Unable to get CD 1.4.0 to work with HTTPS



  • I think this is an issue with HTTPS but I'm not 100% sure.

    First of all I set Base Url to

    https://OURITSTOR.AD.QUEENSU.CA/clonedeploy/
    

    with Manual Override API Url checked.

    In this case, if Ipxe Use SSL is checked, then the :clonedeploy section of

    /tftboot/proxy/efi/pxelinux.cfg/default.ipxe
    

    comes out as follows:

    :clonedeploy
    kernel httpss://ouritstor.ad.queensu.ca/clonedeploy/api/clientimaging/IpxeBoot?filename=4.20.10x64&type=kernel initrd=initrd.xz root=/dev/ram0 rw ramdisk_size=156000  web=https://OURITSTOR.AD.QUEENSU.CA/clonedeploy/api/ClientImaging/ USER_TOKEN= consoleblank=0
    imgfetch --name initrd.xz httpss://ouritstor.ad.queensu.ca/clonedeploy/api/clientimaging/IpxeBoot?filename=initrd.xz&type=bootimage
    boot
    

    Note that two of the URLs are malformed with httpss as opposed to just https.

    If I do not check Ipxe Use SSL, the section that gets generated is this:

    :clonedeploy
    kernel http://ouritstor.ad.queensu.ca/clonedeploy/api/clientimaging/IpxeBoot?filename=4.20.10x64&type=kernel initrd=initrd.xz root=/dev/ram0 rw ramdisk_size=156000  web=https://OURITSTOR.AD.QUEENSU.CA/clonedeploy/api/ClientImaging/ USER_TOKEN= consoleblank=0
    imgfetch --name initrd.xz http://ouritstor.ad.queensu.ca/clonedeploy/api/clientimaging/IpxeBoot?filename=initrd.xz&type=bootimage
    boot
    

    Note that two of the URLs in the section have http as opposed to https (the web= switch still respects my specified base URL but the other two URLs do not). I don't know when the base url setting is supposed to be used but in my case I want https all the time.

    Anyway I fixed the URLs in the file and kept the base URL (in the settings) set to

    https://OURITSTOR.AD.QUEENSU.CA/clonedeploy/
    

    Edit: I stand by my contention (for now) that I'm unable to generate a proper ipxe file, but the remaining bit of this post was my bad (wrong file ownership on a custom script).



  • Thanks for discovering this. It's been fixed in https://github.com/cdadmin/clonedeploy/commit/b583f8a3321d08bffcc7e398acdb8d2cb36f3d63

    It will be available in the next release.

    Ipxe https is handled differently by design. Ipxe won't support self signed certs or certs signed by an internal CA. That's why it's not enabled by default for ipxe. Also there isn't really a need because nothing confidential is sent when booting from ipxe.

    If you haven't already discovered it, you can easily modify the boot menu from the WebUI to remove the extra s.



  • @clonedeploy_admin said in Unable to get CD 1.4.0 to work with HTTPS:

    Thanks for discovering this. It's been fixed in https://github.com/cdadmin/clonedeploy/commit/b583f8a3321d08bffcc7e398acdb8d2cb36f3d63

    It will be available in the next release.

    Ipxe https is handled differently by design. Ipxe won't support self signed certs or certs signed by an internal CA. That's why it's not enabled by default for ipxe. Also there isn't really a need because nothing confidential is sent when booting from ipxe.

    I already had a custom-built ipxe with my own internal cert built in so I know all about this. The way I configured my web server it was basically configured exclusively for https but I'll make the necessary adjustments and then set it back when clonedeploy is ready.

    If you haven't already discovered it, you can easily modify the boot menu from the WebUI to remove the extra s.

    I don't see how this bug can be entirely fixed unless you make a similar fix to TaskBootMenu.cs. The individually generated task boot menus have the same problem which makes it arduous to manually fix upon the start of each server-initiated task.

    For the time being, I'll just make the necessary adjustments to my webserver and look forward to the next version. Thanks for looking into this so promptly BTW.



  • @clonedeploy_admin I still think you need to fix TaskBootMenu.cs.
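
The check below is an added example, not part of the thread and not CloneDeploy code: it audits a generated iPXE menu (the default menu or a per-task one) for the two symptoms reported above, a malformed scheme such as httpss and URLs that fall back to plain http while the Base Url is https. The host name, the allowed-scheme set and the function name are assumptions, and the sample menu is constructed from the output quoted in the first post.

```python
import re
from urllib.parse import urlsplit

# Matches anything shaped like scheme://host/..., including broken schemes such as "httpss".
URL_RE = re.compile(r"\b([A-Za-z][A-Za-z0-9+.-]*)://([^\s/?#]+)\S*")
ALLOWED_SCHEMES = {"http", "https", "tftp"}  # assumption: schemes a menu may legitimately use

def audit_ipxe_menu(text, base_url):
    """Return (line_no, problem, url) findings for one generated iPXE menu."""
    base = urlsplit(base_url)
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):  # "#!ipxe" header and comments
            continue
        for m in URL_RE.finditer(line):
            scheme, host = m.group(1).lower(), m.group(2).lower()
            if scheme not in ALLOWED_SCHEMES:
                findings.append((line_no, "malformed-scheme", m.group(0)))
            elif host == base.netloc.lower() and scheme != base.scheme:
                # Same server as the Base Url but a different scheme, e.g. plaintext http
                findings.append((line_no, "scheme-mismatch", m.group(0)))
    return findings

# Constructed sample modelled on the menus quoted in the thread; host is a placeholder.
BASE_URL = "https://CD.EXAMPLE.TEST/clonedeploy/"
TEMPLATE = """#!ipxe
:clonedeploy
kernel {s}://cd.example.test/clonedeploy/api/clientimaging/IpxeBoot?filename=4.20.10x64&type=kernel initrd=initrd.xz web=https://CD.EXAMPLE.TEST/clonedeploy/api/ClientImaging/ USER_TOKEN=
imgfetch --name initrd.xz {s}://cd.example.test/clonedeploy/api/clientimaging/IpxeBoot?filename=initrd.xz&type=bootimage
boot
"""

if __name__ == "__main__":
    for label, scheme in (("Use SSL checked", "httpss"), ("Use SSL unchecked", "http"), ("fixed", "https")):
        print(label)
        for finding in audit_ipxe_menu(TEMPLATE.format(s=scheme), BASE_URL):
            print("  line %d: %s: %s" % finding)
```

Running the function over every generated menu file after a settings change or upgrade shows whether the per-task menus are affected as well as the default one.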