Solved ca fog service "error failed to decrypt" when snapins in non-default directory

JJ Fullmer

I had set my snapins to a different directory (/images/snapins with /images being a symlink to /home/fogRootSystem/images)
But the original install had created the /opt/fog/snapins directory and put the ca ssl folders there.
But then it did it put the CA ssl folders with new keys in the new /images/snapins folder.

All day today I have been troubleshooting the client wondering why it suddenly stopped authenticating. Uninstalling and reinstalling, re-imaging, modifying the msi, resetting encryption data, running the fog install script with the --recreate-CA and --recreate-keys options. And nothing worked. Then I noticed the duplicate CA and SSL directories and got to thinking that maybe that’s not supposed to be a thing. So I moved the /opt/fog/snapins folder to my /images/snapins directory
mv -f /opt/fog/snapins /images/snapins then deleted the opt folder rm -fr /opt/fog/snapins then made a symlink ln -s /images/snapins /opt/fog/snapins Then I reran the fog installer like this ./installfog.sh --recreate-CA --recreate-keys -Y and now the client is working again (after reinstall on the client).

So a fix exists, but it seems that changing the snapins directory doesn’t work for the client and causes weird ca/ssl authentication errors.

It’s possible that something else I did fixed my issue, but I am 99.9% sure that the symlink and reinstall recreating the CA is what solved it.

JJ Fullmer

Confirmed working. the CA ssl folders can now be separated from the snap-ins folder

Tom Elliott

@Tom-Elliott code added.

Tom Elliott

Just bumping so I don’t forget about this.

Tom Elliott

@Arrowhead-IT storage nodes now contain their own snapin path, and this is what is used for everything else, it’s only the cert finding that uses the implicit check.

JJ Fullmer

@Tom-Elliott I’m pretty sure the global value just always being used would work and just never a static directory.
I had set the global directory originally. I don’t think that I would be able to create or deploy snapins in the gui properly otherwise.

Tom Elliott

@Arrowhead-IT I’m aware of what the problem is, and it’s because I am forcing the directory of snapins to contain the ssl files.

In the code, particularly the decrypt code, I’m specifically searching the /opt/fog/snapins/ssl folder to do the decryption, or the global FOG_SNAPINDIR setting if it is set. Maybe this can help fix the problem? I will see about making an entry to allow for dynamic use and find of the ssl folder/files. For now, I’d recommend adjusting the global value. I’ll work on making it more dynamic and adjustable per node.