Mac FileVault Client cannot connect to Endpoint Encryption Management Server


Article ID: 225093


Products

Endpoint Encryption

Issue/Introduction

The Endpoint Encryption Mac FileVault Client cannot connect to Endpoint Encryption Management Server.

The client does not connect to Endpoint Encryption Management Server directly but through a load balancer or firewall that performs SSL offloading: the TLS session is terminated at the load balancer or firewall, which presents its own certificate chain to the client instead of passing the server's handshake through.

The client shows this error when it tries to check in to the server:

The SEEd.log file shows entries like this, reporting unable to get local issuer certificate:

2021-09-22 11:31:04.028794+0200 0x34d6     Default     0x0                  105    0    SEEd: [com.symantec.encryption.SEEd:general] Can not ping the server please check if the server is alive. SSL_ERROR_SSL
error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
unable to get local issuer certificate

Windows clients are able to connect to the Endpoint Encryption Management Server.

Cause

By default, Endpoint Encryption Management Server provides the connecting client with its server certificate and all intermediate certificate(s).

However, the load balancer or firewall that terminates the TLS connection is only providing the connecting clients with the server certificate of the Endpoint Encryption Management Server.

Without the intermediate certificate(s), the Mac FileVault Client cannot build a chain from the server certificate to the root certificate in its SEEMs_Cert.pem trust file, so verification of the Endpoint Encryption Management Server certificate fails with unable to get local issuer certificate.

For example, Endpoint Encryption Management Server might have a certificate chain like this:

  1. USERTrust RSA Certification Authority - root certificate.
  2. Sectigo RSA Domain Validation Secure Server CA - intermediate certificate.
  3. see.example.com - server certificate.

However, the load balancer or firewall is only providing this:

  1. see.example.com - server certificate.

Windows clients do not experience this issue because Windows can complete the chain itself: the intermediate certificate(s) are already in the local certificate store, or Windows fetches them from the Authority Information Access URL in the server certificate. The Mac FileVault Client does not do this; it relies on the certificates presented in the TLS handshake and those in SEEMs_Cert.pem.

Environment

Symantec Endpoint Encryption 11.3 and above.

Resolution

There are two possible resolutions to this issue:

  1. Configure the load balancer or firewall so that it serves the full chain used by Endpoint Encryption Management Server: the server certificate followed by the intermediate certificate(s). This is the preferred fix, because it also covers future certificate renewals.
  2. Add the intermediate certificate(s) to the SEEMs_Cert.pem trust file on each client.

To add the intermediate certificate(s) to each client, first confirm that this file contains only the Endpoint Encryption Management Server's root certificate (a single PEM block whose subject and issuer are the same):

/Library/Application Support/Symantec Endpoint Encryption/SEEMs_Cert.pem

Then append the intermediate certificate(s) in PEM format to the file, keeping the root certificate first. For example, if Endpoint Encryption Management Server uses one intermediate certificate, the contents of the file would be like this (root certificate followed by the intermediate certificate):

-----BEGIN CERTIFICATE-----
MIIF3jCCA8agAwIBAgIQAf1tMPyjylGoG7xkDjUDLTANBgkqhkiG9w0BAQwFADCB
<snip>
jjxDah2nGN59PRbxYvnKkKj9
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIGEzCCA/ugAwIBAgIQfVtRJrR2uhHbdBYLvFMNpzANBgkqhkiG9w0BAQwFADCB
<snip>
00u/I5sUKUErmgQfky3xxzlIPK1aEn8=
-----END CERTIFICATE-----
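The following script is an added example and is not part of the article or of the Endpoint Encryption product. It reproduces, with openssl, both the cause described above (a trust file holding only the root, and a load balancer that serves only the server certificate) and the two resolutions (intermediate served in the handshake, or intermediate appended to SEEMs_Cert.pem). All certificates are generated locally; "Demo Root CA", "Demo Intermediate CA" and "see.example.com" are constructed stand-ins for the USERTrust / Sectigo / server chain in the article, and the script assumes only that openssl (1.1.1 or later) is on the PATH.

```shell
#!/bin/sh
# Added example (not from the KB article): reproduce the chain-building failure
# and both fixes with openssl. Every certificate here is constructed locally.
set -e

# Build a three-certificate chain in the current directory:
# root.pem (self-signed) -> int.pem (intermediate) -> leaf.pem (see.example.com).
make_demo_chain() {
    # Self-signed root, standing in for USERTrust RSA Certification Authority.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > root.ext
    openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
        -subj "/CN=Demo Root CA" >/dev/null 2>&1
    openssl x509 -req -in root.csr -signkey root.key -days 30 \
        -extfile root.ext -out root.pem >/dev/null 2>&1
    # Intermediate signed by the root, standing in for Sectigo RSA DV Secure Server CA.
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > int.ext
    openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
        -subj "/CN=Demo Intermediate CA" >/dev/null 2>&1
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -days 30 -extfile int.ext -out int.pem >/dev/null 2>&1
    # Server (leaf) certificate, signed by the intermediate only.
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:see.example.com\n' > leaf.ext
    openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
        -subj "/CN=see.example.com" >/dev/null 2>&1
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
        -days 30 -extfile leaf.ext -out leaf.pem >/dev/null 2>&1
    # The client's trust file as shipped: the root certificate only.
    cp root.pem SEEMs_Cert.pem
}

# Number of PEM certificate blocks in a file (1 = root only, as the article expects).
count_pem_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# True when the first certificate in the file is self-signed (subject == issuer),
# i.e. the file starts with a root certificate. openssl x509 reads only the first block.
first_cert_is_self_signed() {
    s=$(openssl x509 -in "$1" -noout -subject)
    i=$(openssl x509 -in "$1" -noout -issuer)
    [ "${s#subject=}" = "${i#issuer=}" ]
}

# What the Mac client can do behind the SSL-offloading load balancer: it is handed
# the leaf alone and checks it against SEEMs_Cert.pem. Exit status is openssl's.
client_verify() {
    openssl verify -CAfile SEEMs_Cert.pem leaf.pem 2>&1
}

# Resolution 1: the load balancer serves the intermediate with the leaf, so the
# client can build leaf -> intermediate -> root (the intermediate is untrusted input).
client_verify_with_served_intermediate() {
    openssl verify -CAfile SEEMs_Cert.pem -untrusted int.pem leaf.pem 2>&1
}

# Resolution 2: append the intermediate to the client's trust file, root first.
append_intermediate_to_trust_file() {
    cat root.pem int.pem > SEEMs_Cert.pem
}

# Stand-alone run: reproduce the failure, then show both fixes.
WORK=$(mktemp -d)
cd "$WORK"
make_demo_chain
echo "--- leaf only, SEEMs_Cert.pem holds $(count_pem_certs SEEMs_Cert.pem) certificate (the reported failure):"
client_verify || true
echo "--- resolution 1, intermediate served by the load balancer:"
client_verify_with_served_intermediate
append_intermediate_to_trust_file
echo "--- resolution 2, SEEMs_Cert.pem now holds $(count_pem_certs SEEMs_Cert.pem) certificates:"
client_verify
```

The first verification prints the same "unable to get local issuer certificate" reason that appears in SEEd.log; the other two print "leaf.pem: OK". To see what a real load balancer serves, run `openssl s_client -connect see.example.com:443 -servername see.example.com -showcerts </dev/null` and count the BEGIN CERTIFICATE blocks in the output: one block means only the server certificate is being sent, which is the situation described under Cause. Note that resolution 2 ties the client to the current intermediate, so the appended certificate must be replaced if the server certificate is later renewed under a different intermediate.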

After making this change, the client can check in:


Additional Information

EPG-24712
