Adding https support to FOG server with Centos 7

    george1421 Moderator
    last edited by george1421 May 20, 2020, 7:35 AM May 18, 2020, 5:57 PM

    This guide shows how to add https support (simple mode) to your FOG server. These instructions assume you know how to request a certificate and how to interact with the FOG server and its configuration.

    NOTE: This approach is not supported by the fog developers

    The intent is simply to show a hack that adds https support with self signed enterprise certificates. Understand that with this approach the http web interface will remain operational for pxe booting and FOG client communications. If you need these features also protected within the https protocol, please follow the officially supported process to activate https on your FOG server.

    The first thing you will need is, of course, your enterprise signed certificate with a subject that matches the dns name of your FOG server. This certificate needs to be in .pem format. You will need 2 files: the server private key file and the public certificate file. The certificate must be issued to the FQDN of your FOG server. IP addresses have not been allowed by the CA (certificate authority) for many years now.

    Understand these instructions are for Centos 7. You will need to adapt them for your FOG server host OS.

    Place the private key file in /etc/pki/tls/private
    Place the public certificate file in /etc/pki/tls/certs

    For this tutorial let's call the private key server.key and the public certificate server.crt.

    Now that the certificates are in place, let's work on the apache server configuration. For Centos we need to install the apache mod_ssl package. So as root (or sudo) install the mod_ssl package with

    yum install mod_ssl -y

    Change into the apache configuration directory with

    cd /etc/httpd/conf.d
    

    Copy the existing FOG configuration file to the ssl modified version.

    cp fog.conf fogssl.conf
    

    Edit the file /etc/httpd/conf.d/fogssl.conf

    At the top change the port from 80 to the ssl port of 443

    <VirtualHost *:80>
    

    Change to

    <VirtualHost *:443>
    

    Just below the <VirtualHost *:443> line insert the following lines of text:

        SSLEngine on
    
        SSLProtocol all -SSLv2 -SSLv3 -TLSv1
        SSLCipherSuite      ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
        SSLHonorCipherOrder on
    
        #   Server Certificate:
        SSLCertificateFile /etc/pki/tls/certs/server.crt
        #   Server Private Key:
        SSLCertificateKeyFile /etc/pki/tls/private/server.key
    
    

    Save the configuration file

    Restart apache with the following command

    systemctl restart httpd
    

    If the system restarts cleanly then your configuration changes should be good.

    Now open a browser and key in https://<fog_server_dns_name>/fog. If everything is good you should see the login page for FOG.

    Things that still need to be worked out:

    1. http redirect to https without breaking pxe booting and fog client interaction with the fog server.

    ref: https://revocent.com/configuring-apache-httpd-tls-using-microsoft-adcs-certificates/

    Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!
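
A pre-flight check for the certificate steps above, to run before `systemctl restart httpd`. This is an added example, not part of the original post or of FOG: the function names and the FQDN argument are assumptions, and the file paths are the ones the tutorial uses.

```shell
#!/bin/sh
# Added example: pre-flight checks for the certificate and key named in fogssl.conf.
# Function names and the FQDN argument are assumptions, not part of FOG.

# True when the certificate and the private key hold the same public key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# True when the certificate was issued to the given DNS name (SAN, else CN).
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q "does match certificate"
}

# True when the certificate has not expired.
cert_not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# True when group and other have no permission bits on the private key.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Run every check, report each failure, return non-zero if any failed.
preflight() {
    rc=0
    cert_matches_key "$1" "$2" || { echo "FAIL: $2 is not the key for $1"; rc=1; }
    cert_covers_host "$1" "$3" || { echo "FAIL: $1 is not issued to $3"; rc=1; }
    cert_not_expired "$1"      || { echo "FAIL: $1 has expired"; rc=1; }
    key_is_private "$2"        || { echo "FAIL: $2 is readable by group or other"; rc=1; }
    return "$rc"
}

# Usage: sh preflight.sh <cert> <key> <fqdn>
if [ "$#" -eq 3 ]; then
    preflight "$@"
fi
```

Run it as root with `/etc/pki/tls/certs/server.crt`, `/etc/pki/tls/private/server.key` and the server's FQDN; if it exits cleanly, `apachectl configtest` will catch syntax errors in fogssl.conf before the restart.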

    Copyright © 2012-2024 FOG Project