
[Assistance needed] Agent on ERA server having SSL / connection errors


Go to solution Solved by Adhara-CS,


Hi all,

 

As it is important to also manage the server on which "ERA Server" is installed, we are trying to install ERA Agent (on the same machine).

Our ERA server works fine, we already have a certain number of devices connected and managed, but when we set up this Agent it doesn't work.

 

For information: This Topic concerns installation on a Debian Server.

 

This is how we proceed:

 

We manually download (and put on the server):

  • Peer certificate
  • CA public key

We download the agent and make it executable:

wget hxxp://download.eset.com/download/ra/v6/standalone-installers/agent/Agent-Linux-x86_64.sh
chmod +x Agent-Linux-x86_64.sh

Then we run setup:

./Agent-Linux-x86_64.sh \
--skip-license \
--cert-path="/etc/ssl/era/Certificate Export CN=Agent at _ BLABLABLA.pfx" \
--cert-password="" \
--cert-auth-path="/etc/ssl/era/Certification Authority BLABLABLA public key.der" \
--hostname="OUR_ERA_DOMAIN" \
--port=2222

The agent setup ends up fine.

But in the Agent log file we do have several suspect lines:

2015-03-19 12:20:09 Information: ERAG1ClientConnector [Thread 7ff332b6c700]: <CONNECTOR_MODULE> exception N3Era10Connectors17G1ClientConnector20no_installed_productE occurred at /mnt/builds/jenkins/workspace/ERA/release_6.1/37a27c02/src/Products/RemoteAdministrator/Src/Connectors/ERAG1ClientConnector/Agent/ProductOfflineConfiguration/UnixProducts.cpp:160. Product not installed.

2015-03-19 12:20:10 Information: CAgentSecurityModule [Thread 7ff3227fc700]: Agent peer certificate with subject 'CN=Agent at *, BLABLABLA' issued by 'CN=OUR_ER_DOMAIN, BLABLABLA' with serial number 'XXXXX' is invalid now

2015-03-19 12:20:14 Information: CReplicationModule [Thread 7ff3157fa700]: CReplicationManager: Processing client replication task message
2015-03-19 12:20:14 Information: CReplicationModule [Thread 7ff3157fa700]: CReplicationManager: Initiating replication connection to 'host: "OUR_ERA_DOMAIN" port: 2222' (scenario: Regular, data limit: 1024KB)
2015-03-19 12:20:14 Information: NetworkModule [Thread 7ff3147f8700]: Received message: CreateConnectionRequest
2015-03-19 12:20:14 Information: Kernel [Thread 7ff332b6c700]: Used memory after modules start-up is 43680 KB
2015-03-19 12:20:16 Error: CAgentSecurityModule [Thread 7ff3227fc700]: Certificated user verification failed with: NodVerifyCertificateChain failed: NodVerifyTrustResult: 6, NVT_NotTrustedRoot, X509ChainStatus: 0x10000, X509CSF_PartialChain
2015-03-19 12:20:16 Error: NetworkModule [Thread 7ff320ff9700]: Receive: NodSslWriteEncryptedData: Internal error in the underlying implementations., ResolvedIpAddress:OUR_ERA_IP, ResolvedHostname:, ResolvedPort:2222
2015-03-19 12:20:16 Error: NetworkModule [Thread 7ff320ff9700]: Protocol failure for session id 1, error:Receive: NodSslWriteEncryptedData: Internal error in the underlying implementations.
2015-03-19 12:20:16 Error: CReplicationModule [Thread 7ff3157fa700]: CReplicationManager: Replication (network) connection to 'host: "OUR_ERA_DOMAIN" port: 2222' failed with: Receive: NodSslWriteEncryptedData: Internal error in the underlying implementations.

Reading this, there seems to be an error occurring when the agent tries to connect to the server (as they are on the same machine this is quite strange).

We don't understand why it is said that our "ERAG1ClientConnector" is invalid now... What is that connector and can it possibly be outdated ?

 

We tried to change the "hostname" setting during agent setup to the public or private IP and even localhost, but then we have another error that indicates that the certificate and IP don't match (plus the actual one).

 

 

Any tips are welcome.

Edited by Adhara-CS

  • Former ESET Employees

Is your Server certificate signed with /etc/ssl/era/Certification Authority BLABLABLA public key.der?

If not, Agent will refuse connection to server. Agent accepts connection only when certificate on other side is signed by ca.der from installation or CA in system (/etc/ssl/certs).

 

Try to use the same ca.der file used for install of "connecting computers"


Hi,

Thank you for your reply.

 

Yes, our server certificate has been signed with the /etc/ssl/era/Certification Authority BLABLABLA public key.der file...

We also tried to use the same certificate as the one used for client computers deployment, we still have the same error!

 

 

We have another ERA server on which we don't use the domain name... (only the IPs, it is all on a private network).

And we don't get that error... (all setup steps are exactly the same).

 

Any clue ?

Edited by Adhara-CS

  • Former ESET Employees

Is this server certificate set in server configuration? Restart is needed.

Or try to look in server configuration if server certificate contains OUR_ERA_DOMAIN or *

 

From the error, it looks like some certificates are being used which are not signed by the CA used on the server or agent.

Were /etc/ssl/era/Certification Authority BLABLABLA public key.der and the other certs (agent.pfx, server.pfx) created in the Webconsole, or created manually?

What are the differences between your working environment and this environment? For example network setup, server machine OS and version, ...


Hi,

 

This server certificate is set in ERA server configuration. We just tried to restart, but it didn't help.

 

Yes, that is also what we understood of the problem... It is just like the peer certificate didn't match the server's certificate!

The /etc/ssl/era/Certification Authority BLABLABLA public key.der and the other certs (agent.pfx, server.pfx) were created using the webconsole.

 

The differences between test and production only reside in the network:

  • Test uses 192.168.1.0/24 / production uses 172.16.0.0/16
  • Test: Clients and server are in the same network / Production: Clients and server are on different networks (but I don't think this changes anything).
  • Both run on a VM with Debian 3.2.0-4-amd64 #1 SMP Debian 3.2.65-1+deb7u2 x86_64

We are trying with another certificate right now (also generated with the CA in the webconsole).


  • Solution

Hi,

 

It finally works, here is an explanation of what we noticed:

 

In the "Peer Certificates" web page, you have by default 3 certificates:

  • Server Certificate
  • Agent Certificate
  • Agent Certificate for server assisted installation

 

When using "Agent Certificate for server assisted installation" or a certificate that we had generated through the web console, we did have the problem described previously.

But when using the standard "Agent Certificate" it works fine ! So there is really a difference between those certificates.

 

This means that for the ERA server itself, the "Agent Certificate for server assisted installation" seems not to work...

The remaining question is why didn't it work with another certificate generated and signed by the ERA CA..?

 

Best regards,

Edited by Adhara-CS

Well, finally it doesn't seem that good!

 

We just noticed errors in the log file:

2015-03-23 11:01:22 Error: CReplicationModule [Thread 7f0ecd7fa700]: CStepProcessor: Replication slave stopped replication during initialization with reason: UNKNOWN_ORIGIN
2015-03-23 11:01:22 Error: CReplicationModule [Thread 7f0ecd7fa700]: CReplicationManager: Failure of scenario (type=Regular, task_id='00000000-0000-0000-7005-000000000001', link='Automatic replication (REGULAR)' (00000000-0000-0000-7007-000000000001), current_step= [], current_step_phase=, remote_peer=host: "OUR_DOMAIN" port: 2222, remote_peer_type=3, remote_peer_id=XXXXX, remote_realm_id=)

Does anyone know what that replication process is about?


  • Former ESET Employees

2015-03-23 11:01:22 Error: CReplicationModule [Thread 7f0ecd7fa700]: CStepProcessor: Replication slave stopped replication during initialization with reason: UNKNOWN_ORIGIN

2015-03-23 11:01:22 Error: CReplicationModule [Thread 7f0ecd7fa700]: CReplicationManager: Failure of scenario (type=Regular, task_id='00000000-0000-0000-7005-000000000001', link='Automatic replication (REGULAR)' (00000000-0000-0000-7007-000000000001), current_step= [], current_step_phase=, remote_peer=host: "OUR_DOMAIN" port: 2222, remote_peer_type=3, remote_peer_id=XXXXX, remote_realm_id=)

 

This error is always in Agent trace log. First replication always fails with "UNKNOWN_ORIGIN" and next replications should be OK. When "UNKNOWN_ORIGIN" is in log, all your certificates are OK and Agent-Server communication is trusted and encrypted.

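Added example, not part of the thread and not ESET tooling: a Python triage of the agent trace-log lines quoted above. It separates the chain-verification error from the SSL errors logged right after it, and treats only the first UNKNOWN_ORIGIN as expected, as the last reply describes. The 5-second window, the label names and the second UNKNOWN_ORIGIN sample line are assumptions made for this example.

```python
import re
from datetime import datetime, timedelta

LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\w+): (\w+) \[Thread [0-9a-f]+\]: (.*)$")
TRUST = re.compile(r"NodVerifyTrustResult: \d+, (\w+), X509ChainStatus: 0x[0-9a-fA-F]+, (\w+)")
WINDOW = timedelta(seconds=5)  # assumption: handshake fallout is logged within seconds

# Constructed sample: lines taken from the thread (placeholders kept), plus one
# made-up later UNKNOWN_ORIGIN line (11:02:22) to exercise the "repeated" case.
SAMPLE = """\
2015-03-19 12:20:14 Information: NetworkModule [Thread 7ff3147f8700]: Received message: CreateConnectionRequest
2015-03-19 12:20:16 Error: CAgentSecurityModule [Thread 7ff3227fc700]: Certificated user verification failed with: NodVerifyCertificateChain failed: NodVerifyTrustResult: 6, NVT_NotTrustedRoot, X509ChainStatus: 0x10000, X509CSF_PartialChain
2015-03-19 12:20:16 Error: NetworkModule [Thread 7ff320ff9700]: Protocol failure for session id 1, error:Receive: NodSslWriteEncryptedData: Internal error in the underlying implementations.
2015-03-23 11:01:22 Error: CReplicationModule [Thread 7f0ecd7fa700]: CStepProcessor: Replication slave stopped replication during initialization with reason: UNKNOWN_ORIGIN
2015-03-23 11:02:22 Error: CReplicationModule [Thread 7f0ecd7fa700]: CStepProcessor: Replication slave stopped replication during initialization with reason: UNKNOWN_ORIGIN
"""

def triage(text):
    """Return (timestamp, label, detail) tuples for the lines that need a decision."""
    findings, last_trust, seen_origin = [], None, False
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an agent trace-log line
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        level, module, msg = m.group(2), m.group(3), m.group(4)
        trust = TRUST.search(msg)
        if module == "CAgentSecurityModule" and trust:
            # Root cause: the peer's chain does not end at a CA the agent trusts.
            last_trust = ts
            findings.append((ts, "TRUST_FAILURE", "/".join(trust.groups())))
        elif "UNKNOWN_ORIGIN" in msg:
            # Per the last reply: the first replication always fails this way.
            label = "REPEATED_UNKNOWN_ORIGIN" if seen_origin else "EXPECTED_FIRST_REPLICATION"
            seen_origin = True
            findings.append((ts, label, module))
        elif level == "Error" and last_trust and ts - last_trust <= WINDOW:
            findings.append((ts, "FALLOUT_OF_TRUST_FAILURE", module))
        elif level == "Error":
            findings.append((ts, "UNCLASSIFIED_ERROR", module))
    return findings

if __name__ == "__main__":
    for ts, label, detail in triage(SAMPLE):
        print(ts, label, detail)
```
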
