
    Change existing Fog server to force HTTPS using Enterprise CA for certs

      64bitfury

      I have had no luck finding any articles or guides discussing this topic. Basically we would like to change our existing Fog server to force HTTPS for web service and clients. We would like to use our internal CA for the certs. Any help would greatly be appreciated.

      64bitfury

        No one has done this before?

          rogalskij

          Do you mean just securing the web UI with a certificate? Or do you mean securing the client communication between the server and the client with a cert? I have done the former.

            64bitfury @rogalskij

            @rogalskij I would like help with both if possible.

              Sebastian Roth Moderator

              @64bitfury Sorry this topic has not received much attention yet.

              Changing to HTTPS for the web UI implies a few more things that might not be as obvious. I’ll give you some more details when I find a bit more time later on.

              Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

              Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

                rogalskij @64bitfury

                @64bitfury We only did the web UI. We ended up giving it a DNS entry, getting our commercial certificate, and then installing the cert in Apache on the server. It wasn’t FOG specific, it was more installing a cert on Apache that you have to go through. Have you had much experience in commercial certificates?

                  Sebastian Roth Moderator

                  @64bitfury Eventually found the time to proceed on the wiki article. Find information on your question here: https://wiki.fogproject.org/wiki/index.php?title=HTTPS#Custom_CA_and_certificates

                  Please let us know if the instructions are clear (and do work)! We can only improve things as much as we get feedback from users. 🙂

                    64bitfury @Sebastian Roth

                    @Sebastian-Roth I will review and provide feedback. Thank you

                      64bitfury @rogalskij

                      @rogalskij I have an enterprise CA that I am going to use to generate the cert. Do you have the steps you used to replace the apache cert?

                        Sebastian Roth Moderator

                        @64bitfury said in Change existing Fog server to force HTTPS using Enterprise CA for certs:

                        Do you have the steps you used to replace the apache cert?

                        What do you mean by that?

                          Sebastian Roth Moderator

                          @64bitfury Oh well, I just remembered something that I was going to add to the wiki article soon as well. We have seen issues with PXE booting when certificates from a certain vendor were used. Find details here:
                          https://forums.fogproject.org/topic/12768/not-able-to-tftp-boot-invalid-argument-error
                          http://forum.ipxe.org/showthread.php?tid=16998

                          Even posting to the iPXE developers list I did not receive an answer on how to fix this issue within iPXE.

                          I am fairly sure this is not going to happen with most custom/enterprise CAs but it’s definitely possible. I am still not sure what exactly is causing this. Possibly the size/length of the certification chain?!

                            64bitfury @Sebastian Roth

                            @Sebastian-Roth In your Wiki you discuss two options for SSL certs to be used. I would like to implement the web UI cert only option but not sure where to start. I know I need to update Apache with the cert I want to use but I am running this on Ubuntu server with no GUI so not sure on how to get my cert onto the box or what to do with it once I do.

                              Sebastian Roth Moderator

                              @64bitfury Ok, now I see. Please don’t get me wrong when I say that I am a little bit confused about you asking this very advanced question on how to add an enterprise CA to your FOG server but seem to struggle with the basics on how to do it. I want to apologize if this sounds rude. It’s not meant to and I will try to help you make this work. But I want you to see that this is a complex and quite advanced topic that might need some intense debugging to find issues that can occur when you change your FOG server to force HTTPS!

                              So let’s start by asking a few questions:

                              • Which version of FOG do you currently run?
                              • Did you run the installer plain as ./installfog.sh or using any of the command line switches? If you don’t remember it’s probably just plain.
                              • Is it just one FOG server or do you have storage nodes as well?
                              • How many hosts with fog-client already installed do you have?
                              • Which version of the fog-client is running?
                              • Where is your enterprise CA from? Is it a CA setup by your own company or something where you receive certificates from a third party?
                              • More questions will arise while we discuss this I am sure…

                              Depending on your answers I will try to give very detailed instructions to help you set this up without running into too many issues. Hopefully I can lead you without much problems at all but I can’t promise you that.

                                JJ Fullmer Testers

                                @64bitfury your comment about there being no gui leads me to believe you just haven’t had the chance to work with a command line only linux os before, at least in this context.
                                I could also be wrong but wanted to try and help when I saw this, as I use an internal CA.

                                To answer your questions on a basic level
                                you want an ftp client such as winscp, filezilla, or cyberduck to connect to the fog server and copy over your server cert, private key, and your ca cert.
                                Where you put them depends on your OS, you’ll want to google something like insert linux os here ssl cert directories

                                Then you configure apache to point to the cert and private key in a virtualhost on port 443.
                                i.e.

                                <VirtualHost *:443>
                                    SSLEngine on
                                    SSLCertificateFile /etc/pki/tls/certs/fog.crt
                                    SSLCertificateKeyFile /etc/pki/tls/private/fog.key
                                    #other virtual host stuff
                                </VirtualHost>

                                You can also usually set a default cert and key file in a ssl.conf file, but that file can be overwritten by yum/apt updates of apache.

                                But maybe that’s enough to point you in the right direction. There’s quite a few possibilities for how to configure it and more information is needed that @Sebastian-Roth has already requested to give you full on step by step directions. But it sounds like you might just need these couple little things to help you along the way. My apologies if I’m wrong, just wanting to help.

                                Have you tried the FogApi powershell module? It's pretty cool IMHO
                                https://github.com/darksidemilk/FogApi
                                https://fogapi.readthedocs.io/en/latest/
                                https://www.powershellgallery.com/packages/FogApi
                                https://forums.fogproject.org/topic/12026/powershell-api-module

                                1 Reply Last reply Reply Quote 0
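The checks below are an added example, not part of the thread or the FOG wiki: before referencing a CA-issued certificate in the `SSLCertificateFile` / `SSLCertificateKeyFile` directives shown above, confirm that the key belongs to the cert, that the cert chains to your CA, and that it is not about to expire. The function names, file names and the throwaway demo CA are assumptions made for the illustration.

```bash
#!/usr/bin/env bash
# Added example: pre-flight checks before pointing Apache at a CA-issued cert.
# All file names, subject names and the demo CA below are constructed.

# 0 if KEY is the private key for CERT (their public keys are identical).
key_matches_cert() {  # usage: key_matches_cert CERT KEY
  local c k
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
  [ "$c" = "$k" ]
}

# 0 if CERT chains to a CA in CA_BUNDLE (PEM file, may hold several CA certs).
chain_verifies() {  # usage: chain_verifies CA_BUNDLE CERT
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Run all checks; print the first failure and return non-zero.
preflight() {  # usage: preflight CA_BUNDLE CERT KEY
  key_matches_cert "$2" "$3" || { echo "FAIL: key does not match cert"; return 1; }
  chain_verifies "$1" "$2" || { echo "FAIL: cert does not chain to CA"; return 1; }
  openssl x509 -in "$2" -noout -checkend 86400 >/dev/null ||
    { echo "FAIL: cert expires within 24 hours"; return 1; }
  echo "OK: cert, key and chain are consistent"
}

# Build a throwaway CA, a server cert signed by it, and an unrelated key.
make_demo_pki() {  # usage: make_demo_pki DIR
  local d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Constructed Demo CA" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=fog.example.internal" \
    -keyout "$d/fog.key" -out "$d/fog.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/fog.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 30 -out "$d/fog.crt" 2>/dev/null &&
  openssl genrsa -out "$d/other.key" 2048 2>/dev/null
}

# Demo on constructed data; on a real server pass your own three files.
demo=$(mktemp -d) && make_demo_pki "$demo" &&
  preflight "$demo/ca.crt" "$demo/fog.crt" "$demo/fog.key"
rm -rf "$demo"
```

On a real server, call `preflight` with your CA bundle, server certificate and key, then run `apachectl configtest` before reloading Apache.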
                                  Sebastian Roth Moderator

                                  @64bitfury While it’s totally correct what @JJ-Fullmer suggests in his post I would still argue to stick to how I outlined in the wiki to keep the existing file locations and just replace the cert and key files. There is nothing wrong about doing it different but I try to give instructions on how to get it as close to what the FOG installer is doing anyway so when re-running the installer later on you will have to tinker with less things.

                                    64bitfury @Sebastian Roth

                                    @Sebastian-Roth First let me say thank you for helping me with this. I will answer your questions below.

                                    Which version of FOG do you currently run?
                                    1.5.8

                                    Did you run the installer plain as ./installfog.sh or using any of the command line switches? If you don’t remember it’s probably just plain.
                                    Did not use any switches

                                    Is it just one FOG server or do you have storage nodes as well?
                                    Just one

                                    How many hosts with fog-client already installed do you have?
                                    11

                                    Which version of the fog-client is running?
                                    0.11.19

                                    Where is your enterprise CA from? Is it a CA setup by your own company or something where you receive certificates from a third party?
                                    Windows Enterprise CA with offline root

                                      Sebastian Roth Moderator

                                      @64bitfury said:

                                      Where is your enterprise CA from? Is it a CA setup by your own company or something where you receive certificates from a third party?
                                      Windows Enterprise CA with offline root

                                      You mean something along these lines? https://www.starwindsoftware.com/blog/using-the-microsoft-certificate-authority-to-get-rid-of-those-self-signed-certs

                                        64bitfury @Sebastian Roth

                                        @Sebastian-Roth Yes, we have set up a Microsoft CA for use in our domain. We are working on a NIST 800-171 project and I wanted to get ahead of it with Fog by putting HTTPS in place using our internal CA.

                                          64bitfury @Sebastian Roth

                                          @Sebastian-Roth We didn’t use that guide though. Not sure if that is worth mentioning.

                                            Sebastian Roth Moderator

                                            @64bitfury Switching to chat!? See the speech bubble in the top right corner.
