
Certificate error after restoring database on ERA server



Hi all,

Today I backed up the SQL database on my ERA server (Win 2k8R2, ERA 6.5, SQL Express 2k8R2).

After the backup finished, I tried deleting some things (Agent certificate, Server certificate, policies, groups, ...). After that, I restored my backup database. Everything is OK, almost all clients have connected again. But one client fails and reports the log below.

And when I repair the agent on this client, it can connect normally.

Please help me check this issue. Because if I have about 200 clients, I cannot repair the agent on each client.

THANKS.

errorlog.txt


  • ESET Staff

Hi hungtt,

According to your log, you have a problem with certificates.

  • Why did you back up the DB and then delete the certificates?
  • Was that agent different from the others?

Hi janoo,

I want to ensure that my database backup on the ERA server will work if I restore the database when the server crashes or dies.

  1. All clients automatically reconnected to the ERA server after the database restore; I did not do anything.
  2. Some clients have that issue. When I repair the agent on those clients --> check "Keep currently used certificates" --> these clients connect to the ERA server normally.

Edited by hungtt

  • ESET Staff

What we can see from the log is that the AGENT's certificate has been revoked, which technically means that this certificate can no longer be used. Not sure what you were trying to achieve by removing/revoking certificates, but it seems there are still AGENTs using those certificates.

  • ESET Staff

Hi hungtt, what about the original ERA server, did you remove it? Or have you just switched it off and created a new one? What about the IP address?

Hi Janoo,

When I finished setting up the ERA server and clients, I backed up the database era_db on SQL. After that, I tried removing some things (policies, agent certificate, group, ...) in the ERA web console. After doing that, all clients will not connect to ERA -> sure.

I then restored the earlier era_db backup on THIS ERA SERVER (just restored the database). After the restore finished, almost all clients connected to this ERA server. I mean that some clients fail and I must repair the AGENT on these clients (just repair and KEEP CURRENTLY USED CERTIFICATES on the clients).

  • ESET Staff

Hi, I think the problem is that you deleted (revoked) your peer certificate (agent). This was, however, replicated to only a few agents, and after the DB restore you cannot connect those agents which were revoked.

The solution would be: do not revoke the peer certificate, just restore the DB.

Hi janoo,

Why can almost all clients connect after restoring the database? When I restored the database, all certificates were available.

  • ESET Staff

Hi, the clients which got the information about the revocation are not working; the others are. You should not revoke a certificate which you are planning to use in the future.

Even in the manual, https://help.eset.com/era_admin/65/en-US/index.html?admin_cert_peers.htm

there is information about that:

Quote

The revoke action is irreversible, you will not be able to use a certificate that has been revoked. Make sure there are no ERA Agents left using this certificate before you revoke it.

 

Edited by janoo
provide more info

Hi janoo,

So how do I use this era_db backup on a new ERA server when the old ERA server is not working (hardware crash)?

  • ESET Staff

Hi, you can do it the same way you did it, because if the hardware crashes, certificates are not revoked. When a certificate is revoked, it is put on a blacklist. If there is a software or hardware crash, no revocation happens, so a DB restore would work.
This topic is now closed to further replies.