Catalog Download Fails after 10.0.8 Platform upgrade - self-signed certificate

BigFix v10.0.8.37 and BFI v10.0.11.1.

This is the first new BFI catalog I’ve deployed since installing Patch 8 on BigFix. What is the procedure or setting in BigFix needed to allow connections to servers with self-signed certificates?

Can you detail a bit more where you’re getting an error? This could be in a couple of places - is it a problem with Inventory posting the new catalog update task into the console? Or is this showing when the root server tries to download the updated catalog from the BFI server, in the Action?

After importing a new Catalog into the BFI server, it creates a custom Action to download the OS-specific catalog data (i.e., CIT_catalog_WINDOWS.xml.gz) to the endpoints, for use by the Software Scanner. These files are identified with prefetch commands in the Action Script, and use the URL of the BFI server. For example:

prefetch catalog.xml.gz sha1:7ac4f75d8756399d7b9529e71cf16a9e7fdf48aa size:995564 https://10.0.0.2:9081/sam/catalogs/CIT_catalog_WINDOWS.xml.gz sha256:a5c84d6419876fb1a40dd8b0521535f806e9654dd124316d1f2bf0193a9ee829

Once the action kicks off, it goes into Waiting on Downloads status, and the downloads are unable to complete, due to the self-signed certificate on the BFI server (10.0.0.2).

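The prefetch statement quoted above carries the expected size, SHA-1 and SHA-256 of the catalog file; the client checks the fetched bytes against those values before the action proceeds. The script below is an added example (not code from the thread or from HCL) that parses a statement in the shape shown above, verifies a body against it, and generates a statement for a body you control. The regex models only the field order in the quoted line, not the full ActionScript grammar, and the sample catalog body is constructed, because the real file behind the quoted hashes is not on the page. It is worth keeping in mind when reading the rest of the thread: the hash pins the content, so a relay that skips certificate validation still refuses a substituted file, but it can no longer tell whether it is talking to the BFI server or to something in the middle that can read the download.

```python
import hashlib
import re

# Shape of the prefetch statement quoted in the post above:
#   prefetch <name> sha1:<40 hex> size:<bytes> <url> sha256:<64 hex>
# Only this shape is modelled; the real ActionScript grammar allows other
# orderings and optional fields, which are deliberately not handled here.
PREFETCH_RE = re.compile(
    r"^prefetch\s+(?P<name>\S+)\s+sha1:(?P<sha1>[0-9A-Fa-f]{40})\s+"
    r"size:(?P<size>\d+)\s+(?P<url>\S+)\s+sha256:(?P<sha256>[0-9A-Fa-f]{64})\s*$"
)


def parse_prefetch(line: str) -> dict:
    """Split one prefetch statement into its fields (hex digests lower-cased)."""
    m = PREFETCH_RE.match(line.strip())
    if m is None:
        raise ValueError("not a prefetch statement in the expected shape")
    spec = m.groupdict()
    spec["size"] = int(spec["size"])
    spec["sha1"] = spec["sha1"].lower()
    spec["sha256"] = spec["sha256"].lower()
    return spec


def verify_download(spec: dict, data: bytes) -> tuple:
    """Check a fetched body against the size, sha1 and sha256 in spec.

    Returns (ok, problems). Every check runs so the caller sees all
    mismatches rather than only the first one.
    """
    problems = []
    if len(data) != spec["size"]:
        problems.append(f"size {len(data)} != {spec['size']}")
    if hashlib.sha1(data).hexdigest() != spec["sha1"]:
        problems.append("sha1 mismatch")
    if hashlib.sha256(data).hexdigest() != spec["sha256"]:
        problems.append("sha256 mismatch")
    return (not problems, problems)


def build_prefetch(name: str, url: str, data: bytes) -> str:
    """Produce a prefetch statement for a body you control (e.g. a test fixture)."""
    return (
        f"prefetch {name} sha1:{hashlib.sha1(data).hexdigest()} "
        f"size:{len(data)} {url} sha256:{hashlib.sha256(data).hexdigest()}"
    )


# The statement quoted in the post above, kept verbatim so it can be parsed.
THREAD_LINE = (
    "prefetch catalog.xml.gz sha1:7ac4f75d8756399d7b9529e71cf16a9e7fdf48aa "
    "size:995564 https://10.0.0.2:9081/sam/catalogs/CIT_catalog_WINDOWS.xml.gz "
    "sha256:a5c84d6419876fb1a40dd8b0521535f806e9654dd124316d1f2bf0193a9ee829"
)

# Constructed sample body standing in for a catalog file we do not have.
SAMPLE_BODY = b"<catalog>constructed sample, not a real BFI catalog</catalog>\n"
SAMPLE_LINE = build_prefetch(
    "catalog.xml.gz",
    "https://10.0.0.2:9081/sam/catalogs/CIT_catalog_WINDOWS.xml.gz",
    SAMPLE_BODY,
)


def demo() -> tuple:
    """Genuine body passes; the same body with one flipped byte fails."""
    spec = parse_prefetch(SAMPLE_LINE)
    tampered = bytearray(SAMPLE_BODY)
    tampered[0] ^= 0x01  # same length, so only the digests catch it
    return (verify_download(spec, SAMPLE_BODY)[0],
            verify_download(spec, bytes(tampered))[0])


if __name__ == "__main__":
    print(parse_prefetch(THREAD_LINE)["size"])
    print(demo())
```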

As a temporary workaround to allow connections to servers with self-signed certificates, you can set the following computer property on the BES Root Server:

_BESRelay_Download_UntrustedSites = 1

This will turn off the 10.0.8 certificate validation when using HTTPS.


I had this same issue, however I’m not using a self-signed certificate. I’m using one issued by our internal PKI which is trusted by our BES root and BFI servers. All of the targets in the Catalog Download action were showing Pending Downloads/Waiting for downloads to be mirrored.

Setting _BESRelay_Download_UntrustedSites to 1 on both the primary and DSA servers fixed it.

This new certificate validation is causing all sorts of issues…

Is this new in BigFix platform 10.0.8 or BFI 10.0.11 ?

This is new in the platform, delivered with patch 8.

I ran into this issue today, following our upgrade to v10.0.8. My issue is in Patch / Lifecycle though and patch fixlets.

Our issue is twofold. We use a proxy with an internal cert… BUT some sites are whitelisted. So when BES downloads a file, some sites would need to validate against the internal cert and others against the real-world cert.

Initially, setting the property _BESClient_Download_CACertPath solved my issue for downloads until I tried a site that was whitelisted. I then set _BESRelay_Download_UntrustedSites = 1. That solved my whitelist issue. I am trying to remove the CACertPath and recheck. I also opened a case with HCL to get the best practice here. I like the idea of cert validation, but I may just have to leave it disabled.


I also had a similar situation: a customer upgraded to 10.0.8, and then all of the downloads got stuck in the status “Pending Downloads” and then indicated an error with a self-signed certificate.

The root server was configured with a proxy.

For testing, I took the same proxy settings, configured them in the browser and pasted the download URL. The root certificate had been replaced with a self-signed certificate of the proxy: they had enabled SSL inspection.

At first, I thought to set _BESRelay_Download_CACertPath on the Root Server to a custom CA bundle that would include the root certificate of the proxy. BUT then the system administrator would have the manual job of updating the custom CA bundle with the new CA bundle that is gathered from the BES Support site and adding the self-signed root certificate of the proxy (of course, this could also be automated).

I’ve ditched that idea and used _BESRelay_Download_UntrustedSites = 1 to return the previous way of downloading content.

If it were possible to use the new method of validating with the updated CA bundle from the BES Support site and allow a fallback CA bundle that includes a custom root CA which the system administrator would update, that could help.
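The merge the post above describes (refresh the vendor CA bundle from the BES Support site, then re-append the proxy's root so the custom bundle given to _BESRelay_Download_CACertPath stays current) is the part that "could also be automated". The script below is an added example, not the poster's tooling or anything shipped by HCL: it splits PEM bundles into CERTIFICATE blocks, appends extra roots, drops duplicates and re-wraps the result, so it can be re-run after every vendor refresh without growing the file. It works on the PEM text only and does not parse or validate the certificates (that would need a library such as cryptography or openssl); the bundles in it are constructed placeholders, not real certificates, and the file names in the usage lines are assumptions. The caveat a practitioner should carry with it: the merged bundle makes the relay trust whatever the inspecting proxy presents, which is still a far narrower trust than disabling validation for every site with _BESRelay_Download_UntrustedSites = 1.

```python
import re

# One CERTIFICATE block in a PEM file; the body is base64 possibly wrapped
# across several lines, so whitespace is allowed inside it.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(?P<body>[A-Za-z0-9+/=\s]+?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def split_pem(text: str) -> list:
    """Return the base64 body of each CERTIFICATE block, with whitespace removed."""
    return ["".join(m.group("body").split()) for m in PEM_RE.finditer(text)]


def wrap_pem(body: str) -> str:
    """Re-emit one body as a standard 64-column PEM block."""
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def merge_bundles(vendor_bundle: str, extra_roots: list) -> str:
    """Vendor bundle first, then each extra root; duplicates (by body) are dropped.

    Because comparison is on the normalised body, feeding a previously merged
    bundle back in with the same extra roots yields the same set of blocks.
    """
    seen = set()
    out = []
    for source in [vendor_bundle, *extra_roots]:
        for body in split_pem(source):
            if body in seen:
                continue
            seen.add(body)
            out.append(wrap_pem(body))
    return "".join(out)


def count_certs(bundle: str) -> int:
    return len(split_pem(bundle))


# Constructed placeholders: syntactically PEM, but not real certificates.
VENDOR_BUNDLE = (
    "# vendor bundle as gathered from the BES Support site (constructed)\n"
    "-----BEGIN CERTIFICATE-----\nMIIBconstructedVendorRootA==\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nMIIBconstructedVendorRootB==\n-----END CERTIFICATE-----\n"
)
PROXY_ROOT = (
    "-----BEGIN CERTIFICATE-----\nMIIBconstructedProxyInspectionRoot==\n-----END CERTIFICATE-----\n"
)


def demo() -> tuple:
    """(certs after first merge, certs after merging the result again)."""
    merged = merge_bundles(VENDOR_BUNDLE, [PROXY_ROOT])
    remerged = merge_bundles(merged, [PROXY_ROOT])
    return count_certs(merged), count_certs(remerged)


if __name__ == "__main__":
    # Assumed file names; adjust to where the relay's bundle actually lives.
    import sys
    if len(sys.argv) >= 3:
        vendor = open(sys.argv[1]).read()
        roots = [open(p).read() for p in sys.argv[2:]]
        sys.stdout.write(merge_bundles(vendor, roots))
    else:
        print(demo())
```

Run it as `python merge_ca_bundle.py vendor-ca-bundle.crt proxy-root.crt > custom-ca-bundle.crt` after each vendor refresh and point _BESRelay_Download_CACertPath at the output; the bundle contains only what is in the inputs, so a refreshed vendor file that drops a root drops it from the merge as well.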

Platform 10.0.9 shipped some major improvements.

KB0102706 has been updated to show how they can be used: https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0102706

Here is the updated Platform Doc: https://help.hcltechsw.com/bigfix/10.0/platform/Platform/Config/c_customizing_HTTPS_downloads.html?hl=download
