Failed to get SSL certificate | Cannot verify peer's SSL certificate, unknown CA | Caught Empty IOR string from iiopAddressesInIOR

Hello, I have a couple of servers which on the one hand have Sophos AV fully working, but on the other hand cannot be seen in SEC (Sophos Enterprise Console). After some investigation I found this in the logs:

28.06.2018 11:58:47 1E04 W Failed to get certificate, retrying in 600 seconds
28.06.2018 12:08:47 1E04 I Getting parent router IOR from 10.183.173.88:8192
28.06.2018 12:08:47 1E04 I Getting a new router certificate...
28.06.2018 12:09:29 1E04 E Router::GetCertificate: Caught CORBA system exception, ID 'IDL:omg.org/CORBA/TRANSIENT:1.0'
OMG minor code (2), described as '*unknown description*', completed = NO

28.06.2018 12:20:11 1E04 W Failed to get certificate, retrying in 600 seconds
28.06.2018 12:30:11 1E04 I Getting parent router IOR from 10.183.173.88:8192
28.06.2018 12:30:11 1E04 I Getting a new router certificate...
28.06.2018 12:32:39 1E04 W SSL connection alert, peer address 10.183.173.88
28.06.2018 12:32:39 1E04 W Cannot verify peer's SSL certificate, unknown CA
28.06.2018 12:32:39 1E04 E Router::ReportInvalidCertificate: Caught Empty IOR string from iiopAddressesInIOR
28.06.2018 12:32:39 1E04 I This computer is part of the domain EU
28.06.2018 12:32:39 1E04 E ACE_SSL (7964|7684) error code: 336134278 - error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
28.06.2018 12:33:00 1E04 E Router::GetCertificate: Caught CORBA system exception, ID 'IDL:omg.org/CORBA/TRANSIENT:1.0'
OMG minor code (2), described as '*unknown description*', completed = NO

Then I read through several articles and forums, which raised some questions that I haven't been able to find answers to yet.

1.) How are "ParentAddress" and "ParentPort" (found in HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\Messaging System\Router) related to the IOR port?

2.) What is "http://www2.parc.com/istl/projects/ILU/parseIOR/" used for? I tried to get the IOR there but then the page said "Your IOR is misformed. It must begin with either "IOR:" or "IOR2:", and then have an even number of hex digits." It seems as if the IOR wasn't correct.

3.) There are "pkc" and "pkp" missing under HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\Remote Management System\ManagementAgent\Private which should be crucial for a server. How can I get "pkc" and "pkp" back? (There is also no NotifyClientUpdate found in HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\Messaging System\Router)

4.) All the necessary ports (80, 8192, 8194) are opened. I can telnet the destination point without a problem. IOR is shown when telnetting 8192. How come the router is catching an empty IOR string then?

5.) Finally, how can this whole issue be fixed? I won't be able to do it without someone's help.

I would be really grateful if someone knew what to do, because I have already run out of all ideas. Thank you.
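For reference on questions 2 and 4, an added example (not part of the original post and not Sophos code): a stringified CORBA IOR is "IOR:" followed by hex-encoded CDR data, and the decoder below checks that shape and pulls the host and port out of each IIOP profile. The sample IOR, its address and its type id are constructed for illustration.

```python
import struct

class Cdr:
    """Minimal CDR reader for one encapsulation (first octet = byte-order flag)."""
    def __init__(self, data):
        self.data, self.pos = data, 1
        self.end = "<" if data[0] & 1 else ">"

    def _take(self, fmt, size):
        self.pos += -self.pos % size           # CDR aligns primitives to their size
        if self.pos + size > len(self.data):
            raise ValueError("truncated IOR")
        (val,) = struct.unpack_from(self.end + fmt, self.data, self.pos)
        self.pos += size
        return val

    def ulong(self):
        return self._take("I", 4)

    def octets(self):                          # sequence<octet>: ulong length + bytes
        n = self.ulong()
        if self.pos + n > len(self.data):
            raise ValueError("truncated IOR")
        self.pos += n
        return self.data[self.pos - n:self.pos]

    def string(self):                          # length includes the trailing NUL
        return self.octets()[:-1].decode("ascii", "replace")

def parse_ior(text):
    """Return (type_id, [(host, port), ...]) for the IIOP profiles in an IOR."""
    hexpart = text.strip()[4:]
    if not text.strip().startswith("IOR:") or not hexpart or len(hexpart) % 2:
        raise ValueError("expected 'IOR:' followed by an even number of hex digits")
    top = Cdr(bytes.fromhex(hexpart))          # ValueError on non-hex characters
    type_id, addrs = top.string(), []
    for _ in range(top.ulong()):               # sequence<TaggedProfile>
        tag, body = top.ulong(), top.octets()
        if tag == 0 and body:                  # TAG_INTERNET_IOP
            prof = Cdr(body)
            prof.pos = 3                       # skip IIOP version major, minor
            addrs.append((prof.string(), prof._take("H", 2)))
    return type_id, addrs

# Constructed sample (not from a real server): one IIOP 1.0 profile.
SAMPLE_IOR = "IOR:" + "".join([
    "00000000", "0000000d", "49444c3a44656d6f3a312e3000", "000000",  # type id
    "00000001", "00000000", "00000020",            # 1 profile, tag 0, 32 bytes
    "00010000", "0000000b", "3139322e302e322e313000", "00",  # host 192.0.2.10
    "2002", "0000", "00000004", "64656d6f",        # port 8194, 4-byte object key
])
```

`parse_ior(SAMPLE_IOR)` returns the type id and a list of `(host, port)` pairs; an empty or malformed string raises `ValueError`.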

  • In reply to QC:

    Hi,

    so that "error" is normal, hmm ok good.

    NAHVMMS04 is a common and longtime relay, which is used by many servers. Yes it is visible and up to date.

    The only Router log is this one /pretty similar to the one in the topic description/

    11.07.2018 07:03:32 1BEC W Failed to get certificate, retrying in 600 seconds
    11.07.2018 07:13:32 1BEC I Getting parent router IOR from 10.128.99.126:8192
    11.07.2018 07:13:32 1BEC I Getting a new router certificate...
    11.07.2018 07:13:32 1BEC W SSL connection alert, peer address 10.128.99.126
    11.07.2018 07:13:32 1BEC W Cannot verify peer's SSL certificate, unknown CA
    11.07.2018 07:13:32 1BEC E Router::ReportInvalidCertificate: Caught Empty IOR string from iiopAddressesInIOR
    11.07.2018 07:13:32 1BEC E ACE_SSL (5340|7148) error code: 336134278 - error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
    11.07.2018 07:13:42 1BEC W SSL connection alert, peer address 10.128.99.126
    11.07.2018 07:13:42 1BEC W Cannot verify peer's SSL certificate, unknown CA
    11.07.2018 07:13:42 1BEC E Router::ReportInvalidCertificate: Caught Empty IOR string from iiopAddressesInIOR
    11.07.2018 07:13:42 1BEC E ACE_SSL (5340|7148) error code: 336134278 - error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
    11.07.2018 07:13:42 1BEC E Router::GetCertificate: Caught CORBA system exception, ID 'IDL:omg.org/CORBA/TRANSIENT:1.0'
    OMG minor code (2), described as '*unknown description*', completed = NO

  • In reply to Maros Goc:

    Hello Maros Goc,

    indeed pretty similar. And strange ... strange ...

    Heck! Only now noticed the following in the OpenSSL output you've posted:

    but we expect

    so - who's this nahfw6?

    Christian

  • In reply to QC:

    Hm interesting, I can confirm that all the affected servers have this weird "nahfw6-..." certificate chain, and some chosen servers without this problem really have the "EM2_CA" as shown on your second screen.

    I have absolutely no idea what nahfw6 is. Or is it he/she?

  • In reply to Maros Goc:

    Hello Maros Goc,

    (I assume) a smart firewall that requires secure connections to be signed with "trusted" certificates (i.e. that have a certificate chain with a "known" CA as root).
    You'd have to ask your network/firewall guys.

    Christian

  • In reply to QC:

    Thank you Christian,

    however, since I am no network guy, could you perhaps tell me what exactly should I ask them?

  • In reply to Maros Goc:

    Hello Maros Goc,

    "what exactly should I ask them"
    good question, neither am I a network guy nor do I know your guys. Apparently SSL Control is in effect, the connection is checked for untrusted certificates (expired, incomplete certificate chain, or - as in this case - untrusted/unknown CAs). Showing them the screenshot in this post should suffice.

    Christian
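Added example (not part of the thread and not Sophos code): a triage helper that splits a Router log into retry attempts and separates those where a certificate from an unknown CA was rejected, the pattern the thread traces to the firewall, from those that only report CORBA TRANSIENT. The function name and outcome labels are made up for this example.

```python
import re

# Line layout seen in the thread: date time thread-id level message
LINE = re.compile(r"^\s*(\d\d\.\d\d\.\d{4} \d\d:\d\d:\d\d) (\w+) ([IWE]) (.*)$")
PARENT = re.compile(r"Getting parent router IOR from (\S+):(\d+)")

def classify_attempts(log_text):
    """Label each certificate attempt in a Router log by how it failed."""
    attempts, cur = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue                       # continuation lines have no timestamp
        stamp, msg = m.group(1), m.group(4)
        parent = PARENT.search(msg)
        if parent:                         # each retry starts with the IOR fetch
            cur = {"start": stamp, "parent": parent.group(1), "outcome": "no_error"}
            attempts.append(cur)
        elif cur and ("unknown CA" in msg or "certificate verify failed" in msg):
            cur["outcome"] = "unknown_ca"  # a certificate arrived but was rejected
        elif cur and "CORBA/TRANSIENT" in msg and cur["outcome"] == "no_error":
            cur["outcome"] = "transient_only"  # failed with no certificate alert
    return attempts

# Log lines copied from the first post of this thread.
SAMPLE_LOG = """\
28.06.2018 12:08:47 1E04 I Getting parent router IOR from 10.183.173.88:8192
28.06.2018 12:08:47 1E04 I Getting a new router certificate...
28.06.2018 12:09:29 1E04 E Router::GetCertificate: Caught CORBA system exception, ID 'IDL:omg.org/CORBA/TRANSIENT:1.0'
OMG minor code (2), described as '*unknown description*', completed = NO
28.06.2018 12:20:11 1E04 W Failed to get certificate, retrying in 600 seconds
28.06.2018 12:30:11 1E04 I Getting parent router IOR from 10.183.173.88:8192
28.06.2018 12:30:11 1E04 I Getting a new router certificate...
28.06.2018 12:32:39 1E04 W SSL connection alert, peer address 10.183.173.88
28.06.2018 12:32:39 1E04 W Cannot verify peer's SSL certificate, unknown CA
28.06.2018 12:32:39 1E04 E Router::ReportInvalidCertificate: Caught Empty IOR string from iiopAddressesInIOR
28.06.2018 12:33:00 1E04 E Router::GetCertificate: Caught CORBA system exception, ID 'IDL:omg.org/CORBA/TRANSIENT:1.0'
"""
```

Run over the Router logs of several endpoints, the `unknown_ca` attempts identify which servers sit behind the device that swaps the certificate chain.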