Jason,
I work with Big fixer who made this post and I have been troubleshooting this issue on our side with your suggestions and some googling
Issue: Prefetch Jobs fail with “Reason: HTTP Error 60: SSL peer certificate or SSH remote key was not OK: SSL certificate problem: unable to get local issuer certificate”
Things we know/have tried…
- We know that our proxy does SSL intercption
- We are only having this SSL intercept issue with Prefretch fixlets that use https://
- I can confirm that when our proxy admin add’s affected sites to the proxy’s SSL Decryption Exclusion list the prefetch https:// fixlet’s work; however this is not feasable to do everytime
- Adding the Cert(s) to the /opt/BESServer/Reference/ca-bundle.crt has no affect on the https:// prefretch fixlets running…they still fail with the same error
- Copying the fixlet and changeing the https:// to http:// allows it to work
- The guy on this post On an Initial Install, Untrusted Certificate to https://gatherer.bigfix.com Prevented Loading of BigFix Management Fixlets interestingly says
"Can go into many details for security reasons, however the problem is certainly related to the proxy. To avoid “man in the middle attacks”, the https gather includes also a peer verification, and your proxy could not be configured to work with the above peer verification." - Purposely breaking the entire ca-bundle.crt file has no affect on the error for the prefetch https:// however it does break other traffic with an error such as this:
HTTPS connection to {https://sync.bigfix.com/cgi-bin/bfgather/cyberfocus?Time=1674576987} was unsuccessful due to {HTTP Error 77: Problem with the SSL CA cert (path? access rights?): error setting certificate verify locations: CAfile: /opt/BESServer/Reference/ca-bundle.crt CApath: none}; retried using HTTP - The above behavior leads me to believe that the prefetch fixlets are not using the specified ca-bundle.crt file to verify certificates.
Verbose log snippit of example failure from BESRelay.log…
Thu, 26 Jan 2023 10:46:03 -0500 - GatherMain (3571107584) - Queueing download: {aid=16396,index=1,sha1=bd8ea599f044e3834b779bd99e8732a92ae869a8,size=null,url=https%3a%2f%2fcatalog.s.download.windowsupdate.com%2fc%2fmsdownload%2fupdate%2fsoftware%2fupdt%2f2022%2f09%2fsqlserver2019-kb5017593-x64_bd8ea599f044e3834b779bd99e8732a92ae869a8.exe}
Thu, 26 Jan 2023 10:46:03 -0500 - GatherMain (3571107584) - DownloadState: download {aid=16396,index=1,sha1=bd8ea599f044e3834b779bd99e8732a92ae869a8,size=null,url=https%3a%2f%2fcatalog.s.download.windowsupdate.com%2fc%2fmsdownload%2fupdate%2fsoftware%2fupdt%2f2022%2f09%2fsqlserver2019-kb5017593-x64_bd8ea599f044e3834b779bd99e8732a92ae869a8.exe} changed from FAILED to QUEUED
Thu, 26 Jan 2023 10:46:03 -0500 - GatherMain (3571107584) - Starting download: {aid=16396,index=1,sha1=bd8ea599f044e3834b779bd99e8732a92ae869a8,size=null,url=https%3a%2f%2fcatalog.s.download.windowsupdate.com%2fc%2fmsdownload%2fupdate%2fsoftware%2fupdt%2f2022%2f09%2fsqlserver2019-kb5017593-x64_bd8ea599f044e3834b779bd99e8732a92ae869a8.exe}
Thu, 26 Jan 2023 10:46:03 -0500 - 2470385408 - Entering GET https://catalog.s.download.windowsupdate.com/c/msdownload/update/software/updt/2022/09/sqlserver2019-kb5017593-x64_bd8ea599f044e3834b779bd99e8732a92ae869a8.exe
Thu, 26 Jan 2023 10:46:03 -0500 - 2470385408 - The currently configured proxy server is: lsproxy.palmbeach.k12.fl.us:3128
Thu, 26 Jan 2023 10:46:03 -0500 - 2470385408 - Actually used proxy server depends on the proxy exception list which is: localhost,palmbeach.k12.fl.us,fhbigfix
Thu, 26 Jan 2023 10:46:03 -0500 - 2470385408 - Proxy authentication methods allowed are: all
Thu, 26 Jan 2023 10:46:03 -0500 - 2470385408 - You can’t use the proxy for downstream
Thu, 26 Jan 2023 10:46:03 -0500 - 2470385408 - The proxy doesn’t use secure channel
Thu, 26 Jan 2023 10:46:03 -0500 - 2470385408 - Enabling Host verification for connection with url https://catalog.s.download.windowsupdate.com/c/msdownload/update/software/updt/2022/09/sqlserver2019-kb5017593-x64_bd8ea599f044e3834b779bd99e8732a92ae869a8.exe
