Mac FileVault Client cannot connect to Symantec Endpoint Encryption Management Server

Article ID: 225093

Products

Endpoint Encryption

Issue/Introduction

The Symantec Endpoint Encryption Mac FileVault Client cannot connect to Symantec Endpoint Encryption Management Server.

The client does not connect to Symantec Endpoint Encryption Management Server directly; it connects through a load balancer or firewall that performs SSL offloading, that is, the TLS connection is terminated at the load balancer or firewall rather than at the server.

The client shows this error when it tries to check in to the server:

The SEEd.log file shows entries like the following, ending in "unable to get local issuer certificate":

2021-09-22 11:31:04.028794+0200 0x34d6     Default     0x0                  105    0    SEEd: [com.symantec.encryption.SEEd:general] Can not ping the server please check if the server is alive. SSL_ERROR_SSL
error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
unable to get local issuer certificate

Windows clients are able to connect to the Symantec Endpoint Encryption Management Server.

Environment

Symantec Endpoint Encryption 11.3 and above.

Cause

By default, Symantec Endpoint Encryption Management Server provides the connecting client with its server certificate and all intermediate certificate(s).

However, the load balancer or firewall that terminates the TLS connection is only providing the connecting clients with the server certificate of the Symantec Endpoint Encryption Management Server.

Without the intermediate certificate(s), the Symantec Mac FileVault Client is unable to verify the server certificate of the Symantec Endpoint Encryption Management Server.

For example, Symantec Endpoint Encryption Management Server might have a certificate chain like this:

  1. USERTrust RSA Certification Authority - root certificate.
  2. Sectigo RSA Domain Validation Secure Server CA - intermediate certificate.
  3. see.example.com - server certificate.

However, the load balancer or firewall is only providing this:

  1. see.example.com - server certificate.

If Windows clients do not experience this issue, it is because the intermediate certificate(s) are in their local certificate store.

Resolution

There are two possible resolutions to this issue:

  1. Configure the load balancer or firewall so that it provides clients with the intermediate certificate(s) used by Symantec Endpoint Encryption Management Server.
  2. Add the intermediate certificate(s) to each client.

To add the intermediate certificate(s) to each client, first confirm that this file contains only the Symantec Endpoint Encryption Management Server's root certificate:

/Library/Application Support/Symantec Endpoint Encryption/SEEMs_Cert.pem

Then append the intermediate certificate(s) to the file. For example, if Symantec Endpoint Encryption Management Server uses one intermediate certificate, the contents of the file would look like this (root certificate first, then the intermediate):

-----BEGIN CERTIFICATE-----
MIIF3jCCA8agAwIBAgIQAf1tMPyjylGoG7xkDjUDLTANBgkqhkiG9w0BAQwFADCB
<snip>
jjxDah2nGN59PRbxYvnKkKj9
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIGEzCCA/ugAwIBAgIQfVtRJrR2uhHbdBYLvFMNpzANBgkqhkiG9w0BAQwFADCB
<snip>
00u/I5sUKUErmgQfky3xxzlIPK1aEn8=
-----END CERTIFICATE-----
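The following script is an added example, not Symantec's code or part of this article. It reproduces the failure described under Cause and then shows both resolutions, using a constructed root, intermediate and server certificate generated on the fly (the names "Constructed Root CA", "Constructed Intermediate CA" and the temporary stand-in for SEEMs_Cert.pem are assumptions; only the openssl command-line tool is required). The same `openssl verify` call is run three times: with the root alone and no intermediate, which fails with exactly the reason seen in SEEd.log; with the intermediate supplied by the peer, which is what resolution 1 makes the load balancer do; and with the intermediate appended to the trust file, which is resolution 2.

```shell
#!/bin/sh
# Added example (not Symantec's code): reproduce "unable to get local issuer
# certificate" with a constructed root -> intermediate -> leaf chain, then show
# both fixes from the article. Assumes only the openssl CLI is installed.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the script does not depend on a system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused
EOF
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:see.example.com\n' > "$WORK/leaf.ext"

# Create a key and CSR; $1 = file stem, $2 = subject.
csr() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "$2" 2>/dev/null
}

# Constructed stand-ins for the chain in the article (root, intermediate, server certificate).
csr root "/CN=Constructed Root CA"
csr int  "/CN=Constructed Intermediate CA"
csr leaf "/CN=see.example.com"
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 \
  -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 30 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
  -CAcreateserial -days 30 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null

# Stand-in for SEEMs_Cert.pem as shipped: the root certificate only.
ROOT_ONLY="$WORK/SEEMs_Cert.root_only.pem"
cp "$WORK/root.pem" "$ROOT_ONLY"
# Resolution 2: the same file with the intermediate appended after the root.
WITH_INT="$WORK/SEEMs_Cert.with_intermediate.pem"
cat "$WORK/root.pem" "$WORK/int.pem" > "$WITH_INT"

# Verify the server certificate the way a client does: against the trust file $1
# plus any extra certificates the TLS peer sent ($2, may be empty).
# Returns 0 when the chain verifies, non-zero otherwise.
verify_leaf() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" "$WORK/leaf.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$WORK/leaf.pem" >/dev/null 2>&1
  fi
}

# Print OpenSSL's reason string for a failed verification (empty on success).
verify_reason() {
  openssl verify -CAfile "$1" "$WORK/leaf.pem" 2>&1 \
    | sed -n 's/.*\(unable to get local issuer certificate\).*/\1/p' | head -n 1
}

# 1) What the misconfigured load balancer gives the Mac client: the server
#    certificate alone, while the trust file holds only the root.
if verify_leaf "$ROOT_ONLY"; then echo "unexpected: chain verified"; exit 1; fi
echo "root only, no intermediate sent: $(verify_reason "$ROOT_ONLY")"

# 2) Resolution 1: the load balancer sends the intermediate with the server certificate.
verify_leaf "$ROOT_ONLY" "$WORK/int.pem" && echo "intermediate sent by peer: OK"

# 3) Resolution 2: the intermediate is appended to SEEMs_Cert.pem on the client.
verify_leaf "$WITH_INT" && echo "intermediate appended to trust file: OK"
```

On a live deployment, `openssl s_client -showcerts -connect see.example.com:443 -servername see.example.com </dev/null` prints every certificate the load balancer or firewall actually presents, which is the quickest way to confirm that the intermediate is missing before choosing between the two resolutions.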

After making this change, the client can check in:

Additional Information

EPG-24712