• Register
    • Login
    • Search
    • Recent
    • Unsolved
    • Tags
    • Popular
    • Users
    • Groups
    • Search

    Solved 2019...a step by step activating ssl and complying iPXE with it

    FOG Problems
    3
    41
    716
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • M
      marted last edited by

      During my setup of new FOG server I came across other issue. I tried to activate https SSL and my ipxe doesn’t boot anymore and the web access got certification problem (not trusted). I saw a lot here in the forum about that but still can not find a place here where it is explained step by step how to activate SSL and got it to work well with iPXE https and access web trusted certificates. Maybe I missed it, but if you can guide me on how to do it I’ll be so helpful.
      Thanks again for all your help!!

      1 Reply Last reply Reply Quote 0
      • M
        marted last edited by

        @Sebastian-Roth Thank you

        1 Reply Last reply Reply Quote 0
        • S
          Sebastian Roth Moderator last edited by

          @marted Yust in case you are still keen to use FOG with HTTPS: https://forums.fogproject.org/topic/14115/boot-php-permission-denied

          Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

          Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

          1 Reply Last reply Reply Quote 0
          • S
            Sebastian Roth Moderator last edited by Sebastian Roth

            @marted I just did a plain test:

            1. Clean Debian 10 install (from my point it shouldn’t matter which OS you use but just noting it here in case you’d ask - I had a ready set VM at hand so I took that for testing).
            2. Installed FOG 1.5.7 using no parameters, just ./installfog.sh
            3. Tested PXE boot on http:// works fine
            4. Edited /opt/fog/.fogsettings and changed hostname= as mentioned earlier
            5. Re-ran the installer and let it regenerate CA, key and certs: ./installfog.sh -S -C -K
              (6. Opened web UI, checked the certificate and found the changed alternative name in there - just a test to see of my changed hostname setting results in a changed certificate - it does)
            6. PXE booted client, this time https:// and works perfectly fine!

            I have an impression that iPXE doesn’t get the correct certificate or doesn’t compile it at all.
            How can I checked that?

            I guess you are right with this. Unfortunately I don’t know a method to check if the iPXE binaries do have the right certificates injected other than PXE booting them.

            In some of the pictures you posted I noticed that you seem to run the installer as sudo ./installfog.sh. Please don’t do this! It can have side effects that may cause issues. Change to a proper root shell (using sudo -i or sudo su -, the last hyphen is important!) for running the installer!

            Beside that you might check file modification to see if the iPXE files are being updated properly:

            ls -al /home/foglabunix/Desktop/fogproject/packages/tftp/undionly.kpxe
            ls -al /tftpboot/undionly.kpxe
            

            Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

            Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

            1 Reply Last reply Reply Quote 0
            • M
              marted @Sebastian Roth last edited by

              @Sebastian-Roth thank you. Meanwhile I switched to http and continuing with my tests. It works fine like always on http. I have an impression that iPXE doesn’t get the correct certificate or doesn’t compile it at all.
              How can I checked that?

              1 Reply Last reply Reply Quote 0
              • S
                Sebastian Roth Moderator last edited by

                @marted said in 2019...a step by step activating ssl and complying iPXE with it:

                no errors . Do I have to copy the new files compiled manually to /tftpboot ?

                Yes, after manually running the compile script you need to copy the new iPXE files from fogproject/packages/tftp/ to /tftpboot/ directory!

                If you use the installer it will do the copy for you.

                reinstall again only with -S , again the same problem.

                I am wondering if the modification I told you to test is causing the problem. As I said, your setup is special and not something many people have tried before. I will do a test install and see if it works for me.

                Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

                Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

                M 1 Reply Last reply Reply Quote 0
                • M
                  marted @Sebastian Roth last edited by Sebastian Roth

                  @Sebastian-Roth reinstalled complitly FOG like http (I deleted everything , left only /images and users). Works fine
                  It boots well in http. reinstall again only with -S , again the same problem.
                  output from https://192.168.149.43/fog/service/ipxe/boot.php in web broser . I even changed the permissions of the boot.php file on the server but no effect

