
Failed to get SSL certificate | Cannot verify peer's SSL certificate, unknown CA | Caught Empty IOR string from iiopAddressesInIOR

Hello, I have a couple of servers which on the one hand have Sophos AV fully working, but on the other hand cannot be seen in SEC (Sophos Enterprise Console). After some investigation I found this in the logs:

28.06.2018 11:58:47 1E04 W Failed to get certificate, retrying in 600 seconds
28.06.2018 12:08:47 1E04 I Getting parent router IOR from 10.183.173.88:8192
28.06.2018 12:08:47 1E04 I Getting a new router certificate...
28.06.2018 12:09:29 1E04 E Router::GetCertificate: Caught CORBA system exception, ID 'IDL:omg.org/CORBA/TRANSIENT:1.0'
OMG minor code (2), described as '*unknown description*', completed = NO

28.06.2018 12:20:11 1E04 W Failed to get certificate, retrying in 600 seconds
28.06.2018 12:30:11 1E04 I Getting parent router IOR from 10.183.173.88:8192
28.06.2018 12:30:11 1E04 I Getting a new router certificate...
28.06.2018 12:32:39 1E04 W SSL connection alert, peer address 10.183.173.88
28.06.2018 12:32:39 1E04 W Cannot verify peer's SSL certificate, unknown CA
28.06.2018 12:32:39 1E04 E Router::ReportInvalidCertificate: Caught Empty IOR string from iiopAddressesInIOR
28.06.2018 12:32:39 1E04 I This computer is part of the domain EU
28.06.2018 12:32:39 1E04 E ACE_SSL (7964|7684) error code: 336134278 - error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
28.06.2018 12:33:00 1E04 E Router::GetCertificate: Caught CORBA system exception, ID 'IDL:omg.org/CORBA/TRANSIENT:1.0'
OMG minor code (2), described as '*unknown description*', completed = NO

Then I read through several articles and forums, which raised some questions for which I haven't been able to find answers yet.

1.) How are "ParentAddress" and "ParentPort" (found in HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\Messaging System\Router) related to the IOR port?

2.) What is "http://www2.parc.com/istl/projects/ILU/parseIOR/" used for? I tried to parse the IOR there, but then the page said "Your IOR is misformed. It must begin with either "IOR:" or "IOR2:", and then have an even number of hex digits." It seems as if the IOR wasn't correct.

3.) "pkc" and "pkp" are missing under HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\Remote Management System\ManagementAgent\Private, which should be crucial for a server. How can I get "pkc" and "pkp" back? (There is also no NotifyClientUpdate found in HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\Messaging System\Router.)

4.) All the necessary ports (80, 8192, 8194) are open. I can telnet to the destination without a problem. The IOR is shown when telnetting to 8192. How come the router is catching an empty IOR string then?

5.) Finally: how can this whole issue be fixed? I won't be able to do it without someone's help.

I would be really grateful if someone knew what to do, because I have already run out of ideas. Thank you.

  • Hello Maros Goc,

    first of all, you are using SESC so the Central forum is not the right one - please join the Endpoint Security and Control group and move your post there (I'd have moved it but I can't before you have joined this group).

    "The IOR is shown when telnetting to 8192" - using the 10.183.173.88 address? You have to take the whole response starting with IOR: and paste it in the parse box - please note that if you copy it from the cmd window it's broken up into several lines and contains additional CRLFs and this is why the parser complains, so make it one single string first.

    Just saw your new post:
    "I have no Enterprise Console folder there" - where's there? You should run the EMU (guess this is what you are referring to) on the management server (SEC) - this folder and the files are there.

    Christian

  • Hi Christian,

    oh my god, how silly of me... I have misinterpreted Barb's hint. I should have used the Migration utility on the relay and then the script on the endpoint. It seems I am a bit overworked lol. I will try it immediately.

    And I will move the topic to the place you suggested. And also yes, I have already noticed that copying an IOR from CMD creates gaps, so that is why it didn't work.

    Thank you very much :)
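    The two points above (a copy from the cmd window carries CR/LFs that the parseIOR page rejects, and the router complaining about an empty IOR string from iiopAddressesInIOR) can be checked offline. The following is an added example, not code from Sophos or from this thread: it re-joins a wrapped console copy, applies the parseIOR rules quoted in the question, and decodes the IIOP host/port from the IOR's CDR encapsulation. The IOR itself is a constructed sample (host 10.183.173.88, port 8192, type id "IDL:Sample:1.0"), and the function names are my own.

```python
import re
import struct

# Constructed sample, not a real router IOR: one IIOP 1.0 profile for the
# relay address from the thread (10.183.173.88) on port 8192, little-endian CDR.
CONSTRUCTED_IOR_HEX = (
    "01000000"                                    # endianness flag (1 = LE) + padding
    "0f000000" "49444c3a53616d706c653a312e3000"    # type_id "IDL:Sample:1.0\0"
    "00" "01000000"                               # pad, profile count = 1
    "00000000" "20000000"                         # TAG_INTERNET_IOP, body = 32 bytes
    "01010000"                                    # body: LE flag, IIOP 1.0, pad
    "0e000000" "31302e3138332e3137332e383800"    # host "10.183.173.88\0"
    "0020" "04000000" "6b657931"                  # port 8192, object key "key1"
)
# What a copy from the telnet/cmd window looks like: wrapped, with CR/LF and a stray space.
CONSTRUCTED_CMD_PASTE = "IOR:" + CONSTRUCTED_IOR_HEX[:70] + " \r\n" + CONSTRUCTED_IOR_HEX[70:] + "\r\n"

def normalize_ior(pasted: str) -> str:
    """Join a wrapped console copy into the single string the parseIOR page expects."""
    ior = re.sub(r"\s+", "", pasted)              # drop CR, LF, spaces, tabs
    m = re.fullmatch(r"IOR2?:([0-9A-Fa-f]*)", ior)
    if not m or len(m.group(1)) % 2:
        raise ValueError("misformed IOR: needs IOR:/IOR2: and an even number of hex digits")
    return ior

class _Cdr:
    """Minimal CDR encapsulation reader: byte 0 is the endianness flag, fields are aligned."""
    def __init__(self, data: bytes):
        self.data, self.pos, self.end = data, 1, ("<" if data[0] == 1 else ">")
    def _align(self, n): self.pos += (-self.pos) % n
    def u8(self): self.pos += 1; return self.data[self.pos - 1]
    def u16(self): self._align(2); self.pos += 2; return struct.unpack_from(self.end + "H", self.data, self.pos - 2)[0]
    def u32(self): self._align(4); self.pos += 4; return struct.unpack_from(self.end + "I", self.data, self.pos - 4)[0]
    def octets(self): n = self.u32(); self.pos += n; return self.data[self.pos - n:self.pos]
    def string(self): return self.octets().rstrip(b"\0").decode("latin-1")

TAG_INTERNET_IOP = 0

def iiop_addresses_in_ior(pasted: str):
    """Return (type_id, [(host, port), ...]) from the IIOP profiles of a stringified IOR.
    An empty address list is the analogue of the log's 'Empty IOR string from iiopAddressesInIOR'."""
    outer = _Cdr(bytes.fromhex(normalize_ior(pasted).split(":", 1)[1]))
    type_id, addrs = outer.string(), []
    for _ in range(outer.u32()):                  # tagged profiles
        tag, body = outer.u32(), outer.octets()
        if tag == TAG_INTERNET_IOP:
            prof = _Cdr(body)
            prof.u8(); prof.u8()                  # IIOP version major, minor
            addrs.append((prof.string(), prof.u16()))   # host string, then port
    return type_id, addrs
```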

  • Hello Maros Goc,

    oops, I see I've missed the reference to the relay - naturally it doesn't have the Enterprise Console folder.
    cac.pem should be the same on all machines, the mrinit.conf should be taken from the (configured) CID the endpoints will update from.

    Christian

  • Hi,

    now I am completely confused. :D

    Barb said "Force Configuration should be selected for RMS", but in the manual (https://community.sophos.com/kb/en-us/116737) there is "WARNING: This can damage the SEC Server or a Relay if run with this option. This script should not be run with force on either of these two servers as it can cause high amounts of damage."

    You said that cac.pem should be the same on all machines and the mrinit.conf should be taken from the CID. So it means that I don't have to create a script, and what I should do is just copy the mrinit.conf to the endpoint?

    But, if you say I should create the script, then I have a question: what is a "Management server address"? Is it an address of my endpoint or an address of the relay where I am running the Migration utility?

  • Hello Maros Goc,

    I'm not sure I understand your setup and what it is you think you have to do.

    You have the management server, the console works fine. It is protected (i.e. the Endpoint software installed). Are there already other endpoints where Sophos is installed and do they communicate as expected? I think so.

    You say Sophos is installed on a couple of servers but they can't communicate. Where does the relay come into play here, why do you (think you) need it? Is 10.183.173.88 your management server or some other machine?
    You don't need the script if you add a relay to an existing setup, normally you need it if you install a completely new management server (or migrate the existing one) and can't or don't want to use Protect Computers or to reinstall the Endpoint software on your endpoints.

    Christian
    P.S.: please take the time to join the SESC group

  • Christian,

    Sophos AV works fine on those servers, but they don't appear in the Sophos Enterprise Console and I have to find out why and fix it. I have been told that the issue can be caused by an incorrect mrinit.conf and cac.pem, and Barb suggested using the Migration utility to fix the problem. And now I am collecting info on how to use the utility the correct way (hoping it will fix the issue).

    That is basically all what I am doing.

  • Hello Maros Goc,

    "I have been told" (by whom?) "that the issue can be caused" (can, or is?) - it's quite dangerous to apply a fix for a potential cause that's not applicable because the cause is another one (pardon the puns).

    Taking a closer look at your logs:
    In the original post the endpoint tries to connect to 10.183.173.88, from where it allegedly receives an invalid IOR. What's the role of 10.183.173.88 - management server, relay or something else?

    The two ClientMRInit logs show:
    the first endpoint does not yet have a Parent Address set; from the mrinit.conf it gets an IP and a FQDN: 10.128.99.125,NAHVMMS03.am.boehringer.com
    the second one had 10.128.99.126,NAHVMMS04.am.boehringer.com but from the new mrinit.conf it sets 10.183.173.5,inhas60989.eu.boehringer.com

    Three different addresses. Apparently relays are in use; naturally you have to use an mrinit.conf that has a correct relay (Parent Address) address. Another important point is the method used to apply the relay configuration. Usually this is done as described in section 1.2 in Configuring Message Relay Computers. If it has been done this way and the endpoint updates from another CID with a different configuration, changes applied with ReInit.vbs will get reverted.

    So: you can use the EMU if an incorrect Parent Address is the cause of the communication problems, and you use the correct mrinit.conf, and the incorrect address hasn't been set because the endpoint is updating from a wrong (configured with an inappropriate mrinit.conf) CID.

    Christian

  • Hi,

    10.183.173.88 is an IP of the relay which one of the servers connects to during the installation process or when updating.

    How can I set a ParentAddress for the first endpoint?

  • Hello Maros Goc,

    then the address in your first post is the correct one.

    Hm, looking again at the initial log - the Caught Empty IOR string might be a red herring as the preceding line says: Cannot verify peer's SSL certificate, unknown CA.
    Are other endpoints successfully using this relay?

    Christian
