This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Computers stuck in unmanaged section

Hello, I am new to Sophos and this is a new issue that has been happening for the last weeks, whenever I install Sophos on a new computer the installation completes successfully and does get the updates correctly, but when I check on the enterprise console they go to the unmanaged group (not unassigned), and I can't do nothing to them except delete them.

One more thing, the ones I am using as test are running under Windows 10, I don't know if that might be the issue



This thread was automatically locked due to age.
Parents
  • Hello I checked the certification manager log files on the server and this is what i found, it appears there is an error with the key signing. Here's a fragment of the log file for two computers

    27.04.2018 12:09:31 0B00 I [Msgr]Received new message:mid=8E3675B:type=Certification.UniqueTokenRequest:orig=Router$DELP-ANTV-01.Router$DELP-DJFR-EXEC:0
    27.04.2018 12:09:31 0B00 I [Msgr]Sent UniqueToken resp:to=Router$DELP-ANTV-01.Router$DELP-DJFR-EXEC:0:reqmid=8E3675B:tok=3075986:respmid=AE3675B
    27.04.2018 12:09:31 0B00 I [Msgr]Acknowledged message:mid=8E3675B
    27.04.2018 12:09:31 0B00 I [Msgr]Received new message:mid=CE3675B:type=Certification.UniqueTokenRequest:orig=Router$DELP-ANTV-01.Router$CJSIME018:0
    27.04.2018 12:09:31 0B00 I [Msgr]Sent UniqueToken resp:to=Router$DELP-ANTV-01.Router$CJSIME018:0:reqmid=CE3675B:tok=3075987:respmid=EE3675B
    27.04.2018 12:09:31 0B00 I [Msgr]Acknowledged message:mid=CE3675B

    27.04.2018 12:09:33 0B00 I [Msgr]Received new message:mid=CE3675D:type=Certification.CertRequest:orig=Router$DELP-ANTV-01.Router$CJSIME018:0
    27.04.2018 12:09:33 0B00 E [CA]Internal Error signing public key certificate:sts=36:OpenSSLErr=[error:0D0AF0AD:asn1 encoding routines:ASN1_TIME_set:error getting time:at=.\crypto\asn1\a_time.c:109:data=:flags=0]
    27.04.2018 12:09:33 0B00 E [Msgr]Error processing certificate request:CCertificationManagerException:Internal Error:signing public key certificate:mid=CE3675D:orig=Router$DELP-ANTV-01.Router$CJSIME018:0
    27.04.2018 12:09:33 0B00 I [Msgr]Sent Certificate response:failure:to=Router$DELP-ANTV-01.Router$CJSIME018:0:reqmid=CE3675D:respmid=10E3675D
    27.04.2018 12:09:33 0B00 I [Msgr]Acknowledged message:mid=CE3675D
    27.04.2018 12:09:33 0B00 I [Msgr]Received new message:mid=EE3675D:type=Certification.CertRequest:orig=Router$DELP-ANTV-01.Router$DELP-DJFR-EXEC:0
    27.04.2018 12:09:33 0B00 E [CA]Internal Error signing public key certificate:sts=36:OpenSSLErr=[error:0D0AF0AD:asn1 encoding routines:ASN1_TIME_set:error getting time:at=.\crypto\asn1\a_time.c:109:data=:flags=0]
    27.04.2018 12:09:33 0B00 E [Msgr]Error processing certificate request:CCertificationManagerException:Internal Error:signing public key certificate:mid=EE3675D:orig=Router$DELP-ANTV-01.Router$DELP-DJFR-EXEC:0
    27.04.2018 12:09:33 0B00 I [Msgr]Sent Certificate response:failure:to=Router$DELP-ANTV-01.Router$DELP-DJFR-EXEC:0:reqmid=EE3675D:respmid=12E3675D
    27.04.2018 12:09:33 0B00 I [Msgr]Acknowledged message:mid=EE3675D

  • That's a curious error:

    error:0D0AF0AD:asn1 encoding routines:ASN1_TIME_set:error getting time:at=.\crypto\asn1\a_time.c:109:data=:flags=0

    And it seems to be just an OpenSSL error and it can be found online in a few places. E.g.

    https://github.com/pyca/cryptography/issues/3194

    http://openssl.6102.n7.nabble.com/openssl-org-2332-Issue-while-generating-SSL-certificate-using-Apache-2-216-openssl-0-9-8o-td30900.html

    Looking online for crypto\asn1\a_time.c ant line 109 - E.g. https://boringssl.googlesource.com/boringssl/+/2311/crypto/asn1/a_time.c

    ts=OPENSSL_gmtime(&t,&data);
      if (ts == NULL)
      {
      OPENSSL_PUT_ERROR(ASN1, ASN1_TIME_adj, ASN1_R_ERROR_GETTING_TIME);
      return NULL;
      }

    I can only think OPENSSL_gmtime is causing a problem.

    From the logs you have provided it seems like the dates of the computers are as expected.  I assume the CAC.pem, file, if you make a copy and rename it to cac.crt has a expiry 20 years after you installed the management server.  So that all looks good?

    You might have to contact Support with this one.

    Regards,
    Jak

  • I've opened a ticket with the support team alongside with this thread, they responded and I sent some logs they asked for right now I am waiting for their response but in their last message they suggested it might be an error caused to the outdated version of the SEC. When they answer me I'll post their response here.

Reply
  • I've opened a ticket with the support team alongside with this thread, they responded and I sent some logs they asked for right now I am waiting for their response but in their last message they suggested it might be an error caused to the outdated version of the SEC. When they answer me I'll post their response here.

Children
  • I received this same error trying to upgrade an old SEC 4.5 to 5.1.

    [CA]Internal Error signing public key certificate:sts=36:OpenSSLErr=[error:0D0AF0AD:asn1 encoding routines:ASN1_TIME_set:error getting time:at=.\crypto\asn1\a_time.c:109:data=:flags=0]

    In the end, I set the server clock back a few years, I was then able to complete the upgrade! It looks like the version of OpenSSL in older SEC is subject to the year 2038 bug?

    Phil