ERA MDM is not working - client can't connect



2017-03-20 08:50:47 E [139953414354688] Uncaught exception: Connection reset by peer,
2017-03-20 08:50:47 E [139953405961984] Uncaught exception: Connection reset by peer,
2017-03-20 08:50:48 E [139953414354688] Uncaught exception: Connection reset by peer,
2017-03-20 08:50:48 E [139953405961984] Uncaught exception: Connection reset by peer,
2017-03-20 08:50:50 E [139953414354688] Uncaught exception: Connection reset by peer,
2017-03-20 08:50:50 E [139953405961984] Uncaught exception: Connection reset by peer,
2017-03-20 08:50:51 E [139953414354688] Uncaught exception: Connection reset by peer,
2017-03-20 08:50:51 E [139953405961984] Uncaught exception: NodSslException, NodSsl function completeHandshake.RecvEncryptedData returned an error (Internal error in the underlying implementations) for peer 37.47.152.237:8595, local 10.2.1.22:9981:
+ Error message: SSL: fatal:certificate unknown
+ Error message: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
+ Error message: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
 

I have a new SSL certificate signed by a CA; I made a new pfx file from it and reinstalled MDMCore with the new cert, and everything went OK with the installer.

But in the logs I can see the errors above.


  • ESET Staff

Can you please provide more information?
Is this a fresh ERA 6.5 installation or an upgrade from 6.4 to 6.5?
What is the status of the MDM component in the web console? Are there any warning / error messages?
Are you using the ERA CA + an ERA-generated certificate, or a 3rd-party CA and a certificate signed by that 3rd-party CA?
 


ESET Remote Administrator Agent   6.5.417.0   129
ESET Remote Administrator Server   6.5.417.0   272
ESET Remote Administrator Mobile Device Connector   6.5.449.0   201

 

This was an upgrade from the previous version.

No warnings / error messages in the web console.

I have a wildcard company SSL certificate for the domain *.s?????h.com.pl, and our MDM is visible to mobile clients as https://mdm.s?????h.com.pl with the default ports.

This certificate was valid for two years and expired on 16 March. Now I have the renewed one, and I reinstalled MDMCore with the new server.pfx I made from the new certificate.

Maybe I'm doing something wrong, but two years ago I did it the same way and everything worked.

I have no idea about ERA CA + ERA-generated; I have not changed anything since the install.

 


  • ESET Staff

EESA (the Android application) uses certificate pinning, i.e. any change of the server certificate invalidates the trust between the devices and the MDM server. The bunch of errors is most likely devices refusing to talk to MDM.

Quote

+ Error message: SSL: fatal:certificate unknown
+ Error message: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown

I'm sorry, but you'll have to re-enroll the devices (you can do this via the re-enrollment task to keep the history and configuration of the devices).

In 6.5, functionality was added for certificate change with a timeout: the enrollment profiles are replaced within this timeout with the updated certificate. I assume you didn't use this functionality to replace the server certificate?

As a side note, log files can contain sensitive information; when asked for them, please send them via PM. Please also erase those you uploaded (you took care not to mention the domain, but it is present in the log files).

HTH,

M.

Edited by LegacyConnectorSupport
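The "sslv3 alert certificate unknown" lines in the log are worth reading precisely: OpenSSL reports a received TLS alert with that wording, so it is the mobile client that sent certificate_unknown after seeing the server's new certificate, which fits the pinning explanation above, whereas the "Connection reset by peer" lines carry no such information. The following Python script is an added example (not part of the original post and not ESET's code) that parses the multi-line NodSslException records from an MDM Core trace log, separates client-side certificate rejections from plain resets, and lists the peer addresses doing the rejecting. The log sample is constructed to match the format shown in the thread, using documentation IP ranges, and the record layout (a header line followed by "+ Error message:" continuation lines) is an assumption based only on what the post shows.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of MDM Core trace-log lines, modelled on the format quoted in
# the thread (not taken from a real system; peer addresses are documentation IPs).
SAMPLE_LOG = """\
2017-03-20 08:50:47 E [139953414354688] Uncaught exception: Connection reset by peer,
2017-03-20 08:50:48 E [139953405961984] Uncaught exception: Connection reset by peer,
2017-03-20 08:50:51 E [139953405961984] Uncaught exception: NodSslException, NodSsl function completeHandshake.RecvEncryptedData returned an error (Internal error in the underlying implementations) for peer 198.51.100.23:8595, local 10.2.1.22:9981:
+ Error message: SSL: fatal:certificate unknown
+ Error message: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
+ Error message: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
2017-03-20 08:50:52 E [139953414354688] Uncaught exception: NodSslException, NodSsl function completeHandshake.RecvEncryptedData returned an error (Internal error in the underlying implementations) for peer 198.51.100.23:8601, local 10.2.1.22:9981:
+ Error message: SSL: fatal:certificate unknown
2017-03-20 08:50:53 E [139953405961984] Uncaught exception: NodSslException, NodSsl function completeHandshake.RecvEncryptedData returned an error (Internal error in the underlying implementations) for peer 203.0.113.9:5123, local 10.2.1.22:9981:
+ Error message: SSL: fatal:unknown ca
2017-03-20 08:50:54 I [139953414354688] Some unrelated informational line
"""

# Header of one exception record: timestamp, level, thread id, free-text message.
HEADER_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<level>[A-Z]) "
    r"\[(?P<thread>\d+)\] Uncaught exception: (?P<msg>.*)$"
)
# Peer/local endpoints embedded in the NodSslException message.
PEER_RE = re.compile(
    r"for peer (?P<peer>[\d.]+):(?P<pport>\d+), local (?P<local>[\d.]+):(?P<lport>\d+)"
)
# Continuation lines carrying the OpenSSL error stack for the preceding record.
DETAIL_RE = re.compile(r"^\+ Error message: (?P<detail>.*)$")


def parse_log(text: str) -> list:
    """Group header lines and their '+ Error message:' continuations into records."""
    events = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            ev = dict(m.groupdict(), details=[], peer=None, local=None)
            pm = PEER_RE.search(ev["msg"])
            if pm:
                ev["peer"] = pm.group("peer")
                ev["local"] = f"{pm.group('local')}:{pm.group('lport')}"
            events.append(ev)
            continue
        d = DETAIL_RE.match(line)
        if d and events:
            events[-1]["details"].append(d.group("detail"))
    return events


def classify(ev: dict) -> str:
    """Map a record to the side that gave up and why, based on the TLS alert text."""
    if ev["msg"].startswith("Connection reset by peer"):
        return "reset"                         # no TLS-level reason recorded
    details = " ".join(ev["details"]).lower()
    if "certificate unknown" in details:
        return "client_rejected_server_cert"   # peer sent alert certificate_unknown
    if "unknown ca" in details:
        return "client_untrusted_ca"           # peer sent alert unknown_ca
    if "NodSslException" in ev["msg"]:
        return "tls_other"
    return "other"


def summarize(text: str) -> dict:
    """Count record classes and tally the peers that rejected our certificate."""
    events = parse_log(text)
    kinds = Counter(classify(e) for e in events)
    rejecting = defaultdict(int)
    for e in events:
        if classify(e) == "client_rejected_server_cert" and e["peer"]:
            rejecting[e["peer"]] += 1
    return {"kinds": dict(kinds), "rejecting_peers": dict(rejecting)}


if __name__ == "__main__":
    for k, v in summarize(SAMPLE_LOG).items():
        print(k, v)
```

Run it over the real trace log instead of SAMPLE_LOG and the rejecting_peers list becomes the set of device addresses that need re-enrollment; a peer showing "unknown ca" rather than "certificate unknown" is a different problem (the device does not trust the issuing CA at all) and is kept separate for that reason.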

OMG, that is a bad joke, to re-enroll the devices.

How do I use it in 6.5 next time?

I tried to re-enroll my own device again, and when I click it wants an admin password?

Seriously? I can't even re-enroll devices without telling them the admin password?

If I tell them the password they will uninstall it all from their smartphones. And maybe this is the best option.

 

Edited by SilentDave

  • ESET Staff

Well, the re-enrollment is not that extreme. You just go to the web console and send an email to all your users (assuming you connected MDM with user management in ERA) and hope they click on the link...

Certificate change with enrollment profile replacement is in the same place the certificate change used to be, in the policy (it's new in 6.5, so you probably changed the certificate in 6.4, where it happened immediately).

You just specify until when the old certificate can be used instead of the new one you provide.


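As an added illustration (not ESET's code or documentation, and not part of the original reply), the following Python model contrasts the two behaviours described above: an immediate certificate swap, which leaves every device pinned to the old certificate unable to connect, and a phased change in which the old certificate stays in use until a deadline and each device that checks in before then receives a profile pinned to the new certificate. The pin format (SHA-256 over the certificate bytes), the certificate byte strings and the dates are assumptions constructed for the example. The model also makes the practical caveat visible: the grace period only helps devices that actually connect before the deadline, and the old certificate must still be valid during that window, so the change has to be started before the old certificate expires.

```python
import hashlib
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Constructed placeholders standing in for DER-encoded server certificates.
# EESA pins the server certificate according to the thread; the exact pin format
# is not documented there, so SHA-256 over the certificate bytes is an assumption.
OLD_CERT = b"constructed DER bytes: old wildcard cert, expires 2017-03-16"
NEW_CERT = b"constructed DER bytes: renewed wildcard cert"


def fingerprint(cert_der: bytes) -> str:
    """Pin value a device stores for a server certificate (assumed format)."""
    return hashlib.sha256(cert_der).hexdigest()


class Device:
    """An enrolled device holding a pinned server-certificate fingerprint."""

    def __init__(self, pinned_cert: bytes):
        self.pin = fingerprint(pinned_cert)


class MdmServer:
    def __init__(self, cert: bytes):
        self.cert = cert      # certificate currently presented to devices
        self.pending = None   # (new_cert, old_usable_until) during a phased change

    def change_certificate(self, new_cert: bytes, old_usable_until: Optional[datetime] = None):
        """No deadline: immediate swap (the 6.4-style behaviour). With a deadline:
        keep presenting the old certificate until then and hand each connecting
        device an updated profile pinned to the new one."""
        if old_usable_until is None:
            self.cert, self.pending = new_cert, None
        else:
            self.pending = (new_cert, old_usable_until)

    def handshake(self, device: Device, now: datetime) -> str:
        if self.pending and now >= self.pending[1]:
            self.cert, self.pending = self.pending[0], None   # grace period over

        if self.pending and device.pin == fingerprint(self.pending[0]):
            return "connected"                                # already migrated
        if device.pin != fingerprint(self.cert):
            return "refused_certificate_unknown"              # what the log showed
        if self.pending:
            device.pin = fingerprint(self.pending[0])         # profile replaced
            return "connected_profile_updated"
        return "connected"


def simulate(phased: bool) -> Tuple[str, str]:
    """Constructed timeline: change started 2017-03-10, old cert usable until 2017-03-16.
    Returns the result of a check-in during the window and one after it."""
    start = datetime(2017, 3, 10, tzinfo=timezone.utc)
    deadline = datetime(2017, 3, 16, tzinfo=timezone.utc)
    server = MdmServer(OLD_CERT)
    device = Device(OLD_CERT)
    server.change_certificate(NEW_CERT, deadline if phased else None)
    first = server.handshake(device, start)
    second = server.handshake(device, deadline + timedelta(days=1))
    return first, second


def simulate_late_device() -> str:
    """A device that never checks in during the window stays pinned to the old cert."""
    deadline = datetime(2017, 3, 16, tzinfo=timezone.utc)
    server = MdmServer(OLD_CERT)
    server.change_certificate(NEW_CERT, deadline)
    return server.handshake(Device(OLD_CERT), deadline + timedelta(days=1))


if __name__ == "__main__":
    print("phased change:   ", simulate(True))
    print("immediate change:", simulate(False))
    print("late device:     ", simulate_late_device())
```

The late-device case is the one to plan for: set the deadline long enough to cover devices that are offline for a while, and keep the old certificate installed and unexpired until it passes.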

2 minutes ago, LegacyConnectorSupport said:

Well, the re-enrollment is not that extreme. You just go to the web console and send an email to all your users (assuming you connected MDM with user management in ERA) and hope they click on the link...

I don't have that hope anymore, because that requires an admin password and I'm not going to give the password to them.

I'm f.....ed.


  • ESET Staff

Is your previous certificate still valid?

If yes, you can change back to the previous certificate (immediate timeout).

Then start the normal certificate change process with a timeout, and the devices should be able to reconnect. Theoretically, that is. (Unsure whether the certificate change process handles this scenario well.)

Edited by LegacyConnectorSupport

  • ESET Staff

Possibly a last idea, if you're willing to accept giving users the old password to EESA: you can immediately enforce a new password via policy. So they will have the rights to re-enroll but won't have the rights to manipulate EESA afterwards.

I'll send someone from the droid team here to see if they can suggest any workaround for the password requirement.
