Change Server but not change certificate

danilopinotti · Mar 21, 2016, 6:34 PM

How i install the same certificate of other Fog Server?
I’ll migrate the machine and i is not feasible to install Fog client in all machines.
I try this steps: https://forums.fogproject.org/topic/5908/reinstall-fog-server-svn-1-3-certificate-problem/2
But not works. The apache not initialize…

Sebastian Roth · Mar 21, 2016, 7:32 PM

@danilopinotti Please let us know which error you see in /var/log/apache2/error.log (Debian/Ubuntu) or /var/log/httpd/error_log (CentOS/Fedora/RHEL)…

danilopinotti · Mar 21, 2016, 8:01 PM

@Sebastian-Roth

[Mon Mar 21 16:59:14.067146 2016] [ssl:emerg] [pid 19633] AH02565: Certificate and private key 172.20.1.251:443:0 from /var/www/fog/management/other/ssl/srvpublic.crt and /opt/fog/snapins/ssl/.srvprivate.key do not match
AH00016: Configuration Failed

Sebastian Roth · Mar 21, 2016, 2:17 PM

@danilopinotti Please run the following commands:

openssl rsa -modulus -noout -in /opt/fog/snapins/ssl/.srvprivate.key | openssl md5
openssl x509 -modulus -noout -in /var/www/fog/management/other/ssl/srvpublic.crt | openssl md5

The MD5 sums should match!

Did you copy /opt/fog from the old to the new server and then ran the installer on the new server?

danilopinotti · Mar 21, 2016, 8:26 PM

@Sebastian-Roth
Not match!
I tried copy the fog.csr to new and run the script again. Not works too

Joe Schmitt · Mar 21, 2016, 2:45 PM

If you copied over the root CA keys (it sounds like you did), run ./installfog.sh --recreate-keys

danilopinotti · Mar 21, 2016, 8:49 PM

@Jbob
I’ve copied only /opt/fog/snapins/ssl/fog.csr of old to new and re-executed the script.
It has something else to copy or some other procedure to work ?

Tom Elliott · Mar 21, 2016, 8:51 PM

@danilopinotti You need to copy the whole of the SSL folder.

If /opt/fog/snapins/ssl contains .srvprivate.key and the CA folder and fog.csr, why not just copy the WHOLE folder?

For example:

scp -r /opt/fog/snapins/ssl/* fog-server:/opt/fog/snapins/ssl/

danilopinotti · Mar 21, 2016, 9:06 PM

@Tom-Elliott not works!
The same error appears:

[Mon Mar 21 18:05:51.390582 2016] [ssl:emerg] [pid 27939] AH02565: Certificate and private key 172.20.1.251:443:0 from /var/www/fog/management/other/ssl/srvpublic.crt and /opt/fog/snapins/ssl/.srvprivate.key do not match
AH00016: Configuration Failed

Tom Elliott · Mar 21, 2016, 9:08 PM

@danilopinotti So your main server is also having issues?

danilopinotti · Mar 21, 2016, 9:09 PM

@Tom-Elliott said:

So your main server is also having issues?

My old server works perfectly.

Tom Elliott · Mar 21, 2016, 9:11 PM

@danilopinotti After copying the files are you re-running the installer on the place you copied it to?

danilopinotti · Mar 21, 2016, 3:13 PM

@Jbob said:

If you copied over the root CA keys (it sounds like you did), run ./installfog.sh --recreate-keys

With this argument it will take advantage of the old scripts or create new keys?

Tom Elliott · Mar 21, 2016, 9:24 PM

@danilopinotti It will use the old CA to generate a new Private key.

danilopinotti · Mar 21, 2016, 9:27 PM

@Tom-Elliott said:

It will use the old CA to generate a new Private key.

In that case I’ll have to reinstall the client on all computers again?

Tom Elliott · Mar 21, 2016, 9:29 PM

@danilopinotti No. The ca.cert.der and ca.cert.pem files should be identical to what your clients already have.

The clients will need to reget the srvpublic.crt file (which they’ll do automatically anyway). This is checked very pass where the encryption key is no longer valid and on initial authentication.

danilopinotti · Mar 21, 2016, 9:33 PM

@Tom-Elliott
So I will not have to redo the settings in clients?

Tom Elliott · Mar 21, 2016, 9:34 PM

@danilopinotti Correct.

Change Server but not change certificate

263

12.0k

17.3k

155.2k