PXE Boot not working properly from Storage Node after Upgrade to 1.5.8
-
@Silv4n Still all good. We shall find it soon I am sure. Try these commands:
openssl x509 -noout -fingerprint -sha1 -in /var/www/html/fog/management/other/ssl/srvpublic.crt
echo -n | openssl s_client -CAfile /var/www/html/fog/management/other/ca.cert.pem -connect 10.144.1.22:443 | head
-
@Silv4n And here is one more command:
echo -n | openssl s_client -CAfile /var/www/html/fog/management/other/ca.cert.pem -connect 10.144.1.22:443 | openssl x509 -noout -fingerprint
-
fogadmin@v-fogsrv02:~$ openssl x509 -noout -fingerprint -sha1 -in /var/www/html/fog/management/other/ssl/srvpublic.crt
SHA1 Fingerprint=83:7B:9D:57:E9:11:51:83:46:20:7F:81:04:A2:23:44:A7:68:34:93
fogadmin@v-fogsrv02:~$ echo -n | openssl s_client -CAfile /var/www/html/fog/management/other/ca.cert.pem -connect 10.144.1.22:443 | head
depth=1 CN = FOG Server CA
verify return:1
depth=0 CN = 10.144.1.22
verify return:1
DONE
CONNECTED(00000005)
---
Certificate chain
 0 s:CN = 10.144.1.22
   i:CN = FOG Server CA
 1 s:CN = FOG Server CA
   i:CN = FOG Server CA
---
Server certificate
-----BEGIN CERTIFICATE-----
fogadmin@v-fogsrv02:~$ echo -n | openssl s_client -CAfile /var/www/html/fog/management/other/ca.cert.pem -connect 10.144.1.22:443 | openssl x509 -noout -fingerprint
depth=1 CN = FOG Server CA
verify return:1
depth=0 CN = 10.144.1.22
verify return:1
DONE
SHA1 Fingerprint=83:7B:9D:57:E9:11:51:83:46:20:7F:81:04:A2:23:44:A7:68:34:93
-
@Silv4n This is really strange. All the certificates seem perfectly fine and match the fingerprints we see in the picture you posted initially. I just did a fresh clean install here and it worked out of the box. Though this is a master server only. Let me try adding a storage node and see if that makes a difference.
-
@Sebastian-Roth That’s the storage node
-
@Silv4n Let’s switch over to chat (chat bubble in the top right corner).
-
@Sebastian-Roth unfortunately the can’t display all of it: https://imgur.com/a/OKdQzwh
-
@Silv4n Ok, unfortunately not of much help yet. Please recompile but leave out the tls, in DEBUG parameter…
make EMBED=ipxescript DEBUG=x509,validator bin/undionly.kpxe CERT=/opt/fog/snapins/ssl/CA/.fogCA.pem TRUST=/opt/fog/snapins/ssl/CA/.fogCA.pem
cp bin/undionly.kpxe /tftpboot
-
-
After some extended research I figured out this was caused by the build script not re-generating the trusted root part of the code compiled into the iPXE binaries. It’s really easy to fix and I pushed a fix to both dev-branch and working-1.6 so we hopefully never run into this again.
cd path/to/fogproject/bin/
touch ../../ipxe/src/crypto/rootcert.c
rm /tftpboot/undionly.kkpxe
./installfog.sh
Along the way I learned a couple of things about iPXE booting over HTTPS and so I hope we can find most upcoming issues more quickly from now on.
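
The failure described in the last post, modelled as an added example that is not part of the thread or of FOG's own scripts: a trust anchor captured at an earlier build no longer matches the CA that signs the server certificate, even though the server's own chain is valid. The helper names, the `fog.example.test` host name and the throw-away keys made by `make_pki` are constructed for illustration; keeping a copy of the CA file used at build time is an assumption.

```shell
#!/bin/sh
# Added example: classify a trust problem as "stale build-time anchor"
# versus "server certificate itself is wrong". All PKI files are constructed.

# Print the SHA-256 fingerprint (colon-separated hex) of a PEM certificate.
cert_fp() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

# Succeed only if certificate $2 validates against the trust anchor in $1.
chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# $1 = CA file the boot binary was built against (assumed to be kept)
# $2 = CA file currently in use on the server
# $3 = server certificate presented over HTTPS
check_trust() {
    built_fp=$(cert_fp "$1"); live_fp=$(cert_fp "$2")
    if [ "$built_fp" = "$live_fp" ] && chains_to "$1" "$3"; then
        echo "OK"       # the binary trusts the CA that signed the server cert
    elif chains_to "$2" "$3"; then
        echo "STALE"    # server chain is fine, the built-in anchor is outdated
    else
        echo "BROKEN"   # server cert does not chain to the current CA either
    fi
}

# Create a constructed CA and a server certificate signed by it in dir $1.
make_pki() {
    d=$1; mkdir -p "$d"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=FOG Server CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=fog.example.test" \
        -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
    openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/srv.crt" 2>/dev/null
}
```

A `STALE` result is the case where the server-side `openssl s_client` checks all pass, as they did in this thread, while a client built against the older anchor still rejects the certificate.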