
FlexNet Agent cert error and timeout error

Good day

We are experiencing an issue with FlexNet Agents on a Windows server reporting to a beacon. The following has been checked:

  1. Beacon has been configured with correct TLS settings
  2. All beacon services are running, no errors (see attached as far as we can see)
  3. URL https://beaconname/ManageSoftDL/test - works - this tells me the server where we are installing an agent can see the beacon
  4. We have configured the mgssetup.ini to bypass the SSL certificates, same has been done on the beacon.
  5. telnet on port 443 from the server where an agent is installed to the beacon works
  6. After the install we receive an error (see attached logs) - Download failure: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
  7. We then ensured that the certs are bypassed as mentioned above
  8. We then ran a mgspolicy -t machine  and we then received the error (see attached logs)- Error 0xE0500013: Timeout on connection

What could be the issue and what should we check?

(6) Replies

Additional log files attached

Beacon  Log files also attached

The verification you've done appears to confirm that the agent computer can connect to port 443 on the beacon OK, so I wonder if the timeout is occurring trying to connect to the certificate's certification revocation list (CRL) URL.

What value do you have configured for the CheckCertificateRevocation agent preference setting? Does it help to set this to "false"? For example, run the following to attempt to update policy:

start mgspolicy -t Machine -o CheckCertificateRevocation=false -o DownloadRootURL=https://JMNGD1BAW50V02.rjil.ril.com/ManageSoftDL

@ChrisG - CheckCertificateRevocation has been set to False in the mgssetup.ini already. I will test the command below and will provide you feedback.

A quick Google search on the error message indicates an issue with the certificates installed on your client computer(s).

A valid trusted root certification authority (CA) certificate has not been found in the Trusted Root Certification Authorities store. Check the following sites please:


https://knowledge.digicert.com/solution/SO13755.html
https://social.msdn.microsoft.com/Forums/ie/en-US/5ed119ef-1704-4be4-8a4f-ef11de7c8f34/a-certificate-chain-processed-but-terminated-in-a-root-certificate-which-is-not-trusted-by-the?forum=WAVirtualMachinesVirtualNetwork

Hi,

You can use the following option: CheckServerCertificate=false

According to documentation:

When transferring data to or from an inventory beacon using the HTTPS protocol, a web server certificate is applied to
the data being transferred. All component agents can (and by default do) validate the public certificates received from
the inventory beacon against their local copy (on Windows, in the certificate store; and on UNIX in the PEM file).
If you wish, you can use the CheckServerCertificate preference to prevent agents from performing the certificate
check. (Without this check, the certificate is ignored, and the HTTPS protocol provides only encryption as security on the
transfer, without validating that the agent is contacting the correct inventory beacon server.)
You can set this as a common registry entry, so that the same behavior occurs across all agents; and you can override the
common behavior by setting an overriding registry entry for any individual agent if required. By default, this preference
is set so that all agents check the inventory beacon server certificate against the root CA certificate.

Another question: when you installed the agent on UNIX/Linux, did you put the certificate on the server before installation?

Also according to documentation:

If the target computer device is to use the HTTPS protocol to communicate with an inventory beacon, and you require certificate checking to validate that the device is talking to the correct inventory beacon (for details, see Agent third-party deployment: Enabling the HTTPS Protocol on UNIX Agents):
a. Prepare a summary HTTPS CA certificate for the target device(s) (see notes in Agent third-party deployment: HTTPS CA Certificate File Format (UNIX))
b. Configure your deployment/installation tool to deliver the certificate file as /var/tmp/mgsft_rollout_cert on the target device.
This file must be in place on the device before you run the installer for FlexNet inventory agent. During installation, the /var/tmp/mgsft_rollout_cert file is copied to /var/opt/managesoft/etc/ssl/cert.pem.
Tip: If you do not complete this as part of the deployment and installation process, after installation you can simply copy the completed certificate to /var/opt/managesoft/etc/ssl/cert.pem on a device where FlexNet inventory agent is locally installed.

If you did the previous step correctly then probably there is an issue with your certificate; maybe you can recreate it.
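Added example, not part of the thread and not Flexera code: a way to test whether a CA bundle such as the agent's cert.pem actually contains the root that issued the beacon's certificate, which is the condition behind the "root certificate which is not trusted" error. It assumes the `openssl` CLI (1.1.0 or later) and uses OpenSSL's verifier as a stand-in for the agent's own check; the CA names, `beacon.example.test` and all function names are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example. All keys, certificates and names below are constructed test data.

# Succeeds only if CERT chains to a root present in BUNDLE (e.g. the agent's cert.pem).
# -no-CApath (OpenSSL 1.1.0+) stops fallback to the system CA directory.
bundle_trusts_cert() {
  openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# Create a throwaway self-signed root: new_root DIR NAME "Common Name"
new_root() {
  openssl req -x509 -config "$1/demo.cnf" -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$3" -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# Build two unrelated roots and a "beacon" certificate issued by the first one.
make_demo_pki() {
  local d=$1
  cat > "$d/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
  new_root "$d" ca "Demo Root CA" &&
  new_root "$d" other "Unrelated Root CA" &&
  openssl req -new -config "$d/demo.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=beacon.example.test" -keyout "$d/beacon.key" -out "$d/beacon.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/beacon.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/beacon.pem" 2>/dev/null
}

# Print how a bundle judges a certificate: trust_verdict BUNDLE CERT
trust_verdict() {
  if bundle_trusts_cert "$1" "$2"; then echo trusted; else echo untrusted; fi
}

dir=$(mktemp -d) && make_demo_pki "$dir"
echo "bundle with unrelated root: $(trust_verdict "$dir/other.pem" "$dir/beacon.pem")"
cat "$dir/other.pem" "$dir/ca.pem" > "$dir/cert.pem"   # add the issuing root to the bundle
echo "bundle incl. issuing root:  $(trust_verdict "$dir/cert.pem" "$dir/beacon.pem")"
rm -rf "$dir"
```

On a real UNIX agent, the same `bundle_trusts_cert` call can be pointed at /var/opt/managesoft/etc/ssl/cert.pem and a PEM export of the beacon's server certificate. An "untrusted" result there means the bundle needs the issuing root added, rather than the check being switched off.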