DLP 16.x Endpoint Agent fails to connect with Libcurl Error: 60



Article ID: 389391


Products

Data Loss Prevention, Data Loss Prevention Discover Suite, Data Loss Prevention Endpoint Discover, Data Loss Prevention Endpoint Prevent, Data Loss Prevention Endpoint Suite, Data Loss Prevention Enforce, Data Loss Prevention Enterprise Suite, Data Loss Prevention Network Discover

Issue/Introduction

After installing a new DLP 16.x Endpoint Agent, the agent fails to appear in the Enforce Console.
The following errors appear in edpa0.log on the workstation:

"Libcurl Error: '60'. Error Message: SSL peer certificate or SSH remote key was not OK. Last Error String: SSL certificate problem: self-signed certificate in certificate chain"
"Libcurl Debug Trace: SSL certificate problem: self-signed certificate in certificate chain"


Troubleshooting:

  1. Confirm whether the default certificates are set both for the Endpoint Detection Server and for the Agent package that was built.
    1. For the Endpoint Detection Server:
      In the Enforce Console, navigate to System > Servers and Detectors > Overview > select the Endpoint Detection Server > Configure > Certificate Configuration

    2. For the Endpoint Agent: which certificate was selected when the Agent was built under Enforce Console > System > Agents > Agent Packaging?

  2. Nslookup, ping, and telnet from the Endpoint Agent to the Endpoint Server succeed, so this is not a basic connectivity problem. Libcurl error 60 (CURLE_PEER_FAILED_VERIFICATION) is a TLS certificate verification failure, which is only raised after the TCP connection has been established.
  3. The Endpoint Agent edpa logs show successful "hello" handshakes to and from the Endpoint Detection Server.
  4. Compare the Enforce Server, Endpoint Server, and Agent certificates:
    1. The Enforce and Agent certificates match.
    2. The Endpoint Server certificate does not match the Enforce Server certificate.

Environment

Symantec Data Loss Prevention 16.0 GA
Using Default DLP Certificates. No custom certificates.

Cause

After upgrading the environment to DLP 16.0 GA, the Endpoint Detection Server certificate failed to update to match the new Enforce certificate. The Detection Server still shows as connected and running in the Enforce Console, but new DLP 16.x agents cannot connect: the agent's truststore contains the new Enforce certificate authority, while the certificate the Detection Server presents on port 10443 chains to a different authority, so the agent correctly rejects it as "self-signed certificate in certificate chain".

Resolution

  1. Confirm with your network team that SSL intercept is not in use on the network. A TLS-inspecting proxy re-signs the server certificate with its own CA, which the agent's truststore does not contain and which produces this same libcurl error 60; the correct fix in that case is to exempt agent-to-Endpoint-Server traffic from interception, not to weaken the agent's certificate verification.
  2. Compare the certificate details between the Enforce Server, Endpoint Detection Server and the DLP Agent Install Package.
    1. Confirm the Enforce certificate name.
      • In the Enforce Console, the certificate name can be found by navigating to System > Settings > General > Endpoint and Network Discover Communication Settings.
    2. The Enforce certificate can be found locally on the Enforce Server in the following directory:
      • Windows: <Install Dir>\ProgramData\Symantec\DataLossPrevention\EnforceServer\16.xxxxx\keystore
      • Default certificate name if the environment was updated to DLP 16.x is: certificate_authority_v1.jks
    3. Compare the "endpoint_truststore.pem" from the Agent Package to the Enforce Server "certificate_authority_v1.jks" keystore (the Enforce file from steps 1 and 2 above).
      • You can do this by comparing the fingerprints of the two certificates; they should be identical.
    4. Next confirm that the "endpoint_cert.pem" from the Agent Package was signed by the appropriate authority.
      • You can do this by comparing the "AuthorityKeyIdentifier" from endpoint_cert.pem to the "SubjectKeyIdentifier" from endpoint_truststore.pem (or from the Enforce Server "certificate_authority_v1.jks", as this should be identical to endpoint_truststore.pem). The AuthorityKeyIdentifier from endpoint_cert.pem should match the SubjectKeyIdentifier from endpoint_truststore.pem.
    5. Next confirm that the Endpoint Detection Server certificate is signed by the same authority. This is what allows the agent to trust the server and the server to trust the endpoint certificates.
      • This can be done by comparing the "AuthorityKeyIdentifier" from the Endpoint Detection Server certificate to the "SubjectKeyIdentifier" from the Enforce Server certificate_authority_v1.jks. These should be identical.
      • Note that the AuthorityKeyIdentifier in the Agent Package endpoint_cert.pem and in the Endpoint Detection Server certificate should be the same: both must be signed by the same authority in order to trust each other. A Detection Server certificate whose AuthorityKeyIdentifier points to a different authority is exactly what the agent reports as "self-signed certificate in certificate chain".
      • You can collect a copy of the Endpoint Detection Server certificate by connecting to the Endpoint Detection Server's IP address and port in a URL. The default port is 10443.

        Example: https://xxx.xx.xxx.xx:10443
  3. If the Endpoint Detection Server certificate does not match the Enforce Server certificate, then the Endpoint Detection Server certificate needs to be updated
    1.  In the Enforce Console, navigate to System > Servers and Detectors > Overview
    2. Delete the target Endpoint Detection Server. Select the red 'x' on the right side of the page.
    3. Re-add the Endpoint Detection Server. On the System > Servers and Detectors > Overview page, select "Add Server" > Software Server > Select "Endpoint Prevent" as the type > fill out the "Server Name" and "Host Name". These can match the previous settings the server had before it was deleted.
    4. Save your settings.
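The comparisons in Troubleshooting step 4 and Resolution step 2 (fingerprint of the agent truststore against the Enforce CA, AuthorityKeyIdentifier of endpoint_cert.pem and of the Detection Server certificate against the CA's SubjectKeyIdentifier) can be scripted with the openssl command line. The script below is an added example and is not part of this article or of the DLP product. It assumes the openssl CLI is installed; the certificates it checks are constructed on the fly (one CA standing in for the current Enforce CA, a leaf it issued standing in for endpoint_cert.pem, and a second CA standing in for the stale authority a not-updated Detection Server would chain to) so that it runs offline. The fetch_server_cert function and the 10.0.0.5 address in its usage comment are illustrative and are not run; for a real check, replace the constructed files with endpoint_truststore.pem, endpoint_cert.pem and the certificate fetched from your Detection Server on port 10443, and export the CA from certificate_authority_v1.jks with keytool (certificates.bat mentioned below does this) before passing it to these functions.

```shell
#!/usr/bin/env bash
# Added example (not from the Broadcom article or the DLP product): compare
# certificates by SHA-256 fingerprint and by AuthorityKeyIdentifier /
# SubjectKeyIdentifier the way Resolution step 2 describes.
# All certificate material is CONSTRUCTED here so the script runs offline.
set -e

# SHA-256 fingerprint of a PEM certificate (comparable to keytool -list -v output).
fingerprint_of() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Hex value of the X509v3 Subject Key Identifier extension.
ski_of() {
  openssl x509 -in "$1" -noout -text \
    | awk '/X509v3 Subject Key Identifier/ { getline; print; exit }' \
    | grep -oE '([0-9A-F]{2}:)+[0-9A-F]{2}'
}

# Hex value of the X509v3 Authority Key Identifier extension (keyid form).
aki_of() {
  openssl x509 -in "$1" -noout -text \
    | awk '/X509v3 Authority Key Identifier/ { getline; print; exit }' \
    | grep -oE '([0-9A-F]{2}:)+[0-9A-F]{2}'
}

# Returns 0 when the leaf's AKI equals the CA's SKI, i.e. the leaf was issued by
# that CA. Use it for endpoint_cert.pem and for the Detection Server certificate
# against the CA exported from certificate_authority_v1.jks.
issued_by() {
  local aki ski
  aki=$(aki_of "$1") || return 2
  ski=$(ski_of "$2") || return 2
  [ -n "$aki" ] && [ "$aki" = "$ski" ]
}

# Save the certificate the Endpoint Detection Server presents (default port 10443).
# Not exercised offline. Illustrative usage: fetch_server_cert 10.0.0.5 10443 server.pem
fetch_server_cert() {
  openssl s_client -connect "$1:$2" -showcerts </dev/null 2>/dev/null \
    | openssl x509 -out "$3"
}

# Constructed material: "ca" plays the current Enforce CA, "stale_ca" the old
# authority a not-updated Detection Server would still chain to, and
# endpoint_cert.pem a leaf issued by the current CA.
make_constructed_certs() {
  local d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' > "$d/leaf.ext"
  for ca in ca stale_ca; do
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/$ca.key" 2>/dev/null
    openssl req -new -batch -key "$d/$ca.key" -subj "/CN=Constructed $ca" -out "$d/$ca.csr" 2>/dev/null
    openssl x509 -req -in "$d/$ca.csr" -signkey "$d/$ca.key" -days 2 -sha256 \
      -extfile "$d/ca.ext" -out "$d/$ca.pem" 2>/dev/null
  done
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/leaf.key" 2>/dev/null
  openssl req -new -batch -key "$d/leaf.key" -subj "/CN=constructed-endpoint" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
    -days 2 -sha256 -extfile "$d/leaf.ext" -out "$d/endpoint_cert.pem" 2>/dev/null
}

WORK=$(mktemp -d)
make_constructed_certs "$WORK"
echo "truststore CA fingerprint : $(fingerprint_of "$WORK/ca.pem")"
echo "truststore CA SKI         : $(ski_of "$WORK/ca.pem")"
echo "endpoint_cert AKI         : $(aki_of "$WORK/endpoint_cert.pem")"
if issued_by "$WORK/endpoint_cert.pem" "$WORK/ca.pem"; then
  echo "endpoint_cert.pem chains to the truststore CA: OK"
fi
if ! issued_by "$WORK/endpoint_cert.pem" "$WORK/stale_ca.pem"; then
  echo "endpoint_cert.pem does NOT chain to the stale CA: this mismatch is what libcurl reports as error 60"
fi
```

When the Detection Server certificate fetched from port 10443 fails issued_by against the CA from the agent package while endpoint_cert.pem passes, you have confirmed the cause described above and the server certificate, not the agent package, needs to be regenerated (Resolution step 3).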

Additional Information

The certificates.bat script from the article "Example Script to automate keytool commands" can be used to extract the certificate data from the keystore into a viewable format.