To stay updated on your favorite discussions, please create an account or log in. Then, click the Bookmark icon to subscribe and receive notifications.

FSPMC 15.30 Clients can't update (untrusted root ca)

cajkod
cajkod W/ Alumni Posts: 14 Security Scout
edited January 2023 in WithSecure Business Suite

2022-01-31 10:03:29.554 [0944.42a0]  I: Checking for updates from https://F-secure.dist.local:443/guts2

2022-01-31 10:03:29.602 [0944.42a0] I: Update check failed, error=216 (untrusted root ca)




Answers

  • MonikaL
    MonikaL W/ Alumni Posts: 206 W/ Former Staff

    Hi,

    We would propose to try these workaround one by one and check if it helps.

    1. Check the client device system date and time

    2. Restart the client device and try to reproduce the issue

    3. Adding needed CA certificate: 


    a) There may be some problems adding the needed certificate from third party Root Certification Authorities store. F-Secure currently uses the Digicert Root CA.

    You can try to install the certificate manually from here


    b) If you are using a third-party Certificate Authority (e.g. Starfield, GlobalSign), ensure this certificates are valid and installed in the host.


    c) If choosing the local machine (all users) option doesn't fix it, try to add the certificate to the user's profile option instead.


    d) DNS can also be the reason, so try using Google DNS 8.8.8.8 (and 8.8.4.4) and see if it solves the issue. You can check this by using ping to guts2.sp.f-secure.com if it times out, change to Google DNS.


    Also the installation can fail in multiple ways if you have the Enabled the "Turn off Automatic Root Certificate Update" and don't have the latest root certificates available.


    This problem can be fixed by enabling the automatic root certificate updates via Group Policy: Computer Configuration / Administrative Templates / System / Internet Communication Management / Internet Communication settings / Turn off Automatic Root Certificate Update, which need to be set as Not Configured or Disabled.


    Note: The name of the feature starts with "Turn off" so when it is enabled, it prevents the Windows from automatically downloading the needed new root certificates.

  • RobKlar
    RobKlar W/ Alumni Posts: 2 Security Scout

    We get this warning against our internal Policy Server - updates from F-Secure (as fall back allowed) are working.

    So the mentioned steps do not work for us

    I have a ticket opend # and also provides a FSDiag from my client system.

    Also the F-Secure Server Security on the Policy Manager Server throws the same error message (Untrusted root CA) when searching for updates against the internal Policy Server.

  • RobKlar
    RobKlar W/ Alumni Posts: 2 Security Scout

    Note: Clients & Servers receive their policy settings without any problems - only update check is not successful

  • ksam
    ksam W/ Alumni Posts: 1 Security Scout

    Hi, 

    we are facing the same problem:

    "2022-03-18 10:17:47.515 [1f2c.0344] I: Checking for updates from https : //de-do-admin2.ads.wilo.de : 443 / guts2

    2022-03-18 10:17:50.671 [1f2c.0344] I: Update check failed, error=216 (untrusted root ca)"

    We are using our internal CA, which all internal clients and servers trust (windows devcie certificate store - trusted root ca).

    Web-Reporting by Edge, F-Secure Console have no problem with this certificate but it seems, new policy setting "Use HTTPS to download updates (15.x hosts only) is not correctly implemented on V15 installations?!

    Do Clients/Servers use their own lists of tusted Root CAs?

    All documentation i found for using our own certificates mention changes just on Policy Manager Server, but not on any F-Secure on clients/servers?!


    Best regards,

    Klaus

  • MonikaL
    MonikaL W/ Alumni Posts: 206 W/ Former Staff

    Hi,

    You can delete the SCEP certificates from fspms-ca.jks to fix the issue.


    For Policy Manager installed on a Linux host: :

    1. Stop the F-Secure Policy Manager service
    2. Delete the fspms.jks file
    3. Run the following command folder under data folder (/var/opt/f-secure/fspms/data/)
    • /opt/f-secure/fspms/jre/bin/keytool -delete -alias fspm-ra-encryption -keystore fspms-ca.jks
    • /opt/f-secure/fspms/jre/bin/keytool -delete -alias fspm-ra-signing -keystore fspms-ca.jks
    1. Start F-Secure Policy Manager service
    2. On the Policy Manager Proxy machine, run the fspmp-enroll-tls-certificate script from /opt/f-secure/fspms/bin/ 

    For Policy Manager installed on a Windows host:

    1. Stop the F-Secure Policy Manager Server service from services.msc > F-Secure Policy Manager Server
    2. Delete the fspms.jks in <Installation folder>\F-Secure\Management Server 5\data)  Note: Make a backup of this file
    3. Launch Command Prompt as administrator
    4. Navigate to \F-Secure\Management Server 5\jre\bin\ folder in the Command Prompt
    5. Run the following command:
    • "C:\Program Files (x86)\F-Secure\Management Server 5\jre\bin\keytool.exe" -delete -alias fspm-ra-encryption -keystore fspms-ca.jks
    • "C:\Program Files (x86)\F-Secure\Management Server 5\jre\bin\keytool.exe" -delete -alias fspm-ra-signing -keystore fspms-ca.jks 
    1. Start the F-Secure Policy Manager Server service from services.msc
    2. Upon launching the Policy Manager Console, you will be prompted to accept the new certificate. You can click Accept to continue
    3. Run the fspmp-enrol- tls-certificate.bat script on the Policy Manager Proxy machine.
    • (...\F-Secure\Management Server 5\bin\fspmp-enroll-tls-certificate.bat)

    Once the steps above are completed, the definition updates should work as expected. 

This discussion has been closed.