Mohsen Ghaffari 0 Posted August 31, 2023 Share Posted August 31, 2023 Hello ESET Community, I have encountered a certificate trust issue with one specific agent on RHEL out of a group of 2500. While the majority of agents are working perfectly fine, this isolated incident has left me scratching my head. Issue Description: One of our agents is experiencing a certificate trust problem. We are receiving the following error message: Error: CAgentSecurityModule [Thread 7f9d66670700]: Certificated user verification failed with: NodVerifyCertificateChain failed: NodVerifyTrustResult: 6, NVT_NotTrustedRoot, X509ChainStatus: 0x0, X509CSF_NoError, certificate: [Subject='CN=Server at *, OU=***, O=****, L=****, S=NRW', Issuer='CN=**-******, OU=****, O=***, L=****, S=***', NotBefore=2021-Jun-01 22:00:00, NotAfter:2031-May-30 22:00:00, Serial=01d3da62fe1dab43008b274a19efe1029901, SHA256=d5801adae786af6987838b61c4a84b5ff9127528aecf754989946f192d17a6ad, SubjectKeyIdentifier=212b12601936b997d44efae7e8ab355e23d9d13b, AuthorityKeyIdentifier=2f2fd47cde0486750146f4df43aef26b832d4acc] EraGrpc [Thread 7f9d5ca3e700]: EraGrpc: EraTsiHandshaker::VerifyCertChainHandler untrusted certificate Peer: *****:2222 Code This is puzzling to us, as the affected agent is the only one experiencing this problem out of our substantial agent pool. Troubleshooting Steps Taken: We have taken the following steps in an attempt to resolve the issue: Agent Reinstallation: We uninstalled the ESET agent from the affected machine and then reinstalled it in hopes of resolving any potential installation-related problems. Unfortunately, the issue persisted. Network and Firewall Checks: We have reviewed our network settings and firewall rules to ensure that they are not causing any interference with the agent's communication. All settings appear to be in line with the rest of the agents. Time Synchronization: We verified that the system time on the affected machine is accurate and synchronized with the network time. Openssl version check: in line with other agents (openssl 1.1.1) Exporting the ca cert and importing under /etc/ssl/certs Despite our efforts, we have not been able to pinpoint the exact cause of the certificate trust issue on this specific agent. Thank you in advance for your assistance. Link to comment Share on other sites More sharing options...
Administrators Marcos 5,085 Posted August 31, 2023 Administrators Share Posted August 31, 2023 Do you use ESET PROTECT Cloud or ESET PROTECT on-premise? Make sure that "Digicert Global Root G2" certificate is present in the system Trusted Root certificate store. Link to comment Share on other sites More sharing options...
Mohsen Ghaffari 0 Posted August 31, 2023 Author Share Posted August 31, 2023 we actually use on-prem ESET Protect. Do I need to add the Digicert Global Root G2 to the trusted cert store too? where does eraagent store and access the agent and ca cert? Link to comment Share on other sites More sharing options...
Solution Mohsen Ghaffari 0 Posted August 31, 2023 Author Solution Share Posted August 31, 2023 copied the the ca cert to /etc/pki/ca-trust/source/anchors and did an update-ca-trust afterwards. the agent started successfully. Link to comment Share on other sites More sharing options...
Recommended Posts