SSL server certificate problem occurred Sophos Mobile Control

Hello, our SSL certificate expired last week. We have renewed the certificate under System settings > SSL and deleted the old one. The new certificate is entered correctly and has an expiration date in 2020. Nevertheless, we receive the following error email every day:

Warning: One or more devices cannot connect to the Sophos Mobile server (lf-smc.ludwig-freytag.de) because it has an untrusted certificate. Please ensure that the configured list of SSL certificates is up to date.

What can we do?

Thank you.

  • Update: We also ran the update via the Configuration Wizard; the error persists.

  • In reply to JaPi:

    Which certificate is shown in the system settings when you run "Detect certificates automatically"? The old or the new certificate?

    Was the chain set up correctly in the SSL wizard (for example, we always have certificates with 2 intermediates, which is always a bit fiddly to get in)?

  • In reply to kerobra:

    Hello Kerobra,

    thanks for the reply. The new certificate is shown.

    I used the p12 file via the wizard. Then no further settings are necessary, right?

  • In reply to JaPi:

    Do you use the external EAS proxy? That would involve an additional URL, but otherwise the uploaded certificate generated by the wizard should actually be sufficient.

    Which SM version?

  • In reply to kerobra:

    Hello,

    we use our Sophos UTM as proxy. The message was not active the whole weekend, but it came back this morning.

    We have version 8.1.3 (rev 13931).

  • We had the same problem after our SSL cert expired and was renewed. It turned out to be 2 devices out of the 4000 we have. If you search the server.log file for "certificate error" you will find the troublesome devices. What we did was simply unenrol the device and re-enrol it; the problem went away.

  • In reply to Andrew Mullins:

    Hello, thanks for the answer. We found a device that was shown again and again in the logs. We have now removed it and are waiting to see whether the error occurs again.

  • In reply to JaPi:

    Hello JaPi,

    were you able to solve the problem?

    I am facing exactly the same issue.

    Regards,

    Knut

  • In reply to Andrew Mullins:

    Andrew Mullins

    "...turns out to be 2 devices out of the 4000 we have, if you search the server.log file for certificate error you will find the troublesome devices...."

    How did you identify the devices? By device ID? We have several thousand, and several hundred are being impacted. Did you reach out to those users and unenroll them, or did you unenroll them through the admin console?

  • In reply to Robyn Smith:

    Hi

    You can check the logs, where the error and the device ID are listed. Also, if you are seeing this on many devices, please verify that the SSL certificate of the MDM server is correctly updated. You will have to check in the console which devices have not connected to the MDM for a long time and then either remove them from the console, possibly by unenrolling them and later uninstalling the app, or proceed with a new enrollment of the same devices.

  • In reply to Shweta:

    Thank you for the quick response. Yes, the certificate is verified in the admin console, although we do not use the MDM features for devices (we use an in-house product for MDM instead). The certificate is correctly updated on the SSL tab in the console. We have been doing the 'Refresh Data' for the several thousand affected users out of our tens of thousands of devices, mostly successfully.

    I wish there was an easier method to manage thousands of users instead of a hundred in a view/click all/scroll, scroll/next page/scroll, scroll/click all/scroll, scroll/next page/scroll, scroll/click all/scrol... you get the idea.

    Also, it is disheartening to have to use a draconian method of unenroll/re-enroll for hundreds of devices because of a certificate update... not a good end-user experience in my humble opinion.

  • In reply to Robyn Smith:

    Hi

    Within the Sophos Mobile super administrator account, you should make sure that the correct public certificate parts are uploaded at Setup > System setup > SSL/TLS; the Sophos Mobile server provides an "Auto-discover" functionality for this. This will establish the connection. In order to identify the devices, the only option is to check the server.log for the string "requested certificate hashes". You will probably see a warning with the list of the devices which have requested certificate hashes.

    Once a device is identified, the affected device can be looked up by its device ID within the Sophos Mobile web console: go to Devices, search for the device ID, and if the device is shown, try to send a message to the device via Actions. Together with the message, the device will also receive the list of the new certificate hashes; once received, the connection should work.
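The two replies above both come down to the same manual step: search server.log for "certificate error" or "requested certificate hashes" and collect the device IDs that keep appearing. The following is an added example, not Sophos code and not from any poster in this thread, that automates that search so that a few hundred affected devices can be listed in one pass instead of by scrolling. The log line layout (timestamp, level, "Device <id> ...") is an assumption constructed for the sample; adjust `DEVICE_ID_RE` to match the actual format of your server.log before relying on the output.

```python
"""Scan Sophos Mobile server.log lines for the search strings recommended in the
thread and count, per device ID, how often each one appears.

Added example, not Sophos code. The log line layout used in SAMPLE_LOG is an
ASSUMPTION made for this example; real server.log lines may differ.
"""
import re
from collections import Counter

# Search strings quoted from the two replies in the thread.
SEARCH_TERMS = ("requested certificate hashes", "certificate error")

# ASSUMED layout: "... Device <id> ..." (or "device ID: <id>"). Adjust to your log.
DEVICE_ID_RE = re.compile(r"device(?:\s+ID)?[ =:]+([A-Za-z0-9-]+)", re.IGNORECASE)

# Constructed sample lines for demonstration; this is not real server.log output.
SAMPLE_LOG = """\
2019-05-13 08:01:12 INFO  Device 1001 checked in successfully
2019-05-13 08:02:44 WARN  Device 2045 requested certificate hashes; sending list of 3 hashes
2019-05-13 08:03:01 WARN  Device 2045 requested certificate hashes; sending list of 3 hashes
2019-05-13 08:05:19 ERROR Device 3310 certificate error: certificate chain not trusted by client
2019-05-13 08:06:00 INFO  Device 1002 checked in successfully
2019-05-13 09:15:27 WARN  Device 3310 requested certificate hashes; sending list of 3 hashes
"""


def find_affected_devices(log_text):
    """Return {device_id: hit_count} for every line containing one of SEARCH_TERMS.

    Lines that match a search term but carry no recognisable device ID are
    counted under "<unknown>" so they are not silently dropped.
    """
    counts = Counter()
    for line in log_text.splitlines():
        lowered = line.lower()
        if not any(term in lowered for term in SEARCH_TERMS):
            continue
        match = DEVICE_ID_RE.search(line)
        counts[match.group(1) if match else "<unknown>"] += 1
    return dict(counts)


def report(log_text):
    """Human-readable summary, noisiest device first, then by ID."""
    hits = find_affected_devices(log_text)
    rows = sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))
    if not rows:
        return "no matching lines found"
    return "\n".join(f"{dev}: {n} matching line(s)" for dev, n in rows)


if __name__ == "__main__":
    # Replace SAMPLE_LOG with open("server.log").read() for a real run.
    print(report(SAMPLE_LOG))
```

The resulting device IDs are what you then look up under Devices in the web console to send the message (or trigger a refresh) described above; devices that appear only once may simply have reconnected after receiving the new hashes, so repeated hits are the ones worth following up.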