Jump to content

ERA Proxy Certificate Problem


ernestodelisi
 Share

Recommended Posts

Good afternoon,

We have a problem with one of our ERA Proxy, we have an ERA Server on another server.

Scope Time Text
Last replication 2017-Apr-05 14:11:03 Error: CReplicationManager: Replication (network) connection to 'host: "10.100.8.65" port: 2222' failed with: Receive: NodSslWriteEncryptedData: Incorrect/unknown certificate or key format.
Replication security 2017-Apr-05 14:11:03 Error: NodVerifyCertificateChain failed: NodVerifyTrustResult: 6, NVT_NotTrustedRoot, X509ChainStatus: 0x10000, X509CSF_PartialChain
  • Remote host: 10.100.8.65
  • Remote machine certificate is not trusted because signing certificates (CAs) are not trusted or found in system/proxy database
  • Check if signing certificate authority was used during installation of proxy or installed in system

I leave a screenshot of the error and the trace.log attached.

Era Server 10.100.8.65
Era Server 10.100.8.67

Regards!

 

 

 

 

trace.log

Picture 2017-04-05 13_10_36.png

Link to comment
Share on other sites

  • ESET Staff

Technically this error means that PROXY does not trust SERVER's certificate because it is missing CA certificate that was used to sign SERVER certificate. In standard scenario, this CA certificate is part of PROXY installation (provided as parameter) and it is also distributed by SERVER itself.

You mentioned that only one proxy has problems - is there any difference in configuration? Or this PROXY never worked since it was installed? Have you made any changes in ERA certificates since installation, i.e. have you changed SERVER certificate in configuration, or have you remove or revoked any CA certificate?

Link to comment
Share on other sites

  • ESET Staff
2 minutes ago, ernestodelisi said:

It is a new facility, with a new trust certificate. The CA used is the one that was created during the installation.

When installing PROXY, you have to provide CA certificate, that was used to sign currently used SERVER certificate (not CA certificate that was used to sign/create PROXY certificate). From screenshot it is not clear, but my guess is that SERVER certificate was signed by authority named "CA ERA Server", or maybe SERVER is still using certificate created during installation which was most probably signed by "ERA Certification authority"?

Could you please check SERVER configuration (WebConsole -> Admin -> Server Settings) for exact identification of currently used certificate (beware that changes of this setting requires restart to take effect) and matching CA certificate (issuer) has to be used to install PROXY. There does not seems to be SERVER certificate in certificate list you provided, which is non standard and also it prevents us to verify what CA certificate it could be possibly using.

Link to comment
Share on other sites

On 5/4/2017 at 2:42 PM, MartinK said:

When installing PROXY, you have to provide CA certificate, that was used to sign currently used SERVER certificate (not CA certificate that was used to sign/create PROXY certificate). From screenshot it is not clear, but my guess is that SERVER certificate was signed by authority named "CA ERA Server", or maybe SERVER is still using certificate created during installation which was most probably signed by "ERA Certification authority"?

Could you please check SERVER configuration (WebConsole -> Admin -> Server Settings) for exact identification of currently used certificate (beware that changes of this setting requires restart to take effect) and matching CA certificate (issuer) has to be used to install PROXY. There does not seems to be SERVER certificate in certificate list you provided, which is non standard and also it prevents us to verify what CA certificate it could be possibly using.

Thanks you, the problem is solved!

Picture 2017-04-11 12_30_14.png

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...