search cancel

LiveUpdate fails on 14.2 RU1 Mac clients when using the default source of https://liveupdate.symantec.com

book

Article ID: 175549

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

Symantec Endpoint Protection (SEP) for Mac clients running build 14.2 RU1 show intermittent failures to download the latest content. Review of LUX.log shows when the source server https://liveupdate.symantec.com:443 is used, LiveUpdate fails to select a LiveUpdate sever. When this happens LiveUpdate fails over to use http://liveupdate.symantec.com:80 and succeeds.

lux.log:

10:17:03.189074 [Server Selection - START]
10:17:03.846198  Result Code: 0x80010830
10:17:03.846395  Result Message: FAIL - failed to select server
10:17:03.846457  [Server - START]
10:17:03.846518  Host ID: {432B9A39-0ECF-4ADA-B01E-B0FDA92D2F70}
10:17:03.846602  Status Code: 1
10:17:03.846662  Status Message: Server was not selected
10:17:03.846877  Transport Return Code: 0x80010731
10:17:03.846940  Transport Return Message: FAIL - download failed
10:17:03.846993  Protocol: HTTPS
10:17:03.847043  Hostname: liveupdate.symantec.com
10:17:03.847091  Port: 443

 
devlux.log:

curlTransport.cpp:174 07/29/19 16:37:05.050494 GMT [DEBUG] :  :  : Encoded URL: https://liveupdate.symantec.com:443//minitri.flg
curlTransport.cpp:103 07/29/19 16:37:05.068157 GMT [DEBUG] :  :  : Added /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root G2:033AF1E6A711A9A0BB2864B11D09FAE5 to the certificate store for SSL
curlTransport.cpp:103 07/29/19 16:37:05.068365 GMT [DEBUG] :  :  : Added /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5:18DAD19E267DE8BB4A2158CDCC6B3B4A to the certificate store for SSL
curlTransport.cpp:599 07/29/19 16:37:05.082749 GMT [ERROR] :  :  : Failed to download file: error 60, SSL certificate problem: unable to get local issuer certificate
ServerSelector.cpp:331 07/29/19 16:37:05.082808 GMT [WARNING] :  :  : Server could not be selected

Environment

macOS 10.14.x
SEP 14.2 RU1 (build 3332 and 3335)

Cause

The required DigiCert root CA used by Symantec's HTTPS LiveUpdate server is not the same root certificate registered in the LUX engine datastore on the local client. This mismatch results in a mistrust between the client and server and thus fails LiveUpdate.

Resolution

This issue is fixed in Symantec Endpoint Protection 14.2 RU1 MP1. For information on how to obtain the latest build of Symantec Endpoint Protection, see Download the latest version of Symantec software here.