tbsky 11 Posted July 29, 2022 Share Posted July 29, 2022 Hi: I create agent+eav all-in-one installer at eset-protect 9.1.2301.0. but the package can not install at win7 (agent install error 1603). but when I try create the same package (same agent version, same eav version) at another host (same 9.1.2301.0 version). the package installed fine at the same win7 machine. the two host are different OS (rhel 9.0 vs rhel 8.6) and different java version (java 11 vs java 1.8). what debug/log message should I check to find out the reason? Link to comment Share on other sites More sharing options...
Administrators Marcos 5,074 Posted July 29, 2022 Administrators Share Posted July 29, 2022 Since this is a very specific issue requiring deeper investigation and further logs, please open a support ticket. Link to comment Share on other sites More sharing options...
tbsky 11 Posted July 29, 2022 Author Share Posted July 29, 2022 5 hours ago, Marcos said: Since this is a very specific issue requiring deeper investigation and further logs, please open a support ticket. May I ask what's the location of installation log? I think maybe there are some hints for what happened.. Link to comment Share on other sites More sharing options...
Administrators Marcos 5,074 Posted July 30, 2022 Administrators Share Posted July 30, 2022 The log is in C:\Users\%User%\AppData\Local\Temp\eset\bts\bootstrapper_*.log As far as I know, ESET Log Collector should collect it by default. Link to comment Share on other sites More sharing options...
tbsky 11 Posted August 3, 2022 Author Share Posted August 3, 2022 Hi: the log didn't said the reason. but after simplify the procedure, I found the problem seems related to the certificate. the brand new eset-protect 9.1 will create many certificate automatically during installation. and windows 7 seems didn't like it. I test it on a full-patched win 7. if I click the agent-x64.msi and doing a server assisted installation, it will complain about the certificate when I click "accept certificate?" (see attached picture). on the other hand, if I change the server to another upgraded eset-protect 9.1 (so the certificate was created several years ago), then the assisted installation works fine. Link to comment Share on other sites More sharing options...
tbsky 11 Posted August 3, 2022 Author Share Posted August 3, 2022 I don't know how Eset use these certificates. I assume the "Agent certificate" was used by agent installation, so I try to export it from 3 servers: 1. oldest server: 2048 bit rsa with sha1 signature => win7 accept it. 2. server last year (eset-protect 9.0) : 2048 bit rsa with sha256 signature => win7 accept it. 3. server last month(eset-protect 9.1): 3072 bit rsa with sha256 signature => win7 refuse it. so "3072 bit" seems hit the problem. how can I make win7/eset agent accept it? I already installed a hundred win10 machines with the certificate. I don't want to reinstall these win10 to use a new certificate if possible. Link to comment Share on other sites More sharing options...
tbsky 11 Posted August 3, 2022 Author Share Posted August 3, 2022 If I double-click the exported 3072 bits certificate at win7 and try to import it, it will show "password incorrect" and can not continue. at win10 double-click the 3072 bit certificate and there is no problem to import it. Link to comment Share on other sites More sharing options...
tbsky 11 Posted August 3, 2022 Author Share Posted August 3, 2022 Hi: ok I think 3072 bit is not the problem. the problem is exported pfx is using AES-256-CBC which win7 is not support. agent installation seems use the exported pfx somewhere so it failed. Link to comment Share on other sites More sharing options...
tbsky 11 Posted August 4, 2022 Author Share Posted August 4, 2022 the problem is indeed AES-256-CBC. since I install eset-protect at RHEL9 with openssl 3.0, the default openssl pfx export format will be AES-256-CBC. I try to downgrade the system to RHEL8 with existing database and configuration. but when I try to export agent certifcate, the format is still AES-256-CBC. so I think the export procedure is not dynamic, the exported result seems already done and stored somewhere at installation stage. then I try a simpler method, I transform the exported AES-256-CBC pfx to another format which win7 will accept. I modify the agent installation config file to use the new pfx and fortunately the installation procedure swallow it then everything seems become normal. next stage I think I should find out where is the exported agent certificate in the system and modify it. is it stored at mysql database or somewhere else? and since openssl 3.0 is coming to every linux distribution, I think eset-protect should modify the openssl pfx export parameter as soon as possible. it seems a one-line thing to support win7 under openssl 3.0. Link to comment Share on other sites More sharing options...
Solution tbsky 11 Posted August 4, 2022 Author Solution Share Posted August 4, 2022 ok. the agent certificate is stored at mysql database under tbl_certificates table. replace the agent "certificate_pfx_blob" column with the transformed pfx then eset-protect can create an all-in-one installer suitable for win7. hope eset-protect can be fixed so we don't need to modify certificate manually under openssl 3.0 linux distribution. Link to comment Share on other sites More sharing options...
Recommended Posts