"HTTPS certificate chain is incomplete. Enrollment is not allowed" after update to MDM 7.0.394


After upgrading MDM to version 7.0.394, I got the critical alert "ESET HTTPS certificate chain is incomplete. Enrollment is not allowed".

I already tried to download the CA .der certificate and install it on the server, without success.

These are my installed modules:

ESET Security Management Center (Server), Version 7.0 (7.0.553.0)
ESET Security Management Center (Web Console), Version 7.0 (7.0.413.0)
Copyright (c) 1992-2018 ESET, spol. s r.o. All Rights Reserved.
Microsoft Windows Server 2008 R2 Enterprise (64 bit), Version 6.1.7601 Service Pack 1

Installed Components (name and version):
Update module 1072 (20180813)
Translation support module 1704 (20180725)
Configuration module 1663.13 (20180709)
SysInspector module 1273 (20180523)
SSL module 1028 (20180626)
Push Notification Service module 1047 (20180717)

Database info:
DB Name: ERA
DB Version: Microsoft SQL Server 2008 R2 (SP3) Enterprise Edition 10.50.6220.0
DB Size: 191MB
DB Hostname: TITAN7
DB User: ERA

  • ESET Staff

Hello, the security requirements have been tightened a bit for MDC 7.0. To improve interoperability with iOS and 3rd-party-signed certificates, the MDC now (7.0) needs the HTTPS certificate to include the complete certificate chain, including the root CA.

A certificate generated by 6.5 ERA does not have the root CA stored inside it, so it will no longer work with MDC 7.0. You can either generate a new HTTPS certificate using the new ESMC 7.0, or you can use tools like OpenSSL to add the ERA CA into the HTTPS certificate PFX file, then apply the new certificate to MDC through a policy.

MDC should perform a cert-change on all currently enrolled devices, so it is not necessary to re-enroll.


Thank you for the reply.

I've generated a new MDM certificate from the ERA Peer Certificate section, with ERA root authority, but I don't know how to assign and enable it for the MDC https.

Thanks

Maurizio

 


  • ESET Staff

Hello,

based on your screenshot, I'd say there are two things wrong. @Marcos has pointed you to the wrong certificate - the one you should be modifying is "HTTPS certificate" in "General". And the certificate you're trying to set is wrong - it says "Proxy certificate" (which is correct for the Connection's certificate - that's what's used for communication to the ESMC server, but it's wrong for the HTTPS certificate). You need to generate a certificate with a hostname matching your MDC's hostname and set it as the HTTPS certificate.


  • ESET Staff

No, just MDC, it will distribute the new certificate to all the devices on its own ("CertChange") and clear the warning once it's been done.

Note that MDC will wait for all the devices to connect (because they need to update the certificate to be trusted); there's a timeout setting in the policy next to the HTTPS certificate that specifies when to apply the new certificate even if not all the devices have connected yet (in such a case, the devices that failed to connect will not be able to connect anymore and will need to be re-enrolled; for this reason it's smart to set the timeout quite large, the default is one month).

Thank you, actually I have this warning, so I think the changes are going on:

"ESET HTTPS certificate change still in progress. The old certificate is still being used"


I've encountered the same issue when upgrading to version 7. I see from this thread that the root certificate needs to be included, but even after providing such a certificate I'm still getting the same error. Just to ensure that the full certificate chain is there, I verified it using the openssl verify command. I've also verified that the root certificate is present in the /etc/ssl/certs/* folder (Ubuntu). See below.

Verified the certificate:

$ openssl verify -CAfile comodo-rsa-domain-validation-sha-2-w-root.ca-bundle my.domain.com.crt
my.domain.com.crt: OK

I then produced the pfx file using the following command:

$ openssl pkcs12 -export -out my.domain.com.pfx -inkey my.domain.com.key -in my.domain.com.crt -certfile comodo-rsa-domain-validation-sha-2-w-root.ca-bundle

Certificate was successfully generated and upon inspection using "openssl pkcs12 -info" command I can see that the full chain is in there. However, after applying this HTTPS certificate to the policy I'm still getting the error below.

ModSslCertTools: P12 verification failed with error: unable to get local issuer certificate

Any input on what I'm doing wrong would be much appreciated.


On 9/17/2018 at 4:40 PM, Bazze said: [previous post quoted in full]

Update: Today the warnings and errors are gone and no longer showing up. So seems that my certificate generated according to my last post worked fine after all, just took some time for the warnings & errors to clear...


  • ESET Staff

The HTTPS certificate isn't changed immediately. In the settings where you change the certificate there is also a timeout for applying this certificate.

MDM does this delayed exchange because the new trust needs to be applied to the devices (essentially the CA from the certificate is first distributed to the devices, then MDM switches to the new certificate).

We'll look into how to communicate this more clearly.


On 9/11/2018 at 11:15 PM, MichalJ said: [post quoted in full above]

Hi Michal,

Am I able to import my internal CA certificate and use it to sign the newly generated MDC certificate?


  • ESET Staff

Hello jethro,

You can do that, but then the certificate won't be trusted by default by the mobile devices, so upon enrollment every device's user will have to click "trust this certificate".


Hi,

I am using ESET ERA on a VPS with Ubuntu 16.04 x64, and I used a Letsencrypt certificate for HTTPS.

While on version 6 of ESET, I used the following command to generate the required .pfx file for MDC:

sudo openssl pkcs12 -inkey /etc/letsencrypt/live/my.domain/privkey.pem -in /etc/letsencrypt/live/my.domain/fullchain.pem -export -out /etc/letsencrypt/live/my.domain/certificate.pfx -password pass:pass123

 

However, now that I am on version 7, ESET gives an alert that 'HTTPS certificate chain is incomplete. Enrollment is not allowed'. Can anyone please give a step-by-step guide on how to include the root CA certificate of Letsencrypt in the .pfx file so that it is accepted by ESET 7?

 

Thanks


  • ESET Staff

Hello,

I would have to see /etc/letsencrypt/live/my.domain/fullchain.pem, however I assume it doesn't really contain the CA certificate.

I think it would be enough to append the CA certificate to the above-mentioned file and run the same command. The CA certificate in this case would be at 1)

HTH.

1) https://letsencrypt.org/certs/isrgrootx1.pem.txt

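The two situations in this thread (Bazze's export with -certfile further up, and the Let's Encrypt fullchain.pem case just above) can be reproduced and checked offline before a PFX is pushed through a policy. The script below is an added example, not code from the thread or from ESET's own tooling: it creates a throwaway root/intermediate/leaf PKI with openssl, exports the leaf once from a certbot-style fullchain.pem (leaf plus intermediate, no root) and once from the same file with the root appended as the reply suggests, then checks each PFX by verifying the extracted leaf against only the CA certificates found inside that same PFX. Treating the container as the only source of trust is an assumption about what the MDC check needs, drawn from the replies in this thread rather than from ESET documentation; the subject names, the hostname mdm.example.test and the password demo are constructed values.

```shell
#!/bin/sh
# Added example, not code from the ESET thread or from ESET: build a throwaway
# root -> intermediate -> leaf PKI, export the leaf into two PFX containers (one
# from a certbot-style fullchain.pem, one with the root CA appended) and check
# which container carries a chain that verifies using only the CA certificates
# stored inside it. All names, mdm.example.test and the password "demo" are
# constructed values.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl binary required" >&2; exit 0; }

# make_demo_pki DIR: writes root, int and leaf key/cert pairs into DIR.
make_demo_pki() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:mdm.example.test\n' > "$d/leaf.ext"
    for name in root int leaf; do
        case $name in
            root) subj='/CN=Demo Root CA' ;;
            int)  subj='/CN=Demo Intermediate CA' ;;
            leaf) subj='/CN=mdm.example.test' ;;
        esac
        openssl req -new -newkey rsa:2048 -nodes -subj "$subj" \
            -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null
    done
    # Self-signed root; the root signs the intermediate; the intermediate signs the leaf.
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 \
        -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
        -days 30 -extfile "$d/ca.ext" -out "$d/int.crt" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" -CAcreateserial \
        -days 30 -extfile "$d/leaf.ext" -out "$d/leaf.crt" 2>/dev/null
}

# export_pfx KEY CHAIN_PEM OUT: same shape as the pkcs12 commands in the thread.
# The leaf must come first in CHAIN_PEM; every other certificate in the file is
# stored in the container as a CA certificate.
export_pfx() {
    openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout pass:demo 2>/dev/null
}

# pfx_chain_complete PFX: returns 0 when the leaf inside PFX verifies up to a
# self-signed root using only the CA certificates that are also inside PFX.
# -no-CApath plus an empty SSL_CERT_DIR keep the host's /etc/ssl/certs out of
# the check, so a root that is installed on the system but missing from the
# PFX does not help here.
pfx_chain_complete() {
    pfx=$1
    t=$(mktemp -d)
    mkdir "$t/empty"
    openssl pkcs12 -in "$pfx" -passin pass:demo -nokeys -clcerts -out "$t/leaf.pem" 2>/dev/null
    openssl pkcs12 -in "$pfx" -passin pass:demo -nokeys -cacerts -out "$t/cas.pem" 2>/dev/null
    ncas=$(grep -c 'BEGIN CERTIFICATE' "$t/cas.pem" || true)
    if msg=$(SSL_CERT_DIR="$t/empty" openssl verify -no-CApath -CAfile "$t/cas.pem" "$t/leaf.pem" 2>&1); then
        rc=0
    else
        rc=1
    fi
    printf '%s: %s CA certificate(s) in container\n%s\n' "$(basename "$pfx")" "$ncas" "$msg"
    rm -rf "$t"
    return $rc
}

DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
make_demo_pki "$DEMO"
# What certbot's fullchain.pem looks like: leaf followed by the intermediate, no root.
cat "$DEMO/leaf.crt" "$DEMO/int.crt" > "$DEMO/fullchain.pem"
# The suggested fix: append the root CA to that file and run the same export again.
cat "$DEMO/fullchain.pem" "$DEMO/root.crt" > "$DEMO/fullchain-with-root.pem"
export_pfx "$DEMO/leaf.key" "$DEMO/fullchain.pem" "$DEMO/incomplete.pfx"
export_pfx "$DEMO/leaf.key" "$DEMO/fullchain-with-root.pem" "$DEMO/complete.pfx"

for f in incomplete complete; do
    if pfx_chain_complete "$DEMO/$f.pfx"; then
        echo "$f.pfx: chain complete, the root CA travels inside the container"
    else
        echo "$f.pfx: chain incomplete, MDC 7.0 would refuse this one"
    fi
done
```

Run it with sh; the first container fails verification even though the intermediate is present (openssl will not accept a non-self-signed certificate as the end of a chain without -partial_chain), the second passes. To check a real PFX, call pfx_chain_complete on it with the container's own password in place of demo. The point of -no-CApath and the empty SSL_CERT_DIR is that openssl verify otherwise consults the system trust store, which would mask exactly the problem Bazze describes: a root that is in /etc/ssl/certs but not in the PFX.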
