
Failed to get SSL certificate | Cannot verify peer's SSL certificate, unknown CA | Caught Empty IOR string from iiopAddressesInIOR

Hello, I have a couple of servers which on the one hand have Sophos AV fully working, but on the other hand cannot be seen in SEC (Sophos Enterprise Console). After some investigation I found this in the logs:

28.06.2018 11:58:47 1E04 W Failed to get certificate, retrying in 600 seconds
28.06.2018 12:08:47 1E04 I Getting parent router IOR from 10.183.173.88:8192
28.06.2018 12:08:47 1E04 I Getting a new router certificate...
28.06.2018 12:09:29 1E04 E Router::GetCertificate: Caught CORBA system exception, ID 'IDL:omg.org/CORBA/TRANSIENT:1.0'
OMG minor code (2), described as '*unknown description*', completed = NO

28.06.2018 12:20:11 1E04 W Failed to get certificate, retrying in 600 seconds
28.06.2018 12:30:11 1E04 I Getting parent router IOR from 10.183.173.88:8192
28.06.2018 12:30:11 1E04 I Getting a new router certificate...
28.06.2018 12:32:39 1E04 W SSL connection alert, peer address 10.183.173.88
28.06.2018 12:32:39 1E04 W Cannot verify peer's SSL certificate, unknown CA
28.06.2018 12:32:39 1E04 E Router::ReportInvalidCertificate: Caught Empty IOR string from iiopAddressesInIOR
28.06.2018 12:32:39 1E04 I This computer is part of the domain EU
28.06.2018 12:32:39 1E04 E ACE_SSL (7964|7684) error code: 336134278 - error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
28.06.2018 12:33:00 1E04 E Router::GetCertificate: Caught CORBA system exception, ID 'IDL:omg.org/CORBA/TRANSIENT:1.0'
OMG minor code (2), described as '*unknown description*', completed = NO

Then I read through several articles and forums, which raised some questions for which I haven't been able to find answers yet.

1.) How are "ParentAddress" and "ParentPort" (found in HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\Messaging System\Router) related to the IOR port?

2.) What is "http://www2.parc.com/istl/projects/ILU/parseIOR/" used for? I tried to enter the IOR there, but then the page said "Your IOR is misformed. It must begin with either "IOR:" or "IOR2:", and then have an even number of hex digits." It seems as if the IOR wasn't correct.

3.) There are "pkc" and "pkp" missing under HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\Remote Management System\ManagementAgent\Private, which should be crucial for a server. How can I get "pkc" and "pkp" back? (There is also no NotifyClientUpdate found in HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\Messaging System\Router.)

4.) All the necessary ports (80, 8192, 8194) are open. I can telnet to the destination without a problem. The IOR is shown when telnetting to 8192. How come the router catches an empty IOR string then?

5.) Finally: how can this whole issue be fixed? I won't be able to do it without someone's help.

I would be really grateful if someone knew what to do, because I have already run out of ideas. Thank you.



  • Hello Maros Goc,

    first of all, you are using SESC so the Central forum is not the right one - please join the Endpoint Security and Control group and move your post there (I'd have moved it but I can't before you have joined this group).

    "IOR is shown when telnetting 8192"
    using the 10.183.173.88 address? You have to take the whole response starting with IOR: and paste it in the parse box - please note that if you copy it from the cmd window it's broken up into several lines and contains additional CRLFs and this is why the parser complains, so make it one single string first.

    Just saw your new post:
    "I have no Enterprise Console folder there"
    where's there? You should run the EMU (guess this is what you are referring to) on the management server (SEC) - this folder and the files are there.

    Christian
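The IOR check Christian describes above, as an added example that is not part of the thread or of Sophos' own tooling: a minimal Python decoder for a stringified CORBA IOR that first strips the CRLFs a cmd.exe copy introduces, applies the same well-formedness test as the parseIOR page ("IOR:" prefix, even number of hex digits), and then walks the CDR encoding to pull host and port out of each IIOP profile, i.e. the address the Router is actually told to connect to. The sample IOR is constructed by the block itself; its type id and object key are made-up values, and the host is just the address mentioned later in the thread.

```python
import struct
def _align(pos, n):                                     # CDR aligns each primitive to its own size
    return (pos + n - 1) // n * n

class CDRReader:                                        # octet 0 of a CDR stream is the byte-order flag
    def __init__(self, data):
        self.d, self.pos = data, 1
        self.e = "<" if data[0] == 1 else ">"
    def octet(self):
        self.pos += 1
        return self.d[self.pos - 1]
    def num(self, fmt):                                 # "I" = ulong, "H" = ushort
        size = struct.calcsize(fmt)
        self.pos = _align(self.pos, size) + size
        return struct.unpack_from(self.e + fmt, self.d, self.pos - size)[0]
    def octets(self):                                   # sequence<octet>: ulong length + bytes
        n = self.num("I")
        self.pos += n
        return self.d[self.pos - n:self.pos]
    def string(self):                                   # CDR string length includes the NUL
        return self.octets()[:-1].decode("latin-1")

def parse_ior(text):
    """Return (type_id, [(host, port, object_key), ...]) for every IIOP profile."""
    s = "".join(text.split())                           # a copy from cmd.exe carries CRLFs: drop whitespace
    if not s.startswith("IOR:") or len(s) % 2:
        raise ValueError("IOR must begin with 'IOR:' and have an even number of hex digits")
    outer = CDRReader(bytes.fromhex(s[4:]))
    type_id, endpoints = outer.string(), []
    for _ in range(outer.num("I")):                     # sequence<TaggedProfile>
        tag, body = outer.num("I"), outer.octets()
        if tag == 0:                                    # TAG_INTERNET_IOP
            p = CDRReader(body)                         # encapsulation: alignment restarts at 0
            p.octet(); p.octet()                        # IIOP version major, minor
            host, port = p.string(), p.num("H")
            endpoints.append((host, port, p.octets()))  # object_key follows the port
    return type_id, endpoints

class CDRWriter:                                        # big-endian encoder, only for the sample below
    def __init__(self): self.b = bytearray([0])
    def octet(self, v): self.b.append(v)
    def num(self, fmt, v):
        self.b += bytes(_align(len(self.b), struct.calcsize(fmt)) - len(self.b)) + struct.pack(">" + fmt, v)
    def octets(self, o): self.num("I", len(o)); self.b += o
    def string(self, s): self.octets(s.encode() + b"\x00")

def build_sample_ior(host, port, key=b"RouterObj"):     # constructed sample, not a real Sophos IOR
    prof = CDRWriter(); prof.octet(1); prof.octet(0); prof.string(host); prof.num("H", port); prof.octets(key)
    ior = CDRWriter(); ior.string("IDL:omg.org/CORBA/Object:1.0"); ior.num("I", 1); ior.num("I", 0); ior.octets(bytes(prof.b))
    return "IOR:" + ior.b.hex()
```

Feeding the string copied from the telnet session to parse_ior() tells you which host and port the profile advertises, which is what to compare against ParentAddress/ParentPort.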

  • Hi Christian,

    oh my god, how silly of me... I have misinterpreted Barb's hint. I should have used the Migration utility on the relay and then the script on the endpoint. It seems I am a bit overworked lol. I will try it immediately.

    And I will move the topic to the place you suggested. And also yes, I have already noticed that copying an IOR from CMD creates gaps, so that is why it didn't work.

    Thank you very much :)

  • It is totally the same. Ok I will try that.

  • Nah, I cannot do it. I am just a Windows Administrator and I don't own those servers, thus I am not allowed to install OpenSSL there. Geez, this is a never-ending story.

  • Hello Maros Goc,

    won't suggest you do something you're not allowed to do.
    OpenSSL doesn't necessarily need to be installed, e.g. these archives contain all you need.  

    Christian

  • Hi,

    I am back at work so I tried the openssl thing, though I don't know if I managed to do it correctly, but this is the result:

    I tried the same thing on the server with no Sophos problem and it returned 0, so I guess I managed to do it correctly. But in both cases there is "9072:error:02001002:system library:..", which I don't know what it means.

  • Hello Maros Goc,

    0.9.8r is outdated (the "oldest current" available at this site), please use a newer version (note that they are alphabetically sorted and the newest are at the bottom).

    Christian

  • Hi Christian,

    this is the result.

  • Hello Maros Goc,

    the fopen() error suggests that you did not put cac.pem into the \openssl...-win64\ folder.
    Doesn't matter though, as apparently it can't connect to the specified address/port at all. If this 10.x.x.12 is indeed the host returned in the IOR string, I wonder why the connection doesn't succeed.

    To make sure: telnet to the same address and port does connect? Normally I'd use Wireshark to verify that no connection is established but this is probably not an option for you. I mention it because in a post from a recent thread it seemed that telnet didn't return an error even though it simply timed out and failed to connect.

    Christian   

  • Hi,

    telnetting to 80, 8192 and 8194 works absolutely fine.

    This is how it looks after cac.pem was placed in the right directory.

  • Hello Maros Goc,

    "8194 works absolutely fine"
    I don't think so but I might be wrong. What's the output if you try s_client -connect 127.0.0.1:8194? Dunno if the local Router is already in the state to answer requests but it's worth a try.

    Christian

  • The result was the same as above.

  • Hello Maros Goc,

    might be that the Router does not yet listen.

    Well, there's a small utility from Microsoft which should give a definite answer whether you can connect to the server's 8194: PortQry.exe.

    Christian

  • Hi,

    it seems it is not supported when it comes to Windows Server 2008 R2, thus it cannot be run :(

  • Hello Maros Goc,

    "not supported when it comes to Windows Server 2008 R2"
    you mean:

    Applies to: Microsoft Windows Server 2003 Standard Edition (32-bit x86); Microsoft Windows Server 2003 Enterprise Edition (32-bit x86); Microsoft Windows XP Home Edition; More

    ? Did you click more?

    Applies to: Microsoft Windows Server 2003 Standard Edition (32-bit x86); Microsoft Windows Server 2003 Enterprise Edition (32-bit x86); Microsoft Windows XP Home Edition; Microsoft Windows XP Professional; Windows Server 2008 Standard; Windows Server 2008 Enterprise; Windows Server 2008 R2 Standard; Windows Server 2008 R2 Enterprise; Windows Server 2012 Standard; Windows Server 2012 Standard; Windows Server 2012 R2 Standard; Windows Server 2012 R2 Datacenter; Windows Server 2012 Datacenter; Windows Server 2012 Datacenter; Windows 8.1 Enterprise; Windows 8 Enterprise; Windows 10, version 1607; Windows 10, version 1511

    Christian

  • Look at this, 8194 seems OK

  • Hello Maros Goc,

    obviously 10.128.99.125 works - but you tried a different address (10.255.x.x) with OpenSSL, didn't you?

    Christian

  • Jesus Christ!! I have been using the wrong IP all the time when using OpenSSL... So this is the correct result of the OpenSSL testing (with cac.pem).

  • Hello Maros Goc,

    if I'm not misinterpreting the output, it could read cac.pem, but nevertheless verify returns 19, meaning the certificate used by the server to sign the communication is not the one in cac.pem (or better, the cac.pem you used here). So it boils down to running the EMU with the cac.pem the server actually uses.

    Christian

  • I used the correct cac.pem. I found it in "C:\ProgramData\Sophos\AutoUpdate\Cache"

    Anyway, maybe you could find the registry keys interesting. I am comparing here the one with this Sophos/router problem and the one with absolutely no issue, and the server with the problem misses some keys. The missing keys are highlighted in red in the picture showing the server with no problem. Maybe this could help you with your investigation.

    Server with the problem


    Server with no problem


  • Hello Maros Goc,

    "I found it in "C:\ProgramData\Sophos\AutoUpdate\Cache""
    you can run the EMU more or less on whatever machine you like. cac.pem should be the one from the management server - the correct one could (and should) be in the cache, but the one you provided to OpenSSL is apparently not the one 10.128.99.125 uses. The ParentAddress the bad machine attempts to use is, BTW, 10.128.99.126.

    The difference in the keys is the result of the fact that one endpoint is able to connect to  its router (and indirectly the management server) and the other not - not the cause.

    cac.pem is created when a management server is installed for the first time, I wonder where the other one comes from?

    In order to make your bad machines talk to their respective relay, use EMU with the correct cac.pem and the applicable mrinit.conf. I'd recommend though to reinstall (running setup.exe) from the appropriate CID (i.e. the one the relay is updating from).

    Christian

  • Hi,

    forget those first posts, since I forgot which one I used as an example. Since I have a lot of servers with this problem, I picked a different one, and that one uses 10.128.99.126.

    I reinstalled Sophos on all these servers many times but the issue persists.