Problem with some hostname and AD integration

Matthieu Jacquart · Aug 25, 2015, 11:01 AM

Ok

This morning, I reinstall fog with 6C 6K parameters and thse file where created in “/var/www/fog/management/other/”

-rw-r--r--  1 www-data www-data  1287 août  25 08:01 ca.cert.der
-rw-r--r--  1 www-data www-data  1797 août  25 08:01 ca.cert.pem
-rw-r--r--  1 www-data www-data 35147 août  25 08:00 gpl-3.0.txt
-rw-r--r--  1 www-data www-data    89 août  25 08:00 hostimport.csv
-rw-r--r--  1 www-data www-data  4493 août  25 08:00 index.php
drwxr-xr-x  2 www-data www-data  4096 août  25 08:01 ssl

and in ssl folder, I’ve got

-rw-r--r-- 1 www-data www-data 1679 août  25 08:01 srvpublic.crt

With 0.3 client all is ok, with 0.9.4 client all is ok in log for printers or snapin, communication seems good with server, but certificate error…

Tom Elliott · Aug 25, 2015, 11:12 AM

@Matthieu-Jacquart If what I’m reading from the messages is correct, for the authorize section of the log you provided, it’s stating it could not download the .crt file. Followed by, failed to connect to server?

Does this sound accurate?

Tom Elliott · Aug 25, 2015, 11:14 AM

@Matthieu-Jacquart If what I’m reading from the messages is correct, for the authorize section of the log you provided, it’s stating it could not download the .crt file. Followed by, failed to connect to server?

Does this sound accurate?

Does the file exist:

/var/www/html/fog/management/other/ca.cert.der or /var/www/fog/management/other/ca.cert.der

Matthieu Jacquart · Aug 25, 2015, 11:36 AM

Communication with server is good, for exmaple snapin and printers are ok

On the server I’ve got the file ca.cert.der in the 2 folders

In /var/www/fog/management/other/ :
drwxr-xr-x  3 www-data www-data  4096 août  25 08:01 .
drwxr-xr-x 12 www-data www-data  4096 août  25 08:00 ..
-rw-r--r--  1 www-data www-data  1287 août  25 08:01 ca.cert.der
-rw-r--r--  1 www-data www-data  1797 août  25 08:01 ca.cert.pem
-rw-r--r--  1 www-data www-data 35147 août  25 08:00 gpl-3.0.txt
-rw-r--r--  1 www-data www-data    89 août  25 08:00 hostimport.csv
-rw-r--r--  1 www-data www-data  4493 août  25 08:00 index.php
drwxr-xr-x  2 www-data www-data  4096 août  25 08:01 ssl

 In /var/www/html/fog/management/other/ :
drwxr-xr-x  3 www-data www-data  4096 août  25 08:01 .
drwxr-xr-x 12 www-data www-data  4096 août  25 08:00 ..
-rw-r--r--  1 www-data www-data  1287 août  25 08:01 ca.cert.der
-rw-r--r--  1 www-data www-data  1797 août  25 08:01 ca.cert.pem
-rw-r--r--  1 www-data www-data 35147 août  25 08:00 gpl-3.0.txt
-rw-r--r--  1 www-data www-data    89 août  25 08:00 hostimport.csv
-rw-r--r--  1 www-data www-data  4493 août  25 08:00 index.php
drwxr-xr-x  2 www-data www-data  4096 août  25 08:01 ssl

Tom Elliott · Aug 25, 2015, 11:56 AM

The only other thing I can think of them is the client does not have the proper ca certificated stored. This means it cannot verify the servers public key and therefor will not attempt further communication using encryption based protocols. Snapins and maybe printers and possibly all client services beside hostname do not require encryption.

Matthieu Jacquart · Aug 25, 2015, 12:18 PM

@Tom-Elliott I agree with that, question is : how to modidy certificate stored by new client ?

Tom Elliott · Aug 25, 2015, 12:22 PM

@Matthieu-Jacquart There’s a few ways.

The easiest way, supposedly, is to simply uninstall the “new client” fog and reinstall. Another way is to go into the Certificate Store and look for FOG CA Certificate. Or whatever it’s labeled as.