                  #!ipxe
                  set fog-ip 192.168.149.43
                  set fog-webroot fog
                  set boot-url https://${fog-ip}/${fog-webroot}
                  cpuid --ext 29 && set arch x86_64 || set arch i386
                  goto get_console
                  :console_set
                  colour --rgb 0x00567a 1 ||
                  colour --rgb 0x00567a 2 ||
                  colour --rgb 0x00567a 4 ||
                  cpair --foreground 7 --background 2 2 ||
                  goto MENU
                  :alt_console
                  cpair --background 0 1 ||
                  cpair --background 1 2 ||
                  goto MENU
                  :get_console
                  console --picture https://192.168.149.43/fog/service/ipxe/bg.png --left 100 --right 80 && goto console_set || goto alt_console
                  :MENU
                  menu
                  colour --rgb 0xff0000 0 ||
                  cpair --foreground 1 1 ||
                  cpair --foreground 0 3 ||
                  cpair --foreground 4 4 ||
                  item --gap Host is NOT registered!
                  item --gap -- -------------------------------------
                  item fog.local Boot from hard disk
                  item fog.memtest Run Memtest86+
                  item fog.reginput Perform Full Host Registration and Inventory
                  item fog.reg Quick Registration and Inventory
                  item fog.deployimage Deploy Image
                  item fog.multijoin Join Multicast Session
                  item fog.sysinfo Client System Information (Compatibility)
                  choose --default fog.local --timeout 3000 target && goto ${target}
                  :fog.local
                  sanboot --no-describe --drive 0x80 || goto MENU
                  :fog.memtest
                  kernel memdisk initrd=memtest.bin iso raw
                  initrd memtest.bin
                  boot || goto MENU
                  :fog.reginput
                  kernel bzImage32 loglevel=4 initrd=init_32.xz root=/dev/ram0 rw ramdisk_size=275000 web=https://192.168.149.43/fog/ consoleblank=0 rootfstype=ext4 storage=192.168.149.43:/images/ storageip=192.168.149.43 loglevel=4 mode=manreg
                  imgfetch init_32.xz
                  boot || goto MENU
                  :fog.reg
                  kernel bzImage32 loglevel=4 initrd=init_32.xz root=/dev/ram0 rw ramdisk_size=275000 web=https://192.168.149.43/fog/ consoleblank=0 rootfstype=ext4 storage=192.168.149.43:/images/ storageip=192.168.149.43 loglevel=4 mode=autoreg
                  imgfetch init_32.xz
                  boot || goto MENU
                  :fog.deployimage
                  login
                  params
                  param mac0 ${net0/mac}
                  param arch ${arch}
                  param username ${username}
                  param password ${password}
                  param qihost 1
                  isset ${net1/mac} && param mac1 ${net1/mac} || goto bootme
                  isset ${net2/mac} && param mac2 ${net2/mac} || goto bootme
                  param sysuuid ${uuid}
                  :fog.multijoin
                  login
                  params
                  param mac0 ${net0/mac}
                  param arch ${arch}
                  param username ${username}
                  param password ${password}
                  param sessionJoin 1
                  isset ${net1/mac} && param mac1 ${net1/mac} || goto bootme
                  isset ${net2/mac} && param mac2 ${net2/mac} || goto bootme
                  param sysuuid ${uuid}
                  :fog.sysinfo
                  kernel bzImage32 loglevel=4 initrd=init_32.xz root=/dev/ram0 rw ramdisk_size=275000 web=https://192.168.149.43/fog/ consoleblank=0 rootfstype=ext4 storage=192.168.149.43:/images/ storageip=192.168.149.43 loglevel=4 mode=sysinfo
                  imgfetch init_32.xz
                  boot || goto MENU
                  :bootme
                  chain -ar https://192.168.149.43/fog/service/ipxe/boot.php##params ||
                  goto MENU
                  autoboot
                  
                  1 Reply Last reply Reply Quote 0
                  • M
                    marted @Sebastian Roth last edited by

                    @Sebastian-Roth no errors . Do I have to copy the new files compiled manually to /tftpboot ?

                    1 Reply Last reply Reply Quote 0
                    • S
                      Sebastian Roth Moderator last edited by

                      @marted Manually run the compile script to see if it throws any errors:

                      cd fogproject/utils/FOGiPXE
                      ./buildipxe.sh
                      

                      Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

                      Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

                      M 2 Replies Last reply Reply Quote 0
                      • M
                        marted @Sebastian Roth last edited by marted

                        @Sebastian-Roth I reinstalled With the options you suggested -S -K -C and web aces fro my home worked fine but this morning when I tried to boot a computer in my lab it gives permission denied error. I checked the error on the website of iPXE it says problem with the certificate. I reinstalled the server two times once only with -S only (same error) and second time with -S -C - K I thought maybe iPXE was not compiled well , but still same error. Before l’installation I fixed the .fogsetings with the real IP 192.168…
                        the permissions are correct for iPXE in var/www
                        Any suggestions? Thanks!
                        e63cab9c-e318-4422-aebd-e89489e0a1fd.jpeg

                        1 Reply Last reply Reply Quote 0
                        • M
                          marted @Sebastian Roth last edited by

                          @Sebastian-Roth thanks for the complete explanation about reverse VPN. Maybe me with my poor English, I’m not capable to explain you in details like I want the network configuration in the university (unfortunately we speak french here in Quebec, Canada better than English:) ), but I truly understand what you wrote and I appreciate the time you spent for that.
                          Everything works fine now, I was capable to generate a second certificate with 132.208 and I installed in my access computer. Thanks again.

                          1 Reply Last reply Reply Quote 0
                          • Tom Elliott
                            Tom Elliott last edited by

                            Understand:

                            VPN is intended to allow external access to internal resources. Maybe I don’t understand your situation. That’s okay, I don’t need to, but this is seeming to be extremely convoluted.

