ca fog service "error failed to decrypt" when snapins in non-default directory


  • Testers

    I had set my snapins to a different directory (/images/snapins with /images being a symlink to /home/fogRootSystem/images)
    But the original install had created the /opt/fog/snapins directory and put the ca ssl folders there.
    But then it did put the CA ssl folders with new keys in the new /images/snapins folder.

    All day today I have been troubleshooting the client wondering why it suddenly stopped authenticating. Uninstalling and reinstalling, re-imaging, modifying the msi, resetting encryption data, running the fog install script with the --recreate-CA and --recreate-keys options. And nothing worked. Then I noticed the duplicate CA and SSL directories and got to thinking that maybe that’s not supposed to be a thing. So I moved the /opt/fog/snapins folder to my /images/snapins directory (mv -f /opt/fog/snapins /images/snapins), then deleted the opt folder (rm -fr /opt/fog/snapins), then made a symlink (ln -s /images/snapins /opt/fog/snapins). Then I reran the fog installer like this: ./installfog.sh --recreate-CA --recreate-keys -Y and now the client is working again (after reinstall on the client).

    So a fix exists, but it seems that changing the snapins directory doesn’t work for the client and causes weird ca/ssl authentication errors.

    It’s possible that something else I did fixed my issue, but I am 99.9% sure that the symlink and reinstall recreating the CA is what solved it.


  • Testers

    Confirmed working. The CA ssl folders can now be separated from the snap-ins folder.


  • Senior Developer

    @Tom-Elliott code added.


  • Senior Developer

    Just bumping so I don’t forget about this.


  • Senior Developer

    @Arrowhead-IT storage nodes now contain their own snapin path, and this is what is used for everything else; it’s only the cert finding that uses the implicit check.


  • Testers

    @Tom-Elliott I’m pretty sure the global value just always being used would work and just never a static directory.
    I had set the global directory originally. I don’t think that I would be able to create or deploy snapins in the gui properly otherwise.


  • Senior Developer

    @Arrowhead-IT I’m aware of what the problem is, and it’s because I am forcing the directory of snapins to contain the ssl files.

    In the code, particularly the decrypt code, I’m specifically searching the /opt/fog/snapins/ssl folder to do the decryption, or the global FOG_SNAPINDIR setting if it is set. Maybe this can help fix the problem? I will see about making an entry to allow for dynamic use and find of the ssl folder/files. For now, I’d recommend adjusting the global value. I’ll work on making it more dynamic and adjustable per node.
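
A quick way to check a server for the condition this thread describes, two snapin directories that each hold their own ssl tree with different keys, written as an added example that is not part of any post or of the FOG code. The function names are hypothetical, and it assumes the key material sits in an ssl subfolder of each snapin directory, as the posts describe.

```shell
#!/bin/sh
# Added example (not FOG project code): report whether two snapin
# directories carry divergent copies of the "ssl" key material.
# Assumption: keys live in <snapin dir>/ssl, as described in the thread.
# Usage (script name is hypothetical):
#   sh check_ssl_dirs.sh /opt/fog/snapins /images/snapins

# Print "sha256  ./relative/path" for every regular file under $1,
# sorted by path so two trees can be compared as plain text.
ssl_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k2 )
}

# Echo one of:
#   missing    - at least one directory has no ssl subfolder
#   same-path  - both resolve to one physical folder (e.g. via symlink)
#   identical  - two separate folders with byte-identical contents
#   divergent  - two separate folders with different keys or files
compare_ssl_dirs() {
    a="$1/ssl"
    b="$2/ssl"
    if [ ! -d "$a" ] || [ ! -d "$b" ]; then
        echo missing
        return 0
    fi
    # pwd -P resolves symlinks, so a symlinked snapin directory is
    # recognised as the same folder rather than as a duplicate.
    ra=$(cd "$a" && pwd -P)
    rb=$(cd "$b" && pwd -P)
    if [ "$ra" = "$rb" ]; then
        echo same-path
        return 0
    fi
    if [ "$(ssl_manifest "$a")" = "$(ssl_manifest "$b")" ]; then
        echo identical
    else
        echo divergent
    fi
}

# Run the comparison only when two directories are given on the command line.
if [ "$#" -eq 2 ]; then
    compare_ssl_dirs "$1" "$2"
fi
```

A result of divergent means the server holds two different sets of keys, so the folder searched during decryption may not contain the keys the client was enrolled against.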


