Failed to get SSL certificate | Cannot verify peer's SSL certificate, unknown CA | Caught Empty IOR string from iiopAddressesInIOR

Question

Hello, I have a couple of servers which on the one hand have Sophos AV fully working, but on the other one they cannot be seen in SEC (Sophos Enterprise Console). After some investigations I found in logs this: 
 28.06.2018 11:58:47 1E04 W Failed to get certificate, retrying in 600 seconds 28.06.2018 12:08:47 1E04 I Getting parent router IOR from 10.183.173.88:8192 28.06.2018 12:08:47 1E04 I Getting a new router certificate... 28.06.2018 12:09:29 1E04 E Router::GetCertificate: Caught CORBA system exception, ID 'IDL:omg.org/CORBA/TRANSIENT:1.0' OMG minor code (2), described as '*unknown description*', completed = NO 
 28.06.2018 12:20:11 1E04 W Failed to get certificate, retrying in 600 seconds 28.06.2018 12:30:11 1E04 I Getting parent router IOR from 10.183.173.88:8192 28.06.2018 12:30:11 1E04 I Getting a new router certificate... 28.06.2018 12:32:39 1E04 W SSL connection alert, peer address 10.183.173.88 28.06.2018 12:32:39 1E04 W Cannot verify peer's SSL certificate, unknown CA 28.06.2018 12:32:39 1E04 E Router::ReportInvalidCertificate: Caught Empty IOR string from iiopAddressesInIOR 28.06.2018 12:32:39 1E04 I This computer is part of the domain EU 28.06.2018 12:32:39 1E04 E ACE_SSL (7964|7684) error code: 336134278 - error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed 28.06.2018 12:33:00 1E04 E Router::GetCertificate: Caught CORBA system exception, ID 'IDL:omg.org/CORBA/TRANSIENT:1.0' OMG minor code (2), described as '*unknown description*', completed = NO 
 Then I read through several articles and forums which raised some questions for which I couldnt have been able to find answers yet. 
 1.) How are "ParentAddress" and "ParentPort" (found in HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\Messaging System\Router) related to the IOR port? 
 2.) What is " http://www2.parc.com/istl/projects/ILU/parseIOR/ " used for? I tried to get there IOR but then the page said "Your IOR is misformed. It must begin with either "IOR:" or "IOR2:", and then have an even number of hex digits." It seems as if the IOR wasnt correct. 
 3.) There are "pkc" and "pkp" missing under HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\Remote Management System\ManagementAgent\Private which should be crucial for a server . How I can get "pkc" and "pkp" back? (There is also no NotifyClientUpdate infound in HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\Messaging System\Router) 
 4.) All the necessary ports (80,8192,8194) are opened. I can telnet the destination point without a problem. IOR is shown when telneting 8192. How come the router catching empty IOR string then? 
 5.) Finally. How can it be this whole issue fixed? I won't be able to do it without someone's help. 
 I would be realy greatful if someone knew what to do, because I have already ran out of all ideas. Thank you.

Barb@Sophos · Answer

Hi Maros, 
 I did some digging and reached out to expert team members regarding your questions. This is the info I was able to gather: 
 1)ParentAddress=Address of the Console Server ParentPort=Port 8192 
 2)ParseIOR=We use this to parse the IOR, which is encoded routing information that is sent when a Sophos-protected machine is contacted over port 8192. We use that information to establish a connection over port 8194. The format goes "IOR:21654894564651ewe84561e89w7r9we84rwe561rwe897re98r4ew32r1we31r" 
 3) pkc/pkp keys - These are the certificates that the client receives from the Console Server. They will only exist if the RMS handshake went through. 
 4) If you're getting "certificate verify failed" it's possible the cac.pem or the mrinit.conf file keys are wrong. 
 5) Please follow this article to fix your issue (NOTE: Those steps will help you create a script on the Console server, but do not run it there, instead run it on the Endpoint ). 
 5a) Additionally, if problems persists, you could use this article to test connectivity over por 8194 with openssl. 
 Please let me know if this information answers your questions, or if additional assistance is required. Regards,