Solved IPXE Boot Problem - No such file or directory after installation of SSL

loutrage

Hello !

I have a fog server 1.5.7 who turn on a Debian 8.11 (Jessie).

I configured the SSL on the server and since, I have the error : “https://10.0.150.15/fog/service/ipxe/boot.php… No such file or directory” when one of the machine starts.
Here is the error :

I have my own CA deployed on my network. I generate a private key/certificate signed by this custom CA and I replaced the CA in the directories /opt/fog/snapins/ssl/ and I created a directory in /etc/apache2/ssl with the files. Here is the content of the folder

root@fog:/etc/apache2/ssl# ls -la
total 40
drwxr-xr-x 3 root root 4096 Sep 26 14:02 .
drwxr-xr-x 9 root root 4096 Sep 20 17:00 ..
drwxr-xr-x 2 root root 4096 Sep 26 13:42 CA
-rw-r--r-- 1 root root   80 Sep 23 11:01 ca.cnf
-rw------- 1 root root 3243 Sep 26 14:02 fog.key
-rw------- 1 root root 3244 Sep 26 13:42 fog.key.bkp
-rw------- 1 root root 7510 Sep 26 14:02 fog.pem
-rw------- 1 root root 7510 Sep 26 13:43 fog.pem.bkp
lrwxrwxrwx 1 root root   37 Sep 23 11:01 .srvprivate.key -> /opt/fog/snapins/ssl//.srvprivate.key

and

root@fog:/etc/apache2/ssl/CA# ls -la
total 20
drwxr-xr-x 2 root root 4096 Sep 26 13:42 .
drwxr-xr-x 3 root root 4096 Sep 26 14:02 ..
-rw-r--r-- 1 root root 3247 Sep 23 11:01 .fogCA.key.bkp
-rw-r--r-- 1 root root 2086 Sep 26 13:42 .fogCA.pem
-rw-r--r-- 1 root root 1797 Sep 23 11:01 .fogCA.pem.bkp

At the webmin level, everything is okay, the https works correctly (“Green lock” in the browser).

I saw this post https://forums.fogproject.org/topic/12908/ipxe-could-not-boot-no-such-file-or-directory and I tried the solution of @Sebastian-Roth but nothing change.

I checked the log of “error” from Apache and there is no error in it.

For information, here is the content of my virtualhost

<VirtualHost *:80>
    <FilesMatch "\.php$">
        SetHandler "proxy:fcgi://127.0.0.1:9000/"
    </FilesMatch>
    ServerName 10.0.150.15
    ServerAlias fog
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]
    RewriteRule /management/other/ca.cert.der$ - [L]
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}/$1 [R,L]
</VirtualHost>
<VirtualHost *:443>
    KeepAlive Off
    <FilesMatch "\.php$">
        SetHandler "proxy:fcgi://127.0.0.1:9000/"
    </FilesMatch>
    ServerName 10.0.150.15
    ServerAlias fog
    DocumentRoot /var/www/html/
    SSLEngine On
    SSLProtocol all -SSLv3 -SSLv2
    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
    SSLHonorCipherOrder On
    SSLCertificateFile /etc/apache2/ssl/fog.pem
    SSLCertificateKeyFile /etc/apache2/ssl/fog.key
    #SSLCertificateChainFile /var/www/html/fog//management/other/ca.cert.der
    <Directory /var/www/html/fog/>
        DirectoryIndex index.php index.html index.htm
    </Directory>
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]
    RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
    RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-d
    RewriteRule ^/fog/(.*)$ /fog/api/index.php [QSA,L]
</VirtualHost>

Thank you for your answer !

loutrage

@Sebastian-Roth

First, sorry for the delay of the answer, it was a busy day and I hadn’t access to the network this weekend.

We continued to search for the problem and finally, we found there was a problem with the copy of a file from /path/to/fogproject_git_repo/packages/tftp to /tftpboot. The file “default.ipxe” was missing. We saw that with a capture of the trafic and the analyze of the pcap.

So finally, everything works !

To be sure to well understand, we made a new install from scratch and it’s work perfectly (Fog server & the SSL) !

In resume, here is the steps I made :

• Install of fog with the “-S” option to activate SSL
• Copy of the certificate and the private key on the machine
• Edit the Vhost file with the path of the private key and the certificate (with a restart of Apache2)
• Modify the CA by default in the directories /etc/apache2/ssl/CA/ and /opt/fog/snapins/ssl/CA/ with our own CA
• Execute the script buildipxe.sh from the directory /path/to/fogproject_git_repo/utils/FOGiPXE/
• And finally, copy the new binaries from /path/to/fogproject_git_repo/packages/tftp to /tftpboot (The step I missed )

Now the server is secured and, incidentally, it’s working !

Thank you for the support !

Sebastian Roth

@loutrage said in IPXE Boot Problem - No such file or directory after installation of SSL:

We tried a lot of things and we have always the same problem.

This is not going to help any. Give us more details on what exactly you have tried and what happened. Otherwise we can’t help you properly.

Is there a way to see if our CA is correctly import in the binaries

Yes there is but it’s a bit of work:

cd /path/to/fogproject
mv src/ipxe/src/ipxescript src/ipxe/src/ipxescript.orig
mv src/ipxe/src-efi/ipxescript src/ipxe/src-efi/ipxescript.orig
echo -e '#!ipxe\nshell' > src/ipxe/src/ipxescript
echo -e '#!ipxe\nshell' > src/ipxe/src-efi/ipxescript
cd utils/FOGiPXE/
./buildipxe.sh
cd ../..
sudo cp packages/tftp/*.* /tftboot

Now when you boot a client it won’t go to the menu but drop to the iPXE shell.

iPXE> certstat
...

This should give you the certificate it has embedded in it’s store within the binary.

loutrage

Thank you for the answer.

We tried a lot of things and we have always the same problem.

We launched for example the command buildipxe.sh /home/user/CA.PEM to incorporate our own CA. There is no error to build the binaries but we have always the same error.

We also replaced the file /opt/fog/snapins/ssl/CA/.fogCA.pem by our own CA before to launch the command buildipxe.

We haven’t problem with the webadmin, just with the ipxe.

Is there a way to see if our CA is correctly import in the binaries

Sebastian Roth

@loutrage said in IPXE Boot Problem - No such file or directory after installation of SSL:

I have my own CA deployed on my network.

Are you aware of the fact that the fog-client won’t work with your certificate? It’s not impossible to make it work but it’s not easy.

I saw this post https://forums.fogproject.org/topic/12908/ipxe-could-not-boot-no-such-file-or-directory and I tried the solution of @Sebastian-Roth but nothing change.

What exactly did you do and what was the outcome? You need to recompile the iPXE binaries to include your certificate to make this work. The buildipxe.sh script mentioned does this for you. After that you either need to rerun the installer (not sure if it’s wise in your situation with a highly customized setup) or manually copy the new binaries from /path/to/fogproject_git_repo/packages/tftp to /tftpboot.