    2019...a step by step activating ssl and complying iPXE with it

    • M
      marted @Sebastian Roth
      last edited by

      @Sebastian-Roth thanks for the complete explanation about reverse VPN. Maybe with my poor English I'm not able to explain to you in detail, as I would like, the network configuration at the university (unfortunately we speak French here in Quebec, Canada, better than English :) ), but I truly understand what you wrote and I appreciate the time you spent on that.
      Everything works fine now. I was able to generate a second certificate with 132.208 and I installed it on my access computer. Thanks again.

      • M
        marted @Sebastian Roth
        last edited by marted

        @Sebastian-Roth I reinstalled with the options you suggested, -S -K -C, and web access from my home worked fine, but this morning when I tried to boot a computer in my lab it gives a permission denied error. I checked the error on the iPXE website; it says there is a problem with the certificate. I reinstalled the server two times, once with -S only (same error) and the second time with -S -C -K, as I thought maybe iPXE was not compiled well, but still the same error. Before the installation I fixed the .fogsettings with the real IP 192.168…
        The permissions are correct for iPXE in var/www.
        Any suggestions? Thanks!
        • S
          Sebastian Roth Moderator
          last edited by

          @marted Manually run the compile script to see if it throws any errors:

          cd fogproject/utils/FOGiPXE
          ./buildipxe.sh
          

          Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

          Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

          • M
            marted @Sebastian Roth
            last edited by

            @Sebastian-Roth No errors. Do I have to copy the new files compiled manually to /tftpboot?

            • M
              marted @Sebastian Roth
              last edited by Sebastian Roth

              @Sebastian-Roth I completely reinstalled FOG as http (I deleted everything, left only /images and users). Works fine.
              It boots well in http. Reinstalled again with -S only, again the same problem.
              Output from https://192.168.149.43/fog/service/ipxe/boot.php in a web browser. I even changed the permissions of the boot.php file on the server, but no effect:

              #!ipxe
              set fog-ip 192.168.149.43
              set fog-webroot fog
              set boot-url https://${fog-ip}/${fog-webroot}
              cpuid --ext 29 && set arch x86_64 || set arch i386
              goto get_console
              :console_set
              colour --rgb 0x00567a 1 ||
              colour --rgb 0x00567a 2 ||
              colour --rgb 0x00567a 4 ||
              cpair --foreground 7 --background 2 2 ||
              goto MENU
              :alt_console
              cpair --background 0 1 ||
              cpair --background 1 2 ||
              goto MENU
              :get_console
              console --picture https://192.168.149.43/fog/service/ipxe/bg.png --left 100 --right 80 && goto console_set || goto alt_console
              :MENU
              menu
              colour --rgb 0xff0000 0 ||
              cpair --foreground 1 1 ||
              cpair --foreground 0 3 ||
              cpair --foreground 4 4 ||
              item --gap Host is NOT registered!
              item --gap -- -------------------------------------
              item fog.local Boot from hard disk
              item fog.memtest Run Memtest86+
              item fog.reginput Perform Full Host Registration and Inventory
              item fog.reg Quick Registration and Inventory
              item fog.deployimage Deploy Image
              item fog.multijoin Join Multicast Session
              item fog.sysinfo Client System Information (Compatibility)
              choose --default fog.local --timeout 3000 target && goto ${target}
              :fog.local
              sanboot --no-describe --drive 0x80 || goto MENU
              :fog.memtest
              kernel memdisk initrd=memtest.bin iso raw
              initrd memtest.bin
              boot || goto MENU
              :fog.reginput
              kernel bzImage32 loglevel=4 initrd=init_32.xz root=/dev/ram0 rw ramdisk_size=275000 web=https://192.168.149.43/fog/ consoleblank=0 rootfstype=ext4 storage=192.168.149.43:/images/ storageip=192.168.149.43 loglevel=4 mode=manreg
              imgfetch init_32.xz
              boot || goto MENU
              :fog.reg
              kernel bzImage32 loglevel=4 initrd=init_32.xz root=/dev/ram0 rw ramdisk_size=275000 web=https://192.168.149.43/fog/ consoleblank=0 rootfstype=ext4 storage=192.168.149.43:/images/ storageip=192.168.149.43 loglevel=4 mode=autoreg
              imgfetch init_32.xz
              boot || goto MENU
              :fog.deployimage
              login
              params
              param mac0 ${net0/mac}
              param arch ${arch}
              param username ${username}
              param password ${password}
              param qihost 1
              isset ${net1/mac} && param mac1 ${net1/mac} || goto bootme
              isset ${net2/mac} && param mac2 ${net2/mac} || goto bootme
              param sysuuid ${uuid}
              :fog.multijoin
              login
              params
              param mac0 ${net0/mac}
              param arch ${arch}
              param username ${username}
              param password ${password}
              param sessionJoin 1
              isset ${net1/mac} && param mac1 ${net1/mac} || goto bootme
              isset ${net2/mac} && param mac2 ${net2/mac} || goto bootme
              param sysuuid ${uuid}
              :fog.sysinfo
              kernel bzImage32 loglevel=4 initrd=init_32.xz root=/dev/ram0 rw ramdisk_size=275000 web=https://192.168.149.43/fog/ consoleblank=0 rootfstype=ext4 storage=192.168.149.43:/images/ storageip=192.168.149.43 loglevel=4 mode=sysinfo
              imgfetch init_32.xz
              boot || goto MENU
              :bootme
              chain -ar https://192.168.149.43/fog/service/ipxe/boot.php##params ||
              goto MENU
              autoboot
              
              • S
                Sebastian Roth Moderator
                last edited by

                @marted said in 2019...a step by step activating ssl and complying iPXE with it:

                No errors. Do I have to copy the new files compiled manually to /tftpboot?

                Yes, after manually running the compile script you need to copy the new iPXE files from fogproject/packages/tftp/ to the /tftpboot/ directory!

                If you use the installer it will do the copy for you.

                Reinstalled again with -S only, again the same problem.

                I am wondering if the modification I told you to test is causing the problem. As I said, your setup is special and not something many people have tried before. I will do a test install and see if it works for me.

                • M
                  marted @Sebastian Roth
                  last edited by

                  @Sebastian-Roth thank you. Meanwhile I switched to http and am continuing with my tests. It works fine, like always, on http. I have an impression that iPXE doesn't get the correct certificate or doesn't compile it at all.
                  How can I check that?

                  • S
                    Sebastian Roth Moderator
                    last edited by Sebastian Roth

                    @marted I just did a plain test:

                    1. Clean Debian 10 install (from my point it shouldn’t matter which OS you use but just noting it here in case you’d ask - I had a ready set VM at hand so I took that for testing).
                    2. Installed FOG 1.5.7 using no parameters, just ./installfog.sh
                    3. Tested PXE boot on http:// works fine
                    4. Edited /opt/fog/.fogsettings and changed hostname= as mentioned earlier
                    5. Re-ran the installer and let it regenerate CA, key and certs: ./installfog.sh -S -C -K
                      (6. Opened web UI, checked the certificate and found the changed alternative name in there - just a test to see if my changed hostname setting results in a changed certificate - it does)
                    7. PXE booted client, this time https:// and works perfectly fine!

                    I have an impression that iPXE doesn't get the correct certificate or doesn't compile it at all.
                    How can I check that?

                    I guess you are right with this. Unfortunately I don’t know a method to check if the iPXE binaries do have the right certificates injected other than PXE booting them.

                    In some of the pictures you posted I noticed that you seem to run the installer as sudo ./installfog.sh. Please don’t do this! It can have side effects that may cause issues. Change to a proper root shell (using sudo -i or sudo su -, the last hyphen is important!) for running the installer!

                    Besides that, you might check file modification to see if the iPXE files are being updated properly:

                    ls -al /home/foglabunix/Desktop/fogproject/packages/tftp/undionly.kpxe
                    ls -al /tftpboot/undionly.kpxe
                    

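The file check suggested in the post above, extended from one `ls -al` pair to a byte-for-byte comparison of every file in the build output against its copy in the TFTP root. This is an added example, not part of the thread or of FOG; the function name `check_ipxe_sync` is hypothetical and the two directories in the usage comment are the ones named in the posts.

```sh
#!/bin/sh
# Added example: find iPXE binaries that were rebuilt (for instance after the
# CA and certificates were regenerated) but never copied to the TFTP root.
#
# check_ipxe_sync BUILD_DIR TFTP_DIR
#   prints one line per built file: OK / STALE / MISSING
#   exit status: 0 = all deployed copies match, 1 = at least one does not,
#                2 = bad arguments or empty build directory
# The body runs in a subshell, so the cd and the variables stay local.
check_ipxe_sync() (
    build_dir=$1
    # Resolve the TFTP root to an absolute path before changing directory.
    tftp_dir=$(cd "$2" 2>/dev/null && pwd) ||
        { echo "ERROR: no such TFTP directory: $2" >&2; exit 2; }
    cd "$build_dir" 2>/dev/null ||
        { echo "ERROR: no such build directory: $build_dir" >&2; exit 2; }

    # Walk every regular file below the build output, sub-directories included.
    report=$(find . -type f | sort | while IFS= read -r rel; do
        rel=${rel#./}
        if [ ! -f "$tftp_dir/$rel" ]; then
            echo "MISSING  $rel"
        elif ! cmp -s "$rel" "$tftp_dir/$rel"; then
            # Content differs: clients are still served an older build.
            echo "STALE    $rel"
        else
            echo "OK       $rel"
        fi
    done)

    [ -n "$report" ] ||
        { echo "ERROR: no files found in $build_dir" >&2; exit 2; }
    printf '%s\n' "$report"

    # Any line that is not OK means the deployed set is out of sync.
    if printf '%s\n' "$report" | grep -qv '^OK '; then
        exit 1
    fi
    exit 0
)

# Usage, from a root shell, with the paths used in this thread:
#   check_ipxe_sync fogproject/packages/tftp /tftpboot
```

A clean result only shows that the TFTP server hands out the binaries that were just built; it does not inspect which certificate was embedded in them.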
                    • S
                      Sebastian Roth Moderator
                      last edited by

                      @marted Just in case you are still keen to use FOG with HTTPS: https://forums.fogproject.org/topic/14115/boot-php-permission-denied

                      • M
                        marted
                        last edited by

                        @Sebastian-Roth Thank you
