Change existing Fog server to force HTTPS using Enterprise CA for certs
-
@Sebastian-Roth In your Wiki you discuss two options for SSL certs to be used. I would like to implement the web ui cert only option but not sure where to start. I know I need to update apache with the cert i want to use but I am running this on Ubuntu server with no GUI so not sure on how to get my cert onto the box or what to do with it once I do.
-
@64bitfury Ok, now I see. Please don’t get me wrong when I say that I am a little bit confused about you asking this very advanced question on how to add an enterprise CA to your FOG server but seem to struggle with the basics on how to do it. I want to apologize if this sounds rude. It’s not meant to and I will try to help you make this work. But I want you to see that this is a complex and quite advanced topic that might need some intense debugging to find issues that can occur when you change your FOG server to force HTTPS!
So let’s start by asking a few questions:
- Which version of FOG do you currently run?
- Did you run the installer plain as
./installfog.sh
or using any of the command line switches? If you don’t remember it’s probably just plain. - Is it just one FOG server or do you have storage nodes as well?
- How many hosts with fog-client already installed do you have?
- Which version of the fog-client is running?
- Where is your enterprise CA from? Is it a CA setup by your own company or something where you receive certificates from a third party?
- More question will arise while we discuss this I am sure…
Depending on your answers I will try to give very detailed instructions to help you set this up without running into too many issues. Hopefully I can lead you without much problems at all bit I can’t promise you that.
-
@64bitfury your comment about there being no gui leads me to believe you just haven’t had the chance to work with a command line only linux os before, at least in this context.
I could also be wrong but wanted to try and help when I saw this, as I use an internal CA.To answer your questions on a basic level
you want an ftp client such as winscp, filezilla, or cyberduck to connect to the fog server and copy over your server cert, private key, and your ca cert.
Where you put them depends on your OS, you’ll want to google something likeinsert linux os here
ssl cert directoriesThen you configure apache to point to the cert and private key in a virtualhost on port 443.
i.e.<VirtualHost *:443> SSLEngine on SSLCertificateFile /etc/pki/tls/certs/fog.crt SSLCertificateKeyFile /etc/pki/tls/private/fog.key #other virtual host stuff </VirtualHost>
You can also usually set a default cert and key file in a
ssl.conf
file, but that file can be overwritten by yum/apt updates of apache.But maybe that’s enough to point you in the right direction. There’s quite a few possibilities for how to configure it and more information is needed that @Sebastian-Roth has already requested to give you full on step by step directions. But it sounds like you might just need these couple little things to help you along the way. My apologies if I’m wrong, just wanting to help.
-
@64bitfury While it’s totally correct what @JJ-Fullmer suggests in his post I would still argue to stick to how I outlined in the wiki to keep the existing file locations and just replace the cert and key files. There is nothing wrong about doing it different but I try to give instructions on how to get it as close to what the FOG installer is doing anyway so when re-running the installer later on you will have to tinker with less things.
-
@Sebastian-Roth First let me say thank you for helping me with this. I will answer your questions below.
Which version of FOG do you currently run?
1.5.8Did you run the installer plain as ./installfog.sh or using any of the command line switches? If you don’t remember it’s probably just plain.
Did not use any switchesIs it just one FOG server or do you have storage nodes as well?
Just oneHow many hosts with fog-client already installed do you have?
11Which version of the fog-client is running?
0.11.19Where is your enterprise CA from? Is it a CA setup by your own company or something where you receive certificates from a third party?
Windows Enterprise CA with offline root -
@64bitfury said:
Where is your enterprise CA from? Is it a CA setup by your own company or something where you receive certificates from a third party?
Windows Enterprise CA with offline rootYou mean something along these lines? https://www.starwindsoftware.com/blog/using-the-microsoft-certificate-authority-to-get-rid-of-those-self-signed-certs
-
@Sebastian-Roth Yes, We have setup a Microsoft CA for use in our domain. We are working on a NIST 800-171 project and I wanted to get ahead of it with Fog by putting HTTPS in place using our internal CA.
-
@Sebastian-Roth We didn’t use that guide though. Not sure if that is worth mentioning.
-
@64bitfury Switching to chat!? See the speech bubble in the top right corner.
-
@Sebastian-Roth Hi,
is there any progress on this topic?
I would like to achieve the same.I am thinking in this:
- make a snipet, which installs my ca to all registered client (about 100 in my case)
- sign a cert with my ca for fog server
- replace the cert in the fog server
causing some trouble to myself, when i try to update? will it even work?
Fog generated it’s own ca maybe it uses it for generating more certs?Thanks.
-
@Gabor Back then we talked a lot in chat and also did a remote session to set things up for him. Though I have to say that this topic is complex and therefore it’s not easy to give you a straight guideline. But let me outline a few things here:
As far as I remember 64bitfury did not use the fog-client. At least not up to that time when we worked on this together. So it was mainly to get FOG web UI and PXE boot working with the custom CA. It is possible to setup FOG with a custom CA but let the fog-client use the FOG internal CA and I have tried to come up with a guide on this in the wiki. But it’s definitely not finished yet and I would need more time to test things and work on this.
So as a first consideration I may ask you, if you really want to use your custom CA for the fog-client communication as well - read the linked wiki article to understand the different options you have and let’s discuss things here in the forums.
I would also suggest you open a new topic posting your own details, like FOG version, node setup (single node or storage nodes as well) and so on. This way we don’t mix up things to prevent confusion and errors.
-
@Sebastian-Roth Thank you for your reply.
I only want to reach the website with own cert, so I followed the steps from wiki from this section “Use your custom CA for Apache configuration only but stick to FOG CA…”I generated and signed a cert with the same data (CN=<IP>, subjAltname=IP:<IP>,DNS:<domain>) as in the original and did everything exactly as in the wiki.
The only thing is working now with the new cert is the website.
I am not at my workplace but because of the long booting time I can tell that something wrong with the pxe boot as well as with fog client, because I can’t send a shutdown command to the clients. (I can login via RDP)
Fog client doesn’t work even after reinstall.I see know it is too complicated (as you mentioned) so I rather rollback everything and wait until this custom ca will be supported by the project.
Now I am thinking on some reverse proxy solution to reach the fog web with company cert.
UPDATE: I messed up the apache config, maybe that’s why the pxe and fog client doesnt worked. sorry, I’ll try it again -
This post is deleted! -
@Sebastian-Roth UPDATE2: I tried again with correct apache config this time, but doesn’t work. no pxe boot, no fog client
-
@Gabor Ok I definitely can’t understand how this forum works
-
@Gabor This is a complex topic as I already mentioned! You need a lot of knowledge on different technologies and be able to debug things thoroughly. While we work on making this easier I am not sure it will ever be fail proof for everyone just because of the complexity.
Anyhow, I may ask you to re-read the wiki page. There is one part showing you how to re-build iPXE binaries using your custom CA. Whenever you change the CA and/or certs you need to recompile your iPXE binaries.