
Failed to get SSL certificate | Cannot verify peer's SSL certificate, unknown CA | Caught Empty IOR string from iiopAddressesInIOR

Hello, I have a couple of servers which on the one hand have Sophos AV fully working, but on the other hand cannot be seen in SEC (Sophos Enterprise Console). After some investigation I found this in the logs:

28.06.2018 11:58:47 1E04 W Failed to get certificate, retrying in 600 seconds
28.06.2018 12:08:47 1E04 I Getting parent router IOR from 10.183.173.88:8192
28.06.2018 12:08:47 1E04 I Getting a new router certificate...
28.06.2018 12:09:29 1E04 E Router::GetCertificate: Caught CORBA system exception, ID 'IDL:omg.org/CORBA/TRANSIENT:1.0'
OMG minor code (2), described as '*unknown description*', completed = NO

28.06.2018 12:20:11 1E04 W Failed to get certificate, retrying in 600 seconds
28.06.2018 12:30:11 1E04 I Getting parent router IOR from 10.183.173.88:8192
28.06.2018 12:30:11 1E04 I Getting a new router certificate...
28.06.2018 12:32:39 1E04 W SSL connection alert, peer address 10.183.173.88
28.06.2018 12:32:39 1E04 W Cannot verify peer's SSL certificate, unknown CA
28.06.2018 12:32:39 1E04 E Router::ReportInvalidCertificate: Caught Empty IOR string from iiopAddressesInIOR
28.06.2018 12:32:39 1E04 I This computer is part of the domain EU
28.06.2018 12:32:39 1E04 E ACE_SSL (7964|7684) error code: 336134278 - error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
28.06.2018 12:33:00 1E04 E Router::GetCertificate: Caught CORBA system exception, ID 'IDL:omg.org/CORBA/TRANSIENT:1.0'
OMG minor code (2), described as '*unknown description*', completed = NO

Then I read through several articles and forums, which raised some questions for which I haven't been able to find answers yet.

1.) How are "ParentAddress" and "ParentPort" (found in HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\Messaging System\Router) related to the IOR port?

2.) What is "http://www2.parc.com/istl/projects/ILU/parseIOR/" used for? I tried my IOR there, but then the page said "Your IOR is misformed. It must begin with either "IOR:" or "IOR2:", and then have an even number of hex digits." It seems as if the IOR wasn't correct.

3.) "pkc" and "pkp" are missing under HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\Remote Management System\ManagementAgent\Private, which should be crucial for a server. How can I get "pkc" and "pkp" back? (There is also no NotifyClientUpdate found in HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\Messaging System\Router)

4.) All the necessary ports (80, 8192, 8194) are open. I can telnet to the destination without a problem. The IOR is shown when telnetting to 8192. How come the router is catching an empty IOR string then?

5.) Finally: how can this whole issue be fixed? I won't be able to do it without someone's help.

I would be really grateful if someone knew what to do, because I have already run out of ideas. Thank you.

  • Hi Maros,

    I did some digging and reached out to expert team members regarding your questions. This is the info I was able to gather:

    1) ParentAddress = Address of the Console Server
    ParentPort = Port 8192

    2) ParseIOR = We use this to parse the IOR, which is encoded routing information that is sent when a Sophos-protected machine is contacted over port 8192. We use that information to establish a connection over port 8194. The format goes "IOR:21654894564651ewe84561e89w7r9we84rwe561rwe897re98r4ew32r1we31r"

    3) pkc/pkp keys - These are the certificates that the client receives from the Console Server. They will only exist if the RMS handshake went through.

    4) If you're getting "certificate verify failed" it's possible the cac.pem or the mrinit.conf file keys are wrong.

    5) Please follow this article to fix your issue (NOTE: Those steps will help you create a script on the Console server, but do not run it there, instead run it on the Endpoint).

    5a) Additionally, if problems persist, you could use this article to test connectivity over port 8194 with openssl.

    Please let me know if this information answers your questions, or if additional assistance is required.

    Regards,

    Barb@Sophos
    Community Support Engineer | Sophos Technical Support
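As an added example (not part of this thread and not Sophos' own tooling): a small Python parser that first applies the "IOR:"/"IOR2:" plus even-number-of-hex-digits rule the parseIOR page quoted in question 2, then decodes the CDR-encoded reference to recover the IIOP host and port the router would use for its connection (the data the "Caught Empty IOR string from iiopAddressesInIOR" error says is missing). The sample IOR is constructed here, with an arbitrary type_id and object key, and is not a real Sophos IOR.

```python
import re
# Constructed sample (not from the thread): one IIOP 1.0 profile for 10.183.173.88:8192, the
# parent router address in the log. CDR, big-endian; integers align relative to the encapsulation.
_PROFILE = (b"\x00\x01\x00\x00"                              # byte order, IIOP 1.0, pad
            + b"\x00\x00\x00\x0e" + b"10.183.173.88\x00"     # host string, length incl. NUL
            + b"\x20\x00"                                    # port 8192 (ushort)
            + b"\x00\x00\x00\x03" + b"RTR")                  # object_key (arbitrary)
_IOR_BODY = (b"\x00\x00\x00\x00"                             # byte order + pad
             + b"\x00\x00\x00\x0f" + b"IDL:Router:1.0\x00"   # type_id (arbitrary)
             + b"\x00" + b"\x00\x00\x00\x01"                 # pad, profile count = 1
             + b"\x00\x00\x00\x00"                           # TAG_INTERNET_IOP
             + len(_PROFILE).to_bytes(4, "big") + _PROFILE)  # profile_data encapsulation
SAMPLE_IOR = "IOR:" + _IOR_BODY.hex()

class _Cdr:
    def __init__(self, data):                    # first octet of an encapsulation = byte order
        self.d, self.pos = data, 1
        self.bo = "little" if data[0] == 1 else "big"
    def octet(self):
        self.pos += 1
        return self.d[self.pos - 1]
    def uint(self, size):
        self.pos += (-self.pos) % size           # CDR alignment to the field size
        v = int.from_bytes(self.d[self.pos:self.pos + size], self.bo)
        self.pos += size
        return v
    def octets(self):                            # sequence<octet>: ulong length + bytes
        n = self.uint(4)
        self.pos += n
        return self.d[self.pos - n:self.pos]
    def string(self):                            # CDR string = octets incl. trailing NUL
        return self.octets()[:-1].decode("ascii")

def validate_ior(text):
    """parseIOR's rule: 'IOR:' or 'IOR2:', then a non-empty, even-length run of hex digits."""
    m = re.fullmatch(r"IOR2?:([0-9A-Fa-f]+)", text.strip())
    if not m or len(m.group(1)) % 2:
        raise ValueError("misformed IOR: expected IOR:/IOR2: and an even number of hex digits")
    return bytes.fromhex(m.group(1))

def iiop_addresses(text):
    """Return (type_id, [(host, port, version), ...]) for the IOR's IIOP profiles."""
    cdr = _Cdr(validate_ior(text))
    type_id, found = cdr.string(), []
    for _ in range(cdr.uint(4)):                 # sequence<TaggedProfile>
        tag, data = cdr.uint(4), cdr.octets()
        if tag == 0:                             # TAG_INTERNET_IOP
            p = _Cdr(data)
            version = f"{p.octet()}.{p.octet()}"
            found.append((p.string(), p.uint(2), version))
    return type_id, found
```

Pasting the string returned by telnet to port 8192 into iiop_addresses() shows whether the router is handing out a parseable reference and which host:port it names; an empty or odd-length string fails at validate_ior() before any decoding is attempted.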
  • Hi Barb, thank you for your great answer! But unfortunately it seems the created script hasn't done anything. Or maybe I did something wrong.

    The RMS section is OK I think, there is nothing to it. I found the paths and checked "RMS required".

    The Sophos Patch Agent section seems to be a bit confusing. Is Management server address the address of the Sophos relay which my endpoint server connects to? If yes, I have it OK. I didn't change Management server port since I think 80 should be good. I used the script with Force configuration checked and unchecked but the results were the same.

    Finally, the last section, Script configuration options. I didn't touch it at all.

    The result is that neither cac.pem nor mrinit.conf had any data changed, so it seems as if the script didn't do anything.

    Did I use the tool correctly?

    This is what ClientMRInit.log looks like. As if something was really happening there during the time when the script ran.

    03.04.2018 13:57:17 F244 I SOF: C:\WINDOWS\TEMP/ClientMRInit-20180403-115717.log
    03.04.2018 13:57:17 F244 D ClientMRInit installing
    03.04.2018 13:57:17 F244 D mrfile=`MRInit.conf`
    cafile=`cac.pem`
    filepath=`C:\Program Files (x86)\Sophos\Remote Management System\`
    rtrname=`Router`
    logpath=`C:\WINDOWS\TEMP`
    03.04.2018 13:57:17 F244 I Opening initialisation file: C:\Program Files (x86)\Sophos\Remote Management System/MRInit.conf
    03.04.2018 13:57:17 F244 I Opening root certificate initialisation file: C:\Program Files (x86)\Sophos\Remote Management System/cac.pem
    03.04.2018 13:57:17 F244 I Intelligent updating is: Off
    03.04.2018 13:57:17 F244 E MRInitData failed with exception: CAccessFailureException:CACertificate not found
    03.04.2018 13:57:17 F244 D Old certificate not present, using new.
    03.04.2018 13:57:17 F244 T New Message Router identity key is present.
    03.04.2018 13:57:17 F244 T New Managed Application identity key is present.
    03.04.2018 13:57:17 F244 T New Management Agent identity key is present.
    03.04.2018 13:57:17 F244 D CheckParentAddress( `*** NOT SET ***`->`10.128.99.125,NAHVMMS03.am.boehringer.com` )
    03.04.2018 13:57:17 F244 D IsThisComputer[10.128.99.125,NAHVMMS03.am.boehringer.com]
    03.04.2018 13:57:17 F244 D Found 4 addresses
    03.04.2018 13:57:17 F244 D Just use new parent
    03.04.2018 13:57:17 F244 I Parent router IOR port: 8192
    03.04.2018 13:57:17 F244 I New router IOR port: 8192
    03.04.2018 13:57:17 F244 I Setting router service arguments: "-ORBListenEndpoints iiop://:8193/ssl_port=8194"
    03.04.2018 13:57:17 F244 I ClientMRInit successful exit

    Interestingly, the same log on another server which has the same problem looks really different.

    25.10.2017 06:34:15 07F8 I SOF: C:\WINDOWS\TEMP/ClientMRInit-20171025-103415.log
    25.10.2017 06:34:15 07F8 D ClientMRInit updating
    25.10.2017 06:34:15 07F8 D mrfile=`MRInit.conf`
    cafile=`cac.pem`
    filepath=`C:\Program Files (x86)\Sophos\Remote Management System\`
    rtrname=`Router`
    logpath=`C:\WINDOWS\TEMP`
    25.10.2017 06:34:15 07F8 I Opening initialisation file: C:\Program Files (x86)\Sophos\Remote Management System/MRInit.conf
    25.10.2017 06:34:15 07F8 I Opening root certificate initialisation file: C:\Program Files (x86)\Sophos\Remote Management System/cac.pem
    25.10.2017 06:34:15 07F8 I Intelligent updating is: Off
    25.10.2017 06:34:15 07F8 D CA certificates are the same, no action taken.
    25.10.2017 06:34:15 07F8 I Message Router identity keys match.
    25.10.2017 06:34:15 07F8 I Managed Application identity keys match.
    25.10.2017 06:34:15 07F8 I Management Agent identity keys match.
    25.10.2017 06:34:15 07F8 D CheckParentAddress( `10.128.99.126,NAHVMMS04.am.boehringer.com`->`10.183.173.5,inhas60989.eu.boehringer.com` )
    25.10.2017 06:34:15 07F8 D IsThisComputer[10.183.173.5,inhas60989.eu.boehringer.com]
    25.10.2017 06:34:15 07F8 D Found 3 addresses
    25.10.2017 06:34:15 07F8 I Connection cache size for endpoint will be set to 10 , NumSenderThreads will be set to 3, NumORBThreads will be set to 4
    25.10.2017 06:34:15 07F8 I Parent router ports match, no action taken: 8192
    25.10.2017 06:34:15 07F8 I Router IOR ports match, no action taken: 8192
    25.10.2017 06:34:15 07F8 D Router service args are the same (-ORBListenEndpoints iiop://:8193/ssl_port=8194), no change.
    25.10.2017 06:34:15 07F8 D Apply operating in update-only mode
    25.10.2017 06:34:15 07F8 I ClientMRInit successful exit

  • Hi Maros,

    I got additional updates for you:

    Looks like our KB needs to be updated (we will work on that):

    The cac.pem and mrinit.conf should point to the following location:
    C:\Program Files (x86)\Sophos\Enterprise Console\

    Also, Force Configuration should be selected for RMS, and ignore the Patch agent part entirely.

    Let me know how it goes.

    Regards,

    Barb@Sophos
    Community Support Engineer | Sophos Technical Support

  • Thanks for the clarification Barb, but there is a problem. I have no Enterprise Console folder there. Maybe I forgot to mention that our machines don't have a regular Windows installed but Windows Server 2008 R2 or Windows Server 2016. I don't know if it makes a difference for you but maybe it does.