Change existing Fog server to force HTTPS using Enterprise CA for certs



  • I have had no luck finding any articles or guides discussing this topic. Basically we would like to change our existing Fog server to force HTTPS for web service and clients. We would like to use our internal CA for the certs. Any help would greatly be appreciated.


  • Testers

    @64bitfury your comment about there being no GUI leads me to believe you just haven’t had the chance to work with a command-line-only Linux OS before, at least in this context.
    I could also be wrong but wanted to try and help when I saw this, as I use an internal CA.

    To answer your questions on a basic level:
    You want an FTP client such as WinSCP, FileZilla, or Cyberduck to connect to the FOG server and copy over your server cert, private key, and your CA cert.
    Where you put them depends on your OS; you’ll want to Google something like “insert Linux OS here SSL cert directories”.

    Then you configure Apache to point to the cert and private key in a VirtualHost on port 443.
    i.e.

    <VirtualHost *:443>
        SSLEngine on
        SSLCertificateFile /etc/pki/tls/certs/fog.crt
        SSLCertificateKeyFile /etc/pki/tls/private/fog.key
        # other virtual host stuff
    </VirtualHost>
    

    You can also usually set a default cert and key file in an ssl.conf file, but that file can be overwritten by yum/apt updates of Apache.

    But maybe that’s enough to point you in the right direction. There are quite a few possibilities for how to configure it, and more information is needed, which @Sebastian-Roth has already requested, to give you full-on step-by-step directions. But it sounds like you might just need these couple of little things to help you along the way. My apologies if I’m wrong, just wanting to help.
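
Added example, not part of the post above or of the FOG project: pre-flight checks to run on the copied files before the `SSLCertificateFile` and `SSLCertificateKeyFile` lines are pointed at them. The function names, the throwaway CA and the host name `fog.example.test` are constructed for illustration; on a real server pass the enterprise CA chain and the issued cert and key instead.

```sh
# Added example (not from the thread): pre-flight checks on a CA-issued
# certificate and key before the Apache VirtualHost is pointed at them.

# 0 if the private key belongs to the certificate (same public key).
key_matches_cert() {   # key_matches_cert <cert.pem> <key.pem>
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 if the certificate chains to the CA bundle and is usable as a TLS server cert.
chain_verifies() {     # chain_verifies <ca-bundle.pem> <cert.pem>
    openssl verify -purpose sslserver -CAfile "$1" "$2" >/dev/null 2>&1
}

# 0 if the certificate is still valid N days from now (default 30).
valid_for_days() {     # valid_for_days <cert.pem> [days]
    openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null 2>&1
}

# Constructed sample data: a throwaway CA and a server cert signed by it,
# standing in for the enterprise CA and the cert issued for the FOG host.
make_demo_pki() {      # make_demo_pki <dir>
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo Enterprise CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=fog.example.test" \
        -keyout "$d/fog.key" -out "$d/fog.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/fog.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 90 -out "$d/fog.crt" 2>/dev/null
}

# Runs all three checks and names the first one that fails.
preflight() {          # preflight <ca-bundle.pem> <cert.pem> <key.pem>
    key_matches_cert "$2" "$3" || { echo "key does not match certificate"; return 1; }
    chain_verifies "$1" "$2"   || { echo "certificate does not chain to CA"; return 1; }
    valid_for_days "$2" 30     || { echo "certificate expires within 30 days"; return 1; }
    echo "ok"
}

# Demo run on the constructed data; prints "ok".
demo_dir=$(mktemp -d) && make_demo_pki "$demo_dir" &&
    preflight "$demo_dir/ca.crt" "$demo_dir/fog.crt" "$demo_dir/fog.key"
rm -rf "$demo_dir"
```

A key/cert mismatch is the failure that stops Apache from starting with SSL enabled, so running `preflight` before a restart catches it while the old configuration is still serving.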


  • Developer

    @64bitfury Ok, now I see. Please don’t get me wrong when I say that I am a little bit confused about you asking this very advanced question on how to add an enterprise CA to your FOG server but seem to struggle with the basics on how to do it. I want to apologize if this sounds rude. It’s not meant to and I will try to help you make this work. But I want you to see that this is a complex and quite advanced topic that might need some intense debugging to find issues that can occur when you change your FOG server to force HTTPS!

    So let’s start by asking a few questions:

    • Which version of FOG do you currently run?
    • Is it just one FOG server or do you have storage nodes as well?
    • How many hosts with fog-client already installed do you have?
    • Which version of the fog-client is running?
    • Where is your enterprise CA from? Is it a CA setup by your own company or something where you receive certificates from a third party?
    • More questions will arise while we discuss this, I am sure…

    Depending on your answers I will try to give very detailed instructions to help you set this up without running into too many issues. Hopefully I can lead you without many problems at all, but I can’t promise you that.



  • @Sebastian-Roth In your Wiki you discuss two options for SSL certs to be used. I would like to implement the web UI cert only option but am not sure where to start. I know I need to update Apache with the cert I want to use, but I am running this on Ubuntu server with no GUI, so I am not sure how to get my cert onto the box or what to do with it once I do.


  • Developer

    @64bitfury Oh well, I just remembered something that I was going to add to the wiki article soon as well. We have seen issues with PXE booting when certificates from a certain vendor were used. Find details here:
    https://forums.fogproject.org/topic/12768/not-able-to-tftp-boot-invalid-argument-error
    http://forum.ipxe.org/showthread.php?tid=16998

    Even posting to the iPXE developers list I did not receive an answer on how to fix this issue within iPXE.

    I am fairly sure this is not going to happen with most custom/enterprise CAs but it’s definitely possible. I am still not sure what exactly is causing this. Possibly the size/length of the certification chain?!


  • Developer

    @64bitfury said in Change existing Fog server to force HTTPS using Enterprise CA for certs:

    Do you have the steps you used to replace the apache cert?

    What do you mean by that?



  • @rogalskij I have an enterprise CA that I am going to use to generate the cert. Do you have the steps you used to replace the Apache cert?



  • @Sebastian-Roth I will review and provide feedback. Thank you


  • Developer

    @64bitfury Eventually found the time to proceed on the wiki article. Find information on your question here: https://wiki.fogproject.org/wiki/index.php?title=HTTPS#Custom_CA_and_certificates

    Please let us know if the instructions are clear (and do work)! We can only improve things as much as we get feedback from users. :-)



  • @64bitfury We only did the web UI. We ended up giving it a DNS entry, getting our commercial certificate, and then installing the cert in Apache on the server. It wasn’t FOG specific, it was more installing a cert on Apache that you have to go through. Have you had much experience in commercial certificates?


  • Developer

    @64bitfury Sorry this topic has not received much attention yet.

    Changing to HTTPS for the web UI implies a few more things that might not be as obvious. I’ll give you some more details when I find a bit more time later on.



  • @rogalskij I would like help with both if possible.



  • Do you mean just securing the web UI with a certificate? Or do you mean securing the client communication between the server and the client with a cert? I have done the former.



  • No one has done this before?

