This article applies to the following F-Secure products: Policy Manager Server, Policy Manager Proxy
Client Security failed to download definition updates from Policy Manager Proxy (PMP) and Policy Manager Server (PMS), reporting "certificate expired" and "untrusted root ca" errors.
Host using PMP:
2022-02-01 09:32:21.040 [1454.1a68] I: Checking for updates from https://xxxx.xxxxx.xxxxx.de:488/guts2
2022-02-01 09:32:21.040 [1454.1a68] I: Update check failed, error=221 (certificate expired)
Host using PMS directly:
2022-01-31 16:32:22.806 [0f54.1300] I: Checking for updates from https://xxxxx.xxxxx.xxx.de:443/guts2
2022-01-31 16:32:22.884 [0f54.1300] I: Update check failed, error=216 (untrusted root ca)
The problem occurred after updating to Policy Manager Server 15.30.
Based on data from the Java KeyStore (.jks) files, the certificates on the Policy Manager Proxy were renewed; however, this was not recorded in the logs. The CA certificate was updated, but the SCEP certificates were not.
You can delete the SCEP certificates from fspms-ca.jks to fix the issue.
For Policy Manager installed on a Linux host:
- Stop the F-Secure Policy Manager service
- Delete the fspms.jks file
- Run the following commands in the data folder (/var/opt/f-secure/fspms/data/):
- /opt/f-secure/fspms/jre/bin/keytool -delete -alias fspm-ra-encryption -keystore fspms-ca.jks
- /opt/f-secure/fspms/jre/bin/keytool -delete -alias fspm-ra-signing -keystore fspms-ca.jks
- Start the F-Secure Policy Manager service
- On the Policy Manager Proxy machine, run the fspmp-enroll-tls-certificate script from /opt/f-secure/fspms/bin/
For Policy Manager installed on a Windows host:
- Stop the F-Secure Policy Manager Server service from services.msc > F-Secure Policy Manager Server
- Delete the fspms.jks file in <Installation folder>\F-Secure\Management Server 5\data. Note: Make a backup of this file.
- Launch Command Prompt as administrator
- Navigate to C:\Program Files (x86)\F-Secure\Management Server 5\data folder in the Command Prompt
- Run the following commands:
- "C:\Program Files (x86)\F-Secure\Management Server 5\jre\bin\keytool.exe" -delete -alias fspm-ra-encryption -keystore fspms-ca.jks
- "C:\Program Files (x86)\F-Secure\Management Server 5\jre\bin\keytool.exe" -delete -alias fspm-ra-signing -keystore fspms-ca.jks
- Start the F-Secure Policy Manager Server service from services.msc
- Upon launching the Policy Manager Console, you will be prompted to accept the new certificate. Click Accept to continue.
- Run the fspmp-enroll-tls-certificate.bat script on the Policy Manager Proxy machine (...\F-Secure\Management Server 5\bin\fspmp-enroll-tls-certificate.bat)
Once the steps above are completed, the definition updates should work as expected.
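To confirm on a Linux host which entries in fspms-ca.jks have actually expired before deleting them, the output of keytool's verbose listing can be checked per alias. The script below is an added example, not part of the original article or of F-Secure's tooling; the function names, the sample data and the example-ca alias are constructed for illustration, and it assumes keytool prints its English labels.

```shell
# List keystore aliases whose leaf certificate has expired.
# stdin: text printed by `keytool -list -v` (English labels assumed).
# $1: reference time as YYYYMMDDHHMMSS; defaults to the current UTC time.
# Simplification: the time-zone field of each timestamp is ignored.
expired_aliases() {
    now="${1:-$(date -u +%Y%m%d%H%M%S)}"
    awk -v now="$now" '
        BEGIN {
            n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i = 1; i <= n; i++) mon[m[i]] = i
        }
        /^Alias name: / { alias = substr($0, 13); seen = 0; next }
        # Only the first certificate of an entry (the leaf) is checked.
        /^Valid from: .* until: / && alias != "" && !seen {
            seen = 1
            sub(/^.* until: /, "")      # keep only the expiry timestamp
            split($0, f, " ")           # EEE MMM dd HH:mm:ss zzz yyyy
            split(f[4], t, ":")
            stamp = sprintf("%04d%02d%02d%02d%02d%02d", f[6], mon[f[2]], f[3], t[1], t[2], t[3])
            if ((stamp "") < (now "")) print alias
        }'
}

# Constructed sample output (not taken from a real keystore).
sample_keytool_output() {
    cat <<'EOF'
Alias name: fspm-ra-encryption
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Valid from: Fri Jan 31 12:00:00 UTC 2020 until: Mon Jan 31 12:00:00 UTC 2022

Alias name: fspm-ra-signing
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Valid from: Fri Jan 31 12:00:00 UTC 2020 until: Mon Jan 31 12:00:00 UTC 2022
Certificate[2]:
Valid from: Fri Jan 31 12:00:00 UTC 2020 until: Thu Jan 31 12:00:00 UTC 2030

Alias name: example-ca
Entry type: trustedCertEntry
Valid from: Mon Jan 31 12:00:00 UTC 2022 until: Fri Jan 31 12:00:00 UTC 2031
EOF
}

# Demo on the sample; on a real host, run in the data folder:
#   /opt/f-secure/fspms/jre/bin/keytool -list -v -keystore fspms-ca.jks | expired_aliases
sample_keytool_output | expired_aliases 20220201000000
```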
Article no: 000038287