Certificate Trust Issue


Go to solution Solved by Mohsen Ghaffari,

Posted

Hello ESET Community,

I have encountered a certificate trust issue with one specific agent on RHEL out of a group of 2500. While the majority of agents are working perfectly fine, this isolated incident has left me scratching my head.

Issue Description:

One of our agents is experiencing a certificate trust problem. We are receiving the following error message: 

Error: CAgentSecurityModule [Thread 7f9d66670700]: Certificated user verification failed with: NodVerifyCertificateChain failed: NodVerifyTrustResult: 6, NVT_NotTrustedRoot, X509ChainStatus: 0x0, X509CSF_NoError, certificate: [Subject='CN=Server at *, OU=***, O=****, L=****, S=NRW', Issuer='CN=**-******, OU=****, O=***, L=****, S=***', NotBefore=2021-Jun-01 22:00:00, NotAfter:2031-May-30 22:00:00, Serial=01d3da62fe1dab43008b274a19efe1029901, SHA256=d5801adae786af6987838b61c4a84b5ff9127528aecf754989946f192d17a6ad, SubjectKeyIdentifier=212b12601936b997d44efae7e8ab355e23d9d13b, AuthorityKeyIdentifier=2f2fd47cde0486750146f4df43aef26b832d4acc]
EraGrpc [Thread 7f9d5ca3e700]: EraGrpc: EraTsiHandshaker::VerifyCertChainHandler untrusted certificate Peer: *****:2222 Code 

 

This is puzzling to us, as the affected agent is the only one experiencing this problem out of our substantial agent pool. 

Troubleshooting Steps Taken:


We have taken the following steps in an attempt to resolve the issue:

  1.  Agent Reinstallation: We uninstalled the ESET agent from the affected machine and then reinstalled it in hopes of resolving any potential installation-related problems. Unfortunately, the issue persisted.
  2.  Network and Firewall Checks: We have reviewed our network settings and firewall rules to ensure that they are not causing any interference with the agent's communication. All settings appear to be in line with the rest of the agents.
  3.  Time Synchronization: We verified that the system time on the affected machine is accurate and synchronized with the network time.
  4.  OpenSSL version check: in line with other agents (openssl 1.1.1)
  5.  Exporting the CA cert and importing under /etc/ssl/certs

Despite our efforts, we have not been able to pinpoint the exact cause of the certificate trust issue on this specific agent.

Thank you in advance for your assistance.

  • Administrators
Posted

Do you use ESET PROTECT Cloud or ESET PROTECT on-premise? Make sure that "Digicert Global Root G2" certificate is present in the system Trusted Root certificate store.

Posted

We actually use on-prem ESET Protect. Do I need to add the Digicert Global Root G2 to the trusted cert store too?

Where does eraagent store and access the agent and CA cert?

  • Solution
Posted

Copied the CA cert to /etc/pki/ca-trust/source/anchors and did an update-ca-trust afterwards. The agent started successfully.
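The fix described in the solution post, as an added example that is not part of the original thread and is not ESET tooling: it checks whether an exported CA certificate is actually in the consolidated trust bundle that `update-ca-trust` builds, and installs it as an anchor if not. The function names and the bundle path (the RHEL default for `update-ca-trust`) are assumptions; the CA is assumed to be a self-signed root exported as PEM.

```bash
# Added example (constructed; not ESET tooling). Paths are the RHEL
# defaults for update-ca-trust(8); override them for other layouts.
ANCHOR_DIR=${ANCHOR_DIR:-/etc/pki/ca-trust/source/anchors}
SYSTEM_BUNDLE=${SYSTEM_BUNDLE:-/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem}

# Succeeds only if the self-signed root CA in $1 verifies against the
# PEM bundle in $2. -no-CApath keeps OpenSSL's default certificate
# directory out of the check, so the result depends on the bundle.
ca_in_bundle() {
    openssl verify -CAfile "$2" -no-CApath "$1" >/dev/null 2>&1
}

# Report why the CA in $1 is or is not trusted; return 0 only if it is.
diagnose_ca() {
    if ca_in_bundle "$1" "$SYSTEM_BUNDLE"; then
        echo "trusted: CA is present in $SYSTEM_BUNDLE"
        return 0
    fi
    if [ -f "$ANCHOR_DIR/$(basename "$1")" ]; then
        echo "anchor exists but the bundle is stale: run update-ca-trust"
    else
        # update-ca-trust reads /etc/pki/ca-trust/source/, not /etc/ssl/certs,
        # so a copy placed only in /etc/ssl/certs never reaches the bundle.
        echo "not trusted: no anchor for this CA in $ANCHOR_DIR"
    fi
    return 1
}

# The fix from the solution post; needs root.
install_ca_anchor() {
    cp "$1" "$ANCHOR_DIR/" && update-ca-trust
}

# Typical use on the affected host (internal-ca.pem is a placeholder name):
#   diagnose_ca internal-ca.pem || install_ca_anchor internal-ca.pem
```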
