
BaldNerd

Everything posted by BaldNerd

  1. Thanks @Mirek S. fullchain.pem is generated by letsencrypt certbot. As you likely already know, this file is the concatenation of cert.pem and chain.pem (the public cert + the chain). So, here is what mine looks like:

     [two PEM certificate blocks]

     Your comment about a possible missing CA made me think (facepalm) about my CSR: Perhaps I should be using 0001_chain.pem instead of fullchain.pem! After all, I am providing my own CSR as previously stated. I just expected my CSR would be part of the fullchain.pem, but running diff between the two fullchain pem files (fullchain.pem, 0001_chain.pem), they're not a match. Thoughts? Thanks! Robbie // The Bald Nerd
  2. When you first set up the VA there was a checkbox to enable it. You mustn't have spotted it during setup. It's easy to enable in the settings after the fact though, so no harm done. No, I don't think it should be on by default. If the user is setting up the ESMC server behind a VPN or on the WAN, that would create a lot of unnecessary traffic as the devices check in. It's better to let the devices by default get their definitions directly from ESET's servers, and only proxy (mirror) them if specifically enabled by the admin. Hope that helps! Robbie // The Bald Nerd
  3. On ESET Security Management Center the mirror has been replaced with an Apache HTTP Proxy. Please see https://help.eset.com/esmc_install/70/en-US/apache_http_proxy.html I think that is what you are looking for. Let me know. Robbie // The Bald Nerd
  4. Thank you @janoo and @Mirek S.. I'll look at the docs provided there which do look more current--great. Re. my certificate, I'm directly using the Let's Encrypt pem files to create the pfx as follows:

         openssl pkcs12 -inkey privkey.pem -in fullchain.pem -export -out letsencrypt.pfx -password pass:*******

     Then, that pfx file is passed to mdmcore-linux-x86_64.sh during installation with the 'https-cert-path' switch. From there, I'm not sure where to go - MDC is installed as per my first post, and shows the error in ESMC as per above. Please let me know what you suggest. Thanks, Robbie // The Bald Nerd
  5. Sad. Perhaps an "Advanced User" mode to put it back again? Can't always just cater to those who refuse to read the manual.
  6. I don't see that as an unfair request. The addition of a column "Priority" would alleviate the issue. It would be sane from a UX perspective to allow clicking the headings to sort by Name, Enabled, Protocol, Profile, etc. with the addition of a new column, Priority. The headings even highlight when you mouseover, and UX principles tell the user that they should click to sort, but it doesn't... so it just seems broken. PS - ESET should change the forum Rank names. As far as I'm concerned, it appears as though @arsini was just trolled by an ESET Trainee 🤣
  7. Please add me to the beta list, and let me know if you want anything specific tested. I administer hundreds of Linux servers. Thanks
  8. I'd suggest KB6820 instead, since KB6097 is for an old version and contains some inaccuracies. @Arekn stated they are on ESMC (not ERA).
  9. That's how it looks to me too. During [re]installation of MDM you can use --mdm-port= to define the MDM port to use (normally the default is 9981) and --mdm-enrollment-port= to set the MDM enrollment port (default is 9980). On the VA, you can just log in to the Linux terminal and reinstall MDM with https://download.eset.com/com/eset/apps/business/era/mdm/latest/mdmcore-linux-x86_64.sh I'd simply suggest taking a snapshot of the appliance first, just in case - will save you a ton of headaches if you break something while tinkering since you can quickly revert and try again. It's indeed surprising this is not an included feature (i.e., setting) within ESMC. Seems you can change other ports, just not the MDM. Good luck! Robbie // The Bald Nerd 🤓
  10. Hi all, 🤓 I understand MDC requires the certificate fullchain, and since my ESMC is on a subdomain, I am using Let's Encrypt for the console cert. It works great. However, I want to also use this cert for my MDC, and I'm simply unsure how to do this. A little about my setup:

      • This is a Linux-based ESMC server (irrelevant really, but just getting that out of the way before anyone tries to tell me to do some Windows witchcraft 😏)
      • ESMC Server v 7.0.471.0 / ESMC Web Console v 7.0.429.0 / MDC v 7.0.528.0
      • I have Let's Encrypt certificates generated for the subdomain where my ESMC server resides. It works fine, and the cert shows correctly in the browser (no self-signed cert for my ESMC browser session).
      • I have a Java Keystore, which I use for Tomcat9's server entry. The keystore contains the Let's Encrypt cert.
      • My CSR (which is used to generate the Let's Encrypt cert) is generated from the keystore.
      • I generate a PFX from the Let's Encrypt cert, and this PFX is available if needed (e.g., could be used within a config).
      • I've tried adding my Let's Encrypt cert to my system's ca-certificates store, to no effect.

      The ESMC interface shows that my MDC is in this state: "ESET HTTPS certificate chain is incomplete. Enrollment is not allowed" So, I think I have all the bits and pieces needed, but am unclear how to set up MDC to use my cert. The kbase articles I find are obsolete, with the only one I can find that looks reasonably recent saying not to do the steps on MDC 7+. Thanks in advance for taking the time to assist. Robbie // The Bald Nerd
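A way to check what a PFX built with the `openssl pkcs12` command from post 4 actually carries, as an added example that is not part of the original posts. It assumes a throwaway three-level CA made on the spot; the subjects, file names and password are constructed, and the test root stands in for the root a client already trusts.

```shell
#!/bin/sh
# Added example: every subject, file name and password here is constructed.
PASS=constructed-example

make_chain() {  # $1 = work dir; writes certbot-style cert/chain/fullchain/privkey
  d=$1
  printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' '[dn]' \
    'CN = placeholder' '[ca]' 'basicConstraints = critical,CA:TRUE' \
    'keyUsage = critical,keyCertSign' '[leaf]' 'basicConstraints = CA:FALSE' > "$d/cfg"
  # Throwaway root CA (stands in for the root a client already trusts).
  openssl req -x509 -config "$d/cfg" -extensions ca -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Test Root" -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  # Intermediate CA signed by the root: this plays the role of chain.pem.
  openssl req -new -config "$d/cfg" -newkey rsa:2048 -nodes \
    -subj "/CN=Test Intermediate" -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -set_serial 2 \
    -days 2 -extfile "$d/cfg" -extensions ca -out "$d/chain.pem" 2>/dev/null
  # Server certificate signed by the intermediate: cert.pem + privkey.pem.
  openssl req -new -config "$d/cfg" -newkey rsa:2048 -nodes \
    -subj "/CN=esmc.example.test" -keyout "$d/privkey.pem" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/chain.pem" -CAkey "$d/int.key" -set_serial 3 \
    -days 2 -extfile "$d/cfg" -extensions leaf -out "$d/cert.pem" 2>/dev/null
  cat "$d/cert.pem" "$d/chain.pem" > "$d/fullchain.pem"
}

build_pfx() {  # $1 = work dir, $2 = certificate input, $3 = PFX name (command form from post 4)
  openssl pkcs12 -inkey "$1/privkey.pem" -in "$1/$2" -export -out "$1/$3" -password "pass:$PASS"
}

pfx_cert_count() {  # $1 = PFX, $2 = PEM file to extract into; prints number of certificates
  openssl pkcs12 -in "$1" -nokeys -password "pass:$PASS" -out "$2" 2>/dev/null
  grep -c 'BEGIN CERTIFICATE' "$2"
}

pfx_chain_ok() {  # $1 = work dir, $2 = PFX; true if the leaf verifies using only PFX contents
  pfx_cert_count "$2" "$1/from_pfx.pem" >/dev/null
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/from_pfx.pem" "$1/cert.pem" >/dev/null 2>&1
}

work=$(mktemp -d) && make_chain "$work"
build_pfx "$work" fullchain.pem full.pfx      # leaf + intermediate, as in post 4
build_pfx "$work" cert.pem leaf-only.pfx      # leaf alone, for comparison
for p in full.pfx leaf-only.pfx; do
  if pfx_chain_ok "$work" "$work/$p"; then verdict="chain complete"; else verdict="chain INCOMPLETE"; fi
  echo "$p: $(pfx_cert_count "$work/$p" "$work/out.pem") certificate(s), $verdict"
done
```

The same two functions can be pointed at a real PFX by replacing the constructed password and using the issuing root's PEM as `root.pem`.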