FOGProject / fogproject

An open source computer cloning & management system
https://fogproject.org
GNU General Public License v3.0

Snapin download HTTP #619

Open xeebuc opened 1 month ago

xeebuc commented 1 month ago

Describe the bug: Snapins are downloaded with the wrong URL / protocol. http://&lt;ip of the server&gt; is used instead of https://&lt;fqdn&gt; (the config file is properly set up). The bug is present in versions 0.12.X and 0.13.0 of the FOG client (network or smart installer).

During a test I allowed HTTP communication and the installation worked well... but it can't stay like that.

To Reproduce

  1. Install FOG client 0.13 on your OS
    1. Configure your client to use the FQDN of your server (e.g. fogsrv.domain.tld)
    2. Check : use HTTPS
  2. Start the Service
  3. Go to your FOG server
    1. Select your host
    2. Tab : Basic Task
    3. Advanced
    4. Single Snapin
    5. Select your snapin
      1. Schedule instant
      2. And click "Task"
    6. Go to your Active Snapin Tasks
      1. You should see the snapin in the queue
    7. After a few minutes go back to the host and select the Snapin history tab
      1. At that point the return code is -1, something went wrong.
      2. See picture below

Expected behavior Snapin should be downloaded over HTTPS

Screenshots: (image)

Software:

darksidemilk commented 1 month ago

My first suggestion is to update your FOG server to the latest stable version 1.5.10.1566 (we are currently trying to do a new stable release around the 15th of every month with any stable updates added). Many feature and security updates have been added since 1.5.9 (which is almost 4 years old now) and it's likely that this issue is already resolved. If you need install/update instructions see https://docs.fogproject.org/en/latest/install-fog-server

I just tested it in the latest 1.6 beta and it does use https to download the snapin file. It pulls the hostname from the storagenode IP value (so in my case it downloaded from the storagenode IP on https) rather than the server specified in the client.

I.e. my service server settings are set to fog.domain.tld but my storage node IP, where the snapins are, is set to say 192.168.0.123 under storage node management.

My communication download line would look like

 8/13/2024 7:54:32 AM Middleware::Communication Download: https://192.168.0.123//fog/service/snapins.file.php?...

My communication URL would look like

8/13/2024 7:54:47 AM Middleware::Communication URL: https://fog.domain.tld/fog/service/snapins.checkin.php?

I am pretty sure it will work this same way in the latest stable release.

xeebuc commented 1 month ago

Hi thanks for your response.

Yeah, I plan to update it soon. But if the IP is still used for the download we have another issue... SSL name mismatch.

darksidemilk commented 1 month ago

Are you using the built-in https enable at install time? The installer creates a cert with the hostname (or a single given alias) as well as the IP address. So this is handled automatically with the built-in system. You just have to be sure the generated CA is trusted in your environment.

If you create your own cert and don't use https in iPXE boot, then you just need to make a cert with the IP subject alternative name. I.e. for Windows you'd have this inf to create the certificate request:

[NewRequest]
Subject = "CN=fog,O=YourOrg,OU=YourDept,L=YourCity,S=YourStateOrProvince,C=YourCountryCode"
Exportable = TRUE
KeyLength = 2048
[RequestAttributes]
CertificateTemplate=TemplateNameInYourCA
[Extensions]
2.5.29.17 = "{text}dns=fog&dns=fog.domain.tld&IPAddress=192.168.0.123"

CertReq -new -q "path\to\request.inf" "path\to\csr.req"

Then you'd use your req file to request the cert from the CA. This isn't a complete example, if you manage your own CA and need more info I am happy to help further.
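As an added example (not code from this thread or from the FOG project) of the check the comment above implies: parse a SAN list written in the certreq INF form shown above and work out which hosts in the client's Middleware::Communication log lines a certificate with that SAN would actually cover. The SAN value and the log lines are constructed samples modelled on the ones quoted in the thread.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample SAN in the certreq.exe INF syntax used above (not a real cert).
SAN_INF = "{text}dns=fog&dns=fog.domain.tld&IPAddress=192.168.0.123"

# Constructed log lines modelled on the client's Middleware::Communication entries.
LOG_LINES = [
    "8/13/2024 7:54:32 AM Middleware::Communication Download: https://192.168.0.123//fog/service/snapins.file.php?mac=x",
    "8/13/2024 7:54:47 AM Middleware::Communication URL: https://fog.domain.tld/fog/service/snapins.checkin.php?taskid=1",
    "8/13/2024 7:55:01 AM Middleware::Communication Download: https://10.0.0.9//fog/service/snapins.file.php?mac=x",
    "8/13/2024 7:55:09 AM Middleware::Communication Download: http://192.168.0.5//fog/service/snapins.file.php?mac=x",
]
URL_RE = re.compile(r"Middleware::Communication (?:Download|URL): (\S+)")  # URL after the marker

def parse_san_inf(value):
    """Split '{text}dns=a&dns=b&IPAddress=c' into (set of names, set of ip_address)."""
    body = value[len("{text}"):] if value.startswith("{text}") else value
    dns, ips = set(), set()
    for part in body.split("&"):
        key, _, val = part.partition("=")
        if key.lower() == "dns":
            dns.add(val.lower().rstrip("."))
        elif key.lower() == "ipaddress":
            ips.add(ipaddress.ip_address(val))
    return dns, ips

def host_matches_san(host, dns, ips):
    """Match like a TLS client: IP literals only against iPAddress SANs, names only against dNSName SANs."""
    try:
        return ipaddress.ip_address(host) in ips
    except ValueError:
        host = host.lower().rstrip(".")  # not an IP literal, so compare against dNSName entries
    return any(n == host or (n.startswith("*.") and host.endswith(n[1:])
                             and host.count(".") == n.count(".")) for n in dns)

def audit_log(lines, san_value):
    """Map each contacted host to 'ok', 'mismatch' (https, name not in SAN) or 'plaintext' (http)."""
    dns, ips = parse_san_inf(san_value)
    verdict = {}
    for line in lines:
        m = URL_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        verdict[url.hostname] = ("plaintext" if url.scheme != "https" else
                                 "ok" if host_matches_san(url.hostname, dns, ips) else "mismatch")
    return verdict
```

A "mismatch" host is where the client will fail TLS name validation even though the CA is trusted; a "plaintext" host is the case reported at the top of this issue, where no certificate is checked at all.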

xeebuc commented 1 month ago

We have our own certificate, and we use https in iPXE.

And our certificate is in our trust store.

It's already deployed and everything works, except the snapin.

darksidemilk commented 1 month ago

Well then, as long as the cert/CA you use when you compile iPXE (unless you're using a publicly trusted cert and iPXE trusts it by default) has the IP designation, you'll be fine. You can also just set the storage node IP to the hostname or fqdn; I've just seen that sometimes the internal FOG services can't resolve the hostname or fqdn (one or the other, different in different situations), which is why IP is asked for. But I've also seen it work with that set to a hostname.

If you look on your FOG server at the logs in /opt/fog/log/fog*, each starts with something like [08-13-24 3:38:49 pm] Interface Ready with IP Address: 127.0.0.1. Amongst the tested interfaces is the storage node IP, which can also be set to a hostname. If you change that setting to a hostname or fqdn trusted by your cert and the service logs don't get stuck waiting for that interface, then problem solved.

Let me know once you've updated and we'll make sure it's all working as expected.

xeebuc commented 1 month ago

(image)

Are you talking about that setting? (image)

darksidemilk commented 1 month ago

Correct. If you change that IP address to a hostname or fqdn in your cert and those service logs are still running after you restart the services, i.e. FOGFileDeleter, FOGImageReplicator, FOGImageSize, FOGMulticastManager, FOGPingHosts, FOGScheduler, FOGSnapinHash, FOGSnapinReplicator (you can just pick one for testing), then after updating you should be able to maintain the same thing and the https should work as expected.

darksidemilk commented 1 month ago

You may also need to adjust the value of the FOG_TFTP_HOST and FOG_WEB_HOST settings in FOG configuration to be the same fqdn.

I just adjusted it in all 3 places where I had the IP and switched to my fqdn (actually a cname/alias fqdn, not the actual hostname of the server, just for reference, i.e. fog.domain.tld). My services are all running and the snapin log entry looks like this:

------------------------------------------------------------------------------
---------------------------------SnapinClient---------------------------------
------------------------------------------------------------------------------
 8/13/2024 10:47:36 AM Client-Info Client Version: 0.13.0
 8/13/2024 10:47:36 AM Client-Info Client OS:      Windows
 8/13/2024 10:47:36 AM Client-Info Server Version: 1.6.0-beta.2082
 8/13/2024 10:47:36 AM Middleware::Response Success
 8/13/2024 10:47:36 AM SnapinClient Running snapin someSnapin
 8/13/2024 10:47:37 AM Middleware::Communication Download: https://fog.domain.tld//fog/service/snapins.file.php?mac={macList}&taskid=53
 8/13/2024 10:47:37 AM SnapinClient C:\Program Files (x86)\FOG\tmp\Snapin.ps1
 8/13/2024 10:47:37 AM Bus Emmiting message on channel: Notification
 8/13/2024 10:47:37 AM SnapinClient Starting snapin
 8/13/2024 10:47:50 AM SnapinClient Snapin finished
 8/13/2024 10:47:50 AM SnapinClient Return Code: 0
 8/13/2024 10:47:50 AM Bus Emmiting message on channel: Notification
 8/13/2024 10:47:50 AM Middleware::Communication URL: https://fog.domain.tld/fog/service/snapins.checkin.php?taskid=53&exitcode=0&mac={macList}8&newService&json
------------------------------------------------------------------------------

xeebuc commented 1 month ago

Alright,

I'm gonna test later today and let you know if everything is still working. FOG_TFTP_HOST & FOG_WEB_HOST are already set with the hostname.

Thanks.

xeebuc commented 1 month ago

Almost there... (image) Still using http... but this time I had the fqdn.

darksidemilk commented 1 month ago

The update to FOG will still be required to get https. There may be some special steps if you have a custom cert as FOG doesn't natively support an external CA and custom cert just yet.

xeebuc commented 1 month ago

Hooooooo, I see. My bad.

Thanks