
Failed to get SSL certificate | Cannot verify peer's SSL certificate, unknown CA | Caught Empty IOR string from iiopAddressesInIOR

Hello, I have a couple of servers which on the one hand have Sophos AV fully working, but on the other hand cannot be seen in SEC (Sophos Enterprise Console). After some investigation I found this in the logs:

28.06.2018 11:58:47 1E04 W Failed to get certificate, retrying in 600 seconds
28.06.2018 12:08:47 1E04 I Getting parent router IOR from 10.183.173.88:8192
28.06.2018 12:08:47 1E04 I Getting a new router certificate...
28.06.2018 12:09:29 1E04 E Router::GetCertificate: Caught CORBA system exception, ID 'IDL:omg.org/CORBA/TRANSIENT:1.0'
OMG minor code (2), described as '*unknown description*', completed = NO

28.06.2018 12:20:11 1E04 W Failed to get certificate, retrying in 600 seconds
28.06.2018 12:30:11 1E04 I Getting parent router IOR from 10.183.173.88:8192
28.06.2018 12:30:11 1E04 I Getting a new router certificate...
28.06.2018 12:32:39 1E04 W SSL connection alert, peer address 10.183.173.88
28.06.2018 12:32:39 1E04 W Cannot verify peer's SSL certificate, unknown CA
28.06.2018 12:32:39 1E04 E Router::ReportInvalidCertificate: Caught Empty IOR string from iiopAddressesInIOR
28.06.2018 12:32:39 1E04 I This computer is part of the domain EU
28.06.2018 12:32:39 1E04 E ACE_SSL (7964|7684) error code: 336134278 - error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
28.06.2018 12:33:00 1E04 E Router::GetCertificate: Caught CORBA system exception, ID 'IDL:omg.org/CORBA/TRANSIENT:1.0'
OMG minor code (2), described as '*unknown description*', completed = NO

Then I read through several articles and forums, which raised some questions I haven't been able to find answers to yet.

1.) How are "ParentAddress" and "ParentPort" (found in HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\Messaging System\Router) related to the IOR port?

2.) What is "http://www2.parc.com/istl/projects/ILU/parseIOR/" used for? I tried entering the IOR there, but then the page said "Your IOR is misformed. It must begin with either "IOR:" or "IOR2:", and then have an even number of hex digits." It seems as if the IOR wasn't correct.

3.) There are "pkc" and "pkp" missing under HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\Remote Management System\ManagementAgent\Private, which should be crucial for a server. How can I get "pkc" and "pkp" back? (There is also no NotifyClientUpdate found in HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\Messaging System\Router)

4.) All the necessary ports (80, 8192, 8194) are open. I can telnet to the destination without a problem. The IOR is shown when telneting to 8192. How come the router catches an empty IOR string then?

5.) Finally: how can this whole issue be fixed? I won't be able to do it without someone's help.

I would be really grateful if someone knew what to do, because I have already run out of ideas. Thank you.



  • Hello Maros Goc,

    first of all, you are using SESC so the Central forum is not the right one - please join the Endpoint Security and Control group and move your post there (I'd have moved it but I can't before you have joined this group).

    "IOR is shown when telneting 8192" - using the 10.183.173.88 address? You have to take the whole response starting with IOR: and paste it in the parse box - please note that if you copy it from the cmd window it's broken up into several lines and contains additional CRLFs and this is why the parser complains, so make it one single string first.

    Just saw your new post:
    "I have no Enterprise Console folder there" - where's there? You should run the EMU (guess this is what you are referring to) on the management server (SEC) - this folder and the files are there.

    Christian
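An added example (my own Python, not Sophos code and not from anyone in this thread) of the two steps Christian describes: collapse the CRLF-broken pieces copied from a cmd window into one string, apply the parseIOR page's "IOR:" and even-hex-digit checks, and then decode the CDR encapsulation to list the IIOP host:port pairs, which is the kind of information the Router log's iiopAddressesInIOR step is named after. The build_ior helper only constructs test data; its type ID and object key are placeholders, and the parser assumes IIOP profiles carry the standard TAG_INTERNET_IOP tag (0).

```python
import struct

class CDR:
    """Minimal CORBA CDR reader; octet 0 of an encapsulation is the byte order flag."""
    def __init__(self, data):
        self.d, self.pos = data, 1
        self.fmt = "<" if data[0] == 1 else ">"  # 1 = little-endian, 0 = big-endian
    def align(self, n):
        self.pos += -self.pos % n  # CDR aligns relative to the encapsulation start
    def num(self, code, size):
        self.align(size)
        (v,) = struct.unpack_from(self.fmt + code, self.d, self.pos)
        self.pos += size
        return v
    def octets(self):
        n = self.num("I", 4)
        self.pos += n
        return self.d[self.pos - n:self.pos]
    def string(self):
        return self.octets()[:-1].decode("ascii")  # drop the trailing NUL

def normalize_ior(text):
    """Join the CRLF-broken pieces a cmd window produces into one IOR string."""
    s = "".join(text.split())
    if not s.startswith("IOR:") or len(s) % 2:
        raise ValueError("must begin with IOR: and have an even number of hex digits")
    return s

def iiop_addresses(text):
    """(type_id, [(host, port), ...]) from the TAG_INTERNET_IOP profiles of an IOR."""
    r = CDR(bytes.fromhex(normalize_ior(text)[4:]))
    type_id, addrs = r.string(), []
    for _ in range(r.num("I", 4)):
        tag, data = r.num("I", 4), r.octets()
        if tag == 0:  # TAG_INTERNET_IOP: nested encapsulation with host and port
            p = CDR(data)
            p.pos = 3  # skip the IIOP version major/minor octets
            addrs.append((p.string(), p.num("H", 2)))
    return type_id, addrs

def build_ior(type_id, host, port, key=b"key"):
    """Constructed big-endian IOR with one IIOP 1.0 profile (test data, not a real router's)."""
    pad = lambda b, n: b + b"\x00" * (-len(b) % n)
    cstr = lambda s: struct.pack(">I", len(s) + 1) + s.encode() + b"\x00"
    prof = pad(b"\x00\x01\x00", 4) + cstr(host)          # byte order, IIOP 1.0, host
    prof = pad(prof, 2) + struct.pack(">H", port)        # port, 2-byte aligned
    prof = pad(prof, 4) + struct.pack(">I", len(key)) + key
    body = pad(b"\x00", 4) + cstr(type_id)               # byte order, type_id
    body = pad(body, 4) + struct.pack(">III", 1, 0, len(prof)) + prof  # 1 profile, tag 0
    return "IOR:" + body.hex()
```

Paste the output of `iiop_addresses` next to the Router log's "Getting parent router IOR from" line: the host and port decoded here must be the ones the endpoint can actually reach on the SSL port.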

  • Hi Christian,

    oh my god, how silly I am... I have misinterpreted Barb's hint. I should have used the Migration utility on the relay and then the script on the endpoint. It seems I am a bit overworked lol. I will try it immediately.

    And I will move the topic to the place you suggested. And also yes, I have already noticed that copying an IOR from CMD creates gaps, so that is why it didn't work.

    Thank you very much :)

  • Hi,

    forget those first posts, since I forgot which one I used as an example. Since I have a lot of servers with this problem, I picked a different one, and that one uses 10.128.99.126.

    I reinstalled Sophos on all these servers many times but the issue persists.

  • Hello Maros Goc,

    I'm not sure what the issue is, whether there's one issue or several. The common symptom is that the endpoints don't "appear" in the console but, as said, there are various potential causes.

    The Remote Management System (RMS) uses TLS with self-signed certificates for communication. The management server creates a CA certificate that is subsequently used to sign all other certificates. This CA-certificate (cac.pem) is contained in the distribution (install, update) location. It is stored on an endpoint during initial install (initial means: setup.exe is run) and used to verify the certificates used in communication with the management server. mrinit.conf tells an endpoint whom to contact in order to communicate with its server. Whether it's the server itself or a message relay it has to present a certificate signed by the already known CA.
    If an upstream server presents a valid IOR on port 8192 and port 8194 of the host returned in the IOR is reachable then RMS should work, OpenSSL - if instructed to use this CA - should return success. If it doesn't then the cac.pem is from a different management server - OR it is the intended cac.pem but the upstream server tested belongs to a different management server.  

    Christian

    Could you tell me what I should do in order to fix this hellish problem? What would you do? The reinstallation didn't help at all :(

  • Hello Maros,

    At this point, I would recommend creating a case with support so that they can further assist you in resolving this issue. 

    Please access the support section here. 

    Regards,

    Barb@Sophos
    Community Support Engineer | Sophos Technical Support

    If you say that the management server creates a CA certificate which is contained in the distribution location, then why do the logs show "Cannot verify peer's SSL certificate, unknown CA"? If a CA is unknown, isn't that because there was an error during the installation via that distribution location?

  • I have done it. Thank you :)

  • Hello Maros Goc,

    "why unknown CA" - exactly, this is the question. During RMS install ClientMRInit.exe is called which processes cac.pem found in %ProgramFiles(x86)%\Sophos\Remote Management System\ which has been downloaded from the distribution location (CID) and stores it under HKLM\SOFTWARE\Wow6432Node\Sophos\Messaging System\\cac in DER format. The stored certificate is used to verify the server certificate when initiating a connection.
    If for whatever reason the endpoint downloads from a "foreign" CID the stored certificate is not replaced, thus the endpoint will refuse to talk to a server that uses a different CA to sign its communication. It should be fairly easy to compare the local cac.pem with the one in the CID and also the cac registry value with cac.pem.

    "an error during the installation" - should have been logged (e.g. the ClientMRInit logs in %windir%\Temp\). If the cac is missing from the registry the Router refuses to start. Thus it seems a second formally correct cac.pem is in circulation.

    Christian

  • Christian,

    I compared cac.pem on the endpoint and cac.pem in the CID and they are the same. I couldn't compare it with the cac registry value as well, since I didn't know how to convert the binary value into the traditional style.

    However, I checked windir\temp and I think I found something interesting there:

    11.07.2018 06:52:46 19D8 I Opening initialisation file: C:\Program Files (x86)\Sophos\Remote Management System/MRInit.conf
    11.07.2018 06:52:46 19D8 I Opening root certificate initialisation file: C:\Program Files (x86)\Sophos\Remote Management System/cac.pem
    11.07.2018 06:52:46 19D8 I Intelligent updating is: Off
    11.07.2018 06:52:46 19D8 E MRInitData failed with exception: CAccessFailureException:CACertificate not found
    11.07.2018 06:52:46 19D8 D Old certificate not present, using new.
    11.07.2018 06:52:46 19D8 T New Message Router identity key is present.
    11.07.2018 06:52:46 19D8 T New Managed Application identity key is present.
    11.07.2018 06:52:46 19D8 T New Management Agent identity key is present.
    11.07.2018 06:52:46 19D8 D CheckParentAddress( `*** NOT SET ***`->`10.128.99.126,NAHVMMS04.am.boehringer.com` )
    11.07.2018 06:52:46 19D8 D IsThisComputer[10.128.99.126,NAHVMMS04.am.boehringer.com]
    11.07.2018 06:52:51 19D8 D Found 4 addresses
    11.07.2018 06:52:51 19D8 D Just use new parent
    11.07.2018 06:52:51 19D8 I Parent router IOR port: 8192
    11.07.2018 06:52:51 19D8 I New router IOR port: 8192
    11.07.2018 06:52:51 19D8 I Setting router service arguments: "-ORBListenEndpoints iiop://:8193/ssl_port=8194"
    11.07.2018 06:52:51 19D8 I ClientMRInit successful exit

    I don't know if it explains something but maybe it does.

  • Hello Maros Goc,

    the error is normal for a new install and the correct certificate should then have been stored. Everything seems normal (BTW: The CheckParentAddress sets one IP and one name for the potential parent, IsThisComputer checks whether this computer should configure itself as relay).
    "convert" - no hex editor/viewer available?

    There should be Router log that started shortly after, normally communication is established in the first 50 lines or so. Does this one also show the SSL error?
    Is 10.128.99.126/NAHVMMS04 visible in the console and is it up to date?

    Christian
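The three-way comparison Christian suggests above (local cac.pem against the CID copy, and the registry cac value against cac.pem), together with the DER-to-PEM conversion Maros asks about, as an added Python example that is my own and not Sophos code. It assumes the registry value was saved with `reg export` (the `"cac"=hex:30,82,...` form with backslash continuation lines); the two sample certificates are constructed placeholder bytes, not real certificates.

```python
import base64
import hashlib
import re

# Constructed stand-ins, NOT real certificates: a "good" CA and a "foreign" one.
GOOD_DER = bytes.fromhex("300a020101040568656c6c6f")
FOREIGN_DER = bytes.fromhex("300a020102040577726f6e67")
# What 'reg export' writes for the cac value of the good CA (constructed).
GOOD_REG = '"cac"=hex:30,0a,02,01,01,04,05,68,65,\\\n  6c,6c,6f\n'

def pem_to_der(pem_text):
    """Return the DER bytes of the first CERTIFICATE block in a PEM file (cac.pem)."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))

def der_to_pem(der):
    """Wrap DER bytes as PEM (64-column base64): the 'traditional' cac.pem form."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body

def reg_hex_to_der(reg_text, value_name="cac"):
    """Decode a REG_BINARY value from 'reg export' output, following continuation lines."""
    lines = reg_text.splitlines()
    i = next(n for n, l in enumerate(lines) if l.startswith('"%s"=hex:' % value_name))
    chunks = [lines[i].split("hex:", 1)[1]]
    while lines[i].rstrip().endswith("\\"):  # a trailing backslash continues the value
        i += 1
        chunks.append(lines[i])
    return bytes.fromhex(re.sub(r"[\\,\s]", "", "".join(chunks)))

def fingerprint(der):
    """SHA-256 fingerprint in the colon-separated form certificate viewers show."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def compare_ca(endpoint_pem, cid_pem, reg_export):
    """Fingerprint all three copies of the CA and report which ones agree."""
    fps = {"endpoint": fingerprint(pem_to_der(endpoint_pem)),
           "cid": fingerprint(pem_to_der(cid_pem)),
           "registry": fingerprint(reg_hex_to_der(reg_export))}
    fps["endpoint_matches_cid"] = fps["endpoint"] == fps["cid"]
    fps["registry_matches_endpoint"] = fps["registry"] == fps["endpoint"]
    return fps
```

A mismatch in `registry_matches_endpoint` is the "second formally correct cac.pem in circulation" case: the endpoint keeps trusting the CA it was first installed with, not the one it later downloaded.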

  • Hi,

    so that "error" is normal, hmm ok good.

    NAHVMMS04 is a common and longtime relay, which is used by many servers. Yes it is visible and up to date.

    The only Router log is this one (pretty similar to the one in the topic description):

    11.07.2018 07:03:32 1BEC W Failed to get certificate, retrying in 600 seconds
    11.07.2018 07:13:32 1BEC I Getting parent router IOR from 10.128.99.126:8192
    11.07.2018 07:13:32 1BEC I Getting a new router certificate...
    11.07.2018 07:13:32 1BEC W SSL connection alert, peer address 10.128.99.126
    11.07.2018 07:13:32 1BEC W Cannot verify peer's SSL certificate, unknown CA
    11.07.2018 07:13:32 1BEC E Router::ReportInvalidCertificate: Caught Empty IOR string from iiopAddressesInIOR
    11.07.2018 07:13:32 1BEC E ACE_SSL (5340|7148) error code: 336134278 - error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
    11.07.2018 07:13:42 1BEC W SSL connection alert, peer address 10.128.99.126
    11.07.2018 07:13:42 1BEC W Cannot verify peer's SSL certificate, unknown CA
    11.07.2018 07:13:42 1BEC E Router::ReportInvalidCertificate: Caught Empty IOR string from iiopAddressesInIOR
    11.07.2018 07:13:42 1BEC E ACE_SSL (5340|7148) error code: 336134278 - error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
    11.07.2018 07:13:42 1BEC E Router::GetCertificate: Caught CORBA system exception, ID 'IDL:omg.org/CORBA/TRANSIENT:1.0'
    OMG minor code (2), described as '*unknown description*', completed = NO
