Products & Services
Tuotteet ja palvelut
Produkte und Dienstleistungen
Produits et services
Produkter och tjänster
2022-01-31 10:03:29.554 [0944.42a0] I: Checking for updates from https://F-secure.dist.local:443/guts2
2022-01-31 10:03:29.602 [0944.42a0] I: Update check failed, error=216 (untrusted root ca)
We would propose to try these workaround one by one and check if it helps.
1. Check the client device system date and time
2. Restart the client device and try to reproduce the issue
3. Adding needed CA certificate:
a) There may be some problems adding the needed certificate from third party Root Certification Authorities store. F-Secure currently uses the Digicert Root CA.
You can try to install the certificate manually from here
b) If you are using a third-party Certificate Authority (e.g. Starfield, GlobalSign), ensure this certificates are valid and installed in the host.
c) If choosing the local machine (all users) option doesn't fix it, try to add the certificate to the user's profile option instead.
d) DNS can also be the reason, so try using Google DNS 18.104.22.168 (and 22.214.171.124) and see if it solves the issue. You can check this by using ping to guts2.sp.f-secure.com if it times out, change to Google DNS.
Also the installation can fail in multiple ways if you have the Enabled the "Turn off Automatic Root Certificate Update" and don't have the latest root certificates available.
This problem can be fixed by enabling the automatic root certificate updates via Group Policy: Computer Configuration / Administrative Templates / System / Internet Communication Management / Internet Communication settings / Turn off Automatic Root Certificate Update, which need to be set as Not Configured or Disabled.
Note: The name of the feature starts with "Turn off" so when it is enabled, it prevents the Windows from automatically downloading the needed new root certificates.
We get this warning against our internal Policy Server - updates from F-Secure (as fall back allowed) are working.
So the mentioned steps do not work for us
I have a ticket opend # and also provides a FSDiag from my client system.
Also the F-Secure Server Security on the Policy Manager Server throws the same error message (Untrusted root CA) when searching for updates against the internal Policy Server.
Note: Clients & Servers receive their policy settings without any problems - only update check is not successful
we are facing the same problem:
"2022-03-18 10:17:47.515 [1f2c.0344] I: Checking for updates from https : //de-do-admin2.ads.wilo.de : 443 / guts2
2022-03-18 10:17:50.671 [1f2c.0344] I: Update check failed, error=216 (untrusted root ca)"
We are using our internal CA, which all internal clients and servers trust (windows devcie certificate store - trusted root ca).
Web-Reporting by Edge, F-Secure Console have no problem with this certificate but it seems, new policy setting "Use HTTPS to download updates (15.x hosts only) is not correctly implemented on V15 installations?!
Do Clients/Servers use their own lists of tusted Root CAs?
All documentation i found for using our own certificates mention changes just on Policy Manager Server, but not on any F-Secure on clients/servers?!
You can delete the SCEP certificates from fspms-ca.jks to fix the issue.
For Policy Manager installed on a Linux host: :
For Policy Manager installed on a Windows host:
Once the steps above are completed, the definition updates should work as expected.