Adoption failed due to unable to check revocation

sasikumar_r · ‎Aug 05, 2020

Hi All,

We are trying to adopt few 2008 R2 servers through discovery & Inventory rule. The device is getting discovered, but failed when it tries to initiate the OSD file download from the beacon server.

Both beacon and 2008 are on LAN.

Beacon is enabled with certificate (https), No proxy in place,CRL distribution point is accessible from the browser & able to download the crl file also. and below is the error on the launcher.log file.

[30/07/2020 04:04:33 (G, 0)] {5556} Download failure: The revocation function was unable to check revocation because the revocation server was offline.
[30/07/2020 04:04:33 (U, 0)] {5556} ERROR: Error (s107m858)
[30/07/2020 04:04:33 (U, 0)] {5556} ----------------
[30/07/2020 04:04:33 (U, 0)] {5556} The following network error occurred while retrieving the application:

The revocation function was unable to check revocation because the revocation server was offline.

Contact your network administrator for assistance.

[30/07/2020 04:04:33 (N, 0)] {5556} Download FAILED for “https://beaconserver.admin.com/ManageSoftDL/Packages/Flexera/Adoption/15.0.0/Rev1.0/Managed%20Device%20Adoption/Managed%20Device%20Adoption.osd”
[30/07/2020 04:04:33 (U, 0)] {5556} QUERY: Cannot download file

If it is a agent based i know we can enable the CheckCertificateRevocation registry to false for bypassing post installation. but here the error occurs before the installation starts.

Could you please help me on the how to fix the issue

1. is there any place on the server that i need to configure to enable to fix the connectivity issue to CA.
2. how to bypass the check revocation list while performing the adoption.

Thank you
sasi

winvarma · ‎Aug 05, 2020

Hi @sasikumar_r ,

Is this issue in a cloud instance? if yes, make sure that the below url's were allowed for certificate revocation checks.

DigiCert certificate authority may use any of the following for revocation checks:

-----------------------------------------------------------

https://docs.flexera.com/fnms/FR/WebHelp/index.html#topics/FIB-PortsAndURLs.html

Also refer to https://community.flexera.com/t5/FlexNet-Manager-Knowledge-Base/ComplianceUpload-fails-to-check-revocation-for-the-certificate/ta-p/1954

Regards,

ChrisG · ‎Aug 05, 2020

Based on your observations here, I understand:

1. You can access the CRL distribution point using a web browser
2. The FlexNet agent is unable to access the CRL distribution point

One possible cause of this is that the CRL distribution point is only accessible through a web proxy. The agent adoption process here will not (cannot) use a web proxy, so you will need to ensure that the CRL distribution point is directly accessible without having to go through a web proxy in order to use this agent deployment approach.

I wonder if it is possible to somehow configure the command line options used by the adoption process. I'm not personally aware of whether that can be done, but if it can be done it would likely be through configuring an appropriate registry entry on the beacon. If it is possible then you could try adding "-o CheckCertificateRevocation=false" to the command line to avoid the revocation check during the adoption.

(Did my reply solve the question? Click "ACCEPT AS SOLUTION" to help others find answers faster. Liked something? Click "KUDO". Anything expressed here is my own view and not necessarily that of my employer, Flexera.)