Problem to join a domain (SSL problem ?)

  • Dear all,

    Before asking, I did a lot of searching (I spent all day yesterday searching and reading), but I don’t understand.

    Here is the config:
    FOG 1.5.7
    OS: Debian 8

    FOG Client 0.11.16
    OS: Windows 10 1803

    So, I configured my host like this:
    AD Parameter.jpg

    I verified the password, it’s correct, but when I deploy my image (without error), the computer doesn’t join the domain. When I join it “manually” on the machine (via System), it works.

    I launched the debugger on the machine, and I have this error:
    PrtScr capture_2.jpg

    The “fog.log” on the machine says this:
    PrtScr capture_3.jpg

    On the machine, I added our own CA to “Trusted Root Certification Authorities”, and it’s working, as you can see: PrtScr capture.png

    I also checked the apache2 log and I always see the same error (one error per minute):

    [Tue Nov 26 10:43:16.407986 2019] [proxy_fcgi:error] [pid 13213] [client] AH01071: Got error 'PHP message: PHP Fatal error:  Uncaught exception 'Exception' with message '#!im' in /var/www/html/fog/lib/fog/fogbase.class.php:584\nStack trace:\n#0 /var/www/html/fog/lib/client/registerclient.class.php(47): FOGBase::getHostItem(true, false, false, true)\n#1 /var/www/html/fog/lib/fog/fogpage.class.php(3013): RegisterClient->json()\n#2 /var/www/html/fog/lib/fog/fogpage.class.php(249): FOGPage->requestClientInfo()\n#3 /var/www/html/fog/lib/pages/dashboardpage.class.php(76): FOGPage->__construct('Dashboard')\n#4 /var/www/html/fog/lib/fog/loadglobals.class.php(67): DashboardPage->__construct()\n#5 /var/www/html/fog/lib/fog/loadglobals.class.php(81): LoadGlobals::_init()\n#6 /var/www/html/fog/commons/ LoadGlobals->__construct()\n#7 /var/www/html/fog/management/index.php(22): require('/var/www/html/f...')\n#8 {main}\n  thrown in /var/www/html/fog/lib/fog/fogbase.class.php on line 584\n'

    and also this:

    [Tue Nov 26 06:25:05.307698 2019] [ssl:warn] [pid 27789] AH01909: server certificate does NOT include an ID which matches the server name
    [Tue Nov 26 06:25:05.308126 2019] [mpm_prefork:notice] [pid 27789] AH00163: Apache/2.4.10 (Debian) OpenSSL/1.0.1t configured -- resuming normal operations
    [Tue Nov 26 06:25:05.308143 2019] [core:notice] [pid 27789] AH00094: Command line: '/usr/sbin/apache2'

    Do you think the problem with the domain can come from the SSL problem?
    I didn’t specify my CA when I generated the binaries ./opt/fog/utils/FOGiPXE/ during the install; can it come from there?

    Thank you for the help!

  • Developer

    @loutrage Are you sure you used these commands in the debugger session?

    middleware configuration server http://x.1x.x.x/fog
    middleware authentication handshake

    Actually there is no need to use the fog-client debugger. Just grab the fog.log on a client that fails to join (either in C:\fog.log or C:\Program Files (x86)\FOG\fog.log) and post that here. The log information will help us find why it does not join the domain!

    Finally, I made a new fresh install…
    So FOS works in SSL now with the certificate generated by the machine.

    Ok great, I think this is a good starting point!

    First let me explain some more things. Let’s assume you only use FOG with plain HTTP. The installer will still generate a CA and cert/key because the fog-client uses those certs to encrypt the communication. But this is not standard HTTPS (HTTP within an SSL tunnel) but more like HTTPF - I just made this term up, it doesn’t really exist, but this is kind of what we use: plain HTTP with special FOG encrypted content. So from a network point of view the communication is still normal HTTP, and no certificate is needed for SSL in Apache, only for encrypting the message contents.

    Now if you switch to HTTPS using the install option --force-https, the Apache webserver config is changed to use the same certificate that is used for encrypting the fog-client messages. The important thing is that it also adds a forced redirect from HTTP to HTTPS to the Apache config. I have seen this causing problems with the fog-client, and so I’d advise you to manually edit C:\Program Files (x86)\FOG\settings.json and change the option HTTPS to 1.

    After we get this working for you we can come back and try to have you use your custom certificate for the FOG web UI. Remember, the fog-client (as it is right now) needs to use the certificate generated by the installer to encrypt its messages. But that doesn’t mean that it also needs to use the same cert for the HTTPS connection. That’s two different things.
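The mismatch described in the post above (a forced HTTP-to-HTTPS redirect on the server while the client's settings.json still has HTTPS set to 0) can be checked mechanically. This is an added example, not part of the original post and not FOG code; the sample vhost and settings content are constructed from the snippets quoted in this thread, and the function names are hypothetical.

```python
import json
import re

# Constructed sample: the port-80 redirect rules from the vhost in this thread.
VHOST = """\
<VirtualHost *:80>
    RewriteEngine On
    RewriteRule /management/other/ca.cert.der$ - [L]
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}/$1 [R,L]
<VirtualHost *:443>
    SSLEngine On
</VirtualHost>
"""
# Constructed sample of settings.json; only the HTTPS option is shown.
SETTINGS = '{"HTTPS": "0"}'


def forces_https(vhost_text):
    """True if a port-80 VirtualHost rewrites requests to an https:// URL."""
    in_80 = False
    for raw in vhost_text.splitlines():
        line = raw.strip()
        opened = re.match(r"<VirtualHost\s+(\S+)>", line, re.I)
        if opened:
            # A new block also ends an unclosed one, as in a truncated paste.
            in_80 = opened.group(1).endswith(":80")
        elif line.lower().startswith("</virtualhost"):
            in_80 = False
        elif in_80 and re.match(r"RewriteRule\s+\S+\s+https://", line, re.I):
            return True
    return False


def client_uses_https(settings_text):
    """True if the HTTPS option is 1, whether stored as a string or a number."""
    return str(json.loads(settings_text).get("HTTPS", "0")).strip() == "1"


def check(vhost_text, settings_text):
    """Return a finding, or None when the client and server settings agree."""
    if forces_https(vhost_text) and not client_uses_https(settings_text):
        return "server redirects HTTP to HTTPS, but the client has HTTPS=0"
    return None


if __name__ == "__main__":
    print(check(VHOST, SETTINGS))
```

The rule that exempts /management/other/ca.cert.der uses `-` as its substitution, so it is not counted as a redirect.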

  • @Sebastian-Roth

    Finally, I made a new fresh install…

    I followed your post here:

    So FOS works in SSL now with the certificate generated by the machine.

    I have a certificate error with my browsers and it’s not 100% secure, but it seems to be too complicated to work with our own self-signed certificate.

    In fact, my original (and biggest) problem doesn’t seem to come from there.

    I installed FOG without SSL to try, and it still doesn’t work, I can’t join my domain. I changed the password of the account on my Domain Controller to remove all the special characters, I deployed the machine several times, it doesn’t work :/

    And if I join my domain manually, it works…

    Here is the error with the debugger (Problem with the path)
    PrtScr capture_2.jpg

  • @Sebastian-Roth

    Ok, thanks a lot!

    Can the problem joining the domain come from there?

    I notice that the machines are well named by FOS, so I think the fog-client must be able to communicate?

  • Developer

    @loutrage Thanks for posting all the details. Always good to know what exactly was done to better help.

    Yes I have a custom certificate

    As mentioned before there is no way you can make this work with the current fog-client as it is.

    There should be a way to still get this to work in sort of a hybrid way (own CA for HTTPS web UI but FOG CA for fog-client). But I need a bit more time to think it through and write down all the details for you. I’ll get back to you tomorrow.

  • @Sebastian-Roth, thank you for the answer!

    • Yes, I used the --force-https option. Here are the steps I used to configure the server:
      * ./ -S
      * Copy the private key and the PEM file from our CA machine to the directory /opt/fog/snapins/ssl/
      * Replace the default CA in the directories /etc/apache2/ssl/CA/ and /opt/fog/snapins/ssl/CA/ with our own CA
      * Edit the config of the webserver with the command vim /etc/apache2/sites-available/001-fog.conf, then restart apache2
      * Change the lines with the SSL links to this:
          SSLCertificateFile /opt/fog/snapins/ssl/fog.pem
          SSLCertificateKeyFile /opt/fog/snapins/ssl/fog.key
          #SSLCertificateChainFile /var/www/html/fog//management/other/ca.cert.der
      * Execute the script from the directory ./opt/fog/utils/FOGiPXE/ to create new binaries for iPXE with the certificate in them.
      * Copy all the files from /opt/fog/packages/tftp to /tftpboot.
    • Yes, I have a custom certificate

    Here is the content of my VHost:

    <VirtualHost *:80>
        <FilesMatch "\.php$">
            SetHandler "proxy:fcgi://"
        </FilesMatch>
        ServerAlias corners-fog
        RewriteEngine On
        RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
        RewriteRule .* - [F]
        RewriteRule /management/other/ca.cert.der$ - [L]
        RewriteCond %{HTTPS} off
        RewriteRule (.*) https://%{HTTP_HOST}/$1 [R,L]
    </VirtualHost>
    <VirtualHost *:443>
        KeepAlive Off
        <FilesMatch "\.php$">
            SetHandler "proxy:fcgi://"
        </FilesMatch>
        ServerAlias corners-fog
        DocumentRoot /var/www/html/
        SSLEngine On
        SSLProtocol all -SSLv3 -SSLv2
        SSLHonorCipherOrder On
        SSLCertificateFile /opt/fog/snapins/ssl/fog.pem
        SSLCertificateKeyFile /opt/fog/snapins/ssl/fog.key
        #SSLCertificateChainFile /var/www/html/fog//management/other/ca.cert.der
        <Directory /var/www/html/fog/>
            DirectoryIndex index.php index.html index.htm
        </Directory>
        RewriteEngine On
        RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
        RewriteRule .* - [F]
        RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
        RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-d
        RewriteRule ^/fog/(.*)$ /fog/api/index.php [QSA,L]
    </VirtualHost>

  • Developer

    @loutrage said in Problem to join a domain (SSL problem ?):

    On the machine, I added our own CA to “Trusted Root Certification Authorities”, and it’s working, as you can see

    • Did you manually adjust the Apache config to make it use SSL, or did you run the FOG installer using the --force-https option?
    • Is this a custom certificate you generated yourself and installed into the FOG server?

    Probably best if you post your full apache config here so we know what exactly you have.

    The fog-client uses certificates to encrypt the communication to the server - similar to what HTTPS does but different. This security model was chosen by the original developer of the fog-client some years ago, and even though it has its drawbacks (and I think about changing it when I have more time), it still works quite well in most cases. But you have to be aware that tangling with the certificates will most probably cause issues with the fog-client.

    Please answer the above questions and we’ll see what we can do.