Matthieu Jacquart · Aug 25, 2015, 12:25 PM

For uninstalling/reinstalling client, already did (a lot of time ^^)
With rebbot between, and each time douwnloading client from web interface to be sure it is up to date.

For the other solution, where is the certificate store ?

tmerrick · Aug 25, 2015, 1:19 PM

I just upgraded to 4491 and now the hostnamechanger fails on my clients also with an Invalid Host Certificate. I am running on Red Hat 6.6 and it did work before the upgrade. I have taken one client and uninstalled/reinstalled the new client and it still does not work. I am also seeing problems on previously installed new clients when the hostnamechanger runs on them.

Matthieu Jacquart · Aug 25, 2015, 1:27 PM

I feel less alone… ^^
I agree with that, I updated svn each day and trouble began last thursday I think, don’t remember precise svn version at this date.

tmerrick · Aug 25, 2015, 9:58 AM

I have some more information. I deleted the fog certificate and then did a repair on fog and got the message “Failed to download CA certificate”. So it still looks like a problem with the certificate on the server.

Later I uninstalled the fog client, rebooted, and successfully reinstalled it. Still getting the same errors though.

tmerrick · Aug 25, 2015, 3:02 PM

Here is the directory of the fog certificate area on the server:

-rw-r--r-- 1 apache apache  1287 Aug 25 07:51 ca.cert.der
-rw-r--r-- 1 apache apache  1797 Aug 25 07:51 ca.cert.pem
-rw-r--r-- 1 apache apache 35147 Aug 25 07:51 gpl-3.0.txt
-rw-r--r-- 1 apache apache    89 Aug 25 07:51 hostimport.csv
-rw-r--r-- 1 apache apache  4493 Aug 25 07:51 index.php
drwxr-xr-x 2 apache apache  4096 Aug 25 07:51 ssl
[root@clstfogi other]# ls -l ssl
total 4
-rw-r--r-- 1 apache apache 1675 Aug 25 07:51 srvpublic.crt

It looks like all of the files were regenerated when I reinstalled this morning, unless there is one missing. Are the files being created wrong?

Joe Schmitt · Aug 25, 2015, 1:44 PM

I found the issue, a fix has been pushed. A variable was misnamed. Soon as you apply the patch the clients will work again.

tmerrick · Aug 25, 2015, 8:27 PM

It works now in git 4493.

Tom Elliott · Aug 25, 2015, 10:18 PM

Woot woot.

This was particularly problemattic to figure out. I’m sorry I’m such an idiot.

Matthieu Jacquart · Aug 26, 2015, 3:59 AM

It works great, thank you @Tom-Elliott and @Jbob ! You make a great job.
I lost few hours this time but usually I gain so much time thanks to fog, that’s not a big deal.

Oh, is there a difference between git and svn version ?

And last question, I reinstalled computers yesterday with 0.3 client, is there a way to uninstall it in bulk before installing new clients (with command “msiexec /i FOGService.msi /quiet WEBADDRESS=“192.168.1.2” WEBROOT=”")

Wayne Workman · Aug 26, 2015, 12:24 PM

@Matthieu-Jacquart said:

Oh, is there a difference between git and svn version ?

No difference, it just comes from a different place. This explains it: https://wiki.fogproject.org/wiki/index.php/Upgrade_to_trunk#Additional_information_on_svn_and_git_.26_FOG_Trunk

And last question, I reinstalled computers yesterday with 0.3 client, is there a way to uninstall it in bulk before installing new clients (with command “msiexec /i FOGService.msi /quiet WEBADDRESS=“192.168.1.2” WEBROOT=”")

There are many ways to remotely remove and install software. Most of the ways I know use Active Directory with GPO or Scripting or Powershell.

Matthieu Jacquart · Aug 26, 2015, 12:32 PM

Ok thanks

I have software to deploy software (GPO or I prefer PDQ deploy), but I don’t know the tips to remove it, I’m going to search

Problem with some hostname and AD integration

192

12.1k

17.3k

155.3k