Issue:
This article applies to the following WithSecure products: Policy Manager Server, Policy Manager Proxy
Client Security failed to download definition updates from Policy Manager Proxy (PMP) and Policy Manager Server (PMS), logging "certificate expired" and "untrusted root ca" errors.
Host using PMP
2022-02-01 09:32:21.040 [1454.1a68] I: Checking for updates from https://xxxx.xxxxx.xxxxx.de:488/guts2
2022-02-01 09:32:21.040 [1454.1a68] I: Update check failed, error=221 (certificate expired)
Host using PMS directly
2022-01-31 16:32:22.806 [0f54.1300] I: Checking for updates from https://xxxxx.xxxxx.xxx.de:443/guts2
2022-01-31 16:32:22.884 [0f54.1300] I: Update check failed, error=216 (untrusted root ca)
The problem occurred after updating to Policy Manager Server 15.30.
Resolution:
Based on data from the Java KeyStore (.jks) files, the certificates on the Policy Manager Proxy had been renewed, although this was not shown in the logs. The CA certificate was updated, but the SCEP certificates were not.
To fix the issue, delete the SCEP certificates from fspms-ca.jks as described below.
For Policy Manager installed on a Linux host:
- Stop the WithSecure Policy Manager service
- Delete the fspms.jks file
- Run the following commands in the data folder (/var/opt/f-secure/fspms/data/):
- /opt/f-secure/fspms/jre/bin/keytool -delete -alias fspm-ra-encryption -keystore fspms-ca.jks
- /opt/f-secure/fspms/jre/bin/keytool -delete -alias fspm-ra-signing -keystore fspms-ca.jks
- Start WithSecure Policy Manager service
- On the Policy Manager Proxy machine, run the fspmp-enroll-tls-certificate script from /opt/f-secure/fspms/bin/
For Policy Manager installed on a Windows host:
- Stop the WithSecure Policy Manager Server service from services.msc > F-Secure Policy Manager Server
- Delete the fspms.jks file in %ProgramData%\WithSecure\NS\Policy Manager\Policy Manager Server\data (make a backup of this file first)
- Launch Command Prompt as administrator
- Navigate to %ProgramData%\WithSecure\NS\Policy Manager\Policy Manager Server\data folder in the Command Prompt
- Run the following commands:
- "C:\Program Files\WithSecure\Policy Manager\jre\bin\keytool.exe" -delete -alias fspm-ra-encryption -keystore fspms-ca.jks
- "C:\Program Files\WithSecure\Policy Manager\jre\bin\keytool.exe" -delete -alias fspm-ra-signing -keystore fspms-ca.jks
- Start the WithSecure Policy Manager Server service from services.msc
- When you launch the Policy Manager Console, you will be prompted to accept the new certificate. Click Accept to continue
- Run the fspmp-enroll-tls-certificate.bat script on the Policy Manager Proxy machine (...\F-Secure\Management Server 5\bin\fspmp-enroll-tls-certificate.bat)
Once the steps above are completed, the definition updates should work as expected.
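Before deleting anything from fspms-ca.jks, it is worth confirming that the fspm-ra-encryption and fspm-ra-signing entries are in fact the expired ones. The script below is an added example, not WithSecure's code: it parses the text that `keytool -list -v -keystore fspms-ca.jks` prints and flags entries that are expired or close to expiry. The sample listing embedded in it is constructed; only the two RA alias names come from this article, while the CA alias and all dates are made up.

```python
"""Report expired or soon-to-expire entries in a Java keystore from `keytool -list -v` output."""
import re
from datetime import datetime, timedelta, timezone

# Constructed `keytool -list -v` excerpt: only the two RA aliases are from the article; the CA alias and dates are made up.
SAMPLE_LISTING = """\
Alias name: example-ca
Valid from: Mon Jan 31 10:00:00 UTC 2022 until: Fri Jan 29 10:00:00 UTC 2027

Alias name: fspm-ra-encryption
Valid from: Mon Feb 01 08:00:00 UTC 2021 until: Tue Feb 01 08:00:00 UTC 2022

Alias name: fspm-ra-signing
Valid from: Mon Feb 01 08:00:00 UTC 2021 until: Tue Feb 01 08:00:00 UTC 2022
"""

def parse_keytool_date(text):
    """Parse keytool's 'EEE MMM dd HH:mm:ss zzz yyyy' format. The zone token is dropped and
    the value read as UTC, which is accurate enough for a validity check measured in days."""
    m = re.match(r"\w{3} (\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) \S+ (\d{4})$", text.strip())
    if not m:
        raise ValueError(f"unrecognised keytool date: {text!r}")
    return datetime.strptime(f"{m[1]} {m[2]}", "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)

def parse_listing(listing):
    """Map each alias to the notAfter of its first (leaf) certificate."""
    entries, alias = {}, None
    for line in listing.splitlines():
        if line.startswith("Alias name:"):
            alias = line.split(":", 1)[1].strip()
            entries[alias] = None
        elif alias and entries[alias] is None and line.startswith("Valid from:"):
            entries[alias] = parse_keytool_date(line.split("until:", 1)[1])
    return entries

def expired_aliases(listing, now, warn_days=30):
    """Return [(alias, status)] for entries already expired or expiring within warn_days."""
    findings = []
    for alias, not_after in parse_listing(listing).items():
        if not_after is not None and not_after <= now:
            findings.append((alias, "expired"))
        elif not_after is not None and not_after - now <= timedelta(days=warn_days):
            findings.append((alias, "expiring"))
    return findings

if __name__ == "__main__":
    # Evaluate the sample at the moment the article's PMP log line was written.
    now = parse_keytool_date("Tue Feb 01 09:32:21 UTC 2022")
    for alias, status in expired_aliases(SAMPLE_LISTING, now):
        print(f"{alias}: {status}")
```

On a real host, pipe the output of `keytool -list -v -keystore fspms-ca.jks` into `expired_aliases` instead of the sample; any alias reported as expired is one the keytool -delete steps above should remove.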
Article no: 000038287