                            1. You have local private spaces machines who access fog via local private calls: eg foglabunix or 192.168.x.x

                            2. You have VPN to access public up space with no DNS and only accessible through VPN connectivity? Why this? If the purpose of the VPN public IP is to get access to the fog server, why do VPN to a public IP that’s only accessible when VPN is enabled? Why not have the VPN connect so you can reach the local resources as they stand.

                            3. Reverse proxy != to proxy. It works in reverse. Meaning instead of all internal to external traffic being filtered to it, all external requests come to it and send to internal resources. It shouldn’t require login as it’s meant to be a central request point. Meaning it doesn’t give away local resources but provides the local resources you are requesting through the reverse proxy. So you don’t run risk of ssh attacks to multiple machines and whatnot.

                            Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG! Get in contact with me (chat bubble in the top right corner) if you want to join in.

                            Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

                            Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

                            1 Reply Last reply Reply Quote 0
                            • S
                              Sebastian Roth Moderator last edited by

                              @marted Your setup is kind of special so there is no common solution to it. But we can try some workaround:

                              1. edit /opt/fog/.fogsettings and change the line hostname=foglabunix to hostname=132.208.x.y
                              2. re-run the installer this time using the command line parameters to re-create CA keys: ./installfog.sh -S -C -K
                              3. download and import the newly generated https://132.208.x.y/fog/management/other/ca.cert.der into your browser

                              Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

                              Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

                              M 2 Replies Last reply Reply Quote 1
                              • Tom Elliott
                                Tom Elliott @marted last edited by

                                @marted if you’re connecting over vpn, why would need to assign a public ip to the fogserver?

                                I guess I don’t understand the complexity involved here. If you have to access vpn to reach the fog server, why would you access it over public up spaces? VPN puts you to the internal network. You should be able to access the machine locally when connecting over VPN.

                                I understand security and all but this seems more complicated than secure.

                                Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG! Get in contact with me (chat bubble in the top right corner) if you want to join in.

                                Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

                                Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

                                1 Reply Last reply Reply Quote 0
                                • M
                                  marted @Tom Elliott last edited by

                                  @Tom-Elliott we have a restrict proxy installed in our university. To access 132.208 network to the university I need to use private VPN configured and managed by the university. Once I activated the VPN with a private password now I have access to my 132.208 NAT. without VPN nobody from the network cannot access it. All I show you is with a VPN to the university ON. The point is to use 132.208 with VPN on and ssl not to use a computer in the lab 192.168

                                  Tom Elliott 1 Reply Last reply Reply Quote 0
                                  • Tom Elliott
                                    Tom Elliott @marted last edited by

                                    @marted you tell Apache using a namedvirtualhost config. So 192.x and foglabunix are handled by the fog ca certificate and the nat ip request is handled by the 3rd party certificate.

                                    Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG! Get in contact with me (chat bubble in the top right corner) if you want to join in.

                                    Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

                                    Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

                                    1 Reply Last reply Reply Quote 0
                                    • Tom Elliott
                                      Tom Elliott @Tom Elliott last edited by

                                      @Tom-Elliott even better, use a reverse proxy for internet to redirect into your internal network and present the certificate at the reverse proxy. This way you can use a dns name that points to a machine within your dmz, that can be restricted to internal machines. And you aren’t putting your actual fog server in any risk as all things requesting your fog server from the internet won’t actually give access to your fog server files. At least not by simply pointing to your nat side ip. You could, essentially, get rid of the nat network for your fog server in this way too.

                                      Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG! Get in contact with me (chat bubble in the top right corner) if you want to join in.

                                      Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

                                      Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

                                      M 1 Reply Last reply Reply Quote 0
                                      • M
                                        marted @Tom Elliott last edited by

                                        @Tom-Elliott if I get a 3rd party certificate which I can do, how can I replace the fog certificate?

                                        Tom Elliott 1 Reply Last reply Reply Quote 0
                                        • Tom Elliott
                                          Tom Elliott @marted last edited by

                                          @marted can you add a dns entry on the nat side to get you access? For internet proper links I wouldn’t recommend using the fog ca, you should probably get a proper certificate from a 3rd party to present for internet based sites.

                                          Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG! Get in contact with me (chat bubble in the top right corner) if you want to join in.

                                          Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

                                          Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

                                          M Tom Elliott 2 Replies Last reply Reply Quote 0
                                          • M
                                            marted @Tom Elliott last edited by

                                            @Tom-Elliott it doesn’t work
                                            it passed only with the IP NAT 132.208
                                            screenshot_5.png
                                            screenshot_6.png

                                            Tom Elliott 1 Reply Last reply Reply Quote 0
                                            • 1
                                            • 2
                                            • 3
                                            • 1 / 3
                                            • First post
                                              Last post

                                            221
                                            Online

                                            10.4k
                                            Users

                                            16.4k
                                            Topics

                                            150.6k
                                            Posts

                                            Copyright © 2012-2023 FOG Project