Certificate change stops agent reporting

After a change/upgrade of a wildcard certificate for a customer, Snow agents stopped reporting. It has been a few years since I worked with this kind of issue and I need to know what needs to be done to remedy this problem.

Do I need to update or do anything with my customers agents? When I check in the IIS the bindings there are generic for the ports used and should not be affected.

Is there anything else that needs to be checked?

Agent version is 5.3.0

Certificate is a wildcard SSL (I presume)

BR Peder


  • Hi Peder,

    The certificate for the inventory server is not handled by the IIS, it is registered as a part of the Inventory Server installer. To rebind the port used by Inventory server you can either uninstall and reinstall the inventory server service, or run some cmd line commands to reassign the certificate for the inventory server. There is a thread about how to do that here:

    If you want to check things from the customer side, the easiest way is to use the agent endpoint URL and paste it into a browser at the customer. If there are any red messages about certificate issues somewhere around the address bar (different for different browsers) you will get a clue to what is wrong. Usually the problem is one of these:

    1. Endpoint URL does not match the certificate URL
    2. The certificate is OK, but the Certificate Authority (CA) certificate cannot be found. If you ordered the new certificate from another CA than the old one this could be an issue, if the customer does not have an updated register of Certificate Authorities.

    Hope that helps!

    / Martin
  • Hi Martin, It's partially helpful :-) It works all the way to when I'm trying to add the new certificate binding. For some reason I get the wrong syntax whatever I try to do. Can we set up a ticket for this? Where I can show you the command line I insert and the command line system seems to think I insert. BR Peder
    • Hi Peder,

      The problem could be that you need to add the appID formatted with "-" in the correct places, like a standard GUID. I realize that the instructions for that are a bit unclear as there is no example in the instructions. Here's how it is supposed to be written in the command prompt, with example data for my local cert:

      netsh http add sslcert ipport=0.0.0.0:443 certhash=fec2e06fabf9dd0f8d73db8c3340177f93ea0c4a appid={a678a40c-af87-e74d-84d4-425ec03a6b9d}

      You are of course welcome to file a ticket with the support team, but I am with the enablement team nowadays, so my best way to help you right now is here at the community. :-)
  • Ok, this is the command line I'm trying to add.

    netsh http delete sslcert ipport=0.0.0.0:9443 certhash=‎a2 42 11 70 f7 27 6d 92 7d e1 17 48 b1 cb d0 fc f3 f0 0b dfappid={81,e1,c3,4d,4b,e1,21,4a,b0,22,59,fc,66,9b,09,14}

    Notice that the blank space before appid disappears. Appid is also in hex but for some reason they are shown with a comma between each value. Could that be the problem?

    /Peder
    • Hi Peder,

      Yes, there are a couple of things you need to change.

      1. In your example you write delete, it should be add.
      2. The blank spaces of the certhash need to go.
      3. The commas of the appid need to go, and the entire string needs to look like a GUID.

      This should work:

      netsh http add sslcert ipport=0.0.0.0:9443 certhash=a2421170f7276d927de11748b1cbd0fcf3f00bdf appid={81e1c34d-4be1-214a-b022-59fc669b0914}
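The clean-up described in the last reply, as an added PowerShell example that is not part of the original thread and not Snow's own tooling: it strips spaces and invisible characters from a pasted thumbprint, regroups a comma-separated appid into GUID form in the order given, and returns the netsh line. The function names are hypothetical; the sample values are the ones posted above, with a leading U+200E added as constructed input.

```powershell
# Added example: turn pasted certhash/appid values into a netsh-ready line.
# Function names are hypothetical; nothing here calls netsh itself.

function ConvertTo-CertHash {
    param([Parameter(Mandatory)][string]$Thumbprint)
    # Keep hex digits only: removes spaces and invisible characters
    # (for example U+200E) that can be copied along with a thumbprint.
    $hex = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToLowerInvariant()
    if ($hex.Length -ne 40) {
        throw "certhash must be 40 hex digits (SHA-1 thumbprint), got $($hex.Length)"
    }
    $hex
}

function ConvertTo-AppIdGuid {
    param([Parameter(Mandatory)][string]$AppId)
    # Drop braces, commas and dashes, then validate the length.
    $hex = ($AppId -replace '[^0-9A-Fa-f]', '').ToLowerInvariant()
    if ($hex.Length -ne 32) {
        throw "appid must be 32 hex digits, got $($hex.Length)"
    }
    # Regroup 8-4-4-4-12 without reordering bytes, as in the reply above.
    '{' + ($hex -replace '^(.{8})(.{4})(.{4})(.{4})(.{12})$', '$1-$2-$3-$4-$5') + '}'
}

function New-SslCertBindingCommand {
    param(
        [Parameter(Mandatory)][string]$IpPort,
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string]$AppId
    )
    if ($IpPort -notmatch '^\d{1,3}(\.\d{1,3}){3}:\d{1,5}$') {
        throw "ipport must look like 0.0.0.0:9443"
    }
    $hash = ConvertTo-CertHash $Thumbprint
    $guid = ConvertTo-AppIdGuid $AppId
    # Single spaces between parameters, so 'appid=' never fuses with the hash.
    "netsh http add sslcert ipport=$IpPort certhash=$hash appid=$guid"
}

# Constructed input: values as pasted in the thread, plus a leading U+200E.
$pastedHash  = [string][char]0x200E + 'a2 42 11 70 f7 27 6d 92 7d e1 17 48 b1 cb d0 fc f3 f0 0b df'
$pastedAppId = '{81,e1,c3,4d,4b,e1,21,4a,b0,22,59,fc,66,9b,09,14}'
New-SslCertBindingCommand -IpPort '0.0.0.0:9443' -Thumbprint $pastedHash -AppId $pastedAppId
```

The returned line is meant for the command prompt, as in the thread; if it is run from PowerShell instead, the appid value has to be quoted (appid='{...}') because PowerShell otherwise parses the braces as a script block.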
