Endpoint Protection Linux agents fail to connect to the Endpoint Protection Manager when using a custom certificate

Article ID: 203899


Updated On:


Endpoint Protection


When using a certificate signed by an internal Certificate Authority with your Endpoint Protection Manager (SEPM), Linux clients fail to connect to the SEPM.  This error occurs when using the option to "Verify certificate when using HTTPS protocol" in the Management Server List. 

debug.log on the client shows the following error:

2020-11-23T22:16:54.174UTC -239076544 DEBUG cve.sylinkcommunicator [2020-Nov-23 22:16:54.174016] [DEBUG] Attempting connection to server sepm.testnet.work [thread:0x5724e0b0]
2020-11-23T22:16:54.174UTC -239076544 INFO cve.sylinkcommunicator [2020-Nov-23 22:16:54.174063] [INFO ] CallOneServer: Heartbeat pass <1> for sepm.testnet.work [thread:0x5724e0b0]
2020-11-23T22:16:54.174UTC -239076544 DEBUG cve.sylinkcommunicator [2020-Nov-23 22:16:54.174729] [DEBUG] Attempting to get Index2.xml file. [thread:0x5724e0b0]
2020-11-23T22:16:54.174UTC -239076544 DEBUG cve.commchannel [2020-Nov-23 22:16:54.174815] [DEBUG] Current CSN is 52 [thread:0x5724e0b0]
2020-11-23T22:16:54.175UTC -239076544 DEBUG util.httpsender [2020-Nov-23 22:16:54.175116] [DEBUG] setting private CA bundle path = /etc/symantec/sep/sepfl.pem [thread:0x5724e0b0]
2020-11-23T22:16:54.175UTC -239076544 DEBUG util.httpsender [2020-Nov-23 22:16:54.175142] [DEBUG] Providing self signed CA (In-Memory) to CURL library [thread:0x5724e0b0]
2020-11-23T22:16:54.175UTC -239076544 DEBUG util.httpsender [2020-Nov-23 22:16:54.175159] [DEBUG] CURLOPT_SSL_VERIFYPEER option is set to 1 [thread:0x5724e0b0]
2020-11-23T22:16:54.175UTC -239076544 DEBUG util.httpsender [2020-Nov-23 22:16:54.175183] [DEBUG] CURLOPT_SSL_VERIFYHOST option is set to 2 [thread:0x5724e0b0]
2020-11-23T22:16:54.175UTC -239076544 DEBUG util.httpsender [2020-Nov-23 22:16:54.175208] [DEBUG] Setting CURL to use system proxy =  [thread:0x5724e0b0]
2020-11-23T22:16:54.205UTC -239076544 DEBUG util.httpsender [2020-Nov-23 22:16:54.205823] [DEBUG] CertificateProvider Begins [thread:0x5724e0b0]
2020-11-23T22:16:54.205UTC -239076544 DEBUG util.httpsender [2020-Nov-23 22:16:54.205963] [DEBUG] CertificateProvider Finished [thread:0x5724e0b0]
2020-11-23T22:16:54.269UTC -239076544 WARN util.httpsender [2020-Nov-23 22:16:54.269352] [WARN ] Error in sending (60) SSL certificate problem: unable to get local issuer certificate [thread:0x5724e0b0]
2020-11-23T22:16:54.269UTC -239076544 DEBUG cve.commchannel [2020-Nov-23 22:16:54.269839] [DEBUG] Interrupted while downloading /secars/secars.dll?action=12&hostid=F4547D010A20A87A5D1B170D56D4C5E1&chk=41DB3781F2BF56B9E8F99EA76AB07317&ck=A9043D1A2D83D8A2AB33650452963009&uchk=D9C2B0727697CFCA858EECE43E7783D9&uck=4775316E5568969533F2AFB74AD91DF6&hid=98106886DB549C7749272226C18176B1&groupid=5A03D48E0A20A87A41302386B2E70076&ClientProductVersion=14.3.1148.0100&mode=0&hbt=300&as=52&cn=[hex]72656E746573743030343036302E6270632E62726F6164636F6D2E6E6574&lun=[hex]726F6F74&udn=[hex]726F6F74
Downloaded 0 and uploaded 0 bytes. [thread:0x5724e0b0]
2020-11-23T22:16:54.270UTC -239076544 INFO cve.sylinkcommunicator [2020-Nov-23 22:16:54.270020] [INFO ] Heartbeat failed [thread:0x5724e0b0]
2020-11-23T22:16:54.270UTC -239076544 WARN cve.sylinkcommunicator [2020-Nov-23 22:16:54.270133] [WARN ] Failed to connect to server sepm.testnet.work. NetException [thread:0x5724e0b0]


This error occurs because the issuing certificate authority that signed the SEPM's certificate is not trusted by the client.


The Endpoint Protection (SEP) client stores its trusted root certificates in sepfl.pem located in /etc/symantec/sep.  To resolve this issue, ensure that the file exists on the file system and verify that the SEPM's root certificate authority certificate is listed in the file.  (Default sepfl.pem is attached to this article if it is missing.)  If the SEPM's root certificate authority certificate is not in sepfl.pem, append it to the bottom of the file. 

Appending the certificate can be done in many ways. Here is an example of one method that may work for you, though we recommend managing the procedure in accordance with your organization's policies and procedures.
First, copy the root certificate to the Linux machine.
From the /etc/symantec/sep/ directory, back up the bundle and append the certificate with >> (redirecting with > to a file that is also being read would truncate sepfl.pem before cat reads it):
cp sepfl.pem sepfl.pem.old
cat rootca.crt >> sepfl.pem
Where rootca.crt is the path and file name of the root certificate. For example:
cat /tmp/rootca.crt >> sepfl.pem
You can confirm that the root certificate is added to the sepfl.pem file by using the diff command.
diff --normal sepfl.pem sepfl.pem.old
The difference should be the content of the root certificate.
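
A repeatable form of the append step, as an added example that is not part of the original article or of the product's tooling: it backs up the bundle, skips the append when the certificate is already present, and handles a bundle with no final newline or a certificate file with Windows line endings. The function names (pem_bodies, bundle_has_cert, append_ca) and the script name are hypothetical.

```sh
#!/bin/sh
# Added example, not Broadcom/Symantec code. Function names are hypothetical.

# Print every certificate in PEM file $1 as one line of base64
# (carriage returns and inner whitespace removed) so blocks can be compared.
pem_bodies() {
    tr -d '\r' < "$1" | awk '
        /-----BEGIN CERTIFICATE-----/ { body = ""; inside = 1; next }
        /-----END CERTIFICATE-----/   { if (inside) print body; inside = 0; next }
        inside { gsub(/[ \t]/, ""); body = body $0 }'
}

# Return 0 if every certificate in $2 is already in bundle $1,
# 1 if one is missing, 2 if $2 holds no PEM certificate (for example a DER file).
bundle_has_cert() {
    want=$(pem_bodies "$2")
    [ -n "$want" ] || return 2
    have=$(pem_bodies "$1")
    for body in $want; do
        printf '%s\n' "$have" | grep -qxF "$body" || return 1
    done
}

# Back up bundle $1 to $1.old, then append certificate $2 only if it is absent.
append_ca() {
    bundle=$1; cert=$2; rc=0
    [ -f "$bundle" ] || { echo "bundle not found: $bundle" >&2; return 2; }
    [ -f "$cert" ] || { echo "certificate not found: $cert" >&2; return 2; }
    bundle_has_cert "$bundle" "$cert" || rc=$?
    case $rc in
        0) echo "certificate already in $bundle"; return 0 ;;
        2) echo "no PEM certificate in $cert" >&2; return 2 ;;
    esac
    cp -p "$bundle" "$bundle.old" || return 1
    # A bundle without a final newline would put the END and BEGIN
    # markers on one line, which PEM parsers may fail to read.
    if [ -n "$(tail -c 1 "$bundle")" ]; then
        printf '\n' >> "$bundle"
    fi
    tr -d '\r' < "$cert" >> "$bundle" || return 1   # >> appends, never truncates
    bundle_has_cert "$bundle" "$cert"
}

# Usage: sh append_ca.sh /etc/symantec/sep/sepfl.pem /tmp/rootca.crt
if [ "$#" -eq 2 ]; then
    append_ca "$1" "$2"
fi
```

A return code of 2 from append_ca means the input was not a PEM certificate or a file was missing; the bundle is left untouched in that case.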


Attachment: 1607378773789__sepfl.pem