
Connection between ERA server and agents fails


Qmarsm


Hi, I have a serious problem: the ERA server (CentOS 7) cannot see any of the agents.

I attached the trace.log file of one of my agents which is a Win server 2012.

It shows that:

2020-09-01 12:01:25 Error: NetworkModule [Thread 984]: Verify user failed for all computers: 10.10.101.222: NodVerifyCertificateChain failed: NodVerifyTrustResult: 42, NVT_NotTrusted, X509ChainStatus: 0x10000, X509CSF_PartialChain
2020-09-01 12:01:25 Error: NetworkModule [Thread 984]: Receive: NodSslWriteEncryptedData: Incorrect/unknown certificate or key format., ResolvedIpAddress:10.10.101.222, ResolvedHostname:, ResolvedPort:2222
2020-09-01 12:01:25 Error: NetworkModule [Thread 984]: Protocol failure for session id 319649, error:Receive: NodSslWriteEncryptedData: Incorrect/unknown certificate or key format.
2020-09-01 12:01:25 Error: CReplicationModule [Thread 13fc]: CReplicationManager: Replication (network) connection to 'host: "eset.lavego.de" port: 2222' failed with: Receive: NodSslWriteEncryptedData: Incorrect/unknown certificate or key format.

I think this problem is because of my last try to deploy a new CA for my server, but I think I made a mistake.

Please help me to solve the issue... thanks

Screenshot 2020-09-01 at 14.15.05.png

trace.log

Link to comment
Share on other sites

  • Administrators

The CA certificate is not trusted. Try creating a new live agent installer via ESMC and run it on the troublesome client so that the CA and agent peer certificates are updated.

Link to comment
Share on other sites

Please help me with how to create a Live agent installer. Is it possible to deploy it to the clients from the ERA server? There are 91 clients; some of them are Linux and the others are Windows.

 

Link to comment
Share on other sites

  • ESET Staff

The error means that there is no CA certificate suitable for verification of the ESMC Server certificate (as currently used for AGENT connections) - do you use some custom certificate or were there any changes in ESMC configuration?

Link to comment
Share on other sites

Yes, before this mess-up I tried to change my server CA using our custom certificate, and after uploading that in the ERA web server these problems began.

Please help me to solve this situation. I'm really in a bad situation.

Link to comment
Share on other sites

  • Administrators

I'm afraid that we won't be able to help here any further and a ticket with your local support will need to be created. Note that this forum is not meant to be a substitute for contacting your local customer care but rather for sharing knowledge with moderators and advanced users. Even though an ESMC developer chimed in, the root cause was not obvious and more iterations and possibly logs too will be needed for further analysis. As for the response time, complaining after 2 hours of not receiving a response is not appropriate. Such a short response time is provided by customer care and is guaranteed by SLA only for customers who pay for premium support.

Link to comment
Share on other sites

  • ESET Staff
5 hours ago, Qmars said:

Yes, before this mess-up I tried to change my server CA using our custom certificate, and after uploading that in the ERA web server these problems began.

Please help me to solve this situation. I'm really in a bad situation.

So now I realized that two different issues are mentioned in this topic and I do reply to the one which is less critical (creation of installer).

The error from the AGENT's status logs is clear - it is not able to verify the ESMC Server's certificate, because the AGENT is missing the CA certificate that was used to sign this new certificate.

In case you have not removed the original CA certificate from ESMC, the solution might be to either create a new ESMC certificate signed with a CA certificate that is present in ESMC, or return to using the original ESMC certificate, which should be trusted by AGENTs. Just be aware that this might not be true if other changes in certificates were also made - your environment might even be in a state where it won't be possible to restore AGENTs' connectivity and manual repair of clients will be required.

Link to comment
Share on other sites
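
Added example, not part of any post in this thread and not ESET tooling: a local OpenSSL reproduction of the trust failure described in the reply above, where a server certificate signed by a CA the agent does not hold fails verification, and one signed by the CA it does hold passes. The CA names `old-ca` and `new-ca`, the subject `server.example.test` and all helper function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed lab, not ESMC tooling: "old-ca" plays the CA the agents already
# trust, "new-ca" the replacement CA. All keys and certificates are throwaway.

make_ca() {             # $1 = work dir, $2 = CA name
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

issue_server_cert() {   # $1 = work dir, $2 = name of the signing CA
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=server.example.test" \
    -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/server.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
    -CAcreateserial -days 1 -out "$1/server.pem" 2>/dev/null
}

# Succeeds only when the certificate chains to the given trust anchor.
chain_is_trusted() {    # $1 = trust anchor PEM, $2 = certificate PEM
  openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

verdict() {             # prints "trusted" or "untrusted"
  if chain_is_trusted "$1" "$2"; then echo trusted; else echo untrusted; fi
}

run_demo() {
  d=$(mktemp -d) || return 1
  make_ca "$d" old-ca && make_ca "$d" new-ca || return 1
  # Server certificate signed by the CA the "agent" does not have.
  issue_server_cert "$d" new-ca || return 1
  before=$(verdict "$d/old-ca.pem" "$d/server.pem")
  # Server certificate re-issued by the CA the "agent" already trusts.
  issue_server_cert "$d" old-ca || return 1
  after=$(verdict "$d/old-ca.pem" "$d/server.pem")
  rm -rf "$d"
  echo "new-ca-signed=$before old-ca-signed=$after"
}

run_demo
```

The same `openssl verify -CAfile` check can be run against exported PEM copies of a real CA and server certificate before switching the server over, so a missing trust anchor shows up on the server rather than in agent trace logs.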

  • ESET Staff

Yes, I think it will work, as CA certificate for this SERVER certificate is present and thus available on client devices. Also this certificate is signed for host "*", so without any restrictions.

In case there was no other reason why you chose to change it, reverting back to this one should resolve issues.

Link to comment
Share on other sites

  • ESET Staff
26 minutes ago, Qmars said:

Would you please tell me how to revert back and resolve the issue? Pleaseeeeeee

 

Changing the certificate to the original in ESMC's settings should be enough:
image.png

When you click "Open certificate list", you should be able to select the original certificate, the one shown in your previous screenshots. Just be aware that the change will require a restart of the ESMC service.

Link to comment
Share on other sites

Hi Martink, it works... I just want to thank you for your help... you helped me a lot...

Is it ok to work with this Server certificate or do I have to create another Agent certificate and change it?

Now I have two tasks:

1. Update the ESMC to 7.2 and my current version is ESET Security Management Center (Server), Version 7.1 (7.1.503.0)
ESET Security Management Center (Web Console), Version 7.1 (7.1.393.0)

2. Add our company certificate for the Https web browser

Would you please help me with these two tasks.

My current server is:

CentOS (64-bit), Version 7.7.1908  

Thank you again and looking forward to hearing from you.

Screenshot 2020-09-02 at 20.27.27.png

Link to comment
Share on other sites

This topic is now closed to further replies.