
Failed to get SSL certificate | Cannot verify peer's SSL certificate, unknown CA | Caught Empty IOR string from iiopAddressesInIOR

Hello, I have a couple of servers which on the one hand have Sophos AV fully working, but on the other hand cannot be seen in SEC (Sophos Enterprise Console). After some investigation I found this in the logs:

28.06.2018 11:58:47 1E04 W Failed to get certificate, retrying in 600 seconds
28.06.2018 12:08:47 1E04 I Getting parent router IOR from 10.183.173.88:8192
28.06.2018 12:08:47 1E04 I Getting a new router certificate...
28.06.2018 12:09:29 1E04 E Router::GetCertificate: Caught CORBA system exception, ID 'IDL:omg.org/CORBA/TRANSIENT:1.0'
OMG minor code (2), described as '*unknown description*', completed = NO

28.06.2018 12:20:11 1E04 W Failed to get certificate, retrying in 600 seconds
28.06.2018 12:30:11 1E04 I Getting parent router IOR from 10.183.173.88:8192
28.06.2018 12:30:11 1E04 I Getting a new router certificate...
28.06.2018 12:32:39 1E04 W SSL connection alert, peer address 10.183.173.88
28.06.2018 12:32:39 1E04 W Cannot verify peer's SSL certificate, unknown CA
28.06.2018 12:32:39 1E04 E Router::ReportInvalidCertificate: Caught Empty IOR string from iiopAddressesInIOR
28.06.2018 12:32:39 1E04 I This computer is part of the domain EU
28.06.2018 12:32:39 1E04 E ACE_SSL (7964|7684) error code: 336134278 - error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
28.06.2018 12:33:00 1E04 E Router::GetCertificate: Caught CORBA system exception, ID 'IDL:omg.org/CORBA/TRANSIENT:1.0'
OMG minor code (2), described as '*unknown description*', completed = NO

Then I read through several articles and forums, which raised some questions for which I couldn't find answers yet.

1.) How are "ParentAddress" and "ParentPort" (found in HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\Messaging System\Router) related to the IOR port?

2.) What is "http://www2.parc.com/istl/projects/ILU/parseIOR/" used for? I tried to enter the IOR there, but then the page said "Your IOR is misformed. It must begin with either "IOR:" or "IOR2:", and then have an even number of hex digits." It seems as if the IOR wasn't correct.

3.) There are "pkc" and "pkp" missing under HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\Remote Management System\ManagementAgent\Private, which should be crucial for a server. How can I get "pkc" and "pkp" back? (There is also no NotifyClientUpdate found in HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\Messaging System\Router.)

4.) All the necessary ports (80, 8192, 8194) are open. I can telnet to the destination point without a problem. The IOR is shown when telnetting to 8192. How come the router is catching an empty IOR string then?

5.) Finally, how can this whole issue be fixed? I won't be able to do it without someone's help.

I would be really grateful if someone knew what to do, because I have already run out of ideas. Thank you.

  • Hello Maros Goc,

    first of all, you are using SESC so the Central forum is not the right one - please join the Endpoint Security and Control group and move your post there (I'd have moved it but I can't before you have joined this group).

    "IOR is shown when telneting 8192" - using the 10.183.173.88 address? You have to take the whole response starting with IOR: and paste it in the parse box. Please note that if you copy it from the cmd window it's broken up into several lines and contains additional CRLFs, and this is why the parser complains, so make it one single string first.

    Just saw your new post:
    "I have no Enterprise Console folder there" - where's there? You should run the EMU (guess this is what you are referring to) on the management server (SEC) - this folder and the files are there.

    Christian

  • Hi Christian,

    oh my god, how silly I am... I have misinterpreted Barb's hint. I should have used the Migration utility on the relay and then the script on the endpoint. It seems I am a bit overworked lol. I will try it immediately.

    And I will move the topic to the place you suggested. And also yes, I have already noticed that copying an IOR from CMD creates gaps, so that is why it didn't work.

    Thank you very much :)

  • Look at this, 8194 seems OK

  • Hello Maros Goc,

    obviously 10.128.99.125 works - but you tried a different address (10.255.x.x) with OpenSSL, didn't you?

    Christian

  • Jesus Christ!! I have been using the wrong IP all the time when using OpenSSL....So this is the correct result of the OpenSSL testing (with cac.pem).

  • Hello Maros Goc,

    if I'm not misinterpreting the output it could read cac.pem but nevertheless verify returns 19 meaning the certificate used by the server to sign the communication is not the one in cac.pem (or better, the cac.pem you used here). So it boils down to running the EMU with the cac.pem the server actually uses.

    Christian

  • I used the correct cac.pem. I found it in "C:\ProgramData\Sophos\AutoUpdate\Cache"

    Anyway, maybe you could find the registry keys interesting. I am comparing here the one with this Sophos/router problem and the one with absolutely no issue, and the server with the problem misses some keys. The missing keys are highlighted in red in the picture showing the server with no problem. Maybe this could help you with your investigation.

    Server with the problem (registry screenshot)

    Server with no problem (registry screenshot)

  • Hello Maros Goc,

    "I found it in "C:\ProgramData\Sophos\AutoUpdate\Cache"" - you can run the EMU more or less on whatever machine you like. cac.pem should be the one from the management server - the correct one could (and should) be in the cache, but the one you provided to OpenSSL is apparently not the one 10.128.99.125 uses. The ParentAddress the bad one attempts to use is, BTW, 10.128.99.126.

    The difference in the keys is the result of the fact that one endpoint is able to connect to  its router (and indirectly the management server) and the other not - not the cause.

    cac.pem is created when a management server is installed for the first time; I wonder where the other one comes from?

    In order to make your bad machines talk to their respective relay, use EMU with the correct cac.pem and the applicable mrinit.conf. I'd recommend though to reinstall (running setup.exe) from the appropriate CID (i.e. the one the relay is updating from).

    Christian

  • Hi,

    forget those first posts, since I forgot which one I used as an example. Since I have a lot of servers with this problem, I picked a different one, and that one uses 10.128.99.126.

    I reinstalled Sophos on all these servers many times, but the issue persists.

  • Hello Maros Goc,

    I'm not sure what the issue is, whether there's one issue or several. The common symptom is that the endpoints don't "appear" in the console but, as said, there are various potential causes.

    The Remote Management System (RMS) uses TLS with self-signed certificates for communication. The management server creates a CA certificate that is subsequently used to sign all other certificates. This CA-certificate (cac.pem) is contained in the distribution (install, update) location. It is stored on an endpoint during initial install (initial means: setup.exe is run) and used to verify the certificates used in communication with the management server. mrinit.conf tells an endpoint whom to contact in order to communicate with its server. Whether it's the server itself or a message relay it has to present a certificate signed by the already known CA.
    If an upstream server presents a valid IOR on port 8192 and port 8194 of the host returned in the IOR is reachable, then RMS should work, and OpenSSL - if instructed to use this CA - should return success. If it doesn't, then the cac.pem is from a different management server - OR it is the intended cac.pem but the upstream server tested belongs to a different management server.

    Christian
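
The checks Christian describes (joining an IOR copied from a cmd window into one string before parsing it, decoding the IIOP host and port the IOR advertises for the 8194 test, and reading the verify return code that openssl s_client prints) can be scripted. The block below is an added example written for this thread; it is not code from the thread, from Sophos or from the parseIOR page. The type id "IDL:example/Router:1.0", the sample openssl output and the IOR built by build_ior are constructed test data (the host and port are the ones discussed above); the CDR decoding follows the standard IOR layout, which is an assumption about what the Sophos router actually serves on 8192.

```python
"""Added example (not from the thread, not Sophos code):
  normalize_ior           join an IOR split over lines and check the
                          "IOR:" / even-hex-digits rule the parser enforces
  iiop_addresses_in_ior   decode the CDR-encoded IOR and list host:port of
                          every IIOP profile (an empty list is the
                          "Empty IOR string from iiopAddressesInIOR" case)
  openssl_verify_code     read the 'Verify return code' line of s_client
All sample data is constructed for this example."""
import re
import struct

TAG_INTERNET_IOP = 0          # IIOP profile tag from the CORBA spec
TAG_MULTIPLE_COMPONENTS = 1   # a non-IIOP profile tag, used for the negative case

# Common X509 verify codes printed by openssl s_client / openssl verify
VERIFY_CODES = {
    0: "ok",
    18: "self signed certificate",
    19: "self signed certificate in certificate chain",
    20: "unable to get local issuer certificate",
    21: "unable to verify the first certificate",
}


def normalize_ior(text):
    """Strip the CR/LF a cmd window inserts and validate the overall shape."""
    joined = "".join(text.split())
    if not re.fullmatch(r"IOR2?:(?:[0-9A-Fa-f]{2})+", joined):
        raise ValueError('IOR must begin with "IOR:" and have an even number of hex digits')
    return joined


class _CDR:
    """Minimal CDR reader; alignment is relative to the start of each encapsulation."""

    def __init__(self, data):
        self.data = data
        self.pos = 0
        self.little = data[0] == 1      # first octet of an encapsulation is the byte-order flag

    def align(self, n):
        self.pos = (self.pos + n - 1) // n * n

    def u8(self):
        value = self.data[self.pos]
        self.pos += 1
        return value

    def unpack(self, fmt, size):
        self.align(size)
        value = struct.unpack_from(("<" if self.little else ">") + fmt, self.data, self.pos)[0]
        self.pos += size
        return value

    def string(self):
        length = self.unpack("I", 4)    # length includes the trailing NUL
        value = self.data[self.pos:self.pos + length - 1].decode("ascii")
        self.pos += length
        return value

    def octets(self):
        length = self.unpack("I", 4)
        value = self.data[self.pos:self.pos + length]
        self.pos += length
        return value


def iiop_addresses_in_ior(ior_text):
    """Return (type_id, [(host, port), ...]) for the IIOP profiles in an IOR."""
    raw = bytes.fromhex(normalize_ior(ior_text).split(":", 1)[1])
    outer = _CDR(raw)
    outer.u8()                          # byte-order flag
    type_id = outer.string()
    addresses = []
    for _ in range(outer.unpack("I", 4)):
        tag = outer.unpack("I", 4)
        body = outer.octets()           # each profile is its own encapsulation
        if tag != TAG_INTERNET_IOP:
            continue
        prof = _CDR(body)
        prof.u8()                       # byte-order flag
        major, minor = prof.u8(), prof.u8()   # IIOP version, not needed further here
        host = prof.string()
        port = prof.unpack("H", 2)
        addresses.append((host, port))
    return type_id, addresses


def build_ior(type_id, host, port, tag=TAG_INTERNET_IOP):
    """Encode a minimal big-endian IIOP 1.0 IOR (constructed test data only)."""
    def cdr_string(s):
        b = s.encode("ascii") + b"\0"
        return struct.pack(">I", len(b)) + b

    def pad(b, n):
        return b + b"\0" * (-len(b) % n)

    profile = pad(b"\x00\x01\x00", 4) + cdr_string(host)   # big-endian, IIOP 1.0, host
    profile = pad(profile, 2) + struct.pack(">H", port)
    body = pad(b"\x00", 4) + cdr_string(type_id)           # big-endian, type id
    body = pad(body, 4) + struct.pack(">II", 1, tag)       # one profile with the given tag
    body += struct.pack(">I", len(profile)) + profile
    return "IOR:" + body.hex()


def openssl_verify_code(s_client_output):
    """Parse the 'Verify return code: N (...)' line; None if it is absent."""
    m = re.search(r"Verify return code: (\d+)", s_client_output)
    if not m:
        return None
    code = int(m.group(1))
    return code, VERIFY_CODES.get(code, "see verify(1) for this code")


# Constructed sample data: an IOR as the relay might serve it, and s_client output
SAMPLE_IOR = build_ior("IDL:example/Router:1.0", "10.128.99.125", 8194)
SAMPLE_S_CLIENT = (
    "CONNECTED(00000003)\n"
    "    Verify return code: 19 (self signed certificate in certificate chain)\n"
)

if __name__ == "__main__":
    split_by_terminal = SAMPLE_IOR[:60] + "\r\n" + SAMPLE_IOR[60:]   # as copied from cmd
    print(iiop_addresses_in_ior(split_by_terminal))
    print(openssl_verify_code(SAMPLE_S_CLIENT))
```

A verify code of 19 here means the chain ends in a self-signed certificate that is not the cac.pem handed to openssl, which is exactly the "wrong CA" situation Christian describes; code 0 with the right cac.pem is what a healthy endpoint-to-relay path looks like. The decoder returns an empty address list, rather than crashing, when the IOR carries no IIOP profile, so a caller can report that condition the way the router log does.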

  • Could you tell me what I should do in order to fix this hellish problem? What would you do? The reinstallation didn't help at all :(

  • Hello Maros,

    At this point, I would recommend creating a case with support so that they can further assist you in resolving this issue.

    Please access the support section here. 

    Regards,

    Barb@Sophos
    Community Support Engineer | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link.