After replacing LUA certificate with corporate CA signed certificate Linux systems do not update definitions.

Article ID: 371927

Products

Endpoint Security Endpoint Protection

Issue/Introduction

Linux systems can't update definitions if LUA uses a corporate CA-signed certificate.

Lux.log shows:

11:51:50.706775 [Inventory Synchronization - END]
11:51:50.706822 [Server Selection - START]
11:51:50.760190     Result Code: 0x80010830
11:51:50.760275     Result Message: FAIL - failed to select server
11:51:50.760332     [Server - START]
11:51:50.760394         Host ID: {7007012E-74AA-45E5-A6D2-82EF7A14F59B}
11:51:50.760443         Status Code: 1
11:51:50.760489         Status Message: Server was not selected
11:51:50.760540         Transport Return Code: 0x80010731
11:51:50.760586         Transport Return Message: FAIL - download failed
11:51:50.760631         Protocol: HTTPS
11:51:50.760675         Hostname: <name_or_IP_of LUA_Server>
11:51:50.760722         Port: 7073
11:51:50.760769         Path: /clu-prod
11:51:50.760814         Username: ********
11:51:50.760858         Password: ********
11:51:50.760902         Proxy ID: {00000000-0000-0000-0000-000000000000}
11:51:50.760946         Proxy Bypass: false
11:51:50.760990     [Server - END]

Wireshark capture shows:

Environment

LUA is configured with a corporate CA-signed certificate, and Linux systems are configured to download updates from this LUA server.

Cause

Linux systems need to validate the root certificate that signed the LUA certificate. In the default configuration, Linux systems have public CAs in their trusted CA store, but not the corporate CA.

 

Resolution

  • For RHEL-based systems, add the root CA certificate to the system trusted CA certificates in /etc/pki/tls/certs/ca-bundle.crt.
    • convert the root certificate to PEM format
    • put the file in /etc/pki/ca-trust/source/anchors
    • run: update-ca-trust extract
    • verify that the certificate appears in the file: cat /etc/pki/tls/certs/ca-bundle.crt | grep '# '
  • For other Linux systems, manually create a file that contains the root certificate. This is because lux does not check the system CA store but has a hard-coded check of /etc/pki/tls/certs/ca-bundle.crt.
    • go to the pki directory: cd /etc/pki/
    • create the tls/certs directory: mkdir -p tls/certs
    • if you have a working RHEL system, copy the /etc/pki/tls/certs/ca-bundle.crt file from it to /etc/pki/tls/certs/ca-bundle.crt on the SUSE system; otherwise create the file yourself and put the root CA certificate in it.
    • restart the SEP client: /usr/lib/symantec/start.sh
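
A check for the verification step above, as an added example that is not part of the original article or of the product's tooling: it compares the certificate body of the corporate root CA against every certificate in the bundle file lux reads, so it also works on a manually created bundle that has no '# ' comment lines. The function names (pem_bodies, ca_in_bundle, make_samples) are hypothetical, and the sample certificate bodies are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example: is the corporate root CA in the bundle file that lux reads?
BUNDLE_DEFAULT=/etc/pki/tls/certs/ca-bundle.crt   # path named in the article

# Print one line per certificate in a PEM file: its base64 body with
# line breaks, carriage returns and spaces removed.
pem_bodies() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { inside = 1; body = ""; next }
        /-----END CERTIFICATE-----/   { if (inside) print body; inside = 0; next }
        inside { gsub(/[ \t\r]/, ""); body = body $0 }
    ' "$1"
}

# ca_in_bundle ROOT_PEM [BUNDLE]
# 0 = first certificate of ROOT_PEM is in BUNDLE, 1 = missing,
# 2 = unreadable file, or ROOT_PEM is not PEM (e.g. still DER: convert it first).
ca_in_bundle() {
    root=$1
    bundle=${2:-$BUNDLE_DEFAULT}
    [ -r "$root" ] && [ -r "$bundle" ] || return 2
    want=$(pem_bodies "$root" | sed -n 1p)
    [ -n "$want" ] || return 2
    pem_bodies "$bundle" | grep -Fx -- "$want" >/dev/null
}

# Constructed sample data: placeholder base64, not real certificates.
make_samples() {
    dir=$1
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09SUE9SQVRFUk9PVENB' \
        'Q09OU1RSVUNURUQ=' '-----END CERTIFICATE-----' > "$dir/corp-root.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'UFVCTElDQ0FDT05TVFJVQ1RFRA==' \
        '-----END CERTIFICATE-----' > "$dir/public-only.crt"
    # Same corporate root, but with CRLF line endings and different wrapping.
    { cat "$dir/public-only.crt"
      printf '%s\r\n' '-----BEGIN CERTIFICATE-----' 'Q09SUE9SQVRF' \
          'Uk9PVENBQ09OU1RSVUNURUQ=' '-----END CERTIFICATE-----'
    } > "$dir/with-corp.crt"
    printf 'binary-der-placeholder' > "$dir/corp-root.der"
}

# Usage: sh check-bundle.sh corp-root.pem [bundle]
if [ "$#" -ge 1 ]; then
    if ca_in_bundle "$@"; then echo "root CA found in bundle"
    else echo "root CA not found (or input unreadable / not PEM)"; fi
fi
```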