
How do I set up Let's Encrypt for MDC?



Hi all,

🤓

I understand MDC requires the certificate fullchain, and since my ESMC is on a subdomain, I am using Let's Encrypt for the console cert. It works great. However, I want to also use this cert for my MDC, and I'm simply unsure how to do this.

A little about my setup:

  1. This is a Linux-based ESMC server (irrelevant really, but just getting that out of the way before anyone tries to tell me to do some Windows witchcraft 😏)
  2. ESMC Server v 7.0.471.0 / ESMC Web Console v 7.0.429.0 / MDC v 7.0.528.0
  3. I have Let's Encrypt certificates generated for the subdomain where my ESMC server resides. It works fine, and the cert shows correctly in the browser (no self-signed cert for my ESMC browser session).
  4. I have a Java Keystore, which I use for Tomcat9's server entry. The keystore contains the Let's Encrypt cert.
  5. My CSR (which is used to generate the Let's Encrypt cert) is generated from the keystore.
  6. I generate a PFX from the Let's Encrypt cert, and this PFX is available if needed (e.g., could be used within a config).

I've tried adding my Let's Encrypt cert to my system's ca-certificates store, to no effect.

The ESMC interface shows that my MDC is in this state: "ESET HTTPS certificate chain is incomplete. Enrollment is not allowed"

So, I think I have all the bits and pieces needed, but am unclear how to set up MDC to use my cert. The kbase articles I find are obsolete, with the only one I can find that looks reasonably recent saying not to do the steps on MDC 7+.

Thanks in advance for taking the time to assist.

Robbie // The Bald Nerd


  • ESET Staff

Hello,

MDC requires the root CA certificate (and the entire chain) within the PFX file (certificate authorities usually don't add their root CA). You'll need to convert the PFX to PEM, append the CA certificate to this PEM and convert it back to PFX.

This is required due to the fact that we need to install the root CA onto devices and we have no idea if there is pre-established trust. This changed in v7, where having the root CA in the Windows certificate store was "good enough".

Edited by Mirek S.

Thank you @janoo and @Mirek S.

I'll look at the docs provided there, which do look more current. Great.

Re. my certificate, I'm directly using the Let's Encrypt pem files to create the pfx as follows:

openssl pkcs12 -inkey privkey.pem -in fullchain.pem -export -out letsencrypt.pfx -password pass:*******

Then, that pfx file is passed to mdmcore-linux-x86_64.sh during installation with the 'https-cert-path' switch.

From there, I'm not sure where to go - MDC is installed as per my first post, and shows the error in ESMC as per above.

Please let me know what you suggest.

Thanks,
Robbie // The Bald Nerd


  • ESET Staff

Hello,

Please upload fullchain.pem. I'll determine which root CA is missing (one vendor can have multiple CAs) and write a step-by-step guide here.

M.


Thanks @Mirek S.

fullchain.pem is generated by letsencrypt certbot. As you likely already know, this file is the concatenation of cert.pem and chain.pem (the public cert + the chain).

So, here is what mine looks like:

[two PEM certificate blocks omitted: the leaf certificate (cert.pem) followed by the intermediate certificate (chain.pem)]

Your comment about a possible missing CA made me think (facepalm) about my CSR: perhaps I should be using 0001_chain.pem instead of fullchain.pem! After all, I am providing my own CSR as previously stated. I just expected my CSR would be part of the fullchain.pem, but running diff between the two fullchain PEM files (fullchain.pem, 0001_chain.pem), they're not a match.

Thoughts?

Thanks!

Robbie // The Bald Nerd


  • ESET Staff

Hello,

Your chain is missing the root CA; in this case it's "DST Root CA X3".

https://www.identrust.com/dst-root-ca-x3

You can simply append it to your chain and convert to PFX again. For "simplicity" we decided both the root CA and the chain have to be in the configured PKCS#12 (PFX), as most customers use ESMC-generated certificates. This added some overhead for those who have their certificates signed by third-party certification authorities, as those usually don't include the root CA (there is no reason for them to) in the files they provide to their customers.

HTH,

M.

Edited by Mirek S.

Thanks @Mirek S.

I've added the root CA to my fullchain as instructed, re-created the PFX, and even re-compiled MDC against the new PFX just to be sure... restarted the eraserver, tomcat9 and eramdmcore services, sent a wake-up call, and still see the same error after several minutes of waiting: "HTTPS certificate chain is incomplete. Enrollment is not allowed."

I even rebooted the entire server just to ensure it wasn't a service I missed caching the old chain.

Any suggestions?

Thanks!

Robbie // The Bald Nerd


  • ESET Staff

Unsure we can solve this here; a better option would be a customer care ticket.

Some possible issues preventing the new certificate from being applied come to mind:

- connectivity between the MDM management Agent and Server (policy was not applied)

- you have some devices enrolled into MDM, which causes the previous certificate to still be used. You can enforce an immediate certificate switch via the timeout in the policy (next to the HTTPS certificate upload in the policy editor). A premature change could however break connectivity for devices which don't manage to update their trust settings with the MDM server.

What is possible is that the "-in" openssl argument of pkcs12 works differently across different openssl versions and didn't actually add the chain (but only the certificate). Please verify that there are 3 certificates printed out with "openssl pkcs12 -in yourpkcs12.pfx".

HTH,

M.

Edited by Mirek S.
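The two ESET replies above (append the root CA to the chain, rebuild the PFX, then confirm the PFX holds three certificates) as one script; this is an added example, not ESET's or the poster's own code. It assumes certbot's privkey.pem / cert.pem / chain.pem layout, a root CA PEM you downloaded yourself, and OpenSSL's -certfile option; paths and the password are placeholders.

```shell
#!/bin/sh
# Added example, not ESET's or the thread author's code. Assumes certbot's
# usual files (privkey.pem, cert.pem, chain.pem) and a root CA PEM you have
# downloaded yourself (in the thread: DST Root CA X3).
set -e

# Count PEM certificate blocks in a file (or stdin when no file is given).
# Pure shell, so it also works on the PEM dump of a PFX.
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "${1:-/dev/stdin}" || true
}

# Write <bundle> + <root CA> to <out>. The root is appended only if its
# first base64 line is not already in the bundle, so a cron job that runs
# after every renewal never stacks up duplicate roots (heuristic check).
append_root_ca() {
    bundle="$1"; root="$2"; out="$3"
    cat "$bundle" > "$out"
    if ! grep -qxF -- "$(sed -n '2p' "$root")" "$bundle"; then
        cat "$root" >> "$out"
    fi
}

# Build the PKCS#12 that MDC expects: private key, leaf certificate and the
# complete chain up to and including the root. The chain is passed with
# -certfile instead of relying on -in to pick up extra certificates, which
# the thread notes behaves differently across OpenSSL versions.
make_pfx() {
    key="$1"; leaf="$2"; chain="$3"; out="$4"; pass="$5"
    openssl pkcs12 -export -inkey "$key" -in "$leaf" -certfile "$chain" \
        -out "$out" -password "pass:$pass"
}

# Number of certificates inside a PFX; for Let's Encrypt at the time of the
# thread this must be 3 (leaf, intermediate, root) or MDC refuses enrollment.
pfx_cert_count() {
    openssl pkcs12 -in "$1" -nokeys -password "pass:$2" | pem_cert_count
}

# Example run (placeholder paths/password, adjust for your host):
#   PFX_PASS=... sh build-mdc-pfx.sh build
if [ "${1:-}" = "build" ]; then
    LE=/etc/letsencrypt/live/esmc.example.com       # placeholder
    append_root_ca "$LE/chain.pem" ./dst-root-ca-x3.pem ./chain-with-root.pem
    make_pfx "$LE/privkey.pem" "$LE/cert.pem" ./chain-with-root.pem \
        ./letsencrypt.pfx "$PFX_PASS"
    echo "certificates in PFX: $(pfx_cert_count ./letsencrypt.pfx "$PFX_PASS")"
fi
```

Re-running the build after each renewal only rebuilds the PFX; as the thread shows, the policy in ESMC still has to be updated with the new file.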

Thanks @Mirek S.

Once again, you pointed me in the right direction. My immediate thought reading your reply was to check the policy. Sure enough, the policy itself requires that I manually re-upload the PFX file. It doesn't link to the file on disk, but rather uses the web interface to replace the cert manually.

Uploaded the new file that way, and it worked. Problem fixed.

So, the question now is, do I need to manually upload my PFX file like that every 3 months (Let's Encrypt certs are valid for 90 days), or can it be done from the Linux shell so I can script it into a cronjob? It'd be REALLY nice to not have to manually do the cert.

Thanks,
Robbie // The Bald Nerd


  • ESET Staff

There is a ServerAPI which allows for some level of automation.

I believe we have a Python interface for it as well, however I'm unsure if it's published (if you are interested in it I'll check with the guys who created it whether it's in a stable enough state to be published).

Last but not least, there is the customer feedback topic which is watched by PMs.

HTH.


Thanks @Mirek S.

Any chance you have a Linux binary that uses the API to output JSON via command switches? From a quick glance at the docs it looks like it's to allow writing API functionality into my own apps. But I'd much prefer a simple terminal command I can run with some arguments, if possible. I do not know C/C++.

Robbie // The Bald Nerd


  • ESET Staff

I'm not aware of a command line tool to edit policies, and policies are somewhat of a black box, so supporting such a tool would take some effort, which isn't my decision to make.

Please post a suggestion into customer feedback or contact your local customer care.

HTH.
