IPXE Boot Problem - No such file or directory after installation of SSL



  • Hello !

    I have a fog server 1.5.7 which runs on Debian 8.11 (Jessie).

    I configured SSL on the server and since then I have the error “https://10.0.150.15/fog/service/ipxe/boot.php… No such file or directory” when one of the machines starts.
    Here is the error:
    [Screenshot: Corners-Motherimage - VMware Remote Console.jpg]

    I have my own CA deployed on my network. I generated a private key/certificate signed by this custom CA, I replaced the CA in the directories /opt/fog/snapins/ssl/ and I created a directory in /etc/apache2/ssl with the files. Here is the content of the folder:

    root@fog:/etc/apache2/ssl# ls -la
    total 40
    drwxr-xr-x 3 root root 4096 Sep 26 14:02 .
    drwxr-xr-x 9 root root 4096 Sep 20 17:00 ..
    drwxr-xr-x 2 root root 4096 Sep 26 13:42 CA
    -rw-r--r-- 1 root root   80 Sep 23 11:01 ca.cnf
    -rw------- 1 root root 3243 Sep 26 14:02 fog.key
    -rw------- 1 root root 3244 Sep 26 13:42 fog.key.bkp
    -rw------- 1 root root 7510 Sep 26 14:02 fog.pem
    -rw------- 1 root root 7510 Sep 26 13:43 fog.pem.bkp
    lrwxrwxrwx 1 root root   37 Sep 23 11:01 .srvprivate.key -> /opt/fog/snapins/ssl//.srvprivate.key
    
    

    and

    root@fog:/etc/apache2/ssl/CA# ls -la
    total 20
    drwxr-xr-x 2 root root 4096 Sep 26 13:42 .
    drwxr-xr-x 3 root root 4096 Sep 26 14:02 ..
    -rw-r--r-- 1 root root 3247 Sep 23 11:01 .fogCA.key.bkp
    -rw-r--r-- 1 root root 2086 Sep 26 13:42 .fogCA.pem
    -rw-r--r-- 1 root root 1797 Sep 23 11:01 .fogCA.pem.bkp
    
    

    At the webmin level, everything is okay, HTTPS works correctly (“green lock” in the browser).

    I saw this post https://forums.fogproject.org/topic/12908/ipxe-could-not-boot-no-such-file-or-directory and I tried the solution of @Sebastian-Roth but nothing changed.

    I checked the “error” log from Apache and there is no error in it.

    For information, here is the content of my virtualhost:

    <VirtualHost *:80>
        <FilesMatch "\.php$">
            SetHandler "proxy:fcgi://127.0.0.1:9000/"
        </FilesMatch>
        ServerName 10.0.150.15
        ServerAlias fog
        RewriteEngine On
        RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
        RewriteRule .* - [F]
        RewriteRule /management/other/ca.cert.der$ - [L]
        RewriteCond %{HTTPS} off
        RewriteRule (.*) https://%{HTTP_HOST}/$1 [R,L]
    </VirtualHost>
    <VirtualHost *:443>
        KeepAlive Off
        <FilesMatch "\.php$">
            SetHandler "proxy:fcgi://127.0.0.1:9000/"
        </FilesMatch>
        ServerName 10.0.150.15
        ServerAlias fog
        DocumentRoot /var/www/html/
        SSLEngine On
        SSLProtocol all -SSLv3 -SSLv2
        SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
        SSLHonorCipherOrder On
        SSLCertificateFile /etc/apache2/ssl/fog.pem
        SSLCertificateKeyFile /etc/apache2/ssl/fog.key
        #SSLCertificateChainFile /var/www/html/fog//management/other/ca.cert.der
        <Directory /var/www/html/fog/>
            DirectoryIndex index.php index.html index.htm
        </Directory>
        RewriteEngine On
        RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
        RewriteRule .* - [F]
        RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
        RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-d
        RewriteRule ^/fog/(.*)$ /fog/api/index.php [QSA,L]
    </VirtualHost>
    
    

    Thank you for your answer !



  • @Sebastian-Roth

    First, sorry for the delay in answering; it was a busy day and I didn’t have access to the network this weekend.

    We continued to search for the problem and finally, we found there was a problem with the copy of a file from /path/to/fogproject_git_repo/packages/tftp to /tftpboot. The file “default.ipxe” was missing. We saw that with a capture of the traffic and the analysis of the pcap.

    So finally, everything works!

    To be sure we understood properly, we did a new install from scratch and it works perfectly (Fog server & the SSL)!

    In summary, here are the steps I took:

    • Install fog with the “-S” option to activate SSL
    • Copy the certificate and the private key onto the machine
    • Edit the vhost file with the path of the private key and the certificate (with a restart of Apache2)
    • Replace the default CA in the directories /etc/apache2/ssl/CA/ and /opt/fog/snapins/ssl/CA/ with our own CA
    • Execute the script buildipxe.sh from the directory /path/to/fogproject_git_repo/utils/FOGiPXE/
    • And finally, copy the new binaries from /path/to/fogproject_git_repo/packages/tftp to /tftpboot (the step I missed 🙂 )

    Now the server is secured and, incidentally, it’s working !

    Thank you for the support !
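An added example, not part of the original posts or of the FOG project's code: a shell check for the step that was missed above. It compares the build output directory with the TFTP root (recursively) and reports files that were never copied or are out of date. The function name `check_tftp_sync` and its output format are assumptions made for this example; both directories are passed as arguments.

```shell
#!/bin/sh
# Added example: confirm that everything buildipxe.sh produced is what
# the TFTP server will actually hand out to booting clients.

# check_tftp_sync SRC DST
#   SRC: build output, e.g. /path/to/fogproject_git_repo/packages/tftp
#   DST: TFTP root, e.g. /tftpboot
# Prints "MISSING <file>" for files absent from DST and "STALE <file>"
# for files whose content differs from the freshly built copy.
# Returns 0 if DST is in sync, 1 if not, 2 on a bad argument.
check_tftp_sync() {
    [ -d "$1" ] && [ -d "$2" ] || { echo "ERROR not a directory: $1 or $2"; return 2; }
    src=$1
    dst=$(cd "$2" && pwd)    # absolute path, because we cd into SRC below

    report=$(
        cd "$src" && find . -type f | sort | while IFS= read -r f; do
            f=${f#./}
            if [ ! -f "$dst/$f" ]; then
                echo "MISSING $f"
            elif ! cmp -s "$f" "$dst/$f"; then
                echo "STALE $f"
            fi
        done
    )

    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Run the check when the script is called with both directories:
#   sh check_tftp.sh /path/to/fogproject_git_repo/packages/tftp /tftpboot
if [ "$#" -eq 2 ]; then
    check_tftp_sync "$1" "$2"
fi
```

A `MISSING default.ipxe` line is the condition described in this post; `STALE` lines mean the TFTP root still holds binaries built before the CA was changed.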


  • Senior Developer

    @loutrage said in IPXE Boot Problem - No such file or directory after installation of SSL:

    We tried a lot of things and we always have the same problem.

    This is not going to help any. Give us more details on what exactly you have tried and what happened. Otherwise we can’t help you properly.

    Is there a way to see if our CA is correctly imported in the binaries?

    Yes there is but it’s a bit of work:

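    # Work from the root of the FOG source tree
    cd /path/to/fogproject
    # Keep the original embedded scripts so they can be restored later
    mv src/ipxe/src/ipxescript src/ipxe/src/ipxescript.orig
    mv src/ipxe/src-efi/ipxescript src/ipxe/src-efi/ipxescript.orig
    # Embed a script that only opens the iPXE shell
    echo -e '#!ipxe\nshell' > src/ipxe/src/ipxescript
    echo -e '#!ipxe\nshell' > src/ipxe/src-efi/ipxescript
    # Rebuild the iPXE binaries
    cd utils/FOGiPXE/
    ./buildipxe.sh
    cd ../..
    # Copy the rebuilt binaries to the TFTP root
    sudo cp packages/tftp/*.* /tftpboot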
    

    Now when you boot a client it won’t go to the menu but drop to the iPXE shell.

    iPXE> certstat
    ...
    

    This should give you the certificate it has embedded in its store within the binary.



  • Thank you for the answer.

    We tried a lot of things and we always have the same problem.

    For example, we ran the command buildipxe.sh /home/user/CA.PEM to incorporate our own CA. There is no error when building the binaries but we always have the same error.

    We also replaced the file /opt/fog/snapins/ssl/CA/.fogCA.pem with our own CA before launching the buildipxe command.

    We have no problem with the webadmin, just with iPXE.

    Is there a way to see if our CA is correctly imported in the binaries?


  • Senior Developer

    @loutrage said in IPXE Boot Problem - No such file or directory after installation of SSL:

    I have my own CA deployed on my network.

    Are you aware of the fact that the fog-client won’t work with your certificate? It’s not impossible to make it work but it’s not easy.

    I saw this post https://forums.fogproject.org/topic/12908/ipxe-could-not-boot-no-such-file-or-directory and I tried the solution of @Sebastian-Roth but nothing changed.

    What exactly did you do and what was the outcome? You need to recompile the iPXE binaries to include your certificate to make this work. The buildipxe.sh script mentioned does this for you. After that you either need to rerun the installer (not sure if it’s wise in your situation with a highly customized setup) or manually copy the new binaries from /path/to/fogproject_git_repo/packages/tftp to /tftpboot.

