RE: Certificate issues since moving FOG from Ubuntu to Fedora.

@Hanz sorry didn’t realize it was a hidden file when Wayne Workman showed me where they were.

@Tom-Elliott yes

@Tom-Elliott As of now I have no hosts with any security tokens or pubkeys associated, this is after resetting them Friday. Some have been running all weekend. All I have under /opt/fog/snapins/ssl is a file named fog.csr. The client doesn’t seem to be creating new aes keys, seeing as how they’re all “expired”/blank on server. Am I getting that right ?

This is new, never saw it before so I was worried that it wasn’t working correctly, my apologies.

@Wayne-Workman After clearing all security tokens for hosts, my database shows all hosts with no tokens…When are these tokens supposed to recreate themselves, as it looks like none are being recreated which may be why my clients keep saying invalid host certificate. I don’t know who creates them or when for that matter, but it doesn’t seem to be happening.

Has anyone found a way to successfully pxe boot a machine with Marvel Yukon NIC ?

Image Replication shows

 * Found Image to transfer to 4 group(s)
[11-15-15 10:16:32 pm]  | Image name: HoneycombMarch15
[11-15-15 10:16:33 pm]  * Starting Sync Actions
[11-15-15 10:16:33 pm]  | Replication not complete
[11-15-15 10:16:33 pm]  | PID: 1422
[11-15-15 10:16:33 pm]  * Found Image to transfer to 2 group(s)
[11-15-15 10:16:33 pm]  | Image name: HP 6300-ADI
[11-15-15 10:16:33 pm]  * Starting Sync Actions
[11-15-15 10:16:33 pm]  | Replication not complete
[11-15-15 10:16:33 pm]  | PID: 1422

Snapin Replication shows

* Found Snapin to transfer to 4 group(s)
[11-15-15 10:16:33 pm]  | Snapin name: Office2013_FullInstall
[11-15-15 10:16:33 pm]  * Starting Sync Actions
[11-15-15 10:16:33 pm]  | Replication not complete
[11-15-15 10:16:33 pm]  | PID: 1420
[11-15-15 10:16:33 pm]  | Replication not complete
[11-15-15 10:16:33 pm]  | PID: 1421
[11-15-15 10:16:33 pm]  | Replication not complete
[11-15-15 10:16:33 pm]  | PID: 1423

SVN 5360

0_1447629009513_fog.log

This is a copy of my log on the machine I mentioned that keeps losing security token somehow…at the 1:35 pm mark it shows invalid host certificate, but an Authentication Authenticated statement…

On the next checkin ~ 2:36 it goes to invalid host certificate, invalid security token.

I reset encryption data (again) and restarted service on the local computer @ the 6:00 mark and the final shows it going back to Authentication Authenticated upon restart of the service. (sorry for the uploaded log, but it wouldn’t let me post just the copied code this time.)

This is next checkin

------------------------------------------------------------------------------
----------------------------------TaskReboot----------------------------------
------------------------------------------------------------------------------
 11/15/2015 7:03 PM Client-Info Version: 0.9.7
 11/15/2015 7:03 PM TaskReboot Running...
 11/15/2015 7:03 PM Middleware::Communication URL: http://10.72.3.50/fog/service/servicemodule-active.php?moduleid=taskreboot&mac=B4:99:BA:E9:B8:B8|0A:00:27:00:00:00|CC:52:AF:87:F3:DA||00:00:00:00:00:00:00:E0|00:00:00:00:00:00:00:E0&newService=1
 11/15/2015 7:03 PM Middleware::Communication Response: Success
 11/15/2015 7:03 PM Middleware::Communication URL: http://10.72.3.50/fog/service/jobs.php?mac=B4:99:BA:E9:B8:B8|0A:00:27:00:00:00|CC:52:AF:87:F3:DA||00:00:00:00:00:00:00:E0|00:00:00:00:00:00:00:E0&newService=1
 11/15/2015 7:03 PM Middleware::Communication Response: Invalid host certificate
 11/15/2015 7:03 PM Middleware::Communication URL: http://10.72.3.50/fog/management/other/ssl/srvpublic.crt
 11/15/2015 7:03 PM Data::RSA FOG Server CA cert found
 11/15/2015 7:03 PM Middleware::Authentication Cert OK
 11/15/2015 7:03 PM Middleware::Communication POST URL: http://10.72.3.50/fog/management/index.php?sub=authorize
 11/15/2015 7:03 PM Middleware::Communication Response: Success
 11/15/2015 7:03 PM Middleware::Authentication Authenticated
 11/15/2015 7:03 PM Middleware::Communication URL: http://10.72.3.50/fog/service/jobs.php?mac=B4:99:BA:E9:B8:B8|0A:00:27:00:00:00|CC:52:AF:87:F3:DA||00:00:00:00:00:00:00:E0|00:00:00:00:00:00:00:E0&newService=1&newService=1
 11/15/2015 7:03 PM Middleware::Communication Response: No jobs
------------------------------------------------------------------------------```

Per Jbob I ran the following cmd on fog database to clear security tokens.

UPDATE hosts SET hostPubKey="", hostSecToken="", hostSecTime="0000-00-00 00:00:00";

I also reset encryption data from Web UI on all hosts (which I assume does the same things from different angles)

This seemed to work, as of now my VM host is working correctly (although it has not been up and running as long as my work comp)
BUT
My work computer which has been left on, has gone from “Authentication Authenticated” back to “Invalid host certificate” and “Invalid Security Token”

I restarted the service on the VM in order to force the update to 9.7 from 9.6 and it went through the process without a hitch, through reboots and all. Im running it all day today to see if I can find the point it fails (if it does).

