Login failures and unexpected server errors after upgrading the Endpoint Protection Manager to 14.3 RU8.

Article ID: 273159

Products

Endpoint Protection

Issue/Introduction

After upgrading the Endpoint Protection Manager (SEPM) to 14.3 RU8, logins fail with the following error: 

"Your server certificate is not valid because the computer hostname or IP address changed.  You need to use a valid hostname or IP address that matches your server certificate to log on Symantec Endpoint Protection Manager." 

In addition, the following error may be seen in the scm-server-0.log:

2023-09-05 14:38:05.177 THREAD 72 SEVERE:  in: com.sygate.scm.server.task.SecurityAlertNotifyTask
javax.net.ssl.SSLHandshakeException: No subject alternative DNS name matching sepm found.
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:360)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:303)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:298)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369)
...
com.sygate.scm.common.communicate.CommunicationException: <html>Your server certificate is not valid because the computer hostname or IP address changed. <br><br>You need to use a valid hostname or IP address that matches your server certificate to log on Symantec Endpoint Protection Manager.<br><br><u><a href="http://ced.broadcom.com/entt?product=sep&version=14.3.8000&language=english&module=doc&error=certificate_reject&build=symantec_ent">Learn more</a></u>.</html> ErrorCode: 0x12910000

Environment

14.3 RU8 or later
A server certificate that is valid only for the fully qualified domain name (FQDN) of the server (for example, a certificate issued by a public certificate authority).

Cause

As of 14.3 RU8, the Symantec Endpoint Protection Manager (SEPM) verifies whether the computer host name or IP address matches what is listed in the certificate. If the new host name or IP address does not match, the SEPM blocks you from logging on.

Resolution

For situations where the certificate is only valid for the FQDN, you will need to do the following: 

1.  Verify whether the SEPM is currently configured to use the FQDN. You can do this by checking the value of scm.server.name in the conf.properties configuration file (e.g. C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\etc\conf.properties).

     If the SEPM is not currently using the FQDN, you will need to run the Management Server Configuration Wizard and change the server name to the FQDN. Be sure to uncheck the recovery file when running the wizard; otherwise, you will not be able to edit the server name.

2.  You will need to specify the FQDN when logging in to the SEPM console (e.g. <FQDN>:8443).
    
     If you would like to change the default server name listed when launching the local console, add the following to the end of sesm.bat (C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\bin\sesm.bat):

     -s <fqdn>:8443

     For example:

@set PATH=%WINDIR%\System32

@start "SESM" "C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\jre11\bin\javaw.exe" --module-path="C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\webapps\ROOT\clientpkg\jmods" --add-modules=javafx.base,javafx.controls,javafx.graphics,javafx.swing,javafx.web --add-opens java.security.jgss/sun.security.jgss=java.base --add-opens java.security.sasl/com.sun.security.sasl=java.base --add-opens java.xml.crypto/org.jcp.xml.dsig.internal.dom=java.base --add-opens java.smartcardio/sun.security.smartcardio=java.base --add-opens jdk.crypto.mscapi/sun.security.mscapi=java.base -Dprism.order=sw -Xms1024m -Xmx2048m -XX:MinHeapFreeRatio=40 -XX:MaxHeapFreeRatio=70 -XX:NewRatio=15 -Djavax.net.ssl.trustStoreType=WINDOWS-ROOT -Djdk.net.allowAmbiguousIPAddressLiterals=true -Djava.locale.providers=COMPAT -Dcatalina.home="C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat" -Dscm.console.conf="C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\etc\conf.properties" -Dsun.locale.formatasdefault=true -Djdk.net.allowAmbiguousIPAddressLiterals=true -cp "C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\webapps\ROOT\clientpkg\scm-ui.jar;C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\jre11\lib\*" com.sygate.scm.console.ConsoleMain %* -s sepm.example.com:8443
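
The check in step 1 can be scripted. The following PowerShell is an added example, not Broadcom's code: it compares scm.server.name with the DNS names in the certificate served on port 8443. The function names are hypothetical, the sample values are constructed, and only DNS-type subjectAltName entries are compared (IP address entries are not).

```powershell
# Requires Windows PowerShell 5+ (for ::new). Assumes an English-locale Windows,
# where the SAN extension formats its entries as "DNS Name=<host>".
function Get-ScmServerName([string[]]$Lines) {
    # conf.properties is key=value text; return the scm.server.name value.
    foreach ($line in $Lines) {
        if ($line -match '^\s*scm\.server\.name\s*=\s*(.+?)\s*$') { return $Matches[1] }
    }
    throw 'scm.server.name not found'
}

function Get-TlsCertDnsNames([string]$HostName, [int]$Port = 8443) {
    # Read the certificate presented on the console port without trusting it.
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $acceptAny)
        $ssl.AuthenticateAsClient($HostName, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    } finally { $tcp.Close() }
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }  # subjectAltName
    if (-not $san) { return @() }
    [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
        ForEach-Object { $_.Groups[1].Value }
}

function Test-NameCovered([string]$Name, [string[]]$DnsNames) {
    foreach ($san in $DnsNames) {
        if ($san -ieq $Name) { return $true }
        # A wildcard stands for exactly one left-most label.
        if ($san.StartsWith('*.') -and $Name.Contains('.') -and
            ($Name.Substring($Name.IndexOf('.')) -ieq $san.Substring(1))) { return $true }
    }
    return $false
}

# Constructed sample: conf.properties holds the short name, the certificate
# lists only the FQDN (the situation described in this article).
$sampleConf = @('some.other.key=value', 'scm.server.name=sepm')
$sampleSans = @('sepm.example.com')
$name = Get-ScmServerName $sampleConf
'{0} covered by certificate: {1}' -f $name, (Test-NameCovered $name $sampleSans)

# On a real management server (hypothetical usage of the functions above):
#   $name = Get-ScmServerName (Get-Content '<path to conf.properties from step 1>')
#   Test-NameCovered $name (Get-TlsCertDnsNames $name)
```

A result of False before the upgrade indicates that logins will be rejected after moving to 14.3 RU8 unless the server name is changed to a name listed in the certificate.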

Additional Information

CRE-15516

Error: "Your server certificate is not valid because the computer hostname or IP address changed" (14.3 RU8 or later)