new install attempt to register host failed



  • 20190723_160329.jpg

    Fresh install over SSL and changed settings to use my wildcard certificate. This was a test to register a host.

    Any ideas?


  • Senior Developer

    @bogle SSL enabled this time or not? Where did you put the certificates?



  • Thanks for your help. I reinstall the FOG Project and it works out of the box. On my test pc it booted successfully to the PXE menu. Tested it twice using legacy mode and uefi mode!


  • Moderator

    @bogle said in new install attempt to register host failed:

    In the meantime whats the best way to get a windows 10 pro image working?

    That site is a good place to start. You can either build the computer in audit mode or use MDT to create your reference image. Either way, don’t connect the reference image computer to your AD domain at all. Run audit mode unconnected to AD. You will have a better reference image in the end. Let FOG or have the unattend.xml file connect the target computer to AD at the end of deployment.


  • Senior Developer

    @bogle said in new install attempt to register host failed:

    I modifed the .fogsettings file portion where SSL Setting is

    Did you re-run the installer after that? The .fogsettings file is only being used by the installer script but not being read at runtime. So changes to this file need to be “populated” by re-running the installer. That said I am not exactly sure if all the things involved to make FOG work with SSL are playing nicely if you change that path. While it definitely should I just wonder if if does because probably not too many people have done this. Usually people using custom certificates simply put those into the places where FOG has it’s cert files by default.

    I know this sounds very 80s, like just keep it all to default because changing settings might break it. 😞 But SSL is still kind of new in FOG, not being used by the mass of people and we have not had the time to make this rock solid in all cases yet.

    It’s interesting you get a page load error when accessing the website using the IP address. Maybe check apache logs (see my signature) to see if there is a hint on why it fails?!

    In the meantime whats the best way to get a windows 10 pro image working?

    Would you mind opening a new topic on this? Best if we don’t mix up things so we don’t get lost and also other people will find answers easier.



  • @bogle

    In the meantime whats the best way to get a windows 10 pro image working?

    I am looking at this site right now

    https://www.ceos3c.com/sysadmin/create-generalized-windows-10-image-deploy-fog-server/



  • @george1421

    Ok I will revert back to a previous vm snapshot so I can use http instead of https and start over.


  • Moderator

    @bogle Well at this point, I’ve hit a wall on my knowledge in regards to SSL and apache. Its either the certificate blocking because its expecting a conical name or in the apache configuration the serveralias needs to have the IP address listed. But you are near the root of your problem. Once you get https working via the IP address it will work.

    There is another way to work around it but I really don’t like that method because it make the client rely on DNS resolution to get imaging to work. You can go into the fog configuration settings and change all references to the IP address to the system’s conical name. You will also have to update the storage node settings too.



  • @george1421

    Good question, I just tried this and it returned results.

    Capture.PNG

    Here is my host file

    <VirtualHost *:80>
        <FilesMatch "\.php$">
            SetHandler "proxy:fcgi://127.0.0.1:9000/"
        </FilesMatch>
        ServerName 10.141.13.96
        ServerAlias fogserver.<redacted>.com
        RewriteEngine On
        RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
        RewriteRule .* - [F]
        RewriteRule /management/other/ca.cert.der$ - [L]
        RewriteCond %{HTTPS} off
        RewriteRule (.*) https://%{HTTP_HOST}/$1 [R,L]
    </VirtualHost>
    <VirtualHost *:443>
        KeepAlive Off
        <FilesMatch "\.php$">
            SetHandler "proxy:fcgi://127.0.0.1:9000/"
        </FilesMatch>
        ServerName 10.141.13.96
        ServerAlias fogserver.<redacted>.com
        DocumentRoot /var/www/html/
        SSLEngine On
        SSLProtocol all -SSLv3 -SSLv2
        SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
        SSLHonorCipherOrder On
        SSLCertificateFile /etc/pki/tls/certs/STAR_grahamrmc_com.crt
        SSLCertificateKeyFile /etc/pki/tls/private/_grahamrmc_com.key
        SSLCertificateChainFile /etc/pki/tls/certs/STAR_grahamrmc_com.ca-bundle
        <Directory /var/www/html/fog/>
            DirectoryIndex index.php index.html index.htm
        </Directory>
        RewriteEngine On
        RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
        RewriteRule .* - [F]
        RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
        RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-d
        RewriteRule ^/fog/(.*)$ /fog/api/index.php [QSA,L]
    </VirtualHost>
    

    I modifed the .fogsettings file portion where SSL Setting is

    Capture.PNG


  • Moderator

    @bogle Ok now we are getting some place.

    I see your fog server url is at fogserver.<redacted>.com but if you look at your first picture its trying to contact 10.141.13.96 server. Why does the conical name work where the IP address doesn’t?



  • @george1421

    http:// doesn’t work either

    Here is a screenshot of the dashboard with Certificate pulled up.

    Capture.PNG



  • @Sebastian-Roth

    Its a Premium SSL Wildcard Certificate from Sectigo Certification Authority


  • Moderator

    @bogle Well half looks right. The web browser bit doesn’t look good. You should have a web page that starts out like this:

    #!ipxe
    set fog-ip 192.168.1.53
    set fog-webroot fog
    set boot-url http://${fog-ip}/${fog-webroot}
    cpuid --ext 29 && set arch x86_64 || set arch i386
    goto get_console
    :console_set
    colour --rgb 0x00567a 1 ||
    colour --rgb 0x00567a 2 ||
    colour --rgb 0x00567a 4 ||
    cpair --foreground 7 --background 2 2 ||
    goto MENU
    :alt_console
    cpair --background 0 1 ||
    cpair --background 1 2 ||
    goto MENU
    :get_console
    console --picture http://192.168.1.53/fog/service/ipxe/bg.png --left 100 --right 80 && goto console_set || goto alt_console
    :MENU
    menu
    colour --rgb 0xff0000 0 ||
    cpair --foreground 1 1 ||
    cpair --foreground 0 3 ||
    cpair --foreground 4 4 ||
    

    Try the same url but use the http:// instead.




  • Moderator

    While I’m not up to speed on the FOG SSL thing, it does appear that you did not recompile the iPXE boot loaders with your matching certificate that apache is running under -or- apache is not listening on port 443.

    For apache listening on port 443 you can use this command netstat -an |grep :443 You should see something like this returned.

    tcp4       0      0 :::443                  :::*                    LISTEN
    

    You can also test from a browser trying to connect to https://10.141.13.36/fog/service/ipxe/boot.php?mac=00:00:00:00:00 that will/should return the contents of the FOG iPXE menu. We are only concerned about if something is returned or not.

    If both tests above are successful but you can’t connect using iPXE then you need to recompile iPXE with your certificate.


  • Senior Developer

    @bogle What kind of “Wildcard” certificate do you use?? Which certificate authority is this from?

    Be aware that you need to put the certificate into the right plane and re-run the installer or manually run the iPXE build script to have the certificate included into the binaries.

    As well you need to know that the fog-client currently does not work with custom certificates.


Log in to reply
 

280
Online

7.5k
Users

14.6k
Topics

137.6k
Posts