search cancel

LiveUpdate fails on Endpoint Protection Linux clients


Article ID: 186842


Updated On:


Endpoint Protection


Symantec Endpoint Protection (SEP) Linux clients fail to update content through LiveUpdate.


This problem can happen when the SEP client is configured to download content from an internal LiveUpdate server, such as LiveUpdate Administrator (LUA) over an HTTPS connection. 

The LiveUpdate Cross-Platform (LUX) engine used by the SEP Linux client verifies the validity of server certificates when it connects to HTTPS servers. By default LUA uses a self-signed certificate for HTTPS communications. Unless the LUA server is configured to use a certificate signed by a public certificate authority (CA) contained in the certificate store used by LUX, the connection will fail.


1. Ensure any internal LiveUpdate servers are configured with a public CA signed certificate for HTTPS communications.

2. In test environments, add the LiveUpdate server's self-signed certificate, or the internal CA certificate to the SEP client's certificate store at /etc/symantec/sep/sepfl.pem.

Additional Information

Appending the certificate can be done in many ways. Here is an example of one method that may work for you though we recommend managing the procedure in accordance with your organization's policies and procedures.
First move a copy of the LUA certificate to the Linux machine.
from the /etc/symantec/sep/ directory:
cp sepfl.pem sepfl.pem.old
cat sepfl.pem luacrt.crt > sepfl.pem
Where luacrt.crt is the directory and name of the LUA certificate.
cat sepfl.pem /tmp/luacrt.crt > sepfl.pem
You can confirm that the LUA certificate is added to the sepfl.pem file by using the diff command.
diff --normal sepfl.pem sepfl.pem.old
The difference should be the content of the LUA certificate.
Once this is done you can restart the smcd daemon or reboot the machine and confirm if definitions begin to update from the LUA using HTTPS.