@Tom-Elliott Thanks, @Jbob instructed me to

“Just wipe all the security tokens
That will fix it”

@Tom-Elliott Doesn’t look like snapins are going to deploy. This is even after resetting encryption data, unless it takes until next check-in to reset encryption data.

------------------------------------------------------------------------------
---------------------------------SnapinClient---------------------------------
------------------------------------------------------------------------------
 11/13/2015 9:53 AM Client-Info Version: 0.9.6
 11/13/2015 9:53 AM SnapinClient Running...
 11/13/2015 9:53 AM Middleware::Communication URL: http://10.72.3.50/fog/service/servicemodule-active.php?moduleid=snapinclient&mac=B4:99:BA:E9:B8:B8|0A:00:27:00:00:00|CC:52:AF:87:F3:DA||00:00:00:00:00:00:00:E0|00:00:00:00:00:00:00:E0&newService=1
 11/13/2015 9:53 AM Middleware::Communication Response: Success
 11/13/2015 9:53 AM Middleware::Communication URL: http://10.72.3.50/fog/service/snapins.checkin.php?mac=B4:99:BA:E9:B8:B8|0A:00:27:00:00:00|CC:52:AF:87:F3:DA||00:00:00:00:00:00:00:E0|00:00:00:00:00:00:00:E0&newService=1
 11/13/2015 9:53 AM Middleware::Communication Response: Invalid host certificate
 11/13/2015 9:53 AM Middleware::Communication URL: http://10.72.3.50/fog/management/other/ssl/srvpublic.crt
 11/13/2015 9:53 AM Data::RSA FOG Server CA cert found
 11/13/2015 9:53 AM Middleware::Authentication Cert OK
 11/13/2015 9:53 AM Middleware::Communication POST URL: http://10.72.3.50/fog/management/index.php?sub=authorize
 11/13/2015 9:53 AM Middleware::Communication Response: Invalid security token
------------------------------------------------------------------------------```

@Tom-Elliott FYI SVN 5315 doesn’t have the location setting under groups. Thanks, I have the repin .exe, so I will attempt to get clients repinned…Do I need to reset encryption data first ?

@Wayne-Workman Unfortunately it looks like my old server was “re-purposed” for a lab, so no chance to retrieve old ssl keys. Is there any way to remove the old keys from machines and install the newly generated keys, from new Fedora based server ?

I have Fedora 22 running SVN 5315 now…I’ve had previous verisons of SVN running on Ubuntu, until I just got fed up with the “workarounds” Now I have most clients running 9.6 client, but I’m concerned with “invalid security token” and “certificate not from FOG CA” breaking things moving forward. I’m not sure what to do as I’ve uninstalled/re-installed fogservice (some wouldn’t even let me reinstall), reset encryption data, re-pinned via @Jbob fix, there has to be an easier way to just remove fogservice (gpo won’t actually uninstall, even after several reboots) and start over somehow. Can anyone please advise…I have Teamviewer and am willing to let a developer look sometime during my work hours. Thanks

@Tom-Elliott yes i went from Ubuntu to fedora and started over basically(for which I’m thankful). Any new install, I thought, created a new cert…I reinstalled once before with the -c to create a new cert…not knowing that it was disastrous… Jbob gave me a snap-in to repin, and that makes everything ok on older clients, circa first server, now it seems like fresh installs need repinned.

@Jbob I’d also like to add that I had an existing cert from FOG, but something other than FOG CA…it was dated from 9/2015 thru 9/2025. I deleted this “old” cert as it could have been from my previous FOG server that was Ubuntu based. Now I guess there is a possibility that this old cert is on some of my machines as well, causing issues with authentication. I’ll look into this further.

@Jbob I’m having a similar issue…this output is from a vm that I registered and deployed sysprep to via Quick Image…

------------------------------------------------------------------------------
--------------------------------Authentication--------------------------------
------------------------------------------------------------------------------
 11/8/2015 12:52 AM Client-Info Version: 0.9.5
 11/8/2015 12:52 AM Middleware::Communication URL: http://10.72.3.50/fog/management/other/ssl/srvpublic.crt
 11/8/2015 12:54 AM Middleware::Authentication ERROR: Could not get security token
 11/8/2015 12:54 AM Middleware::Authentication ERROR: Could not find file 'C:\Windows\system32\token.dat'.
 11/8/2015 12:54 AM Data::RSA CA cert found
 11/8/2015 12:54 AM Middleware::Authentication Cert OK
 11/8/2015 12:54 AM Middleware::Communication POST URL: http://10.72.3.50/fog/management/index.php?sub=authorize
 11/8/2015 12:54 AM Middleware::Communication Response: Invalid security token
 11/8/2015 12:54 AM Bus Registering ParseBus in channel Power

This is after a reboot, which I’m assuming should succeed.

Fedora 22 SVN 5229 client 9.5

Token.dat is not present under /windows/system32 this after I reset encryption data

I used this, and it solved my issue…not as many steps nor as dangerous it seemed.

http://linuxmanpages.net/manpages/fedora20/man1/avahi-browse-domains.1.html