Problem to join a domain (SSL problem ?)



  • Dear all,

    Before asking, I did a lot of searching (I spent all of yesterday searching and reading) but I don’t understand.

    Here is the config:
    Server
    FOG 1.5.7
    OS: Debian 8

    Client
    FOG Client 0.11.16
    OS: Windows 10 1803

    So, I configured my host like this:
    AD Parameter.jpg

    I verified the password, it’s correct, but when I deploy my image (without error) the computer doesn’t join the domain. When I join it “manually” on the machine (via System) it works.

    I launched the debugger on the machine, and I get this error:
    PrtScr capture_2.jpg

    The “fog.log” on the machine says this:
    PrtScr capture_3.jpg

    On the machine, I added our own CA to “Trusted Root Certification Authorities”, and it’s working, as you can see: PrtScr capture.png

    I also checked the apache2 log and I always see the same error (one error per minute):

    [Tue Nov 26 10:43:16.407986 2019] [proxy_fcgi:error] [pid 13213] [client 10.0.200.201:54419] AH01071: Got error 'PHP message: PHP Fatal error:  Uncaught exception 'Exception' with message '#!im' in /var/www/html/fog/lib/fog/fogbase.class.php:584\nStack trace:\n#0 /var/www/html/fog/lib/client/registerclient.class.php(47): FOGBase::getHostItem(true, false, false, true)\n#1 /var/www/html/fog/lib/fog/fogpage.class.php(3013): RegisterClient->json()\n#2 /var/www/html/fog/lib/fog/fogpage.class.php(249): FOGPage->requestClientInfo()\n#3 /var/www/html/fog/lib/pages/dashboardpage.class.php(76): FOGPage->__construct('Dashboard')\n#4 /var/www/html/fog/lib/fog/loadglobals.class.php(67): DashboardPage->__construct()\n#5 /var/www/html/fog/lib/fog/loadglobals.class.php(81): LoadGlobals::_init()\n#6 /var/www/html/fog/commons/base.inc.php(49): LoadGlobals->__construct()\n#7 /var/www/html/fog/management/index.php(22): require('/var/www/html/f...')\n#8 {main}\n  thrown in /var/www/html/fog/lib/fog/fogbase.class.php on line 584\n'
    
    

    and also this :

    [Tue Nov 26 06:25:05.307698 2019] [ssl:warn] [pid 27789] AH01909: 10.0.150.15:443:0 server certificate does NOT include an ID which matches the server name
    [Tue Nov 26 06:25:05.308126 2019] [mpm_prefork:notice] [pid 27789] AH00163: Apache/2.4.10 (Debian) OpenSSL/1.0.1t configured -- resuming normal operations
    [Tue Nov 26 06:25:05.308143 2019] [core:notice] [pid 27789] AH00094: Command line: '/usr/sbin/apache2'
    

    Do you think the domain problem could come from the SSL problem?
    I didn’t specify my CA when I generated the binaries with ./opt/fog/utils/FOGiPXE/buildipxe.sh during the install; could it come from there?

    Thank you for the help!



  • @Sebastian-Roth

    Ohh thank you! It works now! :)

    I didn’t know if I had to log on and then reboot manually to join the domain.

    I noticed that I have to wait 3-4 minutes after the first boot for the automatic reboot, and then the PC is in the domain!

    Thanks a lot for the help, the problem is now solved!


  • Senior Developer

    @loutrage Yes, you need to install the fog-client on your host(s). It’s not something FOG does automatically. Usually people install the fog-client on the “mother” image and deploy that to all the hosts.

    16/12/2019 10:50 HostnameChanger Users still logged in and enforce is disabled, delaying any further actions

    Now this time the client communication seems fine. But it doesn’t try to join the domain because a user is still logged in to the host and the force option (host’s AD settings -> Name Change/AD Join Forced reboot?) is not enabled.
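    As an added example (not part of this thread and not FOG project code), the following Python script runs the same triage over fog.log lines that the developer does by eye here: did the client authenticate, which scheme (http or https) does it use to reach the server, and is HostnameChanger deferring the join because a user is still logged in. The sample lines are copied from the fog.log posted further down in this thread and trimmed; the line format assumed by the regex, the report keys and the verdict wording are my own.

```python
"""Triage a FOG client log (fog.log) for why an AD join did not happen.

Added example, not FOG project code. Log line format assumed from the
log posted in this thread:  "DD/MM/YYYY HH:MM <Component> <message>".
"""
import re

LINE_RE = re.compile(r"^\s*(\d{2}/\d{2}/\d{4} \d{2}:\d{2}) (\S+) (.*)$")

# Constructed sample: lines copied from the fog.log posted in this thread, trimmed
# to the ones the triage cares about (banner lines kept to show they are skipped).
SAMPLE_LOG = r"""
 16/12/2019 10:48 Client-Info Version: 0.11.16
 16/12/2019 10:48 Middleware::Communication Download: http://10.0.150.15/fog/management/other/ssl/srvpublic.crt
 16/12/2019 10:48 Data::RSA FOG Server CA cert found
 16/12/2019 10:48 Middleware::Authentication Cert OK
 16/12/2019 10:48 Middleware::Authentication No token found at C:\Program Files (x86)\FOG\token.dat, this is expected if the client has not authenticated before
 16/12/2019 10:48 Middleware::Authentication ERROR: Could not get security token
 16/12/2019 10:48 Middleware::Communication POST URL: http://10.0.150.15/fog/management/index.php?sub=requestClientInfo&authorize&newService
 16/12/2019 10:48 Middleware::Response Success
 16/12/2019 10:48 Middleware::Authentication Authenticated
------------------------------------------------------------------------------
--------------------------------HostnameChanger-------------------------------
------------------------------------------------------------------------------
 16/12/2019 10:48 Client-Info Client Version: 0.11.16
 16/12/2019 10:48 Client-Info Server Version: 1.5.7
 16/12/2019 10:48 Middleware::Response Success
 16/12/2019 10:48 HostnameChanger Users still logged in and enforce is disabled, delaying any further actions
 16/12/2019 10:48 Service Sleeping for 94 seconds
 16/12/2019 10:50 HostnameChanger Users still logged in and enforce is disabled, delaying any further actions
"""


def parse_fog_log(text):
    """Yield (timestamp, component, message) per log line; banners and blanks are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            yield m.groups()


def triage(text):
    """Collect the facts that decide whether a domain join can happen at all."""
    report = {
        "client_version": None,
        "server_version": None,
        "schemes": set(),         # http / https seen in server URLs
        "auth_errors": [],        # Middleware::Authentication ERROR lines
        "authenticated": False,   # a later "Authenticated" line wins over earlier errors
        "join_delayed_at": [],    # timestamps of HostnameChanger deferrals
    }
    for ts, component, msg in parse_fog_log(text):
        if component == "Middleware::Communication":
            report["schemes"].update(re.findall(r"\b(https?)://", msg))
        elif component == "Middleware::Authentication":
            if msg == "Authenticated":
                report["authenticated"] = True
            elif msg.startswith("ERROR:"):
                report["auth_errors"].append(msg)
        elif component == "HostnameChanger" and "Users still logged in" in msg:
            report["join_delayed_at"].append(ts)
        elif component == "Client-Info":
            if msg.startswith(("Version:", "Client Version:")):
                report["client_version"] = msg.split(":", 1)[1].strip()
            elif msg.startswith("Server Version:"):
                report["server_version"] = msg.split(":", 1)[1].strip()
    return report


def verdict(report):
    """One-line diagnosis, checked in the order the developer checks it in this thread."""
    if not report["authenticated"]:
        return "client never authenticated: " + "; ".join(report["auth_errors"] or ["no error line"])
    scheme = ",".join(sorted(report["schemes"])) or "unknown scheme"
    delays = len(report["join_delayed_at"])
    if delays:
        return (f"client authenticated over {scheme}; AD join delayed {delays} times "
                "because a user is logged in and 'AD Join Forced reboot' is off")
    return f"client authenticated over {scheme}; no join-blocking condition in this log"


if __name__ == "__main__":
    print(verdict(triage(SAMPLE_LOG)))
```

    Note that the first-contact sequence (no token.dat, "Could not get security token", then "Authenticated") is normal for a freshly installed client, which is why the verdict keys on the later Authenticated line rather than on the earlier ERROR lines.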



  • @Sebastian-Roth

    Hello, sorry for the long delay in answering: holidays and a lot of work, I didn’t have time to answer before.

    Thank you for the explanation about the certificates, it’s clear now.

    I’m still trying to join my domain when a machine is deployed, but I still have the same problem.

    So I checked for the file “fog.log” but it wasn’t there; the fog client isn’t installed on the machine.
    Is that normal, or do I have to install it on my “mother” image before deploying?

    To be sure and to start from a new solid base, I started from zero with a new, up-to-date machine (Debian 10), so it’s a totally fresh install with the latest version of Debian and FOG, without SSL activated.

    I deployed my image and had the same problem: no FOG Client, so I installed it manually with the “Smart Installer”, not the Network Installer. I rebooted the machine and here is the content of the fog.txt:

     16/12/2019 10:48 Main Overriding exception handling
     16/12/2019 10:48 Main Bootstrapping Zazzles
     16/12/2019 10:48 Controller Initialize
     16/12/2019 10:48 Controller Start
     
     16/12/2019 10:48 Service Starting service
     16/12/2019 10:48 Bus Became bus server
     16/12/2019 10:48 Bus Emmiting message on channel: Status
     16/12/2019 10:48 Service Invoking early JIT compilation on needed binaries
     
    ------------------------------------------------------------------------------
    --------------------------------Authentication--------------------------------
    ------------------------------------------------------------------------------
     16/12/2019 10:48 Client-Info Version: 0.11.16
     16/12/2019 10:48 Client-Info OS:      Windows
     16/12/2019 10:48 Middleware::Authentication Waiting for authentication timeout to pass
     16/12/2019 10:48 Middleware::Communication Download: http://10.0.150.15/fog/management/other/ssl/srvpublic.crt
     16/12/2019 10:48 Data::RSA FOG Server CA cert found
     16/12/2019 10:48 Middleware::Authentication Cert OK
     16/12/2019 10:48 Middleware::Authentication No token found at C:\Program Files (x86)\FOG\token.dat, this is expected if the client has not authenticated before
     16/12/2019 10:48 Middleware::Authentication ERROR: Could not get security token
     16/12/2019 10:48 Middleware::Authentication ERROR: Could not find file 'C:\Program Files (x86)\FOG\token.dat'.
     16/12/2019 10:48 Middleware::Communication POST URL: http://10.0.150.15/fog/management/index.php?sub=requestClientInfo&authorize&newService
     16/12/2019 10:48 Middleware::Response Success
     16/12/2019 10:48 Middleware::Authentication Authenticated
     
     
     16/12/2019 10:48 Middleware::Communication URL: http://10.0.150.15/fog/management/index.php?sub=requestClientInfo&configure&newService&json
     16/12/2019 10:48 Middleware::Response Success
     16/12/2019 10:48 Middleware::Communication URL: http://10.0.150.15/fog/management/index.php?sub=requestClientInfo&mac=00:50:56:87:8F:1A|0A:00:27:00:00:05&newService&json
     16/12/2019 10:48 Middleware::Response Success
     16/12/2019 10:48 Middleware::Communication URL: http://10.0.150.15/fog/service/getversion.php?clientver&newService&json
     16/12/2019 10:48 Middleware::Communication URL: http://10.0.150.15/fog/service/getversion.php?newService&json
     
     16/12/2019 10:48 Service Creating user agent cache
     16/12/2019 10:48 Middleware::Response Invalid time
     16/12/2019 10:48 Middleware::Response No Printers
     16/12/2019 10:48 Middleware::Response Module is disabled globally on the FOG server
     16/12/2019 10:48 Service Initializing modules
     
    ------------------------------------------------------------------------------
    ---------------------------------ClientUpdater--------------------------------
    ------------------------------------------------------------------------------
     16/12/2019 10:48 Client-Info Client Version: 0.11.16
     16/12/2019 10:48 Client-Info Client OS:      Windows
     16/12/2019 10:48 Client-Info Server Version: 1.5.7
     16/12/2019 10:48 Middleware::Response Success
    ------------------------------------------------------------------------------
     
     
    ------------------------------------------------------------------------------
    ----------------------------------TaskReboot----------------------------------
    ------------------------------------------------------------------------------
     16/12/2019 10:48 Client-Info Client Version: 0.11.16
     16/12/2019 10:48 Client-Info Client OS:      Windows
     16/12/2019 10:48 Client-Info Server Version: 1.5.7
     16/12/2019 10:48 Middleware::Response Success
    ------------------------------------------------------------------------------
     
     
    ------------------------------------------------------------------------------
    --------------------------------HostnameChanger-------------------------------
    ------------------------------------------------------------------------------
     16/12/2019 10:48 Client-Info Client Version: 0.11.16
     16/12/2019 10:48 Client-Info Client OS:      Windows
     16/12/2019 10:48 Client-Info Server Version: 1.5.7
     16/12/2019 10:48 Middleware::Response Success
     16/12/2019 10:48 HostnameChanger Users still logged in and enforce is disabled, delaying any further actions
    ------------------------------------------------------------------------------
     
     
    ------------------------------------------------------------------------------
    ---------------------------------SnapinClient---------------------------------
    ------------------------------------------------------------------------------
     16/12/2019 10:48 Client-Info Client Version: 0.11.16
     16/12/2019 10:48 Client-Info Client OS:      Windows
     16/12/2019 10:48 Client-Info Server Version: 1.5.7
     16/12/2019 10:48 Middleware::Response No snapins
    ------------------------------------------------------------------------------
     
     
    ------------------------------------------------------------------------------
    --------------------------------PrinterManager--------------------------------
    ------------------------------------------------------------------------------
     16/12/2019 10:48 Client-Info Client Version: 0.11.16
     16/12/2019 10:48 Client-Info Client OS:      Windows
     16/12/2019 10:48 Client-Info Server Version: 1.5.7
     16/12/2019 10:48 Middleware::Response No Printers
    ------------------------------------------------------------------------------
     
     
    ------------------------------------------------------------------------------
    --------------------------------PowerManagement-------------------------------
    ------------------------------------------------------------------------------
     16/12/2019 10:48 Client-Info Client Version: 0.11.16
     16/12/2019 10:48 Client-Info Client OS:      Windows
     16/12/2019 10:48 Client-Info Server Version: 1.5.7
     16/12/2019 10:48 Middleware::Response Success
     16/12/2019 10:48 PowerManagement Calculating tasks to unschedule
     16/12/2019 10:48 PowerManagement Calculating tasks to schedule
    ------------------------------------------------------------------------------
     
     
    ------------------------------------------------------------------------------
    ----------------------------------UserTracker---------------------------------
    ------------------------------------------------------------------------------
     16/12/2019 10:48 Client-Info Client Version: 0.11.16
     16/12/2019 10:48 Client-Info Client OS:      Windows
     16/12/2019 10:48 Client-Info Server Version: 1.5.7
     16/12/2019 10:48 Middleware::Response Success
     16/12/2019 10:48 Middleware::Communication URL: http://10.0.150.15/fog/service/usertracking.report.php?action=login&user=Corners-Test\Exploitation&mac=00:50:56:87:8F:1A|0A:00:27:00:00:05&newService&json
    ------------------------------------------------------------------------------
     
     16/12/2019 10:48 Service Sleeping for 94 seconds
     16/12/2019 10:50 Middleware::Communication URL: http://10.0.150.15/fog/management/index.php?sub=requestClientInfo&configure&newService&json
     16/12/2019 10:50 Middleware::Response Success
     16/12/2019 10:50 Middleware::Communication URL: http://10.0.150.15/fog/management/index.php?sub=requestClientInfo&mac=00:50:56:87:8F:1A|0A:00:27:00:00:05&newService&json
     16/12/2019 10:50 Middleware::Response Success
     16/12/2019 10:50 Middleware::Communication URL: http://10.0.150.15/fog/service/getversion.php?clientver&newService&json
     16/12/2019 10:50 Middleware::Communication URL: http://10.0.150.15/fog/service/getversion.php?newService&json
     
     16/12/2019 10:50 Service Creating user agent cache
     16/12/2019 10:50 Middleware::Response Invalid time
     16/12/2019 10:50 Middleware::Response No Printers
     16/12/2019 10:50 Middleware::Response Module is disabled globally on the FOG server
     
    ------------------------------------------------------------------------------
    ---------------------------------ClientUpdater--------------------------------
    ------------------------------------------------------------------------------
     16/12/2019 10:50 Client-Info Client Version: 0.11.16
     16/12/2019 10:50 Client-Info Client OS:      Windows
     16/12/2019 10:50 Client-Info Server Version: 1.5.7
     16/12/2019 10:50 Middleware::Response Success
    ------------------------------------------------------------------------------
     
     
    ------------------------------------------------------------------------------
    ----------------------------------TaskReboot----------------------------------
    ------------------------------------------------------------------------------
     16/12/2019 10:50 Client-Info Client Version: 0.11.16
     16/12/2019 10:50 Client-Info Client OS:      Windows
     16/12/2019 10:50 Client-Info Server Version: 1.5.7
     16/12/2019 10:50 Middleware::Response Success
    ------------------------------------------------------------------------------
     
     
    ------------------------------------------------------------------------------
    --------------------------------HostnameChanger-------------------------------
    ------------------------------------------------------------------------------
     16/12/2019 10:50 Client-Info Client Version: 0.11.16
     16/12/2019 10:50 Client-Info Client OS:      Windows
     16/12/2019 10:50 Client-Info Server Version: 1.5.7
     16/12/2019 10:50 Middleware::Response Success
     16/12/2019 10:50 HostnameChanger Users still logged in and enforce is disabled, delaying any further actions
    ------------------------------------------------------------------------------
     
     
    ------------------------------------------------------------------------------
    ---------------------------------SnapinClient---------------------------------
    ------------------------------------------------------------------------------
     16/12/2019 10:50 Client-Info Client Version: 0.11.16
     16/12/2019 10:50 Client-Info Client OS:      Windows
     16/12/2019 10:50 Client-Info Server Version: 1.5.7
     16/12/2019 10:50 Middleware::Response No snapins
    ------------------------------------------------------------------------------
     
     
    ------------------------------------------------------------------------------
    --------------------------------PrinterManager--------------------------------
    ------------------------------------------------------------------------------
     16/12/2019 10:50 Client-Info Client Version: 0.11.16
     16/12/2019 10:50 Client-Info Client OS:      Windows
     16/12/2019 10:50 Client-Info Server Version: 1.5.7
     16/12/2019 10:50 Middleware::Response No Printers
    ------------------------------------------------------------------------------
     
     
    ------------------------------------------------------------------------------
    --------------------------------PowerManagement-------------------------------
    ------------------------------------------------------------------------------
     16/12/2019 10:50 Client-Info Client Version: 0.11.16
     16/12/2019 10:50 Client-Info Client OS:      Windows
     16/12/2019 10:50 Client-Info Server Version: 1.5.7
     16/12/2019 10:50 Middleware::Response Success
     16/12/2019 10:50 PowerManagement Calculating tasks to unschedule
     16/12/2019 10:50 PowerManagement Calculating tasks to schedule
    ------------------------------------------------------------------------------
     
     
    ------------------------------------------------------------------------------
    ----------------------------------UserTracker---------------------------------
    ------------------------------------------------------------------------------
     16/12/2019 10:50 Client-Info Client Version: 0.11.16
     16/12/2019 10:50 Client-Info Client OS:      Windows
     16/12/2019 10:50 Client-Info Server Version: 1.5.7
     16/12/2019 10:50 Middleware::Response Success
    ------------------------------------------------------------------------------

  • Senior Developer

    @loutrage Are you sure you used these commands in the debugger session?

    middleware configuration server http://x.1x.x.x/fog
    middleware authentication handshake
    

    Actually there is no need to use the fog-client debugger. Just grab the fog.log on a client that fails to join (either in C:\fog.log or C:\Program Files (x86)\FOG\fog.log) and post that here. The log information will help us find why it does not join the domain!

    Finally, I made a new fresh install…
    So FOS works in SSL now with the certificate generated by the machine.

    Ok great, I think this is a good starting point!

    First let me explain some more things. Let’s assume you only use FOG with plain HTTP. The installer will still generate a CA and cert/key because the fog-client uses those certs to encrypt the communication. But this is not standard HTTPS (HTTP within an SSL tunnel) but more like HTTPF - I just made this term up, it doesn’t really exist but this is kind of what we use, plain HTTP with special FOG encrypted content. So from a network kind of view the communication is still normal HTTP and there is no certificate needed for SSL in Apache but for encrypting the message contents.

    Now if you switch to HTTPS using the install option --force-https the Apache webserver config is changed to use the same certificate that is used for encrypting the fog-client messages. Important thing is, that it does also add a forced redirect from HTTP to HTTPS to the Apache config. I have seen this causing problems with the fog-client and so I’d advise you to manually edit C:\Program Files (x86)\FOG\settings.json and change the option HTTPS to 1.

    After we get this working for you we can come back and try to have you use your custom certificate for the FOG web UI. Remember, the fog-client (as it is right now) needs to use the certificate generated by the installer to encrypt its messages. But that doesn’t mean that it also needs to use the same cert for the HTTPS connection. That’s two different things.



  • @Sebastian-Roth

    Finally, I made a new fresh install…

    I follow your post here : https://forums.fogproject.org/topic/13956/2019-a-step-by-step-activating-ssl-and-complying-ipxe-with-it

    So FOS works in SSL now with the certificate generated by the machine.

    I get a certificate error in my browsers and it’s not 100% secure, but it seems to be too complicated to work with our own self-signed certificate.

    In fact, my original (and biggest) problem doesn’t seem to come from there.

    I installed FOG without SSL to try, and it still doesn’t work: I can’t join my domain. I changed the password of the account on my Domain Controller to remove all the special characters and deployed the machine several times; it doesn’t work :/

    And if I join my domain manually, it works…

    Here is the error with the debugger (Problem with the path)
    PrtScr capture_2.jpg



  • @Sebastian-Roth

    Ok, thanks a lot!

    Could the problem joining the domain come from there?

    I notice that the machines are well named by FOS, so I think the fog-client must be able to communicate?


  • Senior Developer

    @loutrage Thanks for posting all the details. Always good to know what exactly was done to better help.

    Yes I have a custom certificate

    As mentioned before there is no way you can make this work with the current fog-client as it is.

    There should be a way to still get this to work in sort of a hybrid way (own CA for HTTPS web UI but FOG CA for fog-client). But I need a bit more time to think it through and write down all the details for you. I’ll get back to you tomorrow.



  • @Sebastian-Roth, thank you for the answer !

    • Yes I used the --force-https option. Here are the steps I used to configure the server:
    * ./installfog.sh -S
    * Copy the private key and the PEM file from our CA machine to the directory /opt/fog/snapins/ssl/
    * Replace the default CA in the directories /etc/apache2/ssl/CA/ and /opt/fog/snapins/ssl/CA/ with our own CA
    * Edit the webserver config with vim /etc/apache2/sites-available/001-fog.conf, then restart apache2
    * Edit the SSL lines to this:
        SSLCertificateFile /opt/fog/snapins/ssl/fog.pem
        SSLCertificateKeyFile /opt/fog/snapins/ssl/fog.key
        #SSLCertificateChainFile /var/www/html/fog//management/other/ca.cert.der
    * Run the script ./opt/fog/utils/FOGiPXE/buildipxe.sh to create new iPXE binaries with the certificate in them.
    * Copy all the files from /opt/fog/packages/tftp to /tftpboot.
    
    • Yes I have a custom certificate

    Here is the content of my VHost :

    <VirtualHost *:80>
        <FilesMatch "\.php$">
            SetHandler "proxy:fcgi://127.0.0.1:9000/"
        </FilesMatch>
        ServerName 10.0.150.15
        ServerAlias corners-fog
        RewriteEngine On
        RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
        RewriteRule .* - [F]
        RewriteRule /management/other/ca.cert.der$ - [L]
        RewriteCond %{HTTPS} off
        RewriteRule (.*) https://%{HTTP_HOST}/$1 [R,L]
    </VirtualHost>
    <VirtualHost *:443>
        KeepAlive Off
        <FilesMatch "\.php$">
            SetHandler "proxy:fcgi://127.0.0.1:9000/"
        </FilesMatch>
        ServerName 10.0.150.15
        ServerAlias corners-fog
        DocumentRoot /var/www/html/
        SSLEngine On
        SSLProtocol all -SSLv3 -SSLv2
        SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
        SSLHonorCipherOrder On
        SSLCertificateFile /opt/fog/snapins/ssl/fog.pem
        SSLCertificateKeyFile /opt/fog/snapins/ssl/fog.key
        #SSLCertificateChainFile /var/www/html/fog//management/other/ca.cert.der
        <Directory /var/www/html/fog/>
            DirectoryIndex index.php index.html index.htm
        </Directory>
        RewriteEngine On
        RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
        RewriteRule .* - [F]
        RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
        RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-d
        RewriteRule ^/fog/(.*)$ /fog/api/index.php [QSA,L]
    </VirtualHost>
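    The AH01909 warning in the first post (“server certificate does NOT include an ID which matches the server name”) means Apache compared this vhost’s ServerName, the IP literal 10.0.150.15, against the certificate at /opt/fog/snapins/ssl/fog.pem and found no matching identity. A DNS: entry or a CN string can never cover an IP ServerName; the cert needs an IP Address: subjectAltName for 10.0.150.15 (and a DNS: entry for the ServerAlias corners-fog). As an added example, not part of this thread and not FOG project code, the following Python extracts the SAN line from `openssl x509 -text` output and applies the matching rules so the mismatch can be checked before touching Apache. The two sample SAN dumps are constructed; check_cert_file assumes the openssl binary is on PATH, and only SAN entries are checked (the CN fallback Apache also tries is deliberately ignored, since browsers ignore it too).

```python
"""Check an Apache ServerName / ServerAlias against a certificate's SAN list.

Added example, not FOG project code. Apache logs AH01909 when neither a
subjectAltName entry nor the CN matches the vhost's ServerName. This checks
the SAN entries only; CN is ignored on purpose.
"""
import ipaddress
import re
import subprocess

# The SAN extension as printed by `openssl x509 -noout -text` (works with OpenSSL 1.0.x too,
# unlike the newer `-ext subjectAltName` option).
SAN_HEADER = re.compile(r"Subject Alternative Name:[^\n]*\n[ \t]*([^\n]*)")
SAN_ENTRY = re.compile(r"(DNS|IP Address|email|URI):([^,\s]+)")

# Constructed samples shaped like the relevant lines of `openssl x509 -text`.
SAMPLE_HOSTNAME_ONLY = """
        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:corners-fog, DNS:*.corners.example
"""
SAMPLE_WITH_IP = """
            X509v3 Subject Alternative Name: 
                DNS:corners-fog, IP Address:10.0.150.15
"""


def parse_san(text):
    """Return [(type, value), ...] from the SAN line of an `openssl x509 -text` dump."""
    m = SAN_HEADER.search(text)
    return SAN_ENTRY.findall(m.group(1)) if m else []


def dns_matches(pattern, hostname):
    """RFC 6125 style: case-insensitive; a wildcard only in the left-most label
    and only for a whole label, so *.a.b matches x.a.b but not y.x.a.b."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def server_name_covered(server_name, sans):
    """True if server_name is matched by a SAN entry of the right type:
    an IP literal only matches 'IP Address', a hostname only matches 'DNS'."""
    try:
        wanted_ip = ipaddress.ip_address(server_name)
    except ValueError:
        wanted_ip = None
    for san_type, value in sans:
        if wanted_ip is not None:
            if san_type != "IP Address":
                continue
            try:
                if ipaddress.ip_address(value) == wanted_ip:
                    return True
            except ValueError:
                continue
        elif san_type == "DNS" and dns_matches(value, server_name):
            return True
    return False


def check_cert_file(pem_path, names):
    """Map each ServerName/ServerAlias to whether the cert at pem_path covers it.
    Assumes the openssl binary is on PATH."""
    dump = subprocess.run(
        ["openssl", "x509", "-in", pem_path, "-noout", "-text"],
        capture_output=True, text=True, check=True,
    ).stdout
    sans = parse_san(dump)
    return {name: server_name_covered(name, sans) for name in names}


if __name__ == "__main__":
    # Cert path and names taken from the vhost posted in this thread.
    results = check_cert_file("/opt/fog/snapins/ssl/fog.pem", ["10.0.150.15", "corners-fog"])
    for name, ok in results.items():
        print(f"{name}: {'covered' if ok else 'NOT covered (expect AH01909)'}")
```

    If the IP comes back as not covered, the fix is on the CA side (reissue the server cert with an IP Address SAN for 10.0.150.15 plus a DNS SAN for corners-fog), not in the Apache config; the warning is harmless for the fog-client itself, which, as the developer explains in this thread, encrypts its messages with the FOG CA cert rather than relying on the HTTPS identity.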
    

  • Senior Developer

    @loutrage said in Problem to join a domain (SSL problem ?):

    On the machine, I added our own CA to “Trusted Root Certification Authorities”, and it’s working, as you can see

    • Did you manually adjust the Apache config to make it use SSL or did you run the FOG installer using the --force-https option?
    • Is this a custom certificate you generated yourself and installed into the FOG server?

    Probably best if you post your full apache config here so we know what exactly you have.

    The fog-client uses certificates to encrypt the communication to the server - similar to what HTTPS does but different. This security model was chosen by the original developer of the fog-client some years ago and even though it has its drawbacks (and I think about changing it when I have more time) it still works quite well in most cases. But you have to be aware that tangling with the certificates will most probably cause issues with the fog-client.

    Please answer the above questions and we’ll see what we can do.

