IPXE Boot Problem - No such file or directory after installation of SSL
-
Hello !
I have a FOG server 1.5.7 which runs on Debian 8.11 (Jessie).
I configured SSL on the server and since then I have the error : “https://10.0.150.15/fog/service/ipxe/boot.php… No such file or directory” when one of the machines starts.
Here is the error :
I have my own CA deployed on my network. I generated a private key/certificate signed by this custom CA, replaced the CA in the directories /opt/fog/snapins/ssl/ and created a directory /etc/apache2/ssl with the files. Here is the content of the folder :
root@fog:/etc/apache2/ssl# ls -la
total 40
drwxr-xr-x 3 root root 4096 Sep 26 14:02 .
drwxr-xr-x 9 root root 4096 Sep 20 17:00 ..
drwxr-xr-x 2 root root 4096 Sep 26 13:42 CA
-rw-r--r-- 1 root root   80 Sep 23 11:01 ca.cnf
-rw------- 1 root root 3243 Sep 26 14:02 fog.key
-rw------- 1 root root 3244 Sep 26 13:42 fog.key.bkp
-rw------- 1 root root 7510 Sep 26 14:02 fog.pem
-rw------- 1 root root 7510 Sep 26 13:43 fog.pem.bkp
lrwxrwxrwx 1 root root   37 Sep 23 11:01 .srvprivate.key -> /opt/fog/snapins/ssl//.srvprivate.key
and
root@fog:/etc/apache2/ssl/CA# ls -la
total 20
drwxr-xr-x 2 root root 4096 Sep 26 13:42 .
drwxr-xr-x 3 root root 4096 Sep 26 14:02 ..
-rw-r--r-- 1 root root 3247 Sep 23 11:01 .fogCA.key.bkp
-rw-r--r-- 1 root root 2086 Sep 26 13:42 .fogCA.pem
-rw-r--r-- 1 root root 1797 Sep 23 11:01 .fogCA.pem.bkp
At the webmin level, everything is okay, the https works correctly (“Green lock” in the browser).
I saw this post https://forums.fogproject.org/topic/12908/ipxe-could-not-boot-no-such-file-or-directory and I tried the solution of @Sebastian-Roth but nothing changed.
I checked the “error” log from Apache and there is no error in it.
For information, here is the content of my virtualhost :
<VirtualHost *:80>
    <FilesMatch "\.php$">
        SetHandler "proxy:fcgi://127.0.0.1:9000/"
    </FilesMatch>
    ServerName 10.0.150.15
    ServerAlias fog
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]
    RewriteRule /management/other/ca.cert.der$ - [L]
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}/$1 [R,L]
</VirtualHost>
<VirtualHost *:443>
    KeepAlive Off
    <FilesMatch "\.php$">
        SetHandler "proxy:fcgi://127.0.0.1:9000/"
    </FilesMatch>
    ServerName 10.0.150.15
    ServerAlias fog
    DocumentRoot /var/www/html/
    SSLEngine On
    SSLProtocol all -SSLv3 -SSLv2
    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
    SSLHonorCipherOrder On
    SSLCertificateFile /etc/apache2/ssl/fog.pem
    SSLCertificateKeyFile /etc/apache2/ssl/fog.key
    #SSLCertificateChainFile /var/www/html/fog//management/other/ca.cert.der
    <Directory /var/www/html/fog/>
        DirectoryIndex index.php index.html index.htm
    </Directory>
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]
    RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
    RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-d
    RewriteRule ^/fog/(.*)$ /fog/api/index.php [QSA,L]
</VirtualHost>
Thank you for your answer !
-
@loutrage said in IPXE Boot Problem - No such file or directory after installation of SSL:
I have my own CA deployed on my network.
Are you aware of the fact that the fog-client won’t work with your certificate? It’s not impossible to make it work but it’s not easy.
I saw this post https://forums.fogproject.org/topic/12908/ipxe-could-not-boot-no-such-file-or-directory and I tried the solution of @Sebastian-Roth but nothing changed.
What exactly did you do and what was the outcome? You need to recompile the iPXE binaries to include your certificate to make this work. The buildipxe.sh script mentioned does this for you. After that you either need to rerun the installer (not sure if it’s wise in your situation with a highly customized setup) or manually copy the new binaries from /path/to/fogproject_git_repo/packages/tftp to /tftpboot.
-
Thank you for the answer.
We tried a lot of things and we always have the same problem.
We launched for example the command buildipxe.sh /home/user/CA.PEM to incorporate our own CA. The binaries build without error but we always have the same error. We also replaced the file /opt/fog/snapins/ssl/CA/.fogCA.pem with our own CA before launching the buildipxe command. We have no problem with the webadmin, just with the iPXE.
Is there a way to see if our CA is correctly imported in the binaries?
-
@loutrage said in IPXE Boot Problem - No such file or directory after installation of SSL:
We tried a lot of things and we always have the same problem.
This is not going to help any. Give us more details on what exactly you have tried and what happened. Otherwise we can’t help you properly.
Is there a way to see if our CA is correctly imported in the binaries?
Yes there is but it’s a bit of work:
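cd /path/to/fogproject
# keep the original embedded scripts so they can be restored later
mv src/ipxe/src/ipxescript src/ipxe/src/ipxescript.orig
mv src/ipxe/src-efi/ipxescript src/ipxe/src-efi/ipxescript.orig
# embed a script that drops straight to the iPXE shell
echo -e '#!ipxe\nshell' > src/ipxe/src/ipxescript
echo -e '#!ipxe\nshell' > src/ipxe/src-efi/ipxescript
# rebuild the binaries and copy them to the TFTP root
cd utils/FOGiPXE/
./buildipxe.sh
cd ../..
sudo cp packages/tftp/*.* /tftpboot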
Now when you boot a client it won’t go to the menu but drop to the iPXE shell.
iPXE> certstat ...
This should give you the certificate it has embedded in its store within the binary.
-
First, sorry for the late answer, it was a busy day and I didn’t have access to the network this weekend.
We continued to search for the problem and finally, we found there was a problem with the copy of a file from /path/to/fogproject_git_repo/packages/tftp to /tftpboot. The file “default.ipxe” was missing. We saw that by capturing the traffic and analyzing the pcap.
So finally, everything works !
To be sure we understood correctly, we did a new install from scratch and it works perfectly (FOG server & SSL) !
In summary, here are the steps I took :
- Install FOG with the “-S” option to activate SSL
- Copy the certificate and the private key to the machine
- Edit the vhost file with the path of the private key and the certificate (with a restart of Apache2)
- Replace the default CA in the directories /etc/apache2/ssl/CA/ and /opt/fog/snapins/ssl/CA/ with our own CA
- Execute the script buildipxe.sh from the directory /path/to/fogproject_git_repo/utils/FOGiPXE/
- And finally, copy the new binaries from /path/to/fogproject_git_repo/packages/tftp to /tftpboot (the step I missed)
Now the server is secured and, incidentally, it’s working !
Thank you for the support !
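
Added example, not part of the thread and not FOG project code: a POSIX shell check for the last two steps of the summary above, which reports files that are missing or stale in the TFTP root compared with the build output (the default.ipxe case found here) and verifies the server certificate against the CA given to buildipxe.sh. The function names check_tftp_sync and check_cert_chain are hypothetical, and the certificate check assumes the CA signed the server certificate directly, with no intermediate.

```shell
#!/bin/sh
# Added example (not from the thread, not FOG code). Function names are
# hypothetical; all paths are passed as arguments, nothing is hard-coded.

# Compare the build output SRC (e.g. packages/tftp) with the TFTP root DST.
# Prints "MISSING <file>" or "STALE <file>" per finding; returns 0 if DST has
# every file from SRC with identical content, 1 on findings, 2 on bad paths.
# The body is a subshell, so the cd and the variables do not leak out.
# Assumes file names contain no newlines.
check_tftp_sync() (
    src=$1
    dst=$(CDPATH= cd -- "$2" 2>/dev/null && pwd) || {
        echo "ERROR: bad target directory: $2" >&2; exit 2; }
    CDPATH= cd -- "$src" 2>/dev/null || {
        echo "ERROR: bad source directory: $src" >&2; exit 2; }
    report=$(find . -type f | LC_ALL=C sort | while IFS= read -r rel; do
        rel=${rel#./}
        if [ ! -f "$dst/$rel" ]; then
            echo "MISSING $rel"
        elif ! cmp -s "./$rel" "$dst/$rel"; then
            echo "STALE $rel"
        fi
    done)
    [ -z "$report" ] && exit 0
    printf '%s\n' "$report"
    exit 1
)

# Verify that the certificate Apache serves chains to the CA that was handed
# to buildipxe.sh. Assumption: the CA signed it directly (no intermediate).
check_cert_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Run both checks only when called with four arguments:
#   sh check.sh <build-dir> <tftp-root> <ca.pem> <server-cert.pem>
if [ "$#" -eq 4 ]; then
    check_tftp_sync "$1" "$2" || echo "TFTP root is out of sync with the build"
    check_cert_chain "$3" "$4" || echo "server certificate does not verify against the CA"
fi
```

Unlike a copy with the `*.*` glob, the comparison walks subdirectories too, so files the glob would skip are reported as well.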