Migrated FOG, Clients Not Happy
-
@Scott-B Can you get the thumbprints on the old server?
-
@Sebastian-Roth said in Migrated FOG, Clients Not Happy:
@Scott-B Can you get the thumbprints on the old server?
The thumbprint from srvpublic.crt in /var/fog/management/other/ssl on the older server is
88901133f4640b294ec5f4538e3f098eccadca45
-
@Scott-B said in Migrated FOG, Clients Not Happy:
The thumbprint from srvpublic.crt in /var/fog/management/other/ssl on the older server is
88901133f4640b294ec5f4538e3f098eccadca45
Watch out! You don’t want to compare apples with pears! What you need is the same CA certificate (same thumbprint) that you had on the old server to be used on the new server as well. The CA cert is originally generated in /opt/fog/snapins/ssl/CA/.fogCA.pem and then copied over to /var/www/html/management/other/ssl/ca.cert.pem - those two files should have the exact same thumbprint. The latter one is used by the fog-client installer to “pin” itself to this exact FOG server. So the certificate you see as “FOG Server CA” on the client should essentially be the exact same as the two mentioned above.
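The comparison described in the post above, as an added example that is not part of the original thread or of FOG itself: it computes the SHA-1 thumbprint (the value Windows shows for a certificate) of the two CA files named in the post and checks them against a thumbprint copied from a client's "FOG Server CA" entry. The function names are hypothetical; the two paths are the ones given in the post.

```python
import base64
import hashlib
import re
import sys

# CA certificate locations named in the post; adjust if your web root differs.
CA_PATHS = [
    "/opt/fog/snapins/ssl/CA/.fogCA.pem",
    "/var/www/html/management/other/ssl/ca.cert.pem",
]
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S
)


def thumbprint(pem_text):
    """SHA-1 over the DER bytes of the first certificate in a PEM text."""
    match = PEM_CERT.search(pem_text)
    if match is None:
        raise ValueError("no PEM certificate block found")
    der = base64.b64decode("".join(match.group(1).split()))
    return hashlib.sha1(der).hexdigest()


def normalize(value):
    """Reduce a pasted thumbprint value (spaces, colons, upper case) to bare hex."""
    return re.sub(r"[^0-9a-f]", "", value.lower())


def check_ca(pem_texts, client_thumbprint):
    """Return (server_files_agree, client_matches_server_ca)."""
    prints = {thumbprint(text) for text in pem_texts}
    agree = len(prints) == 1
    return agree, agree and normalize(client_thumbprint) in prints


if __name__ == "__main__":
    # Argument: thumbprint of "FOG Server CA" copied from a client (optional).
    client = sys.argv[1] if len(sys.argv) > 1 else ""
    try:
        texts = [open(path).read() for path in CA_PATHS]
    except OSError as err:
        sys.exit("cannot read CA certificate: %s" % err)
    for path, text in zip(CA_PATHS, texts):
        print(thumbprint(text), path)
    agree, pinned = check_ca(texts, client)
    print("server CA files agree:", agree)
    print("client is pinned to this CA:", pinned)
```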
-
@Scott-B Did you find what was causing this?
-
@Sebastian-Roth said in Migrated FOG, Clients Not Happy:
@Scott-B Did you find what was causing this?
No, I have not. My backup, clients, and current running server all have different thumbprints. I have no idea how that’s happened. Is it possible to take the cert from a client and add it to the server?
-
@Scott-B Do you still have a backup copy of your old server?
Is it possible to take the cert from a client and add it to the server?
Sorry, no. The key needed is only on your server and never transferred to the clients.
-
@Scott-B Do you still struggle to get this to work?
-
We were not able to bring his setup back online and reconnect the client. I ended up building a new fresh FOG install and we will reimport the machines as we go around. It’s not too big a deal as we needed an excuse to clean up the database anyway.
-
@Scott-B But you’ll need to reinstall the fog-client software on all your machines too.
Other than that you might try to use GPO PowerShell scripting to exchange the certificates on all the machines as well.
-
I’ll have to brush up on the commands for replacing the certs on the clients. Been a long time.