth · Dec 10, 2018, 3:19 PM

@hancocza said in Not able to TFTP boot. Invalid Argument Error:

I do use a custom SSL cert for the web server.

Ah sorry, I missed that. Then you need to adjust the utils/FOGiPXE/buildipxe.sh Script to point to those custom certs as well. Edit that file and put in the correct paths for CA cert and server cert:

#!/bin/bash
BUILDOPTS="TRUST=/var/www/fog/management/other/ca.cert.pem CERT=/var/www/fog/management/other/ca.cert.pem"
IPXEGIT="https://git.ipxe.org/ipxe.git"
...

This is the default. Change to where you have your custom cert files and compile again! Then rerun the installer as well.

hancocza · Dec 10, 2018, 3:52 PM

@Sebastian-Roth Tried that with our cert that we use. I replaced both the path for both TRUST= and CERT= with the certificate path, compiled and ran the installer. I tried it with the default.ipxe unchanged, as well as with the IP in place of the FQDN in the chain line.

My buildipxe.sh looks like:

#!/bin/bash
BUILDOPTS=“TRUST=/home/fogserver/Documents/fogcert.crt CERT=/home/fogserver/Documents/fogcert.crt”
IPXEGIT=“https://git.ipxe.org/ipxe.git”

The chain line of the default.ipxe looks like this:

chain https://xxx.xxx.xxx.xxx/fog/service/ipxe/boot.php##params

Am I messing up the placement of the certificate? Apache asks for three separate certificate components (certificate, key, chain), am I supposed to have two different certificates specified in the buildipxe.sh?
…

Sebastian Roth · Dec 10, 2018, 4:30 PM

@hancocza said in Not able to TFTP boot. Invalid Argument Error:

am I supposed to have two different certificates specified in the buildipxe.sh?

Yes! The one going in TRUST is the CA cert or possibly what you use in Chain parameter in the apache config. If it is a real chain of two or more certs in the chain I am not sure if iPXE can handle it this way. Give it a try. The CERT is just that, the webserver certificate.

By the way, keeping the certs in the home directory might not be a wise idea. Someone comes along and cleans up the home dir one day and boom all is gone.

hancocza · Dec 11, 2018, 12:25 PM

@Sebastian-Roth I’m kind of at a loss on this. I have tried many different combinations of the certs that I have, have tried using the one fog uses, and have tried the ones provided by iPXE. They all continue to give me invalid argument error. I added the DEBUG=tls line to the buildipxe.sh file, and tried booting. It said my cert was added to the certstore, and then ran through what I’m guessing are handshakes. In the end I still get the invalid argument error.

Is there a way to use my ssl certs for just the web server? Then all of the fog functions would use the supplied fog certs?

Not able to TFTP boot. Invalid Argument Error

194

12.0k

17.3k

155.2k