Fog client installation error - Cannot install CA certificate
-
@jonhwood360 Didn’t expect it to bail out that early. So it doesn’t even get to where I expected it to fail (SSL/TLS cert validity check).
Could you please try installing the fog-client on a system that is not in audit mode? Just want to make sure this has no effect.
The other thing we might take a look at is a network packet capture. Get the fog-client setup ready to the same point as last time when we looked at the Apache log files. Then run the following commands on your FOG server:
sudo -i
apt install tcpdump
tcpdump -nn -w /tmp/ssl.pcap host 10.40.40.14
Make sure you put in the IP address of the host you are trying to install fog-client on. Now leave the command sit there and finish the fog-client setup. After it failed, stop tcpdump (ctrl-c) and use WinSCP (or another secure copy tool) to copy the binary file /tmp/ssl.pcap over to another computer. Upload to any filesharing service you have access to and post a link here.
-
@sebastian-roth said in Fog client installation error - Cannot install CA certificate:
@jonhwood360 Didn’t expect it to bail out that early. So it doesn’t even get to where I expected it to fail (SSL/TLS cert validity check).
Could you please try installing the fog-client on a system that is not in audit mode? Just want to make sure this has no effect.
The other thing we might take a look at is a network packet capture.
Here is the packet capture:
https://drive.google.com/file/d/1KM4WAsPPF43tVDomDUuR_HOEU_4bZ6oB/view?usp=sharing
-
@jonhwood360
fog apache config
-
@jonhwood360 The PCAP looks like the host sends a TLS Client Hello using TLS 1.0 and the Apache server rejects it. Have you disabled newer TLS versions via GPO by any chance??
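To check what a capture like the one above actually shows, the following added example (not code from the thread or from the fog-client project) parses a TLS ClientHello record and reports the protocol versions the client offers, then compares them against a server minimum. It handles both the legacy case (a pre-1.3 client announces its maximum in client_version, which is where a .NET 4.5 default shows up as TLS 1.0) and the TLS 1.3 case (real offers sit in the supported_versions extension). The sample hellos are constructed inline with a zeroed random and two arbitrary cipher suites; in practice the record bytes would be the TCP payload of the first client packet after the handshake, exported from the PCAP.

```python
import struct

# TLS version codes as they appear on the wire (standard values)
VERSION_NAMES = {
    0x0300: "SSL 3.0",
    0x0301: "TLS 1.0",
    0x0302: "TLS 1.1",
    0x0303: "TLS 1.2",
    0x0304: "TLS 1.3",
}
TLS10, TLS11, TLS12, TLS13 = 0x0301, 0x0302, 0x0303, 0x0304
RECORD_HANDSHAKE = 0x16
HS_CLIENT_HELLO = 0x01
EXT_SUPPORTED_VERSIONS = 0x002B


def version_name(code):
    return VERSION_NAMES.get(code, "unknown (0x%04x)" % code)


def parse_client_hello(record):
    """Return the version fields of a ClientHello carried in one TLS record.

    Pre-1.3 clients announce their highest version in client_version; a TLS 1.3
    client keeps client_version at 0x0303 and lists its real offers in the
    supported_versions extension, so both places are read.
    """
    if len(record) < 5 or record[0] != RECORD_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    record_version, rec_len = struct.unpack("!HH", record[1:5])
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != HS_CLIENT_HELLO:
        raise ValueError("handshake message is not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < hs_len:
        raise ValueError("truncated ClientHello")

    pos = 0
    client_version = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2 + 32                       # skip the 32-byte client random
    pos += 1 + hello[pos]               # session_id (length-prefixed)
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    cipher_suites = [struct.unpack("!H", hello[i:i + 2])[0]
                     for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + hello[pos]               # compression_methods (length-prefixed)

    offered = []
    if pos + 2 <= len(hello):           # the extensions block is optional
        ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            data = hello[pos:pos + ext_len]
            pos += ext_len
            if ext_type == EXT_SUPPORTED_VERSIONS:
                n = data[0]             # byte length of the version list
                offered = [struct.unpack("!H", data[i:i + 2])[0]
                           for i in range(1, 1 + n, 2)]
    if not offered:
        offered = [client_version]      # legacy client: one value, its maximum
    return {
        "record_version": record_version,
        "client_version": client_version,
        "offered_versions": offered,
        "cipher_suite_count": len(cipher_suites),
    }


def server_would_accept(info, server_min_version):
    """True if the client offers at least the server's minimum protocol version."""
    return max(info["offered_versions"]) >= server_min_version


def build_client_hello(client_version, supported_versions=(), record_version=None):
    """Construct a minimal ClientHello record for testing (zeroed random, two suites)."""
    body = struct.pack("!H", client_version) + bytes(32)   # constructed, not random
    body += b"\x00"                                         # empty session_id
    suites = (0x002F, 0x0035)                               # arbitrary constructed choice
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                     # one compression method: null
    if supported_versions:
        sv = bytes([2 * len(supported_versions)]) + b"".join(
            struct.pack("!H", v) for v in supported_versions)
        ext = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(sv)) + sv
        body += struct.pack("!H", len(ext)) + ext
    hs = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    rv = client_version if record_version is None else record_version
    return bytes([RECORD_HANDSHAKE]) + struct.pack("!HH", rv, len(hs)) + hs


if __name__ == "__main__":
    # Constructed samples: a TLS-1.0-only hello versus a modern hello that keeps
    # the record version at 0x0301 for compatibility and offers 1.3/1.2 via extension.
    legacy = build_client_hello(TLS10)
    modern = build_client_hello(TLS12, supported_versions=(TLS13, TLS12), record_version=TLS10)
    for label, rec in (("legacy", legacy), ("modern", modern)):
        info = parse_client_hello(rec)
        print(label, [version_name(v) for v in info["offered_versions"]],
              "accepted by a TLS 1.2-only server:", server_would_accept(info, TLS12))
```

The server minimum passed to server_would_accept is whatever the Apache mod_ssl SSLProtocol directive allows on the FOG server; that value is not shown in this thread, so TLS 1.2 in the usage above is an assumption. A "legacy" result with only TLS 1.0 offered is the signature of the client behaviour discussed here.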
-
@sebastian-roth said in Fog client installation error - Cannot install CA certificate:
@jonhwood360 The PCAP looks like the host sends a TLS Client Hello using TLS 1.0 and the Apache server rejects it. Have you disabled newer TLS versions via GPO by any chance??
No, no GPOs are applied. The Apache server is on Ubuntu. I can try to force enable newer TLS versions on the workstations. Is ver 1.2 sufficient?
-
@jonhwood360 said in Fog client installation error - Cannot install CA certificate:
@sebastian-roth said in Fog client installation error - Cannot install CA certificate:
@jonhwood360 The PCAP looks like the host sends a TLS Client Hello using TLS 1.0 and the Apache server rejects it. Have you disabled newer TLS versions via GPO by any chance??
No, no GPOs are applied. The Apache server is on Ubuntu. I can try to force enable newer TLS versions on the workstations. Is ver 1.2 sufficient?
I reattempted install after hard enabling tls 1.1 and 1.2 in the registry of the machine. No change.
I also took another pcap: https://drive.google.com/file/d/19u1RKug2OwFOHC4S_l0bDT1uK7bbhR0I/view?usp=sharing
-
PCAP from workstation as well - https://drive.google.com/file/d/1y-lML_qrJ18nv3T7HQ3zsW9M9vUD3NOU/view?usp=sharing
-
@sebastian-roth said in Fog client installation error - Cannot install CA certificate:
The PCAP looks like the host sends a TLS Client Hello using TLS 1.0 and the Apache server rejects it. Have you disabled newer TLS versions via GPO by any chance??
Sorry, I wrote this without having had the time to test this on my side. I just found the time to capture a PCAP in my test setup and it seems to use TLS 1.0 as well. Reading more about this on the web I found that it still seems to be the default in .NET framework 4.5.x which we use since fog-client version 0.12.0 (before we still used .NET 4.0, OMG).
Ok, that explains why we both see TLS 1.0 in the PCAP, but it's still a riddle why your Apache server rejects the request while mine doesn't. Plus we haven't heard from other users so far. Maybe this Ubuntu moved to some newer versions of Apache (and maybe OpenSSL) not long ago that now reject TLS 1.0 completely.
I will try to force use of TLS 1.1 and newer in our code and upload a new installer for you to test soon.
Thanks a lot for working on this with me! While at first I thought this is not a general issue, it seems to actually be, and you are the first one to report it.
-
@jonhwood360 Ok, here you go for another try: https://github.com/FOGProject/fog-client/releases/download/0.12.0/FOGService_enable_TLS12.msi
See if it can successfully pin to the FOG server with that and post a picture of the FOGService.install log as well.
Keep in mind, this is not for official deployment for various reasons.
-
@sebastian-roth said in Fog client installation error - Cannot install CA certificate:
@jonhwood360 Ok, here you go for another try: https://github.com/FOGProject/fog-client/releases/download/0.12.0/FOGService_enable_TLS12.msi
See if it can successfully pin to the FOG server with that and post a picture of the FOGService.install log as well.
Keep in mind, this is not for official deployment for various reasons.
We have a winner!
So it seems that newer apache does not like the 1.0 connections.
-
@jonhwood360 said in Fog client installation error - Cannot install CA certificate:
We have a winner!
So it seems that newer apache does not like the 1.0 connections.
Great! Thanks again for testing. I will need to dig through the code and see if there is more adjustment needed (other places in the code needing that fix as well). Allow me a few days and I will release a new 0.12.1 including that fix.
Can you post the latest FOGService.install log as well?
-
@sebastian-roth said in Fog client installation error - Cannot install CA certificate:
@jonhwood360 said in Fog client installation error - Cannot install CA certificate:
We have a winner!
So it seems that newer apache does not like the 1.0 connections.
Great! Thanks again for testing. I will need to dig through the code and see if there is more adjustment needed (other places in the code needing that fix as well). Allow me a few days and I will release a new 0.12.1 including that fix.
Can you post the latest FOGService.install log as well?
As requested:
-
@jonhwood360 Thanks! I didn’t get to it over the weekend but hopefully will this upcoming week.
-
I look forward to it!
-
@jonhwood360 Thanks for the help!
-
@jonhwood360 Ok, found the time to properly get this fixed in the code. As there are other things I need to work on before a next official release I decided to build and sign fixed installer binaries for you still as version 0.12.0.
Find FOGService_fixed-tls.msi and SmartInstaller_fixed-tls.exe on https://github.com/FOGProject/fog-client/releases/tag/0.12.0
As mentioned the binaries are signed so auto updating to the next future release will work seamlessly.
-
@sebastian-roth said in Fog client installation error - Cannot install CA certificate:
he next future release will work seamlessly.
Is there a specific place on the fog server I should place these, or just manually distribute them to endpoint clients?
-
@jonhwood360 With this one you need to manually distribute it to the hosts or use some other way of distributed install. The next version will then auto update.
I would suggest you test this on one of your machines - just to make sure I didn't miss anything. After installation you want to keep an eye on the fog-client log (C:\fog.log by default) to see if communication works all fine. Then go ahead and install to the other machines.
-
@sebastian-roth said in Fog client installation error - Cannot install CA certificate:
@jonhwood360 With this one you need to manually distribute it to the hosts or use some other way of distributed install. The next version will then auto update.
I would suggest you test this on one of your machines - just to make sure I didn't miss anything. After installation you want to keep an eye on the fog-client log (C:\fog.log by default) to see if communication works all fine. Then go ahead and install to the other machines.
Got it. Install worked fine. Is the superwebsocket defined in the fogservice.exe.config supposed to listen on localhost?
-
@jonhwood360 said in Fog client installation error - Cannot install CA certificate:
Got it. Install worked fine. Is the superwebsocket defined in the fogservice.exe.config supposed to listen on localhost?
Ok, fine. Communication also working I suppose?
Yes the SuperWebSocket stuff is only used for inter process communication.