
Agents not checking into ERA after change of certificates



Hi all

I have been having issues after doing an upgrade to the latest ERA (6.3.136.0) - which is obviously not the new available ERA as 6.4 was released recently.

I have also created new CA and Peer certificates during the various upgrades, which now some of the already installed agents are not referencing.

I spoke to ESET South Africa's Support mentioning if there was a way to update/re-install the agents so that they reflect the new certificates, however they suggested a re-install by rerunning the installation either through the ERA or using the Live Agent Installer (batch file). This does not fix anything.

They then suggested to either repair the installation manually by referencing the actual exported Peer and CA certificate - which does help, however I have a number of agents that are needing an update.

My only alternative was to run an uninstall batch script using Group Policies, which I managed to customise (see attached - both the batch file and a vbs script file), and after some time to remove the GPO, then rerun the deployment either through the ERA or using another GPO with the Live Agent Installer (batch file).

Unfortunately, I hoped that perhaps there is a local copy of the Peer and CA certificate that I could replace per PC through a GP or perhaps replace a registry line that contains the certificate information for both the Peer and CA certificate, just so that the current installed Agent would "update itself" and authenticate to the ERA server. This is not the case, as I have not found any other information online mentioning that. The only reference that I found when scouring the whole PC, was a ca.der and peercert.pfx which existed either in the C:\Windows\Temp\EsetRemoteAdminAgent folder, however when I manually tried replacing these files with the newer ones, the Agent still did not authenticate with the ERA server.

I was hoping that either the above would work, or perhaps updating the msiexec.exe installation using /fa along with all the installation parameters, the same as that of the actual deployment, but alas, there is nothing again online.

Where I am at the moment is that I still have a number of PCs and Servers with either an old or latest Agent version installed, but referencing older certificates, which are no longer on the same ERA server. You would think that ESET would build an update if you were to add newer certificates, that the older ones still exist, but when an Agent checks into the ERA server, it would update itself with the newer certificate.

If someone could help and assist me in the right direction as to a quick and easy way to update 100+ Agents with the correct certificate information (without the obvious of uninstalling and reinstalling), then I am all ears!!!

Any help would be greatly appreciated.

Uninstall_ERA_Agent.bat.txt

Uninstall_ERA_Agent.vbs.txt


  • Administrators

Agent Live Installer contains both the peer certificate as well as the CA certificate. The solution should be to generate an Agent Live Installer (i.e. do not re-use an older one that contains previous certificates) and deploy it to clients.
