Communication problems between fog client and server
-
@LittleTux Thanks for the update. So we are down to
Middleware::Response Failed to decrypt data on server
for all the hosts now. Do you see other clients working fine? Do you have more than one FOG server by any chance or did you re-install (not update) at some point?
Please take a look at the Windows certificate store and see if you have more than one certificate named “FOG Server CA” on those hosts that show the issue.
I will look through the code again later on.
-
@sebastian-roth Thanks for the answer, actually it’s a fresh new install on Debian 10.6. I had to delete the old FOG server after backing up images/hosts/groups because we don’t have enough space on our SAN to have two at the same time (1 terabyte of images).
I just backed up the /opt/fog/snapins/ssl directory of the old one in case of certificate client/server issues :-). So no client is working fine at this moment.
On the client I got one “FOG Server CA”, “FOG Project CA” & “FOG Project” certificate.
Have a good one, regards
-
@LittleTux I find it strange we see the “Data::RSA FOG Server CA cert found” and “Middleware::Authentication Cert OK” messages. As far as I see it this would mean the client does use the certificate provided by the new server already.
“I just backed up the /opt/fog/snapins/ssl directory of the old one in case of certificate client/server issues :-).”
Did you copy this backup of the certificate, key and CA of your old server to the new install at some point yet?
Please run the following commands to see if the certs are somehow messed up:
openssl x509 -noout -fingerprint -md5 -in /opt/fog/snapins/ssl/CA/.fogCA.pem
openssl x509 -noout -fingerprint -md5 -in /var/www/html/fog/management/other/ca.cert.pem
openssl x509 -noout -modulus -in /var/www/fog/management/other/ssl/srvpublic.crt | openssl md5
openssl rsa -noout -modulus -in /opt/fog/snapins/ssl/.srvprivate.key | openssl md5
openssl verify -verbose -CAfile /opt/fog/snapins/ssl/CA/.fogCA.pem /var/www/fog/management/other/ssl/srvpublic.crt
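The same checks, wrapped in a script and run against constructed throwaway files, show what a consistent set and the two failure cases look like. This is an added example, not part of the original post and not FOG's own tooling; the function names (`check_pair`, `make_fixture`) and all file names in it are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: the thread's consistency checks, run on constructed
# throwaway files (not a real FOG installation).

# Raw RSA modulus of a certificate / private key. The thread pipes these
# through "openssl md5" only to make them short enough to compare by eye.
cert_modulus() { openssl x509 -noout -modulus -in "$1"; }
key_modulus()  { openssl rsa  -noout -modulus -in "$1" 2>/dev/null; }

# check_pair CA CERT KEY
# returns 0 = consistent, 1 = CERT not signed by CA, 2 = KEY is not CERT's key
check_pair() {
    if ! openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo "chain broken: $2 was not issued by $1"; return 1
    fi
    if [ "$(cert_modulus "$2")" != "$(key_modulus "$3")" ]; then
        echo "key mismatch: $3 is not the private key for $2"; return 2
    fi
    echo "ok: chain verifies and key matches certificate"
}

# Constructed fixture: a CA, a server certificate it signed, an unrelated
# private key, and a second CA with the same subject name but its own key.
make_fixture() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example-server" \
        -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
    openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/srv.crt" 2>/dev/null
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example CA" \
        -keyout "$d/other-ca.key" -out "$d/other-ca.pem" 2>/dev/null
}

demo() {
    tmp=$(mktemp -d)
    make_fixture "$tmp"
    check_pair "$tmp/ca.pem" "$tmp/srv.crt" "$tmp/srv.key"          # consistent
    check_pair "$tmp/ca.pem" "$tmp/srv.crt" "$tmp/other.key"        # wrong key
    check_pair "$tmp/other-ca.pem" "$tmp/srv.crt" "$tmp/srv.key"    # wrong CA
    rm -rf "$tmp"
}
demo
```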
-
@sebastian-roth “Did you copy this backup of the certificate, key and CA of your old server to the new install at some point yet?”
To answer this point: I tried with WinSCP from a Windows Server but I had some permission errors, so I didn’t try again. I checked file versions and it seems to me that the files in this directory were the ones created during the installation and not the files of the old one.
I will try the commands and give feedback very soon.
Have a good day, regards.
-
@sebastian-roth Got this with the commands, not sure it is a good thing:
root@SRV-IMAGE:/home/administrateur# openssl x509 -noout -fingerprint -md5 -in /opt/fog/snapins/ssl/CA/.fogCA.pem
MD5 Fingerprint=59:28:75:0D:E3:95:B7:93:2E:9C:20:F2:67:3F:EF:70
root@SRV-IMAGE:/home/administrateur# openssl x509 -noout -fingerprint -md5 -in /var/www/html/fog/management/other/ca.cert.pem
MD5 Fingerprint=59:28:75:0D:E3:95:B7:93:2E:9C:20:F2:67:3F:EF:70
root@SRV-IMAGE:/home/administrateur# openssl x509 -noout -modulus -in /var/www/fog/management/other/ssl/srvpublic.crt | openssl md5
(stdin)= 0a10916be9139c568a8450b82b70bb27
root@SRV-IMAGE:/home/administrateur# openssl rsa -noout -modulus -in /opt/fog/snapins/ssl/.srvprivate.key | openssl md5
(stdin)= bb94e9a98c8319baf8e365174cdb262c
root@SRV-IMAGE:/home/administrateur# openssl verify -verbose -CAfile /opt/fog/snapins/ssl/CA/.fogCA.pem /var/www/fog/management/other/ssl/srvpublic.crt
/var/www/fog/management/other/ssl/srvpublic.crt: OK
I manage another school network, FOG is 1.5.9 too, on Debian 9. I checked clients on this network and all seems OK for communication. Is there any way this server can help us?
Regards
-
@LittleTux The other server has its own CA and certificates and it’s not a good idea to copy things over from that.
From the output you posted we see that most of the files match (same fingerprints and verify OK) but the key file doesn’t!! This is causing the issue for sure.
So let’s check the backup of the old files you have to see if we can get things back this way. How did you take that backup copy? Does it have the file .srvprivate.key in it (on Linux systems files starting with a dot are kind of hidden)?
-
@sebastian-roth OK I see, this is a screenshot of the things:
On the left, the backup from the old Ubuntu server which is deleted.
On the right, the current server.
Actually I see that the new server is missing the .srvprivate.key file. But if I copy this one, will it work? This file comes from the old server so I don’t know.
An important thing to note too is that the CA directory is empty on the new one and has 3 files on the old one:
- .fogCA.key
- .fogCA.pem
- .fogCA.srl
- .srl
So there are two questions:
- If I copy the .srvprivate.key file and the 4 files in the CA directory, will it work?
- Is there a way to relaunch the installation on the server without deleting configurations and data (images, hosts, etc…) but reinitializing the certification?
Regards.
-
@LittleTux Please check the speech bubble in the top right corner.
-
@sebastian-roth Hi again Sebastian, thanks again a lot for the time you spend to fix my issue …
Tried 2 things and got the same result/error:
- Deployed the fresh MSI 0.12 FOG client installer you download from GitHub by GPO:
------------------------------------------------------------------------------
--------------------------------Authentication--------------------------------
------------------------------------------------------------------------------
04/12/2020 13:07 Client-Info Version: 0.11.16
04/12/2020 13:07 Client-Info OS: Windows
04/12/2020 13:07 Middleware::Authentication Waiting for authentication timeout to pass
04/12/2020 13:07 Controller Stop
04/12/2020 13:07 Service Stop requested
04/12/2020 13:07 Middleware::Authentication ERROR: Could not authenticate
04/12/2020 13:07 Middleware::Authentication ERROR: Le thread a été abandonné.
04/12/2020 13:07 Bus Emmiting message on channel: Status
04/12/2020 13:12:44 Main Overriding exception handling
04/12/2020 13:12:45 Main Bootstrapping Zazzles
04/12/2020 13:12:45 Controller Initialize
04/12/2020 13:12:45 Controller Start
04/12/2020 13:12:45 Service Starting service
04/12/2020 13:12:50 Bus Became bus server
04/12/2020 13:12:50 Bus Emmiting message on channel: Status
04/12/2020 13:12:50 Service Invoking early JIT compilation on needed binaries
------------------------------------------------------------------------------
--------------------------------Authentication--------------------------------
------------------------------------------------------------------------------
04/12/2020 13:12:50 Client-Info Version: 0.12.0
04/12/2020 13:12:50 Client-Info OS: Windows
04/12/2020 13:12:50 Middleware::Authentication Waiting for authentication timeout to pass
04/12/2020 13:12:50 Middleware::Communication Download: http://fogserver/fog/management/other/ssl/srvpublic.crt
04/12/2020 13:12:50 Data::RSA FOG Server CA cert found
04/12/2020 13:12:50 Data::RSA ERROR: Certificate validation failed
04/12/2020 13:12:50 Data::RSA ERROR: Trust chain did not complete to the known authority anchor. Errors: La signature du certificat ne peut pas être vérifiée. (NotSignatureValid)
04/12/2020 13:12:50 Middleware::Authentication ERROR: Could not authenticate
04/12/2020 13:12:50 Middleware::Authentication ERROR: Certificate is not from FOG CA
------------------------------------------------------------------------------
--------------------------------Authentication--------------------------------
------------------------------------------------------------------------------
04/12/2020 13:12:50 Client-Info Version: 0.12.0
04/12/2020 13:12:50 Client-Info OS: Windows
04/12/2020 13:12:50 Middleware::Authentication Waiting for authentication timeout to pass
04/12/2020 13:14:50 Middleware::Communication Download: http://fogserver/fog/management/other/ssl/srvpublic.crt
04/12/2020 13:14:50 Data::RSA FOG Server CA cert found
04/12/2020 13:14:50 Data::RSA ERROR: Certificate validation failed
04/12/2020 13:14:50 Data::RSA ERROR: Trust chain did not complete to the known authority anchor. Errors: La signature du certificat ne peut pas être vérifiée. (NotSignatureValid)
04/12/2020 13:14:50 Middleware::Authentication ERROR: Could not authenticate
04/12/2020 13:14:50 Middleware::Authentication ERROR: Certificate is not from FOG CA
------------------------------------------------------------------------------
--------------------------------Authentication--------------------------------
------------------------------------------------------------------------------
04/12/2020 13:14:50 Client-Info Version: 0.12.0
04/12/2020 13:14:50 Client-Info OS: Windows
04/12/2020 13:14:50 Middleware::Authentication Waiting for authentication timeout to pass
04/12/2020 13:16:50 Middleware::Communication Download: http://fogserver/fog/management/other/ssl/srvpublic.crt
04/12/2020 13:16:50 Data::RSA FOG Server CA cert found
04/12/2020 13:16:50 Data::RSA ERROR: Certificate validation failed
04/12/2020 13:16:50 Data::RSA ERROR: Trust chain did not complete to the known authority anchor. Errors: La signature du certificat ne peut pas être vérifiée. (NotSignatureValid)
04/12/2020 13:16:50 Middleware::Authentication ERROR: Could not authenticate
04/12/2020 13:16:50 Middleware::Authentication ERROR: Certificate is not from FOG CA
------------------------------------------------------------------------------
--------------------------------Authentication--------------------------------
------------------------------------------------------------------------------
04/12/2020 13:16:50 Client-Info Version: 0.12.0
04/12/2020 13:16:50 Client-Info OS: Windows
04/12/2020 13:16:50 Middleware::Authentication Waiting for authentication timeout to pass
As you see, the GPO is working great as the version is updated after a reboot, but we got that certificate error.
- Tried to uninstall the FOG client and reinstall with the same fresh MSI 0.12 FOG client installer you download from GitHub on a test PC and got the exact same error about the certificate.
You have already spent a lot of time on my issue so I don’t want to keep you busy any more…
I assume that my problem is from when I tried to copy the old “/opt/snapins/ssl” repository to the new one.
So if I install a new server from scratch without copying anything, the client downloaded from the new server will work fine, so I will deploy this client on my whole network by GPO. Am I right?
Have a good day, regards.
-
@LittleTux Before you go ahead and reinstall the whole server let’s take a look at the files the fog-client uses to pin and talk to that server. Possibly I just missed creating one of the files last time or you have a mixed up web root. Please run the following commands and post output here:
ls -alR /var/www/fog/management/other/
ls -alR /var/www/html/fog/management/other/
ls -al /var/www/
-
@sebastian-roth Well, read this kinda too late…
At this moment, the FOG install is running on a fresh new install. I will let you know afterwards if it’s good for me for client/server communication.
Have a good day.
-
@sebastian-roth Thanks again for all the help.
Fresh install is fine, and client is updating well by GPO.
We can pass this to solved :-).
Have a good day, regards.
-
@LittleTux Thanks for the feedback on this!