Adding https support to FOG server with Centos 7
-
This guide shows how to add https support (simple mode) to your FOG server. It assumes you already know how to request a certificate from your enterprise CA and how to work with the FOG server and its configuration.
NOTE: This approach is not supported by the FOG developers.
The intent is simply to show a hack that adds https support using certificates issued by your own enterprise (internal) CA. Understand that with this approach the http web interface remains operational for PXE booting and FOG client communication, so only the browser session to the management interface is protected, and anyone who still types http://<fog_server_dns_name>/fog will send their login in the clear. If you need PXE booting and the FOG client protected by https as well, follow the officially supported process to activate https on your FOG server.
The first thing you need is, of course, a certificate signed by your enterprise CA whose subject matches the DNS name of your FOG server. It must be in PEM format, and you need two files: the server's private key and its public certificate. The certificate must be issued to the FQDN of the FOG server, and that FQDN should appear in the Subject Alternative Name extension and not only in the CN, because current browsers only look at the SAN. CAs have not issued certificates for (private) IP addresses for many years, so point your users at the name, not the address.
Understand these instructions are for CentOS 7. You will need to adapt them for your FOG server's host OS.
Place the private key file in
/etc/pki/tls/private
Place the public certificate file in
/etc/pki/tls/certs
For this tutorial let's call the private key server.key and the public certificate server.crt. The key should be owned by root with mode 0600 (chmod 600 /etc/pki/tls/private/server.key); httpd reads it as root at startup before dropping privileges, so nothing else on the box needs to read it.
Now that the certificates are in place lets work on the apache server configuration. For Centos we need to install the apache mod_ssl package. So as root (or sudo) install the mod_ssl package with
yum install mod_ssl -y
Change into the apache configuration directory with
cd /etc/httpd/conf.d
Copy the existing FOG configuration file to an ssl-modified version.
cp fog.conf fogssl.conf
Edit the file
/etc/httpd/conf.d/fogssl.conf
At the top change the port from 80 to the ssl port of 443
<VirtualHost *:80>
Change to
<VirtualHost *:443>
Just below the
<VirtualHost *:443>
line insert the following lines of text:
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    SSLHonorCipherOrder on
    # Server Certificate:
    SSLCertificateFile /etc/pki/tls/certs/server.crt
    # Server Private Key:
    SSLCertificateKeyFile /etc/pki/tls/private/server.key
Two things to be aware of here. CentOS 7 ships httpd 2.4.6 built against OpenSSL 1.0.2, so TLS 1.3 is not available whatever SSLProtocol says; the line above leaves TLS 1.1 and 1.2 enabled, and if nothing old needs to reach the server you can add -TLSv1.1 as well. Also, installing mod_ssl drops its own ssl.conf into /etc/httpd/conf.d with a default port 443 virtual host that uses the self-signed localhost certificate. After the restart below, confirm that the certificate Apache actually presents is yours (for example with openssl s_client -connect <fog_server_dns_name>:443 -servername <fog_server_dns_name>); if you are handed localhost.crt instead, add a ServerName <fog_server_dns_name> line to fogssl.conf or comment out the VirtualHost block in ssl.conf.
Save the configuration file.
Check the syntax before restarting:
apachectl configtest
Then restart apache with the following command:
systemctl restart httpd
If httpd restarts cleanly (systemctl status httpd shows it active) your configuration changes should be good. If it does not, the usual causes are a key that does not match the certificate or wrong permissions on the key; journalctl -u httpd will tell you which. On CentOS 7 also remember that firewalld does not allow port 443 by default, so if it is running, open it:
firewall-cmd --permanent --add-service=https && firewall-cmd --reload
Now open a browser and go to
https://<fog_server_dns_name>/fog
If everything is good you should see the login page for FOG.
Things that still need to be worked out:
- http redirect to https without breaking PXE booting and FOG client interaction with the FOG server.
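The whole procedure above collected into one script, as an added example that is not part of the original post and not FOG project code. It writes fogssl.conf from fog.conf with awk instead of by hand, checks that server.key really belongs to server.crt before Apache is restarted (the most common reason httpd refuses to start after this change), and runs the post-restart checks. The paths are the ones used in this post; fog.example.com is a placeholder FQDN and the FOG_SSL_APPLY guard is my own, so that sourcing the file for its functions does not touch the host.

```shell
#!/bin/sh
# Added example, not FOG project code: scripts the procedure from this post.
# Paths are the ones from the post; FQDN is a placeholder (assumption), and
# nothing is applied to the host unless FOG_SSL_APPLY=yes is set.

CERT=/etc/pki/tls/certs/server.crt
KEY=/etc/pki/tls/private/server.key
FQDN=fog.example.com   # assumed; replace with your FOG server's real FQDN

CIPHERS='ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'

# make_ssl_vhost_conf SRC DST CERT KEY
# Copies SRC to DST, turning the first "<VirtualHost *:80>" into *:443 and
# inserting the TLS directives from the post directly below it. Every other
# line (DocumentRoot, handlers, rewrite rules) is copied unchanged, so the
# https vhost serves exactly what the http one does.
make_ssl_vhost_conf() {
    awk -v cert="$3" -v key="$4" -v ciphers="$CIPHERS" '
        index($0, "<VirtualHost *:80>") == 1 && !done {
            print "<VirtualHost *:443>"
            print "    SSLEngine on"
            print "    SSLProtocol all -SSLv2 -SSLv3 -TLSv1"
            print "    SSLCipherSuite " ciphers
            print "    SSLHonorCipherOrder on"
            print "    # Server Certificate:"
            print "    SSLCertificateFile " cert
            print "    # Server Private Key:"
            print "    SSLCertificateKeyFile " key
            done = 1
            next
        }
        { print }
    ' "$1" > "$2"
}

# cert_key_match CERT KEY  -> exit status 0 when KEY belongs to CERT.
# Compares the public key embedded in the certificate with the public key
# derived from the private key.
cert_key_match() {
    c=$(openssl x509 -noout -pubkey -in "$1") || return 2
    k=$(openssl pkey -pubout -in "$2") || return 2
    [ "$c" = "$k" ]
}

# cert_names CERT -> prints the subject and the SAN line so the FQDN can be
# checked; browsers match the SAN, not the CN.
cert_names() {
    openssl x509 -noout -subject -in "$1"
    openssl x509 -noout -text -in "$1" | grep -A1 'Subject Alternative Name' || true
}

# apply_on_centos7 : the actual steps from the post, in order, with a syntax
# check before the restart and a handshake check after it.
apply_on_centos7() {
    yum install -y mod_ssl || return 1
    chown root:root "$KEY" && chmod 600 "$KEY"
    cert_key_match "$CERT" "$KEY" || { echo "server.key does not match server.crt" >&2; return 1; }
    cert_names "$CERT"
    make_ssl_vhost_conf /etc/httpd/conf.d/fog.conf /etc/httpd/conf.d/fogssl.conf "$CERT" "$KEY"
    apachectl configtest || return 1
    systemctl restart httpd
    systemctl is-active --quiet httpd || { journalctl -u httpd -n 20 --no-pager; return 1; }
    if systemctl is-active --quiet firewalld; then
        firewall-cmd --permanent --add-service=https && firewall-cmd --reload
    fi
    # Expect your certificate's subject and "Verify return code: 0 (ok)" when
    # the enterprise CA is in the system trust store; a localhost subject here
    # means the default vhost from ssl.conf won instead of fogssl.conf.
    echo | openssl s_client -connect "$FQDN:443" -servername "$FQDN" 2>/dev/null \
        | grep -E 'subject=|Verify return code'
}

if [ "${FOG_SSL_APPLY:-}" = yes ]; then
    apply_on_centos7
fi
```

Run it as FOG_SSL_APPLY=yes sh fog-ssl.sh on the server; without that variable it only defines the functions, so you can source it and run cert_key_match or make_ssl_vhost_conf by hand against a copy of fog.conf first.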
ref: https://revocent.com/configuring-apache-httpd-tls-using-microsoft-adcs-certificates/