I have my FOG server (1.5.9) configured with a Sectigo-issued TLS certificate per https://wiki.fogproject.org/HTTPS#Custom_CA_and_certificates using option #2 (Use your custom CA for Apache configuration only but stick to FOG CA for fog-client internal encryption.)
Per the instructions I’ve placed my CA certificate chain (3 certificates), server certificate, and private key at /var/www/html/fog/management/other/ca.cert.pem, /var/www/html/fog/management/other/ssl/srvpublic.crt, and /opt/fog/snapins/ssl/.srvprivate.key, respectively.
I’ve rebuilt the iPXE clients and they work just fine. When I install FOG client (0.12.0) with HTTPS enabled, it validates and PINs the certificate as well. However, when it comes to the client actually connecting to the FOG server, I receive the following error in the log:
------------------------------------------------------------------------------
--------------------------------Authentication--------------------------------
------------------------------------------------------------------------------
2022-09-07 4:01:26 PM Client-Info Version: 0.12.0
2022-09-07 4:01:26 PM Client-Info OS: Windows
2022-09-07 4:01:26 PM Middleware::Authentication Waiting for authentication timeout to pass
2022-09-07 4:01:26 PM Middleware::Communication Download: https://fog.example.com/fog/management/other/ssl/srvpublic.crt
2022-09-07 4:01:27 PM Data::RSA FOG Server CA cert found
2022-09-07 4:01:27 PM Data::RSA ERROR: Certificate validation failed
2022-09-07 4:01:27 PM Data::RSA ERROR: Trust chain did not complete to the known authority anchor. Thumbprints did not match.
2022-09-07 4:01:27 PM Middleware::Authentication ERROR: Could not authenticate
2022-09-07 4:01:27 PM Middleware::Authentication ERROR: Certificate is not from FOG CA
Apache is currently configured to redirect all HTTP requests to HTTPS (and I’d prefer to keep it that way). How do I go about correcting this so that the FOG client can actually connect?
I wouldn’t be opposed to migrating FOG client-only connections to HTTP (since it’s protected already) but would prefer not to give up my HTTPS redirection for UI connections.