Are there currently any options or plans in future for alternate authentication methods while uploading images?
Unfortunately, due to compliance my business is moving towards password-less environments which is causing issues in using FOG.
Thank you.
This is the result from Nessus Vulnerability scanner when it comes to port 80 “not redirecting” to https 443
@JJ-Fullmer so i didn’t notice but thats the same original file. Your config is the one i have but Nessus vuln scanner and curl command as well do not have a redirect going from http to https. We do get a 302 redirect but unfortunately its redirecting back to http
@JJ-Fullmer Does this affect you pxe booting into fog from asset? I do have SSL configured cert on https port for web gui.
Is there any way to write a port 80 > 443 redirect affecting only the web gui? Due to my customers security requirements i need a redirect to ssl secured port 443 for web gui. But i know the fog client stops working and that’s an entirely different beast. I tried adding the redirect shown here which worked for web gui but then didn’t allow ipxe boot to work and got error with “Operation Permitted”. I imagine just like stated in this previous post has to do with redirect. Any advice on a redirect only affecting web gui?
@sebastian-roth this was before i figured out how to view my open forums. I apoligize , please delete or ignore or mark skip. Thank you
@sebastian-roth said in Setting up trusted SSL certificate:
One more thing I missed to tell you. In case you want to use the fog-client software as well you will run into issues with your custom certificate. If you need to know more about this, I can give you the details.
i’d love to know more details about this. Thank you.
Once you install a Certificate the Fog Client fails to authenticate.
RSA FOG Server CA cert found
RSA ERROR Certificate validation failed
RSA ERROR Trust chain did not complete to the known authority anchor. Thumbprints did not match
Authentication ERROR Could not Authenticate
Authentication ERROR Certificate is not from FOG CA
I can pxe boot to server, and apply image but once it turns on and loads it can’t proceed to task to join domain or change hostname since it cannot authenticate.
We are using HTTPS and a SSL Certificate for web gui. I’ve also confirmed all files match and followed accordingly to:
https://wiki.fogproject.org/HTTPS
@sebastian-roth is there a way to keep track of open forums i’ve openned? I’m still having this trouble hoping someone could point me in the right direction.
How do you recompile your own client binaries? Is there documentation on that?
@sebastian-roth If i am using a custom SSL Cert can we bypass it needed FOG Server CA to authenticate?
Implementing Custom SSL Cert has been a little bit of trouble. I’m soo close i can taste it. I can ipxe from machines. Machine takes the image. But then authenticating there to begin tasks is where i start having trouble.
Where does the client installer pull the Fog Server CA download its cert from when pinning the server?
My thumbprints are not matching with the cert installed. I have confirmed these 2 thumbprints match:
openssl x509 -noout -fingerprint -sha1 -inform pem -in /opt/fog/snapins/ssl/CA/.fogCA.pem
openssl x509 -noout -fingerprint -sha1 -inform pem -in /var/www/html/fog/management/other/ca.cert.pem
But when i look in the cert store of windows machine the Fog Server CA has a different thumbprint.
Due to compliance reasons i need to setup HTTPS and SSL certificate on Fog Server. I am having issues with the fog client not communicating properly with fog server once image is applied.
I have followed this guide:
https://wiki.fogproject.org/HTTPS
If i try to reinstall fog client it states cannot cannot install CA Certificate.
Logs show SSL trust chain cannot be completed. I’ve almost given up.
I’ve also restored server to before i install SSL cert and re installed fog client with HTTPS enabled and it works then and communicates. Not sure what happens once i swap it out with my cert. Per instructions i’ve recompiled ipxe binaries which really wouldn’t affect client since this is after the fact.
Was wondering if there was a way to just leave the client and fog server config alone without modifying and have the web server setup with the SSL cert we have. I even tried pointing the apache config file to somewhere else with new cert and left default locations alone hoping the client would communicate there and work and no luck.
I’m desperate for any other ideas…
@sebastian-roth I’m actually stuck in the same boat. Did anything ever get sorted out of this as well? I tried manually putting new cert in FOG Client Directory and that didn’t work. I even tried installing a fresh client downloaded from server but fails “Ca Certificate Cannot be installed” with HTTPS enabled. I need to have the server communicate with HTTPS due to our security plan. Any additional advice would be greatly appreciated.