Using certificate which is not self-signed for HTTPS
-
Hi,
is there any possibility to use a certificate which is not self-signed by the fog CA?
Usually we use ACME to create certificates. If it's currently not possible, are there any plans to support it?
A possible problem would be that the certificates are only valid for one year. As the fog client AFAIK uses the certificate, it would be necessary to deploy the client with the new certificate.
Best regards,
Kai -
@KaiHerlemann
You should be able to do this without too much trouble for just the basic ssl communication like you do for any other linux server. I would suggest at install time NOT selecting ssl and then altering the config to use your custom certificate. I don’t think we’ve implemented custom certs into the install process. I use an internal CA and custom cert on the fog server for https web access, I configured it in apache after installing fog. I think there are some other places that get ssl enabled when you select ssl in the installer.
@Sebastian-Roth might know more on how the client uses certificates. -
@KaiHerlemann Yes, @JJ-Fullmer is right there. The installer is not made to handle custom certificates properly yet. We never found the time to make this work reliably. But if you are good with managing this yourself you can still do it.
The whole topic is a bit complex due to the different tools and layers involved.
- Basic web access to the web UI - just adjust Apache config as you like
- But along with that the iPXE boot loader is using HTTP/HTTPS to load the menu items. So if you switch to HTTPS you also need to compile your own iPXE binaries - not very hard: https://docs.fogproject.org/en/latest/development/fog-release/#ipxe (but use `./buildipxe.sh /path/to/your/CAcert.pem` and skip the `armsupport=1` if you don't have ARM CPUs)
- Now this was the easy part. I started to write about the fog-client here but then realized I did so in the wiki already: https://wiki.fogproject.org/wiki/index.php?title=HTTPS#Custom_CA_and_certificates
I know, this is not ideal having to stitch together the pieces from various sources and make up the rest yourself. So if you are keen we would appreciate it if you document exactly what you do and we'll add it to the official documents. That would be really great!
@KaiHerlemann said:
Usually we use ACME to create certificates.
I would not set up a FOG server open to the public. There are ways to get certificates through ACME without facing it to the web, e.g. opening ports only for the time of cert renewal on the firewall, doing cert renewal on a separate machine and copying those over and so on. Please consider wisely because FOG is not made to run on a public IP/hostname safely.
@JJ-Fullmer said:
I would suggest at install time NOT selecting ssl and then altering the config to use your custom certificate.
On the one hand I agree. Doing it this way you can go step by step. On the other hand if you do a fresh install (don't if you have a running server) then I tend to suggest you enable SSL straight away because it will generate a SSL enabled Apache config for you and save you some time.