BaldNerd (posted September 27, 2019)
Hi all, 🤓 I understand MDC requires the certificate fullchain, and since my ESMC is on a subdomain, I am using Let's Encrypt for the console cert. It works great. However, I want to also use this cert for my MDC, and I'm simply unsure how to do this.
A little about my setup:
- This is a Linux-based ESMC server (irrelevant really, but just getting that out of the way before anyone tries to tell me to do some Windows witchcraft 😏)
- ESMC Server v7.0.471.0 / ESMC Web Console v7.0.429.0 / MDC v7.0.528.0
- I have Let's Encrypt certificates generated for the subdomain where my ESMC server resides. It works fine, and the cert shows correctly in the browser (no self-signed cert for my ESMC browser session).
- I have a Java Keystore, which I use for Tomcat9's server entry. The keystore contains the Let's Encrypt cert.
- My CSR (which is used to generate the Let's Encrypt cert) is generated from the keystore.
- I generate a PFX from the Let's Encrypt cert, and this PFX is available if needed (e.g., it could be used within a config).
- I've tried adding my Let's Encrypt cert to my system's ca-certificates store, to no effect.
The ESMC interface shows that my MDC is in this state: "ESET HTTPS certificate chain is incomplete. Enrollment is not allowed"
So, I think I have all the bits and pieces needed, but am unclear how to set up MDC to use my cert. The kbase articles I find are obsolete, with the only one I can find that looks reasonably recent saying not to do the steps on MDC 7+.
Thanks in advance for taking the time to assist.
Robbie // The Bald Nerd
janoo (ESET Staff, posted September 30, 2019)
Hi, first of all, you can also look at the Online Documentation https://help.eset.com/esmc_admin/70/en-US/?mdm_setup_and_settings.html which is more up to date than the KBase. What certificates did you use during the MDC installation?
Mirek S. (ESET Staff, posted September 30, 2019, edited)
Hello, MDC requires the root CA certificate (and the entire chain) within the PFX file (certificate authorities usually don't add their root CA). You'll need to convert the PFX to PEM, append the CA certificate to this PEM and convert it back to PFX. This is required because we need to install the root CA onto devices and we have no idea if there is pre-established trust. This changed in v7, where having the root CA in the Windows certificate store was "good enough".
BaldNerd (posted October 1, 2019)
Thank you @janoo and @Mirek S.. I'll look at the docs provided there, which do look more current; great. Re. my certificate, I'm directly using the Let's Encrypt pem files to create the pfx as follows:
openssl pkcs12 -inkey privkey.pem -in fullchain.pem -export -out letsencrypt.pfx -password pass:*******
Then, that pfx file is passed to mdmcore-linux-x86_64.sh during installation with the 'https-cert-path' switch. From there, I'm not sure where to go. MDC is installed as per my first post, and shows the error in ESMC as per above. Please let me know what you suggest.
Thanks, Robbie // The Bald Nerd
Mirek S. (ESET Staff, posted October 2, 2019)
Hello, please upload fullchain.pem. I'll determine which root CA is missing (one vendor can have multiple CAs) and write a step-by-step guide here. M.
BaldNerd (posted October 2, 2019)
Thanks @Mirek S. fullchain.pem is generated by letsencrypt certbot. As you likely already know, this file is the concatenation of cert.pem and chain.pem (the public cert + the chain). So, here is what mine looks like:
Your comment about a possible missing CA made me think (facepalm)
about my CSR: Perhaps I should be using 0001_chain.pem instead of fullchain.pem! After all, I am providing my own CSR as previously stated. I just expected my CSR would be part of the fullchain.pem, but running diff between the two fullchain pem files (fullchain.pem, 0001_chain.pem), they're not a match. Thoughts?
Thanks! Robbie // The Bald Nerd
Mirek S. (ESET Staff, posted October 2, 2019, edited)
Hello, your chain is missing the root CA; in this case it's "DST Root CA X3": https://www.identrust.com/dst-root-ca-x3 You can simply append it to your chain and convert to PFX again. For "simplicity" we decided both the root CA and the chain have to be in the configured PKCS#12 (PFX), as most customers use ESMC-generated certificates. This added some overhead for those who have their certificates signed by third-party certification authorities, as those usually don't include the root CA (there is no reason for them to) in the files they provide to their customers. HTH, M.
BaldNerd (posted October 2, 2019)
Thanks @Mirek S. I've added the root CA to my fullchain as instructed, re-created the PFX, and even re-compiled MDC against the new PFX just to be sure... restarted the eraserver, tomcat9 and eramdmcore services, sent a wakeup call, and still see the same error after several minutes of waiting: "HTTPS certificate chain is incomplete. Enrollment is not allowed." I even rebooted the entire server just to ensure it wasn't a service I missed caching the old chain. Any suggestions?
Thanks! Robbie // The Bald Nerd
Mirek S. (ESET Staff, posted October 2, 2019, edited)
I'm unsure we can solve this here; a better option would be a customer care ticket. Some possible issues preventing the new certificate from being applied come to mind:
- connectivity between the MDM Management Agent and Server (policy was not applied)
- you have some devices enrolled into MDM, which causes the previous certificate to still be used. You can enforce an immediate certificate switch via the timeout in the policy (next to the HTTPS certificate upload in the policy editor). A premature change could however break connectivity for devices which don't manage to update their trust settings with the MDM server.
It is also possible that the "-in" openssl argument of pkcs12 works differently across different openssl versions and didn't actually add the chain (but only the certificate). Please verify that there are 3 certificates printed out with "openssl pkcs12 -in yourpkcs12.pfx". HTH, M.
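Putting the two steps from these replies together (append the root CA to the chain, then confirm that three certificates come out of the PFX), the following script is an added example written for this thread, not code from the posters or from ESET. It assumes certbot's privkey.pem and fullchain.pem plus a separately downloaded root.pem; passing the root via -certfile and the output file names are my own choices.

```shell
#!/bin/sh
# Added example (not the thread's or ESET's code): build the PKCS#12 MDC expects
# from certbot's privkey.pem + fullchain.pem plus the issuer's root certificate
# (root.pem, fetched separately; in the thread that is "DST Root CA X3"), after
# checking that the PEM chain really ends in a self-signed root.
set -eu

# Walk a PEM bundle in order: each issuer must match the next subject and the
# last certificate must be self-signed. Returns 1 and explains on stderr if not.
chain_is_complete() {
  bundle=$1
  dir=$(mktemp -d)
  n=$(awk -v d="$dir" '/BEGIN CERTIFICATE/{n++} n>0{print > (d "/" n ".pem")}
                       END{print n+0}' "$bundle")
  [ "$n" -gt 0 ] || { echo "no certificates in $bundle" >&2; rm -rf "$dir"; return 1; }
  i=1; prev_iss=""; last_subj=""
  while [ "$i" -le "$n" ]; do
    subj=$(openssl x509 -in "$dir/$i.pem" -noout -subject | sed 's/^subject=//')
    iss=$(openssl x509 -in "$dir/$i.pem" -noout -issuer | sed 's/^issuer=//')
    if [ -n "$prev_iss" ] && [ "$prev_iss" != "$subj" ]; then
      echo "chain break: cert $((i-1)) was issued by '$prev_iss', cert $i is '$subj'" >&2
      rm -rf "$dir"; return 1
    fi
    prev_iss=$iss; last_subj=$subj; i=$((i+1))
  done
  rm -rf "$dir"
  [ "$prev_iss" = "$last_subj" ] && return 0
  echo "chain incomplete: root '$prev_iss' is missing; append it to the bundle" >&2
  return 1
}

# Export leaf + intermediates from fullchain.pem and the root via -certfile, so the
# result does not depend on how a given openssl treats extra certs passed to -in
# (the caveat raised in the thread). Refuses to export an incomplete chain.
build_mdc_pfx() {
  key=$1; fullchain=$2; root=$3; out=$4; pass=$5
  cat "$fullchain" "$root" > "$out.chain.pem"
  chain_is_complete "$out.chain.pem" || return 1
  openssl pkcs12 -export -inkey "$key" -in "$fullchain" -certfile "$root" \
    -out "$out" -passout "pass:$pass"
}
# The "3 certificates printed out" check from the thread, as a number.
count_pfx_certs() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" | grep -c 'BEGIN CERTIFICATE'
}
# Usage: sh mdc_pfx.sh privkey.pem fullchain.pem root.pem mdc.pfx 'password'
if [ $# -eq 5 ]; then
  build_mdc_pfx "$@" && echo "certificates in $4: $(count_pfx_certs "$4" "$5")"
fi
```

Run against a certbot fullchain.pem without the root appended, chain_is_complete names the missing issuer and build_mdc_pfx refuses to export, which is the state the thread describes.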
BaldNerd (posted October 2, 2019)
Thanks @Mirek S. Once again, you pointed me in the right direction. My immediate thought reading your reply was to check the policy. Sure enough, the policy itself requires that I manually re-upload the PFX file. It doesn't link to the file on disk, but rather uses the web interface to replace the cert manually. Uploaded the new file that way, and it worked. Problem fixed. So, the question now is, do I need to manually upload my PFX file like that every 3 months (Let's Encrypt certs are valid for 90 days), or can it be done from the Linux shell so I can script it into the cronjob? It'd be REALLY nice to not have to manually do the cert.
Thanks, Robbie // The Bald Nerd
Mirek S. (ESET Staff, posted October 3, 2019)
There is the ServerAPI, which allows for some level of automation. I believe we have a Python interface for it as well, however I'm unsure if it's published (if you are interested in it, I'll check with the guys who created it whether it's in a stable enough state to be published). Last but not least, there is the customer feedback topic, which is watched by PMs. HTH.
BaldNerd (posted October 4, 2019)
Thanks @Mirek S. Any chance you have a Linux binary that uses the API to output JSON via command switches? From a quick glance at the docs, it looks like it's meant to allow writing API functionality into my own apps. But I'd much prefer a simple terminal command I can run with some arguments, if possible. I do not know C/C++.
Robbie // The Bald Nerd
Mirek S. (ESET Staff, posted October 9, 2019)
I'm not aware of a command line tool to edit policies, and policies are somewhat of a black box, so supporting such a tool would take some effort, which isn't my decision to make. Please post a suggestion in customer feedback or contact your local customer care. HTH.