Computers stuck in unmanaged section

Hello, I am new to Sophos and this is a new issue that has been happening for the last weeks. Whenever I install Sophos on a new computer, the installation completes successfully and does get the updates correctly, but when I check on the Enterprise Console they go to the unmanaged group (not unassigned), and I can't do anything to them except delete them.

One more thing: the ones I am using as a test are running under Windows 10. I don't know if that might be the issue.



  • Hello Jak

    I'll check the logs on the servers.

    And by "Are any clients working from the management server?" do you mean whether there are computers that are being managed by the console? If yes, the answer is YES, but these computers are the ones that have had Sophos for some months now. We have installed Sophos on about 20 to 30 computers now, and these are the ones not communicating properly with the server.

    Regards.

  • Hello, I checked the certification manager log files on the server and this is what I found: it appears there is an error with the key signing. Here's a fragment of the log file for two computers:

    27.04.2018 12:09:31 0B00 I [Msgr]Received new message:mid=8E3675B:type=Certification.UniqueTokenRequest:orig=Router$DELP-ANTV-01.Router$DELP-DJFR-EXEC:0
    27.04.2018 12:09:31 0B00 I [Msgr]Sent UniqueToken resp:to=Router$DELP-ANTV-01.Router$DELP-DJFR-EXEC:0:reqmid=8E3675B:tok=3075986:respmid=AE3675B
    27.04.2018 12:09:31 0B00 I [Msgr]Acknowledged message:mid=8E3675B
    27.04.2018 12:09:31 0B00 I [Msgr]Received new message:mid=CE3675B:type=Certification.UniqueTokenRequest:orig=Router$DELP-ANTV-01.Router$CJSIME018:0
    27.04.2018 12:09:31 0B00 I [Msgr]Sent UniqueToken resp:to=Router$DELP-ANTV-01.Router$CJSIME018:0:reqmid=CE3675B:tok=3075987:respmid=EE3675B
    27.04.2018 12:09:31 0B00 I [Msgr]Acknowledged message:mid=CE3675B

    27.04.2018 12:09:33 0B00 I [Msgr]Received new message:mid=CE3675D:type=Certification.CertRequest:orig=Router$DELP-ANTV-01.Router$CJSIME018:0
    27.04.2018 12:09:33 0B00 E [CA]Internal Error signing public key certificate:sts=36:OpenSSLErr=[error:0D0AF0AD:asn1 encoding routines:ASN1_TIME_set:error getting time:at=.\crypto\asn1\a_time.c:109:data=:flags=0]
    27.04.2018 12:09:33 0B00 E [Msgr]Error processing certificate request:CCertificationManagerException:Internal Error:signing public key certificate:mid=CE3675D:orig=Router$DELP-ANTV-01.Router$CJSIME018:0
    27.04.2018 12:09:33 0B00 I [Msgr]Sent Certificate response:failure:to=Router$DELP-ANTV-01.Router$CJSIME018:0:reqmid=CE3675D:respmid=10E3675D
    27.04.2018 12:09:33 0B00 I [Msgr]Acknowledged message:mid=CE3675D
    27.04.2018 12:09:33 0B00 I [Msgr]Received new message:mid=EE3675D:type=Certification.CertRequest:orig=Router$DELP-ANTV-01.Router$DELP-DJFR-EXEC:0
    27.04.2018 12:09:33 0B00 E [CA]Internal Error signing public key certificate:sts=36:OpenSSLErr=[error:0D0AF0AD:asn1 encoding routines:ASN1_TIME_set:error getting time:at=.\crypto\asn1\a_time.c:109:data=:flags=0]
    27.04.2018 12:09:33 0B00 E [Msgr]Error processing certificate request:CCertificationManagerException:Internal Error:signing public key certificate:mid=EE3675D:orig=Router$DELP-ANTV-01.Router$DELP-DJFR-EXEC:0
    27.04.2018 12:09:33 0B00 I [Msgr]Sent Certificate response:failure:to=Router$DELP-ANTV-01.Router$DELP-DJFR-EXEC:0:reqmid=EE3675D:respmid=12E3675D
    27.04.2018 12:09:33 0B00 I [Msgr]Acknowledged message:mid=EE3675D

  • That's a curious error:

    error:0D0AF0AD:asn1 encoding routines:ASN1_TIME_set:error getting time:at=.\crypto\asn1\a_time.c:109:data=:flags=0

    And it seems to be just an OpenSSL error and it can be found online in a few places. E.g.

    https://github.com/pyca/cryptography/issues/3194

    http://openssl.6102.n7.nabble.com/openssl-org-2332-Issue-while-generating-SSL-certificate-using-Apache-2-216-openssl-0-9-8o-td30900.html

    Looking online for crypto\asn1\a_time.c and line 109, e.g. https://boringssl.googlesource.com/boringssl/+/2311/crypto/asn1/a_time.c

    ts = OPENSSL_gmtime(&t, &data);
    if (ts == NULL)
    {
        OPENSSL_PUT_ERROR(ASN1, ASN1_TIME_adj, ASN1_R_ERROR_GETTING_TIME);
        return NULL;
    }

    I can only think OPENSSL_gmtime is causing a problem.

    From the logs you have provided it seems like the dates of the computers are as expected. I assume the CAC.pem file, if you make a copy and rename it to cac.crt, has an expiry 20 years after you installed the management server. So that all looks good?

    You might have to contact Support with this one.

    Regards,
    Jak

  • I've opened a ticket with the support team alongside this thread. They responded and I sent some logs they asked for; right now I am waiting for their response, but in their last message they suggested it might be an error caused by the outdated version of the SEC. When they answer me I'll post their response here.

  • I received this same error trying to upgrade an old SEC 4.5 to 5.1.

    [CA]Internal Error signing public key certificate:sts=36:OpenSSLErr=[error:0D0AF0AD:asn1 encoding routines:ASN1_TIME_set:error getting time:at=.\crypto\asn1\a_time.c:109:data=:flags=0]

    In the end, I set the server clock back a few years and was then able to complete the upgrade! It looks like the version of OpenSSL in older SEC is subject to the year 2038 bug?

    Phil
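
The log fragment and the year-2038 hypothesis in the posts above can be checked together with a small triage script. This is an added example, not code from the thread or from Sophos: it pairs each failed `CertRequest` with its endpoint and OpenSSL error, and flags whether signing time plus validity would exceed a signed 32-bit `time_t`. Assumptions: the sample lines and host names are constructed, the 20-year validity is the figure quoted for CAC.pem and is only assumed for endpoint certificates, and timestamps are treated as UTC.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the same format as the fragment posted in the thread;
# SRV-01 and PC-EXAMPLE-* are placeholder names.
SAMPLE_LOG = r"""
27.04.2018 12:09:33 0B00 I [Msgr]Received new message:mid=A1:type=Certification.CertRequest:orig=Router$SRV-01.Router$PC-EXAMPLE-1:0
27.04.2018 12:09:33 0B00 E [CA]Internal Error signing public key certificate:sts=36:OpenSSLErr=[error:0D0AF0AD:asn1 encoding routines:ASN1_TIME_set:error getting time:at=.\crypto\asn1\a_time.c:109:data=:flags=0]
27.04.2018 12:09:33 0B00 I [Msgr]Sent Certificate response:failure:to=Router$SRV-01.Router$PC-EXAMPLE-1:0:reqmid=A1:respmid=B1
27.04.2018 12:09:34 0B00 I [Msgr]Received new message:mid=A2:type=Certification.UniqueTokenRequest:orig=Router$SRV-01.Router$PC-EXAMPLE-2:0
"""

LINE = re.compile(r"^(\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}) \w+ [IE] \[\w+\](.*)$")
REQ = re.compile(r"mid=(\w+):type=Certification\.CertRequest:orig=(.+)$")
SSL = re.compile(r"OpenSSLErr=\[error:\w+:[^:]*:([^:]*):([^:]*):")
FAIL = re.compile(r"Sent Certificate response:failure:to=.+?:reqmid=(\w+):")
# Largest instant a signed 32-bit time_t can hold.
TIME32_MAX = datetime(2038, 1, 19, 3, 14, 7, tzinfo=timezone.utc)

def latest_safe_signing_time(validity_days):
    """Last signing instant whose notAfter still fits in 32-bit time_t."""
    return TIME32_MAX - timedelta(days=validity_days)

def failed_cert_requests(text, validity_days=20 * 365):
    """Pair each failed CertRequest with its endpoint and the OpenSSL error."""
    pending, last_err, out = {}, None, []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        # Assumption: log timestamps are treated as UTC.
        when = datetime.strptime(m[1], "%d.%m.%Y %H:%M:%S").replace(tzinfo=timezone.utc)
        body = m[2]
        if r := REQ.search(body):
            # Endpoint is the last Router$ hop, without the trailing ":0".
            pending[r[1]] = r[2].rsplit("Router$", 1)[-1].split(":")[0]
        elif e := SSL.search(body):
            last_err = f"{e[1]}: {e[2]}"
        elif (f := FAIL.search(body)) and f[1] in pending:
            out.append({"endpoint": pending.pop(f[1]), "time": when, "error": last_err,
                        "past_time32": when > latest_safe_signing_time(validity_days)})
            last_err = None
    return out

if __name__ == "__main__":
    for rec in failed_cert_requests(SAMPLE_LOG):
        print(rec)
```

Under these assumptions the flag is set for requests dated 27.04.2018 and clear for the same requests on a clock set back a few years, which is consistent with the workaround described above but does not by itself confirm the cause.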

  • Hello, first of all thanks for your help. I got the issue resolved and I thought I might share what worked for me.

    So, besides the unmanaged PCs, the main issue was that new computers on which we installed Sophos weren't reporting to the console, but they did update and run scans. Checking the logs that I have already shared with you guys, Sophos support told me that it was a certificate error: my SEC was a retired version that used TLS 1.0 and the newer clients were using TLS 1.2, so they suggested I do an upgrade on the console. After the upgrade, all the computers that didn't show up on the console were there, and new computers are showing up instantly. (I had SEC 5.2.1 and upgraded to 5.5.1.)

    Again thanks for the help, regards.