@Sebastian-Roth Web server and snapins seem to be fine. I am having pxe issues, getting an invalid argument error (guessing that’s because it’s using the wrong certificate). What are the steps to recompile it?
Posts made by hancocza
-
RE: Setting up an existing FOG Server installation with a new SSL Certificate
-
RE: Setting up an existing FOG Server installation with a new SSL Certificate
@Sebastian-Roth apache_config.txt output for grep was httpproto = https
-
RE: Setting up an existing FOG Server installation with a new SSL Certificate
@Sebastian-Roth Initially I installed it without SSL, correct. Then added the 443 section manually. When I upgraded to 1.5.9-RC2, I decided to let the FOG installer handle the SSL setup by using the -S option on install. Once the install was done and the default certificate for FOG was created, I went into the apache config and pointed the certificate lines to my certificate that I got from GoDaddy. That was fine. I’m just trying to figure out if there are other steps that need to be taken to replace the default certificate that was created by the installer with the certificate I have.
-
RE: Setting up an existing FOG Server installation with a new SSL Certificate
@Sebastian-Roth It is a custom certificate through GoDaddy. They renew every year, so I need to update the certificate on the server. Previously (before 1.5.8), I would set it up without SSL and then add in the 443 port config to the apache portion of the server. When I did a fresh install of 1.5.8, the installer asked for the certificate location and the key location if I remember correctly. I did that in February of this year. Now the time came to update the certificate, but I’m not exactly sure where I need to make changes to point to the new certificate besides the apache config.
-
Setting up an existing FOG Server installation with a new SSL Certificate
Hello,
I’m currently running FOG 1.5.9 RC2.9 with the SSL option. The certificate that we use for this server was updated, and so now I’m trying to get this new certificate to work with the existing FOG installation. Are there steps on how to get everything working with it? I know when you do a new installation from scratch, you can choose the certificate and key to use, but there doesn’t seem to be that step when updating to newer versions.
Thanks!
-
RE: HTTPS FOG Client - Snapin download issue?
@Sebastian-Roth Hey Sebastian,
Quick note, I had to make an additional change to get mine to work. I’m using a custom wildcard certificate that doesn’t hold the IP of the computer as a DN. So when changing it to https, I got a “RemoteCertificateNameMismatch” error. I changed the PHP at that section to look like this, and use the hostname instead of the IP. Not sure if there should be a change to use the hostname instead of IP if specified in the .fogsettings file, or maybe you have a better way of doing this?
    $location = sprintf(
        'https://fogserver.gvsu.edu/%s',
        #$StorageNode->get('ip'),
        $StorageNode->get('webroot')
    );
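The name mismatch described in the post above, as an added example that is not part of the original post or of FOG's code: a simplified subjectAltName check showing why a URL built from the server's IP fails against a DNS-only wildcard certificate while the hostname passes. The function names, `example.edu` names and the `192.0.2.10` address are constructed for illustration.

```python
import ipaddress

# Constructed SAN list for a wildcard certificate with no iPAddress entries.
WILDCARD_SANS = ["*.example.edu", "example.edu"]

def is_ip(host):
    """Return True when the URL host is an IP literal rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def dns_match(pattern, host):
    """Match one dNSName entry; '*' may only stand for the whole left-most label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or not h_labels[0]:
        return False
    if p_labels[0] == "*":
        # A wildcard covers exactly one label and never a bare public suffix.
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def host_matches_cert(host, dns_sans, ip_sans=()):
    """True if the host the client connects to is covered by the certificate."""
    if is_ip(host):
        # IP literals are compared only with iPAddress SANs, never with dNSName.
        target = ipaddress.ip_address(host)
        return any(ipaddress.ip_address(ip) == target for ip in ip_sans)
    return any(dns_match(p, host) for p in dns_sans)

if __name__ == "__main__":
    for host in ("fogserver.example.edu", "192.0.2.10", "a.b.example.edu"):
        ok = host_matches_cert(host, WILDCARD_SANS)
        print(f"https://{host}/ -> {'match' if ok else 'name mismatch'}")
```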
-
RE: HTTPS FOG Client - Snapin download issue?
@Sebastian-Roth gotcha, thanks for the fix!
-
HTTPS FOG Client - Snapin download issue?
Hello,
I’ve been working on upgrading our production server to FOG 1.5.8, and clients to FOGService 0.11.19. We install the server with SSL enabled and the client with the HTTPS option enabled as well. Since starting the upgrade, snapins don’t seem to be downloading correctly. This is from a log on one of the clients.
------------------------------------------------------------------------------
---------------------------------SnapinClient---------------------------------
------------------------------------------------------------------------------
2/26/2020 3:16:57 PM Client-Info Client Version: 0.11.19
2/26/2020 3:16:57 PM Client-Info Client OS: Windows
2/26/2020 3:16:57 PM Client-Info Server Version: 1.5.8
2/26/2020 3:16:57 PM Middleware::Response Success
2/26/2020 3:16:57 PM SnapinClient Running snapin Chemistry 115 Folder
**2/26/2020 3:16:57 PM Middleware::Communication Download: http://xx.xx.xx.xx//fog/service/snapins.file.php?mac=B8:CA:3A:8A:C4:F4&taskid=14058**
2/26/2020 3:17:18 PM Middleware::Communication ERROR: Could not download file
2/26/2020 3:17:18 PM Middleware::Communication ERROR: Unable to connect to the remote server
2/26/2020 3:17:18 PM SnapinClient C:\Program Files (x86)\FOG\tmp\CHM_115_Setup.ps1
2/26/2020 3:17:19 PM Middleware::Communication URL: https://fogserver.gvsu.edu/fog/service/snapins.checkin.php?taskid=14058&exitcode=-1&mac=B8:CA:3A:8A:C4:F4&newService&json
------------------------------------------------------------------------------
From what I’m seeing, it looks like the download of the snapin file is still done over http instead of https? That hasn’t always been the case, correct? We’ve never had 80 open to our server, and were able to do snapins before.
Thanks,
Zach
-
RE: Not able to TFTP boot. Invalid Argument Error
@Sebastian-Roth No problem. Like I said I’ve got it working without the certificate for now so no big deal. Thanks for being on top of it!
-
RE: Not able to TFTP boot. Invalid Argument Error
@Sebastian-Roth Thanks for checking it out. In the meantime, I ended up migrating the database to another build, and then instead of installing fog with https, I stuck with a normal install, and then reconfigured the apache2 config to redirect to https and use my certificates. Everything is working correctly now, but eventually it’d be nice to run it all in https again.
-
RE: Group Tasking Issue - Snapins
@Sebastian-Roth Ah, Gotcha. I didn’t see that one. We can delete this one then. Thanks!
-
Group Tasking Issue - Snapins
Hello,
When trying to schedule a single snapin task for a group, it only creates the task for machines that have snapins associated with them (at least in my experience). I was trying to push a single snapin to a group of 10 machines. Only one of those machines has snapins associated with it, and that was the only one that was able to get the task. I added snapins to one of the other machines in that group, and tried to schedule the task again. This time both of those were able to have the task added, but the other 8 were not.
I’m running FOG 1.5.5, on Ubuntu 18.04 LTS.
-
RE: Not able to TFTP boot. Invalid Argument Error
@Sebastian-Roth Just tested, still the same. I ran the certstat command in the ipxe shell and it only listed the fogcert.crt certificate. Should it also have the other ones listed?
-
RE: Not able to TFTP boot. Invalid Argument Error
@Sebastian-Roth Looks like I didn’t need to convert the root certificate, it was already in PEM format. I ran the openssl verify command, and it returned an ‘OK’. I’ll insert that into the trust and recompile. I won’t be able to test until tomorrow morning, so I’ll update you then. Thanks for all the help!
-
RE: Not able to TFTP boot. Invalid Argument Error
@Sebastian-Roth It wasn’t the one you mentioned. I downloaded the correct one and put it in place, still got an invalid argument error. Do I need to append my certificate to the trust as well, so that it looks like:
TRUST=/home/fogserver/Desktop/gdig2.crt.pem,/home/fogserver/Documents/csims.clas.gvsu.edu/fogcert.crt
I was looking at this website when I came across that: https://ipxe.org/crypto
-
RE: Not able to TFTP boot. Invalid Argument Error
@Sebastian-Roth Just tested, still a no go. Trust line looks like this with the intermediate cert:
BUILDOPTS="CERT=/home/fogserver/Documents/csims.clas.gvsu.edu/fogcert.pem TRUST=/home/fogserver/Documents/csims.clas.gvsu.edu/GoDaddyCA.pem"
-
RE: Not able to TFTP boot. Invalid Argument Error
@Sebastian-Roth said in Not able to TFTP boot. Invalid Argument Error:
@hancocza Please check to see if you have also set the FQDN in FOG configuration -> FOG settings -> Web Server -> WEB HOST! Writing my last messages in the train where I don’t have good access to the code I forgot about this.
From the information you posted I would expect you’d need to use the GoDaddy Secure Server Certificate (Intermediate Certificate) - G2 as TRUST. This (or more precisely its private key) should be exactly the one that was used to sign your certificate.
I had the IP set in the WEB HOST field. I switched that now. Also updated the TRUST parameter in buildipxe.sh to have that cert. I’ll test tomorrow and see what happens!
-
RE: Not able to TFTP boot. Invalid Argument Error
@Sebastian-Roth The default.ipxe file already specifies the FQDN of fogserver.gvsu.edu. On 1.5.0, I would just change it to the IP and change https to http and not recompile, and it all worked fine. Since we’ve been doing this, I’ve left it as https://fogserver.gvsu.edu/…
If it could still be an issue of the two separate certs (ca and server) in the buildipxe.sh, I’m not sure what to use as the ca one. Go Daddy uses an intermediate cert instead of a CA, but that was the chain one that we weren’t sure if it’d work.
-
RE: Not able to TFTP boot. Invalid Argument Error
@Sebastian-Roth
Darn. The certificate was purchased through Go Daddy. The CN is associated with our main web server. I added the domain name of the fog server to the “other names” section in order to cover that as well. I don’t believe it has any extensions enabled.
Here is the output:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1807900440220026086 (0x1916f3df289644e6)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
        Validity
            Not Before: Mar 15 18:52:13 2018 GMT
            Not After : Jul 13 16:53:00 2019 GMT
        Subject: OU = Domain Control Validated, CN = csims.clas.gvsu.edu
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://crl.godaddy.com/gdig2s1-815.crl
            X509v3 Certificate Policies:
                Policy: 2.16.840.1.114413.1.7.23.1
                  CPS: http://certificates.godaddy.com/repository/
                Policy: 2.23.140.1.2.1
            Authority Information Access:
                OCSP - URI:http://ocsp.godaddy.com/
                CA Issuers - URI:http://certificates.godaddy.com/repository/gdig2.crt
            X509v3 Authority Key Identifier:
                keyid:40:C2:BD:27:8E:CC:34:83:30:A2:33:D7:FB:6C:B3:F0:B4:2C:80:CE
            X509v3 Subject Alternative Name:
                DNS:csims.clas.gvsu.edu, DNS:www.csims.clas.gvsu.edu, DNS:fogserver.gvsu.edu, DNS:csimsweb.clas.gvsu.edu, DNS:viewlinc.clas.gvsu.edu
            X509v3 Subject Key Identifier:
                AB:E1:0F:46:89:C4:69:F7:D0:6E:C6:A1:40:E4:C5:70:7A:EA:C4:74
    Signature Algorithm: sha256WithRSAEncryption