Change existing Fog server to force HTTPS using Enterprise CA for certs

Sebastian Roth

@64bitfury While it’s totally correct what @JJ-Fullmer suggests in his post I would still argue to stick to how I outlined in the wiki to keep the existing file locations and just replace the cert and key files. There is nothing wrong about doing it different but I try to give instructions on how to get it as close to what the FOG installer is doing anyway so when re-running the installer later on you will have to tinker with less things.

64bitfury

@Sebastian-Roth First let me say thank you for helping me with this. I will answer your questions below.

Which version of FOG do you currently run?
1.5.8

Did you run the installer plain as ./installfog.sh or using any of the command line switches? If you don’t remember it’s probably just plain.
Did not use any switches

Is it just one FOG server or do you have storage nodes as well?
Just one

How many hosts with fog-client already installed do you have?
11

Which version of the fog-client is running?
0.11.19

Where is your enterprise CA from? Is it a CA setup by your own company or something where you receive certificates from a third party?
Windows Enterprise CA with offline root

Sebastian Roth

@64bitfury said:

Where is your enterprise CA from? Is it a CA setup by your own company or something where you receive certificates from a third party?
Windows Enterprise CA with offline root

You mean something along these lines? https://www.starwindsoftware.com/blog/using-the-microsoft-certificate-authority-to-get-rid-of-those-self-signed-certs

64bitfury

@Sebastian-Roth Yes, We have setup a Microsoft CA for use in our domain. We are working on a NIST 800-171 project and I wanted to get ahead of it with Fog by putting HTTPS in place using our internal CA.

64bitfury

@Sebastian-Roth We didn’t use that guide though. Not sure if that is worth mentioning.

Sebastian Roth

@64bitfury Switching to chat!? See the speech bubble in the top right corner.

Gabor

@Sebastian-Roth Hi,
is there any progress on this topic?
I would like to achieve the same.

I am thinking in this:

1. make a snipet, which installs my ca to all registered client (about 100 in my case)
2. sign a cert with my ca for fog server
3. replace the cert in the fog server

causing some trouble to myself, when i try to update? will it even work?
Fog generated it’s own ca maybe it uses it for generating more certs?

Thanks.

Sebastian Roth

@Gabor Back then we talked a lot in chat and also did a remote session to set things up for him. Though I have to say that this topic is complex and therefore it’s not easy to give you a straight guideline. But let me outline a few things here:

As far as I remember 64bitfury did not use the fog-client. At least not up to that time when we worked on this together. So it was mainly to get FOG web UI and PXE boot working with the custom CA. It is possible to setup FOG with a custom CA but let the fog-client use the FOG internal CA and I have tried to come up with a guide on this in the wiki. But it’s definitely not finished yet and I would need more time to test things and work on this.

So as a first consideration I may ask you, if you really want to use your custom CA for the fog-client communication as well - read the linked wiki article to understand the different options you have and let’s discuss things here in the forums.

I would also suggest you open a new topic posting your own details, like FOG version, node setup (single node or storage nodes as well) and so on. This way we don’t mix up things to prevent confusion and errors.

Gabor

@Sebastian-Roth Thank you for your reply.
I only want to reach the website with own cert, so I followed the steps from wiki from this section “Use your custom CA for Apache configuration only but stick to FOG CA…”

I generated and signed a cert with the same data (CN=<IP>, subjAltname=IP:<IP>,DNS:<domain>) as in the original and did everything exactly as in the wiki.

The only thing is working now with the new cert is the website.
I am not at my workplace but because of the long booting time I can tell that something wrong with the pxe boot as well as with fog client, because I can’t send a shutdown command to the clients. (I can login via RDP)
Fog client doesn’t work even after reinstall.

I see know it is too complicated (as you mentioned) so I rather rollback everything and wait until this custom ca will be supported by the project.

Now I am thinking on some reverse proxy solution to reach the fog web with company cert.
UPDATE: I messed up the apache config, maybe that’s why the pxe and fog client doesnt worked. sorry, I’ll try it again

Gabor

This post is deleted!

Gabor

@Sebastian-Roth UPDATE2: I tried again with correct apache config this time, but doesn’t work. no pxe boot, no fog client

Gabor

@Gabor Ok I definitely can’t understand how this forum works

Sebastian Roth

@Gabor This is a complex topic as I already mentioned! You need a lot of knowledge on different technologies and be able to debug things thoroughly. While we work on making this easier I am not sure it will ever be fail proof for everyone just because of the complexity.

Anyhow, I may ask you to re-read the wiki page. There is one part showing you how to re-build iPXE binaries using your custom CA. Whenever you change the CA and/or certs you need to recompile your iPXE binaries.