Fog Client Certificate Validation Failed
-
I have built a new fog server on our network to replace the old one. It’s running the same version of fog but on a much older server OS. I have installed the client and pointed it to the new fog server however it will not validate the certificate. We did create a new one for our https setup however even when replacing the old one we get the same error. Below is the error in the fog.log.
--------------------------------Authentication--------------------------------
10/15/2021 12:42:17 PM Client-Info Version: 0.12.0
10/15/2021 12:42:17 PM Client-Info OS: Windows
10/15/2021 12:42:17 PM Middleware::Authentication Waiting for authentication timeout to pass
10/15/2021 12:44:17 PM Middleware::Communication Download: http://10.30.12.7/fog/management/other/ssl/srvpublic.crt
10/15/2021 12:44:17 PM Data::RSA FOG Server CA cert found
10/15/2021 12:44:17 PM Data::RSA ERROR: Certificate validation failed
10/15/2021 12:44:17 PM Data::RSA ERROR: Trust chain did not complete to the known authority anchor. Errors: A certificate chain could not be built to a trusted root authority. (PartialChain)
10/15/2021 12:44:17 PM Middleware::Communication SSL certificate chain error: A certificate chain could not be built to a trusted root authority.
10/15/2021 12:44:17 PM Middleware::Communication ERROR: Could not download file
10/15/2021 12:44:17 PM Middleware::Communication ERROR: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
-
@brmitmhart said in Fog Client Certificate Validation Failed:
I have installed the client and pointed it to the new fog server however it will not validate the certificate.
This is an important point. The fog-client installs are pinned to a specific FOG server using a certificate that gets loaded from the server once and put into the certificate store. So you seem to go the right way here, installing the client fresh to point to the new server.
We did create a new one for our https setup however even when replacing the old one we get the same error. Below is the error in the fog.log.
What do you mean by that? Did you manually create a certificate somewhere else? Which files on the FOG server have you replaced exactly?
-
@brmitmhart said in Fog Client Certificate Validation Failed:
We generated our own srvpublic.crt based on which certificates are needed so that you can connect to the https:// site without getting an error. https://wiki.fogproject.org/wiki/index.php?title=HTTPS#Custom_CA_and_certificates
We found that the ca.cert.pem did not work so rolled it back and that fixed the connection errors we were getting. We left the srvpublic.crt file in place and it connects to the HTTPS without error. I downloaded the client through the new fog server as well but had to configure it once installed to point to the same server which is expected however only get the errors above.
I rolled back the srvpublic.crt to the original one that came with the install of Fog on the server but with the same results.
Thank you,
-
@brmitmhart Seems like I wrote this wiki article in a rush when trying to help people work with custom CA/certs but didn’t get to properly test things and correct the article since then. Now that I look at this again I don’t think swapping out the files as described is a great way of doing it. Should have really marked this as “work in progress” in the wiki, sorry about this!
From the top of my head I would say it’s better to leave those files alone, put CA cert/key and webserver cert into other places on the server and edit the Apache config to use your custom CA and cert. This way the fog-client should still use the CA and cert generated by the FOG installer but the webserver itself (Web UI and so on) is handed out using your custom CA. For compiling iPXE you’ll need to point it to the custom CA as well:
./buildipxe.sh /path/to/custom/ca.cert.pem
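To make the PartialChain error in the log concrete: the fog-client trusts exactly one CA, the one it stored at install time, and checks that the srvpublic.crt it downloads chains to it. The Go program below is an added illustration written for this thread, not FOG code; it builds a constructed "installer CA", a constructed "custom corporate CA" and a server cert signed by the installer CA, then runs the same chain check against each anchor. All names are made up for the test.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert issues a constructed test certificate for cn: self-signed (a CA) when parent is nil,
// otherwise signed by parentKey, the way the FOG installer signs srvpublic.crt with its own CA.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER just produced by CreateCertificate parses cleanly
	return cert, key
}

// chainsToAnchor mirrors the fog-client check in the log above: does the downloaded srvpublic.crt
// build a chain to the single CA stored at client install time? Any other issuer fails (PartialChain).
func chainsToAnchor(anchor, srvpublic *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(anchor)
	_, err := srvpublic.Verify(x509.VerifyOptions{Roots: roots})
	return err
}
func main() {
	installerCA, installerKey := newCert("FOG Installer CA", true, nil, nil)
	customCA, _ := newCert("Custom Corporate CA", true, nil, nil)
	srvpublic, _ := newCert("fog-server", false, installerCA, installerKey) // signed by the installer CA
	fmt.Println("installer CA:", chainsToAnchor(installerCA, srvpublic), "| custom CA:", chainsToAnchor(customCA, srvpublic))
}
```

Swapping srvpublic.crt for one issued by a different CA, as the wiki steps did, is the second case: the client's stored anchor no longer matches the issuer, so the chain cannot complete.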
-
@sebastian-roth I’m actually stuck in the same boat. Did anything ever get sorted out of this as well? I tried manually putting new cert in FOG Client Directory and that didn’t work. I even tried installing a fresh client downloaded from server but fails “Ca Certificate Cannot be installed” with HTTPS enabled. I need to have the server communicate with HTTPS due to our security plan. Any additional advice would be greatly appreciated.
-
@cul3r0 In this topic the issue is very likely due to a custom CA and certificates. When FOG generates self signed certs for you it’s usually working out of the box if you don’t mess with it.
As every case is different I may ask you to open a fresh new topic on your own. Link to this one as reference but then more important give us your details, like FOG version, custom modifications and so on.