This discussion has been locked.

Certificate Errors after Migration

I am having some issues with the endpoint clients not communicating with the Update Manager following a migration to a new server. The clients can install and update properly but the reporting does not work.

From the Client:

19.04.2016 12:50:31 1F74 W SSL connection alert, peer address 192.168.0.13
19.04.2016 12:50:31 1F74 W Cannot verify peer's SSL certificate, unknown CA
19.04.2016 12:50:31 1F74 E Router::ReportInvalidCertificate: Caught Empty IOR string from iiopAddressesInIOR
19.04.2016 12:50:31 1F74 E ACE_SSL (2272|8052) error code: 336134278 - error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
19.04.2016 12:50:31 1F74 E Router::GetCertificate: Caught CORBA system exception, ID 'IDL:omg.org/CORBA/TRANSIENT:1.0'
OMG minor code (2), described as '*unknown description*', completed = NO
19.04.2016 12:50:31 1F74 W Failed to get certificate, retrying in 600 seconds

I have gone through the reinstall process outlined here: https://www.sophos.com/support/knowledgebase/118865.aspx multiple times and it does not make a difference as I continue to receive the same error.

The new Update Manager was the only system properly reporting until I went through the reinstall of the certificates and since then it does not report either. Is there a step I'm possibly missing?
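The following triage sketch is an added example, not part of the original thread or of any Sophos tooling. It parses the client log excerpt quoted above, folds the untimestamped continuation line into its entry, and unpacks the decimal OpenSSL error code. The field layout (date, time, thread id, severity, message) is an assumption inferred from the excerpt, and the unpacking assumes the OpenSSL 1.0.x error-code packing.

```python
import re

# Constructed sample: the client log lines quoted in the post above.
SAMPLE_LOG = """\
19.04.2016 12:50:31 1F74 W SSL connection alert, peer address 192.168.0.13
19.04.2016 12:50:31 1F74 W Cannot verify peer's SSL certificate, unknown CA
19.04.2016 12:50:31 1F74 E Router::ReportInvalidCertificate: Caught Empty IOR string from iiopAddressesInIOR
19.04.2016 12:50:31 1F74 E ACE_SSL (2272|8052) error code: 336134278 - error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
19.04.2016 12:50:31 1F74 E Router::GetCertificate: Caught CORBA system exception, ID 'IDL:omg.org/CORBA/TRANSIENT:1.0'
OMG minor code (2), described as '*unknown description*', completed = NO
19.04.2016 12:50:31 1F74 W Failed to get certificate, retrying in 600 seconds
"""

# Assumed layout, inferred from the sample: date time thread-id severity message
LINE = re.compile(r"^(\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}) ([0-9A-Fa-f]+) ([A-Z]) (.*)$")

def parse(text):
    """Return [timestamp, thread, severity, message] entries; lines without a
    timestamp are continuations and are folded into the previous entry."""
    entries = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            entries.append(list(m.groups()))
        elif entries and raw.strip():
            entries[-1][3] += " " + raw.strip()
    return entries

def decode_openssl_error(code):
    """Unpack an OpenSSL 1.0.x error code into (library, function, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def summarize(text):
    """Collect, per thread id, the facts that identify a certificate trust failure."""
    found = {}
    patterns = {"peer": r"peer address (\S+)", "code": r"error code: (\d+)",
                "retry_s": r"retrying in (\d+) seconds"}
    for _ts, thread, _sev, msg in parse(text):
        s = found.setdefault(thread, {"peer": None, "code": None, "retry_s": None, "unknown_ca": False})
        for key, pat in patterns.items():
            m = re.search(pat, msg)
            if m:
                s[key] = m.group(1) if key == "peer" else int(m.group(1))
        s["unknown_ca"] = s["unknown_ca"] or "unknown CA" in msg
    return found

if __name__ == "__main__":
    for thread, s in summarize(SAMPLE_LOG).items():
        lib, func, reason = decode_openssl_error(s["code"])
        print(thread, s, "lib=%d func=%d reason=%d hex=%08X" % (lib, func, reason, s["code"]))
```

The decimal code 336134278 is the same value as the hex 14090086 printed next to it: library 20 (SSL), reason 134 (certificate verify failed). Together with "unknown CA", that points at a trust mismatch with the peer rather than a network reachability problem.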



  • Hello Derek Weichenthal,

    Did you follow the Migration Guide? If you did correctly import the old certificates before installing, the endpoints should "accept" the new server (assuming they can reach it by name or IP - did you change these or reuse the old ones?).
    Anyway, if you completely uninstall the management components (if the endpoint product is already installed you should uninstall this as well) and reinstall (whether with or w/o import) SEC/SUM should be able to "talk to itself". How to redirect Windows endpoints ... addresses the case of new certificates.

    Christian   

  • I had gone through the Migration Guide and I just looked again and there is no step during the guide for export/import of the certificates. The encryption certificates are mentioned but not the registry ones.

    Removed Sophos completely (SEC and AV) from the new server and reinstalled SEC.

    Downloaded the binaries again successfully.

    Deployed AV through SEC to the same server and received error code "80070057 - Installation could not be started. The parameter is incorrect. The computer may need additional configuration before installation"

    Within a few seconds it does install properly and once I opened it the status changes to "Awaiting policy from console" before showing properly a couple minutes later.

    This part looks to be fine now.

    Ran EMU with Reinitialize and the cac, mrinit selected from the new location. Set Force Config. Set the new server address and forced.

    Switched over to the old SEC server and ran the script. This time it went through and is now showing in the console properly.

    Also was able to deploy from the console on a couple new systems that did not have AV installed previously.

    Everything looks to be good now. Before I was trying to restore the certificates from the old server but they never seemed to work so doing it this way is fine. Thanks for the help.
