
Certificate Manager Service Stopped, fffffffd error

I noticed that the Sophos Certificate Manager service has stopped. When I attempt to start the service, it stops by itself after 1-2 seconds. Do I need to reinstall SEC?

Secondly, I notice the console is showing error fffffffd. This happened when I reformatted the server and reinstalled SEC. All other clients which were previously protected and manageable are now showing this error. I suspect the certificate the server has is different from the clients'. Is there a way to make the server use the old certificates again?

If you need any log file, please let me know.



  • Hello,

    What does it say in the CM log file?

    E.g.

    "\ProgramData\Sophos\Remote Management System\3\CertificationManager\Logs\CertManager-[timestamp].log"

    Can you restart the service and post the log or part of it that covers the startup or attempted startup?

    Regards,

    Jak

  • Hi,

    Here is the log:

    24.11.2011 15:28:54 2164 I SOF: C:\Documents and Settings\All Users\Application Data/Sophos/Remote Management System/3/CertificationManager/Logs/CertManager-20111124-072854.log
    24.11.2011 15:28:54 2164 I [CertMgr]Certification Manager starting...
    24.11.2011 15:28:55 2164 E [Msgr]CM:OneTimeOnly:Invalid certificateCInvalidCertificateException:Invalid certificate:Failed to verify certificate with CA certificate:sts=54:OpenSSLErr=
    24.11.2011 15:28:55 2164 E [CertMgr]OneTimeOnly Initialisation invalid
  • Hello Jase,

    so you already reinstalled (reformatted the server and reinstalled SEC), and when doing so, did you back up/restore the database? Or am I misinterpreting your post?

    Christian

  • Yes, I did; I saw the original grouping was there. But to confirm the steps, could you verify them for me?

  • hi,

    That would suggest that the cert of the certification manager is wrong:

    E.g. The key:

    HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Sophos\Certification Manager\MessengerStore\pkc

    I would suggest:

    1. Export the key:

    HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Sophos\

    to be safe,  then delete:

    HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Sophos\Certification Manager\MessengerStore\pkc

    and

    HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Sophos\Certification Manager\MessengerStore\pkp

    2. Run the exe:

    \Program Files [(x86)]\Sophos\Enterprise Console\ServerInit.exe

    That should recreate the deleted keys but not change the certs, as cac should be the same.

    3. Restart the Sophos services.

    I hope that helps. If not, you can just re-import the backup and you're no worse off :)

    Regards,

    Jak

  • If Jak's suggestion doesn't help - did you also export/import the certificates registry keys when reinstalling SEC? And did you reinstall because of the issue with CM or did you reinstall and then the issue cropped up?

    To reinstall (or reincarnate) a SEC you should back up the database, export certificates and EE\Management Tools registry keys and run ExportPrivateStore (and store them away of course). After setting up the base OS and before installing SEC you'd have to import the certificates - otherwise it won't be the "same" server. After installing SEC stop at least the Management Service and the Message Router and restore/import the rest of the stuff. A more detailed description can be found in the Migration Guide.

    If you did not export/import the original certificates the clients either must be re-protected or you could use Jak's script to re-init RMS on the clients.

    Christian

  • I got these errors from the router logs after I followed the instructions.

    25.11.2011 09:53:08 0BC4 W SSL connection alert, peer address 192.168.77.35
    25.11.2011 09:53:08 0BC4 W Cannot verify peer's SSL certificate, unknown CA
    25.11.2011 09:53:08 0BC4 E The certificate of this router is incompatible with the server, please reinstall RMS
    25.11.2011 09:53:08 0BC4 I This computer is part of the domain TSPSG
    25.11.2011 09:53:08 0BC4 E ACE_SSL (9144|3012) error code: 336105650 - error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
    25.11.2011 09:53:08 13B4 W SSL connection alert, peer address 192.168.77.35
    25.11.2011 09:53:08 13B4 W Cannot verify peer's SSL certificate, unknown CA
    25.11.2011 09:53:08 13B4 E The certificate of this router is incompatible with the server, please reinstall RMS

    Does this mean I need to reinstall RMS?

    I am on a test server right now, so reinstallation is fine.

  • The current router log: http://pastebin.com/NJjePhF5

    Looking through the router logs again after several tests, I feel like reinstalling everything. If I am to start a fresh installation of SEC, do my clients need to do anything? I have 2 XP, 1 Macintosh, 1 Windows 7 and 2 Windows 2K3 Server machines in this test environment.

    Could anyone list the things I need to do on the client end? For the server end, the policies and grouping can be recreated manually.

  • Hello,

    you can re-protect the Win clients from SEC, the Mac has to be installed manually.

    Christian

  • Hi,

    This problem is all about matching up values on the server and the clients. On the server side the important values regarding certification are held here:

    HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Sophos\Certification Manager\CertAuthStore

    cac

    DelegatedManagerKey

    ManagedAppKey

    RouterKey

    All these values need to be the same on the clients (stored in different registry locations).

    They are essentially passed to the clients in the files cac.pem (the cac value) and mrinit.conf (the 3 identity keys). The clients download these files (setup.exe copies them over at install) from the distribution locations (CIDs); they are in the root of the deployment share, e.g. \\[server]\SophosUpdate\CIDs\S000\SAVSCFXP\cac.pem and mrinit.conf.

    Note: All cac.pem files throughout the system should be the same and all mrinit.conf files in the system should have the same 3 identity keys.

    When the RMS package on the client is installed, an application called ClientMRInit.exe runs, reads in the above files from the local client's copy, now in "\program files\sophos\remote management system\", and puts the same values in the registry on the client in the following locations:

    HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Sophos\Messaging System\cac

    HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Sophos\Messaging System\CertificationIdentityKeys\CertificationIdentityKey

    This is the same as the "RouterKey".

    HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Sophos\Remote Management System\CertificationIdentityKeys\ManagedApplication

    This is the same as the "ManagedAppKey"

    HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Sophos\Remote Management System\ManagementAgent\Private\CertificationIdentityKey

    This is the same as the "DelegatedManagerKey".

    If you are going to try and repair the system it's important to get all the values on the server working first and ensure all local server components can talk correctly, then ensure all the cac.pem and mrinit.conf files are correct on the server. Only then is it worth re-protecting the clients, either by re-protecting them or running the script I wrote that Christian mentions.

    You might find it easier to reinstall but you shouldn't need to, it's whatever is quicker for you I guess.

    Regards,

    Jak

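Worked example, added by the editor and not part of any post in this thread. It reproduces, with throw-away OpenSSL certificates, what the router log posted above reports ("Cannot verify peer's SSL certificate, unknown CA"): a client certificate issued under the old server's CA is rejected by a reinstalled server whose cac is a different certificate. It also adds a small check for Jak's rule that every cac.pem under the CID tree must be the same certificate. The CA and client names, the temporary working directory and the fake CID layout are all constructed for the demo; it uses the openssl command line in a POSIX shell, not any Sophos tool, so on a real installation you would point distinct_cac_count at the mounted SophosUpdate share instead.

```shell
#!/bin/sh
# Added example, not from the thread: reproduces the RMS "unknown CA" failure
# with throw-away OpenSSL certificates, then checks cac.pem consistency
# across a directory tree laid out like the CIDs (constructed sample layout).
set -u
WORK="${WORK:-$(mktemp -d)}"   # scratch directory for keys and certs

# Create a self-signed CA; it stands in for the server's "cac" certificate.
make_ca() {                                   # $1 = CA name
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# Issue an end-entity cert signed by a CA; it stands in for a client's RMS cert.
issue_client() {                              # $1 = CA name, $2 = client name
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1 &&
  openssl x509 -req -days 2 -in "$WORK/$2.csr" -CA "$WORK/$1.pem" \
    -CAkey "$WORK/$1.key" -CAcreateserial -out "$WORK/$2.pem" >/dev/null 2>&1
}

# What the router effectively does on connect: verify the peer certificate
# against its own CA. Exit status 0 = trusted, non-zero = "unknown CA".
verify_against() {                            # $1 = CA name, $2 = client name
  openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
}

# SHA-256 fingerprint of a PEM certificate, for comparing cac.pem copies.
fingerprint() {                               # $1 = path to a PEM file
  openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

# Number of distinct certificates among all cac.pem files under a tree.
# Anything other than 1 means some CID carries a stale or foreign CA.
distinct_cac_count() {                        # $1 = root directory (e.g. the CID share)
  find "$1" -type f -name cac.pem | while IFS= read -r f; do
    fingerprint "$f"
  done | sort -u | wc -l | tr -d ' '
}

# Demo: old server CA, reinstalled server CA, one client enrolled under the old one.
demo() {
  make_ca old_server && make_ca reinstalled_server && issue_client old_server client
  verify_against old_server client && echo "old CA: client certificate trusted"
  verify_against reinstalled_server client || echo "reinstalled CA: client rejected, the 'unknown CA' symptom"
  # Two constructed CIDs, one still shipping the old cac.pem.
  mkdir -p "$WORK/CIDs/S000" "$WORK/CIDs/S001"
  cp "$WORK/reinstalled_server.pem" "$WORK/CIDs/S000/cac.pem"
  cp "$WORK/old_server.pem" "$WORK/CIDs/S001/cac.pem"
  echo "distinct cac.pem certificates under CIDs: $(distinct_cac_count "$WORK/CIDs")"
}
demo
```

The exit status of `openssl verify` is the thing to watch: the same client certificate passes against the CA that issued it and fails against any other, which is exactly the situation after a reinstall without the exported certificates, and why Christian's advice is to re-protect the clients (or re-init RMS on them) rather than to keep restarting services on the server.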