2019...a step by step activating ssl and complying iPXE with it

marted

@Tom-Elliott said in 2019...a step by step activating ssl and complying iPXE with it:

TO get rid of the “not secure” you see, you need to download the ca.cert from the FOG Server.
https://foglabunix/fog/management/other/ca.cert.der
And put that in your machine’s trust root authority.

Could you tell me where to put exactly the certificate on my server root ?

marted

@Tom-Elliott said in 2019...a step by step activating ssl and complying iPXE with it:

As to making iPXE obtain from https, you should be able to do this by reinstalling fog (assuming you didn’t reinstall when building the ipxe binaries)?

The iPXE was recompiled at the end of the new installation with success. Do I have to start again the installation?

Tom Elliott

@marted Your local machine (the one you’re accessing the FOG GUI from) Trusted Root Authority.

This is either Certlm.msc or certmgr.msc (LM = Local Machine, MGR = Current User) in windows.

Tom Elliott

When running the installer, you should only need to use the -S argument. -C forces the installer to recreate the CA certificates. -K forces regenerating the keys for the fog server. the -K won’t be overly problematic but the -C will cause issues

the -S just forces HTTPS.

As @Sebastian-Roth as requested, please provide a photo of the tftp trying to use http instead of https

Thank you,

marted

@Tom-Elliott got this. Thanks

marted

@Tom-Elliott said in 2019...a step by step activating ssl and complying iPXE with it:

@marted TO get rid of the “not secure” you see, you need to download the ca.cert from the FOG Server.
https://foglabunix/fog/management/other/ca.cert.der
And put that in your machine’s trust root authority.
As to making iPXE obtain from https, you should be able to do this by reinstalling fog (assuming you didn’t reinstall when building the ipxe binaries)?

Tom I have a little bit different configuration from the standard. My FOG server is in private network 192. and I have a NAT IP 132. 1:1 only for my server for accessing it from internet. Even with certificate installed it says that the certificate is only for 192.168 and name foglabunix and not for my address 132.208, which is normal. How can i pass to the certificate my second IP 132.208?
Is there a way to add it in fogconfig file in the variable ipaddress both with the private IP or there is other way?
By the way in MAC OS when I installed the certificate, even with 132.208 it accepted it and I have a SSL connection with no error.

Tom Elliott

@marted why not access the fog server using foglabunix? The cert is valid for that name

marted

@Tom-Elliott I run the installation only with -S and root like @Sebastian-Roth Sebastian offered. The installation passed with no problems. Monday morning will try the boot and will post it here

marted

@Tom-Elliott it doesn’t work
it passed only with the IP NAT 132.208

Tom Elliott

@marted can you add a dns entry on the nat side to get you access? For internet proper links I wouldn’t recommend using the fog ca, you should probably get a proper certificate from a 3rd party to present for internet based sites.

marted

@Tom-Elliott if I get a 3rd party certificate which I can do, how can I replace the fog certificate?

Tom Elliott

@Tom-Elliott even better, use a reverse proxy for internet to redirect into your internal network and present the certificate at the reverse proxy. This way you can use a dns name that points to a machine within your dmz, that can be restricted to internal machines. And you aren’t putting your actual fog server in any risk as all things requesting your fog server from the internet won’t actually give access to your fog server files. At least not by simply pointing to your nat side ip. You could, essentially, get rid of the nat network for your fog server in this way too.

Tom Elliott

@marted you tell Apache using a namedvirtualhost config. So 192.x and foglabunix are handled by the fog ca certificate and the nat ip request is handled by the 3rd party certificate.

marted

@Tom-Elliott we have a restrict proxy installed in our university. To access 132.208 network to the university I need to use private VPN configured and managed by the university. Once I activated the VPN with a private password now I have access to my 132.208 NAT. without VPN nobody from the network cannot access it. All I show you is with a VPN to the university ON. The point is to use 132.208 with VPN on and ssl not to use a computer in the lab 192.168

Tom Elliott

@marted if you’re connecting over vpn, why would need to assign a public ip to the fogserver?

I guess I don’t understand the complexity involved here. If you have to access vpn to reach the fog server, why would you access it over public up spaces? VPN puts you to the internal network. You should be able to access the machine locally when connecting over VPN.

I understand security and all but this seems more complicated than secure.

Sebastian Roth

@marted Your setup is kind of special so there is no common solution to it. But we can try some workaround:

1. edit /opt/fog/.fogsettings and change the line hostname=foglabunix to hostname=132.208.x.y
2. re-run the installer this time using the command line parameters to re-create CA keys: ./installfog.sh -S -C -K
3. download and import the newly generated https://132.208.x.y/fog/management/other/ca.cert.der into your browser

Tom Elliott

Understand:

VPN is intended to allow external access to internal resources. Maybe I don’t understand your situation. That’s okay, I don’t need to, but this is seeming to be extremely convoluted.

1. You have local private spaces machines who access fog via local private calls: eg foglabunix or 192.168.x.x

2. You have VPN to access public up space with no DNS and only accessible through VPN connectivity? Why this? If the purpose of the VPN public IP is to get access to the fog server, why do VPN to a public IP that’s only accessible when VPN is enabled? Why not have the VPN connect so you can reach the local resources as they stand.

3. Reverse proxy != to proxy. It works in reverse. Meaning instead of all internal to external traffic being filtered to it, all external requests come to it and send to internal resources. It shouldn’t require login as it’s meant to be a central request point. Meaning it doesn’t give away local resources but provides the local resources you are requesting through the reverse proxy. So you don’t run risk of ssh attacks to multiple machines and whatnot.

marted

@Sebastian-Roth thanks for the complete explanation about reverse VPN. Maybe me with my poor English, I’m not capable to explain you in details like I want the network configuration in the university (unfortunately we speak french here in Quebec, Canada better than English:) ), but I truly understand what you wrote and I appreciate the time you spent for that.
Everything works fine now, I was capable to generate a second certificate with 132.208 and I installed in my access computer. Thanks again.

marted

@Sebastian-Roth I reinstalled With the options you suggested -S -K -C and web aces fro my home worked fine but this morning when I tried to boot a computer in my lab it gives permission denied error. I checked the error on the website of iPXE it says problem with the certificate. I reinstalled the server two times once only with -S only (same error) and second time with -S -C - K I thought maybe iPXE was not compiled well , but still same error. Before l’installation I fixed the .fogsetings with the real IP 192.168…
the permissions are correct for iPXE in var/www
Any suggestions? Thanks!

Sebastian Roth

@marted Manually run the compile script to see if it throws any errors:

cd fogproject/utils/FOGiPXE
./buildipxe.sh