
Security Question


SSL Cert question

09/28/2016 1774 views
I am having an issue with my K1000 cert and wanted to see if someone can point me somewhere.
My SSL cert was about to expire, and instead of renewing it I decided to just change it and use my wildcard cert, which support said should not be a problem. I inserted the wildcard cert, but now I have almost 600 machines with an active AMP connection that are not reporting inventory. Also, when I access the K1000 web address from the Android Chrome browser I get "connection is not private", though every other browser (IE, Chrome, Safari) shows the cert is good and green. I ran an SSL checker on the site and all passed, though I got an intermediate cert error, and I am not using an intermediate since this is DigiCert. Support is telling me this is a cert issue, though it's not. I have this cert on many servers with no issue.



Thank you.

Comments

  • I would make sure that the SMMP.conf/amp.conf files match the host name listed on the wildcard, which should also match the web server name in the K1000's network settings.

    On the client systems, ensure that the signing authority used to create the certificate exists as a trusted root on the client machines. When you open the certificate manager (certmgr.msc on Windows), do you see that authority listed under "Trusted Root Certification Authorities\Certificates"?
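
Added example, not part of the original thread: a Python check for the two things the comment above suggests verifying, the host name against the wildcard and the trust chain. Python's ssl module validates only the chain the server sends plus the local root store and does not download a missing intermediate. The function names and SAMPLE_CERT are constructed for illustration; helpdesk.company.com is the host quoted in the thread.

```python
import socket
import ssl

def wildcard_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: '*' is accepted only as the whole leftmost
    label and covers exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def san_covers(cert: dict, host: str) -> bool:
    """True if any DNS subjectAltName in a getpeercert() dict covers host."""
    return any(kind == "DNS" and wildcard_matches(value, host)
               for kind, value in cert.get("subjectAltName", ()))

def check_server(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Handshake using only the chain the server sends plus local roots."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {"ok": True, "protocol": tls.version(),
                        "san_covers_host": san_covers(cert, host)}
    except ssl.SSLCertVerificationError as exc:
        # verify_code 20/21: issuer not found (missing intermediate or
        # untrusted root); 62: certificate names do not cover the host
        return {"ok": False, "verify_code": exc.verify_code,
                "reason": exc.verify_message}
    except (ssl.SSLError, OSError) as exc:
        # e.g. a handshake-failure alert, a refused connection or a timeout
        return {"ok": False, "verify_code": None, "reason": str(exc)}

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns
SAMPLE_CERT = {"subjectAltName": (("DNS", "*.company.com"),
                                  ("DNS", "company.com"))}

if __name__ == "__main__":
    print(san_covers(SAMPLE_CERT, "helpdesk.company.com"))
    # print(check_server("helpdesk.company.com"))  # run from an affected client
```

A result with verify_code 20 from check_server while desktop browsers show the site as trusted means the server is not sending the intermediate certificate along with the leaf.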

All Answers

0
Since the AMP connection is still online, I assume you did not change the host name.
Use one machine and go to c:\program files (x86)\dell\kace
Run runkbot 1 0 and check the log for error messages, which will help you diagnose the issue.
Script 1 is a bootstrap.
Answered 09/29/2016 by: Nico_K
Red Belt

  • Yes, I have an AMP connection and the URL has not changed; the only thing really different is that the wildcard cert is "*.company.com" instead of "Helpdesk.company.com".

    I ran runkbot 1 0 and I see there is an SSL error in the log: "'error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure' Error Code (35:SSL connect error), url: https://helpdesk.company.com/service/kbot_service_notsoap.php?"

    The signing authority is on the trusted root as well. If I install a new agent manually the issue gets resolved. This is happening to 600 out of 2K machines and I cannot manually reinstall over 600 agents. I cannot use MI or a script; though the machines have AMP, they are not running any scripts.
0
Have you tried running a domain login script to call AMPTools to clear the cache and reset, to see if that fixes the problem?


AMPTools: Utility functions for AMPAgent
Usage:
AMPTools [help | -h | -? | /?]
This help text

AMPTools get <config>
Read configuration option from amp.conf. Configuration options are:
host: Server hostname.
debug: (true|false) Debug logging.

AMPTools [set] [-n] <config>=<value> ...
Set values in amp.conf. 'set' is optional. See 'get' for options.
By default, restarts AMPAgent. -n prevents this.
Known keys are host and debug.
Changing host clears host-dependent config.
AMPTools clearcache
Clear AMP caches

AMPTools killtasks [-f] [-w]
Kill any running AMP subprocesses. With -f, force-kill them.
With -w kill everything except watchdog.

AMPTools shutdown [-f] [-r]
Shutdown system. With -f, immediately without prompting user.
With -r, reboot.

AMPTools resetconf [-n] [<config>=<value> ...]
Set amp.conf to defaults, optionally setting values (see 'get').
By default, restarts AMPAgent. -n prevents this.

AMPTools restart [-w]
Stop and start agent. With -w everything except watchdog

AMPTools delayed-restart
Stop and start the agent, but delay for 20 seconds, this is used by RESETAGENT to allow time to send message back to K1

AMPTools start [-w]
Start agent if stopped. With -w everything except watchdog

AMPTools stop [-w]
Stop agent if started. -w everything except watchdog

AMPTools uninstall [all|all-kuid]
Uninstall agent. Leaves configuration and KUID.
all: Also delete configuration, but not KUID.
all-kuid: Delete everything, including KUID.



Answered 09/29/2016 by: SMal.tmcc
Red Belt

  • I tried running it locally on 1 machine... clear cache, resetconf with the host, though the host has not changed, and no luck.
