
ERA Install and Migration of Clients to new ERA



Hello, 

Excuse me if this was already asked and resolved, but I'm quite new to ESET and a bit lost because of that.

One of our clients is having problems upgrading and migrating from the old ERA 6.x to the latest 6.x one. The newer ERA install is running on a different server and IP. It seems they have some certificate issues. Even on the old ERA, clients stopped responding and connecting to ERA in April 2017. Around then their certificate expired and they forgot to renew it.

Deploying the agent from the new ERA install with a new agent certificate doesn't help; we used the default one generated during the ERA install. Machines still don't connect even though the task detail shows everything was OK and the agent was installed. Pushing the new config and certificate to the agent doesn't help either. We even tried completely removing ESET products (agent, antivirus, etc.) from one machine and then redeploying the agent from the new ERA. Same thing: it will not connect. Firewalls are supposedly off according to them; I didn't have a chance to check myself.


Attaching a few logs in case anyone can help me with this problem:


Client trace log:
2017-08-10 14:25:48 Error: NetworkModule [Thread ad8]: Verify user failed for all computers: 192.168.164.12: NodVerifyCertificateChain failed: NodVerifyTrustResult: 6, NVT_NotTrustedRoot, X509ChainStatus: 0x10000, X509CSF_PartialChain
2017-08-10 14:25:48 Error: NetworkModule [Thread ad8]: Receive: NodSslWriteEncryptedData: Incorrect/unknown certificate or key format., ResolvedIpAddress:192.168.164.12, ResolvedHostname:, ResolvedPort:2222
2017-08-10 14:25:48 Error: NetworkModule [Thread ad8]: Protocol failure for session id 11, error:Receive: NodSslWriteEncryptedData: Incorrect/unknown certificate or key format.
2017-08-10 14:25:48 Error: CReplicationModule [Thread 136c]: CReplicationManager: Replication (network) connection to 'host: "opteset.optisis.si" port: 2222' failed with: Receive: NodSslWriteEncryptedData: Incorrect/unknown certificate or key format.

Some server traces:
[root@opteset Agent]# tail trace.log
2017-08-10 11:10:59 Error: CAgentSecurityModule [Thread 7f87ed7fe700]: Certificated user verification failed with: NodVerifyCertificateChain failed: NodVerifyTrustResult: 6, NVT_NotTrustedRoot, X509ChainStatus: 0x1, X509CSF_NotTimeValid
2017-08-10 11:10:59 Error: NetworkModule [Thread 7f87df7fe700]: Verify user failed for all computers: 127.0.0.1: NodVerifyCertificateChain failed: NodVerifyTrustResult: 6, NVT_NotTrustedRoot, X509ChainStatus: 0x1, X509CSF_NotTimeValid
2017-08-10 11:10:59 Error: NetworkModule [Thread 7f87df7fe700]: Receive: NodSslWriteEncryptedData: Internal error in the underlying implementations., ResolvedIpAddress:127.0.0.1, ResolvedHostname:, ResolvedPort:2222
2017-08-10 11:10:59 Error: NetworkModule [Thread 7f87df7fe700]: Protocol failure for session id 559, error:Receive: NodSslWriteEncryptedData: Internal error in the underlying implementations.
2017-08-10 11:10:59 Error: CReplicationModule [Thread 7f8763fff700]: CReplicationManager: Replication (network) connection to 'host: "127.0.0.1" port: 2222' failed with: Receive: NodSslWriteEncryptedData: Internal error in the underlying implementations.
2017-08-10 11:11:19 Error: CAgentSecurityModule [Thread 7f87ed7fe700]: Certificated user verification failed with: NodVerifyCertificateChain failed: NodVerifyTrustResult: 6, NVT_NotTrustedRoot, X509ChainStatus: 0x1, X509CSF_NotTimeValid
2017-08-10 11:11:19 Error: NetworkModule [Thread 7f87df7fe700]: Verify user failed for all computers: 127.0.0.1: NodVerifyCertificateChain failed: NodVerifyTrustResult: 6, NVT_NotTrustedRoot, X509ChainStatus: 0x1, X509CSF_NotTimeValid
2017-08-10 11:11:19 Error: NetworkModule [Thread 7f87df7fe700]: Receive: NodSslWriteEncryptedData: Internal error in the underlying implementations., ResolvedIpAddress:127.0.0.1, ResolvedHostname:, ResolvedPort:2222
2017-08-10 11:11:19 Error: NetworkModule [Thread 7f87df7fe700]: Protocol failure for session id 560, error:Receive: NodSslWriteEncryptedData: Internal error in the underlying implementations.
2017-08-10 11:11:19 Error: CReplicationModule [Thread 7f8763fff700]: CReplicationManager: Replication (network) connection to 'host: "127.0.0.1" port: 2222' failed with: Receive: NodSslWriteEncryptedData: Internal error in the underlying implementations.
[root@opteset Agent]#

[root@opteset Server]# tail trace.log
2017-08-10 10:33:07 Error: CRepositoryModule [Thread 7f415c7f0700]: OnlineInstallers: exception on certificate issuer request: GetCertificateIssuer: First try failed with: GetCertificationAuthorityCertificate: certificate record was not uniquely identified by serial number '01e728fabbc4a94ea586d5d62b1d64835501' (found=0), Second try failed with: Build chain failed with NodVerifyTrustResult: 0, NVT_Trusted, X509ChainStatus: 0x1, X509CSF_NotTimeValid
2017-08-10 10:33:48 Error: CRepositoryModule [Thread 7f415c7f0700]: OnlineInstallers: exception on certificate issuer request: GetCertificateIssuer: First try failed with: GetCertificationAuthorityCertificate: certificate record was not uniquely identified by serial number '01e728fabbc4a94ea586d5d62b1d64835501' (found=0), Second try failed with: Build chain failed with NodVerifyTrustResult: 0, NVT_Trusted, X509ChainStatus: 0x1, X509CSF_NotTimeValid
2017-08-10 10:34:27 Error: CRepositoryModule [Thread 7f415c7f0700]: OnlineInstallers: exception on certificate issuer request: GetCertificateIssuer: First try failed with: GetCertificationAuthorityCertificate: certificate record was not uniquely identified by serial number '01e728fabbc4a94ea586d5d62b1d64835501' (found=0), Second try failed with: Build chain failed with NodVerifyTrustResult: 0, NVT_Trusted, X509ChainStatus: 0x1, X509CSF_NotTimeValid
2017-08-10 10:35:08 Error: CRepositoryModule [Thread 7f415c7f0700]: OnlineInstallers: exception on certificate issuer request: GetCertificateIssuer: First try failed with: GetCertificationAuthorityCertificate: certificate record was not uniquely identified by serial number '01e728fabbc4a94ea586d5d62b1d64835501' (found=0), Second try failed with: Build chain failed with NodVerifyTrustResult: 0, NVT_Trusted, X509ChainStatus: 0x1, X509CSF_NotTimeValid
2017-08-10 10:53:44 Error: CRepositoryModule [Thread 7f415c7f0700]: OnlineInstallers: exception on certificate issuer request: GetCertificateIssuer: First try failed with: GetCertificationAuthorityCertificate: certificate record was not uniquely identified by serial number '01e728fabbc4a94ea586d5d62b1d64835501' (found=0), Second try failed with: Build chain failed with NodVerifyTrustResult: 0, NVT_Trusted, X509ChainStatus: 0x1, X509CSF_NotTimeValid
2017-08-10 11:09:07 Error: CRepositoryModule [Thread 7f415c7f0700]: Error retrieving packages: No such product 'com.eset.apps.business.eslc.linux'
[root@opteset Server]#
 

 

Best regards,

Gregor


  • ESET Staff

I will add some hints/questions, as it is almost impossible to understand what is going on without more details.

  • In the log from the so-called "managing" AGENT (installed on the same machine as SERVER), we can see:
    2017-08-10 11:11:19 Error: NetworkModule [Thread 7f87df7fe700]: Verify user failed for all computers: 127.0.0.1: NodVerifyCertificateChain failed: NodVerifyTrustResult: 6, NVT_NotTrustedRoot, X509ChainStatus: 0x1, X509CSF_NotTimeValid

    which tells us that AGENT is not able to connect to SERVER on localhost because SERVER's certificate or CA certificate used to sign it is valid in terms of time (X509CSF_NotTimeValid).

  • In SERVER's log there are multiple failures of installer creation. During installer preparation, it is required to find the CA certificate that was used to sign the currently used SERVER certificate (i.e. the one set in server settings), and this fails with:
    2017-08-10 10:33:07 Error: CRepositoryModule [Thread 7f415c7f0700]: OnlineInstallers: exception on certificate issuer request: GetCertificateIssuer: First try failed with: GetCertificationAuthorityCertificate: certificate record was not uniquely identified by serial number '01e728fabbc4a94ea586d5d62b1d64835501' (found=0), Second try failed with: Build chain failed with NodVerifyTrustResult: 0, NVT_Trusted, X509ChainStatus: 0x1, X509CSF_NotTimeValid

    the same problem = the CA certificate that was found is currently not valid, it is expired.

You mentioned, that this server is newly installed, and I would expect that newly generated certificate will be valid -> this brings us to question: have you changed SERVER certificate in server settings of newly installed SERVER? Or this is not even log from newly installed SERVER? Have you imported old CA certificate from old SERVER to newly installed one?

Regarding the error on the remote client, the following entry:

2017-08-10 14:25:48 Error: NetworkModule [Thread ad8]: Verify user failed for all computers: 192.168.164.12: NodVerifyCertificateChain failed: NodVerifyTrustResult: 6, NVT_NotTrustedRoot, X509ChainStatus: 0x10000, X509CSF_PartialChain

means that AGENT is not able to connect to SERVER hosted on 192.168.164.12 because it is missing correct CA certificate, i.e. AGENT is missing CA certificate used to sign SERVER certificate. Is this client reinstalled? Is it connecting to correct IP address of new SERVER?

Regardless of possible issues, in case AGENTs are no longer able to connect to the old SERVER because of an invalidated or expired certificate, there won't be any simple migration possible -> those AGENTs have to be "repaired" so that the new hostname and certificates are applied. Repair may be performed by running the AGENT installer (live, bundle) with the new certificate. Just be aware that the new certificate won't be applied during an upgrade. For example, if your "lost" AGENT has version 6.4 and you are using the 6.5 installer, an upgrade will be performed, not a repair. For repairing, another execution of the installer will be required.

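The log reading in the reply above can be automated when many agents are affected. This is an added example, not part of the original posts and not ESET code: it re-joins hard-wrapped records, extracts the trust result and chain-status flag, and counts failures per peer. The `DIAGNOSIS` wording and the function names are assumptions; the sample lines are copied from the logs quoted in this thread.

```python
import re
from collections import Counter

# Meanings as given in the reply above; any other flag name is reported as unexplained.
DIAGNOSIS = {
    "X509CSF_NotTimeValid": "certificate or its signing CA certificate is not valid in time (e.g. expired)",
    "X509CSF_PartialChain": "CA certificate that signed the peer's certificate is missing on this side",
}
STAMP = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} ")
CHAIN = re.compile(r"NodVerifyTrustResult:\s*\d+,\s*(?P<trust>NVT_\w+),\s*"
                   r"X509ChainStatus:\s*0x[0-9a-fA-F]+,\s*(?P<flag>X509CSF_\w+)")
PEER = re.compile(r"Verify user failed for all computers: (?P<peer>[^:\s]+):")

# Lines copied from the logs quoted in this thread; the first record is hard-wrapped, as posted.
SAMPLE = """\
2017-08-10 14:25:48 Error: NetworkModule [Thread ad8]: Verify user failed for all computers: 192.168.164.12: NodVerifyCertificateChain failed: NodVerifyTrustResult:
6, NVT_NotTrustedRoot, X509ChainStatus: 0x10000, X509CSF_PartialChain
2017-08-10 11:10:59 Error: NetworkModule [Thread 7f87df7fe700]: Verify user failed for all computers: 127.0.0.1: NodVerifyCertificateChain failed: NodVerifyTrustResult: 6, NVT_NotTrustedRoot, X509ChainStatus: 0x1, X509CSF_NotTimeValid
2017-08-10 11:10:59 Error: NetworkModule [Thread 7f87df7fe700]: Protocol failure for session id 559, error:Receive: NodSslWriteEncryptedData: Internal error in the underlying implementations.
2017-08-10 11:11:19 Error: NetworkModule [Thread 7f87df7fe700]: Verify user failed for all computers: 127.0.0.1: NodVerifyCertificateChain failed: NodVerifyTrustResult: 6, NVT_NotTrustedRoot, X509ChainStatus: 0x1, X509CSF_NotTimeValid
"""


def join_wrapped(text):
    """Re-join wrapped records: a line without a leading timestamp continues the previous one."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if STAMP.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def triage(text):
    """Count chain-verification failures per (peer, trust result, chain flag)."""
    counts = Counter()
    for record in join_wrapped(text):
        chain = CHAIN.search(record)
        if chain:  # records without a chain status (e.g. protocol failures) are skipped
            peer = PEER.search(record)
            counts[(peer["peer"] if peer else "-", chain["trust"], chain["flag"])] += 1
    return [{"peer": p, "trust": t, "flag": f, "count": n,
             "meaning": DIAGNOSIS.get(f, "not explained in this thread")}
            for (p, t, f), n in sorted(counts.items())]


if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

Run over an agent's full `trace.log`, the peer column shows which SERVER address the AGENT is actually contacting, which answers the reply's question about whether the client is connecting to the correct IP.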

Yes got that far from logs and everything that there are outdated certificates from old server. 

Not really sure from which server logs were provided. I suppose they are from new server but I'll check tomorrow with client for sure.

Yes, the new server is a fresh install beside the old one, on another server or VM. As far as I know nothing was migrated. I'm sure certificates were not imported since I checked that myself.

For testing purposes, on one of the machines we pushed a new agent deployment with a newly generated certificate which is valid. The task said the agent was installed successfully but the computer never appeared as managed in ERA.

Client also tried to uninstall everything ESET related from the test machine and pushed install again without any luck. That part they did on their own, so I'm not that sure what was actually performed. 


We fixed the new ERA install. Somehow the certificate on the new server was also wrong. Probably they had imported some old certificates. We changed the server certificate and redeployed agents with new certificates. That solved our problem, and clients started talking to the server.

Case closed, thank you for help.
