https for preseed cannot verify ssl 'CN=FOG Server Ca'
-
Re : UEFI boot pxe preseed Ubuntu20.04 via NFS with https preseed.
Hey folks, hope you're doing well.
I got this problem with my fog server.
I upgraded Debian 10 > 11 > 12; apache is not happy with the CA.
I reinstalled fog using the already existing .fogsettings and fog seems ok as I access the WebUI via https without problem.
Now I got this error when trying to deploy a custom iPXE menu.
Here is the menu:
kernel tftp://${fog-ip}/os/ubuntu/20.04D/vmlinuz
initrd tftp://${fog-ip}/os/ubuntu/20.04D/initrd
imgargs vmlinuz initrd=initrd root=/dev/nfs boot=casper netboot=nfs nfsroot=${fog-ip}:/images/os/ubuntu/ locale=fr_FR.UTF-8 net.ifnames=0 biosdevname=0 ipv6.disable=1 keyboard-configuration/layoutcode=fr ip=dhcp rw hostname=DEPLOY1 domain=my.super.domain automatic-ubiquity url=https://${fog-ip}/autoinstall/ubuntu/ubiseed_20_all.cfg debian-installer/allow_unauthenticated_ssl=true DEBCONF_DEBUG=5
boot || goto MENU
The preseed needs to be fetched via https but fails:
ERROR : cannot verify 192.168.1.200's certificate, issued by 'CN=FOG Server CA'
On apache logs I have:
[Mon Apr 22 16:58:18.308677 2024] [ssl:info] [pid 17451] SSL Library Error: error:0A000076:SSL routines::no suitable signature algorithm
[Mon Apr 22 16:58:18.308736 2024] [ssl:info] [pid 17451] [client 192.168.1.133:50613] AH01998: Connection closed to child 2 with abortive shutdown (server 192.168.1.200:443)
[Mon Apr 22 16:58:18.322694 2024] [ssl:info] [pid 17452] [client 192.168.1.133:50614] AH01964: Connection to child 3 established (server 192.168.1.200:443)
[Mon Apr 22 16:58:18.323173 2024] [ssl:info] [pid 17452] [client 192.168.1.133:50614] AH02008: SSL library error 1 in handshake (server 192.168.1.200:443)
Do I need to regenerate certificates on fog?
When I do a wget from any client:
wget --connect-timeout=5 -c http://192.168.1.200/autoinstall/ubuntu/ubiseed_20_all.cfg -P Downloads/
I have:
--2024-04-22 17:21:32--  http://192.168.1.200/autoinstall/ubuntu/ubiseed_20_all.cfg
Connecting to 192.168.1.200:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://192.168.1.200//autoinstall/ubuntu/ubiseed_20_all.cfg [following]
--2024-04-22 17:21:32--  https://192.168.1.200//autoinstall/ubuntu/ubiseed_20_all.cfg
Connecting to 192.168.1.200:443... connected.
ERROR: The certificate of ‘192.168.1.200’ is not trusted.
ERROR: The certificate of ‘192.168.1.200’ doesn't have a known issuer.
If I try with:
wget --no-check-certificate --connect-timeout=5 -c https://192.168.1.200/autoinstall/ubuntu/ubiseed_20_all.cfg -P Downloads/
it works:
--2024-04-22 17:24:21--  https://192.168.1.200/autoinstall/ubuntu/ubiseed_20_all.cfg
Connecting to 192.168.1.200:443... connected.
WARNING: The certificate of ‘192.168.1.200’ is not trusted.
WARNING: The certificate of ‘192.168.1.200’ doesn't have a known issuer.
HTTP request sent, awaiting response... 200 OK
Length: 24414 (24K)
Saving to: ‘Downloads/ubiseed_20_all.cfg’
If some wizard passing by could give me some hints it would be terrific.
Thanks
-
@fogman4 Well, it's because the certificate of 192.168.1.200 isn't trusted and when you try going to URL http://192.168.1.200 it's redirecting you to a secure side.
If you can get the FOG Server CA certificate trusted on your machine you should be okay (assuming 192.168.1.200 is the fog server address):
Copy the files in /opt/fog/snapins/ssl/, run:
update-ca-certificates
I believe. You may have to make some adjustments but the source I'm using (assuming you're running on ubuntu) is:
https://superuser.com/questions/54615/how-to-install-a-ca-key-self-signed-ssl-on-ubuntu
Another place to attempt trying would be:
https://www.baeldung.com/linux/add-self-signed-certificate-trusted-list
But this is more about getting your browser to accept things.
-
Thanks @Tom-Elliott for your answer.
I'm confused, I think I did not explain my problem clearly.
Debian 12 is my fog server 192.168.1.200.
It serves ubuntu iso files via nfs, kernels/initramfs via tftp and preseed via http(s).
Ubuntu are the workstations I need to deploy; Ubuntu iso files are on nfs, so I don't really understand.
Should I copy the fog CA in the iso's nfs directory?
Looks weird because I never needed this.
My browser works flawlessly with the certificate.
The only problem is when the boot option tries to get the preseed file via https.
The folder /opt/fog/snapins/ssl contains:
drwxrwxrwx 3 fogproject www-data 4,0K  4 juin  2020 .
drwxrwxrwx 3 fogproject www-data 4,0K  4 juin  2020 ..
drwxrwxrwx 2 fogproject www-data 4,0K  4 juin  2020 CA
-rwxrwxrwx 1 fogproject www-data   98 22 avril 14:13 ca.cnf
-rwxrwxrwx 1 fogproject www-data 1,7K  4 juin  2020 fog.csr
-rwxrwxrwx 1 fogproject www-data  232  4 juin  2020 req.cnf
-rwxrwxrwx 1 fogproject www-data 3,2K  4 juin  2020 .srvprivate.key
If I need to regenerate the cert I don't want to mess up somewhere.
I tried to copy the file /opt/fog/snapins/ssl/CA/.fogCA.pem in /etc/ssl/certs/ and /usr/local/share/ca-certificates/ on the server and run update-ca-certificates, with no success.
I'm puzzled. Maybe it's an algorithm problem, as openssl seems to warn.
-
I tried to change my apache conf from:
<VirtualHost *:80>
    <FilesMatch "\.php$">
        SetHandler "proxy:fcgi://127.0.0.1:9000/"
    </FilesMatch>
    KeepAlive Off
    ServerName 192.168.1.200
    ServerAlias fog-pi.ad.atdqm.tech
    DocumentRoot /var/www/
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]
    RewriteRule /management/other/ca.cert.der$ - [L]
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}/$1 [R,L]
</VirtualHost>
<VirtualHost *:443>
    KeepAlive Off
    <FilesMatch "\.php$">
        SetHandler "proxy:fcgi://127.0.0.1:9000/"
    </FilesMatch>
    ServerName 192.168.1.200
    ServerAlias fog-pi.ad.atdqm.tech
    DocumentRoot /var/www/
    SSLEngine On
    SSLProtocol all -SSLv3 -SSLv2
    SSLCipherSuite ALL:!aNULL:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP:+eNULL
    # SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
    SSLHonorCipherOrder On
    SSLCertificateFile /var/www/fog//management/other/ssl/srvpublic.crt
    SSLCertificateKeyFile /opt/fog/snapins/ssl//.srvprivate.key
    SSLCACertificateFile /var/www/fog//management/other/ca.cert.pem
    <Directory /var/www/fog/>
        DirectoryIndex index.php index.html index.htm
    </Directory>
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]
    RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
    RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-d
    RewriteRule ^/fog/(.*)$ /fog/api/index.php [QSA,L]
</VirtualHost>
by allowing all ciphers/algorithms with this:
SSLCipherSuite ALL:!aNULL:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP:+eNULL
didn’t work.
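Added example (mine, not from this thread or the FOG project): a POSIX sh helper that reads a PEM certificate with the openssl CLI (assumed installed) and reports whether its signature algorithm and key size pass an OpenSSL 3 security level, the check that on Debian 12's default level 2 commonly surfaces as the "no suitable signature algorithm" error quoted above. The thresholds (no SHA-1/MD5 signatures from level 1 up, 1024/2048-bit RSA and 160/224-bit EC floors) follow the OpenSSL security-level documentation and cover levels 0 to 2 only; the file path in the usage comment is the one from the apache config in the previous post.

```shell
#!/bin/sh
# Added example, not FOG project code: classify a certificate against the
# OpenSSL 3 security levels that Debian 12's apache/mod_ssl enforces by default.

# seclevel_verdict SIGALG KEYTYPE BITS [LEVEL]
# Prints ACCEPT, or REJECT:<reason>, for the given signature algorithm
# (as printed by openssl x509), key type (rsa|dsa|dh|ec) and key size.
seclevel_verdict() {
    sigalg=$1; keytype=$2; bits=$3; level=${4:-2}
    # Level 0 disables all of these checks.
    if [ "$level" -eq 0 ]; then echo ACCEPT; return 0; fi
    # OpenSSL 3 rates SHA-1 and MD5 signatures below level 1's 80-bit floor.
    case "$sigalg" in
        *[sS][hH][aA]1*|*[mM][dD]5*) echo "REJECT:weak-signature-$sigalg"; return 1 ;;
    esac
    # Key-size floors: level 1 = 80-bit strength, level 2 = 112-bit strength.
    case "$keytype" in
        rsa|dsa|dh) if [ "$level" -ge 2 ]; then min=2048; else min=1024; fi ;;
        ec)         if [ "$level" -ge 2 ]; then min=224;  else min=160;  fi ;;
        *) echo "REJECT:unknown-key-type-$keytype"; return 1 ;;
    esac
    if [ "$bits" -lt "$min" ]; then
        echo "REJECT:key-too-small-$bits-lt-$min"; return 1
    fi
    echo ACCEPT
}

# check_cert FILE [LEVEL]: read a PEM certificate with the openssl CLI
# (assumed installed) and run the verdict on what it reports.
check_cert() {
    pem=$1; level=${2:-2}
    text=$(openssl x509 -in "$pem" -noout -text) || return 2
    sigalg=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    bits=$(printf '%s\n' "$text" | sed -n 's/^ *Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    case "$text" in
        *"Public Key Algorithm: rsaEncryption"*)  keytype=rsa ;;
        *"Public Key Algorithm: id-ecPublicKey"*) keytype=ec ;;
        *) keytype=other ;;
    esac
    printf '%s: %s, %s %s bit -> ' "$pem" "$sigalg" "$keytype" "$bits"
    seclevel_verdict "$sigalg" "$keytype" "$bits" "$level"
}

# Run against the FOG files named in the apache config when given on the CLI, e.g.
#   sh certcheck.sh /var/www/fog/management/other/ca.cert.pem
for f in "$@"; do check_cert "$f"; done
```

Widening SSLCipherSuite as in the last post does not change the security level, so a certificate this check rejects still fails the handshake; regenerating the CA and server certificate with SHA-256 signatures and at least 2048-bit keys is the fix that keeps the default level.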