
Main Location endpoints not reporting "Cannot verify peer's SSL certificate, unknown CA"

I have just migrated our Enterprise Console from one server to another, and all seemed to go well. All the endpoints are reporting back to their local SUM apart from the endpoints in the location of the new Enterprise Console/SUM.

It must be something to do with the certificate on the new server, as I'm getting the error below reported in the Router log on the failing endpoints. I've tried reinstalling Sophos endpoint software on the clients, both from the new console and from the new share; it installs fine and updates, it just doesn't report back to the new server.

23.07.2015 19:56:56 076C W Failed to get certificate, retrying in 600 seconds
23.07.2015 20:07:05 076C I Getting parent router IOR from 200.100.1.28:8192
23.07.2015 20:07:05 076C I Getting a new router certificate...
23.07.2015 20:07:05 076C W SSL connection alert, peer address 200.100.1.28
23.07.2015 20:07:05 076C W Cannot verify peer's SSL certificate, unknown CA
23.07.2015 20:07:05 076C E Router::ReportInvalidCertificate: Caught Empty IOR string from iiopAddressesInIOR
23.07.2015 20:07:05 076C E ACE_SSL (4544|1900) error code: 336134278 - error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
23.07.2015 20:07:05 076C W SSL connection alert, peer address 200.100.1.28
23.07.2015 20:07:05 076C W Cannot verify peer's SSL certificate, unknown CA
23.07.2015 20:07:05 076C E Router::ReportInvalidCertificate: Caught Empty IOR string from iiopAddressesInIOR
23.07.2015 20:07:05 076C E ACE_SSL (4544|1900) error code: 336134278 - error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
23.07.2015 20:07:05 076C E Router::GetCertificate: Caught CORBA system exception, ID 'IDL:omg.org/CORBA/TRANSIENT:1.0'
OMG minor code (2), described as '*unknown description*', completed = NO

How can I fix the certificate on the new server?

Thanks



  • Hello 1heds,

    reporting back to their local SUM

    and showing in the console as connected (together with their SUMs/relays)? Only those updating from the main server (and reporting directly) have no connection?

    Are the .....Key values in the mrinit.conf files from a SUM's share and the ones in the mrinit.conf file of the new share identical?

    But anyway, RMS installed from the main server's default share should be able to connect to the server. Assuming only the "main" endpoints don't connect (but the others do) I'd empty the CID and let the main SUM recreate it (you could copy mrinit.conf and cac.pem to a safe place to compare them to the recreated ones).

    Christian

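A quick way to do the comparison Christian suggests (the Key values in a SUM share's mrinit.conf against those in the new share's, plus whether the two cac.pem copies are byte-for-byte the same), as an added example that is not from this thread or from Sophos. The "Name"="Value" line layout, the key names and the sample file contents are assumptions constructed for the example.

```python
import hashlib
import re
from typing import Dict, Optional, Tuple

# Constructed sample content; the "Name"="Value" layout and the key names
# are assumptions about mrinit.conf, not copied from a real share.
SUM_SHARE_CONF = '''"MRParentAddress"="sum01.example.local,10.0.0.5"
"ClientIIOPPort"="8193"
"ClientSSLPort"="8194"
"RouterKey"="AAAA-OLD-ROUTER-KEY"
"ManagedAppKey"="BBBB-OLD-APP-KEY"
'''
NEW_SHARE_CONF = '''"MRParentAddress"="sec01.example.local,200.100.1.28"
"ClientIIOPPort"="8193"
"ClientSSLPort"="8194"
"RouterKey"="CCCC-NEW-ROUTER-KEY"
"ManagedAppKey"="BBBB-OLD-APP-KEY"
'''
# Constructed stand-ins for the two cac.pem files (real ones hold the RMS CA certificate).
SUM_SHARE_CAC = b"-----BEGIN CERTIFICATE-----\nOLDCA\n-----END CERTIFICATE-----\n"
NEW_SHARE_CAC = b"-----BEGIN CERTIFICATE-----\nNEWCA\n-----END CERTIFICATE-----\n"

LINE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_mrinit(text: str) -> Dict[str, str]:
    """Parse "Name"="Value" lines into a dict; blank or unmatched lines are skipped."""
    values: Dict[str, str] = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            values[m.group(1)] = m.group(2)
    return values


def differing_keys(a: str, b: str) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Return {name: (value_a, value_b)} for entries whose name ends in 'Key'
    and whose values disagree or exist on only one side."""
    pa, pb = parse_mrinit(a), parse_mrinit(b)
    names = {n for n in pa.keys() | pb.keys() if n.endswith("Key")}
    return {n: (pa.get(n), pb.get(n)) for n in sorted(names) if pa.get(n) != pb.get(n)}


def cac_fingerprint(pem: bytes) -> str:
    """SHA-256 of the file bytes: enough to tell whether two cac.pem copies are identical."""
    return hashlib.sha256(pem).hexdigest()


def same_trust_anchor(a: bytes, b: bytes) -> bool:
    return cac_fingerprint(a) == cac_fingerprint(b)


if __name__ == "__main__":
    for name, (old, new) in differing_keys(SUM_SHARE_CONF, NEW_SHARE_CONF).items():
        print(f"{name}: SUM share={old!r}  new share={new!r}")
    print("cac.pem identical:", same_trust_anchor(SUM_SHARE_CAC, NEW_SHARE_CAC))
```

Point the two string constants at the real files (read them from each share) to run it against a live deployment; a differing Key value or a differing cac.pem fingerprint is the mismatch that produces the "unknown CA" warning in the Router log.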
  • Hi Christian,

    Found this article this morning and tried it: https://www.sophos.com/en-us/support/knowledgebase/118865.aspx

    All working now after uninstalling:

    • Sophos Management Server
    • Sophos Update Manager

    Restoring the registry from the old server again and reinstalling Enterprise Console.

    Thanks for your help again.
