Migrated FOG, Clients Not Happy



  • I migrated our FOG install over to a new server. But the clients are not happy and cannot connect to it. Below is the fog.log file.

    I installed the OS (Ubuntu 18.04)
    Installed latest SVN
    Imported backup of our FOG database
    Copied all files from /opt/fog/snapins/ssl to the new server at /opt/fog/snapins/ssl
    Ran FOG installer again
    Reset encryption data on all clients

     12/18/2019 11:53 AM Main Overriding exception handling
     12/18/2019 11:53 AM Main Bootstrapping Zazzles
     12/18/2019 11:53 AM Controller Initialize
     12/18/2019 11:53 AM Controller Start
    
     12/18/2019 11:53 AM Service Starting service
     12/18/2019 11:54 AM Bus Became bus server
     12/18/2019 11:54 AM Bus Emmiting message on channel: Status
     12/18/2019 11:54 AM Service Invoking early JIT compilation on needed binaries
    
    ------------------------------------------------------------------------------
    --------------------------------Authentication--------------------------------
    ------------------------------------------------------------------------------
     12/18/2019 11:54 AM Client-Info Version: 0.11.17
     12/18/2019 11:54 AM Client-Info OS:      Windows
     12/18/2019 11:54 AM Middleware::Authentication Waiting for authentication timeout to pass
     12/18/2019 11:54 AM Middleware::Communication Download: http://fogserver/fog/management/other/ssl/srvpublic.crt
     12/18/2019 11:54 AM Data::RSA FOG Server CA cert found
     12/18/2019 11:54 AM Data::RSA ERROR: Certificate validation failed
     12/18/2019 11:54 AM Data::RSA ERROR: Trust chain did not complete to the known authority anchor. Errors: The signature of the certificate cannot be verified. (NotSignatureValid)
     12/18/2019 11:54 AM Middleware::Authentication ERROR: Could not authenticate
     12/18/2019 11:54 AM Middleware::Authentication ERROR: Certificate is not from FOG CA
    
    ------------------------------------------------------------------------------
    --------------------------------Authentication--------------------------------
    ------------------------------------------------------------------------------
     12/18/2019 11:54 AM Client-Info Version: 0.11.17
     12/18/2019 11:54 AM Client-Info OS:      Windows
     12/18/2019 11:54 AM Middleware::Authentication Waiting for authentication timeout to pass
    
    


  • @Sebastian-Roth

    I’ll have to brush up on the commands for replacing the certs on the clients. Been a long time.


  • Senior Developer

    @Scott-B But you’ll need to reinstall the fog-client software on all your machines too.

    Other than that you might try to use GPO powershell scripting to exchange the certificates on all the machines as well.



  • @Sebastian-Roth

    We were not able to bring his setup back online and reconnect the client. I ended up building a new fresh FOG install and we will reimport the machines as we go around. It’s not too big a deal as we needed an excuse to clean up the database anyway.


  • Senior Developer

    @Scott-B Do you still struggle to get this to work?


  • Senior Developer

    @Scott-B Do you still have a backup copy of your old server?

    Is it possible to take the cert from a client and add it to the server?

    Sorry, no. The key needed is only on your server and never transferred to the clients.



  • @Sebastian-Roth said in Migrated FOG, Clients Not Happy:

    @Scott-B Did you find what was causing this?

    No, I have not. My backup, clients, and current running server all have different thumbprints. I have no idea how that’s happened. Is it possible to take the cert from a client and add it to the server?


  • Senior Developer

    @Scott-B Did you find what was causing this?


  • Senior Developer

    @Scott-B said in Migrated FOG, Clients Not Happy:

    The thumbprint from srvpublic.crt in /var/fog/management/other/ssl on the older server is
    88901133f4640b294ec5f4538e3f098eccadca45

    Watch out! You don’t want to compare apples with pears! What you need is the same CA certificate (same thumbprint) that you had on the old server to be used on the new server as well. The CA cert is originally generated in /opt/fog/snapins/ssl/CA/.fogCA.pem and then copied over to /var/www/html/management/other/ssl/ca.cert.pem - those two files should have the exact same thumbprint. The latter one is used by the fog-client installer to “pin” itself to this exact FOG server. So the certificate you see as “FOG Server CA” on the client should essentially be the exact same as the two mentioned above.
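
Added example (not part of the original thread and not FOG project code): a shell helper that normalizes SHA-1 thumbprints so the colon-separated openssl form and the plain hex form seen in this thread compare correctly, checks both server-side copies of the CA certificate against the thumbprint on a client, and optionally verifies that srvpublic.crt is signed by that CA. The function names, the CA_SRC/CA_WEB variables and the argument order are assumptions made for this example; the two default paths are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: compare FOG CA thumbprints between server copies and a client.
# Default paths are the two quoted in the thread; override via CA_SRC / CA_WEB.
CA_SRC=${CA_SRC:-/opt/fog/snapins/ssl/CA/.fogCA.pem}
CA_WEB=${CA_WEB:-/var/www/html/management/other/ssl/ca.cert.pem}

# Reduce any thumbprint spelling to upper-case hex digits: drops openssl's
# "SHA1 Fingerprint=" prefix, colons, spaces and stray copy/paste characters.
normalize_thumbprint() {
    printf '%s\n' "$1" | sed 's/^.*=//' | tr -cd '0-9A-Fa-f' | tr 'a-f' 'A-F'
}

# SHA-1 thumbprint of a PEM certificate file, normalized.
cert_thumbprint() {
    fp=$(openssl x509 -in "$1" -noout -fingerprint -sha1) || return 1
    normalize_thumbprint "$fp"
}

# 0 = all thumbprints match, 1 = mismatch, 2 = first value is not a SHA-1 thumbprint.
same_thumbprint() {
    first=$(normalize_thumbprint "$1")
    [ "${#first}" -eq 40 ] || return 2
    shift
    for t in "$@"; do
        [ "$(normalize_thumbprint "$t")" = "$first" ] || return 1
    done
    return 0
}

# usage: sh check.sh "<thumbprint from Windows cert store>" [path/to/srvpublic.crt]
main() {
    tp_src=$(cert_thumbprint "$CA_SRC") || return 3
    tp_web=$(cert_thumbprint "$CA_WEB") || return 3
    echo "CA source: $tp_src"
    echo "CA web   : $tp_web"
    echo "client   : $(normalize_thumbprint "$1")"
    same_thumbprint "$tp_src" "$tp_web" "$1" || echo "MISMATCH: these are not the same CA certificate"
    if [ -n "${2:-}" ]; then
        # Mirrors the client's check: is srvpublic.crt signed by the pinned CA?
        openssl verify -CAfile "$CA_SRC" "$2" || echo "srvpublic.crt is not signed by $CA_SRC"
    fi
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

A mismatch between the CA thumbprints is the condition to resolve first; the srvpublic.crt thumbprint is a different certificate and is only useful for the signature check.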



  • @Sebastian-Roth said in Migrated FOG, Clients Not Happy:

    @Scott-B Can you get the thumbprints on the old server?

    The thumbprint from srvpublic.crt in /var/fog/management/other/ssl on the older server is
    88901133f4640b294ec5f4538e3f098eccadca45


  • Senior Developer

    @Scott-B Can you get the thumbprints on the old server?


  • Senior Developer

    @Scott-B Funny I just got time to look into this again. It’s very strange you still get the “wrong” thumbprint. Are you sure you copied the right files?



  • @Sebastian-Roth said in Migrated FOG, Clients Not Happy:

    systemctl restart apache2

    Restarted apache and rechecked the thumbprints. They are still different. Same thumbprints as before.


  • Senior Developer

    @Scott-B Still the same error. Sounds a bit like it still sends out the old certificate. Re-running the installer should have restarted the Apache webserver. But you might manually restart it (systemctl restart apache2 or systemctl restart httpd) or the whole server.

    Then do a comparison of the thumbprints again. Sorry again, I think I have messed up

    openssl x509 -in /opt/fog/snapins/ssl/CA/.fogCA.pem -fingerprint -noout
    openssl x509 -in /var/www/html/management/other/ssl/ca.cert.pem -fingerprint -noout
    

    Compare those to the thumbprint you find in the certificate management in Windows from the “FOG Server CA”.



  • @Sebastian-Roth

    They are still not happy.

    ------------------------------------------------------------------------------
    ----------------------------------UserTracker---------------------------------
    ------------------------------------------------------------------------------
     12/19/2019 12:14 PM Client-Info Client Version: 0.11.17
     12/19/2019 12:14 PM Client-Info Client OS:      Windows
     12/19/2019 12:14 PM Client-Info Server Version: 1.5.7.86
     12/19/2019 12:14 PM Middleware::Response ERROR: Unable to get subsection
     12/19/2019 12:14 PM Middleware::Response ERROR: Object reference not set to an instance of an object.
     12/19/2019 12:14 PM Service Sleeping for 84 seconds
     12/19/2019 12:15 PM Middleware::Communication URL: http://fogserver/fog/management/index.php?sub=requestClientInfo&configure&newService&json
     12/19/2019 12:15 PM Middleware::Response Success
     12/19/2019 12:15 PM Middleware::Communication URL: http://fogserver/fog/management/index.php?sub=requestClientInfo&mac=2C:41:38:8F:55:FF&newService&json
     12/19/2019 12:15 PM Middleware::Authentication Waiting for authentication timeout to pass
     12/19/2019 12:15 PM Middleware::Communication Download: http://fogserver/fog/management/other/ssl/srvpublic.crt
     12/19/2019 12:16 PM Data::RSA FOG Server CA cert found
     12/19/2019 12:16 PM Data::RSA ERROR: Certificate validation failed
     12/19/2019 12:16 PM Data::RSA ERROR: Trust chain did not complete to the known authority anchor. Errors: The signature of the certificate cannot be verified. (NotSignatureValid)
     12/19/2019 12:16 PM Middleware::Authentication ERROR: Could not authenticate
     12/19/2019 12:16 PM Middleware::Authentication ERROR: Certificate is not from FOG CA
     12/19/2019 12:16 PM Middleware::Response Success
     12/19/2019 12:16 PM Middleware::Communication URL: http://fogserver/fog/service/getversion.php?clientver&newService&json
     12/19/2019 12:16 PM Middleware::Communication URL: http://fogserver/fog/service/getversion.php?newService&json
    
     12/19/2019 12:16 PM Service Creating user agent cache
     12/19/2019 12:16 PM Middleware::Response ERROR: Unable to get subsection
     12/19/2019 12:16 PM Middleware::Response ERROR: Object reference not set to an instance of an object.
     12/19/2019 12:16 PM Middleware::Response ERROR: Unable to get subsection
     12/19/2019 12:16 PM Middleware::Response ERROR: Object reference not set to an instance of an object.
     12/19/2019 12:16 PM Middleware::Response ERROR: Unable to get subsection
     12/19/2019 12:16 PM Middleware::Response ERROR: Object reference not set to an instance of an object.
    
    

  • Senior Developer

    @Scott-B said in Migrated FOG, Clients Not Happy:

    I did copy them over and ran the installer again. Is it only files in /opt/fog/snapins/ssl/ or do I have to worry about the certs in /var/www/fog/management/other/ as well?

    The installer should take care of the rest (/var/www/fog/management/other/…). Please see if the clients are happy reconnecting now.



  • @Sebastian-Roth

    I did copy them over and ran the installer again. Is it only files in /opt/fog/snapins/ssl/ or do I have to worry about the certs in /var/www/fog/management/other/ as well?


  • Senior Developer

    @Scott-B said in Migrated FOG, Clients Not Happy:

    I migrated our FOG install over to a new server.

    Ohhhhhh my… ! Sorry, I totally missed that in your initial post. I was too scared it had something to do with the 0.11.17 fog-client release…

    You need to copy the certificates from your old server to the new one: https://wiki.fogproject.org/wiki/index.php?title=Migrate_FOG#If_old_server_was_FOG_1.3.0.2B



  • @Sebastian-Roth said in Migrated FOG, Clients Not Happy:

    openssl x509 -in /opt/fog/snapins/ssl/CA/.fogCA.pem -fingerprint -noout

    Comparing the FOG Server CA on the workstation and the server shows two different thumbprints.

    Server:
    E5:D3:32:A3:5F:8D:A4:B8:BD:3C:6B:CC:76:A6:A5:F0:85:3C:9B:B8

    Client:
    6B:9D:5B:3F:BC:23:7B:9D:1E:69:46:80:C2:90:CB:9A:BC:97:DD:70


  • Senior Developer

    @Scott-B said in Migrated FOG, Clients Not Happy:

    Looking at the cert store on the Windows device I have both the FOG Server CA which is valid as well as the FOG Project cert.

    Did you compare the thumbprint as described below? Sorry I edited the post a few minutes after initially sending it so you might not have seen this.

