Agents can't connect to the Symantec Management Platform when connecting over CEM
Error type: TLS Handshake error
Error code: The certificate chain was issued by an authority that is not trusted (0x80090325)
Error note: 'IP Address of Server' server's certificate is not valid, thumbprint mismatch
Gateway HTTPS connection info:
Server certificate:
Serial number:
Thumbprint:
Cryptographic protocol: TLS 1.2
Cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Cipher algorithm: AES
Cipher key length: 256
Hash algorithm: SHA384
Hash length: 384
Key exchange algorithm: ECDH
Key length: 256
ITMS 8.5
The gateway had been removed and reinstalled. The gateway was installed with a new thumbprint. The new thumbprint did not match the thumbprint that was listed in the CEM policy on the SMP server.
Copy the thumbprint from the new gateway server and place it in the CEM policy. Note, however, that this will break currently installed CEM machines: they would have to connect internally to get the new CEM policy. A better option, if you can find the original certificate that the gateway was using, is to install that certificate on the CEM gateway.
Another option is to leave the existing incorrect entry in the CEM policy unmodified and add the same gateway to the existing policy again, ensuring the correct thumbprint is used. The policy will not let you save two entries with the same FQDN, but it will let you add the gateway again if you use the external IP address of the gateway (instead of the FQDN) with the correct gateway thumbprint. Give this policy some time to propagate to all endpoints and confirm they are connecting before removing or changing the incorrect entry.
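Before editing the policy, it helps to confirm which thumbprint the gateway actually presents and compare it with the value entered in the CEM policy. The PowerShell below is an added example, not Symantec tooling; the host name, port 443 and the sample thumbprints are assumptions or constructed values, and it assumes the policy holds the SHA-1 thumbprint that Windows displays for the certificate.

```powershell
# Added example. Host name, port and thumbprint values are assumptions or constructed.

function ConvertTo-NormalizedThumbprint {
    param([Parameter(Mandatory)][string]$Thumbprint)
    # Keep hex digits only. This drops spaces, colons and the invisible
    # U+200E mark that can come along when copying from the certificate dialog.
    ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
}

function Get-GatewayThumbprint {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Accept any chain here: the goal is to read the certificate, not to trust it.
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAny)
        try {
            $ssl.AuthenticateAsClient($HostName)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
            $cert.Thumbprint   # SHA-1 thumbprint, as Windows displays it
        } finally { $ssl.Dispose() }
    } finally { $client.Close() }
}

function Test-ThumbprintMatch {
    param([Parameter(Mandatory)][string]$PolicyThumbprint,
          [Parameter(Mandatory)][string]$PresentedThumbprint)
    $policy    = ConvertTo-NormalizedThumbprint $PolicyThumbprint
    $presented = ConvertTo-NormalizedThumbprint $PresentedThumbprint
    if ($policy.Length -ne 40) {
        throw "Policy value is not a 40-digit SHA-1 thumbprint: '$policy'"
    }
    [pscustomobject]@{ Policy = $policy; Presented = $presented; Match = ($policy -eq $presented) }
}

# Offline demonstration with constructed values: the policy value carries spaces
# and a hidden U+200E, yet it is the same thumbprint the gateway presents.
$fromPolicy  = "$([char]0x200E)a1 b2 c3 d4 e5 f6 07 18 29 3a 4b 5c 6d 7e 8f 90 a1 b2 c3 d4"
$fromGateway = 'A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D4'
Test-ThumbprintMatch -PolicyThumbprint $fromPolicy -PresentedThumbprint $fromGateway

# Live check (placeholder values; run from a machine that can reach the gateway):
# Test-ThumbprintMatch -PolicyThumbprint '<thumbprint from CEM policy>' `
#     -PresentedThumbprint (Get-GatewayThumbprint -HostName 'gateway.example.com')
```

If Match is False after normalization, the gateway is presenting a different certificate than the one recorded in the policy, which is the condition described above.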