FOG/Apache PKI/Certificate Authentication

Sebastian Roth · Dec 17, 2019, 9:02 AM

@ty900000 Yes, it’d be great if you share your changes with us. Though we probably won’t add this feature to the soon to come 1.5.8 release (only bug fixing) but to FOG 1.6…

ty900000 · Dec 17, 2019, 12:49 PM

@Sebastian-Roth said in FOG/Apache PKI/Certificate Authentication:

@ty900000 Yes, it’d be great if you share your changes with us. Though we probably won’t add this feature to the soon to come 1.5.8 release (only bug fixing) but to FOG 1.6…

Right, sounds good. Do you all have a preferred method as to where I can send stuff?

Thanks again everyone!

Sebastian Roth · Dec 17, 2019, 5:34 PM

@ty900000 Usually opening a pull request on github is the best way. But in this case I am not exactly sure if it is. Do you have an account with github.com yet? Do you know how to fork our project and send a pull request?

ty900000 · Dec 17, 2019, 7:37 PM

@Sebastian-Roth

I think I managed to do it properly. Let me know if I need to change anything. Thanks!

ty900000 · Dec 18, 2019, 4:03 PM

Looks like everything is happy on Github. I see Mr. Tom Elliott has take a quick look at it already.

While that is being looked over and decided on what updates I need to make, I wanted to reach out and see if anyone could help me with the iPXE issue I am still having. If I try to boot iPXE over HTTPS, I get this error http://ipxe.org/err/1c0de8. I don’t know if iPXE technically needs HTTPS? Does that mean the imaging process is unencrypted?

Thanks to everyone for the assistance! I really appreciate all the hard work!

Sebastian Roth · Dec 18, 2019, 7:03 PM

@ty900000 Tom Elliott is FOG’s senior developer. I just send a few more comments.

About the iPXE issue. I think what you are running into is described here as well: https://forums.fogproject.org/topic/12768/not-able-to-tftp-boot-invalid-argument-error

Probably best if we use this forum thread to discuss this iPXE issue to keep things sorted. Read through the whole thread and also check out my posts in the iPXE forums and on the developers mailing list. Unfortunately they haven’t been very active over the last months/year and we’d probably need to fix this ourselves and send in a pull request. Last year I have spent some ours to try and fix this but it’s just over my head and time budged right now.

ty900000 · Dec 18, 2019, 2:59 PM

@Sebastian-Roth

Yes! I’ve seen Mr. Elliott around everywhere on these forums offering his wisdom for years.

I read over that forum post about iPXE and it does seem like you did run into a specific issue and then iPXE (the organization) got busy or disappeared. I have an idea after reading over some iPXE documentation, but I have a question first. When I run buildipxe.sh and it makes the new files and then copies them to the right directories, do I have to restart any services for that to take effect?

The reason I ask is because I modified buildipxe.sh and completely removed the BUILDOPTS from all four make calls (BIOS and EFI, regular and 10secdelay). So, the iPXE that gets created should not have custom certificates loaded into it, right? If that’s true, I am seeing some weird behavior. Even when I reboot the FOG server, attempt to iPXE boot, it fails and I hop into the iPXE shell, I run a certstat and it still displays my custom CA certificates as being [PERMANENT]. That shouldn’t be happening?

Sebastian Roth · Dec 18, 2019, 9:16 PM

@ty900000 said:

When I run buildipxe.sh and it makes the new files and then copies them to the right directories, do I have to restart any services for that to take effect?

No restart needed but you need to manually copy the binaries from fogproject-source/packages/tftp/ to /tftpboot/ directory!

ty900000 · Dec 19, 2019, 3:30 PM

@Sebastian-Roth

Gotcha. Yeah, I feel foolish. I apologize!

I had an idea based off this webpage: http://ipxe.org/crypto#embedded_certificates. I noticed in the client certificate section when making ipxe you can add in a client certificate and its private key. I attempted to do this in various ways, but never got it to work. It did load the client certificate and the chain of CAs, but I still got the same error (http://ipxe.org/err/1c0de8). I saw you previously attempted to comment out the offending lines and then got a “cert too big” error.

The weird thing is I could use the certstore command and the HTTP address of my OCSP server and pull in a random certificate (just to verify) and the command did connect and pull in the certificate. So, there is definitely something strange with iPXE, HTTPS, and connecting to itself.

That was the only idea I really had, unfortunately. I don’t know where to go next or if it should just be counted as a loss.

Sebastian Roth · Dec 19, 2019, 4:00 PM

@ty900000 said in FOG/Apache PKI/Certificate Authentication:

That was the only idea I really had, unfortunately. I don’t know where to go next or if it should just be counted as a loss.

Good question. I would think that someone with a little bit of C programing skills and a fair amount of time could work this out for sure. I just lack the time to work on this. Do you know anyone who’d be keen? I can post all the details I know and give hints when needed.

ty900000 · Dec 20, 2019, 7:19 PM

@Sebastian-Roth said in FOG/Apache PKI/Certificate Authentication:

Do you know anyone who’d be keen?

No, unfortunately I don’t know anyone who is a C programmer. Most of the people I work with are .NET programmers… But, I can ask around to see if there are any other people on different teams who work with C.

I know you guys are super busy and this isn’t super important, so no worries!

ty900000 · Jan 13, 2020, 6:21 PM

@Sebastian-Roth

Yes, sir! My apologies for not doing this sooner.

https://forums.fogproject.org/topic/14116/development-fog-not-capturing-image-partclone-update

FOG/Apache PKI/Certificate Authentication

213

12.0k

17.3k

155.2k