I look forward to it!
Posts made by jonhwood360
-
RE: Fog client installation error - Cannot install CA certificate
@sebastian-roth said in Fog client installation error - Cannot install CA certificate:
@jonhwood360 said in Fog client installation error - Cannot install CA certificate:
We have a winner!
So it seems that newer apache does not like the 1.0 connections.
Great! Thanks again for testing. I will need to dig through the code and see if there is more adjustment needed (other places in the code needing that fix as well). Allow me a few days and I will release a new 0.12.1 including that fix.
Can you post the latest FOGService.install log as well?
As requested:
-
RE: Fog client installation error - Cannot install CA certificate
@sebastian-roth said in Fog client installation error - Cannot install CA certificate:
@jonhwood360 Ok, here you go for another try: https://github.com/FOGProject/fog-client/releases/download/0.12.0/FOGService_enable_TLS12.msi
See if it can successfully pin to the FOG server with that and post a picture of the FOGService.install log as well.
Keep in mind, this is not for official deployment for various reasons.
We have a winner!
So it seems that newer apache does not like the 1.0 connections.
-
RE: Fog client installation error - Cannot install CA certificate
@jonhwood360 said in Fog client installation error - Cannot install CA certificate:
@sebastian-roth said in Fog client installation error - Cannot install CA certificate:
@jonhwood360 The PCAP looks like the host sends a TLS Client Hello using TLS 1.0 and the Apache server rejects it. Have you disabled newer TLS versions via GPO by any chance??
No, no GPOs are applied. The apache server is on ubuntu. I can try to force enable newer TLS versions on the workstations. Is ver 1.2 sufficient?
I reattempted install after hard enabling tls 1.1 and 1.2 in the registry of the machine. No change.
I also took another pcap: https://drive.google.com/file/d/19u1RKug2OwFOHC4S_l0bDT1uK7bbhR0I/view?usp=sharing
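
The version finding from the capture can be checked by parsing the ClientHello itself. This is an added example, not part of the original posts or the FOG project's code: it reports the record-layer version and the highest version the client actually offers, which can differ. The sample bytes from `build_hello` and the TLS 1.2 minimum in `meets_minimum` are assumptions, not values from the thread.

```python
import struct

VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
            0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

def parse_client_hello(record: bytes) -> dict:
    """Report the protocol versions carried in one TLS ClientHello record."""
    ctype, rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if ctype != 0x16 or len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    client_ver = struct.unpack("!H", hello[:2])[0]
    pos = 2 + 32                                            # skip client_version and random
    pos += 1 + hello[pos]                                   # skip session_id
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # skip cipher_suites
    pos += 1 + hello[pos]                                   # skip compression_methods
    offered = [client_ver]
    if pos + 2 <= len(hello):                               # extensions are optional
        end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            data = hello[pos + 4:pos + 4 + elen]
            if etype == 43 and data:                        # supported_versions (TLS 1.3 clients)
                offered += [struct.unpack("!H", data[i:i + 2])[0]
                            for i in range(1, 1 + data[0], 2)]
            pos += 4 + elen
    known = [v for v in offered if v in VERSIONS]           # drops GREASE/unknown values
    if not known:
        raise ValueError("no recognised protocol version offered")
    return {"record": VERSIONS.get(rec_ver, hex(rec_ver)), "highest": VERSIONS[max(known)]}

def meets_minimum(record: bytes, minimum: str = "TLS 1.2") -> bool:
    """True if the hello offers at least `minimum` (an assumed server policy)."""
    names = list(VERSIONS.values())
    return names.index(parse_client_hello(record)["highest"]) >= names.index(minimum)

def build_hello(client_version: int, supported: tuple = ()) -> bytes:
    """Constructed sample input: a minimal ClientHello, not bytes from the thread's capture."""
    hello = struct.pack("!H", client_version) + bytes(32) + b"\x00"  # version, random, empty session_id
    hello += b"\x00\x02\x00\x2f" + b"\x01\x00"              # one cipher suite, null compression
    if supported:
        sv = bytes([2 * len(supported)]) + b"".join(struct.pack("!H", v) for v in supported)
        ext = struct.pack("!HH", 43, len(sv)) + sv
        hello += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 0x16, 0x0301, len(hs)) + hs  # record version stays 0x0301
```

A TLS 1.2 client commonly still sends record version 0x0301 in its first record, so the record-layer field alone does not show that a client is limited to TLS 1.0; the `client_version` field (and `supported_versions`, when present) does.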
-
RE: Fog client installation error - Cannot install CA certificate
@sebastian-roth said in Fog client installation error - Cannot install CA certificate:
@jonhwood360 The PCAP looks like the host sends a TLS Client Hello using TLS 1.0 and the Apache server rejects it. Have you disabled newer TLS versions via GPO by any chance??
No, no GPOs are applied. The apache server is on ubuntu. I can try to force enable newer TLS versions on the workstations. Is ver 1.2 sufficient?
-
RE: Fog client installation error - Cannot install CA certificate
@sebastian-roth said in Fog client installation error - Cannot install CA certificate:
@jonhwood360 Didn’t expect it to bail out that early. So it doesn’t even get to where I expected it to fail (SSL/TLS cert validity check).
Could you please try installing the fog-client on a system that is not in audit mode? Just want to make sure this has no effect.
The other thing we might take a look at is a network packet capture.
Here is the packet capture:
https://drive.google.com/file/d/1KM4WAsPPF43tVDomDUuR_HOEU_4bZ6oB/view?usp=sharing
-
RE: Fog client installation error - Cannot install CA certificate
@sebastian-roth said in Fog client installation error - Cannot install CA certificate:
@jonhwood360 Quickly added some debugging output and compiled a fresh MSI for you: https://github.com/FOGProject/fog-client/releases/download/0.12.0/FOGService_debug_CAcert.msi
This is not an official build but it will do a good job finding out what’s going wrong in your case I hope. Try installing with that MSI and then check the FOGService.install.log again. You should see more output in there than you had before. Post the new log output here.
Here you go.
-
RE: Fog client installation error - Cannot install CA certificate
@sebastian-roth said in Fog client installation error - Cannot install CA certificate:
Did you manually edit the Apache configuration or left it as generated by the FOG installer?
No I did not.
-
RE: Fog client installation error - Cannot install CA certificate
So as a test I manually installed the certificate into the certificate store. I confirmed it was in fact installed through the certificate snapin in mmc. When I try to install the client, the certificate disappears from the store once it says it can’t install the certificate.
Pre-install
Post-Install
-
RE: Fog client installation error - Cannot install CA certificate
@sebastian-roth said in Fog client installation error - Cannot install CA certificate:
@jonhwood360 I just quickly tested on Windows 10 2004 (latest updates installed including 2021-01 .NET updates) and it installs and downloads the certs just fine.
I know this is not of much help to you yet but from that I would expect this to not be a general issue for everyone.
As I said, I will try to add some more debug output and compile a custom installer for you to test - probably not today though.
Just another question that came to my mind. You use the SmartInstaller.exe. Have you tried the MSI yet? Essentially the SmartInstaller has the MSI included, will extract it and call msiexec to install it. So there should be really no difference at all but please give it a try to make sure we see the same issue with both.
Yes I have tried the MSI as well. I’ve tried running the smartinstaller as administrator, and installing the msi from an elevated command prompt as well.
I too am surprised about this. I wonder if this is a function of the computer being in Audit mode (ctrl-shift-F3 at OS first boot right after install from media)?
-
RE: Fog client installation error - Cannot install CA certificate
I expect you are using the fog-client version 0.12.0 that comes with the FOG server 1.5.9, right?
Yes
Possibly some .NET update broke our client lately?! When initially installing the fog-client we make it ignore that it doesn’t know the SSL CA yet (see code on github: https://github.com/FOGProject/zazzles/blob/master/Zazzles/Middleware/Communication.cs#L300). So I could imagine some .NET update code changed the behavior. But on the other hand you said:
I’ve also downloaded and manually installed the CA cert into the machine’s trusted root certificate store with no effect.
In this case the SSL trust relationship should be all right with the CA (manually) installed and it would not need to rely on that code mentioned above.
I have tried manually importing the CA certificate and rerunning the install, and it fails at the same task. If you’d like I can retry this and screenshot the logs?
I have to say that I have not tested on fully patched Windows 10 2004 lately but I can do so.
I might provide a binary with more debug output enabled for you to test and get more information. But will need a bit of time for that.
Again, any assistance is greatly appreciated!
-
RE: Fog client installation error - Cannot install CA certificate
1.) @jonhwood360 Do you have a GPO forcing an install of a particular certificate in place?
1a.) Nope, I do not.
2.) And it’s probably not a firewall issue as you are able to manually download the cert files from that very same computer, right?
2a.) Correct I can download the cert manually through a web browser on the computer I am attempting to install the client on.
3.) Though you might still check the Apache logs on your FOG server if it seems to properly answer the request. Prepare the fog-client installer but don’t go to the last step where it would download the cert. Now in your FOG server console run:
tail -f /var/log/apache2/*.log
Press ENTER twice and leave that command waiting while you quickly finish the fog-client installer. Now stop the tail command in the server (ctrl-c) and post all the new output lines that were added after you hit ENTER.
3a.) See screenshot(s) of apache logs below.
Pre install
Failure
The log was from my other windows box on the network that has the fog admin console open. It does not appear that the installer is even reaching out to fogserver for the license. There is no firewall between the two VMs.
Thanks for helping troubleshoot this.
-
RE: Fog client installation error - Cannot install CA certificate
@sebastian-roth Thanks for the suggestion. I have disabled defender completely (via local GPO setting) and it made no difference in being able to run.
-
Fog client installation error - Cannot install CA certificate
Hello,
I’m attempting to set up a test lab for FOG, and am having no luck with the client install on Windows 10. I have tried searching this forum for info, and haven’t found any solutions that have worked for me yet.
Fog Server:
Fog 1.5.9
Ubuntu 20.04 Server LTS
Installed using HTTPS option during guided setup.
Windows 10
Windows 10 version 2004
Currently booted into Audit Mode for Configuration.
So I’m attempting to install the client using the SmartInstaller, with it always failing unable to install the CA certificate. Installation log is as follows:
Here is the Certificate itself:
I am able to download the certificates manually. I am also able to install the client without checking the “HTTPS” option, and then alter the operating mode to https in the service config json file, however that seems to start another problem with downloading another certificate (Middleware::Communication Download: https://10.40.40.5/fog/management/other/ssl/srvpublic.crt) and being unable to do so. I’ve also downloaded and manually installed the CA cert into the machine’s trusted root certificate store with no effect.
A side note, the smartinstaller download and execution triggered windows defender smartscreen.
Any ideas?