Reconfigure FOG Client Service to talk to different FOG server



  • Hi there,

    I’ve set up a “golden” group of machines that consists of a FOG server and 2 hosts that I’m using to test/capture new images. This group of machines always has the most up-to-date images and is in location A. When these images are ready to be deployed, I’ll export the image and CSV files and transfer them via external hard drive to another FOG server that has been set up in location B. I’ll use that FOG server to deploy the new image to a particular group of machines in location B.

    The issue I’m having is that after I deploy the latest image to the machines in location B, the FOG Client Service (which is pre-installed on that new image) can’t communicate with this new FOG server. Instead, I need to remove and reinstall the FOG Client Service on all hosts in location B.

    My guess is that when the FOG Client Service is installed on the hosts in location A, it takes note of the FOG server that those hosts are connected to. If this assumption is correct, is there a way I can reconfigure the FOG Client Service to communicate with a new FOG server rather than reinstalling the service? If my guess is way off, can you tell me why I need to reinstall the service before it can function as normal and how I can avoid the reinstallation?

    Thanks!


  • Senior Developer

    @andrewmoreno1431 said in Reconfigure FOG Client Service to talk to different FOG server:

    For consistency’s sake, I’ve configured the FOG servers in different locations to run off the same IP as they are isolated from each other. If I were to copy the CA certs from the Master server over to the server in the second location, would I still need to re-create the keys? Or would the keys already be set to match the IP?

    My information on this was a bit shorthanded as I did not expect you to use the same IPs in both locations. This is totally fine as they don’t seem to be connected, but I just didn’t expect it. So the IP (and hostname) are not actually within the key file but only in the certificate. I just wanted to keep my answer a bit simpler and used the term keys only because re-creating the (webserver) key will also re-create the openssl config file that is used to re-create the webserver certificate that actually includes the IP/hostname. The more I try to explain this the more details I need to bring up, which makes it more complicated to comprehend and prone to misunderstandings.

    So to finally answer your question. If you have the same IP and hostname for both servers then re-creating the key is not necessary. BUT you still need to re-run the installer for it to re-create the webserver certificate, as it’s not matching the CA if you only copy that from the other server. If I had known you have the same IP/hostname on both servers I would have suggested a different way: just copy the whole lot over and that would be it: /opt/fog/snapins/ssl (not just the CA subdirectory but all of it) and /var/www/html/fog/management/other/

    There are 3 files in /opt/fog/snapins/ssl/CA/: .fogCA.key, .fogCA.pem, and .fogCA.srl. Are all these files necessary when copying over the certs to another server?

    See my description above. There is more to it than copying just the CA files!

    Regarding your second route, would I be able to reverse this and export the CA cert from the location A server and import that into the Windows certificate store on the host in location B?

    I would say so, yes. But now that IPs are the same it’s probably easier to make the CA and derived certs identical on both servers as mentioned above.



  • @Sebastian-Roth Thanks so much for the detailed explanation. It worked like a charm!



  • @Sebastian-Roth I think both of these solutions could definitely work for this application. I just have a few questions before selecting one over the other:

    1. For consistency’s sake, I’ve configured the FOG servers in different locations to run off the same IP as they are isolated from each other. If I were to copy the CA certs from the Master server over to the server in the second location, would I still need to re-create the keys? Or would the keys already be set to match the IP?
    2. There are 3 files in /opt/fog/snapins/ssl/CA/: .fogCA.key, .fogCA.pem, and .fogCA.srl. Are all these files necessary when copying over the certs to another server?
    3. Regarding your second route, would I be able to reverse this and export the CA cert from the location A server and import that into the Windows certificate store on the host in location B?

    Thanks for the help!


  • Senior Developer

    @andrewmoreno1431 As suggested by @george1421 you can copy over the CA (certificate authority) from one FOG server to the other (/opt/fog/snapins/ssl/CA/ - make sure ownerships are set like before). Though you would need to re-run the installer for it to re-create the rest of the certs and keys to match the other server’s IP address after copying it over. Run ./installfog.sh --recreate-keys (do not use the other --recreate-ca option!)

    The other route you can go is export the CA cert as a PKCS12 file from your location B FOG server and manually import that to the Windows certificate store in your master image.

    openssl pkcs12 -export -nokeys -in /opt/fog/snapins/ssl/CA/.fogCA.pem -out /tmp/fog_locationB.p12
    

    Using an export password is not needed in that case I think. Just hit ENTER twice. Now copy that p12 file to your master image client, open Windows local machine cert store (certlm.msc as Admin) and import the p12 file into the “Trusted Root Certification -> Certificates” section.

    Either way you will need to adjust the IP in C:\Program Files (x86)\FOG\settings.json in your master image.
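
    A check worth running after either route above, as an added example that is not FOG project code and not part of the original post: it confirms that the FOG web server certificate really was issued by the CA you copied over, and that it carries the server IP the clients will be told to use in settings.json. The thread names the directories (/opt/fog/snapins/ssl/CA/ and /var/www/html/fog/management/other/) but not the server certificate file name, so the script takes the CA and server certificate paths as arguments. The certificates it builds under --demo are constructed fixtures for the demo, not FOG’s own.

    ```sh
    #!/bin/sh
    # Added example, not FOG project code. Verifies a FOG web server certificate
    # against the CA that is supposed to have issued it.
    #
    # check_fog_cert CA_PEM SERVER_CERT_PEM EXPECTED_IP
    #   prints "ok" and returns 0 when the certificate chains to CA_PEM and its
    #   subjectAltName lists EXPECTED_IP; otherwise prints "ca-mismatch" or
    #   "ip-mismatch" and returns 1.
    check_fog_cert() {
        ca="$1"; cert="$2"; ip="$3"

        # 1. Chain check: a cert issued by server A's CA will not verify against
        #    a CA that was freshly generated on server B (the failure in the thread).
        if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
            echo "ca-mismatch"
            return 1
        fi

        # 2. Identity check: the FOG client connects by the IP in settings.json,
        #    so that IP must appear in the SAN or TLS validation fails even when
        #    the chain is fine. Dots are escaped so 10.0.0.5 does not match 10.0.0.50.
        ip_re=$(printf '%s' "$ip" | sed 's/\./\\./g')
        if ! openssl x509 -in "$cert" -noout -text 2>/dev/null \
                | grep -qE "IP Address:${ip_re}([, ]|\$)"; then
            echo "ip-mismatch"
            return 1
        fi

        echo "ok"
    }

    # make_demo_certs DIR: constructed fixtures for the demo. Creates CA "A", an
    # unrelated CA "B", and a server certificate for 10.0.0.5 issued by A.
    # (Same layout as FOG's CA dir: the -CAcreateserial step leaves a .srl file.)
    make_demo_certs() {
        dir="$1"
        printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
            > "$dir/ca.cnf"
        for name in caA caB; do
            openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo FOG $name" \
                -keyout "$dir/$name.key" -out "$dir/$name.csr" >/dev/null 2>&1
            openssl x509 -req -days 1 -in "$dir/$name.csr" -signkey "$dir/$name.key" \
                -extfile "$dir/ca.cnf" -out "$dir/$name.pem" >/dev/null 2>&1
        done
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=10.0.0.5" \
            -keyout "$dir/srv.key" -out "$dir/srv.csr" >/dev/null 2>&1
        printf 'subjectAltName=IP:10.0.0.5,DNS:fogserver\n' > "$dir/san.cnf"
        openssl x509 -req -days 1 -in "$dir/srv.csr" \
            -CA "$dir/caA.pem" -CAkey "$dir/caA.key" -CAcreateserial \
            -extfile "$dir/san.cnf" -out "$dir/srv.pem" >/dev/null 2>&1
    }

    # Stand-alone demo:  sh check_fog_cert.sh --demo
    if [ "${1:-}" = "--demo" ]; then
        d=$(mktemp -d)
        make_demo_certs "$d"
        echo "same CA, right IP:  $(check_fog_cert "$d/caA.pem" "$d/srv.pem" 10.0.0.5)"
        echo "other CA, right IP: $(check_fog_cert "$d/caB.pem" "$d/srv.pem" 10.0.0.5)"
        echo "same CA, wrong IP:  $(check_fog_cert "$d/caA.pem" "$d/srv.pem" 10.0.0.6)"
        rm -rf "$d"
    fi
    ```

    On a real server B you would point the first argument at /opt/fog/snapins/ssl/CA/.fogCA.pem and the second at the web server certificate the installer generated (its exact file name under /var/www/html/fog/management/other/ is not given above, so find it there first). An "ip-mismatch" after copying only the CA is exactly the case where ./installfog.sh --recreate-keys, and not --recreate-ca, is needed.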


  • Moderator

    When the fog client connects to the FOG server for the first time it tattoos itself with the identity of the fog server. That way any rogue fog server can’t take over control of the FOG Client and do bad things to it. That tattoo is based on the FOG SSL certificate stored in /opt/fog/snapins/ssl (I think). If that certificate from the original fog server is copied to the second fog server and the client updated to look at the second fog server everything will be happy. It’s not the recommended approach, but sometimes you have to do what you have to do to make things work.



  • Hi, first of all I had the same problem, well, actually a similar one. I use 2 FOG servers, one for Windows XP (with an old FOG) and another for W10 (FOG 1.5.8), therefore I had to redirect the PXE boot for each host.
    fix 1: may I suggest that you don’t install the FOG service in the “default” Windows image at all… this way, after you deploy the image, you can assign each host to the desired FOG server when you set up the “SmartInstaller” with the FOG service
    fix 2: I’ve managed to change the FOG server that hosts respond to by editing the “settings.json” in “C:\Program Files (x86)\FOG”… the only problem with this is that I had to click “reset encryption data” in the FOG web manager for that particular host (and the other hosts I’ve changed from one server to another)
    In case you wonder why I use 2 FOG servers and why I use Windows XP… the company I work for has around 1700 hosts 🙂 and old software that works only on Win XP

