
My PMS server cannot download updates from WS servers after having renewed a third-party SSL certificate

SecurMander
SecurMander Member Posts: 18 Security Scout
edited December 16 in Business Suite

Hi,

My Policy Manager Server (v.16.03) cannot communicate with WithSecure's servers anymore after having renewed a third-party SSL certificate.

I have 2 Debian-based servers for PMS and PMSP (normal mode). I have used a third-party SSL certificate for years, but after the latest renewal the PMS and PMSP cannot communicate with WS servers anymore. Clients cannot communicate anymore with the PMS and PMSP servers.

When I look at the fspms-download-ws-updates.log, it seems like the connection is OK, with the messages:

[wsDownloadUpdatesLog] - Connected to url="https://guts2.fsapi.com/q" successfully without a proxy
[wsDownloadUpdatesLog] - Update check completed successfully

No update is downloaded in any case.

On the client side I have the error 216 'untrusted root CA'. So this confirms a certificate problem.

Let's focus on the PMS server for the moment. This is how I usually set up my third-party SSL certificate:

  1. Get my certificate-only .cer file
  2. Get my intermediate/root-only .cer file
  3. I delete the root part of the intermediate/root cert, usually the last rows
  4. I get the p12 file: openssl pkcs12 -export -out fspms.p12 -inkey fspms.key -in fspms.cer -certfile myserver_at_mydomain_interm.cer -name "fspms"
  5. I move the fspms.p12 to the fspms.jks folder
  6. I import the new trusted certificate: /opt/f-secure/fspms/jre/bin/keytool -importkeystore -destkeystore fspms.jks -deststorepass superPASSWORD -destalias fspms -destkeypass superPASSWORD -srckeystore fspms.p12 -srcstoretype PKCS12 -srcstorepass srcpassword -srcalias fspms
  7. Migrate to PKCS12: /opt/f-secure/fspms/jre/bin/keytool -importkeystore -srckeystore fspms.jks -destkeystore fspms.jks -deststoretype pkcs12
  8. Restart fspms: systemctl restart fspms
  9. The web test is OK and the SSL certificate is installed, but clients fail to update from my PMS and my PMS fails to update from WS servers (still error 216).

The "/opt/f-secure/fspms/jre/bin/keytool -list -v -keystore fspms.jks" command shows me the 3 certificates (MyServerCertificate, 1st intermediate cert, 2nd intermediate cert). So it seems like it's OK here?

I actually use the self-signed certificate to get things working, but I'd like to find a solution for my third-party SSL certificate.

Could you help me find where the mistake has been made, please?

Thanks.
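The following is an added example, not code from the thread or from WithSecure. It reproduces step 4 of the procedure above on a constructed root -> intermediate -> leaf PKI, once with and once without the intermediate, and checks each .p12 with openssl only (no keytool) for a complete chain before anything is imported into fspms.jks. All names, passwords and the CA are constructed for the example; the poster's own keystore already lists three certificates, so this is the pre-import check, not a diagnosis of their case.

```shell
#!/bin/sh
# Added example, not from the thread or from WithSecure: build a constructed
# root -> intermediate -> leaf PKI, package leaf + intermediate into a .p12 as in
# step 4 of the post (root deliberately left out), and check the bundle's chain
# the way a client would.  Names, passwords and the CA are all constructed.
set -eu
WORK=$(mktemp -d); PASS=constructedP12pass

# Constructed test PKI.  The intermediate must carry CA:TRUE to sign the leaf.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Constructed Root" \
  -keyout "$WORK/root.key" -out "$WORK/root.cer" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' >"$WORK/ca.ext"
openssl req -newkey rsa:2048 -nodes -subj "/CN=Constructed Intermediate" \
  -keyout "$WORK/interm.key" -out "$WORK/interm.csr" 2>/dev/null
openssl x509 -req -in "$WORK/interm.csr" -CA "$WORK/root.cer" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 30 -extfile "$WORK/ca.ext" -out "$WORK/interm.cer" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=fspms.example.test" \
  -keyout "$WORK/fspms.key" -out "$WORK/fspms.csr" 2>/dev/null
openssl x509 -req -in "$WORK/fspms.csr" -CA "$WORK/interm.cer" -CAkey "$WORK/interm.key" \
  -CAcreateserial -days 30 -out "$WORK/fspms.cer" 2>/dev/null

# Step 4 of the post: leaf + key + intermediate, no root.
openssl pkcs12 -export -out "$WORK/fspms.p12" -inkey "$WORK/fspms.key" -in "$WORK/fspms.cer" \
  -certfile "$WORK/interm.cer" -name fspms -passout "pass:$PASS"
# Same command with -certfile forgotten: the intermediate never reaches the keystore.
openssl pkcs12 -export -out "$WORK/fspms_noint.p12" -inkey "$WORK/fspms.key" \
  -in "$WORK/fspms.cer" -name fspms -passout "pass:$PASS"

# p12_chain_ok P12 PASSWORD ROOT: returns 0 when the leaf verifies against the trusted
# root using only the extra certificates carried inside the .p12 as untrusted
# intermediates, 1 otherwise.  A bundle that fails here still imports into fspms.jks
# without complaint, but presents an incomplete chain to whoever connects.
p12_chain_ok() {
  p12=$1; pw=$2; root=$3; d=$(mktemp -d)
  openssl pkcs12 -in "$p12" -passin "pass:$pw" -nokeys -clcerts -out "$d/leaf.pem" 2>/dev/null
  openssl pkcs12 -in "$p12" -passin "pass:$pw" -nokeys -cacerts -out "$d/chain.pem" 2>/dev/null
  if openssl verify -CAfile "$root" -untrusted "$d/chain.pem" "$d/leaf.pem" >/dev/null 2>&1
  then rc=0; else rc=1; fi
  rm -rf "$d"; return $rc
}

for p in fspms.p12 fspms_noint.p12; do
  if p12_chain_ok "$WORK/$p" "$PASS" "$WORK/root.cer"
  then echo "$p: complete chain"; else echo "$p: incomplete chain, clients would see an untrusted CA"; fi
done
```

Run the check on the real fspms.p12 with the public root of the third-party CA as ROOT before step 6; a bundle that passes it leaves only the keystore import and service side to investigate.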

Answers

  • Sethu Laks
    Sethu Laks Staff, Moderator Posts: 288 W/ Moderator
    edited December 20

    Hi @SecurMander

    Thank you for reaching out to the WithSecure Community.

    Based on the provided error, the CA certificate was updated; however, the SCEP certificates were not.

    Can you try deleting the SCEP certificates from fspms-ca.jks to see if that fixes the issue?

    For Policy Manager installed on a Linux host:

    1. Stop the WithSecure Policy Manager service
    2. Delete the fspms.jks file
    3. Run the following commands in the data folder (/var/opt/f-secure/fspms/data/):
    • /opt/f-secure/fspms/jre/bin/keytool -delete -alias fspm-ra-encryption -keystore fspms-ca.jks
    • /opt/f-secure/fspms/jre/bin/keytool -delete -alias fspm-ra-signing -keystore fspms-ca.jks
    4. Start the WithSecure Policy Manager service
    5. On the Policy Manager Proxy machine, run the fspmp-enroll-tls-certificate script from /opt/f-secure/fspms/bin/

    Please ensure you have performed the steps as instructed in the article below: How to replace default self-signed Policy Manager Linux certificate with trusted CA created certificate - WithSecure Community

    Once the steps above are completed, the definition updates should work as expected.

    If the issue still remains unresolved, you can collect the wsdiag from the server and client, then reach our support for further investigation.

  • SecurMander
    SecurMander Member Posts: 18 Security Scout

    Hi,

    Thanks for the reply.

    The definition updates only work when the self-signed certificate is used.
    If I replace it with the trusted CA certificate, it doesn't work, and that is really weird because it worked in the past.

    I'm in contact with your support, but actually no solution has been found.
