Receiving Curl Error: Verify the agent certificate matches the server on Symantec Critical System Protection

Article ID: 158719

Products

Critical System Protection
Data Center Security Server Advanced

Issue/Introduction

The SCSP Agent cannot communicate with the SCSP Management server, and reports the following error: "Curl Error: Verify the agent certificate matches the server"

When running the "sisipsconfig.exe -t" command to test the connection between the SCSP Agent and SCSP Manager, the following error is present.

 

C:\Program Files\Symantec\Critical System Protection\Agent\IPS\bin>sisipsconfig.exe -t

-----------------------------------------------------------------------------
Agent Configuration Tool version 5.2.9.739
-----------------------------------------------------------------------------

Testing connection to server <SCSP Manager IP>

Could not connect to server:  Verify the agent certificate matches the server.

C:\Program Files\Symantec\Critical System Protection\Agent\IPS\bin>

 

When reviewing the SCSP Agent logs (i.e. the "SISIDSEvents.csv" file) the following error is present.

C:\Program Files\Symantec\Critical System Protection\Agent\scsplog\SISIDSEvents.csv

Starting Symantec IPS Utility Service
Starting Symantec Critical System Protection Server 5.2.9.739
Management Server URL: https://<SCSP Manager IP>:443/sis-agent/
Curl Error: Verify the agent certificate matches the server..
Starting Symantec Critical System Protection Server 5.2.9.739

 

Cause

This issue can occur due to the following reasons:

- The "agent-cert.ssl" file has become corrupted
- The "agent-cert.ssl" file is not the correct certificate for the SCSP Manager the SCSP Agent is trying to connect to
- The time and time zone settings are different on the SCSP Manager and the SCSP Agent machine (i.e. the UTC settings do not match)
 

Environment

Symantec Critical System Protection

Resolution

Ensure the time and time zone settings on the SCSP Manager and the SCSP Agent machine are consistent, so that both machines resolve to the same UTC time.

The SCSP Manager and SCSP Agent can be in different time zones, but their UTC time should be the same.

Example:

10:30 AM IST (UTC+5:30) is 5:00 AM UTC
12:00 AM EST (UTC-5:00) is 5:00 AM UTC

NOTE: Change the time settings on the SCSP Agent machine to match the SCSP Manager machine. If you change the time settings on the SCSP Manager machine, it can affect other certificates.
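
The three causes listed above can be checked from the agent machine with the following PowerShell script. It is an added example, not Symantec tooling or part of the original article. It assumes agent-cert.ssl is an X.509 certificate file holding the manager's own certificate, that CertPath and ManagerHost are values you supply, and it goes beyond the article by also checking the certificate validity window, since certificate validation depends on the local clock.

```powershell
# Added diagnostic example, not Symantec tooling. Assumption: agent-cert.ssl is an
# X.509 certificate file (PEM or DER) containing the manager's own certificate.
param(
    [Parameter(Mandatory=$true)][string]$CertPath,     # full path to agent-cert.ssl on the agent
    [Parameter(Mandatory=$true)][string]$ManagerHost,  # the <SCSP Manager IP> from the log
    [int]$Port = 443
)
$x509 = 'System.Security.Cryptography.X509Certificates.X509Certificate2'

# Cause 1: a corrupted file does not parse as a certificate.
try { $pinned = New-Object $x509 -ArgumentList $CertPath }
catch { Write-Output "FAIL  cannot parse ${CertPath}: $($_.Exception.Message)"; return }

# Cause 3: the agent clock, in UTC, must fall inside the certificate validity window.
$nowUtc    = [DateTime]::UtcNow
$notBefore = $pinned.NotBefore.ToUniversalTime()
$notAfter  = $pinned.NotAfter.ToUniversalTime()
Write-Output ("Agent clock (UTC): {0:u}" -f $nowUtc)
Write-Output ("Valid (UTC)      : {0:u} to {1:u}" -f $notBefore, $notAfter)
if ($nowUtc -lt $notBefore -or $nowUtc -gt $notAfter) {
    Write-Output 'FAIL  agent UTC time is outside the validity window; check clock and time zone'
} else {
    Write-Output 'OK    agent UTC time is inside the validity window'
}

# Cause 2: read the certificate the manager presents and compare it with the local file.
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($ManagerHost, $Port)
    # The callback accepts any certificate: the handshake only reads it, no application data is sent.
    $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $tls = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAny)
    $tls.AuthenticateAsClient($ManagerHost)
    $presented = New-Object $x509 -ArgumentList $tls.RemoteCertificate
} catch {
    Write-Output "FAIL  could not read the manager certificate: $($_.Exception.Message)"; return
} finally { $tcp.Close() }

Write-Output "Local file thumbprint: $($pinned.Thumbprint)"
Write-Output "Manager thumbprint   : $($presented.Thumbprint)"
if ($pinned.Thumbprint -eq $presented.Thumbprint) {
    Write-Output 'OK    agent-cert.ssl matches the certificate the manager presents'
} else {
    Write-Output 'FAIL  agent-cert.ssl differs from the certificate the manager presents'
}
```

Compare the printed "Agent clock (UTC)" value with the UTC time on the SCSP Manager; the two should agree even when the machines are in different time zones.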

 

Applies To:

SCSP Manager: 5.2.9.739+
SCSP Agent: 5.2.9.739+