Flexera Cloud Beacon Settings: CheckCertificateRevocation=True (not working) / False (working)
I'm working in a customer environment experiencing an issue I haven't before and haven't been able to pinpoint why it's happening.
- Customer environment very locked down so worked closely with firewall team to open up everything required based on Flexera's documentation (firewall audit logs show nothing being dropped)
- External Firewall rules created based on
- TLS 1.1 and 1.2 Client/Server enabled and SSL 2.0 disabled by default, use strong crypto turned on (standard beacon settings based on Flexera KB https://community.flexera.com/t5/FlexNet-Manager-Knowledge-Base/Transport-Layer-Security-TLS-1-1-1-2...
When CheckCertificateRevocation=True, all files collected on the Beacon servers will not be transmitted to the FNMS Cloud. (I assume this is because the check against the CRL is not happening, so file transmission is being denied.)
When CheckCertificateRevocation=False, all pending files collected are transmitted.
I have not experienced this issue with any other customer to date. All are using the default configuration of CheckCertificateRevocation=True with no issues.
My question is, what is happening with =True vs =False that is causing files from the Beacon server to not send to the FNMS Cloud, and what needs to happen for =True to work as expected?
upload.log states the following:
Error 0x80092012: The revocation function was unable to check revocation for the certificate.
Error 0xE050044D: Failed to create remote directory /ManageSoftRL
Error 0xE0690099: Specified remote directory is invalid, or could not be created
ERROR: Remote directory is invalid
Upload failed due to a server side issue. This server may be retried during this upload session.
Ignoring failover locations for upload on an inventory beacon
WARNING: FlexNet Manager Platform has failed to upload a file to all configured upload servers; aborting attempt to upload these file(s)
I'm at a loss as Firewall logs show nothing being blocked or dropped.
The following is explained by providers of SSL certificates, like by DigiCert:
To check the revocation status of an SSL Certificate, a client connects to the URL of the Certificate Authority (CA) and downloads the CA's Certificate Revocation List (CRL). Then, the client searches through the CRL for the serial number of the certificate to make sure that it hasn't been revoked.
So you need to know the URL of the Certificate Authority (CA). For the US FNMS Cloud and Cloud Beacons, the CA happens to be issued by DigiCert. The client needs to have access to all DigiCert SSL CRL IP Addresses. This list is available on the Internet.
Basically, you need the firewalls to be reconfigured for allowing the local Beacon(s) access to DigiCert CRL IP Addresses.
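The following PowerShell script is an added diagnostic example, not code from Flexera or from anyone in this thread. Run from a Beacon server, it connects to the upload host, builds the certificate chain, reads the CRL Distribution Points (OID 2.5.29.31) from every certificate in the chain, and then tries to download each CRL so you can see which URLs the firewall still blocks. The default host name is an assumption; substitute the upload server configured on your beacon.

```powershell
# Added diagnostic example (not Flexera's code). Lists the CRL URLs that the
# upload server's certificate chain requires and tests whether each one can be
# downloaded from this Beacon. The host name below is an ASSUMPTION: replace it
# with the upload server shown in your beacon's connection settings.
param(
    [string]$UploadHost = 'beacon.example.flexnetmanager.com',  # assumed placeholder
    [int]$Port = 443,
    [int]$TimeoutSec = 10
)

function Get-RemoteCertificate {
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Callback returns $true so the handshake completes even if revocation
        # checking is broken: we only want to READ the certificate here.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }
}

function Get-CrlUrls {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # OID 2.5.29.31 = CRL Distribution Points. Format($true) renders one
    # "URL=http://..." entry per distribution point.
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return @() }
    [regex]::Matches($ext.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
}

function Test-CrlDownload {
    param([string]$Url, [int]$TimeoutSec)
    try {
        $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec $TimeoutSec
        [pscustomobject]@{ Url = $Url; Reachable = $true;  Detail = "HTTP $($resp.StatusCode), $($resp.RawContentLength) bytes" }
    } catch {
        [pscustomobject]@{ Url = $Url; Reachable = $false; Detail = $_.Exception.Message }
    }
}

$leaf = Get-RemoteCertificate -HostName $UploadHost -Port $Port
"Server certificate: $($leaf.Subject)"
"Issued by:          $($leaf.Issuer)"

# Build the chain WITHOUT revocation checking so that the chain itself can be
# walked; the intermediate CA certificate carries its own CRL URL that the
# Beacon must also be able to reach.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
[void]$chain.Build($leaf)

$urls = $chain.ChainElements | ForEach-Object { Get-CrlUrls -Cert $_.Certificate } | Sort-Object -Unique
if (-not $urls) { "No CRL Distribution Points found in the chain."; return }

"CRL URLs required by the chain:"
$urls | ForEach-Object { Test-CrlDownload -Url $_ -TimeoutSec $TimeoutSec } | Format-Table -AutoSize
```

A URL that fails here is a firewall or proxy allow-list candidate. If every URL downloads successfully in this script but upload.log still reports 0x80092012 (CRYPT_E_NO_REVOCATION_CHECK), compare proxy configuration: CryptoAPI fetches CRLs through WinHTTP under the Beacon service account, so check `netsh winhttp show proxy` rather than the interactive user's browser proxy. `certutil -verify -urlfetch <exported-cert.cer>` gives an independent view of the same CRL and AIA retrievals.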
@erwinlindemann thank you for this. I will test this out and if it works, mark your comment as the solution.
I think adding this information would be an excellent addition to Flexera's Web Help article around this topic:
While these online help pages have a couple of certificate- and CRL-related links, including something like the link to the full list of CRLs to whitelist would make it a one-stop shop.
In the URL https://helpnet.flexerasoftware.com/fnms/EN/WebHelp/index.html#topics/FIB-PortsAndURLs.html, Ref #2 and Ref #5 do list the DigiCert URLs we use for the CRLs.
Are you able to confirm what other URLs are needed going forward, and I can pass that on to our documentation team.
Thanks in advance.
If the solution provided has helped, please mark it as such as this helps everyone to know what works.