
all-in-one-installer failed at win7


tbsky

Go to solution Solved by tbsky,


Hi:

I created an agent+eav all-in-one installer on eset-protect 9.1.2301.0, but the package cannot be installed on win7 (agent install error 1603).

But when I create the same package (same agent version, same eav version) on another host (same 9.1.2301.0 version), the package installs fine on the same win7 machine.

The two hosts run different OSes (rhel 9.0 vs rhel 8.6) and different java versions (java 11 vs java 1.8). What debug/log messages should I check to find out the reason?


  • Administrators

Since this is a very specific issue requiring deeper investigation and further logs, please open a support ticket.


5 hours ago, Marcos said:

Since this is a very specific issue requiring deeper investigation and further logs, please open a support ticket.

May I ask where the installation log is located? I think there may be some hints about what happened.


Hi:

The log didn't say the reason, but after simplifying the procedure, I found the problem seems related to the certificate. A brand new eset-protect 9.1 creates many certificates automatically during installation, and windows 7 doesn't seem to like them.

I tested it on a fully patched win 7. If I click agent-x64.msi and do a server-assisted installation, it complains about the certificate when I click "accept certificate?" (see attached picture). On the other hand, if I change the server to another, upgraded eset-protect 9.1 (so the certificate was created several years ago), then the assisted installation works fine.

cert-fail.png


I don't know how Eset uses these certificates. I assume the "Agent certificate" is used by the agent installation, so I tried exporting it from 3 servers:

1. oldest server: 2048 bit rsa with sha1 signature => win7 accepts it.

2. server from last year (eset-protect 9.0): 2048 bit rsa with sha256 signature => win7 accepts it.

3. server from last month (eset-protect 9.1): 3072 bit rsa with sha256 signature => win7 refuses it.

So "3072 bit" seems to be the problem. How can I make win7/eset agent accept it? I have already installed a hundred win10 machines with the certificate. I don't want to reinstall these win10 machines to use a new certificate if possible.


If I double-click the exported 3072-bit certificate on win7 and try to import it, it shows "password incorrect" and cannot continue.

On win10, double-clicking the 3072-bit certificate imports it with no problem.


Hi:

OK, I think 3072 bit is not the problem. The problem is that the exported pfx uses AES-256-CBC, which win7 does not support. The agent installation seems to use the exported pfx somewhere, so it failed.


The problem is indeed AES-256-CBC. Since I installed eset-protect on RHEL9 with openssl 3.0, the default openssl pfx export format is AES-256-CBC.

I tried downgrading the system to RHEL8 with the existing database and configuration, but when I export the agent certificate, the format is still AES-256-CBC. So I think the export procedure is not dynamic; the exported result seems to have been created and stored somewhere at the installation stage.

Then I tried a simpler method: I transformed the exported AES-256-CBC pfx to another format which win7 will accept. I modified the agent installation config file to use the new pfx, and fortunately the installation procedure swallowed it and everything seems to be back to normal.

As the next stage, I think I should find out where the exported agent certificate is stored in the system and modify it. Is it stored in the mysql database or somewhere else?

And since openssl 3.0 is coming to every linux distribution, I think eset-protect should modify the openssl pfx export parameters as soon as possible. It seems a one-line thing to support win7 under openssl 3.0.


  • Solution

OK. The agent certificate is stored in the mysql database in the tbl_certificates table. Replace the agent "certificate_pfx_blob" column with the transformed pfx, then eset-protect can create an all-in-one installer suitable for win7.

I hope eset-protect can be fixed so we don't need to modify the certificate manually on openssl 3.0 linux distributions.

 

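One way to check a pfx for the AES-256-CBC wrapping and re-wrap it, as an added example that is not part of the original thread and is neither ESET's nor the poster's own commands. It assumes the openssl CLI, a pfx password supplied in the environment variable PFX_PASS, and 3DES/SHA-1 as the target format (the thread does not say which format was used); the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example. The pfx password is read from the environment variable
# PFX_PASS (assumption) so that it does not appear in the process list.

# Print the encryption and MAC algorithms of a pfx.
# openssl writes the -info report to stderr, hence 2>&1.
pfx_info() {
    openssl pkcs12 -in "$1" -info -noout -passin env:PFX_PASS 2>&1
}

# Succeeds when the pfx uses the PBES2/AES-256-CBC wrapping that the
# thread found Windows 7 unable to import.
pfx_is_aes256() {
    pfx_info "$1" | grep -q 'AES-256-CBC'
}

# Re-wrap pfx SRC as DST with 3DES/SHA-1 password-based encryption and a
# SHA-1 MAC. Key and certificates are unchanged; only the container differs.
pfx_to_legacy() {
    local src="$1" dst="$2" tmp rc=0
    tmp="$(mktemp)" || return 1      # mktemp creates the file with mode 0600
    # The temporary PEM holds the private key unencrypted; it is removed below.
    openssl pkcs12 -in "$src" -nodes -passin env:PFX_PASS -out "$tmp" 2>/dev/null &&
    openssl pkcs12 -export -in "$tmp" -out "$dst" -passout env:PFX_PASS \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 || rc=1
    rm -f "$tmp"
    return "$rc"
}

# Usage (file names are placeholders):
#   export PFX_PASS='...'
#   pfx_is_aes256 agent.pfx && pfx_to_legacy agent.pfx agent-win7.pfx
```

The 3DES/SHA-1 container protects the private key less strongly than AES-256-CBC, so keep the re-wrapped file only where Windows 7 clients need it and store it with restricted permissions.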
