
Server's certificate is not valid, thumbprint mismatch


Article ID: 175176


Products

IT Management Suite

Issue/Introduction

Agents can't connect to the Symantec Management Platform when connecting over CEM (Cloud-Enabled Management). The agent log shows:

Error type: TLS Handshake error 
Error code: The certificate chain was issued by an authority that is not trusted (0x80090325) 
Error note: 'IP Address of Server' server's certificate is not valid, thumbprint mismatch 
Gateway HTTPS connection info: 
   Server certificate: 
      Serial number:
      Thumbprint: 
   Cryptographic protocol: TLS 1.2 
   Cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 
   Cipher algorithm: AES 
   Cipher key length: 256 
   Hash algorithm: SHA384 
   Hash length: 384 
   Key exchange algorithm: ECDH 
   Key length: 256


Environment

ITMS 8.5 

Cause

The gateway had been removed and reinstalled. The reinstall gave the gateway a certificate with a new thumbprint, and that thumbprint did not match the thumbprint listed for the gateway in the CEM policy on the SMP server. Because the agent pins the gateway by the thumbprint in its policy, the TLS handshake fails with the thumbprint mismatch above.

Resolution

Copied the thumbprint from the new gateway certificate and placed it in the CEM policy. Note, however, that this will break currently installed CEM machines: they still hold the old thumbprint and would have to connect internally to receive the updated CEM policy. A better option, if possible, is to locate the original certificate that the gateway was using and install it on the CEM gateway, so the existing policy remains valid.

Another option is to leave the existing incorrect entry in the CEM policy in place and add the same gateway to the policy a second time with the correct thumbprint. The policy will not let you save two entries with the same FQDN, but it will let you add the gateway again if you use the gateway's external IP address instead of the FQDN, together with the correct gateway thumbprint. Give the policy time to propagate to all endpoints and confirm that they are connecting through the new entry before removing or changing the incorrect one.
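Before editing the policy, it helps to confirm which thumbprint the gateway is actually presenting and to compare it against the value copied from the CEM policy. The script below is an added diagnostic, not part of this article or of the ITMS product; the gateway hostname and the policy thumbprint in it are placeholders you replace with your own.

```python
"""Compare the certificate a CEM gateway presents with the thumbprint
recorded in the CEM policy.

Added diagnostic example; not part of the article or the ITMS product.
The gateway host and policy thumbprint below are placeholders.
"""
import hashlib
import re
import socket
import ssl


def normalize_thumbprint(value: str) -> str:
    """Reduce a thumbprint to uppercase hex with no separators.

    Windows shows thumbprints as "ab cd ...", openssl as "AB:CD:...", and a
    copy from the Windows certificate dialog can carry an invisible leading
    character; stripping every non-hex character handles all of these.
    """
    return re.sub(r"[^0-9A-Fa-f]", "", value).upper()


def thumbprint_of(der_cert: bytes) -> str:
    """SHA-1 over the DER encoding, which is the thumbprint Windows and the
    SMP console display for a certificate."""
    return hashlib.sha1(der_cert).hexdigest().upper()


def thumbprint_matches(der_cert: bytes, policy_thumbprint: str) -> bool:
    return thumbprint_of(der_cert) == normalize_thumbprint(policy_thumbprint)


def fetch_presented_cert(host: str, port: int = 443, timeout: float = 10.0) -> bytes:
    """Return the DER certificate the gateway sends in the TLS handshake.

    Chain validation is disabled on purpose: the agent's error is that the
    chain is untrusted, so we want to see the leaf the server actually
    presents rather than fail on validation. Nothing is sent over this
    connection beyond the handshake.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def diagnose(host: str, policy_thumbprint: str, port: int = 443) -> str:
    """Human-readable verdict comparing the live gateway with the policy."""
    actual = thumbprint_of(fetch_presented_cert(host, port))
    expected = normalize_thumbprint(policy_thumbprint)
    if actual == expected:
        return f"OK: {host} presents the thumbprint recorded in the CEM policy ({actual})"
    return (f"MISMATCH: {host} presents {actual} but the CEM policy lists {expected}; "
            "the gateway certificate was probably replaced (for example by a reinstall)")


if __name__ == "__main__":
    # Placeholder values: use the gateway's external FQDN or IP and the
    # thumbprint exactly as copied from the CEM policy on the SMP server.
    print(diagnose("cem-gateway.example.com",
                   "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"))
```

Run it once against the gateway's FQDN and once against its external IP address when using the second resolution option, since each policy entry is pinned independently; a MISMATCH for the old entry and an OK for the new one is the state you want to see before removing the incorrect entry.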