The Symantec Endpoint Encryption Mac FileVault Client cannot connect to Symantec Endpoint Encryption Management Server.
The client does not connect to Symantec Endpoint Encryption Management Server directly but through a load balancer or firewall that performs SSL offloading, that is, the TLS connection is terminated at the load balancer or firewall instead of at the server.
The client shows this error when it tries to check in to the server:
The SEEd.log file shows entries like these, referring to "unable to get local issuer certificate":
2021-09-22 11:31:04.028794+0200 0x34d6 Default 0x0 105 0 SEEd: [com.symantec.encryption.SEEd:general] Can not ping the server please check if the server is alive. SSL_ERROR_SSL
error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
unable to get local issuer certificate
Windows clients are able to connect to the Symantec Endpoint Encryption Management Server.
Symantec Endpoint Encryption 11.3 and above.
By default, Symantec Endpoint Encryption Management Server provides the connecting client with its server certificate and all intermediate certificate(s).
However, the load balancer or firewall that terminates the TLS connection provides the connecting clients with only the server certificate of the Symantec Endpoint Encryption Management Server, without the intermediate certificate(s).
Without the intermediate certificate(s), the Symantec Mac FileVault Client cannot build the chain from the server certificate to the root certificate it trusts, so it is unable to verify the server certificate of the Symantec Endpoint Encryption Management Server.
For example, Symantec Endpoint Encryption Management Server might have a certificate chain like this:
However, the load balancer or firewall is only providing this:
If Windows clients do not experience this issue, it is because the intermediate certificate(s) are in their local certificate store.
There are two possible resolutions to this issue:
To add the intermediate certificate(s) to each client, first confirm that this file contains only the Symantec Endpoint Encryption Management Server's root certificate:
/Library/Application Support/Symantec Endpoint Encryption/SEEMs_Cert.pem
Then append the intermediate certificate(s) to the file. For example, if Symantec Endpoint Encryption Management Server uses one intermediate certificate, the contents of the file would be like this:
-----BEGIN CERTIFICATE-----
MIIF3jCCA8agAwIBAgIQAf1tMPyjylGoG7xkDjUDLTANBgkqhkiG9w0BAQwFADCB
<snip>
jjxDah2nGN59PRbxYvnKkKj9
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIGEzCCA/ugAwIBAgIQfVtRJrR2uhHbdBYLvFMNpzANBgkqhkiG9w0BAQwFADCB
<snip>
00u/I5sUKUErmgQfky3xxzlIPK1aEn8=
-----END CERTIFICATE-----
After making this change, the client can check in:
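The following is an added example, not Symantec's code: it builds a disposable root, intermediate and server certificate chain with the openssl CLI, then verifies the server certificate against a trust file that holds only the root (the state the article says to confirm in SEEMs_Cert.pem) and again after the intermediate is appended, as the fix above prescribes. It assumes openssl 1.1.1 or later is on PATH; all names and certificates are constructed here.

```shell
# Added example (not Symantec's code): build a disposable root -> intermediate
# -> leaf chain with the openssl CLI, then verify the leaf against a trust file
# that holds only the root (the default SEEMs_Cert.pem) and again after the
# intermediate is appended, as this article instructs. Assumes openssl 1.1.1+.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed extension files: issuers are CA:TRUE, the server leaf is not.
printf 'basicConstraints=critical,CA:TRUE\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\n' > "$WORK/leaf.ext"

# issue_cert NAME CN ISSUER EXTFILE; ISSUER is "self" for the self-signed root.
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  if [ "$3" = self ]; then
    openssl x509 -req -days 30 -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
      -extfile "$WORK/$4" -out "$WORK/$1.pem" 2>/dev/null
  else
    openssl x509 -req -days 30 -in "$WORK/$1.csr" -CA "$WORK/$3.pem" \
      -CAkey "$WORK/$3.key" -CAcreateserial -extfile "$WORK/$4" \
      -out "$WORK/$1.pem" 2>/dev/null
  fi
}

# Number of PEM certificates in a bundle (a trust file or a served chain).
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# openssl's verdict for LEAF against the trust bundle CAFILE, as text.
verify_leaf() { openssl verify -CAfile "$1" "$2" 2>&1 || true; }

issue_cert root "Example Root CA" self ca.ext
issue_cert int "Example Intermediate CA" root ca.ext
issue_cert leaf "seems.example.invalid" int leaf.ext

# Trust file with only the root: the state the article says to confirm first.
cp "$WORK/root.pem" "$WORK/trust.pem"
BEFORE=$(verify_leaf "$WORK/trust.pem" "$WORK/leaf.pem")
# Append the intermediate, as the fix prescribes, and verify again.
cat "$WORK/int.pem" >> "$WORK/trust.pem"
AFTER=$(verify_leaf "$WORK/trust.pem" "$WORK/leaf.pem")

echo "root only: $BEFORE"
echo "root + intermediate: $AFTER"
```

The first verdict carries the same "unable to get local issuer certificate" text seen in SEEd.log; the second reports OK once the trust file holds two certificates.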
EPG-24712