Thu, 26 Jan 2023 10:46:03 -0500 - GatherMain (3571107584) - DownloadState: download {aid=16396,index=1,sha1=bd8ea599f044e3834b779bd99e8732a92ae869a8,size=null,url=https%3a%2f%2fcatalog.s.download.windowsupdate.com%2fc%2fmsdownload%2fupdate%2fsoftware%2fupdt%2f2022%2f09%2fsqlserver2019-kb5017593-x64_bd8ea599f044e3834b779bd99e8732a92ae869a8.exe} changed from QUEUED to DOWNLOADING
Thu, 26 Jan 2023 10:46:03 -0500 - Main Thread (1409366080) - /data/site-readers - 10.254.16.16
Thu, 26 Jan 2023 10:46:03 -0500 - /data/site-readers (2716587776) - Running plugin /data/site-readers with client 10.254.16.16
Thu, 26 Jan 2023 10:46:03 -0500 - /data/site-readers (2716587776) - select ServerID from DBINFO
Thu, 26 Jan 2023 10:46:03 -0500 - /data/site-readers (2716587776) - select FieldContents from ADMINFIELDS where FieldName = ? and IsDeleted = 0
Thu, 26 Jan 2023 10:46:03 -0500 - /data/site-readers (2716587776) - select Certificate
from CERTIFICATES
Thu, 26 Jan 2023 10:46:03 -0500 - 2470385408 - Exiting GET https://catalog.s.download.windowsupdate.com/c/msdownload/update/software/updt/2022/09/sqlserver2019-kb5017593-x64_bd8ea599f044e3834b779bd99e8732a92ae869a8.exe (14 ms)
Thu, 26 Jan 2023 10:46:03 -0500 - /data/site-readers (2716587776) - select U.UserID, MastheadUsername, Username, IsMaster, CustomContent, UserCreationTime, ShowOtherUsersActions, StopOtherUsersActions, UnmanagedAssetPrivilege, ApproverRoleID, LdapID, LdapDN, GUID, CanCreateActions, PostActionBehavior, ActionScriptCommands, CanLock, CanSendMultipleRefresh, CanSubmitQueries, ConsoleLogin, APILogin, WebUILogin, IsDeleted, LoginPermission, UL.LastLoginTime, SignedData from USERINFO U join USER_LOGIN UL on UL.UserLoginID = U.UserID where UserID = ? and IsDeleted = 0
Thu, 26 Jan 2023 10:46:03 -0500 - /data/site-readers (2716587776) - select R.RoleID, R.Name, R.ModificationTime, R.IsDeleted, R.IsMaster, R.CustomContent, R.ShowOtherUsersActions, R.StopOtherUsersActions, R.CanCreateActions, R.CanLock, R.CanSendMultipleRefresh, R.CanSubmitQueries, R.ConsoleLogin, R.APILogin, R.WebUILogin, R.PostActionBehavior, R.ActionScriptCommands, R.UnmanagedAssetPrivilege, R.Description, R.Computers, R.SubscriptionSMIME, R.SignedData from ROLE_USER_ASSIGNMENTS RA join ROLES R on R.RoleID = RA.RoleID where R.IsDeleted = 0 AND RA.UserID = ? AND ( RA.Explicit = 1 or RA.Inherited = 1 )
Thu, 26 Jan 2023 10:46:03 -0500 - /data/site-readers (2716587776) - select SiteID, Privilege from ROLE_EXTERNAL_SITE_ASSIGNMENTS where RoleID = ? and IsDeleted = 0
Thu, 26 Jan 2023 10:46:03 -0500 - /data/site-readers (2716587776) - select Sitename, Privilege from ROLE_CUSTOM_SITE_ASSIGNMENTS where RoleID = ? and IsDeleted = 0
Thu, 26 Jan 2023 10:46:03 -0500 - /data/site-readers (2716587776) - select RA.UserID, RA.Explicit, RA.Inherited, RA.InheritedFrom from ROLE_USER_ASSIGNMENTS RA join USERINFO U on U.UserID = RA.UserID and U.IsDeleted = 0 where RA.RoleID = ? and ( RA.Explicit = 1 or RA.Inherited = 1 )
Thu, 26 Jan 2023 10:46:03 -0500 - /data/site-readers (2716587776) - select LdapID, GroupDN, GroupName from ROLE_GROUP_ASSIGNMENTS where RoleID = ? and IsDeleted = 0
Thu, 26 Jan 2023 10:46:04 -0500 - GatherMain (3571107584) - DownloadState: download {aid=16396,index=1,sha1=bd8ea599f044e3834b779bd99e8732a92ae869a8,size=null,url=https%3a%2f%2fcatalog.s.download.windowsupdate.com%2fc%2fmsdownload%2fupdate%2fsoftware%2fupdt%2f2022%2f09%2fsqlserver2019-kb5017593-x64_bd8ea599f044e3834b779bd99e8732a92ae869a8.exe} changed from DOWNLOADING to FAILED
Thu, 26 Jan 2023 10:46:04 -0500 - GatherMain (3571107584) - Download failed: aid=16396,index=1,sha1=bd8ea599f044e3834b779bd99e8732a92ae869a8,size=null,url=https%3a%2f%2fcatalog.s.download.windowsupdate.com%2fc%2fmsdownload%2fupdate%2fsoftware%2fupdt%2f2022%2f09%2fsqlserver2019-kb5017593-x64_bd8ea599f044e3834b779bd99e8732a92ae869a8.exe
Reason: HTTP Error 60: SSL peer certificate or SSH remote key was not OK: SSL certificate problem: unable to get local issuer certificate