Maurizio

"HTTPS certificate chain is incomplete. Enrollment is not allowed" after update to MDM 7.0.394


After upgrading MDM to version 7.0.394, I got the critical alert "ESET HTTPS certificate chain is incomplete. Enrollment is not allowed".

I already tried to download the CA .der certificate and install it on the server, without success.

These are my installed modules:

ESET Security Management Center (Server), Version 7.0 (7.0.553.0)
ESET Security Management Center (Web Console), Version 7.0 (7.0.413.0)
Copyright (c) 1992-2018 ESET, spol. s r.o. All Rights Reserved.
Microsoft Windows Server 2008 R2 Enterprise (64 bit), Version 6.1.7601 Service Pack 1

Installed Components (NAME VERSION):

Update module 1072 (20180813)
Translation support module 1704 (20180725)
Configuration module 1663.13 (20180709)
SysInspector module 1273 (20180523)
SSL module 1028 (20180626)
Push Notification Service module 1047 (20180717)
Database info:
DB Name: ERA
DB Version: Microsoft SQL Server 2008 R2 (SP3) Enterprise Edition 10.50.6220.0
DB Size: 191MB
DB Hostname: TITAN7
DB User: ERA


Hello, the security requirements have been tightened a bit for MDC 7.0. To improve interoperability with iOS and 3rd-party-signed certificates, the MDC now (7.0) needs the HTTPS certificate to include the complete certificate chain, including the root CA.

A certificate generated by 6.5 ERA does not have the root CA stored inside it, so it will no longer work with MDC 7.0. You can either generate a new HTTPS certificate using the new ESMC 7.0, or you can use tools like OpenSSL to add the ERA CA into the HTTPS certificate PFX file, then apply the new certificate to MDC through a policy.

MDC should perform a cert-change on all currently enrolled devices, so it is not necessary to re-enroll.


Thank you for the reply.

I've generated a new MDM certificate from the ERA Peer Certificate section, with ERA root authority, but I don't know how to assign and enable it for the MDC https.

Thanks

Maurizio

 


I've created the new policy, but I still have the same critical alert. Mobile devices are connecting, without errors, like before.

[screenshot: policy]

[screenshot: alert]


Hello,

based on your screenshot, I'd say there are two things wrong. @Marcos has pointed you to the wrong certificate - the one you should be modifying is "HTTPS certificate" in "General". And the certificate you're trying to set is wrong - it says "Proxy certificate" (which is correct for the Connection's certificate - that's what's used for communication to the ESMC server, but it's wrong for the HTTPS certificate). You need to generate a certificate with a hostname matching your MDC's hostname and set it as the HTTPS certificate.

[screenshot: policy settings]



Hello, thank you for the reply.

Does the policy have to be applied only to the MDC server, or also to all the mobile devices?

Thanks

Maurizio



No, just MDC, it will distribute the new certificate to all the devices on its own ("CertChange") and clear the warning once it's been done.

Note that MDC will wait for all the devices to connect (because they need to update the certificate to be trusted); there's a timeout setting in the policy next to the HTTPS certificate that specifies when to apply the new certificate even if not all the devices have connected yet (in such a case, the devices that failed to connect will not be able to connect anymore and will need to be re-enrolled; for this reason it's smart to set the timeout quite large, the default is one month).



Thank you; actually I have this warning now, so I think the change is going on:

"ESET HTTPS certificate change still in progress. The old certificate is still being used"


I've encountered the same issue when upgrading to version 7. I see from this thread that the root certificate needs to be included, but even after providing such a certificate I'm still getting the same error. Just to ensure that the full certificate chain is there I verified it using openssl verify command. I've also verified that the root certificate is present in /etc/ssl/certs/* folder (Ubuntu). See below.

Verified the certificate:

$ openssl verify -CAfile comodo-rsa-domain-validation-sha-2-w-root.ca-bundle my.domain.com.crt
my.domain.com.crt: OK

I then produced the pfx file using the following command:

$ openssl pkcs12 -export -out my.domain.com.pfx -inkey my.domain.com.key -in my.domain.com.crt -certfile comodo-rsa-domain-validation-sha-2-w-root.ca-bundle

Certificate was successfully generated and upon inspection using "openssl pkcs12 -info" command I can see that the full chain is in there. However, after applying this HTTPS certificate to the policy I'm still getting the error below.

ModSslCertTools: P12 verification failed with error: unable to get local issuer certificate

Any input on where I'm going wrong would be much appreciated.

Edited by Bazze

On 9/17/2018 at 4:40 PM, Bazze said:

I've encountered the same issue when upgrading to version 7. I see from this thread that the root certificate needs to be included, but even after providing such a certificate I'm still getting the same error. Just to ensure that the full certificate chain is there I verified it using the openssl verify command. I've also verified that the root certificate is present in the /etc/ssl/certs/* folder (Ubuntu). See below.

Verified the certificate:

$ openssl verify -CAfile comodo-rsa-domain-validation-sha-2-w-root.ca-bundle my.domain.com.crt
my.domain.com.crt: OK

I then produced the pfx file using the following command:

$ openssl pkcs12 -export -out my.domain.com.pfx -inkey my.domain.com.key -in my.domain.com.crt -certfile comodo-rsa-domain-validation-sha-2-w-root.ca-bundle

Certificate was successfully generated and upon inspection using the "openssl pkcs12 -info" command I can see that the full chain is in there. However, after applying this HTTPS certificate to the policy I'm still getting the error below.

ModSslCertTools: P12 verification failed with error: unable to get local issuer certificate

Any input on where I'm going wrong would be much appreciated.

Update: Today the warnings and errors are gone and no longer showing up. So it seems that my certificate generated according to my last post worked fine after all; it just took some time for the warnings & errors to clear...


The HTTPS certificate isn't changed immediately. In the settings where you change the certificate there is also a timeout for applying this certificate.

MDM does this delayed exchange because the devices need to have the new trust applied (essentially the CA from the certificate is first distributed to the devices, then MDM switches to the new certificate).

We'll look into how to communicate this more clearly.

On 9/11/2018 at 11:15 PM, MichalJ said:

Hello, the security requirements have been tightened a bit for MDC 7.0. To improve interoperability with iOS and 3rd-party-signed certificates, the MDC now (7.0) needs the HTTPS certificate to include the complete certificate chain, including the root CA.

A certificate generated by 6.5 ERA does not have the root CA stored inside it, so it will no longer work with MDC 7.0. You can either generate a new HTTPS certificate using the new ESMC 7.0, or you can use tools like OpenSSL to add the ERA CA into the HTTPS certificate PFX file, then apply the new certificate to MDC through a policy.

MDC should perform a cert-change on all currently enrolled devices, so it is not necessary to re-enroll.

Hi Michal,

Am I able to import my internal CA certificate and use it to sign the newly generated MDC certificate?


Hello jethro,

You can do that, but then the certificate won't be trusted by default by the mobile devices, so upon enrollment every device's user will have to click "trust this certificate".


Hi,

I am using ESET ERA on a VPS with Ubuntu 16.04 x64, and I use a Let's Encrypt certificate for HTTPS.

While on version 6 of ESET, I used the following command to generate the required .pfx file for MDC:

sudo openssl pkcs12 -inkey /etc/letsencrypt/live/my.domain/privkey.pem -in /etc/letsencrypt/live/my.domain/fullchain.pem -export -out /etc/letsencrypt/live/my.domain/certificate.pfx -password pass:pass123


However, now that I am on version 7, ESET gives the alert 'HTTPS certificate chain is incomplete. Enrollment is not allowed'. Can anyone please give a step-by-step guide on how to include the root CA certificate of Let's Encrypt in the .pfx file so that it is accepted by ESET 7?


Thanks


Hello,

I would have to see /etc/letsencrypt/live/my.domain/fullchain.pem, however I assume it doesn't really contain the CA certificate.

I think it would be enough to append the CA certificate to the above-mentioned file and run the same command. The CA certificate in this case would be at 1)

HTH.

1) https://letsencrypt.org/certs/isrgrootx1.pem.txt

Edited by Mirek S.

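Bazze's openssl verify and pkcs12 -export commands above, and Mirek S.'s advice to append the Let's Encrypt root before exporting, come down to one check: do the certificates carried inside the PFX, on their own, reach a self-signed root? The script below is an added example, not ESET's tooling and not code from any poster: it builds a PFX in the same openssl pkcs12 -export form, once with and once without the root, and tests each using only the certificates extracted from the PFX as trust anchors. The three-tier PKI, the hostname mdc.example.test and the password pass123 are constructed for the demo; with real certificates, point build_pfx at your key, leaf and chain files instead.

```shell
#!/bin/sh
# Added example (not ESET's code): build the MDC HTTPS PKCS#12 as in the thread,
# then check offline that the certs inside it reach a self-signed root, which is
# the "complete chain" MDC 7 requires. A throwaway PKI is generated for the demo.
set -eu
WORK=$(mktemp -d); mkdir "$WORK/empty"   # empty -CApath keeps the system store out

make_test_pki() {   # constructed root -> intermediate -> leaf, CA:TRUE on both CAs
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign\n' >"$WORK/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Root" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$WORK/int.csr" -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/ca.ext" \
    -out "$WORK/int.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=mdc.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$WORK/leaf.csr" -CA "$WORK/int.pem" \
    -CAkey "$WORK/int.key" -CAcreateserial -out "$WORK/leaf.pem" 2>/dev/null
  cat "$WORK/int.pem" "$WORK/root.pem" >"$WORK/chain_full.pem"  # fullchain + root
}

# build_pfx OUT KEY LEAF EXTRA_CERTS PASSWORD: the pkcs12 -export form from the
# thread; for MDC 7 EXTRA_CERTS must hold the intermediate(s) AND the root.
build_pfx() {
  openssl pkcs12 -export -out "$1" -inkey "$2" -in "$3" -certfile "$4" -passout "pass:$5"
}

# pfx_chain_complete PFX PASSWORD: succeeds only if the CA certs carried in the
# PFX by themselves verify the leaf up to a self-signed root (no system trust).
pfx_chain_complete() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts -out "$WORK/chk_leaf.pem" 2>/dev/null
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -cacerts -out "$WORK/chk_ca.pem" 2>/dev/null
  nostore=""   # OpenSSL 3 also consults a default store unless told not to
  openssl verify -help 2>&1 | grep -q -- '-no-CAstore' && nostore="-no-CAstore"
  openssl verify $nostore -CAfile "$WORK/chk_ca.pem" -CApath "$WORK/empty" \
    "$WORK/chk_leaf.pem" >/dev/null 2>&1
}

make_test_pki
build_pfx "$WORK/full.pfx" "$WORK/leaf.key" "$WORK/leaf.pem" "$WORK/chain_full.pem" pass123
build_pfx "$WORK/noroot.pfx" "$WORK/leaf.key" "$WORK/leaf.pem" "$WORK/int.pem" pass123
for f in full noroot; do
  if pfx_chain_complete "$WORK/$f.pfx" pass123; then echo "$f.pfx: chain complete"
  else echo "$f.pfx: chain incomplete (MDC 7 would reject it)"; fi
done
```

The noroot.pfx case reproduces the situation in the thread: the intermediate is present but its issuer is not, so verification cannot reach a trust anchor and MDC stays on the old certificate.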
