
Certificate for Public facing ESET



Hello,

 

We have certain situations where we want to protect remote computers that will not be part of the LAN or VPN.

 

I have setup a public ip on my firewall and NATs as well. Pings and telnets to ports 2222 and 2221 tell me this is working. I am having issues with the certificate. I created a cert with the outside dns name of my eset, however the agent installer is throwing the error that host name does not match.

 

Do I need to create a new cert and bind that to an agent installer in these cases?

 

I also cannot create a peer cert, eset is giving me a long winded message about that as well. 

 

Thank you,

 

Chris


  • ESET Staff

The error you mentioned contains both:

  • the hostname that AGENT is configured to connect to
  • the list of hostnames that are in SERVER's certificate

and most probably AGENT is configured to connect to a hostname (or IP) that is not in the list in SERVER's certificate. Names must match exactly. After changing SERVER's certificate, a restart will be required (not sure about this). A new AGENT certificate should not be required in case it was created with default settings (i.e. * as hostname).


I created both a new CA and a new CERT. These are the errors we are getting now. 

 

Error: CReplicationManager: Replication (network) connection to 'host: "204.186.2.60" port: 2222' failed with: Receive: NodSslWriteEncryptedData: Incorrect/unknown certificate or key format.

 

Error
Agent peer certificate with subject 'CN=Agent certificate for host 204.186.2.60' issued by 'CN=CA for Outside Computers, C=US' with serial number '01ccaa780f61734724b7d8db1070c26d0801' is invalid now (NodVerifyTrustResult: 6, NVT_NotTrustedRoot, X509ChainStatus: 0x10000, X509CSF_PartialChain)
Peer certificate may be valid but can not be verified on this machine
Check time validity and presence of issuing certification authority
 
Error: VerifyDnsSubjectAltName: Hostname does not match any supported record in certificate SubjectAltName extension (dmi1-eset.corp.lehighgas.local,10.10.10.179,127.0.0.1)
Remote host: 204.186.2.60

When I attempt to create a new Server Cert using the existing CA, I get the below. 

 

Failed to create certificate: Creating and signing peer certificate failed. Check input parameters for invalid or reserved characters, check certification authority pfx/pkcs12 signing certificate and corresponding password.: Trace info: ParsePkcs12: Could not verify password (invalid password or corrupted pkcs12 structure


  • ESET Staff
Error: VerifyDnsSubjectAltName: Hostname does not match any supported record in certificate SubjectAltName extension (dmi1-eset.corp.lehighgas.local,10.10.10.179,127.0.0.1)

Remote host: 204.186.2.60

 

This is the error I mentioned previously -> AGENT seems to be configured to connect to "204.186.2.60" BUT this IP/hostname is not present in SERVER's certificate, which contains only dmi1-eset.corp.lehighgas.local, 10.10.10.179 and 127.0.0.1.

 

When I attempt to create a new Server Cert using the existing CA, I get the below. 

 

Failed to create certificate: Creating and signing peer certificate failed. Check input parameters for invalid or reserved characters, check certification authority pfx/pkcs12 signing certificate and corresponding password.: Trace info: ParsePkcs12: Could not verify password (invalid password or corrupted pkcs12 structure

 

This means the password for the CA certificate you provided during SERVER's certificate signing is not correct. What type of SERVER installation did you use? I am currently not sure what password is actually used in case of all-in-one or appliance installations.

 

Error: CReplicationManager: Replication (network) connection to 'host: "204.186.2.60" port: 2222' failed with: Receive: NodSslWriteEncryptedData: Incorrect/unknown certificate or key format.

 

It indicates an unsupported certificate type. Were all certificates (also CA certificates) created in ERA?

 

Agent peer certificate with subject 'CN=Agent certificate for host 204.186.2.60' issued by 'CN=CA for Outside Computers, C=US' with serial number '01ccaa780f61734724b7d8db1070c26d0801' is invalid now (NodVerifyTrustResult: 6, NVT_NotTrustedRoot, X509ChainStatus: 0x10000, X509CSF_PartialChain)

 

The last error/warning is caused by the fact that you are using two different CA certificates for the SERVER and AGENT certificates. You are able to provide only one CA certificate during AGENT installation and obviously it must be the CA certificate used to sign SERVER's peer certificate -> therefore until AGENT successfully connects to SERVER, it will be missing the second CA certificate (the certificate used to sign AGENT's peer certificate) and until then it won't be able to verify its own peer certificate. This error has no impact on the AGENT->SERVER connection, therefore I would focus on creating a new SERVER certificate signed by the original CA certificate, as that would be the simplest solution.

 

In case you create a new CA certificate and use it to sign a new SERVER certificate, be careful as you may cut off all other AGENTs -> you should give them enough time to connect and fetch the newly created CA certificate before you actually start using it.

Edited by MartinK
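As an added illustration (not code from the thread or from ESET's agent), the following Python reproduces the name-matching rule the two staff replies describe: the address the agent is configured to use must appear, exactly, in the server certificate's SubjectAltName. It takes the SAN list as the VerifyDnsSubjectAltName error above printed it (a constructed sample, not read from a real certificate), and also handles the wildcard and IP-literal cases the thread only touches on.

```python
import ipaddress

# Constructed sample: the SAN list exactly as the ERA error message above quoted it.
SERVER_CERT_SAN = "dmi1-eset.corp.lehighgas.local,10.10.10.179,127.0.0.1"


def parse_san_list(san_csv):
    """Split the comma-separated SAN list into ('ip', addr) / ('dns', name) entries."""
    entries = []
    for raw in san_csv.split(","):
        value = raw.strip()
        if not value:
            continue
        try:
            entries.append(("ip", ipaddress.ip_address(value)))
        except ValueError:
            entries.append(("dns", value.lower().rstrip(".")))
    return entries


def dns_name_matches(pattern, hostname):
    """RFC 6125 style match: exact, or a single '*' as the whole leftmost label."""
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels = pattern.split(".")[1:]
    h_labels = hostname.split(".")
    # The wildcard covers exactly one label, never several.
    return len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels


def hostname_matches_san(target, san_csv):
    """True if the address the agent connects to is covered by the certificate SAN."""
    entries = parse_san_list(san_csv)
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        host = target.lower().rstrip(".")
        return any(k == "dns" and dns_name_matches(v, host) for k, v in entries)
    # An IP literal must appear as an iPAddress SAN entry; a DNS entry does not count.
    return any(k == "ip" and v == ip for k, v in entries)


def missing_names(targets, san_csv):
    """List the connection targets the certificate does not cover (should be empty)."""
    return [t for t in targets if not hostname_matches_san(t, san_csv)]


if __name__ == "__main__":
    for t in ("204.186.2.60", "10.10.10.179", "dmi1-eset.corp.lehighgas.local"):
        print(t, "->", "OK" if hostname_matches_san(t, SERVER_CERT_SAN) else "NOT IN SAN")
```

Run against the thread's values, the public NAT address 204.186.2.60 is the only target reported as missing, which is exactly what the agent's error said; the fix is a server certificate whose SAN includes that public name or address.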

  • ESET Staff

I am using the Virtual Appliance 6.x so I am not sure of the self signed password that was given to the CA during creation. 

 

Please try the password you used to configure the appliance (the same as for the Administrator user if you have not changed it).

